Kyle Brokaw – LDS Church, Russ Lowenthal – Oracle Corp. Session #102: Enterprise User Security – One Company's Experience

Enterprise User Security – One Company's Experience. Kyle Brokaw – LDS Church; Russ Lowenthal – Oracle Corp. Session #102. Speaker qualifications: Kyle Brokaw (OCP), Core Technology Manager at the LDS Church; Russ Lowenthal (CISSP, CISM, CISA, OCM), Oracle's Protected Enterprise group. PowerPoint PPT presentation.


Page 1: Kyle Brokaw – LDS Church Russ Lowenthal – Oracle Corp. Session #102

Kyle Brokaw – LDS Church
Russ Lowenthal – Oracle Corp.

Session #102

Enterprise User Security – One Company's Experience

Page 2

Speaker Qualifications

• Kyle Brokaw (OCP) – Core Technology Manager at the LDS Church.

• Russ Lowenthal (CISSP, CISM, CISA, OCM) – Oracle's Protected Enterprise group.

• Kyle Brokaw implemented Enterprise User Security in February of 2007.

• Russ Lowenthal works with Oracle customers and often presents on Oracle’s security related products.

Page 3

Before Implementation

• Decide what you need.

Page 4

Licensing

• Must have Oracle 8i or higher Enterprise Edition Database.

• Oracle no longer considers Enterprise User Security a separately licensable database option. In Oracle 8i and Oracle 9i Release 1, EUS was part of the Advanced Security Option. Starting with Oracle 9i Release 2, EUS moves under the umbrella of the Enterprise Edition database, and the only thing that requires a license is the Oracle Directory Service (this includes both Oracle Internet Directory and Oracle Virtual Directory).

• As always, contact your customer service rep. to verify all of this information.

Page 5

What is Enterprise User Security?

• EUS allows centralized user management

• May be used with any application or tool that uses an Oracle Database login

• Integrates with other vendors' products (Active Directory, OpenLDAP, etc.)

• Extensible – APIs to replicate data out of and into Oracle's Internet Directory

• Single Sign-on is also possible with EUS

Page 6

How does EUS work?

Databases and applications authenticate their users through Oracle's Directory Services.

[Diagram: databases and applications connected to Oracle Internet Directory]

Page 7

How does EUS work?

• Oracle 8i introduced the capability to store user information in a centralized directory.

• At logon the database first checks DBA_USERS.

• If the user name DOES NOT exist in the local data store, the database checks whether EUS is enabled.

• If the user name DOES exist within the directory, the database verifies that a valid mapping exists between the user name and a database schema. If one does, the database retrieves a password verifier from the directory and compares it with the password submitted by the user.

Page 8

How does EUS work?

Multiple OID users can be mapped to one database schema.

Page 9

How does EUS work?

• EUS roles must be mapped to database roles.

[Diagram: OID roles (Example role 1, Example role 2, Example role 3) mapped to database roles]

Page 10

How Does EUS Work?

• In OID, databases can be placed within realms (e.g. dc=mycompany,dc=com).

• Each realm can contain multiple domains. This is useful for:
  – Having production, test, and dev realms with the same roles and users but with different privileges.
  – Managing different sets of users for different domains within the same company (e.g. manufacturing is separated from HR).

• Roles are unique within a domain.

• Database user to OID user mapping is also unique within a domain.

Page 11

Enterprise User Events

• With the ability to subscribe to events within the directory, applications can automatically provision users.

[Diagram: applications subscribe to events in Oracle Internet Directory – Provisioning and Integration Server, which returns an event notification callback]

Page 12

Tools you need.

Database   Enterprise Security Manager     Oracle Directory   DBCA       Oracle Wallet
Version                                    Manager                       Manager
9i         Server or client $ORACLE_HOME   Very useful        Required   Required
10g        Client $ORACLE_HOME only        Very useful        Required   –
11g        Part of Database Control        Very useful        Required   –

Page 13

Before Implementation

• Decide on your roles.

• To simplify administration in our use case we created three global roles:
  – DBA
  – Application Support
  – Developer

• Each database also had a create_session role in OID.

• By default all users are mapped to all databases and given the role of their job (DBA, Application Support, or Developer).

• When someone needs access to a database they are simply granted the create_session role. This simplifies and automates 90% of user setup when a new database is created.
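The database side of what pages 7 through 9 and 13 describe, as an added example that is not the presentation's own code: a shared schema with no local password, global roles that only an EUS role mapping in OID can enable, and the per-database create_session role. Schema and role names are constructed, and Oracle 10g/11g syntax is assumed.

```sql
-- Shared schema (page 8): the empty DN means any directory user that OID maps
-- to this schema logs in as it. It has no local password to crack or expire.
CREATE USER eus_shared IDENTIFIED GLOBALLY AS '';

-- Global roles (pages 9 and 13): no password, not grantable to local users
-- directly; they are enabled at logon only through the EUS role mapping.
CREATE ROLE eus_dba            IDENTIFIED GLOBALLY;
CREATE ROLE eus_app_support    IDENTIFIED GLOBALLY;
CREATE ROLE eus_developer      IDENTIFIED GLOBALLY;
CREATE ROLE eus_create_session IDENTIFIED GLOBALLY;

-- Privileges live on the database roles; the directory only decides who gets them.
-- (Grants below are constructed illustrations, not the LDS Church's actual set.)
GRANT CREATE SESSION TO eus_create_session;
GRANT SELECT ANY TABLE TO eus_app_support;
GRANT CREATE TABLE, CREATE PROCEDURE TO eus_developer;
GRANT DBA TO eus_dba;

-- Nothing is granted to the shared schema itself, so a directory user who is
-- mapped to it but has not been given the create_session enterprise role in OID
-- still cannot connect, which is the "granted the create session role" step.

-- Checks a DBA can run afterwards:
-- schemas that depend entirely on the directory mapping (no local password)
SELECT username FROM dba_users WHERE password = 'GLOBAL';
-- roles that can only be enabled through an EUS role mapping
SELECT role FROM dba_roles WHERE password_required = 'GLOBAL';
```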

Page 14

LDS Church Implementation

• Setup and install issues
  – Separating the database from the application server (undocumented ports).
  – Moved to an appliance model. This allowed us to convince architecture to put a database in the application zone.
  – Wallets
    • 9i requires type-3 SSL (SSL certificates on both sides). Make sure you have access to a certificate authority or have your boss buy off on creating your own.
    • 10g uses type-1 SSL (no SSL certificates required).
    • 11g wallet creation is broken in DBCA. See Metalink note 458095.1.

Page 15

Password Policies

• 10.1.4.1 and on allow password policies to be set at any level within the directory.

• Prior to 10.1.4.1 only realms can have password policies (this presents a problem).

• Password policies apply to databases as well as users. For older OID installations you may wish to register databases in a different realm than users to avoid this issue.

• Policies within OID are not enforced on users when they log on to the database. The database logs on to OID using its own password and then only verifies the password for the user.

Page 16

After OID is installed

• Create a new configuration set. This can save you from invalid changes.

Page 17

Adding Users and DBs to OID

• Default interface to oiddas is http://localhost:7777/oiddas

• User roles within OIDDAS are not the same as EUS roles.

• DBCA will register the database within OID. This adds all of the OID entries required for EUS.

Page 18

Using OIDDAS to Add Users

Page 19

Adding Databases to OID

• DBCA registration

• Using ESM to assign a domain (10g, 11g)

• Create groups within a domain

Page 20

Using Enterprise Security Manager to Map OID users to DB Users

Page 21

Examples of Events Available for Applications to Subscribe To

• User Add

• User Delete

• User Changed

Page 22

Steps to subscribing to events

• For PL/SQL
  – Create a package that contains the following functions:

    FUNCTION user_exists (user_name IN VARCHAR2,
                          user_guid IN VARCHAR2,
                          user_dn   IN VARCHAR2) RETURN NUMBER;

    FUNCTION group_exists (group_name IN VARCHAR2,
                           group_guid IN VARCHAR2,
                           group_dn   IN VARCHAR2) RETURN NUMBER;

    FUNCTION event_ntfy (event_type  IN VARCHAR2,
                         event_id    IN VARCHAR2,
                         event_src   IN VARCHAR2,
                         event_time  IN VARCHAR2,
                         object_name IN VARCHAR2,
                         object_guid IN VARCHAR2,
                         object_dn   IN VARCHAR2,
                         profile_id  IN VARCHAR2,
                         attr_list   IN LDAP_ATTR_LIST) RETURN NUMBER;

Page 23

Steps to subscribing to events

• Use oidprovtool to set up an application subscription

• Start the odisrv process to begin the subscription

    oidprovtool operation=create ldap_host=localhost ldap_port=389 \
      ldap_user_dn="cn=orcladmin" ldap_user_password=iougtest0 \
      application_dn="cn=portal,cn=Products,cn=OracleContext,dc=localdomain,dc=com" \
      organization_dn="dc=localdomain,dc=com" \
      interface_name=userprov.oid_event interface_type=PLSQL \
      interface_connect_info=localhost:1521:oid03:userprov:iougtest0 \
      schedule=60 \
      event_subscription="USER:dc=localdomain,dc=com:DELETE" \
      event_subscription="GROUP:dc=localdomain,dc=com:DELETE" \
      event_subscription="USER:dc=localdomain,dc=com:MODIFY(orclDefaultProfileGroup, userpassword)" \
      event_subscription="GROUP:dc=localdomain,dc=com:MODIFY(uniqueMember)"

    oidctl connect=oid03 server=odisrv instance=1 configset=0 start
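A body for the three functions listed on page 22, as an added example package that is not from the presentation, named to match interface_name=userprov.oid_event in the oidprovtool command above. It assumes it is created in the USERPROV schema, that the LDAP_ATTR_LIST type already exists there (created by the DIP setup scripts), that the app_users and oid_event_log tables are constructed for this example, and that the return codes (1 = yes/handled, 0 = no/failed) and the USER_DELETE value of event_type are assumptions rather than facts stated on the page.

```sql
-- Assumed tables (constructed): app_users(oid_guid, username, status),
-- oid_event_log(event_type, event_id, object_name, object_dn, logged_at).
-- Return codes assumed: 1 = yes / handled, 0 = no / failed.
CREATE OR REPLACE PACKAGE oid_event AS
  FUNCTION user_exists (user_name IN VARCHAR2, user_guid IN VARCHAR2,
                        user_dn IN VARCHAR2) RETURN NUMBER;
  FUNCTION group_exists (group_name IN VARCHAR2, group_guid IN VARCHAR2,
                         group_dn IN VARCHAR2) RETURN NUMBER;
  FUNCTION event_ntfy (event_type IN VARCHAR2, event_id IN VARCHAR2,
                       event_src IN VARCHAR2, event_time IN VARCHAR2,
                       object_name IN VARCHAR2, object_guid IN VARCHAR2,
                       object_dn IN VARCHAR2, profile_id IN VARCHAR2,
                       attr_list IN LDAP_ATTR_LIST) RETURN NUMBER;
END oid_event;
/
CREATE OR REPLACE PACKAGE BODY oid_event AS
  FUNCTION user_exists (user_name IN VARCHAR2, user_guid IN VARCHAR2,
                        user_dn IN VARCHAR2) RETURN NUMBER IS
    n PLS_INTEGER;
  BEGIN
    -- Match on the directory GUID: a name can be reused after a delete, a GUID cannot.
    SELECT COUNT(*) INTO n FROM app_users WHERE oid_guid = user_guid;
    RETURN CASE WHEN n > 0 THEN 1 ELSE 0 END;
  END user_exists;
  FUNCTION group_exists (group_name IN VARCHAR2, group_guid IN VARCHAR2,
                         group_dn IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN 0;  -- this application keeps no local copy of directory groups
  END group_exists;
  FUNCTION event_ntfy (event_type IN VARCHAR2, event_id IN VARCHAR2,
                       event_src IN VARCHAR2, event_time IN VARCHAR2,
                       object_name IN VARCHAR2, object_guid IN VARCHAR2,
                       object_dn IN VARCHAR2, profile_id IN VARCHAR2,
                       attr_list IN LDAP_ATTR_LIST) RETURN NUMBER IS
  BEGIN
    -- Audit every notification first, then act on the subscribed DELETE event.
    INSERT INTO oid_event_log (event_type, event_id, object_name, object_dn, logged_at)
      VALUES (event_type, event_id, object_name, object_dn, SYSTIMESTAMP);
    IF event_type = 'USER_DELETE' THEN   -- event_type value is an assumption
      -- Disable rather than delete, so the audit trail and ownership records survive.
      UPDATE app_users SET status = 'DISABLED' WHERE oid_guid = object_guid;
    END IF;
    COMMIT;
    RETURN 1;
  EXCEPTION
    WHEN OTHERS THEN
      ROLLBACK;  -- report failure so the provisioning server can retry the event
      RETURN 0;
  END event_ntfy;
END oid_event;
/
```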

Page 24

Integration with Other LDAP Compliant Directories

Page 25

Integration Server Setup

• A step-by-step setup guide for Active Directory can be found in Metalink note 403287.1

• Uses the same server (odisrv) as event subscription

• Automated configuration is available by using scripts that reside in $ORACLE_HOME/ldap/odi/admin

Page 26

Oracle Virtual Directory

• What is OVD?

• How does it compare to OID?

• When should you use it?

Page 27

Items Learned in this Session

• Today we covered:
  – How Enterprise User Security can benefit you.
  – How to set up Enterprise User Security.
  – Things to look out for when setting up your environment.
  – How you can integrate Enterprise User Security into your environment.

Page 28

Questions?

Page 29

LAB

Page 30

Thank You

• Thank you for attending our session "Enterprise User Security – One Company's Experience", Session #102.
  – Please fill out your evaluation forms.
  – If you have further questions you can contact:

• Kyle Brokaw at [email protected]

"Without education we are in a horrible and deadly danger of taking educated people seriously."

G. K. Chesterton