
Oracle Internet Directory and Enterprise User Security






Presentation Transcript


  1. Oracle Internet Directory and Enterprise User Security

  2. LDAP: Industry Standards
  • Stands for Lightweight Directory Access Protocol
  • An Internet standard for directory services
  • A vital platform for enabling integration among various services and applications
  • Major LDAP directory products: OID, Active Directory, iPlanet Directory
  • A directory is a specialized database holding information about devices, people, etc., providing a centralized information management system

  3. OID Benefits
  • A simple and easily manageable network infrastructure for Oracle databases and Application Servers
  • Out-of-the-box configuration; easy to install and configure
  • Complete centralized configuration and management
  • Self-service capabilities for managing users
  • One location to add or modify Oracle database information
  • Can be configured for HA and DR environments
  • Integration with other LDAP directories through the Directory Integration Platform (DIP)

  4. Oracle Internet Directory
  [Diagram: OID serving LDAP clients, administered with Oracle Directory Manager]
  • Scalability
    • 100s of millions of users
    • 1000s of simultaneous clients
  • Flexible deployment topologies
    • Multi-master (DB based)
    • Multi-master (LDAP based)
    • Combined multi-master and fan-out nodes
  • High availability
    • Multi-master and fan-out replication
    • Oracle Application Server Cluster
    • Oracle Data Guard
    • Multi-master with rolling upgrades
  • Directory Integration Platform
    • Connecting 3rd-party directories (Active Directory, Sun Java Enterprise Directory, Novell eDirectory, OpenLDAP)

  5. Oracle Internet Directory
  [Diagram: OID serving LDAP clients, administered with Oracle Directory Manager]
  • Built-in security
    • Comprehensive password policies
    • External authentication
    • Audit capabilities
  • Integrated manageability
    • Oracle Directory Manager
    • Application Server Management Control
    • Enterprise Manager Grid Control
  • Rich toolset
    • Oracle Directory Manager
    • OID Self Service Console
    • Enterprise Security Manager
    • Network Manager

  6. OID - How It Works (tnsnames.ora replacement)
  [Diagram: client, directory server, and database host with listener and server process, steps 1-4 below]
    1. The client initiates a connect request (e.g., sales.us.oracle.com)
    2. The request is directed to an LDAP directory server and translated to a detailed address (port number, host name, protocol, ...), which is sent back to the client
    3. The client makes a connect request to the detailed address provided
    4. The listener on the database host receives the request and directs it to the server process
  Because the client connects to whatever address the directory returns, write access to the net service entries in OID decides where database sessions go; protect those entries like any other piece of the connection path.

  7. Sample ldap.ora File

    DIRECTORY_SERVERS= (oidserver1:3060:3131, oidserver2:3060:3131)
    DEFAULT_ADMIN_CONTEXT = "dc=us,dc=oracle,dc=com"
    DIRECTORY_SERVER_TYPE = OID

  Each DIRECTORY_SERVERS entry is host:ldap_port:ssl_port. DEFAULT_ADMIN_CONTEXT is the directory entry under whose cn=OracleContext the client looks up unqualified net service names.

  8. Sample sqlnet.ora File

    NAMES.DIRECTORY_PATH= (LDAP)

  With LDAP as the only naming method, name resolution fails whenever no directory server is reachable; listing a fallback, e.g. NAMES.DIRECTORY_PATH= (LDAP, TNSNAMES), keeps local tnsnames.ora entries usable.
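As an added worked example (not code from the slides or from Oracle), the following Python models the lookup described in slides 6-8: it parses the sample ldap.ora, builds the directory DN that Oracle Net uses for a connect identifier (cn=<name>,cn=OracleContext under the DEFAULT_ADMIN_CONTEXT, or under the dc= components of a fully qualified name such as sales.us.oracle.com), reads the orclNetDescString attribute that holds the connect descriptor, and moves on to the next DIRECTORY_SERVERS entry when one is unreachable. The in-memory directory, the descriptor for sales, and the "oidserver1 is down" condition are constructed sample data; nothing here talks to a real OID.

```python
"""Model of Oracle Net directory naming (NAMES.DIRECTORY_PATH=(LDAP)).

Added example, not Oracle's code. The directory below is an in-memory
stand-in for OID; hosts, descriptors and the outage are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# The slide's sample ldap.ora, verbatim.
LDAP_ORA = """
DIRECTORY_SERVERS= (oidserver1:3060:3131, oidserver2:3060:3131)
DEFAULT_ADMIN_CONTEXT = "dc=us,dc=oracle,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

Server = Tuple[str, int, int]  # host, LDAP port, SSL port


def parse_ldap_ora(text: str) -> Tuple[List[Server], str, str]:
    """Return (servers, default_admin_context, server_type) from ldap.ora text."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment in ldap.ora
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    servers: List[Server] = []
    for entry in params["DIRECTORY_SERVERS"].strip("() ").split(","):
        host, port, ssl_port = entry.strip().split(":")   # host:ldap_port:ssl_port
        servers.append((host, int(port), int(ssl_port)))
    return servers, params["DEFAULT_ADMIN_CONTEXT"].strip('"'), params.get("DIRECTORY_SERVER_TYPE", "OID")


def service_dn(connect_identifier: str, default_admin_context: str) -> str:
    """DN of the net service entry: 'sales' -> under DEFAULT_ADMIN_CONTEXT;
    'sales.us.oracle.com' -> under dc=us,dc=oracle,dc=com (domain as dc components)."""
    name, _, domain = connect_identifier.partition(".")
    base = ",".join("dc=" + label for label in domain.split(".")) if domain else default_admin_context
    return f"cn={name},cn=OracleContext,{base}"


class DirectoryUnavailable(Exception):
    """No server in DIRECTORY_SERVERS answered."""


SALES_DESC = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=sales-db.us.oracle.com)(PORT=1521))"
              "(CONNECT_DATA=(SERVICE_NAME=sales.us.oracle.com)))")

# Constructed directory contents: host -> {lower-cased DN -> {lower-cased attribute -> value}}.
SAMPLE_DIRECTORY: Dict[str, Optional[dict]] = {
    "oidserver1": None,   # constructed outage: first server is unreachable
    "oidserver2": {
        "cn=sales,cn=oraclecontext,dc=us,dc=oracle,dc=com": {
            "objectclass": ["top", "orclNetService"],
            "orclnetdescstring": SALES_DESC,
        },
    },
}


def ldap_read(server: Server, dn: str, attribute: str, directory=SAMPLE_DIRECTORY):
    """Stand-in for a base-scope search of one attribute on one server.
    Returns the value, None if the entry is absent, raises if the server is down."""
    host, port, _ = server
    entries = directory.get(host)
    if entries is None:
        raise ConnectionError(f"{host}:{port} unreachable")
    entry = entries.get(dn.lower())          # DNs compare case-insensitively
    return None if entry is None else entry.get(attribute.lower())


def resolve(connect_identifier: str, ldap_ora_text: str = LDAP_ORA, directory=SAMPLE_DIRECTORY):
    """Connect descriptor for the identifier, trying servers in the listed order."""
    servers, admin_context, _ = parse_ldap_ora(ldap_ora_text)
    dn = service_dn(connect_identifier, admin_context)
    failures = []
    for server in servers:
        try:
            return ldap_read(server, dn, "orclNetDescString", directory)
        except ConnectionError as exc:
            failures.append(str(exc))
    raise DirectoryUnavailable("; ".join(failures))


def endpoint(descriptor: str) -> Tuple[str, int, str]:
    """HOST, PORT and SERVICE_NAME from a descriptor: what the client dials in step 3."""
    def grab(key: str) -> str:
        m = re.search(rf"\({key}=([^)]+)\)", descriptor)
        if m is None:
            raise ValueError(f"{key} missing from descriptor")
        return m.group(1)
    return grab("HOST"), int(grab("PORT")), grab("SERVICE_NAME")


if __name__ == "__main__":
    for ident in ("sales", "sales.us.oracle.com", "nosuch"):
        desc = resolve(ident)
        print(ident, "->", endpoint(desc) if desc else "not found in directory")
```

Resolution of an absent entry returns None (the client would report the name as unresolvable); only a server that cannot be reached triggers failover to the next entry, so a directory that answers "no such entry" is never retried elsewhere.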

  9. Enterprise User Security

  10. Environments without EUS
  • DBAs must perform these tasks on every database:
    • Set password policies
    • Create users and passwords
    • Reset passwords
    • Manage roles and privileges
    • Assign roles to users

  11. Why Enterprise User Security?
  • Centralized database user administration
    • Create the user once in the directory, not in every database
    • Change the password in one location, not in every database
    • Provide a web interface for users to change their password
  • Centralized database privilege administration
  • Still leverages VPD, Auditing, Label Security, TDE

  12. Enterprise User Security
  • Simplifies login
    • X.509v3 certificates over SSL (8i)
    • Enables a single password for users (9i)
    • Kerberos tickets (10g)
  • Multiple users can share a schema
    • Fewer schemas to manage
    • No need to create users in each database
    • Can still identify the EUS user in the database
  • Password management
    • Password complexity policies set and controlled in the Identity Management directory

  13. Enterprise User Security Authorizations
  • The EUS user resides in OID (Oracle Application Server 10g)
  • The EUS user maps to an Enterprise Role in OID
  • An Enterprise Role in OID maps to one or more Global Database Role(s) in the database(s)
  • The Global Database Role in the database maps to a shared database schema
  • Privileges should be granted to the global database roles

  14. Schema-Independent Users
  [Diagram: the user signs on to the desktop and opens a wallet with a password; the user single-signs-on over SSL to the Oracle DB; the Oracle DB gets the user's roles from the directory server, logs the user in, and points users Jane, John and Kelly to the shared HR User schema]

  15. Enterprise User Security Questions?
  • How do you determine the EUS id while connected to the database as the LDAP shared schema?
      select sys_context('USERENV','EXTERNAL_NAME') from dual;
  • How does database auditing work with EUS?
    The EUS id is stored in the comment$text column of the sys.aud$ table.

  16. Enterprise User Security Questions?
  • How do you determine if OID is running from the command line?
      $ORACLE_HOME/bin/ldapbind -p 3060 -D cn=orcladmin -w password
    Passing the password with -w exposes it in the process list and shell history; for a liveness check, bind as a low-privilege account rather than the orcladmin superuser.
  • How do you capture EUS id attributes from the command line?
      $ORACLE_HOME/bin/ldapsearch -p 3060 -h machine.us.oracle.com -b "dc=us,dc=oracle,dc=com" -s sub "cn=username*"

  17. OID HA / DR Configurations
  • OID Replication
  • OID Guard
  • OID Cluster
  • OID Cluster + OID Replication

  18. OID with Multi-master Replication
  [Diagram: a load balancer answering for sso.mycompany.com and ldap.mycompany.com in front of two Single Sign-On Service nodes (sso1, sso2.mycompany.com) and two OID nodes (ldap1, ldap2.mycompany.com); each OID node has its own database (Database 1, Database 2) kept in sync by multi-master replication over Oracle Net]

  19. OID Replication
  • Two or more directory servers maintaining the same naming contexts
  • Eliminates the directory as a single point of failure
  • Improves performance by providing more servers to handle queries
  • Provides rolling upgrade capability

  20. OID Guard Architecture
  [Diagram: an ACTIVE site (LBR, OC4J, SSO, OID, DB instance) mirrored to an INACTIVE standby site with the same tiers via Oracle Data Guard]

  21. OID Guard
  • Disaster recovery built into Oracle 10g AS
  • Standby site: a consistent point-in-time snapshot of your production site
  • Integrated with Oracle Data Guard
  • Physical standby site: a snapshot of your production database environment

  22. OID Cluster Architecture
  [Diagram: the same load-balanced SSO (sso1, sso2.mycompany.com) and OID (ldap1, ldap2.mycompany.com) front end, with both OID nodes sharing one Oracle Real Application Clusters database (Database Instance 1 and 2 over an interconnect, data files in shared storage)]

  23. OID Cluster
  • OID software installed on multiple hardware nodes, which need not be part of a hardware cluster
  • RAC database instances active on multiple nodes, forming an active/active configuration
  • A load balancer front-ends the OID nodes

  24. OID Cluster + OID Replication
  [Diagram: two sites (Site 1, Site 2), each an OID cluster with its own LBR, SSO and OID nodes and a RAC database (DB Inst1, DB Inst2), linked by multi-master replication]

  25. OID Cluster + OID Replication
  • Combination of OID Cluster deployments with multi-master OID Replication
  • Local availability and scalability with site protection
  • Deployment can be used for load balancing between the sites
  • Ability to scale up each replica as opposed to scaling by adding replicas

  26. OID HA and DR Matrix

  27. Sample EUS Login Trigger

    create or replace trigger sys.ban_non_eus_access
    after logon on database
    declare
      v_eus_user varchar2(4000);   -- a directory DN can exceed 80 characters
      v_isdba    varchar2(20);
    begin
      -- EXTERNAL_NAME is the directory DN for an EUS session, NULL otherwise
      select nvl(sys_context('USERENV','EXTERNAL_NAME'),'NO') into v_eus_user from dual;
      select sys_context('USERENV','ISDBA') into v_isdba from dual;
      if v_isdba = 'FALSE' and v_eus_user = 'NO' then
        raise_application_error(-20001, 'Only EUS users and DBAs can login!');
      end if;
    end;
    /

  Note: EXTERNAL_NAME = Oracle software owner if the session does not come through the Oracle Net listener.
  Because the error is raised in an AFTER LOGON trigger, every non-EUS, non-SYSDBA login is refused, application and batch accounts included; only users holding ADMINISTER DATABASE TRIGGER can still log in when the trigger fails, so test it on a non-production database first.

  28. Setup EUS Database Environment

    $ Register the database with OID using dbca
    SQL> create user ldapuser identified globally as '';
    SQL> create role ldaprole1 identified globally;
    SQL> grant connect to ldaprole1;
    SQL> grant select on scott.emp to ldaprole1;
    SQL> grant select on scott.dept to ldaprole1;
    SQL> create role ldaprole2 identified globally;
    SQL> grant connect to ldaprole2;
    SQL> grant select on hr.jobs to ldaprole2;
    SQL> grant select on hr.employees to ldaprole2;

  Mapping of OID enterprise roles (with the enterprise user in parentheses) to database global roles:

    OID Enterprise Role (user)   | Database Global Role
    -----------------------------|----------------------
    orcllogin  (eus1)            | ldaprole1
    orcllogin2 (eus2)            | ldaprole2
    orcllogin3 (eus3)            | ldaprole1, ldaprole2
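As an added example that is not part of the slides, the following Python models the authorization chain of slides 13 and 28 (enterprise user to enterprise role in OID, to global database role, to privileges) and adds the check a reviewer would run on the setup script. It parses the slide's own CREATE/GRANT statements plus one constructed bad grant (select on hr.salaries directly to the shared schema ldapuser), applies the slide's mapping table (the eus1/eus2/eus3 membership in orcllogin/orcllogin2/orcllogin3 is assumed from the parentheses in that table), and shows that anything granted to the shared schema itself reaches every EUS user mapped to it, whatever their enterprise role.

```python
"""Model of the EUS authorization chain and a linter for the setup script.

Added example, not Oracle code. Role membership of eus1..eus3 and the last
GRANT in SETUP_SQL are constructed.
"""
import re
from collections import defaultdict

# The slide's setup statements, plus one constructed bad grant at the end.
SETUP_SQL = """
create user ldapuser identified globally as '';
create role ldaprole1 identified globally;
grant connect to ldaprole1;
grant select on scott.emp to ldaprole1;
grant select on scott.dept to ldaprole1;
create role ldaprole2 identified globally;
grant connect to ldaprole2;
grant select on hr.jobs to ldaprole2;
grant select on hr.employees to ldaprole2;
grant select on hr.salaries to ldapuser;  -- constructed: privilege granted to the shared schema itself
"""

# OID side, from the slide's mapping table: enterprise role -> global database roles.
ENTERPRISE_ROLE_MAP = {
    "orcllogin": ["ldaprole1"],
    "orcllogin2": ["ldaprole2"],
    "orcllogin3": ["ldaprole1", "ldaprole2"],
}
# Assumed enterprise-role membership for the users shown in parentheses on the slide.
EUS_USER_ROLES = {"eus1": ["orcllogin"], "eus2": ["orcllogin2"], "eus3": ["orcllogin3"]}
SHARED_SCHEMA = "ldapuser"   # every EUS user above is mapped to this schema

GRANT_RE = re.compile(r"^grant\s+(.+?)\s+to\s+(\w+)$", re.I)
GLOBAL_ROLE_RE = re.compile(r"^create\s+role\s+(\w+)\s+identified\s+globally$", re.I)
SHARED_SCHEMA_RE = re.compile(r"^create\s+user\s+(\w+)\s+identified\s+globally\s+as\s+''$", re.I)


def parse_setup(sql):
    """Return (grants, global_roles, shared_schemas) from a setup script.
    grants maps grantee -> list of granted items (a role name or 'select on x')."""
    grants, global_roles, shared_schemas = defaultdict(list), set(), set()
    for raw in sql.splitlines():
        stmt = raw.split("--", 1)[0].strip().rstrip(";").strip()   # drop comments and ';'
        if not stmt:
            continue
        if m := GLOBAL_ROLE_RE.match(stmt):
            global_roles.add(m.group(1).lower())
        elif m := SHARED_SCHEMA_RE.match(stmt):
            shared_schemas.add(m.group(1).lower())
        elif m := GRANT_RE.match(stmt):
            grants[m.group(2).lower()].append(" ".join(m.group(1).lower().split()))
    return grants, global_roles, shared_schemas


def effective_privileges(grantee, grants, roles):
    """Privileges reachable from grantee, expanding granted roles transitively.
    Names not in `roles` (e.g. the predefined CONNECT role) are kept as leaves."""
    privs, seen, stack = set(), set(), [grantee.lower()]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for item in grants.get(name, []):
            if item in roles:
                stack.append(item)
            else:
                privs.add(item)
    return privs


def direct_grants_to_shared_schema(grants, shared_schemas):
    """The check: a privilege granted to a shared schema applies to every EUS
    user mapped to it, bypassing the enterprise-role mapping. Should be empty."""
    return sorted((schema, p) for schema in shared_schemas for p in grants.get(schema, []))


def eus_user_privileges(eus_user, grants, global_roles, shared_schema=SHARED_SCHEMA):
    """What an EUS user can do once logged into the shared schema:
    the schema's own grants plus the global roles reached via its enterprise roles."""
    privs = effective_privileges(shared_schema, grants, global_roles)
    for ent_role in EUS_USER_ROLES.get(eus_user, []):
        for db_role in ENTERPRISE_ROLE_MAP.get(ent_role, []):
            privs |= effective_privileges(db_role, grants, global_roles)
    return privs


if __name__ == "__main__":
    grants, roles, shared = parse_setup(SETUP_SQL)
    for user in EUS_USER_ROLES:
        print(user, sorted(eus_user_privileges(user, grants, roles)))
    print("direct grants to shared schema:", direct_grants_to_shared_schema(grants, shared))
```

Run against the slide's script alone, the linter returns nothing; the constructed grant to ldapuser is the one finding, and the per-user output shows why it matters: eus2 is never mapped to ldaprole1 yet still receives select on hr.salaries, because the shared schema, not a global role, carries that privilege.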
