1 / 30

Kyle Brokaw – LDS Church Russ Lowenthal – Oracle Corp. Session #102

Enterprise User Security – One Companies Experience. Kyle Brokaw – LDS Church Russ Lowenthal – Oracle Corp. Session #102. Speaker Qualifications. Kyle Brokaw (OCP) – Core Technology Manager at the LDS Church. Russ Lowenthal (CISSP, CISM, CISA, OCM) - Oracle’s Protected Enterprise group.

fauve
Download Presentation

Kyle Brokaw – LDS Church Russ Lowenthal – Oracle Corp. Session #102

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Enterprise User Security – One Companies Experience Kyle Brokaw – LDS ChurchRuss Lowenthal – Oracle Corp.Session #102

  2. Speaker Qualifications • Kyle Brokaw (OCP) – Core Technology Manager at the LDS Church. • Russ Lowenthal (CISSP, CISM, CISA, OCM) - Oracle’s Protected Enterprise group. • Kyle Brokaw implemented Enterprise User Security in February of 2007. • Russ Lowenthal works with Oracle customers and often presents on Oracle’s security related products.

  3. Before Implementation • Decide what you need.

  4. Licensing • Must have Oracle 8i and higher Enterprise Edition Database. • Oracle no longer considers Enterprise User Security a separately licensable database option (in Oracle 8i and Oracle 9i Release 1 EUS was part of the Advanced Security Option. Starting with Oracle 9iRelease 2 EUS moves under the umbrella of the Enterprise Edition database and the only thing that requires a license is the Oracle Directory Service (this includes both Oracle Internet Directory and Oracle Virtual Directory). • As always, contact your customer service rep. to verify all of this information.

  5. What is Enterprise User Security? • EUS Allows Centralized User Management • May be used with any application or tool that uses an Oracle Database login • Integrates with other vendors products (Active Directory, OpenLDAP, etc.) • Extensible – API’s to replicate data out of and into Oracle’s Internet Directory • Single Sign-on is also possible with EUS

  6. How does EUS work? Databases and Applications authenticate their users through Oracle’s Directory Services. Oracle Internet Directory

  7. How does EUS work? • Oracle 8i introduced the capability to store user information in a centralized directory. • At logon the database checks DBA_USERS • If the user name DOES NOT exist in the local data store, the database checks to see if EUS is enabled • If the user name DOES exist within the directory, the database verifies that a valid mapping exists between the user name and a database schema. If one does, the database retrives a password verifier from the directory and compares it with the password submitted by the user.

  8. How does EUS work? Multiple OID users can be mapped to one database schema.

  9. How does EUS work? • EUS Roles must be mapped to database roles. Example role 1 Example role 2 OID Roles Example role 3

  10. How Does EUS Work? • In OID, databases can be placed within realms. (ie. dc=mycompany,dc=com) • Each Realm can contain multiple domains. This is useful for: • Having a production, test, and dev realms with the same roles and users but with different privileges. • Manage different sets of users for different domains within the same company (ie. manufacturing is separated from HR) • Roles are unique within a domain • Database user to OID user mapping is also unique within a domain as well.

  11. Enterprise User Events • With the ability to subscribe to events within the directory, applications can automatically provision users. Oracle Internet Directory – Provisioning and Integration Server Event notification callback Subscribe to events Applications

  12. Tools you need.

  13. Before Implementation • Decide on your roles • To simplify administration in our usecase we created three global roles. • DBA • Application Support • Developer • Each database also had a create_session role in OID. • By default all users are mapped to all databases and given the role of their job (DBA, Application Support, or Developer) • When someone needs access to a database they are simply granted the create session role. This simplifies and automates 90% of user setup when a new database is created.

  14. LDS Church Implementation • Setup and install issues • Separating the database from the application server (undocumented ports). • Moved to an appliance model. This allowed us to convince architecture to put a database in the application zone. • Wallets • 9i requires type-3 SSL (requires SSL certs. on both sides). Make sure you have access to a certificate authority or have your boss buy off on creating your own. • 10g uses type-1 SSL (no SSL certificates required). • 11g wallet creation is broken in DBCA. See metalink note 458095.1

  15. Password Policies • 10.1.4.1 and on allow password policies to be set at any level within the directory. • Prior to 10.1.4.1 only realms can have password policies (this presents a problem). • Password policies apply to databases as well as users. For older OID installations you may wish to register databases in a different realm than users to avoid this issue • Policies within OID are not enforced on users when they logon to the database. The database logs on to OID using its password and then only verifies the password for the user.

  16. After OID is installed • Create a new configuration set. This can save you from invalid changes.

  17. Adding Users and DBs to OID • Default interface to oiddas is http://localhost:7777/oiddas • User roles within OIDDAS are not the same as EUS roles. • DBCA will register the database within OID. This adds all of the OID entries required for EUS.

  18. Using OIDDAS to Add Users

  19. Adding Databases to OID • DBCA Registration • Using ESM to Assign a Domain (10g ,11g) • Create Groups Within a Domain

  20. Using Enterprise Security Manager to Map OID users to DB Users

  21. Examples of Events Availible for Applications to Subscribe. • User Add • User Delete • User Changed

  22. Steps to subscribing to events • For PL/SQL • Create a package that contains the following Functions: FUNCTION user_exists ( user_name IN VARCHAR2, user_guid IN VARCHAR2, user_dn IN VARCHAR2) return NUMBER; FUNCTION group_exists ( group_name IN VARCHAR2, group_guid IN VARCHAR2, group_dn IN VARCHAR2) RETURN NUMBER; FUNCTION event_ntfy ( event_type IN VARCHAR2, event_id IN VARCHAR2, event_src IN VARCHAR2, event_time IN VARCHAR2, object_name IN VARCHAR2, object_guid IN VARCHAR2, object_dn IN VARCHAR2, profile_id IN VARCHAR2, attr_list IN LDAP_ATTR_LIST ) RETURN NUMBER;

  23. Steps to subscribing to events • Use oidprovtool to setup a application subscription oidprovtool operation=create ldap_host=localhost ldap_port=389 ldap_user_dn="cn=orcladmin“ ldap_user_password=iougtest0 application_dn="cn=portal,cn=Products,cn=OracleContext,dc=localdomain,dc=com“ organization_dn="dc=localdomain,dc=com" interface_name=userprov.oid_event interface_type=PLSQL interface_connect_info=localhost:1521:oid03:userprov:iougtest0 schedule=60 event_subscription="USER:dc=localdomain,dc=com:DELETE" event_subscription="GROUP:dc=localdomain,dc=com:DELETE“ event_subscription="USER:dc=localdomain,dc=com:MODIFY(orclDefaultProfileGroup, userpassword)" event_subscription="GROUP:dc=localdomain,dc=com:MODIFY(uniqueMember)" • Start the odisrv process to begin the subscription oidctl connect=oid03 server=odisrv instance=1 configset=0 start

  24. Integration with Other LDAP Compliant Directories

  25. Integration Server Setup • Step by Step setup guide for Active Directory guide can be found in metalink note 403287.1 • Uses the same server (odisrv) as event subscription • Automated configuration is available by using scripts that reside in $ORACLE_HOME/ldap/odi/admin

  26. Oracle Virtual Directory • What is OVD? • How does it compare to OID? • When should you use it?

  27. Items Learned in this Session • Today we covered: • How Enterprise User can benefit you. • How to setup Enterprise User • Things to look out for when setting up your environment • How you can integrate Enterprise User Security into you environment

  28. Questions?

  29. LAB

  30. Thank You • Thank you for attending our session “Enterprise User Security – One Companies Experience” Session #102 • Please fill out your evaluation forms • If you have further questions you can contact: • Kyle Brokaw at kb57442@yahoo.com      “Without education we are in a horrible and deadly danger of taking educated people seriously.” G. K. Chesterton

More Related