19_oracle9i security new features
TRANSCRIPT
-
8/3/2019 19_Oracle9i Security New Features
1/31
Oracle9i Security New Features
Security Myths
Oracle Answers to Security Questions
Oracle9i Proxy Authentication Enhancements
Proxy Authentication Enhancements
The introduction of n-tier authentication (also known as Proxy
Authentication) provides several benefits:
o Eliminates super-privileged middle tiers
o Preserves user identity throughout the application
o Provides scalability through lightweight OCI and JDBC connections
o Provides accountability through audit of connections on behalf of the real user
Oracle9i Secure Application Role
Secure Application Role
In Oracle8i, we introduced the idea of application context, essentially
allowing each PL/SQL package to have its own space of session variables.
The secure application role in Oracle9i uses a similar concept to allow users to enable roles through PL/SQL packages, without supplying a
password. This feature is a significant proxy authentication enhancement.
The SET ROLE command ensures that only the trusted package is
consulted. The package can do the desired validation to ensure that the
appropriate conditions are in place before the ROLE is set.
For example, in a three tier system in which proxy authentication is used, the package
can access the PROXY_USER attribute of the user session (using 'USERENV' naming
context) before allowing SET ROLE to proceed. The result is that users who connect to the
database by proxy (through the application) have the role enabled and can therefore access the
data, while users who connect directly to the database do not get the role enabled and therefore
see no data through privileges granted to the role.
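The proxy-authentication and secure-application-role mechanism described above, as an added example that is not from the original slides. The schema APP_OWNER, end user JSMITH, middle-tier account APPSRV and table APP_OWNER.HR_DATA are hypothetical names; the statements and the USERENV PROXY_USER attribute are standard Oracle SQL and PL/SQL.

```sql
-- Added example, not from the original slides. Schema APP_OWNER, end user
-- JSMITH, middle-tier account APPSRV and table APP_OWNER.HR_DATA are all
-- hypothetical names.

-- 1. n-tier (proxy) authentication: APPSRV may open sessions on behalf of
--    JSMITH without holding JSMITH's password or any super-privilege.
ALTER USER jsmith GRANT CONNECT THROUGH appsrv;

-- 2. Trusted package spec. Invoker's rights, so the check runs as the
--    session user, not as APP_OWNER.
CREATE OR REPLACE PACKAGE app_owner.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_pkg;
/

-- 3. Secure application role: only this package can enable it; a plain
--    SET ROLE hr_app_role typed from SQL is rejected.
CREATE ROLE hr_app_role IDENTIFIED USING app_owner.hr_role_pkg;
GRANT SELECT ON app_owner.hr_data TO hr_app_role;
-- Granted but kept out of the default roles, so it is active only after
-- the package check has run.
GRANT hr_app_role TO jsmith;
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT hr_app_role;

-- 4. The package validates the session before enabling the role.
CREATE OR REPLACE PACKAGE BODY app_owner.hr_role_pkg AS
  PROCEDURE enable_hr_role IS
    v_proxy VARCHAR2(30) := SYS_CONTEXT('USERENV', 'PROXY_USER');
  BEGIN
    -- PROXY_USER is NULL for a direct connection, so a user who bypasses
    -- the application tier never gets the role (and sees no HR_DATA).
    IF v_proxy = 'APPSRV' THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role can only be enabled through the application tier');
    END IF;
  END enable_hr_role;
END hr_role_pkg;
/
GRANT EXECUTE ON app_owner.hr_role_pkg TO jsmith;

-- 5. Middle tier, inside a proxy session opened as JSMITH through APPSRV:
EXEC app_owner.hr_role_pkg.enable_hr_role;
SELECT COUNT(*) FROM app_owner.hr_data;   -- succeeds via the enabled role
```

The same two statements run from a direct SQL*Plus login as JSMITH fail: the procedure raises ORA-20001 because PROXY_USER is NULL, and the SELECT then fails with insufficient privileges.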
Secure Application Role
The secure application role can be granted globally or locally. That is, the secure
application role can be granted to the user by creating the appropriate entry in Oracle
Internet Directory (part of the Enterprise User Security feature of Oracle Advanced
Security). The role can also be granted locally for database users.
Public Key Infrastructure
What is PKI ?
PKI is a standards-based, interoperable technology based on X.509
certificates that scales to the Internet and millions of users. Oracle uses a
non-Oracle Certificate Authority such as Entrust, VeriSign, or Baltimore in its PKI implementation. Many Certificate Authorities support Oracle Internet
Directory as a repository for publishing CA information such as certificates and
certificate revocation lists. Authentication and secure session key management are
accomplished using Secure Sockets Layer (SSL).
Public Key Infrastructure Tools
Authentication systems based on public key cryptography systems issue
digital certificates to user clients, which use them to authenticate directly to
servers in the enterprise without direct involvement of an authentication
server. Oracle provides a public key infrastructure (PKI) for using public keys
and certificates. Features include:
o Oracle Wallet Manager 3.0, a standalone Java application used to manage and edit
the security credentials in Oracle wallets. Oracle wallets are data structures that contain a
user private key, a user certificate, and a set of trust points (the list of root certificates the
user trusts).
o Integration with Entrust PKI, providing full certificate life cycle management and
certificate revocation list (CRL) checking
o Oracle Enterprise Login Assistant is used to open and close wallets, to update
centrally managed wallets and passwords in Oracle Internet Directory, and to enable or
disable secure SSL connections.
Oracle Wallet Enhancements
Oracle Wallet Manager supports multiple certificates (and multiple private
keys) in each wallet. You can store Oracle wallets in Oracle Internet Directory or in
Windows Registry in addition to the file system. Oracle Wallet Manager and Enterprise
Login Assistant can read wallets from the file system or from the Windows System Registry.
Benefits include:
o Enhanced security
o Easier administration of users and their credentials
Additional PKI Interoperability
PKI Interoperability
Since PKCS#12 is a PKI standard for credential storage, Oracle can now
support downloadable, machine-independent wallets. The same wallet and
PKI credentials can be used for the browser and for Oracle Wallet (this requires export/import in PKCS#12 format).
This added functionality enables interoperability with browsers such as
Netscape and Internet Explorer. Now that Oracle Wallets are compatible
with browser wallets, customers no longer have to purchase two different sets of PKI
credentials.
Oracle Internet Directory Support for Wallets
OID Support for Wallets
An Oracle wallet can be stored in Oracle Internet Directory. Oracle Wallet
Manager can upload wallets to and retrieve them from Oracle Internet
Directory. Storing the wallet in a centralized directory lets users access it from multiple locations or devices, ensuring consistent and reliable user
authentication while providing centralized wallet management throughout the
wallet life cycle.
Oracle Advanced Security is tightly integrated with OID, which can act as a
gateway to synchronize data with other LDAPv3 compliant directories, if
needed.
Oracle Wallet Enhancements
Oracle Wallet Manager supports multiple certificates for a single digital
entity, where each certificate can be used for a set of Oracle PKI certificate
usages, but the same certificate cannot be used for all such usages. There must be a one-to-one mapping between certificate requests and certificates:
the same certificate request cannot be used to obtain multiple certificates
installed in the same wallet.
KeyUsage Values
Oracle Wallet Manager uses X.509 V3 extension KeyUsage to define Oracle PKI
certificate usages. When installing a certificate (user certificate, trusted certificate), Oracle
Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages.
You should obtain certificates from the certificate authority with the correct
KeyUsage value for the required Oracle PKI certificate usage. A single wallet
can contain multiple key pairs for the same usage. Each certificate can
support multiple Oracle PKI certificate usages. Oracle PKI applications use
the first certificate containing the required PKI certificate usage.
Wallet Password Management
Oracle Wallet Password Enhancements
Enhanced wallet password management can enforce policy guidelines such
as:
o Minimum password length
o Maximum password length unlimited
o Alphanumeric character mix required
Multiple Wallet Formats
Supported Wallet Formats
In addition to Oracle Wallets, Oracle Advanced Security also supports
Entrust profiles and Microsoft Certificate Store.
Oracle Wallets and Windows
Oracle Wallets and the Windows Registry
Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the
user profile area of the Microsoft Windows System Registry (for Windows
95/98/ME/NT 4.0/2000), or in a Windows file management system. Storing your wallets in the registry provides the following benefits:
o Better Access Control: Wallets stored in the user profile area of the registry are only
accessible by the associated user. User access controls for the system thus become, by
extension, access controls for the wallets. In addition, when a user logs out of a system,
access to that user's wallets is effectively precluded.
o Easier Administration: Because wallets are associated with specific user profiles, no
permissions need to be managed, and the wallets stored in the profile are automatically
deleted when the user profile is deleted. Oracle Wallet Manager can be used to create and
manage the wallets in the registry, and the wallets are accessible by Oracle Enterprise
Login Assistant as well.
o Improved Security: Because the wallets are embedded in the registry, the wallets
associated with a particular user profile are transparent to all other users. Viewed in
combination with better access control and easier administration, this amounts to an
additional security layer for Oracle wallets.
Options Supported:
o Open wallet from the Registry
o Save wallet to the Registry
o Save As to a different Registry location
o Delete wallet from the Registry
o Open wallet from the file system and save it to the Registry
o Open wallet from the Registry and save it to the file system
Single Sign-On
Oracle Advanced Security single sign-on authenticates the user once upon
initial connection, with strong authentication occurring transparently in
subsequent connections to other databases or services. Using single sign-on, users can access multiple accounts and applications with a single
password. Oracle Advanced Security supports many forms of two-tier single
sign-on with strong authentication, including:
o Kerberos
o PKI-based
o Entrust integration
o DCE
Single Sign-On capabilities are extended to Web-based applications and external
or legacy applications through Oracle Login Server. Oracle Advanced Security also provides
SSL-based single sign-on for Oracle users by integrating with Oracle Internet Directory. The
combination of integrated directory services through OID and Oracle's PKI implementation
enables SSL-based single sign-on to Oracle9i databases. Single sign-on lets users be
authenticated once, with subsequent connections relying on the user's digital certificate. In
addition, this integration model provides a single point of password management throughout
the enterprise.
Single Sign-On for Web Applications
Single Sign-On Integration
The login server is able to authenticate the user credentials against multiple
kinds of password stores that are configured by the administrator.
Fundamentally, the interfaces that the login server uses to verify the user's name against the password are the same, but the underlying adapters
differ. These password stores can be either existing database
accounts, table lookups, or other external repositories like Oracle Internet
Directory (OID).
If the store is existing database accounts, the login server verifies whether it can bind
to the database with the user ID and password specified. The rest of the
information needed for user validation and management, such as the time of the last
password change, is stored in other tables in the schema.
In the second case, the login server looks up tables in its own
schema containing user credentials. The incoming password is one-way
hashed and compared against the entry in the table.
In the third case, the login server looks up the user credentials
in an external repository such as OID. LDAP servers, typically being central
repositories for the enterprise, store user credentials. In such a case,
the login server invokes the LDAP C API to bind to the LDAP server to verify the credentials and
then fetches some attributes.
Single Sign-On with Partner Applications
In practice, the user points the browser to a portal providing access to all the
organization's SSO-enabled (partner) applications. The user is then
challenged by the login server for the proper credentials. If the credentials
are authenticated, the login server redirects the user back to the application
along with a URL cookie containing some application-specific SSO information.
Single Sign-On with External Applications
External Applications
The user is responsible for maintaining the contents of his or her entries in
the wallet. The administrator would be responsible for providing mapping
information for foreign applications.
Directory Service Integration
Oracle Directory Integration Platform
The Oracle Directory Integration platform enables you to synchronize
various directories with Oracle Internet Directory. It also makes it easier for
third-party metadirectory vendors and developers to develop and deploy their own connectivity agents.
Metadirectories synchronize information between all enterprise directories,
forming one virtual directory. It centralizes administration, thereby reducing
administrative costs and it ensures that data is consistent and up-to-date
across the enterprise.
Oracle Directory Integration platform enables you to:
o Import data from connected directories into Oracle Internet Directory, either all at
once or incrementally
o Export data from Oracle Internet Directory into connected directories, either all at
once or incrementally
o Synchronize all or part of the data in a connected directory with Oracle Internet
Directory
Synchronization is bi-directional. Changes in Oracle Internet Directory are
exported to connected directories, and changes in connected directories are
imported into Oracle Internet Directory.
Oracle Directory Integration Server
The Oracle directory integration server is a multithreaded daemon server
process. It is the central component of Oracle Directory Integration platform.
It performs:
o Scheduling: Running a directory integration agent at a time you specify
o Mapping: Executing rules for converting data between connected directories and
Oracle Internet Directory
o Error handling
Multiple integration servers can exist on different systems. Multiple instances of
directory integration server may be run concurrently on the same computer. Each instance
has a configuration set entry listing the agents the Oracle directory integration server
instance is to run.
Directory Integration Agents
A directory integration agent is a program that synchronizes data between
Oracle Internet Directory and connected directories. When it synchronizes
the data, it does one or more of the following:
o Exports changes out of Oracle Internet Directory
o Imports changes into a connected directory
o Exports changes out of a connected directory
o Imports changes into Oracle Internet Directory
Depending on how it is deployed in the Oracle Directory Integration platform,
an agent can be either a partner agent or an external agent. Partner agents
run under the control of the Oracle directory integration server meaning that
the Oracle directory integration server performs scheduling, data mapping,
and error handling for them. Before deploying a partner agent, you register it
in Oracle Internet Directory. This registration involves creating a directory
integration profile in the directory. To create the profile, you can use either
Oracle Directory Manager or command-line tools.
A partner agent uses either an import file or an export file to exchange data
between a connected directory and Oracle Internet Directory. At execution time, they may
use additional agent configuration information stored in Oracle Internet Directory. Unlike
partner agents, external agents are independent of the Oracle directory integration server.
The Oracle directory integration server performs neither scheduling nor data mapping for
them. External agents do not need to register with Oracle Internet Directory.
Typically, external agents are used when a third-party metadirectory solution is
integrated with the platform. The third-party metadirectory solution uses its own
metadirectory engine to perform mapping and scheduling.
Summary