19_oracle9i security new features

Upload: ravi-rajasekharuni

Post on 07-Apr-2018


  • 8/3/2019 19_Oracle9i Security New Features

    1/31

    Oracle9i Security New Features


    Security Myths


    Oracle Answers to Security Questions


    Oracle9i Proxy Authentication Enhancements

    Proxy Authentication Enhancements

    The introduction of n-tier authentication (also known as Proxy Authentication) provides several benefits:

    o Eliminates super-privileged middle tiers
    o Preserves user identity throughout the application
    o Provides scalability through lightweight OCI and JDBC connections
    o Provides accountability through audit of connections on behalf of the real user


    Oracle9i Secure Application Role

    Secure Application Role

    In Oracle8i, we introduced the idea of application context, essentially allowing each PL/SQL package to have its own space of session variables. Application role in Oracle9i uses a similar concept of authentication to allow users to enable roles based on PL/SQL packages, without supplying a password. This feature is a significant proxy authentication enhancement.

    The SET ROLE command ensures that only the trusted package is consulted. The package can do the desired validation to ensure that the appropriate conditions are in place before the ROLE is set.

    For example, in a three-tier system in which proxy authentication is used, the package can access the PROXY_USER attribute of the user session (using the 'USERENV' naming context) before allowing SET ROLE to proceed. The result is that users who connect to the database by proxy (through the application) have the role enabled and therefore can access the data, while users who connect directly to the database do not get the role enabled and therefore see no data through privileges granted to the role.
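    The proxy-authentication setup and the package-protected role described above, written out as an added example (not taken from the deck); the middle-tier account APPSRV, the end user JSMITH, the role HR_APP_ROLE, the package SEC_ADMIN.HR_APP_ROLE_PKG and the table HR.EMPLOYEES are assumed names.

```sql
-- Added example, not from the original deck. Assumed names: APPSRV (middle tier),
-- JSMITH (end user), HR_APP_ROLE, SEC_ADMIN.HR_APP_ROLE_PKG, HR.EMPLOYEES.

-- 1. Proxy authentication: the middle tier may connect on behalf of JSMITH,
--    and its actions in her name are audited against the real user.
ALTER USER jsmith GRANT CONNECT THROUGH appsrv;
AUDIT SELECT TABLE BY appsrv ON BEHALF OF jsmith;

-- 2. The role is protected by a package instead of a password, and is kept
--    out of the user's default roles so it is never enabled at logon.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_app_role_pkg;
GRANT SELECT ON hr.employees TO hr_app_role;
GRANT hr_app_role TO jsmith;
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT hr_app_role;

-- 3. Invoker's rights, so the package sees the calling session's USERENV context.
CREATE OR REPLACE PACKAGE sec_admin.hr_app_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_app_role_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_app_role_pkg AS
  PROCEDURE enable_role IS
  BEGIN
    -- PROXY_USER is NULL for a direct connection and holds the proxy's name
    -- for a proxied one; only sessions arriving via APPSRV get the role.
    IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APPSRV' THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'HR_APP_ROLE is only available through the APPSRV middle tier');
    END IF;
  END enable_role;
END hr_app_role_pkg;
/
GRANT EXECUTE ON sec_admin.hr_app_role_pkg TO jsmith;

-- 4. Called by the application after connecting as APPSRV[JSMITH]: the role is
--    enabled. Called from a direct SQL*Plus login as JSMITH: ORA-20001, and
--    HR.EMPLOYEES stays invisible.
BEGIN
  sec_admin.hr_app_role_pkg.enable_role;
END;
/
```

    The audit records for the proxied session carry both the proxy (APPSRV) and the real user (JSMITH), which is the accountability benefit listed on the previous slide.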


    Secure Application Role

    The secure application role can be granted globally or locally. That is, the secure application role can be granted to the user by creating the appropriate entry in Oracle Internet Directory (part of the Enterprise User Security feature of Oracle Advanced Security). The role can also be granted locally for database users.


    Public Key Infrastructure

    What is PKI?

    PKI is a standards-based, interoperable technology based on X.509 certificates that scales to the Internet and millions of users. Oracle uses a non-Oracle Certificate Authority such as Entrust, VeriSign, or Baltimore in its PKI implementation. Many Certificate Authorities support Oracle Internet Directory as a repository for publishing CA information such as certificates and certificate revocation lists. Authentication and secure session key management are accomplished using Secure Sockets Layer (SSL).


    Public Key Infrastructure Tools

    Authentication systems based on public key cryptography issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without direct involvement of an authentication server. Oracle provides a public key infrastructure (PKI) for using public keys and certificates. Features include:

    o Oracle Wallet Manager 3.0, a standalone Java application used to manage and edit the security credentials in Oracle wallets. Oracle wallets are data structures that contain a user private key, a user certificate, and a set of trust points (the list of root certificates the user trusts).
    o Integration with Entrust PKI, providing full certificate life cycle management and certificate revocation list (CRL) checking.
    o Oracle Enterprise Login Assistant, used to open and close wallets, to update centrally managed wallets and passwords in Oracle Internet Directory, and to enable or disable secure SSL connections.


    Oracle Wallet Enhancements

    Oracle Wallet Manager supports multiple certificates (and multiple private keys) in each wallet. You can store Oracle wallets in Oracle Internet Directory or in the Windows Registry in addition to the file system. Oracle Wallet Manager and Enterprise Login Assistant can read wallets from the file system or from the Windows System Registry. Benefits include:

    o Enhanced security
    o Easier administration of users and their credentials


    Additional PKI Interoperability

    PKI Interoperability

    Since PKCS#12 is a PKI standard for credential storage, Oracle can now support downloadable, machine-independent wallets. The same wallet and PKI credentials can be used for the browser and for Oracle Wallet (requires export/import in PKCS#12 format).

    This added functionality enables interoperability with browsers such as Netscape and Internet Explorer. Now that Oracle Wallets are compatible with browser wallets, customers no longer have to purchase two different sets of PKI credentials.


    Oracle Internet Directory Support for Wallets

    OID Support for Wallets

    An Oracle wallet is stored in Oracle Internet Directory. Oracle Wallet Manager can upload wallets to and retrieve them from Oracle Internet Directory. Storing wallets in a centralized directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle.

    Oracle Advanced Security is tightly integrated with OID, which can act as a gateway to synchronize data with other LDAPv3-compliant directories, if needed.


    Oracle Wallet Enhancements

    Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages. There must be a one-to-one mapping between certificate requests and certificates. The same certificate request cannot be used to obtain multiple certificates installed in the same wallet.


    KeyUsage Values

    Oracle Wallet Manager uses the X.509 V3 extension KeyUsage to define Oracle PKI certificate usages. When installing a certificate (user certificate, trusted certificate), Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages. You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages. Oracle PKI applications use the first certificate containing the required PKI certificate usage.


    Wallet Password Management

    Oracle Wallet Password Enhancements

    Enhanced wallet password management can enforce policy guidelines such as:

    o Minimum password length
    o Maximum password length unlimited
    o Alphanumeric character mix required


    Multiple Wallet Formats

    Supported Wallet Formats

    In addition to Oracle Wallets, Oracle Advanced Security also supports Entrust profiles and the Microsoft Certificate Store.


    Oracle Wallets and Windows

    Oracle Wallets and the Windows Registry

    Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows System Registry (for Windows 95/98/ME/NT 4.0/2000), or in a Windows file management system. Storing your wallets in the registry provides the following benefits:

    o Better Access Control: Wallets stored in the user profile area of the registry are only accessible by the associated user. User access controls for the system thus become, by extension, access controls for the wallets. In addition, when a user logs out of a system, access to that user's wallets is effectively precluded.
    o Easier Administration: Because wallets are associated with specific user profiles, no permissions need to be managed, and the wallets stored in the profile are automatically deleted when the user profile is deleted. Oracle Wallet Manager can be used to create and manage the wallets in the registry, and the wallets are accessible by Oracle Enterprise Login Assistant as well.
    o Improved Security: Because the wallets are embedded in the registry, the wallets associated with a particular user profile are transparent to all other users. Viewed in combination with better access control and easier administration, this amounts to an additional security layer for Oracle wallets.

    Options Supported:

    o Open wallet from the Registry
    o Save wallet to the Registry
    o Save As to a different Registry location
    o Delete wallet from the Registry
    o Open wallet from the file system and save it to the Registry
    o Open wallet from the Registry and save it to the file system


    Single Sign-On

    Oracle Advanced Security single sign-on authenticates the user once upon initial connection, with strong authentication occurring transparently in subsequent connections to other databases or services. Using single sign-on, users can access multiple accounts and applications with a single password. Oracle Advanced Security supports many forms of two-tier single sign-on with strong authentication, including:

    o Kerberos
    o PKI-based
    o Entrust integration
    o DCE

    Single Sign-On capabilities are extended to Web-based applications and external or legacy applications through Oracle Login Server. Oracle Advanced Security also provides SSL-based single sign-on for Oracle users by integrating with Oracle Internet Directory. The combination of integrated directory services through OID and Oracle's PKI implementation enables SSL-based single sign-on to Oracle9i databases. Single sign-on lets users be authenticated once, with subsequent connections relying on the user's digital certificate. In addition, this integration model provides a single point of password management throughout the enterprise.


    Single Sign-On for Web Applications


    Single Sign-On Integration

    The login server is able to authenticate the user credentials against multiple kinds of password stores that are configured by the administrator. Fundamentally, the interfaces that the login server uses to verify the user's name against the password will be the same, but the underlying adapters will be different. These password stores can be either existing database accounts, table lookups, or other external repositories like Oracle Internet Directory (OID).

    In the case of existing database accounts, the login server verifies whether it can bind to the database with the user ID and password specified. The rest of the information needed for user validation and management, such as the last password change, is stored as part of other tables in the schema.

    In the second case, the login server looks up the user in tables in its own schema containing user credentials. The incoming password is one-way hashed and compared against the entry in the table.

    The third case involves the login server looking up the user credentials in an external repository like OID. LDAP servers, typically being central repositories for the enterprise, would store user credentials. In such a case, the login server would invoke an LDAP C-API to bind to LDAP to verify the credentials and then fetch some attributes.

    Single Sign-On with Partner Applications

    In practice, the user points the browser to a portal providing access to all the organization's SSO-enabled (partner) applications. The user is then challenged by the login server for the proper credentials. If the credentials are authenticated, the login server redirects the user back to the application along with a URL cookie containing some application-specific SSO information.

    Single Sign-On with External Applications

    External Applications

    The user is responsible for maintaining the contents of his or her entries in the wallet. The administrator would be responsible for providing mapping information for foreign applications.


    Directory Service Integration

    Oracle Directory Integration Platform

    The Oracle Directory Integration platform enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third-party metadirectory vendors and developers to develop and deploy their own connectivity agents.

    Metadirectories synchronize information between all enterprise directories, forming one virtual directory. This centralizes administration, thereby reducing administrative costs, and ensures that data is consistent and up-to-date across the enterprise.

    Oracle Directory Integration platform enables you to:

    o Import data from connected directories into Oracle Internet Directory, either all at once or incrementally
    o Export data from Oracle Internet Directory into connected directories, either all at once or incrementally
    o Synchronize all or part of the data in a connected directory with Oracle Internet Directory

    Synchronization is bi-directional. Changes in Oracle Internet Directory are exported to connected directories, and changes in connected directories are imported into Oracle Internet Directory.


    Oracle Directory Integration Server

    The Oracle directory integration server is a multithreaded daemon server process. It is the central component of the Oracle Directory Integration platform. It performs:

    o Scheduling: Running a directory integration agent at a time you specify
    o Mapping: Executing rules for converting data between connected directories and Oracle Internet Directory
    o Error handling

    Multiple integration servers can exist on different systems. Multiple instances of the directory integration server may be run concurrently on the same computer. Each instance has a configuration set entry listing the agents the Oracle directory integration server instance is to run.

    Directory Integration Agents

    A directory integration agent is a program that synchronizes data between Oracle Internet Directory and connected directories. When it synchronizes the data, it does one or more of the following:

    o Exports changes out of Oracle Internet Directory
    o Imports changes into a connected directory
    o Exports changes out of a connected directory
    o Imports changes into Oracle Internet Directory

    Depending on how it is deployed in the Oracle Directory Integration platform, an agent can be either a partner agent or an external agent. Partner agents run under the control of the Oracle directory integration server, meaning that the Oracle directory integration server performs scheduling, data mapping, and error handling for them. Before deploying a partner agent, you register it in Oracle Internet Directory. This registration involves creating a directory integration profile in the directory. To create the profile, you can use either Oracle Directory Manager or command-line tools.

    A partner agent uses either an import file or an export file to exchange data between a connected directory and Oracle Internet Directory. At execution time, it may use additional agent configuration information stored in Oracle Internet Directory. Unlike partner agents, external agents are independent of the Oracle directory integration server. The Oracle directory integration server performs neither scheduling nor data mapping for them. External agents do not need to register with Oracle Internet Directory. Typically, external agents are used when a third-party metadirectory solution is integrated with the platform. The third-party metadirectory solution uses its own metadirectory engine to perform mapping and scheduling.


    Summary