
Oracle9i Application Server

Security

Agenda
• JAZN & JAAS
• SSO, OID & Directory
• 3rd Party Authentication

JAAS: Java Authentication and Authorization Service

JAAS 1.0: Features
• Subject-based Authentication & Authorization
  – requires JDK 1.3
  – extends the Java2 Security Model
  – currently available as an optional package
• Authentication:
  – configurable, pluggable authentication modules
  – transactional semantics
• Authorization:
  – configurable, pluggable policy
  – default file-based policy provider

JAAS 1.0 Arch ite cture

JAAS 1.0 Pluggable Auth e ntication

Java2 Security Model: Key Features
• Improvements over the JDK 1.1 sandbox model
  – Fine-grained & Permission-based
  – Configurable, Pluggable Policy
• Limitations:
  – only code-based authorization, no notion of Subject/Principal
  – file-based implementation difficult to manage, doesn't scale
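An added example, not from the slides and not Oracle's JAZN code, showing the two points the JAAS 1.0 and Java2 slides make: a pluggable LoginModule driven through JAAS's two-phase login/commit/abort cycle (the "transactional semantics"), and a Principal-based role check on the resulting Subject, which a codeBase-only Java2 policy cannot express. The in-memory user table, the role map, the application name "demo" and the class names are assumptions standing in for what a directory-backed provider such as Oracle's JAAS-LDAP would read from OID. Needs Java 11 or later.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;

public class JaasDemo {
    /** Role carried as a typed Principal on the authenticated Subject. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Pluggable module over a constructed in-memory store (assumption: stands in for OID). */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, String> HASHES = Map.of("alice", sha256Hex("s3cret")); // user -> SHA-256 hex (constructed)
        private static final Map<String, String> ROLES = Map.of("alice", "hr_manager");         // user -> role (constructed)
        private Subject subject;
        private CallbackHandler handler;
        private String user;           // set only once phase 1 (login) succeeds
        private RolePrincipal granted; // set only once phase 2 (commit) runs
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

        /** Phase 1: verify credentials; the Subject is not touched yet. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword();
            try {
                String expected = HASHES.get(nc.getName());
                byte[] got = sha256Hex(pw == null ? "" : new String(pw)).getBytes(StandardCharsets.US_ASCII);
                // constant-time compare; one message whether the user is unknown or the password wrong
                if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII), got))
                    throw new FailedLoginException("authentication failed");
            } finally {
                pc.clearPassword();
                if (pw != null) Arrays.fill(pw, '\0');
            }
            user = nc.getName();
            return true;
        }

        /** Phase 2: every REQUIRED module passed, so populate the Subject now. */
        @Override public boolean commit() {
            if (user == null) return false;
            granted = new RolePrincipal(ROLES.get(user));
            subject.getPrincipals().add(granted);
            return true;
        }
        /** Phase 2 rollback: another module failed, so our phase 1 result is discarded. */
        @Override public boolean abort() { boolean had = user != null; user = null; return had; }
        @Override public boolean logout() { if (granted != null) subject.getPrincipals().remove(granted); granted = null; user = null; return true; }
    }

    /** Programmatic form of a jaas.conf entry: demo { JaasDemo$InMemoryLoginModule required; }; */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** Answers the module's callbacks with the supplied credentials. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    public static Subject login(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("demo", null, credentials(user, password), config());
        lc.login();
        return lc.getSubject();
    }

    /** Principal-based authorization: the check a codeBase-only Java2 policy cannot express. */
    public static boolean hasRole(Subject s, String role) { return s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role)); }

    static String sha256Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "s3cret");
        System.out.println("hr_manager=" + hasRole(alice, "hr_manager") + " dba=" + hasRole(alice, "dba"));
        try { login("alice", "wrong"); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with `javac JaasDemo.java && java JaasDemo`. The design point is that a module verifies in login() and only mutates the Subject in commit(): with several REQUIRED modules stacked in one Configuration, the Subject ends up either fully populated or untouched, and a module that adds principals during login() silently breaks that guarantee.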

Oracle9iAS JAAS: Core Services
• Authentication
  – Integrates SSO with OC4J
  – JAAS-based Authentication Framework
• Authorization
  – Role-based access control
  – Directory-based
  – supports Principal- and code-based policy
• Delegation
  – RunAsClient or RunAsID for Servlet/EJB

Oracle9iAS Java Security - JAAS
• Enables services to authenticate users and enforce access controls (authorization)
• A Java Pluggable Authentication Module (PAM)
• Oracle's JAAS provides:
  – authentication
  – authorization
  – delegation
• JAAS-LDAP
  – centrally manages users and access control policies in Oracle Internet Directory

Oracle9iAS JAAS: Positioning
• What is JAZN?
  – JAZN integrates JAAS Authentication and Authorization with OC4J (an industry first!)
• JAZN provides unified security for Oracle9iAS Java Applications
  – (post-Orion) Oracle now owns all the tiers (Web SSO, Servlet, EJB & Database)
• JAZN provides JAAS-based security services for Oracle9iAS J2EE Applications
  – big momentum for JAAS in J2SE/EE
  – JDK 1.4 Core, Connector, J2EE 1.3, etc.

Oracle Web Single Sign-On (architecture diagram)
• Web Browser, holding the SSO Cookie, talks HTTP to the Oracle9iAS HTTP Server (Apache) with mod_osso
• mod_osso sends a browser without a valid cookie by HTTP Re-direct to the Oracle Single Sign-on Server to Authenticate
• Oracle Single Sign-on Server checks credentials over LDAP against Oracle Internet Directory (LDAP Users, Passwords, Roles)
• Oracle9iAS HTTP Server forwards the request over AJP to OC4J, where JAAS-LDAP authorizes the user over LDAP against Oracle Internet Directory

Product Demonstration: JAAS Enabling and Enterprise Manager

SSO with Digital Certificates
• Digital Certificates provide stronger authentication
• X.509 Certificate stored in OID
• Uploaded to OID using ldapmodify
• Communication over SSL

Oracle Internet Directory

LDAP
• Directory service standard based on the ISO X.500 specification
• Lightweight implementation of X.500
• Protocol standard defined and maintained by the IETF
• Need for interoperability is driving rapid adoption

Oracle Internet Directory
• LDAP v3 Directory Server
  – Standards - LDAP v3, X.500
  – DB-Backed - Scalable, Reliable
  – Fast - Optimised Indexing, Access
  – 2-Way iPlanet Synchronization
• Central Security Administration
  – Manage - Users, Groups, Roles, ACLs
  – Comprehensive Security Operations
  – Advanced - Password Policies, Proxy ACL
  – Delegated Administration (DASN)
• Best-of-Breed Partners
  – Baltimore, Entrust, Netegrity, Verisign, RSA, SmartTrust

What is Oracle Internet Directory?
• Scalability
  – 100MMs of entries per node
  – 1000's of simultaneous accesses
• High availability
  – Multimaster replication using Oracle9i Replication
  – Oracle9i hot backup/recovery
• Security
  – Sophisticated security model based on access control lists
• Standards-based
  – Native LDAPv3 implementation
  – Tightly integrated with the Oracle system management environment
• Integral to Oracle
  – Serves as the Oracle-wide directory

(Diagram: Directory Administration and LDAP clients connect to the Oracle Internet Directory Server; the server stores its data in an Oracle Database reached over Oracle Net connections; other enterprise repositories (HR, LDAP, X.500, NOS, ...) are connected alongside.)

New in OID for 9iAS v2
• Performance Enhancements
• Manageability
• Security and Integration

Server-Side Entry Caching
• Keeps fetched LDAP entries in memory
  – Subsequent searches retrieve only entry ids
  – ids are used to fetch entries from the cache
• Low-concurrency latency
• High-concurrency throughput: over 2000 reads/sec

Delegated Directory Administration: New OID Self-Service Console

Service Monitoring from OEM
• Monitoring of services from the Oracle Enterprise Manager Console
  – service startup and shutdown
  – load statistics
  – response statistics
  – connection statistics

Service Monitoring

Oracle9iAS R2 Component            ...uses OID to store:
---------------------------------  ------------------------------------------------------------
Oracle9iFS                         User ids, passwords
Oracle9i Unified Messaging         User ids, pwds, preferences, buddy lists, dlists, greetings
JAAS (Authorization Toolkit)       Authorization profiles
Oracle9i Single Sign-On Server     User ids, passwords
Oracle9i Reports, Oracle Forms     User, resource ACL info
Oracle9i Portal                    User, group attributes
Oracle9iAS Wireless Edition        User, common user attributes administration


Oracle9iAS Component Integration

Enterprise Password Management
• Password policy management
  – Expiration dates, minimum password lengths, formats, retry limits, lockouts
• Multiple password verifiers
  – Support for multiple apps and protocols (e.g. text password for single sign-on, PIN for voice mail)
• Proxy user capability
  – Proxy scope control capability through ACLs

Oracle Web Single Sign-On (same architecture diagram as in the JAZN & JAAS section)

3rd Party Integration

Oracle & SiteMinder Integration (architecture diagram)
Components: Client Browser, Oracle9iAS with mod_SM, SiteMinder Policy Server, Oracle Internet Directory, Oracle SSO Server, Partner Application
• SiteMinder Web Agent installed in the Oracle9iAS web listener (mod_SM)
• Oracle SSO Server obtains the user identity from mod_SM
• SiteMinder Policy Server: users and policies managed in Oracle Internet Directory

Netegrity Partnership Summary
• Netegrity and Oracle
  – Leader in Web Security partnered with the leader in eBusiness information systems
• Oracle Applications 11i is the first ERP suite to be supported by SiteMinder
• Oracle9i Application Server SSO integrated with SiteMinder
• Oracle Internet Directory for extremely scalable, reliable, and secure SiteMinder user management

Summary
• JAZN & JAAS
• SSO, OID & Directory
• 3rd Party Authentication