Mar 26, 2015
Uploaded by Molly Phillips

Transcript

Page 1:

Page 2:

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3:

Oracle Database Integration with Active Directory and Windows Security
Christian Shay
Principal Product Manager, Windows Technologies
Oracle USA

Page 4:

Agenda

• Database Registration and Name Resolution
• Single Sign-On
  • Windows Native Authentication
  • Kerberos
• Security Integration for .NET Applications
• Enterprise User Security and Virtual Directory

Page 5:

Database Registration and Name Resolution

Overview
• Store and resolve Net names through Active Directory
• Eliminate tnsnames.ora on clients
• Centralize configuration, reduce administration
• Authenticated connection to Active Directory (11g)
  • AD no longer needs to allow anonymous access
• Enhanced tools support for storing Net naming
  • AD Users and Computers
  • Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager

Page 6:

Database Registration and Name Resolution

Client OS     Server OS   AD    OID   Comments
Windows       Windows     Yes   Yes
Windows       Any         Yes   Yes   Tools for registering the Net Service in AD must be run on Windows
Linux/Unix    Any         No    Yes   AD integration solutions can help

Page 7:

Database Registration and Name Resolution: Configuration/Administration

Windows environment: Active Directory is the repository of database names and connect descriptors; client systems are configured to look names up there.

1 – Ensure that the Administrator can modify the schema in Active Directory
2 – Register the schema using NetCA
3 – Create the Naming Context using NetCA
4 – Register the database in AD using DBCA or Net Manager
5 – Configure Directory Naming and Directory Usage (AD) on the client systems using NetCA

Page 8:

Database Registration and Name Resolution: Run-time

1 – User signs on to the desktop
2 – User issues a connect request
3 – The client retrieves the connect descriptor from Active Directory (the repository of database names and connect descriptors)
4 – The client connects to the Oracle Database using the connect descriptor (any platform)

Page 9:

Database Registration and Name Resolution: Demo Environment

Windows XP SP2
  Machine name: xpclient.adnet.dev
  User: oracle
  Database server: orcl

Windows Server 2003 EE SP1 (Domain Controller)
  Machine name: w2k3s.adnet.dev
  Domain: adnet.dev

Tools installed (both are available on the Windows Server 2003 media):
  Support Tools (under the Support directory on the CD); ADSI Edit is part of it
  Admin Tools (under the i386 directory on the CD): AD Users & Computers, etc.

Page 10:

Demonstration: Database Registration and Name Resolution

Page 11:

Database Registration and Name Resolution: Summary

1. Ensure that the Administrator can modify the schema in Active Directory
2. Register the schema using NetCA (one time for the entire AD forest)
3. Create the Naming Context using NetCA (once per domain)
4. Register the database in AD using DBCA or Net Manager
5. Configure Directory Naming and Directory Usage (AD) using NetCA (on systems that want to use AD)
6. Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems

To support pre-11g clients:
1. Enable anonymous bind in AD
2. Change the ACLs on the Oracle Naming Context and the Database/Net Services objects to allow anonymous access

Note that the pre-11g fallback lets any unauthenticated LDAP client read every registered connect descriptor (host names, ports, service names), so open it only while such clients remain and close it again afterwards.

Please refer to the white paper "Configuring Microsoft Active Directory for Net Naming" for detailed information.
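Steps 5 and 6 of the summary, plus a check of the result, as an added example that is not part of the original deck. The PowerShell script below writes the two client-side files NetCA would produce, lists the databases registered in AD over the same authenticated bind the 11g client uses, and verifies that the anonymous path needed only by pre-11g clients is closed. It assumes the demo environment above (domain adnet.dev, domain controller w2k3s.adnet.dev, database orcl) and the standard Oracle AD schema extension, in which each registered database is an orclNetService object under cn=OracleContext with its connect descriptor in orclNetDescString; the Oracle home path is a placeholder.

```powershell
# Added example (not from the original deck). Assumes the demo environment on the
# previous slides: domain adnet.dev, domain controller w2k3s.adnet.dev, database orcl.
# $OracleHome is a placeholder; adjust it to the client's Oracle home.
$OracleHome = 'C:\app\oracle\product\11.2.0\client_1'
$NetAdmin   = Join-Path $OracleHome 'network\admin'
$BaseDn     = 'dc=adnet,dc=dev'
$DcHost     = 'w2k3s.adnet.dev'

# Step 5: point the client at AD for directory naming (what NetCA writes to ldap.ora).
@"
DIRECTORY_SERVERS     = (${DcHost}:389:636)
DEFAULT_ADMIN_CONTEXT = "$BaseDn"
DIRECTORY_SERVER_TYPE = AD
"@ | Set-Content -Path (Join-Path $NetAdmin 'ldap.ora') -Encoding ASCII

# Step 6: resolve names via LDAP first, fall back to tnsnames.ora, and bind to AD as the
# logged-on Windows user instead of anonymously (11g client). Without the last line the
# client falls back to an anonymous bind, which AD denies unless opened for old clients.
@"
NAMES.DIRECTORY_PATH = (LDAP, TNSNAMES)
NAMES.LDAP_AUTHENTICATE_BIND = YES
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"@ | Set-Content -Path (Join-Path $NetAdmin 'sqlnet.ora') -Encoding ASCII

# Check 1: what an authenticated client sees. Registered databases are orclNetService
# objects under cn=OracleContext; the connect descriptor is in orclNetDescString
# (schema names are the assumption stated in the lead-in).
$ctx      = "LDAP://$DcHost/cn=OracleContext,$BaseDn"
$root     = New-Object System.DirectoryServices.DirectoryEntry($ctx)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=orclNetService)')
$searcher.PropertiesToLoad.AddRange(@('cn', 'orclNetDescString'))
foreach ($r in $searcher.FindAll()) {
    '{0,-12} {1}' -f $r.Properties['cn'][0], $r.Properties['orclNetDescString'][0]
}

# Check 2: the anonymous read that pre-11g clients need must fail unless you have
# deliberately opened AD for them (summary, second list).
$anon = New-Object System.DirectoryServices.DirectoryEntry($ctx, $null, $null, [System.DirectoryServices.AuthenticationTypes]::Anonymous)
try {
    $anon.RefreshCache()
    Write-Warning 'Anonymous read of the Oracle naming context succeeded; the pre-11g fallback is open.'
} catch {
    Write-Host 'Anonymous access to the Oracle naming context is denied (expected for 11g-only clients).'
}

# Finally resolve the name exactly as a client would, with no tnsnames.ora entry for it.
& (Join-Path $OracleHome 'bin\tnsping.exe') orcl
```

Run the script as the Windows user who will use the client; the DirectorySearcher bind and the tnsping resolution then exercise the same credentials Oracle Net will use, so a success here and a failure in the application points at the application rather than at AD.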

Page 12:

Single Sign-On

Page 13:

Single Sign-On

Windows Native Authentication (client OS: Windows; server OS: Windows)
• Included and configured in all database editions
• MS KDC is used implicitly
• Uses the External Users mechanism
• Enterprise User Security not supported
• Direct support for Windows group membership for role authorization

Kerberos (client OS: any; server OS: any)
• EE and the ASO option needed
• MS KDC is supported
• Uses the External Users mechanism (by default)
• Enterprise User Security supported
• EUS and AD integration solutions needed to support authorization through Windows group membership

Page 14:

Windows Native Authentication: Basics

• All of this is preconfigured; we use it internally
• ORA_DBA: all members get SYSDBA privileges
• ORA_OPER: all members get SYSOPER privileges
• ORA_ORCL_DBA: members get SYSDBA on ORCL only
• For any other Windows user, an external user needs to be created in the Oracle database:
  create user "Sales\frank" identified externally;
• Windows groups can be used to assign roles (if os_roles is true):
  create role sales identified externally;
  The corresponding Windows group for a database with SID orcl is ORA_orcl_sales_d if this should be a default role
• If the Oracle Administration Assistant is used, it makes the appropriate changes in AD and the database

Page 15:

Windows Native Authentication

• Enabled by default and can work across systems
• Windows user logon credentials are used for database authentication
• Authentication protocol (Kerberos or NTLM) is negotiated based on the OS and the Domain Controller
• Authorization can be granted through Windows group membership
• Pre-defined Windows groups for DBAs and Operators
• Uses the Oracle External Users and External Roles mechanisms
• Oracle Administration Assistant can be used to manage user authentication and role authorization
• This feature is completely independent of the Database Registration and Name Resolution feature

Page 16:

Windows Native Authentication (flow between the client, Active Directory/KDC and the database)

1 – User signs on to the desktop
2 – User attempts to sign on to Oracle
3 – Client and database negotiate the security protocol and exchange security tokens with Active Directory/KDC
4 – The database identifies the user as a specific External User
5 – The database finds the Windows group memberships (if os_roles is true)
6 – Roles are assigned based on database roles or group memberships (depending on os_roles)

Page 17:

Windows Native Authentication: Configuration

• Set os_authent_prefix to "" (null) in init.ora
  • By default it is set to OPS$ (for backward compatibility)
• Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (the default setup)
• DO NOT:
  • Set remote_os_authent in init.ora (the default value false is correct). With remote_os_authent=true the server trusts an OS user name asserted by the client over the network, so any host that can reach the listener could log in as any external user; the parameter is deprecated in 11g.
  • Set os_auth_prefix_domain in the Registry (the default value true is correct)
• Set os_roles to true in init.ora if you want to use Windows group membership for role authorization
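The configuration on this slide and the basics on the two slides before it, as an added example that is not part of the original deck: a PowerShell script run on the database server that audits each setting the slides call for and then maps one Windows group to an external role. It assumes the demo database orcl, a placeholder Oracle home and registry key name, PowerShell 5.1 or later for the local-group cmdlets, and a placeholder domain group to put into the role; the external role name SALES follows the example on the basics slide, created in uppercase as Oracle's own examples show it.

```powershell
# Added example (not from the original deck). Run on the database server as a member of
# ORA_DBA so that "/ as sysdba" works. $OracleHome, the registry key and the domain
# group added at the end are placeholders.
$OracleHome = 'C:\app\oracle\product\11.2.0\dbhome_1'
$Sid        = 'orcl'
$Sqlplus    = Join-Path $OracleHome 'bin\sqlplus.exe'

# 1. Who gets SYSDBA/SYSOPER without a database password? Every member of these groups.
foreach ($g in 'ORA_DBA', 'ORA_OPER', "ORA_${Sid}_DBA") {
    $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    '{0,-14} {1}' -f $g, ($members -join ', ')
}

# 2. sqlnet.ora must list NTS, otherwise Windows logons are not accepted at all.
$sqlnet = Get-Content (Join-Path $OracleHome 'network\admin\sqlnet.ora') -ErrorAction SilentlyContinue
if (-not ($sqlnet -match '^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(.*NTS')) {
    Write-Warning 'SQLNET.AUTHENTICATION_SERVICES does not include NTS'
}

# 3. Registry: OSAUTH_PREFIX_DOMAIN must stay TRUE so that the domain is part of the
#    external user name ("SALES\FRANK", not just "FRANK"). The key name follows the
#    Oracle home; KEY_OraDb11g_home1 is a placeholder for the real one.
$key = 'HKLM:\SOFTWARE\ORACLE\KEY_OraDb11g_home1'
$v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).OSAUTH_PREFIX_DOMAIN
if ($v -and $v -ne 'TRUE') { Write-Warning "OSAUTH_PREFIX_DOMAIN is '$v'; expected TRUE" }

# 4. Instance parameters named on the slide, read from the running instance.
#    remote_os_authent=TRUE would let any client assert an OS user name over the
#    network, so it must stay FALSE; os_authent_prefix must be empty, not OPS$.
$env:ORACLE_SID = $Sid
$checks = @"
set heading off feedback off pagesize 0
select name || '=' || nvl(value, '<null>') from v`$parameter
 where name in ('os_authent_prefix', 'remote_os_authent', 'os_roles');
exit
"@
$params = $checks | & $Sqlplus -S '/ as sysdba'
$params
if ($params -match '^remote_os_authent=TRUE')  { Write-Warning 'remote_os_authent must be FALSE' }
if ($params -match '^os_authent_prefix=OPS\$') { Write-Warning 'os_authent_prefix is still OPS$' }
if (-not ($params -match '^os_roles=TRUE'))    { Write-Warning 'os_roles is FALSE; Windows groups will not map to roles' }

# 5. Map a Windows group to a database role (needs os_roles=TRUE): create the external
#    role, then the local group ORA_<sid>_<role>_D whose members get it as a default
#    role, as the basics slide describes.
@"
create role sales identified externally;
exit
"@ | & $Sqlplus -S '/ as sysdba'
New-LocalGroup -Name "ORA_${Sid}_SALES_D" -Description 'Default role SALES on ORCL' -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group "ORA_${Sid}_SALES_D" -Member 'ADNET\Sales Staff'   # placeholder domain group

# 6. What the database sees for the logged-on Windows user when connecting with "/".
#    Requires an external user for that account (create user "DOMAIN\USER" identified
#    externally), otherwise the connect fails with ORA-01017.
@"
set heading off feedback off pagesize 0
select sys_context('userenv', 'authentication_method') || ' ' ||
       sys_context('userenv', 'os_user') || ' ' || user from dual;
exit
"@ | & $Sqlplus -S /
```

The last query is the quickest way to tell the two authentication paths apart: with Windows Native Authentication the authentication method shows as OS and the os_user carries the DOMAIN\user name the external user was created from; if the method shows PASSWORD, the connection did not use the Windows logon at all.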

Page 18:

Demonstration: Windows Native Authentication

Page 19:

Kerberos Authentication

• Integrated with the Microsoft Key Distribution Center (MS KDC)
• Supports heterogeneous systems
  • A Windows client can connect to a non-Windows server and vice versa
• Uses the External User mechanism in the database
• Can also be supported with Enterprise User Security
• EE and ASO (Advanced Security Option) feature

Page 20:

Kerberos Enhancements in 11g

• Stronger encryption algorithms (DES3, AES, RC4); prefer AES, since current Windows versions disable DES by default
  • Supports the default encryption type of the MS KDC
  • Encryption type configuration is no longer needed in the Registry
• Uses the DNS domain name as the Kerberos REALM name by default
  • A mapping between the DNS domain name and the Kerberos REALM name is no longer needed in the Kerberos config file
• Kerberos authentication to an Oracle database in an MS cross-domain setup
• Removal of the 30-character limit on the Kerberos user name

Page 21:

Kerberos Authentication: Configuration

• Create the Kerberos and sqlnet configuration files on clients and servers using Oracle Net Manager
• Create users in Active Directory for the client and the database server (for non-Windows clients or servers)
• Use the ktpass utility to create the keytab file and copy it to the DB server node. The keytab holds the database service's long-term key: copy it only over an encrypted channel and restrict its file ACL to the account the Oracle service runs as
• Obtain an initial ticket for the Kerberos user
• Set os_authent_prefix to "" in init.ora
• DO NOT:
  • Set remote_os_authent in init.ora (the default value FALSE is correct)

Page 22:

Kerberos Authentication (flow between the client, the MS KDC and the database)

1 – User signs on to the desktop
2 – User attempts to sign on to Oracle
3 – The client obtains a ticket for the database service from the MS KDC
4 – The database identifies the user as a specific External User and assigns database roles accordingly

Example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS '[email protected]';
SQL> GRANT CONNECT, RESOURCE TO KRBUSER;
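The configuration steps from the previous slide and the runtime flow above, as an added example that is not part of the original deck: a PowerShell session in which a domain administrator creates the database server's service account and keytab on the domain controller, followed by the sqlnet.ora and krb5.conf content Net Manager generates on an 11g server and on a Windows client, and the client-side checks that the ticket exchange of step 3 actually happens. It assumes the demo domain adnet.dev (realm ADNET.DEV, KDC w2k3s.adnet.dev); the database host dbhost.adnet.dev, the service account svc_orcl and all file paths are placeholders. The Kerberos service name oracle is the ASO default.

```powershell
# Added example (not from the original deck). Names follow the demo domain adnet.dev;
# dbhost.adnet.dev, svc_orcl and every file path are placeholders.
$Realm   = 'ADNET.DEV'
$DbHost  = 'dbhost.adnet.dev'
$SvcUser = 'svc_orcl'
$Keytab  = 'C:\keytab\v5srvtab'

# --- On the domain controller, as a domain administrator -------------------------------
# 1. A dedicated account for the database service ("create users in AD for the database
#    server"). Nobody logs on with it interactively, so it gets a long random password
#    and AES-only keys; ktpass replaces the password again below.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web
$pw = [System.Web.Security.Membership]::GeneratePassword(32, 8)
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -UserPrincipalName "$SvcUser@$Realm" `
    -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256

# 2. Bind the SPN oracle/<host> to the account and export its key to a keytab. ktpass
#    resets the account password to a random value (+rndpass) so that the key in AD and
#    the key in the keytab agree; AES256-SHA1 matches the 11g enhancement slide.
#    The keytab is the service's long-term key: copy it over an encrypted channel and
#    restrict the file ACL on the database server to the Oracle service account.
& ktpass.exe -princ "oracle/$DbHost@$Realm" -mapuser "$SvcUser@$Realm" `
    -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass +rndpass -out $Keytab

# --- On the database server: sqlnet.ora lines Net Manager writes for Kerberos (11g) ----
$ServerSqlnet = @"
SQLNET.AUTHENTICATION_SERVICES          = (BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF                   = C:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT               = TRUE
SQLNET.KERBEROS5_KEYTAB                 = $Keytab
"@

# krb5.conf with the 11g default in effect: the realm is the upper-cased DNS domain, so
# the domain_realm mapping older releases required is left out.
$Krb5Conf = @"
[libdefaults]
    default_realm = $Realm

[realms]
    $Realm = {
        kdc = w2k3s.adnet.dev
    }
"@

# --- On a Windows client: reuse the desktop logon ticket from the MS credential cache --
# (OSMSFT:// is the Windows LSA cache, so no separate okinit is needed; on a
# non-Windows client run okinit to obtain the initial ticket instead.)
$ClientSqlnet = @"
SQLNET.AUTHENTICATION_SERVICES          = (KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF                   = C:\krb5\krb5.conf
SQLNET.KERBEROS5_CONF_MIT               = TRUE
SQLNET.KERBEROS5_CC_NAME                = OSMSFT://
"@

# 3. On the client, confirm the SPN resolves to exactly one account and that the KDC
#    issues a service ticket for it before trying "sqlplus /@orcl". The database user
#    must exist as CREATE USER ... IDENTIFIED EXTERNALLY AS 'user@REALM' (slide above).
& setspn.exe -Q "oracle/$DbHost"
& klist.exe get "oracle/$DbHost@$Realm"
& klist.exe
```

If setspn reports the SPN on two accounts, or klist get fails with a KDC error, the database logon will fail before Oracle is involved at all; fix the account mapping first, then re-run ktpass so the keytab matches the account that owns the SPN.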

Page 23:

Security Integration for .NET Applications

Page 24:

Security Integration for .NET Applications

• OS Authenticated Connection Pool in Oracle Data Provider for .NET
  • Supports pooling of OS-authenticated connections using the Windows identity
• ASP.NET Membership and Role Providers
  • Validate and manage user and authorization information for your ASP.NET web applications in Oracle Database

Page 25:

Oracle Virtual Directory: Centralize DB User Account Management

Page 26:

Audience Questions

How many have user accounts in AD? Sun? OID?

How many have databases on an OS besides Windows?

How many can provide your CIO with an audit report verifying DBA and DB user access?

How many can disable DBA access by disabling a password in a single repository?

Page 27:

Centralize Oracle Database Account Management

• Organizations have many databases on a variety of platforms
• Organizations have implemented enterprise directory services
• Oracle Enterprise User Security is all about centralizing database account management
• Oracle Enterprise User Security allows you to externalize database accounts and roles to an LDAP server
• Oracle Virtual Directory allows EUS to work with 3rd-party directories, not just OID

Page 28:

Oracle Virtual Directory Overview

• Oracle Virtual Directory lets organizations rapidly deploy applications by providing a unified view of identity without synchronization.

Page 29:

Case Study – MKB Bank (Hungary): Database Security

Business Challenges
• Built a database warehouse for reporting
• Wanted to leverage Active Directory and existing provisioning to manage credentials and role membership
• Did not want to synchronize to another directory

Oracle Solution
• Enterprise User Security & OVD
• OVD connects to AD
• EUS allows employees to use their Windows password and the existing provisioning system to manage access

Return On Investment
• Allowed rapid deployment of secure access to the database warehouse
• Did not need to bring up yet another directory service just to manage database accounts
• Eliminated help desk calls

Page 30:

Summary

• EUS centralizes database account management into a directory

• EUS works across heterogeneous operating systems

• OVD enables EUS to work with 3rd party directories without synchronization

Page 31:

For More Information

Windows Server System Center

http://www.oracle.com/technology/windows

Oracle Net Services (AD White Paper and more)

http://www.oracle.com/technology/products/oraclenet/index.html

.NET Developer Center (ASP.NET Providers)

http://www.oracle.com/technology/dotnet

Oracle Virtual Directory (OVD)

http://www.oracle.com/identity

My email: [email protected]

Page 32:

Q&A: Questions and Answers

Page 33:

For More Information

search.oracle.com

or

oracle.com
