Thursday, March 29, 2018

Okta : Password Sync Agent Requirements

For Secure Web Applications (SWA) that rely on AD passwords, the SWA apps in Okta store the username and password. The Password Sync Agent ensures that AD passwords changed outside Okta are pushed to those SWA apps within Okta, so that no manual updates are needed.

Requirements for Password Sync Agent (PSA)
  • The org must be AD-mastered.
  • The Active Directory Agent must be installed and configured on at least one domain controller in each domain in your forest.
  • The Active Directory Password Sync Agent must be installed and configured on all domain controllers in each domain in your forest.
  • Delegated Authentication must be enabled.
  • The Okta username format must be UPN.
  • If Inbound SAML is set up, PSA will not work.

More requirements here

This will push AD passwords to the provisioning-enabled SWA app during initial setup or whenever the password changes. The Okta AD Password Sync Agent automatically pushes users' AD passwords from your Domain Controllers to the Okta service.
Passwords are synced from your Domain Controller to Okta whenever a user's password is changed. The agent must be installed on all Domain Controllers, and Delegated Authentication must be enabled on your Okta organization.

Okta Session : How to Set Maximum Session Timeout using APIs

Quite often, an application developer needs a maximum time after which a session is destroyed irrespective of activity. This is also called the Maximum Session Timeout.

Okta is a popular cloud-based Identity and Access Management platform used as an Identity Provider, enabling secure and seamless access to all applications from any device.

As of today, there is NO setting in the Okta UI to set the Maximum Session Time.
The Session Lifetime setting in the Okta GUI is for the Maximum Idle Session Time.
However, there is an option to do this via APIs, using the SignOn Policy APIs.

Policies can be created via APIs or from the GUI (Admin -> Security -> Authentication -> SignOn Policies -> Create Policy -> Create Rules); the rule's maxSessionTimeoutInMinutes is then updated using API calls, as shown in the screenshot.

If you are unaware of how to get started with Okta APIs and/or to setup Postman, please check this link.
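The GET-modify-PUT sequence behind the screenshot, as an added example that is not the post's own code: it assumes Python 3 and the Okta Policies API rule shape, in which the hard cap lives at actions.signon.session.maxSessionLifetimeMinutes next to maxSessionIdleMinutes (the post refers to the attribute as maxSessionTimeoutInMinutes); the org URL, API token and policy/rule ids are placeholders.

```python
"""Set the hard session cap on an Okta sign-on policy rule via the Policies API.

Added example, not the post's code. Assumes Python 3 and the Okta sign-on rule
JSON shape, where actions.signon.session carries maxSessionIdleMinutes and
maxSessionLifetimeMinutes (0 = no cap). Org URL, token and ids are placeholders.
"""
import json
import urllib.request
from typing import Optional

OKTA_ORG = "https://example.okta.com"        # placeholder: your org URL
API_TOKEN = "00PLACEHOLDER_SSWS_TOKEN"       # placeholder: an admin API token


def with_max_session_lifetime(rule: dict, max_minutes: int) -> dict:
    """Return a copy of the rule with the maximum session lifetime set.

    The lifetime cap must not be shorter than the idle timeout, otherwise the
    idle setting could never fire; refuse such a combination up front.
    """
    if max_minutes < 0:
        raise ValueError("max session lifetime must be >= 0 (0 means no cap)")
    updated = json.loads(json.dumps(rule))          # deep copy; caller's dict untouched
    session = (updated.setdefault("actions", {})
                      .setdefault("signon", {})
                      .setdefault("session", {}))
    idle = session.get("maxSessionIdleMinutes", 0)
    if max_minutes and idle > max_minutes:
        raise ValueError(f"idle timeout {idle} min exceeds lifetime cap {max_minutes} min")
    session["maxSessionLifetimeMinutes"] = max_minutes
    return updated


def okta_request(method: str, path: str, body: Optional[dict] = None) -> urllib.request.Request:
    """Build an Okta API request authenticated with the SSWS token scheme."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    return urllib.request.Request(
        OKTA_ORG + path,
        data=data,
        method=method,
        headers={
            "Authorization": f"SSWS {API_TOKEN}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def set_rule_max_session(policy_id: str, rule_id: str, max_minutes: int) -> dict:
    """GET the current rule, set the cap, PUT the full rule back; returns the stored rule."""
    path = f"/api/v1/policies/{policy_id}/rules/{rule_id}"
    with urllib.request.urlopen(okta_request("GET", path)) as resp:
        current = json.load(resp)
    body = with_max_session_lifetime(current, max_minutes)
    with urllib.request.urlopen(okta_request("PUT", path, body)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids; run against a real org only with OKTA_ORG/API_TOKEN filled in.
    stored = set_rule_max_session("POLICY_ID_PLACEHOLDER", "RULE_ID_PLACEHOLDER", 480)
    print(json.dumps(stored["actions"]["signon"]["session"], indent=2))
```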

Wednesday, March 28, 2018

Okta SAML SSO with Zoom : Error 1021 : You are not entitled to meeting service

Use Case : Setup SAML based SSO for Zoom using Okta as the IDP

Pre-requisites :

  • Zoom owner or admin privileges
  • Business or Education account with approved Vanity URL
  • Okta admin privileges

Note :

Zoom is a Big Bang App (the account needs to already exist in the SAML IDP) when using the vanity URL.
A backdoor URL can be used: https://zoom.us/signin, where users can log in with their username and password.

Issue : When doing SP-initiated SSO (using the vanity URL) or IDP-initiated SSO (using the Okta chiclet), we get Error 1021 ("You are not entitled to meeting service"). Troubleshooting performed -

  • Checked SAML response was valid using SAML Tracer in Firefox
  • No errors in Okta Logs
  • Verified that Username being passed in SAML assertion from Okta to Zoom existed in Zoom
  • Created a custom SAML template App in Okta instead of using the App in Okta Integration Network (OIN) 

Solution :
The issue was in the Zoom SSO configuration.

Change "Default user type:" from None to either Basic or Pro on the SSO configuration page (SAML Response mapping). The SSO service was passing the user through, but because "None" was selected no user type was assigned, so the user ended up not authorized for the meeting service.

Friday, October 14, 2016

Can we use Oracle Key Vault to Store the DB Wallet for Enterprise User Security(EUS) ?

Oracle Key Vault (OKV) enables customers to easily deploy encryption and other security solutions by offering robust, central management of encryption keys, Oracle Wallets, Java Keystores, and credential files.

Enterprise User Security (EUS) is an Oracle Database EE feature which leverages the LDAP-compliant directory services to centralize database user and role management.

While implementing EUS, we need to register the DB with the LDAP which houses the users. This process creates a DB wallet which is used to securely communicate to the LDAP.

The question is whether we can use OKV to store this wallet, so that EUS refers to OKV instead of a wallet stored locally on the DB server, thereby enhancing security.

Here's what I could find out on this -
  • When we register a database to OUD using DBCA, a local wallet will always be created containing the credentials for OUD access.
  • This behaviour cannot be changed; however, the same wallet can be uploaded to OKV as a backup using the okvutil utility.
  • We cannot use/get the EUS credentials directly from OKV; they will always be taken from the local wallet [i.e. sqlnet.ora will not refer to the OKV wallet].
  • Even if the EUS wallet is uploaded to OKV after the DB registration, we cannot make a 'direct connection' to OKV to retrieve EUS credentials from the virtual wallet. Such a 'direct connection' is possible with TDE wallets (OKV directly provides access to the TDE master keys). Wallets containing SSL certificates or credentials can be uploaded to OKV and downloaded at will, but a client cannot be configured to use them directly from OKV.
  • There is no auto-sync job for the wallet (local -> OKV); once the credentials change, we need to re-upload the wallet to OKV.

Wednesday, October 5, 2016

DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case
Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB Users/Groups have already been centralized in an LDAP like Active Directory(AD) using Enterprise User Security (EUS)

Details: After logging in using sqlplus, if we issue the following SQL we still see the shared schema user (which was used to map the Oracle DB default domain to the LDAP container):

SQL> show user

Now the question is: if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact external user instead of the global schema? How would we identify this from the session information in Oracle Enterprise Manager (OEM)?

A workaround could be to query the session's external_name (sys_context('userenv','external_name'), as used in the trigger below), which returns the enterprise user's DN, e.g.:
cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this were available in v$session for anyone to see in real time, without specifically issuing a SQL query?
We are able to create a logon trigger (attached) which populates the enterprise user's session information into the client_info column of V$SESSION:
create or replace trigger sys.on_logon after logon on database
declare
  v_externalname varchar2(64) := '';
begin
  select substr(sys_context('userenv','external_name'),1,63) into v_externalname from dual;
  if v_externalname is not null then
    dbms_application_info.set_client_info(v_externalname); -- surfaces the LDAP DN in v$session.client_info
  end if;
end;
/

We should then be able to pull up the blocking session information, if any, from OEM tied to this enterprise user. An illustration of the result :


Monday, August 22, 2016

EUS with OUD: ORA-28030 Network Issues -- Hosts and DNS

Use Case : Centralize Database Users/Roles using Enterprise User Security to enable Password-based authentication via Oracle Unified Directory(OUD) connecting to Active Directory 

Issue : After following all the pre-requisites and steps needed to set up EUS, we get the below error while trying to connect to the DB using an AD user/password.

SQL> CONNECT username@service_name;
ORA-28030: Server encountered problems accessing LDAP directory service

DB Trace Logs show the following -
*** ACTION NAME:() 2016-08-15 13:16:50.270
*** MODULE NAME:(sqlplus@recoverdwp (TNS V1-V3)) 2016-08-15 13:16:50.270
*** SERVICE NAME:(desanew) 2016-08-15 13:16:50.270
*** SESSION ID:(159.13) 2016-08-15 13:16:50.270
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=-1
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

Cause inference
The OUD server, as defined in ldap.ora, is not reachable from the RDBMS server's machine. It also appears that the SASL bind requires both forward and reverse lookups to be defined in DNS for the target OUD hostname.

A database can bind to OUD by using password/SASL-based authentication. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.   

The following are the two options to fix/work around this issue -
1) Edit the /etc/hosts file on the DB server and add the IP address, FQDN and alias, e.g.: xxx.xxx.xxx.xxx   hostname.domain_name   hostname
This step would need to be repeated for all DB servers which need to be configured for EUS.

2) Ensure that forward and reverse lookups are properly defined in DNS for the OUD hosts (nslookup should succeed for both the IP and the hostname).

This is a one-time activity and will be available for all DB servers in the network.
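The nslookup check from option 2, scripted over every directory server listed in ldap.ora, as an added example (not from the post): it assumes Python 3, the standard ldap.ora DIRECTORY_SERVERS syntax, and a constructed sample file; the resolver functions are injectable so the check can be exercised without a live DNS.

```python
"""Verify forward and reverse DNS for each directory server in ldap.ora,
the precondition the SASL bind in the ORA-28030 case above depends on.

Added example, not from the post. Assumes Python 3; resolver callables are
injectable so the logic runs offline. The ldap.ora content is constructed.
"""
import re
import socket
from typing import Callable, Dict, List

SAMPLE_LDAP_ORA = """\
# constructed sample ldap.ora
DIRECTORY_SERVERS = (oud1.corp.example.com:1389:1636, oud2.corp.example.com:1389)
DEFAULT_ADMIN_CONTEXT = "dc=corp,dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""


def directory_hosts(ldap_ora: str) -> List[str]:
    """Return the host names in DIRECTORY_SERVERS, with the port fields stripped."""
    m = re.search(r"DIRECTORY_SERVERS\s*=\s*\(([^)]*)\)", ldap_ora, re.IGNORECASE)
    if not m:
        return []
    return [entry.strip().split(":")[0] for entry in m.group(1).split(",") if entry.strip()]


def check_host(host: str,
               forward: Callable[[str], str] = socket.gethostbyname,
               reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
               ) -> Dict[str, str]:
    """Forward-resolve the host, reverse-resolve the IP, and report whether they agree.

    socket.gaierror / socket.herror are OSError subclasses, so a missing A or PTR
    record is reported as a failure instead of aborting the whole run.
    """
    result = {"host": host, "ip": "", "reverse": "", "status": ""}
    try:
        result["ip"] = forward(host)
    except OSError as exc:
        result["status"] = f"forward lookup failed: {exc}"
        return result
    try:
        result["reverse"] = reverse(result["ip"])
    except OSError as exc:
        result["status"] = f"reverse lookup failed: {exc}"
        return result
    # The SASL layer compares the name it connected to with the PTR answer.
    result["status"] = "ok" if result["reverse"].lower() == host.lower() else "mismatch"
    return result


def check_ldap_ora(ldap_ora: str, **resolvers) -> List[Dict[str, str]]:
    """Run check_host for every directory server named in the ldap.ora text."""
    return [check_host(h, **resolvers) for h in directory_hosts(ldap_ora)]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "ldap.ora"
    with open(path) as fh:
        for row in check_ldap_ora(fh.read()):
            print(f"{row['host']:<40} {row['ip']:<16} {row['reverse']:<40} {row['status']}")
```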

Note 331538.1   (Ora-7445 [Gslcoish_saslhostconnectedto()+78] Connecting as Enterprise User)
Note 1270342.1 (EUS User Can Not Login To The Database)

Tuesday, May 24, 2016

OUD/EUS - Running DBCA from the command line interface(CLI)

Use Case : To enable Enterprise User Security (EUS) to authenticate Active Directory users connecting to a database through an OUD proxy.

Typically the DBCA utility is used via the GUI to register the database with the directory service. We had a requirement to run the DBCA commands from the command line interface (CLI).

The following steps should help -

1) Create an empty wallet in the wallet's default location
mkstore -wrl . -create 

2) Run DBCA to register DB
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
-registerWithDirService true -dirServiceUserName "cn=Directory\20Manager" \
-dirServicePassword <pwd> -walletPassword <pwd>

3) Create the Database DN entry in the wallet manually using mkstore command
mkstore -wrl . -createEntry ORACLE.SECURITY.DN "cn=<SID>,cn=OracleContext,<OUD_Realm>" 


Monday, February 1, 2016

Security in the modern day Digital eXperience

What is Digital Experience (DX) ?
Digital experiences have become the cornerstone of just about every customer experience, driven in part by the rapid spread of customer activity among web, mobile, and social channels. The typical user experience has moved beyond desktop and laptop screens to an astonishing and growing array of mobile devices.
In the Oracle world, DX combines WebCenter and ADF, including WC Sites, WC Content etc. DX Security should be a no-brainer by the end of this article.

Why do we need DX Security/Use Cases ?
  • No defined network perimeter : More than 67% of security spend goes to network security. With the digital economy demanding more collaboration and a seamless user experience, new points of control need to be introduced: user identities, permissions/access to information systems (IS) etc. Cloud computing and mobile have further blurred the network perimeter. Sensitive data that was secured behind a robust enterprise firewall is now accessible via low-cost smartphones.

  • Transformation of the perimeter : “Businesses now invest in security rather than spend on it. Security architects need to design security systems that complement business policies and processes.” - Chris Gavin, vice president, Information Security, Oracle. 
  • A “trust but verify” approach to both enable productivity and address security governance requirements. The objective is to establish one consistent security framework underlying all information systems. Because users and sensitive data are part of every transaction, identity management and database security are the common denominators of addressing most security requirements. 

  • Re-architecture of IT within organizations : Most services are being performed via software solutions that are architected in the cloud rather than on-premises requiring real-time exchange of accurate information. Organizations rely on identity management technology to facilitate dynamic trust relationships and support regulatory compliance requirements. 
  • Risk-Aware Architectures : Security architects are tasked with developing “risk-aware” architectures that factor in legal liabilities, the privacy of partner and customer data, and regulatory requirements. These security policies ensure that the organization is ready for internal and external audits.
  • Mobile Security :
    o   By 2020, 80 percent of access to the enterprise will be via mobile devices and other non-PC devices, up from 5 percent today.
    o   External providers will authenticate 60 percent of all users connecting with enterprises.
    o   By 2020 there will be more than 50 billion IP-enabled devices in use around the world.

  • Internet of Things (IoT) : According to Vadim Lander, chief identity architect at Oracle, there are three types of security concerns associated with the Internet of Things:
    o   Device Identity
    o   Application Identity
    o   User Identity
  • Cloud Security : Customers that contract with cloud vendors need to be able to control the identity management process for external applications and on-premises apps via single-sign-on procedures. These solutions should also make it easy to provision and de-provision users and to extend entitlement credentials from on-premises applications to cloud applications. Such controls are even more important when securing databases. According to IDC, 66 percent of today’s most sensitive data resides in relational databases.
  • Oracle Security Taxonomy as a measure of good security Design :Latency and consistency are two variables used to measure good security design. The objective is to reduce the latency of change and increase consistency across systems and applications. Oracle engineers hardware and software to work together. This cohesive approach reduces the latency of change and increases consistency. By embedding security technology into every layer of the technology stack and securing the integration between layers, Oracle not only delivers better performance with a smaller footprint, it also provides better security at a lower cost.
An IDM DX Use Case : Oracle DX with API Gateway : WCC and Anti-Virus support for Check-in of Files using OAG as first line of defense.

References : I wished to summarize and set context using the following articles as source :
Security Architecture in the new Digital Experience Whitepaper (Oracle)
Enabling Secure Consumer Mobility (Kanishk Mahajan, Oracle Product Mgmt)

Thursday, July 9, 2015

OIM / OID : Referential Integrity for referenced group memberships on change username

Use Case 
Change Username (typically via OIM APIs) doesn't update group memberships. When we change the username, the cn of the user changes. Since the DN is made up of the cn and the dc components, the referenced group memberships are orphaned.
This is because, by default, "Referential Integrity" is turned OFF in OID and OIM. 

"Because the CN changed, Oracle Identity Manager attempts a modify operation (modrdn) in the directory resulting in DN change. Because of this unintended DN change, the group membership DN becomes stale resulting in the user losing membership in that group. This subsequently results in authorization failure. This happens when referential integrity is turned off in the LDAP server, and therefore, the referenced groups are not updated when the RDN of the user changes. Therefore, referential integrity must be turned on in the target LDAP server. Otherwise, the group memberships become stale. The referential integrity issue is also applicable to roles. Groups are also members of other groups and any RDN changes must be reflected as well."

Please see table in link for scenarios when this property is not consistent in OIM and OID.
  • Turn on the Referential Integrity check in OID :
    Change orclRIEnabled to 2 within cn=dsaconfig,cn=configsets,cn=oracle internet directory [default value is 0]
  • In OIM, modify the System property XL.IsReferentialIntegrityEnabled to TRUE
The above will make sure change username is seamless and doesn't cause any data corruption issues. Obviously, we need to have LDAP Sync turned on between OIM and OID to make sure that this works as expected.

Wednesday, July 8, 2015

OHS : Periodic OHS/Web Server/WebGate Crash due to cron job incorrectly deleting *.lck files/httpd.pid files

We faced a very unique issue in one of our OAM Single Sign-On implementations wherein all the OHS nodes in a cluster setup used to crash every 7th day, generating core dumps running into dozens of GB, which could themselves bring down the OHS in addition to the downtime on Production systems.

Stack Trace on OHS/Webgates :

Loaded symbols for /u01/app/orasec/middleware/Oracle_OAMWebGate1/webgate/ohs/lib/libxmlengine.so
Core was generated by `/u01/app/orasec/middleware/Oracle_WT1/ohs/bin/httpd.worker -DSSL'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fd717f1161f in ObLockFileRelease(void*, bool) ()
  from /u01/app/orasec/middleware/Oracle_OAMWebGate1/webgate/ohs/lib/webgate.so
(gdb) (gdb)

Detailed Analysis of Root Cause 
On detailed debugging, and with some guidance from Oracle Support, we discovered that this was being caused by a cron job written to ensure that oam_server.out files as well as oblog.log files get deleted every 7 days, because Oracle doesn't provide log retention policies for these files OOTB.
The path used by the cron job was <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/diagnostics/logs/OHS/ohs1, which incidentally also hosts the important .lck files (polltracking.lck, oblog.log.lck, ObAccessClient.xml.lck) and the httpd.pid file [Why Oracle, Why ??!!]

Remember : Removing PID and *.lck files causes instability and is not supported by OAM or OHS.

It is not supported to remove httpd.pid, *.lck or log files that are created by a running instance while it is running. Two safer practices -

1.  Set up logging to another location where the lock files, httpd.pid and other process files do not exist, if a cron job or something else is used to remove old files. In our case we explicitly called out the files which needed to be deleted instead of running the cron job on the whole folder.
2.  Use documented log rotation methods as much as possible (the files in question, though, don't have OOTB options).
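The "explicitly call out the files" fix from point 1, as an added example that is not the post's cron job: a retention script meant to be invoked from cron, which deletes only the oam_server.out and oblog.log families older than the retention period and never touches *.lck or httpd.pid, even though oblog.log.lck matches the oblog.log.* pattern. It assumes Python 3 and the file names the post lists.

```python
"""Retention cleanup for the OHS diagnostics directory that only removes the named
log families and never the running instance's lock or PID files.

Added example, not the post's cron job. Assumes Python 3 and the file names from
the post (oam_server.out*, oblog.log*, polltracking.lck, oblog.log.lck,
ObAccessClient.xml.lck, httpd.pid).
"""
import fnmatch
import os
import sys
import time
from typing import List, Optional

# Only these log families are eligible for deletion (the two the cron job targeted).
DELETE_PATTERNS = ("oam_server.out*", "oblog.log", "oblog.log.*")
# Files the running OHS/WebGate depends on: never deleted, even if a log pattern matches.
PROTECTED_PATTERNS = ("*.lck", "httpd.pid", "*.pid")


def is_protected(name: str) -> bool:
    return any(fnmatch.fnmatch(name, p) for p in PROTECTED_PATTERNS)


def eligible(name: str) -> bool:
    """A log-family file that is not a lock/pid file (oblog.log.lck matches both sets)."""
    return any(fnmatch.fnmatch(name, p) for p in DELETE_PATTERNS) and not is_protected(name)


def naive_victims(log_dir: str, days: int, now: Optional[float] = None) -> List[str]:
    """What an 'everything older than N days' cron job would have removed from log_dir."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(e.name for e in os.scandir(log_dir)
                  if e.is_file() and e.stat().st_mtime < cutoff)


def purge_ohs_logs(log_dir: str, days: int = 7, dry_run: bool = False,
                   now: Optional[float] = None) -> List[str]:
    """Delete eligible log files older than `days`; return the names removed.

    With dry_run=True nothing is deleted and the list shows what would go.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    removed = []
    for entry in os.scandir(log_dir):
        if not entry.is_file() or not eligible(entry.name):
            continue
        if entry.stat().st_mtime >= cutoff:
            continue            # still within the retention window
        if not dry_run:
            os.remove(entry.path)
        removed.append(entry.name)
    return sorted(removed)


if __name__ == "__main__":
    # Usage from cron: python3 purge_ohs_logs.py <instance>/diagnostics/logs/OHS/ohs1
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name in purge_ohs_logs(target, days=7):
        print("removed", name)
```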

References  - 
OHS Segfault 11 Core Dumps ObLockFileRelease Webgate.so 5-7 Days (Doc ID 1985491.1)

OAM : Oracle Traffic Director Licensing for Oracle Access Portal

Starting with Oracle Access Manager (OAM), the license includes the Oracle Access Portal Service.

What is Oracle Access Portal (OAP) ?
The Access Portal Service is a hosted single sign-on proxy service that enables intranet and extranet applications with Oracle's form-fill single sign-on technology. Web Logon Manager, available as a standalone download from Oracle Support, provides end-users with the ability to create, modify, and delete application credentials as well as log on to provisioned applications through both desktop and mobile browsers. Available from 11gR2 PS2.

What is Oracle Traffic Director (OTD) ?
Oracle Traffic Director is a fast, reliable, and scalable layer-7 software load balancer. The architecture of Oracle Traffic Director enables it to handle large volumes of application traffic with low latency. The product is optimized for use in Oracle Exalogic Elastic Cloud and Oracle SuperCluster.

For enabling the Oracle Access Portal Service, Oracle Traffic Director (OTD) is mandatory, as it intercepts user connections to the target application and provides path-proxy and DNS-proxy functionality, allowing for path and DNS rewriting. It also hosts the WebGate plugin.

OTD Licensing for OAP
Though OTD is primarily licensed only for Exalogic, the following are exceptions -
  • The Oracle Traffic Director portion of the Oracle Access Portal is restricted to the following features: High Availability Virtual IP, Access Manager WebGate, and Origin Server Load Balancing to WebLogic Server.
  • IDM Oracle Access Portal (OAP) license entitlement now includes OTD to be a front-end on Oracle Enterprise Linux 5.6+, Redhat Enterprise Linux 5.6+ and Solaris (SPARC, x64) 11.1+.
Reference :
Access Management Licensing - http://docs.oracle.com/cd/E29542_01/doc.1111/e14860/im_options.htm#FMWLC240

OID : Deleting OID/OPMN instances

One can face weird issues due to OID instances not being deleted the right way. Simply deleting them from the file system or from OID might not be enough, as there are entries that stay in the ODS schema of the database.
This can cause unforeseen issues like delays in OID restarts (ldapbind fails for a few minutes even though the instance shows up as ALIVE) or intermittent behaviour such as referential integrity working only some of the time in OID/OIM.

It is highly recommended to remove an Oracle Internet Directory component by using opmnctl deletecomponent. This also unregisters the component with the WebLogic server.

Syntax :
$ORACLE_INSTANCE/bin/opmnctl deletecomponent
  -adminHost webLogicHostName
  -adminPort webLogicPort
  -adminUsername weblogicAdminUsername
  -adminPasswordFile text_file_containing_admin_password
  -componentType OID
  -componentName componentName

Sample for removing an instance named oid4
export ORACLE_INSTANCE=/u01/app/oracle/admin/config/oid_inst_3/
$ORACLE_INSTANCE/bin/opmnctl deletecomponent \
  -adminHost <wl_server_Name> \
  -adminPort 7001 \
  -adminUsername weblogic \
  -adminPasswordFile adminpass.txt \
  -componentType OID \
  -componentName oid4

Reference - https://docs.oracle.com/cd/E16764_01/oid.1111/e10029/oid_server_instances.htm#BABDJABF

Thursday, March 26, 2015

Oracle API Gateway (OAG) : Concept & marriage with SOA & Mobile

Oracle API Gateway is a standards-based, policy-driven, standalone software security solution that provides first line of defense in Service-Oriented Architecture (SOA) environments.
It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems.
Oracle Web Services Manager (OWSM) is generally used for application security of a particular service, while most customers also have use cases around DMZ or perimeter security for web services; OAG serves as that part of the enterprise security solution.
This would typically be for customers needing access to web services from the internet, similar to how we access a web application. OAG can perform a lot of validations and route the requests only once those checks have passed. This is also a typical use case for mobile applications which use REST web services at the backend.
I have seen a strong value in this security product for all SOA and Mobile projects.
Here’s a high-level request flow :
There are many advantages that OAG can provide :
–   Authentication, Authorization (Leverages existing LDAP like AD ; existing IDM platforms for this – RSA AM, CA Site Minder, Oracle Access Mgr)
–   XML Acceleration, Throttling, Caching, Protocol translation (REST to SOAP and vice versa), Dynamic routing, SLA enforcement
–   Identity Propagation and Credential Mapping , Filter threatening content (XML Bombs, DOS Attacks, Virus)
Oracle OEMs (Original Equipment Manufacturer licensing) the OAG product from Axway: Axway's gateway product is rebranded for Oracle as OAG and is almost identical.
Oracle Datasheet

Tuesday, March 24, 2015

Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.
This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)
This is no different from invoking a web application on a desktop or a laptop. One would use Oracle Access Manager (OAM) based SSO along with OHS + WebGate.

2) Security for Native/Hybrid mobile applications on personal devices 
(Leveraging existing IDM Platform)
This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).
Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 
(MDM or Mobile Device Management)
This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 
(MAM or Mobile Application Management)
This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detail in my blog post on OMSS here.
Image Courtesy : Oracle Document