
Friday, October 14, 2016

Can we use Oracle Key Vault to Store the DB Wallet for Enterprise User Security(EUS) ?

Oracle Key Vault (OKV) enables customers to easily deploy encryption and other security solutions by offering robust, central management of encryption keys, Oracle Wallets, Java Keystores, and credential files.

Enterprise User Security (EUS) is an Oracle Database EE feature which uses an LDAP-compliant directory service to centralize database user and role management.

While implementing EUS, we need to register the DB with the LDAP directory which houses the users. This process creates a DB wallet which is used to communicate securely with the LDAP directory.

The question is whether we can use OKV to store this wallet so that EUS refers to OKV instead of a wallet stored locally on the DB server, thereby enhancing security.

Here's what I could find out on this -
  • When we register a database to OUD using DBCA, a local wallet will always be created containing the credentials for OUD access.
  • This behavior cannot be changed, however the same wallet can be uploaded to OKV for a backup using okvutil utility.
  • We cannot obtain the EUS credentials directly from OKV; they will always be taken from the local wallet [i.e. sqlnet.ora will not refer to an OKV wallet].
  • Even if the EUS wallet is uploaded to OKV after the DB registration, we cannot make a 'direct connection' to OKV to retrieve EUS credentials from the virtual wallet. Such a 'direct connection' is possible with TDE wallets (OKV directly provides access to the TDE master keys). Wallets containing SSL certificates or credentials can be uploaded to OKV and downloaded at will, but a client cannot be configured to use them directly from OKV.
  • There is no auto-sync job for the wallet (local -> OKV); once the credentials change, we need to re-upload the wallet to OKV.


Wednesday, October 5, 2016

DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case
Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB users/groups have already been centralized in an LDAP directory like Active Directory (AD) using Enterprise User Security (EUS)

Details: After logging in using sqlplus, if we issue the following SQL we still see the shared schema user (which was used to map the Oracle DB Default Domain to the LDAP container)

SQL> show user
GLOBAL_IDENT_SCHEMA_USER

Now the question is: if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact external user instead of a Global Schema? How would we identify this information from within the Oracle Enterprise Manager (OEM) session info?


A workaround could be to issue the following SQL query
SQL>  SELECT SYS_CONTEXT('USERENV','EXTERNAL_NAME') FROM DUAL;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this were available in v$session for anyone to see in real time, without specifically issuing a SQL query?
We are able to create a logon trigger (attached) which populates the enterprise user session information into CLIENT_INFO of V$SESSION.
-- After-logon trigger: copy the enterprise user's LDAP DN into V$SESSION.CLIENT_INFO.
-- CLIENT_INFO holds at most 64 bytes, so a long DN is truncated to its first 63 characters.
create or replace trigger sys.on_logon after logon on database
declare
  v_externalname varchar2(64) := '';
begin
  -- EXTERNAL_NAME is the directory DN of the enterprise user; NULL for local DB users
  select substr(sys_context('userenv','external_name'),1,63) into v_externalname from dual;
  if v_externalname is not null
  then
    -- Publish the DN so it shows up in V$SESSION.CLIENT_INFO and in OEM session views
    dbms_application_info.set_client_info(v_externalname);
  end if;
end;
/

We should be able to pull up the blocking session information, if any, from OEM tied to this enterprise user. An illustration of the result:
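As an added example (not part of the original post), the query below does from SQL*Plus what the OEM session view does: it lists the sessions whose CLIENT_INFO was populated by the logon trigger and, for a blocked session, resolves the blocker to its enterprise DN as well. It assumes the trigger above has been created and that the querying user can read V$SESSION (for example via SELECT_CATALOG_ROLE).

```sql
-- Added example: map blocked/blocking sessions back to the enterprise (LDAP) user
-- using the CLIENT_INFO value set by the logon trigger.
SELECT s.sid,
       s.serial#,
       s.username        AS shared_schema,        -- e.g. GLOBAL_IDENT_SCHEMA_USER
       s.client_info     AS enterprise_user_dn,   -- set by DBMS_APPLICATION_INFO.SET_CLIENT_INFO
       s.status,
       s.event,                                   -- e.g. 'enq: TX - row lock contention' when blocked
       s.blocking_session,
       b.client_info     AS blocker_enterprise_dn -- NULL when the session is not blocked
  FROM v$session s
  LEFT JOIN v$session b
         ON b.sid = s.blocking_session
 WHERE s.type = 'USER'
   AND s.client_info IS NOT NULL
 ORDER BY s.blocking_session NULLS FIRST, s.sid;
```

Two caveats for anyone using this for auditing rather than troubleshooting: CLIENT_INFO is a convenience field that any session can overwrite by calling DBMS_APPLICATION_INFO.SET_CLIENT_INFO itself, so the authoritative record of the enterprise user remains SYS_CONTEXT('USERENV','EXTERNAL_NAME') and the audit trail; and on RAC, query GV$SESSION instead of V$SESSION to see all instances.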

References:

Monday, August 22, 2016

EUS with OUD: ORA-28030 Network Issues -- Hosts and DNS

Use Case : Centralize Database Users/Roles using Enterprise User Security to enable Password-based authentication via Oracle Unified Directory(OUD) connecting to Active Directory 

Issue: After following all the pre-requisites and steps needed to set up EUS, we get the below error while trying to connect to the DB using an AD user/password.

SQL> CONNECT username@service_name;
ORA-28030: Server encountered problems accessing LDAP directory service


DB Trace Logs show the following -
*** ACTION NAME:() 2016-08-15 13:16:50.270
*** MODULE NAME:(sqlplus@recoverdwp (TNS V1-V3))
2016-08-15 13:16:50.270
*** SERVICE NAME:(desanew)
2016-08-15 13:16:50.270
*** SESSION ID:(159.13)
2016-08-15 13:16:50.270
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=-1
KZLD_ERR: -1
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.


Cause inference
The OUD server, as defined in ldap.ora, is not reachable from the RDBMS server's machine. It also appears that the SASL bind requires both forward and reverse lookup to be defined in DNS for the target OUD hostname.

A database can bind to OUD by using password/SASL-based authentication. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.   

Solution
The following are the two options to fix/work around this issue -

1) Edit the file /etc/hosts on the DB server and add the IP address, FQDN and alias of the OUD host, e.g.: xxx.xxx.xxx.xxx   hostname.domain_name   hostname
This step would need to be repeated for all DB servers which need to be configured for EUS.

2) Ensure that the forward and reverse lookups are properly defined in the DNS for the OUD hosts. (nslookup should succeed for both the IP and the hostname.)

This is a one-time activity and will be available for all DB servers in the network.
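Because it is the database server's own resolver that the kzld bind uses, the check is most meaningful when run from inside the database. The PL/SQL block below is an added example (not from the original post) that performs the forward lookup of the OUD host and the reverse lookup of the returned address and reports whether they agree. The hostname is a placeholder to be replaced with the host named in ldap.ora; on 11g and later, UTL_INADDR is subject to network ACLs, so the executing user may first need the 'resolve' privilege granted through DBMS_NETWORK_ACL_ADMIN.

```sql
-- Added example: verify forward and reverse DNS for the OUD host from the DB server's resolver.
SET SERVEROUTPUT ON
DECLARE
  l_oud_host  VARCHAR2(256) := 'oud-host.example.com';   -- placeholder: OUD host from ldap.ora
  l_ip        VARCHAR2(64);
  l_reverse   VARCHAR2(256);
BEGIN
  -- Forward lookup: hostname -> IP address (what the LDAP bind needs first)
  l_ip := UTL_INADDR.GET_HOST_ADDRESS(l_oud_host);
  DBMS_OUTPUT.PUT_LINE('forward : ' || l_oud_host || ' -> ' || l_ip);

  -- Reverse lookup: IP address -> hostname (the post observes the SASL bind needs this too)
  l_reverse := UTL_INADDR.GET_HOST_NAME(l_ip);
  DBMS_OUTPUT.PUT_LINE('reverse : ' || l_ip || ' -> ' || l_reverse);

  -- Compare case-insensitively; a short name vs. FQDN mismatch is the usual finding
  IF LOWER(l_reverse) = LOWER(l_oud_host) THEN
    DBMS_OUTPUT.PUT_LINE('OK      : forward and reverse lookups agree');
  ELSE
    DBMS_OUTPUT.PUT_LINE('MISMATCH: reverse name differs from the ldap.ora host; fix the DNS PTR record or /etc/hosts');
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    -- ORA-29257 (host unknown) or ORA-24247 (network ACL denies resolve) land here
    DBMS_OUTPUT.PUT_LINE('FAIL    : ' || SQLERRM);
END;
/
```

A MISMATCH or FAIL result points at option 1 or 2 above; an OK result with ORA-28030 still occurring means the problem lies elsewhere (for example the OUD port being blocked), so the trace output above should be re-read for a different KZLD_ERR.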

References
Note 331538.1   (Ora-7445 [Gslcoish_saslhostconnectedto()+78] Connecting as Enterprise User)
Note 1270342.1 (EUS User Can Not Login To The Database)

Tuesday, May 24, 2016

OUD/EUS - Running DBCA from the command line interface(CLI)

Use Case: To enable Enterprise User Security (EUS) to authenticate Active Directory users connecting to a database through an OUD proxy.

Typically the DBCA utility is used via the GUI to register the database with the directory service. We had a requirement to run the DBCA commands from the command line interface (CLI).

The following steps should help -

1) Create an empty wallet in the wallet's default location
mkstore -wrl . -create 

2) Run DBCA to register DB
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
-registerWithDirService true -dirServiceUserName "cn=Directory\20Manager" \
-dirServicePassword <pwd> -walletPassword <pwd>

3) Create the Database DN entry in the wallet manually using mkstore command
mkstore -wrl . -createEntry ORACLE.SECURITY.DN "cn=<SID>,cn=OracleContext,<OUD_Realm>" 

References

Tuesday, July 1, 2014

Database Security - Enterprise User Security (EUS)

About Enterprise User Security (EUS)
  • Enterprise User Security (EUS) is a way of integrating Oracle Database with an LDAP-compliant directory server such as Oracle Internet Directory (OID) or Microsoft AD, so that database users, passwords and roles can be centrally managed in an LDAP directory server.
  • Belongs to the Database Security category of the IdM stack.
Advantages
  • Offers low costs and centralized authentication.
  • Increases security and compliance.
  • No data migration needed; clients continue to use existing directories.
Architecture
  • Oracle Virtual Directory (OVD) has an EUS adapter and EUS plugins OOTB.
  • The LDAP directory (OID, AD, Novell or Sun eDirectory) needs to be set up for EUS.
  • The Oracle database(s) need to be EUS-enabled using the NETCA and DBCA utilities.
  • The database(s) can later be logged into using centralized EUS users.
  • Kerberos authentication can be enabled for native authentication from SQL clients like SQL*Plus and SQL Developer.
Useful Resources 
  1. EUS DataSheet with Architecture
  2. Enterprise User Security Guide
  3. Integrating Enterprise Security with AD
  4. Oracle Whitepaper
  5. Atul Kumar’s Blog
  6. How To Configure EUS with OVD 11.1.1.6 and Active Directory - AD (Doc ID 1449132.1)
  7. Expected Issues - How To Avoid Extending The Active Directory Schema With extendAD For OVD-OID-AD-EUS 11g Integration? (Doc ID 1159337.1)