Facebook

Showing posts with label Management. Show all posts
Showing posts with label Management. Show all posts

Monday, September 22, 2014

Oracle Security : Getting Started

Oracle Identity Management(IDM) is a vast collection of products with confusing terminology and it can be difficult to understand where to start. Hope the below links help.

Concepts
Oracle IDM Basics - (Keep clicking to navigate through entire topics)
A few simple Tutorials from Oracle to get started
Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Issues/Continuous learning of tricky use cases & finer concepts
Oracle IDM A-Team Blogs (Learn tricks of the trade)

Mapping of use cases with products

Collated IDM 11gR2 Blog Dashboard
Posted by
Labels: , , , , , , , , , , , , , , , , ,

Saturday, August 23, 2014

Oracle IDM 11gR2 : Integrating with MS Active Directory 2003

The latest versions of OIM and OAM 11gR2(11.1.2.x) donot support LDAP Sync or OIM-OAM Integration using Active Directory(AD) 2003 as per the 11gr2 certification matrix
We had a use case to support federation using OAM 11gR2 somehow with AD 2003 as the Identity Store. 

Option 1 : Using OVD
We noticed that the latest version of OVD was 11.1.1.7 which happens to support AD 2003 as per the 11gR1 FMW certification matrix .So potentially we could hook OAM with OVD as the Identity Store and still connect to Active Directory 2003, which is not directly supported!
Extending this theory we could provision to OVD from OIM which finally would create relevant user accounts in Active Directory 2003!!
Oracle confirmed this in SR # 3-9503114871(you may not be able to view it directly but can refer to this in another SR if need be).

Option 2 : Using OID and DIP
Standup OID(11.1.1.7 is the latest as of today) and sync existing users from AD 2003 using a DIP process.

Option 3 : Use IDM 11gR1
Least preferred since it's never a good idea to go back to a older release when the newer release has so much to offer and IDM 12c is in the pipeline.If none of the above can be made to work for whatever reasons, AD 2003 is definitely supported both with OIM and OAM 11gR1(11.1.1.x).
Posted by
Labels: , , , , , , , , , , , , , , , , ,

Saturday, July 5, 2014

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client wherein Public Documents in UCM be accessed via a SSO URL (using the OHS Port) without the user being challenged for credentials.

Sounds pretty straighforward right ? Since anyways using the default managed server port of 16200 of the Content Server , anyways those documents don't popup asking for user credentials.
Well , wasn't that simple really! Took us(myself , Sachin Saxena et al) a few days to exactly figure this out and now we have Oracle's stamp on it as well !
Following were the examples of documents which needed to be publically accessible
1)http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1
(Accessing public document  called 'DEV_COMPLOGO_31364' having Public Security group via IdcService)
2)http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg
(This has a definite URL Pattern of /cs/groups/public)
3)Also this general service/document search page needs to open up without authentication.
http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) basically protects URLs or definite URL parameters , it cannot go inside an end-user application and check security assigned to a resource to determine if that should be challenged for credentials.
(Example in this case is that it cannot go and check the authorization / security Group using IdcService URL for the file DEV_COMPLOG_31364)**

Hence we have only two options here -
1)Either the URL pattern /cs/groups/public can be marked as unprotected in OAM Application Domain and hence user won't be challenged when using Pattern 2 as above.
2)Create a mapping folder pattern in UCM , like pretty URL to access even webDav content)
3)You can configure the IdcService url pattern to be public via OAM. (something like http://oamserver.com/cs/idcplg as url and query parameters as IdcService=GET_FILE) .But by exposing that people can still construct url of private documents if they know the dID and bypass OAM as the pattern is public. But once they reach UCM, ucm security will deny them access as they are not authenticated/have required permissions [Courtesy : Shidharth Mishra]

References
1)Oracle SR [Closed]            2) Forums
Posted by
Labels: , , , , , , , , , , , , , , , , ,

Tuesday, July 1, 2014

Database Security - Enterprise User Security (EUS)

About Enterprise User Security (EUS)
  • Enterprise User Security (EUS) is a way of integrating Oracle Database with LDAP compliant directory server like Oracle Internet Directory (OID) or Microsoft AD
    so that database Users , Passwords & Roles can be centrally managed in a LDAP Directory Server.
  • Belongs to Database Security category of the IdM stack.
Advantages 
  • Offers low costs & centralized authentication.
  • Increases security & compliance.
  • No data migration needed , clients continue to use existing directories.
Architecture
  • Oracle Virtual Directory (OVD) has a EUS Adapter and EUS Plugins OOTB.
  • The LDAP Directory (OID or AD or Novell or Sun eDirectory) needs to be setup for EUS.
  • The Oracle Database/s need to be EUS enabled using NETCA & DBCA utility.
  • The Database/s can be logged into using a centralized EUS User/s later.
  • Kerberos authentication can be enabled to do native authentication for SQL clients like sql plus & SQL Developer.
Useful Resources 
  1. EUS DataSheet with Architecture
  2. Enterprise User Security Guide
  3. Integrating Enterprise Security with AD
  4. Oracle Whitepaper
  5. Atul Kumar’s Blog
  6. How To Configure EUS with OVD 11.1.1.6 and Active Directory - AD (Doc ID 1449132.1)
  7. Expected Issues - How To Avoid Extending The Active Directory Schema With extendAD For OVD-OID-AD-EUS 11g Integration? (Doc ID 1159337.1)
Posted by
Labels: , , , , , , , , , , , , , , ,

Thursday, May 22, 2014

Oracle Identity Mgmt 11gR2 PS2 : New features & Cloud / Mobile Strategy

Source - The live webcast on this topic by Oracle. Here are the updates -

"Oracle IdM R2 PS2 Theme  - Cloud , Mobile , Simplification"

New features in 11gR2 PS2 release  -

1) Cloud Access Portal - a web based application has been added in PS2 release which will enable admins to manage SaaS based cloud applications.
  • The login to each application will be using SSO , form-fill technologies & federation capabilities.UI adapts to  various form factors.
  • OAM Protects the resources
  • When clicked on apps , redirection to logjn page with form fill and auto login.

2)Session Management features in Oracle Privileged Account Manager (OPAM) - 

OPAM is a whole new set of functionality focused on managing administrative passwords for applications, databases and operating systems.

3) Oracle Mobile Security Suite (OMSS) -

This heavily leverages features and concepts from Oracle's Bitzer acquistion . This is a MAM (Mobile Application Management) solution.
  • The onus is on application centric security as opposed to device centric security.
  • Introduces a new concept called the Secure Mobile Workspace which containerizes all corporate applications with a single login .
  • Builds on the BYOD concept where in employees can use their personal devices / phablets to access corporate apps/data.
  • Fine grained policy control using Oracle Mobile Access/Admin Console with new features like geo-fencing , time-bound access to workspace etc.
  • Enterprise wide Identity management solution is extended to mobile devices
  • Oracle API Gateway (OAG) support for RESTful IdM services.
  • DLP Support
  • Core apps for Email, Calendar, Contacts, Tasks, Notes.

4) Oracle Mobile Authenticator

  • Adds strong authentication features for SSO enabled apps
  • Uses changing PIN every 30 seconds for registered apps
  • Integration with OAM
  • Available on Android and iOS

5) Improved & fully integrated OAuth 2.0 Support for authorization -client , server , 2 legged or 3 legged authorization.

6) Automated IdM Suite install
  • 2 hours for single node  , 8 hours for 8 node HA cluster.
  • Patching support
  • Standard builds
  • No additional license needed , feature is supposedly OTB using Wizards and components to be installed can be configured.

 General 11gR2 IdM strategy from Oracle
To provide a unified Identity Management platform for Cloud , Enterprise and Mobile Applications.

Useful Links

OMSS Webcast -
Link to this webcast
P.S. Source of images Oracle Webcast , intention only to share the information.
Posted by
Labels: , , , , , , , , , , , , , ,

Oracle Mobile Security Suite (OMSS)

Oracle launched OMSS on Feb 26th , 2014 and had a webcast few days back detailing its features. Here are few details - 
Overview -
Oracle Mobile Security Suite (OMSS) addresses the BYOD challenges by isolating corporate from personal data on consumers’ personal mobile devices without
needing to lockdown the entire device.
Oracle’s Mobile Security Container technology protects corporate apps and data and enables a Secure Enterprise Workspace that meets enterprise security
requirements without compromising user experience. It offers the most integrated solution with Windows® authentication and Oracle Access Manager
infrastructure for secure Single Sign-on (SSO) to corporate applications.
The entire solution includes -
1)A BYOD,employee-centric mobile security suite that separates personal apps from secure,“containerized” corporate
,“off-the-shelf” apps and data avoiding device lock-down.Containerized apps are Oracle and/or third -party enterprise
applications accessed by employees through the corporate network(intranet).
2) A consumer - centric mobile and social service that provides a software development kit (SDK) allowing corporate
developers to secure custom enterprise apps for Apple’s iOS and Google’s Android devices, bridging the gap between mobile devices,
social networks, and the enterprise’s backend identity management infrastructure.

Key Identifiers -

1)Comprehensive set of security policies providing strong authentication, encryption and DLP (Data Leak Prevention) controls .
2)Containerization (apps are containerized and only one time login into a container is needed).
2)Secure Enterprise Workspace which houses all the corporate apps.

3)Single Sign-on (SSO) with Integrated Windows Authentication (Kerberos and NTLM) and OAM authentication (Basic Auth and OAuth 2.0) 
4)AppTunnel that eliminates need for mobile VPN and protects from rogue apps.
5)Mobile Security Access Server is located in the DMZ which redirects unauthenticated requests to appropriate Oracle Mobile Security containers.
7)Mobile Security Admin Console for Locking , providing access , remote wipe of corporate container.
8)New and useful features like geo-fencing and time-fencing available in admin console.
9)Leverages the existing IDM Architecture - talks to Directory Services(OID/OUD/AD) , apps can be protected by OAM and/or OIF.



10)Container has OOTB apps like Secure Browser , Catalog , Mail Mgr etc.
11)OMSS can be deployed on Oracle Enterprise Linux or Microsoft Windows.
12)Android 4.x and above including 4.4/KitKat compatibility
13)The Oracle Mobile Security Suite components are distributed across the corporate DMZ and the enterprise intranet (or corporate network)
14)This is a mobile application management (MAM) solution which has various advantages over MDM(Mobile Device Mgmt) solutions like Airwatch
like separate container for coprporate apps , no requirement of device locking , data privacy etc.

Architecture - 
The recently rechristened Oracle MAF is tightly integrated with OMSS.

Useful Links -
P.S. Source of images Oracle Webcast , intention only to share the information.
Posted by
Labels: , , , , , , , , , , , , , ,

Monday, March 10, 2014

Getting Started with BPM 11g

Posted by
Labels: , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)