Can we use Oracle Key Vault to Store the DB Wallet for Enterprise User Security(EUS) ?

Oracle Key Vault (OKV) enables customers to easily deploy encryption and other security solutions by offering robust, central management of encryption keys, Oracle Wallets, Java Keystores, and credential files.

Enterprise User Security (EUS) is an Oracle Database EE feature which leverages the LDAP-compliant directory services to centralize database user and role management.

While implementing EUS, we need to register the DB with the LDAP which houses the users. This process creates a DB wallet which is used to securely communicate to the LDAP.

Question is if we can use OKV to store this wallet and EUS can refer to OKV instead of wallet stored locally in the DB thereby enhancing Security.

Here's what I could find out on this -

• When we register a database to OUD using DBCA, a local wallet will always be created containing the credentials for OUD access.

• This behavior cannot be changed, however the same wallet can be uploaded to OKV for a backup using okvutil utility.

• We cannot use/get the EUS credentials directly from OKV, they will always be taken from the local wallet [i.e. sqlnet.ora will not refer to OKV wallet].

• Even if the EUS wallet is uploaded in the OKV after the DB registration, we cannot do a 'direct connection' to OKV to retrieve EUS credentials from the virtual wallet.  Such a 'direct connection' is possible with TDE wallets (OKV directly provides access to the TDE master keys). The wallets containing SSL certificates or credentials can be uploaded to OKV and downloaded at will, but client cannot be configured to use them directly from OKV.

• There is no auto sync job for the wallet (local->OKV), once the credentials change, we need to re-upload the wallet in the OKV.

DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case: 

Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB Users/Groups have already been centralized in an LDAP like Active Directory(AD) using Enterprise User Security (EUS)

Details:After logging in using sqlplus if we issue the following SQL we still see the shared schema user(which was used to map the Oracle DB Default Domain to the LDAP Container)

SQL> show user
GLOBAL_IDENT_SCHEMA_USER

Now the question is if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact  external user instead of a Global Schema? How would we identify this information from within Oracle Enterprise Manager (OEM)session info?

A workaround could be to issue the following SQL query
SQL>  SELECT SYS_CONTEXT('USERENV','EXTERNAL_NAME') FROM DUAL;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')

--------------------------------------------------------------------------------

cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this is available in v$session for anyone to see real-time without specifically issuing a SQL query ?

We are able to create a logon trigger (attached) which populates enterprise user session information to client_info of V$SESSION.

create or replace trigger sys.on_logon after logon on database 

declare 

v_externalname varchar2(64) := ''; 

begin 

SELECT substr(sys_context('userenv','external_name'),1,63) into v_externalname FROM dual; 

if v_externalname is not null 

then 

DBMS_APPLICATION_INFO.SET_CLIENT_INFO (v_externalname ); 

end if; 

end; 

/ 

We should be able to pull up the blocking session information, if any from OEM tied to this enterprise user. An illustration of the result :

References:

1) How To Know The DN Of The Users Authenticated Via Enterprise User Security (EUS) Using Audit Records (Doc ID 465674.1)

2) How to Identify users using a shared global schema in Enterprise User Security

EUS with OUD: ORA-28030 Network Issues -- Hosts and DNS

Use Case : Centralize Database Users/Roles using Enterprise User Security to enable Password-based authentication via Oracle Unified Directory(OUD) connecting to Active Directory 

Issue : After following all the pre-requistes and steps needed to setup EUS, we get the below error while trying to connect to the DB using AD user/password.

SQL> CONNECT username@service_name;
ORA-28030: Server encountered problems accessing LDAP directory service

DB Trace Logs show the following -
*** ACTION NAME:() 2016-08-15 13:16:50.270
*** MODULE NAME:(sqlplus@recoverdwp (TNS V1-V3)) 2016-08-15 13:16:50.270
*** SERVICE NAME:(desanew) 2016-08-15 13:16:50.270
*** SESSION ID:(159.13) 2016-08-15 13:16:50.270
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=-1
KZLD_ERR: -1
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.

Cause inference 
The OUD server, as defined in ldap.ora, is not reachable from the RDBMS Server's machine. Also looks like the SASL bind requires that both forward and reverse lookup are defined in DNS for the target OUD hostname.

A database can bind to OUD by using password/SASL-based authentication. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.   

Solution
The following are the two options to fix/workaround this issue -
 
1) Edit  file /etc/hosts and add the IP address to the DB Server, FQDN and alias, eg:xxx.xxx.xxx.xxx   hostname.domain_name   hostname
This step would need to be repeated for all DB Servers which need to be configured for EUS.

2) Ensure that the forward and reverse lookup are properly defined in the DNS  for OUD Hosts. (nslookup should succeed for both IP and HostName)
This is a one-time activity and will be available for all DB Servers in the network

References
Note 331538.1   (Ora-7445 [Gslcoish_saslhostconnectedto()+78] Connecting as Enterprise User)
Note 1270342.1 (EUS User Can Not Login To The Database)

OUD/EUS - Running DBCA from the command line interface(CLI)

Use Case : To enable Enterprise User Security (EUS) to authenticate Active Directory users to connect to a Database using a OUD Proxy.

Typically the DBCA utility is used via the GUI to register the database with the directory service. We had a requirement to run the DBCA commands from the command line interface (CLI).

The following steps should help -

1) Create an empty wallet in the wallet's default location

mkstore -wrl . -create 

2) Run DBCA to register DB

dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
-registerWithDirService true -dirServiceUserName "cn=Directory\20Manager" \
-dirServicePassword <pwd> -walletPassword <pwd>

3) Create the Database DN entry in the wallet manually using mkstore command

mkstore -wrl . -createEntry ORACLE.SECURITY.DN "cn=<SID>,cn=OracleContext,<OUD_Realm>" 

References

Support Note 808139.1

OAM : Oracle Traffic Director Licensing for Oracle Access Portal

Starting with Oracle Access Manager (OAM) 11.1.2.2.x , the license includes Oracle Access Portal Service.

What is Oracle Access Portal (OAP) ?
The Access Portal Service is a hosted single sign-on proxy service that enables intranet and extranet applications with Oracle's form-fill single sign-on technology. Web Logon Manager, available as a standalone download from Oracle Support, provides end-users with the ability to create, modify, and delete application credentials as well as log on to provisioned applications through both desktop and mobile browsers. Available from 11gR2 PS2.

What is Oracle Traffic Director(OTD)  ? 
Oracle Traffic Director is a fast, reliable, and scalable layer-7 software load balancer. The architecture of Oracle Traffic Director enables it to handle large volumes of application traffic with low latency. The product is optimized for use in Oracle Exalogic Elastic Cloud and Oracle SuperCluster.

OTD and OAP
For enabling the Oracle Access Portal Service, Oracle traffic Director (OTD) is mandatory as it intercepts user connections to the target application and provides path-proxy and DNS-proxy functionality, allowing for path and DNS rewriting.  It also hosts the WebGate plugin.

OTD Licensing for OAP
Though OTD is primarily licensed only for Exalogic , following are exceptions -

• The Oracle Traffic Director portion of the Oracle Access Portal is restricted to the following features: High Availability Virtual IP, Access Manager WebGate, and Origin Server Load Balancing to WebLogic Server.
• IDM Oracle Access Portal (OAP) license entitlement now includes OTD to be a front-end on Oracle Enterprise Linux 5.6+, Redhat Enterprise Linux 5.6+ and Solaris (SPARC, x64) 11.1+.
  Access Management Licensing - http://docs.oracle.com/cd/E29542_01/doc.1111/e14860/im_options.htm#FMWLC240

Reference :

http://docs.oracle.com/cd/E28280_01/doc.1111/e14860/im_options.htm#FMWLC239

Is Oracle Traffic Director (OTD) Available/Licensed to use for a Non Exalogic setup? (Doc ID 1500970.1)

OID : Deleting OID/OPMN instances

One can face weird issues due to OID Instances not being deleted the right way. Simply deleting them from the file system or from OID might not be enough as there are entries that stay on the ODS Schema of the Database.
This can cause unforseen issues like delay in OID restarts (ldapbind fails for few mins even though instance shows up as ALIVE) or weird issues like referential integrity working intermittenly in OID/OIM.

It is highly recommended to remove an Oracle Internet Directory component by using opmnctl deletecomponent. This also unregisters the component with the WebLogic server.

Syntax :

$ORACLE_INSTANCE/bin/opmnctl deletecomponent
  -adminHost webLogicHostName
  -adminPort webLogicPort
  -adminUsername weblogicAdminUsername
  -adminPasswordFile text_file_containing_admin_password
  -componentType OID
  -componentName componentName

Sample for removing an instance named oid4
export ORACLE_INSTANCE=/u01/app/oracle/admin/config/oid_inst_3/
$ORACLE_INSTANCE/bin/opmnctl deletecomponent \
  -adminHost <wl_server_Name> \
  -adminPort 7001 \
  -adminUsername weblogic \
  -adminPasswordFile adminpass.txt \
  -componentType OID \
  -componentName oid4

Reference - https://docs.oracle.com/cd/E16764_01/oid.1111/e10029/oid_server_instances.htm#BABDJABF

Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.

This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)

This is no different from invoking a web application on a desktop or a laptop. Would use Oracle Access Manager(OAM) based SSO alongwith OHS+Webgate.

2) Security for Native/Hybrid mobile applications on personal devices 

(Leveraging existing IDM Platform)

This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).

Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 

(MDM or Mobile Device Management)

This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 

(MAM or Mobile Application Management)

This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detailed at my blog on OMSS here.

Image Courtesy : Oracle Document

OAM : Custom Login Page Times out after 15 mins (Prior to User Login)

Product Versions : 
OAM 11.1.2.2.0, OHS 11.1.1.7 , Webgate for OHS - 11.1.2.2, Weblogic Server 10.3.6
Single Sign On implemented with WebCenter Custom Portal & WebCenter Content 11.1.1.8
A custom login page was used instead of the OOTB Login Page provided by Oracle.

Issue Summary : 

If User stays idle on custom login page (without having logged in) for  more than 15 mins and then tries to login, he is redirected to a blue screen/error page which says 'System error, please contact your administrator'

Error Logs -

Error occurred while handling the request.

Supplemental Detail     java.lang.RuntimeException:   Authentication request Timed out. Eapsed time in min: 79560 at oracle.security.am.controller.BaseRequest.updateObjectWithCachedMap(BaseRequest.java:482)

  

Note - 
If the user logs in to the application before 15 mins, the SSO enabled application honours the timeout values:

Webgate level 'Max Session Time' = 60 mins

OAM Console - Common Settings 'Idle Timeout' = 65 mins

The user has connected to the custom authentication page but not logged in yet. So there is no user session yet. The user just idles for a while and then attempts to login and gets the error - The 'Idle Timeout' is only applicable to logged-in sessions. The timeout we are hitting is the 'Request Time Out' which is somehow hardcoded by Oracle to 15 mins.

Solution :
This is a pretty weird Oracle Bug ! Workaround is as follows :

Add a meta tag such as following one behind <head> in the custom login page.
    <meta http-equiv="refresh" content="890; URL=http://host.example.com/public/public.html">
The Http mechanism for a meta tag is described on:  http://www.w3schools.com/tags/att_meta_http_equiv.asp

The time value of 890 seconds comes from :
The idle time of 15 minutes set by OAM minus 10 seconds, that is:
         => (15*60=900)  minus (tolerance time of 10 second)
If the user stays now for 890 seconds on the custom login page, the browser will bring him back to a public page as defined with URL  (http://host.example.com/public/public.html).

References : Doc Id 1908294.1

OAM Single-Sign-On (SSO) Deployment Architecture : Best Practice

Recently I came across couple of OAM Deployment Architectures which have been implemented and can potentially cause multiple issues - 

• Using the same OHS Instance which has a webgate deployed on it for reverse proxy to OAM Servers in addition to the target application which needs to be protected (e.g. WebCenter)
• Front-ending OAM Servers directly with an external Load Balancer(LBR) skipping the Web Server layer altogether

Ideally, OAM should be front-ended by a web server/OHS instance of it's own to 

• Allow separate streams of HTTP traffic(in addition to one for Application) 
• Scale the SSO architecture to other target applications - 
• In case the same OAM Server is used for a new application which needs to be SSO enabled as well, the standalone OHS which just services requests to OAM (and doesn't have any webgate on it) is a must!
• This would also ensure that any files needed to be cached (like javascript, css etc) for any OAM related applications can be cached at the OHS layer

(Image Courtesy : A-Team Blog) 

If we have to use a Load Balancer(LBR) to directly front-end the OAM Server instead of an intermittent OHS(probably due to cost constraints), we should have this LBR within the corporate network (in addition to an external LBR which front-ends the other OHS instance(s) for applications) and not in the DMZ to prevent the security risk of an external LBR based in the DMZ exposing the OAM located in the Application Tier directly.

Courtesy  :
1) Forum Post which was logged as few items in the A-Team blog mentioned below were not crystal clear
2) A-Team Blog

How to create new Admin users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having more privileges than are needed certain admin functions having access to multiple realms on OID. 

While there is no documented way to create a second superuser for OID, like cn=orcladmin. But, a user with the same privileges as the realm Admin (cn=orcladmin,dc=<companyName,dc=com) can be created and used for the following use cases : 

• Use in OAM Console for Identity Store credentials
• Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
• Any kind of CRUD based LDAP APIs used in Java Code
• Separate password policies can be created for these users which are different from the cn=orcladmin superuser etc.

This user can be created as follows : 

1. Create an LDIF file with the following content
   dn: cn=myadmin,cn=Users,dc=oracle,dc=com
   givenname: myadmin
   sn: myadmin
   cn: myadmin
   uid: myadmin
   mail: myadmin@oracle.com
   objectclass: top
   objectclass: person
   objectclass: inetOrgPerson
   objectclass: orclUser
   objectclass: orclUserV2
   objectclass: organizationalPerson
   
   
   
2. Run ldapadd
   ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>

        Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

3.  Confirm that you are able to bind successfully as the newly created user

  ldapbind -h <OID_host> -p <OID_port> -D      "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

4. Get the existing group memberships for the orcladmin user

  ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w    <password> "<DN_of_orcladmin>" "dn"

Alternatively use 'Import' feature in Data Browser tab of ODSM to import the SuperUser.ldif file attached (essentially contains the all groups to be added for a Realm Admin in LDIF format)

Reference : Doc ID 454796.1

Good reads : 

1) Creating read-only users in OID
2) How to unlock superuser cn=orcladmin account in OID

Creating Read-Only Users in Oracle Internet Directory (OID)

A lot of us end up using the superuser 'cn=orcladmin'  to connect to OID for all use-cases.

Certainly this is not the best practice as the superuser 'cn=orcladmin' is a privileged user having way more privileges than are needed for non-admin functions. We should create read-only LDAP users for the following use cases :

• LDAP Monitoring at the F5/Load Balancer level (LDAP health check using ldapbind) 
• Use for username/password for Authenticators in Weblogic Console (which are for only authentication purposes)
• Providing ODSM login capability to non-admin users to view the LDAP Tree (based on allowed ACLs)
• Any kind of query only LDAP APIs used in Java Code
• Separate password policies can be created for read-only users which are different from superusers/realm-admins

Only three tabs are visible in ODSM for read-only users : Home, Data Browser, Schema.

Security and Advanced tabs are not visible.

One of the ways in which the read-only users can be created is : 

1. Create a text file (e.g., readonly.ldif) with the following:
   dn: cn=readonly, cn=Users,< subscriber domain >
   userpassword: < password >
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   mail: readonly
   givenname: readonly
   uid: readonly
   description: account to have readonly access
   sn: readonly
   cn: readonly

 2. Load the above file with ldapadd command :
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif

Alternatively, we can use the 'Import' function available in Data Browser tab in ODSM .

The key is to make sure the user is not a member of any groups.

3. Check Group Memberships:

To verify the user is NOT a member of any group, issue the following search:

ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"

4.Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>

Reference : Doc ID 746612.1

Good read : How to unlock superuser cn=orcladmin account in OID

Recognized by Oracle as an ACE Associate

I am happy to share with you that I have been recognized by Oracle as an Oracle Associate ACE effective December 2014.

The Oracle ACE program select group of 500+ community advocates across all Oracle Technologies worldwide. 
I was primarily chosen for my experience across ADF, IDM, BPM and contributions with Oracle FMW on the Oracle Technology (OTN) Forums (Guru Level) apart for my contrbutions to the community via my technical blogs on this website.

Checkout my Oracle ACE Profile.

Know more about the Oracle ACE Program.

I am grateful to Oracle for recognizing my efforts towards the community over the last 4+ yrs ; this helps me strive further to make a difference and share my knowledge. After all, knowledge sharing is POWER !!