
Showing posts with label oud. Show all posts

Wednesday, October 5, 2016

DB Security/Enterprise User Security (EUS) : Logon Trigger for auditing LDAP user logged on to Oracle DB

Use Case
Find a way to identify the AD domain user logged into a database configured with EUS

Pre-requisite: DB users/groups have already been centralized in an LDAP directory such as Active Directory (AD) using Enterprise User Security (EUS).

Details: After logging in using sqlplus, if we issue the following SQL we still see the shared schema user (which was used to map the Oracle DB Default Domain to the LDAP container):

SQL> show user
GLOBAL_IDENT_SCHEMA_USER

Now the question is: if we see a runaway query or a transaction causing blocking, how do we tie that back to the exact external user instead of a global schema? How would we identify this information from within the Oracle Enterprise Manager (OEM) session info?


A workaround could be to issue the following SQL query:
SQL>  SELECT SYS_CONTEXT('USERENV','EXTERNAL_NAME') FROM DUAL;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=Sudipto Desmukh,cn=Users, dc=corp, dc=kdemo,dc=com

But wouldn't it be great if this were available in v$session for anyone to see in real time, without specifically issuing a SQL query?
We are able to create a logon trigger (attached) which populates the enterprise user's session information into the client_info column of V$SESSION.
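create or replace trigger sys.on_logon after logon on database
declare
  -- V$SESSION.CLIENT_INFO holds at most 64 bytes, so the DN is cut to 63 characters
  v_externalname varchar2(64);
begin
  -- EXTERNAL_NAME is the directory DN of the enterprise (EUS) user
  v_externalname := substr(sys_context('userenv','external_name'),1,63);
  if v_externalname is not null
  then
    -- A session can overwrite its own CLIENT_INFO later, so treat this
    -- as a convenience label, not a tamper-proof audit record
    dbms_application_info.set_client_info(v_externalname);
  end if;
exception
  -- An unhandled error in a logon trigger blocks logons; never let that happen
  when others then null;
end;
/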

We should now be able to pull up the blocking session information, if any, from OEM tied to this enterprise user. An illustration of the result:


Monday, August 22, 2016

EUS with OUD: ORA-28030 Network Issues -- Hosts and DNS

Use Case : Centralize database users/roles using Enterprise User Security to enable password-based authentication via Oracle Unified Directory (OUD) connecting to Active Directory.

Issue : After following all the prerequisites and steps needed to set up EUS, we get the error below while trying to connect to the DB using an AD user/password.

SQL> CONNECT username@service_name;
ORA-28030: Server encountered problems accessing LDAP directory service


DB Trace Logs show the following -
*** ACTION NAME:() 2016-08-15 13:16:50.270
*** MODULE NAME:(sqlplus@recoverdwp (TNS V1-V3))
2016-08-15 13:16:50.270
*** SERVICE NAME:(desanew)
2016-08-15 13:16:50.270
*** SESSION ID:(159.13)
2016-08-15 13:16:50.270
kzld_discover received ldaptype: OID
kzld found pwd in wallet
KZLD_ERR: Failed to bind to LDAP server. Err=-1
KZLD_ERR: -1
KZLD is doing LDAP unbind
KZLD_ERR: found err from kzldini.


Cause inference 
The OUD server, as defined in ldap.ora, is not reachable from the RDBMS server's machine. It also looks like the SASL bind requires that both forward and reverse lookups are defined in DNS for the target OUD hostname.

A database can bind to OUD by using password/SASL-based authentication. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.   

Solution
The following are the two options to fix/workaround this issue -
 
1) On the DB server, edit /etc/hosts and add the OUD host's IP address, FQDN and alias, e.g.: xxx.xxx.xxx.xxx   hostname.domain_name   hostname
This step would need to be repeated for all DB servers which need to be configured for EUS.

2) Ensure that the forward and reverse lookups are properly defined in DNS for the OUD hosts (nslookup should succeed for both IP and hostname).

This is a one-time activity and will be available for all DB servers in the network.
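The forward and reverse lookup check from option 2 can be scripted for every OUD host listed in ldap.ora. The following is an added example, not part of the original post; the sample ldap.ora content and its host names are constructed placeholders, and the function names are hypothetical.

```python
import re
import socket
import sys

# Constructed sample; host names are placeholders, not values from the post.
SAMPLE_LDAP_ORA = """\
DIRECTORY_SERVERS= (oud1.example.com:1389:1636, oud2.example.com:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""

def oud_hosts_from_ldap_ora(text):
    """Return the host names listed in DIRECTORY_SERVERS=(host:port:sslport, ...)."""
    m = re.search(r"^\s*DIRECTORY_SERVERS\s*=\s*\(([^)]*)\)", text, re.I | re.M)
    if not m:
        return []
    return [e.strip().split(":")[0] for e in m.group(1).split(",") if e.strip()]

def check_host(host, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Return a list of DNS problems for host; an empty list means both lookups agree."""
    try:
        _, _, addrs = forward(host)
    except OSError as exc:
        return [f"forward lookup failed for {host}: {exc}"]
    problems = []
    for addr in addrs:
        try:
            name, aliases, _ = reverse(addr)
        except OSError as exc:
            problems.append(f"no reverse (PTR) record for {addr}: {exc}")
            continue
        # The reverse answer must name the same host that ldap.ora points at.
        names = {n.lower().rstrip(".") for n in (name, *aliases)}
        if host.lower().rstrip(".") not in names:
            problems.append(f"{addr} reverse-resolves to {name}, not {host}")
    return problems

if __name__ == "__main__":
    # Usage: python check_oud_dns.py path/to/ldap.ora (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDAP_ORA
    for h in oud_hosts_from_ldap_ora(text):
        issues = check_host(h)
        print(h, "OK" if not issues else "; ".join(issues))
```

Run it on each DB server, since the result depends on that machine's /etc/hosts and resolver configuration.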

References
Note 331538.1   (Ora-7445 [Gslcoish_saslhostconnectedto()+78] Connecting as Enterprise User)
Note 1270342.1 (EUS User Can Not Login To The Database)

Tuesday, May 24, 2016

OUD/EUS - Running DBCA from the command line interface(CLI)

Use Case : To enable Enterprise User Security (EUS) to authenticate Active Directory users connecting to a database through an OUD proxy.

Typically the DBCA utility is used via the GUI to register the database with the directory service. We had a requirement to run the DBCA commands from the command line interface (CLI).

The following steps should help -

1) Create an empty wallet in the wallet's default location
mkstore -wrl . -create 

2) Run DBCA to register DB
dbca -silent -configureDatabase -sourceDB $ORACLE_SID \
-registerWithDirService true -dirServiceUserName "cn=Directory\20Manager" \
-dirServicePassword <pwd> -walletPassword <pwd>

3) Create the Database DN entry in the wallet manually using mkstore command
mkstore -wrl . -createEntry ORACLE.SECURITY.DN "cn=<SID>,cn=OracleContext,<OUD_Realm>" 


Monday, February 1, 2016

Security in the modern day Digital eXperience

What is Digital Experience (DX) ?
Digital experiences have become the cornerstone of just about every customer experience, driven in part by the rapid spread of customer activity among web, mobile, and social channels. The typical user experience has moved beyond desktop and laptop screens to an astonishing and growing array of mobile devices.
In the Oracle World, DX combines WebCenter, ADF including WC Sites, WC Content, WC Sites etc. DX Security should be a no-brainer at the end of this article.

Why do we need DX Security/Use Cases ?
  • No defined network perimeter : Network Security spend more than 67% on network security. With the digital economy demanding more collaboration and a seamless user experience, new points of control need to be introduced: user identities, permissions/access to IS etc. Cloud computing and mobile have further blurred network security. Sensitive data that was secured behind a robust enterprise firewall is now accessible via low-cost smart phones.

  • Transformation of the perimeter : “Businesses now invest in security rather than spend on it. Security architects need to design security systems that complement business policies and processes.” - Chris Gavin, vice president, Information Security, Oracle. 
  • A “trust but verify” approach to both enable productivity and address security governance requirements. The objective is to establish one consistent security framework underlying all information systems. Because users and sensitive data are part of every transaction, identity management and database security are the common denominators of addressing most security requirements. 

  • Re-architecture of IT within organizations : Most services are being performed via software solutions that are architected in the cloud rather than on-premises requiring real-time exchange of accurate information. Organizations rely on identity management technology to facilitate dynamic trust relationships and support regulatory compliance requirements. 
  • Risk-Aware Architectures : Security architects are tasked with developing “risk-aware” architectures that factor in legal liabilities, the privacy of partner and customer data, and regulatory requirements. These security policies ensure that the organization is ready for internal and external audits.
  • Mobile Security :
    o   By 2020, 80 percent of access to the enterprise will be via mobile devices and other non-PC devices, up from 5 percent today.
    o   External providers will authenticate 60 percent of all users connecting with enterprises.
    o   By 2020 there will be more than 50 billion IP-enabled devices in use around the world.



  • Internet of Things (IoT) : According to Vadim Lander, chief identity architect at Oracle, there are three types of security concerns associated with the Internet of Things:
    o   Device Identity
    o   Application Identity
    o   User Identity
  • Cloud Security : Customers that contract with cloud vendors need to be able to control the identity management process for external applications and on-premises apps via single-sign-on procedures. These solutions should also make it easy to provision and de-provision users and to extend entitlement credentials from on-premises applications to cloud applications. Such controls are even more important when securing databases. According to IDC, 66 percent of today’s most sensitive data resides in relational databases.
  • Oracle Security Taxonomy as a measure of good security design : Latency and consistency are two variables used to measure good security design. The objective is to reduce the latency of change and increase consistency across systems and applications. Oracle engineers hardware and software to work together. This cohesive approach reduces the latency of change and increases consistency. By embedding security technology into every layer of the technology stack and securing the integration between layers, Oracle not only delivers better performance with a smaller footprint, it also provides better security at a lower cost.
An IDM DX Use Case : Oracle DX with API Gateway : WCC and Anti-Virus support for Check-in of Files using OAG as first line of defense.

References : I wished to summarize and set context using the following articles as source :
Security Architecture in the new Digital Experience Whitepaper (Oracle)
Enabling Secure Consumer Mobility (Kanishk Mahajan, Oracle Product Mgmt)

Wednesday, February 18, 2015

Automated Security deployment : Oracle IAM Deployment Wizard

With the release of Identity & Access Management suite 11g R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool to automate the installation and configuration of products related to the IAM suite.
This tool is named Oracle Identity and Access Management Deployment Wizard.
Key insights –
  1. Installs and configures OIM, OAM, OUD, OHS, Webgates etc. Also creates basic users and groups in OUD, and configures OUD as the identity store for OAM.
  2. You will need to download a completely separate set of software for this. The normal Identity & Access Management suite download packages won’t work. If you go to the Oracle Download page for 11.1.2.2.0, here, you will see at the bottom a section for the Deployment Repository.
  3. This 12GB package contains everything you will need: the IAM Suite, RCU, WebLogic, JDK, WebTier, WebGate (11g), SOA, OUD, and of course, the Deployment Wizard.
  4. If everything goes well, it will take approximately 6 hours to do everything. If this seems long, keep in mind that it is installing OAM, OIM and OUD, configuring them, integrating OIM and OAM, setting up LDAPSync, SSL-enabling some components, configuring OHS with Webgate, configuring WebLogic Authentication Providers, performing some light performance tuning, and doing OUD reconciliation.
  5.  Supports both Single Node & HA configurations.
Check out this blog for more details, limitations etc.!

Monday, September 22, 2014

Oracle Security : Getting Started

Oracle Identity Management (IDM) is a vast collection of products with confusing terminology, and it can be difficult to understand where to start. Hope the links below help.

Concepts
Oracle IDM Basics - (Keep clicking to navigate through entire topics)
A few simple Tutorials from Oracle to get started
Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Issues/Continuous learning of tricky use cases & finer concepts
Oracle IDM A-Team Blogs (Learn tricks of the trade)

Mapping of use cases with products

Collated IDM 11gR2 Blog Dashboard