
Oracle9i Security New Features

Security Myths

Oracle Answers to Security Questions

Oracle9i Proxy Authentication Enhancements

Proxy Authentication Enhancements

The introduction of n-tier authentication (also known as Proxy Authentication) provides several benefits:
o Eliminates super-privileged middle tiers
o Preserves user identity throughout the application
o Provides scalability through lightweight OCI and JDBC connections
o Provides accountability through audit of connections on behalf of the real user

Oracle9i Secure Application Role

Secure Application Role

In Oracle8i, we introduced the idea of application context, essentially allowing each PL/SQL package to have its own space of session variables. Secure application role in Oracle9i uses a similar concept of authentication to allow users to enable roles through PL/SQL packages, without supplying a password. This feature is a significant proxy authentication enhancement.

The SET ROLE command ensures that only the trusted package is consulted. The package can do the desired validation to ensure that the appropriate conditions are in place before the role is set. For example, in a three-tier system in which proxy authentication is used, the package can access the PROXY_USER attribute of the user session (using the 'USERENV' naming context) before allowing SET ROLE to proceed. The result is that users who connect to the database by proxy (through the application) have the role enabled and can therefore access the data, while users who connect directly to the database do not get the role enabled and therefore see no data through privileges granted to the role.
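The following SQL and PL/SQL is an added example, not from the presentation and not Oracle's own sample code; it ties the proxy authentication and secure application role sections together. A middle-tier account is allowed to connect on behalf of a real user, a role is bound to a trusted package that checks the PROXY_USER attribute before enabling it, and the middle tier's actions on behalf of the user are audited. The user, schema, role and package names (jeff, appserver, hr_sec, hr_app_role) are hypothetical.

```sql
-- Added example (hypothetical names): proxy authentication plus a secure
-- application role that is enabled only for sessions proxied by the middle tier.

-- 1. Let the middle-tier account connect on behalf of the real user.
ALTER USER jeff GRANT CONNECT THROUGH appserver;

-- 2. Trusted package: the only path by which the role can be enabled.
CREATE OR REPLACE PACKAGE hr_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_sec;
/
CREATE OR REPLACE PACKAGE BODY hr_sec AS
  PROCEDURE enable_hr_role IS
  BEGIN
    -- PROXY_USER is NULL for a direct connection and holds the middle-tier
    -- account name for a proxied one; only the latter gets the role.
    IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APPSERVER' THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role can only be enabled through the application tier');
    END IF;
  END enable_hr_role;
END hr_sec;
/

-- 3. Bind the role to the package: no password, SET ROLE works only via hr_sec.
CREATE ROLE hr_app_role IDENTIFIED USING hr_sec.enable_hr_role;
GRANT hr_app_role TO jeff;
ALTER USER jeff DEFAULT ROLE ALL EXCEPT hr_app_role;
GRANT EXECUTE ON hr_sec TO jeff;

-- 4. Accountability: audit what the middle tier does on behalf of the real user.
AUDIT SELECT TABLE BY appserver ON BEHALF OF jeff;
```

The application tier, after opening its proxied session for jeff, calls hr_sec.enable_hr_role; a user who connects directly as jeff can call the same procedure but receives the error, so privileges granted to hr_app_role are never reachable outside the application path.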

Secure Application Role

Secure Application Role

The secure application role can be granted globally or locally. That is, the secure application role can be granted to the user by creating the appropriate entry in Oracle Internet Directory (part of the Enterprise User Security feature of Oracle Advanced Security). The role can also be granted locally for database users.

Public Key Infrastructure

What is PKI?

PKI is a standards-based, interoperable technology based on X.509 certificates that scales to the Internet and millions of users. Oracle uses a non-Oracle Certificate Authority such as Entrust, VeriSign, or Baltimore in its PKI implementation. Many Certificate Authorities support Oracle Internet Directory as a repository for publishing CA information such as certificates and certificate revocation lists. Authentication and secure session key management are accomplished using Secure Sockets Layer (SSL).

Public Key Infrastructure Tools

Public Key Infrastructure Tools

Authentication systems based on public key cryptography systems issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without direct involvement of an authentication server. Oracle provides a public key infrastructure (PKI) for using public keys and certificates. Features include:
o Oracle Wallet Manager 3.0, a standalone Java application used to manage and edit the security credentials in Oracle wallets. Oracle wallets are data structures that contain a user private key, a user certificate, and a set of trust points (the list of root certificates the user trusts).
o Integration with Entrust PKI, providing full certificate life cycle management and certificate revocation list (CRL) checking
o Oracle Enterprise Login Assistant, used to open and close wallets, to update centrally managed wallets and passwords in Oracle Internet Directory, and to enable or disable secure SSL connections.

Oracle Wallet Enhancements

Oracle Wallet Enhancements

Oracle Wallet Manager supports multiple certificates (and multiple private keys) in each wallet. You can store Oracle wallets in Oracle Internet Directory or in the Windows Registry in addition to the file system. Oracle Wallet Manager and Enterprise Login Assistant can read wallets from the file system or from the Windows System Registry. Benefits include:
o Enhanced security
o Easier administration of users and their credentials

Additional PKI Interoperability

PKI Interoperability

Since PKCS#12 is a PKI standard for credential storage, Oracle can now support downloadable, machine-independent wallets. The same wallet and PKI credentials can be used for the browser and for Oracle Wallet (requires export/import in PKCS#12 format). This added functionality enables interoperability with browsers such as Netscape and Internet Explorer. Now that Oracle Wallets are compatible with browser wallets, customers no longer have to purchase two different sets of PKI credentials.

Oracle Internet Directory Support for Wallets

OID Support for Wallets

An Oracle wallet can be stored in Oracle Internet Directory. Oracle Wallet Manager can upload wallets to and retrieve them from Oracle Internet Directory. Storing wallets in a centralized directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. Oracle Advanced Security is tightly integrated with OID, which can act as a gateway to synchronize data with other LDAPv3-compliant directories, if needed.

Oracle Wallet Enhancements

Oracle Wallet Enhancements

Oracle Wallet Manager supports multiple certificates for a single digital entity, where each certificate can be used for a set of Oracle PKI certificate usages, but the same certificate cannot be used for all such usages. There must be a one-to-one mapping between certificate requests and certificates. The same certificate request cannot be used to obtain multiple certificates installed in the same wallet.

KeyUsage Values

KeyUsage Values

Oracle Wallet Manager uses the X.509 V3 extension KeyUsage to define Oracle PKI certificate usages. When installing a certificate (user certificate, trusted certificate), Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages.

You should obtain certificates from the certificate authority with the correct KeyUsage value for the required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

Wallet Password Management

Oracle Wallet Password Enhancements

Enhanced wallet password management can enforce policy guidelines such as:
o Minimum password length
o Maximum password length unlimited
o Alphanumeric character mix required

Multiple Wallet Formats

Supported Wallet Formats

In addition to Oracle Wallets, Oracle Advanced Security also supports Entrust profiles and Microsoft Certificate Store.

Oracle Wallets and Windows

Oracle Wallets and the Windows Registry

Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows System Registry (for Windows 95/98/ME/NT 4.0/2000), or in a Windows file management system. Storing your wallets in the registry provides the following benefits:
o Better Access Control: Wallets stored in the user profile area of the registry are only accessible by the associated user. User access controls for the system thus become, by extension, access controls for the wallets. In addition, when a user logs out of a system, access to that user's wallets is effectively precluded.
o Easier Administration: Because wallets are associated with specific user profiles, no permissions need to be managed, and the wallets stored in the profile are automatically deleted when the user profile is deleted. Oracle Wallet Manager can be used to create and manage the wallets in the registry, and the wallets are accessible by Oracle Enterprise Login Assistant as well.
o Improved Security: Because the wallets are embedded in the registry, the wallets associated with a particular user profile are transparent to all other users. Viewed in combination with better access control and easier administration, this amounts to an additional security layer for Oracle wallets.

Options Supported:
o Open wallet from the Registry
o Save wallet to the Registry
o Save As to a different Registry location
o Delete wallet from the Registry
o Open wallet from the file system and save it to the Registry
o Open wallet from the Registry and save it to the file system

Single Sign-On

Single Sign-On

Oracle Advanced Security single sign-on authenticates the user once upon initial connection, with strong authentication occurring transparently in subsequent connections to other databases or services. Using single sign-on, users can access multiple accounts and applications with a single password. Oracle Advanced Security supports many forms of two-tier single sign-on with strong authentication, including:
o Kerberos
o PKI-based
o Entrust integration
o DCE

Single Sign-On capabilities are extended to Web-based applications and external or legacy applications through Oracle Login Server. Oracle Advanced Security also provides SSL-based single sign-on for Oracle users by integrating with Oracle Internet Directory. The combination of integrated directory services through OID and Oracle's PKI implementation enables SSL-based single sign-on to Oracle9i databases. Single sign-on lets users be authenticated once, with subsequent connections relying on the user's digital certificate. In addition, this integration model provides a single point of password management throughout the enterprise.

Single Sign-On for Web Applications

Single Sign-On Integration

Single Sign-On Integration

The login server is able to authenticate the user credentials against multiple kinds of password stores that are configured by the administrator. Fundamentally, the interfaces that the login server uses to verify the user's name against the password are the same, but the underlying adapters differ. These password stores can be existing database accounts, table lookups, or other external repositories like Oracle Internet Directory (OID). If the store is existing database accounts, the login server verifies whether it can bind to the database with the user id and password specified. The rest of the information needed for user validation and management, such as last password change, is stored in other tables in the schema.

In the second case, the login server looks up the user in tables in its own schema containing user credentials. The incoming password is one-way hashed and compared against the entry in the table. In the third case, the login server looks up the user credentials in an external repository like OID. LDAP servers, typically being the central repositories for the enterprise, store user credentials. In such a case, the login server invokes the LDAP C-API to bind to LDAP to verify the credentials and then fetches some attributes.

Single Sign-On with Partner Applications

Single Sign-On With Partner Applications

In practice, the user points the browser to a portal providing access to all the organization's SSO-enabled (partner) applications. The user is then challenged by the login server for the proper credentials. If the credentials are authenticated, the login server redirects the user back to the application along with a URL cookie containing some application-specific SSO information.

Single Sign-On with External Applications

External Applications

The user is responsible for maintaining the contents of his or her entries in the wallet. The administrator would be responsible for providing mapping information for foreign applications.

Directory Service Integration

Oracle Directory Integration Platform

The Oracle Directory Integration platform enables you to synchronize various directories with Oracle Internet Directory. It also makes it easier for third-party metadirectory vendors and developers to develop and deploy their own connectivity agents.

Metadirectories synchronize information between all enterprise directories, forming one virtual directory. This centralizes administration, thereby reducing administrative costs, and it ensures that data is consistent and up-to-date across the enterprise. Oracle Directory Integration platform enables you to:
o Import data from connected directories into Oracle Internet Directory, either all at once or incrementally
o Export data from Oracle Internet Directory into connected directories, either all at once or incrementally
o Synchronize all or part of the data in a connected directory with Oracle Internet Directory

Synchronization is bi-directional. Changes in Oracle Internet Directory are exported to connected directories, and changes in connected directories are imported into Oracle Internet Directory.

Oracle Directory Integration Server

Oracle Directory Integration Server

The Oracle directory integration server is a multithreaded daemon server process. It is the central component of Oracle Directory Integration platform. It performs:
o Scheduling: Running a directory integration agent at a time you specify
o Mapping: Executing rules for converting data between connected directories and Oracle Internet Directory
o Error handling

Multiple integration servers can exist on different systems. Multiple instances of the directory integration server may be run concurrently on the same computer. Each instance has a configuration set entry listing the agents the Oracle directory integration server instance is to run.

Directory Integration Agents

A directory integration agent is a program that synchronizes data between Oracle Internet Directory and connected directories. When it synchronizes the data, it does one or more of the following:
o Exports changes out of Oracle Internet Directory
o Imports changes into a connected directory
o Exports changes out of a connected directory
o Imports changes into Oracle Internet Directory

Depending on how it is deployed in the Oracle Directory Integration platform, an agent can be either a partner agent or an external agent. Partner agents run under the control of the Oracle directory integration server, meaning that the Oracle directory integration server performs scheduling, data mapping, and error handling for them. Before deploying a partner agent, you register it in Oracle Internet Directory. This registration involves creating a directory integration profile in the directory. To create the profile, you can use either Oracle Directory Manager or command-line tools. A partner agent uses either an import file or an export file to exchange data between a connected directory and Oracle Internet Directory. At execution time, partner agents may use additional agent configuration information stored in Oracle Internet Directory. Unlike partner agents, external agents are independent of the Oracle directory integration server. The Oracle directory integration server performs neither scheduling nor data mapping for them. External agents do not need to register with Oracle Internet Directory.

Typically, external agents are used when a third-party metadirectory solution is integrated with the platform. The third-party metadirectory solution uses its own metadirectory engine to perform mapping and scheduling.

Summary
