
Using Proxy Authentication

Copyright © 2009, Oracle. All rights reserved.


Objectives

After completing this lesson, you should be able to do the following:
• Describe how proxy authentication works
• Manage users authenticated by proxy authentication
• Audit users authenticated by proxy



User Authentication

Identify the user in the following ways:


• Basic authentication
– Database user identified by a password
– Database user identified by the operating system
• Strong authentication
• Enterprise User Security
• Proxy authentication



Security Challenges of Three-Tier Computing

• Identify the real user
• Authenticate the end user to the database
• Restrict the privileges of the middle tier

[Figure: User → Application server → Database]


Identifying the Real User

• The database needs the end-user identity for the following security functions:
– Authentication
– Data access control
– Auditing
• Application-level security requires that:
– Security must be coded in every application
– Applications must be the only method to access the data

[Figure: User → Application server → Database; an Abuser is also shown]


Common Implementations of Authentication

• Pass through: The user is unknown to the application.
• One big-application user: The user is unknown to the database.
• Other methods:
– The user is reauthenticated to the database.
– The user is identified to the database.
– The user is proxied.

[Figure: User → Application server → Database]


User Reauthentication

Types of authentication in three-tier systems:


• Middle tier-to-database authentication
• Client-to-middle tier authentication
• Client reauthentication through the middle tier to the
database:
– Does the end user need to log in multiple times?
– Can the end user’s database account information be stored in
the application?
– Can the user be authenticated by using Lightweight Directory
Access Protocol (LDAP)?
– Point-to-point protocols, such as secure sockets layer (SSL),
can authenticate to only one node.
• Single authentication



Restricting the Privileges of the Middle Tier

• Middle tier with high privileges:
– Connects with one database user for all application users
– Has all privileges for all application users for all connections
– Does not identify the end user to the database
• Middle tier with limited privileges:
– Adjusts privileges by user identity
– May identify user to database



Implementing Proxy Authentication Solutions

Proxy authentication solutions depend on the type of the end user:
• Known to the database:
– Database user and enterprise user
– Possible to reauthenticate to the database
– Auditing actions taken on behalf of the real user
• Unknown to the database:
– End user known only to the application
– Support for application-user models
– Limiting the privilege of the middle tier



Authenticating Database and Enterprise Users
• Use Oracle Call Interface (OCI) or Java Database
Connectivity (JDBC).
• The authentication process includes the following steps:
1. The client authenticates to the middle tier.
2. The middle tier authenticates to the database.
3. The middle tier creates the end user’s session.
4. The database verifies that the middle tier can:
— Create the session for the user
— Assign the roles assigned to the user
• Database users can be:
– Authenticated to the application server
– Reauthenticated to the database



Using Proxy Authentication for Database Users

• Authenticate the user without a database password:
  ALTER USER phall
  GRANT CONNECT
  THROUGH APPSVR;
• Authenticate the user with a database password:
  ALTER USER phall
  GRANT CONNECT
  THROUGH APPSVR
  AUTHENTICATION REQUIRED PASSWORD;


Using Proxy Authentication for Enterprise Users

• Authenticate the user with a distinguished name:
  ALTER USER phall
  GRANT CONNECT THROUGH APPSVR
  AUTHENTICATED USING DISTINGUISHED NAME;
• Authenticate the user with a certificate:
  ALTER USER phall
  GRANT CONNECT THROUGH APPSVR
  AUTHENTICATED USING CERTIFICATE
  TYPE 'X.509' VERSION '3';


Proxy Access Through SQL*Plus

Proxy access through SQL*Plus when:
• User is known to the database
  CONNECT APPSVR[PHALL]/appsvr_pwd
• User is unknown to the database (Enterprise User Proxy)
  CONNECT rajeev[APPSVR]/rajeev_pwd
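The grant, connect and check steps of the last three slides, carried through as one SQL*Plus script. This is an added example, not part of the Oracle lesson; it covers the database-user case (the enterprise-user variants use the AUTHENTICATED USING clauses shown above). The names APPSVR, PHALL, HR_CLERK, PAYROLL_ADMIN and HR.EMPLOYEES are assumed, as is a DBA session for the setup steps; the password strings are placeholders.

```sql
-- Added example (not from the lesson). Assumed names: APPSVR is the
-- middle-tier account, PHALL the end user, HR_CLERK and PAYROLL_ADMIN are
-- roles, HR.EMPLOYEES a table; the *_CHANGE_ME strings are placeholders.

-- 1. The middle-tier account may open sessions and nothing else, so a
--    compromised application server holds no data privileges of its own.
CREATE USER appsvr IDENTIFIED BY appsvr_pwd_CHANGE_ME;
GRANT CREATE SESSION TO appsvr;

-- 2. The end user holds two roles; the application needs only one of them.
CREATE USER phall IDENTIFIED BY phall_pwd_CHANGE_ME;
GRANT CREATE SESSION TO phall;
CREATE ROLE hr_clerk;
GRANT SELECT ON hr.employees TO hr_clerk;
CREATE ROLE payroll_admin;
GRANT hr_clerk, payroll_admin TO phall;

-- 3. Let APPSVR proxy for PHALL, restricted to the one role the app needs.
--    Adding AUTHENTICATION REQUIRED would also force the proxy to present
--    PHALL's credential; that needs an OCI or JDBC client, so it is left
--    out of this SQL*Plus walk-through.
ALTER USER phall
  GRANT CONNECT THROUGH appsvr
  WITH ROLE hr_clerk;

-- 4. Confirm the grant in the data dictionary (one row per permitted role).
SELECT proxy, client, authentication, authorization_constraint, role
  FROM dba_proxies
 WHERE client = 'PHALL';
-- APPSVR  PHALL  NO  PROXY MAY ACTIVATE ROLE  HR_CLERK

-- 5. Open the proxy session: the proxy's password authenticates, but the
--    session belongs to the client named in the brackets.
CONNECT appsvr[phall]/appsvr_pwd_CHANGE_ME

-- 6. Checks the application (or an investigator) can run in that session.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_usr
  FROM dual;
-- PHALL  APPSVR

SELECT role FROM session_roles;
-- HR_CLERK only: PAYROLL_ADMIN is not activatable through this proxy.

-- A proxy session cannot step outside the WITH ROLE list, so this is refused.
SET ROLE payroll_admin;
```

Run steps 1 to 4 as a DBA, then steps 5 and 6 from the same SQL*Plus session. The point to take from step 6 is that PROXY_USER is the value to key detection and audit review on: a session whose SESSION_USER is an end user but whose PROXY_USER is empty came in directly, not through the application tier.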


Enterprise User Proxy

Use enterprise users with current applications.
• Let the directory authenticate the users.
• Connect as a database user.
  CONNECT george[APPSVR]/george_pwd

[Figure: the george[APPSVR] connection, labelled with the enterprise user george and the database user APPSVR]


Enterprise User Proxy: Example

[Figure: enterprise users Rajeev and Jim each connect to PARTS_DB through the database user PARTS_GUEST]
  CONNECT RAJEEV[PARTS_GUEST]/pwd
  CONNECT JIM[PARTS_GUEST]/pwd


Revoking Proxy Authentication

• Revoke proxy authentication through a middle tier:
  ALTER USER phall
  REVOKE CONNECT THROUGH APPSVR;
• Do not use the AUTHENTICATED USING or AUTHENTICATION REQUIRED clause with REVOKE.


Application-User Model

• Use the OCI, thin JDBC, or thick JDBC.
• End-user identity is set by the middle tier.
• The authentication process is as follows:
1. The middle tier authenticates to the database.
2. The end user authenticates to the middle tier.
3. The middle tier allocates a session to the user, identifying the
user with client_identifier.
4. Optionally, the middle tier can enable roles to restrict the
privileges of the user.
• Examples:
– Certificate
– Application username and password
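Steps 3 and 4 of the application-user model, shown in plain SQL so the mechanism is visible without an OCI or JDBC client. This is an added example, not part of the Oracle lesson; the OCI and JDBC drivers set the same attribute through their own session APIs. The middle-tier account APPSVR, the application-level user name alice@corp and the role PARTS_VIEWER are assumed.

```sql
-- Added example (not from the lesson). Assumed: APPSVR is the only
-- database account the application uses; "alice@corp" is an end user the
-- application authenticated itself; PARTS_VIEWER is a role granted to
-- APPSVR but not enabled by default.

-- Step 3: after the application has authenticated Alice, the middle tier
-- tags the pooled session with her identity.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice@corp');
END;
/

-- Anything in the session that needs the real user can read the tag.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS db_user,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS app_user
  FROM dual;
-- APPSVR  alice@corp

-- So can an administrator looking at live sessions from another session;
-- the same value is carried into the audit trail's CLIENT_ID column.
SELECT sid, username, client_identifier, program
  FROM v$session
 WHERE username = 'APPSVR';

-- Step 4 (optional): narrow the pooled session to what this user may do.
-- ALTER USER appsvr DEFAULT ROLE NONE; (run once by a DBA) keeps roles off
-- until the middle tier turns on the right one here.
SET ROLE parts_viewer;

-- Before the session goes back to the pool, clear the tag and drop the
-- role so the next borrower is neither misattributed nor over-privileged.
SET ROLE NONE;
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```

The caveat a reviewer should keep in mind: CLIENT_IDENTIFIER is asserted by the middle tier, not verified by the database, so any row-level policy or audit review keyed on it trusts the application server completely. That is why this model is paired with limiting the middle tier's privileges, and why the clear-on-return step matters for pooled connections.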



Data Dictionary Views for
Proxy Authentication
• DBA_PROXIES: All proxy connections
• USER_PROXIES: Connections that the current user is
allowed to proxy
• PROXY_USERS: Users who can assume the identity of other
users
• V$SESSION_CONNECT_INFO: Network connections for all
current sessions
• V$SESSION: Session-connect details:
– The PROGRAM column shows “proxy-user…”
– The MODULE column shows “proxy-user…”



Data Dictionary Views: DBA_PROXIES and USER_PROXIES

SQL> SELECT proxy, client, authentication,
  2         authorization_constraint
  3    FROM dba_proxies;

PROXY    CLIENT   AUTH AUTHORIZATION_CONSTRAINT
-------- -------- ---- ------------------------------
HRUSER   PHALL    NO   PROXY MAY ACTIVATE ROLE
APPSVR   PHALL    NO   NO CLIENT ROLES MAY BE ACTIVATED
HRUSER   PFAY     YES  PROXY MAY ACTIVATE ALL CLIENT ROLES


Data Dictionary Views: V$SESSION_CONNECT_INFO

SQL> select SID, AUTHENTICATION_TYPE,
  2         OSUSER, NETWORK_SERVICE_BANNER
  3    from v$session_connect_info where SID = 148;

SID   AUTHENTICA OSUSER NETWORK_SERVICE_BANNER
----- ---------- ------ ---------------------------------------
148   DATABASE   oracle TCP/IP NT Protocol Adapter for Linux: Version 11.1.0.6.0 - Production
148   DATABASE   oracle Oracle Advanced Security: encryption service for Linux: Version 11.1.0.6.0 - Production
148   DATABASE   oracle Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.1.0.6.0 - Production


Auditing Actions Taken on Behalf of the Real User

• Audit SELECTs on tables (the SELECT TABLE statement option, which covers tables such as EMPLOYEES) that HRAPPSERVER initiates for PHALL as follows:
  AUDIT SELECT TABLE
  BY hrappserver ON BEHALF OF phall;
• Audit SELECTs on tables that HRAPPSERVER initiates for any user as follows:
  AUDIT SELECT TABLE
  BY hrappserver ON BEHALF OF ANY;
• The BY ... ON BEHALF OF clause belongs to statement auditing; it cannot be combined with an ON object clause.
• The statements in this slide audit only SELECTs initiated by HRAPPSERVER.
• You cannot audit CONNECT ON BEHALF OF 'DN'.
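The audit rules from this slide, followed by the dictionary checks that confirm them and the query that pulls the resulting records back out. This is an added example, not part of the Oracle lesson. It assumes the proxy HRAPPSERVER, the end user PHALL and the table HR.EMPLOYEES from the slides, and that the AUDIT_TRAIL initialization parameter is set to DB or DB,EXTENDED so that records are written to the database audit trail.

```sql
-- Added example (not from the lesson). Assumed: proxy HRAPPSERVER, end
-- user PHALL, table HR.EMPLOYEES, AUDIT_TRAIL = DB or DB,EXTENDED.

-- Statement auditing scoped to one proxy/client pair, and to the proxy
-- acting for anyone. BY ... ON BEHALF OF takes a statement option such as
-- SELECT TABLE; it cannot be combined with an ON object clause.
AUDIT SELECT TABLE BY hrappserver ON BEHALF OF phall;
AUDIT SELECT TABLE BY hrappserver ON BEHALF OF ANY;

-- Confirm the options. USER_NAME = 'ANY CLIENT' marks the proxy-wide rule;
-- PROXY_NAME is NULL only for rules about direct (non-proxied) access.
SELECT user_name, proxy_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE proxy_name = 'HRAPPSERVER';
-- PHALL       HRAPPSERVER  SELECT TABLE  BY ACCESS  BY ACCESS
-- ANY CLIENT  HRAPPSERVER  SELECT TABLE  BY ACCESS  BY ACCESS

-- Reviewing the trail: USERNAME is the end user the action was taken for,
-- PROXY_SESSIONID links the record to the proxy's own session, and
-- COMMENT_TEXT records how the user was authenticated (PROXY here).
SELECT timestamp, username, proxy_sessionid, action_name,
       owner, obj_name, comment_text
  FROM dba_audit_trail
 WHERE proxy_sessionid IS NOT NULL
   AND owner = 'HR'
   AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp;

-- Gap check: the rules above say nothing about PHALL reading the table
-- directly, bypassing the application. Audit that path separately if the
-- threat model (see "Identifying the Real User") requires it.
AUDIT SELECT TABLE BY phall;

-- Removing the proxy-scoped rules uses the same clause.
NOAUDIT SELECT TABLE BY hrappserver ON BEHALF OF phall;
NOAUDIT SELECT TABLE BY hrappserver ON BEHALF OF ANY;
```

The two filters in the trail query are deliberate: PROXY_SESSIONID IS NOT NULL isolates actions taken through a proxy, and the OWNER/OBJ_NAME pair narrows statement-level auditing (which fires for every table the proxy selects from) down to the object of interest.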


Data Dictionary Views: DBA_STMT_AUDIT_OPTS

• DBA_STMT_AUDIT_OPTS describes the current system auditing options.
• USER_NAME column:
– ANY CLIENT: Auditing access by a proxy
– NULL: Systemwide auditing
• PROXY_NAME column:
– The name of the proxy user performing an operation for the client
– NULL if the client is performing the operation directly


Data Dictionary Views: DBA_AUDIT_TRAIL

• These views list audit-trail entries:
– DBA_AUDIT_TRAIL
– USER_AUDIT_TRAIL
• The COMMENT_TEXT column can indicate how the user has been authenticated:
– DATABASE: Authentication done by the password
– NETWORK: Authentication done by Oracle Net Services or Oracle Advanced Security
– PROXY: Authentication by another user
– EXTERNAL NAME: The distinguished name (DN) of the Enterprise User Security (EUS) user


Practice 9 Overview: Implementing Proxy Authentication

This practice covers the following topics:
• Implementing and testing database proxy authentication
• Implementing EUS proxy


Summary

In this lesson, you should have learned how to:
• Describe how proxy authentication works
• Manage users authenticated by proxy authentication
• Audit users authenticated by proxy
