
Tag Archives: OCM

Oracle Certified Master (OCM) – the highest certification offered by Oracle.

User Authentication(Part 2/4): Strong Authentication

Last updated on November 26th, 2014 at 07:07 am

SOS to SSO!

Authentication methods can be classified by the kind of factor they rely on:

1. Something the user knows (a password)
2. Something the user is (a biometric)
3. Something the user has (a smart card or token)

Strong user authentication is more than password authentication: it combines at least two of the factor types above, so that the server the user signs in to can have high confidence in who that user is. That server may be a central single sign-on (SSO) server rather than the database itself.

Strong authentication is supported by the following technologies:

1. Certificates and public key infrastructure (PKI):

a) In Oracle, a user's PKI credentials (private key, certificate and the trusted CA certificates) are kept in an Oracle Wallet. Wallets are managed either with the Oracle Wallet Manager GUI or with orapki, the command-line utility Oracle provides for managing wallets and certificates.

b) Certificates are digital documents, signed by a certificate authority, that bind a public key to an identity and thereby serve as proof of user identity. Certificates can be stored in an Oracle Wallet or in Oracle Internet Directory.

2. RADIUS, tokens and smart cards:

a) RADIUS (Remote Authentication Dial-In User Service) is a client/server security protocol widely used for remote authentication and access control. The database acts as a RADIUS client and forwards the user's credentials to a RADIUS server for verification; this is also how token cards and smart cards are supported.

3. Kerberos:

A Kerberos server (KDC) must be installed and configured, and the database registered with it as a service principal, before Kerberos tickets can be used in place of passwords to authenticate to Oracle Database.

Note: On Oracle Database 11g, all of these strong authentication methods require the Oracle Advanced Security option (OAS). Later releases moved strong authentication and network encryption into the base database, so check the licensing guide for your version.
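As an added example (not from the original post), here is how to confirm from inside the database which of the methods above a session actually used, how to list the accounts that still rely on a password alone, and a logon trigger that refuses anything weaker than Kerberos, SSL or RADIUS for a named set of privileged accounts. The trigger owner SECADM and the account names FIN_ADMIN and HR_ADMIN are assumptions; creating a DATABASE-level trigger requires the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example, not from the original post.

-- 1. Which method did the current session authenticate with?
--    AUTHENTICATION_METHOD returns PASSWORD, OS, KERBEROS, SSL, RADIUS, ...
--    EXTERNAL_NAME holds the Kerberos principal or certificate DN when one was used.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS db_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')         AS external_name,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')      AS protocol
FROM   dual;

-- 2. Which open accounts can still log in with nothing but a password?
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  authentication_type = 'PASSWORD'
AND    account_status = 'OPEN'
ORDER  BY username;

-- 3. Enforce: refuse sessions for sensitive accounts unless they used a strong
--    method. An AFTER LOGON trigger that raises an error blocks the login for
--    everyone except users holding ADMINISTER DATABASE TRIGGER (e.g. SYS),
--    so a DBA can still get in to correct a mistake.
--    SECADM, FIN_ADMIN and HR_ADMIN are assumed names.
CREATE OR REPLACE TRIGGER secadm.require_strong_auth
  AFTER LOGON ON DATABASE
DECLARE
  v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_method VARCHAR2(30)  := SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD');
BEGIN
  IF v_user IN ('FIN_ADMIN', 'HR_ADMIN')
     AND v_method NOT IN ('KERBEROS', 'SSL', 'RADIUS')
  THEN
    RAISE_APPLICATION_ERROR(-20001,
      v_user || ' must use strong authentication; this session used ' || v_method);
  END IF;
END;
/
```

Test the trigger with a throw-away account before listing real administrators in it: it fires on every logon, so keep the body small, and remember that SYS bypasses it by design.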

I will soon add a demo on configuring Oracle Wallet Manager in this space.

 

Posted on September 11, 2011 in Oracle

 


User Authentication(Part 1/4): Create users in oracle and authenticate by OS

Last updated on November 26th, 2014 at 07:07 am

Password! Password! Password!

With so many accounts today, each with its own password, password management has become a primary focus for any database management team. DBAs carry this as an additional responsibility, and with the right authentication setup it can be done in less time and at lower cost.

Oracle provides several good authentication features, which are as follows:

1. Basic Authentication:
a. Database user authenticated by password
b. Database user authenticated by the OS
2. Strong Authentication
3. Enterprise User Security
4. Proxy Authentication

This post is Part 1 of 4 in the series on User Authentication in Oracle.

DBAs are needed most when user accounts get locked after repeated incorrect login attempts. When the locked user is a privileged one, it becomes critical to safeguard against such unplanned lockouts and to limit the unproductive business hours they cause.
In a large organization you can imagine the number of calls the helpdesk and support teams receive for password resets and account unlocks.

We are all familiar with basic user authentication in Oracle, which is mostly by password.
The following screen shows the user "whizdba" created and authenticated by password.

[Screenshot: basic authentication by password – database user whizdba authenticated by password]

This type of authentication is very common and widely used. Its advantage is that each database user can be audited individually and has a schema associated with it. Its disadvantage is that the account exists only in the database where it was created: the user is bound to one database server, and whenever they need to connect to a different server or location the account has to be migrated or a new account created.

The other type of basic authentication Oracle provides is authentication by the OS. The steps to set up a user for it are:

Step 1: Set the parameter os_authent_prefix (the default value is ops$).
Step 2: Create the database user ops$whizdba with IDENTIFIED EXTERNALLY.
Step 3: Create the OS user whizdba on the server where the database resides.
Step 4: Set the environment variables for whizdba in its .bash_profile file.
Step 5: Test by connecting to the database using OS authentication.

I have tried to demonstrate the above steps with an example user "whizdba", as shown below.

Step 1: Set the parameter os_authent_prefix to ops$. In my case it is already set. You can change it to a different value with ALTER SYSTEM, but os_authent_prefix is a static parameter: the change must be made with SCOPE=SPFILE and takes effect only after the instance is restarted.

[Screenshot: basic authentication by OS – Step 1, the os_authent_prefix parameter]

Step 2: Create the database user ops$whizdba with IDENTIFIED EXTERNALLY. The database user name is the prefix followed by the OS user name, so the OS user "whizdba" maps to the database user "ops$whizdba".

[Screenshot: Step 2, CREATE USER ops$whizdba IDENTIFIED EXTERNALLY]

Step 3: Create the OS user whizdba on the server where the database resides.

[Screenshot: Step 3, creating the OS user "whizdba" on the database server]

Step 4: Set the environment variables for the whizdba user in its .bash_profile file. The basic variables that need to be set are ORACLE_BASE, ORACLE_HOME, ORACLE_SID and PATH (so that the Oracle bin directory is on it).

[Screenshot: Step 4, environment variables in the .bash_profile of whizdba]

Step 5: Test by connecting to the database using OS authentication. An externally authenticated user connects with no username or password, simply as: sqlplus / (as shown in the screenshot below).

[Screenshot: Step 5, connecting as whizdba with "sqlplus /" using OS authentication]
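The five steps above as one SQL*Plus script, added here as an example rather than taken from the original post, together with the checks a DBA would run afterwards. The OS user name whizdba and the prefix ops$ follow the post; the tablespace names, Oracle paths and SID in the comments are assumptions. Run it as SYSDBA.

```sql
-- Added example, not from the original post. Run as SYSDBA.

-- Step 1: os_authent_prefix is a static parameter, so it can only be changed
-- in the SPFILE and takes effect after a restart. The default is already ops$;
-- this statement is only needed if you want a different prefix.
ALTER SYSTEM SET os_authent_prefix = 'ops$' SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE / STARTUP to apply, then confirm the value in use:
SELECT name, value FROM v$parameter WHERE name = 'os_authent_prefix';

-- Step 2: the database user is prefix + OS user name. Unquoted, ops$whizdba is
-- stored as OPS$WHIZDBA, which is what Oracle looks up for OS user "whizdba".
-- Tablespace names are assumptions.
CREATE USER ops$whizdba IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT CREATE SESSION TO ops$whizdba;

-- Steps 3 and 4 happen on the OS, not in SQL (shown as comments; paths and
-- SID are assumptions):
--   # useradd -m whizdba
--   # cat >> ~whizdba/.bash_profile <<'EOF'
--   export ORACLE_BASE=/u01/app/oracle
--   export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1
--   export ORACLE_SID=orcl
--   export PATH=$ORACLE_HOME/bin:$PATH
--   EOF
-- Step 5: logged in as whizdba, "sqlplus /" connects with no password.

-- Check 1 (run from the whizdba session): the session really is OS-authenticated.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS session_user,   -- OPS$WHIZDBA
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,    -- OS
       SYS_CONTEXT('USERENV', 'OS_USER')               AS os_user         -- whizdba
FROM   dual;

-- Check 2: inventory of every externally authenticated account.
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  authentication_type = 'EXTERNAL'
ORDER  BY username;

-- Check 3 (hardening): external authentication must only be trusted for local
-- connections. REMOTE_OS_AUTHENT defaults to FALSE and is deprecated in 11g;
-- if it is TRUE, anyone who can create an OS user named whizdba on any client
-- machine can log in as OPS$WHIZDBA over the network. It is static, so the
-- fix also needs SCOPE=SPFILE and a restart.
SELECT name, value FROM v$parameter WHERE name = 'remote_os_authent';
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Check 1 is the one to keep in your runbooks: if auth_method comes back as PASSWORD for a user you expected to be OS-authenticated, the prefix and the OS user name do not match and Oracle has fallen back to a different account.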

Authenticating an Oracle database user externally by the OS is useful where a user runs scripts and batch jobs heavily, since no password has to be stored in the scripts. The advantages and disadvantages are otherwise the same as for a basic password-authenticated database user. The security concern is that the database trusts the operating system's word for who the user is. For local connections that is reasonable, but if the parameter REMOTE_OS_AUTHENT is set to TRUE the database also trusts the OS user name sent by remote clients, and anyone can then connect from a remote machine simply by creating an OS user with the same name as the externally authenticated database user, gaining unintended access to the database. REMOTE_OS_AUTHENT defaults to FALSE and is deprecated in 11g; leave it that way.

This calls for stronger authentication techniques, which I discuss in my next post: User Authentication (Part 2/4): Strong Authentication.

 

Posted on September 3, 2011 in Oracle

 


My first step towards OCM

Last updated on November 26th, 2014 at 07:07 am

Recently, I attended a hands-on course from Oracle University, Oracle 11g Security for DBAs.
I take this opportunity to share my experience and the knowledge I gained from this course.

About the course:
Oracle Database 11g: Security is a 5-day course. Students learn how to use Oracle database features to meet the security, privacy and compliance requirements of their organization. The current regulatory environment (the Sarbanes-Oxley Act, HIPAA, the UK Data Protection Act and others) requires better security at the database level. Students learn how to secure their database and how to use the database features that enhance security. The course also provides suggested architectures for common problems.
This course covers the following security features of the database:

  • auditing, virtual private database and label security
  • encryption for the Payment Card Industry Data Security Standard (PCI DSS), including encryption at the column, tablespace and file levels
  • enterprise user security
  • Oracle Network security topics such as securing the listener and restricting connections by IP address

How to register for the course at Oracle University (http://education.oracle.com)
Oracle offers courses in different streams on Oracle products through classroom training at Oracle University and at authorized Oracle Education Centers.
Below is the list of courses offered for Oracle 11g:

[Figure: Oracle 11g learning paths. Source: http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getlppage?page_id=212&path=DBAN]

Oracle classroom trainings are pretty expensive, and prospective candidates are advised to select a course carefully, depending on their career stage and past experience. Oracle 11g Security is an advanced Oracle course and cost me 65,000 INR (including service tax).

Interested candidates can check the schedule of upcoming Oracle courses on the Oracle Education website. On finding a course of interest, they can register for it by completing the registration form. The candidate receives the e-kit for the course 2-3 days before the training starts, at the email address used for registration.

Why I opted for training in Oracle 11g Security
I undertook this course in pursuit of my goal of becoming an OCM (Oracle Certified Master). Coming from 6+ years of PL/SQL development experience and 2 years as a DBA, I found security to be the perfect mix of both worlds. Moreover, working in the finance domain made attending this course all the more sensible.

Security in Oracle has to be handled at both the administrative level and the developer level.

Oracle 11g has really impressive security features, which I have tried to highlight in the later section of this post. I am sure you will appreciate them once you have read it.

What I learnt in the training?

Defence-in-Depth

1. Prevent access by non-database users
2. Increase database user identity assurance
3. Control access to data within the database
4. Audit database activity
5. Monitor database traffic and prevent threats from reaching the database
6. Ensure the production database environment is secure and prevent configuration drift
7. Remove sensitive data from non-production environments

The student guide for Oracle 11g Security consists of 21 chapters and 5 appendices with examples for practice in the lab. As this is advanced Oracle training, an experienced trainer is a plus: the trainer prioritizes the course content depending on the participants' past experience and career level.

[Figure: Oracle 11g Security course content]

References and Sources:
Those who are interested in delving deeper into the security track may visit the following sources:

Website: http://www.petefinnigan.com – Pete Finnigan is the author of the SANS book "Oracle Security Step-by-Step: A Survival Guide for Oracle Security" and has written many papers about Oracle security. petefinnigan.com is the place for free Oracle security information, white papers, links to other resources, free scripts, tools and products, and professional Oracle security audit services.

Book: "Effective Oracle Database 10g Security by Design" by David Knox

 

Posted on August 26, 2011 in Oracle

 

