08 les 07 strong auth
TRANSCRIPT
-
8/13/2019 08 Les 07 Strong Auth
1/24
Copyright 2009, Oracle. All rights reserved.
Using Strong Authentication
-
Objectives
After completing this lesson, you should be able to do the following:
- Describe strong authentication that uses:
  - Certificates
  - Kerberos
  - Remote authentication dial-in service (RADIUS)
- Describe a setup for strong authentication that uses:
  - Certificates
  - Kerberos
  - Key Distribution Center (KDC)
- Implement the secure external password store
-
User Authentication
Identify the user in the following ways:
- Basic authentication
  - Database user identified by a password
  - Database user identified by the operating system
- Strong authentication
- Enterprise User Security
- Proxy authentication
-
Strong User Authentication
Strong authentication:
- Is stronger than password authentication
- Often includes the single sign-on functionality
- Is supported by the following authentication technologies:
  - Certificates, public key infrastructure (PKI)
  - RADIUS, token, and smart cards
  - Kerberos
- Integrates with Oracle Net Services
- Requires Oracle Advanced Security (ASO)
-
Single Sign-On
Single sign-on is a centralized authentication service. The user has a single username and password.
Servers authenticate users through the central service.
Diagram: client, server, and authentication server.
-
Public Key Infrastructure (PKI) Tools
The Oracle database PKI implementation includes:
- Components:
  - Oracle Wallet
  - Oracle Advanced Security
  - Oracle Identity Management infrastructure
- Management tools:
  - Oracle Wallet Manager
-
How to Use Certificates for Authentication
1. Install the required components.
2. Configure the server for SSL.
3. Configure the server-side Oracle Net files:
   - listener.ora
   - sqlnet.ora
4. Configure the client for SSL.
5. Configure the client-side Oracle Net files:
   - sqlnet.ora
   - tnsnames.ora
6. Create a user that is authenticated with a certificate.
7. Connect to the database.
-
Configuring SSL on the Server
-
Configuring SSL on the Client
-
Configuring Oracle Net Files on the Client
On the client, specify:
- The server's distinguished name
- The TCPS protocol listener port
- The client wallet location
-
Creating a User Identified by Certificate
When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:
CREATE USER global_user1 IDENTIFIED GLOBALLY AS
'CN=analyst,OU=division1, O=oracle, C=US';
You can create a shared schema that allows any user identified to the directory and mapped to the schema:
CREATE USER global_user2 IDENTIFIED GLOBALLY AS '';
-
Connecting to the Database
The user that owns the client wallet may connect to the database by using:
CONNECT /@SSL_ORCL;
-
orapki Utility
orapki is a command-line utility for scripting common PKI management tasks. It can be used for:
- Creating and viewing signed certificates for testing purposes
- Managing Oracle wallets:
  - Creating and displaying Oracle wallets
- Renaming CRLs with a hash value for certificate validation
-
How to Use Kerberos for Authentication
1. Install Kerberos.
2. Configure a service principal for the database server.
3. Extract a service table from Kerberos.
4. Install an Oracle database server and a client.
5. Install Oracle components.
6. Configure Oracle Net Services and the Oracle database.
7. Configure Kerberos authentication.
8. Create a Kerberos user.
9. Create an externally authenticated Oracle user.
10. Get an initial ticket for the Kerberos and Oracle user.
-
How to Use KDC with Windows 2000 for Authentication
1. Configure an Oracle Kerberos client to interoperate with a Windows 2000 domain controller KDC.
2. Configure a Windows 2000 domain controller KDC to interoperate with an Oracle client.
3. Configure an Oracle database to interoperate with a Windows 2000 domain controller KDC.
4. Get an initial ticket for the Kerberos and Oracle user.
-
RADIUS Authentication: Overview
- RADIUS is a protocol for remote authentication and access.
- You may use any authentication method that supports the RADIUS standard.
- You may change authentication methods without changing the database or client configuration.
- The user is defined in the database as IDENTIFIED EXTERNALLY.
-
External Secure Password Store
Diagram: user RAMA and the databases DEV and PROD; the wallet holds the credentials ramav/????@prod_db.acme.com and vkrama/?????@DEV, and the user connects with:
CONNECT /@DEV
-
Configuring the Wallet
Use the mkstore command:
- Create the wallet:
  mkstore -wrl $HOME/admin/orcl/wallets -create
- Add credentials to the wallet:
  mkstore -wrl $HOME/admin/orcl/wallets -createCredential dev hr [hr]
Note: The user password is not required on the command line; the command-line input must be on one line.
-
Configuring sqlnet.ora
Set the following in sqlnet.ora:
- WALLET_LOCATION
- SQLNET.WALLET_OVERRIDE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
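As an added example that is not part of the course material, the following Python code parses the nested sqlnet.ora syntax used on this slide and on the earlier client-configuration slide, then checks that the two settings the external password store depends on are present. The sample file is constructed here; SSL_CLIENT_AUTHENTICATION is a real Oracle Net parameter included for the TCPS client case, and the wallet path is the one from the slide.

```python
import re
# Constructed client-side sqlnet.ora modelled on this lesson's settings; the parameter
# names are real Oracle Net parameters and the wallet path is the one on the slide.
SQLNET_ORA = """
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = TRUE   # client presents its wallet certificate over TCPS
"""
TOKEN = re.compile(r'"[^"]*"|[()=]|[^\s()=]+')

def parse_sqlnet(text):
    """Parse sqlnet.ora text: NAME = scalar or NAME = (KEY = value)(KEY = value)..."""
    toks = TOKEN.findall(re.sub(r"#.*", "", text))   # drop comments, then tokenize
    pos = 0
    def value():
        nonlocal pos
        if toks[pos] != "(":                          # plain scalar, quotes removed
            pos += 1
            return toks[pos - 1].strip('"')
        group = {}
        while pos < len(toks) and toks[pos] == "(":   # one or more (KEY = value) groups
            key = toks[pos + 1].upper()
            if toks[pos + 2] != "=":
                raise ValueError("expected '=' after " + key)
            pos += 3                                  # skip '(' KEY '='
            group[key] = value()
            if toks[pos] != ")":
                raise ValueError("unbalanced group for " + key)
            pos += 1
        return group

    params = {}
    while pos < len(toks):
        key, pos = toks[pos].upper(), pos + 2         # NAME '='
        params[key] = value()
    return params

def password_store_problems(params):
    """Settings that would stop CONNECT /@alias from picking up wallet credentials."""
    problems = []
    src = params.get("WALLET_LOCATION", {})
    src = src.get("SOURCE", {}) if isinstance(src, dict) else {}
    data = src.get("METHOD_DATA") if isinstance(src.get("METHOD_DATA"), dict) else {}
    if str(src.get("METHOD", "")).upper() != "FILE" or not data.get("DIRECTORY"):
        problems.append("WALLET_LOCATION must name a FILE wallet DIRECTORY")
    if str(params.get("SQLNET.WALLET_OVERRIDE", "")).upper() != "TRUE":
        problems.append("SQLNET.WALLET_OVERRIDE must be TRUE")
    return problems
```

Run it against a client's real sqlnet.ora to confirm the wallet directory and override flag before troubleshooting a failing CONNECT /@alias.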
-
Managing the External Password Store
For the external password store:
- List contents
- Add credentials
- Modify credentials
- Delete credentials
-
Practice 7 Overview: Configuring the External Secure Password Store
This practice covers the following topics:
- Configuring the external secure password store
- Implementing a user connecting remotely without a password
- Viewing the contents of the wallet
-