9ib SEC
Page 1
Objectives
Page 2
Security Myths
Page 3
Oracle Answers to Security Questions
• Privacy of Communications
– Is an order read or modified in transit?
– Network encryption
Page 4
Oracle Answers to Security Questions
(Continued)
• Granular Access Control
– Can a customer see only her own order?
– Virtual Private Database
Page 5
Oracle9i Proxy Authentication
Enhancements
• Expanded protocol support
– thick JDBC, OCI for database and enterprise user
proxy
– OCI, thick JDBC, thin JDBC, ultra JDBC for
application user proxy
• Expanded credential proxy (DN, certificate)
• Expanded user model (enterprise user, database
user, application user)
• Pulls three tier security together with Oracle
Internet Directory
Page 6
Oracle9i Secure Application Role
Page 7
Secure Application Role
SYS_CONTEXT('USERENV', 'PROXY_USER')
Page 8
Public Key Infrastructure
What is PKI?
PKI is a standards-based, interoperable trusted certificate technology that scales to
the Internet and millions of users. A trusted certificate is a third-party identity that is
trusted. The trust is used when an identity is being validated as the entity it claims
to be. Typically, the certificate authorities you trust issue user certificates. If there
are several levels of trusted certificates, a trusted certificate at a lower level in the
certificate chain does not need to have all its higher level certificates re-verified.
Oracle uses a non-Oracle Certificate Authority such as Entrust, VeriSign, or
Baltimore in its PKI implementation. These Certificate Authorities support Oracle
Internet Directory as a repository for publishing CA information such as certificates and
certificate revocation lists. Authentication and secure session key management are
accomplished using Secure Sockets Layer (SSL).
Page 9
Public Key Infrastructure Tools
• Components:
– Oracle Advanced Security
– Oracle Internet Directory
• Management Tools:
– Oracle Wallet Manager
– Oracle Login Assistant
– Oracle Enterprise Security Manager
Page 10
Oracle Wallet Enhancements
Page 11
Additional PKI Interoperability
PKI Interoperability
Since PKCS#12 is a PKI standard for credential storage, Oracle can now support downloadable,
machine-independent wallets. The same wallet and PKI credentials can be used for the browser and for
Oracle Wallet (requires export/import in PKCS#12 format).
This added functionality enables interoperability with browsers such as Netscape and Internet Explorer.
Now that Oracle Wallets are compatible with browser wallets, customers no longer have to purchase
two different sets of PKI credentials.
Page 12
Oracle Internet Directory Support for
Wallets
• Oracle Wallet Manager can upload and retrieve
wallets from Oracle Internet Directory
Page 13
Oracle Wallet Enhancements
Value Usage
0 digitalSignature
1 nonRepudiation
2 keyEncipherment
3 dataEncipherment
4 keyAgreement
5 keyCertSign
6 cRLSign
7 encipherOnly
8 decipherOnly
Page 14
Oracle Wallet Enhancements (continued)
When installing a certificate (user certificate, trusted certificate), Oracle Wallet Manager maps the
KeyUsage extension values to Oracle PKI certificate usages.
You should obtain certificates from the certificate authority with the correct KeyUsage value for the
required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same
usage. Each certificate can support multiple Oracle PKI certificate usages. Oracle PKI applications use
the first certificate containing the required PKI certificate usage.
Page 15
Wallet Password Management
Page 16
Multiple Wallet Formats
Page 17
Oracle Wallets and Windows
Page 18
Single Sign-On
Single Sign-On
Oracle Advanced Security single sign-on authenticates the user once upon initial connection, with
strong authentication occurring transparently in subsequent connections to other databases or services.
Using single sign-on, users can access multiple accounts and applications with a single password.
Oracle Advanced Security supports many forms of two-tier single sign-on with strong authentication,
including:
• Kerberos
• PKI-based
• Entrust integration
• DCE
Single Sign-On capabilities are extended to web based applications and external or legacy applications
through Oracle Login Server. Oracle Advanced Security also provides SSL-based single sign-on for
Oracle users by integrating with Oracle Internet Directory. The combination of integrated directory
services through OID and Oracle's PKI implementation enables SSL-based single sign-on to Oracle9i
databases. Single sign-on lets users be authenticated once, with subsequent connections relying on the
user's digital certificate. In addition, this integration model provides a single point of password
management throughout the enterprise.
Page 19
Single Sign-On For Web Applications
Page 20
Single Sign-On Integration
Page 21
Single Sign-On With Partner Applications
[Diagram: User, Application A, Application B, Login Server, Oracle Internet Directory]
1. User accesses App A, which determines user is not authenticated (no cookie)
2. App A redirects user to Login Server
3. Login server displays username/password web page
4. Login server authenticates user password and returns a cookie
5. Login Server redirects to Partner App A with URL encrypted token
6. Partner App A sets App A cookie
Page 22
Single Sign-On With External Applications
External Applications
The user is responsible for maintaining the contents of his or her entries in the wallet. The
administrator for the would be responsible for providing for mapping information for foreign
applications.
Page 23
Directory Service Integration
Page 24
Oracle Directory Integration Server
Page 25
Oracle Directory Integration Server (continued)
Depending on how it is deployed in the Oracle Directory Integration platform, an
agent can be either a partner agent or an external agent. Partner agents run under the
control of the Oracle directory integration server, meaning that the Oracle directory
integration server performs scheduling, data mapping, and error handling for them.
Before deploying a partner agent, you register it in Oracle Internet Directory. This
registration involves creating a directory integration profile in the directory. To
create the profile, you can use either Oracle Directory Manager or command-line
tools.
A partner agent uses either an import file or an export file to exchange data between
a connected directory and Oracle Internet Directory. At execution time, it may
use additional agent configuration information stored in Oracle Internet Directory.
Unlike partner agents, external agents are independent of the Oracle directory
integration server. The Oracle directory integration server performs neither
scheduling nor data mapping for them. External agents do not need to register with
Oracle Internet Directory.
Typically, external agents are used when a third party metadirectory solution is
integrated with the platform. The third party metadirectory solution uses its own
metadirectory engine to perform mapping and scheduling.
Page 26
Summary
Page 27
Oracle 9i Security New Features
Page 1
Objectives
Page 2
Enterprise User Security
Page 3
Enterprise User Security Enhancements
Benefits:
• Integrate enterprise user management with proxy
authentication
• Manage both password-based and SSL-
authenticated users in a directory
• Improved ease of use
• Reduced processing overhead
• Simplified Enterprise user setup and
administration
• Backward compatibility for non-SSL clients
• Changes affect the server side only so older (pre
Oracle9i) clients are interoperable
Page 4
Oracle Enterprise Login Assistant
Page 5
Enterprise User Security Management
[Diagram: Oracle Internet Directory stores jsmith, scott, sarah, their passwords and roles. W = Wallet]
• jsmith: single sign-on, 8i or 9i client
• scott/tiger: single sign-on with password, 9i client
• sarah/tiger: single password, any (7.3, 8.0, 8i or 9i) Oracle client
• Other labels: OWM or ELA, Web Application, Login Server, SQL*Plus, Oracle9i, Oracle Net/SSL, LDAP/SSL
Page 6
Update Passwords
[Diagram: Oracle Internet Directory stores jsmith, scott, sarah, their passwords and roles. W = Wallet]
• jsmith: update locally with OWM or ELA, 8i or 9i client
• sarah/tiger2: update on OID, any (7.3, 8.0, 8i or 9i) Oracle client
• ELA Servlet: change password on directory
Page 7
CONNECT INTERNAL De-support
Page 8
Virtual Private Database Enhancements
Page 9
Partitioned Fine Grained Access Control
Page 10
Policy Groups
Policy Groups
With the partitioning of fine grained access control policies, administrators can
specify which policy group a policy falls into when adding the policy to a table/view
using the ADD_POLICY_TO_GROUP interface. A policy group named SYS_DEFAULT
is predefined. Policies defined in this policy group for a particular
table/view will always be executed along with the policy group specified by the
driving context. For backward compatibility, all Oracle8i fine grained
access control policies have been migrated into this default policy group to maintain
the idea of global policies.
Page 11
Partitioned Fine Grained Access Control
[Diagram labels: Default policy; ORDERS]
Page 12
Global Application Context
[Diagram: User A, User B, Application Server, Oracle9i]
1. User A connects
2. Application determines that User A is Gold
3. Application creates Gold, Silver, Bronze global contexts
4. Application sets client_identifier to Gold
5. User B connects
6. Application determines User B is Silver
7. Application resets client_identifier to Silver
Page 13
Global Application Context
Page 14
Managing Application Context
Page 15
Application Context Applied
Page 16
Application Context Applied
Parameter Description
namespace The namespace of the application context to be set
attribute The attribute of the application context to be set
value The value of the application context to be set
username The username attribute of the application context
client_id The client_id attribute of the application context
Page 17
Application Context Applied
DBMS_SESSION.CLEAR_IDENTIFIER ( );
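The Gold/Silver flow from the Global Application Context slide, written out with the SET_CONTEXT parameters listed above. This is an added example, not part of the original course material; the namespace tier_ctx, package app_sec.tier_ctx_pkg, attribute discount, database user APPSRV and the values are hypothetical.

```sql
-- Hypothetical names throughout: tier_ctx, app_sec.tier_ctx_pkg, discount, APPSRV.
-- ACCESSED GLOBALLY makes the context values visible across sessions;
-- USING names the only package allowed to write the namespace.
CREATE CONTEXT tier_ctx USING app_sec.tier_ctx_pkg ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE app_sec.tier_ctx_pkg AS
  PROCEDURE load_tiers;
END;
/
CREATE OR REPLACE PACKAGE BODY app_sec.tier_ctx_pkg AS
  PROCEDURE load_tiers IS
  BEGIN
    -- One value per client_id, restricted to sessions of database user APPSRV.
    DBMS_SESSION.SET_CONTEXT(namespace => 'tier_ctx', attribute => 'discount',
      value => '20', username => 'APPSRV', client_id => 'Gold');
    DBMS_SESSION.SET_CONTEXT(namespace => 'tier_ctx', attribute => 'discount',
      value => '10', username => 'APPSRV', client_id => 'Silver');
    DBMS_SESSION.SET_CONTEXT(namespace => 'tier_ctx', attribute => 'discount',
      value => '5',  username => 'APPSRV', client_id => 'Bronze');
  END;
END;
/

-- Application server session, connected as APPSRV.
BEGIN
  app_sec.tier_ctx_pkg.load_tiers;        -- step 3: create the global contexts
  DBMS_SESSION.SET_IDENTIFIER('Gold');    -- step 4: now serving User A
END;
/
-- Reads the value stored for client_id Gold.
SELECT SYS_CONTEXT('tier_ctx', 'discount') FROM dual;

BEGIN
  DBMS_SESSION.SET_IDENTIFIER('Silver');  -- step 7: same session, now User B
END;
/
-- Reads the value stored for client_id Silver.
SELECT SYS_CONTEXT('tier_ctx', 'discount') FROM dual;

BEGIN
  -- Clear before the session serves another user, so the next request
  -- cannot inherit the previous user's tier.
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```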
Page 18
DBMS_OBFUSCATION_TOOLKIT
Enhancements
DBMS_OBFUSCATION_TOOLKIT Enhancements
The DBMS_OBFUSCATION_TOOLKIT packages require an encryption key as an
attribute. If keys are weak (that is, easy to guess or predictable), encryption is
much easier to break through cryptanalysis. Time of day, serial numbers of machines
and the like are all predictable and thus cannot be used as random numbers for
cryptographic keys. DBMS_RANDOM in particular cannot be used as a secure
random number generator since a given seed (input) will always produce the same
output. Oracle 9i adds a Federal Information Processing Standard (FIPS) 140
certified random number generator (GetKey) for secure key generation. Secure
random number generation makes implementation much easier.
While key management is still programmatic, having a secure random number
generator means that the solution is much more likely to be secure against
cryptanalysis as long as keys are stored securely. That said, it would be difficult to
recover data using a brute force attack if the keys are securely stored and randomly
generated.
Page 19
Fine Grained Auditing
Page 20
Fine-grained Auditing
[Diagram: fine-grained auditing on the EMPLOYEES table]
Audit Policy: ... WHERE SALARY > 500000, AUDIT COLUMN = SALARY
Not Audited: SELECT NAME, ADDRESS FROM EMP
Audited: SELECT NAME, SALARY FROM EMP WHERE NAME=ELLISON
Audit Records: SELECT NAME, SALARY FROM EMP WHERE NAME = ELLISON, <timestamp>, <username>, etc.
Page 21
Fine Grained Auditing Concepts
FGA Concepts
Fine grained auditing allows the monitoring of data access based on content. More
importantly, the monitoring does not depend on how the data is accessed. An audit
mechanism built into the database that users cannot bypass is essential. The Oracle DBMS
already provides triggers for potentially monitoring DML actions
such as INSERT/UPDATE/DELETE. However, monitoring SELECT is costly
and may not work for all cases. In addition, users may want to define their own alert
action in addition to just inserting an audit record into the audit trail. This feature
provides an extensible interface to audit SELECT/UPDATE/INSERT/DELETE on
tables and views.
Use the DBMS_FGA PL/SQL package interface to apply policies to tables or views:
• ADD_POLICY
• DROP_POLICY
• ENABLE_POLICY
• DISABLE_POLICY
Page 22
Fine Grained Auditing
Adding a policy:
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'emp',
    policy_name     => 'chk_hr_emp',
    -- string literal inside the predicate uses doubled single quotes
    audit_condition => 'dept = ''SALES''',
    audit_column    => 'salary');
END;
/
Adding a Policy
To audit SELECTs on table HR.EMP and monitor any query that accesses the salary
column of employee records that belong to the sales department, the administrator
can issue the statement above to initiate the auditing.
Page 23
Triggering Audit Events
Audit Events
In general, fine-grained auditing policy is based on simple user-defined SQL
predicates (where clause) on table objects as conditions for selective auditing.
During fetching, whenever policy conditions are met for a returning row, the query
is audited. Later, Oracle executes user-defined audit event handlers using
autonomous transactions to process the event.
Fine-grained auditing can be implemented in user applications using the
DBMS_FGA package or by using database triggers.
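A policy with a user-defined audit event handler, as described above, followed by a review query over the audit trail. This is an added example, not part of the original course material; the table sec_admin.fga_alerts, the procedure sec_admin.salary_alert and the policy name chk_hr_emp_alert are hypothetical, while hr.emp and its columns are the ones used on the earlier slide.

```sql
-- Hypothetical alert table written by the handler.
CREATE TABLE sec_admin.fga_alerts (
  logged_at     DATE,
  db_user       VARCHAR2(30),
  client_id     VARCHAR2(64),
  object_schema VARCHAR2(30),
  object_name   VARCHAR2(30),
  policy_name   VARCHAR2(30)
);

-- DBMS_FGA calls the handler with three VARCHAR2 arguments.
-- Per the text above, Oracle runs it in an autonomous transaction,
-- so the alert row is recorded independently of the audited query.
CREATE OR REPLACE PROCEDURE sec_admin.salary_alert (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2
) AS
BEGIN
  INSERT INTO sec_admin.fga_alerts
  VALUES (SYSDATE,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
          object_schema, object_name, policy_name);
END;
/

-- Same condition and column as the slide's policy, plus the handler.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'emp',
    policy_name     => 'chk_hr_emp_alert',
    audit_condition => 'dept = ''SALES''',
    audit_column    => 'salary',
    handler_schema  => 'sec_admin',
    handler_module  => 'salary_alert',
    enable          => TRUE);
END;
/

-- Review which statements touched salary data for the SALES department.
SELECT timestamp, db_user, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  object_schema = 'HR'
AND    object_name   = 'EMP'
ORDER  BY timestamp;
```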
Page 24
Fine Grained Auditing
Page 25
Fine Grained Auditing
Page 26
Security of Default Accounts
• Security by default
– Locking of most default accounts on installation
– SYS and SYSTEM to be locked in future release
• Rationale
– Hackers love unlocked, privileged accounts with
default passwords
– Fewer unlocked default accounts equates to better
security
Page 27
Default Account Security
Page 28
Summary
Page 29