DOAG Security Day 2016 Enterprise Security Reloaded
•
0 likes•374 views
Oracle Enterprise Security mit Kerberos und PKI für die ganze Datenbank
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to DOAG Security Day 2016 Enterprise Security Reloaded
Similar to DOAG Security Day 2016 Enterprise Security Reloaded (20)
Recently uploaded
Recently uploaded (20)
DOAG Security Day 2016 Enterprise Security Reloaded
- 1. 1DOAG Security Day 2016 Enterprise Security Reloaded DOAG Security Day 17.03.2016
- 2. 2DOAG Security Day 2016 Jan Schreiber Loopback.ORG GmbH, Hamburg Database Operations & Security Data Warehouse & Business Intelligence Oracle Architektur & Performance
- 3. 3DOAG Security Day 2016 Table USER: SYSTEM PW: MANAGER USER: SCOTT PW: TIGER USER: OLAPSYS PW: OLAPSYS USER: ANONYMOUS PW: ANONYMOUS Table 8-2 Oracle 9i Default Accounts and Passwords
- 4. 4DOAG Security Day 2016 Quelle: XKCD
- 5. 5DOAG Security Day 2016 Quelle: XKCD
- 6. 6DOAG Security Day 2016 Oracle Hash Algorithmen 3DEShash(upper (username|| password)) password hash (20 bytes) = sha1(password + salt (10 bytes)) S8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1 F56554A; H:DC9894A01797D91D92ECA1DA66242209; T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F75 7FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD 8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Uralt: 11g: 12.1.0.2: 11g Hash md5digest(‘USER:XDB:password') PBKDF2-based SHA512 hash
- 7. 7DOAG Security Day 2016 LDAP-Directory Anbindung Database Client (1) Connect Leonard. Nimoy/ BIGDB Oracle DB Überprüft Passwort Hash, ordnet User Rollen und Schema zu (2) Request Leonard.Nimoy (3) Returned Leonard.Nimoy LDAP Server Ablage für User, Rollen & EUS Konfiguration SQL> alter user ... identified externally;
- 8. 8DOAG Security Day 2016 Jeder nur ein Kreuz – Hashes im Verzeichnis
- 9. 9DOAG Security Day 2016 Synchronisation • Keine AD-Schema- änderungen nötig • AD Agent muss auf AD- Kontrollern laufen und Klartext-Passwörter mitlesen Proxy: • AD-Schema- änderungen nötig • Password Filter muss auf AD-Controllern laufen • AD Update Recht muss vorhanden sein Virtualisierung: • Nur AD- Schemaänderung: Orclcommonattribute • Rollentrennung DBA/AD Active Directory Verzeichnisintegration DB FARM OVD Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles HashesGroups OID DB FARM Oracle OID Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles SYNC (DIP) oidpwdcn.dll DB FARM OUD Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles Hashes Groups oidpwdcn.dll orclCommonAttribute
- 10. 10DOAG Security Day 2016 Kerberos-AD- Anbindung Benutzerdaten- prüfung (2) AD Domain Controller Key Distribu3on Center (KDC) Authen3ca3on Service (AS) Ticket Gran3ng Service (TGS) AuthenRsierung (1) Benutzer-Ticket TGT (3) Client-PC Ticket-Cache ST für Anwendungsserver mit TGT prüfen (6) Anforderung Service Ticket ST mit TGT (5) Domänenanmeldung User Password TGT (4) ST (7) DB Server Prüfung des ST (9) Tausch eines gemein- samen Schlüssels
- 11. 11DOAG Security Day 2016 PKI-Authentifizierung Private Key Private Key Benutzer / Applikation Datenbank Zertifizierungsstelle (CA) User .csr SSL Handshake User/CA Certs DB .csr DB/CA Certs
- 12. 12DOAG Security Day 2016 Enterprise User Security (EUS) Oracle Internet Directory Datenbanken Enterprise User User DBA RoleEnterpriseUser RoleEnterpriseDBA Enterprise Rollen Enterprise User Enterprise Rollen RoleUserGlobal1 RoleUserGlobal2 RoleDBAGlobal RoleUserLocal1 RoleUserLocal2 Resource DBA
- 13. 13DOAG Security Day 2016 AD-Integration mit Oracle Unified Directory (OUD) & Kerberos DB FARM OUD Database Client SqlPlus, Java, etc (EUS) Map Users, Schema,Roles Groups OracleContext OUD Proxy Setup: • Lesender AD-Benutzer • Leserechte auf DB- Usereinträge im AD • Oracle Context im LDAP • Software: OUD, WebLogic, ADF • Funktioniert auch mit EUS [linux7 Oracle_OUD1]$ ./oud-proxy-setup [linux6]$ okinit testuser [linux7]$ oklist Kerberos Ticket
- 14. 14DOAG Security Day 2016 Secure External Password Store (1) $ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local Oracle PKI Tool : Version 11.2.0.4.0 - Production Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. Enter wallet password: $ sqlplus /@ORCL SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016 Copyright (c) 1982, 2014, Oracle. All rights reserved. ERROR: ORA-12578: TNS:wallet open failed Enter user-name:
- 15. 15DOAG Security Day 2016 0x00 - 0x4C Header: 0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?) 0x03 Type = SSO: 36; LSSO: 38 0x04 - 0x06 00 00 00 0x07 Version (10g: 05; 11g: 06) 0x08 - 0x0A 00 00 00 0x0B - 0x0C 11g: always the same (41 35) 0x0D - 0x1C DES key 0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password 0x4D - EOF PKCS#12 data (ASN.1 block) _________________________________________________________________________________________ $ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso sso key: c29XXXXXXXXXX96 sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c Secure External Password Store (2)
- 16. 16DOAG Security Day 2016 Trennung von Schema-Owner und Zugriffs-Benutzer 2 3 n .. 4 1 APPLICATION SCHEMA DB USER 1 2 3 n
- 17. 17DOAG Security Day 2016 Anforderung Alte Wallets AD-Kerberos SSL-PKI EUS Schutz des Passworts gegen Auslesen ★ ✔ ✔ Adminaufwand verringert für Passwortänderung ✖ ✔ ✔ Nachvollziehbarkeit von Änderungen verbessert ✖ ✔ ✔ Individuelle Benutzerkennungen ✖ ✔ ✔ Zentrale Benutzerverwalt. & Passwortrichtlinien ✔ Zentrale Rollenverwaltung ✔ Lösung für alle Zugriffe geeignet ★ ★ CA erforderlich ✔ Kerberos Roll-out erforderlich ✔ Wallets können weiterhin verwendet werden ★ ✔ Lizenkosten Directory entstehen Kosten-Nutzen-Analyse
- 18. 18DOAG Security Day 2016 Kerberos: SPN- Useraccount im AD
- 19. 19DOAG Security Day 2016 Kerberos Key Table PS C:UsersAdministrator> ktpass.exe -princ oracle/ ioaotow01.tested.lcl@TESTED.LCL -mapuser ioaotow01 -crypto RC4-HMAC-NT - pass XXX -out c:ioaotow-hmac2.keytab -ptype KRB5_NT_PRINCIPAL Targeting domain controller: test-dchh01.tested.lcl Successfully mapped oracle/ioaotow01.tested.lcl to ioaotow01. Password successfully set! Key created. Output keytab to c:ioaotow-hmac2.keytab: Keytab version: 0x502 keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xbd54ec4ab1feb299c0969b67f1d9deb8) _______________________________________________________________________________ [oracle@ioaotow01 TESTDB-KERB5]$ oklist -k ioaotow01.keytab Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 13-JAN-2016 15:11:59 Copyright (c) 1996, 2014 Oracle. All rights reserved. Service Key Table: ioaotow01.keytab Ver Timestamp Principal 4 01-Jan-1970 01:00:00 oracle/ioaotow01.tested.lcl@TESTED.LCL
- 20. 20DOAG Security Day 2016 Database Kerberos Konfiguration krc5.conf dns_lookup_realm = false [domain_realm] .tested.lcl = TESTED.LCL tested.lcl = TESTED.LCL __________________________________________________________________ sqlnet.ora General Sejngs NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME) SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5) Kerberos Sejngs SQLNET.KERBEROS5_CONF=/etc/krb5.conf SQLNET.KERBEROS5_CONF_MIT=true SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle SQLNET.KERBEROS5_KEYTAB=/oracle/product/12.1.0/dbhome_1/network/ admin/ioaotow01.keytab SQLNET.KERBEROS5_CC_NAME=/oracle/diag/krb/cc/krb5cc_99
- 21. 21DOAG Security Day 2016 Kerberos User Login SQL> create user USER01 identified externally as 'USER01@TESTED.LCL'; User created. SQL> grant connect to user01; [oracle@ioaotow01 ~]$ okinit user01 Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production Copyright (c) 1996, 2014 Oracle. All rights reserved. Password for user01@TESTED.LCL: ________________________________________________________________________________________________ [oracle@ioaotow01 ~]$ oklist Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43 Copyright (c) 1996, 2014 Oracle. All rights reserved. Ticket cache: /oracle/diag/krb/cc/krb5cc_99 Default principal: user01@TESTED.LCL Valid Starting Expires Principal 08-Feb-2016 14:11:20 08-Feb-2016 22:11:11 krbtgt/TESTED.LCL@TESTED.LCL 08-Feb-2016 14:11:33 08-Feb-2016 22:11:11 oracle/ioaotow01@TESTED.LCL 08-Feb-2016 14:16:40 08-Feb-2016 22:11:11 oracle/ioaotow01.tested.lcl@TESTED.LCL ________________________________________________________________________________________________ [oracle@ioaotow01 ~]$ sqlplus /@TESTDB SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016 Copyright (c) 1982, 2014, Oracle. All rights reserved. Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00 Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options SQL> show user; USER is "USER01@TESTED.LCL
- 22. 22DOAG Security Day 2016 Kerberos Datenbank- Anmeldung am Windows- PC
- 23. 23DOAG Security Day 2016 Kerberos & Datenbank 12c • Neu geschriebener Stack • RC4-HMAC-NT / W2012 Server • ORA-12638: Credential retrieval failed – SQLNET.AUTHENTICATION_SERVICES= (BEQ,TCPS,KERBEROS5PRE,KERBEROS5) • Bugs.... Reading List: Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab" Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section. Doc ID 185897.1: Kerberos Troubleshooting Guide Master Note For Kerberos Authentication (Doc ID 1375853.1) WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain" How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN." Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1) Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs Laurent Schneider: The long long route to Kerberos Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1) Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
- 24. 24DOAG Security Day 2016 PKI: Zertifikate und Wallets Datenbank-Server 1. Leeres Wallet erstellen 2. Key und Zertifikat-Request stellen 3. Request durch CA signieren lassen (Z.B. CN=db12c) 4. CA Zertifikat importieren (CN=myCA) 5. Signiertes Zertifikat importieren Client 1. Leeres Wallet erstellen 2. Key und Zertifikat-Request stellen 3. Request durch CA signieren lassen (Z.B. CN=jans) 4. CA Zertifikat importieren (CN=myCA) 5. Signierte Zertifikat importieren
- 25. 25DOAG Security Day 2016 PKI: Server-Wallet $ mkdir $ORACLE_BASE/admin/loopds/pki $ orapki wallet create -wallet $ORACLE_BASE/admin/loopds/pki -auto_login -pwd XXX $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -keysize 2048 -pwd XXX $ orapki wallet export -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -request ~/db12c.csr $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert myca.pem –trusted_cert –pwd XXX $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert db12c.pem –user_cert –pwd XXX
- 26. 26DOAG Security Day 2016 PKI: Client-Wallet $ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/client -auto_login -pwd XXX $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -keysize 2048 -pwd XXX $ orapki wallet export -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -request ~/jans.csr $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert myca.pem –trusted_cert –pwd XXX $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert jans.pem –user_cert –pwd XXX
- 27. 27DOAG Security Day 2016 Display Wallet [oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/ dbhome_1/network/pki Oracle PKI Tool : Version 11.2.0.3.0 - Production Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. _________________________________________________________________________________________ Requested Certificates: User Certificates: Subject: CN=LOOPDS Trusted Certificates: Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: CN=LBO Root Certificate II,OU=LoopCA,O= Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
- 28. 28DOAG Security Day 2016 PKI: Listener-Konfiguration SSL_CLIENT_AUTHENTICATION = FALSE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki) ) ) LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521)) ) (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484)) ) )
- 29. 29DOAG Security Day 2016 PKI: TNS-Konfiguration SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS) NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME) SSL_CLIENT_AUTHENTICATION = TRUE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki) ) )
- 30. 30DOAG Security Day 2016 Anmeldung mit User/Passwort und SSL $ sqlplus user/pwd@DB12C Connected. SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual; SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') ------------------------------------------------------------------------ tcps SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual; SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') ------------------------------------------------------------------------ PASSWORD
- 31. 31DOAG Security Day 2016 PKI: Anmeldung mit Zertifikat SQL> create user JANS identified externally as 'CN=jans'; SQL> grant create session to JANS; $ sqlplus /@DB12C Connected. SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual; SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') --------------------------------------------------- tcps SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual; SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') ----------------------------------------------------- SSL
- 32. 32DOAG Security Day 2016 PKI: JDBC • Auch per JDBC kann SSL verwendet werden • Integration auch über keytool String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps) (HOST=servernam e)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))"); Properties props = new Properties(); props.setProperty("user", "scott"); props.setProperty("password", "tiger"); props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12"); props.setProperty("javax.net.ssl.trustStoreType","PKCS12"); props.setProperty("javax.net.ssl.trustStorePassword","welcome123"); Connection conn = DriverManager.getConnection(url, props); http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf How to configure Oracle SQLDeveloper to use a SSL connection that was configured as per Note 401251.1
- 33. 33DOAG Security Day 2016 PKI: ODBC Oracle ODBC Treiber verwenden: Oracle Data Access Components (ODAC)
- 34. 34DOAG Security Day 2016 Be a Certificate Authority (CA) • AD Certificate Service • Kommerzielle Produkte – Auch Open Source: • EBJCA • OpenXPKI • Alle Schritte sind in OpenSSL implementiert – Nicht mit selbstsignierten Zertifikaten zu verwechseln openssl genrsa -out rootCA.key 2048 openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem -infiles Reqs/$1.req
- 35. 35DOAG Security Day 2016 Windows AD CA mit Autoenrollment
- 36. 36DOAG Security Day 2016 Certificate Chaining für Sub-CA
- 37. 37DOAG Security Day 2016 Jan Schreiber Loopback.ORG GmbH, Hamburg database intelligence | operaRons excellence | bi soluRons jans@loopback.org blogs.loopback.org Vielen Dank für Ihre Aufmerksamkeit!