Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Password Policies in
Oracle Access Manager
How to improve user authentication security
for your Oracle E-Business Suite.
A...
About me
© 2016 Pythian 2
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with ...
ABOUT PYTHIAN
Pythian’s 400+ IT professionals
help companies adopt and
manage disruptive technologies
to better compete
© ...
TECHNICAL EXPERTISE
© 2016 Pythian 4
Infrastructure: Transforming and
managing the IT infrastructure
that supports the bus...
Systems currently
managed by Pythian
EXPERIENCED
Pythian experts
in 35 countries
GLOBAL
Millennia of experience
gathered a...
THE TOP 1.5% GLOBALLY
© 2016 Pythian 6
2015
Resumes
Reviewed:
12,711
Behavioral
Interviews
Conducted:
394
Technical
Tests
...
We are hiring !!!
Please visit:
https://www.pythian.com/careers/
HOT !!! Oracle Apps DBA
position in APAC region.
© 2016 P...
Agenda
• Current Oracle E-Business Suite password security limitations.
• Implementation of password policy management in ...
Why this is important?
© 2016 Pythian 9
Why this is important?
• #1 - We now live in the “cloud” era.
• Less people / organizations are storing their sensitive pr...
Why this is important?
• #2 – Today’s Hardware capacity.
• Modern CPU chip power is huge enough that it might take “second...
Why this is important?
• #3 – Social Engineering.
• One of the most dreadful security concerns today.
• Examples: Facebook...
Why this is important?
• #4 – Let us remember few recent cases.
• August 2014 – iCloud famous 10+ celebrity photo leak.
• ...
Why this is important?
© 2016 Pythian 14
Few guidelines… as a starter
• #1 – Master rule – everything that is shared online must be considered as “public”,
disrega...
Oracle E-Business Suite
© 2016 Pythian 16
So what’s about Oracle E-Business Suite?
• Is it somehow different that password security is not a concern?
• NO! Username...
Standard password policy in Oracle E-Business Suite
• SIGNON_PASSWORD_% profile options.
© 2016 Pythian 18
Standard password policy in Oracle E-Business Suite
• SIGNON_PASSWORD_% profile options.
• Signon Password Case (SIGNON_PA...
Standard password policy in Oracle E-Business Suite
• Security User Define form (FNDSCAUS).
• Password expiration.
▪ Days ...
Does it look like a modern password policy of year 2016?
• Not really. L
• But we have “Signon Password Custom” available....
Does it look like a modern password policy of year 2016?
© 2016 Pythian 22
Standard password policy in Oracle E-Business Suite
• Non-reversable hash support for passwords.
• R12: New Feature: Enhan...
Oracle Access Manager
© 2016 Pythian 24
History of the Password Policy implementation
• Oracle Single Sign-On 10g
• Password policy is controlled by Oracle Intern...
History of the Password Policy implementation
• Oracle Access Manager 10g
• Bound to Identity Server only.
• Full user man...
History of the Password Policy implementation
• Oracle Access Manager 11g Release 1
• Independed Oracle Access Manager is ...
History of the Password Policy implementation
• Oracle Access Manager 11g Release 2
• Same cool independed Oracle Access M...
OAM 11gR2 native password policy – what it is?
• Most of the current modern rules are
there.
• Expiration and Lockout supp...
OAM 11gR2 native password policy – what it is?
• It is still based on OAM 10g Oblix schema object classes and attributes.
...
OAM 11gR2 native password policy – what it is NOT?
• It is NOT a complete password lifecycle management tool.
• Self servi...
More advantages of Oracle Access Manager
• Windows Native Authentication
• Kerberos / RADIUS
• Certificates
• Social (Goog...
Licensing
• Usage of Oracle Access Manager requires additional license. It is not included with
E-Business Suite licensing...
Candy
• What to do if you have an allergy on additional extra component overhead that you
do not want, do not need and do ...
Example of most
common configuration
© 2016 Pythian 35
Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Full reference:
▪ Fusion Middlewa...
Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Console is doing it’s own math. I...
User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Password Management feature to be enabled.
• “U...
User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Do not forget about the mandatory Oblix attribu...
User Identity Store
• ACI grant example (Oracle Unified Directory)
© 2016 Pythian 40
ldapmodify -h localhost -p 1389 -D "c...
User Identity Store
• Reminder about LDAP directory own password policy.
• Policy should be set the same or weaker.
• Or j...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Let us create new module ...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• 3 steps to be configured....
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Identification Step
...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Authentication Step
...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Full parameter reference
...
Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Workflow
© 2016 Pythian 49
Configure EBS to use the new Authentication Module
• OAM Console
• Application Security – Access Manager – Authentication ...
Testing
• Did I forget something important to mention?
• Hint:
© 2016 Pythian 51
<LIBOVD-40082> <Could not modify entry.ja...
LDAP directory schema extension
• We forgot Oblix schema extension.
• Reference:
▪ Fusion Middleware Administrator's Guide...
Summary
• Even latest R12.2.6 is not meeting today’s modern password policy standards out-
of-the-box. We can code a custo...
Demo
© 2016 Pythian 54
THANK YOU
Q & A
© 2016 Pythian 55
Upcoming SlideShare
Loading in …5
×

Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition)

This presentation is about how System Administrators and/or Oracle Apps DBAs can improve and meet user authentication security standards in Oracle E-Business Suite by using Oracle Access Manager integration and it's password policy management.
We will talk about:
- Current Oracle E-Business Suite password security limitations.
- Implementation of password policy management in Oracle Access Manager releases. Comparing the capabilities and why you should upgrade your OAM to the latest 11gR2.
- A use case example of most common configuration.
- Demo.

  • Login to see the comments

Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition)

  1. 1. Password Policies in Oracle Access Manager How to improve user authentication security for your Oracle E-Business Suite. ANDREJS PROKOPJEVS Lead Applications Database Consultant
  2. 2. About me © 2016 Pythian 2 Apps DBA from Riga, Latvia. Speaking SQL since 2001. In Oracle world since 2004. “In love” with Oracle EBS since 2006. Andrejs Prokopjevs Lead Applications Database Consultant At Pythian since 2011 @aprokopjevs prokopjevs@pythian.com https://www.pythian.com/blog/author/prokopjevs/
  3. 3. ABOUT PYTHIAN Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete © 2016 Pythian 3
  4. 4. TECHNICAL EXPERTISE © 2016 Pythian 4 Infrastructure: Transforming and managing the IT infrastructure that supports the business DevOps: Providing critical velocity in software deployment by adopting DevOps practices Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth Databases: Ensuring databases are reliable, secure, available and continuously optimized Big Data: Harnessing the transformative power of data on a massive scale Advanced Analytics: Mining data for insights & business transformation using data science
  5. 5. Systems currently managed by Pythian EXPERIENCED Pythian experts in 35 countries GLOBAL Millennia of experience gathered and shared over 19 years EXPERTS 11,800 2400 © 2016 Pythian 5
  6. 6. THE TOP 1.5% GLOBALLY © 2016 Pythian 6 2015 Resumes Reviewed: 12,711 Behavioral Interviews Conducted: 394 Technical Tests Sent: 4062 Passed: 562 Job Offers Made: 189 Accepted: 174
  7. 7. We are hiring !!! Please visit: https://www.pythian.com/careers/ HOT !!! Oracle Apps DBA position in APAC region. © 2016 Pythian 7
  8. 8. Agenda • Current Oracle E-Business Suite password security limitations. • Implementation of password policy management in Oracle Access Manager releases. Comparing the capabilities and why you should upgrade your OAM to the latest 11gR2. • A use case example of most common configuration. • Demo. © 2016 Pythian 8
  9. 9. Why this is important? © 2016 Pythian 9
  10. 10. Why this is important? • #1 - We now live in the “cloud” era. • Less people / organizations are storing their sensitive private data in the isolated local segment. • Cloud services (SaaS / PaaS) • And the shift is still only at the beginning point. • Personal examples: • Corporate examples: © 2016 Pythian 10
  11. 11. Why this is important? • #2 – Today’s Hardware capacity. • Modern CPU chip power is huge enough that it might take “seconds” to break your weak password. • Examples: • Standard dictionary word password: hours / days / weeks online, seconds offline. • At least 10 characters with special characters: centuries online, years offline. • Any idea how these statistics will change in next 5-10 years? © 2016 Pythian 11
  12. 12. Why this is important? • #3 – Social Engineering. • One of the most dreadful security concerns today. • Examples: Facebook / Instagram / Twitter / etc. © 2016 Pythian 12
  13. 13. Why this is important? • #4 – Let us remember few recent cases. • August 2014 – iCloud famous 10+ celebrity photo leak. • May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012. • August 2016 - 68 million Dropbox logins and password hashes leaked in 2012. • September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014. • October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen data stretched back over the last 20 years. Affected sites: Cams.com, iCams.com, and Stripshow.com, as well as Penthouse.com. © 2016 Pythian 13
  14. 14. Why this is important? © 2016 Pythian 14
  15. 15. Few guidelines… as a starter • #1 – Master rule – everything that is shared online must be considered as “public”, disregards of the “privacy rules” set. • #2 – Your password is the first line of defense. It is in your power to make it stronger. • #3 – Today’s must-have – Two-Factor Authentication. Configure and use it everywhere the cloud service provides a support for it. © 2016 Pythian 15
  16. 16. Oracle E-Business Suite © 2016 Pythian 16
  17. 17. So what’s about Oracle E-Business Suite? • Is it somehow different that password security is not a concern? • NO! Username / Password is the same first line of defense. • My EBS instance is not a cloud service, it is isolated in my local network, why should I care? • “Isolated in my local network” doesn’t mean you are not vulnerable. • VPN / Work From Home / Bring Your Own Device is a risk. • Internal threat. • We are doing bi-yearly security awareness training. • That’s great. But it’s not a 100% guarantee, is it? Enforcing password policies in your organization is something that could make that guarantee much stronger. © 2016 Pythian 17
  18. 18. Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. © 2016 Pythian 18
  19. 19. Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. • Signon Password Case (SIGNON_PASSWORD_CASE). ▪ Case sensitivity for passwords. • Signon Password Custom (SIGNON_PASSWORD_CUSTOM). ▪ Custom java class which enables the use of custom, client specific, password policy. • Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT). ▪ Max number of unsuccessful login attempts before the lockout. • Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS). ▪ Enables password requirements: 1) at least one letter and at least one number 2) doesn’t contain username 3) doesn’t contain repeating characters. • Signon Password Length (SIGNON_PASSWORD_LENGTH). ▪ Minimum length of a password. • Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE). ▪ Number of days before reusing an earlier used password. • With some cosmetical changes this hasn’t changed since 11i (10+ years). © 2016 Pythian 19
  20. 20. Standard password policy in Oracle E-Business Suite • Security User Define form (FNDSCAUS). • Password expiration. ▪ Days – password lifetime. ▪ Accesses – how many times ▪ None – no expiration. • Password expiration is handled on a user level. There is no centralized control !!! © 2016 Pythian 20
  21. 21. Does it look like a modern password policy of year 2016? • Not really. L • But we have “Signon Password Custom” available. • Custom Java class. • Loaded to the database. ▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java • Do I need to learn Java now and support this custom class? Do I need to code all these rules myself? © 2016 Pythian 21 package oracle.apps.fnd.security; ... if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) { return true; } else { return false; }
  22. 22. Does it look like a modern password policy of year 2016? © 2016 Pythian 22
  23. 23. Standard password policy in Oracle E-Business Suite • Non-reversable hash support for passwords. • R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID 457166.1) ▪ R12.1.x - Patch 21276707:R12.FND.B R12.2.3+ - Patch 21276707:R12.FND.C ▪ SHA-1 is being deprecated. © 2016 Pythian 23
  24. 24. Oracle Access Manager © 2016 Pythian 24
  25. 25. History of the Password Policy implementation • Oracle Single Sign-On 10g • Password policy is controlled by Oracle Internet Directory standard pwd policies. • /sso/ and /oiddas/ pages support the UI. • Full password lifecycle is managed, with some limitations. • Full user management suite. © 2016 Pythian 25
  26. 26. History of the Password Policy implementation • Oracle Access Manager 10g • Bound to Identity Server only. • Full user management suite through Identity Server. Full password lifecycle is managed. • Based on Oblix schema object classes and attributes. • LDAP directory own policies should be same or weaker, or even just disabled. • “validate_password” is the only standard plugin that supports the built-in password policy functionality and UI pages. • 0 successful production implementations seen in the practice. Mostly because of the customization requirements (multi domain support, multi user base sub-trees, non-Oblix schema attribute requirement, and more). • Adding C based custom plugin changes or external custom UI pages is always evaluated as too costly and unnecessary effort. Usually replaced with an external User Management system directly managing the LDAP directory. © 2016 Pythian 26
  27. 27. History of the Password Policy implementation • Oracle Access Manager 11g Release 1 • Independed Oracle Access Manager is finally here. • You can use *any* LDAP directory. There is no dependency on schema, attributes. • But... Password policies are removed. L • You can use LDAP directory own policies, but it is not smoothly managed during the login process. If something is not right – max LDAP error in the oam_server1 logs, and just a System error in the UI. • Only Oracle Identity Manager (OIM) integration with OAM provides the full user management suite, desired password policy implementation, UI support for full password lifecycle. • $$$ J © 2016 Pythian 27
  28. 28. History of the Password Policy implementation • Oracle Access Manager 11g Release 2 • Same cool independed Oracle Access Manager 11gR1, overall. • But on steroids (integrated federation, mobile and social, and many more). • Password policies are back. J • LDAP directory own policies should be same or weaker, or disabled. • Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more advanced” policy implementation, UI support for full password lifecycle, and full user management suite. • $$$ J … nothing changed © 2016 Pythian 28
  29. 29. OAM 11gR2 native password policy – what it is? • Most of the current modern rules are there. • Expiration and Lockout support. • Provides the “UserPasswordPolicyPlugin” Authentication Plugin that can be used with various types of authentication worklow. © 2016 Pythian 29
  30. 30. OAM 11gR2 native password policy – what it is? • It is still based on OAM 10g Oblix schema object classes and attributes. • But mandatory are only related to password management. • For user data reference – you have a choice. Usable for OAM 10g upgrade use cases. • List: ▪ obPasswordCreationDate ▪ obPasswordHistory ▪ obPasswordChangeFlag ▪ obuseraccountcontrol ▪ obpasswordexpirydate ▪ obLockoutTime ▪ obLoginTrvCount ▪ oblastsuccessfullogin ▪ oblastfailedlogin • It is not mandatory to pre-assign Oblix object classes to your existing user entries. • IMPORTANT: User Identity Store configured Bind DN user must have required ACI permissions to adjust these attributes !!!. © 2016 Pythian 30
  31. 31. OAM 11gR2 native password policy – what it is NOT? • It is NOT a complete password lifecycle management tool. • Self service is missing (password change on-demand, forgot your password) • Standard password management pages are not operational without a valid OAM user authentication request process (request_id). • Direct access just ends with a System error. • Customizations is a solution. • Login page customization is supported by both ECC and DCC. • Password Policy page customization is supported only by DCC. ▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD SERVICE PAGES ▪ Was targeted for release 11.1.2.3.0, but it’s not there yet. • Or implement OIM. $$$ J © 2016 Pythian 31
  32. 32. More advantages of Oracle Access Manager • Windows Native Authentication • Kerberos / RADIUS • Certificates • Social (Google, Facebook, more) • Multi-Step authentication support. • RSA (same RADIUS) • OTP – Oracle Mobile Authenticator © 2016 Pythian 32 Sorry Windows Mobile users…
  33. 33. Licensing • Usage of Oracle Access Manager requires additional license. It is not included with E-Business Suite licensing model. • Oracle EBS Single Sign-On implementation requires an Oracle Internet Directory (Oracle Unified Directory supported from R12.2.5 only) – again licensed separately. • Standard pack: ▪ Oracle Directory Services Plus. ▪ Oracle Access Manager. ▪ Both are covered with Oracle Identity and Access Management Suite Plus license pack. • Also includes Oracle Identity Manager. ▪ Database separate license is not required if used only for Metadata Repository data. • “Extra” features of OAM requires an additional licensing. ▪ Like Mobile and Social for OTP. © 2016 Pythian 33
  34. 34. Candy • What to do if you have an allergy on additional extra component overhead that you do not want, do not need and do not want to license? • Challenge #1: Web server protection. • You can replace mod_webgate with something else, like mod_auth_kerb (WNA). • Challenge #2: What to do with EBS, OID or OUD? • Leave your EBS local as it was before SSO • Write your own authentication solution (ebsSDK) • mod_rewrite: redirect your AppsLocalLogin.jsp to your own authentication processing. © 2016 Pythian 34
  35. 35. Example of most common configuration © 2016 Pythian 35
  36. 36. Configuring the password policy • OAM Console • Application Security – Password Policy • Full reference: ▪ Fusion Middleware Administrator's Guide for Oracle Access Management ▪ 24.3.1 Password Policy Configuration Page ▪ https://docs.oracle.com/cd/E52734_01/oam/ AIAAG/GUID-7850A074-9EE3-45EE-9150- 5DD96B9D13CD.htm#GUID-200E3E90- 21CC-439C-BF4E- 0468CA455148__BABDBBHE © 2016 Pythian 36
  37. 37. Configuring the password policy • OAM Console • Application Security – Password Policy • Console is doing it’s own math. If something is not going inline, there will be a warning about that. • Example: If we put value 1 into both Minimum Uppercase and Lowercase Characters fields, Minimum Alphabetic Characters is expected to be the sum. © 2016 Pythian 37
  38. 38. User Identity Store • OAM Console • Configuration – User Identity Stores • Password Management feature to be enabled. • “Use Oblix User Schema” should not be enabled as we are using standard Oracle schema. • Other 4 parameters are needed to point to correct attributes for “Can Include X” policy setting verification. © 2016 Pythian 38
  39. 39. User Identity Store • OAM Console • Configuration – User Identity Stores • Do not forget about the mandatory Oblix attributes in use ! • “Bind DN” LDAP user should have WRITE permissions to manage these attributes. • Also to add the required object classes to the user entry if found missing. • Do not use a super user account like I do here J © 2016 Pythian 39
  40. 40. User Identity Store • ACI grant example (Oracle Unified Directory) © 2016 Pythian 40 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount || oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user attribute level aci write example"; allow (write) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) EOF
  41. 41. User Identity Store • Reminder about LDAP directory own password policy. • Policy should be set the same or weaker. • Or just completely disabled. © 2016 Pythian 41
  42. 42. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Let us create new module with name “LDAP_EBS_with_password_policy”. © 2016 Pythian 42
  43. 43. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • 3 steps to be configured. “User Password Status Step” is one for the policy. © 2016 Pythian 43
  44. 44. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Identification Step ▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME}) ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore) ▪ KEY_SEARCH_BASE_URL: leave empty for plugin to use default Identity store’s User Search Base DN. © 2016 Pythian 44
  45. 45. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Authentication Step ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore) ▪ KEY_PROP_AUTHN_EXCEPTION: Enable or disable the propagation of LDAP errors. Must be TRUE if password policy plugin is used in the chain. ▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL: These parameters are not yet documented. © 2016 Pythian 45
  46. 46. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ PLUGIN_EXECUTION_MODE: This plugin can be used as a replacement for User Authentication Plugin too. We are going to set it as PSWDONLY to be a separate 3rd step. ▪ OBJECTCLASS_EXTENSION_SUPPORTED: Must be set to TRUE in order to automatically adjust affected user entries with Oblix object classes. ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore) © 2016 Pythian 46
  47. 47. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ URL_ACTION: Redirection behavior between the pages. Default: REDIRECT_POST. ▪ NEW_USERPSWD_BEHAVIOR: Action for new user not marked by the policy. We’ll use FORCEPASSWORDCHANGE. • Actually should be FORCECHANGEPASSWORD. • Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password Changes for Existing Passwords Not Working (Doc ID 1563172.1) • Documentation bug. ▪ POLICY_SCHEMA: Just OAM10G, as everything is based on Oblix schema standards. ▪ CHALLENGES_SUPPORTED: This parameter is not yet documented. Default: FALSE. ▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE. © 2016 Pythian 47
  48. 48. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Full parameter reference ▪ Fusion Middleware Administrator's Guide for Oracle Access Management ▪ Table 24-8 User Password Step Details ▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15- C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ © 2016 Pythian 48
  49. 49. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Workflow © 2016 Pythian 49
  50. 50. Configure EBS to use the new Authentication Module • OAM Console • Application Security – Access Manager – Authentication Schemes • Expecting that EBS is already integrated. • Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1) • EBSAuthScheme • Authentication Module: LDAP_EBS_with_password_policy • Challenge Parameters: OverrideRetryLimit=0 © 2016 Pythian 50
  51. 51. Testing • Did I forget something important to mention? • Hint: © 2016 Pythian 51 <LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute oblastsuccessfullogin which is not allowed by any of the objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'
  52. 52. LDAP directory schema extension • We forgot Oblix schema extension. • Reference: ▪ Fusion Middleware Administrator's Guide for Oracle Access Management ▪ Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers ▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119- 9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA-2A69CDEA50FB__CFFEJEEE • OUD example: ▪ Object classes: oblixPersonPwdPolicy and oblixorgperson ▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol, obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin © 2016 Pythian 52 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd -f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif
  53. 53. Summary • Even latest R12.2.6 is not meeting today’s modern password policy standards out- of-the-box. We can code a custom java class, but that requires Java skills, courage and good release management. • Oracle Access Manager is the only certified SSO solution for EBS. It has the support of today’s standards, but costs additional resources as it is a separate component and separately licensed. • 11gR2 upgrade is highly recommended. Provides support for other more secure authentication methods, like Multi-Step Authentication, OTP usage. • Password policy setup is well documented and quite straightforward. • Except few nuances noted. J © 2016 Pythian 53
  54. 54. Demo © 2016 Pythian 54
  55. 55. THANK YOU Q & A © 2016 Pythian 55

×