DOAG Security Day 2016
Enterprise Security Reloaded
DOAG Security Day, 17.03.2016
Slide 2
Jan Schreiber
Loopback.ORG GmbH, Hamburg
Database Operations & Security
Data Warehouse & Business Intelligence
Oracle Architecture & Performance
Slide 3
Table 8-2 Oracle 9i Default Accounts and Passwords

User        Password
SYSTEM      MANAGER
SCOTT       TIGER
OLAPSYS     OLAPSYS
ANONYMOUS   ANONYMOUS
Slide 4
Source: XKCD

Slide 5
Source: XKCD
Slide 6
Oracle hash algorithms

Ancient (pre-11g):        DES-based hash of upper(username || password); case-insensitive, the user name is the only salt
11g "S:" verifier:        password hash (20 bytes) = sha1(password + salt (10 bytes)), stored as hash || salt
11g "H:" verifier:        md5digest('USER:XDB:password') (the HTTP Digest HA1 for the XDB realm)
12.1.0.2 "T:" verifier:   PBKDF2-based SHA512 hash

Example of a SYS.USER$.SPARE4 value carrying all three verifiers:
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
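The three verifiers above, reimplemented so that a stored SPARE4 value can be checked against a candidate password (for example against the default-password list on slide 3). This is an added example, not code from the talk. The S: and H: constructions are exactly what the slide states (the upper-cased user name in the H: string is an assumption taken from the slide's spelling "USER"); the T: construction (PBKDF2-HMAC-SHA-512 with the salt suffix AUTH_PBKDF2_SPEEDY_KEY, 4096 iterations, then SHA-512 over key || salt, 16-byte salt appended) goes beyond the slide's one-line description and follows the published layout that hashcat (modes 112 and 12300) and John the Ripper implement.

```python
"""Oracle password verifiers: 11g 'S:', 'H:' (XDB HTTP Digest) and 12.1.0.2 'T:'.
Added example for auditing; not code from the talk."""
import hashlib
import hmac
import os
from typing import Dict, Optional

T_SALT_SUFFIX = b"AUTH_PBKDF2_SPEEDY_KEY"   # fixed suffix appended to the 16-byte salt
T_ITERATIONS = 4096


def make_s_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """11g 'S:' verifier: SHA-1(password || 10-byte salt) followed by the salt, 60 hex chars."""
    salt = os.urandom(10) if salt is None else salt
    if len(salt) != 10:
        raise ValueError("S: salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (digest + salt).hex().upper()


def verify_s(verifier: str, password: str) -> bool:
    raw = bytes.fromhex(verifier)
    if len(raw) != 30:
        raise ValueError("S: verifier must be 60 hex chars")
    expected = hashlib.sha1(password.encode("utf-8") + raw[20:]).digest()
    return hmac.compare_digest(expected, raw[:20])


def make_h_verifier(username: str, password: str) -> str:
    """'H:' verifier: MD5('USER:XDB:password'), the HTTP Digest HA1 for realm XDB.
    Upper-casing the user name is an assumption taken from the slide's spelling."""
    ha1 = f"{username.upper()}:XDB:{password}".encode("utf-8")
    return hashlib.md5(ha1).hexdigest().upper()


def make_t_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """12.1.0.2 'T:' verifier: SHA-512(PBKDF2-HMAC-SHA-512(pw, salt||suffix) || salt)
    followed by the 16-byte salt, 160 hex chars (layout as used by hashcat/John)."""
    salt = os.urandom(16) if salt is None else salt
    if len(salt) != 16:
        raise ValueError("T: salt must be 16 bytes")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt + T_SALT_SUFFIX, T_ITERATIONS, dklen=64)
    return (hashlib.sha512(dk + salt).digest() + salt).hex().upper()


def verify_t(verifier: str, password: str) -> bool:
    raw = bytes.fromhex(verifier)
    if len(raw) != 80:
        raise ValueError("T: verifier must be 160 hex chars")
    expected = bytes.fromhex(make_t_verifier(password, raw[64:]))[:64]
    return hmac.compare_digest(expected, raw[:64])


def parse_spare4(spare4: str) -> Dict[str, str]:
    """Split a SYS.USER$.SPARE4 value such as 'S:...;H:...;T:...' into its verifiers."""
    out: Dict[str, str] = {}
    for part in spare4.split(";"):
        if ":" in part:
            tag, value = part.split(":", 1)
            out[tag.strip()] = value.strip()
    return out


def check_password(spare4: str, username: str, password: str) -> Dict[str, bool]:
    """Test one candidate password against every verifier present in SPARE4."""
    v = parse_spare4(spare4)
    result: Dict[str, bool] = {}
    if "S" in v:
        result["S"] = verify_s(v["S"], password)
    if "H" in v:
        result["H"] = hmac.compare_digest(v["H"].upper(), make_h_verifier(username, password))
    if "T" in v:
        result["T"] = verify_t(v["T"], password)
    return result
```

What the code makes visible: S: is a single SHA-1 over password and salt, which a GPU cracker tests at billions of guesses per second, and the pre-11g hash is case-insensitive; only T: has a work factor. On 12c, SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a makes the server keep only the T: verifier, and existing accounts need a password change before their old verifiers disappear.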
Slide 7
LDAP directory integration

Database client: (1) connects as Leonard.Nimoy/BIGDB
Oracle DB: (2) requests Leonard.Nimoy from the LDAP server, (3) the LDAP server returns the entry for Leonard.Nimoy; the database verifies the password hash and maps the user to roles and a schema
LDAP server: store for users, roles and the EUS configuration

SQL> alter user ... identified externally;
Slide 8
One cross each: hashes in the directory
Slide 9
Active Directory integration

Synchronisation:
•  no AD schema changes needed
•  an AD agent must run on the AD domain controllers and read the clear-text passwords
Proxy:
•  AD schema changes needed
•  a password filter must run on the AD domain controllers
•  an AD update right is required
Virtualisation:
•  only one AD schema change: orclCommonAttribute
•  separation of duties between DBA and AD administrator

Diagrams (in each one a database client such as SqlPlus or Java authenticates (AUTH) against a DB farm, and the directory maps users, schema and roles):
OVD: DB farm -> OVD -> AD (hashes, groups)
OID: DB farm -> Oracle OID <- SYNC (DIP) from AD, with the password filter oidpwdcn.dll on the domain controllers
OUD: DB farm -> OUD -> AD (hashes, groups); oidpwdcn.dll and orclCommonAttribute
Slide 10
Kerberos AD integration

AD domain controller = Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS)

(1) Domain logon: the user authenticates with user name and password
(2) The KDC checks the user's credentials
(3) The AS issues the user ticket (TGT)
(4) The TGT is stored in the ticket cache on the client PC
(5) The client requests a service ticket (ST) for the application server, presenting its TGT
(6) The TGS checks the TGT and issues the ST for the application server
(7) The ST is returned to the client
(8) The client presents the ST to the DB server
(9) The DB server verifies the ST; client and DB server now share a session key
Slide 11
PKI authentication

User / application: holds its own private key, submits User.csr to the Certification Authority (CA) and receives the user certificate plus the CA certificate
Database: holds its own private key, submits DB.csr to the CA and receives the DB certificate plus the CA certificate
User/application <-> database: SSL handshake in which each side presents its certificate and validates the peer's certificate against the CA certificate
Slide 12
Enterprise User Security (EUS)

Oracle Internet Directory: enterprise users (User, DBA) are members of enterprise roles (RoleEnterpriseUser, RoleEnterpriseDBA)
Databases: each enterprise role maps to global roles in the database (RoleUserGlobal1 and RoleUserGlobal2 for the user, RoleDBAGlobal for the DBA), and the global roles hold the local roles (RoleUserLocal1, RoleUserLocal2; Resource, DBA)
Slide 13
AD integration with Oracle Unified Directory (OUD) & Kerberos

Diagram: database client (SqlPlus, Java, etc.) -> DB farm -> OUD (EUS: map users, schema, roles; OracleContext) -> AD (groups)

OUD proxy setup:
•  a read-only AD user
•  read access to the DB user entries in AD
•  Oracle Context in LDAP
•  software: OUD, WebLogic, ADF
•  works with EUS as well

[linux7 Oracle_OUD1]$ ./oud-proxy-setup
[linux6]$ okinit testuser
[linux7]$ oklist
(Kerberos ticket)
Slide 14
Secure External Password Store (1)

$ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:

$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-12578: TNS:wallet open failed
Enter user-name:
Slide 15
Secure External Password Store (2)

cwallet.sso layout:
0x00 - 0x4C  Header:
  0x00 - 0x02  first 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03         type: SSO = 36; LSSO = 38
  0x04 - 0x06  00 00 00
  0x07         version (10g: 05; 11g: 06)
  0x08 - 0x0A  00 00 00
  0x0B - 0x0C  11g: always the same (41 35)
  0x0D - 0x1C  DES key
  0x1D - 0x4C  DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF   PKCS#12 data (ASN.1 block)

$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
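A parser for the cwallet.sso header laid out above, as an added example that is not the talk's ssoDecrypt.sh. It validates and splits exactly the fields the slide names (magic, type, version, marker, DES key, DES secret, PKCS#12 payload) and deliberately stops before the DES step, because the slide does not give the key schedule or IV and guessing them would be invention. The sample blob built by build_sample_sso is constructed test data, not a real wallet.

```python
"""cwallet.sso (Oracle auto-login wallet) header parser, per the offsets on the slide.
Added example; no DES decryption, only header validation and field extraction."""
from typing import Dict

MAGIC = b"\xa1\xf8\x4e"
TYPES = {0x36: "SSO", 0x38: "LSSO"}        # LSSO = created with -auto_login_local
VERSIONS = {0x05: "10g", 0x06: "11g"}
HEADER_LEN = 0x4D                          # header spans 0x00 .. 0x4C


def parse_sso_header(blob: bytes) -> Dict[str, object]:
    if len(blob) < HEADER_LEN + 2:
        raise ValueError("shorter than the 0x4D-byte header plus an ASN.1 tag and length")
    if blob[0:3] != MAGIC:
        raise ValueError("bad magic %s, not an Oracle auto-login wallet" % blob[0:3].hex())
    if blob[3] not in TYPES:
        raise ValueError("unknown wallet type byte 0x%02x" % blob[3])
    if blob[4:7] != b"\0\0\0" or blob[8:11] != b"\0\0\0":
        raise ValueError("reserved bytes at 0x04-0x06 / 0x08-0x0A are not zero")
    des_secret = blob[0x1D:0x4D]
    if len(des_secret) % 8:                # DES-CBC with PKCS#7 padding: whole 8-byte blocks
        raise ValueError("DES secret is not a multiple of the DES block size")
    p12 = blob[HEADER_LEN:]
    if p12[0] != 0x30:                     # a PKCS#12 PFX is a DER SEQUENCE
        raise ValueError("payload at 0x4D does not start with an ASN.1 SEQUENCE")
    return {
        "type": TYPES[blob[3]],
        "version": VERSIONS.get(blob[7], "unknown (0x%02x)" % blob[7]),
        "marker": blob[0x0B:0x0D],         # 41 35 on 11g wallets
        "des_key": blob[0x0D:0x1D],        # 16 bytes
        "des_secret": des_secret,          # 48 bytes, holds the PKCS#12 password
        "p12_der": p12,
    }


def build_sample_sso(wallet_type: int = 0x38, version: int = 0x06) -> bytes:
    """Constructed test blob (not a real wallet): a header per the slide followed by
    a minimal DER SEQUENCE { INTEGER 3 } standing in for the PKCS#12 data."""
    header = (MAGIC + bytes([wallet_type]) + b"\0\0\0" + bytes([version]) + b"\0\0\0"
              + b"A5" + bytes(range(16)) + bytes(48))
    assert len(header) == HEADER_LEN
    return header + b"\x30\x03\x02\x01\x03"
```

The practitioner's takeaway from the layout: the PKCS#12 password sits inside the file itself, obfuscated rather than protected by a secret the user holds, so anyone who can read cwallet.sso can recover the stored credentials. File permissions are the protection (owner oracle, mode 0600), and the LSSO type created with -auto_login_local adds a binding to the creating host and OS user, so a copied wallet will not open elsewhere.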
Slide 16
Separating the schema owner from the accessing users

Application schema (the owner) on one side; on the other side the DB users 1, 2, 3, ..., n, each connecting with an individual account instead of the owner account.
17DOAG Security Day 2016
Anforderung	 Alte	Wallets	 AD-Kerberos	 SSL-PKI	 EUS	
Schutz	des	Passworts	gegen	Auslesen	 ★	 ✔	 ✔	
Adminaufwand	verringert	für	Passwortänderung	 ✖ ✔	 ✔	
Nachvollziehbarkeit	von	Änderungen	verbessert	 ✖	 ✔	 ✔	
Individuelle	Benutzerkennungen	 ✖	 ✔	 ✔	
Zentrale	Benutzerverwalt.	&	Passwortrichtlinien	 ✔	
Zentrale	Rollenverwaltung	 ✔	
Lösung	für	alle	Zugriffe	geeignet	 ★	 ★	
CA	erforderlich	 ✔	
Kerberos	Roll-out	erforderlich	 ✔	
Wallets	können	weiterhin	verwendet	werden	 ★	 ✔	
Lizenkosten	Directory	entstehen	
Kosten-Nutzen-Analyse
Slide 18
Kerberos: SPN user account in AD (screenshot)
Slide 19
Kerberos Key Table

PS C:\Users\Administrator> ktpass.exe -princ oracle/ioaotow01.tested.lcl@TESTED.LCL -mapuser ioaotow01 -crypto RC4-HMAC-NT -pass XXX -out c:\ioaotow-hmac2.keytab -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: test-dchh01.tested.lcl
Successfully mapped oracle/ioaotow01.tested.lcl to ioaotow01.
Password successfully set!
Key created.
Output keytab to c:\ioaotow-hmac2.keytab:
Keytab version: 0x502 keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xbd54ec4ab1feb299c0969b67f1d9deb8)

[oracle@ioaotow01 TESTDB-KERB5]$ oklist -k ioaotow01.keytab
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 13-JAN-2016 15:11:59
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Service Key Table: ioaotow01.keytab
Ver  Timestamp             Principal
4    01-Jan-1970 01:00:00  oracle/ioaotow01.tested.lcl@TESTED.LCL
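A writer and parser for the keytab file format that ktpass produces and oklist reads above (file format version 0x0502), as an added example that is not part of the talk. The principal is the one on the slide; the key bytes, the kvno 300 entry and the AES entry are constructed test data. A useful cross-check is that an entry for oracle/ioaotow01.tested.lcl@TESTED.LCL with a 16-byte RC4 key comes out at exactly 73 bytes, which is the "keysize 73" ktpass printed.

```python
"""MIT keytab (version 0x0502) writer and parser, with an etype audit.
Added example, not code from the talk; key material below is constructed."""
import struct
from typing import Dict, List

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# DES is broken; an rc4-hmac key is MD4(UTF-16LE(password)), i.e. the account's NT hash.
WEAK_ETYPES = {1, 3, 23}


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, kvno: int, etype: int, key: bytes,
                 name_type: int = 1, timestamp: int = 0) -> bytes:
    """One-entry keytab. name_type 1 = KRB5_NT_PRINCIPAL; ktpass writes timestamp 0,
    which oklist displays as 01-Jan-1970."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    entry = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        entry += _counted(c.encode())
    entry += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    entry += struct.pack(">HH", etype, len(key)) + key
    if kvno > 0xFF:                      # optional 32-bit kvno trailer for large version numbers
        entry += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry


class _Reader:
    def __init__(self, data: bytes, pos: int) -> None:
        self.data, self.pos = data, pos

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keytab entry")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def counted(self) -> str:
        return self.take(self.u16()).decode()


def parse_keytab(data: bytes) -> List[Dict[str, object]]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %s" % data[:2].hex())
    entries: List[Dict[str, object]] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                     # a negative size marks a deleted slot
            pos += -size
            continue
        r = _Reader(data, pos)
        ncomp = r.u16()
        realm = r.counted()
        comps = [r.counted() for _ in range(ncomp)]
        name_type, timestamp = r.u32(), r.u32()
        kvno = r.take(1)[0]
        etype = r.u16()
        key = r.take(r.u16())
        if pos + size - r.pos >= 4:      # 32-bit kvno present only when there is room left
            kvno32 = r.u32()
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "etype": etype, "etype_name": ETYPES.get(etype, "etype %d" % etype),
            "key": key, "weak": etype in WEAK_ETYPES, "size": size,
        })
        pos += size
    return entries


def audit_keytab(data: bytes) -> List[str]:
    """Findings in the spirit of the MOS note cited on slide 23: move RC4/DES keys to AES."""
    return ["%s: kvno %d uses %s, re-create the key with AES" % (e["principal"], e["kvno"], e["etype_name"])
            for e in parse_keytab(data) if e["weak"]]
```

Why the audit matters: with -crypto RC4-HMAC-NT the 16 key bytes in the keytab are the NT hash of the service account's password, which is pass-the-hash material for that account, so the file named in SQLNET.KERBEROS5_KEYTAB deserves the same handling as a private key (owner oracle, mode 0600), and AES keys (etype 17/18) should be preferred where the 12c client bug noted on slide 23 allows.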
Slide 20
Database Kerberos configuration

krb5.conf
dns_lookup_realm = false
[domain_realm]
.tested.lcl = TESTED.LCL
tested.lcl = TESTED.LCL

sqlnet.ora
General settings:
NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
Kerberos settings:
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_KEYTAB=/oracle/product/12.1.0/dbhome_1/network/admin/ioaotow01.keytab
SQLNET.KERBEROS5_CC_NAME=/oracle/diag/krb/cc/krb5cc_99
Slide 21
Kerberos user login

SQL> create user USER01 identified externally as 'USER01@TESTED.LCL';
User created.
SQL> grant connect to user01;

[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:

[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting        Expires               Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/ioaotow01@TESTED.LCL
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/ioaotow01.tested.lcl@TESTED.LCL

[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "USER01@TESTED.LCL"
Slide 22
Kerberos database login from a Windows PC (screenshot)
Slide 23
Kerberos & Database 12c

•  newly written Kerberos stack
•  RC4-HMAC-NT / Windows Server 2012
•  ORA-12638: Credential retrieval failed
   –  SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
•  Bugs....

Reading list:
Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
Doc ID 185897.1: Kerberos Troubleshooting Guide
Master Note For Kerberos Authentication (Doc ID 1375853.1)
WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
Laurent Schneider: The long long route to Kerberos
Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
Slide 24
PKI: certificates and wallets

Database server
1.  Create an empty wallet
2.  Generate a key and a certificate request
3.  Have the request signed by the CA (e.g. CN=db12c)
4.  Import the CA certificate (CN=myCA)
5.  Import the signed certificate

Client
1.  Create an empty wallet
2.  Generate a key and a certificate request
3.  Have the request signed by the CA (e.g. CN=jans)
4.  Import the CA certificate (CN=myCA)
5.  Import the signed certificate
Slide 25
PKI: server wallet

$ mkdir $ORACLE_BASE/admin/loopds/pki
$ orapki wallet create -wallet $ORACLE_BASE/admin/loopds/pki -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -request ~/db12c.csr
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert db12c.pem -user_cert -pwd XXX
Slide 26
PKI: client wallet

$ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/client -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -request ~/jans.csr
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert jans.pem -user_cert -pwd XXX
Slide 27
Display wallet

[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=LOOPDS
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

Besides the own LoopCA root, the wallet trusts the public roots that orapki pre-installs. For certificate-based login the database accepts any client certificate chaining to any trusted root whose DN matches a user created "identified externally", so remove every trusted certificate that is not your own CA (orapki wallet remove ... -trusted_cert_all, then re-add the CA certificate).
Slide 28
PKI: listener configuration (listener.ora)

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484))
    )
  )
Slide 29
PKI: TNS configuration (sqlnet.ora)

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
Slide 30
Login with user name/password over SSL

$ sqlplus user/pwd@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
------------------------------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
------------------------------------------------------------------------
PASSWORD
Slide 31
PKI: login with a certificate

SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;

$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
Slide 32
PKI: JDBC

•  SSL can be used via JDBC as well
•  Integration is also possible via keytool

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// trust store: the wallet exported as PKCS#12; demo values from the Oracle white paper, not for production source code
props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);

http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
How to configure Oracle SQLDeveloper to use a SSL connection that was configured as per Note 401251.1
Slide 33
PKI: ODBC

Use the Oracle ODBC driver: Oracle Data Access Components (ODAC)
Slide 34
Be a Certificate Authority (CA)

•  AD Certificate Services
•  Commercial products
   –  also open source:
      •  EJBCA
      •  OpenXPKI
•  All steps are implemented in OpenSSL
   –  Not to be confused with self-signed certificates

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem -infiles Reqs/$1.req

Note that -nodes leaves rootCA.key unencrypted on disk; for anything beyond a lab CA, omit it so the key gets a passphrase, and keep the CA key off the database hosts.
Slide 35
Windows AD CA with autoenrollment (screenshot)

Slide 36
Certificate chaining for a sub-CA (screenshot)
Slide 37
Jan Schreiber
Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | bi solutions
jans@loopback.org
blogs.loopback.org
Thank you for your attention!
More Related Content

What's hot

Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for Cassandra
Edward Capriolo
 
Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)
MongoSF
 
MongoDB Performance Debugging
MongoDB Performance DebuggingMongoDB Performance Debugging
MongoDB Performance Debugging
MongoDB
 
Mssm及assm下索引叶块分裂的测试
Mssm及assm下索引叶块分裂的测试Mssm及assm下索引叶块分裂的测试
Mssm及assm下索引叶块分裂的测试
maclean liu
 

What's hot (20)

Cassandra Drivers and Tools
Cassandra Drivers and ToolsCassandra Drivers and Tools
Cassandra Drivers and Tools
 
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelonaCassandra nice use cases and worst anti patterns no sql-matters barcelona
Cassandra nice use cases and worst anti patterns no sql-matters barcelona
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for Cassandra
 
Cassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUGCassandra introduction @ ParisJUG
Cassandra introduction @ ParisJUG
 
Oracle Database 12.1.0.2 New Features
Oracle Database 12.1.0.2 New FeaturesOracle Database 12.1.0.2 New Features
Oracle Database 12.1.0.2 New Features
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
SQL Transactions - What they are good for and how they work
SQL Transactions - What they are good for and how they workSQL Transactions - What they are good for and how they work
SQL Transactions - What they are good for and how they work
 
Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)Indexing and Query Optimizer (Aaron Staple)
Indexing and Query Optimizer (Aaron Staple)
 
Asegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File DownloadingAsegúr@IT IV - Remote File Downloading
Asegúr@IT IV - Remote File Downloading
 
Azure SQL Database - Connectivity Best Practices
Azure SQL Database - Connectivity Best PracticesAzure SQL Database - Connectivity Best Practices
Azure SQL Database - Connectivity Best Practices
 
MongoDB Performance Debugging
MongoDB Performance DebuggingMongoDB Performance Debugging
MongoDB Performance Debugging
 
Mssm及assm下索引叶块分裂的测试
Mssm及assm下索引叶块分裂的测试Mssm及assm下索引叶块分裂的测试
Mssm及assm下索引叶块分裂的测试
 
Agile Database Development with JSON
Agile Database Development with JSONAgile Database Development with JSON
Agile Database Development with JSON
 
Modern Java Development
Modern Java DevelopmentModern Java Development
Modern Java Development
 
MongoDB World 2016: Deciphering .explain() Output
MongoDB World 2016: Deciphering .explain() OutputMongoDB World 2016: Deciphering .explain() Output
MongoDB World 2016: Deciphering .explain() Output
 
My sql regis_handsonlab
My sql regis_handsonlabMy sql regis_handsonlab
My sql regis_handsonlab
 
Mongodb debugging-performance-problems
Mongodb debugging-performance-problemsMongodb debugging-performance-problems
Mongodb debugging-performance-problems
 
Latest java
Latest javaLatest java
Latest java
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
Caching and tuning fun for high scalability @ LOAD2012
Caching and tuning fun for high scalability @ LOAD2012Caching and tuning fun for high scalability @ LOAD2012
Caching and tuning fun for high scalability @ LOAD2012
 

Similar to DOAG Security Day 2016 Enterprise Security Reloaded

11thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp0111thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp01
Karam Abuataya
 

Similar to DOAG Security Day 2016 Enterprise Security Reloaded (20)

DOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon SecurityDOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon Security
 
Securefile LOBs
Securefile LOBsSecurefile LOBs
Securefile LOBs
 
Rmoug ashmaster
Rmoug ashmasterRmoug ashmaster
Rmoug ashmaster
 
MySQL 5.7 + JSON
MySQL 5.7 + JSONMySQL 5.7 + JSON
MySQL 5.7 + JSON
 
AUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityAUSOUG Oracle Password Security
AUSOUG Oracle Password Security
 
DBCC - Dubi Lebel
DBCC - Dubi LebelDBCC - Dubi Lebel
DBCC - Dubi Lebel
 
Php forum2015 tomas_final
Php forum2015 tomas_finalPhp forum2015 tomas_final
Php forum2015 tomas_final
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
11thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp0111thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp01
 
11 Things About11g
11 Things About11g11 Things About11g
11 Things About11g
 
Oracle goldengate 11g schema replication from standby database
Oracle goldengate 11g schema replication from standby databaseOracle goldengate 11g schema replication from standby database
Oracle goldengate 11g schema replication from standby database
 
Real Time Big Data (w/ NoSQL)
Real Time Big Data (w/ NoSQL)Real Time Big Data (w/ NoSQL)
Real Time Big Data (w/ NoSQL)
 
Mini Session - Using GDB for Profiling
Mini Session - Using GDB for ProfilingMini Session - Using GDB for Profiling
Mini Session - Using GDB for Profiling
 
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020Troubleshooting Tips and Tricks for Database 19c   ILOUG Feb 2020
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDB
 
2011 Mongo FR - MongoDB introduction
2011 Mongo FR - MongoDB introduction2011 Mongo FR - MongoDB introduction
2011 Mongo FR - MongoDB introduction
 
String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?String Comparison Surprises: Did Postgres lose my data?
String Comparison Surprises: Did Postgres lose my data?
 
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019
 
MySQL8.0 in COSCUP2017
MySQL8.0 in COSCUP2017MySQL8.0 in COSCUP2017
MySQL8.0 in COSCUP2017
 
Practical attacks on commercial white-box cryptography solutions
Practical attacks on commercial white-box cryptography solutionsPractical attacks on commercial white-box cryptography solutions
Practical attacks on commercial white-box cryptography solutions
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 

DOAG Security Day 2016 Enterprise Security Reloaded

  • 1. 1DOAG Security Day 2016 Enterprise Security Reloaded DOAG Security Day 17.03.2016
  • 2. 2DOAG Security Day 2016 Jan Schreiber Loopback.ORG GmbH, Hamburg Database Operations & Security Data Warehouse & Business Intelligence Oracle Architektur & Performance
  • 3. 3DOAG Security Day 2016 Table USER: SYSTEM
 PW: MANAGER USER: SCOTT PW: TIGER USER: OLAPSYS
 PW: OLAPSYS USER: ANONYMOUS
 PW: ANONYMOUS Table 8-2 Oracle 9i Default Accounts and Passwords
  • 4. 4DOAG Security Day 2016 Quelle: XKCD
  • 5. 5DOAG Security Day 2016 Quelle: XKCD
  • 6. 6DOAG Security Day 2016 Oracle Hash Algorithmen 3DEShash(upper (username|| password)) password hash (20 bytes) = sha1(password + salt (10 bytes)) S8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1 F56554A; H:DC9894A01797D91D92ECA1DA66242209; T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F75 7FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD 8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Uralt: 11g: 12.1.0.2: 11g Hash md5digest(‘USER:XDB:password') PBKDF2-based SHA512 hash
  • 7. 7DOAG Security Day 2016 LDAP-Directory Anbindung Database Client (1) Connect Leonard. Nimoy/ BIGDB Oracle DB Überprüft Passwort Hash, ordnet User Rollen und Schema zu (2) Request Leonard.Nimoy (3) Returned Leonard.Nimoy LDAP Server Ablage für User, Rollen & EUS Konfiguration SQL> alter user ... identified externally;
  • 8. 8DOAG Security Day 2016 Jeder nur ein Kreuz – Hashes im Verzeichnis
  • 9. 9DOAG Security Day 2016 Synchronisation •  Keine AD-Schema- änderungen nötig •  AD Agent muss auf AD- Kontrollern laufen und Klartext-Passwörter mitlesen Proxy: •  AD-Schema- änderungen nötig •  Password Filter muss auf AD-Controllern laufen •  AD Update Recht muss vorhanden sein Virtualisierung: •  Nur AD- Schemaänderung: Orclcommonattribute •  Rollentrennung DBA/AD Active Directory Verzeichnisintegration DB FARM OVD Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles HashesGroups OID DB FARM Oracle OID Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles SYNC (DIP) oidpwdcn.dll DB FARM OUD Database Client SqlPlus, Java, etc (AUTH) Map Users, Schema,Roles Hashes Groups oidpwdcn.dll orclCommonAttribute
  • 10. 10DOAG Security Day 2016 Kerberos-AD- Anbindung Benutzerdaten- prüfung (2) AD Domain Controller Key Distribu3on Center (KDC) Authen3ca3on Service (AS) Ticket Gran3ng Service (TGS) AuthenRsierung (1) Benutzer-Ticket TGT (3) Client-PC Ticket-Cache ST für Anwendungsserver mit TGT prüfen (6) Anforderung Service Ticket ST mit TGT (5) Domänenanmeldung User Password TGT (4) ST (7) DB Server Prüfung des ST (9) Tausch eines gemein- samen Schlüssels
• 11. PKI authentication
  User / application (own private key) and database (own private key) both send a certificate request (user .csr, DB .csr) to the certification authority (CA) and receive their user/CA and DB/CA certificates; client and database then authenticate each other in the SSL handshake.
• 12. Enterprise User Security (EUS)
  Oracle Internet Directory: enterprise users (User, DBA) and enterprise roles (RoleEnterpriseUser, RoleEnterpriseDBA)
  Databases: global roles RoleUserGlobal1, RoleUserGlobal2, RoleDBAGlobal mapped to local roles RoleUserLocal1, RoleUserLocal2, Resource, DBA
• 13. AD integration with Oracle Unified Directory (OUD) & Kerberos
  Diagram: DB farm with OUD; database client (SQL*Plus, Java, etc.) authenticates via EUS; users, schema and roles are mapped; groups and OracleContext live in the directory.
  OUD proxy setup:
  •  Read-only AD user
  •  Read rights on the DB user entries in AD
  •  Oracle Context in the LDAP directory
  •  Software: OUD, WebLogic, ADF
  •  Also works with EUS
  [linux7 Oracle_OUD1]$ ./oud-proxy-setup
  [linux6]$ okinit testuser
  [linux7]$ oklist (Kerberos ticket)
• 14. Secure External Password Store (1)
$ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-12578: TNS:wallet open failed
Enter user-name:
• 15. Secure External Password Store (2)
0x00 - 0x4C Header:
  0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03        Type = SSO: 36; LSSO: 38
  0x04 - 0x06 00 00 00
  0x07        Version (10g: 05; 11g: 06)
  0x08 - 0x0A 00 00 00
  0x0B - 0x0C 11g: always the same (41 35)
  0x0D - 0x1C DES key
  0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF  PKCS#12 data (ASN.1 block)

$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
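An added Python example (not the talk's ssoDecrypt.sh) that reads only the header fields laid out above from a cwallet.sso, so an inventory script can tell SSO from the host-bound LSSO form and 10g from 11g wallets without touching the key or secret bytes; the sample bytes are constructed, and the field names in the result are this example's own.

```python
"""Inspect the header of an Oracle auto-login wallet (cwallet.sso) using the byte
layout from the slide above. Added example, not the talk's ssoDecrypt.sh: it reports
only type and version and never touches the key or secret bytes. The sample file
content is constructed, not a real wallet."""

MAGIC = b"\xa1\xf8\x4e"          # first three bytes of every SSO wallet
TYPES = {0x36: "SSO (auto-login, usable from any host)",
         0x38: "LSSO (local auto-login, bound to the creating host)"}
VERSIONS = {0x05: "10g", 0x06: "11g"}
HEADER_LEN = 0x4D                # PKCS#12 (ASN.1) data starts at this offset

def parse_sso_header(data):
    """Describe the header; raise ValueError if the bytes are not an SSO wallet."""
    if len(data) <= HEADER_LEN:
        raise ValueError("file shorter than the SSO header plus PKCS#12 data")
    if data[:3] != MAGIC:
        raise ValueError("signature A1 F8 4E not found: not an SSO wallet")
    if data[0x04:0x07] != b"\x00\x00\x00" or data[0x08:0x0B] != b"\x00\x00\x00":
        raise ValueError("unexpected non-zero bytes in the header padding")
    wtype, version = data[0x03], data[0x07]
    return {
        "type": TYPES.get(wtype, f"unknown (0x{wtype:02X})"),
        "local_only": wtype == 0x38,
        "version": VERSIONS.get(version, f"unknown (0x{version:02X})"),
        "marker_11g": data[0x0B:0x0D] == b"\x41\x35",
        # 0x0D-0x1C holds the DES key and 0x1D-0x4C the DES secret; only sizes are reported
        "key_bytes": 0x1D - 0x0D,
        "secret_bytes": HEADER_LEN - 0x1D,
        # a PKCS#12 PFX is a DER SEQUENCE, so the first data byte should be 0x30
        "pkcs12_asn1": data[HEADER_LEN] == 0x30,
    }

def build_sample(wtype=0x36, version=0x06):
    """Construct a minimal header plus the start of a DER SEQUENCE (test input only)."""
    header = (MAGIC + bytes([wtype]) + b"\x00\x00\x00" + bytes([version])
              + b"\x00\x00\x00" + b"\x41\x35")
    header += b"\x11" * 16 + b"\x22" * 48     # dummy key and secret slots
    assert len(header) == HEADER_LEN
    return header + b"\x30\x82\x01\x00"       # constructed ASN.1 prefix
```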
• 16. Separation of schema owner and access users
  Diagram: application, application schema, and separate DB users 1, 2, 3, ..., n
• 17. Cost-benefit analysis
  Columns: requirement | legacy wallets | AD Kerberos | SSL PKI | EUS (marks as on the slide: ✔, ✖, ★)
  •  Password protected against being read out: ★ ✔ ✔
  •  Less admin effort for password changes: ✖ ✔ ✔
  •  Better traceability of changes: ✖ ✔ ✔
  •  Individual user IDs: ✖ ✔ ✔
  •  Central user management & password policies: ✔
  •  Central role management: ✔
  •  Solution suitable for all kinds of access: ★ ★
  •  CA required: ✔
  •  Kerberos roll-out required: ✔
  •  Wallets can still be used: ★ ✔
  •  Directory licence costs incurred
• 18. Kerberos: SPN user account in AD
• 19. Kerberos Key Table
PS C:\Users\Administrator> ktpass.exe -princ oracle/ioaotow01.tested.lcl@TESTED.LCL -mapuser ioaotow01 -crypto RC4-HMAC-NT -pass XXX -out c:\ioaotow-hmac2.keytab -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: test-dchh01.tested.lcl
Successfully mapped oracle/ioaotow01.tested.lcl to ioaotow01.
Password successfully set!
Key created.
Output keytab to c:\ioaotow-hmac2.keytab:
Keytab version: 0x502
keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xbd54ec4ab1feb299c0969b67f1d9deb8)

[oracle@ioaotow01 TESTDB-KERB5]$ oklist -k ioaotow01.keytab
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 13-JAN-2016 15:11:59
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Service Key Table: ioaotow01.keytab
Ver  Timestamp             Principal
4    01-Jan-1970 01:00:00  oracle/ioaotow01.tested.lcl@TESTED.LCL
• 20. Database Kerberos configuration
krb5.conf
dns_lookup_realm = false
[domain_realm]
.tested.lcl = TESTED.LCL
tested.lcl = TESTED.LCL

sqlnet.ora
General settings
NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
Kerberos settings
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_KEYTAB=/oracle/product/12.1.0/dbhome_1/network/admin/ioaotow01.keytab
SQLNET.KERBEROS5_CC_NAME=/oracle/diag/krb/cc/krb5cc_99
• 21. Kerberos user login
SQL> create user USER01 identified externally as 'USER01@TESTED.LCL';
User created.
SQL> grant connect to user01;
[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:

[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting        Expires               Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/ioaotow01@TESTED.LCL
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/ioaotow01.tested.lcl@TESTED.LCL

[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "USER01@TESTED.LCL"
• 22. Kerberos database login from a Windows PC
• 23. Kerberos & Database 12c
  •  Newly written stack
  •  RC4-HMAC-NT / W2012 Server
  •  ORA-12638: Credential retrieval failed
     –  SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
  •  Bugs....
  Reading list:
  Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
  Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
  Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
  Doc ID 185897.1: Kerberos Troubleshooting Guide
  Master Note For Kerberos Authentication (Doc ID 1375853.1)
  WNA-Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
  How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
  Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
  Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
  Laurent Schneider: The long long route to Kerberos
  Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
  Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
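Two of the pitfalls in this list, the tabs in the krb5.conf domain-to-realm mapping (Doc ID 182979.1) and the RC4-HMAC keytab that the ktpass call on the key-table slide produces (Doc ID 1958479.1), can be caught before the first ORA-12638. The following Python checker is an added example, not code from the talk; the krb5.conf and ktpass sample inputs are constructed from the values on the slides, and the RC4/DES/AES encryption-type numbers come from the Kerberos RFCs.

```python
"""Check a krb5.conf and a ktpass/oklist listing for two pitfalls from the reading
list above: tabs around '=' in [domain_realm] (Doc ID 182979.1) and an RC4-HMAC
keytab with 12c (Doc ID 1958479.1). Added example, not code from the talk; both
sample inputs are constructed from values shown on the slides."""
import re

# Constructed krb5.conf: the last mapping line uses tabs instead of spaces.
KRB5_CONF = ("[libdefaults]\n"
             " default_realm = TESTED.LCL\n"
             " dns_lookup_realm = false\n"
             "[domain_realm]\n"
             " .tested.lcl = TESTED.LCL\n"
             " tested.lcl\t=\tTESTED.LCL\n")
# Constructed copy of the ktpass.exe summary line; the key bytes are a placeholder.
KTPASS_OUT = ("keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) "
              "vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xPLACEHOLDER)")
# Kerberos encryption-type numbers (RFC 3961/3962/4757); RC4 and DES are the ones to retire.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC"}
AES_ETYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}

def find_tab_assignments(conf_text):
    """Return (line number, stripped line) for [domain_realm] mappings that contain a tab."""
    hits, section = [], None
    for number, line in enumerate(conf_text.splitlines(), 1):
        header = re.match(r"\s*\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line and "\t" in line:
            hits.append((number, line.strip()))
    return hits

def normalise_tabs(conf_text):
    """Replace every tab with a space so the Oracle client can parse the mapping."""
    return conf_text.replace("\t", " ")

def keytab_etypes(listing):
    """Map each 'etype 0x..' in ktpass/klist output to its name and whether it is weak."""
    result = {}
    for hexval in re.findall(r"etype 0x([0-9a-fA-F]+)", listing):
        etype = int(hexval, 16)
        name = WEAK_ETYPES.get(etype) or AES_ETYPES.get(etype) or f"etype {etype}"
        result[etype] = {"name": name, "weak": etype in WEAK_ETYPES}
    return result
```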
• 24. PKI: certificates and wallets
  Database server:
  1.  Create an empty wallet
  2.  Generate a key and a certificate request
  3.  Have the request signed by the CA (e.g. CN=db12c)
  4.  Import the CA certificate (CN=myCA)
  5.  Import the signed certificate
  Client:
  1.  Create an empty wallet
  2.  Generate a key and a certificate request
  3.  Have the request signed by the CA (e.g. CN=jans)
  4.  Import the CA certificate (CN=myCA)
  5.  Import the signed certificate
• 25. PKI: server wallet
$ mkdir $ORACLE_BASE/admin/loopds/pki
$ orapki wallet create -wallet $ORACLE_BASE/admin/loopds/pki -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -request ~/db12c.csr
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert db12c.pem -user_cert -pwd XXX
• 26. PKI: client wallet
$ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/client -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -request ~/jans.csr
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert jans.pem -user_cert -pwd XXX
• 27. Display wallet
[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=LOOPDS
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: CN=LBO Root Certificate II,OU=LoopCA,O= Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject: OU=Secure Server Certification Authority,O=RSA Data Security, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
• 28. PKI: listener configuration
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484))
    )
  )
• 29. PKI: TNS configuration
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
• 30. Login with user/password over SSL
$ sqlplus user/pwd@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
------------------------------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
------------------------------------------------------------------------
PASSWORD
• 31. PKI: login with certificate
SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;
$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
• 32. PKI: JDBC
  •  SSL can also be used via JDBC
  •  Integration also possible via keytool
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// TCPS endpoint on the listener's SSL port (2484 in the listener configuration above)
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// trust store: the PKCS#12 file of the client wallet, used to verify the server certificate
props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);
http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
How to configure Oracle SQLDeveloper to use a SSL connection that was configured as per Note 401251.1
• 33. PKI: ODBC
  Use the Oracle ODBC driver: Oracle Data Access Components (ODAC)
• 34. Be a Certificate Authority (CA)
  •  AD Certificate Services
  •  Commercial products
     –  Also open source:
        •  EJBCA
        •  OpenXPKI
  •  All steps are implemented in OpenSSL
     –  Not to be confused with self-signed certificates
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem -infiles Reqs/$1.req
• 35. Windows AD CA with autoenrollment
• 36. Certificate chaining for a sub-CA
• 37. Jan Schreiber, Loopback.ORG GmbH, Hamburg
  database intelligence | operations excellence | bi solutions
  jans@loopback.org
  blogs.loopback.org
  Thank you for your attention!