SlideShare a Scribd company logo

Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (DOAG TECH 17 edition)

Download as PPTX, PDF
A
Andrejs Prokopjevs

This presentation is about how System Administrators and/or Oracle Apps DBAs can improve and meet user authentication security standards in Oracle E-Business Suite by using Oracle Access Manager integration and it's password policy management. We will talk about: - Current Oracle E-Business Suite password security limitations. - Implementation of password policy management in Oracle Access Manager releases. Comparing the capabilities and why you should upgrade your OAM to the latest 11gR2. - A use case example of most common configuration. - Demo.

Technology
1 of 51
Password Policies in Oracle Access Manager How to improve user authentication security for your Oracle E-Business Suite. ANDREJS PROKOPJEVS Lead Applications Database Consultant
About me © 2017 Pythian 2 Apps DBA from Riga, Latvia. Speaking SQL since 2001. In Oracle world since 2004. “In love” with Oracle EBS since 2006. Andrejs Prokopjevs Lead Applications Database Consultant At Pythian since 2011 @aprokopjevs prokopjevs@pythian.com https://www.pythian.com/blog/author/prokopjevs/
ABOUT PYTHIAN Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete © 2017 Pythian 3
TECHNICAL EXPERTISE © 2017 Pythian 4 Infrastructure: Transforming and managing the IT infrastructure that supports the business DevOps: Providing critical velocity in software deployment by adopting DevOps practices Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth Databases: Ensuring databases are reliable, secure, available and continuously optimized Big Data: Harnessing the transformative power of data on a massive scale Advanced Analytics: Mining data for insights & business transformation using data science
Systems currently managed by Pythian EXPERIENCED Pythian experts in 35 countries GLOBAL Millennia of experience gathered and shared over 19 years EXPERTS 11,800 2400 © 2017 Pythian 5
Agenda • Why this is important? • Password policy limitations in Oracle E-Business Suite. • Implementation of password policy management in OAM. Why 11gR2. • An example of most common configuration. • Demo. © 2017 Pythian 6
Why this is important? © 2017 Pythian 7
Why this is important? • #1 - We now live in the “cloud” era. • Less people / organizations are storing their sensitive data in the isolated local segment. • Cloud services (SaaS / PaaS) • And the shift is still only at the beginning point. © 2017 Pythian 8
Why this is important? • #2 – Today’s Hardware capacity. • With modern CPU chip power it takes “seconds” to break your weak password. • Standard dictionary word password: hours / days / weeks online, seconds offline. • At least 10 characters with special characters: centuries online, years offline. • Any idea how these statistics will change in next 5-10 years? © 2017 Pythian 9
Why this is important? • #3 – Social Engineering. • One of the most dreadful security concerns today. © 2017 Pythian 10
Why this is important? • Few examples: • August 2014 – iCloud famous 10+ celebrity photo leak. • May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012. • August 2016 - 68 million Dropbox logins and password hashes leaked in 2012. • September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014. • October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen data stretched back over the last 20 years. © 2017 Pythian 11
Few guidelines… as a starter • #1 – Your password is the first line of defense. It is in your power to make it stronger. • #2 – Today’s must-have – Two-Factor Authentication. New trend – Multi-Factor Authentication. • #3 – Master rule – everything that is shared online must be considered as “public”, disregards of the “privacy rules” set. © 2017 Pythian 12
Oracle E-Business Suite © 2017 Pythian 13
So what’s about Oracle E-Business Suite? • Is it somehow different? • No, Username / Password is the same first line of defense. • Non-vulnerable product? • ~10-20 quarterly released security fixes via CPU patch release. • “Isolated in my local network” doesn’t mean you are not vulnerable. • VPN / Work From Home / Bring Your Own Device is a risk. • Internal threat. • We are doing bi-yearly security awareness training. • That’s great. But it’s not a 100% guarantee, is it? • Enforcing password policies in your organization is something that could make that guarantee much stronger. © 2017 Pythian 14
Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. © 2017 Pythian 15
Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. • Signon Password Case (SIGNON_PASSWORD_CASE). ▪ Case sensitivity for passwords. • Signon Password Custom (SIGNON_PASSWORD_CUSTOM). ▪ Custom java class which enables the use of custom, client specific, password policy. • Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT). ▪ Max number of unsuccessful login attempts before the lockout. • Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS). ▪ Enables password requirements: 1) at least one letter and at least one number 2) doesn’t contain username 3) doesn’t contain repeating characters. • Signon Password Length (SIGNON_PASSWORD_LENGTH). ▪ Minimum length of a password. • Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE). ▪ Number of days before reusing an earlier used password. • With some cosmetical changes this hasn’t changed since 11i (10+ years). © 2017 Pythian 16
Standard password policy in Oracle E-Business Suite • Security User Define form (FNDSCAUS). • Password expiration. ▪ Days – password lifetime. ▪ Accesses – how many times ▪ None – no expiration. • Password expiration is handled on a user level. There is no centralized control !!! © 2017 Pythian 17
Does it look like a modern password policy of year 2017? • Not really.  • But we have “Signon Password Custom” available. • Custom Java class. • Loaded to the database. ▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java • Do I need to learn Java now and support this custom class? • Do I need to code all these rules myself? © 2017 Pythian 18 package oracle.apps.fnd.security; ... if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) { return true; } else { return false; }
Does it look like a modern password policy of year 2016? © 2017 Pythian 19
Standard password policy in Oracle E-Business Suite • Non-reversable hash support for passwords. • R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID 457166.1) ▪ Patch 21276707 - R12.1.x / R12.2.3+ ▪ SHA-1 is deprecated ! ▪ Patch 25430466: FND SECURITY RUP MAR-2017 © 2017 Pythian 20
Oracle Access Manager © 2017 Pythian 21
History of the Password Policy implementation • Oracle Single Sign-On 10g • Password policy is controlled by Oracle Internet Directory standard password policies. • SSO and OIDDAS pages support the UI. • Full password lifecycle is managed, with some limitations. • Full user management suite. © 2017 Pythian 22
History of the Password Policy implementation • Oracle Access Manager 10g • Bound to own Identity Server only with full user management suite. • Full password lifecycle is managed. • Based on Oblix schema object classes and attributes. • LDAP directory own policies should be same or weaker, or even just disabled. • “validate_password” - only standard authentication plugin that supports the built-in password policy management. • 0 successful production implementations seen in the practice. Mostly because of the customization requirements (multi domain and multi user sub-tree support, non-Oblix schema attribute requirement, and more). • Usually replaced with an external User Management system directly managing the LDAP directory. © 2017 Pythian 23
History of the Password Policy implementation • Oracle Access Manager 11g Release 1 • Independed Oracle Access Manager is finally here. • You can use most of the LDAP v3 compliant directories. No dependency on schema and attributes. • But... Password policy support is removed.  • You can use LDAP directory own policies, but for OAM it is an LDAP error, which just ends with a system error. • Only Oracle Identity Manager (OIM) integration with OAM provides the full user management suite, desired password policy implementation and UI support for full password lifecycle. • $$$  © 2017 Pythian 24
History of the Password Policy implementation • Oracle Access Manager 11g Release 2 • Same old independed OAM 11g, overall. • But on steroids (integrated federation, mobile and social, and many more). • Basic password policy support is back and free.  • LDAP directory own policies should be same or weaker, or disabled. • Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more advanced” policy implementation with UI support for full password lifecycle, self services, and full user management suite. • $$$ … nothing changed © 2017 Pythian 25
OAM 11gR2 native password policy – what it is? • Most of the current modern rules are there. • Expiration and Lockout support. • Provides the “UserPasswordPolicyPlugin” authentication plugin that can be used with various combinations of authentication workflow. © 2017 Pythian 26
OAM 11gR2 native password policy – what it is? • It is still based on OAM 10g Oblix schema object classes and attributes. • But mandatory are only related to password management. ▪ obPasswordCreationDate ▪ obPasswordHistory ▪ obPasswordChangeFlag ▪ obuseraccountcontrol ▪ obpasswordexpirydate ▪ obLockoutTime ▪ obLoginTrvCount ▪ oblastsuccessfullogin ▪ oblastfailedlogin • For user data reference – you have a choice. Usable for OAM 10g upgrade scenarios. • It is not mandatory to pre-assign Oblix object classes to your existing user entries. • IMPORTANT: User Identity Store configured Bind DN user must have required ACI permissions to adjust these attributes !!! © 2017 Pythian 27
OAM 11gR2 native password policy – what it is NOT? • It is NOT a complete password lifecycle management tool. • Self service is missing: password change on-demand, forgot your password. • Standard UI pages requires valid OAM authentication request id. • Direct access just ends with a system error. • Customizations is a solution. • Login page customization is supported by both ECC and DCC. • Password Policy page customization is supported only by DCC. ▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD SERVICE PAGES ▪ Was targeted for release 11.1.2.3.0, but it’s not there yet. • Or implement OIM. $$$  © 2017 Pythian 28
More advantages of Oracle Access Manager • Windows Native Authentication • Kerberos / RADIUS • Certificates • Social (Google, Facebook, more) • Multi-Factor authentication support. • RSA (same RADIUS) • OTP – Oracle Mobile Authenticator. • Update: Officially Google Authenticator compliant. © 2017 Pythian 29 Sorry Windows Mobile users…
Licensing • Oracle Access Manager is separately licensed. • Oracle E-Business Suite implementation requires an Oracle Internet Directory (Oracle Unified Directory supported from R12.2.5 only) – again licensed separately. • Standard pack: ▪ Oracle Directory Services Plus. ▪ Oracle Access Manager. ▪ Both are covered with Oracle Identity and Access Management Suite Plus license pack. • Also includes Oracle Identity Manager. ▪ Database separate license is not required if used only for Metadata Repository data. • “Extra” features of OAM requires an additional licensing. ▪ Like Mobile and Social for OTP. © 2017 Pythian 30
Example of most common configuration © 2017 Pythian 31
Configuring the password policy • OAM Console • Application Security – Password Policy • Full reference: • Administrator's Guide for Oracle Access Management © 2017 Pythian 32 24.3.1 Password Policy Configuration Page https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-7850A074- 9EE3-45EE-9150-5DD96B9D13CD.htm#GUID-200E3E90-21CC- 439C-BF4E-0468CA455148__BABDBBHE
Configuring the password policy • OAM Console • Application Security – Password Policy • Console is doing it’s own math. If something is not inline, there will be a warning. • Example: If we put value 1 into both Minimum Uppercase and Lowercase Characters fields then Minimum Alphabetic Characters value is expected to be the sum of above. © 2017 Pythian 33
User Identity Store • OAM Console • Configuration – User Identity Stores • Password Management feature must be enabled. • “Use Oblix User Schema” - if we use full Oblix schema for everything. • If disabled, only password lifecycle attributes are in use. • Other 4 parameters are needed to point the correct attributes to be used with “Can Include X” policies. © 2017 Pythian 34
User Identity Store • OAM Console • Configuration – User Identity Stores • Do not forget about the mandatory Oblix attributes in use ! • “Bind DN” LDAP user should have WRITE permissions to manage these attributes. • Also to add the required object classes to the user entry if found missing. • Do not use a super user account like I do here  © 2017 Pythian 35
User Identity Store • ACI grant example (Oracle Unified Directory) © 2017 Pythian 36 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount || oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user attribute level aci write example"; allow (write) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) EOF
User Identity Store • Reminder about LDAP directory own password policy. • Policy should be set the same or weaker. • Or just completely disabled. © 2017 Pythian 37
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Let us create new module with name “LDAP_EBS_with_password_policy”. © 2017 Pythian 38
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • 3 steps to be configured: • User Identification Step • User Authentication Step • User Password Status Step ▪ The one that triggers the policy. © 2017 Pythian 39
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Identification Step ▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME}) ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) ▪ KEY_SEARCH_BASE_URL: leave empty for plugin to use default Identity store’s User Search Base DN. © 2017 Pythian 40
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Authentication Step ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) ▪ KEY_PROP_AUTHN_EXCEPTION: enables the propagation of LDAP errors. Must be TRUE if password policy plugin is used in the chain. ▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL parameters are not yet documented. © 2017 Pythian 41
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ PLUGIN_EXECUTION_MODE: this plugin can be used as a replacement for User Authentication Plugin too, but we are going to set it as PSWDONLY for a separate 3rd step. ▪ OBJECTCLASS_EXTENSION_SUPPORTED: must be set to TRUE in order to automatically adjust affected user entries with Oblix object classes. ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) © 2017 Pythian 42
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ URL_ACTION: redirection behavior between the pages, default REDIRECT_POST. ▪ NEW_USERPSWD_BEHAVIOR: action for new user entry not covered by the policy, and we will enable it via FORCEPASSWORDCHANGE. • Actually should be FORCECHANGEPASSWORD. Documentation bug. • Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password Changes for Existing Passwords Not Working (Doc ID 1563172.1) ▪ POLICY_SCHEMA: just OAM10G, as everything is based on Oblix schema standards. ▪ CHALLENGES_SUPPORTED: this parameter is not yet documented, default FALSE. ▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE. © 2017 Pythian 43
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Full parameter reference • Administrator's Guide for Oracle Access Management © 2017 Pythian 44 Table 24-8 User Password Step Details https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ
Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Workflow © 2017 Pythian 45
Configure EBS to use the new Authentication Module • OAM Console • Application Security – Access Manager – Authentication Schemes • Expecting that EBS is already integrated. • Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1) • EBSAuthScheme • Authentication Module: LDAP_EBS_with_password_policy • Challenge Parameters: OverrideRetryLimit=0 © 2017 Pythian 46
Testing • Did I forget something important to mention? • Hint: © 2017 Pythian 47 <LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute oblastsuccessfullogin which is not allowed by any of the objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'
LDAP directory schema extension • We forgot Oblix schema extension. • Reference: • Administrator's Guide for Oracle Access Management • OUD example: ▪ Object classes: oblixPersonPwdPolicy and oblixorgperson ▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol, obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin © 2017 Pythian 48 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd -f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA- 2A69CDEA50FB__CFFEJEEE
Summary • Even latest R12.2.7 is not meeting today’s modern password policy standards out- of-the-box. We can code a custom java class, but that requires Java skills, courage, luck, and good release management process. • Oracle Access Manager is the only certified SSO solution for EBS. It has the support of today’s standards, but costs additional resources, is a separate component, and is separately licensed. • 11gR2 upgrade is highly recommended. Provides support for other more secure authentication methods, like Multi-Factor Authentication. • Password policy setup is well documented and quite straightforward. • Except few nuances noted.  © 2017 Pythian 49
Demo © 2017 Pythian 50
THANK YOU Q & A © 2017 Pythian 51

Recommended

Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Andrejs Prokopjevs
 
Practical learnings from running thousands of Flink jobs
Practical learnings from running thousands of Flink jobsPractical learnings from running thousands of Flink jobs
Practical learnings from running thousands of Flink jobsFlink Forward
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudMarkus Michalewicz
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Michael Brown
 
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and AdministerOracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and AdministerAndrejs Karpovs
 
Oracle Active Data Guard: Best Practices and New Features Deep Dive
Oracle Active Data Guard: Best Practices and New Features Deep Dive Oracle Active Data Guard: Best Practices and New Features Deep Dive
Oracle Active Data Guard: Best Practices and New Features Deep Dive Glen Hawkins
 
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACOracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACMarkus Michalewicz
 

Recommended

Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...
Optimize DR and Cloning with Logical Hostnames in Oracle E-Business Suite (OA...Andrejs Prokopjevs
 
Practical learnings from running thousands of Flink jobs
Practical learnings from running thousands of Flink jobsPractical learnings from running thousands of Flink jobs
Practical learnings from running thousands of Flink jobsFlink Forward
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudMarkus Michalewicz
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Andrejs Prokopjevs
 
Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Michael Brown
 
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and AdministerOracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and Administer
Oracle E-Business Suite R12.2.6 on Database 12c: Install, Patch and AdministerAndrejs Karpovs
 
Oracle Active Data Guard: Best Practices and New Features Deep Dive
Oracle Active Data Guard: Best Practices and New Features Deep Dive Oracle Active Data Guard: Best Practices and New Features Deep Dive
Oracle Active Data Guard: Best Practices and New Features Deep Dive Glen Hawkins
 
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACOracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACMarkus Michalewicz
 
Oracle RAC 12c Overview
Oracle RAC 12c OverviewOracle RAC 12c Overview
Oracle RAC 12c OverviewMarkus Michalewicz
 
Running E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceRunning E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceMaris Elsins
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACMarkus Michalewicz
 
Exadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdfExadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdfKoko842772
 
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...vasuballa
 
Oracle Database Appliance Workshop
Oracle Database Appliance WorkshopOracle Database Appliance Workshop
Oracle Database Appliance WorkshopMarketingArrowECS_CZ
 
Oracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An OverviewOracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An OverviewMarkus Michalewicz
 
Oracle GoldenGate on Docker
Oracle GoldenGate on DockerOracle GoldenGate on Docker
Oracle GoldenGate on DockerBobby Curtis
 
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsOracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsAnil Nair
 
Oracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High AvailabilityOracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High AvailabilityMarkus Michalewicz
 
Understanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 InternalsUnderstanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 InternalsMarkus Michalewicz
 
Oracle ASM Training
Oracle ASM TrainingOracle ASM Training
Oracle ASM TrainingVigilant Technologies
 
Rman Presentation
Rman PresentationRman Presentation
Rman PresentationRick van Ek
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle ArchitectureNeeraj Singh
 
Oracle R12 EBS Performance Tuning
Oracle R12 EBS Performance TuningOracle R12 EBS Performance Tuning
Oracle R12 EBS Performance TuningScott Jenner
 
Oracle Database performance tuning using oratop
Oracle Database performance tuning using oratopOracle Database performance tuning using oratop
Oracle Database performance tuning using oratopSandesh Rao
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on ExadataAnil Nair
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)PingCAP
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationFrederic Descamps
 
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONMarkus Michalewicz
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 

More Related Content

What's hot

Running E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceRunning E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceMaris Elsins
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACMarkus Michalewicz
 
Exadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdfExadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdfKoko842772
 
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...vasuballa
 
Oracle Database Appliance Workshop
Oracle Database Appliance WorkshopOracle Database Appliance Workshop
Oracle Database Appliance WorkshopMarketingArrowECS_CZ
 
Oracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An OverviewOracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An OverviewMarkus Michalewicz
 
Oracle GoldenGate on Docker
Oracle GoldenGate on DockerOracle GoldenGate on Docker
Oracle GoldenGate on DockerBobby Curtis
 
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsOracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsAnil Nair
 
Oracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High AvailabilityOracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High AvailabilityMarkus Michalewicz
 
Understanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 InternalsUnderstanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 InternalsMarkus Michalewicz
 
Rman Presentation
Rman PresentationRman Presentation
Rman PresentationRick van Ek
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle ArchitectureNeeraj Singh
 
Oracle R12 EBS Performance Tuning
Oracle R12 EBS Performance TuningOracle R12 EBS Performance Tuning
Oracle R12 EBS Performance TuningScott Jenner
 
Oracle Database performance tuning using oratop
Oracle Database performance tuning using oratopOracle Database performance tuning using oratop
Oracle Database performance tuning using oratopSandesh Rao
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on ExadataAnil Nair
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)PingCAP
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationFrederic Descamps
 
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONMarkus Michalewicz
 

What's hot (20)

Oracle RAC 12c Overview
Oracle RAC 12c OverviewOracle RAC 12c Overview
Oracle RAC 12c Overview
 
Running E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database ApplianceRunning E-Business Suite Database on Oracle Database Appliance
Running E-Business Suite Database on Oracle Database Appliance
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
 
Exadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdfExadata_X10M-Hardware-Overview.pdf
Exadata_X10M-Hardware-Overview.pdf
 
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
OOW16 - Oracle Enterprise Manager 13c Cloud Control for Managing Oracle E-Bus...
 
Oracle Database Appliance Workshop
Oracle Database Appliance WorkshopOracle Database Appliance Workshop
Oracle Database Appliance Workshop
 
Oracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An OverviewOracle MAA (Maximum Availability Architecture) 18c - An Overview
Oracle MAA (Maximum Availability Architecture) 18c - An Overview
 
Oracle GoldenGate on Docker
Oracle GoldenGate on DockerOracle GoldenGate on Docker
Oracle GoldenGate on Docker
 
Oracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret InternalsOracle RAC 19c: Best Practices and Secret Internals
Oracle RAC 19c: Best Practices and Secret Internals
 
Oracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High AvailabilityOracle Cloud is Best for Oracle Database - High Availability
Oracle Cloud is Best for Oracle Database - High Availability
 
Understanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 InternalsUnderstanding Oracle RAC 11g Release 2 Internals
Understanding Oracle RAC 11g Release 2 Internals
 
Oracle ASM Training
Oracle ASM TrainingOracle ASM Training
Oracle ASM Training
 
Rman Presentation
Rman PresentationRman Presentation
Rman Presentation
 
Oracle Architecture
Oracle ArchitectureOracle Architecture
Oracle Architecture
 
Oracle R12 EBS Performance Tuning
Oracle R12 EBS Performance TuningOracle R12 EBS Performance Tuning
Oracle R12 EBS Performance Tuning
 
Oracle Database performance tuning using oratop
Oracle Database performance tuning using oratopOracle Database performance tuning using oratop
Oracle Database performance tuning using oratop
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on Exadata
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)
 
MySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group ReplicationMySQL InnoDB Cluster - Group Replication
MySQL InnoDB Cluster - Group Replication
 
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
 

Similar to Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (DOAG TECH 17 edition)

Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Yuriy Chapran - Building microservices.
Yuriy Chapran - Building microservices.Yuriy Chapran - Building microservices.
Yuriy Chapran - Building microservices.Yuriy Chapran
 
Pl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityPl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityGeorgi Kodinov
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 
Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0D.Rajesh Kumar
 
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.Cloud Native Day Tel Aviv
 
Enabling digital transformation with MySQL
Enabling digital transformation with MySQLEnabling digital transformation with MySQL
Enabling digital transformation with MySQLMySQL Brasil
 
BGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQLBGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQLGeorgi Kodinov
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldMaria Colgan
 
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamMySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamOlivier DASINI
 
How Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EEHow Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EENick Mader
 
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedHoward Greenberg
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyPythian
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudWerner Keil
 
Netherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 - MySQL ClusterNetherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 - MySQL ClusterMark Swarbrick
 

Similar to Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (DOAG TECH 17 edition) (20)

Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Yuriy Chapran - Building microservices.
Yuriy Chapran - Building microservices.Yuriy Chapran - Building microservices.
Yuriy Chapran - Building microservices.
 
Pl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityPl17: MySQL 8.0: security
Pl17: MySQL 8.0: security
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0Mule soft meetup_-_finland_september_25th__2020 v2.0
Mule soft meetup_-_finland_september_25th__2020 v2.0
 
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.
MySQL Shell: the daily tool for devs and admins. By Vittorio Cioe.
 
Enabling digital transformation with MySQL
Enabling digital transformation with MySQLEnabling digital transformation with MySQL
Enabling digital transformation with MySQL
 
BGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQLBGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQL
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQL
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous World
 
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamMySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
 
How Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EEHow Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EE
 
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
 
Hands-On with Oracle SOA Cloud Service
Hands-On with Oracle SOA Cloud ServiceHands-On with Oracle SOA Cloud Service
Hands-On with Oracle SOA Cloud Service
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the Cloud
 
Netherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 - MySQL ClusterNetherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 - MySQL Cluster
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (DOAG TECH 17 edition)

  • 1. Password Policies in Oracle Access Manager How to improve user authentication security for your Oracle E-Business Suite. ANDREJS PROKOPJEVS Lead Applications Database Consultant
  • 2. About me © 2017 Pythian 2 Apps DBA from Riga, Latvia. Speaking SQL since 2001. In Oracle world since 2004. “In love” with Oracle EBS since 2006. Andrejs Prokopjevs Lead Applications Database Consultant At Pythian since 2011 @aprokopjevs prokopjevs@pythian.com https://www.pythian.com/blog/author/prokopjevs/
  • 3. ABOUT PYTHIAN Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete © 2017 Pythian 3
  • 4. TECHNICAL EXPERTISE © 2017 Pythian 4 Infrastructure: Transforming and managing the IT infrastructure that supports the business DevOps: Providing critical velocity in software deployment by adopting DevOps practices Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth Databases: Ensuring databases are reliable, secure, available and continuously optimized Big Data: Harnessing the transformative power of data on a massive scale Advanced Analytics: Mining data for insights & business transformation using data science
  • 5. Systems currently managed by Pythian EXPERIENCED Pythian experts in 35 countries GLOBAL Millennia of experience gathered and shared over 19 years EXPERTS 11,800 2400 © 2017 Pythian 5
  • 6. Agenda • Why this is important? • Password policy limitations in Oracle E-Business Suite. • Implementation of password policy management in OAM. Why 11gR2. • An example of most common configuration. • Demo. © 2017 Pythian 6
  • 7. Why this is important? © 2017 Pythian 7
  • 8. Why this is important? • #1 - We now live in the “cloud” era. • Less people / organizations are storing their sensitive data in the isolated local segment. • Cloud services (SaaS / PaaS) • And the shift is still only at the beginning point. © 2017 Pythian 8
  • 9. Why this is important? • #2 – Today’s Hardware capacity. • With modern CPU chip power it takes “seconds” to break your weak password. • Standard dictionary word password: hours / days / weeks online, seconds offline. • At least 10 characters with special characters: centuries online, years offline. • Any idea how these statistics will change in next 5-10 years? © 2017 Pythian 9
  • 10. Why this is important? • #3 – Social Engineering. • One of the most dreadful security concerns today. © 2017 Pythian 10
  • 11. Why this is important? • Few examples: • August 2014 – iCloud famous 10+ celebrity photo leak. • May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012. • August 2016 - 68 million Dropbox logins and password hashes leaked in 2012. • September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014. • October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen data stretched back over the last 20 years. © 2017 Pythian 11
  • 12. Few guidelines… as a starter • #1 – Your password is the first line of defense. It is in your power to make it stronger. • #2 – Today’s must-have – Two-Factor Authentication. New trend – Multi-Factor Authentication. • #3 – Master rule – everything that is shared online must be considered as “public”, disregards of the “privacy rules” set. © 2017 Pythian 12
  • 13. Oracle E-Business Suite © 2017 Pythian 13
  • 14. So what’s about Oracle E-Business Suite? • Is it somehow different? • No, Username / Password is the same first line of defense. • Non-vulnerable product? • ~10-20 quarterly released security fixes via CPU patch release. • “Isolated in my local network” doesn’t mean you are not vulnerable. • VPN / Work From Home / Bring Your Own Device is a risk. • Internal threat. • We are doing bi-yearly security awareness training. • That’s great. But it’s not a 100% guarantee, is it? • Enforcing password policies in your organization is something that could make that guarantee much stronger. © 2017 Pythian 14
  • 15. Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. © 2017 Pythian 15
  • 16. Standard password policy in Oracle E-Business Suite • SIGNON_PASSWORD_% profile options. • Signon Password Case (SIGNON_PASSWORD_CASE). ▪ Case sensitivity for passwords. • Signon Password Custom (SIGNON_PASSWORD_CUSTOM). ▪ Custom java class which enables the use of custom, client specific, password policy. • Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT). ▪ Max number of unsuccessful login attempts before the lockout. • Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS). ▪ Enables password requirements: 1) at least one letter and at least one number 2) doesn’t contain username 3) doesn’t contain repeating characters. • Signon Password Length (SIGNON_PASSWORD_LENGTH). ▪ Minimum length of a password. • Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE). ▪ Number of days before reusing an earlier used password. • With some cosmetical changes this hasn’t changed since 11i (10+ years). © 2017 Pythian 16
  • 17. Standard password policy in Oracle E-Business Suite • Security User Define form (FNDSCAUS). • Password expiration. ▪ Days – password lifetime. ▪ Accesses – how many times ▪ None – no expiration. • Password expiration is handled on a user level. There is no centralized control !!! © 2017 Pythian 17
  • 18. Does it look like a modern password policy of year 2017? • Not really.  • But we have “Signon Password Custom” available. • Custom Java class. • Loaded to the database. ▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java • Do I need to learn Java now and support this custom class? • Do I need to code all these rules myself? © 2017 Pythian 18 package oracle.apps.fnd.security; ... if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) { return true; } else { return false; }
  • 19. Does it look like a modern password policy of year 2016? © 2017 Pythian 19
  • 20. Standard password policy in Oracle E-Business Suite • Non-reversable hash support for passwords. • R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID 457166.1) ▪ Patch 21276707 - R12.1.x / R12.2.3+ ▪ SHA-1 is deprecated ! ▪ Patch 25430466: FND SECURITY RUP MAR-2017 © 2017 Pythian 20
  • 21. Oracle Access Manager © 2017 Pythian 21
  • 22. History of the Password Policy implementation • Oracle Single Sign-On 10g • Password policy is controlled by Oracle Internet Directory standard password policies. • SSO and OIDDAS pages support the UI. • Full password lifecycle is managed, with some limitations. • Full user management suite. © 2017 Pythian 22
  • 23. History of the Password Policy implementation • Oracle Access Manager 10g • Bound to own Identity Server only with full user management suite. • Full password lifecycle is managed. • Based on Oblix schema object classes and attributes. • LDAP directory own policies should be same or weaker, or even just disabled. • “validate_password” - only standard authentication plugin that supports the built-in password policy management. • 0 successful production implementations seen in the practice. Mostly because of the customization requirements (multi domain and multi user sub-tree support, non-Oblix schema attribute requirement, and more). • Usually replaced with an external User Management system directly managing the LDAP directory. © 2017 Pythian 23
  • 24. History of the Password Policy implementation • Oracle Access Manager 11g Release 1 • Independed Oracle Access Manager is finally here. • You can use most of the LDAP v3 compliant directories. No dependency on schema and attributes. • But... Password policy support is removed.  • You can use LDAP directory own policies, but for OAM it is an LDAP error, which just ends with a system error. • Only Oracle Identity Manager (OIM) integration with OAM provides the full user management suite, desired password policy implementation and UI support for full password lifecycle. • $$$  © 2017 Pythian 24
  • 25. History of the Password Policy implementation • Oracle Access Manager 11g Release 2 • Same old independed OAM 11g, overall. • But on steroids (integrated federation, mobile and social, and many more). • Basic password policy support is back and free.  • LDAP directory own policies should be same or weaker, or disabled. • Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more advanced” policy implementation with UI support for full password lifecycle, self services, and full user management suite. • $$$ … nothing changed © 2017 Pythian 25
  • 26. OAM 11gR2 native password policy – what it is? • Most of the current modern rules are there. • Expiration and Lockout support. • Provides the “UserPasswordPolicyPlugin” authentication plugin that can be used with various combinations of authentication workflow. © 2017 Pythian 26
  • 27. OAM 11gR2 native password policy – what it is? • It is still based on OAM 10g Oblix schema object classes and attributes. • But mandatory are only related to password management. ▪ obPasswordCreationDate ▪ obPasswordHistory ▪ obPasswordChangeFlag ▪ obuseraccountcontrol ▪ obpasswordexpirydate ▪ obLockoutTime ▪ obLoginTrvCount ▪ oblastsuccessfullogin ▪ oblastfailedlogin • For user data reference – you have a choice. Usable for OAM 10g upgrade scenarios. • It is not mandatory to pre-assign Oblix object classes to your existing user entries. • IMPORTANT: User Identity Store configured Bind DN user must have required ACI permissions to adjust these attributes !!! © 2017 Pythian 27
  • 28. OAM 11gR2 native password policy – what it is NOT? • It is NOT a complete password lifecycle management tool. • Self service is missing: password change on-demand, forgot your password. • Standard UI pages requires valid OAM authentication request id. • Direct access just ends with a system error. • Customizations is a solution. • Login page customization is supported by both ECC and DCC. • Password Policy page customization is supported only by DCC. ▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD SERVICE PAGES ▪ Was targeted for release 11.1.2.3.0, but it’s not there yet. • Or implement OIM. $$$  © 2017 Pythian 28
  • 29. More advantages of Oracle Access Manager • Windows Native Authentication • Kerberos / RADIUS • Certificates • Social (Google, Facebook, more) • Multi-Factor authentication support. • RSA (same RADIUS) • OTP – Oracle Mobile Authenticator. • Update: Officially Google Authenticator compliant. © 2017 Pythian 29 Sorry Windows Mobile users…
  • 30. Licensing • Oracle Access Manager is separately licensed. • Oracle E-Business Suite implementation requires an Oracle Internet Directory (Oracle Unified Directory supported from R12.2.5 only) – again licensed separately. • Standard pack: ▪ Oracle Directory Services Plus. ▪ Oracle Access Manager. ▪ Both are covered with Oracle Identity and Access Management Suite Plus license pack. • Also includes Oracle Identity Manager. ▪ Database separate license is not required if used only for Metadata Repository data. • “Extra” features of OAM requires an additional licensing. ▪ Like Mobile and Social for OTP. © 2017 Pythian 30
  • 31. Example of most common configuration © 2017 Pythian 31
  • 32. Configuring the password policy • OAM Console • Application Security – Password Policy • Full reference: • Administrator's Guide for Oracle Access Management © 2017 Pythian 32 24.3.1 Password Policy Configuration Page https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-7850A074- 9EE3-45EE-9150-5DD96B9D13CD.htm#GUID-200E3E90-21CC- 439C-BF4E-0468CA455148__BABDBBHE
  • 33. Configuring the password policy • OAM Console • Application Security – Password Policy • Console is doing it’s own math. If something is not inline, there will be a warning. • Example: If we put value 1 into both Minimum Uppercase and Lowercase Characters fields then Minimum Alphabetic Characters value is expected to be the sum of above. © 2017 Pythian 33
  • 34. User Identity Store • OAM Console • Configuration – User Identity Stores • Password Management feature must be enabled. • “Use Oblix User Schema” - if we use full Oblix schema for everything. • If disabled, only password lifecycle attributes are in use. • Other 4 parameters are needed to point the correct attributes to be used with “Can Include X” policies. © 2017 Pythian 34
  • 35. User Identity Store • OAM Console • Configuration – User Identity Stores • Do not forget about the mandatory Oblix attributes in use ! • “Bind DN” LDAP user should have WRITE permissions to manage these attributes. • Also to add the required object classes to the user entry if found missing. • Do not use a super user account like I do here  © 2017 Pythian 35
  • 36. User Identity Store • ACI grant example (Oracle Unified Directory) © 2017 Pythian 36 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) - add: aci aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount || oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user attribute level aci write example"; allow (write) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";) EOF
  • 37. User Identity Store • Reminder about LDAP directory own password policy. • Policy should be set the same or weaker. • Or just completely disabled. © 2017 Pythian 37
  • 38. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Let us create new module with name “LDAP_EBS_with_password_policy”. © 2017 Pythian 38
  • 39. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • 3 steps to be configured: • User Identification Step • User Authentication Step • User Password Status Step ▪ The one that triggers the policy. © 2017 Pythian 39
  • 40. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Identification Step ▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME}) ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) ▪ KEY_SEARCH_BASE_URL: leave empty for plugin to use default Identity store’s User Search Base DN. © 2017 Pythian 40
  • 41. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Authentication Step ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) ▪ KEY_PROP_AUTHN_EXCEPTION: enables the propagation of LDAP errors. Must be TRUE if password policy plugin is used in the chain. ▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL parameters are not yet documented. © 2017 Pythian 41
  • 42. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ PLUGIN_EXECUTION_MODE: this plugin can be used as a replacement for User Authentication Plugin too, but we are going to set it as PSWDONLY for a separate 3rd step. ▪ OBJECTCLASS_EXTENSION_SUPPORTED: must be set to TRUE in order to automatically adjust affected user entries with Oblix object classes. ▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore) © 2017 Pythian 42
  • 43. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • User Password Status Step ▪ URL_ACTION: redirection behavior between the pages, default REDIRECT_POST. ▪ NEW_USERPSWD_BEHAVIOR: action for new user entry not covered by the policy, and we will enable it via FORCEPASSWORDCHANGE. • Actually should be FORCECHANGEPASSWORD. Documentation bug. • Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password Changes for Existing Passwords Not Working (Doc ID 1563172.1) ▪ POLICY_SCHEMA: just OAM10G, as everything is based on Oblix schema standards. ▪ CHALLENGES_SUPPORTED: this parameter is not yet documented, default FALSE. ▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE. © 2017 Pythian 43
  • 44. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Full parameter reference • Administrator's Guide for Oracle Access Management © 2017 Pythian 44 Table 24-8 User Password Step Details https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ
  • 45. Authentication module • OAM Console • Application Security – Plug-ins – Authentication Modules • Workflow © 2017 Pythian 45
  • 46. Configure EBS to use the new Authentication Module • OAM Console • Application Security – Access Manager – Authentication Schemes • Expecting that EBS is already integrated. • Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1) • EBSAuthScheme • Authentication Module: LDAP_EBS_with_password_policy • Challenge Parameters: OverrideRetryLimit=0 © 2017 Pythian 46
  • 47. Testing • Did I forget something important to mention? • Hint: © 2017 Pythian 47 <LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute oblastsuccessfullogin which is not allowed by any of the objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'
  • 48. LDAP directory schema extension • We forgot Oblix schema extension. • Reference: • Administrator's Guide for Oracle Access Management • OUD example: ▪ Object classes: oblixPersonPwdPolicy and oblixorgperson ▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol, obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin © 2017 Pythian 48 ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd -f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA- 2A69CDEA50FB__CFFEJEEE
  • 49. Summary • Even latest R12.2.7 is not meeting today’s modern password policy standards out- of-the-box. We can code a custom java class, but that requires Java skills, courage, luck, and good release management process. • Oracle Access Manager is the only certified SSO solution for EBS. It has the support of today’s standards, but costs additional resources, is a separate component, and is separately licensed. • 11gR2 upgrade is highly recommended. Provides support for other more secure authentication methods, like Multi-Factor Authentication. • Password policy setup is well documented and quite straightforward. • Except few nuances noted.  © 2017 Pythian 49
  • 51. THANK YOU Q & A © 2017 Pythian 51