TechEvent EUS, Kerberos, SSL and OUD
1. BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENF
HAMBURG KOPENHAGEN LAUSANNE MÜNCHEN STUTTGART WIEN ZÜRICH
EUS, Kerberos, SSL and OUD
A Guideline
Stefan Oehrli
2. Trivadis – Our mission.
TechEvent - EUS, Kerberos, SSL and OUD2 14.09.2018
Trivadis makes IT easier:
We provide significant support for our customers in the smart use of data in the digital age.
We reduce complexity for our customers through outstanding technological expertise.
We take over key tasks in the existing and future IT of our customers.
3. Trivadis – What sets us apart.
We understand the business processes and economic challenges of our customers and support them through IT consulting and in the development of comprehensive IT solutions.
Our proven products, developed by Trivadis, are based on in-depth expertise in the
key technologies offered by Microsoft, Oracle and Open Source.
That sets us apart from the competition.
A selection of awards we have received
OPEN SOURCE
4. Trivadis – Our key figures
Founded in 1994
15 Trivadis locations with more than 650 employees
Sales of CHF 111 million (EUR 96 million)
Over 250 Service Level Agreements
More than 4000 training participants
Research and development budget: CHF 5.0 million
More than 1900 projects each year with over 800 customers
Financially independent and sustainably profitable
5. Stefan Oehrli
Solution Manager BDS SEC / Trivadis Partner
Working since 1997 in IT
Since 2008 with Trivadis AG
Since 2010 Discipline Manager SEC INFR
Since 2014 Solution Manager BDS Security
Skills
Backup & Recovery
Oracle Advanced Security
Oracle AVDF and DB Vault
Oracle Directory Services
Team / Project Management
Trainer O-SEC, O-BR,…
IT Experience
Database administration and database security solutions
Administration of complex, heterogeneous systems
IT / Database Team leader
Specialization
DB security and operation
Security concepts and their implementation
Security assessments
Oracle Backup & Recovery
Enterprise User Security and Oracle Unified Directory
8. The Example Inc.
Scott DBA
Bob User
Alice User
Larry Security Admin
username / password
Weak password verifier, e.g. 10g, 11g, 12c
Risk of weak or shared passwords
Decentralized administration
Poor usability (admin, user, ...)
Overvisibility
9. The Example Inc.
... as usual it just depends!
Different approaches for improving authentication and authorization are possible…
10. The Example Inc.
Scott DBA
Bob User
Alice User
Larry Security Admin
Single logon / Single Sign On
Centralized user management
Nice guy from HR
Oracle Directory
MS AD
IAM / IdM
11. Distinguishing characteristics
Authentication methods
– Password-based authentication, offering different authentication protocol versions
– OS authentication
– Strong authentication using Kerberos or RADIUS
– Certificate-based authentication using SSL and TCPS
– Special authentication such as administrators (SYSxxx) or proxy users
Just authentication, or also authorization (who versus what)
Centralized versus decentralized account management
– Manual distribution and maintenance of users and roles
– IdM-based distribution and maintenance of users and roles
– Centralized management of users and roles
13. Password authentication
Password authentication requires a verifier (hash) stored in USER$
– USER$.PASSWORD for the 10g hash (DES based)
– USER$.SPARE4 for the 11g and 12c hashes (SHA-1 and SHA-2 based respectively)
Old authentication protocols have serious security vulnerabilities
– CVE-2012-3137, MOS Note 1492721.1 and 1493990.1
Specifying the version of the logon process
– SQLNET.ALLOWED_LOGON_VERSION (deprecated)
– SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT
Strong password verifiers by default as of 12.2.0.1
– Default value changed to 12 (used to be 8)
– Earlier releases require critical patch update CPUOct2012 to use 12
14. Authentication protocols version
Logon Version | Password Version | Client Ability | Meaning for Clients | Server Exclusive Mode
12a | 12c | O7L_MR | Only Oracle DB 12c R1 (12.1.0.2 or later) clients can connect to the server | Yes, because it excludes the 10G and 11G password versions
12 | 11g, 12c | O5L_NP | Oracle DB 11g R2 (11.2.0.3 or later) clients can connect to the server; older clients need critical patch update CPUOct2012 or later to gain the O5L_NP ability | Yes, because it excludes the 10G password version
11 | 10g, 11g, 12c | O5L | Oracle 10g DB or newer clients can connect; clients using releases earlier than 11.2.0.3 that have not applied CPUOct2012 or later patches must use the 10G password version | No
10 | 10g, 11g, 12c | O5L | Oracle 10g DB or newer clients can connect | No
9 | 10g, 11g, 12c | O4L | Oracle 9i DB or newer clients can connect | No
8 | 10g, 11g, 12c | O3L | Oracle 8i DB or newer clients can connect | No
15. Authentication protocols version
Logon using a wrong password verifier (error ORA-28040 or ORA-01017):
SQL> conn USER_10G/manager
ERROR:
ORA-01017: invalid username/password; logon denied
Available password versions in DBA_USERS:
SELECT username, password_versions FROM dba_users
WHERE username LIKE 'USER_%' ORDER BY 1;
USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
USER_10G                       10G
USER_11G                       11G
USER_12C                       12C
USER_ALL                       10G 11G 12C
16. Kerberos in a Nutshell
Network authentication protocol developed by MIT
Uses a trusted third-party authentication system, the KDC (not KGB…)
– “strong” authentication
Basis for a couple of services and tools, e.g. Windows servers
Requires three parties
– KDC with Authentication Service and Ticket Granting Service
– Service or service principal that provides a service
– Client that requests access
Has been around for some time now
17. Kerberos Authentication Workflow
Workflow steps (figure)
– logon / okinit / kinit
– Request Ticket Granting Ticket
– Send Ticket Granting Ticket
– Request a Service Ticket
– Send Service Ticket
– Acknowledge session
Further figure labels: Keytab file, Service Ticket
18. Kerberos Configuration (Demo)
Configure proper server name resolution (DNS and reverse lookup)
Configure SQL*Net, e.g. sqlnet.ora and krb5.conf, on server and clients
Create a service principal in MS Active Directory
Create a keytab file for the service principal
Make sure that…
– … the times on the server, client and directory server are in sync
– … you don't mix up domain name, realm, user principal name and service principal name
– … you avoid 12.1.0.x due to its incompatibility with KERBEROS5PRE
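The workflow on slide 17 and the checklist above, as an added toy model in Python. It is not code from the presentation and not a Kerberos implementation: the seal/unseal functions (SHA-256 keystream plus HMAC), the PBKDF2 key derivation, the realm EXAMPLE.ORG, MAX_SKEW and the principal names are constructed stand-ins for the real etypes, string2key and site values. What it does show faithfully is the division of knowledge between the three parties (the client only ever uses its own password-derived key, the service only its keytab, the KDC holds every long-term key) and why the time-sync item above matters: an authenticator whose timestamp is further than MAX_SKEW from the KDC or service clock is rejected.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.ORG"   # constructed realm; Kerberos realms are upper case by convention
MAX_SKEW = 300          # seconds, the customary Kerberos clock-skew limit

def _keystream(key, nonce, length):
    # Toy keystream (SHA-256 in counter mode), a stand-in for a real Kerberos etype.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict: nonce || ciphertext || HMAC tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag first; a wrong key (or a tampered ticket) never decrypts anything."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def string_to_key(password, principal):
    # Stand-in for Kerberos string2key: password -> long-term key, salted with the principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _verify_authenticator(auth, ticket, now):
    # Checks shared by the TGS and by the service: identity, clock skew, ticket lifetime.
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match the ticket")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise PermissionError("clock skew too large: sync time on client, server and KDC")
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one object."""
    def __init__(self):
        self.keys = {}                  # long-term key of every principal
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM, used to seal TGTs

    def add_user(self, name, password):
        principal = f"{name}@{REALM}"
        self.keys[principal] = string_to_key(password, principal)

    def add_service(self, spn):
        # The service key stays in the KDC and is exported once as the service's keytab.
        self.keys[spn] = os.urandom(32)
        return {spn: self.keys[spn].hex()}

    def as_exchange(self, client, now):
        # AS-REQ/AS-REP: a TGS session key, sealed for the client and again inside the TGT.
        session_key = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session_key, "expires": now + 36000})
        return seal(self.keys[client], {"key": session_key}), tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        # TGS-REQ/TGS-REP: open the TGT, verify the authenticator, issue a service ticket.
        ticket = unseal(self.tgs_key, tgt)
        session_key = bytes.fromhex(ticket["key"])
        _verify_authenticator(unseal(session_key, authenticator), ticket, now)
        service_key = os.urandom(32).hex()
        service_ticket = seal(self.keys[spn], {"client": ticket["client"], "key": service_key,
                                               "expires": now + 36000})
        return seal(session_key, {"key": service_key}), service_ticket

class Service:
    """A service principal (e.g. the database) that only ever holds its keytab."""
    def __init__(self, spn, keytab):
        self.spn, self.key = spn, bytes.fromhex(keytab[spn])

    def ap_exchange(self, service_ticket, authenticator, now):
        # AP-REQ: open the ticket with the keytab key, then check the authenticator.
        ticket = unseal(self.key, service_ticket)
        _verify_authenticator(unseal(bytes.fromhex(ticket["key"]), authenticator), ticket, now)
        return ticket["client"]   # the authenticated principal

def client_login(kdc, service, user, password, client_now, kdc_now=None):
    """kinit/okinit (AS), service ticket request (TGS) and session acknowledge (AP)."""
    kdc_now = client_now if kdc_now is None else kdc_now   # KDC and service share one clock
    principal = f"{user}@{REALM}"
    enc_part, tgt = kdc.as_exchange(principal, kdc_now)
    session_key = bytes.fromhex(unseal(string_to_key(password, principal), enc_part)["key"])
    authenticator = seal(session_key, {"client": principal, "time": client_now})
    enc_part2, service_ticket = kdc.tgs_exchange(tgt, authenticator, service.spn, kdc_now)
    service_key = bytes.fromhex(unseal(session_key, enc_part2)["key"])
    authenticator2 = seal(service_key, {"client": principal, "time": client_now})
    return service.ap_exchange(service_ticket, authenticator2, kdc_now)

def login_outcome(*args, **kwargs):
    """Same flow, but reports 'ok <principal>' or the rejection reason instead of raising."""
    try:
        return "ok " + client_login(*args, **kwargs)
    except (ValueError, PermissionError) as err:
        return f"rejected: {err}"
```

Three outcomes are worth trying: a correct password yields the principal name at the service, a wrong password fails already when the client cannot open the AS reply (the KDC never saw the password), and a client clock that is 15 minutes ahead of the KDC is refused at the TGS step with the clock-skew message, which is the symptom behind many "Credential retrieval failed" reports.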
20. Oracle Directory Services
Oracle provides a couple of directory servers as Oracle Directory Services Plus
– OID, Oracle Internet Directory, an Oracle Database based LDAP server
– OUD, Oracle Unified Directory, a small, lightweight LDAP server
– ODSEE, Oracle Directory Server Enterprise Edition, deprecated product (formerly Sun Directory Server Enterprise Edition)
– OVD, Oracle Virtual Directory, deprecated product
OUD and OID use two different approaches
– Horizontal scaling for OUD versus monolithic scalability for OID
OID requires a full Oracle Database and WebLogic stack
– Although it can be used without any additional license for Oracle Names resolution
No other directory server is supported for direct integration with Oracle Databases (see Centrally Managed Users, CMU)
21. Oracle Unified Directory
The other Oracle Directory …
– Yes, my favorite…
OUD is the latest of the three Oracle LDAP directories and is based on the OpenDS standard
– Fully LDAPv3 compliant directory server
– Proxy server, e.g. to integrate OUD and MS Active Directory
– Replication server
Java-based directory
– Written in Java for multi-platform support
High performance and space-efficient data storage
– Embedded Berkeley DB
22. Oracle Unified Directory (Demo)
Set up an OUD Active Directory proxy for Enterprise User Security
Prepare OUD configuration scripts
The classical setup…
– Install Oracle Java
– Install Oracle Unified Directory and the latest bundle patches
– Create the OUD proxy instance using the configuration scripts
The modern way…
– Start a new OUD Docker container
24. Oracle Enterprise User Security
25. Integration of MS Active Directory Services using EUS
Until now, integration with Active Directory also meant to…
– …maintain an Oracle Directory
– …set up OID or OUD
– …configure OUD AD Proxy, DIP etc.
– …configure Enterprise User Security
– …purchase Directory Services Plus
Oracle Enterprise User Security has a number of advantages for medium and large environments
To manage only a few users centrally with EUS means “to crack a nut with a sledgehammer”
26. OUD EUS Proxy Workflow
27. Integration of MS Active Directory Services using CMU
Centrally Managed Users (CMU)…
– …does not require an Oracle Directory
– …does not require a license
– …allows managing users via AD
Supports the usual authentication methods
– Password
– Kerberos
– Public key infrastructure (PKI)
Requires a password filter and an AD schema extension
Requires an AD service account
Ideal for small environments
28. Configuration – Database
Register the database with the LDAP directory using dbca (CLI or GUI)
– could cause issues with non-default listener ports
Initialization parameters changed by dbca:
ldap_directory_access string PASSWORD
ldap_directory_sysauth string NO
Define the LDAP directory using netca or directly in ldap.ora:
DIRECTORY_SERVERS = (oudad.postgasse.org:1389:1636)
DEFAULT_ADMIN_CONTEXT = "dc=postgasse,dc=org"
DIRECTORY_SERVER_TYPE = OID
29. Configuration – Database
Create global database users with IDENTIFIED GLOBALLY:
ALTER USER clark IDENTIFIED GLOBALLY AS
'cn=clark, cn=Users,dc=trivadistraining,dc=com';
CREATE USER employee IDENTIFIED GLOBALLY;
Oracle Wallet used to store the LDAP credentials:
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /u00/app/oracle/admin/$ORACLE_SID/wallet)))
– dbca creates a new Oracle Wallet at the WALLET_LOCATION
– WALLET_LOCATION is not supported for Container Databases
30. Configuration – EUS
Define schema / role mapping for EUS
– Enterprise Manager Cloud Control
– eusm command line utility, MOS Note 1085065.1
– eusm officially documented as of Oracle Database 18c
Create a mapping to a global shared schema:
eusm createMapping database_name="TDB12A"
realm_dn="dc=trivadistraining,dc=com"
map_type="SUBTREE"
map_dn="cn=Users,dc=trivadistraining,dc=com"
schema="employee"
ldap_host="localhost" ldap_port=1389
ldap_user_dn="cn=orcladmin" ldap_user_password="TVD04manager"
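Slides 29 and 30 together define how an LDAP user ends up in a database schema: an exclusive schema (ALTER USER ... IDENTIFIED GLOBALLY AS '<dn>') or a shared schema reached through an eusm mapping of type ENTRY or SUBTREE. The following Python is an added example, not eusm's or the database's own code, that models the resolution so you can check a planned set of mappings before creating them. It reproduces the documented precedence (exclusive schema before entry mapping before subtree mapping) and normalizes DNs, so that the slide's 'cn=clark, cn=Users,...' with its embedded space still matches. The rule that the most specific subtree wins when subtree mappings overlap, the extra mappings (guest, secadmin) and the user DNs are this example's assumptions and constructed data; verify overlapping subtree mappings against the EUS documentation of your release.

```python
from dataclasses import dataclass


def normalize_dn(dn):
    """Canonical DN for comparison: trim whitespace around '=' and ',' and lower-case
    types and values. Assumes case-insensitive matching, which holds for cn/ou/dc."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def is_below(user_dn, base_dn):
    """True when user_dn is a proper descendant of base_dn (subtree membership)."""
    return normalize_dn(user_dn).endswith("," + normalize_dn(base_dn))


@dataclass
class Mapping:
    map_type: str   # "ENTRY" or "SUBTREE", as passed to eusm createMapping map_type=
    map_dn: str     # the user entry or the subtree base (map_dn=)
    schema: str     # shared schema created with CREATE USER ... IDENTIFIED GLOBALLY


def resolve_schema(user_dn, exclusive_schemas, mappings):
    """Return (schema, rule) for an enterprise user, or (None, "no mapping").

    exclusive_schemas maps a database user name to the DN given in
    ALTER USER ... IDENTIFIED GLOBALLY AS '<dn>'. Precedence: exclusive schema,
    then ENTRY mapping, then the most specific (longest base) SUBTREE mapping
    (the last rule is this example's assumption for overlapping subtrees).
    """
    target = normalize_dn(user_dn)
    for schema, dn in exclusive_schemas.items():
        if normalize_dn(dn) == target:
            return schema, "exclusive schema"
    for m in mappings:
        if m.map_type == "ENTRY" and normalize_dn(m.map_dn) == target:
            return m.schema, "entry mapping"
    subtree = [m for m in mappings if m.map_type == "SUBTREE" and is_below(user_dn, m.map_dn)]
    if subtree:
        best = max(subtree, key=lambda m: len(normalize_dn(m.map_dn)))
        return best.schema, "subtree mapping"
    return None, "no mapping"


# Constructed configuration: the exclusive user and the cn=Users subtree mapping
# from the slides, plus an entry mapping and a realm-wide subtree for contrast.
EXCLUSIVE = {"clark": "cn=clark, cn=Users,dc=trivadistraining,dc=com"}
MAPPINGS = [
    Mapping("SUBTREE", "dc=trivadistraining,dc=com", "guest"),
    Mapping("SUBTREE", "cn=Users,dc=trivadistraining,dc=com", "employee"),
    Mapping("ENTRY", "cn=larry,cn=Users,dc=trivadistraining,dc=com", "secadmin"),
]


def lookup(user_dn):
    """Resolve a user DN against the constructed configuration above."""
    return resolve_schema(user_dn, EXCLUSIVE, MAPPINGS)
```

With this configuration clark lands in his exclusive schema even though his entry also sits under the cn=Users subtree, larry gets the entry-mapped secadmin schema, any other user under cn=Users shares employee, a user elsewhere in the realm falls back to guest, and a DN outside the realm resolves to nothing, which is the case that surfaces as ORA-01017 at logon.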
31. Oracle Enterprise User Security (Demo)
Configure SQL*Net, e.g. sqlnet.ora and ldap.ora, on server and clients
Register the database using dbca
Create global users and roles
Define the EUS mapping using eusm
32. Troubleshooting and challenges
33. Challenges
Using OUD, EUS and Active Directory for the central management of users and roles requires considering high availability and backup & recovery solutions
– Multiple OUD installations with LDAP replication
The technical aspects of EUS are one part of the problem
A corresponding user and role concept is another aspect that must be solved seriously and comprehensively
More complex infrastructures increase the probability of hitting a bug
– Issues in the LDAP stack are not handled by the core DB development team
34. Challenges
Some Oracle products are not always on the leading edge of certain technologies
– EUS and databases require legacy, insecure SSL ciphers
– EUS still requires a SHA-1 password store
– PBKDF2 SHA-512 is possible but requires some patches
Kerberos is not Kerberos
– Not all implementations work as expected: OS stack, DB stack, KDC etc.
Not all clients and/or applications can handle EUS, SSO and Kerberos
– theoretically and technically yes, but what to do when the app requires a username?
RADIUS is not an option for EUS
35. Troubleshooting
The error messages are “clearly arranged” … a few common errors
– ORA-01017: invalid username/password; logon denied
– ORA-28030: Unable to access LDAP directory service
– ORA-12638: Credential retrieval failed
– ORA-12631: Username retrieval failed
Check your network and DNS configuration
Use the KRB5_TRACE environment variable, available as of Oracle 12c
Get familiar with SQL*Net trace
Use Wireshark to trace your network traffic
Double-check that you do not hit one of the well-known bugs, e.g. 19285025
And again, check your network and DNS configuration
36. Troubleshooting using MOS Notes
MOS Note 1375853.1 Master Note For Kerberos Authentication
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1375853.1
MOS Note 185897.1 Kerberos Troubleshooting Guide
https://support.oracle.com/epmos/faces/DocumentDisplay?id=185897.1
MOS Note 1376365.1 Master Note For Enterprise User Security
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1376365.1
MOS Note 453853.1 Step by Step Guide To Troubleshooting Enterprise User Security (EUS) - Password Authentication
https://support.oracle.com/epmos/faces/DocumentDisplay?id=453853.1
And much more, but make sure to check the Oracle version and the MOS Note release date!
37. Resources
DOAG RedStack Magazine Sept 2018 “Oracle Unified Directory in Docker”
Oracle Docker GitHub repository https://github.com/oracle/docker-images
Stefan Oehrli GitHub Docker repository https://github.com/oehrlis/docker
OUD Base environment scripts https://github.com/oehrlis/oudbase
O5Logon https://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol
38. Conclusion
Strong password verifiers and strong authentication, e.g. Kerberos, are state of the art today
Setting up OUD and EUS isn't as hard as it looks at first glance
– The main challenge is a proper user and role concept
Centrally Managed Users (CMU) is a promising solution for small / medium IT environments
Despite bugs, Kerberos, EUS and OUD provide reliable methods to centrally manage users and roles and to increase database security