Oracle Advanced Security Administrator's Guide Release 9.0.1 Part Number A90150-01
This chapter describes how to use Oracle Enterprise Security Manager to administer Enterprise User Security in Oracle9i databases. This chapter contains the following topics:
Oracle Enterprise Security Manager, a component of Oracle Enterprise Manager, is an administration tool employed by Oracle Advanced Security to manage enterprise users, enterprise domains, databases, and enterprise roles that are held in an LDAP-compliant directory service.
The directory service is used as a central repository to define user and server access information for a network. It stores naming information, global password definitions, PKI credentials, and application access authorizations for the users that it defines. Such centralized storage of enterprise users and their access privileges supports single sign-on capability, and provides secure, scalable user administration.
The following tasks describe how to use Oracle Enterprise Security Manager to install Oracle Management Server and Oracle Enterprise Manager:
Oracle9i Enterprise User Security is based on an LDAP-compliant directory. The directory server must be properly installed and configured before Oracle Enterprise Manager can be used to manage Enterprise User Security. The following elements of directory configuration must be completed before proceeding:
Oracle Enterprise Manager is automatically installed by the Oracle9i Enterprise Edition server installation process, and includes all necessary functionality to support Enterprise User Security. Oracle Enterprise Manager is also installed by default with the Oracle9i infrastructure installation at the same time as Oracle Internet Directory. Oracle Enterprise Manager can also be installed separately in its own ORACLE_HOME, using the custom install option.
You can use Oracle Enterprise Manager to manage Enterprise User Security in two modes of operation:
The functionality is identical in either mode of operation. Only the latter mode, Oracle Enterprise Security Manager, is described in this chapter.
To launch Oracle Enterprise Security Manager from the Enterprise Manager ORACLE_HOME, enter the following at the command line:
oemapp esm
The directory login box appears (Figure 18-1):
Oracle Enterprise Security Manager provides three ways to connect to a directory server, summarized by Table 18-1:
| Authentication Method | Description |
|---|---|
| Password Authentication | Uses simple authentication requiring a distinguished name (DN) or a known directory UserID and a password (i.e., user name and password). |
| SSL Client Authentication | Uses two-way SSL authentication in which both the client and server use Oracle Wallets containing digital certificates (i.e., user name and certificate). The subsequent connection is encrypted. |
| Native Authentication | Applies to Microsoft Windows NT and Windows 2000 only; uses operating system-level authentication to log on to a Microsoft Active Directory. |
To select an authentication method, choose the appropriate option in the Directory Server Login Window (Figure 18-1).
Oracle Enterprise Security Manager displays the following window after the initial connection (Figure 18-2):
Oracle Enterprise Security Manager manages one directory server, identified at the top of the main application tree, followed by a series of menu operations that apply to this server.
You use Enterprise Security Manager to manage users in the directory. The application shows the directory to which it is connected and lets you delete and browse users in that directory. Oracle Enterprise Security Manager can also be used to manage Oracle Contexts in the directory. An Oracle Context is a subtree in a directory recognizable to Oracle products. It provides an administrative hierarchy for management of Oracle data--including installed Oracle products that access the directory.
This section describes how to use Oracle Enterprise Security Manager to administer enterprise users. It contains the following topics:
Use Oracle Enterprise Security Manager to create users in the directory.
To create new users, select Create Enterprise User... from the Operations menu (Figure 18-3):
The Create User window appears (Figure 18-4).
Referring to Table 18-2, enter the appropriate user information required by the User Naming tabbed window; choose OK to create a new enterprise user.
An enterprise user entry can reside at any base within the directory. The base can be any existing directory entry, such as country entry (c=us), or an organization entry (o=acme,c=us). Multiple users typically share the same directory base. This base associates all the users contained under it with the same high level organization in the hierarchy.
You can enter the base in the base field of the Create User window (Figure 18-4). Alternatively, you can browse the entire directory to select a suitable base by choosing the Browse... button (in the same window); the Browse Directory Window appears (Figure 18-5):
The Browse Directory window lets you navigate the directory by drilling down into each entry from the top of the directory tree. When a directory entry is selected its distinguished name (DN) is placed in the Selection field. To accept the selected Distinguished Name choose the OK button. This value is returned as the selected base for a new directory user, and is preserved for all subsequent operations that create or search for users in the directory--although you can change it from time to time.
The Password tab of the Create User Window (Figure 18-6) lets you define and maintain the enterprise user password:
The enterprise user password is used for:
When creating a new password, you can accept a default password or manually enter and confirm a new password. In either case, the new user must change the password immediately after its first use.
When you create a new enterprise user, you can grant any previously configured enterprise roles to a new user.
To select one or more enterprise roles to grant to a new user, choose the Add... button on the Enterprise Roles tab of the Create User window (Figure 18-7):
The Add Enterprise Roles window appears (Figure 18-8):
Select any enterprise roles in your Oracle Context to assign to the new user; choose OK.
You can use Oracle Enterprise Security Manager to view a user wallet, stored in the directory as part of the directory entry for the user.
You can use Oracle Wallet Manager to create new user wallets, and to upload and download wallets from the directory.
Oracle Enterprise Security Manager lets you browse the directory for all users currently stored.
To browse enterprise users, choose the All Users tab in the main window (Figures 18-2, 18-9):
To search for users in the directory, define the search criteria and choose the Search Now button. The window displays the results of the search. Table 18-3 summarizes the search criteria and their respective effects on the search results:
Example 1:
Searching an Oracle directory for a user named Richard (Figure 18-10):
Example 2:
Selecting a user from the search results for editing.
To edit one of the returned user names, select the target user name and choose the Edit... button--or just double-click the target user name in the list (Figure 18-11):
When you select a directory user for edit, you can change the password and enterprise role assignments--and you can modify the user wallet in the same manner as during its initial creation.
The user entry must reside in a directory subtree of users that has been enabled for Oracle database access. You can set Oracle Database Access permissions for a selected subtree--to let databases within a domain in the Password-Accessible Domains group read the user's login credentials.
To enable database access:
On a selected subtree of directory users, set Oracle Database Access permissions to permit databases in the Password-Accessible Domains group to access the user's database login credentials:
An Oracle Context is a subtree in a directory that contains the data used by any installed Oracle product that uses the directory. Oracle Enterprise Security Manager is one such product. It lets you manage database and security-related information in the directory, in an Oracle Context.
Oracle Enterprise Security Manager can support multiple Oracle Contexts in a directory, including both Oracle8i and Oracle9i versions. However, Oracle9i Enterprise User Security can only be managed using an Oracle9i Oracle Context. Oracle Enterprise Manager for Oracle9i may be used to manage both version 9i and version 8i Oracle Contexts in the directory.
Oracle Enterprise Security Manager displays all existing Oracle Contexts in its main application tree--including both Oracle8i and Oracle9i versions. In the following example (Figure 18-12), Oracle Enterprise Security Manager is connected to an Oracle directory that has been configured to support the Oracle9i directory schema and an Oracle9i root Oracle Context.
An Oracle Context has a number of properties that can be viewed and managed in the Enterprise Security Manager window (Figure 18-12, Table 18-4):
Note: The reference to Default Oracle Context in Figure 18-12 should read Root Oracle Context; all references to Default Oracle Context will be changed to Root Oracle Context in the production release of Oracle Advanced Security.
To define or edit properties of an Oracle Context, refer to Table 18-4:
Common user search bases can be added to or removed from an Oracle9i Oracle Context using the General tabbed window (Figure 18-12).
To remove a user search base from an Oracle Context:
To add a new user search base to an Oracle Context:
An Oracle Context contains administrative groups that have varying levels of privileges for operations within an Oracle Context. Some administrative groups are only available to Oracle9i Oracle Contexts and some are available to both Oracle8i and Oracle9i Oracle Contexts. The administrative groups for an Oracle Context are defined by Table 18-5:
Use the Administrators tab of the Oracle Enterprise Security Manager main window to manage Oracle Context Administrators (Table 18-14):
To remove a user from a list of Oracle Context Administrators:
To add a new user to the list of Oracle Context Administrators:
Use this window to locate and select users in the directory. There are three panels in the window:
In a selected Oracle9i Oracle Context, add the domain to the Password-Accessible Domains group. Choose Add and select one of the current enterprise domains from the resulting dialog. To remove an enterprise domain from the group, select it in the Accessible Domains window and choose Remove.
There are three requirements for a database to accept a connection from a password-authenticated user:
To configure password accessibility:
The directory can be used as a central repository that controls user authentication and authorization on multiple databases. Oracle Enterprise Security Manager lets you manage an Oracle Context in the directory for database security.
Both Oracle8i and Oracle9i databases are published to the directory within an Oracle Context using the Oracle Database Configuration Assistant. Once databases are published to the directory, you can use Oracle Enterprise Security Manager to manage user access to those databases. This is achieved using the following objects in the Oracle Context (Table 18-6):
| Object | Description |
|---|---|
| Database | A directory entry representing a published database. |
| Enterprise Domain | A grouping of databases published in the directory, upon which a common user access model for database security can be implemented. |
| Enterprise Role | An authorization that spans multiple databases within an enterprise domain. It is an enterprise role to which individual roles can be granted on each of the databases in an enterprise domain. |
| Mapping | A mapping object is used to map the distinguished name (DN) of a user to a database schema that the user will access. |
After a database has been published to an Oracle Context in the directory, Oracle Enterprise Security Manager can be used to view and modify security characteristics of that database.
A Database Administrator is a directory user that has privileges to modify the database and its subtree in the Oracle Context. Database Administrators may be managed using the Administrators tabbed window when a database is selected under an Oracle Context in the main application tree (Figure 18-14).
To remove a user from the list of Database Administrators:
To add a new user to the list of Enterprise Domain Administrators:
Database schema mappings let databases that are registered in the directory accept connections from users without requiring any dedicated database schemas for them. For example, when user Scott connects to a database, a database schema called Scott must exist--for that logon to be successful. This can be difficult to maintain if there are thousands of users and perhaps hundreds of databases in a very large enterprise.
Users that are defined in an LDAP-compliant directory do not require dedicated schemas on every Oracle8i or Oracle9i database to which they might connect.
A database can use a schema mapping to share one database schema between multiple directory users. The schema mapping is a pair of values: the base in the directory at which users exist, and the name of the database schema they will use.
You can use the Database Schema Mappings tabbed window to manage database schema mappings--when a database is selected under an Oracle Context in the main application tree. This window contains a list of database schema names and Directory Base pairs (Figure 18-16):
To remove a mapping from the list of database schema mappings in an enterprise domain:
To add a new mapping to the list of database schema mappings in the enterprise domain:
Use this window to locate and select a base in the directory and pair it with a database schema name, to make a database schema mapping. There are two components to the window: there is a directory search tree from which to select a base, and a field in which to enter a schema name.
An Oracle Context contains at least one enterprise domain, called OracleDefaultDomain. The OracleDefaultDomain is part of the Oracle Context when it is first created in the directory. When a new database is registered into an Oracle Context it automatically becomes a member of the OracleDefaultDomain in that Oracle Context. You can create and remove your own enterprise domains, but you cannot remove the OracleDefaultDomain from an Oracle Context.
To create a new enterprise domain in an Oracle Context, use either of the following methods:
The Create Enterprise Domain window appears (Figure 18-18):
To create the new enterprise domain:
To remove an enterprise domain:
Use the application tree of the main Oracle Enterprise Security Manager window to select a target enterprise domain. You can then use the Databases tab to manage database membership of an enterprise domain in an Oracle Context (Figure 18-19):
To remove a database from an enterprise domain:
To add a database to an enterprise domain:
Use the Databases tabbed window (Figure 18-19) to manage database security options applicable to all databases that are members of the enterprise domain.
Database security options are summarized by Table 18-7:
An Enterprise Domain Administrator is a directory user in an enterprise domain that has privileges to modify the content of that domain. You can use the Administrators tabbed window (Figure 18-14) to manage Enterprise Domain Administrators when an enterprise domain is selected under an Oracle Context in the main application tree.
To remove a user from the list of Enterprise Domain Administrators:
To add a new user to the list of Enterprise Domain Administrators:
As previously discussed, database schema mappings can be managed for each database in an Oracle Context. Schema mappings can also be defined for each enterprise domain in an Oracle Context, using the database schema mappings tabbed window with an enterprise domain selected in the main application tree. These mappings apply to all databases that are members of the enterprise domain. Therefore, each database in the enterprise domain must have a schema of the same name used in the mapping for that mapping to be effective on that database.
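The following is an added example (not Oracle's code) that models how a directory user's DN is resolved to a database schema through the mapping pairs described above: a mapping held on the database itself or on its enterprise domain applies when the user's entry sits under the mapping's directory base, and a domain-level mapping is only effective on a database where a schema of that name exists. Two details are assumptions not stated on the page: DN components are compared case-insensitively after trimming whitespace, and when several bases contain the user, the most specific (deepest) base is taken.

```python
"""Resolve a directory user's DN to a database schema via schema mappings.

Added example; not Oracle Enterprise Security Manager code. A mapping is a
(directory base DN, schema name) pair, held either on one database or on the
enterprise domain that the database belongs to.
"""
from typing import List, Optional, Set, Tuple

Mapping = Tuple[str, str]  # (directory base DN, database schema name)


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs: 'cn=Scott, o=Acme,c=US' ->
    ['cn=scott', 'o=acme', 'c=us'].  Assumption: simple DNs, no escaped commas."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_subtree(user_dn: str, base_dn: str) -> bool:
    """True when base_dn is an ancestor of (or equal to) user_dn."""
    user, base = dn_components(user_dn), dn_components(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base


def resolve_schema(user_dn: str, db_mappings: List[Mapping],
                   domain_mappings: List[Mapping],
                   db_schemas: Set[str]) -> Optional[str]:
    """Return the schema the user lands in on one database, or None.

    Candidates come from the database's own mappings and from its enterprise
    domain's mappings.  The most specific base wins (assumption).  The chosen
    mapping is only effective if db_schemas, the schemas that actually exist on
    that database, contains the mapped name; otherwise the login has no schema.
    """
    candidates = [m for m in db_mappings + domain_mappings
                  if in_subtree(user_dn, m[0])]
    if not candidates:
        return None
    base, schema = max(candidates, key=lambda m: len(dn_components(m[0])))
    existing = {s.upper() for s in db_schemas}
    return schema if schema.upper() in existing else None


# Constructed sample data (not from the page): one enterprise domain with two
# mappings, and one member database (HR) with its own mapping and schema list.
DOMAIN_MAPPINGS: List[Mapping] = [("ou=sales,o=acme,c=us", "SALES_SHARED"),
                                  ("o=acme,c=us", "GUEST")]
HR_DB_MAPPINGS: List[Mapping] = [("ou=hr,o=acme,c=us", "HR_SHARED")]
HR_DB_SCHEMAS: Set[str] = {"HR_SHARED", "GUEST"}  # no SALES_SHARED schema here

if __name__ == "__main__":
    for dn in ("cn=Alice,ou=HR,o=Acme,c=US", "cn=Scott,ou=Sales,o=Acme,c=US",
               "cn=Bob,ou=Eng,o=Acme,c=US", "cn=Eve,o=Other,c=US"):
        print(dn, "->", resolve_schema(dn, HR_DB_MAPPINGS, DOMAIN_MAPPINGS,
                                       HR_DB_SCHEMAS))
```

The Scott case shows the page's caveat in action: the domain-level mapping to SALES_SHARED matches his entry, but it is ineffective on the HR database because that schema was never created there.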
To remove a mapping from the list of database schema mappings in the enterprise domain (Figure 18-21):
To add a new mapping to the list of database schema mappings in the enterprise domain (Figure 18-21):
An enterprise domain within an Oracle Context can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain.
To create a new enterprise role:
You can create an enterprise role in an enterprise domain either from the Operations menu on the Oracle Enterprise Security Manager main window (Figure 18-21), or by right-clicking an enterprise domain in the main application tree. In either case, the Create Enterprise Role window appears (Figure 18-22):
To remove an enterprise role:
Use the Database Global Roles tabbed window (Figure 18-23) of the Oracle Enterprise Security Manager main window to manage database global role membership in an enterprise role. This window lists the names of each global role that belongs to the enterprise role, along with the name of the database on which that global role exists.
When populating an enterprise role with database roles, it is only possible to reference roles that have been configured as global roles on their databases. A global role on a database is identical to a normal role, except that the Database Administrator has defined it to be authorized only via the directory. A Database Administrator cannot locally grant global roles to, or revoke them from, users of the database.
To remove a database global role from an enterprise role:
To add a global role to an enterprise role:
An enterprise role grantee is a directory user granted an enterprise role, including all database global roles contained within that enterprise role. You can use the Enterprise Users tabbed window (Figure 18-25) to manage enterprise role grantees, when an enterprise role is selected under an enterprise domain in the main application tree.
To remove a user from the list of enterprise role grantees (Figure 18-25):
To add a new user to the list of enterprise role grantees:
You can assign enterprise roles to this newly created enterprise user by selecting the user and choosing the Enterprise Role tab.
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved.