|Oracle Internet Directory Administrator's Guide
Part Number A90151-01
This chapter discusses the most important aspects of security in the Oracle Directory Integration platform. It contains these sections:
Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.
It is important that each component in the Oracle Directory Integration platform be properly authenticated before it is allowed access to the directory.
The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and SSL wallets to hold the certificates.
To use SSL with the Oracle Directory Integration platform, you must start both the Oracle directory server and the Oracle directory integration server in the SSL mode.
You can install and run multiple instances of the directory integration server on various hosts. When you do this, beware of a malicious user either posing as the directory integration server or using an unauthorized copy of it.
To avoid such security issues:
To use non-SSL authentication, register each directory integration server by using the registration tool called odisrvreg.
The registration tool creates:
odisrvwallet, and it is stored in the
When it binds to the directory, the directory integration server uses the encrypted password in the private wallet.
"Registering the Oracle Directory Integration Server" for instructions about registering the directory integration server
The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration server in the SSL server authentication mode. The directory server provides its certificate to the directory integration server, which acts the client of Oracle Internet Directory.
The directory integration server is authenticated by using the same mechanism used in the non-SSL mode.
Within Oracle Internet Directory, an agent is a user with its own DN and password. This information is stored in the integration profile of the agent. To protect the profile from unauthorized access, establish appropriate access control policies for it in the directory. Only the Oracle Directory Integration platform administrator or a user designated by the Oracle Internet Directory administrator can create the integration profiles.
When the directory integration server performs a task on behalf of an agent, it binds to the directory as that agent and uses the agent name and password stored in the agent profile. The Oracle Directory Integration platform uses this mechanism to authenticate agents in both the SSL and non-SSL mode.
Authorization is the process of ensuring that a user reads or updates only the information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user-- identified by the authorization identifier associated with the session--has the requisite permissions to perform those operations. Otherwise, the operation is disallowed. Through this mechanism, the directory server protects directory data from unauthorized operations by directory users. This mechanism is called access control. Access control information is the directory metadata that captures the administrative policies relating to access control.
Access to data in Oracle Internet Directory is restricted for both the directory integration server as well as the agents only to the desired subset of data by placing appropriate access policies in the directory. The following section discusses these policies in detail.
The directory integration server binds to the directory both as itself and on behalf of the agent.
To establish and manage access rights granted to directory integration servers, the Oracle Directory Integration platform creates a group entry, called
odisgroup, during installation. When a directory integration server is registered, it becomes a member of this group.
You control the access rights granted to directory integration servers by placing access control policies in the
odisgroup entry. The default policy grants various rights to directory integration servers for accessing the profiles. For example, the default policy enables the directory integration server to compare user passwords for authenticating agents when it binds on their behalf. It also enables directory integration servers to modify status information in the profile--such as the next synchronization time and the synchronization status.
To control access to Oracle Internet Directory data by agents, place appropriate access control policies in Oracle Internet Directory. This enables you to protect data of one agent from interference by other agents. It also enables you to allow only the agent that owns an attribute to modify that attribute.
To control access, a group entry called
odipgroup is created in the directory during installation. The access rights granted to various agents in the Oracle Internet Directory Platform are controlled by placing appropriate access policies in the
odipgroup entry. Each agent is a member of this group. The membership is established when the agent is registered in the system. The default access policy, which is installed automatically with the product, grants various access rights to the agents for the integration profiles they own. For example, the agent can modify the status information such as
orclodipConDirLastAppliedChgTime in the integration profile. The default access policy also permits agents to access Oracle Internet Directory change logs. The access to the Oracle Internet Directory change log is otherwise restricted.
odipgroup and the
odisgroup group entries and their default policies are created only during the server installation of the Oracle Internet Directory release 3.0.1 patch. Client-only installations do not create these groups and policies. For this reason, Oracle Corporation recommends that you install the 220.127.116.11 patch on the Oracle Internet Directory release 2.1.1 server. Do this even if you do not intend to use the Oracle Directory Integration platform on the Oracle Internet Directory server installation.
The Oracle Directory Integration platform ensures that data has not been modified, deleted, or replayed during transmission by using SSL. This SSL feature generates a cryptographically secure message digest--through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA) --and includes it with each packet sent across the network.
The Oracle Directory Integration platform ensures that data is not disclosed during transmission by using public-key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.
To exchange data securely between the directory integration server and Oracle Internet Directory, you run both components in the SSL mode.
You can run all the commonly used tools in the SSL mode to transmit data to Oracle Internet Directory securely. These tools include: