|Oracle Internet Directory Administrator's Guide
Part Number A95192-01
This chapter discusses the most important aspects of security in the Oracle Directory Integration platform. It contains these sections:
Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.
It is important that each component in the Oracle Directory Integration platform be properly authenticated before it is allowed access to the directory.
The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and SSL wallets to hold the certificates.
To use SSL with the Oracle Directory Integration platform, you must start both the Oracle directory server and the Oracle directory integration server in the SSL mode.
Chapter 3, "Preliminary Tasks and Information" for instructions on starting the Oracle directory server in SSL mode
You can install and run multiple instances of the directory integration server on various hosts. When you do this, beware of a malicious user either posing as the directory integration server or using an unauthorized copy of it.
To avoid such security issues:
To use non-SSL authentication, register each directory integration server by using the registration tool called odisrvreg.
The registration tool creates:
odisrvwallet, and it is stored in the
When it binds to the directory, the directory integration server uses the encrypted password in the private wallet.
"Registering the Oracle Directory Integration Server" for instructions about registering the directory integration server
The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration server in the SSL server authentication mode. The directory server provides its certificate to the directory integration server, which acts the client of Oracle Internet Directory.
The directory integration server is authenticated by using the same mechanism used in the non-SSL mode.
Within Oracle Internet Directory, an integration profile represent a user with its own DN and password. This information is stored in the integration profile of the agent. To protect the profile from unauthorized access, establish appropriate access control policies for it in the directory such that only an integration platform administrator or a user designated by the Oracle Internet Directory administrator can create the integration profiles.
When the directory integration server imports data to OID based on an integration profile, it binds to the directory as that integration profile and uses the profile name and password for binding. The Oracle Directory Integration platform uses this mechanism to authenticate agents in both the SSL and non-SSL mode.
Authorization is the process of ensuring that a user reads or updates only the information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user-- identified by the authorization identifier associated with the session--has the requisite permissions to perform those operations. Otherwise, the operation is disallowed. Through this mechanism, the directory server protects directory data from unauthorized operations by directory users. This mechanism is called access control.
To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration server and the agents, place appropriate access policies in the directory. The following section discusses these policies in detail.
The directory integration server binds to the directory both as itself and on behalf of the agent.
To establish and manage access rights granted to directory integration servers, the Oracle Directory Integration platform creates a group entry, called
odisgroup, during installation. When a directory integration server is registered, it becomes a member of this group.
You control the access rights granted to directory integration servers by placing access control policies in the
odisgroup entry. The default policy grants various rights to directory integration servers for accessing the profiles. For example, the default policy enables the directory integration server to compare user passwords for authenticating agents when it binds on their behalf. It also enables directory integration servers to modify status information in the profile--such as the last successful execution time and the synchronization status.
To control access to Oracle Internet Directory data by integration profiles, place appropriate access control policies in Oracle Internet Directory. This enables you to protect data synchronized or processed by one agent from interference by other agents. It also enables you to allow only the integration profile that owns synchronization of an attribute to modify that attribute.
For example, creating a group entry called
odipgroup when installing the Oracle Internet Directory enables controlling the access rights granted to various agents. Rights are controlled by placing appropriate access policies in the
odipgroup entry. Each agent is a member of this group. The membership is established when the agent is registered in the system. The default access policy, automatically installed with the product, grants to agents certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the parameter named
orclodipConDirLastAppliedChgTime. The default access policy also permits agents to access Oracle Internet Directory change logs, to which access is otherwise restricted.
odisgroup group entries and their default policies are created during the server installation of the Oracle Internet Directory. Client-only installations do not create these groups and policies.
The Oracle Directory Integration platform ensures that data has not been modified, deleted, or replayed during transmission by using SSL. This SSL feature generates a cryptographically secure message digest--through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA) --and includes it with each packet sent across the network.
The Oracle Directory Integration platform ensures that data is not disclosed during transmission by using public-key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.
To exchange data securely between the directory integration server and Oracle Internet Directory, you run both components in the SSL mode.
You can run all the commonly used tools in the SSL mode to transmit data to Oracle Internet Directory securely. These tools include: