Oracle® Authentication Services for Operating Systems Administrator's Guide
10g (10.1.4.0.1-OAS4OS)
E12023-01
3 Installing and Configuring Oracle Authentication Services for Operating Systems

This chapter contains the following topics:

  • Introduction

  • Configuring Oracle Authentication Services for Operating Systems on the Server

  • Configuring Oracle Authentication Services for Operating Systems on the Client

  • Replacing Self-Signed Certificates with CA-Signed Certificates

  • Configuring Oracle Internet Directory for Centralized Password Policies

  • Switching Between SSL Authentication and Non-SSL Configurations

  • Rerunning the Configuration Scripts

  • Restoring the Client and Server to Their Pre-Configuration State

Before you begin the procedures described in this chapter, you must perform the prerequisite procedures described in Chapter 2.

3.1 Introduction

This introduction contains the following sections:

  • SSL Support

  • Password Policy Enforcement

  • Active Directory Integration

  • Directory Plug-ins

  • Tools Used During Configuration

3.1.1 SSL Support

Oracle Internet Directory can be configured for SSL-no authentication, SSL-server authentication and SSL-mutual authentication modes. In all three modes the data is encrypted in transit; the modes differ in which side presents a certificate. Oracle Internet Directory comes pre-configured with the SSL-no authentication mode. However, some clients, such as the pam_ldap clients used for Linux user authentication, do not support this mode and support only SSL-server authentication mode.

For administrative ease, the initial server configuration process enables you to configure Oracle Internet Directory for SSL-server authentication mode, using self-signed certificates.


Note:

Self-signed certificates are not intended for production use. See "Replacing Self-Signed Certificates with CA-Signed Certificates" for information on using certificates issued by a trusted certificate authority.

3.1.1.1 Self Signed Certificates

The SSL server configuration script generates two Oracle wallets:

  1. Test Certificate Authority (CA) Wallet–used to sign the Oracle Internet Directory SSL Server Certificate. This consists of the following files in $ORACLE_HOME/wallet/root:

    • cakey.txt–a 1024-bit RSA private key. A 1024-bit RSA key is below current minimum key sizes for production use, which is one more reason the test CA must remain a test CA.

    • cacert.txt–base64-encoded certificate

  2. Oracle Internet Directory SSL Server Certificate. This consists of the following files in $ORACLE_HOME/wallet/server:

    • creq.txt–Oracle Internet Directory SSL Server Certificate Request

    • cert.txt–Oracle Internet Directory SSL Server Certificate signed by Test CA Wallet

    • cwallet.sso–Oracle Internet Directory SSL Server Wallet for auto-login

    • ewallet.p12–PKCS12 encoded Oracle Internet Directory SSL wallet


Note:

The PKCS12-encoded wallets contain the private keys for the relevant entities and are protected by a wallet password that you set when running the SSL server configuration script.

For a client to trust the Oracle Internet Directory SSL Server Certificate (2) it must trust the Test CA Wallet (1). Since most Linux clients work with the PEM format, a copy of the Test CA Wallet (1) in PEM format is available at: $ORACLE_HOME/wallet/pem.cert.

3.1.1.2 Certificate Authority Signed Certificates

If you have access to a Public Key Infrastructure (PKI) deployment, you can use certificates issued by a trusted CA in that PKI to secure your Oracle Internet Directory deployment. The procedure for swapping certificates is described in "Replacing Self-Signed Certificates with CA-Signed Certificates".

3.1.2 Password Policy Enforcement

Oracle Internet Directory ships with a rich set of password policies that can be leveraged for centralized password policy management. See the chapter on Password Policies in the Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1) to understand the concepts governing these features.

Oracle Internet Directory supports two types of password policies: value policies and state policies. Value policies govern password construction requirements, such as minimum length. State policies govern things like password expiration and lockout. On Linux and UNIX-based operating systems, state policies are traditionally handled in the shadow password file using the password aging feature. Oracle Internet Directory policies can be applied in a fine-grained manner, down to the level of a single user entry.

You can use Oracle Internet Directory to enforce both value and state policies. Value policy violations result in a visible error message on the Linux client, but state policy violations simply result in login failures. This is because the pam_ldap client does not display the messages that Oracle Internet Directory sends as additional information with the LDAP bind failure, so a user locked out or expired by a state policy sees only a failed login.

To use Oracle Internet Directory for centralized password policies, you must disable value and state policies local to the operating system. The procedure for doing this is described in "Configuring Oracle Internet Directory for Centralized Password Policies".

If you do not want to use Oracle Internet Directory for password policy enforcement, you must disable password policies in Oracle Internet Directory by setting orclpwdpolicyenable to 0. To avoid messages about password syntax, you must also disable the password syntax check by setting pwdCheckSyntax to 0.


See Also:

The Password Policies chapter in the Oracle Internet Directory Administrator's Guide.

3.1.3 Active Directory Integration

If you have users in Active Directory, and you want to use the credentials stored in Active Directory for Linux authentication, you can configure Oracle Directory Integration Platform to integrate with Active Directory. The configuration process is described in Chapter 5, "Configuring Active Directory Integration."

3.1.4 Directory Plug-ins

A directory server plug-in is a customized program that extends the capabilities of the Oracle Internet Directory server. The procedures for augmenting Active Directory entries and for setting up external authentication with Active Directory both include setting up plug-ins. These procedures are described in Chapter 5, "Configuring Active Directory Integration."


See Also:

Oracle Internet Directory Administrator's Guide for more information about directory server plug-ins.

3.1.5 Tools Used During Configuration

Some of the tasks described in this chapter require you to use Oracle Internet Directory or Oracle Directory Integration Platform tools. These tools include:

  • The Oracle Internet Directory LDAP command-line tools–These are located in the $ORACLE_HOME/bin directory. These tools are ldapsearch, ldapbind, ldapmodify, ldapdelete, ldapcompare, ldapmoddn, ldapaddmt and ldapmodifymt. For interaction with the Oracle Internet Directory server, you must use the LDAP tools in $ORACLE_HOME/bin and not those shipped in the operating system base image.

  • The Oracle Internet Directory bulk tools–These are also located in the $ORACLE_HOME/bin directory. These tools are bulkload, bulkmodify, catalog, bulkdelete and ldifwrite. The bulk tools allow you to perform bulk operations, such as adding or deleting a large number of entries.

    One important bulk tool is the catalog tool. This tool enables you to add indexes to attributes in Oracle Internet Directory. Attributes must be indexed in order to be searchable. This example adds an index to the attribute uid:

    catalog connect="connect_str" add="TRUE" attribute="uid"
    
  • The oidctl command–You use this to stop and start the Oracle Internet Directory server.

  • The dipassistant command–You use this when configuring SSL for communication between Oracle Directory Integration Platform and Active Directory and when migrating data from another LDAP-compliant directory to Oracle Internet Directory. If you are using dipassistant for data migration, you must apply the dipassistant patch, which simplifies the syntax of the properties file you will use with the migration tool dipassistant. The tracking bug for the patch is 6849766.


3.2 Configuring Oracle Authentication Services for Operating Systems on the Server

Use the server configuration script to configure the server for UNIX or Linux authentication, as follows:

  1. As a precaution, perform a backup of the Oracle Internet Directory schemas and database.

  2. If you have old versions of the server configuration scripts in $ORACLE_HOME/ldap/bin, you might want to save them elsewhere before copying the new script to $ORACLE_HOME/ldap/bin.

  3. If you want to configure SSL, copy sslConfig_OIDclient.sh and sslConfig_OIDserver.sh to $ORACLE_HOME/ldap/bin. Otherwise, copy config_OIDclient.sh and config_OIDserver.sh to $ORACLE_HOME/ldap/bin.


  4. Copy oasconfig.ldif to $ORACLE_HOME/ldap/admin.

  5. Execute the server script on the server as the same user who installed Oracle Internet Directory. Type:

    ./sslConfig_OIDserver.sh
    

    or

    ./config_OIDserver.sh
    
  6. You will be prompted for ORACLE_HOME, realm (naming context), non-SSL port, password for cn=orcladmin, and wallet password. Supply the appropriate values in response to the prompts. (If you have set ORACLE_HOME as an environment variable, you will not be prompted for it.)

The server script edits oasconfig.ldif so that it contains the necessary information about the server, then loads the information into Oracle Internet Directory.

The SSL version of the script configures Oracle Internet Directory for SSL server side authentication mode with self-signed certificates. This mode can be used with pam_ldap to enable user authentication.

The SSL version of the script configures port 389 for StartTLS, which allows SSL and non-SSL connections to use the same port. The script also configures port 636, the SSL port, for connections from clients that do not support StartTLS.

The server script edits the client script, sslConfig_OIDclient.sh or config_OIDclient.sh, customizing it for your environment.

The script updates several Oracle Internet Directory server parameters with the information it has gathered. The SSL version of the script restarts the Oracle Internet Directory server. The non-SSL version does not.

3.3 Configuring Oracle Authentication Services for Operating Systems on the Client

You configure each client for UNIX or Linux authentication by running a client configuration script. Follow these steps:

Solaris 9 Only

  1. On Solaris 9 only, download the Sun Java System Directory Server Resource Kit SDRK52 and install it as root. This kit is currently available at: http://www.sun.com/download/products.xml?id=3f74a0db

  2. After installing the Sun Java System Directory Server Resource Kit, and before you run the client configuration script, modify the environment variables PATH and LD_LIBRARY_PATH so that PATH includes installroot/lib/nss/bin and LD_LIBRARY_PATH includes installroot/lib, where installroot is the directory where you installed the Sun Java System Directory Server Resource Kit. For example, if you installed the software in /usr, add /usr/lib/nss/bin to PATH and add /usr/lib to LD_LIBRARY_PATH.

  3. Proceed as described for all client platforms.

AIX Without SSL Only

  1. Install the AIX LDAP client package. You can find it in the ldap.client file sets located on the AIX 5L product media. Execute the following command to install the package:

    installp -acgXd LPPSOURCE ldap.client 
    

    where LPPSOURCE is the source device for the product images.

  2. Proceed as described for all client platforms.

AIX With SSL Only

  1. The following packages are required for SSL Configuration on an AIX 5L Version 5.3 client:

    • gskta.rte

    • ldap.clt_max_crypto<bitsize><release>.rte

    where <bitsize> is 32bit or 64bit and <release> is the release number.

    If these packages are not already installed, install them from the AIX 5L Version 5.3 Expansion Package CD (5705-603) or from the equivalent package in Tivoli Directory Server, which is available at the IBM web site.

  2. Verify the installed packages by typing:

    lslpp -l | grep -e gskta -e ldap
    
  3. If necessary, create a symbolic link in /usr/lib to the new LDAP client library, where release is the installed LDAP client release. For example:

    ln -s /opt/IBM/ldap/release/lib/libidsldap.a /usr/lib/libibmldap.a
    
  4. Proceed as described for all client platforms.

  5. Verify that LDAP SSL is enabled by using ldapsearch, for example:

    ldapsearch -h myserver.oracle.com -Z -K /etc/security/ldap/key.kdb 
               -P keystore_password -b "" -s base objectclass=*
    
  6. Verify that authentication is working correctly by logging into your client machine using telnet, rlogin, ssh, or a similar program.

All Client Platforms

  1. Copy the client configuration script from the server to the client after you have run the server configuration script. The server script edits the client script, customizing it for your environment.

    For SSL Server Authentication enabled Linux clients, use the client script sslConfig_OIDclient.sh. For non-SSL Linux clients, use config_OIDclient.sh. Copy the script from $ORACLE_HOME/ldap/bin on the server to each client you want to configure.

  2. Execute the client configuration script on the client as the root user. Type:

    ./sslConfig_OIDclient.sh
    

    or

    ./config_OIDclient.sh
    
  3. When prompted, confirm that you want to configure the client to authenticate against the LDAP server.

  4. If the client is Red Hat Enterprise Linux or Oracle Enterprise Linux, the client script prompts you as to whether you want to configure the libuser package to work with LDAP. Respond y if you want libuser to be configured. If you configure libuser to work with LDAP, adding a user with luseradd, for example, adds the user entry to Oracle Internet Directory.

The script configures Pluggable Authentication Modules (PAM) on the client operating system to use Oracle Internet Directory for user authentication. The exact tasks performed depend on the operating system type. The script performs the following basic tasks:


Note:

The script makes backup copies of the files it touches in subdirectories of the /etc directory. These subdirectories have names of the form oracle_backup_time_stamp. For example, a backup directory created 18:54:46 on Jan. 13 2008 would have the name /etc/oracle_backup_20080113185446.

In addition, sslConfig_OIDclient.sh performs the following steps:

On most client operating systems, the script configures the client to use the StartTLS port on the server for SSL communication. The script does not configure StartTLS if the operating system on the client is HP-UX or Solaris. These clients use the standard SSL port, 636, on the server for SSL communication.

After you have successfully executed the client configuration script, your Linux or UNIX-based client can use Oracle Internet Directory to authenticate users.

3.4 Replacing Self-Signed Certificates with CA-Signed Certificates

If you select SSL-server authentication mode during the initial Oracle Internet Directory configuration, the server configuration script produces test self-signed certificates. If you have access to a Public Key Infrastructure (PKI) deployment, you can use certificates issued by a trusted CA in that PKI to secure your Oracle Internet Directory deployment. To do so, you must swap out the test self-signed certificates produced by the setup script with those your own trusted CA issues.

To swap out the certificates, perform the following steps:

  1. Use the tools you already use with your PKI to create a signed SSL server certificate for your Oracle Internet Directory server. At the end of this process you should have two files:

    • A PKCS#12-formatted file containing the Oracle Internet Directory SSL server certificate, its private key, the signing CA certificate and any other trusted CA certificates

    • The signing CA certificate in PEM format (X509v3 or PKCS#7).


    Note:

    The password used to secure the PKCS#12 file should be the same as the one you selected as the password for your Directory Administrator (cn=orcladmin) during initial Oracle Internet Directory configuration.

  2. Shut down Oracle Internet Directory.

  3. As root, type:

    mv $ORACLE_HOME/wallet/server $ORACLE_HOME/wallet/server-old
    mkdir $ORACLE_HOME/wallet/server
    
  4. Copy the .p12 file containing the Oracle Internet Directory SSL server certificate that you generated offline into $ORACLE_HOME/wallet/server and rename it ewallet.p12.

  5. Execute orapki to create an auto-login wallet (cwallet.sso) for use by Oracle Internet Directory, where wallet_password is the password that protects ewallet.p12:

    $ORACLE_HOME/bin/orapki wallet create \
      -wallet $ORACLE_HOME/wallet/server -pwd wallet_password -auto_login
    
  6. Start Oracle Internet Directory.

On all clients you configure, you must replace the contents of /etc/oracle-certs/oid-test-ca.pem with the PEM format certificate of your signing CA. Until you do, each client still trusts the test CA, whose private key (cakey.txt) remains on the server, so the swap is not complete until every client trust store has been updated.
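The trust relationship described in "Self Signed Certificates" and relied on by the swap above can be checked from any machine with the openssl command-line tool. The following script is an added example; it is not part of this guide or of the Oracle configuration scripts. It builds throwaway CA and server certificates in a temporary directory (a 1024-bit CA mirroring the generated test CA, and a 2048-bit one standing in for your own PKI), so the names, key sizes and paths are constructed and not those of sslConfig_OIDserver.sh. The same chains_to_ca check, pointed at the real cert.txt and /etc/oracle-certs/oid-test-ca.pem, tells you whether a client would accept the server certificate.

```shell
#!/bin/sh
# Added example (not from the Oracle guide or its scripts): check that a
# server certificate chains to the CA certificate the clients are given.
# Assumes the openssl command-line tool is installed. Everything below is
# built in a temporary directory; names and key sizes are constructed.

# Return 0 if certificate $1 verifies against the CA PEM $2. This is the
# same trust decision a client makes against /etc/oracle-certs/oid-test-ca.pem.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the RSA key size (bits) of certificate $1. Handles both the
# "Public-Key:" (1.x/3.x) and "RSA Public Key:" (0.9.8) wording of openssl.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Build a self-signed CA with an RSA key of $2 bits in directory $1, then a
# CSR and a CA-signed server certificate, mirroring the root/ and server/
# wallets described in "Self Signed Certificates" (file names constructed).
make_test_pki() {
    d="$1"; bits="$2"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 30 -subj "/CN=Test CA $bits" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=oid.example.com" \
        -keyout "$d/serverkey.pem" -out "$d/creq.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$d/creq.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/cert.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
mkdir "$work/test_ca" "$work/real_ca"
make_test_pki "$work/test_ca" 1024   # like the generated test CA
make_test_pki "$work/real_ca" 2048   # stands in for your own PKI after the swap

if chains_to_ca "$work/test_ca/cert.pem" "$work/test_ca/cacert.pem"; then
    echo "server certificate accepted with the CA that signed it"
fi
if ! chains_to_ca "$work/test_ca/cert.pem" "$work/real_ca/cacert.pem"; then
    echo "same certificate rejected with a different CA: clients need the PEM of the CA that actually signed it"
fi
echo "test CA key: $(cert_key_bits "$work/test_ca/cacert.pem") bits; your CA: $(cert_key_bits "$work/real_ca/cacert.pem") bits"
rm -rf "$work"
```

The rejected case is the one that matters after the swap: a client that still holds the test CA PEM rejects the new CA-signed server certificate and LDAP authentication stops working until oid-test-ca.pem has been replaced on that client.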

3.5 Configuring Oracle Internet Directory for Centralized Password Policies

To use Oracle Internet Directory for centralized password policies, you must disable value and state policies local to the operating system.

After you do that, users can invoke the passwd tool as usual to change their password. Violations of Oracle Internet Directory password value policies produce error messages in the log files beginning with Password Policy Error.

3.5.1 Disabling Value Policies Local to the Operating System

Most Linux distributions are configured by default to use the cracklib library to perform end-user supplied password quality validations. When using a centralized password policy enforced in Oracle Internet Directory, you might want to disable the local validations in order to avoid conflicts between the two policies.

On Oracle Enterprise Linux and Red Hat Linux, you can do this as follows:

  1. Locate the following line in /etc/pam.d/system-auth and comment it out:

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    
  2. Locate all subsequent lines beginning with password and remove use_authtok from those lines.

3.5.2 Disabling State Policies Local to the Operating System

As mentioned previously, state policies on Linux are enforced through the password aging feature enabled by the shadow password information. The operating system parses the shadow information on each account and enforces state policies locally.

In Red Hat Enterprise Linux or Oracle Enterprise Linux, you can disable password aging for accounts created under Oracle Internet Directory by modifying /etc/libuser.conf to use -1 as the default value for LU_SHADOWINACTIVE, LU_SHADOWEXPIRE and LU_SHADOWWARNING in the [userdefaults] section of the file.

For accounts that already exist in Oracle Internet Directory, or that are to be migrated to Oracle Internet Directory, you must set shadowmax=99999 and shadowexpire=-1 to disable password expiration.
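As an added example that is not part of this guide or of the Oracle scripts, the following shell functions carry out the two local edits described in "Disabling Value Policies Local to the Operating System" and "Disabling State Policies Local to the Operating System" on whatever files they are given, so the change can be rehearsed on copies before touching /etc/pam.d/system-auth and /etc/libuser.conf. The sample system-auth and libuser.conf contents are constructed for the demonstration; the functions assume the Red Hat style layout shown above (pam_cracklib on a "password requisite" line, a single [userdefaults] section) and keep a copy of each file they rewrite.

```shell
#!/bin/sh
# Added example (not from the Oracle guide or its scripts): disable the
# local value and state password policies so that Oracle Internet Directory
# can enforce them centrally. Each function takes a file path, keeps a copy
# with an .oracle_backup suffix, and rewrites the file in place.

# Value policy: comment out the pam_cracklib line and drop use_authtok from
# the remaining "password" lines. The commented line no longer matches the
# second expression, so its own options (retry=3) are left untouched.
disable_local_value_policy() {
    f="$1"
    cp -p "$f" "$f.oracle_backup"
    sed -e '/^password[[:space:]].*pam_cracklib\.so/s/^/#/' \
        -e '/^password[[:space:]]/s/[[:space:]]use_authtok//' \
        "$f.oracle_backup" > "$f"
}

# State policy: inside [userdefaults], set LU_SHADOWINACTIVE, LU_SHADOWEXPIRE
# and LU_SHADOWWARNING to -1, adding any that are missing before the next section.
disable_local_state_policy() {
    f="$1"
    cp -p "$f" "$f.oracle_backup"
    awk '
    BEGIN { want["LU_SHADOWINACTIVE"] = 1; want["LU_SHADOWEXPIRE"] = 1; want["LU_SHADOWWARNING"] = 1 }
    function add_missing(k, n) { for (k in want) if (!(k in seen)) { print k " = -1"; seen[k] = 1; n++ }; return n }
    /^\[/ { if (in_ud && add_missing()) print ""; in_ud = ($0 == "[userdefaults]") }
    in_ud && /^[ \t]*LU_SHADOW(INACTIVE|EXPIRE|WARNING)[ \t]*=/ {
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
        print key " = -1"; seen[key] = 1; next
    }
    { print }
    END { if (in_ud) add_missing() }
    ' "$f.oracle_backup" > "$f"
}

# Checks to run afterwards; each returns 0 when the local policy is off.
value_policy_disabled() {
    ! grep -Eq '^password[[:space:]].*(pam_cracklib|use_authtok)' "$1"
}
state_policy_disabled() {
    for key in LU_SHADOWINACTIVE LU_SHADOWEXPIRE LU_SHADOWWARNING; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*-1[[:space:]]*$" "$1" || return 1
    done
}

# Constructed sample files (not copied from a real system) for a rehearsal.
demo_dir=$(mktemp -d)
cat > "$demo_dir/system-auth" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
EOF
cat > "$demo_dir/libuser.conf" <<'EOF'
[defaults]
modules = files shadow ldap

[userdefaults]
LU_USERNAME = %n
LU_SHADOWEXPIRE = 99999

[groupdefaults]
LU_GROUPNAME = %n
EOF

disable_local_value_policy "$demo_dir/system-auth"
disable_local_state_policy "$demo_dir/libuser.conf"
value_policy_disabled "$demo_dir/system-auth" && echo "local value policy off"
state_policy_disabled "$demo_dir/libuser.conf" && echo "local state policy off"
echo "rehearsal files left in $demo_dir"
```

Run the two check functions against the real files after editing them; if state_policy_disabled fails on a system whose libuser.conf has no [userdefaults] section, add the section and the three keys by hand, since the function only edits an existing one.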

3.6 Switching Between SSL Authentication and Non-SSL Configurations

If you have configured non-SSL authentication, you can switch to SSL authentication as follows:

  1. Copy sslConfig_OIDserver.sh and sslConfig_OIDclient.sh to $ORACLE_HOME/ldap/bin. Copy oasconfig.ldif to $ORACLE_HOME/ldap/admin.

  2. On the server, run the script sslConfig_OIDserver.sh. Optionally, you can disable the non-SSL port by following the instructions in the Oracle Internet Directory Administrator's Guide.

  3. Copy the sslConfig_OIDclient.sh script generated on the server to the client machine and run this script as root.

If you have configured SSL authentication, you can switch to non-SSL authentication as follows:

  1. On the server, run the script config_OIDserver.sh. Optionally, you can disable the SSL port by following the instructions in the Oracle Internet Directory Administrator's Guide.

  2. Copy the config_OIDclient.sh script generated on the server to the client machine and run this script as root.

3.7 Rerunning the Configuration Scripts

There are occasions when you might need to rerun the configuration scripts. For example, you might want to regenerate the wallet or certificate if the old one is compromised or expired.

First, rerun the configuration script on the server.

  1. Copy the following scripts from the release to $ORACLE_HOME/ldap/bin:

    • config_OIDclient.sh or sslConfig_OIDclient.sh

    • config_OIDserver.sh or sslConfig_OIDserver.sh

  2. Copy oasconfig.ldif from the release to $ORACLE_HOME/ldap/admin.

  3. Execute config_OIDserver.sh or sslConfig_OIDserver.sh as the user who installed Oracle Internet Directory.

Then, rerun the script on each client.

  1. Copy the latest version of the client scripts from $ORACLE_HOME/ldap/bin on the Oracle Internet Directory server machine to each client machine.

  2. Execute config_OIDclient.sh or sslConfig_OIDclient.sh on each client machine as root.

3.8 Restoring the Client and Server to Their Pre-Configuration State

If necessary, you can restore your client computers to the state they were in before you ran config_OIDclient.sh or sslConfig_OIDclient.sh. To do so, locate directories under /etc with names of the form oracle_backup_time_stamp. For example, a backup directory created 18:54:46 on Jan. 13 2008 would have the name /etc/oracle_backup_20080113185446. If there is more than one backup directory, in most cases, you need to use the backup files in the earliest backup directory.

3.8.1 Restoring the Client

Perform these steps to restore the client:

  1. Copy the following files, as root, from the backup directory to the specified destinations:

    • Copy openldap_ldap.conf to /etc/openldap/ldap.conf.

    • Copy all the files under backup-directory/pam.d/ to /etc/pam.d.

    • On SuSE, copy pam_unix2.conf to /etc/security/ and copy ldap to /etc/sysconfig.

    • On Solaris, copy all the files under backup-directory/restore to /var/ldap/restore.

    • Copy all other files in the backup directory to /etc.

  2. Execute the following commands:

    • On Red Hat or Oracle Enterprise Linux:

      authconfig --disableldapauth --update
      
    • On SuSE Linux:

      /etc/init.d/nscd restart
      /etc/init.d/sshd restart
      
    • On Solaris:

      ldapclient uninit
      
    • On HP-UX:

      Edit the file /etc/opt/ldapux/ldapclientd.conf. Change the value of the StartOnBoot parameter to enable=no. Then execute the following command:

      kill -9 `cat /etc/opt/ldapux/ldapclientd.pid`
      
    • On AIX:

      stop-secldapclntd
      
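The following shell functions are an added example, not part of this guide or of the Oracle scripts. They pick the earliest oracle_backup_time_stamp directory, as recommended above, and copy the saved files back to the destinations listed in step 1 for Linux and SuSE. The etc root is a parameter so the restore can be rehearsed on a constructed copy, which is what the script does here; the Solaris copy to /var/ldap/restore and the per-platform commands in step 2 are left to the administrator.

```shell
#!/bin/sh
# Added example (not from the Oracle guide or its scripts): restore a client
# from the backup directory that config_OIDclient.sh / sslConfig_OIDclient.sh
# created. The etc root is a parameter so this can be rehearsed on a copy;
# point it at /etc as root only once the rehearsal looks right.

# Print the earliest oracle_backup_<timestamp> directory under etc root $1.
# Timestamps are YYYYMMDDHHMMSS, so lexical order is chronological order, and
# the earliest one holds the pre-configuration files (a later rerun backs up
# files that were already LDAP-enabled).
earliest_backup() {
    ls -d "$1"/oracle_backup_[0-9]* 2>/dev/null | sort | head -n 1
}

# Copy the saved files in backup directory $1 back under etc root $2,
# following the destinations listed in "Restoring the Client" (Linux and SuSE).
restore_client_files() {
    bk="$1"; etc="$2"
    [ -d "$bk" ] || { echo "no backup directory: $bk" >&2; return 1; }
    for p in "$bk"/pam.d/*; do                       # PAM stack
        [ -f "$p" ] && { mkdir -p "$etc/pam.d"; cp -p "$p" "$etc/pam.d/"; }
    done
    for f in "$bk"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            openldap_ldap.conf) mkdir -p "$etc/openldap";  cp -p "$f" "$etc/openldap/ldap.conf" ;;
            pam_unix2.conf)     mkdir -p "$etc/security";  cp -p "$f" "$etc/security/" ;;   # SuSE
            ldap)               mkdir -p "$etc/sysconfig"; cp -p "$f" "$etc/sysconfig/" ;;  # SuSE
            *)                  cp -p "$f" "$etc/" ;;                                        # everything else
        esac
    done
}

# Constructed rehearsal tree (not a real system): a fake etc root holding two
# backup directories, the first from the original client run and the second
# from a rerun, with the current files in their post-configuration state.
root=$(mktemp -d); etc="$root/etc"
mkdir -p "$etc/openldap" "$etc/pam.d"
first="$etc/oracle_backup_20080113185446"; second="$etc/oracle_backup_20080115093000"
mkdir -p "$first/pam.d" "$second/pam.d"
printf 'BASE dc=example,dc=com\n'         > "$first/openldap_ldap.conf"
printf 'auth sufficient pam_unix.so\n'     > "$first/pam.d/system-auth"
printf 'passwd: files\n'                   > "$first/nsswitch.conf"
printf 'URI ldaps://oid.example.com:636\n' > "$second/openldap_ldap.conf"
printf 'auth sufficient pam_ldap.so\n'     > "$second/pam.d/system-auth"
printf 'passwd: files ldap\n'              > "$second/nsswitch.conf"
cp -p "$second/openldap_ldap.conf" "$etc/openldap/ldap.conf"
cp -p "$second/pam.d/system-auth" "$etc/pam.d/"
cp -p "$second/nsswitch.conf" "$etc/"

chosen=$(earliest_backup "$etc")
echo "restoring from $chosen"
restore_client_files "$chosen" "$etc"
cat "$etc/nsswitch.conf"
```

Picking the earliest directory matters because the second backup was taken by a rerun after the client had already been switched to LDAP; restoring from it would leave pam_ldap and the LDAP nsswitch entries in place.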

3.8.2 Restoring the Server

There is nothing to restore on the server. See the Oracle Internet Directory Administrator's Guide if you want to stop the Oracle Internet Directory server or to disable the SSL or non-SSL port.