|Oracle® Fusion Middleware Integration Guide for Oracle Identity Management
11g Release 1 (11.1.1)
Part Number E10031-01
This chapter discusses the most important aspects of security in Oracle Directory Integration Platform. It contains these topics:
Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the
It is important that each component in Oracle Directory Integration Platform be properly authenticated before it is allowed access to the directory.
This section contains these topics:
You can deploy Oracle Directory Integration Platform only when Oracle Internet Directory is operating with Secure Socket Layer (SSL). SSL implementation supports these modes:
No authentication—Provides SSL data encryption, but does not use SSL for authentication.
SSL server authentication—Includes both SSL data encryption and SSL authentication of the server to the client. In Oracle Directory Integration Platform, the server is the directory server, and the client is the Oracle Directory Integration Platform.
The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and certificates to be stored in the Java Keystore (JKS).
To use SSL with Oracle Directory Integration Platform, you must start both the Oracle Internet Directory and Oracle Directory Integration Platform in the same SSL mode. For example, if Oracle Internet Directory is running in SSL mode 1, then Directory Integration Platform must be configured to connect to Oracle Internet Directory using the same SSL mode 1.
See Also: The chapter on preliminary tasks and information in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions about starting the Oracle directory server in SSL mode.
The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration server in SSL server authentication mode. In this case, the directory server provides its certificate to the directory integration server, which acts as the client of Oracle Internet Directory.
You can also configure the Oracle Directory Integration Platform to use SSL when connecting to a third-party directory. In this case, you store the connected directory certificates in the Java Keystore (JKS) as described in "Managing the SSL Certificates of Oracle Internet Directory and Connected Directories".
Within Oracle Internet Directory, an integration profile represents a user with its own distinguished name (DN) and password. The users who can access the profiles are:
The administrator of Oracle Directory Integration Platform, represented by the DN
cn=dipadmin,cn=dipadmins,cn=directory integration platform,cn=products,cn=oraclecontext
Members of the Oracle Directory Integration Platform administrator group, represented by the DN
cn=odisgroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext
When the Oracle Directory Integration Platform imports data to Oracle Internet Directory based on an integration profile, it proxy-binds to the directory as that integration profile. The Oracle Directory Integration Platform can bind in either SSL or non-SSL mode.
Authorization is the process of ensuring that a user reads or updates only the information for which he or she has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user—identified by the authorization identifier associated with the session—has the requisite permissions to perform those operations. If the user does not have the necessary permissions, then the directory server disallows the operation. Through this mechanism, called access control, the directory server protects directory data from unauthorized operations by directory users.
To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration server and a connector, place appropriate access policies in the directory.
This section discusses these policies in detail. It contains these topics:
The Oracle Directory Integration Platform binds to the directory both as itself and on behalf of the profile, as follows:
When it binds as itself, it can cache the information in various integration profiles. This enables the directory integration server to schedule synchronization actions to be carried out by various connectors.
When the directory integration server operates on behalf of a profile, it acts as proxy for the profile—that is, it uses the profile credentials to bind to the directory and perform various operations. The directory integration server can perform only those operations in the directory that are permitted in the profile.
To establish and manage access rights granted to directory integration servers, Oracle Directory Integration Platform creates a group entry, called odisgroup, during installation. When a directory integration server is registered, it becomes a member of this group. The DN of this group is:
cn=odisgroup,cn=directory admins,cn=directory integration platform,cn=products,cn=oraclecontext
You control the access rights granted to directory integration servers by placing access control policies in the odisgroup entry. The default policy grants various rights to directory integration servers for accessing the profiles. For example, the default policy enables the directory integration server to compare user passwords between Oracle Internet Directory and a connected directory when it binds as a proxy on behalf of a profile. It also enables directory integration servers to modify status information in the profile—such as the last successful execution time and the synchronization status.
During installation, Oracle Directory Integration Platform creates a group entry called odipgroup that enables you to control the access rights granted to various profiles. For additional security, the odipigroup and odipegroup groups are also created during installation. All import profiles are assigned to the odipigroup group and all export profiles are assigned to the odipegroup group. Rights are controlled by placing appropriate access policies in the odipgroup entry. The default access policy, automatically installed with the product, grants to profiles certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the parameter named orclodipConDirLastAppliedChgTime. The default access policy also permits profiles to access Oracle Internet Directory change logs, to which access is otherwise restricted.
See Also: The chapter on access control, specifically the section about security groups, in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions about setting access control policies for group entries.
Oracle Directory Integration Platform ensures that data is not modified, deleted, or replayed during transmission by using SSL. This SSL feature generates a cryptographically secure message digest—through cryptographic checksums using either the Message-Digest algorithm 5 (MD5) or the Secure Hash Algorithm (SHA)—and includes the message digest with each packet sent across the network.
Oracle Directory Integration Platform ensures that data is not disclosed during transmission by using public-key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.
To exchange data securely between the directory integration server and Oracle Internet Directory, you must run both components in the same SSL mode.
You can run all the commonly used tools in SSL mode to transmit data to Oracle Internet Directory securely, including Oracle Enterprise Manager Fusion Middleware Control.
Oracle Directory Integration Platform uses the Credential Store Framework of the Oracle Application Server 11g infrastructure. The following is a list and description of the credentials Oracle Directory Integration Platform stores in this Credential Store Framework:
The Oracle Directory Integration Platform user password. The password is created during installation, stored as read-only, and read by run-time operations.
The JKS password. The JKS password is used if the Server Only (mode 2) SSL setting is configured for connecting to Oracle Internet Directory or a third-party directory. You can use the WebLogic Scripting Tool (WLST) createCred() command to write the keystore password to the Credential Store Framework. For example, after invoking the WLST shell and connecting to the Oracle WebLogic Admin Server using the connect() command, enter:
createCred(map="dip", key="jksKey", type="PC", user="userName", password="password")
The map and key options are fixed—the only supported values are
You can use the WLST listCred() command to view the keystore password in the Credential Store Framework. For example, after invoking the WLST shell and connecting to the Oracle WebLogic Admin Server using the connect() command, enter:
See Also: The Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for more information about the WLST commands.
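The credential-store steps above, as an added WLST script that is not part of this guide: it stores the keystore password on first setup or rotates it afterwards, then reads it back to confirm the write. The Admin Server URL, the admin account, the environment-variable names and the user value stored with the credential are assumptions; map="dip" and key="jksKey" are the fixed values the guide documents.

```wlst
# Added example, not from the Oracle documentation. Run it with the WLST shell:
#   wlst.sh store_dip_jks_cred.py create     (first-time setup)
#   wlst.sh store_dip_jks_cred.py update     (keystore password rotation)
# The Admin Server URL, admin account, environment variable names and the
# 'user' value stored with the credential are assumptions for this example.
import os
import sys

ADMIN_URL = 't3://adminhost.example.com:7001'       # assumed Admin Server URL
ADMIN_USER = 'weblogic'                              # assumed admin account
ADMIN_PASS = os.environ.get('WLS_ADMIN_PASSWORD')    # read secrets from the
JKS_PASS = os.environ.get('DIP_JKS_PASSWORD')        # environment, not the script

# Fixed values from the guide: the credential lives in map "dip", key "jksKey".
CRED_MAP = 'dip'
CRED_KEY = 'jksKey'

if len(sys.argv) != 2 or sys.argv[1] not in ('create', 'update'):
    print 'Usage: wlst.sh store_dip_jks_cred.py create|update'
    sys.exit(1)
if not ADMIN_PASS or not JKS_PASS:
    print 'Set WLS_ADMIN_PASSWORD and DIP_JKS_PASSWORD before running.'
    sys.exit(1)

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)

if sys.argv[1] == 'create':
    # First-time setup: the same call the guide shows, with the password taken
    # from the environment instead of typed into an interactive shell.
    createCred(map=CRED_MAP, key=CRED_KEY, type='PC', user='dipJks',
               password=JKS_PASS, desc='DIP keystore password')
else:
    # Rotation: after the JKS password is changed with keytool, replace the
    # stored value in place rather than deleting and re-creating the credential.
    updateCred(map=CRED_MAP, key=CRED_KEY, user='dipJks',
               password=JKS_PASS, desc='DIP keystore password')

# Read the credential back to confirm the write. listCred prints the password
# in clear text, so run this only from a trusted administrative host.
listCred(map=CRED_MAP, key=CRED_KEY)

disconnect()
exit()
```

After a rotation, restart Oracle Directory Integration Platform so that run-time operations pick up the new keystore password from the Credential Store Framework.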