Oracle Enterprise Manager Administrator's Guide
Release 9.2.0

Part Number A96670-01

9 Enterprise Security Management

This chapter describes the component of Oracle Enterprise Manager used to administer Enterprise User Security for the Advanced Security Option. The chapter explains the use of Enterprise Manager within a simple scenario in which an Oracle Internet Directory server is used as the central repository for users in a large organization. It contains the following sections:

Overview of Enterprise Security Manager

Oracle Enterprise Security Manager provides an easy-to-use graphical interface to administer enterprise user security and access control for large numbers of databases in your enterprise environment through the Oracle Internet Directory server. You use Oracle Enterprise Security Manager to perform the following tasks:

You start Enterprise Security Manager from the MS Windows Start menu, or by issuing the "esm" command on a UNIX command line. Upon logging in, Enterprise Security Manager appears as shown in Figure 9-1, "Enterprise Security Manager", provided that the Directory contains at least the Oracle9i Default Oracle Context.

Figure 9-1 Enterprise Security Manager


Enterprise Security Manager manages one Directory Server, identified at the top of the main application tree. It has a series of menu operations that apply to this Directory Server.

Users are managed in the Directory using Enterprise Security Manager. The application shows the Directory to which it is connected and allows you to add, delete and browse Users in that Directory. Enterprise Security Manager may also be used to manage Oracle Contexts in the Directory. An Oracle Context is an area of structured information in the Directory that Oracle8i and Oracle9i products recognize; it also defines an administrator hierarchy for managing the data held in Oracle Contexts for different Oracle product areas.

This chapter is presented in two parts: Administering Users and Administering Oracle Contexts. It uses the example of the "AppsOnline" Application Service Provider to illustrate both facets of Enterprise User Security management.

Introduction to Directory Servers

A Directory Server may be used as a general-purpose means to centralize definitions of user and server access information over an entire network. As well as storing naming information, the Directory may be employed to centralize password definitions, digital certificates and application authorizations for the users that it defines. This is possible in the particular case of Oracle Internet Directory because it allows for secured access to, and modification of, sensitive information held in the Directory such as passwords or application authorizations.

This chapter uses as its example an Application Service Provider called "AppsOnline". AppsOnline has a large set of Oracle9i Databases that it uses to host different types of Application Software for its customers. AppsOnline needs to manage administrative access to these databases for its IT staff.

Figure 9-2 AppsOnline Hierarchy




AppsOnline maintains Oracle9i databases on which three types of Application are hosted for its customers: Human Resources, Inventory and Billing. One customer, "TaxTime.com", subscribes to AppsOnline for its Human Resources Applications. A second customer, "CelticTravel.com", subscribes to the company for its Billing Applications. A third company, "UKMusic.com", subscribes to the company for its Inventory Management Applications.

AppsOnline dedicates some of its databases to each customer and manages these databases on behalf of the customer. The company uses an Oracle Internet Directory to hold information about its own employees, the databases on which it hosts Applications, and the customers for whom it provides a service. In the course of its business, the company may wish to manage administrative access to its databases by its IT employees, and to manage access rights to information in these databases based upon each type of customer Application that it supports.

This chapter will illustrate how Oracle Enterprise Manager may be used in this example scenario.

Installing and Configuring Your Enterprise Security Environment

Task 1: Configure an Oracle Internet Directory

Task 2: Install Oracle Enterprise Manager

Task 3: Configure Oracle Enterprise Manager for Enterprise User Security

Task 4: Start Oracle Enterprise Security Manager

Task 5: Log On To the Directory

Task 1: Configure an Oracle Internet Directory

Oracle9i Enterprise User Security is based wholly around an Oracle Internet Directory. The Directory Server must be properly installed and configured before Enterprise Manager may be used to manage Enterprise User Security. The following stages of Oracle Internet Directory configuration must be complete before proceeding:

  1. Either an Oracle8i or Oracle9i Internet Directory is installed, running and accessible over both standard LDAP and Secure Sockets Layer enabled LDAP (LDAP/SSL). For more information please refer to the Oracle Internet Directory Administrator's Guide.
  2. The Oracle Internet Directory has been configured to support Oracle9i Directory Schema Objects and contains an Oracle9i Default Oracle Context. In the case of a version 9i Oracle Internet Directory these requirements may already be in place. Otherwise, the Oracle9i Directory Schema Objects and Default Oracle Context may be configured on the Directory Server using the Oracle Net Configuration Assistant. For more information please refer to the Oracle Net Configuration Assistant Administrator's Guide.

Task 2: Install Oracle Enterprise Manager

Oracle Enterprise Manager is automatically installed with the Oracle9i Enterprise Edition Server Install and includes all necessary functionality for Enterprise User Security. Oracle Enterprise Manager is also installed by default with the Oracle9i Infrastructure Install at the same time as Oracle Internet Directory. Oracle Enterprise Manager may also be installed separately in its own ORACLE_HOME using the custom install option.

Task 3: Configure Oracle Enterprise Manager for Enterprise User Security

Oracle Enterprise Manager may be used to manage Enterprise User Security in two modes of operation. The Oracle9i Enterprise Manager Console may be used to connect to the Oracle9i Management Server (OMS) and discover a Directory Server to manage. Alternatively, a dedicated application called "Enterprise Security Manager" may be launched from the same ORACLE_HOME as Enterprise Manager and used to connect directly to the Directory Server. In either mode of operation, functionality is identical. Only the latter mode, using the Enterprise Security Manager application, is used in this chapter.

Enterprise Security Manager does not require any special configuration in order to run. However, all Oracle Databases in the enterprise that need to use Enterprise User Security should be accessible over Oracle Net from the Enterprise Manager ORACLE_HOME.

Task 4: Start Oracle Enterprise Security Manager

To launch Enterprise Security Manager from the Enterprise Manager ORACLE_HOME, enter the following at the command line:

> esm

This causes the Directory Log On box to appear.

Figure 9-3 Directory Login Dialog


Task 5: Log On To the Directory

Enterprise Security Manager offers three ways to connect to a Directory Server, selected by choosing the appropriate option in the Log On box. These options are listed in the table below.

Table 9-1 Directory Connection Methods

Authentication Type         Description
--------------------------  -----------
Password Authentication     Uses Simple Authentication, requiring a distinguished name or a known directory nickname and a password.
SSL Client Authentication   Uses two-way SSL Authentication in which both the client and server use Oracle Wallets containing digital certificates. The subsequent connection is then encrypted.
Native Authentication       Applies only to Microsoft Windows NT or Windows 2000 and uses Operating System level authentication to log on to a Microsoft Active Directory.



For example, Password Authentication may be selected when using the orcladmin Oracle Internet Directory super user name and password to log on.

Administering Users

Enterprise Security Manager may be used to Create Users in the Directory. This is done by selecting "Create Enterprise User..." from the Operations Menu.

Figure 9-4 Operations Menu


The Create User window appears, in which you enter the name and location of the new User in the Directory.

Oracle Wallets

Oracle wallets are data structures that contain a user private key, a user certificate, and a set of trust points (the list of root certificates the user trusts). Enterprise Security Manager functionality pertaining to Oracle Wallets only appears in the Create User or Edit User screens when running in an ORACLE_HOME that has been configured for this purpose to use Oracle PKI Products. First, you must generate a Certificate Signing Authority (CA) for Enterprise Security Manager. This is done by running "esm -genca" on the command line. The following example shows the expected output from running this utility.

> esm -genca
Generating CA Private Key. Please Wait..

Enter a Wallet Administrator Password to protect access 
to your CA private key: test_password

A CA has been created for Enterprise Security Manager. 
You must remember your Wallet Administrator Password. It is required 
by Enterprise Security Manager to generate new Oracle Wallets.

Note:

When you invoke esm -genca to generate a new CA for Enterprise Security Manager, a default identity is created for your CA using 'ORACLE' as the value for all X.500 name components of the CA certificate.

You may define your own individual values to be used for the CA identity by editing the ORACLE_HOME/sysman/admin/esmca.properties file.

You must run esm -genca again after modifying this file.




Specifying a new User Name

Figure 9-5 Create User Property Sheet: User Naming Page


The following fields are mandatory for creation of a new User in the Directory:

Table 9-2 Create User Property Sheet: User Naming Page Mandatory Fields

Field       Description
----------  -----------
Base        The entry point in the Directory at which the new User will be created.
First name  First half (Christian Name) of the new User's full name.
Surname     Second half (Surname) of the new User's full name.
User ID     The logon identifier that the user may use to access databases and applications.



The following additional fields are not mandatory for creation of a new User in the Directory but may be recorded for the new User if desired.

Table 9-3 Create User Dialog: Non-mandatory Fields

Field          Description
-------------  -----------
Apply Suffix   This is the current value of any common User ID suffix that is always applied to the end of the User ID for a new User. For example, <User ID>.us.acme.com
Email Address  The email address to record in the Directory for the new User, if desired.
cn=            This is the Common Name component (cn=) of the Distinguished Name of the new User in the Directory. By default it is set to the full name of the new User; however, you can override the value if you wish to force a particular value for the "cn=" portion of the User's Distinguished Name.



Specifying a Directory Base

All Users in the Directory must exist at a particular "Base" within the Directory. The Base can be any existing Directory Entry, such as a Country Entry (for example, "c=US") or an Organization Entry (for example, "o=Acme, c=US"). Many Users would typically share the same Base. This Base identifies all the Users contained under it as belonging to the same high-level organization.

The Base at which to create a new User can be entered in the Base field in the Create User screen. However, you may explore the entire Directory to choose a suitable Base by clicking on the Browse... button. The Browse Directory dialog will appear.

Figure 9-6 Browse Directory Dialog


The Browse Directory screen lets you navigate the directory by drilling down into each entry from the top of the Directory Tree. When a Directory Entry is selected its Distinguished Name is placed in the Selection field. To accept the selected Distinguished Name choose the OK button. This value will then be returned as the selected Base for a new Directory User.


Note:

This value will be preserved for all subsequent operations that create or search for Users in the Directory. However you may change it as many times as you like.
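As an added example, not code from the Oracle manual or product, the following Python shows how the Create User page's fields combine into the new User's Distinguished Name and User ID: the cn= value (the full name unless overridden) is prefixed to the selected Base, and the Apply Suffix value is appended to the User ID. The cn= value is escaped as RFC 4514 requires, because a comma or plus sign in a person's name would otherwise be read as a separate DN component and place the entry somewhere other than the chosen Base. The function names and the sample names, Base and suffix are assumptions constructed for this example.

```python
"""Compose the DN and User ID the Create User page would produce (added example)."""
from typing import Optional

# RFC 4514 section 2.4: characters that must be escaped anywhere inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a Distinguished Name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would mark a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces must be escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(base: str, first_name: str, surname: str,
                  cn_override: Optional[str] = None) -> str:
    """Return 'cn=<full name>,<Base>'. By default cn is the full name, as on the
    User Naming page; cn_override mirrors typing a value into the cn= field."""
    if not base.strip():
        raise ValueError("Base must name an existing Directory entry")
    cn = (cn_override if cn_override else f"{first_name} {surname}").strip()
    if not cn:
        raise ValueError("cn= value must not be empty")
    return f"cn={escape_dn_value(cn)},{base}"


def build_user_id(user_id: str, suffix: Optional[str] = None) -> str:
    """Apply the common User ID suffix if one is configured, e.g. jsmith -> jsmith.us.acme.com."""
    if not user_id or any(c.isspace() for c in user_id):
        raise ValueError("User ID must be a single non-empty token")
    return f"{user_id}.{suffix}" if suffix else user_id


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    print(build_user_dn("o=Acme,c=US", "Larry", "Ellison"))
    print(build_user_dn("o=Acme,c=US", "John", "Smith", cn_override="Smith, John"))
    print(build_user_id("jsmith", "us.acme.com"))
```

The second sample shows why the escaping matters: an overridden cn= value of "Smith, John" yields cn=Smith\, John,o=Acme,c=US, a single entry directly under the Base, rather than a DN with an extra component.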




Specifying a new User Password

The second Tab Panel of the New User screen allows you to set an initial password for the new User in the Directory. This will be the new User's initial password for:

Figure 9-7 Create User Property Sheet: Password Page


When entering a password, you may accept a default first-time password for the new User or enter the first-time password manually. In either case, the new User must change the password immediately after its first use.

Specifying an Initial Enterprise Role Assignment

Enterprise Roles are discussed later in this Chapter. At the time of User creation you may select any previously configured Enterprise Roles and grant them to the new User.

Figure 9-8 Create User Property Sheet: Enterprise Roles


To select one or more Enterprise Roles to grant to the new User at this time choose Add... in the Enterprise Roles page of the Create User screen. The Add Enterprise Roles Page will appear from which you can choose any Enterprise Roles in your Oracle Context to assign to the new User.

Figure 9-9 Add Enterprise Roles Dialog


Specifying an Oracle Wallet

An Oracle Wallet containing a new Digital Certificate, Private Key and Certificate Trustpoints may be generated for the new User in an encrypted binary format. The Oracle Wallet will be stored with the new User in the Directory Server as part of the Directory Entry for the User.


Note:

This functionality is only available AFTER you have run the esm -genca command in your environment.




Figure 9-10 Create User Property Sheet: Wallet


The Distinguished Name under which the new User will be created is used by default as the Distinguished Name for the Digital Certificate to be contained in the new User's Oracle Wallet. It is always good practice to let the Distinguished Names of User Certificates correspond to their Distinguished Names in the Directory. However, you may edit the Distinguished Name to be used for the Certificate before generating the Wallet by editing the contents of the Issued For: field.

An Oracle Wallet will be created when you click on the Generate Wallet... button.

Browsing Users in the Directory

Enterprise Security Manager allows you to browse all Users that are currently stored in the Directory. This is done by selecting the All Users page from the Directory at the top of the main application tree.

Figure 9-11 All Users Page


To search for one or more Users in the Directory, set the Search Criteria and choose the Search Now button to perform a new search for Users based upon the given Search Criteria. The All Users page refreshes to show the results of this search. There are three factors to User Search Criteria:

Table 9-4 User Search Criteria

Search Criteria        Effect on the Search
---------------------  --------------------
Base                   This is the Base Entry in the Directory at which the search will be performed. Any Users returned in the search exist under this Base in the Directory.
Include Subtrees       This determines whether to show all Users in the Directory anywhere under the selected Base, or only those Users that exist specifically at that Base location in the Directory.
Show Names Containing  This limits the entire search to only those Users whose Directory Entries have a Common Name that starts with a specified pattern. This is useful if the exact name or Base of the desired User is not known.



For example, the Search Criteria may be set to search this Directory for a User given only that the Base is dc=oracle, dc=com and the first name is "Larry".
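As an added example, not code from the Oracle manual or product, the following Python maps the three Search Criteria in Table 9-4 onto the elements of an LDAP search request (base, scope and filter) and evaluates the same semantics against a small constructed in-memory directory, so the effect of Include Subtrees and the prefix match of Show Names Containing can be checked offline. The name pattern is escaped as RFC 4515 requires before it is placed in the filter, so characters a user types, such as "*" or ")", are matched literally and cannot alter the filter's structure. The function names, the directory entries and the DNs are assumptions constructed for this example; the scope numbers are the LDAP values from RFC 4511.

```python
"""Translate All Users page search criteria into an LDAP search and run it (added example)."""
from typing import Any, Dict, List, Tuple

# LDAP search scopes (RFC 4511): 1 = singleLevel, 2 = wholeSubtree.
SCOPE_ONE_LEVEL = 1
SCOPE_SUBTREE = 2

# Constructed sample directory: DN -> attributes. No DN here contains an escaped comma.
CONSTRUCTED_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "ou=Sales,dc=oracle,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=Larry Ellison,ou=Sales,dc=oracle,dc=com": {"cn": "Larry Ellison", "objectClass": ["person"]},
    "cn=Larry Page,dc=oracle,dc=com": {"cn": "Larry Page", "objectClass": ["person"]},
    "cn=Lars Olsen,dc=oracle,dc=com": {"cn": "Lars Olsen", "objectClass": ["person"]},
    "cn=Mary Jones,dc=oracle,dc=com": {"cn": "Mary Jones", "objectClass": ["person"]},
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_search(base: str, include_subtrees: bool,
                      name_pattern: str = "") -> Tuple[str, int, str]:
    """Return (base, scope, filter) for the Search Criteria of Table 9-4."""
    scope = SCOPE_SUBTREE if include_subtrees else SCOPE_ONE_LEVEL
    # Show Names Containing matches Common Names that start with the pattern, so the
    # wildcard goes at the end only. An empty pattern returns every person entry.
    if name_pattern:
        flt = f"(&(objectClass=person)(cn={escape_filter_value(name_pattern)}*))"
    else:
        flt = "(objectClass=person)"
    return base, scope, flt


def _norm(dn: str) -> str:
    """Normalize a DN for comparison: trim spaces around components, ignore case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _parent_dn(dn: str) -> str:
    """Parent of a DN; adequate for the constructed entries, which have no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else ""


def run_user_search(directory: Dict[str, Dict[str, Any]], base: str,
                    include_subtrees: bool, name_pattern: str = "") -> List[str]:
    """Evaluate the search locally with the request's semantics: scope picks the
    candidate entries, the filter (person entries whose cn starts with the pattern)
    picks the matches. Returns matching DNs in sorted order."""
    _, scope, _ = build_user_search(base, include_subtrees, name_pattern)
    nbase = _norm(base)
    results = []
    for dn, attrs in directory.items():
        if not _norm(dn).endswith("," + nbase):
            continue  # not beneath the Base at all
        if scope == SCOPE_ONE_LEVEL and _norm(_parent_dn(dn)) != nbase:
            continue  # Include Subtrees off: only entries directly at the Base
        if "person" not in attrs.get("objectClass", []):
            continue
        cn = str(attrs.get("cn", ""))
        # cn is a case-insensitive attribute; the typed pattern is a literal prefix.
        if cn.lower().startswith(name_pattern.lower()):
            results.append(dn)
    return sorted(results)


if __name__ == "__main__":
    print(build_user_search("dc=oracle,dc=com", True, "Larry"))
    print(run_user_search(CONSTRUCTED_DIRECTORY, "dc=oracle,dc=com", True, "Larry"))
    print(run_user_search(CONSTRUCTED_DIRECTORY, "dc=oracle,dc=com", False, "Larry"))
```

With the Base dc=oracle,dc=com and the pattern "Larry", the subtree search returns both Larry entries, while the same search with Include Subtrees off returns only the entry directly at the Base, which is the difference Table 9-4 describes.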

Figure 9-12 Base Search Criteria


After searching for Users in the Directory, any one user can be chosen from the list and edited. This is achieved either by selecting the User from the list in the All Users page and choosing the Edit... button or by double clicking on that User in the list.

Figure 9-13 Editing a User


When a User in the Directory is selected for Edit, its password, Enterprise Role assignments and Oracle Wallet can be modified in the same way as discussed during creation of a new User in the Directory.

Administering Oracle Contexts

An Oracle Context is a top level Entry in the Directory underneath which is contained the data used by any Directory aware Oracle product. Enterprise Security Manager allows you to manage database and security related information in the Directory under an Oracle Context.


Note:

Users do not need to be contained in the Directory within an Oracle Context. It is assumed that the Directory may define its Users for a wide variety of purposes. Oracle does not require that Users in a Directory be created within an Oracle Context, though it is still possible to do so.




Oracle Context Versions

An Oracle Context in the Directory may be either a version 8i or a version 9i Oracle Context. For Enterprise User Security, some functionality can only be managed using a 9i Oracle Context, for example "Password Authenticated Global Users". Enterprise Manager for Oracle9i may be used to manage version 9i Oracle Contexts as well as version 8i Oracle Contexts in the Directory.

Oracle Enterprise Security Manager displays in its main application tree all the Oracle Contexts that exist in the Directory Server. It will display both version 9i and version 8i Oracle Contexts, should they exist. In the example below Enterprise Security Manager is connected to an Oracle Internet Directory that has been configured to support the Oracle9i Directory Schema and an Oracle9i Default Oracle Context.

Specifying Properties of an Oracle Context

An Oracle Context has a number of general properties that can be viewed and managed in the General page when an Oracle Context is selected on the tree:

Figure 9-14 Viewing an Oracle Context Properties


Table 9-5 Context Property Description

Property                  Description
------------------------  -----------
Directory Location        This is the Directory Base of the Oracle Context. In the case of the Default Oracle Context this value is empty, as the Directory Base is the root of the Directory tree.
Version                   This identifies whether the Oracle Context supports 8i or 9i functionality.
Common User Search Bases  This is the list of Base locations in the Directory at which Users may commonly exist. Identifying a list of User Search Bases allows you to quickly browse the Users at those Directory Locations, and also indicates to 9i Databases in the Oracle Context where they may find Directory Users that connect to them.
User ID                   This is the name of the Attribute in a User Entry that determines the value of that User's User ID. User Entries have many different attributes. This setting controls the User ID with which Users can authenticate to Oracle9i databases, Directory Servers or Directory enabled Applications. Its default value is "cn", the Common Name of the Directory User.
Application GUID          This is the name of the Attribute in a User Entry in which unique Application GUID values will exist. It cannot be modified in this release.
Password Policy           This is the Password Policy syntax used by the Oracle9i database when authenticating Password Authenticated Global Users. It cannot be modified in this release.



Specifying User Search Bases

User Search Bases can be added to or removed from a version 9i Oracle Context using the Oracle Context General page.


Note:

This functionality is not available in version 8i Oracle Contexts.




To remove a User Search Base from the Oracle Context:

  1. Select a Search Base in the Common User Search Bases List and choose Remove... The Search Base will be removed from the List.
  2. Choose Apply; the User Search Base will be removed from the Oracle Context in the Directory.

To add a new User Search Base to an Oracle Context:

  1. Choose Add... The Common User Search Bases screen will appear.

Figure 9-15 User Search Base Dialog



Oracle
Copyright © 1996, 2002 Oracle Corporation.

All Rights Reserved.