2 Security Features in Oracle Directory Integration and Provisioning

This chapter discusses the most important aspects of security in Oracle Directory Integration and Provisioning. It contains these sections:

• Authentication in Oracle Directory Integration and Provisioning

• Access Control and Authorization and Oracle Directory Integration and Provisioning

• Data Integrity and Oracle Directory Integration and Provisioning

• Data Privacy and Oracle Directory Integration and Provisioning

• Tools Security and Oracle Directory Integration and Provisioning

Authentication in Oracle Directory Integration and Provisioning

Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.

It is important that each component in Oracle Directory Integration and Provisioning be properly authenticated before it is allowed access to the directory.

This section contains these topics:

• Secure Sockets Layer (SSL) and Oracle Directory Integration and Provisioning

• Oracle Directory Integration and Provisioning Server Authentication

• Profile Authentication

Secure Sockets Layer (SSL) and Oracle Directory Integration and Provisioning

You can deploy Oracle Directory Integration and Provisioning with or without Secure Socket Layer (SSL). SSL implementation supports these modes:

• No authentication—Provides SSL encryption of data, but does not use SSL for authentication.

• SSL server authentication—Includes both SSL encryption of data and SSL authentication of the server to the client. In Oracle Directory Integration and Provisioning, the server is the directory server, the client is the directory integration and provisioning server.

  The server verifies its identity to the client by sending a certificate issued by a trusted certificate authority (CA). This mode requires a public key infrastructure (PKI) and SSL wallets to hold the certificates.

To use SSL with Oracle Directory Integration and Provisioning, you must start both the Oracle directory server and Oracle directory integration and provisioning server in the SSL mode.

See Also: The chapter on preliminary tasks and information in Oracle Internet Directory Administrator's Guide for instructions on starting the Oracle directory server in SSL mode

Oracle Directory Integration and Provisioning Server Authentication

You can install and run multiple instances of the directory integration and provisioning server on various hosts. However, when you do this, beware of a malicious user either posing as the directory integration and provisioning server or using an unauthorized copy of it.

To avoid such security issues:

• Ensure that each directory integration and provisioning server is identified properly

• Ensure that, when you start a directory integration and provisioning server, it is properly authenticated before it obtains access to Oracle Internet Directory

Non-SSL Authentication

To use non-SSL authentication, register each directory integration and provisioning server by using the registration tool called odisrvreg.

The registration tool creates:

• An identity entry in the directory. The directory integration and provisioning server uses this entry when it binds to the directory

• An encrypted password. It stores this password in the directory integration and provisioning server entry.

• A private wallet on the local host. This wallet contains the security credentials, including an encrypted password. The name of the wallet is specified in the odi.properties file and it is stored in the $ORACLE_HOME/ldap/odi/conf directory.

When it binds to the directory, the directory integration and provisioning server uses the encrypted password in the private wallet.

Note: Ensure that the wallet is protected against unauthorized access.

See Also: "Manually Registering the Oracle Directory Integration and Provisioning Server" for instructions on registering the directory integration and provisioning server

Authentication in SSL Mode

The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration and provisioning server in the SSL server authentication mode. In this case, the directory server provides its certificate to the directory integration and provisioning server, which acts as the client of Oracle Internet Directory.

The directory integration and provisioning server is authenticated by using the same mechanism used in the non-SSL mode.

You can also configure the Oracle directory integration and provisioning server to use SSL when connecting to a third-party directory. In this case, you store the connected directory certificates in the wallet as described in "Managing the SSL Certificates of Oracle Internet Directory and Connected Directories".

Profile Authentication

Within Oracle Internet Directory, an integration profile represents a user with its own DN and password. The users who can access the profiles are:

• The administrator of Oracle Directory Integration and Provisioning (DIPAdmin), represented by the DN cn=dipadmin,cn=odi,cn=oracle internet directory

• Members of the Oracle Directory Integration and Provisioning administrator group (DIPAdminGroup), represented by the DN cn=dipadmingroup,cn=odi,cn=oracle internet directory

When the directory integration and provisioning server imports data to Oracle Internet Directory based on an integration profile, it proxy-binds to the directory as that integration profile.The Oracle directory integration and provisioning server can bind in either SSL and non-SSL mode.

Access Control and Authorization and Oracle Directory Integration and Provisioning

Authorization is the process of ensuring that a user reads or updates only the information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user— identified by the authorization identifier associated with the session—has the requisite permissions to perform those operations. If the user does not have the necessary permissions, then the directory server disallows the operation. Through this mechanism, called access control, the directory server protects directory data from unauthorized operations by directory users.

To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration and provisioning server and a connector, place appropriate access policies in the directory.

This section discusses these policies in detail. It contains these topics:

• Access Controls for the Oracle Directory Integration and Provisioning Server

• Access Controls for Profiles

Access Controls for the Oracle Directory Integration and Provisioning Server

The directory integration and provisioning server binds to the directory both as itself and on behalf of the profile.

• When it binds as itself, it can cache the information in various integration profiles. This enables the directory integration and provisioning server to schedule synchronization actions to be carried out by various connectors.

• When the directory integration and provisioning server operates on behalf of a profile, it proxies as the profile—that is, it uses the profile credentials to bind to the directory and perform various operations. The directory integration and provisioning server can perform only those operations in the directory that are permitted to the profile.

To establish and manage access rights granted to directory integration and provisioning servers, Oracle Directory Integration and Provisioning creates a group entry, called odisgroup, during installation. The DN of odisgroup is cn=odisgroup,cn=odi,cn=oracle internet directory. When a directory integration and provisioning server is registered, it becomes a member of this group.

You control the access rights granted to directory integration and provisioning servers by placing access control policies in the odisgroup entry. The default policy grants various rights to directory integration and provisioning servers for accessing the profiles. For example, the default policy enables the directory integration and provisioning server to compare user passwords between Oracle Internet Directory and a connected directory it binds as proxy on behalf of a profile. It also enables directory integration and provisioning servers to modify status information in the profile—such as the last successful execution time and the synchronization status.

Access Controls for Profiles

To control access to Oracle Internet Directory data by integration profiles, place appropriate access control policies in Oracle Internet Directory. This enables you to protect data synchronized or processed by one profile from interference by another profile. It also enables you to allow only the integration profile that owns synchronization of an attribute to modify that attribute.

See Also: The chapter on access control, specifically, the section security groups, in Oracle Internet Directory Administrator's Guide for instructions on setting access control policies for group entries.

For example, creating a group entry called odipgroup when installing the Oracle Internet Directory enables you to control the access rights granted to various profiles. Rights are controlled by placing appropriate access policies in the odipgroup entry. Each profile is a member of this group. The membership is established when the profile is registered in the system. The default access policy, automatically installed with the product, grants to profiles certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the parameter named orclodipConDirLastAppliedChgTime. The default access policy also permits profiles to access Oracle Internet Directory change logs, to which access is otherwise restricted.

The odisgroup group entries and their default policies are created during the server installation of the Oracle Internet Directory. Oracle Directory Integration and Provisioning-only installations do not create these groups and policies.

Data Integrity and Oracle Directory Integration and Provisioning

Oracle Directory Integration and Provisioning ensures that data has not been modified, deleted, or replayed during transmission by using SSL. This SSL feature generates a cryptographically secure message digest—through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA) —and includes it with each packet sent across the network.

Data Privacy and Oracle Directory Integration and Provisioning

Oracle Directory Integration and Provisioning ensures that data is not disclosed during transmission by using public-key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.

To exchange data securely between the directory integration and provisioning server and Oracle Internet Directory, you run both components in the SSL mode.

Tools Security and Oracle Directory Integration and Provisioning

You can run all the commonly used tools in the SSL mode to transmit data to Oracle Internet Directory securely. These tools include:

• Oracle Directory Manager —Use it to administer data in the directory.

• The Oracle directory integration and provisioning server registration tool (odisrvreg)—Use it to register the directory integration and provisioning server in the directory.

• The Oracle Directory Integration and Provisioning Server Administration tool

• The Directory Integration and Provisioning Assistant when running in SSL mode

• The Provisioning Subscription Tool when running in the SSL mode