Oracle® Application Server Best Practices Guide 10g (10.1.4.0.1) Part Number B31762-02
This chapter describes best practices for Oracle Internet Directory. It contains the following topics:
Section 3.4, "Use Backup and Restore Utilities to Secure Data"
Section 3.5, "Monitor and Audit Oracle Internet Directory to Improve Availability"
Section 3.6, "Use OPMN to Manage Oracle Internet Directory Processes"
Section 3.7, "Assign Oracle Internet Directory Privileges to Limit Access"
Section 3.8, "Change Access Control Policies to Control User Administration"
Section 3.9, "Use User Attributes and Password Hints to Make Resetting Credentials Easier"
Section 3.10, "Incorporate Group Assignment During User Creation to Avoid Multiple Steps"
Section 3.11, "Configure Active Directory Synchronization to Enable Windows Native Authentication"
Section 3.12, "Oracle Directory Integration Platform Best Practices"
The bulkload utility checks standard LDIF formatted files for schema violations and duplicates, and generates SQL*Loader intermediate files for fast loading into the database tables underlying Oracle Internet Directory. Use the bulkload utility whenever an initial bootstrap is required, for example when setting up synchronization with Microsoft Active Directory or other LDAP directory servers.
Oracle recommends passing the LDIF file output from third-party LDAP directories through bulkload in check=true mode first. This alerts you to any conflicts between that data and your existing LDAP schema before anything is loaded.
Most third-party LDAP directories (including Oracle Internet Directory) can export to LDIF without operational attributes, which typically cannot be loaded into another vendor's directory. If you are loading data into Oracle Internet Directory from a directory that does not support this, you must remove any operational attributes from the LDIF file manually before passing it to bulkload in generate=yes mode.
If your input LDIF file comes from another Oracle Internet Directory instance, then you must use the restore=yes option to bulkload.sh to preserve these operational attributes as they are during the bulkload.
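The operational-attribute cleanup described above, as an added example that is not part of the Oracle guide: a POSIX shell script that unfolds LDIF continuation lines and drops a configurable list of operational attributes before the file goes to bulkload. The attribute list, the sample LDIF export and the bulkload invocation in the usage comment are assumptions; take the exact bulkload option syntax for your release from Section 9.1, "bulkload," in the Oracle Internet Directory Administrator's Guide.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): strip operational attributes from an
# LDIF export before handing it to bulkload. The attribute list is an assumption;
# extend it for the directory you actually export from.

# Operational attributes to drop, compared case-insensitively.
# creatorsName/createTimestamp/modifiersName/modifyTimestamp are the standard ones,
# orclguid is OID's own, entryUUID/entryCSN/nsUniqueId come from OpenLDAP/Sun exports.
STRIP_ATTRS="creatorsname createtimestamp modifiersname modifytimestamp orclguid entryuuid entrycsn nsuniqueid"

# Join LDIF continuation lines: a line starting with one space continues the previous line.
ldif_unfold() {
  awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
       NR > 1        { printf "\n" }
                     { printf "%s", $0 }
       END           { if (NR > 0) printf "\n" }'
}

# Drop every attribute named in STRIP_ATTRS from the LDIF read on stdin.
strip_operational_attrs() {
  ldif_unfold | awk -v list="$STRIP_ATTRS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    {
      name = $0
      sub(/:.*/, "", name)      # attribute name is everything before the first colon
      sub(/;.*/, "", name)      # ignore attribute options such as ;binary
      if ((tolower(name)) in skip) next
      print
    }'
}

# Constructed sample export, shaped like a third-party directory dump with
# operational attributes and folded lines.
SAMPLE_LDIF='dn: cn=Jane Doe,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
description: a long description that the exporting server
  folded onto a second line
creatorsName: cn=Directory Manager
createTimestamp: 20060501120000Z
modifiersName: cn=Directory
 Manager
modifyTimestamp: 20060501120000Z
entryUUID: 0f6a0f6a-1b2c-3d4e-5f60-718293a4b5c6

dn: cn=Ops,cn=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Ops
uniqueMember: cn=Jane Doe,cn=users,dc=example,dc=com
creatorsName: cn=Directory Manager'

# Count lines carrying a given attribute in the cleaned sample (used for checks).
count_attr() {
  printf '%s\n' "$SAMPLE_LDIF" | strip_operational_attrs | grep -ci "^$1:" || true
}

# Usage (not run here): clean the export, then run bulkload in check mode on it.
# printf '%s\n' "$SAMPLE_LDIF" | strip_operational_attrs > /tmp/clean.ldif
# bulkload.sh -connect <net_service_name> ... /tmp/clean.ldif   # check mode first; option syntax per your release
```

Unfolding joins folded lines back into one logical line, which LDIF permits, so the output stays valid for bulkload even where the original export wrapped long values. Any vendor-specific attribute the list does not cover still surfaces as a schema violation in bulkload check mode, which is exactly why check mode runs before generate.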
Implementation Details
See Also:
Chapter 4, "Oracle Internet Directory Data Management Tools," in the Oracle Identity Management User Reference
Oracle Internet Directory supports both multimaster and fan-out styles of directory replication.
For high availability, consider placing an Oracle Internet Directory multimaster replication group behind a network load balancer so that your LDAP client applications see a single IP address. If a replicated node becomes unavailable, the load balancer can be configured to re-route requests automatically to an available server.
Additionally, each Oracle Internet Directory node can run on Oracle Real Application Clusters, further improving availability through increased database uptime and data availability.
Implementation Details
See Also:
Chapter 3, "Oracle Internet Directory Management Planning," in the Oracle Identity Management Infrastructure Administrator's Guide
Part III, "Oracle Internet Directory in High Availability Topologies," in the Oracle Application Server High Availability Guide
TLS/SSL is the Internet standard protocol for protecting data in transit. In addition to strong PKI-based authentication with digital certificates, TLS/SSL provides data integrity and encryption for your communication channels, and offers many cipher suites with different algorithms and security levels.
Oracle Internet Directory supports three TLS/SSL authentication modes:
No authentication mode
In this mode, the SSL cipher suites use the Diffie-Hellman algorithm to agree a session key between client and server at run time, and that session key encrypts the communication channel. No server or user SSL wallet is necessary.
Note:
Diffie-Hellman performs only the key exchange: it derives a shared secret from which the symmetric session key is taken, and the channel is encrypted with a symmetric cipher, not with a Diffie-Hellman key. Because no certificates are involved, neither side is authenticated, so this mode protects only against passive eavesdropping and not against an active attacker positioned between client and server.
Server Authentication only mode
This mode uses certificates to authenticate the server only: the client verifies the server certificate. It is the most common mode on the Internet, because a client that needs to communicate with an SSL server does not require a certificate of its own. The client can instead authenticate itself to the server with a username and password, which the SSL encryption protects on the wire.
Server and Client Authentication mode (Mutual authentication)
In this mode, both client and server use X.509 v3 certificates to authenticate each other. First, the client authenticates the server by validating its certificate; the server then requires the client to send its certificate to prove its identity.
In addition to choosing an authentication mode, choose cipher suites (encryption and integrity algorithms) appropriate to the security level you need.
Implementation Details
See Also:
Chapter 17, "Secure Sockets Layer (SSL) and the Directory," in the Oracle Internet Directory Administrator's Guide
3.4 Use Backup and Restore Utilities to Secure Data
Depending on your Oracle Application Server enterprise topology, you may want to back up Oracle Internet Directory as part of backing up your entire application server environment.
Implementation Details
See Also:
Chapter 15, "Backup and Restoration of a Directory," in the Oracle Application Server Administrator's Guide, before deciding on an overall backup and recovery strategy for all of your Oracle Identity Management Infrastructure components
Section IV, "Backup and Recovery," in the Oracle Application Server Administrator's Guide, for general application server backup and recovery strategies
3.5 Monitor and Audit Oracle Internet Directory to Improve Availability
You can monitor and audit Oracle Internet Directory in one of four ways:
The Oracle Enterprise Manager LDAP page provides a simple way to monitor the LDAP service of a standalone Oracle Internet Directory and determine whether it is up and running under its current load.
If you need more detailed information about the underlying database and detailed statistics, or you need to monitor other Identity Management components as well, use the Identity Management Grid Control.
You can also check the log files of the various LDAP processes to ensure that no errors are showing up.
The LDAP audit log service provides more granular information, such as security violations or other sensitive events. You can further restrict the audit log to specific directory operations and events. Keep in mind that auditing generates a large amount of data, so decide up front which operations you need and how the log will be retained and purged.
Oracle recommends that you review the audit and error logs at least weekly. System administrators can review more frequently with Enterprise Manager or Identity Management Grid Control to improve availability. To monitor bind and compare operations, follow the approach described in Chapter 14, "Logging, Auditing, and Monitoring the Directory," in the Oracle Internet Directory Administrator's Guide.
Implementation Details
See Also:
Chapter 5, "Identity Management Grid Control Plug-in," in the Oracle Identity Management Infrastructure Administrator's Guide
Chapter 14, "Logging, Auditing, and Monitoring the Directory," in the Oracle Internet Directory Administrator's Guide
3.6 Use OPMN to Manage Oracle Internet Directory Processes
In Oracle Application Server, you no longer need to run oidmon and oidctl to start and stop Oracle Internet Directory processes. OPMN stores the proper start and stop sequences and controls these services.
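Starting Oracle Internet Directory through OPMN and confirming the result, as an added example that is not from the Oracle guide: the shell functions below wrap opmnctl for the OID component and parse an opmnctl status table to decide whether every OID process is alive. The component name OID, the $ORACLE_HOME/opmn/bin/opmnctl path and the shape of the status table (a constructed sample) are assumptions; compare them with the output of opmnctl status on your own instance.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): control the OID component through
# OPMN instead of oidmon/oidctl, and parse 'opmnctl status' to confirm the result.
# The status table layout below is a constructed sample of the assumed opmnctl
# output format; check it against your instance before relying on the parser.

# Component name OPMN uses for Oracle Internet Directory (assumed to be OID).
OID_COMPONENT=${OID_COMPONENT:-OID}

oid_start() { "$ORACLE_HOME/opmn/bin/opmnctl" startproc ias-component="$OID_COMPONENT"; }
oid_stop()  { "$ORACLE_HOME/opmn/bin/opmnctl" stopproc  ias-component="$OID_COMPONENT"; }

# Read a status table on stdin. Exit 0 if every row for the OID component is
# Alive, 1 if any OID row is not Alive, 2 if no OID row is present at all.
oid_status_from_table() {
  awk -v comp="$OID_COMPONENT" -F'|' '
    $1 ~ /^[ \t]*[A-Za-z]/ && NF >= 4 {
      gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $4)
      if ($1 == comp) { seen++; if ($4 != "Alive") bad++ }
    }
    END { if (!seen) exit 2; if (bad) exit 1; exit 0 }'
}

# Live check for daily use (needs a running OPMN; not run here).
oid_is_alive() { "$ORACLE_HOME/opmn/bin/opmnctl" status | oid_status_from_table; }

# Constructed sample output, shaped like an opmnctl status table.
SAMPLE_STATUS='Processes in Instance: infra.oidhost.example.com
-------------------+--------------------+---------+---------
ias-component      | process-type       |    pid | status
-------------------+--------------------+---------+---------
OID                | OID                |   18342 | Alive
HTTP_Server        | HTTP_Server        |   18401 | Alive
OC4J               | OC4J_SECURITY      |   18455 | Alive
DSA                | DSA                |     N/A | Down'

# Usage against the live instance (not run here):
# oid_start && oid_is_alive && echo "OID is up"
```

The parser returns distinct codes for "down" and "not present", so a monitoring job can tell a failed start apart from a misnamed component or the wrong instance.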
Implementation Details
See Also:
Chapter 6, "Process Control of Oracle Internet Directory Components," in the Oracle Internet Directory Administrator's Guide
3.7 Assign Oracle Internet Directory Privileges to Limit Access
While it is possible to install Oracle Application Server as the Oracle Internet Directory super user, Oracle recommends against this, because it grants more privileges than the installation requires.
To install Oracle Application Server, a user needs to be a member and an owner of the Oracle Application Server administrators group.
Before installing Oracle Application Server, the directory administrator should add the installation user as a member and owner of the administrators group. Once the installation has completed, the administrator should remove the installation user's owner privilege, so that the elevated rights exist only for the duration of the install.
3.8 Change Access Control Policies to Control User Administration
Oracle Internet Directory administrators should change the default access control policies as required to better control user administration.
Administrators should adjust the default access control and password policies using Oracle Directory Manager, in accordance with their specific administrative policies for directory access and passwords. This adjustment covers both value and state parameters.
Implementation Details
See Also:
Chapter 18, "Directory Access Control," and Chapter 19, "Password Policies in Oracle Internet Directory," in the Oracle Internet Directory Administrator's Guide
3.9 Use User Attributes and Password Hints to Make Resetting Credentials Easier
Users who forget their OracleAS Single Sign-On passwords can reset them on their own by using the Oracle Internet Directory Self-Service Console. They must first authenticate themselves in one of the following ways:
If a user specified a password hint question when previously changing the password, the Confirm Additional Personal Information window prompts for the correct answer to that reminder question when the user attempts a password reset.
Users who have not previously set a password hint are presented with the Confirm Additional Personal Information window, which prompts them for other personal data, as configured by your administrator.
Implementation Details
See Also:
Chapter 4, "Managing Your Profile with the Oracle Internet Directory Self-Service Console," in the Oracle Identity Management Guide to Delegated Administration
3.10 Incorporate Group Assignment During User Creation to Avoid Multiple Steps
Rather than creating users and assigning them to groups as separate steps, consider incorporating the group assignment step into user creation.
Implementation Details
To do this:
Log in to the Oracle Internet Directory Self-Service Console as an Oracle Delegated Administration Services privileged user (orcladmin or a designate).
Select the Configuration tab.
Select User Entry > Add Role.
Search for and select any commonly-subscribed group entries.
Whenever you or any other Oracle Delegated Administration Services privileged user performs a Create User sequence, the list of specified groups will appear in the next-to-last step, in a section called Roles Assignment. Simply click whichever checkboxes are relevant to the newly-created user, and that user will automatically be made a member of all the groups you specify.
See Also:
Chapter 5, "Managing Users and Groups with the Oracle Internet Directory Self-Service Console," in the Oracle Identity Management Guide to Delegated Administration
3.11 Configure Active Directory Synchronization to Enable Windows Native Authentication
Before configuring Windows Native Authentication, first configure the Active Directory Connector and bootstrap the appropriate cn=users and cn=groups containers within your desired Oracle Identity Management Realm. Do not configure the External Authentication Plug-in for Active Directory if your goal is to enable Windows Native Authentication.
See Also:
Chapter 19, "Integrating with Microsoft Active Directory," in the Oracle Identity Management Integration Guide
Oracle Application Server Single Sign-On Administrator's Guide
3.12 Oracle Directory Integration Platform Best Practices
This section describes Oracle Directory Integration Platform best practices.
Use Oracle Directory Integration Platform to build connectivity between Oracle Internet Directory and third-party directories. It provides seamless integration with other Oracle products, enables those products to work alongside third-party directories in the enterprise, and lets the same identities be shared with other directories.
Using Oracle Directory Integration Platform, you can join or unify the different identities that a single enterprise user has in multiple LDAP directories into one global identity in Oracle Internet Directory. This enables a true single sign-on environment in an enterprise using Oracle Internet Directory and Oracle Application Server Single Sign-On.
Implementation Details
See Also:
Chapter 3, "Identity Management Infrastructure Deployment Planning," in the Oracle Identity Management Infrastructure Administrator's Guide
Chapter 17, "Third-Party Directory Integration Concepts and Considerations," in the Oracle Identity Management Integration Guide
When configuring Oracle Directory Integration Platform, specify only the containers and attributes that are required in the connected directory or in Oracle Internet Directory. You can use LDAP filters as part of mapping configuration profiles to screen out unwanted attribute data and keep synchronization simple.
Set each connector and its associated mapping configuration file to an appropriate scheduling interval. No connector needs to fire at the same time or at the same interval as any other, because they are completely independent of one another.
When synchronizing external users and groups into Oracle Internet Directory for use with Oracle Application Server, be sure to establish connectors to the appropriate Identity Management Realm cn=users and cn=groups containers. Oracle Directory Integration Platform then provisions all inbound user entries with the Oracle-specific attributes that users need to interact with their deployed Oracle applications.
Implementation Details
See Also:
Chapter 17, "Third-Party Directory Integration Concepts and Considerations," in the Oracle Identity Management Integration Guide
If you use Oracle Human Resources as the source of truth for employee data in your enterprise, then you must synchronize between it and Oracle Internet Directory. Because the Last Successful Execution Time connector profile attribute determines from what point changes are fetched from the connected directory, set it initially to a date in the past, then enable the profile. Note that this technique can cause all entries in the connected directory to be synchronized into Oracle Internet Directory at once, so schedule the first run for a quiet period.
It is a good idea to synchronize user data from connected directories into the public cn=users container within an Oracle Internet Directory Identity Management realm. This way, all users are immediately accessible to OracleAS Single Sign-On and Oracle Delegated Administration Services, such as the Self-Service Console.
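The profile reset described above, as an added example that is not from the Oracle guide: a shell function that generates the LDIF modification setting a synchronization profile's Last Successful Execution Time to a date in the past and enabling the profile, plus a wrapper that applies it with the OID ldapmodify tool. The profile DN layout, the attribute names orclODIPLastSuccessfulExecutionTime and orclODIPAgentControl, the yyyymmddhhmmss value format and the profile name OracleHRProfile are assumptions; confirm them with an ldapsearch of the profile entry on your release before applying.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): reset a DIP synchronization profile's
# Last Successful Execution Time and enable it. DN layout, attribute names and the
# timestamp format are assumptions to verify against your OID release.

# Print the LDIF modify for profile $1, fetching changes since $2 (yyyymmddhhmmss).
dip_reset_ldif() {
  profile=$1
  since=$2
  # Refuse anything that is not a 14-digit timestamp; a malformed value would
  # be stored as-is and silently break the next synchronization run.
  case $since in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "dip_reset_ldif: since must be yyyymmddhhmmss, got '$since'" >&2; return 1 ;;
  esac
  cat <<EOF
dn: orclODIPAgentName=$profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
changetype: modify
replace: orclODIPLastSuccessfulExecutionTime
orclODIPLastSuccessfulExecutionTime: $since
-
replace: orclODIPAgentControl
orclODIPAgentControl: ENABLE
EOF
}

# Apply the change with the OID ldapmodify (needs a reachable directory; not run here).
# The password is read from ORCLADMIN_PW so it does not sit in shell history;
# it still appears in the process list for the duration of the command, so prefer
# a form of ldapmodify that prompts for the password where your release offers one.
dip_apply() {
  dip_reset_ldif "$1" "$2" |
    ldapmodify -h "$3" -p "$4" -D cn=orcladmin -w "$ORCLADMIN_PW"
}

# Usage (not run here): pull every HR change since the start of 2000, then enable.
# ORCLADMIN_PW=... dip_apply OracleHRProfile 20000101000000 oidhost 389
```

Setting the time to a date before the earliest record you need is what triggers the full initial load mentioned above; pick the date deliberately rather than reaching for the epoch, because every change the connected directory still holds after that point will be replayed.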
Implementation Details
See Also:
Chapter 10, "Synchronization with Oracle Human Resources," in the Oracle Identity Management Integration Guide
Section 9.1, "bulkload," in the Oracle Internet Directory Administrator's Guide