Oracle® Audit Vault Administrator's Guide
Release 10.2.3.1

Part Number E13841-02

5 Managing Oracle Audit Vault Security

5.1 About Managing Oracle Audit Vault Security

Oracle Audit Vault includes Oracle Advanced Security and Oracle Database Vault features to protect audit data that it collects and stores.

This chapter explains how to manage Oracle Audit Vault security. You should perform Oracle Audit Vault security tasks in this order of importance:

  1. Secure management communication between the Oracle Audit Vault Server and collection agent, described in Section 5.5.

  2. Manage user authentication metadata, described in Section 5.2.

Section 5.3 explains how Oracle Database Vault protects audit data and provides strong access control.

5.2 Managing Authentication Metadata Using Oracle Advanced Security

As part of the Audit Vault Server and Oracle Audit Vault collection agent installation, two wallets are created. One wallet resides on the Audit Vault Server and contains the credentials of the AV_ADMIN user. The Audit Vault Console uses this wallet to communicate with the Oracle Audit Vault database. The Audit Vault Console provides the management service that initiates communication with the collection agents over HTTP. Audit Vault Configuration Assistant (AVCA) modifies the Database Control console server.xml file and other related files to enable Oracle Audit Vault management through the Oracle Enterprise Manager Database Control console. This wallet is located in the $ORACLE_HOME/network/admin/avwallet directory.

The other wallet resides on the Audit Vault collection agent and contains the AV_AGENT credentials. The collection agent uses this wallet to get configuration data from Oracle Audit Vault. This wallet is located in the $ORACLE_HOME/network/admin/avwallet directory. This wallet also contains the credentials used by the collectors to communicate with the source database (Oracle Database, Microsoft SQL Server database, Sybase ASE, or IBM DB2 database). The three ORCLDB collectors, the MSSQLDB collector, the SYBDB collector, and the DB2DB collector all use these credentials to connect to the source database and to:

The Oracle wallet is a password-protected container that stores credentials, such as certificates, authentication credentials, and private keys, all of which are used by SSL for strong authentication. You can manage Oracle wallets by using Oracle Wallet Manager. Oracle Wallet Manager can perform tasks such as wallet creation, certificate request generation, and importing certificates into the wallet.

Oracle Audit Vault uses third-party network authentication services (PKI-based authentication) to authenticate its user clients. Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without involving an authentication server. These user certificates, along with the private key of the user and the set of trust points of a user (trusted certificate authorities), are stored in Oracle wallets.

5.3 Using Oracle Database Vault with Oracle Audit Vault

By default, Oracle Database Vault is enabled in the Audit Vault Server. Oracle Database Vault restricts access to the data in the Audit Vault Server from any user, including users who have administrative access. For Oracle Audit Vault, Oracle Database Vault protects the Audit Vault Server by using a realm. To ensure that the data in the Audit Vault Server is protected, do not disable Oracle Database Vault.

The inclusion of Oracle Database Vault provides the DV_OWNER and DV_ACCTMGR roles. The DV_OWNER role manages the database roles and configuration, and the DV_ACCTMGR role manages user accounts. As with all Oracle Database roles, grant these roles only to those users who are responsible for the tasks associated with the role.

Be aware that Oracle Database Vault revokes some privileges from several Oracle Database-supplied accounts and roles, including SYS and SYSTEM. Oracle Database Vault Administrator's Guide describes the roles and privileges that Oracle Database Vault affects. Remember that only a user who has been granted the DV_ACCTMGR role can create, alter, and drop users. However, the DV_ACCTMGR user cannot grant the Oracle Audit Vault roles to those users: only a user who has been granted the AV_ADMIN role can grant the AV_ADMIN and AV_AUDITOR roles to another user.

Table 5-1 shows the roles and privileges that an administrative user receives when that user is granted an Oracle Audit Vault or Oracle Database Vault role. For detailed information about the Oracle Audit Vault and Oracle Database Vault roles, see Section 1.5.

Table 5-1 Roles and Privileges Granted to Audit Vault or Database Vault Administrators

Columns: Role Granted to User | Roles Granted to This Role | Privileges Granted

AV_ADMIN
    Roles granted to this role: SELECT_CATALOG_ROLE, AQ_ADMINISTRATOR_ROLE, AV_AUDITOR (see Footnote 1), AV_AGENT, XDBADMIN
    Privileges granted: CREATE SESSION, GRANT ANY ROLE

AV_AUDITOR
    Roles granted to this role: SELECT_CATALOG_ROLE
    Privileges granted: CREATE SESSION

AV_AGENT
    Roles granted to this role: No additional roles granted
    Privileges granted: CREATE SESSION, CREATE ANY VIEW

DV_ACCTMGR
    Roles granted to this role: DV_PUBLIC, CONNECT
    Privileges granted: CREATE SESSION, CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, DROP PROFILE

DV_OWNER
    Roles granted to this role: DV_PUBLIC, CONNECT, DV_ADMIN, DV_SECANALYST
    Privileges granted: CREATE SESSION, GRANT ANY ROLE, ALTER ANY TRIGGER, ADMINISTER DATABASE TRIGGER

Footnote 1 The AV_ADMIN role is granted the AV_AUDITOR role only if you did not create the AV_AUDITOR user during installation.
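The grants in Table 5-1 are only as safe as the list of accounts that hold them, so a periodic check of who holds these roles is worth scripting. The following SQL*Plus session is an added example, not part of this manual: it confirms that Oracle Database Vault is still enabled (Section 5.3 says never to disable it), lists every direct grantee of the Audit Vault and Database Vault roles, and lists the system privileges those roles carry so they can be compared with the "Privileges Granted" column. It uses only standard Oracle Database data-dictionary views (V$OPTION, DBA_ROLE_PRIVS, DBA_SYS_PRIVS); run it as a user that can query the DBA_* views, for example the AV_ADMIN user, which holds SELECT_CATALOG_ROLE according to Table 5-1.

```sql
-- Added example (not from the Oracle manual): verify Database Vault is
-- enabled and review who holds the sensitive Audit Vault and Database
-- Vault roles. Standard data-dictionary views; run from SQL*Plus as a
-- user with SELECT_CATALOG_ROLE (for example the AV_ADMIN user).
SET LINESIZE 120 PAGESIZE 100
COLUMN grantee      FORMAT A20
COLUMN granted_role FORMAT A22
COLUMN privilege    FORMAT A30

-- 1. Database Vault must report VALUE = 'TRUE' (Section 5.3).
SELECT parameter, value
FROM   v$option
WHERE  parameter = 'Oracle Database Vault';

-- 2. Direct grantees of the roles in Table 5-1. Every row should be an
--    account you expect; an unexpected grantee of DV_OWNER, DV_ACCTMGR
--    or AV_ADMIN is the first thing to investigate.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('AV_ADMIN', 'AV_AUDITOR', 'AV_AGENT',
                        'DV_OWNER', 'DV_ACCTMGR')
ORDER  BY granted_role, grantee;

-- 3. System privileges carried by each of those roles, to compare with
--    the "Privileges Granted" column of Table 5-1.
SELECT grantee AS role_name, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('AV_ADMIN', 'AV_AUDITOR', 'AV_AGENT',
                   'DV_OWNER', 'DV_ACCTMGR')
ORDER  BY grantee, privilege;

-- 4. Everything that holds GRANT ANY ROLE. Table 5-1 says AV_ADMIN and
--    DV_OWNER carry it; any other holder could hand out AV_ADMIN without
--    appearing in the step 2 list, so each extra row needs a reason.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY ROLE'
ORDER  BY grantee;
```

DBA_ROLE_PRIVS shows direct grants only; a role granted through another role appears in ROLE_ROLE_PRIVS instead, so if query 2 looks clean but query 4 shows an unfamiliar holder, follow the role chain from there.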

Table 5-2 shows the other core database accounts that are created in the default Oracle Audit Vault installation. Oracle Audit Vault permits operating system authentication to the database. Remote authentication to the database with the SYSDBA privilege is disabled; if you need it, you can enable it by using a password file. See the sections that discuss postinstallation tasks in the Oracle Audit Vault Installation Guide for more information about unlocking and resetting user passwords and enabling or disabling connections with the SYSDBA privilege.

Table 5-2 Database Core Accounts Created and Privileges Used

Columns: Account | Privileges | Privilege In Use | Password to Use

SYS, SYSTEM, SYSMAN, DBSNMP
    Privileges: Many (see Footnote 1)
    Privilege in use: Yes
    Password to use: Use the same password as the user granted the AV_ADMIN role for a basic installation; the password may be set separately in an advanced installation.

SYS AS SYSDBA or / AS SYSDBA
    Privileges: SYSDBA
    Privilege in use: Yes, allowed
    Password to use: Operating system authentication to the database is enabled by default.

SYS AS SYSDBA
    Privileges: SYSDBA
    Privilege in use: No, not allowed for remote connection
    Password to use: To use it for a remote connection, you must create a password file to enable its use. The password is set when the password file is created.

SYS AS SYSOPER
    Privileges: SYSOPER
    Privilege in use: Yes, allowed
    Password to use: Use the same password as the user granted the AV_ADMIN role.

Footnote 1 To find the privileges associated with the user account, log in to SQL*Plus as the user and then run the following query:

    SELECT * FROM SESSION_ROLES;

5.4 Changing Oracle Audit Vault User Passwords on a Regular Basis

5.4.1 About Oracle Audit Vault User Passwords

You should have a policy in place for changing passwords for the Oracle Audit Vault user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.
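One way to enforce such a policy inside the Audit Vault database itself is an Oracle Database password profile. The block below is an added example, not a procedure from this manual: the profile name av_users and the account names avadminusr, avauditorusr and avagent_usr are assumptions, and the 120-day lifetime is the figure used above. Because Oracle Database Vault is enabled, the CREATE PROFILE and ALTER USER statements must be run by the user holding the DV_ACCTMGR role, which Table 5-1 shows is the only role carrying CREATE PROFILE and ALTER USER.

```sql
-- Added example (not from the Oracle manual): a password profile for the
-- Oracle Audit Vault accounts. Profile and account names are assumed; the
-- 120-day lifetime is the example value from this section.
-- Run as the DV_ACCTMGR user.

-- Optional complexity check: Oracle ships $ORACLE_HOME/rdbms/admin/utlpwdmg.sql,
-- which creates VERIFY_FUNCTION in the SYS schema. It also tightens the
-- DEFAULT profile, so review it before running it (as SYS):
-- @?/rdbms/admin/utlpwdmg.sql

CREATE PROFILE av_users LIMIT
  PASSWORD_LIFE_TIME       120          -- force a change every 120 days
  PASSWORD_GRACE_TIME      7            -- warn for 7 days before the account locks
  PASSWORD_REUSE_MAX       10           -- block the last 10 passwords ...
  PASSWORD_REUSE_TIME      365          -- ... for at least a year
  FAILED_LOGIN_ATTEMPTS    5            -- lock after 5 consecutive failures ...
  PASSWORD_LOCK_TIME       1/24         -- ... for one hour
  PASSWORD_VERIFY_FUNCTION verify_function;  -- from utlpwdmg.sql; omit if not installed

-- Attach the profile to the Audit Vault accounts (names assumed).
ALTER USER avadminusr   PROFILE av_users;
ALTER USER avauditorusr PROFILE av_users;
ALTER USER avagent_usr  PROFILE av_users;

-- Confirm which profile each account uses and when its password expires.
SELECT username, profile, account_status, expiry_date
FROM   dba_users
WHERE  username IN ('AVADMINUSR', 'AVAUDITORUSR', 'AVAGENT_USR')
ORDER  BY username;
```

Table 5-3 shows that the AV_ADMIN, AV_AGENT and source user passwords are also stored in wallets. A profile that expires one of those passwords expires the wallet credential with it, so schedule the wallet updates of Sections 5.4.2 through 5.4.4 into the rotation cycle; otherwise the collection agent stops authenticating when the database password lapses.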

Table 5-3 summarizes guidelines that you must follow when you change passwords for the Oracle Audit Vault user accounts.

Table 5-3 Storage Location of Audit Vault and Source User Name Passwords

Columns: Audit Vault Role | Is Password Stored in Wallet? | How Do I Change the Password?

AV_ADMIN
    Stored in wallet: Yes
    How to change: Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home. You must also change the password of this user in the database; to do so, use the ALTER USER SQL statement. See Section 5.4.2.

AV_AGENT
    Stored in wallet: Yes
    How to change: Use the avca create_credential command to change the password in the wallet in the Audit Vault collection agent home. You must also change the password of this user in the database; to do so, use the ALTER USER SQL statement. See Section 5.4.3.

Source user on source database
    Stored in wallet: Yes
    How to change: For an Oracle Database source user account, use the ALTER USER SQL statement in the source database Audit Vault Server home. Use the setup command of the AVORCLDB, AVMSSQLDB, AVSYBDB, or AVDB2DB utility to change the password in the wallet in the Audit Vault collection agent home. See Section 5.4.4.

AV_AUDITOR
    Stored in wallet: No
    How to change: Use the ALTER USER SQL statement in the Audit Vault Server home. See Section 5.4.5.

5.4.2 Changing the AV_ADMIN User Password

After you have updated the AV_ADMIN user account using the ALTER USER SQL statement, you must update the password credentials of this user.

To change the password of a user who has been granted the AV_ADMIN role:

  1. In the server where you installed the Oracle Audit Vault Server, open a shell.

  2. Log in to SQL*Plus as the user whose password you must change, as another user who has been granted the ALTER USER privilege, or as a user who has the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    
    SQL> ALTER USER avadminusr IDENTIFIED BY password;
    
  3. Exit SQL*Plus.

  4. Set the environment variables for the Audit Vault Server home, as described in Section 2.2.2.

  5. From the shell, run the avca create_credential command to change the password credentials of the AV_ADMIN user.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias orcl
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avadminuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    In this example, the dbalias parameter specifies the Audit Vault Server SID in the Audit Vault Server home. You can find this information by running the lsnrctl status command on the computer where you installed the source database. For detailed information about using the avca create_credential command, see Section 6.2.

5.4.3 Changing the AV_AGENT Password

After you change the password of the AV_AGENT user account in the database, you must also update the stored password credentials of this account in the wallet.

To change the password credentials for the AV_AGENT user account:

  1. In the server where you installed the Oracle Audit Vault collection agent, open a shell.

  2. Set the environment variables for the Audit Vault collection agent home, as described in Section 2.2.3.

    If you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory. You do not need to set any environment variables.

  3. Log in to SQL*Plus and use the ALTER USER SQL statement to change the password of the AV_AGENT user.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    SQL> ALTER USER avagent_usr IDENTIFIED BY password;
    
  4. Change the password credential of the AV_AGENT user account.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avagentuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    For detailed information about using the avca create_credential command, see Section 6.2.

5.4.4 Changing the Source User Password

After you change the password of the source user account, you must also update the stored password credential of this account in the collection agent wallet.

To change the password credentials for the source user account:

  1. In the server where you installed the Audit Vault Server, open a shell and then set the environment variables for the Audit Vault Server home, as described in Section 2.2.2.

  2. In the Audit Vault Server home, use the ALTER USER SQL statement to change the password for the source user account if it is an Oracle Database source user account.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    SQL> ALTER USER srcuser_ora IDENTIFIED BY password;
    

    For source user accounts created for Microsoft SQL Server, Sybase ASE, and IBM DB2, log in to the appropriate source database and then change the password there.

  3. Open a shell for the Audit Vault collection agent, and then set its environment variables as described in Section 2.2.3.

    If you installed the collection agent on Microsoft Windows, do not set any environment variables. Instead, go to the ORACLE_HOME\agent_dir\bin directory.

  4. Run the avorcldb setup command.

    For example:

    avorcldb setup -srcname hrdb.example.com
    Enter Source user name: srcuser_ora
    Enter Source password: password
    adding credentials for user srcuser_ora for connection [SRCDB1]
    Storing user credentials in wallet...
    Create credential oracle.security.client.connect_string3
    done.
    updated tnsnames.ora with alias [SRCDB1] to source database
    verifying SRCDB1 connection using wallet
    

    For detailed information about using the avorcldb setup command, see Section 8.9. Depending on where you created the source user account, see the following sections:

5.4.5 Changing the AV_AUDITOR Password

To change the password of a user who has been granted the AV_AUDITOR role, change the password in the Audit Vault database from the Audit Vault Server home by using the ALTER USER SQL statement. Log in as the user with the role of Database Vault Account Manager.

Follow these steps:

  1. In the server where you installed the Audit Vault Server, open a shell and then set the environment variables for the Audit Vault Server home, as described in Section 2.2.2.

  2. Log in to SQL*Plus as the Database Vault Account Manager (that is, a user who has been granted the DV_ACCTMGR role).

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    SQL>
    
  3. Use the ALTER USER SQL statement to change the AV_AUDITOR user account.

    For example:

    SQL> ALTER USER avauditorusr-name IDENTIFIED BY password;
    

5.4.6 Ensuring That All Changed User Name Passwords Work Correctly

To test the changed passwords for users who have been granted the AV_ADMIN and AV_AUDITOR roles, log in to the Audit Vault Console as the Audit Vault administrator and then as the Audit Vault auditor. See Section 3.2.3 for instructions on logging in to the Audit Vault Console. If the login is not successful, repeat the procedures described in this section to re-create the passwords, and then retest them.

For the AV_ADMIN role, you must also test that the credentials were stored correctly in the wallet.

Follow these steps:

  1. In the server where you installed the Audit Vault Server, open a shell and then set the environment variables for the Audit Vault Server home, as described in Section 2.2.2.

  2. In SQL*Plus, log in to the Audit Vault Server.

    For example, assuming the SID of the Audit Vault Server is av:

    sqlplus /@av 
    

To test the AV_AGENT and source database user account passwords, stop the collection agents, and then restart the collection agent and each collector. See Chapter 7 for information about the commands you use to perform this test. If you are able to collect new audit records, then the AV_AGENT and source database user account passwords are working. If you cannot collect audit records, then check the log files (see Appendix A for more information) to determine which user name password might be the cause of the problem. If necessary, re-create the passwords and then retest them.

5.5 Configuring HTTPS Communication for Oracle Audit Vault

5.5.1 About Configuring HTTPS Communication for Oracle Audit Vault

You can secure management communication between the Oracle Audit Vault Server and collection agent by using the HTTPS protocol to encrypt data. In this case, you provide X.509 certificates for authentication. This section explains how to configure Secure Sockets Layer (SSL) for the mutual authentication between Oracle Audit Vault on the server side and each collection agent over HTTPS. A certificate authority (CA) must provide these certificates to you, the Oracle Audit Vault administrator.

To accomplish this, you secure the following services on the server side:

  • Oracle Audit Vault Web application, which you secure by using the avca secure_av command.

  • XDB services, which you secure by using the avca generate_csr and avca import_cert commands. These commands enable you to generate a

For the agent side, you secure OC4J by using the avca secure_agent command.

After you secure the Audit Vault Server and Audit Vault collection agent communication to use HTTPS, you must configure the browser to use HTTPS to access the Audit Vault Console. At this stage, HTTP is no longer available to the browser user, because communication between the browser and the Audit Vault Console is also secured.

Before you follow the procedures described in this section, you must understand how to use keystores, which are in JKS (Java KeyStore) format from Sun Microsystems. You can create and manage keystores by using the keytool utility from Sun Microsystems. See the following URLs for more information:

http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

See Also:

Oracle Database Advanced Security Administrator's Guide for more information about PKI-based authentication, digital certificates, secure external password stores, and Oracle wallets.

5.5.2 Step 1: Generate the Certificate Request

To generate the certificate request:

  1. Open a shell for the Audit Vault Server.

  2. Follow the instructions in Section 2.2.2 to set the environment variables for the Audit Vault Server.

  3. Generate a certificate request for Oracle XML Database using the avca generate_csr command.

    (The Oracle Audit Vault reporting interface uses Oracle XML Database.)

    For example:

    $ avca generate_csr -certdn CN=sales_srv.us.example.com,OU=SalesReps,O=RisingDoughCo,ST=CA,C=US -out ca_certificate.cer
    

    In this example, the certificate request file is called ca_certificate.cer.

    See Section 6.6 for detailed information about the avca generate_csr command.

  4. Send this certificate request file to a CA to be signed and returned to you.

  5. Import this signed certificate into the wallet using the avca import_cert command. If the CA is a self-signed one, ensure that you import the trusted CA certificate as well.

    For example:

    $ avca import_cert -cert user_certificate.cer
    

    See Section 6.8 for detailed information about the avca import_cert command.

  6. Leave the Audit Vault Server shell open.

Next, you can configure both the Audit Vault Server and Oracle XML Database communication using the avca secure_av command, as described in the next section.

5.5.3 Step 2: Configure the Audit Vault Server and Agent HTTPS Communication

To configure the Audit Vault Server and collection agent HTTPS communication:

  1. Access the shell for the Audit Vault Server.

    If you have closed this shell, reset its environment variables, as described in Section 2.2.2.

    If you prefer, open a shell for the Audit Vault collection agent instead, and then set its environment variables as described in Section 2.2.3. If you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory. You do not need to set any environment variables.

  2. Run the keytool utility, located in the $ORACLE_HOME/jdk/bin directory, to generate a keystore.

    For an example of using the keytool utility, see the section that explains how to enable SSL with iSQL*Plus in SQL*Plus User's Guide and Reference. This utility creates a storage file named keystore in the current directory.

    For detailed information about the keytool utility, visit the following Web sites:

    http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

    http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

    Next, you are ready to configure the mutual authentication between the Audit Vault Server and its collection agents.

  3. Access the shell used for the Audit Vault Server.

  4. Configure the Audit Vault Server communication with the collection agent.

    For example:

    $ avca secure_av -avkeystore /tmp/avkeystore -avtruststore /tmp/avkeystore 
    Enter keystore password: password
    

    See Section 6.12 for detailed information about the avca secure_av command.

  5. Open a shell for the Audit Vault collection agent, and then follow the instructions in Section 2.2.3 to set its environment variables.

    If you installed the collection agent on Microsoft Windows, go to the ORACLE_HOME\agent_dir\bin directory. You do not need to set any environment variables.

  6. Secure OC4J and configure the collection agent communication with the Audit Vault Server.

    For example:

    $ avca secure_agent -agentkeystore /tmp/agentkeystore
    -agentdn "CN=agent1, OU=SalesReps, O=RisingDoughCo, L=Bredville, ST=ca, C=us"
    -avdn "CN=av1, OU=SalesReps, O=RisingDoughCo, L=Bredville, ST=ca, C=us"
    Enter keystore password: password
    

    See Section 6.11 for detailed information about the avca secure_agent command.