14 Managing User Accounts and Access

To manage user accounts and access, you can use both the command line and the Audit Vault Server console.

14.1 About Oracle Audit Vault and Database Firewall Administrative Accounts

Oracle Audit Vault and Database Firewall administrative accounts help you manage user access.

When administrators log in to Oracle Audit Vault and Database Firewall, they have access only to administrative functions, whereas auditors have access only to the auditing functions.

Oracle Audit Vault and Database Firewall has two types of administrative user accounts:

  • Audit Vault Server Super Administrator:

    • Manages system-wide settings

    • Creates user accounts for super administrators and administrators

    • Has access to all targets and target groups

    • Grants access to targets or target groups to administrators

  • Audit Vault Server Administrator: Has access to specific targets or target groups granted by a super administrator. Administrators cannot manage system-wide settings.

After installing Oracle Audit Vault and Database Firewall, a post-installation configuration page lets you create and specify passwords for one super administrator account and one super auditor account for the Audit Vault Server. This super administrator and super auditor created during post installation are Audit Vault Server database users. There is at least one Audit Vault Server database user as super administrator and one as super auditor.

The Audit Vault Server console can be configured to be authenticated using the following methods:

Thereafter, the Audit Vault Server super administrator can create other administrative users, and the super auditor can create other auditor users, for the server.

This chapter describes managing user accounts and passwords for the Oracle Audit Vault and Database Firewall administrator user interfaces.

See Also:

14.2 Security Technical Implementation Guides and Implementation for User Accounts

Oracle Audit Vault and Database Firewall follow STIG guidelines for user accounts.

Oracle Audit Vault and Database Firewall follows the Security Technical Implementation Guides (STIG) and implementation rules for user accounts.

  • The default Oracle Audit Vault and Database Firewall user accounts must have custom passwords.

  • The number of consecutive failed login attempts is 3.

  • When a user exceeds the maximum number of unsuccessful login attempts, the account is locked until a super administrator releases it.

  • Account lockouts will persist until a super administrator resets the user account.

See Also:

Security Technical Implementation Guides for more information about STIG compliance

14.3 Configuring Administrative Accounts for Oracle Audit Vault Server

Learn how to configure administrative accounts for Oracle Audit Vault Server.

14.3.1 Guidelines for Securing Oracle Audit Vault and Database Firewall User Accounts

Review the guidelines for securing Oracle Audit Vault and Database Firewall user accounts.

As a best practice, use the installed Oracle Audit Vault and Database Firewall user accounts only as back-up accounts. Add new user accounts, with unique user names and passwords, for the users who are responsible for the day-to-day Oracle Audit Vault and Database Firewall operations.

Note:

Oracle Audit Vault and Database Firewall does not accept user names with quotation marks. For example, "jsmith" is not a valid user name for an Oracle Audit Vault and Database Firewall user account, or an account created on a target for use by Oracle Audit Vault and Database Firewall.

14.3.2 Creating Local Administrative User

You can create Audit Vault Server administrative accounts to manage administration.

Audit Vault Server super administrators can create both super administrator and administrator user accounts.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admins subtab on the main page is selected by default.

  3. Click Add in the top, right corner.
  4. In the Add Admin dialog box, select Local AVDF User.
  5. For Local AVDF User, enter the details to create a database administrator.
  6. Enter the newly created Admin Name.
  7. Select the Admin Type.
  8. Enter the Password and Re-type Password.

    Oracle Audit Vault and Database Firewall does not accept user names with quotation marks, such as "jsmith".

  9. Click Save.

14.3.3 Viewing the Status of Administrator User Accounts

Learn how to view the status of administrator accounts.

As a super administrator, you can view the status of administrator accounts by clicking the Settings tab. The Manage Admins sub tab lists all administrator and super administrator accounts, with their statuses, password expiry dates, the targets and target groups they have access to, etc.

14.3.4 Changing User Account Types for Audit Vault Server

You can change Audit Vault Server administrative account type from administrator to super administrator, or vice versa.

You can change an administrative account type from administrator to super administrator, or vice versa.

Note:

If you change a user's account type from administrator to super administrator, then the user will have access to all targets and target groups.
  1. Log in to the Audit Vault Server as a super administrator.

  2. Click the Settings tab.

    The Manage Admins section appears by default. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account that you want to change.

  4. In the Modify Admin dialog, click the edit icon against the Type field.

  5. You can change the type from Admin to Super Admin. If you want to change the type from Super Admin to Admin.

  6. You can also grant or revoke access to any targets or groups as necessary for this user.

  7. Click Save.

14.3.5 Unlocking User Accounts

This procedure explains how to unlock user accounts.

An Oracle Audit Vault and Database Firewall administrator account is locked after at least 3 failed login attempts. A super administrator must unlock user accounts.
  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admin sub tab is selected by default. It displays a list of existing users.

  3. Click the name of the user account you want to unlock.
  4. In the dialog, click Unlock.

    See Also:

    ALTER USER
14.3.5.1 Unlocking Super Administrator or Super Auditor Users

The below process should be used to unlock the last super administrator or last super auditor users. It can also be used as an alternative to unlocking other users through the console.

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  3. Start SQL*Plus without the user name and password.

    sqlplus /
  4. If the account is locked, run the following command to unlock the account:

    alter user <user name> account unlock;

14.3.6 Deleting Oracle Audit Vault Server Administrator Accounts

You may need to delete Oracle Audit Vault Server Administrator accounts with this procedure.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    The Manage Admin page appears by default, and displays existing users and the targets or groups to which they have access.

  3. Select the users you want to delete, and then click Delete.

14.4 Configuring sudo Access for Users

Learn about configuring sudo access for users.

14.4.1 About Configuring sudo Access

Learn about configuring sudo access.

The sudo command enables trusted users to have administrative access to systems without having to log in using root user passwords.

When users have sudo access, they can precede an administrative command with sudo, and then be prompted to enter their password. After authentication is complete, and assuming that the command is permitted, the command is processed as if it had been run by the root user.

14.4.2 Configuring sudo Access for Users

Learn about configuring sudo access for users.

You need root privileges to configure sudo access for users.

  1. Log in to the system as the root user.

  2. Create a new user account using the useradd command with the -G support option. This ensures the new user is added to the support group, granting them SSH access to the appliance.

    For example, to create a normal user account for the user psmith:

    # useradd -G support psmith
    
  3. Set a password for the user using the passwd command.

    For example:

    # passwd psmith
    Changing password for user psmith.
    New password: new_password
    Retype new password: new_password
    passwd: all authentication tokens updated successfully
    
  4. Run the visudo utility to edit the /etc/sudoers file.

    # visudo
    

    The sudoers file defines the policies that the sudo command applies.

  5. Find the lines in the sudoers file that grant access to users in the wheel group when enabled.

    ## Allows people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL
    
  6. Remove the comment character (#) at the start of the second line, which begins with %wheel.

    This enables the configuration option.

  7. Save your changes and exit the editor.

  8. Add the user account that you created earlier to the wheel group using the usermod command.

    For example:

    usermod -aG wheel psmith
    
  9. Test that the updated configuration enables the user that you created to run commands using sudo.

    1. Use the su command to switch to the new user account that you created.

      # su psmith
      
    2. Use the groups command to verify that the user is in the wheel group.

      $ groups
      psmith wheel
      
    3. Use the sudo command to run the whoami command.

      Because this is the first time that you have run a command using sudo from this user account, the banner message is displayed. You will be prompted to enter the password for the user account.

      $ sudo whoami
      

      The following output should appear:

      We trust you have received the usual lecture from the local System
      Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
      

      Enter the password when prompted:

      [sudo] password for psmith: password
      root
      

      The last line of the output is the user name that is returned by the whoami command. If sudo access has been configured correctly, then this value is root.

14.5 Managing User Access Rights to Targets and Groups

Learn about managing users access rights to targets and groups.

14.5.1 About Managing User Access Rights

Learn about managing user access rights.

Super administrators have access to all targets and target groups and can grant access to specific targets and groups to administrators.

You control access to targets or groups in two ways:

  • Modify a target or group to grant or revoke access for one or more users.

  • Modify a user account to grant or revoke access to one or more targets or groups.

14.5.2 Controlling Access Rights by User

Learn about controlling access rights by user.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    Click the Manage Admins sub tab. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account you want to modify.

    The Modify Admin dialog appears.

  4. In the Targets & Target Groups section:
  5. Click Save.

14.5.3 Controlling Access Rights by Targets or Group

You can control access rights by targets or groups.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab, and then click Security (which should be selected by default).
  3. Under Manage Admins sub tab, select the name of the administrator whose target access you want to change.
    The Modify Admin window appears.
  4. Click on the edit icon against Type. Select the appropriate type in the list.
  5. In the Targets & Target Groups section:
  6. Click Save.

14.6 Changing User Passwords in Oracle Audit Vault and Database Firewall

Learn how to manage password changes.

14.6.1 Password Requirements

There are several password requirements that you must meet for Oracle Audit Vault and Database Firewall.

You should have a policy in place for changing passwords for Oracle Audit Vault and Database Firewall user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.

Requirements for Passwords Containing Unicode Characters

If your password contains unicode characters (such as non-English characters with accent marks), then the password requirement is that it:

  • Be between 8 and 30 characters long.

Requirements for English-Only (ASCII) Passwords

If you are using English-only ASCII printable characters, then Oracle AVDF requires that passwords:

  • Be between 8 and 30 characters long.

  • Contain at least one of each of the following:

    • Lowercase letters: a-z.

    • Uppercase letters: A-Z.

    • Digits: 0-9.

    • Punctuation marks: comma (,), period (.), plus sign (+), colon(:), exclamation mark (!), and underscore (_)

  • Not contain double quotes ("), back space, or control characters.

In addition, Oracle recommends that passwords:

  • Not be the same as the user name.

  • Not be an Oracle reserved word.

  • Not be an obvious password (such as welcome, account, database, and user).

  • Not contain any repeating characters.

14.6.2 Changing the Audit Vault Server Administrator Password

Learn how to change the password of an administrator.

Administrators can change their own password. A super administrator can also change the password of other administrators. If a super administrator changes the password of another administrator, then the password automatically expires immediately after it is changed.

14.6.2.1 Changing Your Own Password

Learn how to change your own password as an administrator.

  1. Log in to the Audit Vault Server as an administrator.
  2. In the upper right corner, to the right of your login name, select the menu icon.
  3. Select Change Password from this menu.
  4. In the Change Password window, enter the following fields:
    • Current Password
    • New Password
    • Re-enter New Password
  5. Click Save.

Related Topics

14.6.2.2 Changing the Password of Another Administrator

Learn how to change the password of another administrator as a super administrator.

A super administrator can change the passwords of other administrators. However, the password automatically expires immediately after it is changed by the super administrator. The administrator must follow the instructions in the topic Changing the Expired Password of an Administrator.

  1. Log in to the Audit Vault Server as super administrator.
  2. Click the Settings tab and then if necessary, select Security in the left navigational menu.
  3. Under Manage Admins, select the name of the administrator whose password you want to change.
  4. In the Modify Admin window, click Change Password.
  5. In the Change Password window, enter the following fields:
    • New Password
    • Re-enter New Password
  6. Click Save.

Related Topics

14.6.2.3 Changing the Expired Password of an Administrator

Your password might be expired if a super administrator changes your password, or if it passes the password expiry date.

For Oracle AVDF release 20.4 or earlier, follow these steps:

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  3. Start SQL*Plus without the user name and password.

    sqlplus /
  4. If the account is locked, run the following command to unlock the account:

    alter user <user name> account unlock;
  5. Run the following command to change the password:

    alter user <user name> identified by <new_password>;

For Oracle AVDF release 20.5 or later, follow these steps:

  1. Log in to AVCLI with your user name.
  2. AVCLI prompts to enter the password. Enter the expired password.

    The following message is displayed:

    The password has expired. Enter the new password:

  3. Enter the new password of your choice. Follow the password requirements.

    The following message is displayed:

    Re-enter password:

  4. Re-enter the new password.
  5. If the following message is displayed, then you have successfully logged in to AVCLI with the new password, and your account is active again:
    
    Connected to: 
            Oracle Audit Vault Server - Version : 20.x.0.0.0
    

    Note:

    If your attempt to log in fails for 3 times or more, then your account gets locked. You need to unlock your account and retry the above mentioned steps.

14.7 Integrating Oracle Audit Vault and Database Firewall with Microsoft Active Directory or OpenLDAP

You can use Microsoft Active Directory or OpenLDAP to control access to Oracle Audit Vault and Database Firewall.

14.7.1 About Microsoft Active Directory or OpenLDAP Integration

You can integrate a Microsoft Active Directory or OpenLDAP server to authenticate users who connect to the Audit Vault Server console.

When users log in to the Audit Vault Server console, they're prompted to select a group from a list of groups. Users are authorized from the group to which they belong and select. After a user is authenticated, access is granted based on the Microsoft Active Directory or OpenLDAP groups to which the user belongs and selects.

A super user can assign the roles to the groups on Oracle Audit Vault Database Firewall. For example, super administrator, super auditor, administrator, or auditor. Oracle Audit Vault and Database Firewall release 20.1 and later supports Microsoft Active Directory and OpenLDAP.

Note:

  • While other LDAP servers may work, they are not tested or certified with Oracle Audit Vault and Database Firewall release 20.1.
  • Oracle AVDF does not support the default local accounts of Microsoft Active Directory (for example administrator). Refer to Microsoft documentation for complete information on default local accounts in Active Directory.
  • Microsoft Active Directory and OpenLDAP users and groups must belong to the domain specified in the topic Configuring an LDAP Server.

14.7.2 Configuring an LDAP Server

You can configure an LDAP server to authenticate users by using Microsoft Active Directory or OpenLDAP.

Prerequisite: The LDAP user must have access to the Microsoft Active Directory or OpenLDAP groups that are being provisioned for access to Oracle AVDF.
  1. Get the SSL/TLS certificate to connect to Microsoft Active Directory or OpenLDAP. This can be sourced from Microsoft Active Directory or OpenLDAP administrator. Using the command certutil -ca.cert client.crt is a common way to generate Active Directory client SSL/TLS certificate.
  2. Copy the SSL/TLS certificate in Base64 encoding format.
  3. Launch the Audit Vault Server console.
  4. Log in to the console as a super administrator.
  5. Click the Settings tab.
  6. Click the LDAP Configuration tab (or Active Directory/LDAP Configuration tab starting with Oracle AVDF release 20.8) in the main page.
  7. Click the Add button.
  8. Enter the Microsoft Active Directory or OpenLDAP server details. In the Active Directory/LDAP Configuration dialog, select either Active Directory (AD) or LDAP radio button.
  9. Provide a new Name for the LDAP server.
  10. Enter the AD/LDAP Host Name / IP Address.
  11. Enter the Port number for the SSL/TLS connection.
  12. Enter the Active Directory/LDAP Username and Password.

    The user must be able to retrieve all groups from the AD/LDAP server.

  13. Enter the Domain Name. For example, foobar.example.com.
  14. Provide the AD/LDAP Server Certificate (SSL/TLS) in Base64 encoding format that was sourced earlier in the initial step.
  15. Enter a new password as the Wallet Password for Storing Certificate. This wallet stores the SSL/TLS certificate you provided for LDAP SSL/TLS connection earlier.
  16. Enter the password again in Re-enter Wallet Password field.
  17. Click Test Connection to verify the details. Fix any errors encountered and proceed to the next step.
  18. Click Save.

    Note:

    Click Delete to delete the Microsoft Active Directory or OpenLDAP configuration. Starting Oracle AVDF 20.4, a dialog appears and prompts for your confirmation.

14.7.3 Creating New Users

Create new users for Microsoft Active Directory or OpenLDAP authentication.

  1. Log in to the Audit Vault Server console as a super administrator or super auditor.
  2. Click the Settings tab.

    The Manage Admins or Manage Auditors subtab on the main page is selected by default.

  3. Click Add in the top, right corner.
  4. In the Add Admin (or Add Auditor) dialog box, select Active Directory/LDAP Group.
  5. For Active Directory/LDAP Group, select the Import Mode.

    OpenLDAP or Active Directory users and groups have to exist in the LDAP server before you can create the admin or auditor on the Audit Vault Server for the same.

  6. If you have selected import mode as Fetch, then provide an LDAP User Name and Password. Alternatively, you can register an Microsoft Active Directory or OpenLDAP group in Oracle Audit Vault Database Firewall that corresponds to an existing group by providing the distinguished name. The LDAP user needs the correct access privileges to view all the groups that exist on the LDAP server.

    Note:

    The user credentials are not stored. Therefore, each time that you choose the Fetch option, you must enter the credentials.
  7. In the Group Name Like field, enter a keyword to search in order to fetch details from a group that has a similar name. Click Fetch at the bottom of the dialog. For example, enter admin keyword to fetch AD or OpenLDAP groups containing admin string in the group name.

    Note:

    A user can be added to a group. A group can have administrator or auditor privileges, but not both. For example, a group with the name AdminAndAuditor can have administrator privileges assigned. However, the same group cannot have auditor privileges. In case there is an attempt to add both the privileges, then it fails. The user SpecialUser can be part of both, the Admin group and the Auditor group. This user SpecialUser may choose to connect with Admin group as administrator, or with Auditor group as auditor.
  8. Select the Domain.
  9. Click the Fetch button at the bottom of the dialog. The values in the Group and User Type fields are populated.
  10. Select the right Group from the drop down menu.
  11. Select the User Type from the drop-down menu, such as, Admin, Super Admin, Auditor, or Super Auditor.
  12. If you have selected the import mode as Manual, then enter the Group Name as distinguished name.
  13. Click Save.

14.7.4 Logging In as an OpenLDAP or Microsoft Active Directory User

After OpenLDAP or Microsoft Active Directory is configured, users can log in to the Audit Vault Server console.

  1. Open the Audit Vault Server console.
  2. Select Active Directory/LDAP Group.
  3. Enter the user name and password.
    For database users, enter the user name and password. For Microsoft Active Directory users, enter the user name (sAMAccountName) and password. Select the domain name from the drop-down list.

    Note:

    The domain name is appended to the user name. This may cause issues if a user has been created with a domain in the user name.

    For example, if you attempt to login as user user@example.com and select the domain company.example.com, then the Audit Vault Server will attempt to look for the user user@example.com@company.example.com.

    Note:

    You must add the user to the Microsoft Active Directory or OpenLDAP group and register the group with the Audit Vault Server. See Creating New Users.
  4. On the following page, select a Group from the drop-down list.
  5. Click Save to log in and complete the authorization.

Note:

Microsoft Active Directory and OpenLDAP users can connect to the Audit Vault Server only through the Audit Vault Server console. They cannot connect to the Audit Vault Server through AVCLI or SQL*Plus.

14.8 Configuring Single Sign-On (SSO) for Audit Vault Server Console Users

Starting in Oracle AVDF 20.11, you can configure SSO for Audit Vault Server console users.

14.8.1 About SSO for Audit Vault Server Console Users

The Audit Vault Server can integrate with an identity provider (IdP) through SAML 2.0 integration, and the IdP can provide single sign-on (SSO) and multifactor authentication (MFA) support. Audit Vault Server doesn't store the SSO user credentials except for the SSO user name.

You can configure SSO for all types of Audit Vault Server console users, including normal administrators and auditors, readonly auditors, and super administrators and super auditors.

To manage SSO configurations, you need to log in to the Audit Vault Server console as a super administrator that is configured as a local AVDF user. You can't create or change SSO configurations in an SSO session.

As always, you cannot drop the last super administrator and super auditor configured as local AVDF user.

14.8.2 Adding SSO Configurations

To configure single sign-on (SSO), add your identity provider (IdP) information to the Audit Vault Server.

Note:

You can add multiple SSO configurations, but only one configuration can be enabled at any time.
  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Enter the following information:

    Field Description
    Identity Provider Name A name to identify the IdP in the Audit Vault Server.
    Provider Type

    Identity provider type, such as the following:

    • Microsoft Active Directory Federation Service
    • Microsoft Entra ID (MS-EI)
    • Oracle Access Manager (OAM)

      Note:

      Oracle AVDF 20.11 only: Though OAM is a valid identity provider, there is no option to select it. Instead, select any other identify provider, but in the following fields enter in the information for OAM.

    Note:

    You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.
    Identity Provider Domain

    Domain name for the IdP.

    For example: login.example.com

    Protocol The protocol is always SAML 2.0.
    SSO Sign-in URL

    URL that you use to sign in to the IdP.

    For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2

    SSO Sign-out URL

    URL that you use to sign out of the IdP. For some providers, this might be the same as the sign-in URL.

    For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2

    Identity Provider Issuer

    URI for the IdP.

    For example: https://sts.example.net/177306dd-a070-419a-b50f-6f71fc63b993

    Identity Provider Signing Certificate Certificate from the IdP in base-64 format. Either copy and paste the certificate or choose the file and upload it here.
  5. Click Save.
  6. If using Microsoft Azure Active Directory, you will need to include https://<AVDF_IP>/ords/apex_authentication.saml_callback in the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Logout URL fields when configuring Microsoft Azure Active Directory.
  7. To begin using the SSO configuration, you need to enable it. See Enabling SSO Configurations.

14.8.3 Copying the Audit Vault Server SSO Certificate to the Identity Provider

Some identity providers require the Audit Vault Server single sign-on (SSO) certificate and you might need to copy the SSO certificate from the Audit Vault Server.

  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Click Copy Certificate.

    The SSO certificate is copied to the clipboard.

14.8.4 Enabling SSO Configurations

To begin using a single sign-on (SSO) configuration, you need to enable it in the Audit Vault Server.

Note:

You can add multiple SSO configurations, but only one configuration can be enabled at any time.

Prerequisites

  • Add the SSO configuration if it's not already defined in the Audit Vault Server. See Adding SSO Configurations.
  • If another SSO configuration is already enabled, you need to disable it in the Audit Vault Server before enabling another SSO configuration. See Disabling an SSO Configuration.

Procedure

  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Select the SSO configuration that you want to enable.
  5. Click Enable.

14.8.5 Configuring ORDS After Enabling Oracle Access Manager as the SSO Identity Provider

After enabling Oracle Access Manager (OAM) as the SSO identity provider, you will need to configure Oracle Rest Data Services (ORDS).

Prerequisites

  • Enable the SSO configuration. See Enabling SSO Configurations.
  • Take note of:
    • The fully qualified host name (FQHN) of the Audit Vault Server
    • The FQHN of the OAM server
    • The FQHN of the LDAP server

Procedure

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the oracle user.

    su - oracle
  3. Set the JAVA_PATH variable:
    export JAVA_PATH=/usr/java/jdk-11/bin
  4. Set the PATH variable:
    export PATH=$JAVA_PATH:/var/lib/oracle/ords/bin:$PATH
  5. Set the following configuration:
    ords --config /var/lib/oracle/ords_conf config set --global security.forceHTTPS true
  6. Set the following configuration through either of the following:
    • Ensure that you input the appropriate FQHN's where necessary.

      ords --config /var/lib/oracle/ords_conf config set --global security.externalSessionTrustedOrigins “https://<FQHN of AV server>:443, http://<FQHN of OAM server>:<port>, https://<FQHN LDAP server configured on OAM server>:<port>, null”
    • You can alternatively use the following since the parameters in the above are optional:

      ords --config /var/lib/oracle/ords_conf config set --global security.externalSessionTrustedOrigins “null”
  7. Exit back to root.
  8. Restart ORDS:
    systemctl restart ords
  9. Test the connection by creating a new OAM user and logging into the Audit Vault Server console as that OAM user.

    See Creating New SSO Users and Logging In to the Audit Vault Server Console as an SSO User for more information.

  10. If configured in high availability, repeat the above steps on the standby Audit Vault Server.

14.8.6 Creating New SSO Users

To create new users for single sign-on (SSO) authentication, follow these steps.

Prerequisite

Ensure the SSO is enabled for users on the identity provider.

Procedure

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.
  3. On the Manage Admins subtab, click Add.
  4. In the dialog box, select SAML SSO.
  5. Enter the SSO user name.

    Allowed characters include uppercase and lowercase letters, numbers, and symbols (@.-_!^~+%). The total length of the SSO user name can't exceed 127 characters.

    Note:

    Though AVDF accepts uppercase and lowercase letters, it will store the user name in only uppercase. The identity providers perform a case in-sensitive comparison of the user names.
  6. Select the admin type, Admin or Super Admin.
  7. Click Save.

14.8.7 Logging In to the Audit Vault Server Console as an SSO User

When you log in to the Audit Vault Server console as a single sign-on (SSO) user, you're redirected to the enabled identity provider (IdP) SSO login page.

  1. On the Audit Vault Server console login page, select Single Sign-On.
  2. Click Login.
  3. Enter your SSO user name and password on the SSO login page.

    Note:

    Log out and close your browser at the end of the session. Otherwise, your browser will still be logged in as your SSO user and will allow access to the Audit Vault Server.

14.8.8 Modifying SSO Users

You can change the admin type for an existing single sign-on (SSO) user.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.
  3. On the Manage Admins subtab, click the user that you want to modify.
  4. Click the Change icon next to the Type field.
  5. Select a new admin type.
  6. Click Save.

14.8.9 Disabling an SSO Configuration

You might need to disable a single sign-on (SSO) configuration if you want to modify, delete, or switch to another SSO configuration.

  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Select the SSO configuration that you want to disable.
  5. Click Disable.

    You should see the following message:

    Do you want to continue to disable this identity provider?

  6. Click OK to disable the configuration.

14.8.10 Configuring ORDS After Disabling Oracle Access Manager as the SSO Identity Provider

After disabling Oracle Access Manager (OAM) as the SSO identity provider, you will also need to configure Oracle Rest Data Services (ORDS).

Prerequisites

Procedure

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the oracle user.

    su - oracle
  3. Set the JAVA_PATH variable:
    export JAVA_PATH=/usr/java/jdk-11/bin
  4. Set the PATH variable:
    export PATH=$JAVA_PATH:/var/lib/oracle/ords/bin:$PATH
  5. Execute the following command:
    ords --config /var/lib/oracle/ords_conf config delete --global security.forceHTTPS true
  6. Execute the following command:
    ords --config /var/lib/oracle/ords_conf config delete --global security.externalSessionTrustedOrigins true
  7. Exit back to root.
  8. Restart ORDS:
    systemctl restart ords
  9. If configured in high availability, optionally repeat the above steps on the standby Audit Vault Server.

14.8.11 Modifying an SSO Configuration

You can modify a single sign-on (SSO) configuration if it's disabled in the Audit Vault Server.

Note:

You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.

Prerequisite

Disable the SSO configuration if it's currently enabled in the Audit Vault Server. See Disabling an SSO Configuration.

Procedure

  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Update any of the following information:

    Field Description
    Identity Provider Name A name to identify the IdP in the Audit Vault Server.
    Provider Type

    Identity provider type, such as the following:

    • Microsoft Active Directory Federation Service
    • Microsoft Entra ID (MS-EI)
    • Oracle Access Manager (OAM)

      Note:

      Oracle AVDF 20.11 only: Though OAM is a valid identity provider, there is no option to select it. Instead, select any other identify provider, but in the following fields enter in the information for OAM.

    Note:

    You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.
    Identity Provider Domain

    Domain name for the IdP.

    For example: login.example.com

    Protocol The protocol is always SAML 2.0.
    SSO Sign-in URL

    URL that you use to sign in to the IdP.

    For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2

    SSO Sign-out URL

    URL that you use to sign out of the IdP. For some providers, this might be the same as the sign-in URL.

    For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2

    Identity Provider Issuer

    URI for the IdP.

    For example: https://sts.example.net/177306dd-a070-419a-b50f-6f71fc63b993

    Identity Provider Signing Certificate Certificate from the IdP in base-64 format. Either copy and paste the certificate or choose the file and upload it here.
  5. Click Save.

14.8.12 Deleting an SSO Configuration

You can delete a single sign-on (SSO) configuration if it's disabled in the Audit Vault Server.

Prerequisite

Disable the SSO configuration if it's currently enabled in the Audit Vault Server. See Disabling an SSO Configuration.

Procedure

  1. Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
  2. Click the Settings tab.
  3. Click the Single Sign-On (SSO) subtab.
  4. Select the SSO configuration that you want to delete.
  5. Click Delete.

    After deleting the SSO configuration, existing sessions will receive the following message when logging out:

    Invalid value for parameter: SAML_SIGN_IN_URL

14.9 Unlocking and Locking the AVSYS User

When installing or administering Oracle Audit Vault and Database Firewall (Oracle AVDF), you sometimes need to unlock and relock the AVSYS user.

14.9.1 Unlocking the AVSYS User

Use these steps to temporarily unlock the AVSYS user to complete an installation or administration task.

Prerequisite

Log in to the Audit Vault Server through SSH and switch to the root user.

See Logging In to Oracle AVDF Appliances Through SSH.

Procedure

  1. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  2. Start SQL*Plus without the user name and password.

    sqlplus /
  3. Run the following command to unlock avsys:

    alter user avsys identified by <password> account unlock;
  4. Exit SQL*Plus.

    exit

14.9.2 Locking the AVSYS User

Use these steps to lock the AVSYS user after you've unlocked it to complete an installation or administration task.

Prerequisite

Log in to the Audit Vault Server through SSH and switch to the root user.

See Logging In to Oracle AVDF Appliances Through SSH.

Procedure

  1. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  2. Start SQL*Plus without the user name and password.

    sqlplus /
  3. Run the following command to lock avsys:

    alter user avsys account lock;
  4. Exit SQL*Plus.

    exit

14.10 Updating the Passwords for the AGENTUSR# and AVSRCUSR# Accounts

Though updating the passwords of the AGENTUSR# or AVSRCUSR# database accounts is not recommended, in rare situations, it may be necessary.

To update the AGENTUSR# password

  1. Deactivate the Audit Vault Agents for which the password needs to be updated. See Deactivating and Removing the Audit Vault Agent
  2. Activate all the Audit Vault Agents that were deactivated. See Activating and Starting the Audit Vault Agent

    Be sure to redeploy the Audit Vault Agent using new activation key that is displayed on the Audit Vault Server console.

To update the AVSRCUSR# password

  1. Stop all audit trails. See Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server.
  2. Unlock the avsys user.

    See Unlocking the AVSYS User.

    Note:

    Remember to relock the avsys account when you've completed this task.
  3. For all the accounts that need their passwords updated:
    alter user <user_name> identified by <password>;
  4. Lock the avsys user.

    See Locking the AVSYS User.

  5. Start all audit trails. See Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server

14.11 Rotate the AVREPORTUSER Password

Starting in Oracle AVDF 20.13, the password for the AVREPORTUSER user will automatically rotate every 60 days under normal circumstances. More specifically, the password for the AVREPORTUSER user will expire after 90 days, but there is a daily check that will automatically rotate the password if there are less than 30 days until the expiration date, i.e. the password will automatically rotate every 60 days. However, if there are repeated technical issues and the password can't be automatically rotated at any point from days 60-90, then the password can be manually rotated using the following steps.

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the following command:
    /usr/bin/python3/usr/local/dbfw/lib/python/avs/scripts/update_avreportuser_user_password.py –FORCE
  3. Force the rotation of the AVREPORTUSER user's password.
    –FORCE
  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Unlock the avsys and avreportuser account.
    1. Switch to the dvaccountmgr user.

      su - dvaccountmgr
    2. Start SQL*Plus without the user name and password.

      sqlplus /
    3. Run the following command to unlock avsys and avreportuser and alter the password:

      alter user avsys identified by <avsys_password> account unlock;
      alter user avreportuser identified by <avreportuser_new_password> account unlock;
    4. Exit SQL*Plus.

      exit

    Note:

    Remember to relock the avsys and avreportuser accounts when you've completed this task.
  3. Switch to the oracle user.

    su - oracle
  4. Execute the following command with the new password for the avreportuser account:
    /var/lib/oracle/dbfw/bin/avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias AV_AUDITOR_USER
    1. Follow the prompt to enter avreportuser for source user name.
    2. Provide the new avreportuser password <avreportuser_new_password> twice.
  5. Drop the existing database link avrptusr_link.dbfwdb as oracle user through SQL*Plus:
    sqlplus avsys/<avsys_password>
    drop database link avrptusr_link.dbfwdb;
    exit
  6. Recreate the avrptusr_link.dbfwdb database link as oracle user:
    /var/lib/oracle/dbfw/bin/avca create_report_user_dblink
  7. Lock the avsys user.

    See Locking the AVSYS User.

  8. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  9. Switch to the oracle user.

    su - oracle
  10. Run the following command:
    /usr/local/dbfw/bin/javafwk restart

14.12 Rotating the ORDS_PUBLIC_USER User Password

Starting in Oracle AVDF 20.13, the password for the ORDS_PUBLIC_USER user will automatically rotate every 60 days under normal circumstances. More specifically, the password for the ORDS_PUBLIC_USER user will expire after 90 days, but there is a daily check that will automatically rotate the password if there are less than 30 days until the expiration date, i.e. the password will automatically rotate every 60 days. However, if there are repeated technical issues and the password can't be automatically rotated at any point from days 60-90, then the password can be manually rotated using the following steps.

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the following command:
    /usr/bin/python3/usr/local/dbfw/lib/python/avs/scripts/update_ords_public_user_user_password.py
  3. Force the rotation of the ORDS_PUBLIC_USER user's password.
    –FORCE
  1. Unlock the ORDS_PUBLIC_USER user:
    1. Log in to the Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Switch to the dvaccountmgr user.

      su - dvaccountmgr
    3. Start SQL*Plus without the user name and password.

      sqlplus /
    4. Run the following command to unlock ORDS_PUBLIC_USER:

      alter user ORDS_PUBLIC_USER identified by new_password account unlock;
    5. Exit SQL*Plus.

      exit
  2. Update the password in the wallet file
    1. Switch to the root user.

      su - root

      Note:

      If you're using the OCI marketplace image, use the sudo su - command.
    2. Switch to the oracle user.

      su - oracle
    3. Set the JAVA_PATH and PATH variables:
       JAVA_PATH=/usr/java/jdk-11/bin
      export PATH=/var/lib/oracle/ords/bin:$PATH
      export PATH=$JAVA_PATH:$PATH
    4. Open the wallet file and update the password when prompted:
      ords --config /var/lib/oracle/ords_conf config secret db.password
  3. Restart ORDS
    1. Switch to the root user.

      su - root

      Note:

      If you're using the OCI marketplace image, use the sudo su - command.
    2. Run the following command:
      systemctl stop ords
    3. Run the following command:
      systemctl start ords
  1. Unlock the ORDS_PUBLIC_USER user:
    1. Log in to the Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Switch to the dvaccountmgr user.

      su - dvaccountmgr
    3. Start SQL*Plus without the user name and password.

      sqlplus /
    4. Run the following command to unlock ORDS_PUBLIC_USER:

      alter user ORDS_PUBLIC_USER identified by new_password account unlock;
    5. Exit SQL*Plus.

      exit
  2. Update the apex.xml file with the new ORDS_PUBLIC_USER password:
    1. Change directories to where the apex.xml file is located:
      cd var/lib/oracle/ords/conf/ords/conf 
    2. Open the apex.xml file for editing:
      vi apex.xml
    3. Update the password. Make sure to put a ! before the password:
      <entry key="db.password">!new_password</entry>
    4. Save changes and exit editting:
      :wq!
  3. Restart ORDS
    1. Switch to the root user.

      su - root

      Note:

      If you're using the OCI marketplace image, use the sudo su - command.
    2. Run the following command:
      systemctl stop ords
    3. Run the following command:
      systemctl start ords