14 Managing User Accounts and Access
To manage user accounts and access, you can use both the command line and the Audit Vault Server console.
14.1 About Oracle Audit Vault and Database Firewall Administrative Accounts
Oracle Audit Vault and Database Firewall administrative accounts help you manage user access.
When administrators log in to Oracle Audit Vault and Database Firewall, they have access only to administrative functions, whereas auditors have access only to the auditing functions.
Oracle Audit Vault and Database Firewall has two types of administrative user accounts:
- Audit Vault Server Super Administrator:
  - Manages system-wide settings
  - Creates user accounts for super administrators and administrators
  - Has access to all targets and target groups
  - Grants access to targets or target groups to administrators
- Audit Vault Server Administrator: Has access to specific targets or target groups granted by a super administrator. Administrators cannot manage system-wide settings.
After installing Oracle Audit Vault and Database Firewall, a post-installation configuration page lets you create and specify passwords for one super administrator account and one super auditor account for the Audit Vault Server. This super administrator and super auditor created during post installation are Audit Vault Server database users. There is at least one Audit Vault Server database user as super administrator and one as super auditor.
- Local AVDF: Authentication for local users is through local passwords. See Configuring Administrative Accounts for Oracle Audit Vault Server for more information.
- AD/LDAP: Authentication for AD/LDAP users is through Microsoft Active Directory (AD) or OpenLDAP. See Integrating Oracle Audit Vault and Database Firewall with Microsoft Active Directory or OpenLDAP for more information.
- SSO: Single sign-on (SSO) can be configured starting in Oracle AVDF 20.11. Authentication for SSO users is through SAML 2.0 integration with Microsoft Active Directory Federation Service, Microsoft Entra ID (MS-EI), or Oracle Access Manager. See Configuring Single Sign-On (SSO) for Audit Vault Server Console Users for more information.
Thereafter, the Audit Vault Server super administrator can create other administrative users, and the super auditor can create other auditor users, for the server.
This chapter describes managing user accounts and passwords for the Oracle Audit Vault and Database Firewall administrator user interfaces.
See Also:
- Oracle Audit Vault and Database Firewall Installation Guide for information on post-installation configuration.
- Oracle Audit Vault and Database Firewall Auditor's Guide for information on managing auditor accounts.
14.2 Security Technical Implementation Guides and Implementation for User Accounts
Oracle Audit Vault and Database Firewall follows the Security Technical Implementation Guides (STIG) and implementation rules for user accounts:
- The default Oracle Audit Vault and Database Firewall user accounts must have custom passwords.
- The maximum number of consecutive failed login attempts is 3.
- When a user exceeds the maximum number of unsuccessful login attempts, the account is locked until a super administrator releases it.
- Account lockouts will persist until a super administrator resets the user account.
See Also:
- Security Technical Implementation Guides for more information about STIG compliance.
14.3 Configuring Administrative Accounts for Oracle Audit Vault Server
Learn how to configure administrative accounts for Oracle Audit Vault Server.
14.3.1 Guidelines for Securing Oracle Audit Vault and Database Firewall User Accounts
Review the guidelines for securing Oracle Audit Vault and Database Firewall user accounts.
As a best practice, use the installed Oracle Audit Vault and Database Firewall user accounts only as back-up accounts. Add new user accounts, with unique user names and passwords, for the users who are responsible for the day-to-day Oracle Audit Vault and Database Firewall operations.
Note:
Oracle Audit Vault and Database Firewall does not accept user names with quotation marks. For example, "jsmith" is not a valid user name for an Oracle Audit Vault and Database Firewall user account, or for an account created on a target for use by Oracle Audit Vault and Database Firewall.
14.3.2 Creating Local Administrative User
You can create Audit Vault Server administrative accounts to manage administration.
Audit Vault Server super administrators can create both super administrator and administrator user accounts.
- Log in to the Audit Vault Server console as a super administrator.
- Click the Settings tab.
  The Manage Admins subtab on the main page is selected by default.
- Click Add in the top, right corner.
- In the Add Admin dialog box, select Local AVDF User.
- For Local AVDF User, enter the details to create a database administrator:
  - Enter the newly created Admin Name.
  - Select the Admin Type.
  - Enter the Password and Re-type Password.
  Oracle Audit Vault and Database Firewall does not accept user names with quotation marks, such as "jsmith".
- Click Save.
14.3.3 Viewing the Status of Administrator User Accounts
Learn how to view the status of administrator accounts.
As a super administrator, you can view the status of administrator accounts by clicking the Settings tab. The Manage Admins subtab lists all administrator and super administrator accounts, with their statuses, password expiry dates, the targets and target groups they have access to, and so on.
14.3.4 Changing User Account Types for Audit Vault Server
You can change the Audit Vault Server administrative account type from administrator to super administrator, or vice versa.
Note:
If you change a user's account type from administrator to super administrator, then the user will have access to all targets and target groups.
- Log in to the Audit Vault Server as a super administrator.
- Click the Settings tab.
  The Manage Admins section appears by default. It displays existing users and the targets or groups to which they have access.
- Click the name of the user account that you want to change.
- In the Modify Admin dialog, click the edit icon against the Type field.
- Change the type from Admin to Super Admin, or from Super Admin to Admin.
- You can also grant or revoke access to any targets or groups as necessary for this user.
  Release Oracle AVDF 20.1 and 20.2:
  - Select the targets or groups to which you want to grant or revoke access.
  - Click the Grant or Revoke button.
    A green check mark indicates access granted. A red cross mark (X) indicates access revoked.
  Release Oracle AVDF 20.3 and later:
  - Select the targets or groups to which you want to grant or revoke access. You can also search for the targets or groups in the field under Targets & Target Groups.
  - Choose the access rights in the Available column and move them to the Selected column, to grant access. Choose the access rights in the Selected column and move them to the Available column, to revoke access.
- Click Save.
14.3.5 Unlocking User Accounts
This procedure explains how to unlock user accounts.
14.3.5.1 Unlocking Super Administrator or Super Auditor Users
Use the following process to unlock the last super administrator or last super auditor user. It can also be used as an alternative to unlocking other users through the console.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Switch to the dvaccountmgr user.
  su - dvaccountmgr
- Start SQL*Plus without the user name and password.
  sqlplus /
- If the account is locked, run the following command to unlock the account:
  alter user <user name> account unlock;
14.4 Configuring sudo Access for Users
Learn about configuring sudo access for users.
14.4.1 About Configuring sudo Access
Learn about configuring sudo access.
The sudo command enables trusted users to have administrative access to systems without having to log in using root user passwords.
When users have sudo access, they can precede an administrative command with sudo, and then be prompted to enter their password. After authentication is complete, and assuming that the command is permitted, the command is processed as if it had been run by the root user.
14.4.2 Configuring sudo Access for Users
Learn about configuring sudo access for users.
You need root privileges to configure sudo access for users.
- Log in to the system as the root user.
- Create a new user account using the useradd command with the -G support option. This ensures the new user is added to the support group, granting them SSH access to the appliance.
  For example, to create a normal user account for the user psmith:
  # useradd -G support psmith
- Set a password for the user using the passwd command.
  For example:
  # passwd psmith
  Changing password for user psmith.
  New password: new_password
  Retype new password: new_password
  passwd: all authentication tokens updated successfully
- Run the visudo utility to edit the /etc/sudoers file.
  # visudo
  The sudoers file defines the policies that the sudo command applies.
- Find the lines in the sudoers file that grant access to users in the wheel group when enabled.
  ## Allows people in group wheel to run all commands
  # %wheel ALL=(ALL) ALL
- Remove the comment character (#) at the start of the second line, which begins with %wheel. This enables the configuration option.
- Save your changes and exit the editor.
- Add the user account that you created earlier to the wheel group using the usermod command.
  For example:
  # usermod -aG wheel psmith
- Test that the updated configuration enables the user that you created to run commands using sudo.
  - Use the su command to switch to the new user account that you created.
    # su psmith
  - Use the groups command to verify that the user is in the wheel group.
    $ groups
    psmith wheel
  - Use the sudo command to run the whoami command. Because this is the first time that you have run a command using sudo from this user account, the banner message is displayed. You will be prompted to enter the password for the user account.
    $ sudo whoami
    The following output should appear:
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
    Enter the password when prompted:
    [sudo] password for psmith: password
    root
    The last line of the output is the user name that is returned by the whoami command. If sudo access has been configured correctly, then this value is root.
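The procedure above has two things worth verifying after the fact: that the %wheel rule in /etc/sudoers is really uncommented, and that the new user is in both the support group (SSH access) and the wheel group (sudo). The following added example, which is not part of the Oracle documentation or the appliance, checks both conditions offline against constructed copies of a sudoers fragment and an /etc/group file; the function names and the sample contents are my own. It looks only at supplementary group membership, which is what useradd -G and usermod -aG set.

```python
import re

# Matches an active (uncommented) rule granting the wheel group full sudo rights,
# which is the line the procedure above uncomments in /etc/sudoers.
WHEEL_RULE = re.compile(r"^\s*%wheel\s+ALL\s*=\s*\(ALL\)\s+ALL\s*$")

# Constructed sample inputs, not copied from a real appliance.
SUDOERS_BEFORE = """## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
"""
SUDOERS_AFTER = """## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
"""
GROUP_FILE = """root:x:0:
wheel:x:10:psmith
support:x:1001:psmith,jdoe
users:x:100:
"""


def wheel_rule_enabled(sudoers_text: str) -> bool:
    """True if an uncommented '%wheel ALL=(ALL) ALL' line exists in the sudoers text."""
    return any(WHEEL_RULE.match(line) for line in sudoers_text.splitlines())


def parse_groups(group_text: str) -> dict:
    """Parse /etc/group-style lines (name:passwd:gid:members) into {group: set(members)}.

    /etc/group lists only supplementary members; a user's primary group lives in
    /etc/passwd and is not visible here. That is sufficient for this check because
    'useradd -G' and 'usermod -aG' add supplementary groups.
    """
    groups = {}
    for line in group_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line: skip rather than guess
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def user_groups(group_text: str, user: str) -> list:
    """Sorted names of the supplementary groups that list the user as a member."""
    return sorted(g for g, members in parse_groups(group_text).items() if user in members)


def sudo_readiness(user: str, group_text: str, sudoers_text: str) -> dict:
    """Summarize whether the user can reach the appliance (support) and use sudo (wheel)."""
    groups = user_groups(group_text, user)
    rule_ok = wheel_rule_enabled(sudoers_text)
    return {
        "in_support": "support" in groups,   # SSH access to the appliance
        "in_wheel": "wheel" in groups,       # membership the %wheel rule applies to
        "wheel_rule_enabled": rule_ok,
        "can_sudo": "wheel" in groups and rule_ok,
    }


if __name__ == "__main__":
    # Before visudo: user is in wheel but the rule is still commented out.
    print(sudo_readiness("psmith", GROUP_FILE, SUDOERS_BEFORE))
    # After visudo: both conditions hold.
    print(sudo_readiness("psmith", GROUP_FILE, SUDOERS_AFTER))
```

On a live system the same functions can be fed the real files, for example `open("/etc/group").read()` and the output of `visudo -c` or a root-readable copy of /etc/sudoers; the regex deliberately does not match a `#`-prefixed line, so a rule that was never uncommented is reported as disabled.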
-
14.5 Managing User Access Rights to Targets and Groups
Learn about managing users access rights to targets and groups.
14.5.1 About Managing User Access Rights
Learn about managing user access rights.
Super administrators have access to all targets and target groups and can grant access to specific targets and groups to administrators.
You control access to targets or groups in two ways:
- Modify a target or group to grant or revoke access for one or more users.
- Modify a user account to grant or revoke access to one or more targets or groups.
14.6 Changing User Passwords in Oracle Audit Vault and Database Firewall
Learn how to manage password changes.
14.6.1 Password Requirements
There are several password requirements that you must meet for Oracle Audit Vault and Database Firewall.
You should have a policy in place for changing passwords for Oracle Audit Vault and Database Firewall user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.
Requirements for Passwords Containing Unicode Characters
If your password contains Unicode characters (such as non-English characters with accent marks), then the password requirement is that it:
- Be between 8 and 30 characters long.
Requirements for English-Only (ASCII) Passwords
If you are using English-only ASCII printable characters, then Oracle AVDF requires that passwords:
- Be between 8 and 30 characters long.
- Contain at least one of each of the following:
  - Lowercase letters: a-z.
  - Uppercase letters: A-Z.
  - Digits: 0-9.
  - Punctuation marks: comma (,), period (.), plus sign (+), colon (:), exclamation mark (!), and underscore (_).
- Not contain double quotes ("), back space, or control characters.
In addition, Oracle recommends that passwords:
- Not be the same as the user name.
- Not be an Oracle reserved word.
- Not be an obvious password (such as welcome, account, database, and user).
- Not contain any repeating characters.
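The rules above are easy to encode as a pre-check that a password policy tool or onboarding script can run before an account is created, which avoids a failed Save in the console. The following is an added example written for this page; it is not Oracle's validation code. Two interpretations are assumptions: "repeating characters" is read as the same character twice in a row, and the double-quote and control-character rule is applied to Unicode passwords as well as ASCII ones. The Oracle reserved-word recommendation is not checked because the page does not list the words.

```python
import re
import unicodedata

# Punctuation marks the page lists as satisfying the punctuation requirement.
REQUIRED_PUNCTUATION = set(",.+:!_")
# Obvious passwords named on the page (compared case-insensitively).
OBVIOUS_PASSWORDS = {"welcome", "account", "database", "user"}


def check_avdf_password(password: str, username: str = "") -> dict:
    """Evaluate a candidate password against the stated requirements and recommendations.

    Returns {"valid": bool, "errors": [...], "warnings": [...]}.
    'errors' are hard requirements; 'warnings' are recommendations and do not
    affect 'valid'.
    """
    errors, warnings = [], []

    # Length applies to every password, ASCII or Unicode.
    if not 8 <= len(password) <= 30:
        errors.append("length must be between 8 and 30 characters")

    # Double quotes, backspace and other control characters are rejected.
    # Assumption: applied to Unicode passwords too, not only ASCII ones.
    if '"' in password:
        errors.append("must not contain double quotes")
    if any(unicodedata.category(c) == "Cc" for c in password):  # Cc covers \b, \t, \n, ...
        errors.append("must not contain backspace or control characters")

    # Character-class rules apply only to English-only (ASCII) passwords.
    if password.isascii():
        if not any("a" <= c <= "z" for c in password):
            errors.append("must contain a lowercase letter (a-z)")
        if not any("A" <= c <= "Z" for c in password):
            errors.append("must contain an uppercase letter (A-Z)")
        if not any("0" <= c <= "9" for c in password):
            errors.append("must contain a digit (0-9)")
        if not any(c in REQUIRED_PUNCTUATION for c in password):
            errors.append("must contain one of , . + : ! _")

    # Recommendations (reported, not enforced).
    if username and password.lower() == username.lower():
        warnings.append("should not be the same as the user name")
    if password.lower() in OBVIOUS_PASSWORDS:
        warnings.append("should not be an obvious password")
    # Assumption: 'repeating characters' means the same character twice in a row.
    if re.search(r"(.)\1", password):
        warnings.append("should not contain repeating characters")

    return {"valid": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample inputs; 'jsmith' is the user name the page uses as an example.
    for candidate in ("Welcome.1x", "password", 'Abc,1234"x', "Pässwörd", "Ab1.xyz"):
        print(repr(candidate), check_avdf_password(candidate, "jsmith"))
```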
14.6.2 Changing the Audit Vault Server Administrator Password
Learn how to change the password of an administrator.
Administrators can change their own password. A super administrator can also change the password of other administrators. If a super administrator changes the password of another administrator, then the password automatically expires immediately after it is changed.
14.6.2.1 Changing Your Own Password
Learn how to change your own password as an administrator.
- Log in to the Audit Vault Server as an administrator.
- In the upper right corner, to the right of your login name, select the menu icon.
- Select Change Password from this menu.
- In the Change Password window, enter the following fields:
  - Current Password
  - New Password
  - Re-enter New Password
- Click Save.
14.6.2.2 Changing the Password of Another Administrator
Learn how to change the password of another administrator as a super administrator.
A super administrator can change the passwords of other administrators. However, the password automatically expires immediately after it is changed by the super administrator. The administrator must follow the instructions in the topic Changing the Expired Password of an Administrator.
- Log in to the Audit Vault Server as super administrator.
- Click the Settings tab and then if necessary, select Security in the left navigational menu.
- Under Manage Admins, select the name of the administrator whose password you want to change.
- In the Modify Admin window, click Change Password.
- In the Change Password window, enter the following fields:
  - New Password
  - Re-enter New Password
- Click Save.
14.6.2.3 Changing the Expired Password of an Administrator
Your password might be expired if a super administrator changes your password, or if it passes the password expiry date.
For Oracle AVDF release 20.4 or earlier, follow these steps:
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Switch to the dvaccountmgr user.
  su - dvaccountmgr
- Start SQL*Plus without the user name and password.
  sqlplus /
- If the account is locked, run the following command to unlock the account:
  alter user <user name> account unlock;
- Run the following command to change the password:
  alter user <user name> identified by <new_password>;
For Oracle AVDF release 20.5 or later, follow these steps:
14.7 Integrating Oracle Audit Vault and Database Firewall with Microsoft Active Directory or OpenLDAP
You can use Microsoft Active Directory or OpenLDAP to control access to Oracle Audit Vault and Database Firewall.
14.7.1 About Microsoft Active Directory or OpenLDAP Integration
You can integrate a Microsoft Active Directory or OpenLDAP server to authenticate users who connect to the Audit Vault Server console.
When users log in to the Audit Vault Server console, they're prompted to select a group from a list of groups. Users are authorized based on the group to which they belong and which they select. After a user is authenticated, access is granted based on the Microsoft Active Directory or OpenLDAP groups to which the user belongs and selects.
A super user can assign the roles to the groups on Oracle Audit Vault Database Firewall. For example, super administrator, super auditor, administrator, or auditor. Oracle Audit Vault and Database Firewall release 20.1 and later supports Microsoft Active Directory and OpenLDAP.
Note:
- While other LDAP servers may work, they are not tested or certified with Oracle Audit Vault and Database Firewall release 20.1.
- Oracle AVDF does not support the default local accounts of Microsoft Active Directory (for example administrator). Refer to Microsoft documentation for complete information on default local accounts in Active Directory.
- Microsoft Active Directory and OpenLDAP users and groups must belong to the domain specified in the topic Configuring an LDAP Server.
14.7.2 Configuring an LDAP Server
You can configure an LDAP server to authenticate users by using Microsoft Active Directory or OpenLDAP.
14.7.3 Creating New Users
Create new users for Microsoft Active Directory or OpenLDAP authentication.
- Log in to the Audit Vault Server console as a super administrator or super auditor.
- Click the Settings tab.
  The Manage Admins or Manage Auditors subtab on the main page is selected by default.
- Click Add in the top, right corner.
- In the Add Admin (or Add Auditor) dialog box, select Active Directory/LDAP Group.
- For Active Directory/LDAP Group, select the Import Mode.
  OpenLDAP or Active Directory users and groups have to exist in the LDAP server before you can create the admin or auditor on the Audit Vault Server for them.
- If you have selected the import mode as Fetch, then provide an LDAP User Name and Password. Alternatively, you can register a Microsoft Active Directory or OpenLDAP group in Oracle Audit Vault Database Firewall that corresponds to an existing group by providing the distinguished name. The LDAP user needs the correct access privileges to view all the groups that exist on the LDAP server.
  Note:
  The user credentials are not stored. Therefore, each time that you choose the Fetch option, you must enter the credentials.
- In the Group Name Like field, enter a keyword to search in order to fetch details from a group that has a similar name. Click Fetch at the bottom of the dialog. For example, enter the admin keyword to fetch AD or OpenLDAP groups containing the admin string in the group name.
  Note:
  A user can be added to a group. A group can have administrator or auditor privileges, but not both. For example, a group with the name AdminAndAuditor can have administrator privileges assigned. However, the same group cannot have auditor privileges. If there is an attempt to add both privileges, then it fails. The user SpecialUser can be part of both the Admin group and the Auditor group. This user SpecialUser may choose to connect with the Admin group as an administrator, or with the Auditor group as an auditor.
- Select the Domain.
- Click the Fetch button at the bottom of the dialog. The values in the Group and User Type fields are populated.
- Select the right Group from the drop-down menu.
- Select the User Type from the drop-down menu, such as Admin, Super Admin, Auditor, or Super Auditor.
- If you have selected the import mode as Manual, then enter the Group Name as a distinguished name.
- Click Save.
14.7.4 Logging In as an OpenLDAP or Microsoft Active Directory User
After OpenLDAP or Microsoft Active Directory is configured, users can log in to the Audit Vault Server console.
Note:
Microsoft Active Directory and OpenLDAP users can connect to the Audit Vault Server only through the Audit Vault Server console. They cannot connect to the Audit Vault Server through AVCLI or SQL*Plus.
14.8 Configuring Single Sign-On (SSO) for Audit Vault Server Console Users
Starting in Oracle AVDF 20.11, you can configure SSO for Audit Vault Server console users.
14.8.1 About SSO for Audit Vault Server Console Users
The Audit Vault Server can integrate with an identity provider (IdP) through SAML 2.0 integration, and the IdP can provide single sign-on (SSO) and multifactor authentication (MFA) support. Audit Vault Server doesn't store the SSO user credentials except for the SSO user name.
You can configure SSO for all types of Audit Vault Server console users, including normal administrators and auditors, readonly auditors, and super administrators and super auditors.
To manage SSO configurations, you need to log in to the Audit Vault Server console as a super administrator that is configured as a local AVDF user. You can't create or change SSO configurations in an SSO session.
As always, you cannot drop the last super administrator and super auditor configured as a local AVDF user.
14.8.2 Adding SSO Configurations
To configure single sign-on (SSO), add your identity provider (IdP) information to the Audit Vault Server.
Note:
You can add multiple SSO configurations, but only one configuration can be enabled at any time.
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Enter the following information:
  - Identity Provider Name: A name to identify the IdP in the Audit Vault Server.
  - Provider Type: Identity provider type, such as the following:
    - Microsoft Active Directory Federation Service
    - Microsoft Entra ID (MS-EI)
    - Oracle Access Manager (OAM)
    Note:
    Oracle AVDF 20.11 only: Though OAM is a valid identity provider, there is no option to select it. Instead, select any other identity provider, but in the following fields enter the information for OAM.
    Note:
    You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.
  - Identity Provider Domain: Domain name for the IdP. For example: login.example.com
  - Protocol: The protocol is always SAML 2.0.
  - SSO Sign-in URL: URL that you use to sign in to the IdP. For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2
  - SSO Sign-out URL: URL that you use to sign out of the IdP. For some providers, this might be the same as the sign-in URL. For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2
  - Identity Provider Issuer: URI for the IdP. For example: https://sts.example.net/177306dd-a070-419a-b50f-6f71fc63b993
  - Identity Provider Signing Certificate: Certificate from the IdP in base-64 format. Either copy and paste the certificate or choose the file and upload it here.
- Click Save.
- If using Microsoft Azure Active Directory, you will need to include https://<AVDF_IP>/ords/apex_authentication.saml_callback in the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Logout URL fields when configuring Microsoft Azure Active Directory.
- To begin using the SSO configuration, you need to enable it. See Enabling SSO Configurations.
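Because a mistyped sign-in URL or a mangled certificate only shows up as a failed redirect after the configuration is enabled, it helps to sanity-check the field values before entering them in the console. The following added example is my own and not part of the Oracle documentation or product: it validates a record holding the fields listed above (required fields present, provider type from the page's list, https sign-in and sign-out URLs, an absolute issuer URI, and a certificate that decodes as base-64) and builds the callback URL the page says to register at the IdP. The field names, the expectation that the sign-in URL host sits under the IdP domain, and the sample record are assumptions; the certificate body is a placeholder, not a real certificate.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Provider types listed on the page.
PROVIDER_TYPES = {
    "Microsoft Active Directory Federation Service",
    "Microsoft Entra ID (MS-EI)",
    "Oracle Access Manager (OAM)",
}
# Assumed record layout (one key per console field).
REQUIRED_FIELDS = ("name", "provider_type", "domain", "sign_in_url",
                   "sign_out_url", "issuer", "signing_certificate")


def saml_callback_url(avdf_host: str) -> str:
    """The Audit Vault Server endpoint the page says to register at the IdP
    as Identifier (Entity ID), Reply URL (ACS) and Logout URL."""
    return f"https://{avdf_host}/ords/apex_authentication.saml_callback"


def _https_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.hostname)


def _decodable_base64_cert(cert: str) -> bool:
    """Accept a PEM block or a bare base-64 body; only checks that it decodes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    body = "".join(body.split())  # drop line breaks and whitespace
    if not body:
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def validate_sso_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"missing field: {k}" for k in REQUIRED_FIELDS if not cfg.get(k)]
    if problems:
        return problems
    if cfg["provider_type"] not in PROVIDER_TYPES:
        problems.append(f"unknown provider type: {cfg['provider_type']}")
    if cfg.get("protocol", "SAML 2.0") != "SAML 2.0":
        problems.append("protocol must be SAML 2.0")
    for key in ("sign_in_url", "sign_out_url"):
        if not _https_url(cfg[key]):
            problems.append(f"{key} must be an https URL")
    # Assumption: the sign-in URL host is the IdP domain or a host beneath it.
    host = (urlparse(cfg["sign_in_url"]).hostname or "").lower()
    domain = cfg["domain"].lower()
    if host and host != domain and not host.endswith("." + domain):
        problems.append("sign_in_url host is not under the identity provider domain")
    issuer = urlparse(cfg["issuer"])
    if not (issuer.scheme and issuer.netloc):
        problems.append("issuer must be an absolute URI")
    if not _decodable_base64_cert(cfg["signing_certificate"]):
        problems.append("signing_certificate is not valid base-64")
    return problems


# Constructed sample record using the page's example values; the certificate
# body is a placeholder, not a real certificate.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"placeholder bytes, not a real certificate").decode()
               + "\n-----END CERTIFICATE-----")
SAMPLE_CONFIG = {
    "name": "corp-idp",
    "provider_type": "Microsoft Entra ID (MS-EI)",
    "domain": "login.example.com",
    "sign_in_url": "https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2",
    "sign_out_url": "https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2",
    "issuer": "https://sts.example.net/177306dd-a070-419a-b50f-6f71fc63b993",
    "signing_certificate": SAMPLE_CERT,
}

if __name__ == "__main__":
    print(validate_sso_config(SAMPLE_CONFIG))            # []
    print(saml_callback_url("<AVDF_IP>"))                # placeholder host from the page
```

The base-64 check deliberately stops short of parsing the certificate; confirming that the decoded bytes are the IdP's actual signing certificate (subject, validity period, fingerprint) is best done with the IdP metadata in hand, for example with `openssl x509 -noout -text` on the uploaded file.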
14.8.3 Copying the Audit Vault Server SSO Certificate to the Identity Provider
Some identity providers require the Audit Vault Server single sign-on (SSO) certificate and you might need to copy the SSO certificate from the Audit Vault Server.
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Click Copy Certificate.
  The SSO certificate is copied to the clipboard.
14.8.4 Enabling SSO Configurations
To begin using a single sign-on (SSO) configuration, you need to enable it in the Audit Vault Server.
Note:
You can add multiple SSO configurations, but only one configuration can be enabled at any time.
Prerequisites
- Add the SSO configuration if it's not already defined in the Audit Vault Server. See Adding SSO Configurations.
- If another SSO configuration is already enabled, you need to disable it in the Audit Vault Server before enabling another SSO configuration. See Disabling an SSO Configuration.
Procedure
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Select the SSO configuration that you want to enable.
- Click Enable.
14.8.5 Configuring ORDS After Enabling Oracle Access Manager as the SSO Identity Provider
After enabling Oracle Access Manager (OAM) as the SSO identity provider, you will need to configure Oracle Rest Data Services (ORDS).
Prerequisites
- Enable the SSO configuration. See Enabling SSO Configurations.
- Take note of:
- The fully qualified host name (FQHN) of the Audit Vault Server
- The FQHN of the OAM server
- The FQHN of the LDAP server
Procedure
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
  su - oracle
- Set the JAVA_PATH variable:
  export JAVA_PATH=/usr/java/jdk-11/bin
- Set the PATH variable:
  export PATH=$JAVA_PATH:/var/lib/oracle/ords/bin:$PATH
- Set the following configuration:
  ords --config /var/lib/oracle/ords_conf config set --global security.forceHTTPS true
- Set the following configuration through either of the following:
  - Ensure that you input the appropriate FQHNs where necessary.
    ords --config /var/lib/oracle/ords_conf config set --global security.externalSessionTrustedOrigins "https://<FQHN of AV server>:443, http://<FQHN of OAM server>:<port>, https://<FQHN LDAP server configured on OAM server>:<port>, null"
  - You can alternatively use the following, since the parameters in the above are optional:
    ords --config /var/lib/oracle/ords_conf config set --global security.externalSessionTrustedOrigins "null"
- Exit back to root.
- Restart ORDS:
  systemctl restart ords
- Test the connection by creating a new OAM user and logging in to the Audit Vault Server console as that OAM user.
  See Creating New SSO Users and Logging In to the Audit Vault Server Console as an SSO User for more information.
- If configured in high availability, repeat the above steps on the standby Audit Vault Server.
14.8.6 Creating New SSO Users
To create new users for single sign-on (SSO) authentication, follow these steps.
Prerequisite
Ensure the SSO is enabled for users on the identity provider.
Procedure
- Click the Settings tab.
- Enter the SSO user name.
  Allowed characters include uppercase and lowercase letters, numbers, and symbols (@.-_!^~+%). The total length of the SSO user name can't exceed 127 characters.
  Note:
  Though AVDF accepts uppercase and lowercase letters, it will store the user name in only uppercase. The identity providers perform a case-insensitive comparison of the user names.
14.8.7 Logging In to the Audit Vault Server Console as an SSO User
When you log in to the Audit Vault Server console as a single sign-on (SSO) user, you're redirected to the enabled identity provider (IdP) SSO login page.
- On the Audit Vault Server console login page, select Single Sign-On.
- Click Login.
- Enter your SSO user name and password on the SSO login page.
Note:
Log out and close your browser at the end of the session. Otherwise, your browser will still be logged in as your SSO user and will allow access to the Audit Vault Server.
14.8.8 Modifying SSO Users
You can change the admin type for an existing single sign-on (SSO) user.
- Click the Settings tab.
14.8.9 Disabling an SSO Configuration
You might need to disable a single sign-on (SSO) configuration if you want to modify, delete, or switch to another SSO configuration.
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Select the SSO configuration that you want to disable.
- Click Disable.
  You should see the following message:
  Do you want to continue to disable this identity provider?
- Click OK to disable the configuration.
14.8.10 Configuring ORDS After Disabling Oracle Access Manager as the SSO Identity Provider
After disabling Oracle Access Manager (OAM) as the SSO identity provider, you will also need to configure Oracle Rest Data Services (ORDS).
Prerequisites
- Disable the SSO configuration. See Disabling an SSO Configuration.
Procedure
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
  su - oracle
- Set the JAVA_PATH variable:
  export JAVA_PATH=/usr/java/jdk-11/bin
- Set the PATH variable:
  export PATH=$JAVA_PATH:/var/lib/oracle/ords/bin:$PATH
- Execute the following command:
  ords --config /var/lib/oracle/ords_conf config delete --global security.forceHTTPS true
- Execute the following command:
  ords --config /var/lib/oracle/ords_conf config delete --global security.externalSessionTrustedOrigins true
- Exit back to root.
- Restart ORDS:
  systemctl restart ords
- If configured in high availability, optionally repeat the above steps on the standby Audit Vault Server.
14.8.11 Modifying an SSO Configuration
You can modify a single sign-on (SSO) configuration if it's disabled in the Audit Vault Server.
Note:
You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.
Prerequisite
Disable the SSO configuration if it's currently enabled in the Audit Vault Server. See Disabling an SSO Configuration.
Procedure
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Update any of the following information:
  - Identity Provider Name: A name to identify the IdP in the Audit Vault Server.
  - Provider Type: Identity provider type, such as the following:
    - Microsoft Active Directory Federation Service
    - Microsoft Entra ID (MS-EI)
    - Oracle Access Manager (OAM)
    Note:
    Oracle AVDF 20.11 only: Though OAM is a valid identity provider, there is no option to select it. Instead, select any other identity provider, but in the following fields enter the information for OAM.
    Note:
    You can't change the provider type after you add an SSO configuration to the Audit Vault Server. To change the provider type, add a new SSO configuration with the new provider type.
  - Identity Provider Domain: Domain name for the IdP. For example: login.example.com
  - Protocol: The protocol is always SAML 2.0.
  - SSO Sign-in URL: URL that you use to sign in to the IdP. For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2
  - SSO Sign-out URL: URL that you use to sign out of the IdP. For some providers, this might be the same as the sign-in URL. For example: https://login.example.com/177306dd-a070-419a-b50f-6f71fc63b993/saml2
  - Identity Provider Issuer: URI for the IdP. For example: https://sts.example.net/177306dd-a070-419a-b50f-6f71fc63b993
  - Identity Provider Signing Certificate: Certificate from the IdP in base-64 format. Either copy and paste the certificate or choose the file and upload it here.
- Click Save.
14.8.12 Deleting an SSO Configuration
You can delete a single sign-on (SSO) configuration if it's disabled in the Audit Vault Server.
Prerequisite
Disable the SSO configuration if it's currently enabled in the Audit Vault Server. See Disabling an SSO Configuration.
Procedure
- Log in to the Audit Vault Server console as a super administrator that's configured as a local AVDF user.
- Click the Settings tab.
- Click the Single Sign-On (SSO) subtab.
- Select the SSO configuration that you want to delete.
- Click Delete.
  After deleting the SSO configuration, existing sessions will receive the following message when logging out:
  Invalid value for parameter: SAML_SIGN_IN_URL
14.9 Unlocking and Locking the AVSYS User
When installing or administering Oracle Audit Vault and Database Firewall
(Oracle AVDF), you sometimes need to unlock and relock the AVSYS
user.
14.9.1 Unlocking the AVSYS User
Use these steps to temporarily unlock the AVSYS user to complete an installation or administration task.
Prerequisite
Log in to the Audit Vault Server through SSH and switch to the root user.
Procedure
- Switch to the dvaccountmgr user.
su - dvaccountmgr
- Start SQL*Plus without the user name and password.
sqlplus /
- Run the following command to unlock avsys:
alter user avsys identified by <password> account unlock;
- Exit SQL*Plus.
exit
14.9.2 Locking the AVSYS User
Use these steps to lock the AVSYS user after you've unlocked it to complete an installation or administration task.
Prerequisite
Log in to the Audit Vault Server through SSH and switch to the root user.
Procedure
- Switch to the dvaccountmgr user.
su - dvaccountmgr
- Start SQL*Plus without the user name and password.
sqlplus /
- Run the following command to lock avsys:
alter user avsys account lock;
- Exit SQL*Plus.
exit
14.10 Updating the Passwords for the AGENTUSR# and AVSRCUSR# Accounts
Though updating the passwords of the AGENTUSR# or AVSRCUSR# database accounts is not recommended, in rare situations it may be necessary.
To update the AGENTUSR# password
- Deactivate the Audit Vault Agents for which the password needs to be updated. See Deactivating and Removing the Audit Vault Agent.
- Activate all the Audit Vault Agents that were deactivated. See Activating and Starting the Audit Vault Agent.
Be sure to redeploy the Audit Vault Agent using the new activation key that is displayed on the Audit Vault Server console.
To update the AVSRCUSR# password
- Stop all audit trails. See Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server.
- Unlock the avsys user.
Note:
Remember to relock the avsys account when you've completed this task.
- For all the accounts that need their passwords updated:
alter user <user_name> identified by <password>;
- Lock the avsys user.
- Start all audit trails. See Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server.
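The unlock, change, relock sequence in 14.9 and 14.10 leaves avsys unlocked if a step fails midway. The following wrapper is an added example, not Oracle's own code: it runs the same SQL*Plus statements as dvaccountmgr and relocks avsys on every exit path. It assumes it runs as root on the Audit Vault Server, reads the passwords from the environment variables AVSYS_PASSWORD and NEW_PASSWORD (names chosen here), and takes the AGENTUSR# or AVSRCUSR# account names as arguments.

```shell
#!/bin/sh
# Added example, not part of the Oracle AVDF documentation or product.
# Wraps the "unlock avsys, change passwords, relock avsys" sequence from
# 14.9 and 14.10 so that avsys is relocked even if an ALTER USER fails.
# Assumptions: runs as root on the Audit Vault Server (so "su - dvaccountmgr"
# and "sqlplus /" behave as described above); passwords arrive in the
# environment variables AVSYS_PASSWORD and NEW_PASSWORD (names chosen here),
# so they never appear on a command line or in shell history.

# Build the SQL*Plus script: unlock avsys, then reset each listed account.
# $1 = avsys password, $2 = new password, remaining args = account names.
build_sql() {
    avsys_pw=$1
    new_pw=$2
    shift 2
    # Stop at the first failing statement instead of continuing blindly.
    printf 'WHENEVER SQLERROR EXIT SQL.SQLCODE\n'
    printf 'alter user avsys identified by "%s" account unlock;\n' "$avsys_pw"
    for acct in "$@"; do
        printf 'alter user %s identified by "%s";\n' "$acct" "$new_pw"
    done
    printf 'exit\n'
}

# The relock script that must always run afterwards (see the Note in 14.10).
lock_avsys_sql() {
    printf 'alter user avsys account lock;\nexit\n'
}

# Feed the script on stdin to SQL*Plus as the dvaccountmgr user.
run_as_dvaccountmgr() {
    su - dvaccountmgr -c 'sqlplus -S /'
}

# Change the passwords of the given accounts, relocking avsys on any exit path.
rotate_with_relock() {
    trap 'lock_avsys_sql | run_as_dvaccountmgr' EXIT
    build_sql "$AVSYS_PASSWORD" "$NEW_PASSWORD" "$@" | run_as_dvaccountmgr
}

# Only act when invoked explicitly, for example:
#   AVSYS_PASSWORD=... NEW_PASSWORD=... ./rotate.sh --run AGENTUSR#1
if [ "${1:-}" = "--run" ]; then
    shift
    rotate_with_relock "$@"
fi
```

Stop the affected audit trails or agents before running it, as the procedure above requires, because the wrapper only covers the database side of the change.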
14.11 Rotate the AVREPORTUSER Password
Starting in Oracle AVDF 20.13, the password for the AVREPORTUSER user will automatically rotate every 60 days under normal circumstances. More specifically, the password for the AVREPORTUSER user will expire after 90 days, but there is a daily check that will automatically rotate the password if there are less than 30 days until the expiration date, i.e. the password will automatically rotate every 60 days. However, if there are repeated technical issues and the password can't be automatically rotated at any point from days 60-90, then the password can be manually rotated using the following steps.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Run the following command:
/usr/bin/python3 /usr/local/dbfw/lib/python/avs/scripts/update_avreportuser_user_password.py --FORCE
  - --FORCE: Force the rotation of the AVREPORTUSER user's password.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Unlock the avsys and avreportuser accounts:
  - Switch to the dvaccountmgr user.
  su - dvaccountmgr
  - Start SQL*Plus without the user name and password.
  sqlplus /
  - Run the following commands to unlock avsys and avreportuser and alter the password:
  alter user avsys identified by <avsys_password> account unlock;
  alter user avreportuser identified by <avreportuser_new_password> account unlock;
  - Exit SQL*Plus.
  exit
  Note:
  Remember to relock the avsys and avreportuser accounts when you've completed this task.
- Switch to the oracle user.
su - oracle
- Execute the following command with the new password for the avreportuser account:
/var/lib/oracle/dbfw/bin/avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias AV_AUDITOR_USER
  - Follow the prompt to enter avreportuser for source user name.
  - Provide the new avreportuser password <avreportuser_new_password> twice.
- Drop the existing database link avrptusr_link.dbfwdb as the oracle user through SQL*Plus:
sqlplus avsys/<avsys_password>
drop database link avrptusr_link.dbfwdb;
exit
- Recreate the avrptusr_link.dbfwdb database link as the oracle user:
/var/lib/oracle/dbfw/bin/avca create_report_user_dblink
- Lock the avsys user.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
su - oracle
- Run the following command:
/usr/local/dbfw/bin/javafwk restart
14.12 Rotating the ORDS_PUBLIC_USER User Password
Starting in Oracle AVDF 20.13, the password for the ORDS_PUBLIC_USER user will automatically rotate every 60 days under normal circumstances. More specifically, the password for the ORDS_PUBLIC_USER user will expire after 90 days, but there is a daily check that will automatically rotate the password if there are less than 30 days until the expiration date, i.e. the password will automatically rotate every 60 days. However, if there are repeated technical issues and the password can't be automatically rotated at any point from days 60-90, then the password can be manually rotated using the following steps.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Run the following command:
/usr/bin/python3 /usr/local/dbfw/lib/python/avs/scripts/update_ords_public_user_user_password.py
  - --FORCE: Force the rotation of the ORDS_PUBLIC_USER user's password.
- Unlock the ORDS_PUBLIC_USER user:
  - Log in to the Audit Vault Server through SSH and switch to the root user.
  - Switch to the dvaccountmgr user.
  su - dvaccountmgr
  - Start SQL*Plus without the user name and password.
  sqlplus /
  - Run the following command to unlock ORDS_PUBLIC_USER:
  alter user ORDS_PUBLIC_USER identified by new_password account unlock;
  - Exit SQL*Plus.
  exit
- Update the password in the wallet file:
  - Switch to the root user.
  su - root
  Note:
  If you're using the OCI marketplace image, use the sudo su - command.
  - Switch to the oracle user.
  su - oracle
  - Set the JAVA_PATH and PATH variables:
  JAVA_PATH=/usr/java/jdk-11/bin
  export PATH=/var/lib/oracle/ords/bin:$PATH
  export PATH=$JAVA_PATH:$PATH
  - Open the wallet file and update the password when prompted:
  ords --config /var/lib/oracle/ords_conf config secret db.password
- Restart ORDS:
  - Switch to the root user.
  su - root
  Note:
  If you're using the OCI marketplace image, use the sudo su - command.
  - Run the following command:
  systemctl stop ords
  - Run the following command:
  systemctl start ords
- Unlock the ORDS_PUBLIC_USER user:
  - Log in to the Audit Vault Server through SSH and switch to the root user.
  - Switch to the dvaccountmgr user.
  su - dvaccountmgr
  - Start SQL*Plus without the user name and password.
  sqlplus /
  - Run the following command to unlock ORDS_PUBLIC_USER:
  alter user ORDS_PUBLIC_USER identified by new_password account unlock;
  - Exit SQL*Plus.
  exit
- Update the apex.xml file with the new ORDS_PUBLIC_USER password:
  - Change directories to where the apex.xml file is located:
  cd /var/lib/oracle/ords/conf/ords/conf
  - Open the apex.xml file for editing:
  vi apex.xml
  - Update the password. Make sure to put a ! before the password:
  <entry key="db.password">!new_password</entry>
  - Save changes and exit editing:
  :wq!
- Restart ORDS:
  - Switch to the root user.
  su - root
  Note:
  If you're using the OCI marketplace image, use the sudo su - command.
  - Run the following command:
  systemctl stop ords
  - Run the following command:
  systemctl start ords