Table of Contents

• List of Examples
• List of Figures
• List of Tables
• Title and Copyright Information
• Preface
  • Intended Audience
  • Documentation Accessibility
  • Related Documents
  • Conventions
• Changes in This Release for Oracle Database Enterprise User Security Administrator's Guide
  • Changes in this Release for Release 19c Version 19.1
    • New Features
  • Changes in Oracle Database Release 18c Version 18.1
    • New Features
  • Changes in Oracle Database 12c Release 2 (12.2.0.1)
    • New Features
• 1 Introducing Enterprise User Security
  • 1.1 Introduction to Enterprise User Security
    • 1.1.1 The Challenges of User Management
    • 1.1.2 Enterprise User Security: The Big Picture
      • 1.1.2.1 How Oracle Internet Directory Implements Identity Management
        • 1.1.2.1.1 About Identity Management Realms
        • 1.1.2.1.2 About Identity Management Realm-Specific Oracle Contexts
      • 1.1.2.2 Enterprise Users Compared to Database Users
      • 1.1.2.3 About Enterprise User Schemas
        • 1.1.2.3.1 Private or Exclusive Schemas
        • 1.1.2.3.2 Shared Schemas
      • 1.1.2.4 How Enterprise Users Access Database Resources with Database Links
      • 1.1.2.5 How Enterprise Users Are Authenticated
    • 1.1.3 About Enterprise User Security Directory Entries
      • 1.1.3.1 Enterprise Users
      • 1.1.3.2 Enterprise Roles
      • 1.1.3.3 Enterprise Domains
      • 1.1.3.4 Database Server Entries
      • 1.1.3.5 User-Schema Mappings
      • 1.1.3.6 Administrative Groups
      • 1.1.3.7 Password Policies
  • 1.2 About Using Shared Schemas for Enterprise User Security
    • 1.2.1 Overview of Shared Schemas Used in Enterprise User Security
    • 1.2.2 How Shared Schemas Are Configured for Enterprise Users
    • 1.2.3 How Enterprise Users Are Mapped to Schemas
  • 1.3 Enterprise User Proxy
  • 1.4 About Using Current User Database Links for Enterprise User Security
  • 1.5 Enterprise User Security Deployment Considerations
    • 1.5.1 Security Aspects of Centralizing Security Credentials
      • 1.5.1.1 Security Benefits Associated with Centralized Security Credential Management
      • 1.5.1.2 Security Risks Associated with Centralized Security Credential Management
    • 1.5.2 Security of Password-Authenticated Enterprise User Database Login Information
      • 1.5.2.1 What Is Meant by Trusted Databases
      • 1.5.2.2 Protecting Database Password Verifiers
    • 1.5.3 Considerations for Defining Database Membership in Enterprise Domains
    • 1.5.4 Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security
      • 1.5.4.1 Typical Configurations
• 2 Getting Started with Enterprise User Security
  • 2.1 Configuring Your Database to Use the Directory
  • 2.2 Registering Your Database with the Directory
  • 2.3 Registering an Oracle RAC Database with the Directory
  • 2.4 Creating a Shared Schema in the Database
  • 2.5 Mapping Enterprise Users to the Shared Schema
  • 2.6 Connecting to the Database as an Enterprise User
  • 2.7 Using Enterprise Roles
  • 2.8 Using Proxy Permissions
  • 2.9 Using Pluggable Databases
    • 2.9.1 Wallet Location for Pluggable Databases
    • 2.9.2 Wallet Root for Pluggable Databases
    • 2.9.3 Connecting to a Directory Service
      • 2.9.3.1 Comparison of the dsi.ora and ldap.ora Files
      • 2.9.3.2 About Using a dsi.ora File
      • 2.9.3.3 Creating the dsi.ora File
      • 2.9.3.4 About Using an ldap.ora File
      • 2.9.3.5 Creating the ldap.ora File
    • 2.9.4 Default Database DN Format
    • 2.9.5 Plugging and Unplugging PDBs
    • 2.9.6 Switching Containers
• 3 Configuration and Administration Tools Overview
  • 3.1 Enterprise User Security Tools Overview
  • 3.2 Oracle Internet Directory Self-Service Console
  • 3.3 Oracle Net Configuration Assistant
    • 3.3.1 Starting Oracle Net Configuration Assistant
  • 3.4 Database Configuration Assistant
    • 3.4.1 Starting Database Configuration Assistant
  • 3.5 Oracle Wallet Manager
    • 3.5.1 Starting Oracle Wallet Manager
    • 3.5.2 The orapki Command-Line Utility
  • 3.6 Oracle Enterprise Manager
  • 3.7 User Migration Utility
  • 3.8 Duties of an Enterprise User Security Administrator/DBA
• 4 Enterprise User Security Configuration Tasks and Troubleshooting
  • 4.1 Enterprise User Security Configuration Overview
  • 4.2 Enterprise User Security Configuration Roadmap
  • 4.3 Preparing the Directory for Enterprise User Security (Phase One)
    • 4.3.1 Configuring Directory Access for Enterprise Users
    • 4.3.2 About the Database Wallet and Password
      • 4.3.2.1 Sharing Wallets and sqlnet.ora Files Among Multiple Databases
  • 4.4 Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two)
  • 4.5 Configure Enterprise User Security for the Authentication Method You Require (Phase Three)
    • 4.5.1 Configuring Enterprise User Security for Password Authentication
    • 4.5.2 Configuring Enterprise User Security for Kerberos Authentication
    • 4.5.3 Configuring Enterprise User Security for SSL Authentication
      • 4.5.3.1 Viewing the Database DN in the Wallet and in the Directory
  • 4.6 Enabling Current User Database Links
  • 4.7 Troubleshooting Enterprise User Security
    • 4.7.1 ORA-n Errors for Password-Authenticated Enterprise Users
    • 4.7.2 ORA-n Errors for Kerberos-Authenticated Enterprise Users
    • 4.7.3 ORA-n Errors for SSL-Authenticated Enterprise Users
    • 4.7.4 NO-GLOBAL-ROLES Checklist
    • 4.7.5 USER-SCHEMA ERROR Checklist
    • 4.7.6 DOMAIN-READ-ERROR Checklist
• 5 Administering Enterprise User Security
  • 5.1 Administering Identity Management Realms
    • 5.1.1 Identity Management Realm Versions
    • 5.1.2 Setting Properties of an Identity Management Realm
      • 5.1.2.1 Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes
    • 5.1.3 Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
    • 5.1.4 Managing Identity Management Realm Administrators
  • 5.2 Administering Enterprise Users
    • 5.2.1 Creating New Enterprise Users
    • 5.2.2 Setting Enterprise User Passwords
    • 5.2.3 Granting Enterprise Roles to Enterprise Users
    • 5.2.4 Granting Proxy Permissions to Enterprise Users
    • 5.2.5 Creating User-Schema Mappings for Enterprise Users
    • 5.2.6 Creating Label Authorizations for Enterprise Users
  • 5.3 Configuring User-Defined Enterprise Groups
    • 5.3.1 Granting Enterprise Roles to User-Defined Enterprise Groups
  • 5.4 Configuring Databases for Enterprise User Security
    • 5.4.1 Creating User-Schema Mappings for a Database
    • 5.4.2 Adding Administrators to Manage Database Schema Mappings
  • 5.5 Administering Enterprise Domains
    • 5.5.1 Creating an Enterprise Domain
    • 5.5.2 Adding Databases to an Enterprise Domain
    • 5.5.3 Creating User-Schema Mappings for an Enterprise Domain
    • 5.5.4 Configuring Enterprise Roles
    • 5.5.5 Configuring Proxy Permissions
    • 5.5.6 Configuring User Authentication Types and Enabling Current User Database Links
    • 5.5.7 Configuring Domain Administrators
• 6 Using Oracle Wallet Manager
  • 6.1 About Oracle Wallet Manager
    • 6.1.1 What Is Oracle Wallet Manager?
    • 6.1.2 Wallet Password Management
    • 6.1.3 Strong Wallet Encryption
    • 6.1.4 Microsoft Windows Registry Wallet Storage
    • 6.1.5 ACL Settings Needed for Wallet Files Created Using Wallet Manager
    • 6.1.6 Backward Compatibility
    • 6.1.7 Public-Key Cryptography Standards (PKCS) Support
    • 6.1.8 Multiple Certificate Support
    • 6.1.9 LDAP Directory Support
  • 6.2 Starting Oracle Wallet Manager
  • 6.3 General Process for Creating an Oracle Wallet
  • 6.4 Managing Oracle Wallets
    • 6.4.1 Required Guidelines for Creating Oracle Wallet Passwords
    • 6.4.2 Creating a New Oracle Wallet
      • 6.4.2.1 Creating a Standard Oracle Wallet
      • 6.4.2.2 Creating an Oracle Wallet to Store Hardware Security Module Credentials
    • 6.4.3 Opening an Existing Oracle Wallet
    • 6.4.4 Closing an Oracle Wallet
    • 6.4.5 Exporting an Oracle Wallet to a Third-Party Environment
    • 6.4.6 Exporting an Oracle Wallet to a Tools That Does Not Support PKCS #12
    • 6.4.7 Uploading an Oracle Wallet to an LDAP Directory
    • 6.4.8 Downloading an Oracle Wallet from an LDAP Directory
    • 6.4.9 Saving Changes to an Oracle Wallet
    • 6.4.10 Saving the Open Wallet to a New Location
    • 6.4.11 Saving an Oracle Wallet to the System Default Directory Location
    • 6.4.12 Deleting an Oracle Wallet
    • 6.4.13 Changing the Oracle Wallet Password
    • 6.4.14 Using Auto Login for Oracle Wallets to Enable Access Without Human Intervention
      • 6.4.14.1 About Using Auto Login for Oracle Wallets
      • 6.4.14.2 Enabling Auto Login for Oracle Wallets
      • 6.4.14.3 Disabling Auto Login for Oracle Wallets
  • 6.5 Managing Certificates for Oracle Wallets
    • 6.5.1 About Managing Certificates for Oracle Wallets
    • 6.5.2 Managing User Certificates for Oracle Wallets
      • 6.5.2.1 About Managing User Certificates
      • 6.5.2.2 Adding a Certificate Request
      • 6.5.2.3 Importing the User Certificate into an Oracle Wallet
      • 6.5.2.4 Importing Certificates and Wallets Created by Third Parties
      • 6.5.2.5 Removing a User Certificate from an Oracle Wallet
      • 6.5.2.6 Removing a Certificate Request
      • 6.5.2.7 Exporting a User Certificate
      • 6.5.2.8 Exporting a User Certificate Request
    • 6.5.3 Managing Trusted Certificates for Oracle Wallets
      • 6.5.3.1 Importing a Trusted Certificate
      • 6.5.3.2 Removing a Trusted Certificate
      • 6.5.3.3 Exporting a Trusted Certificate to Another File System Location
      • 6.5.3.4 Exporting All Trusted Certificates to Another File System Location
• 7 Enterprise User Security Manager (EUSM) Command Reference
  • 7.1 About Using a Secure External Password Store
  • 7.2 About SSL Port Connectivity through EUSM to OID
  • 7.3 Enterprise User Security Manager (EUSM) Command Summary
    • 7.3.1 createDomain
    • 7.3.2 deleteDomain
    • 7.3.3 listDomains
    • 7.3.4 listDomainInfo
    • 7.3.5 addDomainAdmin
    • 7.3.6 removeDomainAdmin
    • 7.3.7 listDomainAdmins
    • 7.3.8 addDatabase
    • 7.3.9 removeDatabase
    • 7.3.10 addDBAdmin
    • 7.3.11 listDBAdmins
    • 7.3.12 listDBInfo
    • 7.3.13 removeDBAdmin
    • 7.3.14 createMapping
    • 7.3.15 deleteMapping
    • 7.3.16 listMappings
    • 7.3.17 setCulinkStatus
    • 7.3.18 setAuthTypes
    • 7.3.19 createRole
    • 7.3.20 deleteRole
    • 7.3.21 addGlobalRole
    • 7.3.22 removeGlobalRole
    • 7.3.23 grantRole
    • 7.3.24 revokeRole
    • 7.3.25 listEnterpriseRoles
    • 7.3.26 listEnterpriseRolesOfUser
    • 7.3.27 listEnterpriseRoleInfo
    • 7.3.28 listGlobalRolesInDB
    • 7.3.29 listSharedSchemasInDB
    • 7.3.30 createProxyPerm
    • 7.3.31 deleteProxyPerm
    • 7.3.32 addTargetUser
    • 7.3.33 removeTargetUser
    • 7.3.34 grantProxyPerm
    • 7.3.35 revokeProxyPerm
    • 7.3.36 listProxyPermissions
    • 7.3.37 listProxyPermissionsOfUser
    • 7.3.38 listProxyPermissionInfo
    • 7.3.39 listTargetUsersInDB
    • 7.3.40 setDBOIDAuth
    • 7.3.41 listDBOIDAuth
    • 7.3.42 addToPwdAccessibleDomains
    • 7.3.43 removeFromPwdAccessibleDomains
    • 7.3.44 listPwdAccessibleDomains
    • 7.3.45 listRealmCommonAttr
    • 7.3.46 createAppCtxNamespace
    • 7.3.47 deleteAppCtxNamespace
    • 7.3.48 listAppCtxNamespaces
    • 7.3.49 createAppCtxAttribute
    • 7.3.50 deleteAppCtxAttribute
    • 7.3.51 listAppCtxAttributes
    • 7.3.52 createAppCtxAttributeValue
    • 7.3.53 deleteAppCtxAttributeValue
    • 7.3.54 listAppCtxAttributeValues
    • 7.3.55 createAppCtxUsers
    • 7.3.56 deleteAppCtxUsers
    • 7.3.57 listAppCtxUsers
• A Using the User Migration Utility
  • A.1 Benefits of Migrating Local or External Users to Enterprise Users
  • A.2 Introduction to the User Migration Utility
    • A.2.1 Bulk User Migration Process Overview
      • A.2.1.1 Step 0: About Using a Secure External Password Store
      • A.2.1.2 Step 1: (Phase One) Preparing for the Migration
      • A.2.1.3 Step 2: Verify User Information
      • A.2.1.4 Step 3: (Phase Two) Completing the Migration
    • A.2.2 About the ORCL_GLOBAL_USR_MIGRATION_DATA Table
      • A.2.2.1 Which Interface Table Column Values Can Be Modified Between Phase One and Phase Two?
    • A.2.3 Migration Effects on Users' Old Database Schemas
    • A.2.4 Migration Process
  • A.3 Prerequisites for Performing Migration
    • A.3.1 Required Database Privileges
    • A.3.2 Required Directory Privileges
    • A.3.3 Required Setup to Run the User Migration Utility
  • A.4 User Migration Utility Command-Line Syntax
  • A.5 Accessing Help for the User Migration Utility
  • A.6 User Migration Utility Parameters
    • A.6.1 Keyword: HELP
    • A.6.2 Keyword: PHASE
    • A.6.3 Keyword: DBLOCATION
    • A.6.4 Keyword: DIRLOCATION
    • A.6.5 Keyword: DBADMIN
    • A.6.6 Keyword: ENTADMIN
    • A.6.7 Keyword: USERS
    • A.6.8 Keyword: USERSLIST
    • A.6.9 Keyword: USERSFILE
    • A.6.10 Keyword: KREALM
    • A.6.11 Keyword: MAPSCHEMA
    • A.6.12 Keyword: MAPTYPE
    • A.6.13 Keyword: CASCADE
    • A.6.14 Keyword: CONTEXT
    • A.6.15 Keyword: LOGFILE
    • A.6.16 Keyword: PARFILE
    • A.6.17 Keyword: DBALIAS
    • A.6.18 Keyword: ENTALIAS
    • A.6.19 Keyword: WALLETLOCATION
    • A.6.20 Keyword: KEYALIAS
    • A.6.21 Keyword: KEYSTORE
  • A.7 User Migration Utility Usage Examples
    • A.7.1 Migrating Users While Retaining Their Own Schemas
    • A.7.2 Migrating Users and Mapping to a Shared Schema
      • A.7.2.1 Mapping Users to a Shared Schema Using Different CASCADE Options
        • A.7.2.1.1 Mapping Users to a Shared Schema with CASCADE=NO
        • A.7.2.1.2 Mapping Users to a Shared Schema with CASCADE=YES
      • A.7.2.2 Mapping Users to a Shared Schema Using Different MAPTYPE Options
        • A.7.2.2.1 About Using the SUBTREE Mapping Level Option
    • A.7.3 Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters
  • A.8 Troubleshooting Using the User Migration Utility
    • A.8.1 Common User Migration Utility Error Messages
      • A.8.1.1 Resolving Error Messages Displayed for Both Phases
      • A.8.1.2 Resolving Error Messages Displayed for Phase One
      • A.8.1.3 Resolving Error Messages Displayed for Phase Two
    • A.8.2 Common User Migration Utility Log Messages
      • A.8.2.1 Common Log Messages for Phase One
      • A.8.2.2 Common Log Messages for Phase Two
    • A.8.3 Summary of User Migration Utility Error and Log Messages
    • A.8.4 Tracing for UMU
• B SSL External Users Conversion Script
  • B.1 Using the SSL External Users Conversion Script
  • B.2 Converting Global Users into External Users
• C Integrating Enterprise User Security with Microsoft Active Directory
  • C.1 About Direct Integration with Microsoft Active Directory
  • C.2 Set Up Synchronization Between Active Directory and Oracle Internet Directory
  • C.3 Set Up Active Directory to Interoperate with Oracle Client
  • C.4 Set Up Oracle Database to Interoperate with Microsoft Active Directory
  • C.5 Set Up Oracle Database Client to Interoperate with Microsoft Active Directory
  • C.6 Obtain an Initial Ticket for the Client
  • C.7 Configure Enterprise User Security for Kerberos Authentication
• D Upgrading from Oracle9i to Oracle Database Release 18c Version 18.1
  • D.1 Upgrading Oracle Internet Directory from Release 9.2 to Release 9.0.4
  • D.2 Upgrading Oracle Database from Release 9.2.0.8 to Oracle Database Release 18c Version 18.1
  • D.3 Upgrading Oracle Database from Release 10g (10.1) and Higher to Oracle Database Release 18c Version 18.1
• Glossary
• Index