9 Managing LDAP User Authentication and Authorization in Oracle Key Vault
You can configure a connection between Oracle Key Vault and an LDAP server (currently Microsoft Active Directory) so that LDAP users can access Oracle Key Vault.
- About Managing LDAP User Authentication and Authorization in Oracle Key Vault
You can configure Oracle Key Vault users to be centrally managed in the configured LDAP directory server.
- Privilege Grants and Revokes for LDAP Users
LDAP users have limited access to Oracle Key Vault role and privilege grants.
- Configuring the LDAP Directory Server Connection to Oracle Key Vault
Both the LDAP administrator and Oracle Key Vault administrator play a role in configuring the LDAP directory server connection to Oracle Key Vault.
- Logins to Oracle Key Vault as an LDAP User
An LDAP user who has been properly configured can log in to the Oracle Key Vault management console.
- Managing the LDAP Configuration
You can enable, validate, modify, disable, and delete the LDAP configuration.
- Managing LDAP Groups
You can modify or delete LDAP group mappings.
- Managing Oracle Key Vault-Generated LDAP Users
You cannot administer the actual LDAP user account in the LDAP directory server, but you can administer the Oracle Key Vault-generated user account that is created the first time the LDAP user logs in to Oracle Key Vault.
9.1 About Managing LDAP User Authentication and Authorization in Oracle Key Vault
You can configure Oracle Key Vault users to be centrally managed in the configured LDAP directory server.
Oracle Key Vault supports only Microsoft Active Directory as an LDAP provider. This type of configuration enables you to manage authentication and authorization of Oracle Key Vault users in an LDAP directory server so that LDAP users can perform the following operations:
- Log in to the Oracle Key Vault management console and perform administrative tasks for which they are authorized.
- Run Oracle Key Vault RESTful services commands at the command line.
In a large enterprise, centrally managing users and their authorization not only brings operational efficiencies in user management but also significantly improves compliance, control, and security. For example, when terminating an employee, an LDAP administrator can lock the user's account in the LDAP directory server to end the employee’s access to various systems, including Oracle Key Vault.
By centrally managing Oracle Key Vault users in an LDAP directory server, you eliminate the need to maintain user account policies and password policies for LDAP users in each Oracle Key Vault instance. Instead, you can manage these policies centrally in the LDAP directory server.
This feature implements automatic provisioning of LDAP users in Oracle Key Vault. When an LDAP user successfully logs in to Oracle Key Vault for the first time, Oracle Key Vault automatically creates an Oracle Key Vault user account for this user, based on the user account information from the LDAP directory server. You cannot modify this user account except for granting or revoking Oracle Key Vault privileges. Other changes to the user account, such as changing the user's password, must be performed on the actual account in its LDAP directory server. The automatic provisioning of users is beneficial not only for new Oracle Key Vault deployments but also when access to an existing Oracle Key Vault deployment must be granted to other employees, including provisioning of new employees.
To enable authentication and authorization of LDAP users with Oracle Key Vault, an Oracle Key Vault administrator must perform the following configuration in Oracle Key Vault:
- Configure a connection to the LDAP directory server.
- Map one or more Oracle Key Vault administrative roles or user groups to LDAP groups.
Most of the configuration work is performed by an Oracle Key Vault administrator using the Oracle Key Vault management console.
The general process for using Oracle Key Vault with an LDAP directory server is as follows:
- An administrator for the LDAP directory server identifies the LDAP users who need access to Oracle Key Vault, along with their authorization requirements in Oracle Key Vault. This administrator configures one or more LDAP groups, depending on the required separation of roles and duties of these users. This administrator then assigns specific users to respective LDAP groups.
- To enable the Oracle Key Vault administrator to configure a connection to the LDAP directory server, the LDAP administrator creates an LDAP user account (called the service directory user). Oracle Key Vault uses this user account to connect to the LDAP directory server and fetch the necessary information from the LDAP directory server during the user login process. The LDAP administrator provides the details of this LDAP user as well as the trust certificate of the LDAP directory server to an Oracle Key Vault administrator.
- The Oracle Key Vault administrator uses the Oracle Key Vault management console to configure the connection between Oracle Key Vault and the LDAP directory server.
- The Oracle Key Vault administrator then maps each LDAP group to the appropriate Oracle Key Vault user group or administrative role. These user groups must be granted the appropriate privileges that you want the LDAP user to have. The privileges of these users in Oracle Key Vault are determined based on the Oracle Key Vault administrative roles or user groups that are mapped to the user’s LDAP groups. For example, if the Oracle Key Vault group has been granted the Audit Manager role, then the LDAP user will be indirectly granted the Audit Manager role.
- The LDAP users are now able to log in to Oracle Key Vault and perform tasks for which they are authorized. After first successful login, a new user account is automatically created in Oracle Key Vault.
- In addition to the administrative roles and privileges granted to the user through LDAP group mappings, you can directly grant privileges to the LDAP user account after it has been created in Oracle Key Vault.
Authorization for an LDAP user session is a combination of the authorization granted through the LDAP groups and the authorization that is granted to the LDAP user locally. Authorization through LDAP groups is granted at login time and is effective only for that session. During login of an LDAP user, Oracle Key Vault fetches the user’s LDAP groups from the directory server and determines the mapped administrative roles and user groups that are effective for the current user session. The set of these mapped user groups is referred to as the effective user group membership of the LDAP user.
Note that you cannot add an LDAP user as a member of an Oracle Key Vault user group directly.
Any changes to the user’s membership in the LDAP groups or to the mapping between the user’s LDAP groups and Oracle Key Vault user groups or administrative roles do not affect the administrative roles and user group memberships that are currently effective for the existing user sessions. However, any changes to the privileges that have been granted to or revoked from the Oracle Key Vault user groups take effect immediately and apply to all existing sessions.
Note the following:
- You can perform the LDAP configuration with a Microsoft Active Directory version that supports the LDAP-v3 protocol.
- You can perform the LDAP configuration in a primary-standby environment. No special configuration is necessary.
- In multi-master cluster environments, the LDAP configuration is effective on all cluster nodes. You can also configure node-specific settings for the LDAP directory server and hosts.
- For LDAP directory servers that support multiple domains, access to users from different domains is enabled by setting up multiple LDAP configurations, one for each domain.
9.2 Privilege Grants and Revokes for LDAP Users
LDAP users have limited access to Oracle Key Vault role and privilege grants.
Note the following restrictions with regard to LDAP users, Oracle Key Vault user groups, endpoint privileges, and wallet privileges:
- You cannot directly add an LDAP user as a member of an Oracle Key Vault user group.
- Because the endpoint privileges (Create Endpoint, Manage Endpoint, Create Endpoint Group, and Manage Endpoint Group) cannot be granted to Oracle Key Vault user groups, LDAP users cannot have access to these privileges.
- After the LDAP user is created in Oracle Key Vault, this user can be granted wallet privileges locally. However, the LDAP user cannot be directly granted endpoint or endpoint group privileges.
- Administrator roles cannot be directly granted to an LDAP user account in Oracle Key Vault. LDAP users cannot be granted endpoint privileges either directly or through an Oracle Key Vault user group.
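The session authorization model described in 9.1 (roles and effective user group membership fixed at login, local and user-group privilege changes applied to live sessions) together with the 9.2 grant restrictions, as an added Python model that is not Oracle's code. It assumes the directory bind has already succeeded and takes the user's LDAP group DNs as input; all group DNs, wallet names and user names are constructed samples.

```python
from dataclasses import dataclass, field

ADMIN_ROLES = {"System Administrator", "Key Administrator", "Audit Manager"}
WALLET_PRIVILEGES = {"Read Only", "Read and Modify", "Manage Wallet"}
ENDPOINT_PRIVILEGES = {"Create Endpoint", "Manage Endpoint",
                       "Create Endpoint Group", "Manage Endpoint Group"}

# Constructed sample configuration (group DNs, wallet and group names are
# illustrative). LDAP group DN -> OKV administrative roles or OKV user groups.
GROUP_MAPPINGS = {
    "CN=OKV-Auditors,OU=Groups,DC=example,DC=com": {"Audit Manager"},
    "CN=OKV-HR-Keys,OU=Groups,DC=example,DC=com": {"hr_wallet_users"},
}
# OKV user group -> (wallet, privilege) grants. Only wallet privileges can be
# granted to user groups; endpoint privileges cannot (section 9.2).
USER_GROUP_PRIVILEGES = {"hr_wallet_users": {("hr_wallet", "Read Only")}}
# OKV-generated LDAP user accounts, keyed by LDAP user name.
ACCOUNTS = {}


def grantable_locally(privilege):
    """Administrative roles and endpoint privileges are never granted directly
    to an LDAP user account in OKV; wallet privileges are."""
    if privilege in ADMIN_ROLES or privilege in ENDPOINT_PRIVILEGES:
        return False
    return privilege in WALLET_PRIVILEGES


@dataclass
class LdapUserAccount:
    """Created on first successful login. Name and e-mail attributes come from
    LDAP and are refreshed on later logins; they cannot be edited in OKV."""
    name: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    wallet_privileges: set = field(default_factory=set)

    def grant_wallet_privilege(self, wallet, privilege):
        if not grantable_locally(privilege):
            raise ValueError(f"{privilege!r} cannot be granted to an LDAP user")
        self.wallet_privileges.add((wallet, privilege))


@dataclass
class Session:
    account: LdapUserAccount
    roles: frozenset        # effective roles, fixed at login for this session
    user_groups: frozenset  # effective user group membership, fixed at login

    def wallet_privileges(self):
        """Read live: local grants and changes to a user group's privileges
        apply to existing sessions immediately; the membership itself does not."""
        privs = set(self.account.wallet_privileges)
        for group in self.user_groups:
            privs |= USER_GROUP_PRIVILEGES.get(group, set())
        return privs


def login(ldap_user, ldap_groups, mappings=GROUP_MAPPINGS):
    """Authorize an LDAP user whose credential check against the directory is
    assumed to have succeeded. ldap_user: dict with name/first_name/last_name/
    email as fetched from LDAP; ldap_groups: the user's group DNs fetched at
    login. Returns a Session, or None when no group maps to anything in OKV."""
    roles, groups = set(), set()
    for dn in ldap_groups:
        for target in mappings.get(dn, ()):
            (roles if target in ADMIN_ROLES else groups).add(target)
    if not roles and not groups:
        return None  # authenticated but not authorized: login fails
    name = ldap_user["name"]
    account = ACCOUNTS.setdefault(name, LdapUserAccount(name))  # auto-provision
    account.first_name = ldap_user.get("first_name", "")
    account.last_name = ldap_user.get("last_name", "")
    account.email = ldap_user.get("email", "")
    return Session(account, frozenset(roles), frozenset(groups))
```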
9.3 Configuring the LDAP Directory Server Connection to Oracle Key Vault
Both the LDAP administrator and Oracle Key Vault administrator play a role in configuring the LDAP directory server connection to Oracle Key Vault.
- Step 1: Prepare the LDAP Directory Server
Before the Oracle Key Vault administrator can create a connection to an LDAP directory server, the LDAP administrator must perform preparation tasks.
- Step 2: Create the LDAP Connection in Oracle Key Vault
An Oracle Key Vault user who has the System Administrator role uses the Oracle Key Vault management console to create the LDAP connection.
- Step 3: Map LDAP Groups to Oracle Key Vault User Groups
An Oracle Key Vault user who has the Key Administrator role can map LDAP groups to Oracle Key Vault user groups or administrative roles.
9.3.1 Step 1: Prepare the LDAP Directory Server
Before the Oracle Key Vault administrator can create a connection to an LDAP directory server, the LDAP administrator must perform preparation tasks.
9.3.2 Step 2: Create the LDAP Connection in Oracle Key Vault
An Oracle Key Vault user who has the System Administrator role uses the Oracle Key Vault management console to create the LDAP connection.
9.3.3 Step 3: Map LDAP Groups to Oracle Key Vault User Groups
An Oracle Key Vault user who has the Key Administrator role can map LDAP groups to Oracle Key Vault user groups or administrative roles.
9.4 Logins to Oracle Key Vault as an LDAP User
An LDAP user who has been properly configured can log in to the Oracle Key Vault management console.
- About Logins to Oracle Key Vault as an LDAP User
After the LDAP directory server configuration with Oracle Key Vault is complete, LDAP users can log in to Oracle Key Vault if they have valid authorization.
- Logging in to Oracle Key Vault as an LDAP User
An LDAP user who is a member of an LDAP group that has been mapped to an Oracle Key Vault user group or administrative role can log in to the Oracle Key Vault management console.
9.4.1 About Logins to Oracle Key Vault as an LDAP User
After the LDAP directory server configuration with Oracle Key Vault is complete, LDAP users can log in to Oracle Key Vault if they have valid authorization.
The login is successful if:
- The user provides correct LDAP credentials.
- The user’s LDAP groups from the LDAP directory server map to at least one of the Oracle Key Vault user groups or administrative roles.
At login time, the user's authorization is determined based on the LDAP groups of which this user is a member. The user is granted the administrative roles or the privileges of the user groups that are mapped to the user's LDAP groups. When a user successfully logs in to Oracle Key Vault for the first time, a new user account is automatically created in Oracle Key Vault. (Ensure that you understand how privilege grants and revokes work for LDAP users.)
In a multi-master cluster environment, an LDAP user can log in to any node in the cluster. The first time that the LDAP user logs in to a node, a single Oracle Key Vault-generated user account is created for this user. This account will apply to all nodes in the cluster.
Valid LDAP users can execute Oracle Key Vault RESTful services commands. Oracle Key Vault RESTful Services Administrator's Guide describes how to use the RESTful services.
9.4.2 Logging in to Oracle Key Vault as an LDAP User
An LDAP user who is a member of an LDAP group that has been mapped to an Oracle Key Vault user group or administrative role can log in to the Oracle Key Vault management console.
9.5 Managing the LDAP Configuration
You can enable, validate, modify, disable, and delete the LDAP configuration.
- Enabling an LDAP Configuration
A user who has the System Administrator role can enable an LDAP configuration.
- Modifying an LDAP Configuration
A user who has the System Administrator role can modify an LDAP configuration.
- Testing an LDAP Configuration
A user who has the System Administrator role can test an LDAP configuration.
- Disabling an LDAP Configuration
A user who has the System Administrator role can disable an LDAP configuration.
- Deleting an LDAP Configuration
A user who has the System Administrator role can delete an LDAP configuration.
9.5.1 Enabling an LDAP Configuration
A user who has the System Administrator role can enable an LDAP configuration.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, then Settings from the left navigation bar.
- In Network Services, click LDAP to display the Manage LDAP Configuration page.
- Select the check box for the LDAP configuration and then click the Enable button.
- In the confirmation window, click OK.
9.5.2 Modifying an LDAP Configuration
A user who has the System Administrator role can modify an LDAP configuration.
9.5.3 Testing an LDAP Configuration
A user who has the System Administrator role can test an LDAP configuration.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, then Settings from the left navigation bar.
- In Network Services, click LDAP to display the Manage LDAP Configuration page.
- Select the LDAP configuration name to display the Edit LDAP Configuration page.
- Click Test Connection(s).
9.5.4 Disabling an LDAP Configuration
A user who has the System Administrator role can disable an LDAP configuration.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, then Settings from the left navigation bar.
- In Network Services, click LDAP to display the Manage LDAP Configuration page.
- Select the check boxes for the configurations to disable, and then click Disable.
- In the confirmation window, click OK.
9.5.5 Deleting an LDAP Configuration
A user who has the System Administrator role can delete an LDAP configuration.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, then Settings from the left navigation bar.
- In Network Services, click LDAP to display the Manage LDAP Configuration page.
- Select the check boxes for the LDAP configurations that you want to delete and then click one of the following buttons:
- Click Delete if there are no mappings defined in Oracle Key Vault for any LDAP groups associated with the LDAP configuration.
- Click Force Delete if there are group mappings defined for this LDAP configuration. You must have both the System Administrator and Key Administrator roles to perform this operation. Otherwise, first delete all LDAP group mappings defined for the LDAP configuration, and then have a user with the System Administrator role delete the LDAP configuration.
- In the confirmation window, select OK.
9.6 Managing LDAP Groups
You can modify or delete LDAP group mappings.
- About Managing LDAP Groups
The LDAP group can be mapped to Oracle Key Vault administrator roles and one or more user groups.
- Creating an LDAP Group Mapping
After you have created an LDAP connection, you can create one or more LDAP group mappings.
- Modifying an LDAP Group Mapping
You can modify the mappings for an LDAP group after you have configured the LDAP connection.
- Validating LDAP Group Mappings
In the event that LDAP groups change in the LDAP directory server, a user who has the Key Administrator role can validate their mappings in Oracle Key Vault.
- Deleting LDAP Group Mappings
A user who has the Key Administrator role can delete one or more LDAP groups and associated mappings from Oracle Key Vault.
9.6.1 About Managing LDAP Groups
The LDAP group can be mapped to Oracle Key Vault administrator roles and one or more user groups.
A user with an Oracle Key Vault administrator role can modify an LDAP group’s mapping to the Oracle Key Vault administrator roles or user groups, depending on the type of administrator role the user has. This user, however, cannot modify an LDAP group in the LDAP directory server. If an LDAP group mapping changes, then the authorization of the users who are members of the LDAP group changes as well.
Local Oracle Key Vault users cannot be members of an LDAP group.
9.6.2 Creating an LDAP Group Mapping
After you have created an LDAP connection, you can create one or more LDAP group mappings.
9.6.3 Modifying an LDAP Group Mapping
You can modify the mappings for an LDAP group after you have configured the LDAP connection.
9.6.4 Validating LDAP Group Mappings
In the event that LDAP groups change in the LDAP directory server, a user who has the Key Administrator role can validate their mappings in Oracle Key Vault.
- Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
- Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
- Under LDAP Group Mappings, select the check boxes for the group mappings that you want to validate.
- Select the Validate button.
- In the confirmation window, click OK.
9.6.5 Deleting LDAP Group Mappings
A user who has the Key Administrator role can delete one or more LDAP groups and associated mappings from Oracle Key Vault.
- Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
- Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
- In the LDAP Group Mappings page, select the check boxes for the LDAP groups that you want to delete.
- Click Delete.
- In the confirmation window, click OK.
9.7 Managing Oracle Key Vault-Generated LDAP Users
You cannot administer the actual LDAP user account in the LDAP directory server, but you can administer the Oracle Key Vault-generated user account that is created the first time the LDAP user logs in to Oracle Key Vault.
- About Managing LDAP Users
The LDAP user account in Oracle Key Vault is an automatically created account that is based on the LDAP user account in the configured LDAP directory server.
- Finding Information About an Oracle Key Vault-Generated LDAP User
You can find information about the Oracle Key Vault-generated LDAP user accounts.
- Validation of Oracle Key Vault-Generated LDAP Users
You can check whether the LDAP directory server account that is associated with an Oracle Key Vault-generated LDAP user account is still a valid account.
- Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges
Users who have the Key Administrator role, or regular users who have privileges to manage wallets, can modify the wallet privileges of an Oracle Key Vault-generated LDAP user account.
- Deleting Oracle Key Vault-Generated LDAP Users
A user who has the System Administrator role can delete an LDAP user account from Oracle Key Vault.
9.7.1 About Managing LDAP Users
The LDAP user account in Oracle Key Vault is an automatically created account that is based on the LDAP user account in the configured LDAP directory server.
Oracle Key Vault creates this account the first time that the LDAP user logs in to Oracle Key Vault, capturing the first name, last name, and email attributes of the user. These values cannot be changed in Oracle Key Vault; they can be changed only in the corresponding account in the LDAP directory server, by a privileged LDAP administrator. If these values change, then Oracle Key Vault updates the user account with the new values the next time the LDAP user logs in to Oracle Key Vault. Except for granting and revoking wallet privileges to and from this user in Oracle Key Vault, the Oracle Key Vault administrator cannot make any changes to this account.
In a multi-master cluster environment, there is no need for user name conflict resolution because the uniqueness of the account is guaranteed by the LDAP directory server where the LDAP user account exists. If the LDAP user logs in to different nodes in the cluster, then an identical user account is created, and this account is uniform across the cluster. Each of these account creations is timestamped. The Oracle Key Vault synchronization process keeps the most recent account creation timestamp value (that is, from the node where this user was created last). Hence, throughout the cluster environment, the timestamp value is the same as the most recent user account creation timestamp.
9.7.2 Finding Information About an Oracle Key Vault-Generated LDAP User
You can find information about the Oracle Key Vault-generated LDAP user accounts.
9.7.3 Validation of Oracle Key Vault-Generated LDAP Users
You can check whether the LDAP directory server account that is associated with an Oracle Key Vault-generated LDAP user account is still a valid account.
- About the Validation of Oracle Key Vault-Generated LDAP Users
An Oracle Key Vault-generated user account still exists in Oracle Key Vault even if the LDAP user account has been deleted in the source LDAP directory server.
- Validating Oracle Key Vault-Generated LDAP Users
A user who has the System Administrator role can manually validate Oracle Key Vault-generated LDAP users.
9.7.3.1 About the Validation of Oracle Key Vault-Generated LDAP Users
An Oracle Key Vault-generated user account still exists in Oracle Key Vault even if the LDAP user account has been deleted in the source LDAP directory server.
A user who has the System Administrator role can find if the Oracle Key Vault-generated user account still exists in the source LDAP directory server by validating it in Oracle Key Vault. In a multi-master cluster environment, the validation of an Oracle Key Vault-Generated LDAP user account applies to all nodes in the cluster.
Oracle Key Vault periodically checks the validity of the LDAP user accounts and marks them as NOT FOUND if either of the following events takes place:
- The LDAP user account does not exist in the LDAP directory server.
- The LDAP configuration that is associated with the LDAP user account is deleted.
Oracle Key Vault automatically deletes invalid LDAP user accounts after the number of days configured in the Defunct LDAP Users Grace Period setting (on the Edit LDAP Configuration page) has passed. You can delete an LDAP user account from Oracle Key Vault at any time.
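The periodic validation and grace-period deletion just described, as an added Python model that is not Oracle's code. It assumes the set of directory user names has already been fetched through the service directory user, takes dates as ISO strings, and treats an account as deletable once at least the configured number of days has elapsed since it was marked NOT FOUND; account and configuration names are constructed samples.

```python
from datetime import date


def sample_accounts():
    """Constructed OKV-generated LDAP user accounts keyed by user name.
    Each record holds the LDAP configuration it belongs to, its validation
    status, and the ISO date on which it was first marked NOT FOUND."""
    return {
        "jdoe": {"config": "corp-ad", "status": "VALID", "not_found_since": None},
        "gone": {"config": "corp-ad", "status": "VALID", "not_found_since": None},
        "old": {"config": "legacy-ad", "status": "VALID", "not_found_since": None},
    }


def validate_ldap_users(accounts, directory_users, ldap_configs, grace_days, today):
    """One validation sweep over OKV-generated LDAP user accounts.

    directory_users: user names that still exist in the LDAP directory.
    ldap_configs:    names of LDAP configurations that still exist in OKV.
    grace_days:      the Defunct LDAP Users Grace Period setting.
    today:           ISO date string for this sweep.
    Marks an account NOT FOUND when its user is missing from the directory or
    its LDAP configuration was deleted, deletes it once the grace period has
    elapsed, and returns the names deleted in this sweep. `accounts` is
    updated in place."""
    today_d = date.fromisoformat(today)
    deleted = []
    for name in list(accounts):
        acct = accounts[name]
        missing = name not in directory_users or acct["config"] not in ldap_configs
        if not missing:
            # Assumption: an account found again during the grace period
            # returns to VALID and its NOT FOUND timer is cleared.
            acct["status"], acct["not_found_since"] = "VALID", None
            continue
        if acct["status"] != "NOT FOUND":
            acct["status"], acct["not_found_since"] = "NOT FOUND", today
        elapsed = (today_d - date.fromisoformat(acct["not_found_since"])).days
        if elapsed >= grace_days:
            deleted.append(name)
            del accounts[name]
    return deleted
```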
9.7.3.2 Validating Oracle Key Vault-Generated LDAP Users
A user who has the System Administrator role can manually validate Oracle Key Vault-generated LDAP users.
9.7.4 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges
Users who have the Key Administrator role, or regular users who have privileges to manage wallets, can modify the wallet privileges of an Oracle Key Vault-generated LDAP user account.
- About Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges
The wallet privileges that you can change are Read Only, Read and Modify, or Manage Wallet.
- Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Key Administrators)
A user who has the Key Administrator role can grant and revoke wallet privileges for any wallet to LDAP users in Oracle Key Vault.
- Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Regular Users)
A regular user who has privileges to manage wallets can grant and revoke privileges for these wallets to LDAP users in Oracle Key Vault.
9.7.4.1 About Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges
The wallet privileges that you can change are Read Only, Read and Modify, or Manage Wallet.
You cannot change the corresponding LDAP account in the LDAP directory, but you can change the wallet privileges of the Oracle Key Vault-generated LDAP user account. Changes to the privileges granted directly to the LDAP user account in Oracle Key Vault are applied immediately, even to the existing sessions of the same user. If the LDAP user account is modified on the LDAP server (such as a change in LDAP group membership of the user), then the changes take effect from the next user login. In a multi-master cluster environment, changes to an LDAP user apply to all nodes in the cluster and can be performed in any node.
9.7.4.2 Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Key Administrators)
A user who has the Key Administrator role can grant and revoke wallet privileges for any wallet to LDAP users in Oracle Key Vault.
- Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
- Select the Users tab, then Manage Users from the left navigation bar.
- Under Manage Users, scroll down to the Manage LDAP Users section.
- Select the name of the LDAP user account to display the LDAP User Details page.
- In the Access to Wallets pane, do the following:
- Click Save.
9.7.5 Deleting Oracle Key Vault-Generated LDAP Users
A user who has the System Administrator role can delete an LDAP user account from Oracle Key Vault.
Oracle Key Vault periodically validates the LDAP user accounts, marks invalid accounts as NOT FOUND, and then deletes these accounts after the Defunct LDAP Users Grace Period setting (on the Edit LDAP Configuration page) passes.