Weitere ähnliche Inhalte Ähnlich wie Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition) (20) Mehr von Andrejs Prokopjevs (6) Kürzlich hochgeladen (18) Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition)1. Password Policies in
Oracle Access Manager
How to improve user authentication security
for your Oracle E-Business Suite.
ANDREJS PROKOPJEVS
Lead Applications Database Consultant
2. About me
© 2016 Pythian 2
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.
Andrejs Prokopjevs
Lead Applications Database Consultant
At Pythian since 2011
@aprokopjevs
prokopjevs@pythian.com
https://www.pythian.com/blog/author/prokopjevs/
4. TECHNICAL EXPERTISE
© 2016 Pythian 4
Infrastructure: Transforming and
managing the IT infrastructure
that supports the business
DevOps: Providing critical velocity
in software deployment by adopting
DevOps practices
Cloud: Using the disruptive
nature of cloud for accelerated,
cost-effective growth
Databases: Ensuring databases
are reliable, secure, available and
continuously optimized
Big Data: Harnessing the transformative
power of data on a massive scale
Advanced Analytics: Mining data for
insights & business transformation
using data science
5. Systems currently
managed by Pythian
EXPERIENCED
Pythian experts
in 35 countries
GLOBAL
Millennia of experience
gathered and shared over
19 years
EXPERTS
11,800 2400
© 2016 Pythian 5
6. THE TOP 1.5% GLOBALLY
© 2016 Pythian 6
2015
Resumes
Reviewed:
12,711
Behavioral
Interviews
Conducted:
394
Technical
Tests
Sent: 4062
Passed: 562
Job Offers
Made: 189
Accepted:
174
7. We are hiring !!!
Please visit:
https://www.pythian.com/careers/
HOT !!! Oracle Apps DBA
position in APAC region.
© 2016 Pythian 7
8. Agenda
• Current Oracle E-Business Suite password security limitations.
• Implementation of password policy management in Oracle Access Manager
releases. Comparing the capabilities and why you should upgrade your OAM to the
latest 11gR2.
• A use case example of most common configuration.
• Demo.
© 2016 Pythian 8
10. Why this is important?
• #1 - We now live in the “cloud” era.
• Less people / organizations are storing their sensitive private data in the isolated local
segment.
• Cloud services (SaaS / PaaS)
• And the shift is still only at the beginning point.
• Personal examples:
• Corporate examples:
© 2016 Pythian 10
11. Why this is important?
• #2 – Today’s Hardware capacity.
• Modern CPU chip power is huge enough that it might take “seconds” to break your weak
password.
• Examples:
• Standard dictionary word password: hours / days / weeks online, seconds offline.
• At least 10 characters with special characters: centuries online, years offline.
• Any idea how these statistics will change in next 5-10 years?
© 2016 Pythian 11
12. Why this is important?
• #3 – Social Engineering.
• One of the most dreadful security concerns today.
• Examples: Facebook / Instagram / Twitter / etc.
© 2016 Pythian 12
13. Why this is important?
• #4 – Let us remember few recent cases.
• August 2014 – iCloud famous 10+ celebrity photo leak.
• May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012.
• August 2016 - 68 million Dropbox logins and password hashes leaked in 2012.
• September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014.
• October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen
data stretched back over the last 20 years. Affected sites: Cams.com, iCams.com, and
Stripshow.com, as well as Penthouse.com.
© 2016 Pythian 13
15. Few guidelines… as a starter
• #1 – Master rule – everything that is shared online must be considered as “public”,
disregards of the “privacy rules” set.
• #2 – Your password is the first line of defense. It is in your power to make it
stronger.
• #3 – Today’s must-have – Two-Factor Authentication. Configure and use it
everywhere the cloud service provides a support for it.
© 2016 Pythian 15
17. So what’s about Oracle E-Business Suite?
• Is it somehow different that password security is not a concern?
• NO! Username / Password is the same first line of defense.
• My EBS instance is not a cloud service, it is isolated in my local network, why should
I care?
• “Isolated in my local network” doesn’t mean you are not vulnerable.
• VPN / Work From Home / Bring Your Own Device is a risk.
• Internal threat.
• We are doing bi-yearly security awareness training.
• That’s great. But it’s not a 100% guarantee, is it? Enforcing password policies in your
organization is something that could make that guarantee much stronger.
© 2016 Pythian 17
19. Standard password policy in Oracle E-Business Suite
• SIGNON_PASSWORD_% profile options.
• Signon Password Case (SIGNON_PASSWORD_CASE).
▪ Case sensitivity for passwords.
• Signon Password Custom (SIGNON_PASSWORD_CUSTOM).
▪ Custom java class which enables the use of custom, client specific, password policy.
• Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT).
▪ Max number of unsuccessful login attempts before the lockout.
• Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS).
▪ Enables password requirements: 1) at least one letter and at least one number 2) doesn’t contain username
3) doesn’t contain repeating characters.
• Signon Password Length (SIGNON_PASSWORD_LENGTH).
▪ Minimum length of a password.
• Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE).
▪ Number of days before reusing an earlier used password.
• With some cosmetical changes this hasn’t changed since 11i (10+ years). © 2016 Pythian 19
20. Standard password policy in Oracle E-Business Suite
• Security User Define form (FNDSCAUS).
• Password expiration.
▪ Days – password lifetime.
▪ Accesses – how many times
▪ None – no expiration.
• Password expiration is handled on a user level. There is no centralized control !!!
© 2016 Pythian 20
21. Does it look like a modern password policy of year 2016?
• Not really. L
• But we have “Signon Password Custom” available.
• Custom Java class.
• Loaded to the database.
▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java
• Do I need to learn Java now and support this custom class? Do I need to code all
these rules myself?
© 2016 Pythian 21
package oracle.apps.fnd.security;
...
if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) {
return true;
} else {
return false;
}
22. Does it look like a modern password policy of year 2016?
© 2016 Pythian 22
23. Standard password policy in Oracle E-Business Suite
• Non-reversable hash support for passwords.
• R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID
457166.1)
▪ R12.1.x - Patch 21276707:R12.FND.B
R12.2.3+ - Patch 21276707:R12.FND.C
▪ SHA-1 is being deprecated.
© 2016 Pythian 23
25. History of the Password Policy implementation
• Oracle Single Sign-On 10g
• Password policy is controlled by Oracle Internet Directory standard pwd policies.
• /sso/ and /oiddas/ pages support the UI.
• Full password lifecycle is managed, with some limitations.
• Full user management suite.
© 2016 Pythian 25
26. History of the Password Policy implementation
• Oracle Access Manager 10g
• Bound to Identity Server only.
• Full user management suite through Identity Server. Full password lifecycle is managed.
• Based on Oblix schema object classes and attributes.
• LDAP directory own policies should be same or weaker, or even just disabled.
• “validate_password” is the only standard plugin that supports the built-in password policy
functionality and UI pages.
• 0 successful production implementations seen in the practice. Mostly because of the
customization requirements (multi domain support, multi user base sub-trees, non-Oblix
schema attribute requirement, and more).
• Adding C based custom plugin changes or external custom UI pages is always evaluated as
too costly and unnecessary effort. Usually replaced with an external User Management system
directly managing the LDAP directory.
© 2016 Pythian 26
27. History of the Password Policy implementation
• Oracle Access Manager 11g Release 1
• Independed Oracle Access Manager is finally here.
• You can use *any* LDAP directory. There is no dependency on schema, attributes.
• But... Password policies are removed. L
• You can use LDAP directory own policies, but it is not smoothly managed during the login
process. If something is not right – max LDAP error in the oam_server1 logs, and just a System
error in the UI.
• Only Oracle Identity Manager (OIM) integration with OAM provides the full user management
suite, desired password policy implementation, UI support for full password lifecycle.
• $$$ J
© 2016 Pythian 27
28. History of the Password Policy implementation
• Oracle Access Manager 11g Release 2
• Same cool independed Oracle Access Manager 11gR1, overall.
• But on steroids (integrated federation, mobile and social, and many more).
• Password policies are back. J
• LDAP directory own policies should be same or weaker, or disabled.
• Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more
advanced” policy implementation, UI support for full password lifecycle, and full user
management suite.
• $$$ J … nothing changed
© 2016 Pythian 28
29. OAM 11gR2 native password policy – what it is?
• Most of the current modern rules are
there.
• Expiration and Lockout support.
• Provides the
“UserPasswordPolicyPlugin”
Authentication Plugin that can be used
with various types of authentication
worklow.
© 2016 Pythian 29
30. OAM 11gR2 native password policy – what it is?
• It is still based on OAM 10g Oblix schema object classes and attributes.
• But mandatory are only related to password management.
• For user data reference – you have a choice. Usable for OAM 10g upgrade use cases.
• List:
▪ obPasswordCreationDate
▪ obPasswordHistory
▪ obPasswordChangeFlag
▪ obuseraccountcontrol
▪ obpasswordexpirydate
▪ obLockoutTime
▪ obLoginTrvCount
▪ oblastsuccessfullogin
▪ oblastfailedlogin
• It is not mandatory to pre-assign Oblix object classes to your existing user entries.
• IMPORTANT: User Identity Store configured Bind DN user must have required ACI
permissions to adjust these attributes !!!. © 2016 Pythian 30
31. OAM 11gR2 native password policy – what it is NOT?
• It is NOT a complete password lifecycle management tool.
• Self service is missing (password change on-demand, forgot your password)
• Standard password management pages are not operational without a valid OAM
user authentication request process (request_id).
• Direct access just ends with a System error.
• Customizations is a solution.
• Login page customization is supported by both ECC and DCC.
• Password Policy page customization is supported only by DCC.
▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD
SERVICE PAGES
▪ Was targeted for release 11.1.2.3.0, but it’s not there yet.
• Or implement OIM. $$$ J
© 2016 Pythian 31
32. More advantages of Oracle Access Manager
• Windows Native Authentication
• Kerberos / RADIUS
• Certificates
• Social (Google, Facebook, more)
• Multi-Step authentication support.
• RSA (same RADIUS)
• OTP – Oracle Mobile Authenticator
© 2016 Pythian 32
Sorry Windows Mobile users…
33. Licensing
• Usage of Oracle Access Manager requires additional license. It is not included with
E-Business Suite licensing model.
• Oracle EBS Single Sign-On implementation requires an Oracle Internet Directory
(Oracle Unified Directory supported from R12.2.5 only) – again licensed separately.
• Standard pack:
▪ Oracle Directory Services Plus.
▪ Oracle Access Manager.
▪ Both are covered with Oracle Identity and Access Management Suite Plus license pack.
• Also includes Oracle Identity Manager.
▪ Database separate license is not required if used only for Metadata Repository data.
• “Extra” features of OAM requires an additional licensing.
▪ Like Mobile and Social for OTP.
© 2016 Pythian 33
34. Candy
• What to do if you have an allergy on additional extra component overhead that you
do not want, do not need and do not want to license?
• Challenge #1: Web server protection.
• You can replace mod_webgate with something else, like mod_auth_kerb (WNA).
• Challenge #2: What to do with EBS, OID or OUD?
• Leave your EBS local as it was before SSO
• Write your own authentication solution (ebsSDK)
• mod_rewrite: redirect your AppsLocalLogin.jsp to your own authentication processing.
© 2016 Pythian 34
36. Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Full reference:
▪ Fusion Middleware Administrator's Guide for
Oracle Access Management
▪ 24.3.1 Password Policy Configuration Page
▪ https://docs.oracle.com/cd/E52734_01/oam/
AIAAG/GUID-7850A074-9EE3-45EE-9150-
5DD96B9D13CD.htm#GUID-200E3E90-
21CC-439C-BF4E-
0468CA455148__BABDBBHE
© 2016 Pythian 36
37. Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Console is doing it’s own math. If something is not going inline, there will be a
warning about that.
• Example: If we put value 1 into both Minimum Uppercase and Lowercase Characters fields,
Minimum Alphabetic Characters is expected to be the sum.
© 2016 Pythian 37
38. User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Password Management feature to be enabled.
• “Use Oblix User Schema” should not be enabled as we are using standard Oracle schema.
• Other 4 parameters are needed to point to correct attributes for “Can Include X” policy setting
verification.
© 2016 Pythian 38
39. User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Do not forget about the mandatory Oblix attributes in use !
• “Bind DN” LDAP user should have WRITE permissions to manage these attributes.
• Also to add the required object classes to the user entry if found missing.
• Do not use a super user account like I do here J
© 2016 Pythian 39
40. User Identity Store
• ACI grant example (Oracle Unified Directory)
© 2016 Pythian 40
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci
example"; allow (read,search,compare)
userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow
(read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag ||
obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount ||
oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user
attribute level aci write example"; allow (write)
userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
EOF
41. User Identity Store
• Reminder about LDAP directory own password policy.
• Policy should be set the same or weaker.
• Or just completely disabled.
© 2016 Pythian 41
42. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Let us create new module with name “LDAP_EBS_with_password_policy”.
© 2016 Pythian 42
43. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• 3 steps to be configured. “User Password Status Step” is one for the policy.
© 2016 Pythian 43
44. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Identification Step
▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME})
▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore)
▪ KEY_SEARCH_BASE_URL: leave empty for plugin to use default Identity store’s User Search Base DN.
© 2016 Pythian 44
45. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Authentication Step
▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore)
▪ KEY_PROP_AUTHN_EXCEPTION: Enable or disable the propagation of LDAP errors. Must be TRUE if
password policy plugin is used in the chain.
▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL: These parameters are not yet
documented.
© 2016 Pythian 45
46. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step
▪ PLUGIN_EXECUTION_MODE: This plugin can be used as a
replacement for User Authentication Plugin too. We are going to
set it as PSWDONLY to be a separate 3rd
step.
▪ OBJECTCLASS_EXTENSION_SUPPORTED: Must be set to
TRUE in order to automatically adjust affected user entries with
Oblix object classes.
▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store
(OIDIdentityStore)
© 2016 Pythian 46
47. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step
▪ URL_ACTION: Redirection behavior between the pages. Default: REDIRECT_POST.
▪ NEW_USERPSWD_BEHAVIOR: Action for new user not marked by the policy. We’ll use
FORCEPASSWORDCHANGE.
• Actually should be FORCECHANGEPASSWORD.
• Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password
Changes for Existing Passwords Not Working (Doc ID 1563172.1)
• Documentation bug.
▪ POLICY_SCHEMA: Just OAM10G, as everything is based on Oblix schema standards.
▪ CHALLENGES_SUPPORTED: This parameter is not yet documented. Default: FALSE.
▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE.
© 2016 Pythian 47
48. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Full parameter reference
▪ Fusion Middleware Administrator's Guide for Oracle Access Management
▪ Table 24-8 User Password Step Details
▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-
C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ
© 2016 Pythian 48
50. Configure EBS to use the new Authentication Module
• OAM Console
• Application Security – Access Manager – Authentication Schemes
• Expecting that EBS is already integrated.
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2
(11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• EBSAuthScheme
• Authentication Module:
LDAP_EBS_with_password_policy
• Challenge Parameters:
OverrideRetryLimit=0
© 2016 Pythian 50
51. Testing
• Did I forget something important to mention?
• Hint:
© 2016 Pythian 51
<LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP:
error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the
resulting entry would have violated the server schema: Entry
cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration
because it includes attribute oblastsuccessfullogin which is not allowed by any of the
objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'
52. LDAP directory schema extension
• We forgot Oblix schema extension.
• Reference:
▪ Fusion Middleware Administrator's Guide for Oracle Access Management
▪ Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers
▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-
9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA-2A69CDEA50FB__CFFEJEEE
• OUD example:
▪ Object classes: oblixPersonPwdPolicy and oblixorgperson
▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol,
obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin
© 2016 Pythian 52
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
-f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif
53. Summary
• Even latest R12.2.6 is not meeting today’s modern password policy standards out-
of-the-box. We can code a custom java class, but that requires Java skills, courage
and good release management.
• Oracle Access Manager is the only certified SSO solution for EBS. It has the
support of today’s standards, but costs additional resources as it is a separate
component and separately licensed.
• 11gR2 upgrade is highly recommended. Provides support for other more secure
authentication methods, like Multi-Step Authentication, OTP usage.
• Password policy setup is well documented and quite straightforward.
• Except few nuances noted. J
© 2016 Pythian 53