DOAG Security Day 2016
7. LDAP directory integration
[Diagram: a database client connects to the Oracle DB as Leonard.Nimoy/BIGDB (1: Connect). The Oracle DB verifies the password hash and maps the user to roles and a schema; to do so it requests Leonard.Nimoy from the LDAP server (2: Request), which stores users, roles and the EUS configuration and returns the entry (3: Returned).]
SQL> alter user ... identified externally;
9. Active Directory directory integration
Synchronisation:
• No AD schema changes needed
• AD agent must run on the AD controllers and read cleartext passwords
Proxy:
• AD schema changes needed
• Password filter must run on the AD controllers
• AD update right must be present
Virtualisation:
• Only one AD schema change: orclCommonAttribute
• Separation of duties DBA/AD
[Diagrams: three DB-farm variants, each with a database client (SqlPlus, Java, etc.) authenticating against the farm (AUTH), which maps users, schema and roles. (a) OVD: hashes and groups. (b) OID: SYNC (DIP) from AD with the oidpwdcn.dll password filter. (c) OUD: hashes and groups, oidpwdcn.dll, orclCommonAttribute.]
10. Kerberos AD integration
[Diagram: AD domain controller running the Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); client PC with ticket cache; DB server. Labelled steps:
(1) Authentication: domain logon with user and password
(2) Credential check
(3) User ticket TGT
(4) TGT placed in the client's ticket cache
(5) Request service ticket ST with TGT
(6) ST for the application server checked against the TGT
(7) ST
(9) DB server checks the ST
Exchange of a shared key.]
11. PKI authentication
[Diagram: the user/application and the database each hold a private key, each sends a .csr to the certification authority (CA) and receives its certificates (user and CA certs, DB and CA certs); user and database then perform the SSL handshake.]
12. Enterprise User Security (EUS)
[Diagram: Oracle Internet Directory holds enterprise users (User, DBA) and enterprise roles (RoleEnterpriseUser, RoleEnterpriseDBA). In the databases these correspond to global roles (RoleUserGlobal1, RoleUserGlobal2, RoleDBAGlobal) alongside local roles (RoleUserLocal1, RoleUserLocal2, Resource, DBA).]
13. AD integration with Oracle Unified Directory (OUD) & Kerberos
[Diagram: DB farm with OUD; database client (SqlPlus, Java, etc.) authenticates via EUS; OUD maps users, schema and roles, reads groups from AD and holds the OracleContext.]
OUD proxy setup:
• AD user with read access
• Read permission on the DB user entries in AD
• Oracle Context in LDAP
• Software: OUD, WebLogic, ADF
• Also works with EUS
[linux7 Oracle_OUD1]$ ./oud-proxy-setup
[linux6]$ okinit testuser
[linux7]$ oklist
(Kerberos ticket)
14. Secure External Password Store (1)
$ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:

$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-12578: TNS:wallet open failed
Enter user-name:
15. Secure External Password Store (2)
0x00 - 0x4C Header:
  0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03        Type = SSO: 36; LSSO: 38
  0x04 - 0x06 00 00 00
  0x07        Version (10g: 05; 11g: 06)
  0x08 - 0x0A 00 00 00
  0x0B - 0x0C 11g: always the same (41 35)
  0x0D - 0x1C DES key
  0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF  PKCS#12 data (ASN.1 block)

$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
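The header layout listed above, as a small parser (an added example, not code from the talk or from the ssoDecrypt.sh script shown; the wallet bytes it parses are a constructed fixture). It validates the fixed fields and slices out the key and secret fields by offset, which is enough to inventory wallet files and tell a plain auto-login wallet (SSO) from a host-bound auto_login_local one (LSSO) without decrypting anything.

```python
# Header parser for the cwallet.sso layout above (added example, not code from the
# talk or ssoDecrypt.sh). Validates magic/type/version/reserved bytes and slices out
# the DES key and DES secret fields by offset; it never decrypts the secret.
from dataclasses import dataclass

MAGIC = b"\xa1\xf8\x4e"                      # 0x00-0x02
WALLET_TYPES = {0x36: "SSO", 0x38: "LSSO"}   # 0x03: auto_login vs. auto_login_local
VERSIONS = {0x05: "10g", 0x06: "11g"}        # 0x07
HEADER_LEN = 0x4D                            # 0x00-0x4C inclusive


@dataclass
class SsoHeader:
    wallet_type: str
    version: str
    des_key: bytes      # 0x0D-0x1C, 16 bytes
    des_secret: bytes   # 0x1D-0x4C, 48 bytes, DES-CBC with PKCS7 padding
    pkcs12_len: int     # bytes from 0x4D to EOF (the ASN.1 block)


def parse_sso_header(data: bytes) -> SsoHeader:
    """Check the fixed header fields; raise ValueError if the layout does not match."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 0x4D-byte header")
    if data[0:3] != MAGIC:
        raise ValueError("no A1 F8 4E magic: not a cwallet.sso")
    if data[3] not in WALLET_TYPES:
        raise ValueError(f"unknown type byte 0x{data[3]:02x}")
    if data[7] not in VERSIONS:
        raise ValueError(f"unknown version byte 0x{data[7]:02x}")
    if data[4:7] != bytes(3) or data[8:11] != bytes(3):
        raise ValueError("reserved bytes 0x04-0x06 / 0x08-0x0A are not zero")
    return SsoHeader(WALLET_TYPES[data[3]], VERSIONS[data[7]],
                     bytes(data[0x0D:0x1D]), bytes(data[0x1D:0x4D]),
                     len(data) - HEADER_LEN)


def build_sample_wallet(wallet_type: int = 0x38, version: int = 0x06) -> bytes:
    """Constructed test fixture following the documented layout, with dummy key material."""
    hdr = MAGIC + bytes([wallet_type]) + bytes(3) + bytes([version]) + bytes(3)
    hdr += b"\x41\x35"                # 0x0B-0x0C, constant in 11g wallets
    hdr += bytes(range(16))           # 0x0D-0x1C dummy DES key field
    hdr += bytes(48)                  # 0x1D-0x4C dummy DES secret field
    return hdr + b"\x30\x82\x01\x00"  # 0x4D..: start of an ASN.1 SEQUENCE
```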
16. Separation of schema owner and access users
[Diagram: one APPLICATION SCHEMA accessed through several separate DB USERs (1, 2, 3 ... n).]
17. Cost-benefit analysis
Requirement | Old wallets | AD Kerberos | SSL PKI | EUS
Password protected against being read out: ★ ✔ ✔
Reduced admin effort for password changes: ✖ ✔ ✔
Better traceability of changes: ✖ ✔ ✔
Individual user identities: ✖ ✔ ✔
Central user management & password policies: ✔
Central role management: ✔
Solution suitable for all access paths: ★ ★
CA required: ✔
Kerberos roll-out required: ✔
Wallets can still be used: ★ ✔
Directory licence costs incurred
21. Kerberos user login
SQL> create user USER01 identified externally as 'USER01@TESTED.LCL';
User created.
SQL> grant connect to user01;

[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:

[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting         Expires                Principal
08-Feb-2016 14:11:20   08-Feb-2016 22:11:11   krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33   08-Feb-2016 22:11:11   oracle/ioaotow01@TESTED.LCL
08-Feb-2016 14:16:40   08-Feb-2016 22:11:11   oracle/ioaotow01.tested.lcl@TESTED.LCL

[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "USER01@TESTED.LCL"
23. Kerberos & Database 12c
• Newly written stack
• RC4-HMAC-NT / W2012 Server
• ORA-12638: Credential retrieval failed
  – SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
• Bugs....
Reading list:
Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug:19636771. The workaround for this is to use AES encryption in the keytab"
Doc ID 1611643.1: Bug 17497520 : KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
Doc ID 185897.1: Kerberos Troubleshooting Guide
Master Note For Kerberos Authentication (Doc ID 1375853.1)
WNA- Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
Laurent Schneider: The long long route to Kerberos
Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
24. PKI: certificates and wallets
Database server
1. Create an empty wallet
2. Create key and certificate request
3. Have the request signed by the CA (e.g. CN=db12c)
4. Import the CA certificate (CN=myCA)
5. Import the signed certificate
Client
1. Create an empty wallet
2. Create key and certificate request
3. Have the request signed by the CA (e.g. CN=jans)
4. Import the CA certificate (CN=myCA)
5. Import the signed certificate
30. Login with user/password and SSL
$ sqlplus user/pwd@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
------------------------------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
------------------------------------------------------------------------
PASSWORD
31. PKI: login with certificate
SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;
$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
-----------------------------------------------------
SSL
32. PKI: JDBC
• SSL can also be used via JDBC
• Integration also possible via keytool
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

// TCPS listener endpoint; servername and servicename are placeholders from the slide
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
           + "(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
// Trust store holding the CA certificate that signed the listener certificate
props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);
http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
How to configure Oracle SQLDeveloper to use a SSL connection that was configured as per Note 401251.1
33. PKI: ODBC
Use the Oracle ODBC driver: Oracle Data Access Components (ODAC)
34. Be a Certificate Authority (CA)
• AD Certificate Services
• Commercial products
  – Also open source:
    • EJBCA
    • OpenXPKI
• All steps are implemented in OpenSSL
  – Not to be confused with self-signed certificates
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem \
    -infiles Reqs/$1.req
37. Jan Schreiber
Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | bi solutions
jans@loopback.org
blogs.loopback.org
Thank you for your attention!