How to Use Microsoft User Credentials In Oracle Key Manager

by Scott Painter, March 2012


You can use your existing Microsoft user credentials in Oracle Key Manager provided you import them with the Oracle Enterprise Single Sign-On Logon Manager GUI.




Introduction

Today, when you create Oracle Key Manager users and assign them roles that grant various privileges, you must define these users in the Oracle Key Manager system itself; there is no vehicle for using existing user IDs and associated credentials from identity management systems, such as LDAP or Microsoft Active Directory. Until identity management is implemented in Oracle Key Manager, you must track and manage the additional user names and authentication credentials associated with Oracle Key Manager.


Password management is an ongoing challenge, but now there is an immediate solution for Microsoft Windows users of the Oracle Key Manager GUI: Use Oracle Enterprise Single Sign-On Logon Manager, a component of Oracle Enterprise Single Sign-On Suite Plus, to manage passwords and to provide user credentials to Oracle Key Manager.

Note: Oracle Key Manager was tested with Oracle Enterprise Single Sign-On Logon Manager version 11.1.1.5.0. Oracle Enterprise Single Sign-On Logon Manager cannot be used with the Oracle Key Manager console or with the Oracle Key Manager CLI. It can be used only with the Oracle Key Manager GUI.

The following basic steps occur during an Oracle Key Manager logon that is enabled with Oracle Enterprise Single Sign-On Logon Manager:

  • The user requests access to Oracle Key Manager from a Windows desktop. The Oracle Enterprise Single Sign-On Logon Manager agent intercepts the user request on the desktop.
  • Oracle Enterprise Single Sign-On Logon Manager retrieves the user record and then fills in the appropriate credentials for Oracle Key Manager. The Oracle Key Manager username and password are then sent to Oracle Key Manager.
  • The user is granted access to Oracle Key Manager.

Oracle Enterprise Single Sign-On Suite Plus

Oracle Enterprise Single Sign-On Suite Plus provides user security, including regulatory compliance (HIPAA, GLB, SOX), and it provides a single source for user identity management. Oracle Enterprise Single Sign-On Suite Plus supports an extensive list of directories and databases as a central repository for user credentials, application logon templates, password policies, and client settings.

You can leverage these features of Oracle Enterprise Single Sign-On Suite Plus for Oracle Key Manager users. By default, Oracle Enterprise Single Sign-On Logon Manager securely stores users' credentials using the Triple-DES MS CAPI encryption algorithm.

Oracle Enterprise Single Sign-On Suite Plus includes the following product components:

  • Oracle Enterprise Single Sign-On Logon Manager. Provides interfaces to network and computer logons as well as sign-on to applications, enabling users to log on one time with a single password. It satisfies the requirement for using single sign-on with Oracle Key Manager (the client GUI that is used for the administration of the Oracle Key Manager cluster and its appliances) on Microsoft Windows desktops.
  • Oracle Enterprise Single Sign-On Password Reset. Provides a recovery mechanism for users who forget their desktop passwords.
  • Oracle Enterprise Single Sign-On Kiosk Manager. Provides initial user authentication and automatic user sign-off to kiosk environments, enabling secure kiosk computing at any location within the enterprise.
  • Oracle Enterprise Single Sign-On Authentication Manager. Enables you to use any combination of tokens, smart cards, biometrics, and passwords to control user access to applications, making it easier to implement advanced authentication strategies.
  • Oracle Enterprise Single Sign-On Provisioning Gateway. Enables you to directly distribute user credentials, usernames, and passwords to Oracle Enterprise Single Sign-On Suite Plus.

Oracle Key Manager User Administration

As an Oracle Key Manager administrator, a basic configuration task you perform is creating users and assigning them roles. Users authenticate with the Oracle Key Manager GUI using password-based authentication. (Users of the Oracle Key Manager CLI may use either password-based authentication or certificate-based authentication.) Figure 1 provides an example listing of Oracle Key Manager users and their roles:

Figure 1. User List in the Oracle Key Manager GUI

Each Oracle Key Manager system also requires you to define an M of N quorum. Each member of this quorum has an identity and a corresponding passphrase known to that quorum member. Various administrative operations that have security implications require the approval of a minimum number (M) of the N quorum members.

The following section describes how you can define credentials for various Oracle Key Manager user entities in Oracle Enterprise Single Sign-On Logon Manager.

Oracle Enterprise Single Sign-On Logon Manager

First, you install the Oracle Enterprise Single Sign-On Logon Manager agent on the various Windows desktop systems that users will use to access Oracle Key Manager. Then, you configure the Oracle Enterprise Single Sign-On Logon Manager to recognize the Oracle Key Manager logon screens and the users' Oracle Key Manager logon credentials. The following sections describe these steps in greater detail.

Installing Oracle Enterprise Single Sign-On Logon Manager

You should install the Oracle Enterprise Single Sign-On Logon Manager agent on the systems on which the Oracle Key Manager GUI is installed. The installation process allows you to choose logon method plug-ins for the Oracle Enterprise Single Sign-On Logon Manager agent to use. For example, there are plug-ins for Windows logon, graphical identification and authentication (GINA) logon via a Windows domain, LDAP logon, and so on.

Configuring Oracle Enterprise Single Sign-On Logon Manager

The next step is to use the setup wizard (shown in Figure 2) to choose the primary logon method and then set up the Oracle Key Manager logon.

Figure 2. Oracle Enterprise Single Sign-On Logon Manager Setup Wizard: Primary Logon

Note: Oracle Enterprise Single Sign-On Logon Manager's auto-prompt setting is enabled by default. With it enabled, Oracle Enterprise Single Sign-On Logon Manager automatically detects password-protected applications or websites. Consider disabling this feature if you are using Oracle Enterprise Single Sign-On Logon Manager only with Oracle Key Manager and not with other applications.

Configuring Oracle Key Manager User Logons

After installing and configuring Oracle Enterprise Single Sign-On Logon Manager, you can use it to define the Oracle Key Manager logon account credentials, as shown in Figure 3.

Figure 3. Configuring Application Logon Credentials in Oracle Enterprise Single Sign-On Logon Manager

Configuring Users Who Have Multiple Oracle Key Manager Credentials

Some users might have multiple Oracle Key Manager user accounts, for example, separate accounts for their different roles, as shown in Figure 4. It's possible, therefore, that a user has an Oracle Key Manager user account for administering the key management appliance (KMA) as a compliance officer and another account that has the quorum role and is used strictly to approve Oracle Key Manager system changes that require quorum member approval.

Another use of multiple Oracle Key Manager user accounts is when an enterprise has more than one Oracle Key Manager system. For example, there might be a test system and a production system. You can configure Oracle Enterprise Single Sign-On Logon Manager to handle all these extra Oracle Key Manager logon credentials with a single sign-on for a particular user.

Figure 4. Account List in Oracle Enterprise Single Sign-On Logon Manager

Configuring Oracle Key Manager Quorum Users

As mentioned previously, it is possible to have Oracle Enterprise Single Sign-On Logon Manager manage Oracle Key Manager user accounts that have the quorum role. The quorum role was added in Oracle Key Manager 2.2, so Oracle Enterprise Single Sign-On Logon Manager offers less benefit with earlier Oracle Key Manager releases.

Configuring Oracle Key Manager ELOM/ILOM Logins

Oracle Key Manager KMAs contain a service processor that provides "lights out management" for the appliances. Depending upon the specific KMA, the service processor can be either an embedded lights out manager (ELOM) or an integrated lights out manager (ILOM).

Regardless of the specific type, these service processors contain a web server that you can configure with various user accounts. You can also configure Oracle Enterprise Single Sign-On Logon Manager to manage these login accounts using the Web option in the New Logon dialog box (shown in Figure 3). Be sure to check the Oracle Enterprise Single Sign-On Logon Manager Release Notes for the list of supported web browsers.

Managing Passwords in Oracle Enterprise Single Sign-On Logon Manager

The password management features of Oracle Enterprise Single Sign-On Logon Manager allow you to manually change Oracle Key Manager passwords. They also allow you to have Oracle Enterprise Single Sign-On Logon Manager randomly generate a password that conforms to the Oracle Key Manager password policy.

The Oracle Enterprise Single Sign-On Logon Manager best practices and administrator documentation go into detail on how to leverage the password management features. For example, Oracle Key Manager does not enforce a password change policy on its users, but having an enterprise password change policy is a best practice. You can configure Oracle Enterprise Single Sign-On Logon Manager to define a password change policy that assists Oracle Key Manager users with password change reminders.

Single Sign-On Using Oracle Enterprise Single Sign-On Logon Manager and Oracle Key Manager

After you install and configure Oracle Enterprise Single Sign-On Logon Manager, it's simple to authenticate once to the enterprise's identity management system and then access Oracle Key Manager and have Oracle Enterprise Single Sign-On Logon Manager supply the correct logon credentials.

Using Single Sign-On with Microsoft Windows

As mentioned earlier, the installation and setup wizard requires you to select a primary logon method. A variety of choices are supported, but the simplest is the basic Windows logon, which supplies a username and passphrase for authentication to a Windows desktop system. Once authenticated, the Oracle Enterprise Single Sign-On Logon Manager agent uses its account configuration to assist with application logon.

Logging On to Oracle Key Manager

Figure 5 shows an example of an Oracle Key Manager user logon assisted by the Oracle Enterprise Single Sign-On Logon Manager agent. In this example, the user has multiple Oracle Key Manager accounts and Oracle Enterprise Single Sign-On Logon Manager provides a dialog box allowing the user to select which credentials to use for the logon session.

Figure 5. Oracle Key Manager Logon Assisted by Oracle Enterprise Single Sign-On Logon Manager Agent

Providing Oracle Key Manager Quorum Approvals

Various Oracle Key Manager operations (for example, creating a new user) require quorum approval. When an operation requires quorum approval, users who have quorum membership can have their quorum split-key credentials provided by Oracle Enterprise Single Sign-On Logon Manager. This capability provides another area of credential management for these special Oracle Key Manager users and is most useful in Oracle Key Manager release 2.2 or higher when approving pending quorum operations.

Conclusion

If you are using the Microsoft Windows platform for accessing Oracle Key Manager systems, Oracle Enterprise Single Sign-On Logon Manager can provide single sign-on along with the many other benefits that come with the supported identity management solutions.


Revision 1.0, 03/21/2012
