How to set up Enterprise User Security

How-To Document

Date: 27-Oct-2005

Introduction

Enterprise User Security simplifies user management by enabling database user accounts to be centrally managed in an LDAP directory. From a user's standpoint, managing passwords in multiple databases is confusing and from an administrator's perspective, managing user authorizations in multiple databases is an error prone and costly management task. With Oracle Internet Directory, the core of Oracle Identity Management, Oracle provides a scalable, standards-based directory that helps you overcome this management burden.

Pre-Requisites:

  1. Install Oracle Application Server 10g (10.1.2), including the Identity Management option
  2. Install Oracle Database 10g

Tasks:

  1. Tell the Database to use an LDAP directory
  2. Register the Database with OID
  3. Configuring Enterprise Users: Match all users to a global database schema
  4. Configuring Enterprise Users: Match users to appropriate global database roles

Tell the Database to use an LDAP directory:

  1. On your database server, start Network Configuration Assistant with "netca":

    Click on Directory Usage Configuration and click "Next":

  2. Pick Oracle Internet Directory from the drop-down list and click on 'Next':

  3. Enter the fully qualified domain name (FQDN) of the host where OID is running, as well
    as the port and SSL-port used by OID. Click on "Next":

  4. Choose an OracleContext from the drop-down list.

    Do not use the root context ("cn=OracleContext"): it encompasses everything stored in
    the directory, not just the entries pertaining to your organization, database or user group.
    Use the OracleContext of your realm instead (the realm is the container for your
    organization, databases and users). In this example the realm is defined by the domain
    components "dc=us,dc=oracle,dc=com", so the context to pick is
    "cn=OracleContext,dc=us,dc=oracle,dc=com". Click "Next":

  5. Confirm and click on "Next":

  6. Click on "Finish":



    NetCA has now created the file "ldap.ora" in $ORACLE_HOME/network/admin; this is how the database finds the directory.
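    For reference, this is the shape of the file NetCA writes, shown here as an added example rather than a copy of the
    original page's output. The OID host name and the two ports are assumed values for this walkthrough; the admin
    context is the realm chosen in step 4.

```text
# $ORACLE_HOME/network/admin/ldap.ora  (example; host and ports are assumed)
DIRECTORY_SERVERS= (oidhost.us.oracle.com:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=us,dc=oracle,dc=com"
DIRECTORY_SERVER_TYPE = OID
```

    If the database later fails to locate the directory, check this file first: DEFAULT_ADMIN_CONTEXT must name the
    realm, not the root context, and the second port must be the SSL port OID actually listens on.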

Register the Database with OID:

  1. On your database server, start Enterprise Security Manager with "esm":

    Provide the login credentials for the Oracle Internet Directory administrator "cn=orcladmin", then click "OK".
    If Enterprise Security Manager is not present, install it from the Client CD.

  2. Next, navigate down the hierarchy to find users in OID:

    "cn=dbcreator,cn=users,dc=us,dc=oracle,dc=com" is the only user in this directory with authority to register
    databases with OID; unregistering a database can only be done by "cn=orcladmin,cn=users,dc=us,dc=oracle,dc=com".
    Also take note of the users "Joe" and "Nina"; we will use their accounts later to test the configuration.
    The authority to register databases comes from membership in the OracleDBCreators admin group, which is present
    by default in each IdM realm. If dbcreator is not listed, create the user in OID at
    http://:7777/oiddas/ui/oideushome/ and add dbcreator to the OracleDBCreators admin group.
    Click "File" and "Exit":

  3. On your database server, start the Database Configuration Assistant with "dbca":

    Click "Next":

  4. Select "Configure Database Options" and click "Next":

  5. Select the Database which should be registered with your LDAP server and click "Next":

  6. Select "Yes, register the database" and fill in the required fields: User DN is the "Distinguished Name" of the
    directory user who has authority to register databases (dbcreator, from step 2). Click "Next":

    DBCA writes two wallets to $ORACLE_BASE/admin/<sid>/wallet/: ewallet.p12 and cwallet.sso. cwallet.sso is an
    auto-login wallet that Oracle components use to authenticate to each other without prompting for a password;
    since anyone who can read it can use the database's directory credential, keep the wallet directory readable
    by the Oracle software owner only. The password-protected wallet ewallet.p12 can also be used with Transparent
    Data Encryption when the same wallet password is used for both.

  7. Click "Next"

  8. Click on "Finish":

  9. Click on "OK":

  10. The configuration in progress:

  11. Click "No" to exit from dbca

Configuring Enterprise Users: Match all users to a global database schema

  1. Switch to a terminal window and connect to the database with "sqlplus / as sysdba"

    Create a shared schema:
      create user global_ident_schema_user identified globally;
    Grant connect to this schema user:
      grant connect to global_ident_schema_user;
    This shared schema is what the users defined in OID will connect through. Like a role, it exists to hold
    privileges; nobody logs in to it directly with a database password. The users in OID still need to be
    mapped to this schema, which is the next step.

  2. On your database server, start Enterprise Security Manager with "esm":

    Provide the log in credentials to Oracle Internet Directory for "cn=orcladmin", then click "OK".

  3. Drill down to "OracleDefaultDomain":

    Click the "Database Schema Mapping" tab above the right window. Click "Add..."

  4. Navigate to the "Users" subtree in your directory:

    Enter global_ident_schema_user into the "Schema" field; this maps all users under the "cn=Users,dc=us,dc=oracle,dc=com"
    subtree to the shared schema created earlier in the database. Click "OK"

  5. Close Enterprise Security Manager and open a terminal window:

    Connect to your database with joe/welcome1. Joe is an enterprise user defined in OID: global_ident_schema_user
    is reported as the session_user of the connection, but Joe's identity is preserved in external_name, which
    reveals the identity stored in OID. Try the same for Nina.
    Joe, Nina and all other users in the cn=Users,dc=us,dc=oracle,dc=com subtree can now connect to your database;
    they are limited only by the privileges granted to the global_ident_schema_user schema, which at the moment
    is just connect.
    All users have the same privileges, since they connect through the same global schema. This is not practical, so let's change it:
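    The check in step 5, written out as an added example (not code from the original page). Run the first query
    after connecting as Joe, the others as SYSDBA. The DN quoted for Joe in the note below is assumed from the
    cn=Users subtree used in this walkthrough.

```sql
-- Added example: run this first query in SQL*Plus after "connect joe/welcome1".
-- SESSION_USER is the schema the session really runs as (the shared global
-- schema), while EXTERNAL_NAME and ENTERPRISE_IDENTITY (a USERENV attribute
-- available from 10g) carry the enterprise user's OID distinguished name.
-- That DN is what audit records and VPD policies should key on, since every
-- mapped user shares the same SESSION_USER.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS session_user,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')       AS external_name,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS enterprise_identity
  FROM dual;

-- As SYSDBA: the shared schema must show as globally identified. On 10g the
-- PASSWORD column of DBA_USERS reads GLOBAL for such a schema, i.e. there is
-- no database password that could be guessed to get into it.
SELECT username, password, account_status
  FROM dba_users
 WHERE username = 'GLOBAL_IDENT_SCHEMA_USER';

-- As SYSDBA: every privilege held by the shared schema is handed to every
-- mapped enterprise user, so review the list.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'GLOBAL_IDENT_SCHEMA_USER';
```

    Step 5 above describes the expected result of the first query: SESSION_USER is GLOBAL_IDENT_SCHEMA_USER for both Joe
    and Nina, while EXTERNAL_NAME differs per person, for example cn=Joe,cn=Users,dc=us,dc=oracle,dc=com for Joe (exact DN
    assumed). An audit trail keyed only on the database user name would therefore lump all enterprise users together.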

Configuring Enterprise Users: Match users to appropriate global database roles

  1. Drop and re-create the schema global_ident_schema_user:

    This time, we do not grant "connect" to this schema, but we create a globally identified role ("dbaccess") and grant
    "connect" to this role. It will be matched to an "Enterprise Role" in OID:

  2. Exit from your SQL prompt and start Enterprise Security Manager with "esm":

    Provide the log in credentials to Oracle Internet Directory for "cn=orcladmin", then click "OK".

  3. Navigate to the "OracleDefaultDomain". Find the database you registered earlier with OID: In this example, it's "orcl":

    Click on "Operations" in the top left corner of ESM and select "Create Enterprise Role" from the drop-down menu.

  4. Enter the name of the Enterprise Role: "dbaccess_ent_role":

    Click "OK"

  5. Now the enterprise role in OID must be matched with the globally identified role in your database; navigate to the enterprise role you just created and click on the "Database Global Roles" tab above the right window.

    Click "Add..."

  6. Click on the name of the database that contains the globally identified role: "orcl"

  7. Enter the credentials required to log into your database as "system"

  8. From the list of available global roles, pick "dbaccess".

    Click "OK"

  9. Navigate to the enterprise role and click on the "Users" tab above the right window.

    Click "Add..."

  10. Navigate to "cn=Users" and scroll down to find 'Joe':

    Highlight "Joe" and click "OK"

  11. Joe is now the only user who is included in dbaccess_ent_role, which is mapped to the global database role dbaccess, which contains the Connect role:

    Click "File" and "Exit"

  12. Verify by connecting as Joe:

  13. Compare to Nina, who is not a member of the dbaccess_ent_role:
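    The SQL behind step 1 and the verification of steps 12 and 13, as one added example (not the original page's
    screenshots). It assumes the names used above (global_ident_schema_user, dbaccess, Joe and Nina) and uses the 10g
    form IDENTIFIED GLOBALLY AS '' for the shared schema, which is the same kind of schema the page's shorter
    "identified globally" creates. Nina's password is not given on the page and is left as a placeholder.

```sql
-- Added example, not from the original page. Part 1 is step 1 of this
-- section, run as SYSDBA ("sqlplus / as sysdba"); part 2 is what steps 12
-- and 13 look like from SQL*Plus once the enterprise role mapping is done.

-- Part 1: rebuild the shared schema with no privileges of its own and put
-- CONNECT on a global role instead.
DROP USER global_ident_schema_user CASCADE;

-- Shared schema. The empty DN in IDENTIFIED GLOBALLY AS '' is the 10g way of
-- saying "many directory users map here"; the page's "identified globally"
-- creates the same kind of schema.
CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY AS '';

-- Global role. A global role cannot be granted to a user with GRANT inside
-- the database (that raises ORA-28021); it is enabled only through the
-- enterprise role in OID, so the directory alone decides who gets CONNECT.
CREATE ROLE dbaccess IDENTIFIED GLOBALLY;
GRANT CONNECT TO dbaccess;

-- Before going to ESM, confirm the role is global and that nothing is granted
-- to the shared schema directly, so the only way in is through OID.
SELECT role, password_required
  FROM dba_roles
 WHERE role = 'DBACCESS';

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'GLOBAL_IDENT_SCHEMA_USER';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'GLOBAL_IDENT_SCHEMA_USER';

-- Part 2: verify as Joe, after "connect joe/welcome1". DBACCESS, and the
-- CONNECT it carries, should be among the enabled roles, and CREATE SESSION
-- among the enabled privileges, even though neither was granted to the
-- schema Joe is mapped to.
SELECT role FROM session_roles;

SELECT privilege FROM session_privs;

-- Nina: "connect nina/<password>" (password assumed) is refused at logon.
-- She maps to the same shared schema but holds no enterprise role, so no
-- CREATE SESSION privilege reaches her session.
```

    For Nina the logon attempt fails with ORA-01045 (lacks CREATE SESSION privilege; logon denied). The part-1
    queries against DBA_ROLE_PRIVS and DBA_SYS_PRIVS should return no rows; if they do, someone has granted the shared
    schema privileges directly, and every enterprise user mapped to it, not just members of dbaccess_ent_role, gets them.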

Next chapter: "OID-enabled Oracle Label Security"

See also: how to synchronize Oracle Enterprise Users with Novell eDirectory
