Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
Security, Authentication Methods - Part 4
Directory-Based Services
Authenticating users through a central directory makes both authentication and administration efficient in a complex environment with many databases. Directory-based services include the following components:
· Oracle Internet Directory uses the Lightweight Directory Access Protocol (LDAP). It lets information about users, including enterprise users, be stored and managed centrally, so that enterprise user information is accessible from one place. You can also integrate Oracle Internet Directory with Active Directory and iPlanet. Keep in mind the contrast with ordinary database authentication: a database user must be created with a password in every database that they need to access, whereas an enterprise user is defined once in the directory and mapped to a schema in each database. Oracle Internet Directory lets you manage the security attributes and privileges for users, including users authenticated by X.509 certificates. It also enforces attribute-level access control, which restricts read, write, or update privileges on specific attributes to specific users, such as the enterprise security administrator. Directory queries and responses can use SSL encryption for enhanced protection during authentication and other interactions.
· Oracle Enterprise Security Manager provides centralized privilege management, which makes administration easier and enhances security. You can store and retrieve roles (enterprise roles) in Oracle Internet Directory using Enterprise Security Manager.
Authentication by the Oracle Database
The Oracle database server itself authenticates users that attempt to connect, based on information stored in the database, provided that the users were created with a password (CREATE USER ... IDENTIFIED BY password). If the user supplies an incorrect password, the connection is refused. Passwords are stored in the data dictionary as one-way hashes, not in a reversible form (Oracle's documentation describes this as an encrypted format), so the stored values reveal neither the passwords themselves nor a way to set them to a chosen value without the privilege to change them. A user can change their own password at any time.
The DBA can restrict which authentication protocol versions a client or database connection may use by setting the SQLNET.ALLOWED_LOGON_VERSION parameter in the sqlnet.ora file. Every connection is then checked, over and above all other authentication, against the minimum version specified. In Oracle 10g the parameter can have the value 10, 9, or 8; 8 is the default, and the recommended value is 10. (In 12c and later this single parameter is replaced by SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT.) If the client connection does not meet the minimum requirement, authentication fails with the ORA-28040 message:
· ORA-28040: No matching authentication protocol
Cause: No acceptable authentication protocol for both client and server.
Action: The administrator should set the SQLNET.ALLOWED_LOGON_VERSION parameter on both client and server to values that match the minimum version supported in the system.
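As an added example (not from the original post), this is how the setting looks in $ORACLE_HOME/network/admin/sqlnet.ora on a 10g server, with the shipped default beside the recommended value. Only one of the two assignments should be present in a real file; the same value belongs in each client's sqlnet.ora so that both sides agree, and on 12c and later the parameter is split into SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT.

```ini
# $ORACLE_HOME/network/admin/sqlnet.ora (added example, not from the post)

# Weak: the 10g default. Any client able to speak the 8.x logon protocol
# is accepted, so the server negotiates down to the oldest scheme.
SQLNET.ALLOWED_LOGON_VERSION = 8

# Hardened: require the 10g authentication protocol. Replace the line above
# with this one; a client that cannot meet it fails with ORA-28040 rather
# than being allowed to authenticate with an older, weaker protocol.
SQLNET.ALLOWED_LOGON_VERSION = 10
```

After editing sqlnet.ora no listener or database restart is needed; the file is read when a new connection is made, so test with a fresh SQL*Plus session from an old and a current client.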
Database authentication includes the following features:
· Password encryption while connecting. This is the default way that Oracle operates.
· Account locking
· Password lifetime and expiration
· Password history
· Password complexity verification
Password Encryption While Connecting
Passwords are always encrypted automatically and transparently with the Advanced Encryption Standard (AES) before they are sent across the network, for both client/server and server/server connections. Note that this covers only the password exchange during the logon handshake; the rest of the session's traffic is not encrypted unless network encryption (Oracle Advanced Security) is also configured.
Account Locking
Oracle can lock a user's account after a specified number of consecutive failed login attempts (FAILED_LOGIN_ATTEMPTS). The account is unlocked automatically after the time set in PASSWORD_LOCK_TIME or, if that limit is UNLIMITED, it stays locked until the DBA unlocks it. This is set up in the DEFAULT profile, or in the profile that is allocated to the user, with the CREATE PROFILE or ALTER PROFILE statement.
The DBA can also lock accounts manually (ALTER USER ... ACCOUNT LOCK); such accounts stay locked until the DBA unlocks them again.
Password Lifetime and Expiration
A lifetime for passwords can be set in days (PASSWORD_LIFE_TIME); 180 days, or six months, is a typical setting, and PASSWORD_GRACE_TIME gives a warning period during which the user can still log in but is told to change the password. Once the password has expired it must be reset or changed before the user can log in again.
The DBA can also manually expire a user's password (ALTER USER ... PASSWORD EXPIRE), which changes the account status to EXPIRED. The password must then be changed before the user can log in again.
Password History
This feature checks that the same password is not reused within a specified amount of time (PASSWORD_REUSE_TIME) or within a specified number of password changes (PASSWORD_REUSE_MAX). It is set up in the PROFILE that is assigned to the user.
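The locking, lifetime and history settings described in the three sections above all live in one profile. The following is an added example, not code from the original post; the profile name secure_profile, the user scott and the limit values are illustrative choices.

```sql
-- Added example (not from the original post): one profile that covers
-- account locking, password lifetime/expiration and password history.
-- Time limits are in days; fractions are allowed, so 1/24 is one hour.
CREATE PROFILE secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS  5       -- lock after 5 consecutive failed logins
  PASSWORD_LOCK_TIME     1/24    -- auto-unlock one hour later (UNLIMITED = DBA must unlock)
  PASSWORD_LIFE_TIME     180     -- password valid for 180 days
  PASSWORD_GRACE_TIME    7       -- then 7 days of warnings before it expires
  PASSWORD_REUSE_TIME    365     -- history: no reuse within a year AND
  PASSWORD_REUSE_MAX     10      -- not within the last 10 changes (set both)
;

-- Assign the profile to a user (scott is an illustrative name).
ALTER USER scott PROFILE secure_profile;

-- Manual lock: stays locked until a DBA runs ACCOUNT UNLOCK,
-- regardless of PASSWORD_LOCK_TIME.
ALTER USER scott ACCOUNT LOCK;
ALTER USER scott ACCOUNT UNLOCK;

-- Force a password change at the next login.
ALTER USER scott PASSWORD EXPIRE;

-- Check the resulting state. ACCOUNT_STATUS values of interest are
-- OPEN, EXPIRED, EXPIRED(GRACE), LOCKED(TIMED) and LOCKED.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE profile = 'SECURE_PROFILE'
 ORDER BY username;
```

Profile limits take effect on the next login or password change, not retroactively, so after assigning a profile it is worth checking DBA_USERS for accounts whose expiry_date is NULL; those users still have a password that has never been given a lifetime.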
Password Complexity Verification
This checks a new password against rules that make sure it is not too easy to guess. Oracle ships a sample password verification routine in the PL/SQL script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
You invoke a password verification function from the profile (PASSWORD_VERIFY_FUNCTION). You first have to create the function, either by running the mentioned script or by writing your own; it must be owned by SYS. Such a verification function checks the basic requirements for a password:
· A minimum number of characters; 8 characters is a good standard
· The password should not be the same as the username
· The password should include at least one alphabetic character, one numeric character, and one punctuation mark
· It should not match any word in an internal list of words or in a dictionary table of words
· It should differ from the previous password by a certain number of characters; three is a good standard
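An added example, not the utlpwdmg.sql script itself: a PL/SQL verification function implementing the five checks listed above, attached to the DEFAULT profile. The function name sec_verify_function, the error numbers and the short built-in word list are assumptions; the function must be created while connected as SYS, because a profile can only reference a SYS-owned function.

```sql
-- Added example (not the shipped utlpwdmg.sql). Create as SYS.
-- Oracle calls it with the old password set to NULL when a DBA changes
-- another user's password, so the "differs from previous" check is skipped then.
CREATE OR REPLACE FUNCTION sec_verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
RETURN BOOLEAN IS
  has_alpha  BOOLEAN := FALSE;
  has_digit  BOOLEAN := FALSE;
  has_punct  BOOLEAN := FALSE;
  punct      CONSTANT VARCHAR2(32) := '!"#$%&()``*+,-/:;<=>?_';
  differ     PLS_INTEGER := 0;
  ch         VARCHAR2(1 CHAR);
  -- Assumed small internal word list; a real deployment would also
  -- query a dictionary table.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  words      word_list := word_list('welcome', 'database', 'account', 'user',
                                    'password', 'oracle', 'computer', 'abcd');
BEGIN
  -- 1. Minimum length of 8 characters
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- 2. Not the same as the username (case-insensitive)
  IF NLS_LOWER(password) = NLS_LOWER(username) THEN
    raise_application_error(-20002, 'Password must not be the same as the username');
  END IF;

  -- 3. At least one letter, one digit and one punctuation mark
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF (ch BETWEEN 'a' AND 'z') OR (ch BETWEEN 'A' AND 'Z') THEN
      has_alpha := TRUE;
    ELSIF ch BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF INSTR(punct, ch) > 0 THEN
      has_punct := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_alpha AND has_digit AND has_punct) THEN
    raise_application_error(-20003,
      'Password must contain a letter, a digit and a punctuation mark');
  END IF;

  -- 4. Not a word in the internal list
  FOR i IN 1 .. words.COUNT LOOP
    IF NLS_LOWER(password) = words(i) THEN
      raise_application_error(-20004, 'Password is too simple');
    END IF;
  END LOOP;

  -- 5. Differ from the previous password in at least 3 positions.
  --    Positions beyond the shorter password count as differences.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) IS NULL
         OR SUBSTR(old_password, i, 1) IS NULL
         OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 3 THEN
      raise_application_error(-20005,
        'Password must differ from the previous one by at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Enforce it for every user in the DEFAULT profile; the function runs on
-- each CREATE USER / ALTER USER ... IDENTIFIED BY for those users.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION sec_verify_function;
```

A quick way to confirm it is active is to run ALTER USER for a test account with a seven-character password and check that the statement fails with ORA-28003 and the -20001 message; setting PASSWORD_VERIFY_FUNCTION back to NULL on the profile removes the check.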
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com