Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not so well known tasks.
I will make a deal with you: if you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them, then I will give you 10% of the monthly contract or deal price every month. When the contract ends and we re-sign the contract, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases.
I can do this because that 10% is my marketing budget. When we re-sign the contract in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.
Contact:
Franz
Security, Authentication Methods - Part 5
Multitier Authentication and Authorization
Client identities must be preserved through the middle tier. A middle tier uses connection pooling to allow multiple users to access the data server without each of them needing a separate connection. In such a configuration the Oracle Call Interface (OCI) is used to create lightweight sessions, which allows database password authentication for each user. This method preserves the identity of the real user through the middle tier without the overhead of a separate database connection for each user.
In a multitier environment, Oracle controls the security by limiting privileges, preserving client identities through all the tiers, and auditing the actions taken on behalf of the real clients or users.
You can create lightweight sessions without passwords, if appropriate, on an internal application server. However, security is better with passwords: if connections pass through firewalls, you want to maintain the security of users accessing data on the inside of the firewalls.
Clients, Application Servers, and Database Servers
In a multitier environment, an application server is the interface between the client and the database servers. The application server validates the credentials of a client, for example a web browser. The database server can audit the operations that are performed by the application server.
Authentication in a multitier environment is based on trust regions. Client authentication is the domain of the application server. The application server is authenticated by the database server.
· The client provides proof of authenticity to the application server. This may be with a password or with an X.509 certificate.
· The application server will first authenticate the client, and then authenticate itself to the database server.
· The database server authenticates the application server.
The database server verifies that the client exists, and verifies that the application server has the privilege to connect on behalf of this client. The application server can also enable a role for the client on whose behalf it connects. The application server may have obtained these roles from a directory, which then serves as an authorization repository. The application will request that these roles be enabled. The database server will enable them, but first checks the following requirements:
o The DB server checks that the client has these roles by checking its internal role repository.
o The DB server checks that the application server has the privilege to connect on behalf of the user, and therefore to use these roles, just as the user would be able to use them.
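The mechanism described above is Oracle proxy authentication. The following is an added example, not code from the original post; it assumes APPSRV is the middle tier's own database account, SCOTT is the real end user, HR_REPORTS is an existing role, and the statements are run by a DBA in SQL*Plus on 11g. It also covers the accountability and differentiation points from the next section, since the audit option and SYS_CONTEXT are how the database tells the two parties apart.

```sql
-- Added example, not code from the original post. Assumed names: APPSRV is
-- the middle tier's own database account, SCOTT is the real end user, and
-- HR_REPORTS is an existing role. Run as a DBA in SQL*Plus (Oracle 11g).

-- 1. The application server gets its own account with nothing beyond
--    CREATE SESSION: its effective privileges come from the users it proxies.
CREATE USER appsrv IDENTIFIED BY AppSrvPw1;      -- constructed sample password
GRANT CREATE SESSION TO appsrv;

-- 2. Allow APPSRV to connect on behalf of SCOTT, but with only HR_REPORTS
--    enabled. The database enables the role only if SCOTT actually holds it
--    (its internal role repository is checked at connect time).
ALTER USER scott GRANT CONNECT THROUGH appsrv WITH ROLE hr_reports;

-- Stricter variants for the same relationship:
--   no roles at all, so only SCOTT's directly granted privileges apply:
--     ALTER USER scott GRANT CONNECT THROUGH appsrv WITH NO ROLES;
--   require the middle tier to present SCOTT's own password as well:
--     ALTER USER scott GRANT CONNECT THROUGH appsrv AUTHENTICATION REQUIRED;

-- 3. Audit what APPSRV does on SCOTT's behalf, separately from anything
--    APPSRV does for itself (accountability and differentiation).
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE BY appsrv ON BEHALF OF scott;

-- 4. How the middle tier opens the lightweight session from SQL*Plus:
--    it authenticates with its own password and SCOTT's identity is kept.
--      CONNECT appsrv[scott]/AppSrvPw1@orcl

-- 5. Inside that session both identities are visible, so application
--    code, VPD policies and the audit trail can tell the two apart.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS client_user
  FROM DUAL;
-- Proxied connection: middle_tier_user = APPSRV, client_user = SCOTT.
-- SCOTT connecting directly: middle_tier_user is NULL.

-- 6. Periodic review: which proxy relationships exist and what each allows.
SELECT proxy, client, authentication, role
  FROM dba_proxies
 ORDER BY proxy, client;

-- 7. Remove the relationship when the middle tier no longer needs it:
--      ALTER USER scott REVOKE CONNECT THROUGH appsrv;
```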
Multitier Authentication
· Security Issues for Middle-Tier Applications
Security for middle-tier applications must address the following key issues:
o Accountability: the database server must be able to distinguish between the actions of a client and the actions an application takes on behalf of a client. It must be possible to audit both kinds of actions.
o Differentiation: the database server must be able to distinguish between a client accessing the database directly, and an application server acting either for itself or on behalf of a client (browser).
o Least privilege: clients and middle tiers should be granted the least privileges that allow them to perform the necessary actions, in order to minimize the dangers of malicious or accidental inappropriate actions.
Identity Issues in a Multi-tier Environment
In a multitier environment, the identity of the client is maintained through all the tiers of the client's connection in order to maintain useful audit records. If the identity of the originating client is lost, the accountability for that client is lost. In such a case, it is no longer possible to distinguish operations performed by the application server on behalf of the client from operations that are performed by the application server itself.
Restricted Privileges in a Multitier Environment
The privileges must be limited to only those privileges that are required to complete the required tasks.
Client Privileges
The client privileges should be as limited as possible, because in a multi-tier environment, operations are performed by the application server on behalf of the client.
Application Server Privileges
The application server privileges should be limited to those privileges that are required to complete the client's request on the database server. The application server should not have the privileges to perform unneeded or unwanted operations on the database server.
Authentication of Database Administrators
Database Administrators (DBAs) perform special operations on the database, like shutting down and starting up, and other maintenance tasks, that should not be performed by normal database users. Oracle provides for secure authentication of DBA users, for which you can use either operating system authentication or password files.
Database Administration Authentication Methods
To use operating system authentication, a DBA will need to establish a group at the operating system level, and assign DBA privileges to that group. Then you can add the names of the persons who should have those privileges to that group. On Unix/Linux systems the special group is called the “dba” group.
On Microsoft Windows systems, users who connect with the SYSDBA privilege can take advantage of Windows native authentication. If these users work with the Oracle database using their domain accounts, then you must explicitly grant them local administrative privileges and ORA_DBA group membership.
The Oracle database server uses password files to keep track of those database user names that have been granted the SYSDBA and SYSOPER privileges.
· SYSOPER lets DBAs perform STARTUP, SHUTDOWN, ALTER DATABASE MOUNT/OPEN, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER. SYSOPER also includes the RESTRICTED SESSION privilege.
· SYSDBA has all system privileges with ADMIN OPTION, including the SYSOPER system privileges, and permits CREATE DATABASE and time-based recovery.
Password file authentication is enabled by default. You administer the password file with the ORAPWD utility. In order to share a password file between different databases, the initialization parameter REMOTE_LOGIN_PASSWORDFILE needs to be changed to SHARED in the init.ora file and/or the spfile. The default value of this parameter is EXCLUSIVE.
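The following is an added example, not code from the original post, that puts the DBA authentication methods above together as a DBA would check and administer them from SQL*Plus. It assumes an instance named ORCL on a Unix/Linux host with $ORACLE_HOME set, and a DBA account named JDOE; the ORAPWD and group checks in the comments are typed at the shell, not in SQL*Plus.

```sql
-- Added example, not code from the original post. Assumed: instance ORCL
-- on a Unix/Linux host with $ORACLE_HOME set, and a DBA account JDOE.

-- OS authentication: members of the OS "dba" group connect without a
-- password, so OS group membership is the only control; keep it short:
--   $ grep '^dba:' /etc/group          (shell, not SQL*Plus)
--   $ sqlplus / as sysdba
-- The password file is created at the OS level with ORAPWD:
--   $ orapwd file=$ORACLE_HOME/dbs/orapwORCL password=<sys_pw> entries=10
-- "entries" caps how many SYSDBA/SYSOPER users the file can hold.

-- 1. Confirm that password file authentication is active (default EXCLUSIVE).
SHOW PARAMETER remote_login_passwordfile

-- 2. Grant the narrower privilege where it is enough. SYSOPER covers
--    STARTUP, SHUTDOWN, ALTER DATABASE MOUNT/OPEN, backup and recovery,
--    but not reading application data or CREATE DATABASE.
GRANT SYSOPER TO jdoe;
-- Reserve SYSDBA (all system privileges WITH ADMIN OPTION) for the few
-- who genuinely need it:
--   GRANT SYSDBA TO jdoe;

-- 3. Review who is in the password file; this list is part of any audit.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 4. Only if one file must serve several databases: switch to SHARED.
--    Make the grants first, because SYSDBA/SYSOPER cannot be granted
--    while the file is SHARED. The parameter is static, so the change
--    takes effect after the instance is restarted.
ALTER SYSTEM SET remote_login_passwordfile = SHARED SCOPE = SPFILE;

-- 5. Revoke when the person leaves; the entry is dropped from the file.
REVOKE SYSOPER FROM jdoe;
```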
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com