Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
I will make a deal with you: if you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them, then I will give you 10% of the monthly contract or deal price every month. When the contract ends and we re-sign it, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases.
I can do this because that 10% is my marketing budget. When we re-sign the contract in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.
Contact:
Franz
Security
Administering Authentication - Part 1
The process of authentication involves verifying the identity of a user, the identity of a device, or the identity of an entity in a computer system. Authentication is often a prerequisite to granting access to resources on a computer or system.
User Authentication Methods
There are several ways that a user can be authenticated by Oracle before they are allowed to create a database session.

Method of Authentication | Type of Authentication
Identified and authenticated by the database. | Database Authentication
Authenticated by the operating system or a network service. | External Authentication
Authenticated globally by Secure Sockets Layer (SSL); these are called global users, whose database access is through global roles authorized by an enterprise directory. | Global Authentication and Authorization
Allowed to connect through a middle-tier server that authenticates the user, assumes that identity, and can enable specific roles for the user. | Proxy Authentication and Authorization
Database Authentication
Database authentication is the default. With database authentication, account administration and authentication are performed entirely by the Oracle Database Server. To achieve this you specify a password for the user when you create or alter the user. Users can change their own passwords at any time. Passwords are always stored in an encrypted format, to make them difficult to hack. Passwords must always consist of single-byte characters, even if your database uses a multibyte character set. Usernames, on the other hand, can consist of multibyte characters, because user names are not encrypted.
It is good practice to encode your user names and passwords in ASCII or EBCDIC characters only. This practice keeps your usernames compatible with future changes to your database character set. If your usernames or passwords expand in size when migrated to a new target character set, you can experience login difficulties. Authentication of user logins can therefore fail after a migration to a target character set.
For example, the user jöan (o with an umlaut) will change from 5 bytes to 6 bytes in a migration from the WE8MSWIN1252 character set to the UTF8 character set. Therefore the user “jöan” will no longer be able to log in after the migration. If the user had instead been based on ASCII or EBCDIC characters, for example “joan”, then the user joan would still be able to log in after the character set migration.
It is good practice to make use of password management to enhance security with database authentication. This can include account locking, password aging and expiration, password history, and password complexity verification.
Creating a User Who Is Authenticated by the Database
Here is an example of creating a user that is authenticated by the database. Because the password contains a punctuation mark, it has to be enclosed in double quotes.
SQL> CREATE USER peter IDENTIFIED BY "Pumpkin123?";
Notice that the password is longer than 8 characters. It includes both upper and lowercase characters, it includes numbers and a punctuation mark, and it is not the same as the username.
There are advantages to using database authentication:
-> Because user accounts and all of the authentication
are controlled by the database, there is no reliance on any external mechanisms
to authenticate the user.
-> Oracle can be configured to exercise strong password
management features, in order to enhance the security.
-> When the number of database users is relatively
small, it is easier to administer, than using other methods of authentication.
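The password management features listed above, and the rules the Pumpkin123? example satisfies, can be enforced rather than left to the user. The following is an added example, not code from the original post: a password verification function owned by SYS (run as SYSDBA) and a profile that uses it; the names blog_verify_password and blog_secure_profile are chosen here, as are the limit values.

```sql
-- Added example (not from the original post). Run as SYSDBA; the function
-- must live in the SYS schema to be usable in a profile.
CREATE OR REPLACE FUNCTION blog_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    -- Longer than 8 characters, as in the peter example
    IF LENGTH(password) <= 8 THEN
        raise_application_error(-20001, 'Password must be longer than 8 characters');
    END IF;
    -- Must not be the same as the username (compared case-insensitively)
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must differ from the username');
    END IF;
    -- Upper case, lower case, a digit and a punctuation mark are each required
    IF    NOT REGEXP_LIKE(password, '[A-Z]')
       OR NOT REGEXP_LIKE(password, '[a-z]')
       OR NOT REGEXP_LIKE(password, '[0-9]')
       OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
        raise_application_error(-20003,
            'Password needs upper case, lower case, a digit and punctuation');
    END IF;
    RETURN TRUE;
END;
/

-- Profile covering the four management features named in the text
CREATE PROFILE blog_secure_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5                     -- account locking
    PASSWORD_LOCK_TIME       1                     -- locked for 1 day after 5 failures
    PASSWORD_LIFE_TIME       90                    -- password aging (days)
    PASSWORD_GRACE_TIME      7                     -- expiration grace period (days)
    PASSWORD_REUSE_MAX       10                    -- password history
    PASSWORD_REUSE_TIME      365
    PASSWORD_VERIFY_FUNCTION blog_verify_password;  -- complexity verification

-- Attach the profile to the user created above
ALTER USER peter PROFILE blog_secure_profile;

-- Check: this change is rejected by the verify function (too short, equals username)
-- ALTER USER peter IDENTIFIED BY "peter" REPLACE "Pumpkin123?";
```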
External Authentication
When you choose to use external authentication for a user, there is a separation of duties. The user account is still maintained by the Oracle Database Server, but password administration and user authentication are performed by an external service. This external service can be configured in different ways: it could be the operating system, or a network service such as Oracle Net. When you are using external authentication, your database relies on the underlying operating system or network authentication service to restrict access to the database accounts.
In this type of login to the database no password is used. The operating system or the network service authenticates the user.
There are basically two steps to set this type of authentication up.
1. The first step is to set the initialization parameter OS_AUTHENT_PREFIX. You can set it to a particular value or to an empty string. The default value is OPS$, which is kept for backward compatibility with previous versions of the Oracle Database Server. It is better to use the empty string ("" or '') as the prefix, so that the username in the database can be the same as the username in the operating system.
SQL> ALTER SYSTEM SET OS_AUTHENT_PREFIX="" SCOPE=SPFILE;
System altered.
SQL> CREATE PFILE FROM SPFILE; -- so that you have the latest, usable initSID.ora file
Now restart the database, and the parameter will come into effect.
Once the parameter is in effect, Oracle maps an operating system user name to a database user name by putting the prefix in front of the operating system name; with an empty prefix the two names are identical. For example, if fred has logged into the operating system as fred and wants to log into the database, Oracle prepends the (empty) prefix to the operating system name and matches it to the database user fred. The operating system user fred can therefore log into the database without supplying a password, because the operating system has already authenticated him, and in the database he is seen as user fred.
2. The second step is to create the user in the database.
SQL> CREATE USER fred IDENTIFIED EXTERNALLY;
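As an added check on the two steps above (example SQL not from the original post; it assumes an operating system account fred on the database server, as in the text), the following confirms the prefix, the user's authentication type, and how a passwordless session is recorded in the session context:

```sql
-- Added example, not from the original post. Statements 1 and 2 run as a DBA
-- after the restart; statement 3 runs as OS user fred on the database server.

-- 1. The prefix must now be empty (VALUE shows blank/NULL). Because OS
--    authentication trusts the operating system's identity, also confirm that
--    REMOTE_OS_AUTHENT is FALSE so that only local OS logins are trusted.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. fred exists and has no password verifier to manage
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE username = 'FRED';
-- expected row: FRED  EXTERNAL  OPEN

-- 3. From the OS account fred, connect with a slash and no password:
--      $ sqlplus /
--    then confirm which identity the database sees and how it was authenticated
SELECT USER                                            AS db_user,
       SYS_CONTEXT('USERENV', 'OS_USER')               AS os_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;
-- expected row: FRED  fred  OS
```

If statement 2 shows PASSWORD instead of EXTERNAL, the user was created with IDENTIFIED BY rather than IDENTIFIED EXTERNALLY and the slash connection will be refused.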
We are not quite there yet, but we will continue the
discussion in part two of this article.
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com