Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
I will make a deal with you: If you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them, then I will give you 10% of the monthly contract or deal price every month. When the contract ends, and we re-sign the contract, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases.
I can do this, because that 10% is my marketing budget. When we re-sign the contract, in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.
Security
Administering Authentication - Part 2
Operating System Authentication
By default, Oracle allows operating system authenticated logins only over secure connections.
This means that you can't use Oracle Net or a shared server configuration for them. In 10g, this restriction prevents a remote user from impersonating another operating system user over a network connection.
In 10g, setting REMOTE_OS_AUTHENT to TRUE in the database initialization file forces the RDBMS to accept the client operating system username received over a non-secure connection and use it for account access. Because clients such as PCs and laptops are generally not considered secure, REMOTE_OS_AUTHENT is set to FALSE by default, which creates a more secure environment.
Any change to the REMOTE_OS_AUTHENT parameter takes effect only after the database is restarted. The advantage of operating system authentication is that the database audit trail and the OS audit trail correspond to each other. It may also be quicker to log in this way, because once you have authenticated to the operating system you don't have to specify a separate database user name.
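As an added example that is not part of the original post, the following SQL*Plus session, run as a DBA, checks the REMOTE_OS_AUTHENT setting discussed above, lists the accounts that depend on it, and resets the parameter to its default. The OPS$ALICE account is a constructed name; the dictionary columns assume 10g (11g adds DBA_USERS.AUTHENTICATION_TYPE).

```sql
-- Added example, not from the original post. Run as a DBA in SQL*Plus.

-- 1. Is the instance accepting OS usernames over non-secure connections?
--    Expect FALSE. TRUE means a remote client can assert any OS username.
--    OS_AUTHENT_PREFIX (default OPS$) is the prefix Oracle prepends to the
--    OS username to find the matching database account.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Which accounts are externally (OS) authenticated and therefore rely on
--    that setting? In 10g, DBA_USERS.PASSWORD shows 'EXTERNAL' for them.
--    On 11g use: WHERE authentication_type = 'EXTERNAL'
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL';

-- 3. How such an account is created (constructed example): the OS user
--    "alice" maps to OPS$ALICE and logs in with "sqlplus /" on the server,
--    with no separate database password to remember.
CREATE USER ops$alice IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$alice;

-- 4. Harden: put REMOTE_OS_AUTHENT back to its default. It is not dynamically
--    modifiable, so it goes into the spfile and takes effect after a restart,
--    as the text above notes.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```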
Network Authentication
Network authentication does not work through the operating system mechanism above; it is only available with Oracle Advanced Security. With it, you can configure a third-party service such as Kerberos to perform the authentication.
If you are using Oracle Advanced Security as your only external authentication service, then it does not matter what REMOTE_OS_AUTHENT is set to, because Oracle Advanced Security allows only secure connections.
Advantages of External Authentication
There are some advantages to external authentication as compared to being authenticated within the database.
-> You have more choices of authentication available; for example smart cards, fingerprints, Kerberos, or the operating system.
-> Single sign-on is supported in a number of network authentication services, such as Kerberos. Single sign-on enables users to have fewer passwords to remember.
-> If you are using some kind of external authentication process, you may find that it involves less administrative overhead than doing the authentication in the Oracle database.
Global Authentication and Authorization
Advanced Security enables you to centralize the management of user-related information, including of course authorizations, in an LDAP-based directory service. Users can then be identified in the database as global users. This means that the users are authenticated by SSL and that the management of these users is not in the database but in a centralized directory service. It also means that secure global roles can be defined in the database; authorizations for such global roles are carried out by the directory service.
Users don't have to be managed in a directory service, but may in fact be authorized by SSL and have local database roles in the database.
Centralized management of users enables you to go to the next level of authentication: enterprise users and enterprise roles. An enterprise role consists of a number of global roles. Enterprise users are defined and managed in the directory service. They have unique identities across the enterprise and can be assigned enterprise roles that determine their access privileges across multiple databases and systems.
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com