The OCI Phyton SDK has functions, like GenerateAutonomousDatabaseWalletDetails and generate_autonomous_database_wallet, to generate the database wallet.
Is there any function that allows adding user credentials on the wallet for the available service names? Something similar to what can be done with mkstore and createCredentials option.
No, there is no function for adding user credentials. Perhaps somewhat aside, but the 'user' and 'password' would be specific to the database instance, would have to be pre-created in the database and given access privileges, are not tied to a cloud user identity it any way. The exception being the ADMIN user, who is both an IAM user and a database user.
The underlying connection APIs expect the 'user' and 'password' of these database users in addition to the TLS credentials and the encryption mechanics it provides.
Related
I need to create a user in an oracle database that only allows connections through JDBC and not through some IDE for example, is this possible?
There's no good, foolproof way to do what you're asking (limit connections based on connection protocol, or other client-side parameters). Any of the session parameters that you could base a database logon trigger or smart application role on can be spoofed or altered to bypass your security filter. The generally accepted approach is to secure a user account's permissions so that it doesn't matter how they connect - their access to and view of the data is always the same.
If you want to limit access just to your application server, do this using firewall rules on the database server that only allow inbound connections from the app server IP on the database port, or (if you have Enterprise Edition) use Oracle Connection Manager to filter access by IP address and Oracle Service Name.
Basically it hard to set this up really securely.
You can use such an approach:
Create DB user with no privileges on Application schema (except for connect)
Grant user password protected ROLE: APP_ROLE. Having access to APP_SCHEMA tables.
In your app, after DB logon execute:
SET ROLE APP_ROLE IDENTIFIED BY "some role's password";
Then execute:
ALTER SESSION SET CURRENT_SCHEMA='APPL_SCHEMA';
So even if anybody know username and password for database, he can connect, but is not allowed to see any data. APP_ROLE's password is hard-coded in your app, or is passed to your app from outer source (config file or databases global context).
So basically you need two passwords to access database data:
user's password
role's password
Is it possible using Custom Credential Provider to make windows logon without real password of local user?
I'm already able to install/register sample code from Microsoft, and even able to debug it.
My expectation from this mechanism: User inputs some password and my implementation performs some comparison against local database of my password (stored as sqlite database).
Reality: local user password MUST be passed to LSA subsystem within
ICredentialProviderCredential::GetSerialization(...)
Frankly speaking I'm trying to use some sort of -one-time-coupon codes as passwords, to login to a kiosk-like workstation.
This is the main reason for developing custom credential provider.
Your provider must return to the Logon UI or Cred UI the authentication information. It can be a login/password pair or a certificate based authentication.
Inside of your database you can store a real user's password and return it after checking your own OTP.
We are in the planning phase of configuring our soon-to-be-upgraded databases (19c) to authenticate directly against AD (no oracle proxy). I have read a handful of documents from Oracle on how to do this. Most of the documentation focuses around using passwords (password filter/verifier). The only problem is that our AD administrators are dead-set against implementing Oracle's password filter into our existing AD infrastructure. That being said, one of the security guys said we could implement the oracle authentication using Kerberos instead. From what I have read, and the documents are scattered all over the place, and nothing that detailed, to use Kerberos:
1) The client no longer uses a username/password - they connect using a wallet-style connection (e.g. /#dbname)
2) Not only does the Oracle DB need some configuration changes, but so does every client that plans on using Kerberos
I don't know anything about Kerberos, how it works, and what goes on when you implement this, but I was hoping for, at the end of this is:
1) No client changes/installs (only the oracle DB would have config changes)
The user will continue to provide credentials as before - completely transparent
2) No need for the password filter as our admins have a "beef" against it
So my question is:
If using Kerberos directly against AD on >=18c:
1) Does the client user still provide a username and password to authenticate against AD, or does the client simply get "accepted" due to the tickets/tokens/configuration that occurs on the client (i.e. the client is simply trusted)?
2) Is there client config changes that need to occur, or does the client reach out to the DB and the DB, with its config changes, does all the legwork to authenticate against AD based off of client info being passed
3) Does any additional manual component need to occur on occasion (periodically retrieving a ticket/token/something) (because, say, it expires)
So in the end, we want to have complete transparency with every client and using something other than the password verifier with AD.
Thanks in advance.
-Jim
It sounds like you want to authenticate Windows clients against an Oracle database over a network using Active Directory without making any client changes.
This is pretty open-ended and complex StackOverflow question.
Probably you've been reading the docs about Third Party Network Authentication using Oracle Advanced Security. You can use Kerberos, SSL, RADIUS, PKI, etc. For most of these options, you need to do some setup on the client, because both the Oracle client and server need to authenticate or verify with the third-party system.
I think you need Enterprise User Security (using Oracle Internet Directory). Assuming you go with password-based authentication, you don't need client changes. In this scenario, Oracle Internet Directory can synchronize its user directory with AD, so your users can use their same username/password. However, when they change their AD password, they'll need to change their Oracle password separately.
On a different note, you may be able to alleviate your AD admins' fears about Oracle password complexity requirements, since you can change or remove those to fit your AD requirements.
I need to be able to store a user's Exchange password so I can use it to perform some task later on, using EWS. I know storing passwords in plain text is a horrid crime, so what options do I have?
In my case, my application will have access to an administrative account that will have the ability to use impersonation to work with users' Calendars. I need to store the password of this admin account so I can use it while authenticating with the Exchange server at a later time. I am not planning on using the EWS Managed API.
I have a user that created a calendar app with similar requirements. By default, an account that has these permissions globally is horrible and not recommended. Impersonation roles were granted by department that required access to the app to reduce risk scope. However if you require this globally, here's what I recommended for mitigating the account/password exposure:
Restrict the accounts functionality to Exchange services only. Features like log on locally and other general domain user privileges are not needed for an EWS service account that only needs mailbox access and impersonation roles. In this case, the account cannot log onto a computer nor can it be used for RDP. This limits exposure for malicious use.
The user/pass can be stored in your applications database and the connection string would also be stored outside of your application, there's a lot here: https://security.stackexchange.com/questions/22817/how-to-encrypt-database-connection-credentials-on-a-web-server and encrypting the password within the database; further reading: http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
Restrict DB server and management access. This is a larger issue than it should be if the database server is shared between groups. Audit the database server access, and re-restrict if you have too many cooks in the kitchen. The database server should also not be directly accessed by user networks but that may be a larger issue to tackle.
Restrict access to the application. As in, is it available externally or only available inside your perimeter? Either way, the application should also include authentication just to access, using Kerberos or some other SSL auth, make sure the application cannot be used to DoS the EWS services from over-access.
Create a one-off throttling policy on Exchange for this user and assign accordingly to prevent the application from breaking EWS or limiting regular user functionalities. This is something Blackberry admins learned the hard way if they didn't follow recommendations. When BES server wouldn't properly tear down connections, web services would start dropping valid client requests. As such BES had to instruct users to create a one off throttling policy for various Exchange features. I did the same for the user that created my EWS app. And a few times it saved me.
Really it will boil down to good application design and coordinating requirements with the Exchange team.
Don't's:
Don't store the username/password in Apache/IIS pages or the connection string
Don't grant global permissions for the account if you don't have to
Don't allow unauthenticated access to the application and allow unlimited connection times
Hope this helps.
There are a few users which have (1) username, (2) password and (3) role attributes.
I want to use credentials of a user to authenticate and authorize for EJB service operations (WebLogic 12c App Server).
At the same time, i want to use those credentials for connection to persistence storage (Oracle 11g Database), cause my customer wants to restrict db object access depend on user role attribute.
Is there WebLogic or Oracle Database facilities to do so?
Is there any way to do so?
Very glad to see all your responses. Thank you.