SSO with Active-Directory and Oracle on C# (VS 2010) - oracle

Here is what we have :
An Oracle-database-driven application which requires user authentication to start the application.
An Active-Directory controller with which users authenticate to log on to a session
Oracle 10, Windows Server 2008, Windows 7 WS, C# (2010), DevExpress, old VB6 Framework
Here is what we'd like to do:
Use the MS credentials to authenticate users, skipping the login in our application
Map users' authentication information (with A-D) to an Oracle privileges table
Remove the login box unless the user does not have enough privileges to use the app
Any clue, book reference, tutorial, guide, howto, sample, documentation will be MUCH appreciated!

Reading your question, I was delighted to see you were in the same box as I was.
We have an Oracle 9i-driven application. I read with much interest about Oracle 10g having AD functionality, but regrettably we could not get our hands on it; nevertheless, we are happy with what we have.
In this context, there is nothing to do but design your own solution. For that, we have converted our Oracle usernames to the AD-equivalent usernames. Our idea was that for each user session, the application checks whether the user is already authenticated with AD; if so, we create a session by applying a new application-generated password to the AD-authenticated user and then connect to the Oracle DB using it. The generated password is not known to the user, nor to anybody else, the plan being that it will be in encrypted form. For each session, the password is generated and applied to the user.
There were drawbacks like the overhead of changing the password regularly, but we could not find a better solution. If you have one, please share it with us for the benefit of the community.
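Added example, not part of the question or the answer above: the Oracle side of the "map the AD identity to a privileges table" step the question asks for. It assumes the Oracle user name is the Windows account name, either because the client uses Oracle's Windows OS authentication (shown first) or because the usernames were converted as the answer describes; the table, function and account names and the CORP domain are hypothetical.

```sql
-- Added example (not from the question or answer). Oracle side of mapping a
-- Windows/AD identity to an application privilege table. Names are hypothetical.

-- Option A: let Oracle trust the Windows logon instead of a password.
-- Assumes sqlnet.ora has SQLNET.AUTHENTICATION_SERVICES=(NTS) on client and
-- server and the instance parameter OS_AUTHENT_PREFIX is set to ''.
CREATE USER "CORP\JSMITH" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "CORP\JSMITH";

-- Privilege table keyed by the account name exactly as Oracle reports it.
CREATE TABLE app_user_priv (
  account   VARCHAR2(128) PRIMARY KEY,
  app_role  VARCHAR2(30)  NOT NULL,
  enabled   CHAR(1) DEFAULT 'Y' NOT NULL CHECK (enabled IN ('Y', 'N'))
);
INSERT INTO app_user_priv (account, app_role) VALUES ('CORP\JSMITH', 'OPERATOR');
COMMIT;

-- The client calls this immediately after connecting. It returns the role of
-- the account the session actually authenticated as (SESSION_USER is set by
-- the server, not supplied by the client), or NULL when the user is not
-- entitled; NULL is the signal to fall back to the login box.
CREATE OR REPLACE FUNCTION app_role_for_session RETURN VARCHAR2 IS
  v_role app_user_priv.app_role%TYPE;
BEGIN
  SELECT app_role INTO v_role
    FROM app_user_priv
   WHERE account = SYS_CONTEXT('USERENV', 'SESSION_USER')
     AND enabled = 'Y';
  RETURN v_role;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN NULL;
END;
/

-- Check from the connected client: SELECT app_role_for_session FROM dual;
```

The check belongs on the server side: the client decides only whether to show the login box, while the privilege lookup keys on the identity Oracle authenticated, so a modified client cannot claim a role it was not granted. Disabling a user is a single UPDATE of the enabled flag rather than an Oracle account change.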

Related

Oracle Apex - Using AD authentication, can the username / password be inherited from Windows

We are looking to introduce LDAP authentication to an existing Oracle Apex (Application Express 4.2.5) application to allow us to utilise active directory groups. Setting this up is fairly simple and works fine, however we have been asked if it's possible to inherit the username / password from the user's network login and pass this through the apex login so the user only has to log in once.
Is this possible?
I think the term you're looking for is "Single sign on"
There is quite a bit of information on this out there, and I think it's changed a bit over time. Exact solution probably really depends on infrastructure factors.
https://www.slideshare.net/nielsdb/single-signon-for-apex-apps

Apex "security module"?

My manager keeps talking about how I will be "developing" an Application Express "security module", however from what she told me we need to have, I don't see what there would be to develop, seeing as Apex already has authorization/groups which allow for various groups of people to see various content.
Is there something that I am missing? What does she mean by a "module", or is it just general wording?
APEX provides several different ways to authenticate users. One approach is to use the "Application Express" authentication scheme and just to create APEX users. Another approach is to use the "Database Account" authentication scheme and to create Oracle users. A third option is to create a custom authentication scheme and to implement your own user management functionality.
Application Express authentication tends to be the easiest to deploy for a small application but tends to get unwieldy over time. It's hard, for example, to give an application administrator the ability to create APEX accounts. You can't tie an APEX account into a single sign-on solution. It's not easy to integrate with the permission management systems that other applications use. If you're deploying an application in a large company, the last thing the security department needs is one more place where they need to create user accounts, manage privileges, de-activate accounts when someone leaves or changes roles, etc.
Database authentication tends to be more scalable than APEX authentication since Oracle database account provisioning is likely already part of your organization's authentication and authorization infrastructure. On the other hand, that still means that you're creating an Oracle database user for every user you want to create in your application which probably involves a call to a DBA (technically, you could create database users from your application, but most DBAs are going to be concerned about the security implications of that). If you intend to create an internet-facing application with tens of thousands of users, database accounts may get unwieldy.
I'd wager that the vast majority of medium to large-scale APEX applications use a custom authentication scheme. That may involve creating a USER table where you store the username & the hash of the password or a query against an LDAP/AD repository. That sort of approach provides the most flexibility since you can code whatever you'd like into the authentication system. You can hook into whatever custom authentication/single sign-on solution the organization happens to use. It probably makes creating new users from within the application much easier (obviously depending on how the authentication system is designed).
My assumption is that your manager is expecting that you'll be writing a custom authentication scheme for your APEX applications.
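Added example, not code from the answer or from APEX itself: the "USER table with a password hash" variant of a custom authentication scheme that the answer describes. The table, function and procedure names are hypothetical; DBMS_CRYPTO needs an EXECUTE grant from SYS, and HASH_SH256 exists from Oracle 12c onward (on 11g, which APEX 4.2 commonly ran on, HASH_SH1 is the strongest hash the package offers).

```sql
-- Added example (not from the answer). Custom APEX authentication backed by a
-- local user table storing per-user salted hashes. Names are hypothetical.
CREATE TABLE app_users (
  username      VARCHAR2(64) PRIMARY KEY,
  salt          RAW(16)      NOT NULL,
  password_hash RAW(32)      NOT NULL,
  is_active     CHAR(1) DEFAULT 'Y' NOT NULL CHECK (is_active IN ('Y', 'N'))
);

-- hash = SHA-256(salt || UTF-8(password)); only this is stored, never the password.
-- Requires: GRANT EXECUTE ON sys.dbms_crypto TO <owner>;  (assumed granted)
CREATE OR REPLACE FUNCTION app_hash_password(p_salt IN RAW, p_password IN VARCHAR2)
  RETURN RAW IS
BEGIN
  RETURN DBMS_CRYPTO.HASH(
           UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
           DBMS_CRYPTO.HASH_SH256);
END;
/

-- Provisioning: a fresh random salt per user, so equal passwords hash differently.
CREATE OR REPLACE PROCEDURE app_create_user(p_username IN VARCHAR2,
                                            p_password IN VARCHAR2) IS
  v_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  INSERT INTO app_users (username, salt, password_hash)
  VALUES (UPPER(p_username), v_salt, app_hash_password(v_salt, p_password));
END;
/

-- The function APEX calls: register it as the scheme's "Authentication
-- Function Name". APEX passes the login page's username and password.
CREATE OR REPLACE FUNCTION app_authenticate(p_username IN VARCHAR2,
                                            p_password IN VARCHAR2)
  RETURN BOOLEAN IS
  v_salt RAW(16);
  v_hash RAW(32);
BEGIN
  SELECT salt, password_hash INTO v_salt, v_hash
    FROM app_users
   WHERE username = UPPER(p_username) AND is_active = 'Y';
  RETURN app_hash_password(v_salt, p_password) = v_hash;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;   -- unknown or disabled user: same answer as a wrong password
END;
/

-- Usage (constructed): BEGIN app_create_user('alice', 'correct horse'); END;
-- then app_authenticate('alice', 'correct horse') is TRUE and
-- app_authenticate('alice', 'wrong') is FALSE.
```

Two design points: returning FALSE for both "no such user" and "wrong password" keeps the login page from confirming which usernames exist, and a single SHA-256 is a floor, not a target. DBMS_CRYPTO has no PBKDF2 or bcrypt, so for an internet-facing application either iterate the hash many thousands of times inside app_hash_password or verify passwords in an external service with a slow KDF, and never let p_password reach a log or debug output.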

How to securely store database credentials for Windows application?

I have a python application designed to run as a service on Linux, and I've been asked to install it on a Windows XP box in an office where there are no Linux machines (for me, this makes it a bizarre and confusing place as I have virtually no experience developing for Windows).
On Linux the application has its own user, and the application and database credential file reside in an encrypted folder accessible only by that user. (I'd like to state that I am not a cryptologist, and that if there are already glaring security errors in this set up I'm very happy to have them pointed out to me!)
How can I achieve an equivalent level of security by similar or different means on a Windows XP machine? That is to say, how can I prevent those who have access to the computer or the disk altering the program or reading the credentials?
A little background: the host windows box is a workstation used every day by users with non-administrative privileges. The secure assets are personal data roughly as sensitive as, for example, a school report. The application is intended to be used by about 10 people who authenticate to the application with individual passwords (stored salted and hashed in the database).
There is a very similar question that received the answer:
on Windows you would store the credentials in the registry in a location protected by an ACL
However, it doesn't touch on the aspect of protecting the program files, and further it seems to assume a higher level of Windows experience than I currently enjoy :) I have no idea how to protect registry items with an ACL, nor how I would then be able to access the protected keys from my program. Simple instructions for a developer in an unfamiliar environment would be greatly appreciated!
Your question is unclear about what your application does and what your security requirements are. I'm going to make some assumptions, and provide an answer based on them. If these assumptions are incorrect, please clarify in a comment and I'll update.
I'm assuming you have an application that:
stores sensitive data in a database stored in a DBMS installed on the workstation
is installed on a shared workstation
each user has their own login (non-admin)
allows different users to log on and interact with their data
user runs application which connects to a service
service connects with database, delivers data to users
service runs under its own user account
If this is correct, then you shouldn't have much issue.
The service can run under any account, but it would be easy enough to have it run under one of the standards (Local Machine or Network Service). Configure the database so that only this account can access it. In Sql Server, I'd only grant that user account (and admins on the box) login and access rights to the database.
This is the only security you need, if the users aren't admins. Now, when the frontend connects to the service, the user can provide the username/password and the service can authenticate against salted and hashed passwords stored in the database. All this is secure as long as 1) each user has their own login 2) communications are secure (using named pipes or SSL) and 3) no viruses or keyloggers are running under an admin's credentials.
You can configure your service as to what account it runs under by running services.msc (or right-clicking on MyComputer and selecting Manage or clicking on Services under the Admin tools menu in Control Panel or probably in a number of different ways).
Bring up the list of services, right click on your app and hit Properties. From there, make it look like this:
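Added example, not from the answer: what "configure the database so that only this account can access it" looks like in SQL Server, which the answer uses as its illustration. It assumes the service runs as the built-in Network Service account on the same machine as the database; AppDb and svc_app are hypothetical names.

```sql
-- Added example (not from the answer). SQL Server: map the service's Windows
-- account to the database and give nothing else a way in. Names are hypothetical.
USE master;
-- A Windows login: there is no password for the service to store on disk
-- or for another workstation user to read; SQL Server trusts the logon token.
CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GO
USE AppDb;
-- Database user for that login, with only the data rights the service needs.
CREATE USER svc_app FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO svc_app;
-- Close the remaining path: the guest user must not be able to connect.
-- Interactive workstation users have no login at all unless one is created.
REVOKE CONNECT FROM guest;
GO
-- Verify from inside the service process; expected:
-- login_name = NT AUTHORITY\NETWORK SERVICE, db_user = svc_app
SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user;
```

With this in place the service's connection string carries no secret (for an ODBC-style driver, `Trusted_Connection=yes` instead of `UID=...;PWD=...`), which removes the credential file the question was trying to protect. Per-user application passwords stay in the database as salted hashes, exactly as the question already has them; the service account is the only thing that can read that table, and only from a process Windows started under that account.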

Legacy application with JDBC and JNDI REALM authentication

My application currently relies on JDBC realm authentication. Recent needs have forced us to think about having LDAP authentication as well. We are thinking about using Active Directory for both authentication as well as authorization (roles). As a standalone test, I was able to authenticate my application with AD. But here is the confusion I have going forward.
If the user chooses LDAP authentication when he logs in, I authenticate the user with AD, get the user's roles, and do I replicate (create a new) Windows user in my database? I have to have the user in the database, because many parts of the application are designed to retrieve the user from the database.
If the user chooses local login, I still should have a JDBCRealm somewhere that I should use to authenticate the user. Is it possible to have multiple realms in Tomcat? (I sort of know it is possible, but haven't seen much documentation around it)
Any thoughts, comments, suggestions would immensely help me
Thanks
K
If you can run your app on Tomcat 6, there is a realm called CombinedRealm that will let you do what you are trying to do: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm. It is possible to do what you want in older versions but it's a real pain. You basically will have to implement your own custom Realm. I've not yet used this new CombinedRealm, but if it works as advertised it will save you a lot of effort and pain. Trust me.

Can Oracle TDE protect data from the DBA?

Oracle experts,
A client of mine wants to deploy an application that has to hold credit card numbers in a database. The client is obviously concerned with security.
We are particularly concerned with one painful issue. How can we make sure that only authorized users with a 'business need to know' are allowed to access the data? How can we protect the data from the DBA?
One obvious solution is to encrypt at the application level. We don't want to do that.
An Oracle product that came up as a possible solution is Oracle TDE (Transparent Data Encryption). It seems to cover the on-disk encryption case well. However, there have been conflicting claims about whether it can be used to hide data from someone with DBA privileges.
I want to be very specific about the use case we're dealing with. We have an up and running application, 24/7/365, that is doing data access constantly. That means that the Oracle wallet is open and data is being decrypted by the database. AT THE SAME TIME a DBA should still be unable to access the data.
I know that Oracle is marketing Oracle Database Vault for this very issue. Given that all I want to do is block DBA access from just one particular table, do I really need the Vault or can I use TDE?
Assistance would be much appreciated,
Or
My guess is that you need Oracle Vault. TDE makes it impossible to read the datafiles but a simple select will still retrieve the data unencrypted.
But ask the dudes or dudettes who made the claim that TDE is sufficient, to explain how to do it without Oracle Vault.
Edit: Two threads on this issue:
http://forums.oracle.com/forums/thread.jspa?messageID=3249532&#3249532
http://forums.oracle.com/forums/thread.jspa?messageID=3261345&#3261345
"there have been conflicting claims about whether it can be used to hide data from someone with DBA privileges."
Probably because there can be conflicting ideas about what constitutes DBA privileges. There is a DBA database role, a SYSDBA privilege and someone who can log in as oracle (or Administrator) to the server at the operating system level, each with higher privileges.
Privileges can be revoked from the DBA role, so that is even more vague.
VPD can ensure that, for example, the credit-card column is only visible to users logged in from a specific IP (eg the application server), as a certain user or with a certain role.
While a user with DBA role would be able to change the VPD privileges, or grant themselves the appropriate role or impersonate the relevant user, this would show up in the audit log.
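Added example, not from the answer: a VPD column-masking policy of the kind the answer describes, which returns NULL for the card-number column unless the session is the application account connecting from the application server's address, plus the audit settings that make the bypass routes the answer mentions visible. Schema, table and account names and the IP address are hypothetical. What it covers and what it does not: a SYSDBA connection, or any account holding EXEMPT ACCESS POLICY, bypasses VPD entirely, and IP_ADDRESS is whatever the network reports, so this restrains ordinary DBA-role users; it is not a defence against the server's administrator, which is the gap Database Vault is sold for.

```sql
-- Added example (not from the answer). Column-masking VPD: every session sees
-- the rows, only the application session sees CARD_NUMBER. Names/IP hypothetical.
CREATE TABLE pay.cards (
  card_id     NUMBER PRIMARY KEY,
  holder      VARCHAR2(80),
  card_number VARCHAR2(19)
);
INSERT INTO pay.cards VALUES (1, 'A. Holder', '4111111111111111');  -- constructed test row
COMMIT;

-- Policy function owned by a security schema (SEC) that DBAs do not work in.
-- The returned predicate is ANDed into every SELECT on the table; with
-- ALL_ROWS masking (below) rows failing it are still returned, but with the
-- relevant column as NULL.
CREATE OR REPLACE FUNCTION sec.cc_mask_policy(p_schema IN VARCHAR2,
                                              p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'PAYAPP'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.5.20' THEN
    RETURN '1=1';   -- application server session: column visible
  END IF;
  RETURN '1=0';     -- everyone else, DBA role included: column is NULL
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PAY',
    object_name           => 'CARDS',
    policy_name           => 'CC_MASK',
    function_schema       => 'SEC',
    policy_function       => 'CC_MASK_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'CARD_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- The answer's point about the audit log: record the ways around the policy.
AUDIT EXEMPT ACCESS POLICY BY ACCESS;                 -- use of the VPD bypass privilege
AUDIT EXECUTE ON sys.dbms_rls BY ACCESS;              -- dropping/disabling policies
AUDIT CREATE ANY PROCEDURE, DROP ANY PROCEDURE BY ACCESS;  -- replacing the predicate function

-- Check: as PAYAPP from 10.0.5.20 the number is returned; for a DBA-role user
-- running the same statement CARD_NUMBER is NULL and card_id/holder still show.
SELECT card_id, holder, card_number FROM pay.cards WHERE card_id = 1;
```

Pair the policy with TDE rather than instead of it: VPD decides what a database session gets back, TDE decides what someone reading the datafiles or backups gets, and neither does the other's job. Keeping SEC's password out of the DBA team's hands matters, since whoever can replace cc_mask_policy controls the predicate; the audit options above are what turn that from a silent change into a recorded one.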
I came across a similar problem with one of our customers. During the evaluation process I found a possible solution from a German security company. It seems they have developed a system that should prevent the DBA from accessing any sensitive data. Take a look at their website. I didn't take a deeper look yet, so I cannot give you further information about this solution.
There are certain alternative companies with DB encryption and access control solutions that implement a strict separation of duties between DBA and Security Admin.
You may want to take a look into D'Amo from a Korean company, Penta Security Systems.
Disclaimer: I have worked as a DB consultant and deployed the solution to many of my customers.
