Configuring Enterprise User Security for SSL Authentication

The configuration steps in this section assume the following:

  • You have obtained the appropriate PKI credentials and used Oracle Wallet Manager to create wallets for the directories, databases, and clients that you want to include in your Enterprise User Security implementation.

  • You have confirmed that each enterprise user entry in Oracle Internet Directory is provisioned with a unique PKI credential. However, in this release an enterprise user can have different DNs in his or her PKI certificate and Oracle Internet Directory entry. Also in this release, the database entry can have different DNs in its PKI certificate and Oracle Internet Directory entry.

    You must provision user certificates in their respective Oracle Internet Directory user entries in order to support using different DNs in the certificate and the directory. A user certificate is provisioned into the usercertificate attribute of the user entry. If you prefer not to provision the certificates, then you must make sure that the subject DNs in the certificates match the user DNs in the directory.

    Oracle Internet Directory 10g Release 2 (10.1.2) includes certificate matching rules to support the new functionality of being able to use different DNs in the certificate and the directory. The orclpkimatchingrule attribute in Oracle Internet Directory determines the type of match that is used.

    The default value of orclpkimatchingrule is 2. This enables you to support both provisioned and non-provisioned user entries. The database finds out a user's Oracle Internet Directory DN based on a search for the user's certificate provisioned in the directory. If the certificate search fails, then the database reverts to using an exact match between the user's certificate DN and his or her Oracle Internet Directory DN.

    If all users have certificates provisioned in Oracle Internet Directory, then you can set the orclpkimatchingrule to 1. This instructs Oracle Internet Directory to always conduct a certificate search. For instance, if your certificate authority does not support two common names in certificate DNs but the directory DNs are using two common names, then you would need to provision all user certificates into the directory. You can then set the orclpkimatchingrule to 1.

    If you do not want to support the functionality of using different DNs in the PKI certificate and Oracle Internet Directory, then you can set the orclpkimatchingrule value to 0. You use this setting if all certificate DNs match directory DNs and you do not wish to provision the certificates.

    You can also create your own mapping rules to map certificate DNs to directory DNs in Oracle Internet Directory 10g Release 2 (10.1.2.0.2). To use mapping rules, orclpkimatchingrule is set to 3 or 4.

    When you want to use the mapping rule for all users, set orclpkimatchingrule to 3. If you also need to support certificate-based search and exact match, then set orclpkimatchingrule to 4.

    Table 4-3 describes the values of the orclpkimatchingrule attribute.


    Table 4-3 Oracle Internet Directory Matching Rules

    Value                            Rule
    orclpkimatchingrule=0            Exact match. The bind is based on the subject DN of the client certificate. This DN is compared with the DN of the user in the directory.
    orclpkimatchingrule=1            Certificate hash. The bind is based on the hashed value of the certificate.
    orclpkimatchingrule=2 (default)  Certificate hash/exact match. The bind is based on the hashed value of the certificate. If this operation fails, then a bind based on the subject DN of the client certificate is performed.
    orclpkimatchingrule=3            Mapping rule only.
    orclpkimatchingrule=4            Mapping rule/certificate hash/exact match. The bind is based on the mapping rule. If this operation fails, then a bind based on the hashed value of the certificate is performed. If this operation fails, then a bind based on an exact match of the certificate is performed.


    Note:

    A certificate search will fail if there is no user entry under the realm's user search base with that certificate, or if you are using an older version of Oracle Internet Directory that does not support the certificate search functionality. If the certificate search fails, then the database will revert to the old behavior of matching the user DN with the certificate DN for a successful connection.

  • You have enabled SSL for your client-database Oracle Net connections as described in "Enabling SSL" in the Oracle Database Security Guide. Ensure that you included the following steps when you enabled SSL:

    • Enabled SSL for your database listener on TCPS and provided a corresponding TNS name

    • Stored your database PKI credentials in the database wallet that Database Configuration Assistant automatically created during database registration

  • You have configured an SSL instance with two-way authentication for Oracle Internet Directory as described in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

  • You have prepared your directory by completing the tasks described in "Preparing the Directory for Enterprise User Security (Phase One)".

  • You have configured your Enterprise User Security objects in the database and the directory by completing the tasks described in "Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two)".
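The fallback chains in Table 4-3, as an added worked example (not Oracle's code): a small Python model of how the database resolves a user's directory DN for each orclpkimatchingrule value. The directory contents, the certificate bytes and the mapping rule itself are constructed assumptions; the real mapping rule syntax is not shown on this page.

```python
import hashlib
from typing import Optional

# Constructed stand-in for the realm's user search base in Oracle Internet
# Directory: directory DN -> usercertificate value (None = not provisioned).
USER_SEARCH_BASE = "cn=users,dc=example,dc=com"
CERT_ALICE = b"placeholder DER bytes for alice"  # not a real certificate
DIRECTORY = {
    "cn=alice," + USER_SEARCH_BASE: CERT_ALICE,  # provisioned; cert DN differs
    "cn=bob," + USER_SEARCH_BASE: None,          # not provisioned; cert DN equal
    "cn=carol," + USER_SEARCH_BASE: None,        # not provisioned; needs mapping
}

def certificate_search(subject_dn: str, cert: bytes) -> Optional[str]:
    """Certificate hash step: find the entry whose provisioned certificate
    hashes to the same value as the certificate the client presented."""
    wanted = hashlib.sha1(cert).hexdigest()
    for dn, stored in DIRECTORY.items():
        if stored is not None and hashlib.sha1(stored).hexdigest() == wanted:
            return dn
    return None

def exact_match(subject_dn: str, cert: bytes) -> Optional[str]:
    """Exact match step: the certificate subject DN must equal a directory DN
    (compared case- and whitespace-insensitively)."""
    wanted = subject_dn.lower().replace(" ", "")
    return next((dn for dn in DIRECTORY if dn.lower().replace(" ", "") == wanted), None)

def mapping_rule(subject_dn: str, cert: bytes) -> Optional[str]:
    """Mapping rule step. The page does not show the rule syntax; this assumed
    rule relocates the certificate's CN under the user search base."""
    cn = next((p.strip() for p in subject_dn.split(",") if p.strip().lower().startswith("cn=")), None)
    return exact_match(f"{cn},{USER_SEARCH_BASE}", cert) if cn else None

# Fallback chains from Table 4-3, keyed by orclpkimatchingrule value.
CHAINS = {
    0: [exact_match],
    1: [certificate_search],
    2: [certificate_search, exact_match],
    3: [mapping_rule],
    4: [mapping_rule, certificate_search, exact_match],
}

def resolve_user_dn(rule: int, subject_dn: str, cert: bytes) -> Optional[str]:
    """Directory DN the database binds as, or None if every step in the chain fails."""
    for step in CHAINS[rule]:
        found = step(subject_dn, cert)
        if found is not None:
            return found
    return None
```

Running the chains against the three constructed users shows why rule 0 rejects a provisioned user whose certificate DN differs from the directory DN, while rule 1 rejects an unprovisioned user even when the DNs are identical.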

To configure Enterprise User Security for SSL authentication, perform the following tasks:

Task 1: Enable the Enterprise Domain to Accept SSL Authentication

By default, OracleDefaultDomain is configured to accept all types of authentication. If this has been changed or if you are using another domain, then use Oracle Enterprise Manager to enable SSL authentication for your enterprise domain by performing the following steps:

  1. Log in to Enterprise Manager Cloud Control as an administrative user.

  2. To navigate to your database, select Databases from the Targets menu.

  3. Click the database name in the list that appears. The database page appears.

  4. Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.

  5. Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.

    The Enterprise User Security page appears.

  6. Click Manage Enterprise Domains.

    The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.

  7. Select OracleDefaultDomain. Click Configure.

    The Configure Domain page appears.

  8. Click the Configuration tab.

  9. Under User Authentication Types Accepted, select SSL.

  10. Click OK.

Task 2: Set the LDAP_DIRECTORY_ACCESS Initialization Parameter to SSL

You can change this initialization parameter either by editing your database initialization parameter file or by issuing an ALTER SYSTEM SQL command with the SET clause.

For example, the following ALTER SYSTEM command changes the LDAP_DIRECTORY_ACCESS parameter value to SSL in the server parameter file:

ALTER SYSTEM SET LDAP_DIRECTORY_ACCESS=SSL SCOPE=SPFILE;

Task 3: Connect as an SSL-Authenticated Enterprise User

Connecting as an SSL-authenticated enterprise user involves ensuring that you have the appropriate Oracle wallet features configured and that you do not have a wallet location specified in the client sqlnet.ora file. If the client sqlnet.ora file contains a wallet location, then multiple users and databases cannot share that file. Only the server sqlnet.ora file must have a value for the wallet location parameter.

See Also:

"Saving an Oracle Wallet to the System Default Directory Location" for the default location of a user's wallet when the authentication used between the user and the database is SSL

To connect as an SSL-authenticated enterprise user, perform the following steps:

  1. Use Oracle Wallet Manager to download a user wallet from the directory. See "Downloading an Oracle Wallet from an LDAP Directory".

  2. Use Oracle Wallet Manager to enable autologin for the user wallet. Enabling autologin generates a single sign-on (.sso) file and enables authentication to the SSL adapter. See "Using Auto Login for Oracle Wallets to Enable Access Without Human Intervention" for information about using the autologin feature of Oracle Wallet Manager.

  3. Set the TNS_ADMIN environment variable (to point to the client's sqlnet.ora file) for the client if the client Oracle home points to a server Oracle home. (Because a server must have a wallet location set in its sqlnet.ora file and a client cannot have a wallet location specified there, the server and client cannot share sqlnet.ora files.)

    If you have a separate client Oracle home, then you do not need to set the TNS_ADMIN environment variable.

  4. Launch SQL*Plus and enter the following at the command line:

    SQL> /@connect_identifier

    where connect_identifier is the Oracle Net service name you set up when you configured SSL for the database client.

    If your connection succeeds, then the system responds with Connected to:.... This is the confirmation message of a successful connect and setup. If an error message is displayed, then see "ORA-# Errors for SSL-Authenticated Enterprise Users".

    If you do connect successfully, then check that the appropriate global roles were retrieved from the directory, by entering the following at the SQL*Plus prompt:

    select * from session_roles;


    If the global roles were not retrieved from the directory, then see "NO-GLOBAL-ROLES Checklist".

You have completed SSL-authenticated Enterprise User Security configuration.

Note:

For security purposes, ensure that you disable auto login for the user wallet after logging out from the enterprise user session with the database. This is especially important if the client computer is shared by more than one user. See "Disabling Auto Login for Oracle Wallets" for information about using Oracle Wallet Manager to disable auto login for an Oracle wallet.