Enterprise User Security Administrator's Guide


Oracle Database Enterprise User Security Administrator's Guide, 21c, F31396-01, December 2020

Oracle Database Enterprise User Security Administrator's Guide, 21c

F31396-01

Copyright 2000, 2020, Oracle and/or its affiliates.

Primary Author: Apoorva Srinivas

Contributors: Rod Ward, Tanvir Ahmed, Chi Ching Chui, Santanu Datta, Janis Greenberg, Rishabh Gupta, Pat Huey, Min-Hank Ho, Yong Hu, Sudha Iyer, Sumit Jeloka, Supriya Kalyanasundaram, Srinidhi Kayoor, Lakshmi Kethana, Manoj Kamani, Van Le, Nina Lewis, Stella Li, Chao Liang, Gopal Mulagund, Sarma Namuduri, Janaki Narasinghanallur, Hozefa Palitanawala, Eric Paapanen, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Srividya Tata, Philip Thornton, Ramana Turlapati, Sudheesh Varma, Anand Verma, Peter Wahl, Alan Williams

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface
Intended Audience xxi
Documentation Accessibility xxi
Related Documents xxii
Conventions xxiii

1 Introducing Enterprise User Security
1.1 Changes in this Release for Release 21c 1-1
1.1.1 New Features 1-1
1.1.2 Deprecation and Desupported Features 1-1
1.2 Introduction to Enterprise User Security 1-2
1.2.1 The Challenges of User Management 1-2
1.2.2 Enterprise User Security: The Big Picture 1-2
1.2.2.1 How Oracle Internet Directory Implements Identity Management 1-4
1.2.2.2 Enterprise Users Compared to Database Users 1-5
1.2.2.3 About Enterprise User Schemas 1-7
1.2.2.4 How Enterprise Users Access Database Resources with Database Links 1-8
1.2.2.5 How Enterprise Users Are Authenticated 1-8
1.2.3 About Enterprise User Security Directory Entries 1-10
1.2.3.1 Enterprise Users 1-10
1.2.3.2 Enterprise Roles 1-11
1.2.3.3 Enterprise Domains 1-13
1.2.3.4 Database Server Entries 1-13
1.2.3.5 User-Schema Mappings 1-15
1.2.3.6 Administrative Groups 1-15
1.2.3.7 Password Policies 1-17
1.3 About Using Shared Schemas for Enterprise User Security 1-18
1.3.1 Overview of Shared Schemas Used in Enterprise User Security 1-19
1.3.2 How Shared Schemas Are Configured for Enterprise Users 1-19
1.3.3 How Enterprise Users Are Mapped to Schemas 1-20
1.4 Enterprise User Proxy 1-22

1.5 About Using Current User Database Links for Enterprise User Security 1-24
1.6 Enterprise User Security Deployment Considerations 1-25
1.6.1 Security Aspects of Centralizing Security Credentials 1-26
1.6.1.1 Security Benefits Associated with Centralized Security Credential Management 1-26
1.6.1.2 Security Risks Associated with Centralized Security Credential Management 1-26
1.6.2 Security of Password-Authenticated Enterprise User Database Login Information 1-26
1.6.2.1 What Is Meant by Trusted Databases 1-27
1.6.2.2 Protecting Database Password Verifiers 1-27
1.6.3 Considerations for Defining Database Membership in Enterprise Domains 1-28
1.6.4 Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security 1-28
1.6.4.1 Typical Configurations 1-29

2 Getting Started with Enterprise User Security
2.1 Configuring Your Database to Use the Directory 2-1
2.2 Registering Your Database with the Directory 2-4
2.3 Registering an Oracle RAC Database with the Directory 2-7
2.4 Creating a Shared Schema in the Database 2-8
2.5 Mapping Enterprise Users to the Shared Schema 2-8
2.6 Connecting to the Database as an Enterprise User 2-9
2.7 Using Enterprise Roles 2-9
2.8 Using Proxy Permissions 2-14
2.9 Using Pluggable Databases 2-18
2.9.1 Wallet Location for Pluggable Databases 2-19
2.9.2 Wallet Root for Pluggable Databases 2-19
2.9.3 Connecting to a Directory Service 2-20
2.9.3.1 Comparison of the dsi.ora and ldap.ora Files 2-20
2.9.3.2 About Using a dsi.ora File 2-20
2.9.3.3 Creating the dsi.ora File 2-22
2.9.3.4 About Using an ldap.ora File 2-22
2.9.3.5 Creating the ldap.ora File 2-23
2.9.4 Default Database DN Format 2-24
2.9.5 Plugging and Unplugging PDBs 2-24
2.9.6 Switching Containers 2-24

3 Configuration and Administration Tools Overview
3.1 Enterprise User Security Tools Overview 3-1

3.2 Oracle Internet Directory Self-Service Console 3-2
3.3 Oracle Net Configuration Assistant 3-2
3.3.1 Starting Oracle Net Configuration Assistant 3-3
3.4 Database Configuration Assistant 3-4
3.4.1 Starting Database Configuration Assistant 3-4
3.5 Oracle Wallet Manager 3-4
3.5.1 Starting Oracle Wallet Manager 3-5
3.5.2 The orapki Command-Line Utility 3-5
3.6 Oracle Enterprise Manager 3-5
3.7 User Migration Utility 3-6
3.8 Duties of an Enterprise User Security Administrator/DBA 3-7

4 Enterprise User Security Configuration Tasks and Troubleshooting
4.1 Enterprise User Security Configuration Overview 4-1
4.2 Enterprise User Security Configuration Roadmap 4-4
4.3 Preparing the Directory for Enterprise User Security (Phase One) 4-4
4.3.1 Configuring Directory Access for Enterprise Users 4-10
4.3.2 About the Database Wallet and Password 4-11
4.3.2.1 Sharing Wallets and sqlnet.ora Files Among Multiple Databases 4-12
4.4 Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two) 4-13
4.5 Configure Enterprise User Security for the Authentication Method You Require (Phase Three) 4-17
4.5.1 Configuring Enterprise User Security for Password Authentication 4-17
4.5.2 Configuring Enterprise User Security for Kerberos Authentication 4-19
4.5.3 Configuring Enterprise User Security for SSL Authentication 4-22
4.5.3.1 Viewing the Database DN in the Wallet and in the Directory 4-27
4.6 Enabling Current User Database Links 4-27
4.7 Troubleshooting Enterprise User Security 4-28
4.7.1 ORA-n Errors for Password-Authenticated Enterprise Users 4-28
4.7.2 ORA-n Errors for Kerberos-Authenticated Enterprise Users 4-31
4.7.3 ORA-n Errors for SSL-Authenticated Enterprise Users 4-33
4.7.4 NO-GLOBAL-ROLES Checklist 4-35
4.7.5 USER-SCHEMA ERROR Checklist 4-35
4.7.6 DOMAIN-READ-ERROR Checklist 4-36

5 Administering Enterprise User Security
5.1 Administering Identity Management Realms 5-1
5.1.1 Identity Management Realm Versions 5-2
5.1.2 Setting Properties of an Identity Management Realm 5-2

5.1.2.1 Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes 5-3
5.1.3 Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm 5-3
5.1.4 Managing Identity Management Realm Administrators 5-4
5.2 Administering Enterprise Users 5-5
5.2.1 Creating New Enterprise Users 5-6
5.2.2 Setting Enterprise User Passwords 5-6
5.2.3 Granting Enterprise Roles to Enterprise Users 5-7
5.2.4 Granting Proxy Permissions to Enterprise Users 5-8
5.2.5 Creating User-Schema Mappings for Enterprise Users 5-9
5.2.6 Creating Label Authorizations for Enterprise Users 5-10
5.3 Configuring User-Defined Enterprise Groups 5-10
5.3.1 Granting Enterprise Roles to User-Defined Enterprise Groups 5-11
5.4 Configuring Databases for Enterprise User Security 5-11
5.4.1 Creating User-Schema Mappings for a Database 5-12
5.4.2 Adding Administrators to Manage Database Schema Mappings 5-12
5.5 Administering Enterprise Domains 5-13
5.5.1 Creating an Enterprise Domain 5-14
5.5.2 Adding Databases to an Enterprise Domain 5-14
5.5.3 Creating User-Schema Mappings for an Enterprise Domain 5-15
5.5.4 Configuring Enterprise Roles 5-16
5.5.5 Configuring Proxy Permissions 5-18
5.5.6 Configuring User Authentication Types and Enabling Current User Database Links 5-19
5.5.7 Configuring Domain Administrators 5-20

6 Using Oracle Wallet Manager
6.1 About Oracle Wallet Manager 6-1
6.1.1 What Is Oracle Wallet Manager? 6-2
6.1.2 Wallet Password Management 6-2
6.1.3 Strong Wallet Encryption 6-2
6.1.4 Microsoft Windows Registry Wallet Storage 6-2
6.1.5 ACL Settings Needed for Wallet Files Created Using Wallet Manager 6-3
6.1.6 Backward Compatibility 6-3
6.1.7 Public-Key Cryptography Standards (PKCS) Support 6-4
6.1.8 Multiple Certificate Support 6-4
6.1.9 LDAP Directory Support 6-6
6.2 Starting Oracle Wallet Manager 6-7
6.3 General Process for Creating an Oracle Wallet 6-7

6.4 Managing Oracle Wallets 6-8
6.4.1 Required Guidelines for Creating Oracle Wallet Passwords 6-8
6.4.2 Creating a New Oracle Wallet 6-9
6.4.2.1 Creating a Standard Oracle Wallet 6-9
6.4.2.2 Creating an Oracle Wallet to Store Hardware Security Module Credentials 6-10
6.4.3 Opening an Existing Oracle Wallet 6-11
6.4.4 Closing an Oracle Wallet 6-12
6.4.5 Exporting an Oracle Wallet to a Third-Party Environment 6-12
6.4.6 Exporting an Oracle Wallet to a Tool That Does Not Support PKCS #12 6-13
6.4.7 Uploading an Oracle Wallet to an LDAP Directory 6-14
6.4.8 Downloading an Oracle Wallet from an LDAP Directory 6-15
6.4.9 Saving Changes to an Oracle Wallet 6-16
6.4.10 Saving the Open Wallet to a New Location 6-16
6.4.11 Saving an Oracle Wallet to the System Default Directory Location 6-17
6.4.12 Deleting an Oracle Wallet 6-17
6.4.13 Changing the Oracle Wallet Password 6-18
6.4.14 Using Auto Login for Oracle Wallets to Enable Access Without Human Intervention 6-19
6.4.14.1 About Using Auto Login for Oracle Wallets 6-19
6.4.14.2 Enabling Auto Login for Oracle Wallets 6-19
6.4.14.3 Disabling Auto Login for Oracle Wallets 6-20
6.5 Managing Certificates for Oracle Wallets 6-20
6.5.1 About Managing Certificates for Oracle Wallets 6-20
6.5.2 Managing User Certificates for Oracle Wallets 6-21
6.5.2.1 About Managing User Certificates 6-21
6.5.2.2 Adding a Certificate Request 6-21
6.5.2.3 Importing the User Certificate into an Oracle Wallet 6-23
6.5.2.4 Importing Certificates and Wallets Created by Third Parties 6-25
6.5.2.5 Removing a User Certificate from an Oracle Wallet 6-26
6.5.2.6 Removing a Certificate Request 6-27
6.5.2.7 Exporting a User Certificate 6-27
6.5.2.8 Exporting a User Certificate Request 6-28
6.5.3 Managing Trusted Certificates for Oracle Wallets 6-29
6.5.3.1 Importing a Trusted Certificate 6-29
6.5.3.2 Removing a Trusted Certificate 6-30
6.5.3.3 Exporting a Trusted Certificate to Another File System Location 6-31
6.5.3.4 Exporting All Trusted Certificates to Another File System Location 6-31

7 Enterprise User Security Manager (EUSM) Command Reference
7.1 About Using a Secure External Password Store 7-2
7.2 About SSL Port Connectivity through EUSM to OID 7-3
7.3 Enterprise User Security Manager (EUSM) Command
tTargetUsersInDB 7-68

A Using the User Migration Utility
A.1 Benefits of Migrating Local or External Users to Enterprise Users A-1
A.2 Introduction to the User Migration Utility A-2
A.2.1 Bulk User Migration Process Overview A-2
A.2.1.1 Step 0: About Using a Secure External Password Store A-3
A.2.1.2 Step 1: (Phase One) Preparing for the Migration A-4
A.2.1.3 Step 2: Verify User Information A-5
A.2.1.4 Step 3: (Phase Two) Completing the Migration A-5
A.2.2 About the ORCL_GLOBAL_USR_MIGRATION_DATA Table A-5
A.2.2.1 Which Interface Table Column Values Can Be Modified Between Phase One and Phase Two? A-6
A.2.3 Migration Effects on Users' Old Database Schemas A-7
A.2.4 Migration Process A-8
A.3 Prerequisites for Performing Migration A-9
A.3.1 Required Database Privileges A-9
A.3.2 Required Directory Privileges A-9
A.3.3 Required Setup to Run the User Migration Utility A-9
A.4 User Migration Utility Command-Line Syntax A-10
A.5 Accessing Help for the User Migration Utility A-12
A.6 User Migration Utility Parameters A-12
A.6.1 Keyword: HELP A-12
A.6.2 Keyword: PHASE A-13

A.6.3 Keyword: DBLOCATION A-13
A.6.4 Keyword: DIRLOCATION A-13
A.6.5 Keyword: DBADMIN A-14
A.6.6 Keyword: ENTADMIN A-14
A.6.7 Keyword: USERS A-14
A.6.8 Keyword: USERSLIST A-15
A.6.9 Keyword: USERSFILE A-15
A.6.10 Keyword: KREALM A-15
A.6.11 Keyword: MAPSCHEMA A-16
A.6.12 Keyword: MAPTYPE A-16
A.6.13 Keyword: CASCADE A-17
A.6.14 Keyword: CONTEXT A-17
A.6.15 Keyword: LOGFILE A-18
A.6.16 Keyword: PARFILE A-18
A.6.17 Keyword: DBALIAS A-18
A.6.18 Keyword: ENTALIAS A-19
A.6.19 Keyword: WALLETLOCATION A-19
A.6.20 Keyword: KEYALIAS A-19
A.6.21 Keyword: KEYSTORE A-20
A.7 User Migration Utility Usage Examples A-20
A.7.1 Migrating Users While Retaining Their Own Schemas A-20
A.7.2 Migrating Users and Mapping to a Shared Schema A-21
A.7.2.1 Mapping Users to a Shared Schema Using Different CASCADE Options A-22
A.7.2.2 Mapping Users to a Shared Schema Using Different MAPTYPE Options A-24
A.7.3 Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters A-26
A.8 Troubleshooting Using the User Migration Utility A-27
A.8.1 Common User Migration Utility Error Messages A-27
A.8.1.1 Resolving Error Messages Displayed for Both Phases A-28
A.8.1.2 Resolving Error Messages Displayed for Phase One A-29
A.8.1.3 Resolving Error Messages Displayed for Phase Two A-32
A.8.2 Common User Migration Utility Log Messages A-32
A.8.2.1 Common Log Messages for Phase One A-32
A.8.2.2 Common Log Messages for Phase Two A-33
A.8.3 Summary of User Migration Utility Error and Log Messages A-34
A.8.4 Tracing for UMU A-35

B SSL External Users Conversion Script
B.1 Using the SSL External Users Conversion Script B-2

B.2 Converting Global Users into External Users B-4

C Integrating Enterprise User Security with Microsoft Active Directory
C.1 About Direct Integration with Microsoft Active Directory C-1
C.2 Set Up Synchronization Between Active Directory and Oracle Internet Directory C-2
C.3 Set Up Active Directory to Interoperate with Oracle Client C-2
C.4 Set Up Oracle Database to Interoperate with Microsoft Active Directory C-3
C.5 Set Up Oracle Database Client to Interoperate with Microsoft Active Directory C-3
C.6 Obtain an Initial Ticket for the Client C-3
C.7 Configure Enterprise User Security for Kerberos Authentication C-4

D Upgrading from Oracle9i to Oracle Database Release 18c Version 18.1
D.1 Upgrading Oracle Internet Directory from Release 9.2 to Release 9.0.4 D-1
D.2 Upgrading Oracle Database from Release 9.2.0.8 to Oracle Database Release 18c Version 18.1 D-2
D.3 Upgrading Oracle Database from Release 10g (10.1) and Higher to Oracle Database Release 18c Version 18.1 D-2

Glossary

Index

List of Examples
2-1 Creating a Shared Schema 2-8
2-2 Mapping Enterprise Users to the Shared Schema 2-8
2-3 Connecting to the Database as an Enterprise User 2-9
2-4 Using Enterprise Roles 2-10
2-5 Using Proxy Permissions 2-14
7-1 Creating a Domain in the Realm with SSL Port Connectivity to OID and Using Passwords Stored in the Oracle Wallet 7-8
7-2 Creating a Domain in the Realm with SSL Port Connectivity to OID 7-8
7-3 Creating a Domain in the Realm with non-SSL Port Connectivity to OID 7-9
7-4 Deleting a Domain from the Realm with SSL Port Connectivity to OID and Using Passwords Stored in the Oracle Wallet 7-10
7-5 Deleting a Domain from the Realm with SSL Port Connectivity to OID 7-10
7-6 Deleting a Domain from the Realm with non-SSL Port Connectivity to OID 7-10
7-7 Listing the Domains in the Realm with SSL Port Connectivity to OID and Using Passwords Stored in the Oracle Wallet 7-11
7-8 Listing the Domains in the Realm with SSL Port Connectivity to OID 7-11
7-9 Listing the Domains in the Realm with non-SSL Port Connectivity to OID 7-11
7-10 Listing the Domain Information with SSL Port Connectivity to OID and Using Passwords Stored in the Oracle Wallet 7-12
7-11 Listing the Domain Information with SSL Port Connectivity to OID 7-13
7-12 Listing the Domain Information with non-SSL Port Connectivity to OID 7-13
7-13 Adding a Domain Administrator with SSL Port Connectivity to OID and Using Passwords Stored in the Oracle Wallet 7-14
7-14 Adding a Domain Administrator with SSL Port Connectivity to OID 7-14
7-15 Adding a Domain Administrator with non-SSL Port Connectivity to OID 7-14
7-16 Removing a Domain Administrator with SSL Port Connectivity to
