Skip to Main Content
  • Questions

  • Help with trying to decide with authentication approach should be setup

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, John.

Asked: July 09, 2021 - 12:25 am UTC

Last updated: July 23, 2021 - 7:20 am UTC

Version: 19c

Viewed 1000+ times

You Asked

Please help me keep my sanity by pointing me in the right direction when deciding the authentication approach to use with Oracle 19c databases. This is a very confusing topic since it deals with a few areas that require experience with Microsoft Active Directory or other nonRDBMS software. Also, each one of them isn't simple to use and Oracle training didn't go into implementing each of these when I attended in early 2000.

This is driving me insane especially since I thought that database authentication was already secure enough.

Here are all of the Oracle authentication methods that I know exist:
- Oracle database authentication  ( create user identified by password )
- Operating System authentication ( create OPS$user identified externally ) 
- Kerberos / Radius (create user identified externally as 'kerberos_name' )
- certificate_DN  ( create user identified externally as 'certificat_DN' ) (is this SSL authentication?)
- Globally as 'directory_DN' ( create user identified GLOBALLY as 'directory_DN') ( Sigh ... this sounds so much like other authentication options.)


I'm not sure if these are authentication approaches, but I know they mingle with authentication and add to the confusion:
- Centrally Managed Users
- Enterprise User Security

Also, knowning when Microsoft Active Directory can be used is confusing. I think these require Microsoft Active Directory:
- Kerberos
- Centrally Managed Users
To muddy the water more, based on what I have seen, Kerberos can be used with Centrally Managed Users which is confusing since it seems like Kerberos with AD is enough.

Finally, I keep seeing that Oracle Internet Directory is needed in some cases. The only one that seems to need is "Enterprise User Security" which seems like if we have Microsoft Active Directory, we would use "Centrally Managed Users" setup.

I know i've mentioned a lot above. It would be nice if you can at a minimum tell me which one I should focus on to setup a secure authentication approach without going overboard. Which approach would recommend to use for the most secure authentication with the following in our infrastructure:

- Enterprise Edition Oracle 19c on Linux with April 2021 RU applied
- SQLNET.TCP.INVITED_NODES 
- FAILED_LOGIN_ATTEMPTS=3
- orc12c_verify_function
- We don't allow use of password file 
- Limit access through Oracle "grants"
- We have changed all default passwords
- We use profiles to expire passwords regularly
- Microsoft active directory which we aren't using.  
- We use CA signed SSL certificates with strong encryption algorithms with FIPS-140-2 configured between database server and clients so we could use "Authentication with Public Key Infrastructure".  
- Our databases are only accessed through the applications not by individual users


Why isn't the above good enough? The only thing we aren't using is Microsoft Active directory or SSL Client Authentication. I thought that having Oracle database authentication with a complex password with the use of CA signed certificates would be a secure authentication approach. Why would Oracle feel the need to add more authentication approaches and confuse most of us? With this approach, a client needs to know the password. A client needs to have been given the CA signed certificate in order to be allowed to connect to the database. A client is forced to use a complex password, is only given limited password attempts with FAILED_LOGIN_ATTEMPTS=3, Finally, we have TCP.INVITED_NODES setup so only those clients with IPs in that list are allowed to connect. Geezzz, why is more needed?

Thanks for your help,

John

and Connor said...

OK, a lot to unpack here :-)

A lot of this depends on your business requirements. In particular, most of the Kerberos/Global/AD solutions are driven by businesses wanting their users to have single signon, for both the sake of convenience but also consistent auditability of user actions across the enterprise. They are more "indirect" improvements to security, eg, if my OS audit says "Connor McDonald" logged on to his PC but the database says "CONNORMC" logged on, then we have work to tie those actions together etc.

The need for Oracle Internet Directory is largely historical because we didn't have any native directory access from within the database, except to our own product, so it was used as a bridge between the database and whatever non-Oracle solution (typically AD) that was in use in your org. That need was removed from 18c onwards.

Why isn't the above good enough?


I think its fine, but I dont work for your company :-) My person opinion is that as long as you have rigor around your rules, good auditing and no plaintext traffic you're doing fine. That's pretty much how our cloud databases are setup.

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Follow-up question to drive home which Oracle single sign-on approach should be used in 19c

John, July 15, 2021 - 10:32 am UTC

Thanks, Connor. Your input helped clarify things, a lot.

So what we have setup is a great security solution, but if we want to allow a single sign-on approach to the database, which approach would you recommend in 19c?

Based on what I have read in Oracle 19c documents for database authentication, Kerberos allows for single sign-on and it claims the following:

- "Least intrusive authentication mechanism for Active Directory integration"
- "ZERO changes to the Active Directory schema, no need for plugins installed in Active Directory"

Therefore, it seems like Kerberos is the easiest to setup that will allow for single sign-on. Then why in the world did Oracle have to come up with both of these AD based single sign-on authentication approaches:

"Enterprise User Security" and "Centrally Managed Users"!

As far as I know, Kerberos authentication option has been around since at least Oracle 8i.

Finally, is Kerberos "a trusted third-party authentication system" or is it part of the Oracle installation? I see that $ORACLE_HOME/bin has oklist, okinit, okdstry Kerberos binaries so it looks like Kerberos is part of the Oracle installation. In other words, do we need to purchase the "Kerberos software" and who is the vendor of it?
Connor McDonald
July 21, 2021 - 3:36 am UTC

Kerberos is open source, so not ours and no purchase needed. However, some security in Oracle *do* need to the Advanced Security Option.

In terms of multiple options, we cater to different requirements.

eg You already have a directory in place (typically AD) and you want to hook database auth into that, versus perhaps you have no user management solution and you want to use Oracle to be the entire user management/SSO solution.

Different requirements for different people.

A reader, July 21, 2021 - 4:32 pm UTC

Thank you, Connor. One more follow-up question:

In 19c, why would an organization choose Kerberos authentication over Centralized User Management?

Connor McDonald
July 23, 2021 - 7:20 am UTC

Ultimately it comes down to choice, but for example, maybe you've had your own Kerberos implementation extensively throughout your organisation ... and *now* you're adding Oracle into the mix.


more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database