Please help me keep my sanity by pointing me in the right direction when deciding the authentication approach to use with Oracle 19c databases. This is a very confusing topic since it deals with a few areas that require experience with Microsoft Active Directory or other non-RDBMS software. Also, each one of them isn't simple to use, and Oracle training didn't go into implementing each of these when I attended in early 2000.
This is driving me insane especially since I thought that database authentication was already secure enough.
Here are all of the Oracle authentication methods that I know exist:
- Oracle database authentication ( create user identified by password )
- Operating System authentication ( create OPS$user identified externally )
- Kerberos / Radius (create user identified externally as 'kerberos_name' )
- certificate_DN ( create user identified externally as 'certificate_DN' ) (is this SSL authentication?)
- Globally as 'directory_DN' ( create user identified GLOBALLY as 'directory_DN') ( Sigh ... this sounds so much like other authentication options.)
I'm not sure if these are authentication approaches, but I know they mingle with authentication and add to the confusion:
- Centrally Managed Users
- Enterprise User Security
Also, knowing when Microsoft Active Directory can be used is confusing. I think these require Microsoft Active Directory:
- Kerberos
- Centrally Managed Users
To muddy the water more, based on what I have seen, Kerberos can be used with Centrally Managed Users which is confusing since it seems like Kerberos with AD is enough.
Finally, I keep seeing that Oracle Internet Directory is needed in some cases. The only one that seems to need it is "Enterprise User Security", which seems like if we have Microsoft Active Directory, we would use the "Centrally Managed Users" setup.
I know I've mentioned a lot above. It would be nice if you can at a minimum tell me which one I should focus on to set up a secure authentication approach without going overboard. Which approach would you recommend for the most secure authentication with the following in our infrastructure:
- Enterprise Edition Oracle 19c on Linux with April 2021 RU applied
- SQLNET.TCP.INVITED_NODES
- FAILED_LOGIN_ATTEMPTS=3
- ora12c_verify_function
- We don't allow use of password file
- Limit access through Oracle "grants"
- We have changed all default passwords
- We use profiles to expire passwords regularly
- Microsoft Active Directory, which we aren't using.
- We use CA signed SSL certificates with strong encryption algorithms with FIPS-140-2 configured between database server and clients so we could use "Authentication with Public Key Infrastructure".
- Our databases are only accessed through the applications not by individual users
Why isn't the above good enough? The only thing we aren't using is Microsoft Active Directory or SSL client authentication. I thought that having Oracle database authentication with a complex password, with the use of CA signed certificates, would be a secure authentication approach. Why would Oracle feel the need to add more authentication approaches and confuse most of us? With this approach, a client needs to know the password. A client needs to have been given the CA signed certificate in order to be allowed to connect to the database. A client is forced to use a complex password and is only given limited password attempts with FAILED_LOGIN_ATTEMPTS=3. Finally, we have TCP.INVITED_NODES set up so only those clients with IPs in that list are allowed to connect. Geezzz, why is more needed?
Thanks for your help,
John
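An added example, not from the original post, that puts the CREATE USER form for each of the methods listed above side by side with the data-dictionary queries a DBA would run to check which authentication types and profile limits are actually in force on a 19c instance; all user names, DNs, realm and password values are constructed placeholders.

```sql
-- 1. Profile enforcing the lockout and complexity limits mentioned in the post.
--    ora12c_verify_function is installed by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
CREATE PROFILE app_secure LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1        -- days the account stays locked after 3 failures
  PASSWORD_LIFE_TIME       90
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- 2. One constructed account per authentication method from the post.
CREATE USER app_svc  IDENTIFIED BY "Ch4ng3-Me-N0w!" PROFILE app_secure;           -- database password
CREATE USER ops$batch IDENTIFIED EXTERNALLY;                                      -- OS user "batch" (os_authent_prefix = OPS$)
CREATE USER krb_app  IDENTIFIED EXTERNALLY AS 'krb_app@EXAMPLE.COM';              -- Kerberos principal
CREATE USER tls_app  IDENTIFIED EXTERNALLY AS 'CN=tls_app,OU=apps,O=Example,C=US'; -- client certificate DN (SSL auth)
CREATE USER dir_app  IDENTIFIED GLOBALLY   AS 'CN=dir_app,OU=apps,O=Example,C=US'; -- directory mapping (EUS / CMU)

-- 3. Inventory: which method does every non-Oracle account really use?
--    AUTHENTICATION_TYPE is PASSWORD, EXTERNAL (OS / Kerberos / RADIUS / TLS) or GLOBAL.
SELECT username, authentication_type, external_name, profile, account_status
  FROM dba_users
 WHERE oracle_maintained = 'N'
 ORDER BY authentication_type, username;

-- 4. Confirm the limits are applied per profile and not left at UNLIMITED / NULL.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_VERIFY_FUNCTION', 'PASSWORD_LIFE_TIME')
 ORDER BY profile, resource_name;

-- 5. Any account still carrying a known default password?
SELECT username FROM dba_users_with_defpwd;

-- 6. What live sessions actually negotiated: DATABASE / OS / NETWORK / PROXY,
--    plus the encryption and checksum banner, so the TLS/FIPS expectation can be checked.
SELECT s.username, c.authentication_type, c.osuser, c.network_service_banner
  FROM v$session s
  JOIN v$session_connect_info c ON c.sid = s.sid AND c.serial# = s.serial#
 WHERE s.type = 'USER';
```

Run the inventory queries (steps 3 to 6) as a DBA before and after any change of method; a user whose AUTHENTICATION_TYPE is still PASSWORD while the application was supposed to switch to a certificate or Kerberos principal is the usual sign that the migration did not take.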