Thursday, December 15, 2016

Centrify and Oracle Demystified

Background
The article below, is a modified repost of a very popular response from the Centrify community.  We are often asked by prospects or customers how Centrify fits with Oracle.  Oracle means a lot of things to different people, I think this article does a good job at clarifying it.


I have ORACLE {x.y.z} and I want to know how Centrify can help

"Oracle" means a lot of things to different people because of the large portfolio of products:
  • Oracle Solaris - supported OS for the Centrify Standard, Enterprise and Express versions
  • Oracle Linux - supported OS for Centrify Standard, Enterprise and Express versions
  • Oracle WebLogic - Centrify provides a Java SSO Plugin that provides SPNEGO leveraging adclient
  • Oracle Database - Centrify provides the ability to use externally identified users (in AD via adclient with PAM or Kerberos)
  • Oracle Database - Centrify provides shared account password management for Oracle database acounts
  • Oracle e-Business Suite - Centrify provides provide SAML SSO integration with Identity Service

Let's run through these, (big caveat, I am not an Oracle expert - everything I'll explain will be from an Identity, Access Control and Security context)

Customers and prospects come to us because they have these kinds of challenges and requirements:

a) OS-level:  They want to increase accountability and provide Oracle DBAs with Access and Privilege Management rules:
Given that identity is Centralized in AD, our customers can group systems Oracle Database systems in a zone, child zone or computer role and assign roles like this one:

The management of these assignments is made easy with AD group management, this means that Oracle DBAs will be only able to sign-in via SSH, run the commands outlined (not more) and they'll be able to do so without impacting their productivity.


Users sign-in with SSO or via password and can perform their jobs like here.
[lisa.simpson@engcen7 ~]$ dzdo -l
AD Password:
User lisa.simpson may run the following commands on this host:
    (root) service oracle-xe*
    (oracle) sqlplus *
    (root) su oracle
    (root) su - oracle
    (root) adflush
[lisa.simpson@engcen7 ~]$ dzdo su - oracle
Last login: Thu Aug 20 10:50:03 PDT 2015
-bash-4.2$ exit
logout
[lisa.simpson@engcen7 ~]$ dzdo service oracle-xe restart
Restarting oracle-xe (via systemctl):                      [  OK  ]
[lisa.simpson@engcen7 ~]$ dzdo vi /etc/passwd
Sorry, user lisa.simpson is not allowed to execute '/usr/bin/vi /etc/passwd' as root on engcen7.centrify.vms.

With no need to deal with knowing PASSWORDS.

They can get also multi-factor authentication, session capture and replay of what a person does in a system, as well as Server and Domain Isolation using IPSEC.

b) They want to Centralize the administration and provide authentication services to Oracle tools and applications: 
First, it's good to know that Oracle supports two types of users(*).
  • Users identified within Oracle  (they are stored and authenticated within the Oracle database) and
  • Externally identified users (these are OS-authenticated users)
(*) I know, this is simplistic.  They offer way much more than that.

The role of Centrify in UNIX OS Authentiation
Centrify offers identity services, authentication and authorization using Active Directory.  We use UNIX frameworks like  Pluggable Authentication Modules (PAM) and Name Server Switch (NSS).  We also enable Kerberos in an over simplistic way, and maintain the system keytab, krb5.conf file based on the dynamically changing AD environment.  Most importantly, we make sure that it will work well with Microsoft Active Directory and Microsoft's Kerberos extensions (MS-KILE)

Oracle natively supports OS Authentication for externally identified users (in the case of modern UNIX/Linux == PAM or SSO via Kerberos).

Example # 2, logging in to Oracle tools
a) for an internal user:

$ sqlplus
SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 9 10:02:25 2014
Copyright (c) 1982, 2011, Oracle.  All rights reserved.

Enter user-name: sysdba
Enter password:

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 9 10:03:01 2014
Copyright (c) 1982, 2011, Oracle.  All rights reserved.

b) for an externally identified user (this can be a centrified ad user, a local user, ldap or even NIS user):

$ sqlplus /nolog
SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 9 10:08:42 2014

Copyright (c) 1982, 2011, Oracle.  All rights reserved.

SQL>
In this sequence, Oracle leverages the OS authentication and since I had a session with a valid user, then I effectively I'm not prompted.

c) They may have Apps that use Oracle WebLogic and want to extend SSO
We provide a J2EE SSO Plugin for this.
Please select what type of J2EE server to configure:
[0] Tomcat.
[1] JBoss.
[2] WebLogic Server.
[3] WebSphere Application Server.
[4] Exit this configuration program.
This entry explains all about this:
http://community.centrify.com/t5/Get-Started-How-To-s/HOWTO-Install-configure-and-test-the-Centrify-Java-SSO-Module/ba-p/19185
This plugin for SPNEGO is slowly being phased for SAML support, given that the Java platforms support it.

HOWEVER..... what organizations are looking to do the most is this:

d) They want to provide AD users for SSO in their oracle database-based applications
 This is where the devil meets the details. Here are some of them:
  • Oracle costs:  Many organizations are hopeful that they can do SSO without investing in expensive oracle tools, but that's not the case.  Traditionally Oracle required the Advanced Security Option to even do Kerberos, they later stated that ASO was free, but then there was another component (Enterprise User Security) required.
  • Oracle guidance:  Oracle recommends internally identified users as their best practice.
  • Advent of Federation:  This will help a lot and we provide a "behind-kicking" solution with Centrify Identity Service
But the biggest of all devils is: how the application is designed. If the application is designed and has logic based on users in a table, this becomes a bit of a challenge.  Ideally developers should move to support Kerberos or Federated authentication, but unfortunately (and just like many infrastructure folks) they are in the business of creating complexity rather than eliminating it.

e) They want to manage shared credentials from Oracle Databases
Customers may want to manage the password lifecycle of
  • Request/Approve - we provide a built-in workflow engine or they can use ServiceNow
  • Check-out/Check-in - the process or retrieving or returning the password to the vault (can be time based)
  • Rotate/Update - password rotation based on policy or upon check-in automatically
  • Enforce Policy (e.g. MFA or others) and review history
for the passwords of shared accounts from Oracle Databases.

For that, with our Centrify Privilege Service, we provide shared account password management for SQL Server and Oracle Databases (plus more to come!)

Docs: https://docs.centrify.com/en/centrify/serverref/index.html?version=1481662594#page/cloudhelp%2Fsvr_mgr_oracle.html%23ww1119449
SAPM for Oracle is available for versions 11g and 12c

f) They have Oracle e-Business Suite and want quick, simple and robust SAML federation
Customers want more than what traditional federation solutions can provide, with Identity Service we provide:
  • More than 3,000 turnkey web or mobile apps
  • Self-service for applications, devices, password reset and OATH tokens
  • Built-in Policy and Multi-factor authentication (modern/traditional via RADIUS)
  • Multiple identity sources including AD, LDAP, Google Directory, Social Directory or Federation
  • Workflow and Approvals
  • Mobile device, application and configuration management
  • The ability to publish on-premise applications without the need of VPN access
and most importantly, you can get going in minutes/hours instead of days.

Onboarding EBS is a simple exercise.

Bottom-line:
  • Centrify will help you with your Oracle Linux and Solaris systems, integrate them to AD, provide privileged user management, session capture and replay, IPSec-based isolation and will do Shared Account Password Management for those platforms.  Will provide the best AD integration and enable Kerberos like plug-n-play.
  • The bullet above will help you with all Oracle "externally identified" users for tools and apps (via PAM or Kerberos).  Centrify Server Suite will not help you with users inside Oracle databases, for this you will need privilege Service and that's for shared passwords.
  • We also provide an SPNEGO plugin for SSO for Oracle WebLogic  (but ideally you'll use SAML moving forward)
  • When it relates to Oracle database based apps, the details are very important (cost, application, guidance and federation).
  • Shared Account Password management for Oracle 11g and 12c accounts, our Privilege Service can provide those capabilities.
  • If you have Oracle EBS, you can get all the benefits of Identity Service plus the ability to provide turnkey Federation/SSO

No comments:

Post a Comment