Skip Headers

Oracle Internet Directory Administrator's Guide
Release 9.0.2

Part Number A95192-01
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Go to previous page Go to next page

31
Security in the Oracle Directory Integration Platform

This chapter discusses the most important aspects of security in the Oracle Directory Integration platform. It contains these sections:

Authentication

Authentication is the process by which the Oracle directory server establishes the true identity of the user connecting to the directory. It occurs when an LDAP session is established by means of the ldapbind operation.

It is important that each component in the Oracle Directory Integration platform be properly authenticated before it is allowed access to the directory.

Secure Sockets Layer (SSL) and the Oracle Directory Integration Platform

You can deploy the Oracle Directory Integration platform either with or without Secure Socket Layer (SSL). SSL implementation supports these modes:

To use SSL with the Oracle Directory Integration platform, you must start both the Oracle directory server and the Oracle directory integration server in the SSL mode.

See Also:

Chapter 3, "Preliminary Tasks and Information" for instructions on starting the Oracle directory server in SSL mode

Oracle Directory Integration Server Authentication

You can install and run multiple instances of the directory integration server on various hosts. When you do this, beware of a malicious user either posing as the directory integration server or using an unauthorized copy of it.

To avoid such security issues:

Non-SSL Authentication

To use non-SSL authentication, register each directory integration server by using the registration tool called odisrvreg.

The registration tool creates:

When it binds to the directory, the directory integration server uses the encrypted password in the private wallet.


Note:

Ensure that the wallet is protected against unauthorized access.


See Also:

"Registering the Oracle Directory Integration Server" for instructions about registering the directory integration server

Authentication in SSL Mode

The identity of the directory server can be established by starting both Oracle Internet Directory and the directory integration server in the SSL server authentication mode. The directory server provides its certificate to the directory integration server, which acts the client of Oracle Internet Directory.

The directory integration server is authenticated by using the same mechanism used in the non-SSL mode.

Profile Authentication

Within Oracle Internet Directory, an integration profile represent a user with its own DN and password. This information is stored in the integration profile of the agent. To protect the profile from unauthorized access, establish appropriate access control policies for it in the directory such that only an integration platform administrator or a user designated by the Oracle Internet Directory administrator can create the integration profiles.

When the directory integration server imports data to OID based on an integration profile, it binds to the directory as that integration profile and uses the profile name and password for binding. The Oracle Directory Integration platform uses this mechanism to authenticate agents in both the SSL and non-SSL mode.

Access Control and Authorization

Authorization is the process of ensuring that a user reads or updates only the information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user-- identified by the authorization identifier associated with the session--has the requisite permissions to perform those operations. Otherwise, the operation is disallowed. Through this mechanism, the directory server protects directory data from unauthorized operations by directory users. This mechanism is called access control.

To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration server and the agents, place appropriate access policies in the directory. The following section discusses these policies in detail.

Access Controls for the Oracle Directory Integration Server

The directory integration server binds to the directory both as itself and on behalf of the agent.

To establish and manage access rights granted to directory integration servers, the Oracle Directory Integration platform creates a group entry, called odisgroup, during installation. When a directory integration server is registered, it becomes a member of this group.

You control the access rights granted to directory integration servers by placing access control policies in the odisgroup entry. The default policy grants various rights to directory integration servers for accessing the profiles. For example, the default policy enables the directory integration server to compare user passwords for authenticating agents when it binds on their behalf. It also enables directory integration servers to modify status information in the profile--such as the last successful execution time and the synchronization status.

Access Controls for Agents

To control access to Oracle Internet Directory data by integration profiles, place appropriate access control policies in Oracle Internet Directory. This enables you to protect data synchronized or processed by one agent from interference by other agents. It also enables you to allow only the integration profile that owns synchronization of an attribute to modify that attribute.

See Also:

For example, creating a group entry called odipgroup when installing the Oracle Internet Directory enables controlling the access rights granted to various agents. Rights are controlled by placing appropriate access policies in the odipgroup entry. Each agent is a member of this group. The membership is established when the agent is registered in the system. The default access policy, automatically installed with the product, grants to agents certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the parameter named orclodipConDirLastAppliedChgTime. The default access policy also permits agents to access Oracle Internet Directory change logs, to which access is otherwise restricted.

The odisgroup group entries and their default policies are created during the server installation of the Oracle Internet Directory. Client-only installations do not create these groups and policies.

Data Integrity

The Oracle Directory Integration platform ensures that data has not been modified, deleted, or replayed during transmission by using SSL. This SSL feature generates a cryptographically secure message digest--through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA) --and includes it with each packet sent across the network.

Data Privacy

The Oracle Directory Integration platform ensures that data is not disclosed during transmission by using public-key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.

To exchange data securely between the directory integration server and Oracle Internet Directory, you run both components in the SSL mode.

Tools Security

You can run all the commonly used tools in the SSL mode to transmit data to Oracle Internet Directory securely. These tools include:


Go to previous page Go to next page
Oracle
Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index