Windows Oracle -Web - Copyright Oracle Corporation Japan, 2004. All rights reserved.
Agenda
  Oracle and Windows
  1. Active Directory / Enterprise User Security
     1-1 Windows
     1-2 Kerberos
     1-3 Enterprise User Security
  2. Web: OracleAS Single Sign-On / Active Directory
     2-1 Oracle Application Server 10g
     2-2 Oracle Identity Management / Single Sign-On
     2-3 Oracle Internet Directory and Active Directory

[Figure: timeline of Oracle Database releases on Windows, from Oracle7 Server R7.0 on Windows NT 3.1 through Oracle8 Enterprise Edition R8.0 (Oracle Parallel Server Option), Oracle8i Enterprise Edition R8.1.7 (Oracle Fail Safe), Oracle9i Database Release 2 (9.2.0) including the 64-bit Itanium build, Oracle Database 10g (10.1.0) 32-bit (2004/5) and Oracle Database 10g 64-bit Itanium (2004/6); Windows platforms NT 3.1, NT 3.5, NT 3.51, NT 4.0, NT 4.0 EE, Windows 2000 and Windows 2003 (32/64-bit).]

Microsoft .NET and Oracle
  Oracle Data Provider for .NET (database access from .NET)
  Visual Studio integration: Server Explorer, IntelliSense, F1 help
  XML
  .NET Web Services: WS-I, WSDL
  J2EE and .NET Web interoperability
Client/Server: Windows and Oracle
[Figure: a user logged on to Windows domain EXAMPLE, authenticated by Active Directory, connects with

    sqlplus /@orcl

without supplying an Oracle user ID/password; the Oracle RDBMS maps the Windows account to the database user (SCOTT).]

Windows and Oracle: Web
[Figure: Directory/Security, Single Sign-On, Oracle Portal, Oracle E-Business Suite Release 11i user sign-on, Microsoft AD (Active Directory) and KDC (Key Distribution Center), Oracle Internet Directory.]

[Figure: management of Oracle user IDs across Windows, client/server and Web deployments; slide text not recoverable.]
Without Windows integration
[Figure: the user logs on to Windows domain EXAMPLE via Active Directory and then connects to the database with a separate Oracle user ID and password:

    sqlplus scott/tiger@orcl

The Oracle RDBMS authenticates SCOTT itself; the Windows logon and the Oracle logon are independent.]

With Windows native authentication
[Figure: the same Active Directory logon to domain EXAMPLE is reused and no Oracle user ID/password is supplied:

    sqlplus /@orcl

The Oracle RDBMS maps the Windows account to the database user (SCOTT).]
Configuration, database server:
1. Initialization parameters: REMOTE_OS_AUTHENT=FALSE, OS_AUTHENT_PREFIX=OPS$
2. SQLNET.ORA: SQLNET.AUTHENTICATION_SERVICES = (NTS)
3. CREATE USER .. IDENTIFIED EXTERNALLY
4. GRANT CONNECT TO <user>

Configuration, client:
1. SQLNET.ORA: SQLNET.AUTHENTICATION_SERVICES = (NTS)

Example for Windows domain EXAMPLE, account KAINOUE (the name is written as DOMAIN\ACCOUNT and must be quoted):

    SQL> CREATE USER "OPS$EXAMPLE\KAINOUE" IDENTIFIED EXTERNALLY;
    SQL> GRANT CONNECT TO "OPS$EXAMPLE\KAINOUE";

The database user name OPS$EXAMPLE\KAINOUE is OS_AUTHENT_PREFIX (OPS$) followed by the Windows domain and account.

Administration Assistant for Windows [screenshot]

NTLM
[Figure: a Windows machine FOO that is not a member of the AD domain, with REMOTE_OS_AUTHENT=TRUE on the database server; domain EXAMPLE holds the users JAMES (Admin, Database) and Smith; the local account SMITH on FOO connects as SMITH.] The resulting session on the server:

    SQL> SELECT * FROM V$SESSION_CONNECT_INFO;

    SID AUTHENTI OSUSER          NETWORK_SERVICE_BANNER
    --- -------- --------------- -------------------------------------
    151 OS       smith           Windows NT TCP/IP NT Protocol Adapter
    151 OS       smith           Oracle Advanced Security: encryption service
    151 OS       smith           Oracle Advanced Security: crypto-checksumming
What is Kerberos?
  Kerberos on Windows: Windows 2000 / 2003 servers, Windows 2000 / XP clients.
  [Figure: three parties (client, KDC, server); the KDC issues a TGT, the client presents TGT + ID and receives an ST.]

Kerberos ticket flow
  1. Three parties and the KDC
  2. ID + TGT exchanged for an ST (service ticket)
  3. ST presented to the service

Kerberos with Windows and Oracle
  Active Directory acts as the KDC.
  1. AD = KDC (Key Distribution Center)
  2. Kerberos authentication in Oracle requires the Advanced Security Option

Windows authentication protocols: LM, NTLM v2, Kerberos
  [Figure: three parties, KDC, TGT, +ID, ST.]

Kerberos (1/3): obtaining the TGT
  [Figure: client and Active Directory (DC/KDC); (1) request, (2) TGT returned.]
  TGT = Ticket Granting Ticket, DC = Domain Controller, KDC = Key Distribution Center

Kerberos (2/3): obtaining the ST
  1. Client presents the TGT to Active Directory (DC/KDC)
  2. The KDC returns the ST
  3. ST = Service Ticket

Kerberos (3/3): using the ST
  [Figure: client presents the ST to the service; Active Directory (DC/KDC) is not contacted again.]

Kerberos configuration
  KDC:
    1. Kerberos account for the service
    2. KeyTab
  Database server:
    1. SQLNET.ORA: SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5), etc.
    2. CREATE USER .. IDENTIFIED EXTERNALLY
    3. GRANT CONNECT TO <user>
  Client:
    1. SQLNET.ORA: SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5), etc.
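The server-side settings listed for Windows native (NTS) authentication and for Kerberos (KERBEROS5) above, gathered into a small audit script. This is an added example written for this page, not Oracle's own tooling; the file contents, the domain EXAMPLE and the account KAINOUE are constructed.

```python
# Added example (not from the Oracle slides): checks the init.ora and sqlnet.ora settings
# the deck lists for NTS and KERBEROS5 authentication. File contents below are constructed.
INIT_ORA_SAMPLE = """
remote_os_authent = FALSE    # do not trust OS user names sent by remote clients
os_authent_prefix = OPS$     # prefix for externally identified users
"""
SQLNET_ORA_SAMPLE = """
SQLNET.AUTHENTICATION_SERVICES = (NTS, KERBEROS5)
"""


def parse_params(text):
    """Parse KEY = VALUE lines; keys are case-insensitive, '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def auth_services(sqlnet_text):
    """Return the methods listed in SQLNET.AUTHENTICATION_SERVICES = (a, b, ...)."""
    value = parse_params(sqlnet_text).get("SQLNET.AUTHENTICATION_SERVICES", "")
    return [s.strip().upper() for s in value.strip("()").split(",") if s.strip()]


def nts_external_user(init_text, domain, account):
    """Database user name for a Windows account under NTS: OS_AUTHENT_PREFIX + DOMAIN\\ACCOUNT."""
    prefix = parse_params(init_text).get("OS_AUTHENT_PREFIX", "OPS$")
    return f"{prefix}{domain.upper()}\\{account.upper()}"


def audit_os_auth(init_text, sqlnet_text):
    """Return findings; an empty list means the settings match the deck's recommended values."""
    findings = []
    if parse_params(init_text).get("REMOTE_OS_AUTHENT", "FALSE").upper() == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: server accepts the OS user name a remote client claims")
    services = auth_services(sqlnet_text)
    if not ({"NTS", "KERBEROS5"} & set(services)):
        findings.append("SQLNET.AUTHENTICATION_SERVICES enables neither NTS nor KERBEROS5")
    return findings


if __name__ == "__main__":
    print(audit_os_auth(INIT_ORA_SAMPLE, SQLNET_ORA_SAMPLE))        # []
    print(nts_external_user(INIT_ORA_SAMPLE, "example", "kainoue"))  # OPS$EXAMPLE\KAINOUE
```

The REMOTE_OS_AUTHENT=TRUE finding corresponds to the NTLM scenario above, where a local account on a non-domain machine is accepted under the OS user name it presents.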
[Figure: the user SCOTT defined twice, once in Active Directory (Windows) and once in the Database.]

[Figure: the user SCOTT in Active Directory (Windows) synchronised from AD into Oracle Internet Directory, so the database no longer holds its own copy.]

Enterprise User Security
  Three authentication methods: password, SSL, Kerberos*
  *Kerberos with Enterprise User Security is available from Oracle 10g.

EUS authentication methods compared
  Password
  SSL: requires PKI; requires the Advanced Security Option
  Kerberos: requires the Advanced Security Option; Active Directory serves as the KDC
Oracle Application Server 10g
  J2EE
  Single Sign-On
  Oracle Identity Management

[Figure: each application keeping its own local system accounts, versus a shared Oracle Identity Management (Directory, etc.) with SSO.]

Oracle Application Server 10g security
[Figure: User connects over HTTP/HTTPS to the Security Cluster, which provides Authentication, Authorization (HTTP, J2EE, JAAS, JavaACC), Encryption and SSO (OracleAS Portal etc.); SSO is carried in an HTTP cookie; the cluster reaches the Database over Oracle Net and Oracle Identity Management over LDAP/LDAPS; Oracle Identity Management is kept in sync (Sync / Replica) with Other Repository.]
Oracle Identity Management
  Part of Oracle Application Server 10g
  SSO
  LDAP Directory

Oracle Identity Management components
  SSO (Single Sign-On)
  Directory: Database User Directory
  Delegation Service
  PKI: Certificate Authority
  Provisioning / Integration
  Used by the Application Server

[Figure: User, Database, Directory and Application Server and their relationships.]

OracleAS Single Sign-On
  Web SSO for the Application Server, based on a cookie
  Applications are protected by mod_osso (OracleAS Portal, applications built with the SSO SDK)
  Users are held in Oracle Internet Directory
  [Figure: (1) User request to Oracle HTTP Server with mod_osso, (2) login at OracleAS Single Sign-On, (3) response.]

OracleAS Single Sign-On: Web [screenshot]

[Figure: (1) User to SSO, (2) SSO, (3) Oracle Identity Management Directory, (4) SSO, (5) J2EE application with SSO and OracleAS Portal, (6) Database access.]

3rd Party SSO
[Figure: (1) User request to Oracle HTTP Server with mod_osso; (2) login: 2a. redirect / login to the 3rd Party SSO, 2b. ticket issued to the User, 2c. ticket check, 2d. ticket check; (3) response. Oracle Identity Management is kept in sync with Windows.]
AD to OID synchronisation
[Figure: Active Directory domain jp.axa.com with ou=sales containing group1 (SCOTT, JOE) and group2 (JAMES, FORD, SMITH); Oracle Internet Directory jp.oracle.com with OracleContext and Users (SCOTT, JOE, JAMES, FORD, SMITH).]
Mapping Rule (ActiveChgImp), DomainRules:

    ou=group1,ou=sales,dc=jp,dc=axa,dc=com:cn=users,dc=jp,dc=oracle,dc=com:
    ou=group2,ou=sales,dc=jp,dc=axa,dc=com:cn=users,dc=jp,dc=oracle,dc=com:

AD to OID synchronisation: Active Directory and OID [screenshot]