Centralized Authentication and Authorization for Oracle Databases Using Kerberos Authentication and OUD Proxy Authorization

1. Challenges

1.1   Business challenges

A financial company based in San Francisco, CA uses the Oracle databases (900+) as a critical component in its IT infrastructure. It manages users and privileges on an individual database basis, which means that it faces many challenges, including:

  • Higher administrative costs for named user management
  • Insecure and time consuming administration of users
  • Error prone privileges management in multiple databases
  • Complexity of procedures for obtaining audit reports verifying user access to databases
  • Compliance risks due to an ineffective de-provisioning process of DB users

The business would also like to implement segregation of duties for managing Oracle database named user accounts by transitioning database account and privilege assignment duties from the Oracle database team to the identity and access management team.

1.2   Technical challenges

The key to meeting the business challenges is to centralize user authentication and authorization. However, to achieve centralization, this company faces some technical challenges. The centralization solution must meet the following requirements:

  • Use the existing Microsoft active directory for centralized authorization i.e., role management
  • Should NOT require changes to active directory schema
  • Should NOT require placing any DLLs on active directory domain controllers
  • Should NOT synchronize user data to another directory
  • Should be scalable and highly available

2. ZionTech implemented solution

Based on technical requirements, the solution is to configure databases for Kerberos authentication and deploy the Oracle Unified Directory (OUD) proxy for AD with Enterprise User Security for authorization.

2.1 Centralized Authentication

  • Kerberos authentication uses the Oracle Database Enterprise Edition and the ASO (advanced security option) feature. It supports Enterprise user security (EUS).
  • The database is integrated with the Microsoft Key Distribution Center (MSKDC).
  • The authentication process supports heterogeneous systems.

2.2 Centralized Authorization:

Enterprise user security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle directory services and provides the ability to centrally manage database users and role memberships in a LDAP directory.

  • An Oracle unified directory (OUD) proxy is deployed in a highly available architecture and is connected to the existing active directory for EUS.
  • Oracle databases are EUS enabled and required metadata is stored under a special naming context in OUD.
  • Global roles are created in databases and mapped to active directory groups.
  • Users once authenticated with Kerberos will be then authorized using groups in the active directory through an OUD proxy.

3. Results

3.1   Benefits

This solution provided the following benefits:

  • This architecture enabled the organization to achieve centralized authentication and authorization to Oracle databases by providing a unified view of identity.
  • The user experiences single sign on (SSO) when using a supported client from a workstation that is part of the active directory domain.
  • Users from a workstation that is not part of the active directory domain can still access databases with Kerberos authentication by providing their Windows passwords using the Okinit tool.
  • The required configuration for enabling Kerberos and EUS for a database fits nicely into the organization’s standard database creation automated process.

3.2   ROI

  • Reduced auditing and administration costs
  • Increased security
  • Improved compliance
  • Rapid deployment
  • No additional administration
  • Eliminated help desk calls