Oracle® Label Security Administrator's Guide 10g Release 1 (10.1) Part Number B10774-01
Managing Oracle Label Security metadata in a centralized LDAP repository provides many benefits. Policies and user label authorizations can be easily provisioned and distributed throughout the enterprise. In addition, when employees are terminated their label authorizations can be revoked in one place and the change automatically propagated throughout the enterprise. This chapter describes the integration between Oracle Label Security and Oracle Internet Directory, in the following sections:
Previous releases of Oracle Label Security have relied on the Oracle database as the central repository for policy and user label authorizations. This architecture leveraged the scalability and high availability of the Oracle database, but didn't leverage the identity management infrastructure, which includes the Oracle Internet Directory. This directory is part of Oracle's Identity Management Platform. Integrating your installation of Oracle Label Security with the Oracle Internet Directory allows label authorizations to be part of your standard provisioning process.
These advantages accrue also to directory-stored information about policies, user labels, and privileges that Oracle Label Security assigns to users. These labels and privileges are specific to the installation's policies defining access control on tables and schemas. (When a site is not using Oracle Internet Directory, then such information is stored locally in the database.)
The following Oracle Label Security information is stored in the directory:
Database-specific metadata is not stored in the directory. Examples include
The following three notes identify important aspects of integrating your installation of Oracle Label Security with Oracle Internet Directory:
Note: Managing Oracle Label Security policies directly in the directory is done using a new command-line tool, the Oracle Label Security administration tool ( |
Note: In this release, the GUI version of Oracle Policy Manager (OPM) cannot be used to manage policies, labels, or user authorization information in the directory.
For sites that use Oracle Internet Directory, databases retrieve Oracle Label Security policy information from the directory. Administrators use the olsadmintool policy administration tool to operate directly on the directory to insert, alter, or remove metadata as needed. Since enterprise users can log in to multiple databases using the credentials stored in Oracle Internet Directory, it is logical to store their Oracle Label Security policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges simply by updating these metadata in the directory. (Other aspects of managing enterprise users are done by the Enterprise Security Manager.)
For distributed databases, centralized policy management removes the need for replicating policies, since the appropriate policy information is available in the directory. Changes are effective without further effort, synchronized with policy information in the databases by means of the Directory Integration Platform.
See Also:
Synchronization using the Directory Integration Platform is described in the Oracle Internet Directory Administrator's Guide.
Figure 5-1 illustrates the structure of metadata storage in Oracle Internet Directory.
Figure 5-2 illustrates applying different policies stored in Oracle Internet Directory to the databases accessed by different enterprise users. Determining the policy to be applied is controlled by the directory entries corresponding to the user and the accessed database.
In this example, the directory has information about two Oracle Label Security policies: Alpha, applying to database DB1, and Beta, applying to database DB2. Although both policies are known to each database, only the appropriate one is applied in each case. In addition, enterprise users who are to access rows protected by Oracle Label Security are listed in profiles within the Oracle Label Security attributes in Oracle Internet Directory.
As Figure 5-2 shows, the connections between different databases and the directory are established over either SSL or SASL. The database always binds to the directory as a known identity using password-based authentication. Links between databases and their clients (such as a sqlplus session, any PL/SQL programs, and so on) can use either SSL or non-SSL connections. The example of Figure 5-2 assumes that users are logged on through password authentication. The choice of connection type depends on the enterprise user model.
The Oracle Label Security policy administration tool operates directly on metadata in Oracle Internet Directory. Changes in the directory are then propagated to the Directory Integration Platform (DIP) Server, which is configured to send changes to the databases at specific time intervals.
The databases update the policy information in Oracle Internet Directory only when policies are being applied to tables or schemas. These updates ensure that policies that are in use will not be dropped from the directory.
You can configure a database for OID-enabled Label Security at any time after database creation or during custom database creation. OID-enabled Label Security relies on the Enterprise User Security feature.
See Also:
Details about Enterprise User Security appear in:
|
To achieve this goal, do the following major tasks:
When configuring for OID-enabled OLS, DBCA also does the following things in addition to registering the database:
See Also:
Bootstrapping Databases for more information.
Registering the database and configuring OLS can be done in one invocation of DBCA.
The Customize dialog appears, showing two configuration options, for standalone OLS or for OID-enabled OLS.
See:
Directory Integration Platform (DIP) Provisioning Profiles for more details.
Once the database is configured for OID-enabled OLS, further considerations regarding enterprise user security may apply.
See Also:
Please refer to the Oracle Advanced Security Administrator's Guide, Chapter 13, Administering Enterprise User Security, for further concepts, tools, steps, and procedures.
To perform this task, you use DBCA, which does the following things:
Note: Specific instructions for DB unregistration appear in the Oracle Advanced Security Administrator's Guide. No special steps are required when OID-enabled OLS is configured.
A user profile is a set of user authorizations and privileges. Profiles are maintained as part of each Oracle Label Security policy stored in the Directory.
If a user is added to a profile, he acquires the authorizations and privileges defined in that profile for that particular policy, which include the following attributes:
An enterprise user can belong to only one profile, or none.
The integration of Oracle Label Security and Oracle Internet Directory enables the following capabilities:
In Oracle Internet Directory, Oracle-related metadata is stored under cn=OracleContext. Within Label Security, each policy holds the information and parameters shown in Table 5-1:
When Oracle Label Security is used without Oracle Internet Directory, it supports automatic creation of data labels by means of a label function. However, when Oracle Label Security is used with Oracle Internet Directory, such functions can create labels only using data labels that are already defined in the directory.
Type of Entry | Contents | Meaning/Sample Usage/References |
---|---|---|
Policy Name | The name assigned to this policy at its creation | Used in olsadmintool commands such as |
Column Name | The name of the column that will hold the label values relevant to this policy | Column is added to database: See Chapter 4 (The Policy Label Column and Label Tags & Inserting Labeled Data); & The HIDE Policy Column Option in Chapter 8; & Appendix B. |
Enforcement Options | Any combination of the following entries: | See the discussions in Chapter 8 and Appendix B. and |
Options | Enabled: | |
Levels | Name and number for each level | Used in |
Compartments | Name and number for each compartment | Used in |
Groups | Name, number, and parent for each group | Used in |
Profiles | Maximum and default read labels, | Policies can have one or more profiles, each of which can be assigned to many users. Profiles reduce the need to set up label authorizations for individual users. All users with the same set of labels and privileges are grouped in a single profile. Each profile represents a different set of labels, privileges, and users. Each profile in a policy is unique. |
Data Labels | Full name and number for each valid data label | |
Administrators | Name of each administrator authorized to modify the parameters within this policy. | Policy administrators can modify parameters within a policy. They are not necessarily also policy creators, who have the right to create or remove policies or policy administrators: See Security Roles and Permitted Actions. |
When Oracle Label Security is used with Oracle Internet Directory, data labels must be pre-defined in the directory.
They cannot be created "on the fly" by a label function, as is possible when label security is not integrated with the directory.
Administrators listed within a policy are those individuals authorized to do the following policy-specific administrative tasks:
There is a higher level of administrators, called policy creators, who can create and remove Oracle Label Security policies and the policy administrators named within them.
After a new database is registered with Oracle Internet Directory (OID), the administrator can install OID-enabled Oracle Label Security (OLS) on that database. This installation process automatically creates a Directory Integration Platform (DIP) provisioning profile enabling policy information to be periodically refreshed in the future by downloading it to the database. See Directory Integration Platform (DIP) Provisioning Profiles.
When configuring the database for OID-enabled OLS, the DBCA tool puts all the policy information in OID into the database. At any point, the administrator can decide to bootstrap the database with the policy information again, using the bootstrap utility script at $ORACLE_HOME/bin/olsoidsync. The parameters it requires are as follows:
olsoidsync --dbtnsname <database TNS name> --dbuser <database user> --dbuserpassword <database user password> [-c] [-r] [-b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>
For example,
olsoidsync --dbtnsname db1 --dbuser lbacsys --dbuserpassword lbacsys -c -b 'ou=Americas,o=Oracle,c=US' -h yippee -D cn=policycreator -w welcome1
The olsoidsync command pulls policy information from OID and populates the information in the database. Users must provide the database TNS name, the database username, the database user's password, the administrative context (if any), the OID hostname, the bind DN and bind password, and optionally the OID port number.
The optional "-c" switch causes the command to drop all the existing policies in the database and refresh it with policy information from OID.
The optional "-r" switch causes the command to drop all the policy metadata (without dropping the policies themselves) and refresh the policies with new metadata from OID.
Without these two switches, the command will only create new policies from OID, and will halt on any errors encountered during the refresh.
Oracle Label Security metadata in the directory is synchronized with the databases using the Oracle Directory Provisioning Integration Service of the Directory Integration Platform.
Changes to the label security data in the directory are conveyed by the provisioning integration service in the form of provisioning events. A software agent receives these events and generates appropriate SQL or PL/SQL statements to update the database. After these statements are executed, Oracle Label Security data dictionaries are updated to match the changes already made in the directory.
Oracle Label Security subscribes itself to the Provisioning Integration Service automatically during installation. The provisioning service stores the information associated with each database in the form of a provisioning profile. The software agent uses the identity of the user "DIP" to connect to the database, and the password "DIP", when synchronizing the changes in OID with the database.
If the password for the user DIP is changed, that information needs to be updated in the provisioning profile of the provisioning integration service.
The steps to change the database connection information in the DIP profile are as follows:
Note: The database character set must be compatible with Oracle Internet Directory (OID) for OID-enabled Oracle Label Security (OLS) to work correctly. Only then can there be successful synchronization of the Label Security metadata in OID with the database. Please refer to Chapters 2 and 3 of Oracle Database Globalization Support Guide for more information on character sets and Globalization Support parameters.
The DIP server synchronizes policy changes in the directory with the connected databases, using a separate DIP provisioning profile created for each database. This profile is created automatically as part of the installation process for OID-enabled Oracle Label Security. The administrator can use the provisioning tool oidprovtool to modify the password for a database profile, using the script $ORACLE_HOME/bin/oidprovtool. Each such profile contains the following information:
Here is an example of using oidprovtool, followed by an explanation of the parameters in this example:
oidprovtool operation=modify ldap_host=yippee ldap_port=389 \
ldap_user=cn=defense_admin ldap_user_password=welcome1 \
application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' \
organization_dn='ou=Americas,o=Oracle,c=US' \
interface_name=LBACSYS.OLS_DIP_NTFY interface_type=PLSQL \
interface_connect_info=yippee:1521:db1:dip:newdip schedule=60 \
event_subscription='ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext,ou=Americas,o=Oracle,c=US:ADD(*)' \
event_subscription='ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext,ou=Americas,o=Oracle,c=US:MODIFY(*)' \
event_subscription='ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext,ou=Americas,o=Oracle,c=US:DELETE'
This sample oidprovtool command creates and enables a new DIP provisioning profile with the following attributes:
To start the DIP server, use $ORACLE_HOME/bin/oidctl. For example:
oidctl server=odisrv connect=db2 config=0 instance=0 start
This command will start the DIP server by connecting to db2 (the OID database) with config set 0 and instance number 0.
See also:
Chapter 30 of the Oracle Internet Directory Administrator's Guide regarding Directory Integration Server Administration.
You can change the password for the interface_connect_info, which is the database password, by using the oidprovtool modify command, but first you must disable the profile. After changing the password, you then re-enable the profile.
You can disable the Oracle Label Security provisioning profile using oidprovtool, specifying simply the disable operation and the first six original parameters shown here. (The other original parameters are not needed.) The command form is:
oidprovtool operation=disable ldap_host=< > ldap_port=< > ldap_user_dn=< > ldap_user_password=< > application_dn=< > organization_dn=< >
Using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=disable ldap_host=yippee ldap_port=389 ldap_user=cn=defense_admin ldap_user_password=welcome1 application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' organization_dn='ou=Americas,o=Oracle,c=US'
To modify the password in the connection information, use the oidprovtool command, specifying the modify operation, the first six original parameters, and the new DIP user password given in the connection info. The command form is:
oidprovtool operation=modify ldap_host=< > ldap_port=< > ldap_user_dn=< > ldap_user_password=< > application_dn=< > organization_dn=< > interface_connect_info=< new_connect_info >
Using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=modify ldap_host=yippee ldap_port=389 ldap_user=cn=defense_admin ldap_user_password=welcome1 application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' organization_dn='ou=Americas,o=Oracle,c=US' interface_connect_info=yippee:1521:db1:dip:NewestDIPpassword
Similarly, you can re-enable the Directory Integration Platform provisioning profile using oidprovtool as follows, again specifying simply the desired operation and the first six original parameters. (The other original parameters are not needed.) The command form is:
oidprovtool operation=enable ldap_host=< > ldap_port=< > ldap_user_dn=< > ldap_user_password=< > application_dn=< > organization_dn=< >
Again using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=enable ldap_host=yippee ldap_port=389 ldap_user=cn=defense_admin ldap_user_password=welcome1 application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' organization_dn='ou=Americas,o=Oracle,c=US'
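The disable, modify, enable sequence above as one POSIX shell function, reporting which step failed so that a profile is never left disabled unnoticed. This is an added example, not part of the Oracle guide or its tools: the function names, the OLS_* variables and the OIDPROVTOOL override are assumptions, and it assumes the DIP password has already been changed in the database.

```shell
#!/bin/sh
# Added example: rotate the DIP connection password in a provisioning profile
# in the order the guide gives: disable, modify, enable.
# Assumed names (not from the guide): rotate_dip_password, ols_prov, the OLS_*
# variables, and the OIDPROVTOOL override for substituting a stub in tests.
# Parameter names follow the guide's command forms (ldap_user_dn); its worked
# examples write ldap_user instead.
# oidprovtool takes both passwords as arguments, so they are visible in the
# process list while it runs.

OIDPROVTOOL="${OIDPROVTOOL:-${ORACLE_HOME:-}/bin/oidprovtool}"

# Run one oidprovtool operation with the six common parameters, then any extras.
ols_prov() {
    op=$1; shift
    "$OIDPROVTOOL" "operation=$op" \
        "ldap_host=$OLS_LDAP_HOST" "ldap_port=${OLS_LDAP_PORT:-389}" \
        "ldap_user_dn=$OLS_BIND_DN" "ldap_user_password=$OLS_BIND_PW" \
        "application_dn=$OLS_APP_DN" "organization_dn=$OLS_ORG_DN" "$@"
}

# rotate_dip_password DB_HOST DB_PORT DB_SID NEW_PASSWORD
# Returns 0 on success, 2 on bad input, 10/11/12 when disable/modify/enable fails.
rotate_dip_password() {
    [ $# -eq 4 ] || { echo "usage: rotate_dip_password HOST PORT SID NEW_PASSWORD" >&2; return 2; }
    for f in "$@"; do
        # interface_connect_info is colon-separated, read here as
        # host:port:sid:user:password (an inference from the guide's example),
        # so an empty field or a ':' inside a field would shift the fields.
        case $f in ''|*:*) echo "empty field or ':' in a field" >&2; return 2 ;; esac
    done
    # The guide states the agent connects as DIP with password DIP; never
    # rotate back to that default.
    case $4 in [Dd][Ii][Pp]) echo "refusing the default password" >&2; return 2 ;; esac

    ols_prov disable || { echo "disable failed; profile unchanged" >&2; return 10; }
    if ! ols_prov modify "interface_connect_info=$1:$2:$3:dip:$4"; then
        echo "modify failed; profile is still disabled, directory changes are not reaching the database" >&2
        return 11
    fi
    ols_prov enable || { echo "enable failed; profile updated but still disabled" >&2; return 12; }
}
```

Set OLS_LDAP_HOST, OLS_BIND_DN, OLS_BIND_PW, OLS_APP_DN and OLS_ORG_DN from a prompt or a protected file rather than typing the passwords into the shell history.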
To manage Oracle Label Security policies in Oracle Internet Directory, certain entities are given access control rights in the directory. The access control mechanisms are provided by Oracle Internet Directory.
Table 5-3 describes, in abstract terms, these entities and the tasks they are enabled to perform.
Table 5-4, "Access Levels Allowed by Users in OID", lists the specific access level operations permitted or disallowed for policy creators, policy administrators, and label security users.
Entries | Policy Creators | Policy Administrators | Databases |
---|---|---|---|
cn=Policies | can modify | no access | no access |
cn=Admins,cn=Policy1 | can modify | no access | no access |
uniqueMember: cn=Policy1 | can browse | can browse | can modify |
cn=PolicyCreators | no access (Footnote 1) | no access | no access |
cn=Levels,cn=Policy1 | can browse and delete | can modify | no access |
cn=Compartments,cn=Policy1 | can browse and delete | can modify | no access |
cn=Groups,cn=Policy1 | can browse and delete | can modify | no access |
cn=AuditOptions,cn=Policy1 | can browse and delete | can modify | no access |
cn=Profiles,cn=Policy1 | can browse and delete | can modify | no access |
cn=Labels,cn=Policy1 | can browse and delete | can modify | no access |
cn=DBServers | no access (Footnote 2) | no access | no access |
When Oracle Internet Directory is enabled with Oracle Label Security, the procedures listed in Table 5-5 are superseded. Only LBACSYS is allowed to execute these procedures.
For some of the procedures listed in the table, the functionality they provided is replaced by the olsadmintool command named in the second column (and explained in Appendix B).
The following procedures are allowed to be executed only by policy administrators (enterprise users defined in Oracle Internet Directory):