DOAG Security Day 2016
Enterprise Security Reloaded
DOAG Security Day, 17 March 2016
Jan Schreiber, Loopback.ORG GmbH, Hamburg
Database Operations & Security
Data Warehouse & Business Intelligence
Oracle Architecture & Performance
Table 8-2 Oracle 9i Default Accounts and Passwords
USER: SYSTEM     PW: MANAGER
USER: SCOTT      PW: TIGER
USER: OLAPSYS    PW: OLAPSYS
USER: ANONYMOUS  PW: ANONYMOUS
Two comic slides, source: XKCD
Oracle Hash Algorithms
Ancient (up to 10g): DES-based hash of upper(username || password), i.e. unsalted and case-insensitive
11g ("S:" entry in SYS.USER$.SPARE4): password hash (20 bytes) = sha1(password + salt (10 bytes))
11g ("H:" entry): md5digest('USER:XDB:password')
12.1.0.2 ("T:" entry): PBKDF2-based SHA-512 hash
Example SPARE4 value carrying all three verifiers:
S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
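As an added example (not part of the talk), the 11g and 12c verifier formats implemented in Python. The S: and H: computations follow the formulas on the slide; the T: parameters (PBKDF2-HMAC-SHA512, 4096 iterations, the salt suffixed with "AUTH_PBKDF2_SPEEDY_KEY", then SHA-512 over key || salt) are taken from public password-cracker implementations of the 12c format and are an assumption, not something the slide states. The SPARE4 sample is the string from the slide (password unknown); the user name SCOTT and the candidate passwords are made up. The 10g DES-based hash is not implemented because the standard library has no DES.

```python
import hashlib
import hmac
import os

# SYS.USER$.SPARE4 value from the slide (the two printed halves joined; its password is unknown).
SPARE4_SAMPLE = (
    "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
    "H:DC9894A01797D91D92ECA1DA66242209;"
    "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC04"
    "6D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
)
# Assumed 12c parameters (from public cracker implementations, not from the slide).
T_SUFFIX = b"AUTH_PBKDF2_SPEEDY_KEY"
T_ITERATIONS = 4096


def parse_spare4(value):
    """Split 'S:...;H:...;T:...' into a dict keyed by verifier tag."""
    out = {}
    for part in value.split(";"):
        if ":" in part:
            tag, hexval = part.split(":", 1)
            out[tag.strip().upper()] = hexval.strip().upper()
    return out


def hash_11g_s(password, salt=None):
    """11g S: verifier: SHA-1(password || 10-byte salt), stored as hex(digest) || hex(salt) = 60 hex chars."""
    salt = os.urandom(10) if salt is None else salt
    if len(salt) != 10:
        raise ValueError("S: salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (digest + salt).hex().upper()


def verify_11g_s(candidate, s_value):
    salt = bytes.fromhex(s_value[40:])          # salt is appended to the 20-byte digest
    return hmac.compare_digest(hash_11g_s(candidate, salt), s_value.upper())


def hash_11g_h(username, password):
    """11g H: verifier: MD5 of 'USER:XDB:password' (the HTTP digest used by XDB); user name is upper-cased."""
    return hashlib.md5(f"{username.upper()}:XDB:{password}".encode("utf-8")).hexdigest().upper()


def hash_12c_t(password, salt=None, iterations=T_ITERATIONS):
    """12c T: verifier: SHA-512(PBKDF2-HMAC-SHA512(pw, salt || T_SUFFIX, iterations, 64) || salt), 160 hex chars."""
    salt = os.urandom(16) if salt is None else salt
    if len(salt) != 16:
        raise ValueError("T: salt must be 16 bytes")
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt + T_SUFFIX, iterations, 64)
    digest = hashlib.sha512(key + salt).digest()
    return (digest + salt).hex().upper()


def verify_12c_t(candidate, t_value, iterations=T_ITERATIONS):
    salt = bytes.fromhex(t_value[128:])         # salt is appended to the 64-byte digest
    return hmac.compare_digest(hash_12c_t(candidate, salt, iterations), t_value.upper())


def make_spare4(username, password):
    """Build a SPARE4-style string with fresh random salts, as an 11g/12c database would store it."""
    return f"S:{hash_11g_s(password)};H:{hash_11g_h(username, password)};T:{hash_12c_t(password)}"


def guess_password(spare4_value, candidates):
    """Offline dictionary check, i.e. what anyone who can read SYS.USER$ can do; prefers the cheap S: hash."""
    parts = parse_spare4(spare4_value)
    for cand in candidates:
        if "S" in parts and verify_11g_s(cand, parts["S"]):
            return cand
        if "T" in parts and verify_12c_t(cand, parts["T"]):
            return cand
    return None


if __name__ == "__main__":
    stored = make_spare4("SCOTT", "tiger")       # constructed account, not from the slide
    print(stored)
    print("recovered:", guess_password(stored, ["manager", "tiger"]))
```

The point of the dictionary check: as long as the S: entry is present (the default in 11g and 12.1 with SQLNET.ALLOWED_LOGON_VERSION_SERVER below 12a), an attacker only needs one SHA-1 per guess and never has to touch the PBKDF2 T: hash.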
LDAP Directory Integration
Database client: (1) connect as Leonard.Nimoy / BIGDB
Oracle DB: (2) requests Leonard.Nimoy from the LDAP server, (3) entry for Leonard.Nimoy is returned; the database checks the password hash and maps the user to roles and a schema
LDAP server: store for users, roles and the EUS configuration
SQL> alter user ... identified externally;
Only one cross each: hashes in the directory
Active Directory Integration
Database client in all three variants: SQL*Plus, Java, etc.

Synchronisation (OID):
• No AD schema changes needed
• AD agent must run on the AD domain controllers and read clear-text passwords
  DB farm ↔ Oracle OID (AUTH: map users, schema, roles); OID ↔ AD: SYNC (DIP), oidpwdcn.dll

Proxy (OUD):
• AD schema changes needed
• Password filter must run on the AD controllers
• AD update right must be present
  DB farm ↔ OUD (AUTH: map users, schema, roles); OUD ↔ AD: hashes, groups, oidpwdcn.dll, orclCommonAttribute

Virtualisation (OVD):
• Only one AD schema change: orclCommonAttribute
• Separation of duties between DBA and AD administrators
  DB farm ↔ OVD (AUTH: map users, schema, roles); OVD ↔ AD: hashes, groups
Kerberos AD Integration
AD domain controller = Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS)
Client PC: domain logon with user name and password
(1) Authentication request to the AS
(2) User credentials checked
(3) User ticket (TGT) issued
(4) TGT placed in the client's ticket cache
(5) Service ticket (ST) for the application server requested with the TGT
(6) TGT checked by the TGS
(7) ST issued
(8) ST presented to the DB server
(9) DB server validates the ST
Prerequisite: exchange of a shared key between KDC and DB server (the service key table)
PKI Authentication
User / application: own private key; User.csr is sent to the certification authority (CA); user certificate and CA certificate are installed
Database: own private key; DB.csr is sent to the CA; DB certificate and CA certificate are installed
SSL handshake between client and database: each side presents its certificate and validates the other's against the CA certificate
Enterprise User Security (EUS)
Oracle Internet Directory:
  Enterprise users: User, DBA
  Enterprise roles: RoleEnterpriseUser, RoleEnterpriseDBA
Databases:
  Global roles (granted through the enterprise roles): RoleUserGlobal1, RoleUserGlobal2, RoleDBAGlobal
  Local roles behind them: RoleUserLocal1, RoleUserLocal2, Resource, DBA
AD Integration with Oracle Unified Directory (OUD) & Kerberos
DB farm ↔ OUD (EUS: map users, schema, roles; Oracle Context) ↔ AD (groups); database client: SQL*Plus, Java, etc.
OUD proxy setup:
• Read-only AD user
• Read rights on the DB user entries in AD
• Oracle Context in LDAP
• Software: OUD, WebLogic, ADF
• Also works with EUS
[linux7 Oracle_OUD1]$ ./oud-proxy-setup
[linux6]$ okinit testuser
[linux7]$ oklist          (shows the Kerberos ticket)
Secure External Password Store (1)
$ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local
Oracle PKI Tool : Version 11.2.0.4.0 - Production
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
$ sqlplus /@ORCL
SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
ERROR:
ORA-12578: TNS:wallet open failed
Enter user-name:
A wallet created with -auto_login_local opens only on the host, and for the OS user, that created it; a copy taken to another machine fails with ORA-12578.
Secure External Password Store (2)
Layout of cwallet.sso:
0x00 - 0x4C  Header:
  0x00 - 0x02  first 3 bytes are always A1 F8 4E (wallet recognition?)
  0x03         type: SSO = 36; LSSO = 38
  0x04 - 0x06  00 00 00
  0x07         version (10g: 05; 11g: 06)
  0x08 - 0x0A  00 00 00
  0x0B - 0x0C  11g: always the same (41 35)
  0x0D - 0x1C  DES key
  0x1D - 0x4C  DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF   PKCS#12 data (ASN.1 block)

$ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
Key and ciphertext sit side by side in the file: auto-login is obfuscation, not encryption, so the file permissions on cwallet.sso are the only real protection of the stored credentials.
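An added example, not part of the talk: a parser for the cwallet.sso header layout listed above, run against a constructed file. The offsets and field meanings are exactly those the slide gives; the key, secret and PKCS#12 bytes in the sample are dummies, and the decryption step performed by the slide's ssoDecrypt.sh is not reproduced. What the parser makes visible is that the 16-byte key material lives 16 bytes in front of the ciphertext it protects.

```python
import struct

# Layout as documented on the slide (offsets in bytes).
MAGIC = bytes.fromhex("A1F84E")
WALLET_TYPES = {0x36: "SSO", 0x38: "LSSO"}      # LSSO = created with -auto_login_local
WALLET_VERSIONS = {0x05: "10g", 0x06: "11g"}
HEADER_LEN = 0x4D


def der_length(blob):
    """Total length (tag + length + content) of the outer DER SEQUENCE; used to sanity-check the PKCS#12 blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("PKCS#12 data does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                              # short form
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_cwallet_sso(data):
    """Split an auto-login wallet into its header fields and the PKCS#12 body."""
    if len(data) < HEADER_LEN or data[:3] != MAGIC:
        raise ValueError("not a cwallet.sso: bad magic or truncated header")
    pkcs12 = data[HEADER_LEN:]
    return {
        "type": WALLET_TYPES.get(data[3], f"unknown(0x{data[3]:02x})"),
        "version": WALLET_VERSIONS.get(data[7], f"unknown(0x{data[7]:02x})"),
        "marker": data[0x0B:0x0D].hex(),          # "4135" on 11g wallets
        "key": data[0x0D:0x1D],                   # DES key material, stored in the clear
        "secret": data[0x1D:0x4D],                # DES-CBC ciphertext holding the PKCS#12 password
        "pkcs12_offset": HEADER_LEN,
        "pkcs12_declared_len": der_length(pkcs12),
        "pkcs12_actual_len": len(pkcs12),
    }


def build_sample_wallet(wallet_type=0x38, version=0x06, key=None, secret=None, payload=b""):
    """Constructed test file following the slide's layout; key, secret and payload are dummies."""
    key = bytes(range(0x10, 0x20)) if key is None else key
    secret = bytes(48) if secret is None else secret
    if len(key) != 16 or len(secret) != 48:
        raise ValueError("key must be 16 bytes, secret 48 bytes")
    if len(payload) < 0x80:
        der = b"\x30" + bytes([len(payload)]) + payload
    else:
        der = b"\x30\x82" + struct.pack(">H", len(payload)) + payload
    return (MAGIC + bytes([wallet_type]) + b"\x00\x00\x00" + bytes([version])
            + b"\x00\x00\x00" + b"\x41\x35" + key + secret + der)


if __name__ == "__main__":
    info = parse_cwallet_sso(build_sample_wallet(payload=b"\x04\x03abc"))
    print(info["type"], info["version"], "key:", info["key"].hex(),
          "secret bytes:", len(info["secret"]), "pkcs12 at:", hex(info["pkcs12_offset"]))
```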
Separation of Schema Owner and Access Users
APPLICATION SCHEMA (one schema owner) ↔ DB USERS 1, 2, 3 ... n (individual accounts that only hold grants on the schema)
Cost-Benefit Analysis
Columns: Old wallets | AD Kerberos | SSL PKI | EUS
Protection of the password against extraction: ★ ✔ ✔
Less admin effort for password changes: ✖ ✔ ✔
Better traceability of changes: ✖ ✔ ✔
Individual user identities: ✖ ✔ ✔
Central user management & password policies: ✔
Central role management: ✔
Solution suitable for all access types: ★ ★
CA required: ✔
Kerberos roll-out required: ✔
Wallets can still be used: ★ ✔
Directory licence costs arise
Kerberos: SPN User Account in AD (screenshot)
Kerberos Key Table
PS C:\Users\Administrator> ktpass.exe -princ oracle/ioaotow01.tested.lcl@TESTED.LCL -mapuser ioaotow01 -crypto RC4-HMAC-NT -pass XXX -out c:\ioaotow-hmac2.keytab -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: test-dchh01.tested.lcl
Successfully mapped oracle/ioaotow01.tested.lcl to ioaotow01.
Password successfully set!
Key created.
Output keytab to c:\ioaotow-hmac2.keytab:
Keytab version: 0x502
keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xbd54ec4ab1feb299c0969b67f1d9deb8)

[oracle@ioaotow01 TESTDB-KERB5]$ oklist -k ioaotow01.keytab
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 13-JAN-2016 15:11:59
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Service Key Table: ioaotow01.keytab
Ver  Timestamp             Principal
4    01-Jan-1970 01:00:00  oracle/ioaotow01.tested.lcl@TESTED.LCL
The 16-byte RC4-HMAC key that ktpass prints is the NT hash of the service account's password; the keytab, and any saved console output, is therefore a reusable credential and has to be protected like a password file.
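An added example, not from the talk: a writer and parser for the MIT keytab format (version 0x502) that ktpass produced above, together with the RC4-HMAC key derivation. Assumptions: the entry layout follows the MIT keytab format, the RC4-HMAC key is MD4 over the UTF-16LE password as specified in RFC 4757 (which is why it equals the account's NT hash), and the service password "password" is invented. One check ties the code back to the slide: an entry for oracle/ioaotow01.tested.lcl@TESTED.LCL encodes to 73 bytes, the "keysize 73" ktpass reports, and a zero timestamp is what oklist renders as 01-Jan-1970.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # "Keytab version: 0x502" in the ktpass output
KRB5_NT_PRINCIPAL = 1               # "ptype 1"
ETYPE_RC4_HMAC = 0x17               # "etype 0x17 (RC4-HMAC)"
ETYPE_AES256_SHA1 = 0x12


def md4(msg):
    """Minimal MD4 (RFC 1320); hashlib's md4 is disabled in many OpenSSL 3 builds, so it is written out."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                aa = rotl((aa + fn(bb, cc, dd) + x[k] + const) & mask, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password):
    """RFC 4757: the RC4-HMAC Kerberos key is MD4(UTF-16LE(password)), i.e. the NT hash."""
    return md4(password.encode("utf-16-le"))


def _counted(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, key, etype=ETYPE_RC4_HMAC, vno=1, timestamp=0, name_type=KRB5_NT_PRINCIPAL):
    """One keytab entry without its leading int32 size: components, realm, name type, time, vno8, keyblock."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    entry = struct.pack(">H", len(components)) + _counted(realm)
    entry += b"".join(_counted(c) for c in components)
    entry += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    entry += struct.pack(">HH", etype, len(key)) + key
    return entry


def build_keytab(*entries):
    return KEYTAB_MAGIC + b"".join(struct.pack(">i", len(e)) + e for e in entries)


def _decode_entry(e):
    (n_comp,) = struct.unpack(">H", e[:2])
    pos, strings = 2, []
    for _ in range(n_comp + 1):                       # realm first, then the name components
        (length,) = struct.unpack(">H", e[pos:pos + 2])
        strings.append(e[pos + 2:pos + 2 + length].decode("utf-8"))
        pos += 2 + length
    name_type, timestamp, vno = struct.unpack(">IIB", e[pos:pos + 9])
    pos += 9
    etype, klen = struct.unpack(">HH", e[pos:pos + 4])
    key = e[pos + 4:pos + 4 + klen]
    pos += 4 + klen
    if pos + 4 <= len(e):                             # newer writers append a 32-bit vno
        (vno32,) = struct.unpack(">I", e[pos:pos + 4])
        vno = vno32 or vno
    return {"principal": "/".join(strings[1:]) + "@" + strings[0], "name_type": name_type,
            "timestamp": timestamp, "vno": vno, "etype": etype, "key": key}


def parse_keytab(data):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                                  # negative size marks a deleted slot
            pos += -size
            continue
        entries.append(_decode_entry(data[pos:pos + size]))
        pos += size
    return entries


if __name__ == "__main__":
    kt = build_keytab(encode_entry("oracle/ioaotow01.tested.lcl@TESTED.LCL", rc4_hmac_key("password"), vno=13))
    for e in parse_keytab(kt):
        print(e["principal"], "vno", e["vno"], "etype", hex(e["etype"]), "key", e["key"].hex())
```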
Database Kerberos Configuration
krb5.conf:
  dns_lookup_realm = false
  [domain_realm]
  .tested.lcl = TESTED.LCL
  tested.lcl = TESTED.LCL

sqlnet.ora, general settings:
  NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
  SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
sqlnet.ora, Kerberos settings:
  SQLNET.KERBEROS5_CONF=/etc/krb5.conf
  SQLNET.KERBEROS5_CONF_MIT=true
  SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
  SQLNET.KERBEROS5_KEYTAB=/oracle/product/12.1.0/dbhome_1/network/admin/ioaotow01.keytab
  SQLNET.KERBEROS5_CC_NAME=/oracle/diag/krb/cc/krb5cc_99
Kerberos User Login
SQL> create user USER01 identified externally as 'user01@TESTED.LCL';
User created.
SQL> grant connect to user01;

[oracle@ioaotow01 ~]$ okinit user01
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Password for user01@TESTED.LCL:

[oracle@ioaotow01 ~]$ oklist
Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
Copyright (c) 1996, 2014 Oracle. All rights reserved.
Ticket cache: /oracle/diag/krb/cc/krb5cc_99
Default principal: user01@TESTED.LCL
Valid Starting        Expires               Principal
08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/TESTED.LCL@TESTED.LCL
08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/[email protected]
08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/[email protected]

[oracle@ioaotow01 ~]$ sqlplus /@TESTDB
SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> show user;
USER is "[email protected]"
Kerberos Database Login on a Windows PC (screenshot)
Kerberos & Database 12c
• Newly written Kerberos stack
• RC4-HMAC-NT / Windows Server 2012
• ORA-12638: Credential retrieval failed
  – SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
• Bugs.... (the AES keytab that the first note below recommends as a workaround is also the better choice on security grounds, since an RC4-HMAC key is the account's NT hash)
Reading list:
• Doc ID 1958479.1: "Bug 19931730, The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug: 19636771. The workaround for this is to use AES encryption in the keytab"
• Doc ID 1611643.1: Bug 17497520: KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
• Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain to realm mapping section.
• Doc ID 185897.1: Kerberos Troubleshooting Guide
• Master Note For Kerberos Authentication (Doc ID 1375853.1)
• WNA - Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database (Doc ID 294890.1): "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
• How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER) (Doc ID 2081984.1): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420 : KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
• Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC (Doc ID 1304004.1)
• Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
• Laurent Schneider: The long long route to Kerberos
• Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
• Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)
PKI: Certificates and Wallets
Database server:
1. Create an empty wallet
2. Generate a key and a certificate request
3. Have the request signed by the CA (e.g. CN=db12c)
4. Import the CA certificate (CN=myCA)
5. Import the signed certificate
Client:
1. Create an empty wallet
2. Generate a key and a certificate request
3. Have the request signed by the CA (e.g. CN=jans)
4. Import the CA certificate (CN=myCA)
5. Import the signed certificate
PKI: Server Wallet
$ mkdir $ORACLE_BASE/admin/loopds/pki
$ orapki wallet create -wallet $ORACLE_BASE/admin/loopds/pki -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -request ~/db12c.csr
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert db12c.pem -user_cert -pwd XXX
PKI: Client Wallet
$ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/client -auto_login -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -keysize 2048 -pwd XXX
$ orapki wallet export -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -request ~/jans.csr
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert myca.pem -trusted_cert -pwd XXX
$ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert jans.pem -user_cert -pwd XXX
Display Wallet
[oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:        CN=LOOPDS
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Only the LBO root is needed here; the public roots that orapki pre-loads (VeriSign, RSA, GTE) should be removed from the wallet, otherwise any certificate issued under one of them is accepted in the SSL handshake as well.
PKI: Listener Configuration (listener.ora)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484))
    )
  )
The plain TCP endpoint on 1521 stays open next to TCPS on 2484; enforcing TLS for all clients means removing or firewalling that endpoint as well.
PKI: TNS Configuration (sqlnet.ora)
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
NAMES.DIRECTORY_PATH = (TNSNAMES, HOSTNAME)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)
    )
  )
Login with User/Password over SSL
$ sqlplus user/pwd@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
-----------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
----------------------------------------------
PASSWORD
PKI: Login with Certificate
SQL> create user JANS identified externally as 'CN=jans';
SQL> grant create session to JANS;
$ sqlplus /@DB12C
Connected.
SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
-----------------------------------------
tcps
SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
----------------------------------------------
SSL
PKI: JDBC
• SSL can also be used via JDBC
• Integration is also possible via keytool
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
Properties props = new Properties();
props.setProperty("user", "scott");
props.setProperty("password", "tiger");
props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
Connection conn = DriverManager.getConnection(url, props);
This snippet only configures a trust store, so the server is authenticated by certificate while the user still logs in with a password; certificate login from JDBC additionally needs the client key and certificate in a javax.net.ssl.keyStore.
http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf
How to configure Oracle SQLDeveloper to use a SSL connection that was configured as per Note 401251.1
PKI: ODBC
Use the Oracle ODBC driver: Oracle Data Access Components (ODAC)
Be a Certificate Authority (CA)
• AD Certificate Services
• Commercial products
  – Also open source: EJBCA, OpenXPKI
• All steps are implemented in OpenSSL
  – Not to be confused with self-signed certificates
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem -infiles Reqs/$1.req
Note that -nodes leaves the root key unencrypted on disk and policy_anything accepts any subject name, so access to the signing host and to its request directory decides who can obtain a certificate.
Windows AD CA with Autoenrollment (screenshot)
Certificate Chaining for a Sub-CA (screenshot)
Jan Schreiber, Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | bi solutions
[email protected]  blogs.loopback.org
Thank you for your attention!