Password Policies in Oracle Access Manager
How to improve user authentication security for your Oracle E-Business Suite.
OGH Tech17

Andrejs Prokopjevs, Lead Applications Database Consultant


About me

© 2017 Pythian 2

Apps DBA from Riga, Latvia.

Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.

Andrejs Prokopjevs, Lead Applications Database Consultant

At Pythian since 2011

@aprokopjevs

[email protected]

https://www.pythian.com/blog/author/prokopjevs/


ABOUT PYTHIAN

Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete


TECHNICAL EXPERTISE


Infrastructure: Transforming and managing the IT infrastructure that supports the business

DevOps: Providing critical velocity in software deployment by adopting DevOps practices

Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth

Databases: Ensuring databases are reliable, secure, available and continuously optimized

Big Data: Harnessing the transformative power of data on a massive scale

Advanced Analytics: Mining data for insights & business transformation using data science

[Infographic: EXPERIENCED – systems currently managed by Pythian; GLOBAL – Pythian experts in 35 countries; EXPERTS – millennia of experience gathered and shared over 19 years; figures shown on the slide: 11,800 and 2400]

Agenda

• Why is this important?
• Password policy limitations in Oracle E-Business Suite.
• Implementation of password policy management in OAM. Why 11gR2.
• An example of the most common configuration.
• Demo.


Why is this important?


Why is this important?

• #1 - We now live in the “cloud” era.
• Fewer people / organizations are storing their sensitive data in an isolated local segment.
• Cloud services (SaaS / PaaS).
• And the shift is still only at the beginning.


Why is this important?

• #2 – Today’s hardware capacity.
• With modern CPU chip power it takes “seconds” to break your weak password.
• Standard dictionary word password: hours / days / weeks online, seconds offline.
• At least 10 characters with special characters: centuries online, years offline.
• Any idea how these statistics will change in the next 5-10 years?


Why is this important?

• #3 – Social Engineering.
• One of the most dreadful security concerns today.


Why is this important?

• A few examples:
• August 2014 – iCloud famous 10+ celebrity photo leak.
• May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012.
• August 2016 - 68 million Dropbox logins and password hashes leaked in 2012.
• September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014.
• October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen data stretched back over the last 20 years.


A few guidelines… as a starter

• #1 – Your password is the first line of defense. It is in your power to make it stronger.
• #2 – Today’s must-have – Two-Factor Authentication. New trend – Multi-Factor Authentication.
• #3 – Master rule – everything that is shared online must be considered “public”, regardless of the “privacy rules” set.


Oracle E-Business Suite


So what about Oracle E-Business Suite?

• Is it somehow different?
• No, Username / Password is the same first line of defense.

• Non-vulnerable product?
• ~10-20 quarterly released security fixes via CPU patch release.
• “Isolated in my local network” doesn’t mean you are not vulnerable.
• VPN / Work From Home / Bring Your Own Device is a risk.
• Internal threat.

• We are doing bi-yearly security awareness training.
• That’s great. But it’s not a 100% guarantee, is it?
• Enforcing password policies in your organization is something that could make that guarantee much stronger.


Standard password policy in Oracle E-Business Suite

• SIGNON_PASSWORD_% profile options.


Standard password policy in Oracle E-Business Suite

• SIGNON_PASSWORD_% profile options.
• Signon Password Case (SIGNON_PASSWORD_CASE).
▪ Case sensitivity for passwords.
• Signon Password Custom (SIGNON_PASSWORD_CUSTOM).
▪ Custom Java class which enables the use of a custom, client-specific password policy.
• Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT).
▪ Max number of unsuccessful login attempts before the lockout.
• Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS).
▪ Enables password requirements: 1) at least one letter and at least one number; 2) doesn’t contain the username; 3) doesn’t contain repeating characters.
• Signon Password Length (SIGNON_PASSWORD_LENGTH).
▪ Minimum length of a password.
• Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE).
▪ Number of days before reusing an earlier used password.

• With some cosmetic changes this hasn’t changed since 11i (10+ years).

Standard password policy in Oracle E-Business Suite

• Security User Define form (FNDSCAUS).
• Password expiration.
▪ Days – password lifetime.
▪ Accesses – how many times the user can log in before the password expires.
▪ None – no expiration.

• Password expiration is handled at the user level. There is no centralized control!!!

Does it look like a modern password policy of year 2017?

• Not really. :(
• But we have “Signon Password Custom” available.
• Custom Java class.
• Loaded to the database.
▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java
• Do I need to learn Java now and support this custom class?
• Do I need to code all these rules myself?

    package oracle.apps.fnd.security;
    ...
    if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) {
        return true;
    } else {
        return false;
    }

Does it look like a modern password policy of year 2016?


Standard password policy in Oracle E-Business Suite

• Non-reversible hash support for passwords.
• R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID 457166.1)
▪ Patch 21276707 - R12.1.x / R12.2.3+
▪ SHA-1 is deprecated!
▪ Patch 25430466: FND SECURITY RUP MAR-2017

Oracle Access Manager


History of the Password Policy implementation

• Oracle Single Sign-On 10g
• Password policy is controlled by Oracle Internet Directory standard password policies.
• SSO and OIDDAS pages support the UI.
• Full password lifecycle is managed, with some limitations.
• Full user management suite.

History of the Password Policy implementation

• Oracle Access Manager 10g
• Bound to its own Identity Server only, with a full user management suite.
• Full password lifecycle is managed.
• Based on Oblix schema object classes and attributes.
• LDAP directory own policies should be the same or weaker, or even just disabled.
• “validate_password” – the only standard authentication plugin that supports the built-in password policy management.
• 0 successful production implementations seen in practice. Mostly because of the customization requirements (multi domain and multi user sub-tree support, non-Oblix schema attribute requirement, and more).
• Usually replaced with an external User Management system directly managing the LDAP directory.

History of the Password Policy implementation

• Oracle Access Manager 11g Release 1
• Independent Oracle Access Manager is finally here.
• You can use most of the LDAP v3 compliant directories. No dependency on schema and attributes.

• But... Password policy support is removed. :(
• You can use the LDAP directory’s own policies, but for OAM it is an LDAP error, which just ends with a system error.

• Only Oracle Identity Manager (OIM) integration with OAM provides the full user management suite, the desired password policy implementation and UI support for the full password lifecycle.
• $$$ :)

History of the Password Policy implementation

• Oracle Access Manager 11g Release 2
• Same old independent OAM 11g, overall.
• But on steroids (integrated federation, mobile and social, and many more).

• Basic password policy support is back and free. :)
• LDAP directory own policies should be the same or weaker, or disabled.

• Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more advanced” policy implementation with UI support for the full password lifecycle, self services, and a full user management suite.
• $$$ … nothing changed

OAM 11gR2 native password policy – what is it?

• Most of the current modern rules are there.
• Expiration and Lockout support.
• Provides the “UserPasswordPolicyPlugin” authentication plugin that can be used with various combinations of authentication workflow.

OAM 11gR2 native password policy – what is it?

• It is still based on the OAM 10g Oblix schema object classes and attributes.
• But only the attributes related to password management are mandatory:
▪ obPasswordCreationDate
▪ obPasswordHistory
▪ obPasswordChangeFlag
▪ obuseraccountcontrol
▪ obpasswordexpirydate
▪ obLockoutTime
▪ obLoginTrvCount
▪ oblastsuccessfullogin
▪ oblastfailedlogin

• For user data reference – you have a choice. Usable for OAM 10g upgrade scenarios.
• It is not mandatory to pre-assign Oblix object classes to your existing user entries.

• IMPORTANT: the Bind DN user configured in the User Identity Store must have the required ACI permissions to adjust these attributes!!!

OAM 11gR2 native password policy – what is it NOT?

• It is NOT a complete password lifecycle management tool.
• Self service is missing: password change on demand, forgot your password.

• Standard UI pages require a valid OAM authentication request id.
• Direct access just ends with a system error.

• Customization is a solution.
• Login page customization is supported by both ECC and DCC.
• Password Policy page customization is supported only by DCC.
▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD SERVICE PAGES
▪ Was targeted for release 11.1.2.3.0, but it’s not there yet.

• Or implement OIM. $$$ :)

More advantages of Oracle Access Manager

• Windows Native Authentication
• Kerberos / RADIUS
• Certificates
• Social (Google, Facebook, more)

• Multi-Factor authentication support.
• RSA (same RADIUS)
• OTP – Oracle Mobile Authenticator.
• Update: Officially Google Authenticator compliant.

Sorry Windows Mobile users…

Licensing

• Oracle Access Manager is separately licensed.
• Oracle E-Business Suite implementation requires an Oracle Internet Directory (Oracle Unified Directory supported from R12.2.5 only) – again licensed separately.

• Standard pack:
▪ Oracle Directory Services Plus.
▪ Oracle Access Manager.
▪ Both are covered by the Oracle Identity and Access Management Suite Plus license pack.
• Also includes Oracle Identity Manager.
▪ A separate database license is not required if the database is used only for Metadata Repository data.

• “Extra” features of OAM require additional licensing.
▪ Like Mobile and Social for OTP.

Example of most common configuration


Configuring the password policy

• OAM Console
• Application Security – Password Policy

• Full reference: Administrator's Guide for Oracle Access Management
24.3.1 Password Policy Configuration Page
https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-7850A074-9EE3-45EE-9150-5DD96B9D13CD.htm#GUID-200E3E90-21CC-439C-BF4E-0468CA455148__BABDBBHE

Configuring the password policy

• OAM Console
• Application Security – Password Policy

• The console does its own math. If something is not in line, there will be a warning.
• Example: if we put the value 1 into both the Minimum Uppercase Characters and Minimum Lowercase Characters fields, then the Minimum Alphabetic Characters value is expected to be the sum of the two.
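To put the two policy models side by side, the following added Python example (not code from the presentation or from Oracle) implements the EBS SIGNON_PASSWORD_% rules from the earlier slide next to a model of the OAM console policy, and reproduces the console consistency warning described above. Only the Minimum Uppercase / Lowercase / Alphabetic Characters labels come from the slides; the other field names, and the reading of the EBS "repeating characters" rule as two identical characters in a row, are assumptions.

```python
"""Password policy model: OAM 11gR2 console settings next to the Oracle
E-Business Suite SIGNON_PASSWORD_% checks, applied to the same candidates.

Added example, not code from the presentation or from Oracle. Fields marked
"console" mirror labels named in the slides; the other fields are assumed,
and the EBS 'repeating characters' rule is interpreted as two identical
characters in a row (assumption)."""
from __future__ import annotations

import string
from dataclasses import dataclass

SPECIAL = set(string.punctuation)


@dataclass
class OamPasswordPolicy:
    min_length: int = 10                 # assumed: Minimum Password Length
    min_uppercase: int = 1               # console: Minimum Uppercase Characters
    min_lowercase: int = 1               # console: Minimum Lowercase Characters
    min_alphabetic: int = 2              # console: Minimum Alphabetic Characters
    min_numeric: int = 1                 # assumed: Minimum Numeric Characters
    min_special: int = 1                 # assumed: Minimum Special Characters
    can_include_username: bool = False   # console: "Can Include ..." family

    def consistency_warnings(self) -> list[str]:
        """The console 'does its own math': alphabetic must cover upper + lower,
        and the minimum length must leave room for every per-class minimum."""
        warnings = []
        if self.min_alphabetic < self.min_uppercase + self.min_lowercase:
            warnings.append("Minimum Alphabetic Characters must be at least "
                            "Minimum Uppercase + Minimum Lowercase")
        if self.min_length < self.min_alphabetic + self.min_numeric + self.min_special:
            warnings.append("Minimum Password Length is below the sum of the "
                            "per-class minimums")
        return warnings

    def violations(self, username: str, password: str) -> list[str]:
        """Rules the candidate breaks; an empty list means it is accepted."""
        counts = {
            "uppercase": sum(c.isupper() for c in password),
            "lowercase": sum(c.islower() for c in password),
            "alphabetic": sum(c.isalpha() for c in password),
            "numeric": sum(c.isdigit() for c in password),
            "special": sum(c in SPECIAL for c in password),
        }
        minimums = {
            "uppercase": self.min_uppercase, "lowercase": self.min_lowercase,
            "alphabetic": self.min_alphabetic, "numeric": self.min_numeric,
            "special": self.min_special,
        }
        found = []
        if len(password) < self.min_length:
            found.append(f"shorter than {self.min_length} characters")
        found += [f"too few {k} characters" for k, m in minimums.items() if counts[k] < m]
        if not self.can_include_username and username.lower() in password.lower():
            found.append("contains username")
        return found


def ebs_hard_to_guess_violations(username: str, password: str,
                                 min_length: int = 8) -> list[str]:
    """SIGNON_PASSWORD_HARD_TO_GUESS rules as listed in the deck, plus
    SIGNON_PASSWORD_LENGTH. Nothing here can demand upper-case or special
    characters: that is the gap the OAM policy closes."""
    found = []
    if len(password) < min_length:
        found.append(f"shorter than {min_length} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        found.append("needs at least one letter and one number")
    if username.lower() in password.lower():
        found.append("contains username")
    if any(a == b for a, b in zip(password, password[1:])):  # assumption: consecutive
        found.append("contains repeating characters")
    return found


if __name__ == "__main__":
    policy = OamPasswordPolicy()
    for user, pwd in [("jdoe", "Winter2017"), ("jdoe", "Jdoe-2017!"), ("jdoe", "W1nter-2017!")]:
        print(f"{pwd:13} EBS: {ebs_hard_to_guess_violations(user, pwd) or 'ok'}")
        print(f"{'':13} OAM: {policy.violations(user, pwd) or 'ok'}")
    # Reproduces the console warning from the slide: upper 1 + lower 1 > alphabetic 1.
    print("console:", OamPasswordPolicy(min_alphabetic=1).consistency_warnings())
```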


User Identity Store

• OAM Console
• Configuration – User Identity Stores

• Password Management feature must be enabled.
• “Use Oblix User Schema” – if we use the full Oblix schema for everything.
• If disabled, only password lifecycle attributes are in use.
• The other 4 parameters are needed to point to the correct attributes to be used with the “Can Include X” policies.

User Identity Store

• OAM Console
• Configuration – User Identity Stores

• Do not forget about the mandatory Oblix attributes in use!
• “Bind DN” LDAP user should have WRITE permissions to manage these attributes.
• Also to add the required object classes to the user entry if found missing.
• Do not use a super user account like I do here :)

User Identity Store

• ACI grant example (Oracle Unified Directory)

    ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
    -
    add: aci
    aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
    -
    add: aci
    aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount || oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user attribute level aci write example"; allow (write) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
    EOF

User Identity Store

• Reminder about the LDAP directory’s own password policy.
• Policy should be set the same or weaker.
• Or just completely disabled.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Let us create a new module with the name “LDAP_EBS_with_password_policy”.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• 3 steps to be configured:
• User Identification Step
• User Authentication Step
• User Password Status Step
▪ The one that triggers the policy.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Identification Step
▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME})
▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore)
▪ KEY_SEARCH_BASE_URL: leave empty for the plugin to use the default Identity Store’s User Search Base DN.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Authentication Step
▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore)
▪ KEY_PROP_AUTHN_EXCEPTION: enables the propagation of LDAP errors. Must be TRUE if the password policy plugin is used in the chain.
▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL parameters are not yet documented.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Password Status Step
▪ PLUGIN_EXECUTION_MODE: this plugin can be used as a replacement for the User Authentication Plugin too, but we are going to set it to PSWDONLY for a separate 3rd step.
▪ OBJECTCLASS_EXTENSION_SUPPORTED: must be set to TRUE in order to automatically adjust affected user entries with Oblix object classes.
▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore)

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Password Status Step
▪ URL_ACTION: redirection behavior between the pages, default REDIRECT_POST.
▪ NEW_USERPSWD_BEHAVIOR: action for a new user entry not yet covered by the policy; we will enable it via FORCEPASSWORDCHANGE.
  • Actually should be FORCECHANGEPASSWORD. Documentation bug.
  • Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password Changes for Existing Passwords Not Working (Doc ID 1563172.1)
▪ POLICY_SCHEMA: just OAM10G, as everything is based on Oblix schema standards.
▪ CHALLENGES_SUPPORTED: this parameter is not yet documented, default FALSE.
▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE.

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Full parameter reference: Administrator's Guide for Oracle Access Management
Table 24-8 User Password Step Details
https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Workflow

Configure EBS to use the new Authentication Module

• OAM Console
• Application Security – Access Manager – Authentication Schemes

• Expecting that EBS is already integrated.
▪ Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)

• EBSAuthScheme
▪ Authentication Module: LDAP_EBS_with_password_policy
▪ Challenge Parameters: OverrideRetryLimit=0

Testing

• Did I forget something important to mention?

• Hint:

    <LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute oblastsuccessfullogin which is not allowed by any of the objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'

LDAP directory schema extension

• We forgot the Oblix schema extension.
• Reference: Administrator's Guide for Oracle Access Management

• OUD example:
▪ Object classes: oblixPersonPwdPolicy and oblixorgperson
▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol, obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin

    ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd -f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif

Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers
https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA-2A69CDEA50FB__CFFEJEEE
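As an added pre-flight check (example code, not part of the presentation or of Oracle's tooling), the Python below parses an LDIF export of cn=schema together with the ACI values of the user base entry and reports which of the nine Oblix attributes or two object classes are undefined and which attributes the Bind DN cannot write, so the schema error from the Testing slide and an ACI gap from the User Identity Store slides surface before the first login attempt. The schema and ACI samples are constructed, with placeholder OIDs.

```python
"""Pre-flight check for the two directory prerequisites the deck runs into: the
Oblix schema extension (LIBOVD-40082: oblastsuccessfullogin not allowed by any
object class) and the Bind DN's write ACI on the password lifecycle attributes.
Added example, not from the presentation or Oracle; samples below are constructed."""
from __future__ import annotations

import re

REQUIRED_ATTRIBUTES = [
    "obPasswordCreationDate", "obPasswordHistory", "obPasswordChangeFlag",
    "obuseraccountcontrol", "obpasswordexpirydate", "obLockoutTime",
    "obLoginTrvCount", "oblastsuccessfullogin", "oblastfailedlogin",
]
REQUIRED_OBJECTCLASSES = ["oblixPersonPwdPolicy", "oblixorgperson"]
REQUIRED_WRITABLE = REQUIRED_ATTRIBUTES + ["userPassword"]  # the plugin resets passwords too
NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'")

def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def schema_names(schema_ldif: str, kind: str) -> set[str]:
    """Lower-cased names defined by 'attributeTypes' or 'objectClasses' values."""
    names: set[str] = set()
    for line in unfold_ldif(schema_ldif):
        if line.lower().startswith(kind.lower() + ":") and (m := NAME_RE.search(line)):
            names.add(m.group(1).lower())
    return names

def writable_attributes(aci_values: list[str], bind_dn: str) -> set[str] | None:
    """Attributes the bind DN may write per the ACIs; None means everything ('*')."""
    writable: set[str] = set()
    for aci in aci_values:
        allow = re.search(r"allow\s*\(([^)]*)\)", aci)
        userdn = re.search(r'userdn="ldap:///([^"]+)"', aci)
        if not allow or not userdn or userdn.group(1).lower() != bind_dn.lower():
            continue
        rights = {p.strip().lower() for p in allow.group(1).split(",")}
        if not rights & {"write", "all"}:
            continue
        target = re.search(r'targetattr="([^"]*)"', aci)
        if target is None or target.group(1).strip() == "*":
            return None  # the "super user" case the deck warns against
        writable.update(a.strip().lower() for a in target.group(1).split("||"))
    return writable

def preflight(schema_ldif: str, aci_values: list[str], bind_dn: str) -> dict[str, list[str]]:
    """Report what would make the User Password Status Step fail at runtime."""
    attrs = schema_names(schema_ldif, "attributeTypes")
    classes = schema_names(schema_ldif, "objectClasses")
    writable = writable_attributes(aci_values, bind_dn)
    return {
        "missing_attributes": [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs],
        "missing_objectclasses": [c for c in REQUIRED_OBJECTCLASSES if c.lower() not in classes],
        "unwritable_attributes": [] if writable is None
        else [a for a in REQUIRED_WRITABLE if a.lower() not in writable],
    }

# Constructed cn=schema export (placeholder OIDs); oblastsuccessfullogin is left undefined.
SAMPLE_SCHEMA = "dn: cn=schema\n" + "\n".join(
    f"attributeTypes: ( 1.2.3.4.{i} NAME '{name}' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"
    for i, name in enumerate(REQUIRED_ATTRIBUTES) if name != "oblastsuccessfullogin"
) + """
objectClasses: ( 1.2.3.4.100 NAME 'oblixPersonPwdPolicy' SUP top AUXILIARY
  MAY ( obPasswordCreationDate $ obPasswordHistory $ obPasswordChangeFlag ) )
objectClasses: ( 1.2.3.4.101 NAME 'oblixorgperson' SUP top AUXILIARY MAY ( obLockoutTime ) )
"""

BIND_DN = "cn=oam_user,ou=application,dc=example,dc=com"
# Constructed ACIs in the shape of the slide's example; obLoginTrvCount is missing from the write grant.
SAMPLE_ACIS = [
    f'(targetattr="*")(version 3.0; acl "read"; allow (read,search,compare) userdn="ldap:///{BIND_DN}";)',
    '(targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || '
    'obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || oblastsuccessfullogin || '
    f'oblastfailedlogin || userPassword")(version 3.0; acl "write"; allow (write) userdn="ldap:///{BIND_DN}";)',
]

if __name__ == "__main__":
    for key, value in preflight(SAMPLE_SCHEMA, SAMPLE_ACIS, BIND_DN).items():
        print(f"{key}: {value or 'ok'}")
```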


Summary

• Even the latest R12.2.7 is not meeting today’s modern password policy standards out-of-the-box. We can code a custom Java class, but that requires Java skills, courage, luck, and a good release management process.

• Oracle Access Manager is the only certified SSO solution for EBS. It has support for today’s standards, but costs additional resources, is a separate component, and is separately licensed.

• 11gR2 upgrade is highly recommended. Provides support for other more secure authentication methods, like Multi-Factor Authentication.

• Password policy setup is well documented and quite straightforward.
• Except for the few nuances noted. :)

Demo

THANK YOU
Q & A