PPT
【文档说明】les__Proxy数据库安全审计课件.ppt,共(25)页,237.501 KB,由小橙橙上传
转载请保留链接:https://www.ichengzhen.cn/view-92278.html
以下为本文档部分文字说明:
Copyright©2009,Oracle.Allrightsreserved.UsingProxyAuthenticationCopyright©2009,Oracle.Allrightsreserved.9-
2ObjectivesAftercompletingthislesson,youshouldbeabletodothefollowing:•Describehowproxyauthenticationworks•Manageusersa
uthenticatedbyproxyauthentication•AuditusersauthenticatedbyproxyCopyright©2009,Oracle.Allrightsreserved.9-3UserAuthenticationI
dentifytheuserinthefollowingways:•Basicauthentication–Databaseuseridentifiedbyapassword–Databaseuseridentifiedbytheoperatingsystem
•Strongauthentication•EnterpriseUserSecurity•ProxyauthenticationCopyright©2009,Oracle.Allrightsreserved.9-4SecurityChall
engesofThree-TierComputing•Identifytherealuser•Authenticatetheendusertothedatabase•Restricttheprivilegesofthemi
ddletierApplicationserverDatabaseUserCopyright©2009,Oracle.Allrightsreserved.9-5IdentifyingtheRealUser•Thedatabaseneedstheend-useridentit
yforthefollowingsecurityfunctions:–Authentication–Dataaccesscontrol–Auditing•Application-levelsecurityrequiresthat:–Securitymustbecodedineve
ryapplication–ApplicationsmustbetheonlymethodtoaccessthedataApplicationserverDatabaseUserAbuserCopyright©2009,Oracle.Allrightsreserved.9-7Commo
nImplementationsofAuthentication•Passthrough:Theuserisunknowntotheapplication.•Onebig-applicationuser:Theuserisunknowntothedatabase.
•Othermethods:–Theuserisreauthenticatedtothedatabase.–Theuserisidentifiedtothedatabase.–Theuserisproxied.Appl
icationserverDatabaseUserCopyright©2009,Oracle.Allrightsreserved.9-9UserReauthenticationTypesofauthentication
inthree-tiersystems:•Middletier-to-databaseauthentication•Client-to-middletierauthentication•Clientreauthenticationthroughthemiddletiertothedata
base:–Doestheenduserneedtologinmultipletimes?–Cantheenduser’sdatabaseaccountinformationbestoredintheapplication?–Cantheuserbeauthenticatedbyusi
ngLightweightDirectoryAccessProtocol(LDAP)?–Point-to-pointprotocols,suchassecuresocketslayer(SSL),canauthentic
atetoonlyonenode.•SingleauthenticationCopyright©2009,Oracle.Allrightsreserved.9-11RestrictingthePrivilegesoftheMiddleTier•Middletierwithhighprivileg
es:–Connectswithonedatabaseuserforallapplicationusers–Hasallprivilegesforallapplicationusersforallconn
ections–Doesnotidentifytheendusertothedatabase.•Middletierwithlimitedprivileges:–Adjustsprivilegesbyuseridentity
–MayidentifyusertodatabaseCopyright©2009,Oracle.Allrightsreserved.9-12ImplementingProxyAuthenticationSolutionsProxyauthenticationsolutionsdependon
thetypeoftheenduser:•Knowntothedatabase:–Databaseuserandenterpriseuser–Possibletoreauthenticatetothedatabase–
Auditingactionstakenonbehalfoftherealuser•Unknowntothedatabase:–Enduserknownonlytotheapplication–Supportfor
application-usermodels–LimitingtheprivilegeofthemiddletierCopyright©2009,Oracle.Allrightsreserved.9-14AuthenticatingDatabaseandEn
terpriseUsers•UseOracleCallInterface(OCI)orJavaDatabaseConnectivity(JDBC).•Theauthenticationprocessincludesthefollowingsteps:1
.Theclientauthenticatestothemiddletier.2.Themiddletierauthenticatestothedatabase.3.Themiddletiercreatestheend
user’ssession.4.Thedatabaseverifiesthatthemiddletiercan:—Createthesessionfortheuser—Assigntherolesassignedtotheuser•Databas
euserscanbe:–Authenticatedtotheapplicationserver–ReauthenticatedtothedatabaseCopyright©2009,Oracle.Allrightsreserved.9-16UsingProxyAuthent
icationforDatabaseUsers•Authenticatetheuserwithoutadatabasepassword:•Authenticatetheuserwithadatabasepassword:ALTERUSER
phallGRANTCONNECTTHROUGHAPPSVR;ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATIONREQUIREDPASSWORD;Copyright©2009
,Oracle.Allrightsreserved.9-18UsingProxyAuthenticationforEnterpriseUsers•Authenticatetheuserwithadistinguishedname:•Authenticatetheuserw
ithacertificate:ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATEDUSINGDISTINGUISHEDNAME;ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRA
UTHENTICATEDUSINGCERTIFICATETYPE'X.509'VERSION'3';Copyright©2009,Oracle.Allrightsreserved.9-20ProxyAccessThro
ughSQL*PlusProxyaccessthroughSQL*Pluswhen:•Userisknowntothedatabase•Userisunknowntothedatabase(EnterpriseUserProxy)CONNECTrajeev[APPSVR]/rajeev_p
wdCONNECTAPPSVR[PHALL]/appsvr_pwdCopyright©2009,Oracle.Allrightsreserved.9-21EnterpriseUserProxyUseenterpriseus
erswithcurrentapplications.•Letthedirectoryauthenticatetheusers.•Connectasadatabaseuser.CONNECTgeorge[APPSVR]/george_pwdgeorgegeorge[APPSVR]A
PPSVRCopyright©2009,Oracle.Allrightsreserved.9-22EnterpriseUserProxy:ExampleCONNECTRAJEEV[PARTS_GUEST]/pwdCONNECTJIM[PARTS_GUEST]/pwdRajee
vJimPARTS_DBCopyright©2009,Oracle.Allrightsreserved.9-24RevokingProxyAuthentication•Revokeproxyauthen
ticationthroughamiddletier:•DonotusetheAUTHENTICATEDUSINGorAUTHENTICATIONREQUIREDclausewithREVOKE.ALTERUSERphallREVOKECONNECTTHROUG
HAPPSVR;Copyright©2009,Oracle.Allrightsreserved.9-25Application-UserModel•UsetheOCI,thinJDBC,orthickJDBC.•End-useridentityissetbythemiddletie
r.•Theauthenticationprocessisasfollows:1.Themiddletierauthenticatestothedatabase.2.Theenduserauthenticatestothemiddletier.3.Themiddletieralloca
tesasessiontotheuser,identifyingtheuserwithclient_identifier.4.Optionally,themiddletiercanenablerolestorestricttheprivilegesof
theuser.•Examples:–Certificate–ApplicationusernameandpasswordCopyright©2009,Oracle.Allrightsreserved.9-27DataDictionaryViewsforProxyAuthentication•
DBA_PROXIES:Allproxyconnections•USER_PROXIES:Connectionsthatthecurrentuserisallowedtoproxy•PROXY_USERS:
Userswhocanassumetheidentityofotherusers•V$SESSION_CONNECT_INFO:Networkconnectionsforallcurrentsessions•V$SESSIO
N:Session-connectdetails:–ThePROGRAMcolumnshows―proxy-user…‖–TheMODULEcolumnshows―proxy-user…‖Copyright©2009,Oracle.Allrightsreserved
.9-28DataDictionaryViews:DBA_PROXIESandUSER_PROXIESSQL>SELECTproxy,client,authentication,2authorization_constra
int3FROMdba_proxiesPROXYCLIENTAUTHAUTHORIZATION_CONSTRAINT--------------------------------------------------HRUSERPHALL
NOPROXYMAYACTIVATEROLEAPPSVRPHALLNONOCLIENTROLESMAYBEACTIVATEDHRUSERPFAYYESPROXYMAYACTIVATEALLCLIENTROLESCopyright©2009,Oracl
e.Allrightsreserved.9-29DataDictionaryViews:V$SESSION_CONNECT_INFOSQL>selectSID,AUTHENTICATION_TYPE,2OS
USER,NETWORK_SERVICE_BANNER3fromv$session_connect_infowhereSID=148;SIDAUTHENTICAOSUSERNETWORK_SERVICE_BANNER---------------
---------------------------------------------148DATABASEoracleTCP/IPNTProtocolAdapterforLinux:Version11.1.0.6.0-Production148DATABASEoracleOrac
leAdvancedSecurity:encryptionserviceforLinux:Version11.1.0.6.0-Production148DATABASEoracleOracleAdvancedSecurity:crypto
-checksummingserviceforLinux:Version11.1.0.6.0-ProductionCopyright©2009,Oracle.Allrightsreserved.9-30AuditingActio
nsTakenonBehalfoftheRealUser•AuditSELECTsontheEMPLOYEEStablethatHRAPPSERVERinitiatesforPHALLasfollows:•AuditSELECTsontheEMPLOYEEStablethatHR
APPSERVERinitiatesforanyuserasfollows:•ThestatementsinthisslideauditonlySELECTsinitiatedbyHRAPPSERVER.•YoucannotauditCONNECTONBEHALFOF
'DN'.AUDITSELECTTABLEONemployeesBYhrappserverONBEHALFOFphall;AUDITSELECTTABLEONemployeesBYhrappserverONBEHALFOFANY;Copyright©2009,Oracle.A
llrightsreserved.9-32DataDictionaryViews:DBA_STMT_AUDIT_OPTS•DBA_STMT_AUDIT_OPTSdescribesthecurrentsystemauditingoptions.•USE
R_NAMEcolumn:–ANYCLIENT:Auditingaccessbyaproxy–NULL:Systemwideauditing•PROXY_NAMEcolumn:–Thenameoftheproxyuserperforminganoperationfortheclient–N
ULLiftheclientisperformingtheoperationdirectlyCopyright©2009,Oracle.Allrightsreserved.9-33DataDictionaryViews:DBA_AUDIT_TRAIL•Theseviewslista
udit-trailentries:–DBA_AUDIT_TRAIL–USER_AUDIT_TRAIL•TheCOMMENT_TEXTcolumncanindicatehowtheuserhasbeenauthenticated:–
DATABASE:Authenticationdonebythepassword–NETWORK:AuthenticationdonebyOracleNetServicesorOracleAdvancedSecur
ity–PROXY:Authenticationbyanotheruser–EXTERNALNAME:Thedistinguishedname(DN)oftheEnterpriseUserSecurity(EUS)userCopyright©2009,Or
acle.Allrightsreserved.9-34Practice9Overview:ImplementingProxyAuthenticationThispracticecoversthefollowingtopics:•Implementingandtestingdataba
seproxyauthentication•ImplementingEUSproxyCopyright©2009,Oracle.Allrightsreserved.9-35SummaryInthislesson,youshouldhavelearne
dhowto:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication•Auditusersauthenticatedbyproxy
辽公网安备 21102102000191号
营业执照
