PPT
【文档说明】les__Proxy数据库安全审计课件.ppt,共(25)页,237.501 KB,由小橙橙上传
转载请保留链接:https://www.ichengzhen.cn/view-92278.html
以下为本文档部分文字说明:
Copyright©2009,Oracle.Allrightsreserved.UsingProxyAuthenticationCopyright©2009,Oracle.Allrightsreserved.9-2ObjectivesAftercompletingthislesson,
youshouldbeabletodothefollowing:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication•Audi
tusersauthenticatedbyproxyCopyright©2009,Oracle.Allrightsreserved.9-3UserAuthenticationIdentifytheuserinthefollowingways:•Bas
icauthentication–Databaseuseridentifiedbyapassword–Databaseuseridentifiedbytheoperatingsystem•Strongauthentication•Enterprise
UserSecurity•ProxyauthenticationCopyright©2009,Oracle.Allrightsreserved.9-4SecurityChallengesofThree-TierComputing•Ide
ntifytherealuser•Authenticatetheendusertothedatabase•RestricttheprivilegesofthemiddletierApplicationserverDatabaseUserCopyright©2009,O
racle.Allrightsreserved.9-5IdentifyingtheRealUser•Thedatabaseneedstheend-useridentityforthefollowingsecu
rityfunctions:–Authentication–Dataaccesscontrol–Auditing•Application-levelsecurityrequiresthat:–Securitymustbecodedineveryapplication–
ApplicationsmustbetheonlymethodtoaccessthedataApplicationserverDatabaseUserAbuserCopyright©2009,Oracle.Allrigh
tsreserved.9-7CommonImplementationsofAuthentication•Passthrough:Theuserisunknowntotheapplication.•Onebig-applicationuse
r:Theuserisunknowntothedatabase.•Othermethods:–Theuserisreauthenticatedtothedatabase.–Theuserisidentifiedtot
hedatabase.–Theuserisproxied.ApplicationserverDatabaseUserCopyright©2009,Oracle.Allrightsreserved.9-9UserReauthenticationTypesofauthent
icationinthree-tiersystems:•Middletier-to-databaseauthentication•Client-to-middletierauthentication•Clientreauthenticationthroughthe
middletiertothedatabase:–Doestheenduserneedtologinmultipletimes?–Cantheenduser’sdatabaseaccountinformationbestor
edintheapplication?–CantheuserbeauthenticatedbyusingLightweightDirectoryAccessProtocol(LDAP)?–Point-to-pointpr
otocols,suchassecuresocketslayer(SSL),canauthenticatetoonlyonenode.•SingleauthenticationCopyright©2009,Oracl
e.Allrightsreserved.9-11RestrictingthePrivilegesoftheMiddleTier•Middletierwithhighprivileges:–Connectswithonedatabaseuserforallapplicationusers–H
asallprivilegesforallapplicationusersforallconnections–Doesnotidentifytheendusertothedatabase.•Middle
tierwithlimitedprivileges:–Adjustsprivilegesbyuseridentity–MayidentifyusertodatabaseCopyright©2009,Oracle.Allrightsreserved.9-12ImplementingProxy
AuthenticationSolutionsProxyauthenticationsolutionsdependonthetypeoftheenduser:•Knowntothedatabase:–Datab
aseuserandenterpriseuser–Possibletoreauthenticatetothedatabase–Auditingactionstakenonbehalfoftherealuser•Unknowntothed
atabase:–Enduserknownonlytotheapplication–Supportforapplication-usermodels–LimitingtheprivilegeofthemiddletierCopyright©20
09,Oracle.Allrightsreserved.9-14AuthenticatingDatabaseandEnterpriseUsers•UseOracleCallInterface(OCI)orJavaDatabaseConnectivity(JDBC).•Theau
thenticationprocessincludesthefollowingsteps:1.Theclientauthenticatestothemiddletier.2.Themiddletierauthenticatestoth
edatabase.3.Themiddletiercreatestheenduser’ssession.4.Thedatabaseverifiesthatthemiddletiercan:—Createthesessionfortheuser—Assigntherolesassignedtothe
user•Databaseuserscanbe:–Authenticatedtotheapplicationserver–ReauthenticatedtothedatabaseCopyright©2009,Oracle.Allrightsreserved.9-16
UsingProxyAuthenticationforDatabaseUsers•Authenticatetheuserwithoutadatabasepassword:•Authenticatetheuserwithadatabasepassword:ALT
ERUSERphallGRANTCONNECTTHROUGHAPPSVR;ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATIONREQUIREDPASSWORD;Copyri
ght©2009,Oracle.Allrightsreserved.9-18UsingProxyAuthenticationforEnterpriseUsers•Authenticatetheuserwithadistinguishedname:•Authen
ticatetheuserwithacertificate:ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATEDUSINGDISTINGUISHEDNAME;ALTERUSERphallGRANTCONN
ECTTHROUGHAPPSVRAUTHENTICATEDUSINGCERTIFICATETYPE'X.509'VERSION'3';Copyright©2009,Oracle.Allrightsreserved.9-20Pr
oxyAccessThroughSQL*PlusProxyaccessthroughSQL*Pluswhen:•Userisknowntothedatabase•Userisunknowntothedatabase(EnterpriseUserProxy)CO
NNECTrajeev[APPSVR]/rajeev_pwdCONNECTAPPSVR[PHALL]/appsvr_pwdCopyright©2009,Oracle.Allrightsreserved.9-21EnterpriseUserProxyUseenterpriseuserswit
hcurrentapplications.•Letthedirectoryauthenticatetheusers.•Connectasadatabaseuser.CONNECTgeorge[APPSVR]/g
eorge_pwdgeorgegeorge[APPSVR]APPSVRCopyright©2009,Oracle.Allrightsreserved.9-22EnterpriseUserProxy:ExampleCONNECTRAJEEV[PARTS_G
UEST]/pwdCONNECTJIM[PARTS_GUEST]/pwdRajeevJimPARTS_DBCopyright©2009,Oracle.Allrightsreserved.9-24RevokingProxyAuthe
ntication•Revokeproxyauthenticationthroughamiddletier:•DonotusetheAUTHENTICATEDUSINGorAUTHENTICATIONREQUIREDclausewithREVOKE.ALTERUSERphall
REVOKECONNECTTHROUGHAPPSVR;Copyright©2009,Oracle.Allrightsreserved.9-25Application-UserModel•UsetheOCI,thinJDBC,orthickJDBC.•En
d-useridentityissetbythemiddletier.•Theauthenticationprocessisasfollows:1.Themiddletierauthenticatestothedatabase.2.Theenduserauthenticatesto
themiddletier.3.Themiddletierallocatesasessiontotheuser,identifyingtheuserwithclient_identifier.4.Optionally,themiddletiercanenablerolestorest
ricttheprivilegesoftheuser.•Examples:–Certificate–ApplicationusernameandpasswordCopyright©2009,Oracle.Allright
sreserved.9-27DataDictionaryViewsforProxyAuthentication•DBA_PROXIES:Allproxyconnections•USER_PROXIES:Connect
ionsthatthecurrentuserisallowedtoproxy•PROXY_USERS:Userswhocanassumetheidentityofotherusers•V$SESSION_CONNECT_INFO:
Networkconnectionsforallcurrentsessions•V$SESSION:Session-connectdetails:–ThePROGRAMcolumnshows―proxy-user…‖–TheMOD
ULEcolumnshows―proxy-user…‖Copyright©2009,Oracle.Allrightsreserved.9-28DataDictionaryViews:DBA_PROXIESandUSER_PROXIES
SQL>SELECTproxy,client,authentication,2authorization_constraint3FROMdba_proxiesPROXYCLIENTAUTHAUTHORIZATION_CONS
TRAINT--------------------------------------------------HRUSERPHALLNOPROXYMAYACTIVATEROLEAPPSVRPHALLNONOCLIENTROLESMAYBEACTIVA
TEDHRUSERPFAYYESPROXYMAYACTIVATEALLCLIENTROLESCopyright©2009,Oracle.Allrightsreserved.9-29DataDictionaryViews:V$SESSION_CONNECT
_INFOSQL>selectSID,AUTHENTICATION_TYPE,2OSUSER,NETWORK_SERVICE_BANNER3fromv$session_connect_infowhereSID=148;SIDAUTHENTICAOSUSERNETWORK_S
ERVICE_BANNER------------------------------------------------------------148DATABASEoracleTCP/IPNTProtocolAdapter
forLinux:Version11.1.0.6.0-Production148DATABASEoracleOracleAdvancedSecurity:encryptionserviceforLinux:Version11.1.0.6.0-Production148DATABASEoracl
eOracleAdvancedSecurity:crypto-checksummingserviceforLinux:Version11.1.0.6.0-ProductionCopyright©2009,Oracle.Allrightsreserved.9-30A
uditingActionsTakenonBehalfoftheRealUser•AuditSELECTsontheEMPLOYEEStablethatHRAPPSERVERinitiatesforPHALLasfollows:•AuditSELECTsontheEMPLOYEEStablet
hatHRAPPSERVERinitiatesforanyuserasfollows:•ThestatementsinthisslideauditonlySELECTsinitiatedbyHRAPPSERVER.•Youcannotaudit
CONNECTONBEHALFOF'DN'.AUDITSELECTTABLEONemployeesBYhrappserverONBEHALFOFphall;AUDITSELECTTABLEONemployeesBYhrappse
rverONBEHALFOFANY;Copyright©2009,Oracle.Allrightsreserved.9-32DataDictionaryViews:DBA_STMT_AUDIT_OPTS•DBA_STMT_AUDIT_OPTSdescribesthecurrentsyste
mauditingoptions.•USER_NAMEcolumn:–ANYCLIENT:Auditingaccessbyaproxy–NULL:Systemwideauditing•PROXY_NAMEcolumn:–Thena
meoftheproxyuserperforminganoperationfortheclient–NULLiftheclientisperformingtheoperationdirectlyCopyright©2009,Or
acle.Allrightsreserved.9-33DataDictionaryViews:DBA_AUDIT_TRAIL•Theseviewslistaudit-trailentries:–DBA_AUDIT_TRAIL–USER_A
UDIT_TRAIL•TheCOMMENT_TEXTcolumncanindicatehowtheuserhasbeenauthenticated:–DATABASE:Authenticationdonebythepassword–NETWORK:Authent
icationdonebyOracleNetServicesorOracleAdvancedSecurity–PROXY:Authenticationbyanotheruser–EXTERNALNAME:Thedistinguishedname(DN)oftheEnterpriseUserSecu
rity(EUS)userCopyright©2009,Oracle.Allrightsreserved.9-34Practice9Overview:ImplementingProxyAuthenticationThispracti
cecoversthefollowingtopics:•Implementingandtestingdatabaseproxyauthentication•ImplementingEUSproxyCopyright©2009,Oracle.Allrightsreserved.9-35Sum
maryInthislesson,youshouldhavelearnedhowto:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication•Auditusersauthenticated
byproxy
辽公网安备 21102102000191号
营业执照
