9
Enterprise Security Management

This chapter describes the component of Oracle Enterprise Manager used to administer Enterprise User Security for the Advanced Security Option. The chapter explains use of Enterprise Manager within a simple scenario in which an Oracle Internet Directory Server is used as the central repository for users in a large organization. It contains the following sections

• Overview of Enterprise Security Manager
• Introduction to Directory Servers
• Entailing and Configuring Your Enterprise Security Environment
• Administering Users
• Administering Oracle Contexts
• Command Line Tool

Overview of Enterprise Security Manager

Oracle Enterprise Security Manager provides an easy-to-use graphical interface to administer enterprise user security and access control for large numbers of databases in your enterprise environment through the Oracle Internet Directory server. You use Oracle Enterprise Security Manager to perform the following tasks:

• Manage Database Security Under Oracle Contexts in a Directory
• Manage Users in a Directory

You start this Enterprise Security Manager via the MS Windows Start menu, or by issuing the "esm" command on a UNIX command line. Upon logging in, Enterprise Security Manager appears as shown in Figure 9-1, "Enterprise Security Manager", given that the Directory contains at least the Oracle9i Default Oracle Context.

Figure 9-1 Enterprise Security Manager

Text description of the illustration screen0.gif

Enterprise Security Manager manages one Directory Server, identified at the top of the main application tree. It has a series of menu operations that apply to this Directory Server.

Users are managed in the Directory using Enterprise Security Manager. The application shows the directory to which it is connected and allows you to add, delete and browse Users in that Directory. Enterprise Security Manager may also be used to manage Oracle Contexts in the Directory. An Oracle Context is an area of structured information in the Directory recognizable to Oracle8i and Oracle9i products as well as an administrator hierarchy for management of the data in Oracle Contexts for different Oracle product areas.

This chapter is presented in two parts; Administering U.0sers and Administering Oracle Contexts. It will use the example the "AppsOnline" Application Service Provider to illustrate both facets of Enterprise User Security management.

Introduction to Directory Servers

A Directory Server may be used a general purpose means to centralize definitions of user and server access information over an entire network. As well as storing naming information, the Directory may be employed to centralize password definitions, digital certificates and application authorizations for the users that it defines. This is possible, in the particular case of Oracle Internet Directory, as it allows for secured access and modification of sensitive information held in the Directory such as passwords or application authorizations.

This chapter shall use as its example an Application Service Provider called, "AppsOnline". AppsOnline has a large set of Oracle9i Databases that it uses to host different types of Application Software for its customers. AppsOnline needs to manage administrative access to these databases for its IT staff.

Figure 9-2 AppsOnline Hierarchy

Text description of the illustration appsonli.gif

AppsOnline maintains Oracle9i databases upon which are hosted three types of Application for its customers; Human Resources, Inventory and Billing. One customer, "TaxTime.com" subscribes to AppsOnline for its Human Resources Applications. A second customer, "CelticTravel.com" subscribes to the company for its Billing Applications. A third company, "UKMusic.com" subscribes to the company for its Inventory Management Applications.

AppsOnline dedicates some of its databases to each customer and manages these databases on behalf of the customer. The company has used an Oracle Internet Directory to hold information about their own employees, the databases on which they host Applications, and the customers for whom they provide a service. In the course of their business, they may wish to manage administrative access to their databases by their IT employees and manage access rights to information in these databases based upon each type of customer Application that they support.

This chapter will illustrate how Oracle Enterprise Manager may be used in this example scenario.

Entailing and Configuring Your Enterprise Security Environment

Task 1: Configure an Oracle Internet Directory

Oracle9i Enterprise User Security is based wholly around an Oracle Internet Directory. The Directory Server must be properly installed and configured before Enterprise Manager may be used to manage Enterprise User Security. The following stages of Oracle Internet Directory configuration must be complete before proceeding

1. Either an Oracle8i or Oracle9i Internet Directory is installed, running and accessible over both standard LDAP and Secure Sockets Layer enabled LDAP (LDAP/SSL). For more information please refer to the Oracle Internet Directory Administrators Guide.
2. The Oracle Internet Directory has been configured to support Oracle9i Directory Schema Objects and contains an Oracle9i Default Oracle Context. In the case of a version 9i Oracle Internet Directory these requirements may already be in place. However, the Oracle9i Directory Schema Objects and Default Oracle Context may be configured on the Directory Server using The Oracle Net Configuration Assistant. For more information please refer to the Oracle Net Configuration Assistant Administrators Guide.

Task 2: Install Oracle Enterprise Manager

Oracle Enterprise Manager is automatically installed with the Oracle9i Enterprise Edition Server Install and includes all necessary functionality for Enterprise User Security. Oracle Enterprise Manager is also installed by default with the Oracle9i Infrastructure Install at the same time as Oracle Internet Directory. Oracle Enterprise Manager may also be installed separately in its own ORACLE_HOME using the custom install option.

Task 3: Configure Oracle Enterprise Manager for Enterprise User Security

Oracle Enterprise Manager may be used to manage Enterprise User Security in two modes of operation. The Oracle9i Enterprise Manager Console may be used to connect to the Oracle9i Management Server (OMS) and discover a Directory Server to manage. Alternatively, a dedicated application called, "Enterprise Security Manager" may be launched from the same ORACLE_HOME as Enterprise Manager and used to connect directly to the Directory Server. In either mode of operation functionality is identical. Only the latter mode, using the Enterprise Security Manager application, will be used in this chapter.

Enterprise Security Manager does not require any special configuration for it to run. However all Oracle Databases in the enterprise that need to avail of Enterprise User Security should be accessible over Oracle Net from the Enterprise Manager ORACLE_HOME.

Task 4: Start Oracle Enterprise Security Manager

To launch Enterprise Security Manager from the Enterprise Manager ORACLE_HOME, enter the following at the command line:

> esm

This will cause the Directory Log On box to appear

Figure 9-3 Directory Login Dialog

Text description of the illustration logon.gif

Task 5: Log On To the Directory

Enterprise Security Manager offers three ways to connect to a Directory Server by selecting the appropriate option in the Log On Box. These options are listed in the table below

Table 9-1 Directory Connection Methods

Authentication Type	Description
Password Authentication	Uses Simple Authentication requiring a distinguished name or a known directory nickname and a password
SSL Client Authentication	Uses two-way SSL Authentication in which both the client and server use Oracle Wallets containing digital certificates. The subsequent connection will then be encrypted.
Native Authentication	Applies only to Microsoft Windows NT or Windows 2000 and uses Operating System level authentication to log on to a Microsoft Active Directory

For example, Password Authentication may be selected when using the orcladmin Oracle Internet Directory super user name and password to log on.

Administering Users

Enterprise Security Manager may be used to Create Users in the Directory. This is done by selecting "Create Enterprise User..." from the Operations Menu.

Figure 9-4 Operations Menu

Text description of the illustration menu0.gif

The Create User Window will appear in which to enter the name and location of the new User in the Directory.

Oracle Wallets

Oracle wallets are data structures that contain a user private key, a user certificate, and a set of trust points (the list of root certificates the user trusts). Enterprise Security Manager functionality pertaining to Oracle Wallets will only appear in the Create User or Edit User screens when running in an ORACLE_HOME that has been configured for this purpose to use Oracle PKI Products. First, you must generate a Certificate Signing Authority for Enterprise Security Manager. This is done by running "esm -genca" on the command line. The following example displays the expected output from running this utility.

> esm -genca
Generating CA Private Key. Please Wait..

Enter a Wallet Administrator Password to protect access 
to your CA private key: test_password

A CA has been created for Enterprise Security Manager. 
You must remember your Wallet Administrator Password. It is required 
by Enterprise Security Manager to generate new Oracle Wallets.

Specifying a new User Name

Figure 9-5 Create User Property Sheet: User Naming Page

Text description of the illustration user0.gif

The following fields are mandatory for creation of a new User in the Directory:

Table 9-2 Create User Property Sheet: User Naming Page Mandatory Fields

Field	Description
Base	The entry point in the Directory at which the new User will be created
First name	First half (Christian Name) of the new User's full name
Surname	Second half (Surname) of the new User's full name
User ID	The Logon identifier that the user may use to access databases and applications

The following additional fields are not mandatory for creation of a new User in the Directory but may be recorded for the new User if desired.

Table 9-3 Create User Dialog: Non-mandatory Fields

Field	Description
Apply Suffix	This is the current value of any common user ID suffix that is always applied to the end of the User ID for a new User. For example, <User ID>.us.acme.com
Email Address	The email address to record in the Directory for the new User, if desired.
cn=	This is the Common Name component (cn=) of the Distinguished Name of the new User in the Directory. By default it is set to the full name of the new User, however you can override the value if you wish to force a particular value for the "cn=" portion of the User's Distinguished Name.

Specifying a Directory Base

All Users in the Directory must exist at a particular "Base" within the Directory. The Base can be any existing Directory Entry such as Country Entry (e.g "c=US") or an Organization Entry (e.g "o=Acme, c=US". Many Users would typically share the same Base. This Base identifies all the Users contained under it as belonging to the same high level organization.

The Base at which to create a new User can be entered in the Base field in the Create User screen. However, you may explore the entire Directory to choose a suitable Base by clicking on the Browse... button. The Browse Directory dialog will appear.

Figure 9-6 Browse Directory Dialog

Text description of the illustration user5.gif

The Browse Directory screen lets you navigate the directory by drilling down into each entry from the top of the Directory Tree. When a Directory Entry is selected its Distinguished Name is placed in the Selection field. To accept the selected Distinguished Name choose the OK button. This value will then be returned as the selected Base for a new Directory User.

Specifying a new User Password

The second Tab Panel of the New User screen allows you to set an initial password for the new User in the Directory. This will be the new User's initial password for:

• Directory log on
• Database log on to databases that support Password Authenticated Global Users
• A new Oracle Wallet, if created for the new User at this time.

Figure 9-7 Create User Property Sheet: Password Page

Text description of the illustration user1.gif

When Entering a password you may choose to accept a default first time password for the new User or manually enter the first time password for the new User. In either case, the new User must change their own password immediately after its first use.

Specifying an Initial Enterprise Role Assignment

Enterprise Roles are discussed later in this Chapter. At the time of User creation you may select any previously configured Enterprise Roles and grant them to the new User.

Figure 9-8 Create User Property Sheet: Enterprise Roles

Text description of the illustration user2.gif

To select one or more Enterprise Roles to grant to the new User at this time choose Add... in the Enterprise Roles page of the Create User screen. The Add Enterprise Roles Page will appear from which you can choose any Enterprise Roles in your Oracle Context to assign to the new User.

Figure 9-9 Add Enterprise Roles Dialog

Text description of the illustration user3.gif

Specifying an Oracle Wallet

An Oracle Wallet containing a new Digital Certificate, Private Key and Certificate Trustpoints may be generated for the new User in an encrypted binary format. The Oracle Wallet will be stored with the new User in the Directory Server as part of the Directory Entry for the User.

Figure 9-10 Create User Property Sheet: Wallet

Text description of the illustration user4.gif

The Distinguished Name under which the new User will be created is used by default as the Distinguished Name for the Digital Certificate to be contained in the new User's Oracle Wallet. It is always good practice to let the Distinguished Names of User Certificates correspond to their Distinguished Names in the Directory. However, you may edit the Distinguished Name to be used for the Certificate before generating the Wallet by editing the contents of the Issued For: field.

An Oracle Wallet will be created when you click on the Generate Wallet... button.

Browsing Users in the Directory

Enterprise Security Manager allows you to browse all Users that are currently stored in the Directory. This is done by selecting the All Users page from the Directory at the top of the main application tree

Figure 9-11 All Users Page

Text description of the illustration screen2.gif

To Search for one or more users the directory, the Search Criteria must be set and the Search Now button used to perform a new search for Users based upon the given Search Criteria. The All Users page will refresh to show the results of this search. There are three factors to User Search Criteria:

Table 9-4

Search Criteria	Affect on the Search
Base	This is the Base Entry in the Directory at which the search will be performed. Any Users returned in the search will exist under this Base in the Directory.
Include Subtrees	This determines whether to show all Users in the Directory anywhere under the selected Base or to only show those Users that exist specifically at that Base location in the Directory.
Show Names Containing	This limits the entire search to contain only those Users whose Directory Entries have a Common Name that starts with a specified pattern. This is useful if the exact name or Base of the desired User is not known.

For example, the Search Criteria may be set to search this Directory for a User given only that the Base is dc=oracle, dc=com and the first name is "Larry"

Figure 9-12 Base Search Criteria

Text description of the illustration screen3.gif

After searching for Users in the Directory, any one user can be chosen from the list and edited. This is achieved either by selecting the User from the list in the All Users page and choosing the Edit... button or by double clicking on that User in the list.

Figure 9-13 Editing a User

Text description of the illustration screen5.gif

When a User in the Directory is selected for Edit, its password, Enterprise Role assignments and Oracle Wallet can be modified in the same way as discussed during creation of a new User in the Directory.

Administering Oracle Contexts

An Oracle Context is a top level Entry in the Directory underneath which is contained the data used by any Directory aware Oracle product. Enterprise Security Manager allows you to manage database and security related information in the Directory under an Oracle Context.

Oracle Context Versions

An Oracle Context in the Directory may either be a version 8i or version 9i Oracle Context. For Enterprise User Security there is some functionality that can only be managed using a 9i Oracle Context, for example, "Password Authenticated Global Users". Enterprise Manager for Oracle9i may be used to manage version 9i Oracle Contexts as well version 8i Oracle Contexts in the Directory.

Oracle Enterprise Security Manager displays in its main application tree all the Oracle Contexts that exist in the Directory Server. It will display both version 9i and version 8i Oracle Contexts, should they exist. In the example below Enterprise Security Manager is connected to an Oracle Internet Directory that has been configured to support the Oracle9i Directory Schema and an Oracle9i Default Oracle Context.

Specifying Properties of an Oracle Context

An Oracle Context has a number of general properties that can be viewed and managed in the General page when an Oracle Context is selected on the tree:

Figure 9-14 Viewing an Oracle Context Properties

Text description of the illustration screen4.gif

Table 9-5 Context Property Description

Property	Description
Directory Location	This is the Directory Base of the Oracle Context. In the case of the Default Oracle Context this value is empty as the Directory Base is the root of the Directory tree
Version	This identifies whether the Oracle Context supports 8i or 9i functionality
Common User Search Bases	This is the list of Base locations in the Directory at which Users may commonly exist. Identifying a list of User Search Bases allows you to quickly browse the users at those Directory Locations and also indicates to 9i Databases in the Oracle Context where they may find Directory Users that connect to them.
User ID	This is the name of the Attribute in a User Entry that determines the value of that Users's User ID. User Entries have many different attributes. This setting controls the User ID with which Users can authenticate to Oracle9i databases, Directory Servers or Directory enabled Applications. Its default value is, "cn", the Common Name of the Directory User.
Application GUID	This is the name of the Attribute in a User Entry in which unique Application GUID values will exist. It cannot be modified in this release
Password Policy	This is the Password Policy syntax used by Oracle9i database when authenticating Password Authenticated Global Users. It cannot be modified in this release.

Specifying User Search Bases

User Search Bases can be added to or removed from a version 9i Oracle Context using the Oracle Context General page.

To remove a User Search Base from the Oracle Context:

1. Select a Search Base in the Common User Search Bases List and choose Remove... The Search Base will be removed from the List.
2. Choose Apply; the User Search Base will be removed from the Oracle Context in the Directory

To add a new User Search Base to an Oracle Context:

1. Choose Add... The Common User Search Bases screen will appear.

Figure 9-15 User Search Base Dialog

Text description of the illustration user5.gif

• Navigate the Directory to select a desired Directory Entry as a User Search Base. You may also edit the contents of the Selection field in this screen to manually define the User Search Base.
• Choose OK in the Common User Search Bases screen. The selected Entry will be added to the list of User Search Bases in the Oracle Context General Page.
• Choose Apply; the User Search Base will be added to the Oracle Context in the Directory

  Specifying Oracle Context Administrators

  An Oracle Context may define sets of Directory Users that are enabled as different categories of Administrator. Each category has varying levels of privilege for operations within an Oracle Context. Some administrator categories are only available to version 9i Oracle Contexts and some are available to both version 8i and version 9i Oracle Contexts. The Administrator Categories for an Oracle Context are as follows:

  Table 9-6 Oracle Context Administrator Categories

  Administrator Category	Definition	Version 9i	Version 8i
  Full Context Management	All possible Administrator privileges for all product areas in the Oracle Context	YES	NO
  Directory User Management	Ability to view Directory User password reminders	YES	NO
  Database Security Management	Ability to manage all Enterprise Domains and Enterprise Roles in the Oracle Context	YES	YES
  Database Registration	Ability only to register a new database in the Oracle Context	YES	YES
  Oracle Net Management	Ability to manage Oracle Net objects in the Oracle Context	YES	NO

  
  
  

  Oracle Context Administrators are managed using the Administrators Page of an Oracle Context selected on the main application tree.

  Figure 9-16 Oracle Context: Administrators Page

  

  Text description of the illustration screen6.gif

  To remove a User from a list of Oracle Context Administrators:

  1. Choose the type of Administrator to remove from the Categories combo box. The list of Administrators will refresh to show those of the type that you have selected.
  2. Select a User by clicking on that User in the list of Administrators.
  3. Choose Remove. The selected User will be removed from the list.
  4. Choose Apply; the User will be removed as an Oracle Context Administrator of the category that you have selected.

  To add a new User a list of Oracle Context Administrators:

  1. Choose Add... The Add Users screen will appear. This page is used to locate and select one or more Users in the Directory. There are three components to the page. At the top is a Directory Search Tree. In the middle are Search Criteria controls that identify the Users to be returned by the search. At the bottom of the page is the result of the search from which one or more desired Users may be selected.

  Figure 9-17 User Search Results

  

  Text description of the illustration screen7.gif

• Navigate the Directory to select a desired Directory Entry as a User Search Base. You may also edit the contents of the Selection field in this screen to manually define the User Search Base.
• Set the "Include Subtrees" Search Criteria option. The effect of selecting this option will be to search for Users not only as the specified Base but also in all possible levels underneath that Base in the Directory.
• Enter any known User Name in the Show Names Containing field to which Users returned by the search must conform. The effect of using the Show Names Containing field is to limit the search only to Users in the Directory who have a Common Name value that is or starts with the specified text.
• Choose Search Now. If there are any Users in the Directory at the Base you have selected that match your Search Criteria they will be listed in the screen.
• Select the desired User either by clicking on the it in the list and choosing OK or by double clicking on it. Multiple Users can be selected from the list by selecting a range of Users and choosing OK. The new Users will then appear in the list of Administrators under the category that you have selected.
• Choose Apply; the new Administrators will be added to the Oracle Context in the Directory under the category that you have selected.

  Note: This screen is used at all points in Enterprise Security Manager where it is necessary to choose one or more Users from the Directory.

  
  
  

  Accessible Domains

  When an Oracle Context is selected in the main application tree you may manage the list of Enterprise Domains within that Oracle Context whose databases may accept password authenticated connections from users that have their "Database Access Restriction" enabled. To add an Enterprise Domain to the list choose "Add.." and select one of the current Enterprise Domains from the resulting dialog. To remove an Enterprise Domain from the list, select it in the Accessible Domains page and choose "Remove..."

  A "Database Access Restriction" may be applied to whole subtree of Users in the Directory when it is selected under the "Users, by Search Base" tree under an Oracle Context. With this option is set, all users under that subtree may only use their passwords to access databases that exist in Enterprise Domains that have been included in the list of Accessible Domains for the Oracle Context.

  The default condition for any Enterprise Domain is not to be a member of the Accessible Domains for its Oracle Context. By identifying any Enterprise Domain to be one of the Accessible Domains and also by electing certain Users to have a Database Access Restriction, you are enforcing that it is only certain known databases that may access those Users' database logon settings in the Directory.

  Note: This feature is only available to version 9 Oracle Contexts.

  
  
  

  Managing Database Security

  The Directory may be used as a central repository that controls authentication and authorization on multiple databases for Users. Enterprise Security Manager allows you to manage an Oracle Context in the Directory for the purpose of database security.

  Oracle8i or 9i Databases are published to the Directory within an Oracle Context using the Oracle Database Configuration Assistant. For more information see the Oracle DBCA Guide. Once databases have been published to the Directory, Enterprise Security Manager may be used to mange User access to those databases. This is achieved using the following Objects in the Oracle Context:

  Table 9-7 Oracle Context Objects

  Object in the Oracle Context	Description
  Database	This is a Directory Entry representing a published database.
  Enterprise Domain	This is a grouping of databases published in the Directory upon which a common User access model for database security can be implemented
  Enterprise Role	This is an Authorization that spans multiple databases within an Enterprise Domain. It is an "Enterprise Level" Role to which can be granted individual roles on each of the databases in an Enterprise Domain.

  
  
  

  Enterprise Security Manager displays Databases and Enterprise Domains in its main application tree. Using our example of the AppsOnline Application Service provider, each of the company's databases have been published into the 9i Default Oracle Context in the Directory.

  Registering a Database with an Oracle Context

  You register a database with an Oracle Context by selecting Register Database from the Enterprise Security Manager Operations menu. Selecting this menu option displays the Register Database dialog (shown in the following figure).

  Figure 9-18 Register Database Dialog

  

  Text description of the illustration regdb.gif

  In addition to selecting the Oracle Context in which the database will reside, database registration also entails supplying the requisite connect information, as shown in the figure above. From this dialog, you can specify a database in one of three ways:

  • Specify the SID, ORACLE_HOME, and hostname. Enterprise Security Manager will not verify the validity of these entries, hence, they must be valid, known values for a remote database.
  • You can store a TNS connect string. Oracle Net LDAP Naming will be created.
  • You can store a wallet for the database. This implies that a databse can download that wallet using Oracle Wallet Manager while configuring for Enterprise User Security. You must enter a password to protect that wallet.

  Figure 9-19 Security Manager Application Tree

  

  Text description of the illustration screen8.gif

  In this example AppsOnline manages Oracle9i databases that host Applications for three customers; "UKMusic.com", "CelticTravel.com" and "TaxTime.com". Applications for UKMusic are hosted using databases INV11i-1 and INV11i-2. Applications for CelticTravel are hosted using databases BILL11i-1 and BILL11i-2. Applications for TaxTime are hosted using databases HR11i-1, HR11i-2, HR11i-3 and HR11i-4.

  Given that the types of application hosted for each customer are different, only those databases that are used to support a common application type implement the same security model for their User Access. AppsOnline has decided to define three Enterprise Domains, one for each customer that it services.

  Administering Databases

  After a database has been published to an Oracle Context in the Directory, Enterprise Security Manager may be used to view and modify security characteristic of that database.

  Managing Database Administrators

  An Database Administrator is a Directory User that only has privileges to modify that Database in the Oracle Context. Database Administrators may be managed using the Administrators Page when a Database is selected under an Oracle Context in the main application tree.

  To remove a User from the list of Database Administrators:

  1. Select a User by clicking on that User in the list of Administrators.
  2. Choose Remove. The selected User will be removed from the list.
  3. Choose Apply; the User will be removed as an Database Administrator for that database in the Oracle Context.

  To add a new User to the list of Enterprise Domain Administrators:

  1. Choose Add... The Add Users screen will appear. This page is used to locate and select one or more Users in the Directory as discussed earlier. Select one or more desired users from the Directory to add as Database Administrators. The new Users will then appear in the in the Administrators Page.
  2. Choose Apply; the new Administrators will be added to the database in the Oracle Context.

  Managing Database Schema Mappings

  Database Schema Mappings allow databases that are registered in the Directory to accept connections from users without having any dedicated database schemas for them. For example, when user SCOTT connects to a database there must actually exist a database schema called "SCOTT" for that log on to be successful. This becomes difficult to maintain if there are thousands of Users and perhaps hundreds of databases in a very large enterprise.

  Users that exist in the Directory do not need to have dedicated schemas on every Oracle8i or 9i database to which they might connect.

  A database may use a "Schema Mapping" to share one database schema between any number of Users that exist in the Directory. The Schema Mapping is a pair of values; the Base in the Directory at which Users exist and the name of the database schema that they will use.

  Figure 9-20 Database Schema Mappings

  

  Text description of the illustration intdir.gif

  Database Schema Mappings may be managed using the Database Schema Mappings Page when a database is selected under an Oracle Context in the main application tree. This page contains a list of database schema name and Directory Base pairs.

  Figure 9-21 Database Schema Mapping Page

  

  Text description of the illustration screen16.gif

  To remove a Mapping from the list of Database Schema Mappings n the Enterprise Domain:

  1. Select a Mapping by clicking on that Mapping in the list.
  2. Choose Remove. The selected Mapping will be removed from the list.
  3. Choose Apply; the Mapping will be removed from the Enterprise Domain and no longer used by any databases in the Enterprise Domain.

  To add a new Mapping to the list of Database Schema Mappings in the Enterprise Domain:

  1. Choose Add... The Add Database Schema Mappings screen will appear. This page is used to locate and select one Base in the Directory and pair it with a database schema name to make a Database Schema Mapping. There are two components to the page. There is a Directory Search Tree from which to select a Base and a field in which to enter a schema name.

  Figure 9-22 Add Database Schema Mappings

  

  Text description of the illustration screen15.gif

• Navigate the Directory to select a desired Directory Entry as a Base for the Database Schema Mapping. This may be any Directory Entry but should be above the subtree of Users in the Directory for which you want t o perform the mapping. You may also edit the contents of the Selection field in this screen to manually define this Base.
• Enter the name of the database schema for which this Mapping will be made and choose OK. This must be a valid name for a schema that already exists on that database.The new Database Schema Mapping will then appear in the Database Schema Mappings Page.
• Choose Apply; the new Database Schema Mapping will be added to the selected database in the Oracle Context.

  Administering Enterprise Domains

  An Oracle Context will always contain at least one Enterprise Domain called, "OracleDefaultDomain". The OracleDefaultDomain is part of the Oracle Context when it is first created in the Directory. When a new database is registered into an Oracle Context it automatically becomes a member of the OracleDefaultDomain in that Oracle Context. You may create and remove your own Enterprise Domains but you cannot remove the OracleDefaultDomain from an Oracle Context.

  To create a new Enterprise Domain:

  An Enterprise Domain can be created in an Oracle Context either from the Operations Menu or by using a Right Mouse Button click on an Oracle Context selected in the main application tree:

  Figure 9-23 Creating an Enterprise Domain

  

  Text description of the illustration screen9.gif

  The Create Enterprise Domain screen will appear.

  Figure 9-24 Create Enterprise Domain Dialog

  

  Text description of the illustration screen10.gif

  1. Choose the Oracle Context in which the Enterprise Domain is to be created from the Oracle Context drop down list. If the Create Enterprise Domain screen has been invoked using a Right Mouse Button click from an Oracle Context in the main application tree then the name of that Oracle Context will already be selected.
  2. Enter the name of the new Enterprise Domain in the Domain Name filed.
  3. Choose OK. The new Enterprise Domain will be created in the Oracle Context and appears on the main application tree.

  To remove an Enterprise Domain:

  1. Click on the Enterprise Domain to remove in the main application tree.
  2. Choose Remove Enterprise Domain either from the Operations Menu or by using a Right Mouse Button Click on the Enterprise Domain in the main application tree.

  Figure 9-25 Remove Enterprise Domain Menu Option

  

  Text description of the illustration screen11.gif

• Enterprise Security Manager will ask you to confirm the operation before the Enterprise Domain is removed from the Oracle Context.

  Note: You cannot remove an Enterprise Domain from an Oracle Context if that Enterprise Domain still contains any Enterprise Roles.

  
  
  

  Specifying Database Membership of an Enterprise Domain

  Database membership of an Enterprise Domain in the Oracle Context may be managed using the Databases Page when an Enterprise Domain is selected on the main application tree:

  Figure 9-26 Security Manager Databases Page

  

  Text description of the illustration screen12.gif

  To remove a database from an Enterprise Domain:

  1. Select a database in the list and choose Remove... The database will be removed from the list.
  2. Choose Apply; the database will be removed from the Enterprise Domain in the Oracle Context.

  To add a database to an Enterprise Domain:

  Note: You may only add databases as members of an Enterprise Domain that exist in the same Oracle Context as the Enterprise Domain. An Enterprise Domain cannot contain as its members, databases published in a different Oracle Context. Neither can any database in an Oracle Context be added as a member of two Enterprise Domains.

  
  
  
  1. Choose Add... The Add Databases screen will appear. This screen lists all the databases in the Oracle Context

  Figure 9-27 Add Databases Dialog

  

  Text description of the illustration screen13.gif

• Select a database to add as a new member of the Enterprise Domain.
• Choose OK in the Add Databases screen. The selected database will be added to the list of databases in the Databases Page.
• Choose Apply; the new database will be added to the Enterprise Domain in the Oracle Context.

  Managing Database Security Options for an Enterprise Domain

  The Databases Page may be used to manage database security options that will apply to all the databases that are members of the Enterprise Domain. These options are as follows:

  Table 9-8

  Database Security Option	Description
  Enable Current User Database Links	Any pair of databases will only allow use of Current User Database Links if they exist in an Enterprise Domain in which this setting is enabled.
  User Authentication	All databases in the Enterprise Domain will enforce the type of authentication that its clients must use based on this property. Its values are: Password Authentication only. Oracle Net SSL Authentication only using Oracle Wallets. Either Password or Oracle Net SSL Authentication.

  
  
  

  Managing Enterprise Domain Administrators

  An Enterprise Domain Administrator is a Directory User that only has privileges to modify the content of that Enterprise Domain. Enterprise Domain Administrators may be managed using the Administrators Page when an Enterprise Domain is selected under an Oracle Context in the main application tree.

  To remove a User from the list of Enterprise Domain Administrators:

  1. Select a User by clicking on that User in the list of Administrators.
  2. Choose Remove. The selected User will be removed from the list.
  3. Choose Apply; the User will be removed as an Enterprise Domain Administrator for that Enterprise Domain in the Oracle Context.

  To add a new User to the list of Enterprise Domain Administrators:

  1. Choose Add... The Add Users screen will appear. This page is used to locate and select one or more Users in the Directory as discussed earlier. Select one or more desired users from the Directory to add as Enterprise Domain Administrators. The new Users will then appear in the Administrators Page.
  2. Choose Apply; the new Administrators will be added to the Enterprise Domain in the Oracle Context.

  Managing Enterprise Domain Database Schema Mappings

  Database Schema Mappings may be managed for each database in an Oracle Context as discussed earlier. Schema Mappings may also be performed for each Enterprise Domain in an Oracle Context using the Database Schema Mappings Page with an Enterprise Domain selected in the main application tree. These Mappings apply to all databases that are members of the Enterprise Domain. Therefore, each database in the Enterprise Domain must have a schema of the same name used in the Mapping.

  Figure 9-28 Matching Database and Schema Names Used in the Mappings

  

  Text description of the illustration screen14.gif

  To remove a Mapping from the list of Database Schema Mappings in the Enterprise Domain:

  1. Select a Mapping by clicking on that Mapping in the list.
  2. Choose Remove. The selected Mapping will be removed from the list.
  3. Choose Apply; the Mapping will be removed from the Enterprise Domain and no longer used by any databases in the Enterprise Domain.

  To add a new Mapping to the list of Database Schema Mappings in the Enterprise Domain:

  1. Choose Add... The Add Database Schema Mappings screen will appear. This page is used to locate and select one Base in the Directory as discussed earlier. Enter a new Database Schema Mapping to add to the Enterprise Domain.
  2. Choose Apply; the new Database Schema Mapping will be added to the Enterprise Domain selected in the Oracle Context.

  Administering Enterprise Roles

  An Enterprise Domain within an Oracle Context may contain one or more Enterprise Roles.

  In the example discussed earlier, AppsOnline has created three Enterprise Domains that group the databases it uses to serve each of its customers. This permits the company to define Enterprise Roles for each Enterprise Domain. An Enterprise Role is a set of Oracle Role based authorizations across on or more databases in an Enterprise Domain.

  A simple Enterprise Role is defined by AppsOnline for DBA privileges on its databases in the "Tax Time" Enterprise Domain:

  Figure 9-29 "Tax Time" Enterprise Domain

  

  Text description of the illustration taxtime.gif

  Creating a new Enterprise Role:

  An Enterprise Role can be created in an Enterprise Domain either from the Operations Menu or by using a Right Mouse Button click on an Enterprise Domain selected in the main application tree:

  Figure 9-30 Enterprise Role Creation

  

  Text description of the illustration screen17.gif

  The Create Enterprise Role dialog appears.

  Figure 9-31 Create Enterprise Role Dialog

  

  Text description of the illustration screen18.gif

  1. Choose the Oracle Context containing the Enterprise Domain in which the new Enterprise Role is to be created from the Oracle Context drop down list. If the Create Enterprise Role screen has been invoked using a Right Mouse Button click from an Enterprise Domain selected in the main application tree, then the name of that Oracle Context will already be selected.
  2. Choose the Enterprise Domain in which the new Enterprise Role is to be created from the Enterprise Domain list. If the Create Enterprise Role screen has been invoked using a Right Mouse Button click from an Enterprise Domain selected in the main application tree, then the name of that Enterprise Domain will already be selected.
  3. Enter the name of the new Enterprise Role in the Role Name filed.
  4. Choose OK. The new Enterprise Role will be created in the Enterprise Domain and appears on the main application tree.

  Removing an Enterprise Role:

  1. Click on the Enterprise Role to remove in the main application tree.
  2. Choose Remove Enterprise Role either from the Operations Menu or by using a Right Mouse Button Click on the Enterprise Domain in the main application tree.

  Figure 9-32 Removing an Enterprise Role

  

  Text description of the illustration screen19.gif

• Enterprise Security Manager will ask you to confirm the operation before the Enterprise Role is removed from the Enterprise Domain.

  Specifying Database Global Role Membership of an Enterprise Role

  Database Role membership of an Enterprise Role in an Enterprise Domain may be managed using the Database Global Roles Page when an Enterprise Role is selected on the main application tree. This page lists the names of each Global Role that belongs to the Enterprise Role along with the name of the database on which that Global Role exists.

  Figure 9-33 Database Global Roles Page

  

  Text description of the illustration screen20.gif

  When populating an Enterprise Role with different database roles it is only possible to reference roles on databases that are configured to be "Global Roles" on those databases. A Global Role on a database is identical to a normal Role, except that the administrator of the database has elected it only to be authorized via the Directory. A database administrator cannot locally grant and revoke Global Roles to users of the database.

  Removing a Database Global Role from an Enterprise Role:

  1. Select a Global Role in the list and choose Remove... The Global Role will be removed from the list.
  2. Choose Apply; the Global Role will be removed from the Enterprise Role in the Enterprise Domain.

  Adding a Global Role to an Enterprise Role:

  1. Choose Add... The Add Database Global Roles screen will appear. This screen lists all the databases in the Enterprise Domain from which Global Roles may be selected to add to this Enterprise Role

  Figure 9-34 Add Global Database Roles Dialog

  Text description of the illustration screen21.gif

  2. Select a database from which to obtain Global Roles. A screen will appear in which you must enter logon details to authenticate to the database and fetch Global Roles. Typically this would be a DBA logging on to that database.

  Figure 9-35 Database Logon

  

  Text description of the illustration screen22.gif

  The name of the database appears in the Service field by default.You may use this name to connect to the database if your ORACLE_HOME has LDAP enabled as it Oracle Net Naming method or if this name appears as a TNS alias in your local Oracle Net configuration. Otherwise you may overwrite the content of the Service field with any other TNS alias configured for that database or by a connect string in the format:

  <host>:<port>:<oracle sid>
  
  

  For example, "cartman:1521:broncos"

  3. Choose OK. Enterprise Security Manager will connect to the given database and fetch the list of Global Roles supported on that database. The list of values, if any, will appear in the Add Database Global Roles screen.

  Figure 9-36 Add Global Database Roles Dialog

  

  Text description of the illustration screen23.gif

• Select on or more of the Global Roles from the list of returned values and choose OK. These Global Roles will then appear in the Database Global Roles Page
• Choose Apply; the new Global Roles will be added to the Enterprise Role in the Enterprise Domain.

  Managing Enterprise Role Grantees

  An Enterprise Role Grantee is a Directory User to whom has been granted an Enterprise Role and therefore all database Global Roles contained within that Enterprise Role. Enterprise Role Grantees may be managed using the Enterprise Users Page when an Enterprise Role is selected under an Enterprise Domain in the main application tree.

  Removing a User from the List of Enterprise Role Grantees:

  1. Select a User by clicking on that User in the list of Grantees.
  2. Choose Remove. The selected User will be removed from the list.
  3. Choose Apply; the User will be removed as a Grantee for that Enterprise Role in the Enterprise Domain.

  Adding a New User to the list of Enterprise Role Grantees:

  1. Choose Add... The Add Users screen will appear. This page is used to locate and select one or more Users in the Directory as discussed earlier. Select one or more desired users from the Directory to add as Enterprise Role Grantees. The new Users will then appear in the Enterprise Users Page

  Figure 9-37 Enterprise Users Page

  

  Text description of the illustration screen24.gif

• Choose Apply; the new Grantees will be added to the Enterprise Role in the Enterprise Domain.

  Enterprise Role Grantees will also appear in the Enterprise Users tree under a selected Enterprise Role. A User selected on this tree can be edited as discussed in Part 1.

  Figure 9-38 Enterprise Role Grantees

  

  Text description of the illustration screen25.gif

  Command Line Tool

  In addition to the graphical user interface, Enterprise Security Manger also provides a full-featured command line interface that allows you to perform security administration operations from other applications or from custom scripts.

  Command line operations are invoked using the "esm" control utility. For example:

  esm -cmd [operation] [options]
  esm -cmd help [operation]
  

  A complete list of operations and options, including definitions and usage syntax, is available online by invoking the tool's online help from the command line.

  >esm -cmd help

  The following example shows the help output.

  Example 9-1 Command Line Help Output

  Usage :
  esm -cmd [operation] [options]
  esm -cmd help [operation]
  
  Operations :
  [search, createUser, deleteUser, createWallet, createDomain, deleteDomain, createRole, 
  deleteRole, grantEnterpriseRole, revokeEnterpriseRole, addGlobalRole, removeGlobalRole, 
  addContextAdministrator, removeContextAdministrator, addPasswordAccessibleDomain, 
  removePasswordAccessibleDomain, addDomainAdministrator, removeDomainAdministrator, 
  addDomainDatabase, removeDomainDatabase, addDatabaseAdministrator, 
  removeDatabaseAdministrator, createMapping, removeMapping]
  
  Options :
  (* mandatory)
  -U         SSL Authentication Mode - Should be SIMPLE / SSL / NATIVE
  -h         LDAP Server *
  -p         LDAP Server Port *
  -D         Bind DN (required for SIMPLE Login)
  -w         Bind Password (required for SIMPLE Login)
  -W         Wallet Location (required for SSL Login)
  -P         Wallet Password (required for SSL Login)
  -dn        DN * (for user, domain, enterprise role, context or database)
  -objectType Type of Object for search [user | database | domain | enterpriseRole |
  context | schemaMapping | database | domainDatabase | fullContextAdministrator |
  directoryUserAdministrator | oracleNetAdministrator | databaseSecurityAdministrator | 
  databaseRegistrationAdministrator | databaseAdministrator | domainAdministrator]
  -firstname          User First Name
  -lastname           User Last Name
  -userID             User ID
  -password           User Directory Authentication Password
  -wcheck             User Wallet Check (true / false)
  -context            Oracle Context DN
  -userDN             User DN (required for assign / revoke operations)
  -domainDN          Domain DN (required for assign / revoke operations)
  -adminType          Administrator Type [context | user | databaseSecurity | 
  databaseInstall
  | network]
  -databaseRoleDN     Database Global Role (in format <Database
  DN>,GlobalRole=<GlobalRoleDN)>
  -databaseDN         Database DN (required for assign / revoke operations)
  -walletPwd          Wallet Password (required for Wallet creation)
  -rootPwd            Root Password (required for Wallet Creation)
  -target             Mapping Target Schema
  -value              Mapping Directory Entry
  -level              Mapping Level [1 (Entry)| 0 (Subtree)]
  
  

  You may also display help pertaining to a specific Enterprise Security Manager operation by specifying the exact operation along with the help command:

  esm -cmd help <operation>

  Help for specific operations provides a usage sample. For example, executing "esm -cmd help createUser" from the command line displays the following help text:

  Usage :
  esm -cmd [operation] [options]
  esm -cmd help [operation]
  
  Operations :
  createUser
  
  Options :
  (* mandatory)
  -U                  SSL Authentication Mode - Should be SIMPLE / SSL / NATIVE
  -h                  LDAP Server *
  -p                  LDAP Server Port *
  -D                  Bind DN (required for SIMPLE Login)
  -w                  Bind Password (required for SIMPLE Login)
  -W                  Wallet Location (required for SSL Login)
  -P                  Wallet Password (required for SSL Login)
  -dn                 User DN *
  -firstname          User First Name *
  -lastname           User Last Name *
  -userID             User ID
  -password           User Directory Authentication Password
  -wcheck             User Wallet Check  (true / false)
  
  Example :
  esm -cmd createUser -U SIMPLE -D orcladmin -w welcome -h dlsun1279.us.oracle.com -p 389 
  -dn
  cn=TestUser -firstname Test -lastname User -userID RM -password testpass -wcheck false
  
  

  An example of how the command line tool can be used is provided with your Enterprise Manager installation. The shell script "esmdemo" is located in the ORACLE_HOME/sysman/admin directory and showcases Enterprise Security Manager command line usage. Running this script performs sample operations using the command line tool. View the contents of this script to see working examples of how the command line tool can be used.