|
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
|
 Previous |
 Next |
|
Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
|
|
Previous |
Next |
Password verifiers are the security credentials used to authenticate users to Oracle components other than Oracle Internet Directory. This chapter explains how Oracle Internet Directory centrally stores these password verifiers.
This chapter contains these topics:
About Centralized Storage of User Authentication Credentials
Storing and Managing Password Verifiers for Authenticating to Oracle Internet Directory
Storing and Managing Password Verifiers for Authenticating to Oracle Components
When a user leaves a company or changes jobs, that user's privileges should change the same day to guard against misuse of old or unused accounts and privileges. Without centralized password administration, an administrator in a large enterprise with user accounts and passwords distributed over many databases may not be able make the changes as quickly as good security requires.
Oracle Internet Directory centrally stores security credentials to make their administration easy for both end users and administrators. It stores:
Passwords for authenticating users to the directory itself
Password verifiers for authenticating users to other Oracle components
Users can store non-Oracle authentication credentials if the non-Oracle applications are directory enabled. These applications must create their own container under the Products entry.
Oracle Internet Directory stores a user's directory password in the userPassword attribute. You can protect this password by storing it as a Base64 encoded string of a one-way hashed value by using one of Oracle Internet Directory's supported hashing algorithms. Storing passwords as one-way hashed values—rather than as encrypted values—more fully secures them because a malicious user can neither read nor decrypt them.
The default userPassword hashing algorithm for Oracle Internet Directory has been changed from MD4 to SHA-1. This default scheme is in effect for new installations only. All userPassword attributes created after a new install will be one-way hashed using SHA-1, then stored in Oracle Internet Directory.When you perform an upgrade, the default hashing scheme in effect prior to upgrade is retained. For example, if the default scheme prior to the upgrade was MD4, then MD4 remains the default scheme after the upgrade. To ensure greater security of userPasswords, change the default scheme to SHA-1 immediately after the upgrade. When you change the default scheme to SHA-1, user login is unaffected. For greater security, require users to reset their passwords so that SHA-1 values hash values are stored in Oracle Internet Directory.
Oracle Internet Directory stores the user password in a reversible encrypted format in an operational attribute called orclrevpwd. This attribute is generated only if the attribute orclpwdencryptionenable in the password policy entry is set to 1. The orclrevpwd attribute can be queried only by using the SSL one-way and two-way authentication mechanisms. This attribute cannot be queried over non-SSL sessions.
This section contains these topics:
During authentication to a directory server, clients supply a password to the directory server in clear text. The directory server hashes this password by using the hashing algorithm specified in the DSE attribute userpassword. It then verifies it against the hashed password stored in the binding entry's userPassword attribute. If the hashed password values match, then the server authenticates the user. If they do not match, then the server sends the user an "Invalid Credentials" error message.
For external users, Oracle Internet Directory generates the attribute orclrevpwd during authentication. In particular this attribute is generated when clients authenticate using ldapcompare on the user's cleartext password. If the attribute orclrevpwd does not exist, then the Oracle Internet Directory server generates this attribute using the cleartext password provided for authentication. However this attribute is not generated if external users are authenticated against Oracle Internet Directory using ldapbind
During installation, Oracle Universal Installer prompts you to set the one-way hashing scheme for protecting user passwords to the directory. It presents you with these options:
MD4 —A one-way hash function that produces a 128-bit hash, or message digest
MD5—An improved and more complex version of MD4
SHA—Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
SSHA—Salted Secure Hash Algorithm. This is similar to SHA, but is generated by using a random salt with the password.
SMD5—Salted MD5. This is similar to MD5, but is generated by using a random salt with the password.
UNIX Crypt—The UNIX hashing algorithm
The hashing algorithm value you specify at installation is stored in the orclCryptoScheme attribute in the root DSE. You can change that value by using either Oracle Directory Manager or ldapmodify.
You must be a super user to manage password protection by using Oracle Directory Manager.
To change the type of password protection by using Oracle Directory Manager:
In the navigator pane, expand Oracle Internet Directory Servers and select the directory server instance for which you want to reset password hashing. The corresponding tab pages for that directory server appear in the right pane.
In the System Operational Attributes tab page, in the Password Encryption field, select the type of password hashing you want to use. Options are:
Choose Apply.
|
Note: The No Encryption option specifies that user passwords are stored in clear text. |
The following example changes the password hashing algorithm to SHA by using an LDIF file named my_ldif_file:
ldapmodify -D cn=orcladmin -w welcome -h myhost -p 389 -v -f my_ldif_file
The LDIF file, my_ldif_file, contains:
dn: changetype: modify replace: orclcryptoscheme orclcryptoscheme: SHA
Oracle components store both passwords and password verifiers in Oracle Internet Directory. This section contains these topics:
Example: How Password Verification Works for an Oracle Component
Managing Password Verifier Profiles for Oracle Components by Using Oracle Directory Manager
Managing Password Verifier Profiles for Oracle Components by Using Command-Line Tools
Oracle components can store their password values in Oracle Internet Directory as password verifiers. A password verifier is a hashed version of a clear text password, which is then encoded as a BASE64 encoded string.
You can choose one of these hashing algorithms to derive a password verifier:
MD5—An improved, and more complex, version of MD4
SHA—Secure Hash Algorithm, which produces a 160-bit hash, longer than MD5. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
SSHA and SMD5
UNIX Crypt—The UNIX hashing algorithm
SASL/MD5—Simple Authentication and Security Layer/MD5, which adds authentication support to connection-based protocols and uses a challenge-response protocol.
O3LOGON—A proprietary Oracle algorithm for generating verifiers. It is similar to SASL/MD5 in that it uses a challenge-response protocol.
ORCLWEBDAV—A proprietary algorithm identical to SASL/MD5 which takes the user name in the format username@realm.
ORCLLM—Oracle's representation of the SMBLM algorithm. The SMBLM algorithm is Oracle's representation of the LM variant of the SMB/CIFS challenge/response authentication algorithm.
ORCLNT—Oracle's representation of the SMBNT algorithm. The SMBNT algorithm is Oracle's representation of the NT variant of the SMB/CIFS challenge/response authentication algorithm.
During Oracle application installation, the Oracle Universal Installer creates for that application a password verifier profile entry containing all the necessary password verification information. It places this entry, as shown in Figure 16-1, immediately below the application entry, which resides under the products entry, which, in turn, resides under the realm-specific Oracle Context.
This verifier profile entry is applicable to users in the specified realm only. For verifier generation to take effect, you must set the orclcommonusersearchbase attribute in the common entry of the realm-specific Oracle context to the appropriate value.
Both the directory and Oracle components store the user password in the user entry, but in different attributes. Whereas the directory stores user passwords in the userPassword attribute, Oracle components store user password verifiers in the authPassword, orclPasswordVerifier, or orclpassword attribute. Table 16-1 describes each of the attributes used by Oracle components.
Table 16-1 Attributes for Storing Password Verifiers in User Entries
| Attribute | Description |
|---|---|
|
|
Attribute for storing a password to an Oracle component when that password is the same as that used to authenticate the user to the directory, namely, Several different applications can require the user to enter the same clear text password used for the directory, but each application may hash it with a different algorithm. In this case, the same clear text password can become the source of several different password verifiers. This attribute is multivalued and can contain all the other verifiers that different applications use for this user's clear text password. If the |
|
|
Attribute for storing a password to an Oracle component when that password is different from that used to authenticate the user to the directory, namely, Like |
|
|
Attribute for storing only the 03LOGON verifier for enterprise users. The 03LOGON verifier is synchronized with the When Oracle Internet Directory is installed, a database security profile entry is created by default in the Root Oracle Context. The presence of this entry triggers the generation of 03LOGON verifiers for user entries associated with the |
Each of these attribute types has appID as an attribute subtype. This attribute subtype uniquely identifies a particular application. For example, the appID can be the ORCLGUID of the application entry. This attribute subtype is generated during application installation.
In Figure 16-2, various Oracle components store their password verifiers in Oracle Internet Directory. Oracle Application Server Single Sign-On uses the same password as that for the directory, and hence stores it in the authPassword attribute.The other applications use different passwords and hence store their verifiers in orclPasswordVerifier attribute.
The following is an example of an application-specific verifier profile entry. Any application that chooses not to use the common verifier framework must create its own verifier profile entry, similar to the one given in the following example. The orclappid will be set to the GUID of the application container and it will also be used as a subtype in the verifier attributes authpassword and orclpasswordverifier.
dn: cn=IFSVerifierProfileEntry,cn=IFS,cn=Products,cn=OracleContext,o=Oracle,dc=com objectclass:top objectclass:orclpwdverifierprofile cn:IFSVerifierProfileEntry orclappid:8FF2DFD8203519C0E034080020C34C50 orclpwdverifierparams;authpassword: crypto:SASL/MDS $ realm:dc=com orclpwdverifierparams;orclpasswordverifier: crypto:ORCLLM orclpwdverifierparams;authpassword: crypto:ORCLWEBDAV $ realm:dc=com
$ usernameattribute: mail $ usernamecase: lower $ nodomain: TRUE
SASL/MD5 and ORCLWEBDAV verifiers are generated by using user name, realm, and password. The user name attribute to be used can be specified in the verifier profile entry. The case of the user name can also be specified as either upper or lower. The ORLWEBDAV verifier is generated by appending the name of the identity management realm to the user name. If this is not required, then the verifier profile entry must specify nodomain: TRUE.
In the previous example, ORCLWEBDAV verifier is generated by using the value of the mail attribute without appending the name of the realm. Also, the user name is converted to lower case before generating the verifier.
To save you from having to create a profile for each Oracle component, and to enable sharing of password verifiers across all components, Oracle Internet Directory provides a default set of password verifiers. The default verifier types are MD5, MD5-IFS (SASL/MD5 with the user name set to the value of the nickname attribute and realm = Authorized_Users), WEBDAV, ORCLLM, and ORCLNT.
Two profile entries are required: one for applications using personal identification numbers (PINs), which use numeric values only, and another for applications using alphanumeric passwords.
The verifiers for PIN-based applications—for example, the voice mail application in OracleAS Unified Messaging—are stored in the orclpasswordverifier;orclcommonpin attribute. The subtype orclcommonpin is used to distinguish numeric PINs from alphanumeric passwords. Any application that uses numeric PINs can directly query or compare against the attribute orclpasswordverifier;orclcommonpin.
The verifiers for alphanumeric password-based applications—for example, Oracle Internet File System—can be stored in either:
The authpassword;orclcommonpwd attribute—If an application requires its verifier to be synchronized with the userpassword attribute
The orclpasswordverifier;orclcommonpwd attribute—If synchronization with the userpassword attribute is not required
The subtype orclcommonpwd is used to distinguish alphanumeric passwords from numeric PINs. The verifier attributes subtyped by orclcommonpwd can be queried against.
These profile entries also contain the list of subscribed applications and these are specified as values in the uniquemember attribute in the profile entries. By default, the DN of the Oracle Application Server Single Sign-On identity is one of the subscribed applications. This means that Oracle Application Server Single Sign-On is a proxy member for all its partner applications. All applications not based on Oracle Application Server Single Sign-On must add their identities (DNs) to the uniquemember attribute in the appropriate profile entry.
The following is an example of the profile entries.
Cn=defaultSharedPwdProfileEntry, cn=common, cn=products, cn=oraclecontext Objectclass: orclpwdverifierprofile Cn: orclcommonpwdprofileentry Orclappid: orclcommonpwd Orclpwdverifierparams;authpassword: crypto:SASL/MD5 $ realm:Authorized_Users Orclpwdverifierparams;authpassword: crypto:ORCLWEBDAV $ realm:Authorized_Users Orclpwdverifierparams;authpassword: crypto:ORCLLM Orclpwdverifierparams;authpassword: crypto:ORCLNT Orclpwdverifierparams;orclpasswordverifier: crypto:SSHA Uniquemember: cn=SSO,cn=Products,cn=OracleContext Uniquemember: cn=IFS,cn=Products,cn=OracleContext Cn=defaultSharedPINProfileEntry, cn=common, cn=products, cn=oraclecontext Objectclass: orclpwdverifierprofile Cn: orclcommonpinprofileentry Orclappid: orclcommonpin Orclpwdverifierparams;orclpasswordverifier: crypto:MD5 Orclpwdverifierparams;orclpasswordverifier: crypto:SSHA Uniquemember: cn=SSO,cn=Products,cn=OracleContext Uniquemember: cn=Unified Messaging,cn=Products,cn=OracleContext
For PIN-based applications, authpassword is not an option. Such applications use the orclpasswordverifier attribute.
Figure 16-3 shows an example of password verification for an Oracle component. In this example, the Oracle component stores its password verifiers in the directory.
The user tries to log in to an application by entering a user name and a clear text password.
The application sends the clear text password to the directory server. If the application stores password verifiers in the directory, then the application requests the directory server to compare this password value with the corresponding one in the directory.
The directory server:
Generates a password verifier by using the hashing algorithm specified for the particular application
Compares this password verifier with the corresponding password verifiers in the directory. For the compare operation to be successful, the application must provide its appID as the subtype of the verifier attribute. For example:
ldapcompare -p389 -D "DN_of_the_appplication_entity" -w "password" \ -b "DN_of_the_user" -a orclpasswordverifier; appID \ -v password_of_the_user
Notifies the application of the results of the compare operation.
Depending on the message from the directory server, the application either authenticates the user or not.
If an application does not use the compare operation, then it:
Hashes the clear text password entered by the user
Retrieves from the directory the hashed value of the clear text password as entered by the user
Initiates a challenge to the user to which the client responds. If the response is correct, then the application authenticates the user.
You can use Oracle Directory Manager to view and modify password verifier profile entries.
To view an application's password verifiers:
In the navigator pane, expand Oracle Internet Directory Servers, then directory server instance.
Select Password Verifier Management. The right pane displays two columns:
Path to Password Verifier Entry column lists the full DN of each password verifier profile entry
Password Verifier Entry column lists the corresponding RDNs of each password verifier profile entry
Choose the password verifier you want to view. This displays the Password Verifier Profile dialog box for that password verifier. The fields in this dialog box are described in Table A-14.
To modify the hashing algorithm used to generate a password verifier, in the Password Verifier Profile dialog box, enter the new value in the Oracle Password Parameters field.
You can view and modify password verifier profiles by using command-line tools.
To view an application's password verifier, perform a search specifying the DN of the password verifier profile.
This example changes the hashing algorithm in an application password verifier profile entry. This password verifier synchronizes with the user's directory password.
ldapmodify -p 389 -h my_host -v <<EOF dn: cn=MyAppVerifierProfileEntry,cn=MyApp,cn=Products,cn=OracleContext, o=my_company,dc=com changetype: modify replace: orclPwdVerifierParams orclPwdVerifierParams;authPassword: crypto:SASL/MD5 $ realm:dc=com EOF
The password verifiers described previously are static password verifiers. That is, they are generated with preconfigured parameters, typically during application installation. Some applications, including Oracle Calendar, Oracle Email, and Oracle Wireless and Voice, require Oracle Internet Directory to generate dynamic password verifiers.
This section contains these topics:
Oracle Internet Directory generates a dynamic password verifier when an application requests one. Dynamic verifiers are based on application parameters that are not available until run time.
In order to generate a dynamic password verifier, Oracle Internet Directory needs a user password that was previously stored in a reversible encrypted format. Oracle Internet Directory stores such values in the operational attributes orclrevpwd and orclunsyncrevpwd. Encrypted values based on userpassword are stored in the parameter orclrevpwd. Encrypted values based on passwords other than userpassword, such as the numeric PINs used by Oracle Calendar, are stored in the parameter orclunsyncrevpwd.
If you are deploying applications that use userpassword and that need dynamic password verifiers, you must ensure that Oracle Internet Directory generates the orclrevpwd parameter. Oracle Internet Directory generates the attribute orclrevpwd when you provision a user if the attribute orclpwdencryptionenable in the realm password policy entry is set to 1. Therefore, you must set orclpwdencryptionenableto 1 before you provision users. Alternatively, if users were provisioned before you set orclpwdencryptionenable, all users must reset their user passwords to trigger the generation of the encrypted value.
If you are deploying applications that use a numeric PIN and that need dynamic password verifiers, you must ensure that Oracle Internet Directory can use the crypto type 3DES in order to generate the value stored in orclunsyncrevpwd. You must specify 3DES as a value of the attribute orclpwdverifierparams;orclpasswordverifier in the common verifier profile entry under the root oracle context. The default DN of this entry is cn=DefaultSharedPINProfileEntry,cn=Common,cn=Products, cn=OracleContext. To set the value, you would specify:
dn: cn=DefaultSharedPinProfileEntry, cn=Common,
cn=Products, cn=Oraclecontext
cn: DefaultSharedPinProfileEntry
orclappid: orclcommonpin
orclpwdverifierparams;orclpasswordverifier: crypto:MD5
orclpwdverifierparams;orclpasswordverifier: crypto:3DES
