Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite. ANDREJS PROKOPJEVS, Lead Applications Database Consultant

Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition)


Page 1: Password Policies in Oracle Access Manager. How to improve user authentication security for your Oracle E-Business Suite environment. (UKOUG APPS16 edition)

Password Policies in Oracle Access Manager
How to improve user authentication security for your Oracle E-Business Suite.

ANDREJS PROKOPJEVS
Lead Applications Database Consultant

Page 2

About me

© 2016 Pythian 2

Apps DBA from Riga, Latvia.

Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.

Andrejs Prokopjevs
Lead Applications Database Consultant

At Pythian since 2011

@aprokopjevs

[email protected]

https://www.pythian.com/blog/author/prokopjevs/

Page 3

ABOUT PYTHIAN

Pythian’s 400+ IT professionals help companies adopt and manage disruptive technologies to better compete

Page 4

TECHNICAL EXPERTISE


Infrastructure: Transforming and managing the IT infrastructure that supports the business

DevOps: Providing critical velocity in software deployment by adopting DevOps practices

Cloud: Using the disruptive nature of cloud for accelerated, cost-effective growth

Databases: Ensuring databases are reliable, secure, available and continuously optimized

Big Data: Harnessing the transformative power of data on a massive scale

Advanced Analytics: Mining data for insights & business transformation using data science

Page 5

Systems currently managed by Pythian

EXPERIENCED

Pythian experts in 35 countries

GLOBAL

Millennia of experience gathered and shared over

19 years

EXPERTS

11,800 2400

Page 6

THE TOP 1.5% GLOBALLY


2015 Resumes Reviewed:

12,711

Behavioral Interviews Conducted:

394

Technical Tests Sent: 4062, Passed: 562

Job Offers Made: 189, Accepted: 174

Page 7

We are hiring !!!

Please visit: https://www.pythian.com/careers/

HOT !!! Oracle Apps DBA position in APAC region.

Page 8

Agenda

• Current Oracle E-Business Suite password security limitations.
• Implementation of password policy management in Oracle Access Manager releases. Comparing the capabilities and why you should upgrade your OAM to the latest 11gR2.
• A use case example of the most common configuration.
• Demo.

Page 9

Why is this important?

Page 10

Why is this important?

• #1 – We now live in the “cloud” era.

• Fewer people and organizations store their sensitive private data in an isolated local segment.

• Cloud services (SaaS / PaaS).
• And the shift is still only beginning.

• Personal examples:

• Corporate examples:

Page 11

Why is this important?

• #2 – Today’s hardware capacity.

• Modern CPU power is large enough that it might take only “seconds” to break your weak password.

• Examples:
  ▪ Standard dictionary word password: hours / days / weeks online, seconds offline.
  ▪ At least 10 characters with special characters: centuries online, years offline.

• Any idea how these statistics will change in the next 5-10 years?

Page 12

Why is this important?

• #3 – Social Engineering.

• One of the most dreadful security concerns today.

• Examples: Facebook / Instagram / Twitter / etc.

Page 13

Why is this important?

• #4 – Let us remember a few recent cases.

• August 2014 – the famous iCloud leak of 10+ celebrities’ photos.
• May 2016 – 100 million LinkedIn member emails and password hashes, leaked in 2012.
• August 2016 – 68 million Dropbox logins and password hashes, leaked in 2012.
• September 2016 – at least 500 million Yahoo accounts; the leak dates back to late 2014.
• October 2016 – AdultFriendFinder – 339 million names, addresses and phone numbers. Stolen data stretched back over the last 20 years. Affected sites: Cams.com, iCams.com, and Stripshow.com, as well as Penthouse.com.

Page 14

Why is this important?

Page 15

A few guidelines… as a starter

• #1 – Master rule – everything that is shared online must be considered “public”, regardless of the “privacy rules” set.

• #2 – Your password is the first line of defense. It is in your power to make it stronger.

• #3 – Today’s must-have – Two-Factor Authentication. Configure and use it everywhere the cloud service provides support for it.

Page 16

Oracle E-Business Suite

Page 17

So what about Oracle E-Business Suite?

• Is it somehow different, so that password security is not a concern?
• NO! Username / Password is the same first line of defense.

• My EBS instance is not a cloud service, it is isolated in my local network, why should I care?
• “Isolated in my local network” doesn’t mean you are not vulnerable.
• VPN / Work From Home / Bring Your Own Device is a risk.
• Internal threat.

• We are doing bi-yearly security awareness training.
• That’s great. But it’s not a 100% guarantee, is it? Enforcing password policies in your organization is something that could make that guarantee much stronger.

Page 18

Standard password policy in Oracle E-Business Suite

• SIGNON_PASSWORD_% profile options.

Page 19

Standard password policy in Oracle E-Business Suite

• SIGNON_PASSWORD_% profile options.

• Signon Password Case (SIGNON_PASSWORD_CASE).
  ▪ Case sensitivity for passwords.
• Signon Password Custom (SIGNON_PASSWORD_CUSTOM).
  ▪ Custom Java class which enables the use of a custom, client-specific password policy.
• Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT).
  ▪ Max number of unsuccessful login attempts before the lockout.
• Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS).
  ▪ Enables password requirements: 1) at least one letter and at least one number, 2) doesn’t contain the username, 3) doesn’t contain repeating characters.
• Signon Password Length (SIGNON_PASSWORD_LENGTH).
  ▪ Minimum length of a password.
• Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE).
  ▪ Number of days before an earlier used password can be reused.

• Apart from some cosmetic changes this hasn’t changed since 11i (10+ years).

Page 20

Standard password policy in Oracle E-Business Suite

• Security User Define form (FNDSCAUS).
• Password expiration.
  ▪ Days – password lifetime.
  ▪ Accesses – how many times
  ▪ None – no expiration.

• Password expiration is handled on a user level. There is no centralized control !!!

Page 21

Does it look like a modern password policy of year 2016?

• Not really. :(
• But we have “Signon Password Custom” available.

• Custom Java class.

• Loaded to the database.
  ▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java

• Do I need to learn Java now and support this custom class? Do I need to code all these rules myself?

package oracle.apps.fnd.security;
...
if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) {
    return true;
} else {
    return false;
}

Page 22

Does it look like a modern password policy of year 2016?

Page 23

Standard password policy in Oracle E-Business Suite

• Non-reversible hash support for passwords.
• R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID 457166.1)
  ▪ R12.1.x – Patch 21276707:R12.FND.B
  ▪ R12.2.3+ – Patch 21276707:R12.FND.C
  ▪ SHA-1 is being deprecated.

Page 24

Oracle Access Manager

Page 25

History of the Password Policy implementation

• Oracle Single Sign-On 10g

• Password policy is controlled by the Oracle Internet Directory standard password policies.
• /sso/ and /oiddas/ pages support the UI.
• Full password lifecycle is managed, with some limitations.
• Full user management suite.

Page 26

History of the Password Policy implementation

• Oracle Access Manager 10g

• Bound to Identity Server only.
• Full user management suite through Identity Server. Full password lifecycle is managed.
• Based on Oblix schema object classes and attributes.
• The LDAP directory’s own policies should be the same or weaker, or even just disabled.

• “validate_password” is the only standard plugin that supports the built-in password policy functionality and UI pages.

• 0 successful production implementations seen in practice. Mostly because of the customization requirements (multi-domain support, multiple user base sub-trees, non-Oblix schema attribute requirements, and more).

• Adding C-based custom plugin changes or external custom UI pages is always evaluated as too costly and unnecessary effort. Usually replaced with an external User Management system directly managing the LDAP directory.

Page 27

History of the Password Policy implementation

• Oracle Access Manager 11g Release 1

• Independent Oracle Access Manager is finally here.
• You can use *any* LDAP directory. There is no dependency on schema or attributes.
• But... Password policies are removed. :(
• You can use the LDAP directory’s own policies, but they are not smoothly handled during the login process. If something is not right – at best an LDAP error in the oam_server1 logs, and just a System error in the UI.

• Only Oracle Identity Manager (OIM) integration with OAM provides the full user management suite, the desired password policy implementation, and UI support for the full password lifecycle.

• $$$ :)

Page 28

History of the Password Policy implementation

• Oracle Access Manager 11g Release 2

• Same cool independent Oracle Access Manager as 11gR1, overall.
• But on steroids (integrated federation, mobile and social, and many more).
• Password policies are back. :)
• The LDAP directory’s own policies should be the same or weaker, or disabled.

• Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more advanced” policy implementation, UI support for the full password lifecycle, and full user management suite.

• $$$ :) … nothing changed

Page 29

OAM 11gR2 native password policy – what is it?

• Most of the current modern rules are there.

• Expiration and Lockout support.

• Provides the “UserPasswordPolicyPlugin” Authentication Plugin that can be used with various types of authentication workflow.

Page 30

OAM 11gR2 native password policy – what is it?

• It is still based on OAM 10g Oblix schema object classes and attributes.
• But only the ones related to password management are mandatory.
• For user data reference you have a choice. Usable for OAM 10g upgrade use cases.
• List:
  ▪ obPasswordCreationDate
  ▪ obPasswordHistory
  ▪ obPasswordChangeFlag
  ▪ obuseraccountcontrol
  ▪ obpasswordexpirydate
  ▪ obLockoutTime
  ▪ obLoginTrvCount
  ▪ oblastsuccessfullogin
  ▪ oblastfailedlogin

• It is not mandatory to pre-assign Oblix object classes to your existing user entries.

• IMPORTANT: the Bind DN user configured in the User Identity Store must have the required ACI permissions to adjust these attributes !!!

Page 31

OAM 11gR2 native password policy – what is it NOT?

• It is NOT a complete password lifecycle management tool.
• Self service is missing (on-demand password change, forgot your password).

• Standard password management pages are not operational without a valid OAM user authentication request process (request_id).
• Direct access just ends with a System error.

• Customization is a solution.
• Login page customization is supported by both ECC and DCC.
• Password Policy page customization is supported only by DCC.
  ▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD SERVICE PAGES
  ▪ Was targeted for release 11.1.2.3.0, but it’s not there yet.

• Or implement OIM. $$$ :)

Page 32

More advantages of Oracle Access Manager

• Windows Native Authentication
• Kerberos / RADIUS
• Certificates

• Social (Google, Facebook, more)

• Multi-Step authentication support.
• RSA (same RADIUS)
• OTP – Oracle Mobile Authenticator


Sorry Windows Mobile users…

Page 33

Licensing

• Usage of Oracle Access Manager requires an additional license. It is not included in the E-Business Suite licensing model.

• Oracle EBS Single Sign-On implementation requires an Oracle Internet Directory (Oracle Unified Directory supported from R12.2.5 only) – again licensed separately.

• Standard pack:
  ▪ Oracle Directory Services Plus.
  ▪ Oracle Access Manager.
  ▪ Both are covered by the Oracle Identity and Access Management Suite Plus license pack.

• Also includes Oracle Identity Manager.
  ▪ A separate database license is not required if the database is used only for Metadata Repository data.

• “Extra” features of OAM require additional licensing.
  ▪ Like Mobile and Social for OTP.

Page 34

Candy

• What to do if you have an allergy to the overhead of additional components that you do not want, do not need and do not want to license?

• Challenge #1: Web server protection.
• You can replace mod_webgate with something else, like mod_auth_kerb (WNA).

• Challenge #2: What to do with EBS, OID or OUD?
• Leave your EBS local, as it was before SSO.
• Write your own authentication solution (ebsSDK).
• mod_rewrite: redirect your AppsLocalLogin.jsp to your own authentication processing.

Page 35

Example of most common configuration

Page 36

Configuring the password policy

• OAM Console
• Application Security – Password Policy

• Full reference:
  ▪ Fusion Middleware Administrator's Guide for Oracle Access Management
  ▪ 24.3.1 Password Policy Configuration Page
  ▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-7850A074-9EE3-45EE-9150-5DD96B9D13CD.htm#GUID-200E3E90-21CC-439C-BF4E-0468CA455148__BABDBBHE

Page 37

Configuring the password policy

• OAM Console
• Application Security – Password Policy

• The Console does its own math. If the numbers do not add up, there will be a warning about it.
• Example: if we put the value 1 into both the Minimum Uppercase and Minimum Lowercase Characters fields, Minimum Alphabetic Characters is expected to be the sum.
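The rules from slide 19 (at least one letter and one number, no username, no repeating characters, minimum length, case sensitivity) and the console arithmetic above can be expressed as one checker. The block below is an added example written for this page, not Oracle code and not the Java interface a SIGNON_PASSWORD_CUSTOM class implements; it is in Python for demonstration, and it assumes that “repeating characters” means adjacent identical characters, that the username check is case-insensitive, and a last-N-passwords history model in place of the day count.

```python
"""Password-rule checker modelled on the rules this deck lists (added example,
not Oracle code).  It combines the EBS SIGNON_PASSWORD_% behaviour from slide 19
(minimum length, "hard to guess", case sensitivity) with the character-class
minimums of the OAM 11gR2 Password Policy page, including the console's own
consistency rule from slide 37: Minimum Alphabetic Characters must be at least
Minimum Uppercase + Minimum Lowercase.

Assumptions not spelled out in the deck:
- "repeating characters" means two identical characters in a row;
- the username check is case-insensitive;
- history is modelled as the last N passwords, not as a day count.
"""
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8            # SIGNON_PASSWORD_LENGTH
    hard_to_guess: bool = True     # SIGNON_PASSWORD_HARD_TO_GUESS
    case_sensitive: bool = True    # SIGNON_PASSWORD_CASE
    min_uppercase: int = 1         # OAM console: Minimum Uppercase Characters
    min_lowercase: int = 1         # OAM console: Minimum Lowercase Characters
    min_alphabetic: int = 2        # OAM console: Minimum Alphabetic Characters
    min_numeric: int = 1           # OAM console: Minimum Numeric Characters
    min_special: int = 1           # OAM console: Minimum Special Characters
    history_size: int = 5          # simplified SIGNON_PASSWORD_NO_REUSE (assumption)

    def consistency_warnings(self) -> list[str]:
        """Re-create the arithmetic the OAM console does before saving a policy."""
        warnings = []
        if self.min_alphabetic < self.min_uppercase + self.min_lowercase:
            warnings.append("min_alphabetic below min_uppercase + min_lowercase")
        if self.min_length < self.min_alphabetic + self.min_numeric + self.min_special:
            warnings.append("min_length below the sum of the character-class minimums")
        return warnings


def _normalise(policy: PasswordPolicy, value: str) -> str:
    """Fold case when the policy is case-insensitive (SIGNON_PASSWORD_CASE)."""
    return value if policy.case_sensitive else value.casefold()


def validate(policy: PasswordPolicy, username: str, password: str,
             history: tuple[str, ...] = ()) -> list[str]:
    """Return the codes of every violated rule; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append("too_short")

    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = sum(c in string.punctuation for c in password)
    for count, minimum, code in (
        (upper, policy.min_uppercase, "min_uppercase"),
        (lower, policy.min_lowercase, "min_lowercase"),
        (upper + lower, policy.min_alphabetic, "min_alphabetic"),
        (digits, policy.min_numeric, "min_numeric"),
        (special, policy.min_special, "min_special"),
    ):
        if count < minimum:
            problems.append(code)

    if policy.hard_to_guess:
        # Rule 1: at least one letter and at least one number.
        if not (any(c.isalpha() for c in password) and digits):
            problems.append("needs_letter_and_digit")
        # Rule 2: must not contain the username (assumed case-insensitive).
        if username and username.casefold() in password.casefold():
            problems.append("contains_username")
        # Rule 3: no repeating characters (assumed: none adjacent).
        if any(a == b for a, b in zip(password, password[1:])):
            problems.append("repeating_characters")

    # Reuse check against the remembered history (simplified model, see above).
    recent = [_normalise(policy, p) for p in history[-policy.history_size:]]
    if _normalise(policy, password) in recent:
        problems.append("reused")
    return problems
```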

Page 38

User Identity Store

• OAM Console
• Configuration – User Identity Stores

• The Password Management feature must be enabled.
• “Use Oblix User Schema” should not be enabled, as we are using the standard Oracle schema.
• The other 4 parameters need to point to the correct attributes for the “Can Include X” policy setting verification.

Page 39

User Identity Store

• OAM Console
• Configuration – User Identity Stores

• Do not forget about the mandatory Oblix attributes in use!
• The “Bind DN” LDAP user should have WRITE permissions to manage these attributes.
• Also to add the required object classes to the user entry if found missing.

• Do not use a super user account like I do here :)

Page 40

User Identity Store

• ACI grant example (Oracle Unified Directory)


ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow (read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag || obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount || oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user attribute level aci write example"; allow (write) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
EOF

Page 41

User Identity Store

• Reminder about the LDAP directory’s own password policy.
• The policy should be set the same or weaker.
• Or just completely disabled.

Page 42

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Let us create a new module with the name “LDAP_EBS_with_password_policy”.

Page 43

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• 3 steps need to be configured. “User Password Status Step” is the one for the policy.

Page 44

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Identification Step
  ▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME})
  ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore)
  ▪ KEY_SEARCH_BASE_URL: leave empty for the plugin to use the default Identity Store’s User Search Base DN.

Page 45

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Authentication Step
  ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore)
  ▪ KEY_PROP_AUTHN_EXCEPTION: Enable or disable the propagation of LDAP errors. Must be TRUE if the password policy plugin is used in the chain.
  ▪ KEY_ENABLE_AUTHN_FAILOVER and KEY_PROP_AUTHN_LEVEL: These parameters are not yet documented.

Page 46

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Password Status Step
  ▪ PLUGIN_EXECUTION_MODE: This plugin can be used as a replacement for the User Authentication Plugin too. We are going to set it to PSWDONLY to be a separate 3rd step.
  ▪ OBJECTCLASS_EXTENSION_SUPPORTED: Must be set to TRUE in order to automatically adjust affected user entries with Oblix object classes.
  ▪ KEY_IDENTITY_STORE_REF: your EBS User Identity Store (OIDIdentityStore)

Page 47

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• User Password Status Step
  ▪ URL_ACTION: Redirection behavior between the pages. Default: REDIRECT_POST.
  ▪ NEW_USERPSWD_BEHAVIOR: Action for a new user not yet marked by the policy. We’ll use FORCEPASSWORDCHANGE.
    • Actually it should be FORCECHANGEPASSWORD.
    • Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password Changes for Existing Passwords Not Working (Doc ID 1563172.1)
    • Documentation bug.
  ▪ POLICY_SCHEMA: Just OAM10G, as everything is based on Oblix schema standards.
  ▪ CHALLENGES_SUPPORTED: This parameter is not yet documented. Default: FALSE.
  ▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE.

Page 48

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Full parameter reference
  ▪ Fusion Middleware Administrator's Guide for Oracle Access Management
  ▪ Table 24-8 User Password Step Details
  ▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-81A9-859EC85AEA80__CFFEHBFJ

Page 49

Authentication module

• OAM Console
• Application Security – Plug-ins – Authentication Modules

• Workflow

Page 50

Configure EBS to use the new Authentication Module

• OAM Console
• Application Security – Access Manager – Authentication Schemes

• Expecting that EBS is already integrated.
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)

• EBSAuthScheme
• Authentication Module: LDAP_EBS_with_password_policy
• Challenge Parameters: OverrideRetryLimit=0

Page 51

Testing

• Did I forget something important to mention?

• Hint:


<LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute oblastsuccessfullogin which is not allowed by any of the objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'

Page 52

LDAP directory schema extension

• We forgot the Oblix schema extension.
• Reference:
  ▪ Fusion Middleware Administrator's Guide for Oracle Access Management
  ▪ Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers
  ▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-9AECAC56AD53.htm#GUID-48382B33-54CB-407D-8CAA-2A69CDEA50FB__CFFEJEEE

• OUD example:
  ▪ Object classes: oblixPersonPwdPolicy and oblixorgperson
  ▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol, obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin

ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd -f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif
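A pre-flight check that ties together the attribute list from slide 30, the object classes named above and the LIBOVD-40082 error shown on slide 51; this is an added example, not Oracle code. The user LDIF is a constructed sample, the log line is the one quoted in the deck, and the schema LDIF path is the one used above.

```python
"""Pre-flight check for the Oblix password-policy schema (added example, not
Oracle code).  Slide 30 lists the attributes the UserPasswordPolicyPlugin
writes, slide 52 names the object classes that allow them, and slide 51 shows
the LIBOVD-40082 schema violation you get when the directory schema was never
extended.  Two helpers: one explains such a log line, the other reports which
Oblix object classes a user entry (given as minimal LDIF) still lacks.
The LDIF below is a constructed sample; the log line is the one from the deck.
"""
from __future__ import annotations

import re

# Attributes from slide 30 (compared case-insensitively, as LDAP does).
OBLIX_PWD_ATTRS = frozenset(a.lower() for a in (
    "obPasswordCreationDate", "obPasswordHistory", "obPasswordChangeFlag",
    "obuseraccountcontrol", "obpasswordexpirydate", "obLockoutTime",
    "obLoginTrvCount", "oblastsuccessfullogin", "oblastfailedlogin",
))
# Object classes from slide 52 that make those attributes legal on a user entry.
OBLIX_OBJECT_CLASSES = ("oblixPersonPwdPolicy", "oblixorgperson")
# LDIF the deck loads into OUD to extend the schema (relative to $OAM_HOME).
SCHEMA_LDIF = "oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif"

_VIOLATION = re.compile(
    r"Entry (?P<dn>\S+) violates the Directory Server schema configuration "
    r"because it includes attribute (?P<attr>\S+) which is not allowed"
)


def diagnose_schema_violation(log_line: str) -> dict | None:
    """Explain an 'LDAP: error code 65' line; None if the line is something else."""
    match = _VIOLATION.search(log_line)
    if match is None:
        return None
    attr = match.group("attr")
    is_oblix = attr.lower() in OBLIX_PWD_ATTRS
    return {
        "dn": match.group("dn"),
        "attribute": attr,
        "oblix_attribute": is_oblix,
        "advice": (
            f"Oblix schema extension missing: load {SCHEMA_LDIF} with ldapmodify, "
            "then OBJECTCLASS_EXTENSION_SUPPORTED=TRUE can add the object classes"
            if is_oblix else "schema problem unrelated to the OAM password policy"
        ),
    }


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one plain LDIF entry into {attribute-lowercased: [values]}; '#' lines are comments."""
    entry: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_oblix_classes(entry: dict[str, list[str]]) -> list[str]:
    """Object classes from slide 52 that the entry does not carry yet."""
    present = {v.lower() for v in entry.get("objectclass", [])}
    return [oc for oc in OBLIX_OBJECT_CLASSES if oc.lower() not in present]


# Constructed sample: a typical EBS-style user before the plugin touched it.
SAMPLE_USER_LDIF = """\
dn: cn=testuser1,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: testuser1
uid: testuser1
"""

# Log line quoted on slide 51.
SAMPLE_LOG_LINE = (
    "<LIBOVD-40082> <Could not modify entry.javax.naming.directory."
    "SchemaViolationException: [LDAP: error code 65 - Entry "
    "cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because "
    "the resulting entry would have violated the server schema: Entry "
    "cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server "
    "schema configuration because it includes attribute oblastsuccessfullogin "
    "which is not allowed by any of the objectclasses defined in that entry]"
)

if __name__ == "__main__":
    print(diagnose_schema_violation(SAMPLE_LOG_LINE))
    print(missing_oblix_classes(parse_ldif_entry(SAMPLE_USER_LDIF)))
```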

Page 53

Summary

• Even the latest R12.2.6 does not meet today’s modern password policy standards out-of-the-box. We can code a custom Java class, but that requires Java skills, courage and good release management.

• Oracle Access Manager is the only certified SSO solution for EBS. It supports today’s standards, but costs additional resources as it is a separate component and separately licensed.

• 11gR2 upgrade is highly recommended. It provides support for other, more secure authentication methods, like Multi-Step Authentication and OTP usage.

• Password policy setup is well documented and quite straightforward.
• Except for a few nuances noted. :)

Page 54

Demo

Page 55

THANK YOU

Q & A