Oracle Database
Connector name | agtora
Connector type | Executable
Type (UI field value) | Oracle Database
Target system versions supported / tested |
Connector status / support | Bravura Security-Verified: this connector has been tested and is fully supported by Bravura Security.
Bravura Security Fabric can manage database-level accounts using the connector agtora for Oracle. Bravura Security Fabric can bind to any Oracle DBMS server (version 11.2+) using OCI, and issue SQL commands to enumerate users (SELECT), validate current passwords (test bind or SELECT), and reset passwords (ALTER USER, UPDATE, or invoke a stored procedure).
The Bravura Security Fabric administrator can specify alternate SQL commands, and therefore can manage application passwords as well as DBMS connect passwords.
Bravura Security Fabric can create, delete, enable, disable, modify, and rename database users in any specified Oracle server. It creates new Oracle users by cloning existing ones, copying and adjusting their roles and privileges in the process. It can also manage the membership of Oracle database users in Oracle database roles.
The following Bravura Security Fabric operations are supported by this connector:
user verify password
get server information
user change password
administrator reset password
administrator verify password
enable account
disable account
check account enabled
unlock account
create account
delete account
add user to group
delete user from group
create group
delete group
update attributes
run command
List:
accounts
attributes
groups
members
Note
Bravura Security Fabric supports group management on Oracle database targets, using what Oracle refers to as roles.
For a full list and explanation of each connector operation, see Connector operations.
Bravura Security Fabric can also manage passwords for accounts defined wholly within an Oracle application in tables, rather than database-level accounts, using the scripted connector for Oracle Database Hosted Applications (agtorascript). See Oracle Database Hosted Applications for details.
In either case, no software is installed on the Oracle database server.
Preparation
Before Bravura Security Fabric can manage database-level accounts in Oracle, you must:
Install the client software.
Configure a target administrator.
Create at least one template account.
Note
The following instructions are for Oracle database 19c. Details may vary depending on your version of the software. The client software must be at least version 11.2.
Installing client software
Bravura Security Fabric communicates with the Oracle server via OCI. Before you can target Oracle database, you must install the Oracle Client (Administrator) on the Bravura Security Fabric server.
The 64-bit version of the Oracle Client is required for Connector Pack 3.0 and higher.
Add a TNS entry for the Oracle database on which Bravura Security Fabric will manage accounts. To do this:
On the Bravura Security Fabric server, launch Oracle Net Configuration Assistant.
Select Local Net Service Name.
Click Next.
Click Add on the page.
Click Next.
Type the Oracle service name on the page.
Click Next.
Select a network protocol on the page.
Click Next.
Type the Oracle database server's Host Name and Port Number.
Ensure that you can connect to the database using a valid user name and password during testing.
Click Next.
Type the Net Service Name.
Remember this Net Service Name: it is needed for the local naming method connection when adding the target system to Bravura Security Fabric.
Click Next to finish.
Alternatively, you can set up the connection to the Oracle database server using a tnsnames.ora file provided by your Oracle database administrator. See your Oracle documentation for how to specify a connection by configuring a tnsnames.ora file without using Oracle Net Configuration Assistant (NetCA).
Ensure that the ORACLE_HOME environment variable is set to a valid Oracle home directory which contains OCI.dll. The value of this environment variable must be set either system-wide or for the psadmin local user.
Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, PSADMIN) on the Oracle database server to perform operations.
The target system administrator account requires, at minimum, privileges to access the Oracle system tables listed below in order to manage users, roles and privileges. When targeting an Oracle pluggable database (Oracle 12c or newer) with a target system administrator that is a local user, privileges to access common objects are also needed. The required privileges may vary depending on the operations supported or required:
connect sys/<sysdbapassword> as sysdba;
-- Create the target admin
-- Note that Oracle stores the target administrator account's user ID in uppercase
-- unless you enclose it in quotes
create user PSADMIN
identified by "<password>"
-- Optional
default tablespace USERS
temporary tablespace TEMP;
-- Create session
grant CREATE SESSION to PSADMIN;
-- Listing accounts
grant select on sys.dba_users to PSADMIN;
-- Listing groups and group owners (aka Oracle roles)
grant select on sys.dba_role_privs to PSADMIN;
grant select on sys.dba_roles to PSADMIN;
-- Listing account attributes
grant select on sys.dba_ts_quotas to PSADMIN;
grant select on sys.dba_rsrc_consumer_group_privs to PSADMIN;
grant select on sys.dba_tab_privs to PSADMIN;
grant select on sys.dba_sys_privs to PSADMIN;
grant select on sys.proxy_users to PSADMIN;
grant select on sys.user$ to PSADMIN;
grant select on sys.dba_profiles to PSADMIN;
-- Password reset/lock/unlock of an account
grant alter user to PSADMIN;
grant select on sys.user$ to PSADMIN;
grant select on sys.dba_profiles to PSADMIN;
-- Creating an account
grant create user to PSADMIN;
-- Deleting an account
grant drop user to PSADMIN;
-- Adding/removing an account to/from a group (aka Oracle role)
grant grant any role to PSADMIN;
-- To allow special groups (RESOURCE,DBA) include the following:
-- grant grant any privilege to PSADMIN;
-- Creating/Deleting a group (aka Oracle role)
grant create role to PSADMIN;
grant drop any role to PSADMIN;
Note
Add the prefix C## or c## to the target system administrator account name if the account is created as a common user in an Oracle root container database. If the target system administrator account is created as a local user in an Oracle pluggable database and that pluggable database is configured as a target system, also grant the account permissions to access common roles, objects and so on.
The connector agtora also supports external authentication by using Windows user login credentials to authenticate the target system administrator. Consult Oracle documentation for more details regarding how to create Oracle database users authenticated externally.
Ensure that you set and note the account's password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
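The grant script above is the least-privilege set the connector needs; the following added example (not part of the Bravura documentation or the agtora connector) audits what the target administrator actually holds against that set, flags missing or extra system privileges, and shows whether the account is common or local, which matters for the container-database note. It assumes SQL*Plus or SQLcl, a DBA session (for example SYS AS SYSDBA), and the account name PSADMIN from the script.

```sql
-- Added example: audit PSADMIN's grants against the page's least-privilege set.
-- Assumes SQL*Plus/SQLcl syntax (DEFINE and &substitution) and a DBA session.
define admin = 'PSADMIN'

-- Which container are we connected to, and is the account common or local?
-- (CON_NAME and the COMMON column exist on 12c and later; the page targets 19c.)
select sys_context('USERENV', 'CON_NAME') as container,
       u.username, u.common, u.account_status
  from dba_users u
 where u.username = '&admin';

-- Expected system privileges, exactly as listed in the page's grant script.
-- MISSING = required by a connector operation but not granted.
-- EXTRA   = granted but not in the list; GRANT ANY PRIVILEGE is the one to
--           watch, since the page only suggests it for RESOURCE/DBA membership.
with expected (priv) as (
  select 'CREATE SESSION' from dual union all
  select 'ALTER USER'     from dual union all
  select 'CREATE USER'    from dual union all
  select 'DROP USER'      from dual union all
  select 'GRANT ANY ROLE' from dual union all
  select 'CREATE ROLE'    from dual union all
  select 'DROP ANY ROLE'  from dual
),
actual as (
  select privilege as priv, admin_option
    from dba_sys_privs
   where grantee = '&admin'
)
select coalesce(e.priv, a.priv) as privilege,
       case when a.priv is null then 'MISSING'
            when e.priv is null then 'EXTRA'
            else 'OK' end as status,
       a.admin_option
  from expected e
  full outer join actual a on a.priv = e.priv
 order by status, privilege;

-- Object grants: the script only grants SELECT on SYS views and SYS.USER$.
-- Any other privilege, owner, or a grantable = YES row deserves a second look.
select owner, table_name, privilege, grantable
  from dba_tab_privs
 where grantee = '&admin'
 order by owner, table_name, privilege;
```

Rows marked EXTRA that were added deliberately (for example GRANT ANY PRIVILEGE for the RESOURCE/DBA groups) should be documented with the target, so the next audit does not treat them as drift.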
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new Oracle accounts. The following example illustrates how you can create a template account on your Oracle server:
create user IDM_TEMP_ACCT identified by Out_standing1 default tablespace EXAMPLE quota 10M on EXAMPLE profile APP_USER password expire;
See your database administrator or Oracle documentation for more information if required.
Targeting an Oracle Database
For each Oracle database, add a target system (Manage the system > Resources > Target systems):
Type is Oracle Database.
Address:
Server: the TNS Name (Net Service Name) configured previously, or a TNS entry.
Alternatively, you can specify the connect descriptor; for example:
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=hostdbsvr)(PORT = 1521)))(CONNECT_DATA=(SID=ORACLE)(SERVER=DEDICATED)))
(key: server)
Authentication type: the target system administrator authentication type, either "Database" or "External"; the default is "Database".
(key: authType)
Administrator ID and Password are the login ID and password for the target system administrator you configured in earlier.
When external authentication is selected, set Administrator ID and Password to the Windows login user's credentials, in the format <DOMAIN>\<USERNAME>. Ensure the runas option is enabled for the administrator. Also ensure NTS is enabled in sqlnet.ora.
If the target administrator’s ID contains lowercase characters, enclose it in double quotes.
Bravura Security Fabric normally connects to Oracle database with "SYSTEM" administrator privileges. Higher level privileges may be required; for example, for create user or reset password operations. To allow Bravura Security Fabric to connect with "sysdba" privileges, specify the administrator ID followed by /SYSDBA (all uppercase), for example, sys/SYSDBA .
The full list of target system parameters is explained in Target system options.
Handling account attributes
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select Oracle Database from the Manage the system > Resources > Account attributes > Target system type menu.
This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior in Oracle. For information about the native Oracle attributes managed by Bravura Security Fabric, consult your Oracle documentation.
account_status
The account status of a user can be set to OPEN, LOCKED, EXPIRED, or EXPIRED & LOCKED.
The following attribute values must be specified in the format <option name>=<value>, where each option/value pair is separated by a comma:
consumer_group
Corresponds to the Granted switch privilege
granted_group=DEFAULT_CONSUMER_GROUP, grant_option=NO, initial_group=YES
object_privileges
Object privileges (grants) granted to a user
object_name=DBA_USERS, privilege=SELECT, grant_option=NO
quotas
The tablespace in which a user can allocate space, and the maximum amount of space the user can allocate in each tablespace
tablespace_name=DBA_USERS, max_bytes=10485760
To specify an unlimited quota, set max_bytes to -1.
roles
Roles granted to a user, including the ability to grant the role to other users
tablespace_name=DBA_USERS, max_bytes=10485760
system_privileges
Privileges granted to a user, including the ability to grant the privilege to other users
privilege=CREATE SESSION, admin_option=NO
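The attribute values above come from the same SYS views that the preparation section grants SELECT on. This added example (not connector code) reads them back for one account and composes them in the <option name>=<value> format described here, which is a quick way to confirm what a managed account currently has before or after an update. It assumes SQL*Plus or SQLcl, a session holding those SELECT grants (PSADMIN qualifies), and uses the page's template account IDM_TEMP_ACCT as sample input; no role-specific option names are shown on this page, so the roles query returns the raw view columns.

```sql
-- Added example: read back a managed account's attributes in the page's
-- option=value format. Assumes SQL*Plus/SQLcl and SELECT on the SYS views.
define usr = 'IDM_TEMP_ACCT'

-- account_status: OPEN, LOCKED, EXPIRED or EXPIRED & LOCKED
select 'account_status=' || account_status as value
  from dba_users
 where username = '&usr';

-- consumer_group: granted switch privilege (one row per group)
select 'granted_group=' || granted_group
       || ', grant_option=' || grant_option
       || ', initial_group=' || initial_group as value
  from dba_rsrc_consumer_group_privs
 where grantee = '&usr';

-- object_privileges: one row per object grant
select 'object_name=' || table_name
       || ', privilege=' || privilege
       || ', grant_option=' || grantable as value
  from dba_tab_privs
 where grantee = '&usr';

-- quotas: one row per tablespace; max_bytes = -1 is an unlimited quota
select 'tablespace_name=' || tablespace_name
       || ', max_bytes=' || max_bytes as value
  from dba_ts_quotas
 where username = '&usr';

-- roles: the page gives no option names, so return the columns directly
select granted_role, admin_option, default_role
  from dba_role_privs
 where grantee = '&usr';

-- system_privileges: one row per privilege, with the admin option flag
select 'privilege=' || privilege
       || ', admin_option=' || admin_option as value
  from dba_sys_privs
 where grantee = '&usr';
```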
Troubleshooting
If you experience any problems, verify that:
The Oracle client software is installed on the Bravura Security Fabric server.
The Oracle libraries are on the system-wide search path (PATH variable). If not, add the appropriate directory to the PATH environment variable and restart the Bravura Security Fabric server.
The ORACLE_HOME environment variable is set to the directory containing OCI.dll.
The Bravura Security Fabric server has been restarted after installing the Oracle client. The restart is required so that the web server can read the new PATH.
You can use the TNSPING program, included with the Oracle client, to test your target system address.
You can issue an alter user command on each Oracle database to reset a user’s password while logged in with the administrative account.
Ensure the Oracle database is open when the target system is a pluggable database and the target administrator is not one of the built-in accounts SYSDBA, SYSOPER, SYSBACKUP, or SYSDG.
The name of every user-created common user must begin with the characters c## or C##; no local user name may begin with c## or C##.
The Oracle database connector follows Oracle's own rules, so certain operations cannot proceed on some database types targeted by Bravura Security Fabric. For example, resetting a common user's password when the target system is a pluggable database, or creating a local user on the root container database, is not allowed and the operation will fail. This is expected.