
Oracle Database Hosted Applications

Connector name

agtorascript

Connector type

Executable with configuration SQL script

Type (UI field value)

Oracle Database (Script)

Target system versions supported / tested

agtorascript has been tested with Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production. Other versions may work.

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Installation / setup

You must write a script file to define SQL commands used in the interaction between the agtorascript connector and the Oracle database. A sample script, agtorascript.cfg is contained in the samples directory. Note that any sample script may need customizations in order to work with your system.

No connector software is installed on the Oracle Applications server or the back-end database.

Bravura Security Fabric can manage passwords and/or accounts defined wholly inside Oracle application tables using the scripted connector for Oracle (agtorascript). This connector uses the Oracle client software to bind to the Oracle database server and issues SQL commands that you provide in a script file.

Bravura Security Fabric can perform operations on applications that have an Oracle back-end database by connecting to the Oracle server using OCI, and either directly updating user records (for example, SQL UPDATE) or by calling stored procedures.

Bravura Pass and Bravura Privilege can manage passwords on Oracle Applications / Oracle Financials by using the application’s stored procedures to update user profiles. Bravura Identity can create, delete, enable, disable, modify, and rename Oracle Applications users in one or more instances of Oracle Applications. All the basic operations are supported by calling the appropriate application’s stored procedures included by default in all Oracle Applications installations.

The following Bravura Security Fabric operations are supported by this connector:

  • user verify password

  • user change password

  • get server information

  • administrator reset password

  • administrator reset+expire password

  • expire password

  • unexpire password

  • administrator verify password

  • verify+reset password

  • enable account

  • disable account

  • check account enabled

  • create account

  • delete account

  • expire account

  • check account expiry

  • unexpire account

  • lock account

  • unlock account

  • check account lock

  • add user to group

  • delete user from group

  • create group

  • delete group

  • add group to group

  • remove group from group

  • update attributes

  • list account attributes

  • List:

    • accounts

    • attributes

    • groups

    • members

    • computer objects

    • subscribers

    • update subscriber attributes/password

For a full list and explanation of each connector operation, see Connector operations.

This connector also supports custom operations, as defined in the configuration script.

Bravura Security Fabric can also manage Oracle database-level accounts using the connector for Oracle database (agtora). See Oracle Database for details.

Bravura Security Fabric can also manage accounts defined inside Oracle tables using the scripted connector for Oracle E-Business Suite (agtoraebiz).

Preparation

Before Bravura Security Fabric can manage application accounts in an Oracle database, you must:

  1. Install the client software.

  2. Define a connection name.

  3. Configure a target system administrator.

  4. Create at least one template account to provision accounts for this target.

  5. Write a script to configure connector behavior.

    Note

    The following instructions are for Oracle 19c. Details may vary depending on your version of the software. You must install at least version 11.2.

Installing client software

Bravura Security Fabric communicates with the Oracle server via OCI. Before you can target an Oracle database, you must install the Oracle Client (Administrator) on the Bravura Security Fabric server.

The 64-bit version of the Oracle Client is required for Connector Pack 3.0 and higher.

Defining a connection name

Add a TNS entry for the Oracle database on which Bravura Security Fabric will manage accounts. To do this:

  1. On the Bravura Security Fabric server, launch Oracle Net Configuration Assistant.

  2. Select Local Net Service Name.

    Click Next.

  3. Click Add on the Net Service Name Configuration page.

    Click Next.

  4. Type the Oracle service name on Net Service Name Configuration, Service Name page.

    Click Next.

  5. Select a network protocol on Net Service Name Configuration, Select Protocols page.

    Click Next.

  6. Type the Oracle database server’s Host Name and Port Number.

    Ensure that you can connect to the database using a valid user name and password during testing.

    Click Next.

  7. Type the Net Service Name.

    Remember this Net Service Name for the local naming method connection; it will be needed when adding the target system to Bravura Security Fabric.

  8. Click Next to finish.

Alternatively, you can set up a connection to the Oracle database server by using a tnsnames.ora file provided by your Oracle database administrator. For more information, see your Oracle documentation on how to specify a connection by configuring a tnsnames.ora file without using Oracle Net Configuration Assistant (NetCA).

Ensure that the ORACLE_HOME environment variable is set to a valid Oracle home directory which contains OCI.dll. The value of this environment variable must be set either system-wide or for the psadmin local user.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, psadmin) on the Oracle target system to carry out Bravura Security Fabric operations. The target system administrator requires Oracle back end database privileges that grant execution of SQL commands used in the written script.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the Oracle target system to Bravura Security Fabric.

Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new application accounts in an Oracle database.

The steps required to create a template account depend on your application. Consult your systems administrator or application documentation for more information.

To learn how to create a template for Oracle database-level accounts, see Creating a template account.

Writing a script to configure connector behavior

You must write a script file to define SQL commands used in the interaction between the agtorascript connector and the Oracle database. A sample script, agtorascript.cfg, is contained in the samples directory. Note that any sample script may need customizations in order to work with your system.

Learn about writing script files for SQL application connectors.

Stored Procedure calls

Stored procedures must be called from an anonymous PL/SQL block. The SQL key-value for the operation must include the anonymous PL/SQL block, which begins with "Begin" and ends with "End;".

For example, write:

"sql"= "begin app.adduser(:acctID, :newPW); end;"

When a stored procedure returns an ora-20410 error code, Bravura Security Fabric displays the message text to the end user. These messages should be meaningful to the end user and describe something they can act on alone. If another error code is returned, Bravura Security Fabric displays the code only, because these errors are unlikely to be meaningful to end users and may describe internal errors or contain security vulnerabilities. The user is expected to pass the code on to an administrator.

Stored procedure calls can be made for operations that list users, groups, or group members. The stored procedure needs to return a SYS_REFCURSOR and that parameter needs to be bound to a built-in variable ’cursorret’:

"sql" = "begin app.listusers(:cursorret); end;"

The columns defined in the returns KVGroup need to match the sequence of the cursor returned by the procedure.

Binding versus substitution

There are two options for supplying values to SQL statements for Oracle: the script connector agtorascript can either bind by name or use text substitution.

Binding by name is the preferred method of linking the variable data with the SQL statement. Substitution should be used when binding isn’t available.

For example, a sql key-value in the script that includes binding:

"sql" = "insert into people (id, name, passwd) values (:acctID, :fullname, :newPW)"

For calls involving DDL (for example: alter user or create table), bind variables cannot be used. In these cases, substitution variables must be used instead; for example:

"sql" = "alter user %k:_acctID% identified by %k:_newPW%"
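One way to keep such DDL behind bind variables, shown as an added example that is not part of the Bravura sample script: because text substitution places the value into the statement text itself, the DDL can be moved into a stored procedure that validates its inputs, and the script then calls that procedure with named binds as in the app.adduser call above. The schema app and the procedure set_db_password are hypothetical, and the example assumes the connector binds :acctID and :newPW for this call as it does for other stored procedure calls.

```sql
-- Added example; APP.SET_DB_PASSWORD is a hypothetical name, not a Bravura object.
-- Definer's rights: the procedure owner needs ALTER USER granted directly
-- (not through a role); the connector's account only needs EXECUTE on it.
CREATE OR REPLACE PROCEDURE app.set_db_password (
    p_acct  IN VARCHAR2,
    p_newpw IN VARCHAR2
) AUTHID DEFINER
AS
    v_user VARCHAR2(130);
BEGIN
    -- Accept only a single SQL identifier. DBMS_ASSERT.SIMPLE_SQL_NAME raises
    -- an error for input such as 'SCOTT IDENTIFIED BY x ACCOUNT UNLOCK'.
    BEGIN
        v_user := DBMS_ASSERT.SIMPLE_SQL_NAME(p_acct);
    EXCEPTION
        WHEN OTHERS THEN
            -- Any failure of the name check becomes a user-facing message,
            -- using the error code whose text the page says is displayed.
            RAISE_APPLICATION_ERROR(-20410, 'The account name is not valid.');
    END;

    -- The password is emitted inside double quotes, so a double quote in the
    -- value would end the quoted string early and must be refused.
    IF p_newpw IS NULL OR INSTR(p_newpw, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20410,
            'The new password must not be empty or contain a double quote.');
    END IF;

    -- DDL cannot take bind variables, so the statement is assembled here,
    -- after both values have been checked.
    EXECUTE IMMEDIATE
        'ALTER USER ' || v_user || ' IDENTIFIED BY "' || p_newpw || '"';
END set_db_password;
/

-- Script key-value that would call it (binding by name, no substitution):
--   "sql" = "begin app.set_db_password(:acctID, :newPW); end;"
```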

Targeting Oracle Database hosted applications

For each Oracle hosted application, add a target system (Manage the system > Resources > Target systems):

  • Type is Oracle Database (Script).

  • Address uses:

    Server: The TNS name.

    Alternatively, you can specify the connect descriptor in place of the TNS name; for example:

    (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=hostdbsvr)(PORT = 1521)))(CONNECT_DATA=(SID=ORACLE)(SERVER=DEDICATED)))

    (key: server)

    Instance: Optional script variable instance name.

    (key: instance)

    Script file: The script file must be in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and describes the SQL commands used in the interaction between the connector and the database.

    (key: script)

    The address is entered in the format:

    {server=<TNS name>;[instance=<script_variable_instance>;]script=<script filename>;}

  • Administrator ID and Password are the login ID and password for the target system administrator you configured earlier.

    Bravura Security Fabric normally connects to the Oracle database with "system" administrator privileges. Higher level privileges may be required; for example, for create user operations. To allow Bravura Security Fabric to connect with "sysdba" privileges, specify the administrator ID followed by /SYSDBA (all uppercase).

The full list of target system parameters is explained in Target system options.

Handling account attributes

In order for Bravura Security Fabric to manage attributes, you must first add the attributes to Bravura Security Fabric.

See Account attributes in the Bravura Security Fabric configuration documentation for more information.