Securing an Oracle Private Cloud using Oracle Directory Suite
Prepared by: Eric Mader, Zirous, Inc. @zirous_eric
Session ID: 266

Agenda
- Oracle Private Clouds and Oracle Enterprise Manager 13c
- Oracle Directory Suite 11g
- Securing an Oracle Private Cloud
- Leveraging Existing LDAP Directory Infrastructures
- Active Directory Virtualization
- Demo
Oracle Private Clouds and Oracle Enterprise Manager 13c
Private Cloud Features of EMCC 13c
- Cloud Service Model first introduced in 12c
- Cloud Software Library installed by default starting with 12.1.0.4
- Provides support for IaaS and PaaS service models; PaaS includes Database, Middleware, and Testing as a Service
- Users with lesser roles are able to request, create and manage IT resources within constraints
- EMCC High Availability is important: non-DBA users need to access the console for Self Service features

Private Cloud Features of EMCC 13c
- Required plug-ins that are not deployed by default

Private Cloud Features of EMCC 13c
- Different plug-ins are needed for IaaS, DBaaS, etc.
EMCC 13c Cloud Anatomy
Model Source: http://docs.oracle.com/cd/e73210_01/emclo/img/guid-5dbaba84-f66e-47AA-AA6D-79DDF200E086-default.png
Private Cloud Security
- EMCC Private Cloud leverages the standard Enterprise Manager security model: no need to give full admin roles!!
- All Cloud Users and Roles may be defined locally
- Cloud-specific Roles are VERY BROAD: EM_CLOUD_ADMINISTRATOR, EM_SSA_ADMINISTRATOR, EM_SSA_USER, EM_SSA_USER_BASE

Private Cloud Security
EXAMPLE: SSA_USER_DBAAS
- Extends EM_SSA_USER (basically gives Self Service Portal access)
- Additional Resource Privileges:
  - Cloud Service Families: VIEW Any Service Family
  - Cloud Service Templates
  - Job System
- Configured as a standard role in Cloud Control

EMCC 13c Supported Authentication Schemes
- Repository-Based (a.k.a. Local EMCC Users)
- Oracle Access Manager SSO-Based
- Enterprise User Security-Based
- LDAP-Based: supports Oracle Internet Directory and Microsoft Active Directory
Oracle Identity Management 11g
Oracle Unified Directory 11.1.2.3

Oracle Unified Directory
- LDAPv3-compliant directory server
- De-facto replacement for Oracle Internet Directory (OID is still supported at 11.1.1.9; an 11.1.2 version of OID was never released)
- Originally branded Sun Microsystems OpenDS
- Uses a local Oracle Berkeley DB instead of an Oracle Database
- Contains a compatibility layer for OID, handy for Oracle Database Enterprise User Security

Oracle Unified Directory
- Management is performed through the Oracle Directory Services Manager (ODSM) web-based console

OUD Deployment Tips
- Non-DBA users need to access Enterprise Manager Cloud Control, so High Availability is important! LDAP users cannot authenticate if the directory tier is down!
- Deploy multiple OUD instances in a Replication Topology; works really well across sites!!
- Keep OUD patched: cumulative Critical Patch Updates are released quarterly. Latest version: 11.1.2.3.170117, bundled with IAM Suite patch 25038775
- Use the latest certified JDK update: Version 7, Update 131
Protecting Cloud Control with Oracle Unified Directory
Creating New OUD Instance (oud-setup)
- The LDAP Secure Access (LDAPS) listener must be enabled:

Creating New OUD Instance (oud-setup)
- Select Enable for the EUS option:

Creating LDAP Group for EM Access
- Create an EM_ACCESS group in OUD using ODSM:

Register Cloud Control with OUD
Registration is performed with the emctl utility:

    $ emctl config auth oid -ldap_host "demooud" \
        -ldap_port "1389" -ldap_principal "cn=ds-manager" \
        -user_base_dn "ou=users,dc=example,dc=com" \
        -group_base_dn "ou=groups,dc=example,dc=com" \
        -ldap_credential "Qwer1234" -sysman_pwd "Qwer1234" \
        -enable_auto_provisioning \
        -auto_provisioning_minimum_role "EM_ACCESS"

Validating Login using Oracle Unified Directory
- User Authentication, then Authorization
Creating LDAP User for EM Access
- Create a user in OUD using ODSM. DO NOT add it to the EM_ACCESS group!!
- Attempt a login using the new user's credentials:
- Add the user to the EM_ACCESS group using ODSM:
- Attempt to log in using the same user's credentials:
- The user is still not able to access the Cloud Self Service Portal:

Mapping EM Cloud Roles to OUD Groups
- Create a group in OUD named OUD_USER_DBAAS:
- Group membership provides the EM External Role with the same name:
- BRETT1 is now able to access the Cloud Self Service Portal:
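The two-step decision the slides walk through (login allowed only via the group named in -auto_provisioning_minimum_role, then external roles granted by same-named OUD groups) modelled over constructed LDIF. This is an added example, not code from the presentation or from Oracle; the LDIF entries and the EXTERNAL_ROLES set are assumed sample values.

```python
"""Model of the Cloud Control LDAP login/authorization flow from the slides:
a directory user may log in only if a member of the minimum-role group
(EM_ACCESS), and each further OUD group whose name matches an EM external
role grants that role. Constructed LDIF stands in for the OUD instance."""
from typing import Dict, List, Set

# Constructed sample directory content (not the demo instance's data).
LDIF = """
dn: uid=brett1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: brett1

dn: cn=EM_ACCESS,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: EM_ACCESS
uniqueMember: uid=brett1,ou=users,dc=example,dc=com

dn: cn=OUD_USER_DBAAS,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: OUD_USER_DBAAS
uniqueMember: uid=brett1,ou=users,dc=example,dc=com
"""

MINIMUM_ROLE = "EM_ACCESS"  # value passed to -auto_provisioning_minimum_role
# External roles defined in Cloud Control; assumed set for this example.
EXTERNAL_ROLES = {"OUD_USER_DBAAS"}


def parse_groups(ldif: str) -> Dict[str, Set[str]]:
    """Return {group cn (upper-cased): member DNs} for groupOfUniqueNames."""
    groups: Dict[str, Set[str]] = {}
    for entry in ldif.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value.lower())
        if "groupofuniquenames" in attrs.get("objectclass", []):
            groups[attrs["cn"][0].upper()] = set(attrs.get("uniquemember", []))
    return groups


def em_access(user_dn: str, groups: Dict[str, Set[str]]) -> Dict[str, object]:
    """Authentication gate first, then role mapping by exact group name."""
    member_of = {g for g, m in groups.items() if user_dn.lower() in m}
    if MINIMUM_ROLE not in member_of:
        return {"login": False, "roles": set()}  # user not yet in EM_ACCESS
    # Login succeeds; Self Service access needs a matching external role.
    return {"login": True, "roles": member_of & EXTERNAL_ROLES}
```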
Leveraging Existing Directories
OUD Proxy Server
- Very similar to Oracle Virtual Directory, or server chaining in Oracle Internet Directory
- Leverages different backend server types: Oracle Unified Directory, Oracle Directory Server Enterprise Edition, or Microsoft Active Directory
- Server acts as a true proxy with attribute joining
- All user accounts are managed in the backend directory
- Custom attributes may be stored locally and joined to user objects
- Groups can be stored locally

DEMO
Simple Oracle DBaaS Private Cloud protected with Oracle Unified Directory
Q&A
Eric Mader
eric.mader@zirous.com
@zirous_eric