Oracle Advanced Security Administrator's Guide
Release 8.1.7

Part Number A85430-01


20
Using Oracle Enterprise Security Manager

This chapter describes how to use Oracle Enterprise Security Manager to administer database security in an enterprise domain of Oracle8i databases. It contains the following sections:

Introduction

Oracle Enterprise Security Manager is an administration tool that provides a graphical user interface to manage enterprise users, enterprise domains, databases, and enterprise roles that are held in a directory server.

Installing and Configuring Oracle Enterprise Security Manager

The following tasks describe how to install, configure, and start Oracle Enterprise Security Manager, and how to log into the directory:

Task 1: Install Oracle Enterprise Security Manager

Oracle Enterprise Security Manager is automatically installed when you install Oracle Enterprise Manager. See the platform-specific installation documentation for Oracle Enterprise Manager.

Task 2: Configure Oracle Enterprise Security Manager

Oracle Enterprise Security Manager must be able to connect to databases published in the directory. For each database there should be a TNS alias that matches the global name of the database and its common name in the directory.

Use the Net8 Configuration Assistant to create a tnsnames.ora file in ORACLE_HOME/network/admin, and create service names for the databases to be managed. This is not necessary if all databases to be managed are set up to listen for incoming TCP connections on port 1521 (part of the default setup) and their global database names are exactly hostname.domain.

Use the Net8 Configuration Assistant to set up directory access. This creates an ldap.ora file in ORACLE_HOME/network/admin.

Task 3: Start Oracle Enterprise Security Manager

To start Oracle Enterprise Security Manager, enter the following at the command line:

oemapp esm

If the ldap.ora file is not configured, you receive the following alert:


If this happens, exit Oracle Enterprise Security Manager and run Net8 Configuration Assistant to set up directory access, then restart Oracle Enterprise Security Manager. Alternatively, you can:

If the ldap.ora file is properly configured, Oracle Enterprise Security Manager starts and automatically connects to the directory server.

On startup, Oracle Enterprise Security Manager displays the following window:


If the result of automatic login is not acceptable, log out and log back in again with a specific user name:

  1. From the menu bar, choose Directory > Logout.

  2. From the menu bar, choose Directory > Login. This displays the Directory Server Login dialog box.

  3. Proceed to Task 4 for instructions about filling in the fields in this dialog box.

Task 4: Log Into the Directory

To log into the directory:

  1. From the Oracle Enterprise Security Manager menu bar, choose Directory > Login.

  2. Select the authentication type from Table 20-1:

    Table 20-1 Authentication Types

    Authentication Type        Description
    Password Authentication    Uses simple authentication requiring a user distinguished name (DN) and password.
    SSL Client Authentication  Uses two-way SSL authentication in which both client and server use Oracle wallets containing digital certificates.
    Native Authentication      Windows NT or Windows 2000 only. Relies on the operating system to determine how you log in.

    The Directory Server Login window appears:


  3. If you are using SSL, enter the wallet location and the wallet password.

  4. Enter the server and port number; if you are using SSL, you must enter the directory's SSL port number.

  5. Choose OK.

Navigating Oracle Enterprise Security Manager

This section describes some basic features of Oracle Enterprise Security Manager, in the following sections:

Changing a Search Base

By default, when Oracle Enterprise Security Manager performs a search, it uses as its search base the administrative context you have already set. To use a search base other than the configured administrative context, do the following:

  1. On the menu bar, choose Edit > Preferences; the Edit LDAP Preferences window appears:


  2. In the Enterprise Users Base field, enter a distinguished name (DN) as the base of the search.

    You can also choose Browse Directory to navigate to a directory object to use as the base of the search.

  3. Choose Accept.

Browsing the Directory

A Browse Directory button appears frequently as you use Oracle Enterprise Security Manager. Whenever you click a Browse Directory button, Oracle Enterprise Security Manager displays a dialog box that allows you to focus your search by specifying a naming context and directory search criteria. In each context, you use this dialog box in the same way.

For example:

To change the administrative context to c=acme,c=us:

  1. Navigate to the Oracle Enterprise Security Manager initial screen (Task 3), and choose Browse Directory; the corresponding dialog box appears.

  2. In the Naming Context field, enter c=us.

  3. In the Directory Search Attributes field, in the Searchable Attribute Value column, in the object class row, enter organization. The entries for organizations in the U.S. appear in the Directory Search Results: Directory Entry field.

  4. In the Directory Search Results: Directory Entry field, select a directory entry to use as the new administrative context, and choose OK. This returns you to the Oracle Enterprise Security Manager initial screen. The administrative context you specified appears in the Administrative Context field.

Use the same steps when browsing for directory objects in other contexts (for example, when using the Edit LDAP Preferences dialog box to change the base of a search).

Administering Enterprise Databases, Domains, and Users

The following instructions assume you are running Oracle Enterprise Manager and have invoked the Oracle Enterprise Security Manager.

Managing enterprise users involves working in the three top level nodes in the Oracle Enterprise Security Manager navigator window. These three nodes are discussed in the following sections:

Administering Databases

This section describes how to manage user/schema separation for a database.

See Also:

 

To map an enterprise user to a database schema:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Database.

  2. Select a server to support user/schema separation; the corresponding tab pages appear in the right pane of the window.


  3. In the Database Schema Mapping tab page, in the Schema Assignments window, in the Directory Entry column, enter either the full or partial DN of an entry to map to a shared schema. You can also choose the Browse Directory button to navigate to that DN.

  4. In the same row, in the Schema column, enter the name of an existing schema for that database.

  5. If this is a full DN, choose the check box in the Entry column; if this is a partial DN, choose the check box in the Subtree column.


  6. Choose Apply; the database object is updated in the directory, and an empty row is added in the Schema Assignments window so that you can add further mappings later.

Administering Enterprise Domains

There is initially one enterprise domain listed under the Enterprise Domains node in the Oracle Enterprise Security Manager navigator: Oracle Default Domain. Each enterprise domain you define in the LDAP directory is added under the Enterprise Domains node. The following sections describe how to administer enterprise domains:

Managing User/Schema Separation

The section Administering Databases described how to manage user/schema separation for an individual database. This section describes how to manage user/schema separation for all the databases in a given domain.

To map an enterprise user to a database schema:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains.

  2. Select an enterprise domain to support user/schema separation; the corresponding tab pages appear in the right pane of the window.


  3. Choose the Database Schema Mapping tab.

  4. In the Schema Assignments window, in the Directory Entry column, enter either a full or partial DN to map to a shared schema. You can also choose the Browse Directory button to navigate to the DN.

  5. In the same row, in the Schema column, enter the name of an existing schema supported by all the databases in the domain.

  6. If this is a full DN, choose the check box in the Entry column; if this is a partial DN, choose the check box in the Subtree column.


  7. Choose Apply; the domain object is updated in the directory, and an empty row is added in the Schema Assignments window so that you can add further mappings later.
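As an added example (not Oracle's code), the following shows how the Entry and Subtree mappings entered in the database-level and domain-level procedures above resolve a user's DN to a schema. The precedence between overlapping mappings (exact Entry match first, then the most specific Subtree match) is an assumption of this example, and the sample mappings are constructed.

```python
"""Resolve an enterprise user's DN to a shared schema using Entry/Subtree
mapping rows like those in the Schema Assignments window (added example)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into RDNs, lower-cased and stripped, so that
    'CN=Alice, OU=Sales, O=acme, C=us' and 'cn=alice,ou=sales,o=acme,c=us'
    compare equal. Simplified: escaped commas inside RDN values are not handled."""
    return tuple(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class SchemaMapping:
    directory_entry: str   # full DN (Entry check box) or partial DN (Subtree check box)
    schema: str            # name of an existing schema in the database(s)
    subtree: bool          # True = Subtree mapping, False = Entry mapping


def find_schema(user_dn: str, mappings: List[SchemaMapping]) -> Optional[str]:
    """Return the schema for user_dn, or None if no mapping applies.

    Assumed precedence (not stated in this chapter): an Entry mapping that
    names the user's DN exactly wins; otherwise the longest Subtree mapping
    whose DN is a suffix of the user's DN wins.
    """
    user = normalize_dn(user_dn)
    best: Optional[Tuple[int, str]] = None
    for m in mappings:
        base = normalize_dn(m.directory_entry)
        if not m.subtree:
            if user == base:
                return m.schema
            continue
        # A Subtree match must align on an RDN boundary: compare whole RDN
        # tuples, never raw string suffixes, so that ou=sales does not
        # accidentally match cn=x,ou=presales,o=acme,c=us.
        if len(base) < len(user) and user[-len(base):] == base:
            if best is None or len(base) > best[0]:
                best = (len(base), m.schema)
    return best[1] if best else None


# Constructed sample mapping rows for a hypothetical database.
SAMPLE_MAPPINGS = [
    SchemaMapping("cn=Alice,ou=Sales,o=acme,c=us", "ALICE_PRIVATE", subtree=False),
    SchemaMapping("ou=Sales,o=acme,c=us", "SALES_SHARED", subtree=True),
    SchemaMapping("o=acme,c=us", "GUEST_SHARED", subtree=True),
]

if __name__ == "__main__":
    for dn in ("cn=alice,ou=sales,o=acme,c=us",
               "cn=Bob,ou=Sales,o=acme,c=us",
               "cn=Carol,ou=Presales,o=acme,c=us",
               "cn=Eve,o=evil,c=us"):
        print(dn, "->", find_schema(dn, SAMPLE_MAPPINGS))
```

A DN outside every mapped subtree resolves to no schema, which is the safe outcome: a partial DN should only ever be matched on whole RDNs, not as a plain string suffix.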

Creating an Enterprise Domain

An enterprise domain contains databases and enterprise roles. You can create a new enterprise domain by naming it, and defining where it is to be located in the directory.

To create an enterprise domain:

  1. Choose Object > Create on the menu bar; the Create Directory Object window appears:


  2. In the Type menu, choose Enterprise Domain.

  3. In the Name field, enter the name of the new enterprise domain.

  4. In the Base field, Oracle Enterprise Security Manager displays the name of the administrative context. To use a different administrative context, you can change the value in this field. However, be careful to enter the name of a valid administrative context--one that contains an Oracle Context.

  5. Choose Create. The new enterprise domain appears at the bottom of the Enterprise Domains node.

  6. In the navigator pane of the Enterprise Security Manager window, select the name of the new enterprise domain you created; the corresponding group of tab pages appears in the right pane of the window.


  7. You can optionally choose the All Databases trusted check box; this lets databases within the enterprise domain have current user database links between them.


    Note:

    Individual database administrators can still configure their databases not to trust other databases. 


You have now created an enterprise domain and can proceed to add databases to it.

Adding a Database to an Enterprise Domain

Upon database installation, you directed Oracle Database Configuration Assistant to publish the database in the directory. Once you have created an enterprise domain, you can view a list of all databases registered in the directory, select a database from that list, and assign it to the enterprise domain you created.

A database should exist in only one enterprise domain at a time. Therefore, you should assign a database to an enterprise domain only if the database has a value of unassigned on the Databases Property page.

To assign a database to an enterprise domain:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains.

  2. In the navigator pane of the window, select an enterprise domain to add a database to.

  3. In the right pane of the window, in the Available region, select a database name.

  4. Choose the down arrow to move the selected database to the Selected list.

  5. Choose Apply.

    See Also:

    Step 4: Use Oracle Database Configuration Assistant to Register the Database in the Directory

Creating an Enterprise Role within an Enterprise Domain

Once you have created an enterprise domain and added a database to it, you can create an enterprise role within it.

An enterprise role is a set of global roles that operate on multiple databases within an enterprise domain. An enterprise role is assigned to one or more enterprise users. The Enterprise Database Administrator uses these enterprise roles to assign sets of global roles on multiple databases to a selected user.

You cannot create two enterprise roles with the same name within a single enterprise domain. However, you can create enterprise roles with the same name in separate enterprise domains. Enterprise roles with the same name that exist in separate enterprise domains have no implied relationship.


Note:

The database obtains a user's global roles when the user logs in. If you change a user's global roles, those changes do not take effect until the next time the user logs in. 


To create an enterprise role in an enterprise domain:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains and select the enterprise domain name; the corresponding group of tab pages appears in the right pane of the window.

  2. On the menu bar, choose Object > Create; the Create Directory Objects dialog window appears:


  3. From the Type menu, select Enterprise Role.

  4. In the Name field, enter the name of the new enterprise role.

    Note that the directory base chosen for the new enterprise role derives from the currently selected enterprise domain; you cannot edit this value.

  5. Choose Create.

  6. In the navigator pane of the window, expand Enterprise Domains > enterprise_domain_name > Enterprise Roles.

  7. In the navigator pane, in the Enterprise Domains subtree, select the name of the enterprise role you just created; the corresponding group of tab pages appears in the right pane of the window.


  8. Choose the Global Roles tab.

  9. Select a database; the Database Login window appears:


  10. Supply the correct information about the selected database; choose OK. The selected database roles appear in the Available Global Role(s) region of the window:


    If no database service has been configured:

  11. In the Available Global Role(s) field, select an available role.

  12. Click the down arrow to move the role into the Selected Global Role(s) region of the window.

  13. Repeat steps 9 through 12 for each database to select roles from.

  14. Choose Apply.

You have created an enterprise role within an enterprise domain of databases, and can assign this enterprise role to any enterprise user.

Assigning Enterprise Users to an Enterprise Role

To assign an enterprise user to an enterprise role:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains > enterprise_domain_name > Enterprise Roles.

  2. In the navigator pane of the window, select the enterprise role; the corresponding group of tab pages appears in the right pane.

  3. In the right pane of the window, select the Enterprise Users/Groups tab.

  4. In the Available region, select enterprise users to assign to the role.

  5. Choose the down arrow; the enterprise users appear in the Selected window.


  6. Choose Apply; the enterprise users appear under the Enterprise Role node in the navigator pane of the window.

Removing a Database from an Enterprise Domain

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains.

  2. In the navigator pane of the window, select the name of an enterprise domain to remove a database from.

  3. In the Databases tab page, in the Selected window, select a database to remove from the enterprise domain.

  4. Choose the up button to move the database from the Selected window to the Available window.

  5. Choose Apply.

Deleting an Enterprise Domain

To delete an enterprise domain, you must first delete all of its enterprise roles. Otherwise, an error message appears.

To delete an Enterprise Domain:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Contexts > Enterprise Domains.

  2. In the navigator pane of the window, select the name of an enterprise domain to delete.

  3. Choose the Delete Object button to the left of the navigator pane; a window asks you to confirm the deletion.

  4. Choose Yes; the selected enterprise domain is removed from the enterprise domains tree.

Administering Enterprise Users

This section describes:

Creating a New Enterprise User

Oracle Enterprise Security Manager lets you create new enterprise users if the users do not already exist in the directory server:

  1. From the menu bar, choose Object > Create; the Create Directory Object window appears.

  2. From the Type menu, choose Enterprise User.

  3. In the Name field, enter the name of the new enterprise user.

  4. In the Base field, accept the default, or enter a new search base as described in Browsing the Directory.

  5. Choose Create. The enterprise user you created appears in the navigator pane of the window, under the Enterprise Users/Groups node. When you select the new enterprise user, the corresponding tab page appears in the right pane of the window.


    Note:

    In the preceding procedure, the directory user entry that Oracle Enterprise Security Manager creates is associated with only the top and person object classes. To associate that user entry with other object classes, you must do so in a separate procedure. 


Granting an Enterprise Role to an Enterprise User

Once you have created an enterprise user, you can assign enterprise roles to that user.

You can grant multiple enterprise roles to enterprise users, and these roles can exist in different enterprise domains. You can grant these roles in two ways:

When a database needs to authorize access to a global user, it searches the directory for the enterprise role(s) within its enterprise domain that are granted to that user.
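As an added example (not Oracle's code), the following models the lookup described above: a database obtains, at login, only the global roles that enterprise roles within its own enterprise domain grant to the user, and same-named enterprise roles in other domains are ignored. The in-memory directory, domain, database and role names are all constructed.

```python
"""Compute the global roles a database grants an enterprise user from the
enterprise roles held in the directory (added example, not Oracle's code)."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class EnterpriseRole:
    domain: str                                # enterprise domain that owns the role
    name: str                                  # unique only within its domain
    global_roles: Dict[str, FrozenSet[str]]    # database global name -> global roles


@dataclass
class Directory:
    """Constructed, in-memory stand-in for the entries the LDAP directory holds."""
    domain_of_db: Dict[str, str]                    # database -> enterprise domain
    roles: Dict[Tuple[str, str], EnterpriseRole]    # (domain, role name) -> role
    grants: Dict[str, Set[Tuple[str, str]]]         # user DN -> {(domain, role name)}


def global_roles_at_login(directory: Directory, user_dn: str, db: str) -> FrozenSet[str]:
    """Global roles the database 'db' would obtain for user_dn at login time.

    Only enterprise roles in the database's own enterprise domain that are
    granted to the user count; a role with the same name in another domain
    has no effect on this database.
    """
    domain = directory.domain_of_db.get(db)
    if domain is None:                      # database not assigned to any domain
        return frozenset()
    granted: Set[str] = set()
    for key in directory.grants.get(user_dn, set()):
        role = directory.roles.get(key)
        if role is None or role.domain != domain:
            continue                        # unknown role, or a role from another domain
        granted |= role.global_roles.get(db, frozenset())
    return frozenset(granted)


def build_sample_directory() -> Directory:
    """Constructed sample: two domains each define an enterprise role named
    'clerk'; the two 'clerk' roles have no relationship to each other."""
    fin_clerk = EnterpriseRole("Finance", "clerk", {
        "fin1.acme.com": frozenset({"AP_ENTRY", "GL_READ"}),
        "fin2.acme.com": frozenset({"GL_READ"}),
    })
    hr_clerk = EnterpriseRole("HR", "clerk", {
        "hr1.acme.com": frozenset({"PAYROLL_READ"}),
    })
    return Directory(
        domain_of_db={"fin1.acme.com": "Finance", "fin2.acme.com": "Finance",
                      "hr1.acme.com": "HR"},
        roles={("Finance", "clerk"): fin_clerk, ("HR", "clerk"): hr_clerk},
        grants={"cn=alice,ou=people,o=acme,c=us": {("Finance", "clerk")}},
    )


if __name__ == "__main__":
    d = build_sample_directory()
    alice = "cn=alice,ou=people,o=acme,c=us"
    for db in ("fin1.acme.com", "fin2.acme.com", "hr1.acme.com", "orphan.acme.com"):
        print(db, "->", sorted(global_roles_at_login(d, alice, db)))
```

Because the roles are read at login, a grant or revocation made in the directory only affects sessions opened after the change, which is the point the note above makes.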

To grant an enterprise role to an enterprise user:

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Users.


  2. Select the name of an enterprise user; the corresponding group of tab pages appears in the right pane of the window.

  3. In the Available Enterprise Role(s) window, select an enterprise role to grant to the enterprise user.

  4. Choose the down arrow; the selected role is moved from the Available Role(s) list to the Selected Role(s) list.

  5. Choose Apply.

Deleting an Enterprise User

You can delete an enterprise user only if that user has no enterprise roles. To delete an enterprise user:

  1. Expand Administrative Context > Enterprise Users/Groups.


  2. Select an enterprise user to delete.

  3. On the menu bar, choose Object > Delete; an alert asks you to confirm the deletion.

  4. Choose Yes; the enterprise user is deleted from the tree in the navigator pane of the window.

Managing Security Administrators

Use Oracle Enterprise Security Manager to define administrators, as described in the following sections:

Managing Database Security Administrators

To manage Database Security Administrators, you must be a member of the Database Security Administrators group.

To define a user as a Database Security Administrator:

  1. In the navigator pane of the Enterprise Security Manager window, select Administrative Contexts.

  2. In the right pane of the window, select the Database Security Administrators tab; enterprise user names appear in the Available field.


  3. Select an enterprise user to define as an administrator.

  4. Choose the down arrow to move the user to the Selected window.

  5. Choose Apply.

Managing Database Installation Administrators

To manage Database Installation Administrators, you must be a member of the Database Security Administrators group.

To define a user as a Database Installation Administrator:

  1. In the navigator pane of the Enterprise Security Manager window, select Administrative Contexts.

  2. In the right pane of the window, select the Database Installation Administrators tab; enterprise user names appear in the Available field.

  3. Select an enterprise user to define as an administrator.

  4. Choose the down arrow to move the user to the Selected window.

  5. Choose Apply.

Managing Database Administrators

To manage database administrators, you must be either a member of the Database Security Administrators group or a Database Administrator for this particular database.

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Database.


  2. Select a database to assign administrators to; the corresponding group of tab pages appears in the right pane of the window.

  3. Select the Database Administrators tab; the Available window displays user names of enterprise users available in the current user search base.

  4. Select an enterprise user to define as an administrator.

  5. Choose the down arrow to move the user to the Selected window.

  6. Choose Apply.

Managing Enterprise Domain Administrators

To manage Enterprise Domain Administrators, you must be either a member of the Database Security Administrators group or a domain administrator for this particular domain.

  1. In the navigator pane of the Enterprise Security Manager window, expand Administrative Context > Enterprise Domains.


  2. Select an enterprise domain to assign administrators to; the corresponding group of tab pages appears in the right pane of the window.

  3. Select the Enterprise Domain Administrators tab; the Available window displays user names of enterprise users available in the current user search base.

  4. Select an enterprise user to specify as an administrator.

  5. Choose the down arrow to move the user to the Selected window.

  6. Choose Apply.


Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.
