
November 2007 Archives

November 8, 2007

Directory Services Activities At OOW 2007

Between OpenWorld 2007 (which is next week) preparation and delivery of a hosted beta for our upcoming 11g release - there hasn't been much time for blogging.

But I wanted to post some of the stuff we're doing next week at OOW 2007.

We of course will have a booth for Oracle Directory Services which will cover OVD, OID and our new OS Authorization Services project.

There are something like 21 different presentations on identity management this year.

Here are a few that should have the most directory service focused content:

S291988 - User Identity at Global Service Provider Scale - Nov 15 at 1:00 pm

This presentation will discuss how telco/ISP/Cable providers are using Oracle Directory Services to meet their directory service needs. One of the items we should be showing in that presentation is a demo of our new Universal User Provider (UUP) service, which is an evolution of OVD to provide support for new telco protocols like Diameter. It will also cover how OID has literally lapped the competition when it comes to directory scalability.
---

S292195 Using Oracle Authentication Services for Operating Systems with Linux: An In-Depth Overview - Nov 15 at 2:30 PM

This presentation will cover our new Oracle Authorization Services for OS project/product.

---
Finally as part of the Windows/.NET integration sessions - there will be a presentation on using Database Security with Active Directory which will be on November 15 at 1pm.


November 9, 2007

E-Collateral at OOW 2007

Saw this post today from one of our partners speaking on Oracle's "Green" initiatives from an employee perspective.

First - let me say I'm not a tree-hugging environmentalist. I am clearly in the Lombard school of environmentalism (meaning - the threat of global warming is overblown, there are much bigger problems, and fear-mongering of the type Gore has used in his movie hurts more than it helps - in particular the actual science that is going on).

That being said - one of the interesting things we're doing at OOW 2007 this year is that, at least for the Oracle booths, we are moving to electronic delivery of our collateral materials. This is a good thing on a number of fronts. Sure, it means less printing, which is good from an environmental perspective (at the very least we cut down on the amount of trash that can pile up in places), but there are other benefits that I think are even better. It also means fewer things to carry around the conference (and potentially lose).

This means that we can actually provide more material instead of having to pick and choose based on physical space. For example - I am now able to make sure customers get our Enterprise User Security Use Case guide instead of just the EUS datasheet. That is something that just wouldn't be practical otherwise.

So if you are visiting Oracle booths - make sure to get your badge scanned. This will ensure that you get the proper materials sent to you (via a link in an email).

Hopefully we'll be able to do something similar for other conferences.

November 16, 2007

More Oracle VM

As you probably know we announced Oracle Virtual Machine at OOW 2007.

I was going to write something up on it - but Pat Shuff sums up everything I would like to say and more.

November 17, 2007

Simple Post on Active Directory and Database Authentication.

This post is to help clear up something posted by James McGovern recently.

His question:
"wonder why Oracle employees such as Tom Kyte, Mary Ann Davidson, Roger Sullivan, Amit Zavery or Mark Wilcox haven't chimed in on when Oracle will support direct authentication against Active Directory without requiring an additional product?"

First - let me say - I'm sorry I haven't responded sooner. Frankly - I didn't know this thread was out there. Since I normally don't get trackbacks to this blog and people who want a response leave a comment - I had been ignoring reading my own Technorati watchlist. I'll try to do a better job of watching it from now on.

Second - we already support "direct authentication against Active Directory" without requiring an additional product. I'll elaborate in another post, but suffice to say the database supports both Kerberos and RADIUS. You can use either one to authenticate to the database using your AD credentials without any other product (though both, to the best of my knowledge, require an Advanced Security Option license for your database - check with your account rep).

If you had attended OOW 2007 and come to the "Database integration with Active Directory & Windows Security" session, you would have seen this in action.


The Warm and Fuzzy Oracle

James McGovern first linked to a post about "We Are Microsoft" which apparently is doing some type of challenge to write code for charitable organizations.

It's an interesting idea (though I'm not sure how this really makes MSFT any more "ethical" than Oracle or any other software company, as he mentions in his original post), though I think it has potential for more problems than help. At the end of the day - writing software is the "easy" part. Maintaining and supporting it is where the real work is.

I would rather think that instead of having a one-off competition to write something for a charity - which by the way is going to be really good marketing for MSFT dev tools - some type of community formation would be the better long-term view. You know, the "teach a person to fish - feed them for life" kind of thing.

Also, Oracle, like many organizations, does many different charitable/philanthropic events. We have Oracle Volunteer Days in September (which happens globally), the company matches our charitable gifts (to a limit), and then there is the Oracle Education Foundation, which is the primary sponsor of ThinkQuest - which helps teach kids around the world.

Personally - I'd rather see more investment made into things like microcredit projects like Kiva or innovative solutions like BoGo Lights (basically replacing kerosene lamps with more efficient, cleaner & safer solar-powered LED flashlights). Those types of projects typically have a larger return on investment. Though in these projects - the ROI is not measured in cash but in terms of people helped. See "Billion Bootstraps" for what I mean by this concept.


November 19, 2007

Database and Active Directory -- Round Two

Comment/Question from my earlier post.

Question: "Hmmm. So requiring another license is semantically different than requiring another product? I guess if everyone can't use it without procuring something then he is correct. How about also supporting natively via LDAP without requiring either a license or another product?"

Answer: There is not a mere semantic difference here. I believe Mr. McGovern (whom I referenced in my first post but is not who asked the follow-up question) is confusing Enterprise User Security (EUS) as being the only way to integrate AD passwords with the database. EUS is functionality that makes it easier to manage users and roles in the database which also allows you to store your password verifiers (e.g. the password hashes normally stored in the database) in the directory. This allows simple username & password authentication to use passwords stored in the directory.

My point in my earlier post is that if you don't want EUS (and frankly if you just want password integration, EUS is probably not the option I would recommend since you're not getting any of the additional EUS features) - then you can use Kerberos or RADIUS.

However, I realized on my flight home that I left out one more option that, to my knowledge, doesn't require any other software or license: if both the Database Client and Oracle Database are running on Windows, then they will by default leverage "Windows Native Authentication" (WNA). The link is to the 11g docs, but it is a feature that exists in at least 10g DB. WNA on the database can also allow you to use AD to maintain database roles.

But again this depends upon the database running on Windows and on your having enabled the Windows options on the database.

Again I don't believe WNA requires any additional license, but I would suggest that you contact your account representative to confirm (I'm just the functional & technology guy - not a licensing guru - in particular for products outside of my realm).

In another future post I will detail why the database works with LDAP via OID/OVD.

FYI - If you are interested in Database Security options - I would suggest reading David Knox's book on the subject - "Effective Oracle Database 10g Security by Design". David has spent most of his professional life dealing with and implementing the subject, plus he is a really nice guy.


This Is Why You Need Adaptive Access Control

Yet another article talking about how easily passwords can be cracked.

I'm beginning to tire of these articles. Not that it isn't a good reminder that passwords shouldn't be your only form of security - but they're the technical equivalent of repeated signs on the factory wall saying "breathing paint fumes can harm your health" while working in a paint factory.

Meaning - while technically correct - you can't easily avoid them, so a sign without any other precautions (in the paint factory - things like gas masks) is not very helpful.

In the technical world - while it's nice to think of ways of avoiding passwords using tokens, thumbprint readers or perhaps Vulcan mind-melds - these things don't catch on for various reasons. The reality is they're not going away anytime soon.

Which is why I am pretty excited by one of our newest products (it's still hard to fathom that we're now a rather old acquisition at just over 2 years) - Oracle Adaptive Access Management (OAAM) aka Bharosa.

At its core, what OAAM does is provide adaptive risk analysis. So for example on sensitive transactions you can build rules that say "normally you only move money from savings to checking between 9am and 4pm from an IP in Dallas", so that when someone tries to move money at 2 am from, say, El Salvador (just picking a random place) - it can prompt you with a security question. Or page someone. Or stop it. Or all of the above.

That way if you're on vacation and needing to get some more money to buy another drink at your resort hotel - you're cool. But if not - it will help protect you.
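As an added illustration (not OAAM's code or rule syntax, and not from the original post), here is a small Python rule evaluator built around the exact baseline the post describes: transfers normally happen between 9am and 4pm from a Dallas IP. The IP-to-location table, the rule weights and the thresholds are all assumptions; a real deployment would feed the rules from a geolocation service and tune the thresholds.

```python
from datetime import datetime

# Constructed baseline taken from the post's example (transfers normally run
# 9am-4pm from a Dallas IP) and a made-up IP-to-location table standing in for
# a geolocation service. Weights and thresholds are assumptions, not OAAM's.
BASELINE = {"hours": (9, 16), "countries": {"US"}, "cities": {"Dallas"},
            "max_amount": 5000}
GEO = {"203.0.113.10": ("US", "Dallas"),        # the customer's usual address
       "198.51.100.7": ("SV", "San Salvador"),   # the 2am transfer in the post
       "192.0.2.44": ("US", "Austin")}

def build_rules(baseline, geo):
    """Each rule is (predicate, weight, reason); fired weights add up to a score."""
    start, end = baseline["hours"]
    loc = lambda e: geo.get(e["ip"], ("??", "??"))   # unknown IP counts as foreign
    return [
        (lambda e: not (start <= e["when"].hour < end), 30, "outside usual hours"),
        (lambda e: loc(e)[0] not in baseline["countries"], 40, "unexpected country"),
        (lambda e: loc(e)[0] in baseline["countries"]
                   and loc(e)[1] not in baseline["cities"], 15, "unexpected city"),
        (lambda e: e["amount"] > baseline["max_amount"], 30, "amount above usual"),
    ]

def decide(score):
    """Map the score to the escalating responses the post lists."""
    if score >= 100:
        return ["block"]
    if score >= 60:
        return ["challenge_question", "page_analyst"]
    if score >= 30:
        return ["challenge_question"]
    return ["allow"]

def assess(event, baseline=BASELINE, geo=GEO):
    """Return (score, reasons, actions) for one savings-to-checking transfer."""
    fired = [(w, why) for pred, w, why in build_rules(baseline, geo) if pred(event)]
    score = sum(w for w, _ in fired)
    return score, [why for _, why in fired], decide(score)

if __name__ == "__main__":
    # A normal working-day transfer versus the post's 2am transfer from El Salvador.
    for ev in ({"when": datetime(2007, 11, 19, 10, 30), "ip": "203.0.113.10", "amount": 200},
               {"when": datetime(2007, 11, 19, 2, 0), "ip": "198.51.100.7", "amount": 200}):
        print(ev["ip"], assess(ev))
```

The 2am transfer from El Salvador scores 70 and gets a challenge question plus a page, which is the "on vacation, you're cool" path; the same transfer with an unusually large amount reaches 100 and is blocked.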

Another feature (and one that is very cool to see) is the strong authentication feature.

What the strong authentication feature does is that it uses some sophisticated technology to present alternative entry mechanisms to enter passwords.

For example, instead of entering your password into a text field - it will present you with a virtual keyboard. The keyboard is overlaid on a picture (that you choose during registration). And every time you're presented with the keyboard - the keyboard and image shift alignment a bit. And the image is timestamped.

Plus the actual keys are never transmitted - which makes it very hard to phish and keylog.

And while maybe we'll get past passwords in the future - you will probably still need fraud detection.

So if you are doing business online (either consumer or internally focused) you might want to check OAAM out.


November 21, 2007

Simplify Managing TNSNAMES.ORA

One of the popular questions from OOW was how to deal with a large number of databases and how to manage the client connection information that is stored in TNSNAMES.ORA without actually maintaining individual TNSNAMES.ORA files. So I thought I would answer it here as well.

As you probably know TNSNAMES.ORA is the file the database client uses to translate things like:
sqlplus hr@ORCL
into an actual database connection (which means things like knowing what hostname and port to connect to).
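As an added example (not from the original post and not Oracle's own code), here is a small Python parser for the TNSNAMES.ORA descriptor format that resolves the alias in a connect string such as hr@ORCL to the host, port and service name the client would actually use. The sample file is constructed and its hostnames are placeholders; it also covers the ADDRESS_LIST form with several listeners, which the post does not mention.

```python
import re

# Constructed sample TNSNAMES.ORA (placeholder hosts); HR_RAC shows an ADDRESS_LIST form.
SAMPLE_TNSNAMES = """
ORCL = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = orcl.example.com)))
HR_RAC = (DESCRIPTION =  # trailing comments are stripped before parsing
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac1.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = rac2.example.com)(PORT = 1522)))
    (CONNECT_DATA = (SERVICE_NAME = hr.example.com)))
"""

def _parse_groups(toks, i):
    """Parse consecutive (KEY = value) groups from toks[i]; return (pairs, next i)."""
    pairs = []
    while i < len(toks) and toks[i] == "(":
        key = toks[i + 1]
        assert toks[i + 2] == "=", "expected '=' after %s" % key
        i += 3
        if toks[i] == "(":                    # nested group, e.g. CONNECT_DATA
            value, i = _parse_groups(toks, i)
        else:                                 # scalar, e.g. PORT = 1521
            value, i = toks[i], i + 1
        assert toks[i] == ")", "unbalanced parentheses in %s" % key
        pairs.append((key.upper(), value))
        i += 1
    return pairs, i

def parse_tnsnames(text):
    """Return {ALIAS: nested (key, value) pairs} for every entry in the file."""
    # Drop '#' comments, then split into '(', ')', '=' and bare words.
    toks = re.findall(r"[()=]|[^\s()=]+", re.sub(r"#.*", "", text))
    entries, i = {}, 0
    while i < len(toks):
        alias = toks[i].upper()
        assert toks[i + 1] == "=", "expected '=' after alias %s" % alias
        entries[alias], i = _parse_groups(toks, i + 2)
    return entries

def _find(pairs, key):
    """Every scalar stored under key, depth-first in file order."""
    return [x for k, v in pairs
            for x in (_find(v, key) if isinstance(v, list) else [v] if k == key else [])]
def resolve(entries, connect_string):
    """Map a connect string such as 'hr@ORCL' to host/port pairs and the service."""
    desc = entries[connect_string.rsplit("@", 1)[-1].upper()]
    service = (_find(desc, "SERVICE_NAME") + _find(desc, "SID") + [None])[0]
    return {"addresses": list(zip(_find(desc, "HOST"), map(int, _find(desc, "PORT")))),
            "service": service}
```

Calling resolve(parse_tnsnames(SAMPLE_TNSNAMES), "hr@ORCL") gives the single dbhost.example.com:1521 endpoint and the orcl.example.com service; the HR_RAC alias yields both listeners in file order.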

In 9i the database added a feature to look up this information via a proprietary service called the Names Service (though I think OID was also an option). This was deprecated in 10g so that it could be managed via LDAP. And by LDAP that meant OID, though you could use Active Directory if you met a proper set of conditions (covered in the docs, but I will likely cover it here in the future as well).

10g docs can be found here.
11g docs can be found here.


November 26, 2007

Broader Look at Kerberos, Active Directory and Oracle Products

This one has been kicking around in the "post to the homepage bin" for a while. Finally got a chance to do that.

Jackson Shaw recently wrote a post "Listen up Oracle and IBM!! You should support direct authentication against Active Directory"

In short - he wants Oracle products to integrate with AD using Kerberos.

To be honest I'm a bit puzzled here. I suppose we just need to do a better job of getting the word out.

The database has supported Kerberos for a very long time - at least since 9i.

Oracle Single Sign-On - aka our "classic" Web SSO product which has been a part of Oracle Application Server has supported Windows Native Authentication which leverages Kerberos over HTTP for a while now.

The same goes for Oracle Access Manager which is the Web Access Management technology we acquired via Oblix a couple of years ago.

Between the database, OSSO and OAM - that covers the vast majority of Oracle technologies since most of them can use one or the other for authentication.

FYI - Oracle Virtual Directory even has the ability to translate simple LDAP binds to OVD to Kerberos authentication calls to Active Directory (good if you can do LDAP over SSL to OVD but can't do it across all of your AD servers for cost or management reasons & still want secure LDAP binds).

Obviously some applications may still use a native thick client to authenticate, and it may not support Kerberos. For those, that's where Oracle Enterprise SSO can provide secure desktop SSO. And since it integrates with Windows authentication - technically it leverages Kerberos :).

Finally, as we gaze into the future - the predicted model is that technologies like Secure Token Services (STS) will emerge. These systems will allow the translation/exchange of security tokens from one service to another. Thus we will have a standard model to translate a SAML token into a Kerberos TGT. Things like STS are really the only way to get to a point where we can more seamlessly integrate different SSO systems.

About November 2007

This page contains all entries posted to Virtual Identity Dialogue in November 2007. They are listed from oldest to newest.
