Tuesday Jan 19, 2016

Security Roundup January 19 2016

Here are my favorite security related links for the week. Remember you need to have a database security assessment. Contact me - mark dot wilcox at oracle dot com.

Sunday Jan 10, 2016

Security Link Roundup - January 11, 2016

This week's security link round-up. Make sure to call your Oracle representative and ask for a database security assessment.

Monday Jan 04, 2016

Security Link Roundup - January 4, 2016

January 4, 2016 Oracle Consulting Security Link Roundup

I'm Mark Wilcox, the Chief Technology Officer for Oracle Consulting Security in North America, and this is my weekly roundup of security stories that interested me.


Database of 191 million U.S. voters exposed on Internet: researcher

So 2016 starts off with another headline of a database breach.

In this case 191 million records of US voters.

This is ridiculous.

And could have been prevented.

And a sobering reminder to contact your Oracle representative and ask them for a database security assessment by Oracle Consulting.

Secure Protocol for Mining in Horizontally Scattered Database Using Association Rule

Data mining is a hot topic - it's essential to marketing, sales and innovation, because companies have lots of information on hand but can't really do anything with it until they start mining it.

And often that data is scattered across multiple databases.

In this academic paper from the "International Journal on Recent and Innovation Trends in Computing and Communication" the authors describe a new protocol that they claim respects privacy better than other options.

On the other hand - Oracle already has lots of security products (for example database firewall, identity governance) that you can implement today to help make sure only the proper people have access to the data.

So make sure to call your Oracle representative and ask for a presentation by Oracle Consulting on how Oracle security can help protect your data mining databases.

A Guide to Public Cloud Security Tools

Cloud computing is happening.

And most people are still new to the space.

This is a good general article into the differences in security between public and private clouds.

Plus has a list of tools to help you with cloud security.

And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

Survey: Cloud Security Still a Concern Heading into 2016

Security continues to be the biggest concern when it comes to cloud.

While there are challenges - I find securing cloud computing a lot simpler than on-premise.

Assuming your cloud hosting is with one of the major vendors such as Oracle or Amazon.

And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

"Holy crap, Marie."

I watch a lot of reruns of "Everybody Loves Raymond" and I feel like this story is another rerun.

Except unlike Raymond this is a rerun of a bad TV show.

Encrypting a database is one of the best ways to secure your data from hackers: if the data files or backups are copied, they are useless without the keys. It does not by itself stop an attacker who has obtained a valid database account, so it belongs alongside access control and auditing, not in place of them.

So before you start storing data in the cloud, in particular with an Oracle database make sure you have Oracle Consulting do a security assessment for you.

That way you can know what potential problems you have before you start storing sensitive production data.

image credit unsplash.

Wednesday Dec 11, 2013

How To Do Single Sign On (SSO) for Web Services

A recent question on our internal list was

"A customer has OAM and wants to do SSO to SOAP Web Services".

In this case the customer was using WebCenter Content (the product formerly known as Universal Content Management, UCM). But the scenario applies to any SOAP Web Service.

My answer was well received and there isn't anything proprietary here so I thought I would share to make it easier for people to find and for me to refer to later.

First - There is no such thing as SSO in web services.

There is only identity propagation.

Meaning that I log in to OAM as Fabrizio and connect to a Web application protected by OAM.

That Web application is a Web Services client, and I want the client to tell the Web Service that Fabrizio is the one using it. The service accepts that claim because it trusts the token issuer, not because it trusts the client.

The first step to set this up is to protect the web services via OWSM.

The second step is to translate the OAM token into a WS-Security token.

There are three ways to do this second step:

1 - If you are writing the client by hand and don't want any other product involved - use OAM STS

2 - Use Oracle Service Bus (which most likely will also use OAM STS, but should make this a couple of mouse clicks)

3 - Use OAG - which doesn't need to talk to STS. It has a very simple way to convert an OAM token into a WS-Security header.

If you're not using OSB already - I would recommend OAG. It's by far the simplest, plus you get the additional benefits of OAG.

PS - You can use OSB and OAG together in many scenarios - I was only saying to avoid OSB here because the service was already exposed and there was no benefit I could see for having OSB. If you have a reason to have OSB - let me know. I only know OSB at a very high level since my area of focus is security.
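The identity propagation described above, as an added example that is not code from the original post or from any Oracle product: the STS side mints a SAML 2.0-style assertion for the already-authenticated OAM user, the client carries it in the WS-Security header of the SOAP request, and the service decides whom it is serving by verifying the issuer's signature, audience and validity window, never by trusting a name the client put in the message. The issuer URI, service URI, clock value and shared HMAC key are constructed for the example; a real OAM STS or OAG signs with XML-DSig and an X.509 key, and the HMAC over the claim fields here is a dependency-free stand-in for that signature.

```python
import base64
import datetime as dt
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed values for the example (not Oracle defaults).
STS_KEY = b"constructed-sts-key-not-for-production"  # stand-in for the STS signing key
ISSUER = "urn:example:sts"                            # the STS the service is configured to trust
SERVICE = "urn:example:content-service"               # audience URI of the protected service
NOW = dt.datetime(2013, 12, 11, 12, 0, 0)             # fixed UTC clock so runs are repeatable
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _signature(issuer, subject, audience, not_before, not_on_or_after):
    """HMAC over every claim the service relies on; changing any of them breaks it."""
    claims = "|".join([issuer, subject, audience, not_before, not_on_or_after]).encode()
    return base64.b64encode(hmac.new(STS_KEY, claims, hashlib.sha256).digest()).decode()


def issue_assertion(subject, audience, now, lifetime=dt.timedelta(minutes=5)):
    """STS side: the OAM session was already validated; mint a short-lived assertion for it."""
    nb, na = now.strftime(TIME_FMT), (now + lifetime).strftime(TIME_FMT)
    assertion = ET.Element(_tag("saml", "Assertion"), Version="2.0", IssueInstant=nb)
    ET.SubElement(assertion, _tag("saml", "Issuer")).text = ISSUER
    ET.SubElement(ET.SubElement(assertion, _tag("saml", "Subject")), _tag("saml", "NameID")).text = subject
    conditions = ET.SubElement(assertion, _tag("saml", "Conditions"), NotBefore=nb, NotOnOrAfter=na)
    restriction = ET.SubElement(conditions, _tag("saml", "AudienceRestriction"))
    ET.SubElement(restriction, _tag("saml", "Audience")).text = audience
    # Constructed element standing in for ds:Signature (a real STS emits XML-DSig here).
    ET.SubElement(assertion, "HmacSignature").text = _signature(ISSUER, subject, audience, nb, na)
    return assertion


def build_request(assertion, body_xml):
    """Client side: the assertion goes in the WS-Security header, the business call in the body."""
    envelope = ET.Element(_tag("soap", "Envelope"))
    security = ET.SubElement(ET.SubElement(envelope, _tag("soap", "Header")), _tag("wsse", "Security"))
    security.append(assertion)
    ET.SubElement(envelope, _tag("soap", "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(envelope, encoding="unicode")


def accept_request(envelope_xml, expected_audience, now):
    """Service side (the policy OWSM would enforce): return the propagated identity or refuse."""
    assertion = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise PermissionError("no assertion in WS-Security header")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise PermissionError("assertion has no Conditions")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    nb, na = conditions.get("NotBefore", ""), conditions.get("NotOnOrAfter", "")
    presented = assertion.findtext("HmacSignature", default="")
    # Signature first: nothing else in the assertion can be believed until it checks out.
    expected = _signature(issuer, subject, audience, nb, na)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise PermissionError("assertion signature invalid")
    if issuer != ISSUER:
        raise PermissionError("untrusted issuer")
    if audience != expected_audience:
        raise PermissionError("assertion not issued for this service")
    if not dt.datetime.strptime(nb, TIME_FMT) <= now < dt.datetime.strptime(na, TIME_FMT):
        raise PermissionError("assertion outside validity window")
    return subject


def demo():
    """Fabrizio's call succeeds; a renamed subject, wrong service, or stale token does not."""
    body = "<GetDocument xmlns='urn:example:content'><id>42</id></GetDocument>"  # constructed call
    request = build_request(issue_assertion("Fabrizio", SERVICE, NOW), body)
    soon, later = NOW + dt.timedelta(minutes=1), NOW + dt.timedelta(minutes=10)

    def attempt(envelope, audience, when):
        try:
            return accept_request(envelope, audience, when)
        except PermissionError as err:
            return "rejected: %s" % err

    return {
        "valid": attempt(request, SERVICE, soon),
        "tampered": attempt(request.replace("Fabrizio", "Mallory"), SERVICE, soon),
        "wrong_audience": attempt(request, "urn:example:other-service", soon),
        "expired": attempt(request, SERVICE, later),
    }
```

Running `demo()` shows the four outcomes; the tampered case is the important one, since the client controls the bytes on the wire but cannot produce a signature the service will accept for any subject the STS did not vouch for.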

Thursday Aug 29, 2013

The Difference Between Access Manager 10g and 11g Webgates

A common question we get is: what is the difference between Access Manager 10g and Access Manager 11g webgates?

My colleague Yagnesh, who covers webgates, put together a simple list.

Here are the 11g features:

  • Oracle Universal Installer for platform. Generic for all platforms
  • Host-based cookie
  • Individual OAMAuthnCookie_ per WebGate, making it more secure
  • A per-agent key and a server key are used. The agent key is stored in a wallet file and the server key is stored in the credential store
  • One per-agent secret key shared between the 11g WebGate and the OAM Server
  • One OAM Server key
  • OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
  • Capability to act as a detached credential collector
  • Webgate Authorization Caching
  • Diagnostic page to tune parameters
  • Has separate install and configuration option. Hence, single install and multiple instance configuration is supported.

And 10g:

  • InstallShield and One installer per platform
  • Domain-based cookie
  • ObSSOCookie (one for all 10g Webgates)
  • Global shared secret stored in the directory server only (not accessible to WebGate)
  • There is just one global shared secret key per OAM deployment which is used by all the WebGates
  • OAM 10g provides a proprietary multiple network domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
  • One Web server configuration supported per WebGate. Need to have multiple WebGates for multiple instances.

Fresh, Informative and Fun - Join Us For Your Opening Presentation at Open World 2013

Join us on Monday September 23, 2013 for Senior Vice President Amit Jasuja's presentation.

It's called "CON8808 - Oracle Identity Management: Enabling Business Growth in the New Economy".

The title is boring but the presentation will be fresh, informative and fun.

This is our annual presentation to share our thoughts on where the world is going in terms of identity management and letting customers who are leading the way let you know how they are getting there.

And we will deliver this to you in a way that promises to be as entertaining as it is informative.

Click here and schedule yourself for Amit's session before we run out of room

Wednesday May 02, 2012

If You Are Interested In OUD - You Need To Be Reading Sylvain Duloutre's Blog

My colleague Sylvain Duloutre is writing a series of posts about Oracle Unified Directory (OUD), including how to cohabit and migrate from DSEE to OUD, which is how we believe most existing DSEE customers who adopt OUD will make the move.
You can read his blog here.

Friday Apr 20, 2012

Announcing Oracle Optimized Solution for Oracle Unified Directory

I'm happy today to be able to share that we released an optimized solution for Oracle Unified Directory. It's one of the first public announcements we can make of several cool and useful things we've been working on, and we have more coming from the identity and access team. Which reminds me, for my loyal readers here: since December 2011, besides covering directory, I am also on the Oracle Access Manager Suite team. My colleague Sylvain's post summed up nicely what it is:
Oracle Optimized Solution for Oracle Unified Directory is a complete solution - Software and Hardware engineered to work together. It implements Oracle Unified Directory software on Oracle's SPARC T4 servers to provide highly available and extremely high performance directory services for the entire enterprise infrastructure and applications. The solution is architected, optimized, and tested to deliver simplicity, performance, security, and savings in enterprise environments. More details available at http://www.oracle.com/us/solutions/1571310
While that post is short, it is dense with information. To explain it more simply: within Oracle we have a team (Optimized Solutions) who work with our product teams to show how our customers can get the best performance out of our hardware when running a specific software package. Instead of just giving you a generic tuning guide for our product, we've gone through the tuning steps and tested the configuration(s) for you. So besides giving you great performance, it's a faster and simpler deployment because you can reduce the time it takes to run a tuning exercise from scratch. Optimized Solutions simplify that exercise because we've already done most (if not all) of the work for you. Click here to learn more about our Optimized Solution for Oracle Unified Directory.

Thursday Feb 23, 2012

Oracle Identity Management (OID, OVD, OIF) 11gR1 Patchset 5 Released.

I'm sure you've seen the flood of announcements from the other Fusion Middleware products about the release. We got in on the fun too. You can download it here. And for a fresh install - you can start directly from For the most part this is just a bug fix release for us. But there are a couple of enhancements I would like to share.

Oracle Virtual Directory

The biggest enhancement I would highlight is that we have dramatically simplified configuring OVD for Enterprise User Security (EUS). EUS has always worked, but it required executing lots of individual steps. We now have this set up as a wizard, and OVD's own Local Store Adapter holds most of the metadata. So there is less work on the enterprise LDAP and fewer steps. It should mean most people can now do the initial EUS configuration in less than a day.

Directory Integration Platform

DIP has been part of Oracle for over a decade, but until now it required OID. Now it can use DSEE or OUD as its metadata store. This means that if you want to deploy DSEE or OUD but need to synchronize groups and users from AD, you can do it without any custom code or bringing in a full provisioning product.

Thursday Oct 13, 2011

How To Simplify Your Password Management With Oracle Enterprise Single Sign-On

We're doing another free webcast - this time on Enterprise Single Sign-On. Click here to register
Addressing Your Password Nightmares with an Enterprise Single Sign-On Platform

Webcast Date: Wednesday, October 19, 2011 
Webcast Time: US Pacific 10am PDT


Studies estimate that nearly 25 percent of all help desk calls are related to password resets. The modern enterprise IT environment demands a balance between the intense security required to meet a variety of compliance standards and the need for flexibility and ease-of-use on the part of end-users. 

Enterprise single sign-on (ESSO) can help strike that balance and protect your business. ESSO built into your identity management platform can offer even more. It can reduce risk, enhance user productivity, cut costs, and provide a long-term solution to password management. 

Join us for this live complimentary Webcast where industry experts from Oracle will discuss:

  • How to slash your password related help desk costs and improve user experience
  • The benefits of ESSO integrated into an identity management platform
  • Best practices for a successful ESSO deployment
You’ll also have the opportunity to get answers to your most nagging security questions during the live Q&A. 

Friday Sep 02, 2011

How To Use Oracle Identity Management To Rescue Delayed IBM Identity Management Deployments

Oracle Identity Management Webinars

If your organization has a delayed IBM-based identity management deployment this webinar will show reasons why this might be and how Oracle can help.

In particular you will learn how Oracle Identity Management can:

  • Mobilize and complete your identity management project
  • Coexist with or replace your existing IBM identity management point solution
  • Reduce security risk and improve regulatory compliance

Click Here To Register.

Learn How To Save 48% On Your Access Management Deployment

We're hosting an upcoming webinar with the Aberdeen Group that will present research showing how an identity management platform can save you significant money versus a point-solution based deployment. Click Here to register.

Wednesday Aug 24, 2011

Remember Your Password Or You Won't Get Your Donut

People have trouble remembering complex passwords. Click here to see one organization's ingenious way to get their employees to remember them. Click it or no donut for you.

Thursday Aug 18, 2011

Best Practice For Oracle Virtual Directory (OVD) Backup and Disaster Recovery.

I'm writing this in response to a question on one of our mailing lists: because of the current state of the Oracle docset (something the doc team is working on), this is hard to find in one concise place. Here are the things to do:
  • Make sure to have 2 or more OVD instances deployed in production. OVD provides tools to keep the configurations in sync between systems
  • If you have an external DR site, synchronize the OVD configuration to this external site. Note this assumes the hostnames in the DR site are the same as in primary. If not, the names will require manual tweaking.
  • OVD keeps all of its configuration in files in the $ORACLE_INSTANCE directory. Back this directory up. If you needed to recover, this can be restored. Most likely you would then need to re-register the instance with OPMN and EM, which is covered in the OVD documentation.
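The backup step in the list above, as an added example that is not from the original post or from Oracle's tooling: a POSIX shell script that archives an instance directory passed as an argument (the page's $ORACLE_INSTANCE), records a SHA-256 checksum beside the archive, and proves the archive restores to an identical tree before anyone relies on it. The file names inside the instance are whatever your deployment holds; nothing about Oracle's layout is assumed, the archive path and backup directory are arguments, and re-registering a restored instance with OPMN and EM is left to the documented procedure.

```shell
#!/bin/sh
# Back up an OVD instance directory to a timestamped tarball with a checksum, and
# verify that the tarball restores to exactly the live configuration.
# Added example, not from the original post; paths come from the caller, not Oracle defaults.
set -e

# backup_instance INSTANCE_DIR BACKUP_DIR -> prints the archive path
backup_instance() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "no such instance directory: $src" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="ovd-instance-$stamp.tar.gz"
    archive="$dest/$name"
    # -C with "." stores relative paths, so the archive restores under any root,
    # which matters when the DR site's layout or hostnames differ from primary.
    tar -czf "$archive" -C "$src" .
    # Checksum recorded with a relative file name so it verifies wherever the copy lands.
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE INSTANCE_DIR -> 0 if the archive is intact and restores identically
verify_backup() {
    archive="$1"; src="$2"
    # Refuse an archive whose bytes no longer match the recorded checksum.
    if ! (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1); then
        echo "checksum mismatch: $archive" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    # A restore into a scratch directory is the only real test of a backup.
    if tar -xzf "$archive" -C "$scratch" && diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    echo "restored tree differs from $src" >&2
    return 1
}
```

Typical use is `ARCHIVE=$(backup_instance "$ORACLE_INSTANCE" /backups/ovd) && verify_backup "$ARCHIVE" "$ORACLE_INSTANCE"` from a scheduled job; a non-zero exit from the second command is the signal that the backup you were counting on is not one you can restore.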

Thursday Jul 28, 2011

Oracle Unified Directory Webcast Q&A Results Posted

We have posted the answers to the questions from the Q&A from the OUD introduction webcast.

This is the blog for Oracle Consulting Security North America team. Edited by Mark Wilcox - Chief Technology Officer for Oracle Consulting Security - North America.

