Showing posts with label security. Show all posts

Wednesday, September 15, 2010

Wall-to-wall SSO and EUS

After introducing Kerberos and getting SSO to the database working, it is time for some excitement: combining Single Sign-On (SSO) with Enterprise User Security (EUS).
Sure, I blogged about Enterprise Security a long time ago (see the "Enterprise Security" entries of 2005), but there I used certificates: in fact, a different identity altogether.
In this entry some of the 2005 material returns, but parts will differ.

The latest and the greatest.

For those of you who wonder why I bother to blog about this "ancient" version: read the statement of direction on SSO Server (note 979951.1 on MOS). Basically, when you use Portal, Forms or Discoverer, you need OSSO 10gR3 (even with Forms 11g).
It is not that ancient when it will be around for some time yet...

Goal.

What I want is the same as in the previous entry on SSO, but I do not wish to create users: I want to use EUS instead.

Preparations.

In addition to what is already in place, I need a complete SSO infrastructure.
The brave may want to do the Enterprise-sized setup; for now I will just go with the "all-in-one" Identity Management install, patched to 10.1.4.3.

Steps

In order to achieve all this, I would need to:
  1. Set up synchronization between Active Directory and OID
  2. Set up Enterprise Security in the database(s)
  3. Set up a trusted relation between OSSO Application Server and AD
  4. As a bonus: try to persuade Forms menu security to use EUS
I will blog about these - stay tuned...

Friday, February 13, 2009

APEX V3.1.2 Runtime Administration

Currently working on a third-party developed application that does user management from within the application. Nothing special, you would say.
And it is not, except for the part where a new user needs to get the privilege to add other users. The query used to check whether a user may administer application users is a join over the view FLOWS_030100.APEX_WORKSPACE_APEX_USERS, specifically the column IS_ADMIN. Promoting an APEX application user to administrator is simple in the developer environment; in a runtime-only environment it is a little harder.

In fact, I can install new versions of the application by logging on to the database with SQL*Plus as workspace owner, and run the script. One of the first things this script does is:

begin wwv_flow_api.set_security_group_id(
p_security_group_id => APEX_UTIL.FIND_SECURITY_GROUP_ID('NAME'));
end;
/

After that, it continues with the creation of the flow (after the flow was dropped):

wwv_flow_api.create_flow(
p_id => 100,
p_display_id=> 100,
p_owner => 'OWNER',
p_name => 'NAME',

... etc...

However, the owner corresponds to an Oracle database account, and there is a policy to keep application accounts separate from database accounts. So in the workspace import (wwv_flow_fnd_user_api.create_company) there is a difference between the workspace schema (p_company_schemas) and the provisioning schema (p_first_schema_provisioned) on one side, and the Workspace Administrator (wwv_flow_fnd_user_api.create_fnd_user) on the other.

As stated: I can log on to the database as owner (Oracle account) and install the application. However, what I cannot do is:

begin wwv_flow_api.set_security_group_id(
p_security_group_id => APEX_UTIL.FIND_SECURITY_GROUP_ID('NAME'));
end;
/
begin
apex_util.edit_user(
p_user_id => apex_util.get_user_id('APP_ADMIN'),
p_user_name => 'APP_ADMIN',
p_developer_privs => 'ADMIN:');
end;
/

It simply results in:

ERROR at line 1:
ORA-20001: User requires ADMIN privilege to perform this operation.
ORA-06512: at "FLOWS_030100.WWV_FLOW_FND_USER_API", line 76
ORA-06512: at "FLOWS_030100.WWV_FLOW_FND_USER_API", line 1192
ORA-06512: at "FLOWS_030100.HTMLDB_UTIL", line 756
ORA-06512: at line 2

The workaround is to execute this code as SYS (SYSTEM should work, too).

I suspect it has to do with the fact that the Workspace Administrator name differs from the owner of the application. Or, in technical terms, FLOWS_030100.APEX_WORKSPACE_APEX_USERS.USER_NAME does not correspond with the pseudo column USER.

Tuesday, September 18, 2007

WNA and Firefox

Where IE supports Windows Native Authentication (WNA) more or less out of the box, Firefox does not. Here is how to enable WNA in Firefox:
- type 'about:config' in the address bar
- navigate to the entry 'network.negotiate-auth.trusted-uris' (tip: set the search filter to "network.negotiate")
- enter the domains you want WNA to act upon, e.g. "home.local".
Multiple domains are separated by commas, e.g. "home.local,home.networked"; earlier releases indicate that a leading dot is required (e.g. ".home.local" instead of "home.local"). Keep the list to the domains that actually need it: every host matching an entry may ask Firefox for a Negotiate (Kerberos/NTLM) token for the logged-on user.

Tuesday, August 28, 2007

Passwords: store them in a Wallet!

Working on OID and database registrations, I found that the wallet created by the DBCA does not need to be signed. Basically, it is empty!
Well, not quite; although Oracle Wallet Manager (owm) only shows that "there is something", the details can be retrieved with mkstore:

oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -list
Enter password:

Oracle Secret Store entries:
ORACLE.SECURITY.DN
ORACLE.SECURITY.PASSWORD
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.DN
Enter password:

ORACLE.SECURITY.DN = cn=infra,cn=OracleContext,dc=home,dc=local
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Enter password:

ORACLE.SECURITY.PASSWORD = RJT01YL5
oracle10@infra

The password you need to provide is the password you specified for the wallet at the time you registered the database.
So, if you ever want to know the password of a database registration, this is how. It also means the registration password is only as safe as the wallet file and its password, so keep the wallet readable by the Oracle software owner alone. Works for 10.2 databases, should work for 10.1 (as 10.1 also knows mkstore), does not work for 9.2 or lower.

Another great option of mkstore (and the reason I found this...) is to store credentials for a database: great for securing database links and batch processes, which then connect without a password in a script.
More on that in the security manual, here, and an example.
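An added example in shell, not from the original post: it checks that the wallet files mkstore reads out above are private to the Oracle owner, and sets up the credential store for batch jobs and database links. The wallet directory, the TNS alias and the sqlnet.ora location are assumptions; the mkstore invocations and the two sqlnet.ora parameters are the standard ones.

```shell
#!/bin/sh
# Added example (not from the original post): guard a wallet that holds
# recoverable secrets, and build the secure external password store.
# Assumed, not from the page: wallet paths, the TNS alias, and that mkstore
# is on PATH when the optional setup step is run.

# The registration password is recoverable from ewallet.p12 by anyone holding
# the wallet password, and an auto-login cwallet.sso (if present) needs no
# password at all. So both files must be readable by the Oracle owner only.
# Returns 0 when every wallet file is private, 1 otherwise.
check_wallet_perms() {   # check_wallet_perms <wallet_dir>
    dir=$1; bad=0
    for f in "$dir"/ewallet.p12 "$dir"/cwallet.sso; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case $mode in
            *00) ;;                                   # group/other bits clear
            *)   echo "insecure: $f is mode $mode" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# sqlnet.ora fragment that makes clients take "/@alias" credentials from the
# wallet instead of prompting or reading them from a script.
sqlnet_wallet_fragment() {   # sqlnet_wallet_fragment <wallet_dir>
    printf 'WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = %s)))\n' "$1"
    printf 'SQLNET.WALLET_OVERRIDE = TRUE\n'
}

# Optional: create the credential wallet and register one alias in it.
# mkstore prompts for the wallet password and, because the database password
# is deliberately left off the command line, for that password as well:
# passing it in argv would expose it in the process list and shell history.
setup_password_store() {   # setup_password_store <wallet_dir> <tns_alias> <db_user> <tns_admin_dir>
    command -v mkstore >/dev/null 2>&1 || { echo "mkstore not on PATH; skipping" >&2; return 0; }
    mkdir -p "$1" && chmod 700 "$1"
    mkstore -wrl "$1" -create                         # ewallet.p12 plus auto-login cwallet.sso
    mkstore -wrl "$1" -createCredential "$2" "$3"     # user/password stored under the alias
    sqlnet_wallet_fragment "$1" >> "$4/sqlnet.ora"
    check_wallet_perms "$1"                           # afterwards: sqlplus /@<tns_alias>
}
```

Run `check_wallet_perms /oracle/infra/admin/dev/wallet` against the wallet from the listing above. Once `setup_password_store` has been run, a batch job connects with `sqlplus /@dev` and the password appears neither in the script nor in the process list; only the wallet files and their permissions stand between an attacker and that credential.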

Thursday, March 02, 2006

Broken code (SHA, MD5)

Just when you thought you had it all secured, it turns out that the hash function regarded as the safest, designed by the NSA, is broken. Not just now, but about a year ago.
A Chinese mathematician, Xiaoyun Wang, used collision search to attack SHA-0, SHA-1 and MD5, and succeeded. [Edit Nov 2007: about the whole world refers to the same link I used, but it is invalid; I believe this is the correct one, and if not, browse this for all publications]

Hashes
What
What Xiaoyun ('Little Cloud') Wang and her associates Yiqun Lisa Yin and Hongbo Yu did was look into the hash algorithms. These are mathematical functions that, applied to a file, produce a short fixed-length string of bits (128 for MD5, 160 for SHA-1) that is characteristic of the file. In effect it is a fingerprint: changing a single bit of the file changes the hash as well. That is why hashes let you determine whether a file has been tampered with: send the file or document, send the hash; compute the hash at the receiver's end and check whether the two match.
For this to work, a hashing algorithm must fulfil certain requirements:
  • It must be infeasible to find two different documents or files that produce the same hash (collision resistance).
  • It must be infeasible to reconstruct the original data from the hash (preimage resistance).
When two different files produce the same hash value, this is known as a collision.
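An added example in shell, not from the original post: it carries out the fingerprint procedure just described with SHA-256 (MD5 and SHA-1 being exactly what this entry says you can no longer rely on), shows that a one-byte change breaks the check, and scans a directory for files sharing a digest, which is how a collision would show up in practice. The file names and contents are constructed for the demonstration; coreutils sha256sum, cmp and awk are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: send the file, send the hash,
# recompute and compare, plus a duplicate-digest scan. Sample files are
# constructed by the caller (see the usage lines at the bottom).

# Fingerprint of a file: fixed length (64 hex digits) whatever the input size.
digest() { sha256sum "$1" | cut -d' ' -f1; }

# Receiver side: 0 when the file still matches the digest it was sent with,
# 1 when any bit has changed. The digest is not a secret, so a plain string
# compare is fine here; an HMAC tag would need a constant-time compare.
verify() {   # verify <file> <expected_hex_digest>
    [ "$(digest "$1")" = "$2" ]
}

# Overwrite the first byte of a file with "x": one changed byte changes the
# whole digest, which is the fingerprint property the post describes.
tamper_first_byte() {   # tamper_first_byte <file>
    printf 'x' | dd of="$1" bs=1 count=1 conv=notrunc 2>/dev/null
}

# Scan a directory for files sharing a digest. Prints one line per pair:
# "duplicate" when the contents are byte-identical, "COLLISION" when two
# different files hash alike (which, for SHA-256, should never happen).
# Returns the number of real collisions found, so 0 means none.
scan_collisions() {   # scan_collisions <dir>
    n=0; pairs=$(mktemp)
    sha256sum "$1"/* | sort |
        awk '$1 == prev { print prev_file, $2 } { prev = $1; prev_file = $2 }' > "$pairs"
    while read -r a b; do
        if cmp -s "$a" "$b"; then echo "duplicate: $a $b"
        else echo "COLLISION: $a $b"; n=$((n + 1)); fi
    done < "$pairs"
    rm -f "$pairs"
    return $n
}

# Usage (constructed sample):
#   printf 'release notes v1\n' > dir/a.txt; cp dir/a.txt dir/a_copy.txt
#   h=$(digest dir/a.txt); verify dir/a.txt "$h"        # exit status 0
#   tamper_first_byte dir/a_copy.txt; verify dir/a_copy.txt "$h"   # exit status 1
#   scan_collisions dir                                 # reports pairs, returns 0
```

Note what the scan can and cannot tell you: two files with the same digest and the same bytes are merely duplicates; the same digest over different bytes is a collision, and for MD5 or SHA-1 that is precisely what Wang's method produces on demand, which is why the check above uses SHA-256.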
Collisions
What Wang does is look for collisions, and she found them: for MD5 as well as for SHA-1. MD5 is old (developed in 1991) and supposedly not used much anymore; it is, however, still remarkably often found.
Xiaoyun Wang finds collisions by looking carefully at what happens to the data while it is being hashed: she chooses a difference between two messages and then adjusts individual message bits so that the difference cancels out in the internal state, step by step, until both messages hash to the same value. All in all, this reduces the work from the 2^64 of a generic birthday attack on MD5 (2^80 for SHA-1) to roughly 2^39 MD5 operations, breakable in about a day on a fast PC, and in the later SHA-1 paper to about 2^69 for SHA-1.
The standing ovation when this was presented at Eurocrypt was deserved, I would say, as was the best paper award. Nice detail about the Eurocrypt site: their certificate is untrusted...
Soon after the publication, German mathematicians used the collisions to sign a PDF document and a PostScript file with a forged digital signature.

Panic
A Dutch researcher, De Weger, created a forged certificate based on collisions provided by Wang: two different certificates had the same hash value, even though only one was genuine.

Wang went on and announced that she had broken SHA-1 as well. That caused a bit of a stir,
as SHA-1 is the hashing method commonly used in the Secure Sockets Layer (SSL) that secures HTTP traffic.

She was not granted a visa to speak in the USA about her work. Now, who's the ostrich here? This kind of reaction seems to be getting typical for the US.

[Edit Feb 2017: Google and CWI demonstrated a practical collision for (160-bit) SHA-1. "Again?", you would say]

Here is a link to a Dutch article about her. An explanation of collisions.

Sunday, September 25, 2005

Finally: Enterprise Security

It's about time, so here we go:
Stop the 9i instance on my test server (limited memory...) and its listener, bring 10g Release 1 to life together with a listener, and start all iAS processes:
[oracle10@csdb01 oracle10]$ lsnrctl start
LSNRCTL for Linux: Version 10.1.0.4.0 - Production on 25-SEP-2005 14:42:31
Copyright (c) 1991, 2004, Oracle. All rights reserved.
Starting /o/oracle10/10gR1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 10.1.0.4.0 - Production
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "o10gR1" has 1 instance(s).
Instance "o10gR1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

[oracle10@csdb01 oracle10]$ sqlplus "/ as sysdba"
SQL*Plus: Release 10.1.0.4.0 - Production on Sun Sep 25 14:42:40 2005
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 285212672 bytes
Fixed Size 778856 bytes
Variable Size 120593816 bytes
Database Buffers 163577856 bytes
Redo Buffers 262144 bytes
Database mounted.
Database opened.
SQL>
[oracle10@csdb01 oracle10]$ /o/ias10/opmn/bin/opmnctl startall
opmnctl: starting opmn and all managed processes...
[oracle10@csdb01 oracle10]$ /o/ias10/bin/emctl start iasconsole
TZ set to Europe/Amsterdam
Oracle Enterprise Manager 10g Application Server Control Release 10.1.2.0.0
Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
http://csdb01.cs.nl:1810/emd/console/aboutApplication
Starting Oracle Enterprise Manager 10g Application Server Control ....... started successfully.
[oracle10@csdb01 oracle10]$ /o/ias10/oca/bin/ocactl start

OracleAS Certificate Authority 10g (10.1.2)

Copyright (c) 2003, 2004, Oracle Corporation. All rights reserved.

OracleAS Certificate Authority administrator password:
OCA service started.

[oracle10@csdb01 oracle10]$
OK - ready for test 1: Verify the Database Server can Bind to OID; actually, I already did that, but here is the code once more:
ldapbind -h csdb01 -p 3160 -U 3 -W file:/etc/wallets/oracle10 -P welcome1
That results in a successful bind, and concludes test1.
Second test (if you are wondering where these tests come from: they are from the March 2005 revision of Metalink note 185275.1): verify the database is registered:

SQL> show parameter RDBMS_SER

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
rdbms_server_dn                      string

Hmm.. Need to change that:

SQL> alter system set
  2  rdbms_server_dn='CN=o10gR1,CN=OracleContext,DC=nl, DC=cs' scope=spfile;

System altered.

OK, done. Need to bounce the database, and verify:

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
rdbms_server_dn                      string      CN=o10gR1,CN=OracleContext,DC=
                                                 nl, DC=cs

Make sure you have the server in the correct context in the Enterprise Security Manager!
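An added example in shell, not from the original post: it derives the rdbms_server_dn a database should carry from the database name and the directory's domain, and compares it with the value the instance actually has. The assumption (labelled in the code) is the default realm layout, where cn=OracleContext sits directly under the domain's DN, as in the cn=infra,cn=OracleContext,dc=home,dc=local wallet entry shown elsewhere on this page; the live-lookup helper additionally assumes sqlplus and SYSDBA access.

```shell
#!/bin/sh
# Added example, not from the original post: check that rdbms_server_dn has
# its domain components in the right order before registering the database.
# Assumption: the Oracle Context is cn=OracleContext directly under the
# domain DN (default realm layout), e.g. dc=cs,dc=nl for the domain cs.nl.

# Turn "cs.nl" into "dc=cs,dc=nl", keeping the label order of the domain.
domain_to_dn() {   # domain_to_dn <dns_domain>
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# The DN a registered database is expected to have.
expected_server_dn() {   # expected_server_dn <db_name> <dns_domain>
    printf 'cn=%s,cn=OracleContext,%s\n' "$1" "$(domain_to_dn "$2")"
}

# Normalise a DN for comparison: lower-case, no whitespace after commas.
normalise_dn() {   # normalise_dn <dn>
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# 0 when the configured value matches the expectation, 1 otherwise.
check_server_dn() {   # check_server_dn <configured_dn> <db_name> <dns_domain>
    want=$(normalise_dn "$(expected_server_dn "$2" "$3")")
    have=$(normalise_dn "$1")
    if [ "$have" = "$want" ]; then
        echo "ok: $have"
        return 0
    fi
    echo "mismatch: configured '$have', expected '$want'" >&2
    return 1
}

# Read the live value from the instance (needs sqlplus and SYSDBA access).
live_server_dn() {
    sqlplus -s "/ as sysdba" <<'EOF' | tr -d '[:space:]'
set heading off feedback off pagesize 0
select value from v$parameter where name = 'rdbms_server_dn';
EOF
}

# Usage on a running instance:
#   check_server_dn "$(live_server_dn)" o10gR1 cs.nl
```

Against the value set above, `check_server_dn 'CN=o10gR1,CN=OracleContext,DC=nl, DC=cs' o10gR1 cs.nl` reports a mismatch and expects dc=cs,dc=nl: the reversed domain components that the rest of this post traces the listener trouble back to.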

Steps 3 through 6 have been completed successfully; here are some snapshots:

[snapshot: Navigating...]

Continued Jan 25th, 2006: and this is where it ended... Why this post was in draft status for so long, I don't remember; I do remember, however, that I got really fed up with the horrible errors I received when testing the lot.
The listener core dumped, under Windows as well as under Linux, for all of these versions: 9.2.0.4, 9.2.0.6, 10.1.0.4 and 10.2! By the time I'd figured all that out, I failed to see the (probable) cause of all this: the DN has the domain suffix in the wrong sequence. Just reread the 'Enterprise Security' threads... ;).

In the meantime, I discussed the setup and possibilities with a colleague, and he got it to work. Seen it, helped him out, just (...) need to document it properly. Will be done, rest assured.
Edit: Well, I got it working, finally - just take a look here.