Enterprise User Security (EUS) in the Oracle Database

Enterprise User Security (EUS) is an important component of the Oracle database that allows you to centrally manage the database users across the enterprise. Enterprise users are the users that are defined and managed in a directory. Every enterprise user has a unique identity across the enterprise. The Enterprise User Security relies on the Oracle Identity Management infrastructure, which uses an LDAP-compliant directory service to centrally store and manage the users.

Protegrity supports the following authentication methods:

• Password-based authentication
• SSL-based authentication
• Kerberos-based authentication

In the following list, the type of user is followed by the value returned:

• Password-authenticated enterprise user: nickname (same as the login name)
• Password-authenticated database user: the database username (same as the schema name)
• SSL-authenticated enterprise user: the DN in the user’s PKI certificate
• SSL-authenticated external user: the DN in the user’s PKI certificate
• Kerberos-authenticated enterprise user: Kerberos principal name
• Kerberos-authenticated external user: Kerberos principal name, which is the same as the schema name

The Oracle database protector supports the retrieval of the user information using the AUTHENTICATED_IDENTITY parameter that returns the identity used for the authentication.

Using the EUS Feature

The instructions and examples provided in the section use Kerberos-based authentication.

Note:

• Ensure that the username in the ESA policy contains only the username and does not include the domain name. For example, USER1.
• Currently, only one domain name is supported.

To use the EUS feature:

1. To create a Kerberos ticket for the enterprise user, run the following command:

   okinit <username>
   

2. Press ENTER. The command prompts for the password of the enterprise user.

   [oracle@db ~]$ okinit USER1
   Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 15-DEC-2021 06:07:06
   Copyright (c) 1996, 2017 Oracle. All rights reserved.
   Configuration file : /u01/app/oracle/product/18.0.0/dbhome_1/network/admin/kerberos/krb5.conf.
   Password for USER1@TESTLAB.COM:
   

3. Enter the password.
4. Press ENTER.
5. To verify whether the authentication ticket is generated successfully, run the following command:

   oklist
   

6. Press ENTER. The command displays the authentication ticket details.

   [oracle@db ~]$ oklist
   Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 15-DEC-2021 06:07:37
   Copyright (c) 1996, 2017 Oracle. All rights reserved.
   Configuration file : /u01/app/oracle/product/18.0.0/dbhome_1/network/admin/kerberos/
   krb5.conf.
   Ticket cache: FILE:/tmp/krb5cc_54321
   Default principal: USER1@TESTLAB.COM
   Valid starting Expires Service principal
   12/15/21 06:07:06 12/15/21 16:07:06 krbtgt/TESTLAB.COM@TESTLAB.COM
   renew until 12/16/21 06:07:06
   [oracle@db ~]$
   

7. To login to the Oracle database, run the following command:

   sqlplus /@<database_name>
   

8. Press ENTER. The SQL prompt appears.
9. To verify the authentication method, run the following command:

   select sys_context('USERENV','AUTHENTICATION_METHOD') from dual;
   

10. Press ENTER. The command displays the authentication method.

    select sys_context('USERENV','AUTHENTICATION_METHOD') from dual;
    SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
    --------------------------------------------------------------------------------
    KERBEROS
    

11. To view the user, run the following command:

    select user from dual;
    

12. Execute a sample protect operation.

    SQL> select pty.ins_encrypt('AES128', 'Original data', 0) from dual;
    PTY.INS_ENCRYPT('AES128','ORIGINALDATA',0)
    --------------------------------------------------------------------------------
    3713D5C1E058701568115B28885707CA
    SQL>
    

13. Execute a sample unprotect operation.

    SQL> select pty.sel_decrypt('AES128', pty.ins_encrypt('AES128', 'Protegrity', 0) , 0) from dual;
    PTY.SEL_DECRYPT('AES128',PTY.INS_ENCRYPT('AES128','PROTEGRITY',0),0)
    --------------------------------------------------------------------------------
    Protegrity
    SQL>
    

Retrieving User Information

This section describes how to use the AUTHENTICATED_IDENTITY parameter to retrieve the information of an enterprise user.

To fetch the information of an enterprise user, run the following query:

select sys_context( 'userenv', 'AUTHENTICATED_IDENTITY' ) from dual;

Note: The AUTHENTICATED_IDENTITY parameter contains the information of the enterprise user and returns the identity that is used in the authentication.