Monday, October 16, 2023

OUD Feature Highlight: EUS/CMU Password Storage Scheme

Beginning with Oracle Unified Directory (OUD) 12c Patch Set 4, Oracle began adding new features and functionality along with bug fixes with each bundle patch release.  The What's New section of the documentation covers new features as they are added with each bundle patch release.

One such feature enhancement introduced a new password storage scheme that is used by the Enterprise User Security (EUS) and Centrally Managed Users (CMU) architectures for password-based user authentication to the Oracle database.

This new password scheme is a proprietary blend of multiple rounds of PBKDF2 with SHA-512, which is much stronger than the storage scheme used for earlier Oracle database versions (e.g. 10g and 11g).  The full list of password storage schemes offered by OUD 12cPS4 is available here.

With the EUS architecture configuration where OUD is the identity store for authentication, identity management solutions such as Oracle Identity Manager, SailPoint and others can simply update the password through a normal password update, and the OUD password policy will automatically generate this password hash for database authentication.

With the EUS or CMU architectures where Active Directory (AD) is the identity store, the individual user's orclCommonAttribute value needs to be updated with this new hash in order for password-based authentication to work properly.

The standard method of updating the user's orclCommonAttribute attribute value is to deploy the password filter to all AD domain controllers.  When a user changes their password through the Ctrl-Alt-Delete feature of Windows, Oracle's password filter (orapwdfltr.dll) captures the clear-text password entered by the user, hashes it, and stores the hashed value in the orclCommonAttribute attribute of the user's AD object.  See Doc ID 2640135.1 for more information on how to obtain and deploy the latest version of this password filter.

There is an alternative approach to populating the user's orclCommonAttribute in AD that has the same end result but does not require the password filter.  You can use the OUD encode-password command to generate the hashed value of the password and then update orclCommonAttribute in the user's AD entry.  This approach could be dovetailed into your provisioning solution as well.  Here is a sample workflow:

1. Install OUD.  
Note: If integrating with an Identity Management solution, OUD would most likely need to be installed on the host(s) where the Identity Management solution runs in order to handle the password securely.

2. Use the OUD encode-password command to generate the hash of the user's password.

$ export JAVA_HOME=/opt/ods/poc/sw/jdk1.8.0_381
$ mkdir /opt/ods/poc/mw_oud12c/oud/locks
$ echo Johns-N3w_P4ssw0rd > /opt/ods/poc/cfg/...pw
$ /opt/ods/poc/mw_oud12c/oud/bin/encode-password -s MR-SHA512 -f /opt/ods/poc/cfg/...pw
Encoded Password: "{MR-SHA512}vGhKrQ39OEvg9vSOCJzm1TA/Eues1RN37ra+1rOuf6hfAPTFLd00CIVihRZ279OXNYbIEl2G/bjdaqOKxnuaye6rVgZcbdAjSZ9CTweXihU="


3. Use ldapmodify or equivalent API to update the orclCommonAttribute of the user's entry in AD.

$ /opt/ods/poc/mw_oud12c/oud/bin/ldapmodify -h msad.example.com -p 636 -X -Z -D 'cn=Administrator,cn=Users,dc=example,dc=com' -j /opt/ods/poc/cfg/...pw <<EOF
dn: cn=John Doe,cn=Users,dc=example,dc=com
changeType: modify
replace: orclCommonAttribute
orclCommonAttribute: {MR-SHA512}vGhKrQ39OEvg9vSOCJzm1TA/Eues1RN37ra+1rOuf6hfAPTFLd00CIVihRZ279OXNYbIEl2G/bjdaqOKxnuaye6rVgZcbdAjSZ9CTweXihU=
EOF
Processing MODIFY request for cn=John Doe,cn=Users,dc=example,dc=com
MODIFY operation successful for DN cn=John Doe,cn=Users,dc=example,dc=com


4. Test that the authentication works with the updated password.

$ORACLE_HOME/bin/sqlplus jdoe/Johns-N3w_P4ssw0rd@$ORACLE_SID
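
Steps 2 and 3 above, wrapped into a small POSIX shell script as an added example (this is not code from the original post or from Oracle): it parses the encode-password output, refuses to write anything to AD that is not an {MR-SHA512} value, and feeds the resulting LDIF to ldapmodify over LDAPS.  The OUD path, AD host, bind DN and sample output line are taken from the post; the bind-password file path is a placeholder you must set.

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle). Paths, host and
# bind DN below come from the post; the bind-password file is a placeholder.
OUD_HOME="${OUD_HOME:-/opt/ods/poc/mw_oud12c/oud}"
AD_HOST="${AD_HOST:-msad.example.com}"
AD_BIND_DN="${AD_BIND_DN:-cn=Administrator,cn=Users,dc=example,dc=com}"
AD_BIND_PW_FILE="${AD_BIND_PW_FILE:-/PLACEHOLDER/path/to/bind.pw}"

# encode-password output line from the post, used here as sample input.
SAMPLE_OUTPUT='Encoded Password: "{MR-SHA512}vGhKrQ39OEvg9vSOCJzm1TA/Eues1RN37ra+1rOuf6hfAPTFLd00CIVihRZ279OXNYbIEl2G/bjdaqOKxnuaye6rVgZcbdAjSZ9CTweXihU="'

# Read encode-password's output on stdin and print only the {MR-SHA512}... value.
extract_hash() {
    sed -n 's/^Encoded Password: "\({MR-SHA512}[^"]*\)".*/\1/p'
}

# Accept only a non-empty MR-SHA512 value: sed prints nothing on a failed or
# differently-configured run, and writing that to AD would break EUS/CMU logins.
check_scheme() {
    case "$1" in
        "{MR-SHA512}"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the LDIF that replaces orclCommonAttribute on the user's AD entry.
build_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: orclCommonAttribute\norclCommonAttribute: %s\n' "$1" "$2"
}

# Full workflow: the clear-text password is read from a file (create it with
# umask 077 and never pass it on the command line, so it stays out of ps output
# and shell history), hashed by OUD, checked, and pushed to AD over LDAPS (-Z).
provision_hash() {
    user_dn="$1"; pw_file="$2"
    hash=$("$OUD_HOME/bin/encode-password" -s MR-SHA512 -f "$pw_file" | extract_hash)
    check_scheme "$hash" || { echo "encode-password did not return an MR-SHA512 value" >&2; return 1; }
    build_ldif "$user_dn" "$hash" | "$OUD_HOME/bin/ldapmodify" -h "$AD_HOST" -p 636 -X -Z \
        -D "$AD_BIND_DN" -j "$AD_BIND_PW_FILE"
}

# Dry run on the sample output; the real call would be:
#   provision_hash 'cn=John Doe,cn=Users,dc=example,dc=com' /path/to/user.pw
printf '%s\n' "$SAMPLE_OUTPUT" | extract_hash
```

The dry run only exercises the parsing and validation; provision_hash needs a reachable OUD install and AD domain controller.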


I hope that you found this helpful!

Blessings!

Brad
