Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Intended Audience
Documentation Accessibility
Related Documents
Conventions
Changes in This Release for Oracle Database Enterprise User Security Administrator's Guide
Changes in Oracle Database 12c Release 2 (12.2)
New Features
1 Introducing Enterprise User Security
Introduction to Enterprise User Security
The Challenges of User Management
Enterprise User Security: The Big Picture
How Oracle Internet Directory Implements Identity Management
About Identity Management Realms
About Identity Management Realm-Specific Oracle Contexts
Enterprise Users Compared to Database Users
About Enterprise User Schemas
Private or Exclusive Schemas
Shared Schemas
How Enterprise Users Access Database Resources with Database Links
How Enterprise Users Are Authenticated
About Enterprise User Security Directory Entries
Enterprise Users
Enterprise Roles
Enterprise Domains
Database Server Entries
User-Schema Mappings
Administrative Groups
Password Policies
About Using Shared Schemas for Enterprise User Security
Overview of Shared Schemas Used in Enterprise User Security
How Shared Schemas Are Configured for Enterprise Users
How Enterprise Users Are Mapped to Schemas
Enterprise User Proxy
About Using Current User Database Links for Enterprise User Security
Enterprise User Security Deployment Considerations
Security Aspects of Centralizing Security Credentials
Security Benefits Associated with Centralized Security Credential Management
Security Risks Associated with Centralized Security Credential Management
Security of Password-Authenticated Enterprise User Database Login Information
What Is Meant by Trusted Databases
Protecting Database Password Verifiers
Considerations for Defining Database Membership in Enterprise Domains
Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security
Typical Configurations
2 Getting Started with Enterprise User Security
Configuring Your Database to Use the Directory
Registering Your Database with the Directory
Creating a Shared Schema in the Database
Mapping Enterprise Users to the Shared Schema
Connecting to the Database as an Enterprise User
Using Enterprise Roles
Using Proxy Permissions
Using Pluggable Databases
Wallet Location for Pluggable Databases
Default Database DN Format
Plugging and Unplugging PDBs
Switching Containers
3 Configuration and Administration Tools Overview
Enterprise User Security Tools Overview
Oracle Internet Directory Self-Service Console
Oracle Net Configuration Assistant
Starting Oracle Net Configuration Assistant
Database Configuration Assistant
Starting Database Configuration Assistant
Oracle Wallet Manager
Starting Oracle Wallet Manager
The orapki Command-Line Utility
Oracle Enterprise Manager
User Migration Utility
Duties of an Enterprise User Security Administrator/DBA
4 Enterprise User Security Configuration Tasks and Troubleshooting
Enterprise User Security Configuration Overview
Enterprise User Security Configuration Roadmap
Preparing the Directory for Enterprise User Security (Phase One)
About the Database Wallet and Password
Sharing Wallets and sqlnet.ora Files Among Multiple Databases
Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two)
Configure Enterprise User Security for the Authentication Method You Require (Phase Three)
Configuring Enterprise User Security for Password Authentication
Configuring Enterprise User Security for Kerberos Authentication
Configuring Enterprise User Security for SSL Authentication
Viewing the Database DN in the Wallet and in the Directory
Enabling Current User Database Links
Troubleshooting Enterprise User Security
ORA-n Errors for Password-Authenticated Enterprise Users
ORA-n Errors for Kerberos-Authenticated Enterprise Users
ORA-n Errors for SSL-Authenticated Enterprise Users
NO-GLOBAL-ROLES Checklist
USER-SCHEMA ERROR Checklist
DOMAIN-READ-ERROR Checklist
5 Administering Enterprise User Security
Administering Identity Management Realms
Identity Management Realm Versions
Setting Properties of an Identity Management Realm
Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes
Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
Managing Identity Management Realm Administrators
Administering Enterprise Users
Creating New Enterprise Users
Setting Enterprise User Passwords
Granting Enterprise Roles to Enterprise Users
Granting Proxy Permissions to Enterprise Users
Creating User-Schema Mappings for Enterprise Users
Creating Label Authorizations for Enterprise Users
Configuring User-Defined Enterprise Groups
Granting Enterprise Roles to User-Defined Enterprise Groups
Configuring Databases for Enterprise User Security
Creating User-Schema Mappings for a Database
Adding Administrators to Manage Database Schema Mappings
Administering Enterprise Domains
Creating an Enterprise Domain
Adding Databases to an Enterprise Domain
Creating User-Schema Mappings for an Enterprise Domain
Configuring Enterprise Roles
Configuring Proxy Permissions
Configuring User Authentication Types and Enabling Current User Database Links
Configuring Domain Administrators
6 Using Oracle Wallet Manager
About Oracle Wallet Manager
What Is Oracle Wallet Manager?
Wallet Password Management
Strong Wallet Encryption
Microsoft Windows Registry Wallet Storage
ACL Settings Needed for Wallet Files Created Using Wallet Manager
Backward Compatibility
Public-Key Cryptography Standards (PKCS) Support
Multiple Certificate Support
LDAP Directory Support
Starting Oracle Wallet Manager
General Process for Creating an Oracle Wallet
Managing Oracle Wallets
Required Guidelines for Creating Oracle Wallet Passwords
Creating a New Oracle Wallet
Creating a Standard Oracle Wallet
Creating an Oracle Wallet to Store Hardware Security Module Credentials
Opening an Existing Oracle Wallet
Closing an Oracle Wallet
Exporting an Oracle Wallet to a Third-Party Environment
Exporting an Oracle Wallet to a Tool That Does Not Support PKCS #12
Uploading an Oracle Wallet to an LDAP Directory
Downloading an Oracle Wallet from an LDAP Directory
Saving Changes to an Oracle Wallet
Saving the Open Wallet to a New Location
Saving an Oracle Wallet to the System Default Directory Location
Deleting an Oracle Wallet
Changing the Oracle Wallet Password
Using Auto Login for Oracle Wallets to Enable Access Without Human Intervention
About Using Auto Login for Oracle Wallets
Enabling Auto Login for Oracle Wallets
Disabling Auto Login for Oracle Wallets
Managing Certificates for Oracle Wallets
About Managing Certificates for Oracle Wallets
Managing User Certificates for Oracle Wallets
About Managing User Certificates
Adding a Certificate Request
Importing the User Certificate into an Oracle Wallet
Importing Certificates and Wallets Created by Third Parties
Removing a User Certificate from an Oracle Wallet
Removing a Certificate Request
Exporting a User Certificate
Exporting a User Certificate Request
Managing Trusted Certificates for Oracle Wallets
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting a Trusted Certificate to Another File System Location
Exporting All Trusted Certificates to Another File System Location
A Using the User Migration Utility
Benefits of Migrating Local or External Users to Enterprise Users
Introduction to the User Migration Utility
Bulk User Migration Process Overview
Step 1: (Phase One) Preparing for the Migration
Step 2: Verify User Information
Step 3: (Phase Two) Completing the Migration
About the ORCL_GLOBAL_USR_MIGRATION_DATA Table
Which Interface Table Column Values Can Be Modified Between Phase One and Phase Two?
Migration Effects on Users' Old Database Schemas
Migration Process
Prerequisites for Performing Migration
Required Database Privileges
Required Directory Privileges
Required Setup to Run the User Migration Utility
User Migration Utility Command-Line Syntax
Accessing Help for the User Migration Utility
User Migration Utility Parameters
Keyword: HELP
Keyword: PHASE
Keyword: DBLOCATION
Keyword: DIRLOCATION
Keyword: DBADMIN
Keyword: ENTADMIN
Keyword: USERS
Keyword: USERSLIST
Keyword: USERSFILE
Keyword: KREALM
Keyword: MAPSCHEMA
Keyword: MAPTYPE
Keyword: CASCADE
Keyword: CONTEXT
Keyword: LOGFILE
Keyword: PARFILE
User Migration Utility Usage Examples
Migrating Users While Retaining Their Own Schemas
Migrating Users and Mapping to a Shared Schema
Mapping Users to a Shared Schema Using Different CASCADE Options
Mapping Users to a Shared Schema with CASCADE=NO
Mapping Users to a Shared Schema with CASCADE=YES
Mapping Users to a Shared Schema Using Different MAPTYPE Options
About Using the SUBTREE Mapping Level Option
Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters
Troubleshooting Using the User Migration Utility
Common User Migration Utility Error Messages
Resolving Error Messages Displayed for Both Phases
Resolving Error Messages Displayed for Phase One
Resolving Error Messages Displayed for Phase Two
Common User Migration Utility Log Messages
Common Log Messages for Phase One
Common Log Messages for Phase Two
Summary of User Migration Utility Error and Log Messages
Tracing for UMU
B SSL External Users Conversion Script
Using the SSL External Users Conversion Script
Converting Global Users into External Users
C Integrating Enterprise User Security with Microsoft Active Directory
Set Up Synchronization Between Active Directory and Oracle Internet Directory
Set Up Active Directory to Interoperate with Oracle Client
Set Up Oracle Database to Interoperate with Microsoft Active Directory
Set Up Oracle Database Client to Interoperate with Microsoft Active Directory
Obtain an Initial Ticket for the Client
Configure Enterprise User Security for Kerberos Authentication
D Upgrading from Oracle9i to Oracle Database 12c Release 2 (12.2)
Upgrading Oracle Internet Directory from Release 9.2 to Release 9.0.4
Upgrading Oracle Database from Release 9.2.0.8 to Oracle Database 12c Release 2 (12.2)
Upgrading Oracle Database from Release 10g (10.1) and Higher to Oracle Database 12c Release 2 (12.2)
Glossary
Index