Configure Oracle EUSM to use LDAPS

With the introduction of Oracle 18c, eusm is officially designated as an Enterprise User Security Utility. It is now officially documented in the Enterprise User Security Administrator’s Guide. Before that we had to be content with the somewhat sparse MOS note 1085065.1 EUSM, Command Line Tool For EUS Administration and Some EUS Good to Knows. In addition, the tool was improved with the latest release. Up to and including Oracle 12c Release 2 it was not possible to establish a secure connection to the LDAP server with eusm. The tool does use SASL authentication, but it still always required an unencrypted LDAP connection to the directory server. For sensitive environments with enhanced security requirements, like banks, insurance companies etc., the use of unencrypted network traffic is a no-go. But the new documentation for eusm starts with a short paragraph “About SSL Port Connectivity through EUSM to OID”, which gave me confidence.

So there are additional parameters to support SSL:

  • ldap_ssl_port: SSL port of the directory server.
  • keystore: path to the keystore in PKCS12 format. The file path parameter takes the path to the PKCS12 keystore (for example, an ewallet.p12 file).
  • key_pass: controls how the keystore password is provided, e.g. interactively or via the command line.

Initially I got confused by the example. A file named ewallet.p12 is usually an Oracle wallet. That’s why I started using an Oracle wallet as keystore for eusm. But this was complete rubbish. Leaning back and thinking again helped: eusm is written in Java and the parameter is named keystore. Java plus keystore results in a Java keystore, doesn’t it? So I was a bit more successful with my second attempt.

Configure the keystore

As soon as one realises that the required keystore file is a Java keystore of type PKCS12, it is straightforward. eusm just requires the root certificate to validate the OUD certificate during the initialisation of the LDAPS connection. In an enterprise environment this certificate can be obtained from the internal certification authority. Alternatively it may also be exported from another keystore. In my EUS test environment I do not have an enterprise CA. Therefore I have to get the corresponding certificate directly from the Oracle directory server.

Log in to the directory server and export the certificate.

keytool -export -noprompt -rfc \
-alias server-cert \
-keystore ${OUD_INSTANCE_HOME}/OUD/config/keystore \
-storepass $(cat ${OUD_INSTANCE_HOME}/OUD/config/keystore.pin) \
-file /u01/config/oud_trusted_cert.txt

Certificate stored in file

Copy the file to the database server and import it into a Java keystore. The Java keytool will create a new keystore if you specify a keystore file which does not yet exist. Do not forget to specify PKCS12 as the store type. You can either specify the keystore password interactively or use -storepass to provide the password via the command line. I use the password from the keystore pin file $ORACLE_BASE/network/admin/keystore.pin.

$ORACLE_HOME/jdk/bin/keytool -import -trustcacerts \
-alias oud_root_certificate \
-storetype pkcs12 \
-keystore $ORACLE_BASE/network/admin/keystore.jks \
-storepass $(cat $ORACLE_BASE/network/admin/keystore.pin) \
-file /u01/oud/oud_trusted_cert.txt

Owner: CN=oud, O=Oracle Unified Directory Self-Signed Certificate
Issuer: CN=oud, O=Oracle Unified Directory Self-Signed Certificate
Serial number: c8cff33
Valid from: Thu Feb 28 06:39:40 UTC 2019 until: Sat Feb 27 06:39:40 UTC 2021
Certificate fingerprints:
MD5: E2:C2:43:8B:CD:EB:95:9E:F1:FC:D8:C3:FF:A7:91:AF
SHA1: 80:0D:9E:89:1B:BC:69:99:02:6A:E7:B5:A6:D2:63:E9:59:5A:C3:BF
SHA256: C7:14:54:1A:C3:FE:28:72:6E:B0:16:82:42:C9:6E:3B:43:BE:D6:C7:3A:31:60:1B:60:1D:8D:5E:7F:66:D9:7B
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

List the content of your java keystore file.

$ORACLE_HOME/jdk/bin/keytool -list \
-keystore $ORACLE_BASE/network/admin/keystore.jks \
-storepass $(cat $ORACLE_BASE/network/admin/keystore.pin)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

oud_root_certificate, Mar 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 80:0D:9E:89:1B:BC:69:99:02:6A:E7:B5:A6:D2:63:E9:59:5A:C3:BF

The method is the same if you use an enterprise certificate. You just have to use the root certificate provided by the CA.

Usage of eusm

To establish a connection via SSL, you have to provide the Java keystore and either the keystore password or -K when invoking eusm. The following command lists the EUS domains. The password is omitted here (-K) and has to be entered at the prompt.

eusm listDomains realm_dn="dc=trivadislabs,dc=com" \
ldap_host=oud \
ldap_ssl_port=1636 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password=eusadmin \
keystore=$ORACLE_BASE/network/admin/keystore.jks -K

Enter keystore password (key_pass):
LIST OF DOMAINS IN REALM: dc=trivadislabs,dc=com

OracleDefaultDomain

This command lists all the domain mappings. The password is now specified via the parameter key_pass.

eusm listMappings domain_name="OracleDefaultDomain" \
realm_dn="dc=trivadislabs,dc=com" \
ldap_host=oud \
ldap_ssl_port=1636 \
ldap_user_dn="cn=eusadmin,cn=oraclecontext" \
ldap_user_password=eusadmin \
keystore=/u00/app/oracle/network/admin/keystore.jks \
key_pass=$(cat $ORACLE_BASE/network/admin/keystore.pin)

LIST OF DATABASE SCHEMA MAPPINGS::

Mapping Name: MAPPING0
Mapping Type: SUBTREE
Mapping DN: ou=People,dc=trivadislabs,dc=com
Mapping schema:EUS_USERS
Mapping Level :DOMAIN

Below you see an excerpt of the OUD access log file. The log entry for the CONNECT event shows protocol=LDAPS.

[01/Mar/2019:14:49:12 +0000] CONNECT conn=1111 from=172.18.0.3:34126 to=172.18.0.2:1636 protocol=LDAPS
[01/Mar/2019:14:49:13 +0000] BIND REQ conn=1111 op=0 msgID=1 type=SIMPLE dn="cn=eusadmin,cn=oraclecontext" version=3
[01/Mar/2019:14:49:13 +0000] BIND RES conn=1111 op=0 msgID=1 result=0 authDN="cn=eusadmin,cn=oraclecontext" etime=0
[01/Mar/2019:14:49:13 +0000] SEARCH REQ conn=1111 op=1 msgID=2 base="dc=trivadislabs,dc=com" scope=base filter="(objectclass=*)" attrs="orclversion"
[01/Mar/2019:14:49:13 +0000] SEARCH RES conn=1111 op=1 msgID=2 result=0 nentries=1 etime=1
[01/Mar/2019:14:49:13 +0000] SEARCH REQ conn=1111 op=2 msgID=3 base="cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=trivadislabs,dc=com" scope=one filter="(|(objectClass=orclDBEntryLevelMapping)(objectclass=orclDBSubtreeLevelMapping))" attrs="cn,orcldbdistinguishedname,orcldbnativeuser,objectclass"
[01/Mar/2019:14:49:13 +0000] SEARCH RES conn=1111 op=2 msgID=3 result=0 nentries=1 etime=1
[01/Mar/2019:14:49:13 +0000] DISCONNECT conn=1111 reason="Client Disconnect"
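Once access is supposed to go over LDAPS only, the same access log is the place to check that nobody still binds in clear text. The following script is an added example and not part of the original post: it reads the OUD access log, remembers the protocol of every CONNECT, and reports simple BINDs on connections that are neither LDAPS nor upgraded with StartTLS. The sample log is constructed, and the StartTLS line assumes OUD logs it as an EXTENDED REQ with the standard StartTLS OID.

```shell
#!/bin/sh
# Added example, not from the original post: report simple BINDs that were sent
# over a connection which is neither LDAPS nor upgraded via StartTLS, i.e. the
# bind credentials crossed the network in clear text. Line layout follows the
# OUD access-log excerpt above; the StartTLS detection assumes OUD logs it as an
# EXTENDED REQ carrying the standard StartTLS OID 1.3.6.1.4.1.1466.20037.

# Constructed sample log: conn=1111 is the LDAPS session from the post,
# conn=1112 is a plain LDAP session, conn=1113 negotiates StartTLS before binding.
SAMPLE_LOG='[01/Mar/2019:14:49:12 +0000] CONNECT conn=1111 from=172.18.0.3:34126 to=172.18.0.2:1636 protocol=LDAPS
[01/Mar/2019:14:49:13 +0000] BIND REQ conn=1111 op=0 msgID=1 type=SIMPLE dn="cn=eusadmin,cn=oraclecontext" version=3
[01/Mar/2019:14:49:13 +0000] DISCONNECT conn=1111 reason="Client Disconnect"
[01/Mar/2019:15:02:40 +0000] CONNECT conn=1112 from=172.18.0.3:34210 to=172.18.0.2:1389 protocol=LDAP
[01/Mar/2019:15:02:41 +0000] BIND REQ conn=1112 op=0 msgID=1 type=SIMPLE dn="cn=eusadmin,cn=oraclecontext" version=3
[01/Mar/2019:15:02:41 +0000] DISCONNECT conn=1112 reason="Client Disconnect"
[01/Mar/2019:15:10:05 +0000] CONNECT conn=1113 from=172.18.0.5:40012 to=172.18.0.2:1389 protocol=LDAP
[01/Mar/2019:15:10:05 +0000] EXTENDED REQ conn=1113 op=0 msgID=1 oid="1.3.6.1.4.1.1466.20037" name="StartTLS"
[01/Mar/2019:15:10:06 +0000] BIND REQ conn=1113 op=1 msgID=2 type=SIMPLE dn="cn=eusadmin,cn=oraclecontext" version=3
[01/Mar/2019:15:10:06 +0000] DISCONNECT conn=1113 reason="Client Disconnect"'

# cleartext_binds: reads an access log on stdin and prints one line per
# unprotected simple BIND: conn=<id> from=<client> dn="<bind dn>" protocol=<p>
cleartext_binds() {
    awk '
        # value of the first key=value token matching regex re, without the key prefix
        function tok(re, keylen,   s) {
            if (match($0, re)) { s = substr($0, RSTART, RLENGTH); return substr(s, keylen + 1) }
            return ""
        }
        $3 == "CONNECT" {
            c = tok("conn=[0-9]+", 5)
            proto[c] = tok("protocol=[A-Za-z0-9]+", 9); client[c] = tok("from=[^ ]+", 5)
        }
        $3 == "EXTENDED" && $4 == "REQ" && $0 ~ /1\.3\.6\.1\.4\.1\.1466\.20037/ {
            tls[tok("conn=[0-9]+", 5)] = 1      # StartTLS negotiated on this connection
        }
        $3 == "BIND" && $4 == "REQ" && $0 ~ /type=SIMPLE/ {
            c = tok("conn=[0-9]+", 5)
            if (proto[c] != "LDAPS" && !(c in tls))
                printf "conn=%s from=%s %s protocol=%s\n", c, client[c], tok("dn=\"[^\"]*\"", 0), proto[c]
        }
        $3 == "DISCONNECT" { c = tok("conn=[0-9]+", 5); delete proto[c]; delete client[c]; delete tls[c] }
    '
}

# Usage against a real log: cleartext_binds < $OUD_INSTANCE_HOME/OUD/logs/access
printf '%s\n' "$SAMPLE_LOG" | cleartext_binds
```

Only conn=1112 is reported; the LDAPS session and the StartTLS session are left alone.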

Conclusion

It took way too long until eusm became officially available, since it had already been part of the binaries since Oracle 11c. The fact that LDAPS is finally supported as well is a significant step towards improving the security of databases as well as directory servers. It becomes much easier to harden directory servers and restrict access to the LDAPS protocol. A little unfortunate in my opinion is the Oracle documentation regarding the configuration of the Java keystore. A simple example would have simplified the setup.

Some links related to this blog post: