distributed database environment introduces additional security considerations. For
example, user accounts needed to support server connections must exist in all of the
distributed databases forming the system. As database links (which define connections
between distributed database instances) are created, you will need to provide the user
accounts and roles needed at each site.
Distributed security management
For large implementations, you may want to configure global authentication across
these distributed databases for users and roles. Global authentication allows you to
maintain a single authentication list for multiple distributed databases. Where this type
of external authentication is required, Oracle's Advanced Security Option, discussed in
the next section, provides a solution.
Enterprise Manager is commonly used to configure valid application users in Oracle's
LDAP-compliant OID server. A user who accesses an application for which he is not
authenticated is redirected to a login server. There, he is prompted for a username and
password that are checked against the OID server. A cookie is returned and the user is
redirected from the login server to the application.
Oracle Identity Management, described earlier in this chapter, can be used to manage
security across multiple platforms and security systems.
Multitier security
In typical three-tier implementations, the Oracle WebLogic Server runs some of the
application logic, serves as an interface between the clients and database servers, and
provides much of the Oracle Identity Management (OIM) infrastructure. The Oracle
Internet Directory provides directory services running as applications on an Oracle
Database. The directory synchronization service, provisioning integrated service, and
delegated administrative service are part of OID. Security in middle-tier applications is
controlled by applications' privileges and the preservation of client identities through
all three tiers.
Deploying multiple tiers, common with large applications or web-based applications,
can also call for proxy authentication. The application connects to code in the middle
tier, which accesses the database through a proxy, frequently through shared connections.
Some databases associate security with a session, which means that sessions must
be reestablished when the user identity changes. This limitation makes the multitier
approach harder.
Oracle separates authentication from sessions, so the use of a proxy in the middle tier
is feasible. A single session can support different users with different identities. Prior to
Oracle 10g Release 2, the only way to take advantage of this capability was by using the
OCI interface, which was code-intensive. Since Oracle Database 10g Release 2, this
limitation has been lifted, so standard SQL and SQL tools, such as SQL*Plus, can use proxy
authentication.
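As an added illustration that is not part of the book's text, the SQL below shows the proxy authentication described above: a middle-tier account is allowed to connect on behalf of an application user, the delegation is limited to one role, and the session context confirms that the database still knows both identities. The account names middle_tier and app_user, the role app_ro and the service name orcl are assumed placeholders.

```sql
-- Added example; assumed names: middle_tier, app_user, app_ro, orcl.
-- Run as a DBA: allow the middle-tier account to proxy for app_user,
-- but hand the proxied session only the read-only role rather than
-- every privilege app_user holds (least privilege for a shared connection).
ALTER USER app_user GRANT CONNECT THROUGH middle_tier WITH ROLE app_ro;

-- Verify what has been delegated before relying on it.
SELECT proxy, client, authorization_constraint, role
  FROM dba_proxies
 WHERE client = 'APP_USER';

-- From SQL*Plus (10g Release 2 or later): the middle tier authenticates
-- with its own password and the session is opened as app_user.
-- CONNECT middle_tier[app_user]/<middle_tier_password>@orcl

-- Inside that session both identities remain visible, so audit records
-- and security policies can tell the proxy and the end user apart.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS prox_user
  FROM dual;

-- Traditional auditing can single out only the proxied activity.
AUDIT SELECT TABLE BY middle_tier ON BEHALF OF app_user;

-- Remove the delegation once the middle tier no longer needs it.
ALTER USER app_user REVOKE CONNECT THROUGH middle_tier;
```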