Authentication failed null oracle em




















To diagnose and resolve user login authentication issues, you must know the locations of the WebLogic domain and log files, as follows: This section assumes that the install used the default locations. If you specified different install locations, you must modify the paths accordingly. When a user logs in to Oracle Business Intelligence without Single Sign-On, authentication and user profile lookup occur. In a Single Sign-On (SSO) environment, authentication is performed outside the Oracle Business Intelligence system, and identity is asserted instead, but user profile lookup still occurs.

Authentication and identity assertion are performed by authentication providers and asserters respectively, and are configured using Oracle WebLogic Server Administration Console. The user profile is looked up within the Identity Store to retrieve various attributes, such as email, display name, description, language, etc.

Successful login to Oracle Business Intelligence requires that the first configured authentication provider contains your user population. The login process flow begins with the user credentials entered in the login screen being sent to Presentation Services, and then to the BI Server. The BI Server attempts to authenticate the user credentials by calling the BI Security web service deployed in the WebLogic Managed Server, and protected by a web service security policy.

This section helps you to identify causes of authentication failure when logging in to Oracle Business Intelligence. The figures below are cause and effect diagrams that you can use to identify possible causes of user login authentication failure. Once you have identified the likely cause of user login identification failure, refer to Resolving User Login Authentication Failures for information about how to resolve the issues.

Ensure that the correct Oracle Business Intelligence certified authenticator is configured for the identity store. The above diagram helps you identify alternative causes of login failure if you cannot identify them using the first diagram.

However, if you still cannot identify the causes of login failure after using the above diagram, contact Oracle Support at:. Ensure that if the attribute specified for username is set to something other than the default value for the WebLogic authenticator, the OPSS configuration matches.

Control flags are set as in Oracle Business Intelligence Release Ensure that in Oracle Business Intelligence Release This section explains user login authentication failures, describes how to resolve them, and contains the following topics: Is User Account Locked? The first check is whether the user cannot log in to Oracle Business Intelligence due to a simple error; for example, did the user enter the wrong password?

If other users can log in to Oracle Business Intelligence, but one user cannot, check that user's credentials. Alternatively, see Is User Account Locked? Many LDAP authenticators lock a user account when attempts to log in exceed a specified threshold. For example, an account may be locked after more than three failed login attempts to defeat a potential automated attack.

Refer to the documentation for your chosen identity store to discover how to unlock user accounts. To require that appsrv provides authentication credentials for the user Sarah, use the following syntax:. When you use password-based proxy authentication, Oracle Database passes the password of the client to the middle-tier server. The middle-tier server then passes the password as an attribute to the data server for verification.

The main advantage to this type of authentication is that the client computer does not have to have Oracle software installed on it to perform database operations. How the middle-tier responds for proxy authentication depends on how the user is authenticated, either as an enterprise user or a password-authenticated user.

If the middle tier connects to the database as a client who is an enterprise user, then either the distinguished name, or the X. If the user is a password-authenticated enterprise user, then the middle tier must provide, as a minimum, a globally unique name for the user. To configure proxy authentication with enterprise users, configure the application server and the middle tier to use the appropriate Oracle Call Interface settings:.

Oracle Database first checks the user name against the database. If it finds no user, then the database checks the user name in the directory. This user name must be globally unique. You can use client identifiers to preserve user identity in middle tier systems; you also can use them independently of the global application context. About Client Identifiers.

These application users are known to an application but unknown to the database. Many applications use session pooling to set up several sessions to be reused by multiple application users.

Users authenticate themselves to a middle-tier application, which uses a single identity to log in to the database and maintains all the user connections. In this model, application users are users who are authenticated to the middle tier of an application, but who are not known to the database.

In this model, the middle tier passes a client identifier to the database upon the session establishment. The client identifier could actually be anything that represents a client connecting to the middle tier, for example, a cookie or an IP address. The client identifier, representing the application user, is available in user session information and can also be accessed with an application context by using the USERENV naming context.

In this way, applications can set up and reuse sessions, while still being able to keep track of the application user in the session. Applications can reset the client identifier and thus reuse the session for a different user, enabling high performance. For example, suppose a Web-based application that provides information to business partners has three types of users: gold partner, silver partner, and bronze partner, representing different levels of information available.

Instead of each user having his or her own session set up with individual application contexts, the application could set up global application contexts for gold partners, silver partners, and bronze partners. This provides performance benefits through session reuse and through accessing global application contexts set up once, instead of having to initialize application contexts for each session individually.

Global Application Contexts for how to implement global application contexts. In these situations, the application typically connects as a single database user and all actions are taken as that user. Because all user sessions are created as the same user, this security model makes it difficult to achieve data separation for each user. This avoids the overhead of setting up a separate session and separate attributes for each user, and enables reuse of sessions by the application.

For example, the user Daniel connects to a Web Expense application. Daniel is not a database user; he is a typical Web Expense application user. Daniel completes his Web Expense form and exits the application. Then, Ajit connects to the Web Expense application. This avoids the overhead of setting up a new connection to the database and the overhead of setting up a global application context.

It does not have to be the application user name. Then, on the next request to the server, the information is propagated and stored in the server sessions. If DMS is not available, then use the connection. If it exceeds 64, then the additional bytes are truncated. Global Application Contexts for information about using client identifiers in a global application context.

Oracle Database provides data dictionary views that list information about user authentication, such as roles that users have or profiles they use. Table lists the data dictionary views. For detailed information about these views, see Oracle Database Reference. Lists the names and granted administrative privileges of the administrative users who are included in the password file.

About Authentication Authentication means verifying the identity of a user, device, or other entity who wants to use data, resources, or applications. Configuring Password Protection You can secure user passwords in a variety of ways, such as controlling the password creation requirements or using password management policies.

Oracle Database provides built-in password protections designed to protect user passwords. These password protections are as follows: Password encryption. Minimum Requirements for Passwords Oracle provides a set of minimum requirements for passwords. Using a Password Management Policy A password management policy can create and enforce a set of restrictions that can better secure user passwords. About Managing Passwords Database security systems that depend on passwords require that passwords be kept secret at all times.

For example: sqlplus sys as sysdba Enter password: password. Password Settings in the Default Profile A profile is a collection of parameters that sets limits on database resources. Disabling and Enabling the Default Password Security Settings Oracle provides scripts that you can use to disable and enable the default password security settings. If your applications use the default password security settings from Oracle Database 10 g release 2 Manually update the database security configuration.

Automatically Locking User Accounts After Failed Logins Oracle Database can lock a user's account after a specified number of consecutive failed log-in attempts. Explicitly Locking a User Account When you explicitly lock a user account, the account cannot be unlocked automatically. In a multitenant environment, after you have locked a common user account in the root, this user cannot log in to any PDB that is associated with this root, nor can this account be unlocked in a PDB.

In addition, you can lock a common account locally in a PDB, which will prevent the common user from logging in to that PDB. Controlling the User Ability to Reuse Previous Passwords You can ensure that users do not reuse their previous passwords for a specified amount of time or for a specified number of password changes.

About Controlling Password Aging and Expiration You can specify a password lifetime, after which the password expires. Checking the Status of a User Account You can check the status of any account, whether it is open, in grace, or expired. Password Change Life Cycle After a password is created, it follows a lifecycle and grace period in four phases. Managing the Complexity of Passwords Oracle Database provides a set of functions that you can use to manage the complexity of passwords.

About Password Complexity Verification Complexity verification checks that each password is complex enough to protect against intruders who try to guess user passwords. How Oracle Database Checks the Complexity of Passwords Oracle Database provides four password verification functions to check password complexity. The password complexity functions enable you to customize how users access your data. The password verification functions are located in the SYS schema.

This function checks for the following requirements when users create or modify passwords: The password is not the same as the user name, nor is it the user name spelled backward or with the numbers 1— appended. The password includes at least 1 numeric and 1 alphabetic character. The password differs from the previous password by at least 3 characters.

The following internal checks are also applied: The password contains no fewer than 8 characters and does not exceed 30 characters. This function checks for the following requirements when users create or modify passwords: The password contains no fewer than 8 characters and includes at least 1 numeric and 1 alphabetic character. The password is not the same as the user name or the user name reversed.

The password is not the same as the database name. The password contains at least one special character. The following internal checks are also applied: The password does not exceed 30 characters. This function checks for the following requirements when users create or modify passwords: The password must contain at least 2 upper case characters, 2 lower case characters, 2 numeric characters, and 2 special characters.

The following internal checks are also applied: The password contains no fewer than nine characters and does not exceed 30 characters. About Customizing Password Complexity Verification Oracle Database enables you to customize password complexity for your site.

Enabling Password Complexity Verification The utlpwdmg. Managing Password Case Sensitivity You can manage the password case sensitivity for passwords from user accounts that were created in previous releases. Management of Case Sensitivity for Secure Role Passwords For better security, you should ensure that the passwords for secure roles are case sensitive. The following example shows how to enable case sensitivity in password files.

How Case Sensitivity Affects Passwords Used in Database Link Connections When you create a database link connection, you must define a user name and password for the connection. How a user enters his or her password for connections depends on the release in which the database link was created: Users can connect from a pre-Oracle Database 12c database to an Oracle Database 12c database.

About the 12C Version of the Password Hash The 12C version of the password hash protects against password-based security threats by including support for mixed case passwords (that is, passwords that have both upper and lower case characters).

Oracle Database 12C Password Version Configuration Guidelines By default, Oracle Database authenticates users three versions of the password hash, the 10G password version, the 11G password version, and the 12C password version. During authentication, the following scenarios are possible, based on the kinds of password version that exist for the account, and on the version of the client software being used: Accounts with only the 10G password version: If you want to force the server to generate the newer password versions for older accounts, an administrator must expire the password for any account that has only the 10G password version and none of the more secure password versions, 11G or 12C.

Configuring Oracle Database to Use the 12C Password Version Exclusively Often intruders will attempt to downgrade the authentication to use weaker password versions. Run the following SQL statement to find the password versions of your users. Remind users to log in within a reasonable period of time such as 30 days. Enable the Exclusive Mode configuration as follows: Create a back up copy of the sqlnet.

Yes Yes Yes Yes. Note: If you are using an older Oracle Database client such as Release Configuring Oracle Database Client to Use the 12C Password Version Exclusively Often intruders will try to provision a fake server in an attempt to downgrade the authentication and trick the client into using a weaker version of the password hash. To prevent the use of the 10G version of the password hash, or both the 10G and 11G password versions, after you configure the server, configure the clients to run in Exclusive Mode, as follows: To use the client Exclusive Mode setting to permit both the 11G and 12C password versions: SQLNET.

Managing the Secure External Password Store for Password Credentials The secure external password store is a client-side wallet that is used to store password credentials.

About the Secure External Password Store You can store password credentials for database connections by using a client-side Oracle wallet. Note: The external password store of the wallet is separate from the area where public key infrastructure (PKI) credentials are stored. Configuring a Client to Use the External Password Store You can configure a client to use the secure external password store feature by using the mkstore command-line utility.

Note: If an application uses SSL for encryption, then the sqlnet. Managing External Password Store Credentials You can use the mkstore command-line utility to list, add credentials to, modify credentials in, and delete credentials from the external password store.

Listing External Password Store Contents You can view the contents, including specific credentials, of a client wallet external password store. Adding Credentials to an External Password Store You can store multiple credentials in one client wallet. Modifying Credentials in an External Password Store You can modify the database login credentials that are stored in the wallet if the database connection strings change.

Deleting Credentials from an External Password Store You can delete login credentials for a database from a wallet if the database no longer exists or to disable connections to a specific database.

Authentication of Database Administrators You can authenticate database administrators by using strong authentication, from the operating system, or from the database using passwords. About Authentication of Database Administrators Database administrators perform special administrative operations, such as shutting down or starting databases.

Strong Authentication, Centralized Management for Administrators Strong authentication methods for centrally managing database administrators include directory authentication, Kerberos authentication, and Secure Sockets Layer (SSL) authentication.

Consider using this type of authentication for database administration for the following situations: You have concerns about password file vulnerability. Your site has very strict security requirements. Configuring Directory Authentication for Administrative Users Oracle Internet Directory configures directory authentication for administrative users.

Configure the administrative user by using the same procedures you would use to configure a typical user. Configuring Kerberos Authentication for Administrative Users Oracle Internet Directory can be used to configure Kerberos authentication for administrative users.

Configure the client to use SSL: Configure the client wallet and user certificate. Store the database PKI credentials in the database wallet. You can use Wallet Manager to do this. Note: In a multitenant environment, you can use operating system authentication for a database administrator only for the CDB root, not for PDBs. See Also: Oracle Database Platform Guide for Microsoft Windows for information about the Windows-specific operating system groups Oracle Database Platform Guide for Microsoft Windows for information about Oracle Database services on Windows Your Oracle Database operating system-specific documentation for information about configuring operating system authentication of database administrators.

Examples of password security risks are as follows: An intruder could steal or attack the password file. Many users do not change the default password. The password could be easily guessed. The password is vulnerable if it can be found in a dictionary.

Database Authentication of Users Database authentication of users entails using information within the database itself to perform the authentication. About Database Authentication Oracle Database can authenticate users attempting to connect to a database by using information stored in that database itself. See Also: About Password Complexity Verification for information about password complexity verification functions Using a Password Management Policy for more information about password management.

Advantages of Database Authentication There are three advantages of using the database to authenticate users. These advantages are as follows: User accounts and all authentication are controlled by the database. It is easier to administer when there are small user communities. Creating Users Who Are Authenticated by the Database When you create a user who is authenticated by the database, you assign this user a password.

Operating System Authentication of Users Oracle Database can authenticate by using information that is maintained by the operating system. Using the operating system to authenticate users has both advantages and disadvantages.

This functionality has the following benefits: Once authenticated by the operating system, users can connect to Oracle Database more conveniently, without specifying a user name or password. Audit trails in the database and operating system can use the same user names. For example: Authenticate users by the operating system. However, you should be aware of the following drawbacks to using the operating system to authenticate users: A user must have an operating system account on the computer that must be accessed.

Network Authentication of Users You can authenticate users over a network by using Secure Sockets Layer with third-party services.

About Authentication Using Third-Party Services You must use third-party network authentication services if you want to authenticate Oracle Database users over a network. Authentication with Kerberos Kerberos is a trusted third-party authentication system that relies on shared secrets. Authentication with Directory-Based Services Using a central directory can make authentication and its administration efficient.

Directory-based services include the following: Oracle Internet Directory, which uses the Lightweight Directory Access Protocol (LDAP), uses a central repository to store and manage information about users (called enterprise users) whose accounts were created in a distributed environment.

Authentication with Public Key Infrastructure Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients. Oracle Database provides a PKI for using public keys and certificates, consisting of the following components: Authentication and secure session key management using SSL. It performs the following operations: Generates a public-private key pair and creates a certificate request for submission to a certificate authority, and creates wallets Installs a certificate for the entity Manages X.

Global User Authentication and Authorization Global user authentication and authorization enables you to centralize the management of user-related information. Note: You can also have users authenticated by Secure Sockets Layer (SSL), whose authorizations are not managed in a directory, that is, they have local database roles only. Configuration of Users Who Are Authorized by a Directory Service You can configure either a global user or multiple enterprise users to be authorized by a directory service.

Creating a Global User Who Has a Private Schema You can create a user account that has a private schema by providing an identifier (distinguished name, or DN) meaningful to the enterprise directory.

However, be aware that you must create this user in every database that the user must access, plus the directory. Advantages of Global Authentication and Global Authorization There are several advantages of global user authentication and authorization. Enables centralized management of users and privileges across the enterprise. See Also: Oracle Database Enterprise User Security Administrator's Guide for additional information about global authentication and authorization and enterprise users and roles.

Configuring an External Service to Authenticate Users and Passwords An external service, which is either the operating system or the network, is used to administer passwords and authenticate users. About External Authentication With external authentication, Oracle Database maintains the user account, but an external service performs the password administration and user authentication.

This external service can be the operating system or a network service, such as Oracle Net. Advantages of External Authentication External authentication provides several advantages. These advantages are as follows: More choices of authentication mechanisms are available, such as smart cards, fingerprints, Kerberos, or the operating system. Creating a User Who Is Authenticated Externally Externally authenticated users are authenticated by the operating system or network service.

Authentication of User Logins By Using the Operating System Oracle Database allows operating system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration.

Authentication of User Logins Using Network Authentication Oracle strong authentication performs network authentication, which you can configure to use a third-party service such as Kerberos. Multitier Authentication and Authorization Oracle Database secures middle-tier applications by limiting privileges, preserving client identities through all tiers, and auditing actions by clients. Administration and Security in Clients, Application Servers, and Database Servers In a multitier environment, an application server provides data for clients and serves as an interface to one or more database servers.

The following operations take place: The end user provides proof of authenticity to the application server, typically, by using a password or an X.

The database verifies the following requirements: That the client has these roles by checking its internal role repository That the application server has the privilege to connect on behalf of the user and thus to use these roles as the user could Figure shows an example of multitier authentication.

Preserving User Identity in Multitiered Environments Oracle Database supports the use of a middle tier server for proxy authentication and the use of client identifiers to identify application users who are not known to the database. You can design a middle-tier server to authenticate clients in a secure fashion by using the following three forms of proxy authentication: The middle-tier server authenticates itself with the database server and a client, in this case an application user or another application, authenticates itself with the middle-tier server.

Distinguished name DN Certificate In all cases, an administrator must authorize the middle-tier server to act on behalf of the client. Advantages of Proxy Authentication In multitier environments, proxy authentication preserves client identities and privileges through all tiers in middle-tier applications and by auditing client actions. Three-tier systems provide the following benefits to organizations: Organizations can separate application logic from data storage, partitioning the former in application servers and the latter in databases.

Application servers and Web servers enable users to access data stored in databases. Users like using a familiar, easy-to-use browser interface. To create proxy user accounts, users must have special privileges.

Guidelines for Creating Proxy User Accounts Oracle provides special guidelines for when you create proxy user accounts. These accounts are as follows: Database user accounts, which are authenticated by passwords External user accounts, which are authenticated by external sources, such as Secure Socket Layer (SSL) or Kerberos Global user accounts, which are authenticated by an enterprise directory service (Oracle Internet Directory). Note the following: The proxy user can only perform activities that the user preston has privileges to perform.

See Also: Oracle Database Enterprise User Security Administrator's Guide for information about managing proxy users in an enterprise user environment Auditing SQL Statements and Privileges in a Multitier Environment for details about auditing operations done on behalf of a user by a middle tier. Using Proxy Authentication with the Secure External Password Store Use a secure external password store if you are concerned about the password used in proxy authentication being obtained by a malicious user.

To use proxy authentication with the secure external password store: These tools enable a middle tier to set up several user sessions within a single database connection, each of which uniquely identifies a connected user (connection pooling). These sessions reduce the network overhead of creating separate network connections from the middle tier to the database.

If you want to authenticate from clients through a middle tier to the database, then the full authentication sequence from the client to the middle tier to the database occurs as follows: The client authenticates to the middle tier, using whatever form of authentication the middle tier will accept.

Limits to the Privileges of the Middle Tier Least privilege is the principle that users should have the fewest privileges necessary to perform their duties and no more. Note: Instead of using default roles, create your own roles and assign only necessary privileges to them. Authorizing a Middle Tier to Proxy and Authenticate a User You can authorize a middle-tier server to connect as a user. Authorizing a Middle Tier to Proxy a User Authenticated by Other Means You can authorize a middle tier to proxy a user that has been authenticated by other means.

In this case, the middle tier must provide user authentication credentials. Using Password-Based Proxy Authentication When you use password-based proxy authentication, Oracle Database passes the password of the client to the middle-tier server.

Using Proxy Authentication with Enterprise Users How the middle-tier responds for proxy authentication depends on how the user is authenticated, either as an enterprise user or a password-authenticated user. Using Client Identifiers to Identify Application Users Unknown to the Database You can use client identifiers to preserve user identity in middle tier systems; you also can use them independently of the global application context.

How Client Identifiers Work in Middle Tier Systems Many applications use session pooling to set up several sessions to be reused by multiple application users. For example: connection. User Authentication Data Dictionary Views Oracle Database provides data dictionary views that list information about user authentication, such as roles that users have or profiles they use.

Sets the maximum number of times a user can try to log in and fail before the account is locked. Sets the number of days that a user has to change his or her password before it expires. Sets the number of days the user can use his or her current password. Sets the number of password changes required before the current password can be reused.

Sets the number of days before which a password cannot be reused. Server runs in Exclusive Mode? Generate the 10G password version? Generate the 11G password version? AuditLogHandler auditLog. The console login creates an audit entry in the EM related audit table. If this audit entry is not successful for some reason, then the console login will fail.

Console login needs to create an entry in the Audit tables, but the necessary partitions had not been created for this table. There is a resource issue at the repository database, for example ORA or ORA, because of which the insert into the audit table fails. Stopping Oracle Management Server Oracle Management Server Successfully Stopped. AdminServer Successfully Stopped. Oracle Management Server is Down. Starting Oracle Management Server Starting WebTier WebTier Successfully Started.

Oracle Management Server Successfully Started. Oracle Management Server is Up. Login successful.


