1. Administrator's Guide
  2. Managing LDAP User Authentication and Authorization in Oracle Key Vault

8 Managing LDAP User Authentication and Authorization in Oracle Key Vault

You can configure a connection between Oracle Key Vault and an LDAP server (currently Microsoft Active Directory) so that their users can access Oracle Key Vault.

About Managing LDAP User Authentication and Authorization in Oracle Key Vault

You can configure Oracle Key Vault users to be centrally managed in the configured LDAP directory server.

Oracle Key Vault supports only Microsoft Active Directory as an LDAP provider. This type of configuration enables you to manage authentication and authorization of Oracle Key Vault users in an LDAP directory server so that LDAP users can perform the following operations:

  • Log in to the Oracle Key Vault management console and perform administrative tasks for which they are authorized.
  • Run Oracle Key Vault RESTful services commands at the command line.

In a large enterprise, centrally managing users and their authorization not only brings operational efficiencies in user management but also significantly improves compliance, control, and security. For example, when terminating an employee, an LDAP administrator can lock the user's account in the LDAP directory server to end the employee’s access to various systems, including Oracle Key Vault.

By centrally managing Oracle Key Vault users in an LDAP directory server, you eliminate the need to maintain user account policies and password policies for LDAP users in each Oracle Key Vault instance. Instead, you can manage these policies centrally in the LDAP directory server.

This feature implements automatic provisioning of LDAP users in Oracle Key Vault. When an LDAP user successfully logs in to Oracle Key Vault the first time, Oracle Key Vault automatically creates an Oracle Key Vault user account for this user, based on the user account information from the LDAP directory server. You cannot modify this user account except for granting or revoking Oracle Key Vault privileges. Other changes to the user account, such as changing the user's password, must be performed to the actual account in its LDAP directory server. The automatic provisioning of users is not only beneficial for new Oracle Key Vault deployments but also when access to an existing Oracle Key Vault deployment must be granted to other employees, including provisioning of new employees.

To enable authentication and authorization of LDAP users with Oracle Key Vault, an Oracle Key Vault administrator must perform the following configuration in Oracle Key Vault:

  1. Configure a connection to LDAP directory server.
  2. Map one or more Oracle Key Vault administrative roles, endpoint or endpoint group privileges, or user groups with LDAP groups.

Most of the configuration work is performed by an Oracle Key Vault administrator using the Oracle Key Vault management console.

To enable the Oracle Key Vault administrator to configure a connection to the LDAP directory server, the LDAP administrator creates an LDAP user account (called service directory user). Oracle Key Vault uses this user account to connect to the LDAP directory server and fetch the necessary information from the LDAP directory server during the user login process. The LDAP administrator provides the details of this LDAP service directory user as well as the trust certificate of the LDAP directory server to an Oracle Key Vault administrator.

The general process for using Oracle Key Vault with an LDAP directory server is as follows:

  1. An administrator for the LDAP directory server identifies the LDAP users who need access to Oracle Key Vault, along with their authorization requirements in Oracle Key Vault. This administrator configures one or more LDAP groups, depending on the required separation of roles and duties of these users. This administrator then assigns specific users to respective LDAP groups.
  2. Authorization for LDAP users is through the LDAP mappings from LDAP groups to administrative roles, endpoint or endpoint group privileges, and the user groups.
  3. The Oracle Key Vault administrator uses the Oracle Key Vault management console to configure the connection between Oracle Key Vault and the LDAP directory server.
  4. To configure the authorization for LDAP users, the Oracle Key Vault administrator then maps each LDAP group to one or more of these roles or privileges:
    • Administrative roles
    • Endpoint or Endpoint group privileges
    • User groups (for granting access to wallets)
    You cannot map an LDAP group to a virtual wallet directly. To grant the wallet access to an LDAP group member(s) you need to first configure a user group with the appropriate wallet access permissions. Afterward, map the LDAP group with the user group. In Oracle Key Vault, the authorization of an LDAP user is determined on the basis of mappings of administrative roles, endpoint or endpoint group privileges, or the user groups to the user’s LDAP groups. For example, if an LDAP group is mapped to the Audit Manager role, then Oracle Key Vault assigns the Audit Manager role to the LDAP group member’s session.
  5. The LDAP users are now able to log in to Oracle Key Vault and perform tasks for which they are authorized. After first successful login, a new user account is automatically created in Oracle Key Vault.
  6. In addition to the administrative roles and privileges granted to the user through LDAP group mappings, you can directly grant wallet access permissions to an LDAP user account after it has been created in Oracle Key Vault. You cannot directly grant Oracle Key Vault administrative roles, endpoint or endpoint group privileges to an LDAP user.

Authorization for an LDAP user session is a combination of the authorization granted through the LDAP groups as well as the authorization that is granted to the LDAP user locally. Authorization through LDAP groups is granted at the login time and is effective only for that session. During logon of an LDAP user, Oracle Key Vault fetches the user’s LDAP groups from the directory server and determines mapped administrative roles, endpoint and endpoint group privileges, and user groups that are effective for the current user session. The set of these mapped user groups is referred to as effective user group membership of the LDAP user.

Note that you cannot add an LDAP user as a member of an Oracle Key Vault user group directly.

Any changes to the user’s membership in the LDAP groups or to the LDAP group mappings do not affect the administrative roles, privileges, and user group memberships that are currently effective for the existing user sessions. However, any changes to the privileges that are granted to or revoked from the Oracle Key Vault user groups take effect immediately and apply to all existing sessions.

Note the following:

  • You can perform the LDAP configuration with a Microsoft Active Directory version that supports the LDAP-v3 protocol.
  • You can perform the LDAP configuration in a primary-standby environment. No special configuration is necessary.
  • In multi-master cluster environments, the LDAP configuration is effective on all cluster nodes. You can configure node-specific configuration of LDAP directory server and hosts.
  • For LDAP directory servers that support multiple domains, access to users from different domains is enabled by setting up multiple LDAP configurations, one for each domain.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

Considerations for Granting Privileges to LDAP Users

You can grant privileges to the LDAP users in Oracle Key Vault subject to certain rules and considerations.

Note the following considerations with regard to LDAP users, Oracle Key Vault admin roles, user groups, endpoint privileges, and wallet privileges:

  • You cannot directly add an LDAP user as a member of an Oracle Key Vault user group.
  • When a local Oracle Key Vault user with the Create Endpoint privilege creates an endpoint, Oracle Key Vault grants the Manage Endpoint privilege on that endpoint to the local user. For LDAP users, however, when creating an endpoint, Oracle Key Vault grants the Manage Endpoint privilege to the LDAP group through which the LDAP user inherited the Create Endpoint privilege. When the LDAP user inherits the Create Endpoint privilege from more than one LDAP groups, the Manage Endpoint privilege is granted to the LDAP group with the earliest creation timestamp in Oracle Key Vault. Similar behavior applies for the Endpoint Group privileges.
  • After the LDAP user account is created in Oracle Key Vault, you can directly grant this user wallet privileges locally. However, it is recommended that you grant the wallet privileges to LDAP users through the LDAP group mappings
  • You cannot directly grant the administrator roles, endpoint, endpoint group, and monitor privilege to an LDAP user account in Oracle Key Vault. An LDAP user account in Oracle Key Vault inherits these privileges through LDAP group mappings only.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

Configuring the LDAP Directory Server Connection to Oracle Key Vault

Both the LDAP administrator and Oracle Key Vault administrator play a role in configuring the LDAP directory server connection to Oracle Key Vault.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

Step 1: Prepare the LDAP Directory Server

Before the Oracle Key Vault administrator can create a connection to an LDAP directory server, the LDAP administrator must perform preparation tasks.

  1. As the LDAP administrator (or a user who has the appropriate privileges), log in to the LDAP directory server.
  2. Create or designate existing LDAP groups that you want to map to Oracle Key Vault.
  3. Assign users to these LDAP groups.
    The group will determine the privileges that its member users will have in Oracle Key Vault when the connection configuration is complete. If a user must have specific privileges that are not covered by any existing LDAP groups, then create a specific group for this user.
  4. Create a service directory user account if such an account does not yet exist, and then provide this account name and its password to the Oracle Key Vault administrator.
    This service directory user account will be used in the LDAP configuration that the Oracle Key Vault administrator will create. Oracle Key Vault will use this account to perform necessary LDAP actions, such as searches. If this user account changes in the future, then notify the Oracle Key Vault administrator immediately.
  5. Obtain the trust certificate for the LDAP directory server and then provide this certificate to the Oracle Key Vault administrator.
    This certificate will be used in the LDAP configuration that the Oracle Key Vault administrator will create.

Parent topic: Configuring the LDAP Directory Server Connection to Oracle Key Vault

Step 2: Create the LDAP Connection in Oracle Key Vault

An Oracle Key Vault user who has the System Administrator role uses the Oracle Key Vault management console to create the LDAP connection.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Click Add to display the Add LDAP Configuration page.
  5. Enter the following settings:
    • Configuration Name: Enter a name for the LDAP configuration. The maximum character length is 120 bytes.
    • Directory Type: Ensure that Microsoft Active Directory is selected from this list.
    • Service Directory User Name: Enter the service directory user account that the LDAP administrator provided. You can enter this name using any of the following formats:
      • NetBIOS Domain Name\Account Name: For example, global\johndoe
      • User principal name: For example, johndoe@example.com
    • Service Directory User Password: Enter the password that the LDAP administrator provided with the service directory user account. If the password changes in the LDAP directory server, you must update it in Oracle Key Vault.
    • Hostname: Enter either a host name or an IP address for the Microsoft Active Directory domain controller (server) that will service the client requests.
    • LDAPS Port: Enter the port number. 636, the default, is the standard port number for LDAP connections for Secure Sockets Layer (SSL) connections.
    • Trusted Certificate: Either paste the contents of the server trust certificate of the LDAP directory server that the LDAP administrator provided, or upload the certificate as a file.
    • Domain Name: This setting is auto-populated when you complete the preceding settings and click the Get Domain Name button. This is the name of the Microsoft Active Directory domain of which the specified host (domain controller) is a member. You cannot change this setting.
    • Search Base DN: This setting is auto-populated when you complete the preceding settings and click the Get Domain Name button. It represents a distinguished name of the search base object, which defines the location in the directory from which the LDAP search begins. This setting is useful for environments where the number of users and groups in a directory is very large, and if the users and groups that are relevant for managing Oracle Key Vault access are placed under this directory container. Setting the base DN to this directory container can help to improve performance for user and group searches. Optionally, modify this search base.
    • Defunct LDAP Users Grace Period (in days): Enter the duration in days after which the users deleted in LDAP directory server are automatically deleted from Oracle Key Vault. This value also defines the duration after which the users whose LDAP configuration no longer exists are deleted from Oracle Key Vault automatically. Enter a positive integer of 0 or higher. The default is 15 days.
  6. Click Test Connection to ensure that the connection works.
  7. Click Add to complete the configuration.
    The Manage LDAP Configuration page appears, with the new configuration listed under LDAP Configuration Name.

Related Topics

Parent topic: Configuring the LDAP Directory Server Connection to Oracle Key Vault

Step 3: Mapping LDAP Groups in Oracle Key Vault

You can configure authorization for LDAP users in Oracle Key Vault by creating LDAP group mappings and granting them appropriate roles and privileges.

An Oracle Key Vault user who has the Key Administrator role can create an LDAP group mapping. At the creation time, the Key Administrator can also optionally map the LDAP group to certain roles and privileges that the Key Administrator is authorized to grant. Depending upon the specific roles and privileges that you want to grant to the LDAP group, users with different administrator roles may need to perform the authorization grant to the LDAP group after the LDAP group mapping is created.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Configure the Oracle Key Vault user groups that you want to map to the LDAP groups. You can grant wallet privileges to an LDAP group through Oracle Key Vault user group.
    Ensure that these user groups have the appropriate Oracle Key Vault privileges, and that you understand how privilege grants and revokes work for LDAP users.
  3. Select the Users tab, and then Manage LDAP Mappings from the left navigation bar.
  4. Click Create to display the Create LDAP Group Mapping page.
  5. Enter the following settings:
    • Domain: From the list, select the domain that is associated with the LDAP directory server configuration for which you want to define the mapping.
    • LDAP Group: From the list, select the LDAP group. You can choose from the following:
      • Fetch All Groups provides a listing of all available groups that you can add. Select the group from the menu following this label. If the number of LDAP groups exceeds the number of objects that can be returned in a single search result, then an error is returned. Narrow down your LDAP group search by using either the Filter by CN (Common Name) or Specify DN (Distinguished Name) options.
      • Filter by CN (Common Name) enables you to select from a filtered list by CN. In the field that appears when you select this choice, enter the CN prefix, and in the list following it, select as needed. For example, to search for all the LDAP groups that start with the common name Admin, enter Admin. If the number of LDAP groups that match the Filter by CN (Common Name) criteria exceeds the number of objects that can be returned in a single search result, then an error is returned. Narrow down your LDAP group search by further refining the Filter by CN (Common Name) search or use the Specify DN (Distinguished Name) option.
      • Specify DN (Distinguished Name) enables you to select from a filtered list by DN. In the field that appears when you select this choice, enter the complete DN for the group, and in the list following it, select as needed.
    • Roles: Optionally, grant the Key Administrator role to the LDAP group. (Remember that you cannot grant a role that is different from the role you currently have. Also, you must have received the role with the Allow Forward Grant option.)

      If you want to grant the user the System Administrator or Audit Manager role, then a user who has the Key Administrator role first must create an LDAP group mapping (with or without mapping to any roles, privileges, and user groups). After the LDAP group mapping is created, a user who is granted the System Administrator or Audit Manager role with the Allow Forward Grant option then can edit the existing LDAP group mapping to map it with the corresponding administrative role.

    • Privileges: Optionally, select the Create Endpoint Group to assign privileges to LDAP group.

      If you want to grant the LDAP group the Create Endpoint privilege, then a user who has the Key Administrator role must first create an LDAP group mapping. After the LDAP group mapping is created, a user who is granted the System Administrator role then can edit the existing LDAP group mapping to map it with the Create Endpoint privilege.

    • Similarly, if you want to grant the LDAP group the Monitor privilege, then a user who has the Key Administrator role must first create an LDAP group mapping. After the LDAP group mapping is created, a user with the System Administrator role can then edit the existing LDAP group mapping to grant the Monitor privilege.
    • Access on Endpoint Groups Optionally, select the required endpoint group to grant the Manage Endpoint Group privilege for it to the LDAP group.

      If you want to grant the LDAP group the Manage Endpoint privilege on an endpoint, then a user who has the Key Administrator role must first create an LDAP group mapping. After the LDAP group mapping is created, a user who is granted the System Administrator role then can edit the existing LDAP group mapping to grant the Manage Endpoint privilege on an endpoint by selecting the endpoint from the Access on Endpoints area.

    • User Groups: Optionally, select the Oracle Key Vault user groups that you want to map to the LDAP group.

      You can find information about a user group by clicking its Details button.

  6. Click Create.
    The LDAP Access Mappings page appears, where the new mapping is included in the list.
  7. Define more LDAP group mappings as necessary.
At this stage, the configuration is complete and LDAP users can log in to Oracle Key Vault.

Related Topics

Parent topic: Configuring the LDAP Directory Server Connection to Oracle Key Vault

Logins to Oracle Key Vault as an LDAP User

An LDAP user who has been properly configured can log in to the Oracle Key Vault management console.

  • About Logins to Oracle Key Vault as an LDAP User
    After the LDAP directory server configuration with Oracle Key Vault is complete, LDAP users can log in to Oracle Key Vault if they have valid authorization.
  • Logging in to Oracle Key Vault as an LDAP User
    An LDAP user who is a member of an LDAP group that has been mapped to any Oracle Key Vault administrative role, user group, or endpoint or endpoint group privileges can log in to the Oracle Key Vault management console.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

About Logins to Oracle Key Vault as an LDAP User

After the LDAP directory server configuration with Oracle Key Vault is complete, LDAP users can log in to Oracle Key Vault if they have valid authorization.

The login is successful if:

  • The user provides the correct LDAP credential.
  • The user’s LDAP groups from the LDAP directory server map to at least one of the Oracle Key Vault administrative roles, endpoint or endpoint group privileges, or user groups.

At the login time, user's authorization is determined based on the LDAP groups of which this user is a member. The user is granted administrative roles, endpoint or endpoint group privileges, and the privileges of the user groups that are mapped to user's LDAP groups. When a user successfully logs into Oracle Key Vault for the first time, a new user account is automatically created in Oracle Key Vault. (Ensure that you understand how privilege grants work for LDAP users.)

In a multi-master cluster environment, an LDAP user can log in to any node in the cluster. The first time that the LDAP user logs in to a node, a single Oracle Key Vault-generated user account is created for this user. This account will apply to all nodes in the cluster.

Valid LDAP users can run the Oracle Key Vault RESTful services commands. Oracle Key Vault RESTful Services Administrator's Guide describes how to use the RESTful services utility.

Related Topics

Parent topic: Logins to Oracle Key Vault as an LDAP User

Logging in to Oracle Key Vault as an LDAP User

An LDAP user who is a member of an LDAP group that has been mapped to any Oracle Key Vault administrative role, user group, or endpoint or endpoint group privileges can log in to the Oracle Key Vault management console.

  1. Open a web browser.
  2. Connect using an HTTPS connection and the IP address of Oracle Key Vault.
    For example, to log in to a server whose IP address is 192.0.2.254, enter:
    https://192.0.2.254
  3. After the login screen appears, enter the following credentials:
    • Domain: From the list, select the domain of the LDAP user.
    • User Name: Enter your user name using one of the following formats:
      • NetBIOS Domain Name\Account Name: For example, global\johndoe

        For convenience, when a user specifies the user name in the NetBIOS Domain Name or User Principal Name format (described next), the domain name in the drop-down list is automatically selected based on the pattern matching of the NetBIOS domain name or the domain name of the user principal name with the names of the configured domains. You can select the domain manually, as needed. The domain name Local is not an Active Directory domain. The use of the domain Local indicates that the user account was created locally.

      • User principal name: For example, johndoe@example.com
      • Login name: For example, johndoe. This name must match the sAMAccountName attribute of the LDAP user account.
    • Password: Enter your password.
  4. Click Login.
LDAP users who have the appropriate Oracle Key Vault authorization can also run the Oracle Key Vault RESTful services utility commands.

Related Topics

Parent topic: Logins to Oracle Key Vault as an LDAP User

Managing the LDAP Configuration

You can enable, validate, modify, disable, and delete the LDAP configuration.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

Enabling an LDAP Configuration

A user who has the System Administrator role can enable an LDAP configuration.

An LDAP configuration is effective only when it has been enabled. By default, after an LDAP configuration is created, it is enabled. In a multi-master cluster environment, the enablement of an LDAP configuration apply to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check box for the LDAP configuration and then click the Enable button.
  5. In the confirmation window, click OK.

Parent topic: Managing the LDAP Configuration

Modifying an LDAP Configuration

A user who has the System Administrator role can modify an LDAP configuration.

In a multi-master cluster environment, changes to an LDAP configuration apply to all nodes in the cluster and can be performed in any node. However, be aware that a node-specific host configuration takes precedence over cluster-wide host configuration.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the LDAP configuration name to display the Edit LDAP Configuration page.
  5. Modify the following settings as necessary:
    • Configuration Name: Update the name of the configuration.
    • Service Directory User Name: Update the service directory user name.
    • Service Directory User Password: Update the service directory user's password.
    • Trusted Certificate: Either paste the contents of the server trust certificate of the LDAP directory server that the LDAP administrator provided, or upload the certificate as a file.
    • Search Base DN: Update the base DN that is used for searching users and groups
    • Defunct LDAP Users Grace Period (in days): Enter a new grace period value. The default is 15.
    • Under Servers, do the following:
      • To add a new server, click Add and then provide the Hostname, Port, and Service Directory User Password. To test the connection, click Test Server. Then click Add. You can only select a server that is in the same domain as the current server.
      • To remove a server, select its check box and then click Delete.
  6. Click Test Connection(s) to ensure that the new configuration settings work.
  7. Click Save.

    Note:

    Do not add the same LDAP server (domain controller) more than once using different host names and IP addresses. You should add an LDAP server only once. At the cluster or node-specific configuration level, Oracle Key Vault does not allow the addition of a server with the duplicate host name. However, it cannot prevent the addition of the multiple server entries for the same server using different values for the host name. For example, you may add the server once using its host name and another time using its IP address. Such configuration is not recommended.

Parent topic: Managing the LDAP Configuration

Testing an LDAP Configuration

A user who has the System Administrator role can test an LDAP configuration.

In a multi-master cluster environment, you can test the LDAP configuration from any node in the cluster. The test connection validates the connection to LDAP hosts that are effective for the current cluster node. If node-specific LDAP hosts are configured, then the connection to those hosts is validated.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the LDAP configuration name to display the Edit LDAP Configuration page.
  5. Click Test Connection(s).

Parent topic: Managing the LDAP Configuration

Disabling an LDAP Configuration

A user who has the System Administrator role can disable an LDAP configuration.

Disabling an LDAP configuration effectively makes the configuration unavailable for use. Users from the disabled LDAP configuration are denied access when they try to log in into Oracle Key Vault. However, disabling an LDAP configuration does not affect users who are currently logged in using the configuration. In a multi-master cluster environment, the disablement of an LDAP configuration applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check boxes for the configurations to disable, and then click Disable.
  5. In the confirmation window, click OK.

Parent topic: Managing the LDAP Configuration

Deleting an LDAP Configuration

A user who has the System Administrator role can delete an LDAP configuration.

In a multi-master cluster environment, the deletion of an LDAP configuration applies to all nodes in the cluster and can be performed from any node. However, deleting an LDAP configuration does not log out users who are currently logged in using the configuration.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings from the left navigation bar.
  3. In Network Services, click LDAP to display the Manage LDAP Configuration page.
  4. Select the check boxes for the LDAP configurations that you want to delete and then click one of the following buttons:
    • Click Delete if there are no mappings defined in Oracle Key Vault for any LDAP groups associated with the LDAP configuration.
    • Click Force Delete if there are group mappings defined for this LDAP configuration. You must have both the System Administrator and Key Administrator role to perform this operation. Otherwise, first delete all LDAP group mappings defined for the LDAP configuration before a user with the System Administrator role deletes the LDAP configuration.
  5. In the confirmation window, select OK.
When you delete an LDAP configuration, the associated LDAP user accounts are not deleted immediately. Oracle Key Vault deletes these accounts after number of days that were specified in the Defunct LDAP Users Grace Period setting in the Edit LDAP Configuration page have passed. You can delete an LDAP user account any time. If you recreate the identical LDAP configuration before associated LDAP user accounts are deleted, then Oracle Key Vault will make these user accounts valid again.

Parent topic: Managing the LDAP Configuration

Managing LDAP Groups

You can modify or delete LDAP group mappings.

  • About Managing LDAP Groups
    The LDAP group can be mapped to Oracle Key Vault administrator roles, endpoint and endpoint group privileges, and user groups.
  • Creating an LDAP Group Mapping
    After you have created an LDAP configuration, you can create one or more LDAP group mappings.
  • Modifying an LDAP Group Mapping
    You can modify an LDAP group mapping to change its mapped roles, endpoint or endpoint group privileges, and user groups.
  • Validating LDAP Group Mappings
    In the event that LDAP groups change in the LDAP directory server, a user who has the Key Administrator role can validate their mappings in Oracle Key Vault.
  • Deleting LDAP Group Mappings
    A user who has the Key Administrator role can delete one or more LDAP groups and associated mappings from Oracle Key Vault.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

About Managing LDAP Groups

The LDAP group can be mapped to Oracle Key Vault administrator roles, endpoint and endpoint group privileges, and user groups.

An Oracle Key Vault user who has the Key Administrator role can create an LDAP group mapping. At the creation time, the Key Administrator can also optionally map the LDAP group to certain roles and privileges that the Key Administrator is authorized to grant. Depending upon the specific roles and privileges that you want to grant to the LDAP group, users with different administrator roles may need to perform the authorization grant to the LDAP group after the LDAP group mapping is created.

Local Oracle Key Vault users cannot be members of an LDAP group.

Parent topic: Managing LDAP Groups

Creating an LDAP Group Mapping

After you have created an LDAP configuration, you can create one or more LDAP group mappings.

You can map LDAP groups to one or more Oracle Key Vault administrative roles, user groups, endpoint or endpoint groups privileges.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. In the LDAP Group Mappings page, click Create.
    The Create LDAP Group Mapping page appears.
  4. Enter the following settings:
    • Domain: From the list, select the domain that is registered with Oracle Key Vault.
    • LDAP Group: From the list, select the LDAP group. You can choose from the following:
      • Fetch All Groupsprovides a listing of all available groups that you can add. Select the group from the menu following this label. If the number of LDAP groups exceeds the number of objects that can be returned in a single search result, then an error is returned. Narrow down your LDAP group search by using either the Filter by CN (Common Name) orSpecify DN (Distinguished Name) options.
      • Filter by CN (Common Name) enables you to select from a filtered list by CN. In the field that appears when you select this choice, enter the CN prefix, and in the list following it, select as needed. For example, to search for all the LDAP groups that start with the common name Admin, enter Admin. If the number of LDAP groups that match the Filter by CN (Common Name) criteria exceeds the number of objects that can be returned in a single search result, then an error is returned. Narrow down your LDAP group search by further refining the Filter by CN (Common Name) search or use the Specify DN (Distinguished Name) option.
      • Specify DN (Distinguished Name) enables you to select from a filtered list by DN. In the field that appears when you select this choice, enter the complete DN for the group, and in the list following it, select as needed.
    • Roles: Optionally, select one or more Oracle Key Vault roles to map to the LDAP group.
    • Audit Manager
    • Key Administrator:
    • System Administrator
    Note the following:
    • Allow Forward Grant check box: For each role that you select, a check box forAllow Forward Grant appears. If you want the LDAP group members to be able to grant or revoke the administrative role to and from other users, then select the Allow Forward Grant check box. Only the users who are granted a specific role with the Allow Forward Grant option can grant this role to others including granting it to LDAP users through an LDAP group mapping.

      Remember that you cannot grant a role that is different from the role you currently have. Also, you must have received the role with the Allow Forward Grant option to be able to grant it to an LDAP group mapping.

    • If your site follows strict separation-of-duty guidelines and the user with the Key Administrator role does not have the System Administrator and Audit Manager roles, then granting the System Administrator or Audit Manager role to an LDAP group is a two step-process:
      1. A user who has the Key Administrator role must first create an LDAP group mapping (with or without mapping any roles or privileges).
      2. After the LDAP group mapping is created, a user who is granted the System Administrator or Audit Manager role with the Allow Forward Grant option then can edit the existing LDAP group mapping to map it with the corresponding administrative role and also optionally select the Allow Forward Grant option.
    • Privileges: Optionally, select Create Endpoint or Create Endpoint Group privilege to map to the LDAP group.
      You need to have the System Administrator role to grant the Create Endpoint privilege. If the user creating the LDAP group mapping does not have the System Administrator role, then granting the Create Endpoint privilege to an LDAP group is a two step-process:
      1. A user who has the Key Administrator role must first create an LDAP group mapping.
      2. After the LDAP group mapping is created, a user who is granted the System Administrator role then can edit the existing LDAP group mapping to map it with the Create Endpoint privilege.
    • Access on Endpoints and Endpoint Groups: Optionally, select the required endpoints or the endpoint groups to grant the Manage Endpoint or Manage Endpoint Group privilege on them to the LDAP group. You need to have the System Administrator role to grant the Manage Endpoint privilege on an endpoint. If the user creating the LDAP group mapping does not have the System Administrator role, then granting the Manage Endpoint privilege on an endpoint to an LDAP group is a two step-process:
    1. A user who has the Key Administrator role must first create an LDAP group mapping.
    2. After the LDAP group mapping is created, a user who is granted the System Administrator role then can edit the existing LDAP group mapping to grant the Manage Endpoint privilege on an endpoint by selecting the endpoint from the Access on Endpoints.
    • User Groups: Under user groups select the Oracle Key Vault user groups that you want to map to the LDAP group.
    You can find information about a user group by clicking its Details button.
  5. Click Create.
    After the LDAP group mapping is created, mapped roles, privileges and user group mappings take effect when an LDAP group member user logs into Oracle Key Vault. Changes in the LDAP group mapping do not affect the authorization granted to the users in their existing sessions.

Parent topic: Managing LDAP Groups

Modifying an LDAP Group Mapping

You can modify an LDAP group mapping to change its mapped roles, endpoint or endpoint group privileges, and user groups.

Depending upon the specific roles and privileges that you want to grant or revoke to and from the LDAP group, users with different administrator roles may need to perform the authorization grant to the LDAP group.
  1. Log in to the Oracle Key Vault management console as a user who has the necessary authorization to grant the role or privileges to others. For example, to map the Audit Manager role to an LDAP group, you must have the Audit Manager role with the Allow Forward Grant option.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. Under LDAP Group Mappings, find the LDAP group whose privileges you want to change.
  4. Select the Edit button for this LDAP group to display the Edit LDAP Group Mapping page
  5. Modify the following settings, as necessary:
    • Roles: Optionally, select one or more Oracle Key Vault roles to map to the LDAP group.

      Remember that you cannot grant or revoke a role that is different from the role you currently have. Also, you must have received the role with the Allow Forward Grant option to be able to grant it to an LDAP group mapping.

      To grant the admin roles to the LDAP group mapping, select the corresponding check boxes from the available roles:

    • Audit Manager
    • Key Administrator
    • System Administrator

    Note the following:

    • Allow Forward Grant check box:For each role that you select, a check box for Allow Forward Grant appears. If you want the LDAP group members to be able to grant or revoke the administrative role to and from other users, then select the Allow Forward Grant check box. Only the users who are granted a specific role with the Allow Forward Grant option can grant this role to others including granting it to LDAP users through an LDAP group mapping.

      To revoke the admin roles previously granted to the LDAP group mapping, deselect the check boxes for the corresponding roles. If you want to only revoke the Allow Forward Grant option, then deselect the corresponding Allow Forward Grant check box.

    • Privileges: Optionally, you may grant or revoke the Create Endpoint, Create Endpoint Group, or Monitor privilege to and from the LDAP group mapping.

      You need the System Administrator role to grant or revoke the Create Endpoint privilege or Monitor privilege, and the Key Administrator role to grant, or revoke the Create Endpoint Group privilege.

      To grant the Create Endpoint, Create Endpoint Group, or Monitor privilege, select the check box for the corresponding privilege.

      To revoke the Create Endpoint, Create Endpoint Group, or Monitor privilege, deselect the check box for the corresponding privilege.

    • Access on Endpoints and Endpoint Groups: Optionally, you may grant or revoke the Manage Endpoint or Manage Endpoint Group privilege on one or more endpoints or endpoint groups to and from the LDAP group mapping.

    You need the System Administrator role to grant or revoke the Manage Endpoint privilege and the Key Administrator role to grant or revoke the Manage Endpoint Group privilege.

    To grant the Manage Endpoint privilege on endpoints:
    1. In the Access on Endpoints area, select the endpoints for which you want to revoke the Manage Endpoint privilege.
    2. Click Remove.
    3. Click OK to confirm in the dialog box. After changes are successfully saved, the control stays in the Edit LDAP Group Mapping page.
    To revoke the Manage Endpoint Group privilege on endpoint groups:
    1. In the Access on Endpoint Groups area, select the endpoint groups for which you want to revoke the Manage Endpoint Group privilege.
    2. Click Remove.
    3. Click OK to confirm in the dialog box. After changes are successfully saved, the control stays in the Edit LDAP Group Mapping page.

    • User Groups: Optionally, you may grant or revoke the wallet access by adding or removing the user groups mapping of the LDAP group.

      You need the Key Administrator role to map the user groups.

      To add the Oracle Key Vault user group mapping:

      1. In the User Groups area, select from the available Oracle Key Vault user groups to associate with this LDAP group.
      2. Click Save

      To revoke the Manage Endpoint Group privilege on endpoint groups:

      1. In the User Groups Mapped area, select the user groups for which you want to remove the mapping.
      2. Click Remove User Groups.

    Optionally, select the Details button of the Oracle Key Vault group to modify the user group's settings and privileges.

Oracle Key Vault determines the LDAP user’s authorization for the current session only at the login time. During the login process, Oracle Key Vault fetches the user's LDAP groups from the LDAP directory server and then determines the mapped Oracle Key Vault administrative roles, endpoint or endpoint group privileges, and user groups for the current session. Any changes to the user's membership in the LDAP groups or changes to the LDAP group mapping do not affect user’s authorization for existing sessions. Note, however, that any changes to the privileges that are granted to the Oracle Key Vault user groups take effect immediately and apply to all existing sessions.

Parent topic: Managing LDAP Groups

Validating LDAP Group Mappings

In the event that LDAP groups change in the LDAP directory server, a user who has the Key Administrator role can validate their mappings in Oracle Key Vault.

In a multi-master cluster environment, the validation of an LDAP group mapping applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. Under LDAP Group Mappings, select the check boxes for the group mappings that you want to validate.
  4. Select the Validate button.
  5. In the confirmation window, click OK.

Parent topic: Managing LDAP Groups

Deleting LDAP Group Mappings

A user who has the Key Administrator role can delete one or more LDAP groups and associated mappings from Oracle Key Vault.

In a multi-master cluster environment, the LDAP group mapping deletion applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage LDAP Mappings from the left navigation bar.
  3. In the LDAP Group Mappings page, select the check boxes for the LDAP groups that you want to delete.
  4. Click Delete.
  5. In the confirmation window, click OK.

Parent topic: Managing LDAP Groups

Managing Oracle Key Vault-Generated LDAP Users

You cannot administer the actual LDAP user account in the LDAP directory server but you can administer the Oracle Key Vault generated user account that is created the first time the LDAP user logs in to Oracle Key Vault.

Parent topic: Managing LDAP User Authentication and Authorization in Oracle Key Vault

About Managing LDAP Users

The LDAP user account in Oracle Key Vault is an automatically created account that is based on the LDAP user account in the configured LDAP directory server.

Oracle Key Vault creates this account the first time that the LDAP user logs in to Oracle Key Vault, capturing the first name, last name, and email attributes of the user. These values cannot be changed in Oracle Key Vault; they can only be changed in their LDAP directory server corresponding account by a privileged LDAP administrator. If these values change, then Oracle Key Vault updates the user account with these values the next time the LDAP user logs in to Oracle Key Vault. Except for granting and revoking wallet privileges to and from this user from Oracle Key Vault, the Oracle Key Vault administrator cannot make any changes to this account.

In a multi-master cluster environment, there is no need for user name conflict resolution because the uniqueness of the account is guaranteed by the LDAP directory server where the LDAP user account exists. If the LDAP user logs in to different nodes in the cluster, then an identical user account is created, and this account is uniform across the cluster. Each of these account creations is timestamped. The Oracle Key Vault synchronization process keeps the most recent account creation timestamp value (that is, from the node where this user was created last). Hence, throughout the cluster environment, the timestamp value is the same as the most recent user account creation timestamp.

Parent topic: Managing Oracle Key Vault-Generated LDAP Users

Finding Information About an Oracle Key Vault-Generated LDAP User

You can find information about the Oracle Key Vault-generated LDAP user accounts.

You cannot change the LDAP user account in Oracle Key Vault; instead you must modify the account in the LDAP directory server where the user account exists. If you want to move the user to a different LDAP group, you must do this in the LDAP directory server.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator, Key Administrator, or Audit Manager role.
  2. Select the Users tab, and then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to Manage LDAP Users area. You can find the following information for each LDAP user.
    You can find the following information:
    • The user's distinguished name (DN)
    • User status
    • Setup Time
    • LDAP Configuration Name
    • Domain Name
  4. Click the user name of an LDAP user to see its detailed information including granted administrative roles, endpoint or endpoint group privileges, and user group mappings.

Parent topic: Managing Oracle Key Vault-Generated LDAP Users

Validation of Oracle Key Vault-Generated LDAP Users

You can find if an LDAP user account that is associated with the Oracle Key Vault-generated LDAP user account is a valid account.

Parent topic: Managing Oracle Key Vault-Generated LDAP Users

About the Validation of Oracle Key Vault-Generated LDAP Users

An Oracle Key Vault-generated user account still exists in Oracle Key Vault if the LDAP user account has been deleted in the source LDAP directory server.

A user who has the System Administrator role can find if the Oracle Key Vault-generated user account still exists in the source LDAP directory server by validating it in Oracle Key Vault. In a multi-master cluster environment, the validation of an Oracle Key Vault-Generated LDAP user account applies to all nodes in the cluster.

Oracle Key Vault periodically checks the validity of the LDAP user accounts and marks them as NOT FOUND if the following events take place:

  • The LDAP user account does not exist in the LDAP directory server.
  • The LDAP configuration that is associated with the LDAP user account is deleted.

Oracle Key Vault automatically deletes invalid LDAP user accounts after the number of days configured in the Defunct LDAP Users Grace Period setting (in the Edit LDAP Configuration page) have passed. You can delete an LDAP user account from Oracle Key Vault any time.

Validating Oracle Key Vault-Generated LDAP Users

A user who has the System Administrator role can manually validate Oracle Key Vault-Generated LDAP users.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to the Manage LDAP Users section.
  4. Select the check box of the LDAP users that you want to validate.
  5. Click Validate.
    If an LDAP account is not valid, then a NOT FOUND message appears.

Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges

Users who have either the Key Administrator role or regular users who have privileges to manage wallets can modify the wallet privileges of Oracle Key Vault-generated LDAP user account.

Parent topic: Managing Oracle Key Vault-Generated LDAP Users

About Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges

The wallet privileges that you can change are Read Only, Read and Modify, or Manage Wallet.

You cannot change the corresponding LDAP account in the LDAP directory, but you can change the wallet privileges of the Oracle Key Vault-generated LDAP user account. Changes to the privileges granted directly to the LDAP user account in Oracle Key Vault are applied immediately, even to the existing sessions of the same user. If the LDAP user account is modified on the LDAP server (such as a change in LDAP group membership of the user), then the changes take effect from the next user login. In a multi-master cluster environment, changes to an LDAP user apply to all nodes in the cluster and can be performed in any node.

Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Key Administrators)

A user who has the Key Administrator role can grant and revoke wallet privileges for any wallet to LDAP users in Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has the Key Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. Under Manage Users, scroll down to the Manage LDAP Users section.
  4. Select the name of the LDAP user account to display the LDAP User Details page.
  5. In the Access to Wallets pane, do the following:
    1. Click Add to display the Add Access to User page.
    2. Under Select Wallet, select the wallets to which you want to grant privileges to the LDAP user.
    3. Under Select Access Level, select Read Only, Read and Modify, or Manage Wallet.
    4. Click Save.
      The wallet privilege is added as a direct privilege for this user, as opposed to a wallet privilege that is available through an LDAP group. If the user already has a wallet privilege from the LDAP group to which they are assigned, then the user has a union of the privileges from both the direct privilege grant and the LDAP group privilege grant.
  6. Click Save.
Modifying an Oracle Key Vault-Generated LDAP User Account Wallet Privileges (Regular Users)

A regular user who has privileges to manage wallets can grant and revoke privileges for these wallets to LDAP users in Oracle Key Vault.

  1. Log in to the Oracle Key Vault management console as a user who has privileges to manage wallets.
  2. Select the Keys & Wallets tab, and then Wallets from the left navigation bar.
    The Wallets page lists the wallets for which this user has privileges.
  3. Select the Edit icon for the wallet whose privileges you want to modify.
    The Wallet Access Settings area lists all the users who have privileges for this wallet.
  4. In the Wallet Access Settings area, click Add.
  5. In the Add Access to Wallets page, under Select Endpoint/User Group, select Users from the Type menu.
  6. Select the check boxes for the user to whom you want to grant privileges.
  7. In the Select Access Level area, select Read Only, Read and Modify, or Manage Wallet.
  8. Click Save.
    The wallet privilege is added as a direct privilege for this user, as opposed to a wallet privilege that is available through an LDAP group. If the user already has a wallet privilege from the LDAP group to which they are assigned, then the user has a union of the privileges from both the direct privilege grant and the LDAP group privilege grant.

Deleting Oracle Key Vault-Generated LDAP Users

A user who has the System Administrator role can delete an LDAP user account from Oracle Key Vault.

If an LDAP user account is deleted from the LDAP directory server, during a periodic check, Oracle Key Vault automatically first marks such user accounts as invalid (NOT FOUND) and then deletes these accounts after the Defunct LDAP Users Grace Period setting (on the Edit LDAP Configuration page) passes.
If you inadvertently delete an Oracle Key Vault-generated LDAP user account, then the next time the user logs in, the account is recreated. However, the user would no longer own any objects that they created before the deletion. In a multi-master cluster environment, the removal of an Oracle Key Vault-Generated LDAP user account applies to all nodes in the cluster and can be performed in any node.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Users tab, then Manage Users from the left navigation bar.
  3. In the Manage Users page, scroll down to the Manage LDAP Users section.
  4. Select the check box of the LDAP users that you want to remove.
  5. Click Delete.
  6. In the confirmation window, click OK.
    The user account is deleted immediately.

Parent topic: Managing Oracle Key Vault-Generated LDAP Users