1. Administering Oracle Unified Directory
  2. Advanced Administration: Security, Access Control, and Password Policies
  3. Configuring Security Between the Proxy and the Data Source

27 Configuring Security Between the Proxy and the Data Source

You can configure security between the proxy and the remote LDAP servers.

The following topics describe how to configure security between the proxy and the remote LDAP servers:

You can configure security between the proxy and the remote LDAP servers as follows:

27.1 About Security Between the Proxy and Remote LDAP Servers

For security management, network groups can be enabled to classify incoming client connections. You can use network groups to restrict operations that can be performed, based on how the connection has been classified.

Use this functionality, for example, to restrict access to clients that connect from a specified IP address only. For more information, see Configuring Network Groups Using dsconfig.

For secure client authentication between the proxy and remote LDAP servers, the certificate of the proxy must be imported into the truststore of each remote LDAP server. In this case, you must configure a keystore manually. For details, see Configuring Key Manager Providers.

The proxy security does not bypass the back-end ACI.

27.2 About Proxy Manages Secure Connections

The proxy manages the security with the client and with the directory server, and supports both SSL and StartTLS.

When you configure security, you must specify how the proxy connects to the remote LDAP server by indicating if the proxy should use SSL always, never, or user. If you specify always, the connection with the remote LDAP server will always be secured using SSL, regardless of how the client connects to the proxy. If you specify never, the connection between the proxy and the remote LDAP directory server will not be secured, regardless of whether the client connects to the proxy with a secure connection. If specify user, the security between the proxy and the remote LDAP directory servers will be the same as the security between the client and the proxy. For example, if the client connects over SSL, the connection with the remote LDAP server will also use SSL. One notable exception is if the client connects using StartTLS, in which case the proxy will connect to the remote LDAP servers using SSL.

Note:

If you want the modifications of the privileges of a user used by proxy to bind on the remote server to take effect, then you must set the maintain-authenticated-users flag to true on the remote server. By default, it is set to false.

Be aware that for an open connection, which is bound with a determined authDN, importing that entry with dn: authDN using import-ldif command does not modify the properties (access rights, privileges, and so on) of that authDN in those already established connections. The new properties for the authDN as a result of import-ldif are effective only for new binds as authDN. In this scenario, setting maintain-authenticated-users:true does not help. Consider the following example.

For example, in a proxy scenario if the bind mode for the remote LDAP server is set as use-specific-id and the remote-ldap-server-bind-dn is cn=my_proxy_manager,dc=com, then the proxy keeps a pool of open connections with the remote LDAP server bound as authDN='cn=my_proxy_manager,dc=com'. Now, if the user entry cn=my_proxy_manager,dc=com stored in the remote LDAP server does not have password-reset privilege, then the operation to modify the password that arrives at proxy server fails, because of insufficient privileges. So, you might attempt to re-load the data in the remote LDAP server by importing an ldif file that would add the required password-reset privilege to the cn=my_proxy_manager,dc=com user entry. However, the new privilege will still not be taken into account for those connections already opened.

For more information see Understanding the Modes of Secure Connection.

27.3 Understanding the Modes of Secure Connection

Secure connection with remote LDAP servers is handled by proxy.

The proxy handles connections to the remote LDAP servers in three SSL security modes:

  • always

  • never

  • user

You can view or edit these settings using the dsconfig --advanced command. Choose Extension from the main menu.

The remote-ldap-server-ssl-policy property manages the three SSL security modes.

When the remote-ldap-server-ssl-policy property is set to always or user, the proxy needs to trust the remote LDAP servers. To achieve this, you must manually import the certificates of each remote LDAP server into the proxy's truststore.

The following topics explain the modes of secure connection:

27.3.1 About always Secure Mode

With the remote-ldap-server-ssl-policy property set to always, all connections made from the proxy to the remote LDAP servers are fully secure SSL connections, regardless how the client connects to the proxy.

In this mode, the pool size refers to one type of connection pool: secure LDAPS connections.

In the always secure mode, the certificate of each remote LDAP server must be imported into the proxy's truststore. If there is a large number of back-end LDAP servers that are not Oracle Unified Directory servers, and if certificates were not managed during installation, importing certificates into the truststore of the proxy can be a constraint. For test environment purposes, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the proxy to trust all remote LDAP servers.

27.3.2 About never Secure Mode

With the remote-ldap-server-ssl-policy property set to never, none of the connections from the proxy to the remote LDAP servers are secure SSL connections.

In this mode, the monitoring connection by the proxy of the remote LDAP servers is never secure.

In this mode, the pool size refers to one type of connection pool: unsecure LDAP connections.

27.3.3 About user Secure Mode

With the remote-ldap-server-ssl-policy property set to user, incoming requests from clients to the proxy dictate whether the connection between the proxy and remote LDAP servers should be secure, regardless of how the client connects to the proxy.

If the incoming client request is secure, whether SSL or StartTLS, the connection from the proxy to the remote LDAP servers is a secure SSL connection.

If the incoming client request is not secure, the connection from the proxy to the remote LDAP servers is not a secure SSL connection.

In this mode, the monitoring connection between the proxy and the remote LDAP servers is never secure.

Two pools of connections are created, one secure and one unsecure. This is shown in Figure 27-1. In the scenario on the left, the client connects to the proxy using an unsecure connection, and the unsecure pool of connections from the proxy to the remote LDAP servers is used. In the scenario on the right, the client connects to the proxy using a secure connection, whether SSL or StartTLS, and the secure SSL pool of connections from the proxy to the remote LDAP servers is used.

Figure 27-1 Connections in the user Secure Mode

Description of Figure 27-1 follows
Description of "Figure 27-1 Connections in the user Secure Mode"

In the user mode, the certificate of each remote LDAP server must be imported into the proxy's truststore. If there is a large number of remote LDAP servers that are not Oracle Unified Directory servers, and if certificates were not managed during installation, importing certificates into the truststore of the proxy can be a constraint. In a test environment, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the proxy to trust all remote LDAP servers.

When the remote-ldap-server-ssl-policy property is set to user, the pool size refers to two types of connection pools: unsecure LDAP connections and secure LDAPS connections. If for example the pool-initial-size is set to 5 connections, as shown in Figure 27-2, then when the LDAP Extension is initialized, there will be one pool of 5 LDAP connections and one pool of 5 LDAPS connections, or a total of 10 connections. Each pool evolves separately after this initialization, based on parameters set for that pool.

Note:

By default, pool-initial-size is set to 10 connections.

Figure 27-2 Multiple Pools of Connections

Description of Figure 27-2 follows
Description of "Figure 27-2 Multiple Pools of Connections"

27.4 Configuring Security Between Proxy and Data Source Using dsconfig

The dsconfig tool accesses the server over a secured connection with certificate authentication. If you run dsconfig in non-interactive mode, as dsconfig -n, specification of the trust store parameters depends on whether you run the command locally or remotely.

For more information on running the command locally or remotely, see Using the dsconfig Command.

Other configurations using dsconfig are explained in the following sections:

27.4.1 Configuring Security Between the Proxy and Directory Servers Using dsconfig

This task highlights the main steps required to configure security for connections to remote LDAP servers. Where the process is similar to that provided for configuring security between the proxy and the client, pointers are given to the related procedure.

Perform the following steps to configure security between proxy and directory server using dsconfig:

  1. If the remote LDAP servers do not require client authentication to be passed from the proxy, proceed directly to step 2.

    If the remote LDAP servers require client authentication to be passed from the proxy, perform the following sub-steps:

    1. Configure a keystore for remote LDAP server connections.

      To do this, use the Java keytool command to generate a certificate on the proxy server. The keystore must be configured manually. For details, see Configuring Key Manager Providers.

      Self-sign the certificate or have the certificate signed by an external certificate authority. For details, see Configuring Key Manager Providers.

    2. Configure a key manager provider on the proxy for the keystore for remote LDAP server connections.

      For details, see Configuring Key Manager Providers. This key manager provider can be separate to that used for handling secure connections to clients.

    3. If the remote LDAP servers require client authentication, the certificate of the proxy must be imported into the truststore of each remote LDAP server.

      For information about importing and exporting certificates on Oracle Unified Directory, see Configuring Key Manager Providers.

  2. For the proxy to establish secure connections with the remote LDAP servers, configure a truststore.

    All remote LDAP servers requiring a secure connection need to have their certificates imported into the proxy truststore. All of these remote LDAP server certificates can be imported into a single proxy truststore or distributed among multiple proxy truststores. You can have as many proxy truststores as there are remote LDAP server certificates to be imported.

    An LDAP proxy extension targeting a secured connection to a remote LDAP data source must reference the appropriate truststore manager in its configuration. This reference enables the LDAP proxy extension to access the imported remote LDAP server certificate, to accept the secure connection.

  3. Each truststore requires a proxy trust manager provider.

    To list the proxy trust manager providers, use the dsconfig list-trust-manager-providers command. For example: 

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
list-trust-manager-providers

    To create a proxy trust manager provider, use the dsconfig create-trust-manager-provider command. For example: 

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager"  -j pwd-file -X -n \
create-trust-manager-provider \
--provider-name Backend\ Servers \
--type file-based --set enabled:true \
--set trust-store-file:/localhost/config/backend-servers-truststore \
--set trust-store-type:JKS \
--set trust-store-pin-file:/installPath/config/backend-servers-truststore.pin

  4. Import the certificates of the remote LDAP servers into the proxy truststore.

27.4.2 About the Configurable LDAP Extension Properties Relevant to Security

When managing connections to remote LDAP servers using dsconfig, several configurable LDAP Extension security connection properties are available.

For information about managing LDAP extensions, see Configuring Communication With Remote LDAP Servers. Configurable properties that either directly or indirectly relate to security considerations include the following:

  • remote-ldap-server-ssl-policy

    This important value governs the overall security mode of the connections between the proxy and remote LDAP servers. Its use is covered in the section Understanding the Modes of Secure Connection.

  • pool-increment

    If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the incremental change of size of each pool is set to pool-increment. For more information on this property, see Modifying the Properties of an LDAP Server Extension.

  • pool-initial-size

    If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the initial size, and minimum size, of each pool is set to pool-initial-size. In this case, therefore, there will initially be twice the total number of connections indicated in pool-initial-size. For details, see Modifying the Properties of an LDAP Server Extension.

  • pool-max-size

    If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the maximum size of each pool is set to pool-max-size.

    The default value is 1000 connections. For more information on this property, see Modifying the Properties of an LDAP Server Extension.

  • remote-ldap-server-ssl-port

    The port number for SSL connections from the proxy to the remote LDAP server.

  • ssl-client-alias

    When a keystore is created for client authentication, several keys can be stored in it. Use this property to specify which key to use. For more information about keystores, see Getting SSL Up and Running Quickly and Configuring Key Manager Providers.

  • ssl-key-manager-provider

    Specifies a key manager provider to use for the LDAP Server Extension. The key manager provider is not mandatory and can be used if the remote LDAP server is configured for client authentication. The referenced key manager provider must be enabled. For more information about key manager providers, see Configuring Key Manager Providers.

  • ssl-trust-all

    If this parameter is set to true, all remote LDAP servers are trusted. The default value is false. Setting this value to true avoids having to import certificates from remote LDAP servers but is insecure.

    Note:

    Although the interactive dsconfig --advanced command offers Blind Trust as a possible trust manager provider, Blind Trust is not supported for the proxy server. Instead, if you want to avoid the import of certificates, set the ssl-trust-all parameter to true. This presents an insecure deployment and is not recommended for production environments, only for testing purposes.

    If the remote-ldap-server-ssl-policy is set to never, then the value of the ssl-trust-all parameter is irrelevant. All connections between the proxy will be insecure (unencrypted) in this case. For more information on the remote-ldap-server-ssl-policy, see Understanding the Modes of Secure Connection.

  • ssl-trust-manager-provider

    Specifies which trust manager provider to use for the LDAP Server Extension. The trust manager provider is mandatory unless the ssl-trust-all parameter is set to true. The referenced trust manager provider must be enabled.

  • ssl-protocol

    Governs the SSL/TLS protocol that would be used during SSL communication with the remote LDAP server. This property takes system default values and can be overridden with valid SSL/TLS protocols as required. See Supported TLS Protocols and Cipher Suites by Oracle Unified Directory to understand about system default values.

  • ssl-cipher-suite

    Governs the SSL/TLS cipher suite that would be used during SSL communication with the remote LDAP server. This property takes system default values and can be overridden with valid SSL/TLS cipher suites as required. See Supported TLS Protocols and Cipher Suites by Oracle Unified Directory to understand about system default values.