18
Using Oracle Enterprise Login Assistant

Use Oracle Enterprise Login Assistant to manage wallets and passwords, including those stored locally or in an LDAP directory, and to enable or disable secure SSL connections.

You can use Oracle Enterprise Login Assistant for both (i) SSL-authenticated enterprise users, and (ii) password-authenticated enterprise users.

This chapter describes Oracle Enterprise Login Assistant, and contains the following topics:

• About Oracle Enterprise Login Assistant
• Managing Credentials for Certificate-Authenticated Enterprise Users
• Managing Credentials for Password-Authenticated Enterprise Users

About Oracle Enterprise Login Assistant

Oracle Enterprise Login Assistant is a client-side tool that can be used by both certificate-based and password-based enterprise users.

For certificate-based users, it provides easy access to existing wallets and PKI certificates, while masking their underlying complexity. Once users securely open their wallets using Enterprise Login Assistant, they can be authenticated to a centrally-located LDAP directory service with a single sign-on (SSO), and can thence connect to multiple databases without providing additional database passwords. They can also use Enterprise Login Assistant to upload encrypted wallets to and download them from the LDAP directory, and they can update directory passwords (Oracle Internet Directory only), database passwords, and wallet passwords.

For password-based users, Enterprise Login Assistant provides the capability to set up and manage a single, global password for accessing multiple databases thus obviating the need to set up and manage wallets and certificates. Password-based users must enter this password for each respective database connection.

For all enterprise users, this provides strong authentication, secure connections, and enhanced ease-of-use.

Starting Oracle Enterprise Login Assistant

Refer to the Oracle operating system-specific documentation for Oracle Enterprise Login Assistant startup instructions.

Managing Credentials for Certificate-Authenticated Enterprise Users

This part contains the following topics:

• Opening Existing Wallet on Local System
• Connecting to LDAP Directory and Downloading New Wallet
• Changing Passwords
• Uploading Wallet to LDAP Directory
• Logging Out and Disabling SSL Connection

Opening Existing Wallet on Local System

Upon startup, Oracle Enterprise Login Assistant searches for an installed wallet in the default system location that is defined in the Oracle operating system-specific documentation. If it finds an installed wallet, the login window appears (Figure 18-1):

Figure 18-1 Enterprise Login Assistant Login Window (wallet found)

Text description of the illustration ela0008.gif

To establish a secure SSL connection using your local wallet:

1. Choose the Local Copy button.
2. Enter the wallet password.
3. To change password(s). choose the Change passwords button ; Figure 18-5 appears. See: Changing Passwords.
4. Choose the Login button.

   Enterprise Login Assistant creates a copy of the wallet in the local file system, and you are returned to the logged-in state; the Logged-In Window appears (Figure 18-2). This step enables autologin.

   Note: Oracle wallets are always encrypted upon creation in both the LDAP directory and the local file system. However, when autologin is enabled, the wallet is obfuscated to enable autologin access. See Also: obfuscation

Figure 18-2 Enterprise Login Assistant Logged-In Window

Text description of the illustration ela0005.gif

If Enterprise Login Assistant does not find a wallet installed on the local system, the following window appears (Figure 18-3):

Figure 18-3 Enterprise Login Assistant Login Window (wallet not found)

Text description of the illustration ela0001.gif

To download a new wallet from the LDAP directory see the next section.

Connecting to LDAP Directory and Downloading New Wallet

Enterprise Login Assistant can download a wallet from an LDAP directory to your local system.

To connect to an LDAP directory and download a wallet:

1. Choose the Directory Service button (Figure 18-3).

Figure 18-4 Enterprise Login Assistant Directory Login Window

Text description of the illustration ela0003.gif

• Enter your distinguished name (DN) or directory UserID and password.
• Choose the Login button.

  Enterprise Login Assistant attempts to connect to the directory and download a wallet. If there is no directory service, it prompts for the directory service hostname and port (contact your System Administrator for further details).

• Enterprise Login Assistant stores the wallet in the default location on the local system and attempts to decrypt it using the directory password. If the directory password does not match the wallet password, you are prompted for the wallet password.

  Note: Default Wallet Location: UNIX: /etc/oracle/wallets/<username> Windows: c:\winnt\profile <user>\oracle\wallets

• Enterprise Login Assistant creates an obfuscated copy of the wallet in the local file system, and you are returned to the logged-in state; the Logged-In Window appears (Figure 18-2). This confirms that the wallet was successfully copied to the local system and that autologin is enabled.

  Changing Passwords

  You can use Enterprise Login Assistant to change the following passwords:

  • The wallet password

    This password is used to access your local wallet.

  • The directory password

    This password is used to bind to Oracle Internet Directory.

  • The database password

    This is the single, global password used by enterprise users to authenticate to multiple databases.

  To change a password:

  1. Choose the Change password button from the Logged In Window (Figure 18-2); the Change Enterprise Password Window appears (Figure 18-5):

  Figure 18-5 Enterprise Login Assistant Change Password Window

  

  Text description of the illustration ela0007.gif

• Choose one of the following Password Change Options:
  • Directory and Oracle Database Password
  • Directory Password Only
  • Oracle Database Password Only
  • Local Wallet Password Only
• Enter your distinguished name (DN) or directory UserID in the User field.
• Enter your existing password in the Old password field.
• Enter your new password (in accordance with your password policy) in the New password field, and confirm it by entering it again--in the Confirm password field.
• Enter an optional password hint in the Reminder field (see the Caution note that follows); choose the OK button.

  If the Old password you entered matches the existing password(s), Enterprise Login Assistant updates the selected password(s) with the new password and optional hint, displaying the following message to confirm successful update:

  Password changed successfully.

  Choose the OK button to exit the dialog box.

  Caution: Although Oracle Enterprise Login Assistant provides reminders (hints) to aid in the recovery of lost wallets, such reminders are not encrypted--and should only be used with restricted access control lists (ACLs). See: Oracle Internet Directory Administrator's Guide for information about configuring ACLs. Consider the following guidelines for reminders: Reminders are not required, and their use should be avoided. The system is more secure without reminders--the existence of an unencrypted reminder provides unauthorized third parties a potential opportunity to surreptitiously derive the password. However, if there is an enterprise requirement for wallet recovery in the event of a lost wallet password, reminders can be useful--if access is restricted by ACLs (imperative). Reminders can only entered for wallets stored in an LDAP directory. If you choose Local Wallet Password Only, neither a distinguished name nor a UserID is required, and you cannot enter a Reminder. If reminders are employed, you should formulate enterprise-wide rules to ensure the quality of the reminder. The final test of a good reminder is that it is meaningful only to the intended user, and does not compromise the security of the associated password.

  Note: Your enterprise installation may have special security requirements. Security Administrators can adjust the access controls in the LDAP directory to prevent users from updating certain passwords, or to force users to make all passwords identical.

Uploading Wallet to LDAP Directory

To upload a wallet to an LDAP directory:

1. Choose the Upload Wallet button in the Logged-In Window (Figure 18-2).
2. If you have already authenticated to the LDAP directory service in the current session, a copy of the wallet is uploaded to the directory, replacing the existing wallet.
3. If you have not yet authenticated to the LDAP directory service in the current session, Enterprise Login Assistant prompts you for your distinguished name (DN) or directory UserID and password to connect you to the directory before Step 2 is performed.

Logging Out and Disabling SSL Connection

Use Oracle Enterprise Login Assistant to disable single sign-on communications from server-side applications.

To log out and disable the SSL connection:

1. Choose the Logout button from the Logged-In Window (Figure 18-2).

   Enterprise Login Assistant displays the following warning:

   If you log out, your applications will no longer use the security credentials of your wallet.

2. Choose the Yes button to continue; you are returned to the Login Window (Figure 18-1).

Managing Credentials for Password-Authenticated Enterprise Users

This part contains the following topics:

• Changing Passwords

Changing Passwords

You can use Enterprise Login Assistant to change the following passwords:

• The directory password

  This password is used to bind to Oracle Internet Directory.

• The database password

  This is the single, global password used by enterprise users to authenticate to multiple databases.