In parts one, two, and three of this series I looked at configuring the database server and client software for smart card authentication. In this post I will discuss required updates to the database initialization parameters, how to gather the necessary information to create the externally authenticated database user, and how to create the user.
Getting the DN from the User’s Public Key
The good news is that if you are using DOD-signed server certificates – or any commercially generated certificates that share a common trust chain for the client and the server – you do not need to exchange public keys between clients and servers. You will, however, need to get the Distinguished Name (DN) from the user’s public certificate key in order to link their database account to the CAC / PIV certificate.
A user’s public key can be read from a digitally signed e-mail, or from the Microsoft Certificate Store on your workstation if you have previously exchanged signed or encrypted e-mail with the user.
- From MCS: If reading the key from the Microsoft Certificate Store, from the Windows Control Panel open Internet Options. Select the “Content” tab and click the “Certificates” button. Then select the client certificate you want and click “View”. On the “Details” tab, scroll down and select “Subject”.
- From E-Mail: If reading from the signature certificate attached to a signed e-mail, click on the certificate icon in the e-mail. Click the “Details…” button, then select the “Signer” certificate and click the “View Details…” button. On the Signature window, click “View Certificate…”. On the “Details” tab, scroll down and select “Subject”.
The Subject field should contain information like the following:
CN = DOE.JOHN.I.1234567890
OU = CONTRACTOR
OU = PKI
OU = DoD
O = U.S. Government
C = US
To construct the DN, remove the spaces around each “=” and place commas between the attributes, keeping them in the order shown, like so:
CN=DOE.JOHN.I.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US
Note: Do not remove the embedded space in “U.S. Government”.
Database Configuration Steps
The OS_AUTHENT_PREFIX parameter must be null, and REMOTE_OS_AUTHENT must be FALSE.
SQL> alter system set remote_os_authent=false scope=spfile;
SQL> alter system set os_authent_prefix='' scope=spfile;
The instance will need to be restarted for these changes to take effect.
Creating the Database User
The user within the database must be created specifying the distinguished name (DN) from their public key, obtained in the previous section. For example:
SQL> create user jdoe identified externally as 'CN=DOE.JOHN.I.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US';
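Building the DN by hand is where embedded spaces (“U.S. Government”) and quote characters get mangled, and the resulting CREATE USER statement only works if the DN string matches the certificate exactly. The following Python script is an added example written for this post, not code from the original article or from Oracle; it parses the Subject field as pasted from the certificate viewer (one attribute per line, or all on one line), builds the DN exactly as described above, and emits the CREATE USER, GRANT and a DBA_USERS check query. The sample Subject string is constructed from the example above; the username validation rule (unquoted identifier, 30 characters) is a deliberately conservative assumption.

```python
import re

# Constructed sample input: the Subject field as shown by the Windows
# certificate viewer, pasted onto one line (a one-attribute-per-line
# paste is accepted too).
SAMPLE_SUBJECT = (
    "CN = DOE.JOHN.I.1234567890 OU = CONTRACTOR OU = PKI OU = DoD "
    "O = U.S. Government C = US"
)

# "ATTR = value" pairs: a value runs until the next "ATTR =" token or the
# end of the string, so embedded spaces such as "U.S. Government" survive.
_PAIR_RE = re.compile(r"([A-Za-z]+)\s*=\s*(.*?)(?=\s+[A-Za-z]+\s*=|$)")

# Conservative Oracle identifier rule (assumption: unquoted, max 30 chars).
# The username is interpolated into DDL, so it is validated, not escaped.
_IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")


def parse_subject(subject):
    """Return the Subject field as an ordered list of (attribute, value)."""
    flat = " ".join(subject.split())  # collapse newlines and runs of spaces
    pairs = [(k, v.strip()) for k, v in _PAIR_RE.findall(flat)]
    if not pairs or any(v == "" for _, v in pairs):
        raise ValueError("Subject field did not parse into ATTR = value pairs")
    return pairs


def build_dn(subject):
    """Build the DN Oracle expects: no spaces around '=', commas between attributes."""
    return ",".join(f"{k}={v}" for k, v in parse_subject(subject))


def _sql_literal(text):
    # A single quote inside a SQL string literal is written as two quotes.
    return "'" + text.replace("'", "''") + "'"


def _checked_username(username):
    if not _IDENT_RE.match(username):
        raise ValueError(f"invalid or unsafe Oracle username: {username!r}")
    return username


def create_user_sql(username, subject):
    """Emit CREATE USER ... IDENTIFIED EXTERNALLY AS '<DN>' for the certificate subject."""
    return (f"CREATE USER {_checked_username(username)} IDENTIFIED EXTERNALLY AS "
            f"{_sql_literal(build_dn(subject))};")


def grant_session_sql(username):
    """Minimum privilege needed for the user to connect."""
    return f"GRANT CREATE SESSION TO {_checked_username(username)};"


def verify_sql(username):
    """Query to compare the stored EXTERNAL_NAME with the certificate DN after creation."""
    name = _checked_username(username).upper()  # unquoted identifiers are stored upper-case
    return (f"SELECT username, external_name FROM dba_users "
            f"WHERE username = {_sql_literal(name)};")


if __name__ == "__main__":
    for stmt in (create_user_sql("jdoe", SAMPLE_SUBJECT),
                 grant_session_sql("jdoe"),
                 verify_sql("jdoe")):
        print(stmt)
```

Run the generated statements in SQL*Plus, then compare the EXTERNAL_NAME column returned by the last query with the DN from the certificate; any difference in case, spacing or attribute order means the user will not be matched to the card.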
At a minimum the user should be granted the “create session” privilege so that they are able to connect.
SQL> grant create session to jdoe;
Note: While users who are identified externally can be granted proxy privileges to connect through to other schemas (as in the case of developers accessing an application schema in a test environment), they cannot be granted privileges like SYSDBA that require credentials to be stored in the database password file.