Tuesday, 7 October 2008

Security Roadmap

In the entries of the first of October we showed how a single account can be shared between Oracle Enterprise Linux (OEL) operating system accounts and Oracle database accounts. One might ask why not go for Single Sign-On (SSO) using Kerberos right away. Indeed, that would simplify account usage.
There are a number of technical and licensing reasons, which I'll get to later, but there is also a social reason.
The SSO would be based on Kerberos in combination with Microsoft Active Directory (AD), since in many companies AD already handles domain authentication.
For the OEL machines to use Kerberos authentication they would have to be joined to the Windows domain as machine accounts. Before large enterprises go for this kind of integration they need to get used to the idea, and a lot of evangelizing is necessary before that can be achieved.
Using a single account between OS and database is a step toward getting used to that idea.
Management will start asking for SSO soon afterwards, and cross-"IT ecosphere" integration is then easier too.
Other reasons for not quickly implementing Kerberos authentication on OEL:
1) Kerberized clients, like Kerberized PuTTY for SSH, need to be used. Rolling these out in a large enterprise takes a lot of explaining and time.
2) The MIT Kerberos for Windows DLLs need to be installed on the clients to integrate Kerberos with OEL. Rolling this out to thousands of clients takes a lot of time and explaining.

These extra installations could be avoided if the Oracle database administrators for whom we are implementing this solution used the sqlplus client from the Windows client prompt. Since the Windows client is already authenticated to the Windows domain, that Windows sqlplus client could reuse the domain logon ticket for Kerberos authentication to the Oracle database, skipping authentication to the OEL operating system altogether.
But Oracle DBAs are very used to their Unix prompt and can only slowly change their habits. Here again that will need some time.

Implementing Kerberos authentication for the Oracle database is fairly simple, and following the steps in the Oracle manual will get you there. But to be able to use Kerberos for Windows one needs to have the Advanced Security Option licensed from Oracle.
This extra cost is not always within the budget of even large enterprises.
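To make the "fairly simple" setup concrete, here is an added configuration example (not taken from the original post or from the Oracle manual) showing the three pieces that have to line up: the client sqlnet.ora, the server sqlnet.ora on the OEL database host, and the externally identified database user. The realm EXAMPLE.COM, the host dbhost.example.com, the DBA principal jdoe, the service name orcl and all file paths are assumptions; the OSMSFT:// credential cache name, which lets a Windows sqlplus reuse the domain logon ticket without MIT Kerberos for Windows, is an assumption about the Oracle client version in use and should be checked against the manual for your release.

```text
# --- Client side: sqlnet.ora on the DBA's Windows workstation ---
# Try Kerberos first; BEQ keeps local (bequeath) connections working.
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
# Service part of the principal registered for the database in AD:
# oracle/dbhost.example.com@EXAMPLE.COM
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF = C:\oracle\krb5\krb5.conf
# Reuse the ticket the Windows domain logon already obtained (assumed cache name,
# availability depends on the Oracle client release).
SQLNET.KERBEROS5_CC_NAME = OSMSFT://
# On an OEL client with MIT Kerberos you would point at the kinit cache instead:
# SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_1001
# Tolerated clock difference between client, KDC and database, in seconds.
SQLNET.KERBEROS5_CLOCKSKEW = 300

# --- Server side: sqlnet.ora on the OEL database host ---
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
# Keytab exported from AD (ktpass) for oracle/dbhost.example.com; must be
# readable by the oracle OS user only, since it is a long-term key.
SQLNET.KERBEROS5_KEYTAB = /etc/v5srvtab

# --- Database side: map the Kerberos principal to a schema (run as SYSDBA) ---
-- With OS_AUTHENT_PREFIX set to '' the user name is the full principal,
-- upper case and quoted. The default prefix is OPS$, which would not match.
ALTER SYSTEM SET OS_AUTHENT_PREFIX = '' SCOPE=SPFILE;   -- takes effect after restart
CREATE USER "JDOE@EXAMPLE.COM" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "JDOE@EXAMPLE.COM";

-- Check from the Windows prompt; the bare slash means "no password,
-- use the external authentication service":
--   C:\> sqlplus /@orcl
--   SQL> SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD'),
--               SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') FROM DUAL;
-- Expect KERBEROS and jdoe@EXAMPLE.COM. PASSWORD in the first column means the
-- session fell back to password authentication and the Kerberos path was not used.
```

The final SYS_CONTEXT check is the part worth keeping in any runbook: a misconfigured client often still connects, just not via Kerberos, so verify the authentication method of the session rather than assuming the logon proves it.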

All in all, the roadmap to security should be taken in small steps, so that all stakeholders get used to each small technical solution before being taken onto the path to the next level.
