Mark Wilcox

Blog from Oracle Consulting Security Team

Test Blog Entry for Migration

Tue, 2017-03-21 14:29
Adding a blog entry for the purposes of testing the upcoming blog migration.

Security Link Roundup - January 4, 2016

Mon, 2016-01-04 10:50

January 4, 2016 Oracle Consulting Security Link Roundup

I'm Mark Wilcox, the Chief Technology Officer for Oracle Consulting - Security in North America, and this is my weekly roundup of security stories that interested me.


Database of 191 million U.S. voters exposed on Internet: researcher

So 2016 starts off with another headline of a database breach.

In this case 191 million records of US voters.

This is ridiculous.

And could have been prevented.

And a sobering reminder to contact your Oracle representative and ask them for a database security assessment by Oracle Consulting.

Secure Protocol for Mining in Horizontally Scattered Database Using Association Rule

Data mining is a hot topic - it's essential to marketing, sales and innovation. Companies have lots of information on hand, but until you start mining it, you can't really do anything with it.

And often that data is scattered across multiple databases.

In this academic paper from the "International Journal on Recent and Innovation Trends in Computing and Communication" the authors describe a new protocol that they claim respects privacy better than other options.

On the other hand - Oracle already has lots of security products (for example database firewall, identity governance) that you can implement today to help make sure only the proper people have access to the data.

So make sure to call your Oracle representative and ask for a presentation by Oracle Consulting on how Oracle security can help protect your data mining databases.

A Guide to Public Cloud Security Tools

Cloud computing is happening.

And most people are still new to the space.

This is a good general article on the differences in security between public and private clouds.

Plus it has a list of tools to help you with cloud security.

And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

Survey: Cloud Security Still a Concern Heading into 2016

Security continues to be the biggest concern when it comes to cloud.

While there are challenges - I find securing cloud computing a lot simpler than on-premise, assuming your cloud hosting is with one of the major vendors such as Oracle or Amazon.

And if you are wanting to use cloud to host Oracle software - please call your Oracle representative and ask them to arrange a meeting with Oracle Consulting Security to talk about how Oracle can help do that securely.

"Holy crap, Marie."

I watch a lot of reruns of "Everybody Loves Raymond" and I feel like this story is another rerun.

Except unlike Raymond this is a rerun of a bad TV show.

Encrypting a database is one of the best ways to secure your data from hackers.

So before you start storing data in the cloud, in particular with an Oracle database, make sure you have Oracle Consulting do a security assessment for you.

That way you can know what potential problems you have before you start storing sensitive production data.


How To Do Single Sign On (SSO) for Web Services

Wed, 2013-12-11 08:38

A recent question on our internal list was

"A customer has OAM and wants to do SSO to SOAP Web Services".

In this case the customer was using Webcenter Content (the product formerly known as Unified Content Manager UCM). But the scenario applies to any SOAP Web Service.

My answer was well received and there isn't anything proprietary here so I thought I would share to make it easier for people to find and for me to refer to later.

First - There is no such thing as SSO in web services.

There is only identity propagation.

Meaning that I log in as Fabrizio into OAM, connect to a Web application protected by OAM.

That Web application is a Web Services client and I want to tell the client to tell the Web Services that Fabrizio is using the service.

The first step to set this up is to protect the web services via OWSM.

The second step is to translate the OAM token into a WS-Security token.

There are 3 ways to do this second step:

1 - If you are writing a manual client and don't want any other product involved - use OAM STS

2 - Use Oracle Service Bus (which most likely will also use OAM STS but should make this a couple of mouse clicks)

3 - Use OAG - which doesn't need to talk to STS. It has a very simple way to convert OAM into a WS-Security header.

If you're not using OSB already - I would recommend OAG. It's by far the simplest plus you get the additional benefits of OAG.

PS - You can use OSB and OAG together in many scenarios - I was only saying to avoid OSB here because the service was already exposed and there was no benefit I could see for having OSB. If you have a reason to have OSB - let me know. I only know OSB at a very high level since my area of focus is security.

The Difference Between Access Manager 10g and 11g Webgates

Thu, 2013-08-29 11:00

A common question we get is what is the difference between Access Manager 10g and Access Manager 11g webgates.

My colleague Yagnesh who covers webgates put together a simple list:

Here are the 11g features:

  • Oracle Universal Installer for platform. Generic for all platforms
  • Host-based cookie
  • Individual WebGate OAMAuthnCookie_ making it more secure
  • A per agent key, and server key, are used. Agent key is stored in wallet file and Server key is stored in Credential store
  • One per-agent secret key shared between 11g WebGate and OAM Server; one OAM Server key
  • OAM 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Identity Federation for this situation.
  • Capability to act as a detached credential collector
  • Webgate Authorization Caching
  • Diagnostic page to tune parameters
  • Has separate install and configuration option. Hence, single install and multiple instance configuration is supported.

And 10g:

  • InstallShield and One installer per platform
  • Domain-based cookie
  • ObSSOCookie (one for all 10g Webgates)
  • Global shared secret stored in the directory server only (not accessible to WebGate)
  • There is just one global shared secret key per OAM deployment which is used by all the WebGates
  • OAM 10g provides a proprietary multiple network domain SSO capability that predates Oracle Identity Federation. Complex configuration is required.
  • One Web server configuration supported per WebGate. Need to have multiple WebGates for multiple instances.
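
Why the lists above treat the 11g host-based, per-WebGate cookie as more secure than the 10g domain-based ObSSOCookie, as an added example that is not from the original post or from Oracle: it applies the RFC 6265 domain-matching rule to constructed hostnames and reports which hosts a browser would send each cookie to. The hostnames and the `Cookie` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed hostnames for illustration; not from the original post.
HOSTS = ["hr.example.com", "wiki.example.com", "legacy.example.com", "www.example.org"]


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str                # host whose response set the cookie
    domain: Optional[str]      # Domain attribute; None means host-only


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for hostnames (no IP literals)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def receives(cookie: Cookie, host: str) -> bool:
    """True if a browser would attach the cookie to a request for host."""
    if cookie.domain is None:
        return host.lower() == cookie.set_by.lower()
    return domain_match(host, cookie.domain)


def scope(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Sorted list of hosts that would receive the cookie."""
    return sorted(h for h in hosts if receives(cookie, h))


# 10g model from the list above: one domain-based ObSSOCookie for all WebGates.
cookie_10g = Cookie("ObSSOCookie", set_by="hr.example.com", domain=".example.com")
# 11g model: host-based cookie per WebGate (the name suffix is elided on the page).
cookie_11g = Cookie("OAMAuthnCookie_", set_by="hr.example.com", domain=None)

if __name__ == "__main__":
    for c in (cookie_10g, cookie_11g):
        print(f"{c.name:16} -> {scope(c, HOSTS)}")
```

Every host inside a cookie's scope handles the session token, so under the domain-based model each web server in the domain sees the same SSO cookie, while the host-based cookie stays with the one WebGate that issued it.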

Fresh, Informative and Fun - Join Us For Your Opening Presentation at Open World 2013

Thu, 2013-08-29 09:25

Join us on Monday September 23, 2013 for Senior Vice President Amit Jasuja's presentation.

It's called "CON8808 - Oracle Identity Management: Enabling Business Growth in the New Economy".

The title is boring but the presentation will be fresh, informative and fun.

This is our annual presentation to share our thoughts on where the world is going in terms of identity management and letting customers who are leading the way let you know how they are getting there.

And we will deliver this to you in a way that promises to be as entertaining as it is informative.

Click here and schedule yourself for Amit's session before we run out of room

If You Are Interested In OUD - You Need To Be Reading Sylvain Duloutre's Blog

Wed, 2012-05-02 14:38
My colleague Sylvain Duloutre is writing a series of posts about Oracle Unified Directory (OUD) including how to co-habitate and migrate from DSEE to OUD which is how we believe most existing DSEE customers who adopt OUD will make the move.
You can read his blog here.

Announcing Oracle Optimized Solution for Oracle Unified Directory

Fri, 2012-04-20 02:03
I'm happy today to be able to share that we released an optimized solution for Oracle Unified Directory. It's one of the first public announcements we can make of several cool & useful things we've been working on. We have more coming from the identity & access team. Which reminds me - for my loyal readers here - since December 2011 - besides covering directory - I am also now on the Oracle Access Manager Suite team.

My colleague Sylvain's post summed up nicely what it is:

Oracle Optimized Solution for Oracle Unified Directory is a complete solution - Software and Hardware engineered to work together. It implements Oracle Unified Directory software on Oracle's SPARC T4 servers to provide highly available and extremely high performance directory services for the entire enterprise infrastructure and applications. The solution is architected, optimized, and tested to deliver simplicity, performance, security, and savings in enterprise environments. More details available at

While that post is short - it is dense with information. So to explain it more simply - within Oracle we have a team (Optimized Solutions) who work with our product teams to show how our customers can get the best performance out of our hardware when running a specific software package. Instead of just giving you a generic tuning guide for our product - we've gone through the tuning steps and tested the configuration(s) for you. Thus besides giving you great performance - it's a faster & simpler deployment because you can reduce the time it takes to run a tuning exercise from scratch. Optimized solutions simplify that exercise because we've already done most (if not all) of the work for you.

Click here to learn more about our Optimized Solution for Oracle Unified Directory.

Oracle Identity Management (OID, OVD, OIF) 11gR1 Patchset 5 ( Released.

Thu, 2012-02-23 15:51
I'm sure you've seen the flood of announcements from the other Fusion Middleware products about the release. We got in on the fun too. You can download it here. And for a fresh install - you can start directly from For the most part this is just a bug fix release for us. But there are a couple of enhancements I would like to share.

Oracle Virtual Directory

The biggest enhancement I would highlight is that we have dramatically simplified configuring OVD for Enterprise User Security (EUS). EUS has been something that has always worked but required executing lots of individual steps. We now have this set up as a wizard, and OVD's own Local Store Adapter holds most of the meta-data. So less work on the enterprise LDAP and fewer steps. It should mean initial EUS configuration by most people can now be done in less than a day.

Directory Integration Platform

DIP has been part of Oracle for over a decade but until now it required OID. Now it can be used with DSEE or OUD as its metadata store. This now means that if you want to deploy DSEE or OUD but need to synchronize groups & users from AD - you can do it without needing any type of custom code or bringing in a full provisioning product.

How To Simplify Your Password Management With Oracle Enterprise Single Sign-On

Thu, 2011-10-13 12:11
We're doing another free webcast - this time on Enterprise Single Sign-On. Click here to register
Addressing Your Password Nightmares with an Enterprise Single Sign-On Platform

Webcast Date: Wednesday, October 19, 2011 
Webcast Time: US Pacific 10am PDT

Studies estimate that nearly 25 percent of all help desk calls are related to password resets. The modern enterprise IT environment demands a balance between the intense security required to meet a variety of compliance standards and the need for flexibility and ease-of-use on the part of end-users. 

Enterprise single sign-on (ESSO) can help strike that balance and protect your business. ESSO built into your identity management platform can offer even more. It can reduce risk, enhance user productivity, cut costs, and provide a long-term solution to password management. 

Join us for this live complimentary Webcast where industry experts from Oracle will discuss:

  • How to slash your password related help desk costs and improve user experience
  • The benefits of ESSO integrated into an identity management platform
  • Best practices for a successful ESSO deployment

You’ll also have the opportunity to get answers to your most nagging security questions during the live Q&A.

How To Use Oracle Identity Management To Rescue Delayed IBM Identity Management Deployments

Fri, 2011-09-02 06:35
Oracle Identity Management Webinars

If your organization has a delayed IBM-based identity management deployment this webinar will show reasons why this might be and how Oracle can help.

In particular you will learn how Oracle Identity Management can:

  • Mobilize and complete your identity management project
  • Coexist with or replace your existing IBM identity management point solution
  • Reduce security risk and improve regulatory compliance

Click Here To Register.

Learn How To Save 48% On Your Access Management Deployment

Fri, 2011-09-02 06:30
We're hosting an upcoming webinar with the Aberdeen Group that will present research showing how using an Identity Management platform can save you significant money vs a point-solution based deployment. Click Here to register.

Remember Your Password Or You Won't Get Your Donut

Wed, 2011-08-24 04:26
People have trouble remembering complex passwords. Click here to see one organization's ingenious way to get their employees to remember them. Click it or no donut for you.

Best Practice For Oracle Virtual Directory (OVD) Backup and Disaster Recovery.

Thu, 2011-08-18 05:03
I'm writing this in response to a question on one of our mailing lists. Because of the current nature of the Oracle docset (something the doc team is working on), it's kind of hard to figure this out in a concise form. Here are the things to do:
  • Make sure to have 2 or more OVD instances deployed in production. OVD provides tools to keep the configurations in sync between systems.
  • If you have an external DR site - then synchronize the OVD configuration to this external site. Note this assumes that hostnames will be the same in the DR site as in the primary. If not - it will require manual tweaking of the names.
  • OVD keeps all of its configuration in files in the $ORACLE_INSTANCE directory. Back this directory up. If you need to recover - this can be restored. Most likely you would need to re-register the instance with OPMN and EM - which is covered in the OVD documentation.

Oracle Unified Directory Webcast Q&A Results Posted

Thu, 2011-07-28 07:10
We have posted the answers to the questions from the Q&A from the OUD introduction webcast.

Moving OVD 11g Test to Production Configurations

Mon, 2011-07-25 03:43
Just back from vacation - during which we launched our new Oracle Unified Directory (OUD). And I'll be spending a lot of time writing about that since it's a new product. But here's a useful piece of 11g OVD information.

If you need to migrate test to production configurations on 11g OVD and you apply the latest patchset ( aka Patchset 4), we have new migration scripts that are particularly useful for off-line migrations.

For off-line Test-To-Production migration of OVD, customers can use Movement Scripts to:
  1. Create a configuration archive of OVD instance using 'copyConfig' script.
  2. Extract the move plan using 'extractMovePlan' script & edit the move plan appropriately.
  3. Copy the configuration archive & move plan to Production server(s) & execute 'pasteConfig' script.

Introducing Oracle Unified Directory 11g

Fri, 2011-07-15 13:48
July 21, 2011 at 10:00am PT / 1:00pm ET / 19:00 CET

Enterprises face many choices for managing identity data: to virtualize or not to virtualize, to synchronize data or store data. The choice of directory server means choosing between multiple vendors and compromising between features and performance. Oracle Unified Directory 11g defines a new category in the directory server market. Join us for this launch webcast to learn how Oracle Unified Directory 11g provides scalability and a complete directory server solution. Register by clicking here.

A New OVD Customer Case Study

Wed, 2011-04-13 03:23

The EMEA sales team just published a new case study for Ruhr-Universität Bochum, a university in Germany.

They use OVD to provide an LDAP interface to their master identity data which is stored in an Oracle database. This allowed them to avoid needing to synchronize the data to another LDAP - which resulted in faster and more reliable identity services.

Posted via email from Virtual Identity Dialogue

Choosing The Right Directory For The Cloud - Recording of Mark Wilcox Webcast from March 24, 2011

Thu, 2011-03-31 00:14

Last week I delivered a webcast on Choosing the Right Directory For the Cloud and the recording for the event is now live.

Even if you don't really have any interest in directories on the cloud - I encourage you to listen to the Q&A after my short (about 20 minutes) presentation.

Lots of interesting questions - most of which are not directory-centric.
