{"id":19,"date":"2022-07-01T18:36:50","date_gmt":"2022-07-01T18:36:50","guid":{"rendered":"https:\/\/olyareri.nl\/?p=19"},"modified":"2022-07-01T18:36:51","modified_gmt":"2022-07-01T18:36:51","slug":"securing-oracle-saas-and-paas-solutions-using-ip-whitelisting-and-mfa","status":"publish","type":"post","link":"https:\/\/olyareri.nl\/?p=19","title":{"rendered":"Securing Oracle SaaS and PaaS solutions using IP whitelisting and MFA"},"content":{"rendered":"\n<p><strong>With more and more business applications in the cloud, the need for tighter security increases. Setting up Multi-Factor Authentication (MFA) is one way to achieve this. In this article, we will show how to set up MFA and IP whitelisting for the Oracle Cloud.<\/strong><\/p>\n\n\n\n<p>User laptops can be hacked and malware can be installed by accident, so sooner or later a password will be compromised. In the pre-cloud era, business applications were far less exposed to the outside world. Now, anyone in the world can in theory reach&nbsp;<strong>your<\/strong>&nbsp;business application, and the only security measure in between is a username\/password combination.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IP whitelisting<\/h2>\n\n\n\n<p>Using IP whitelisting, we can make sure that only clients whose source address falls within a defined set of ranges can access your cloud applications: your corporate network, for example, or the address blocks of a specific country or continent. A more elaborate scheme restricts specific roles (administrators and the like) to signing in from a short list of IP addresses only.<\/p>\n\n\n\n<p>For the Oracle Cloud, you configure this in Oracle Identity Cloud Service (IDCS).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Defining sign-on policies<\/h2>\n\n\n\n<p>In Oracle IDCS, we can define multiple sign-on policies. Each policy consists of a set of rules and a list of applications to which those rules apply. 
The default sign-on policy allows any authenticated user to sign on (see figure 1).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/fc906739-2fc4-4037-831e-98da95e3d8f0\/Figuur+1.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/fc906739-2fc4-4037-831e-98da95e3d8f0\/Figuur+1.png\" alt=\"\"\/><\/a><figcaption>Figure 1: The default sign-on policy allows all access<\/figcaption><\/figure>\n\n\n\n<p>Each rule within a sign-on policy determines whether a user may or may not sign on, and can either grant or deny access. Rule priorities control the order in which the rules are evaluated; the first rule whose conditions match decides the outcome.<\/p>\n\n\n\n<p>Adding a sign-on policy for a specific application allows us to configure access for that application alone (see figures 2 and 3). In our example, we define a specific sign-on policy for Oracle Integration Cloud (PaaS). When an application has its own sign-on policy, IDCS uses that policy instead of the \u2018Default\u2019 one.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/dd43fdad-6a79-43b2-ba07-eec06507e626\/Figuur+2.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/dd43fdad-6a79-43b2-ba07-eec06507e626\/Figuur+2.png\" alt=\"\"\/><\/a><figcaption>Figure 2: Adding a sign-on policy for a specific application<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/e40feae5-0a2a-4617-8c09-9b8f736ea7be\/Figuur+3.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/e40feae5-0a2a-4617-8c09-9b8f736ea7be\/Figuur+3.png\" alt=\"\"\/><\/a><figcaption>Figure 3: Adding a specific application to the sign-on policy. 
If desired, multiple applications can be added<\/figcaption><\/figure>\n\n\n\n<p>Now we need to allow access to this application based on a particular (corporate) IP range.<br>Figures 4, 5 and 6 show how to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Define a network perimeter: a named list of IP addresses or address ranges.<\/li><li>Add a rule to the policy that allows access for all users whose address falls within that perimeter.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/6c3999a2-6a06-46f9-a60b-f54f7337ceca\/Figuur+4.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/6c3999a2-6a06-46f9-a60b-f54f7337ceca\/Figuur+4.png\" alt=\"\"\/><\/a><figcaption>Figure 4: Adding a network perimeter<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/cc705aaf-a9ca-4ffb-8701-94ffb9023272\/Figuur+5.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/cc705aaf-a9ca-4ffb-8701-94ffb9023272\/Figuur+5.png\" alt=\"\"\/><\/a><figcaption>Figure 5: Adding a network perimeter listing all corporate IP addresses. 
Note that this is an internal IP range, used for illustration purposes only<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/8e648c16-64ef-47e1-9af0-aacd7c5f22d3\/Figuur+6.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/8e648c16-64ef-47e1-9af0-aacd7c5f22d3\/Figuur+6.png\" alt=\"\"\/><\/a><figcaption>Figure 6: Sign-on rule whitelisting the corporate IP range<\/figcaption><\/figure>\n\n\n\n<p>We add a second rule, evaluated after the allow rule, that denies all other access to Oracle Integration Cloud (figures 7 and 8). This policy only applies to the Integration Cloud application, so the default policy still governs sign-on to the IDCS console itself; even so, keep a separate administrator session open while you edit rules, so that a mistake in the perimeter or in the rule order cannot lock you out of the application.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/e4222bef-a222-46a7-a4ef-a7e74b0ea35a\/Figuur+7.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/e4222bef-a222-46a7-a4ef-a7e74b0ea35a\/Figuur+7.png\" alt=\"\"\/><\/a><figcaption>Figure 7: Rule to deny all access<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/c409b31e-dcf0-4576-94d1-dc93d8005fe3\/Figuur+8.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/c409b31e-dcf0-4576-94d1-dc93d8005fe3\/Figuur+8.png\" alt=\"\"\/><\/a><figcaption>Figure 8: Sign-on policy rules that allow only the whitelisted corporate addresses<\/figcaption><\/figure>\n\n\n\n<p>Now suppose we want people outside the corporate address range to be able to log in as well, but only after presenting an additional authentication factor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up MFA in Oracle Cloud<\/h2>\n\n\n\n<p>Enabling Multi-Factor Authentication (MFA) in the Oracle Cloud is rather simple. 
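<\/p>\n\n\n\n<p>Before clicking through the console, it helps to see the rule evaluation we are working towards written out. The following Python model is an example added to this article, not Oracle's own code or API: it evaluates a sign-on policy the way the figures describe, rules tried in priority order with the first matching rule deciding. The rule names, decision strings, group name and every address are assumptions; the perimeters use RFC 1918 and documentation ranges only. It also shows the stricter scheme mentioned under IP whitelisting (administrators restricted to a short list of addresses) and what happens when the deny-all rule ends up first.<\/p>\n\n

```python
# Added example for this article: a model of sign-on policy evaluation.
# Illustrative code, not Oracle's IDCS engine or API. Rule names, the decision
# strings, the group name and every address below are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List

# Network perimeters (constructed; RFC 1918 space only).
CORPORATE = [ip_network('10.10.0.0/16'), ip_network('192.168.100.0/24')]
ADMIN_JUMP_HOSTS = [ip_network('10.10.250.10/32'), ip_network('10.10.250.11/32')]


def in_perimeter(client_ip: str, perimeter) -> bool:
    # True when the client address lies in any range of the perimeter.
    addr = ip_address(client_ip)
    return any(addr in net for net in perimeter)


@dataclass(frozen=True)
class Request:
    client_ip: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    priority: int                       # lower value is evaluated first
    name: str
    matches: Callable[[Request], bool]  # the rule's conditions
    decision: str                       # 'allow', 'mfa' or 'deny'


def evaluate(rules: List[Rule], req: Request) -> str:
    # Rules are tried in priority order; the first one whose conditions match
    # decides. A request that no rule matches is denied, so a policy that
    # forgets its catch-all still fails closed in this model.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            return rule.decision
    return 'deny'


def from_corporate(req: Request) -> bool:
    return in_perimeter(req.client_ip, CORPORATE)


def is_admin(req: Request) -> bool:
    return 'Administrators' in req.groups


# The three rules of figure 12: corporate range in, everyone else only with a
# second factor, and an explicit deny-all as the last line of defence.
POLICY = [
    Rule(1, 'corporate range', from_corporate, 'allow'),
    Rule(2, 'other addresses need MFA', lambda r: True, 'mfa'),
    Rule(3, 'deny all', lambda r: True, 'deny'),
]

# The same rules with reversed priorities: deny-all is evaluated first and
# blocks everybody. This is the lock-out to watch for when editing priorities.
MISORDERED = [Rule(4 - r.priority, r.name, r.matches, r.decision) for r in POLICY]

# The stricter scheme from the IP whitelisting section: administrators may
# only sign in from a short list of jump hosts; everyone else is handled as above.
ADMIN_POLICY = [
    Rule(1, 'admins from jump hosts only',
         lambda r: is_admin(r) and in_perimeter(r.client_ip, ADMIN_JUMP_HOSTS), 'allow'),
    Rule(2, 'admins from anywhere else', is_admin, 'deny'),
] + [Rule(r.priority + 2, r.name, r.matches, r.decision) for r in POLICY]


if __name__ == '__main__':
    admins = frozenset({'Administrators'})
    samples = [
        ('laptop in the office', Request('10.10.5.7')),
        ('home network', Request('203.0.113.9')),
        ('admin on a jump host', Request('10.10.250.10', admins)),
        ('admin at home', Request('203.0.113.9', admins)),
    ]
    for label, req in samples:
        print(label, ':', evaluate(POLICY, req), '/ admin policy:', evaluate(ADMIN_POLICY, req))
```

<p>Run it directly to print the outcome for a few constructed requests. The lesson to carry into the console is that the deny-all rule is harmless as long as it is evaluated last; the only thing between a working policy and a lock-out is the priority order.<\/p>\n\n\n\n<p>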
In your IDCS console, navigate to Security -&gt; MFA and tick the factors you want to offer (see figures 9 and 10).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/802a918a-767c-40ea-93e2-bbcc3fe2f396\/Figuur+9.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/802a918a-767c-40ea-93e2-bbcc3fe2f396\/Figuur+9.png\" alt=\"\"\/><\/a><figcaption>Figure 9: MFA menu<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/107d2241-14d3-4054-b917-c19082e52807\/Figuur+10.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/107d2241-14d3-4054-b917-c19082e52807\/Figuur+10.png\" alt=\"\"\/><\/a><figcaption>Figure 10: Enable MFA by ticking the factors to offer<\/figcaption><\/figure>\n\n\n\n<p>Next, we add a new rule to our Integration Cloud sign-on policy, placed between the corporate allow rule and the deny-all rule. This rule matches all other IP addresses and grants access, but only after the user presents an additional factor (see figures 11 and 12). The order matters: were the deny-all rule evaluated first, nobody could sign in, and were the MFA rule evaluated before the corporate rule, office users would be prompted for a second factor as well.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/235ab28c-b524-482d-8acf-103693fc9a5c\/Figuur+11.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/235ab28c-b524-482d-8acf-103693fc9a5c\/Figuur+11.png\" alt=\"\"\/><\/a><figcaption>Figure 11: Adding a second rule, for all IP addresses outside the corporate range, that requires MFA<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/7edaa3a4-1adb-4ce4-9688-44691c78f7f8\/Figuur+12.png\"><img decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/7edaa3a4-1adb-4ce4-9688-44691c78f7f8\/Figuur+12.png\" alt=\"\"\/><\/a><figcaption>Figure 12: Three sign-on rules. The first rule allows access whenever someone logs in from the corporate IP range. 
The second rule requires everyone else to use a second authentication factor. The last rule denies all remaining access<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Log in using MFA<\/h2>\n\n\n\n<p>With the new sign-on policy in place, we try to log in to our Oracle Integration Cloud instance from an address outside the corporate range.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/d87ed43c-4aaf-4e50-9471-0bf6dc0f2cc8\/Figuur+13.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/d87ed43c-4aaf-4e50-9471-0bf6dc0f2cc8\/Figuur+13.png\" alt=\"\" width=\"634\" height=\"500\"\/><\/a><figcaption>Figure 13: First, we sign on using our username\/password credentials<\/figcaption><\/figure>\n\n\n\n<p>Oracle now requests a second authentication factor (figure 14). To get access, we install the Oracle Mobile Authenticator app on a phone. The app then has to be paired with this particular cloud account, which is straightforward: on the first login attempt, IDCS detects that no authenticator app has been enrolled for this account. 
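<\/p>\n\n\n\n<p>What that pairing and the subsequent code check amount to, as an example added to this article rather than Oracle software: the QR code carries a provisioning URI with a shared secret, the app derives a six-digit time-based code from that secret (TOTP, RFC 6238), and the service recomputes the same code to verify it. The page does not show Oracle's exact QR payload, so the widely used otpauth URI format is assumed here; the account name and issuer are constructed, and the secret is the RFC 6238 reference secret so the codes can be checked against the RFC. The verifier also handles the two details a practitioner wants right: a small window for clock drift, and a refusal to accept any code at or below the counter last used, so a code captured in transit cannot be replayed.<\/p>\n\n

```python
# Added example for this article: what enrolling an authenticator app and
# checking its codes amounts to. Illustrative code, not Oracle software.
# The otpauth URI format, account name and issuer are assumptions; the
# secret is the RFC 6238 reference secret so values can be checked.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference secret (20 bytes, SHA-1 variant), base32 encoded.
RFC_TEST_SECRET_B32 = base64.b32encode(b'12345678901234567890').decode('ascii')


def new_secret_b32(length: int = 20) -> str:
    # A fresh random secret for a real enrolment. The app only ever sees this
    # value (inside the QR code), so generate it server side and store it as
    # carefully as you would a password hash.
    return base64.b32encode(secrets.token_bytes(length)).decode('ascii')


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    # This URI is what the QR code encodes; scanning it stores the secret in the app.
    label = quote(issuer + ':' + account)
    return ('otpauth://totp/' + label + '?secret=' + secret_b32 + '&issuer=' + quote(issuer)
            + '&algorithm=SHA1&digits=' + str(DIGITS) + '&period=' + str(STEP_SECONDS))


def hotp(secret_b32: str, counter: int) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    # then reduce modulo 10^DIGITS and left-pad with zeros.
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, counter.to_bytes(8, 'big'), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], 'big') & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp_at(secret_b32: str, unix_time: int) -> str:
    # RFC 6238: the counter is the number of 30-second steps since the epoch.
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, unix_time: Optional[int] = None,
           window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    # Server-side check of a code the user typed. Accepts the current step and
    # 'window' steps either side to absorb clock drift, compares in constant
    # time, and refuses any counter at or below the last one already accepted,
    # so a captured code cannot be replayed inside its validity window.
    # Returns the matched counter (store it as the new last_used_counter) or
    # None when the code is rejected.
    now = int(time.time()) if unix_time is None else unix_time
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == '__main__':
    print(provisioning_uri(RFC_TEST_SECRET_B32, 'alice@example.com', 'Example Integration Cloud'))
    print('code at T=59 is', totp_at(RFC_TEST_SECRET_B32, 59), '(RFC 6238 lists 94287082)')
```

<p>For a real enrolment, generate the secret with new_secret_b32 on the server, put provisioning_uri into the QR code, and store the counter returned by verify alongside the secret so the replay check survives across logins.<\/p>\n\n\n\n<p>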
A QR code is shown; scanning it with the authenticator app pairs the app with this account, and from then on the code the app displays is accepted as the second factor.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.qualogy.com\/static\/upload\/lightbox\/1ebe458e-ac72-4ef2-9e60-2270120391b9\/Figuur+14.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.qualogy.com\/static\/upload\/center-mw\/1ebe458e-ac72-4ef2-9e60-2270120391b9\/Figuur+14.png\" alt=\"\" width=\"784\" height=\"378\"\/><\/a><figcaption>Figure 14: MFA: 2-Step Verification<\/figcaption><\/figure>\n\n\n\n<p>With the three rules in place, users on the corporate network sign in with their password only, everyone else must also present a code from the authenticator app, and nothing else gets through. Bear in mind that the corporate rule trusts every device behind the whitelisted addresses, including the hacked laptop from the introduction, so it reduces exposure rather than replacing a second factor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With more and more business applications in the cloud, the need for tighter security increases. Setting up Multi-Factor Authentication (MFA) is one way to achieve this. In this article, we will show how to set up MFA and IP whitelisting for the Oracle Cloud. 
User laptops can be hacked, and malware can accidentally be installed, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-19","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/posts\/19","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/olyareri.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=19"}],"version-history":[{"count":1,"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/posts\/19\/revisions"}],"predecessor-version":[{"id":20,"href":"https:\/\/olyareri.nl\/index.php?rest_route=\/wp\/v2\/posts\/19\/revisions\/20"}],"wp:attachment":[{"href":"https:\/\/olyareri.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=19"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/olyareri.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=19"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/olyareri.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=19"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}