WMS: 11287 Quarterly QA Update

oci-adb-iam/cleanup/cleanup.md

@@ -56,19 +56,35 @@ This lab assumes that you have completed the previous labs and created all resou
     <copy>oci iam group delete --group-id $DB_ADMIN_OCID</copy>
     ```
 
-5. You may now close your cloud shell session, as you will use the OCI Console to delete the final resource. Click on the hamburger icon in the top left corner. Choose **Identity and Security** then **Policies**.
+5. You may now close your cloud shell session, as you will use the OCI Console to delete the final resources. Click on the hamburger icon in the top left corner. Choose **Identity and Security** then **Policies**.
 
     ![Identity and Security](https://oracle-livelabs.github.io/common/images/console/id-policies.png " ")
 
-6. Ensure that you are in your root compartment, and you should see the policiy called **grant-adb-access**. Click the box next to its name then click delete.
+6. Ensure that you are in your root compartment, and you should see the policiy called **grant-adb-access**. Check the box next to its name then click **Delete**.
 
     ![Policy Page - Delete](images/delete-policy.png)
 
+7. Next you will click on the **Profile** icon in the top right corner and choose **My profile**.
+
+    ![Navigate to user profile](images/user-profile.png)
+
+8. Scroll down to the bottom of the page, choose **Database passwords**. Find the database password that you created in this lab, identified by the description "DB password for your OCI account". Check the box next to it and choose **Delete**.
+
+    ![Delete database password](images/delete-database-password.png)
+
+## Appendix: Delete federated IAM user
+
+1. This step is only necessary if you followed the steps in the Lab 1 appendix to create a federated IAM user. Log out of OCI with the federated user. Log back in with your original user and delete the federated user with the following command.
+
+    ```
+    <copy>oci iam user delete --user-id [Federated user OCID]</copy>
+    ```
+
 Your OCI tenancy should now be cleared of all lab resources.
 
 ## Acknowledgements
 * **Author**
   * Richard Evans, Database Security Product Management
   * Miles Novotny, Solution Engineer, North America Specialist Hub
   * Noah Galloso, Solution Engineer, North America Specialist Hub
-* **Last Updated By/Date** - Miles Novotny, December 2022
+* **Last Updated By/Date** - Miles Novotny, April 2023

oci-adb-iam/db-credentials-and-login/db-credentials-and-login.md

@@ -3,33 +3,35 @@
 ## Introduction
 
 Now that you have enabled IAM as the identity provider of your ADB, in this lab you will
-create IAM credentails for your user and use them to connect to the database. First we connect with our IAM username and password, then with a token. Using a token lets you connect to the database without a password, and is possible for you because of the OCI_TOKEN parameter you added to the tnsnames.ora file in the previous lab. Not needing a password is useful if you have hundreds of databases in your environment, as managing passwords for each DB can be time consuming.
+create IAM database credentials for your user and use them to connect to the database. First we connect with our IAM database username and password, then with a token. Using a token lets you connect to the database without a password, and is possible for you because of the OCI_TOKEN parameter you added to the tnsnames.ora file in the previous lab. Using a token instead of a password is more secure since the password verifier isn’t used and sent across the network.
 
 *Estimated Lab Time*: 15 minutes
 
 Watch the video below for a quick walk-through of the lab.
 [Create IAM Credentials and log into the database](videohub:1_tth3qivl)
 
 ### Objectives
-- Create IAM credentials for users of your ADB
-- Use IAM credentials to log into and query the database
-- Use a IAM Token to connect to and query the database
+- Create IAM database credentials for users of your ADB
+- Use IAM database credentials to log into and query the database
+- Use an IAM Token to connect to and query the database
 
 ### Prerequisites
 This lab assumes that you have completed the introduction lab.
 
 ### Prerequisites
 This lab assumes that you have completed the previous labs and successfully enabled IAM as your database identity provider.
 
+>**Note:** An IAM database password is not the same as your IAM console password. The IAM database password is created separately in your IAM user profile.
+
 ## Task 1: Connect to the database as your OCI user.
 
-1. Create IAM credentials for your OCI user
+1. Create an IAM database credential for your OCI user
 
     ```
     <copy>oci iam user create-db-credential --user-id $OCI_CS_USER_OCID --password Oracle123+Oracle123+ --description "DB password for your OCI account"</copy>
     ```
 
-2. Connect to database with IAM credentials as your OCI user. All values you see should match the output below except for **AUTHENTICATED\_IDENTITY** and **ENTERPIRSE\_IDENTITY**. These are unique to your user.
+2. Connect to the database with the IAM database credentials as your OCI user. All values you see should match the output below except for **AUTHENTICATED\_IDENTITY** and **ENTERPRISE\_IDENTITY**. These are unique to your user.
 
     ```
     <copy>sql /nolog <<EOF
@@ -45,7 +47,7 @@ This lab assumes that you have completed the previous labs and successfully enab
     ```
 
     ```
-    <copy>SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
+    SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
     _________________________________________________
     FALSE                                             
 
@@ -77,7 +79,7 @@ This lab assumes that you have completed the previous labs and successfully enab
 
     SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')    
     ____________________________________________
-    tcps</copy>
+    tcps
     ```
 
 3. Add your OCI user to the **DB_ADMIN** group.
@@ -86,7 +88,7 @@ This lab assumes that you have completed the previous labs and successfully enab
     <copy>oci iam group add-user --user-id $OCI_CS_USER_OCID --group-id $DB_ADMIN_OCID</copy>
     ```
 
-4. Connect to the database with IAM credentials again. Because the **DB\_ADMIN** IAM group is mapped to the **SR\_DBA\_ROLE** ADB group you will see the first query of this script now return TRUE. Again, all all values you see should match the output below except for **AUTHENTICATED\_IDENTITY** and **ENTERPIRSE\_IDENTITY**. These are unique to your user.
+4. Connect to the database with IAM credentials again. Because the **DB\_ADMIN** IAM group is mapped to the **SR\_DBA\_ROLE** ADB group you will see the first query of this script now return TRUE. Again, all all values you see should match the output below except for **AUTHENTICATED\_IDENTITY** and **ENTERPRISE\_IDENTITY**. These are unique to your user.
 
     ```
     <copy>sql /nolog <<EOF
@@ -102,7 +104,7 @@ This lab assumes that you have completed the previous labs and successfully enab
     ```
 
     ```
-    <copy>SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
+    SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
     _________________________________________________
     TRUE                                              
 
@@ -134,18 +136,19 @@ This lab assumes that you have completed the previous labs and successfully enab
 
     SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')    
     ____________________________________________
-    tcps</copy>
+    tcps
     ```
 
 ## Task 2: Connect to the database with a token.
 
-1. Generate a token used for database access. It is possible to generate this token because of the OCI_TOKEN parameter we added to the tnsnames.ora file in the previous lab. Not needing a password is useful if you have hundreds of databases in your environment, as managing passwords for each DB can be time consuming.
+1. Generate a token used for database access. It is possible to use a token when using a ‘/’ (slash) login because of the OCI_TOKEN parameter we added to the connect string in the tnsnames.ora file in the previous lab. Using a token instead of a password is more secure since you’re not using and sending a password verifier to the database.
+>**Note:** The IAM token is stored in a default location which is also known by the database client. A directory location can also be specified when retrieving and using the token.
 
     ```
     <copy>oci iam db-token get</copy>
     ```
 
-2. Connect to the database using your token. Notice that the **AUTHENTICATION\_METHOD** is now listed as **TOKEN\_GLOBAL**, rather than **PASSWORD\_GLOBAL**, which it is when you access the database with an IAM username and password.
+2. Connect to the database using your token. Notice that the **AUTHENTICATION\_METHOD** is now listed as **TOKEN\_GLOBAL**, rather than **PASSWORD\_GLOBAL**, which it is when you access the database with an IAM username and IAM database password.
 
     ```
     <copy>sql /@lltest_high <<EOF
@@ -160,7 +163,7 @@ This lab assumes that you have completed the previous labs and successfully enab
     ```
 
     ```
-    <copy>SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
+    SYS_CONTEXT('SYS_SESSION_ROLES','SR_DBA_ROLE')    
     _________________________________________________
     TRUE                                              
 
@@ -192,7 +195,7 @@ This lab assumes that you have completed the previous labs and successfully enab
 
     SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')    
     ____________________________________________
-    tcps</copy>
+    tcps
     ```
 
 You may now **proceed to the next lab.**
@@ -207,4 +210,4 @@ You may now **proceed to the next lab.**
   * Richard Evans, Database Security Product Management
   * Miles Novotny, Solution Engineer, North America Specialist Hub
   * Noah Galloso, Solution Engineer, North America Specialist Hub
-* **Last Updated By/Date** - Miles Novotny, December 2022
+* **Last Updated By/Date** - Miles Novotny, April 2023

oci-adb-iam/introduction/introduction.md

@@ -1,8 +1,8 @@
 # Introduction
 
-### Why use Identity and Access Management with Autonomous Database
+## About this Workshop
 
-Managing users on a database-by-database basis is cumbersome, especially when working with a large number of databases. It can lead to mistakes where database user accounts exist long after the user has left the organization. Additionally, users within organizations change teams or are promoted but often never have their privileges from their previous role revoked. This causes them to end up overprivileged for their current responsibilities. Integrating database users with Oracle Identity and Access Management (IAM) is a quick and easy way to simplify user management across multiple ADBs and improve security.
+Managing users on a database-by-database basis is cumbersome, especially when working with a large number of databases. It can lead to mistakes where database user accounts exist long after the user has left the organization. Additionally, users within organizations change teams or are promoted but often never have their privileges from their previous role revoked. This causes them to end up overprivileged for their current responsibilities. Integrating database users with Oracle Identity and Access Management (IAM) is a quick and easy way to simplify user management across OCI managed databases such as the Autonomous Database, ExaCS, Base DBS and ExaCC.
 
 Estimated Workshop Time: 1 hour
 
@@ -12,7 +12,7 @@ In this workshop, you will learn how to:
 * Provision an Autonomous Database
 * Set IAM as the identity provider of your ADB
 * Grant IAM users access to your ADB
-* Access and interact with your ADB using IAM credentials
+* Access and interact with your ADB using IAM database password
 * Access and interact with your ADB using a token
 
 ### Prerequisites
@@ -21,6 +21,10 @@ In order to do this workshop, you need
 
 * An Oracle Free Tier, Always Free, Paid or LiveLabs Cloud Account
 
+### Note
+
+Some screenshots and videos may be different than what you see. These screenshots and videos were with a tenancy with IAM and not using IAM with Identity Domains. However, the functionality remains the same. Only use the default (root) domain when working with IAM with Identity Domains.
+
 ## Learn More
 
 * [Oracle Identity and Access Management](https://www.oracle.com/security/identity-management/)
@@ -31,4 +35,4 @@ In order to do this workshop, you need
   * Richard Evans, Database Security Product Management
   * Miles Novotny, Solution Engineer, North America Specalist Hub
   * Noah Galloso, Solution Engineer, North America Specalist Hub
-* **Last Updated By/Date** - Miles Novotny, December 2022
+* **Last Updated By/Date** - Miles Novotny, April 2023

oci-adb-iam/oci-wallet-and-enable-iam/oci-wallet-and-enable-iam.md

@@ -32,15 +32,15 @@ This lab assumes that you have completed the previous labs and have created all
     <copy>oci db autonomous-database generate-wallet --autonomous-database-id $ADB_OCID --password Oracle123+ --file $HOME/adb_wallet/lltest_wallet.zip</copy>
     ```
 
-3. Navigate to the adb_wallet directory.
+## Task 2: Enable OCI IAM as the identity provider and provision global schema and role
+
+1. Navigate to the adb_wallet directory.
 
     ```
     <copy>cd $HOME/adb_wallet</copy>
     ```
 
-## Task 2: Enable OCI IAM as the identity provider
-
-1. Open the SQL command line, then connect to the database using the wallet file.
+2. Open the SQL command line, then connect to the database using the wallet file.
     >**Note:** This command only works from inside the adb_wallet folder. Insure that you have navigated to it as shown in the previous steps.
 
     >**Note:** When using SQL, do not paste commands using Crtl-V as hidden characters will also be inserted resulting in an error of unknown command. You can use Crtl-Shift-V as a substitute if using a keyboard to insert copied code.
@@ -54,33 +54,33 @@ This lab assumes that you have completed the previous labs and have created all
     conn admin/Oracle123+Oracle123+@lltest_high</copy>
     ```
 
-2. Query to select the identity provider, and see that it is **NONE** by default.
+3. Query to select the identity provider, and see that it is **NONE** by default.
 
     ```
     <copy>select name, value from v$parameter where name ='identity_provider_type';</copy>
     ```
 
 
     ```
-    <copy>NAME                      VALUE    
+    NAME                      VALUE    
     _________________________ ________
-    identity_provider_type    NONE</copy>
+    identity_provider_type    NONE
     ```
 
-3. Now enable IAM as the identity provider. Query the idenity provider again to see it updated to **OCI_IAM**.
+4. Now enable IAM as the identity provider. Query the idenity provider again to see it updated to **OCI_IAM**.
 
     ```
     <copy>exec dbms_cloud_admin.enable_external_authentication('OCI_IAM');
     select name, value from v$parameter where name ='identity_provider_type';</copy>
     ```
 
     ```
-    <copy>NAME                      VALUE      
+    NAME                      VALUE      
     _________________________ __________
-    identity_provider_type    OCI_IAM</copy> 
+    identity_provider_type    OCI_IAM
     ```
 
-4. Create the **user\_shared** user and grant it permissions to create sessions. Create the **sr\_dba\_role** role and grant it permissions. Quit the SQL session.
+5. Create the **user\_shared** user and grant it permissions to create sessions. Create the **sr\_dba\_role** role and grant it permissions. Quit the SQL session.
 
     ```
     <copy>create user user_shared identified globally as 'IAM_GROUP_NAME=All_DB_Users';
@@ -117,14 +117,27 @@ This lab assumes that you have completed the previous labs and have created all
     cat sqlnet.ora</copy>
     ```
 
-4. Append the TOKEN_AUTH parameter to the ADB instance's tnsname.ora entry so that an authorization token can be used instead of a password.
+    The sqlnet.ora file should appear like this.
+
+    ```
+    WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY=/home/{your OCI users directory}/adb_wallet)))
+    SSL_SERVER_DN_MATCH=yes
+    ```
+
+4. Append the TOKEN_AUTH parameter to the ADB instance's tnsnames.ora entry so that an authorization token can be used instead of a password.
 
     ```
     <copy>head -1 tnsnames.ora.orig | sed -e 's/)))/)(TOKEN_AUTH=OCI_TOKEN)))/' > tnsnames.ora
 
     cat tnsnames.ora</copy>
     ```
 
+    The tnsnames.ora file should appear like this. Some values may vary, depending on your region, for example.
+
+    ```
+    lltest_high = (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name={your database service name}))(security=(ssl_server_cert_dn="CN=adwc.uscom-east-1.oraclecloud.com, OU=Oracle BMCS US, O=Oracle Corporation, L=Redwood City, ST=California, C=US")(TOKEN_AUTH=OCI_TOKEN)(TOKEN_AUTH=OCI_TOKEN)))
+    ```
+
 You may now **proceed to the next lab.**
 
 ## Learn More
@@ -137,4 +150,4 @@ You may now **proceed to the next lab.**
   * Richard Evans, Database Security Product Management
   * Miles Novotny, Solution Engineer, North America Specialist Hub
   * Noah Galloso, Solution Engineer, North America Specialist Hub
-* **Last Updated By/Date** - Miles Novotny, December 2022
+* **Last Updated By/Date** - Miles Novotny, April 2023