derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion in the standard Kerberos 5 distribution.
Contents

List of Figures
List of Tables
Send Us Your Comments ... xxiii
Preface ... xxv
What's New in Oracle Advanced Security? ... xxxvii

Part I Getting Started with Oracle Advanced Security

Introduction to Oracle Advanced Security
Security Challenges in an Enterprise Environment ... 1-1
Security in Enterprise Grid Computing Environments ...
4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients
About the Java Implementation ... 4-1
Java Database Connectivity Support ... 4-1
Securing Thin JDBC ... 4-2
Implementation Overview ... 4-3
Obfuscation ... 4-3
Configuration Parameters ... 4-4
Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT ... 4-4
Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT ...
Task 1: Install Kerberos ... 6-2
Task 2: Configure a Service Principal for an Oracle Database Server ... 6-2
Task 3: Extract a Service Table from Kerberos ... 6-3
Task 4: Install an Oracle Database Server and an Oracle Client ... 6-4
Task 5: Install Oracle Net Services and Oracle Advanced Security ...
How SSL Works with Other Authentication Methods ... 7-10
SSL and Firewalls ... 7-12
SSL Usage Issues ... 7-14
Enabling SSL ... 7-15
Task 1: Install Oracle Advanced Security and Related Products ... 7-15
Task 2: Configure SSL on the Server ... 7-15
Task 3: Configure SSL on the Client ...
Opening an Existing Wallet ... 8-13
Closing a Wallet ... 8-13
Importing Third-Party Wallets ... 8-13
Exporting Oracle Wallets to Third-Party Environments ... 8-14
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 ... 8-14
Uploading a Wallet to an LDAP Directory ... 8-15
Downloading a Wallet from an LDAP Directory ...
Task 1: Create New Principals and Accounts ... 10-5
Task 2: Install the Key of the Server into a Keytab File ... 10-6
Task 3: Configure DCE CDS for Use by Oracle DCE Integration ... 10-6
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration ... 10-8
DCE Address Parameters ...
Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security ... 11-28

Enterprise User Security Configuration Tasks and Troubleshooting
Enterprise User Security Configuration Overview ... 12-1
Enterprise User Security Configuration Roadmap ... 12-4
Preparing the Directory for Enterprise User Security ... 12-5
Configuring Enterprise User Security Objects in the Database and the Directory ...
Browsing Users in the Directory ... 13-12
Administering Enterprise Domains ... 13-15
Creating a New Enterprise Domain ... 13-16
Defining Database Membership of an Enterprise Domain ... 13-17
Managing Database Security Options for an Enterprise Domain ... 13-19
Managing Enterprise Domain Administrators ... 13-20
Managing Enterprise Domain Database Schema Mappings ...
Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface ... C-1
Customizing the RADIUS Challenge-Response User Interface ... C-2

Oracle Advanced Security FIPS 140-1 Settings
Configuration Parameters ... D-1
Server Encryption Level Setting ... D-2
Client Encryption Level Setting ... D-2
Server Encryption Selection List ... D-2
Client Encryption Selection List ...
orapki wallet create ... E-13
orapki wallet display ... E-13
orapki wallet export ... E-13

Entrust-Enabled SSL Authentication
Benefits of Entrust-Enabled Oracle Advanced Security ... F-2
Enhanced X.509-Based Authentication and Single Sign-On ... F-2
Integration with Entrust Authority Key Management ... F-2
Integration with Entrust Authority Certificate Revocation ...
Prerequisites for Performing Migration ... G-8
Required Database Privileges ... G-8
Required Directory Privileges ... G-9
Required Setup to Run the User Migration Utility ... G-9
User Migration Utility Command Line Syntax ... G-10
Accessing Help for the User Migration Utility ... G-11
User Migration Utility Parameters ...
List of Figures

1–1 Encryption ... 1-5
1–2 Strong Authentication with Oracle Authentication Adapters ... 1-8
1–3 How a Network Authentication Service Authenticates a User ... 1-9
1–4 Centralized User Management with Enterprise User Security ... 1-13
1–5 Oracle Advanced Security in an Oracle Networking Environment ... 1-15
1–6 Oracle Net with Authentication Adapters ...
11–3 Related Entries in a Realm Oracle Context ... 11-16
12–1 Enterprise User Security Configuration Flow Chart ... 12-3
13–1 Enterprise Security Manager Console Home Page ... 13-9
13–2 Enterprise Security Manager Console Edit User Window: Basic Information ... 13-10
13–3 Enterprise Security Manager: Add Enterprise Roles Window ... 13-12
Enterprise Security Manager: Main Window (All Users Tab) ...
List of Tables

1–1 Authentication Methods and System Requirements ... 1-17
2–1 Oracle Wallet Manager Navigator Pane Objects ... 2-8
2–2 Oracle Wallet Manager Toolbar Buttons ... 2-10
2–3 Oracle Wallet Manager Wallet Menu Options ... 2-10
2–4 Oracle Wallet Manager Operations Menu Options ... 2-11
2–5 Oracle Wallet Manager Help Menu Options ...
11–3 Enterprise User Security: Supported Authentication Types for Connections between Clients, Databases, and Directories ... 11-28
13–1 Identity Management Realm Properties ... 13-5
13–2 Enterprise User Security Identity Management Realm Administrators ... 13-7
13–3 Directory Search Criteria ... 13-14
13–4 Enterprise Security Manager Database Security Options ...
Send Us Your Comments

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01

Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision. Did you find any errors? Is the information clearly presented? Do you need more information? If so, where?
Preface

Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security. Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.
Audience

The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security, including:
Implementation consultants
System administrators
Security administrators
Database administrators (DBAs)

Organization

This document contains the following chapters:
Part I, "Getting Started with Oracle Advanced Security"...
Part III, "Oracle Advanced Security Strong Authentication"

Chapter 5, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting.
parameters, and how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP.

Part IV, "Enterprise User Security"

Chapter 11, "Getting Started with Enterprise User Security"
This chapter describes the Oracle LDAP directory and database integration that enables you to store and manage users' authentication information in Oracle Internet Directory.
Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"
This appendix describes the sqlnet.ora configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration.

Appendix E, "orapki Utility"
This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certificate revocation lists (CRLs).
Printed documentation is available for sale in the Oracle Store at http://oraclestore.oracle.com/ To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at http://otn.oracle.com/membership/ If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at...
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. New York: John Wiley & Sons, 1996. SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John Wiley & Sons, 2000. Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D., Mark C.
Convention | Meaning | Example
UPPERCASE monospace (fixed-width) font | Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL | You can specify this clause only for a NUMBER column. You can back up the database by using the BACKUP command.
Convention | Meaning | Example
[ ] | Brackets enclose one or more optional items. Do not enter the brackets. | DECIMAL (digits [ , precision ])
{ } | Braces enclose two or more items, one of which is required. Do not enter the braces. | {ENABLE | DISABLE}
| | A vertical bar represents a choice of two or more options within brackets or braces. | {ENABLE | DISABLE}
Convention | Meaning | Example
lowercase | Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. | SELECT last_name, employee_id FROM employees; sqlplus hr/hr; CREATE USER mjones IDENTIFIED BY ty3MU9;
Convention | Meaning | Example
Special characters | The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. | C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\"   C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)
Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community.
What's New in Oracle Advanced Security?

This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.
Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager.

See Also: Chapter 7, "Configuring Secure Sockets Layer Authentication" for configuration details

Support for Hardware Security Modules, including Oracle Wallet Manager Integration

In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key...
See Also:
"Certificate Validation with Certificate Revocation Lists" on page 7-35 for details
Appendix E, "orapki Utility" for details about the orapki command line utility

New Features in Enterprise User Security

Kerberos Authenticated Enterprise Users
Kerberos-based authentication to the database is available for users managed in an LDAP directory.
– Oracle Database recognition of standard password verifiers, which is also new in this release.

Tool Changes
– New Tool: Enterprise Security Manager Console
The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release.
Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

The new features for Oracle Advanced Security in release 2 (9.2) include the following:

Support for Advanced Encryption Standard (AES)
AES is a new cryptographic algorithm standard developed to replace Data Encryption Standard (DES).
Part I Getting Started with Oracle Advanced Security

This part introduces Oracle Advanced Security, describing the security solutions it provides, its features, and its tools. It contains the following chapters:
Chapter 1, "Introduction to Oracle Advanced Security"
Chapter 2, "Configuration and Administration Tools Overview"...
Introduction to Oracle Advanced Security

This chapter introduces Oracle Advanced Security, summarizing the security risks it addresses, and describing its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure.
Security Challenges in an Enterprise Environment

Security in Enterprise Grid Computing Environments
Security in an Intranet or Internet Environment
Common Security Threats

Security in Enterprise Grid Computing Environments

Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer. It provides flexibility, lower costs, and IT investment protection because inexpensive, off-the-shelf components can be added to the grid as business needs change.
the amount of information that organizations place on computers. Employee and financial records, customer orders, product information, and other sensitive data have moved from filing cabinets to file structures. The volume of sensitive information on the Web has thus increased the value of data that can be compromised.
Solving Security Challenges with Oracle Advanced Security

Password-Related Threats

In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing configurations.
Data Encryption

Sensitive information that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that can be deciphered only with a decryption key. Figure 1–1 shows how encryption works to ensure the security of a transaction.
Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers. Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths.
197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively.
Strong Authentication

Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication.
How Centralized Network Authentication Works

Figure 1–3 shows how a centralized network authentication service typically operates:

Figure 1–3 How a Network Authentication Service Authenticates a User

A user (client) requests authentication services and provides identifying information, such as a token or password.
The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database. The server sends the credentials back to the authentication server for authentication. If the authentication server accepts the credentials, then it notifies the Oracle Server, and the user is authenticated.
protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. See Chapter 5, "Configuring RADIUS Authentication" for information about configuring and using this adapter.

Smart Cards

A RADIUS-compliant smart card is a credit card-like hardware device.
Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authentication for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database usernames and passwords, RADIUS, and Kerberos).
Enterprise User Management

Enterprise user management is provided by the Enterprise User Security feature of Oracle Advanced Security. Enterprise User Security enables storing database users and their corresponding administrative and security information in a centralized directory server.
Passwords
Kerberos
Secure Sockets Layer (SSL) with digital certificates

See Also: For detailed discussions of Enterprise User Security concepts, configuration, and management, refer to the following chapters in this manual:
Chapter 11, "Getting Started with Enterprise User Security"
Chapter 12, "Enterprise User Security Configuration Tasks and Troubleshooting"...
Secure Data Transfer Across Network Protocol Boundaries

Figure 1–6 Oracle Net with Authentication Adapters

See Also: Oracle Net Services Administrator's Guide for more information about stack communications in an Oracle networking...
Oracle Advanced Security Restrictions

Note: Oracle Advanced Security is not available with Oracle Database Standard Edition.

Table 1–1 Authentication Methods and System Requirements
Authentication Method | System Requirements
Kerberos | MIT Kerberos Version 5, release 1.1. The Kerberos authentication server must be installed on a physically secure machine.
Configuration and Administration Tools Overview

Configuring advanced security features for an Oracle database includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure, as is required for Secure Sockets Layer (SSL).
Network Encryption and Strong Authentication Configuration Tools

Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database:
Oracle Net Manager
Oracle Advanced Security Kerberos Adapter Command-Line Utilities...
To start Oracle Net Manager as a standalone application:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line: netmgr
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Net Manager

Navigating to the Oracle Advanced Security Profile

The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane, which displays various property sheets that enable you to...
Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager

Oracle Advanced Security Profile Property Sheets

The Oracle Advanced Security Profile contains the following property sheets, which are described in the following sections:
Authentication Property Sheet
Other Params Property Sheet
Integrity Property Sheet...
Authentication Property Sheet
Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS.

Other Params Property Sheet
Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.
Public Key Infrastructure Credentials Management Tools

The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current:
Oracle Wallet Manager...
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Wallet Manager

Navigating the Oracle Wallet Manager User Interface

The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2–2.
Navigator Pane

The navigator pane provides a graphical tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.
text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file.

Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane

Toolbar

The toolbar contains buttons that enable you to manage your wallets.
Table 2–2 Oracle Wallet Manager Toolbar Buttons
Toolbar Button | Description
| Creates a new wallet
Open Wallet | Enables you to browse your file system to locate and open an existing wallet
Save Wallet | Saves the currently open wallet
Delete Wallet | Deletes the wallet currently selected in the navigator pane
Help...
Table 2–3 (Cont.) Oracle Wallet Manager Wallet Menu Options
Option | Description
Change Password | Changes the password for the currently open wallet. You must supply the old password before you can create a new one.
Auto Login | Sets the auto login feature for the currently open wallet.
Help Menu

Table 2–5 describes the contents of the Help menu.

Table 2–5 Oracle Wallet Manager Help Menu Options
Option | Description
Contents | Opens Oracle Wallet Manager online help.
Search for Help on | Opens Oracle Wallet Manager online help and displays the Search tab.
Enterprise User Security Configuration and Management Tools

Enterprise users are database users who are stored and centrally managed in an LDAP directory, such as Oracle Internet Directory. Table 2–6 provides a summary of the tools that are used to configure and manage Enterprise User Security.
Starting Database Configuration Assistant

To start Database Configuration Assistant:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line: dbca
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Database Administration > Database Configuration Assistant

See Also: "To register a database in the directory:"...
Logging in to Enterprise Security Manager Console
Navigating Enterprise Security Manager Console User Interface

Enterprise Security Manager Initial Installation and Configuration Overview

The following tasks provide an overview of the initial Enterprise Security Manager installation and configuration:
Task 1: Install Enterprise Security Manager
Task 2: Configure an Oracle Identity Management Infrastructure...
OracleAS Single Sign-On server must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.

See Also: Oracle Internet Directory Administrator's Guide for information about using Oracle Internet Directory Configuration Assistant to create or upgrade an identity management realm in the...
Figure 2–4 Directory Server Login Window

Log in to Oracle Internet Directory by selecting the authentication method and providing the hostname and port number for your directory. Table 2–7 describes the two available Enterprise Security Manager authentication methods and what each method requires:

Table 2–7 Enterprise Security Manager Authentication Methods...
Figure 2–5 Enterprise Security Manager User Interface

Navigator Pane

The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.
Right-click an enterprise domain to perform operations such as creating enterprise roles or deleting the domain from the identity management realm. When you expand an identity management realm, you see a nested list of folders that contain enterprise user security objects.
Figure 2–6 Enterprise Security Manager Databases Tabbed Window

The Databases tabbed window also enables you to set security options for databases which are members of an enterprise domain. See "Defining Database Membership of an Enterprise Domain" on page 13-17 for a discussion of configuring enterprise domains by using the Databases tabbed window.
File Menu

Table 2–9 describes the contents of the File menu.

Table 2–9 Enterprise Security Manager File Menu Options
Option | Description
Change Directory Connection | Causes the Directory Server Login window to reappear (see Figure 2–4 on page 2-17), enabling you to log in to another directory server.
Table 2–11 (Cont.) Enterprise Security Manager Help Menu Options
Option | Description
Search for Help on | Displays the search window for the online help.
Using Help | Displays online help topics that describe how to use the online help system.
About Enterprise Security...
Figure 2–7 Enterprise Security Manager Console Login Page

Click the Login icon in the upper right corner of the page to log in with your OracleAS Single Sign-On username and password. After providing your OracleAS Single Sign-On credentials, you are returned to the console home page.
Figure 2–8 ESM Console URL Window

Enter the appropriate URL for connecting to Enterprise Security Manager Console, and click OK. This saves the URL information in Enterprise Security Manager so you can launch the console again without reconfiguring the URL.

Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users

By default, the Enterprise Security Manager Console user interface does not display the field where you can configure Kerberos principal names.
Select krbPrincipalName in the left category list.
Click Move > to move krbPrincipalName to the right-hand list.
Click Done.
Click Next until you reach the last page, and then click Finish to save your work.
Home Tabbed Window

The Home page is your entry point to the console. You can access each tabbed window and read a brief summary of what you can do with this tool. The Home tabbed window is shown in Figure 2–9 on page 2-25.
Table 2–12 Enterprise Security Manager Console User Subtab Buttons
Button Name | Description
Go | After entering user search criteria in the Search for user field, click Go to display users who match your search criteria in the Search Results table.
Figure 2–11 Enterprise Security Manager Console Group Subtab
Figure 2–12 Enterprise Security Manager Console Edit Group Page
Realm Configuration Tabbed Window

The Realm Configuration tabbed window, which is shown in Figure 2–13, enables you to configure identity management realm attributes that pertain to Enterprise User Security. The fields that you can edit on this page are described in Table 2–13 on page 2-30.
Enterprise Security Manager Command-Line Utility

Enterprise Security Manager provides a command-line utility, which can be used to perform the most common tasks that the graphical user interface tool performs. Enter all Enterprise Security Manager command-line utility commands from the Oracle Enterprise Manager Oracle home.
Enterprise User Security Configuration and Management Tools See Also: "Duties of an Enterprise User Security Administrator/DBA" page 2-35 for a list of tasks that can be performed with Enterprise Security Manager and Enterprise Security Manager Console. Chapter 13, "Administering Enterprise User Security" detailed information about how to use Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users.
Enterprise User Security Configuration and Management Tools After you start this tool, you will be presented with the opening page that is shown Figure 2–14 on page 2-33. Choose the Directory Usage Configuration option on this page, click Next, and choose the directory server where you wish to store your enterprise users.
Duties of a Security Administrator/DBA

... phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory. This tool is automatically installed in the following location when you install an Oracle Database client:

$ORACLE_HOME/rdbms/bin/umu

The basic syntax for this utility is as follows: ...

Duties of an Enterprise User Security Administrator/DBA

Table 2–14 (Cont.) Common Security Administrator/DBA Configuration and Administrative Tasks

Task: Configure a database to accept RADIUS authentication
Tools Used: Oracle Net Manager
See Also: "Step 2: Configure RADIUS on the Oracle Database Server" on page 5-10

Task: Create a RADIUS user and grant them access
Tools Used: SQL*Plus ...

Table 2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks

Task: Create an identity management realm in Oracle Internet Directory
Tools Used: Oracle Internet Directory Self-Service Console (Delegated Administration Service)
See Also: Oracle Internet Directory Administrator's Guide, for information about how to perform this task ...
Table 2–15 (Cont.) Common Enterprise User Security Administrator Configuration and Administrative Tasks

Task: Manage user wallets on the local system or update database and directory user passwords
Tools Used: Oracle Wallet Manager
See Also: Chapter 8, "Using Oracle Wallet Manager"

Task: Request initial Kerberos ticket when KDC is ...

Part II Network Data Encryption and Integrity

This part describes how to configure data encryption and integrity for your existing Oracle network, and for thin JDBC connections to the database, by using the encryption features of Oracle Advanced Security. It contains the following chapters:

Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" ...

Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

This chapter describes how to configure native Oracle Net Services data encryption and integrity for Oracle Advanced Security. It contains the following topics:

Oracle Advanced Security Encryption
Oracle Advanced Security Data Integrity
Diffie-Hellman Based Key Management
How To Configure Data Encryption and Integrity
Oracle Advanced Security Encryption

Note: Prior to Release 8.1.7, Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export, each with different key lengths. This release contains the complete complement of available encryption algorithms and key lengths, previously available only in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release.

... of message security, but with a performance penalty. The magnitude of the performance penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block as the standard DES algorithm.

Oracle Advanced Security Data Integrity

Data modification attack: This type of attack occurs when an unauthorized party intercepts data in transit, alters it, and retransmits it. For example, if a bank deposit of $100 is intercepted, the monetary amount is changed to $10,000, and the higher amount is retransmitted, that is a data modification attack.

Diffie-Hellman Based Key Management

... The Oracle Advanced Security key management function changes the session key with every session.

Authentication Key Fold-in

The purpose of Authentication Key Fold-in is to defeat a possible third-party attack (historically called the man-in-the-middle attack) on the Diffie-Hellman key negotiation.
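The two properties described above, a fresh session key from every Diffie-Hellman exchange and a key that an interposed third party cannot reproduce once an authentication key is folded in, can be seen in a short Python model. This is an added example, not Oracle's key management code: the prime is a demonstration-sized parameter (the Mersenne prime 2**127 - 1, where production groups are 2048 bits or larger), and the fold-in construction (HMAC-SHA256 over the Diffie-Hellman secret, keyed with the authentication key) is this example's own choice, not the construction Oracle Advanced Security uses.

```python
"""Diffie-Hellman session keys with an authentication key folded in.

Added example, not Oracle's implementation.  Shows that a Diffie-Hellman
exchange gives a fresh key per session, that a bare exchange can be hijacked
by an active third party, and that folding in a key known only to the two
authenticated parties leaves the attacker with different keys.
Assumptions: demonstration-sized prime; HMAC-SHA256 fold-in construction.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

P = (1 << 127) - 1          # demonstration prime (Mersenne prime 2**127 - 1)
# 2 is a poor generator here: 2**127 == 1 (mod P), so it has order 127.
# 3 generates a large subgroup of the multiplicative group.
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value g**x mod p)."""
    x = secrets.randbelow(P - 3) + 2          # 2 .. P-2
    return x, pow(G, x, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret; rejects 0, 1 and p-1, which would force a known key."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def session_key(shared: int, auth_key: bytes = b"") -> bytes:
    """Derive the session key, folding in the authentication key (assumed construction)."""
    return hmac.new(auth_key, shared.to_bytes(KEY_BYTES, "big"), hashlib.sha256).digest()


def exchange(auth_key: bytes = b"", attacker: bool = False):
    """One client/server session.  Returns (client_key, server_key, attacker_keys).

    attacker_keys is empty for a clean exchange.  With attacker=True it holds
    the keys an interposed third party derives towards the client and towards
    the server after substituting its own public values in both directions.
    """
    ca, cA = dh_keypair()      # client
    sb, sB = dh_keypair()      # server
    if not attacker:
        return (session_key(dh_shared(ca, sB), auth_key),
                session_key(dh_shared(sb, cA), auth_key), ())
    ma, mA = dh_keypair()      # attacker's pair shown to the server
    mb, mB = dh_keypair()      # attacker's pair shown to the client
    client_key = session_key(dh_shared(ca, mB), auth_key)   # client believes mB is the server's value
    server_key = session_key(dh_shared(sb, mA), auth_key)   # server believes mA is the client's value
    # The attacker does not hold auth_key, so it can only fold in nothing.
    attacker_keys = (session_key(dh_shared(mb, cA)), session_key(dh_shared(ma, sB)))
    return client_key, server_key, attacker_keys


if __name__ == "__main__":
    k1, k2, _ = exchange(b"key-from-authentication")
    print("clean exchange, keys match:", k1 == k2)
    c, s, (ac, as_) = exchange(b"", attacker=True)
    print("bare DH under attack, attacker holds both keys:", ac == c and as_ == s)
    c, s, (ac, as_) = exchange(b"key-from-authentication", attacker=True)
    print("with fold-in under attack, attacker holds a key:", ac == c or as_ == s)
```

Without the fold-in the attacker's two keys equal the client's and the server's, so it can decrypt and re-encrypt every message in both directions. With the fold-in, the attacker's keys differ from both peers' keys, and the connection fails rather than being silently relayed.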
How To Configure Data Encryption and Integrity

About Activating Encryption and Integrity

In any network connection, it is possible for both the client and server to each support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.
REQUESTED
REQUIRED

The default value for each of the parameters is ACCEPTED.

REJECTED
Select this value if you do not elect to enable the security service, even if required by the other side. In this scenario, this side of the connection specifies that the security service is not permitted.

REQUIRED
Select this value to enable the security service, or to refuse the connection if it cannot be enabled. In this scenario, this side of the connection specifies that the security service must be enabled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on the other side.

Table 3–1 shows whether the security service is enabled, based on a combination of client and server configuration parameters.
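The outcome rules for the four values can be checked against a small model before touching a production sqlnet.ora. The Python below is an added example, not Oracle code: it applies the rules stated in this section to every client/server combination (the same four values are used by the SQLNET.CRYPTO_CHECKSUM_* parameters and by the thin JDBC ORACLE.NET.ENCRYPTION_* properties in Chapter 4) and renders the sqlnet.ora lines for one side. Two details are assumptions made for the example: the server walks its own algorithm list in order and takes the first entry the client also offers, and an empty list stands for every installed algorithm (the INSTALLED tuple is a stand-in for that set).

```python
"""Oracle Net encryption/integrity negotiation, modelled in Python.

Added example, not Oracle code.  Applies the ACCEPTED/REJECTED/REQUESTED/
REQUIRED rules from this chapter and renders sqlnet.ora entries.
Assumptions: server-preference algorithm choice; INSTALLED is a stand-in
for "all installed algorithms".
"""
from typing import Dict, List, Optional, Sequence, Tuple

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
INSTALLED = ("AES256", "3DES168", "RC4_256", "RC4_128", "RC4_56", "DES")  # stand-in list
OFF, ON, FAIL = "off", "on", "fail"


def choose_algorithm(client_algs: Sequence[str],
                     server_algs: Sequence[str]) -> Optional[str]:
    """First algorithm in the server's list that the client also offers."""
    offered_by_client = [a.upper() for a in client_algs] or list(INSTALLED)
    offered_by_server = [a.upper() for a in server_algs] or list(INSTALLED)
    for alg in offered_by_server:          # server preference order (assumption)
        if alg in offered_by_client:
            return alg
    return None


def negotiate(client_level: str, server_level: str,
              client_algs: Sequence[str] = (),
              server_algs: Sequence[str] = ()) -> Tuple[str, Optional[str]]:
    """Return (outcome, algorithm) for one connection attempt.

    ON   - service active with the returned algorithm
    OFF  - connection proceeds without the service
    FAIL - connection refused
    """
    c, s = client_level.upper(), server_level.upper()
    for level in (c, s):
        if level not in LEVELS:
            raise ValueError("level must be one of %s, got %r" % (LEVELS, level))
    # REQUIRED on one side and REJECTED on the other: no agreement is possible.
    if {c, s} == {"REQUIRED", "REJECTED"}:
        return FAIL, None
    # Any REJECTED, or ACCEPTED on both sides: nobody asks for the service.
    if "REJECTED" in (c, s) or (c == "ACCEPTED" and s == "ACCEPTED"):
        return OFF, None
    # At least one side asks for it, so a common algorithm must exist.
    alg = choose_algorithm(client_algs, server_algs)
    if alg is None:
        # Fatal only when a side insists (REQUIRED); otherwise silently off.
        return (FAIL if "REQUIRED" in (c, s) else OFF), None
    return ON, alg


def outcome_table() -> Dict[Tuple[str, str], str]:
    """All 16 client/server level combinations, with default algorithm lists."""
    return {(c, s): negotiate(c, s)[0] for c in LEVELS for s in LEVELS}


def sqlnet_lines(side: str, level: str, algs: Sequence[str] = ()) -> List[str]:
    """sqlnet.ora encryption entries for one side ('client' or 'server')."""
    side = side.upper()
    if side not in ("CLIENT", "SERVER"):
        raise ValueError("side must be client or server")
    if level.upper() not in LEVELS:
        raise ValueError("bad level %r" % level)
    lines = ["SQLNET.ENCRYPTION_%s = %s" % (side, level.lower())]
    if algs:
        lines.append("SQLNET.ENCRYPTION_TYPES_%s = (%s)"
                     % (side, ", ".join(a.upper() for a in algs)))
    return lines


if __name__ == "__main__":
    for (c, s), out in sorted(outcome_table().items()):
        print("client=%-9s server=%-9s -> %s" % (c, s, out))
    print("\n".join(sqlnet_lines("server", "required", ["AES256", "3DES168"])))
```

Note the silent case: REQUESTED against ACCEPTED with no algorithm in common yields a working but unprotected connection. If the service must be on, set REQUIRED on at least one side so that a mismatch fails loudly instead.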
... the sqlnet.crypto_seed parameter in the sqlnet.ora file. It can be 10 to 70 characters in length and can be changed at any time. The Diffie-Hellman key exchange uses the random numbers to generate unique session keys for every connect session.
Figure 3–1 Oracle Advanced Security Encryption Window

Choose the Encryption tab. Depending upon which system you are configuring, select CLIENT or SERVER from the pull-down list. From the Encryption Type list, select one of the following: REQUESTED, REQUIRED, ACCEPTED ...

Repeat this procedure to configure encryption on the other system. The sqlnet.ora file on the two systems should contain the following entries:

On the server:
SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])

On the client: ...
Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile" on page 2-3.) The Oracle Advanced Security tabbed window appears (Figure 3–2):

Figure 3–2 Oracle Advanced Security Integrity Window

Choose the Integrity tab.

Choose File > Save Network Configuration. The sqlnet.ora file is updated. Repeat this procedure to configure integrity on the other system. The sqlnet.ora file on the two systems should contain the following entries:

On the server:
SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted | rejected | requested | required] ...
Configuring Network Data Encryption and Integrity for Thin JDBC Clients

This chapter describes the Java implementation of Oracle Advanced Security, which lets thin Java Database Connectivity (JDBC) clients securely connect to Oracle Databases. This chapter contains the following topics:

About the Java Implementation
Configuration Parameters

See Also: Oracle Database JDBC Developer's Guide and Reference, for ...

About the Java Implementation

Sun Microsystems defined the JDBC standard, and Oracle Corporation implements and extends the standard with its own JDBC drivers. Oracle JDBC drivers are used to create JDBC applications that communicate with Oracle databases. Oracle implements two types of JDBC drivers: thick JDBC drivers built on top of the C-based Oracle Net client, and a thin (pure Java) JDBC driver to support downloadable applets.

Oracle Advanced Security continues to encrypt and provide integrity checking of Oracle Net Services traffic between Oracle Net clients and Oracle servers using algorithms written in C. The Oracle Advanced Security Java implementation provides Java versions of the following encryption algorithms: RC4_256, RC4_128, RC4_56 ...

Configuration Parameters

... the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. ...

Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT

This parameter defines the data integrity algorithm to be used. Table 4–4 describes this parameter's attributes.

Table 4–4 ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes

Parameter Type: String
Parameter Class: Static
Permitted Values: ...
Syntax: up.put("oracle.net.crypto_checksum_types_client", alg)
Example: up.put("oracle.net.crypto_checksum_types_ ...
Part III Oracle Advanced Security Strong Authentication

This part describes how to configure strong authentication methods for your existing Oracle network. It contains the following chapters, each of which describes a particular authentication method supported by Oracle Advanced Security:

Chapter 5, "Configuring RADIUS Authentication"
Chapter 6, "Configuring Kerberos Authentication" ...

Configuring RADIUS Authentication

This chapter describes how to configure an Oracle Database server for use with RADIUS (Remote Authentication Dial-In User Service). This chapter contains the following topics:

RADIUS Overview
RADIUS Authentication Modes
Enabling RADIUS Authentication, Authorization, and Accounting
Using RADIUS to Log In to a Database
RSA ACE/Server Configuration Checklist

Note: SecurID, an authentication product of RSA Security, Inc., ...
RADIUS Overview

... change the authentication method without modifying either the Oracle client or the Oracle database server. From the user's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Oracle database server, acting as the RADIUS client, notifies the RADIUS server.

RADIUS Authentication Modes

Table 5–1 RADIUS Authentication Components

Component: Oracle client
Stored Information: Configuration setting for communicating through RADIUS.

Component: Oracle database server/RADIUS client
Stored Information: Configuration settings for passing information between the Oracle server/RADIUS client and the RADIUS server. The secret key file.

Component: RADIUS server
Stored Information: Authentication and authorization information for all users.
Figure 5–2 Synchronous Authentication Sequence

A user logs in by entering a connect string, pass code, or other value. The client system passes this data to the Oracle database server.

The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

Example: Synchronous Authentication with SecurID Token Cards

With SecurID authentication, each user has a token card that displays a dynamic number that changes every sixty seconds. To gain access to the Oracle database server/RADIUS client, the user enters a valid pass code that includes both a personal identification number (PIN) and the dynamic number currently displayed on the user's SecurID card.
Figure 5–3 Asynchronous Authentication Sequence

A user seeks a connection to an Oracle database server. The client system passes the data to the Oracle database server.

The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. The RADIUS server passes the data to the appropriate authentication server, such as a Smart Card, SecurID ACE, or token card server. The authentication server sends a challenge, such as a random number, to the RADIUS server.

The Oracle client sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle database server.

Enabling RADIUS Authentication, Authorization, and Accounting

... Task 9: Configure Mapping Roles

Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client

RADIUS is installed with Oracle Advanced Security during a typical installation of Oracle Database.

See Also: Oracle Database operating system-specific installation documentation, for information about installing Oracle Advanced Security and the RADIUS adapter ...
Figure 5–4 Oracle Advanced Security Authentication Window

Choose the Authentication tab. From the Available Methods list, select RADIUS. Choose the right-arrow [>] to move RADIUS to the Selected Methods list. Move any other methods you want to use in the same way. Arrange the selected methods in order of required usage by selecting a method in the Selected Methods list and clicking Promote or Demote to position it in the list.
Create the RADIUS Secret Key File on the Oracle Database Server

Obtain the RADIUS secret key from the RADIUS server. For each RADIUS client, the administrator of the RADIUS server creates a shared secret key, which must be longer than 16 characters. This secret is the only thing that hides the user's password inside a RADIUS request and authenticates the RADIUS server's reply, so use a long random value rather than a word, and restrict read access to the file that holds it on the database server.
Figure 5–5 Oracle Advanced Security Other Params Window

From the Authentication Service list, select RADIUS. In the Host Name field, accept localhost as the default primary RADIUS server, or enter another host name. Ensure that the default value of the Secret File field is valid.
OS_AUTHENT_PREFIX=""

Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login).

See Also: Oracle Database Reference and the Oracle Database Administrator's Guide, for information about setting initialization parameters on an Oracle Database server ...
Field: Number of Retries
Description: Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries.

For instructions on configuring RADIUS accounting, see Task 5: Configure RADIUS Accounting on page 5-19.
See Also: Appendix C, "Integrating Authentication Devices Using RADIUS", for information about how to customize the challenge-response user interface

To configure challenge-response:

If you are using JDK 1.1.7 or JRE 1.1.7, set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run. On UNIX, enter this command at the prompt:

% setenv JAVA_HOME /usr/local/packages/jre1.1.7B ...
Note: The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it. By setting a keyword, you let the user avoid using a password to verify identity.

Task 3: Create a User and Grant Access

To grant user access, launch SQL*Plus and execute these commands to create and grant access to a user identified externally on the Oracle database server (system/manager is the documentation's placeholder; the SYSTEM account should not keep a default password):

SQL> CONNECT system/manager@database_name;
SQL> ...
Add externally identified users and roles.

To configure the Oracle client (where users log in):

Set the RADIUS challenge-response mode to ON for the client if you have not already done so by following the steps listed in "Configure Challenge-Response" ...

Ensure that RADIUS groups which map to Oracle roles adhere to the ORACLE_ROLE syntax. For example:

USERNAME USERPASSWD="user_password", SERVICE_TYPE=login_user, VENDOR_SPECIFIC=ORACLE, ORACLE_ROLE=ORA_ora920_sysdba

See Also: The RADIUS server administration documentation, for information about configuring the server.

Task 5: Configure RADIUS Accounting

RADIUS accounting logs information about access to the Oracle database server and stores it in a file on the RADIUS accounting server.
Task 6: Add the RADIUS Client Name to the RADIUS Server Database

You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2139, RADIUS Accounting. (Both have since been superseded by RFC 2865 and RFC 2866, which keep the same packet format.)
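The shared secret from "Create the RADIUS Secret Key File" and the RFC cited in Task 6 come together on the wire, which the Python below makes concrete. It is an added example, not Oracle code or a full RADIUS implementation: it builds the Access-Request the Oracle server (as RADIUS client) would send, hides the User-Password attribute with the secret exactly as RFC 2138/2865 section 5.2 specifies, answers it from a minimal in-process server that signs its reply with the Response Authenticator, and verifies that signature on the client side. The user database and the secret are constructed for the example, and the "longer than 16 characters" check follows this chapter rather than the RFC, which sets no minimum.

```python
"""RADIUS Access-Request / Access-Accept over a shared secret (RFC 2138 / 2865).

Added example, not Oracle code.  Models both the Oracle server (RADIUS
client) side and a minimal RADIUS server in one process, with a
constructed user database.  MD5 is what the RFC mandates for this
protocol; the secret's length and randomness carry the security.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = 20                      # code(1) + id(1) + length(2) + authenticator(16)


def check_secret(secret: bytes) -> bytes:
    """This chapter's rule: the shared secret must be longer than 16 characters."""
    if len(secret) <= 16:
        raise ValueError("shared secret must be longer than 16 characters")
    return secret


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be whole 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(pairs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < HEADER:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, body = {}, packet[HEADER:]
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return code, ident, packet[4:HEADER], attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    secret = check_secret(secret)
    request_auth = os.urandom(16)    # fresh per request; seeds hiding and the reply signature
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER + len(attrs)) + request_auth + attrs


def server_respond(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Minimal RADIUS server: check the hidden password, sign the (attribute-less) reply."""
    code, ident, request_auth, attrs = parse(packet)
    name = attrs.get(USER_NAME)
    ok = (code == ACCESS_REQUEST and name in users and USER_PASSWORD in attrs
          and hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, request_auth),
                                  users[name]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, HEADER)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> int:
    """RADIUS client side: return the reply code, or raise if it was not signed with our secret."""
    rcode, rident, response_auth, _ = parse(response)
    _, ident, request_auth, _ = parse(request)
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER:] + secret).digest()
    if rident != ident or not hmac.compare_digest(expected, response_auth):
        raise ValueError("reply is not authentic for this request")
    return rcode


if __name__ == "__main__":
    SECRET = b"constructed-secret-longer-than-16"   # constructed, >16 characters
    USERS = {b"scott": b"tiger-2004-example"}       # constructed user database
    req = build_access_request(7, b"scott", b"tiger-2004-example", SECRET)
    print("reply code:", verify_response(server_respond(req, SECRET, USERS), req, SECRET))
```

Two points worth noticing from the code: the Request Authenticator is random per request, so the same password never hides to the same bytes twice, and an Access-Accept forged by someone who does not hold the secret fails the Response Authenticator check on the database server instead of granting a login.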
Task 9: Configure Mapping Roles

If the RADIUS server supports vendor-specific attributes, you can manage roles by storing them in the RADIUS server. The Oracle database server downloads the roles when there is a CONNECT request using RADIUS. To use this feature, configure roles on both the Oracle database server and the RADIUS server.
See Also: "Challenge-Response (Asynchronous) Authentication Mode" on page 5-5 and "Configure Challenge-Response" on page 5-14. These sections describe how to configure challenge-response mode.

Using RADIUS to Log In to a Database

If you are using the synchronous authentication mode, launch SQL*Plus and enter the following command at the prompt:

CONNECT username/password@database_alias

Note that you can log in with this command only when challenge-response is not ...

RSA ACE/Server Configuration Checklist

See Also: RSA ACE/Server documentation, for specific information about troubleshooting.

Configuring Kerberos Authentication

This chapter describes how to configure Oracle Advanced Security for Oracle Database for use with Kerberos authentication, and how to configure Kerberos to authenticate Oracle database users. This chapter contains the following topics:

Enabling Kerberos Authentication
Utilities for the Kerberos Authentication Adapter
Configuring Interoperability with a Windows 2000 Domain Controller KDC
Troubleshooting
Enabling Kerberos Authentication

To enable Kerberos authentication:

Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Database Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Database Server and an Oracle Client
Task 5: Install Oracle Net Services and Oracle Advanced Security
Task 6: Configure Oracle Net Services and Oracle Database
Task 7: Configure Kerberos Authentication ...

Service Principal Field: kservice
Description: A case-sensitive string that represents the Oracle service; this can be the same as the database service name.

Service Principal Field: kinstance
Description: This is typically the fully qualified name of the system on which Oracle Database is running.

Service Principal Field: REALM
Description: The domain name of the database server.

Enter the following to extract the service table:

kadmin.local: ktadd -k /tmp/keytab oracle/dbserver.someco.com
Entry for principal oracle/dbserver.someco.com with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/tmp/keytab.
kadmin.local: exit
oklist -k -t /tmp/keytab

After the service table has been extracted, verify that the new entries are in the table in addition to the old ones. Note that DES-CBC-CRC is a weak, long-deprecated encryption type that current KDCs disable by default; confirm which encryption types both your KDC and the Oracle Kerberos adapter support before creating the principal, and protect the keytab file as you would a password, since it holds the service's long-term key.

Task 5: Install Oracle Net Services and Oracle Advanced Security

Install Oracle Net Services and Oracle Advanced Security on the Oracle database server and Oracle client systems.

See Also: Oracle Database operating system-specific installation documentation

Task 6: Configure Oracle Net Services and Oracle Database

Configure Oracle Net Services on the Oracle database server and client.
Figure 6–1 Oracle Advanced Security Authentication Window (Kerberos)

Choose the Authentication tab. From the Available Methods list, select KERBEROS5. Move KERBEROS5 to the Selected Methods list by clicking the right arrow (>). Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list.
Figure 6–2 Oracle Advanced Security Other Params Window (Kerberos)

From the Authentication Service list, select KERBEROS(V5). Type the kservice value from your service principal into the Service field (the example principal in this chapter uses oracle). This field defines the name of the service Oracle Database uses to obtain a Kerberos service ticket, and it is written to sqlnet.ora as SQLNET.AUTHENTICATION_KERBEROS5_SERVICE.
The sqlnet.ora file is updated with the following entries:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice

Step 2: Set the Initialization Parameters

To set parameters in the initialization parameter file, add the following parameter:

REMOTE_OS_AUTHENT=FALSE

Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach, because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized ...
Parameter: SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds_accepted_as_network_delay

Description: This parameter specifies how many seconds can pass before a Kerberos credential is considered out-of-date. It is used when a credential is actually received by either a client or a database server. An Oracle database server also uses it to decide whether a credential needs to be stored to protect against a replay attack.
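The two decisions this parameter drives, whether a received credential is still inside the acceptable window and how long the database server must remember an accepted one to catch a replay, are easy to get wrong in either direction (too small a window breaks logins from hosts whose clocks drift; too large a window, or a replay cache that forgets too early, lets a captured authenticator be reused). The Python below is an added example, not Oracle's adapter code, modelling both decisions. The 300-second default and the cache key of (client principal, ctime, cusec) are assumptions for the example; time values are Unix seconds.

```python
"""Clock-skew window and replay cache for received Kerberos authenticators.

Added example, not Oracle code.  Models the two uses of
SQLNET.KERBEROS5_CLOCKSKEW described in the text.  Assumptions: 300 s
default, (client principal, ctime, cusec) as the replay-cache key.
"""
import time
from typing import Dict, Optional, Tuple

SKEW_TOO_GREAT = "clock skew too great"
REPLAY = "replay"
OK = "ok"


class AuthenticatorCache:
    def __init__(self, clockskew: int = 300):
        if clockskew < 0:
            raise ValueError("clockskew must be >= 0")
        self.skew = clockskew
        # (client principal, ctime, cusec) -> moment after which it can be forgotten
        self._seen: Dict[Tuple[str, int, int], float] = {}

    def _evict(self, now: float) -> None:
        for key, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[key]

    def size(self) -> int:
        return len(self._seen)

    def accept(self, client: str, ctime: int, cusec: int = 0,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide on one authenticator whose timestamp is (ctime, cusec)."""
        now = time.time() if now is None else now
        # Too old, or too far in the future (a client clock ahead of ours).
        if abs(now - ctime) > self.skew:
            return False, SKEW_TOO_GREAT
        self._evict(now)
        key = (client, ctime, cusec)
        if key in self._seen:
            return False, REPLAY
        # Once ctime + skew has passed, the skew check alone rejects a replay,
        # so that is exactly how long the entry must be kept.
        self._seen[key] = ctime + self.skew
        return True, OK


if __name__ == "__main__":
    cache = AuthenticatorCache(300)
    print(cache.accept("scott@SOMECO.COM", 1000, 1, now=1000))   # (True, 'ok')
    print(cache.accept("scott@SOMECO.COM", 1000, 1, now=1100))   # (False, 'replay')
    print(cache.accept("scott@SOMECO.COM", 1000, 1, now=1301))   # (False, 'clock skew too great')
```

The eviction rule is the point to check in any real implementation: an entry may be dropped only once the timestamp it protects has itself fallen outside the skew window, otherwise a replay sent just before the window closes would be accepted.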
Description: This parameter specifies the complete path name to the Kerberos realm translation file. The translation file provides a mapping from a host name or domain name to a realm. The default is operating system-dependent; for UNIX, it is /etc/krb.realms.

Example: SQLNET.KERBEROS5_REALMS=/krb5/krb.realms ...
Task 10: Get an Initial Ticket for the Kerberos/Oracle User

Before you can connect to the database, you must ask the Key Distribution Center (KDC) for an initial ticket. To do so, run the following on the client:

% okinit username

If, when making a database connection, a reference such as the following follows a database link, you must use the forwardable (-f) option: ...

Utilities for the Kerberos Authentication Adapter

Table 6–1 (Cont.) Options for the okinit Utility

Option: ...
Description: Specify the lifetime of the ticket-granting ticket and all subsequent tickets. By default, the ticket-granting ticket is good for eight (8) hours, but shorter or longer-lived credentials may be desired.

% oklist -f
27-Jul-1999 21:57:51  28-Jul-1999 05:58:14  krbtgt/SOMECO.COM@SOMECO.COM
Flags: FI

Removing Credentials from the Cache File with the okdstry Utility

Use the okdstry utility to remove credentials from the credentials cache file:

$ okdstry -f

where the -f option lets you specify an alternative credential cache.

Configuring Interoperability with a Windows 2000 Domain Controller KDC

... Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User

Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC

The following steps must be performed on the Oracle Kerberos client.

Step 2: Specifying Oracle Configuration Parameters in the sqlnet.ora File

Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server" ...
For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a user with the username sales3854.us.acme.com and the password oracle. (The password shown is the documentation's placeholder; the service's Kerberos key is derived from this account's password, so choose a long random one.)

Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory.

Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC

The following steps must be performed on the host computer where the Oracle database is installed.

Step 1: Setting Configuration Parameters in the sqlnet.ora File

Specify values for the following parameters in the sqlnet.ora file for the database server: ...

Troubleshooting

This section lists some common configuration problems and explains how to resolve them.

If you cannot get your ticket-granting ticket using OKINIT:
– Ensure that the default realm is correct by examining the krb.conf file.
– Ensure that the KDC is running on the host specified for the realm.
– ...
Configuring Secure Sockets Layer Authentication

This chapter describes how to configure and use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which are supported by Oracle Advanced Security. It contains the following topics:

SSL and TLS in an Oracle Environment
Public Key Infrastructure in an Oracle Environment
SSL Combined with Other Authentication Methods
SSL and Firewalls ...

SSL and TLS in an Oracle Environment

Secure Sockets Layer (SSL) is an industry standard protocol originally designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity.

About Using SSL

Oracle Advanced Security supports authentication by using digital certificates over SSL, in addition to the native encryption and data integrity capabilities of these protocols. By using Oracle Advanced Security SSL functionality to secure communications between clients and servers, you can:

Use SSL to encrypt the connection between clients and servers
Authenticate any client or server, such as Oracle Application Server 10g, to any ...

How SSL Works in an Oracle Environment: The SSL Handshake

When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps:

The client and server establish which cipher suites to use.
...

Public Key Infrastructure in an Oracle Environment

A public key infrastructure (PKI) is a substrate of network components that provides a security underpinning, based on trust assertions, for an entire organization. A PKI exists so that disparate network entities can access its security services, which use public-key cryptography, on an as-needed basis.

Public Key Infrastructure Components in an Oracle Environment

Public key infrastructure (PKI) components in an Oracle environment include the following:

Certificate Authority
Certificates
Certificate Revocation Lists
Wallets
Hardware security modules

Certificate Authority

A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers.
A certificate contains the entity's name, public key, and an expiration date, as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate. When a network entity receives a certificate, it verifies that it is a trusted certificate, ...

Wallets

A wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates (with the exception of anonymous Diffie-Hellman cipher suites, which authenticate neither side).
Note: Currently only nCipher devices are certified with Oracle Advanced Security. Certification of other vendors' devices is in progress.

See Also: "Configuring Your System to Use Hardware Security Modules" on page 7-48, for configuration details.

SSL Combined with Other Authentication Methods

You can configure Oracle Advanced Security to use SSL concurrently with database usernames and passwords, RADIUS, and Kerberos, which are discussed in the following sections:

Architecture: Oracle Advanced Security and SSL
How SSL Works with Other Authentication Methods

See Also: Appendix A, "Data Encryption and Integrity ...
Figure 7–1 SSL in Relation to Other Authentication Methods (Wallet, Oracle Client, Oracle Server, Authentication Server)

The client seeks to connect to the Oracle database server. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.

SSL and Firewalls

Oracle Advanced Security supports two types of firewalls:

Application proxy-based firewalls, such as Network Associates Gauntlet or Axent Raptor.
Stateful packet inspection firewalls, such as Check Point Firewall-1 or Cisco PIX Firewall.

When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they cannot decrypt encrypted packets.
Page 179
SSL and Firewalls Although Oracle Connection Manager can be used to avoid Note: opening up multiple SSL ports through the firewall, consider the following: The internal connection, between Oracle Connection Manager and the database, is not an SSL connection. You should encrypt such connections, using Oracle Advanced Security native encryption.
SSL Usage Issues SSL Usage Issues Consider the following issues when using SSL: SSL use enables secure communication with other Oracle products, such as Oracle Internet Directory. Because SSL supports both authentication and encryption, the client/server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption).
Enabling SSL To enable SSL: Task 1: Install Oracle Advanced Security and Related Products; Task 2: Configure SSL on the Server; Task 3: Configure SSL on the Client; Task 4: Log on to the Database. Task 1: Install Oracle Advanced Security and Related Products Install Oracle Advanced Security on both the client and server.
Enabling SSL Manager. The wallet should contain a certificate with a status of "Ready" and auto login turned on. If auto login is not on, then select it from the Wallet menu and re-save the wallet. This turns auto login on. See Also: "Opening an Existing Wallet"...
Enabling SSL and listener.ora files are updated with the following sqlnet.ora entries: wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location))) Note: The listener uses the wallet defined in listener.ora (it can use any database wallet). When SSL is configured for a server using Net Manager, the wallet location is entered into the listener.ora and the sqlnet.ora files.
Enabling SSL Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible. Note: If you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, then you must also set the same cipher suite on the client.
Enabling SSL To specify cipher suites for the server: Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for: Server. Click Add. A dialog box displays available cipher suites (Figure 7–2).
Enabling SSL Figure 7–3 Oracle Advanced Security SSL Window (Server) Use the up and down arrows to prioritize the cipher suites. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 4: Set the Required SSL Version on the Server (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora file.
Enabling SSL To set the SSL version for the server: Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for: Server. In the Require SSL Version: list, the default is Any. Accept this default or select the SSL version you want to use.
Enabling SSL Figure 7–4 Oracle Advanced Security SSL Window (Server) Uncheck Require Client Authentication. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CLIENT_AUTHENTICATION=FALSE Step 6: Set SSL as an Authentication Service on the Server (Optional) The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.
Enabling SSL To set the SQLNET.AUTHENTICATION_SERVICES parameter on the server: Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows: SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.
Enabling SSL Step 1: Confirm Client Wallet Creation Before proceeding with the next step, you must confirm that a wallet has been created on the client and that the client has a valid certificate. Note: Oracle Corporation recommends that you use Oracle Wallet Manager to remove the trusted certificate...
Enabling SSL Example 7–1 shows an entry for the Finance database in the tnsnames.ora file: (SECURITY= (SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme")) The client uses this information to obtain the list of DNs it expects for each of the servers, enforcing the server's DN to match its service name. Alternatively, the administrator can ensure that the common name (CN) portion of the server's DN matches the service name.
Enabling SSL Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile" on page 2-3) The Oracle Advanced Security SSL window appears (Figure 7–5): Figure 7–5 Oracle Advanced Security SSL Window (Client) Choose the SSL tab. Select Configure SSL for: Client.
Enabling SSL Note: This check can be made only when RSA ciphers are selected, which is the default setting. No (default): SSL checks for a match between the DN and the service name, but does not enforce it. Connections succeed regardless of the outcome, but an error is logged if the match fails.
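The two checks described above (matching the full DN from SSL_SERVER_CERT_DN in tnsnames.ora, or matching the CN portion of the server DN against the service name) and the two SSL_SERVER_DN_MATCH behaviours (No: log and continue; Yes: refuse) are modelled below. This is an added example written for this page, not Oracle client code. It assumes that DN comparison ignores case and surrounding whitespace, that the leftmost CN is the one compared with the service name, and that escaped commas in DN values do not occur; the function names are this example's own.

```python
def parse_dn(dn):
    """Split an X.500 DN string such as "cn=finance,cn=OracleContext,c=us,o=acme"
    into an ordered list of (attribute, value) pairs.  Case and whitespace
    normalisation is this example's assumption; escaped commas are not handled."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def server_dn_matches(server_cert_dn, service_name, expected_dn=None):
    """True if the server certificate's DN is acceptable for the service.

    If the client has an SSL_SERVER_CERT_DN entry for this service (expected_dn),
    the whole DN must match.  Otherwise the leftmost CN of the certificate must
    equal the service name (the 'administrator matches CN to service name' case)."""
    cert = parse_dn(server_cert_dn)
    if expected_dn is not None:
        return cert == parse_dn(expected_dn)
    cns = [value for attr, value in cert if attr == "cn"]
    return bool(cns) and cns[0] == service_name.strip().lower()


def evaluate_connection(server_cert_dn, service_name, expected_dn=None, enforce_match=False):
    """Model SSL_SERVER_DN_MATCH.  enforce_match=False is the 'No' default: a
    mismatch is logged but the connection proceeds.  enforce_match=True is 'Yes':
    a mismatch refuses the connection."""
    matched = server_dn_matches(server_cert_dn, service_name, expected_dn)
    if matched:
        return {"matched": True, "connect": True, "log": None}
    log_line = "DN match failed: server DN %r does not identify service %r" % (
        server_cert_dn, service_name)
    return {"matched": False, "connect": not enforce_match, "log": log_line}


if __name__ == "__main__":
    # Constructed values based on Example 7-1 on the page.
    expected = "cn=finance,cn=OracleContext,c=us,o=acme"
    print(evaluate_connection(expected, "finance", expected_dn=expected))
    print(evaluate_connection("cn=hr,cn=OracleContext,c=us,o=acme", "finance"))
    print(evaluate_connection("cn=hr,cn=OracleContext,c=us,o=acme", "finance",
                              expected_dn=expected, enforce_match=True))
```

With the default (No) setting the second call above connects anyway and only returns a log line; reviewing those logged mismatches before switching the parameter to Yes avoids locking out services whose certificates were issued with a CN that differs from the service name.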
Enabling SSL Step 4: Set the Client SSL Cipher Suites (Optional) A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
Enabling SSL Note: If the SSL_CLIENT_AUTHENTICATION parameter is set to true in the sqlnet.ora file, then disable all cipher suites that use Diffie-Hellman anonymous authentication. Otherwise, the connection fails. To specify client cipher suites: Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for Client.
Enabling SSL Use the up and down arrows to prioritize the cipher suites. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 5: Set the Required SSL Version on the Client (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora file.
Troubleshooting SSL Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using RADIUS. To set the client SQLNET.AUTHENTICATION_SERVICES parameter: Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor.
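The steps above all end by writing entries into sqlnet.ora (WALLET_LOCATION, SSL_CIPHER_SUITES, SSL_CLIENT_AUTHENTICATION, SQLNET.AUTHENTICATION_SERVICES, and SSL_CERT_REVOCATION from the CRL section later in this chapter). Because the Troubleshooting section notes that hand-edited files are a common cause of failures, the added example below parses that parenthesised format and reports the conditions this chapter calls out: anonymous Diffie-Hellman suites combined with SSL_CLIENT_AUTHENTICATION=TRUE (the connection fails), an anonymous suite ordered ahead of an authenticated one (suites should be strongest first), no revocation checking, no TCPS in the authentication services, and no wallet location. This is example code written for this page, not an Oracle tool. The two sample files are constructed; the suite names follow the SSL_cipher_suite form shown above and should be checked against the suites your release supports. The reading of REQUESTED (revoked certificates rejected, a missing CRL tolerated) is Oracle's documented behaviour but is not spelled out in the excerpt above.

```python
import re

_ENTRY = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*", re.M)


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_paren(s, i):
    """Parse one "(KEY=value)" group starting at s[i] == '('.
    value is either a scalar or a sequence of nested "(K=v)" groups (a dict)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    eq = s.index("=", i + 1)
    key = s[i + 1:eq].strip().upper()
    i = _skip_ws(s, eq + 1)
    if i < len(s) and s[i] == "(":
        value = {}
        while i < len(s) and s[i] == "(":
            k, v, i = _parse_paren(s, i)
            value[k] = v
            i = _skip_ws(s, i)
    else:
        close = s.index(")", i)
        value = s[i:close].strip()
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError("unbalanced parentheses near offset %d" % i)
    return key, value, i + 1


def _parse_value(raw):
    raw = raw.strip()
    if not raw.startswith("("):
        return raw                                   # plain scalar, e.g. TRUE
    inner = raw[1:raw.rindex(")")]
    if "=" not in inner:                             # (A, B) style list
        return [x.strip() for x in inner.split(",") if x.strip()]
    key, value, _ = _parse_paren(raw, 0)
    return {key: value}


def parse_sqlnet(text):
    """Return {PARAMETER: value}; '#' starts a comment.  Parameter names are
    upper-cased, values are str, list or nested dict."""
    joined = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    entries = list(_ENTRY.finditer(joined))
    params = {}
    for n, m in enumerate(entries):
        end = entries[n + 1].start() if n + 1 < len(entries) else len(joined)
        params[m.group(1).upper()] = _parse_value(joined[m.end():end])
    return params


def audit_ssl_params(params):
    """Return a list of (code, message) findings for the SSL settings."""
    findings = []
    suites = params.get("SSL_CIPHER_SUITES", [])
    suites = [suites] if isinstance(suites, str) else list(suites)
    anon = [s for s in suites if "DH_ANON" in s.upper()]
    if anon:
        findings.append(("ANON_DH", "anonymous DH suites give no server authentication: %s" % anon))
        if str(params.get("SSL_CLIENT_AUTHENTICATION", "")).upper() == "TRUE":
            findings.append(("ANON_WITH_CLIENT_AUTH",
                             "SSL_CLIENT_AUTHENTICATION=TRUE with DH anon suites: connections fail"))
        first_anon = min(suites.index(s) for s in anon)
        if any("DH_ANON" not in s.upper() for s in suites[first_anon:]):
            findings.append(("ANON_NOT_LAST", "an anonymous suite is ordered ahead of an authenticated one"))
    revocation = str(params.get("SSL_CERT_REVOCATION", "NONE")).upper()
    if revocation not in ("REQUIRED", "REQUESTED"):
        findings.append(("NO_CRL_CHECK", "SSL_CERT_REVOCATION is not REQUIRED or REQUESTED"))
    elif revocation == "REQUESTED":
        findings.append(("CRL_REQUESTED", "a missing CRL is tolerated; use REQUIRED to reject"))
    services = params.get("SQLNET.AUTHENTICATION_SERVICES")
    if services is not None:
        services = [services] if isinstance(services, str) else services
        if "TCPS" not in [s.upper() for s in services]:
            findings.append(("TCPS_MISSING", "SSL (TCPS) is not listed as an authentication service"))
    if "WALLET_LOCATION" not in params:
        findings.append(("NO_WALLET", "no WALLET_LOCATION entry"))
    return findings


def audit_sqlnet(text):
    return audit_ssl_params(parse_sqlnet(text))


# Constructed samples (not from any real deployment).
WEAK_SQLNET_ORA = """
# weak: anon DH first, client auth required, no revocation checking, no TCPS
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=/opt/oracle/wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SQLNET.AUTHENTICATION_SERVICES = (radius)
"""

HARDENED_SQLNET_ORA = """
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=/opt/oracle/wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_CERT_REVOCATION = REQUIRED
SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(name, audit_sqlnet(cfg) or "no findings")
```

Run it against both the client and server copies of sqlnet.ora: the note above requires the same suites on both sides, so diffing the two SSL_CIPHER_SUITES lists is a useful extra check.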
Troubleshooting SSL Ensure that the correct wallet location is specified in the sqlnet.ora file. Note: This should be the same directory location where you saved the wallet. Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason.
Troubleshooting SSL Action: Check the following: Ensure that the correct wallet location is specified in the sqlnet.ora file so the system can find the wallet. Use Oracle Net Manager to ensure that cipher suites are set correctly in the sqlnet.ora file. (Sometimes this error occurs because the sqlnet.ora has been manually edited and the cipher suite names are misspelled.
Troubleshooting SSL A certificate authority for one of the certificates in the chain is not recognized as a trust point. The signature in one of the certificates cannot be verified. Action: See "Opening an Existing Wallet" on page 8-13 to use Oracle Wallet Manager to open your wallet and check the following: Ensure that all of the certificates installed in your wallet are current (not expired).
Certificate Validation with Certificate Revocation Lists does not give the complete chain and you do not have the appropriate trust points to complete it. Action: Use Oracle Wallet Manager to install the trust points that are required to complete the chain. See "Importing a Trusted Certificate"...
Certificate Validation with Certificate Revocation Lists How CRL Checking Works Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. Typically, CRL definitions are valid for a few days.
Certificate Validation with Certificate Revocation Lists Note: For performance reasons, only user certificates are checked. Oracle recommends that you store CRLs in the directory rather than the local file system. Configuring Certificate Validation with Certificate Revocation Lists The SSL_CERT_REVOCATION parameter must be set to REQUIRED or REQUESTED in the sqlnet.ora file to enable certificate revocation status checking.
Certificate Validation with Certificate Revocation Lists Figure 7–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected Choose one of the following options from the Revocation Check list (see Figure 7–7): REQUIRED Requires certificate revocation status checking. The SSL connection is rejected if a certificate is revoked or no CRL is found.
Certificate Validation with Certificate Revocation Lists Note: For performance reasons, only user certificates are checked for revocation. (Optional) If CRLs are stored on your local file system, then set one or both of the following fields that specify where they are stored. These fields are available only when Revocation Check is set to REQUIRED or REQUESTED.
Certificate Validation with Certificate Revocation Lists Note: When configuring your ldap.ora file, you should specify only a non-SSL port for the directory. CRL download is done as part of the SSL protocol, and making an SSL connection within an SSL connection is not supported. Oracle Advanced Security CRL functionality will not work if the Oracle Internet Directory non-SSL port is disabled.
Certificate Validation with Certificate Revocation Lists Note: CRLs must be updated at regular intervals (before they expire) for successful validation. You can automate this task by using orapki commands in a script. You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory.
Certificate Validation with Certificate Revocation Lists issuer's name. Then when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded. Depending on your operating system, enter one of the following commands to rename CRLs stored in the file system.
Certificate Validation with Certificate Revocation Lists permission to add CRLs to the CRL subtree, and wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL. Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.
Certificate Validation with Certificate Revocation Lists following at the command line: orapki crl display -crl crl_location [-wallet wallet_location] -summary where crl_location is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command.
Certificate Validation with Certificate Revocation Lists [-summary] where issuer_name is the name of the CA who issued the CRL, the hostname and ssl_port are for the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree.
Certificate Validation with Certificate Revocation Lists See Also: Oracle Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing. Oracle Net Tracing File Error Messages Associated with Certificate Validation The following trace messages, relevant to certificate validation, may be logged between the entry and exit entries in the Oracle Net tracing file.
Certificate Validation with Certificate Revocation Lists If necessary, use the orapki utility to configure CRLs for system use as follows: – For CRLs stored on your local file system, see "Renaming CRLs with a Hash Value for Certificate Validation" on page 7-41 –...
Configuring Your System to Use Hardware Security Modules Oracle Advanced Security supports hardware security modules that use APIs which conform to the RSA Security, Inc., PKCS #11 specification. Typically, these hardware devices are used to securely store and manage private keys in tokens or smart cards, or to accelerate cryptographic processing.
Configuring Your System to Use Hardware Security Modules Configuring Your System to Use nCipher Hardware Security Modules Hardware security modules made by nCipher Corporation are certified to operate with Oracle Advanced Security. These modules provide a secure way to store keys and offload cryptographic processing.
Configuring Your System to Use Hardware Security Modules (UNIX) /opt/nfast (Windows) C:\nfast The nCipher PKCS #11 library is located at the following file system directory locations for typical installations: (UNIX 32 bit): /opt/nfast/toolkits/pkcs11/libcknfast.so (UNIX 64 bit): /opt/nfast/toolkits/pkcs11/libcknfast-64.so (Windows): C:\nfast\toolkits\pkcs11\cknfast.dll Note: Use the 32-bit library version when using the 32-bit release of Oracle Database and use the 64-bit library version when using the 64-bit release of Oracle Database.
Configuring Your System to Use Hardware Security Modules Error Messages Associated with Using Hardware Security Modules The following errors are associated with using PKCS #11 hardware security modules: ORA-43000: PKCS11: library not found Cause: The system cannot locate the PKCS #11 library at the location specified when the wallet was created.
Configuring Your System to Use Hardware Security Modules Note: The nCipher log file is in the directory where the module is installed at the following location: /log/logfile See Also: nCipher documentation for further information about troubleshooting. Oracle Database Advanced Security Administrator's Guide
Using Oracle Wallet Manager Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure. This chapter describes Oracle Wallet Manager, and contains the following topics: Oracle Wallet Manager Overview Starting Oracle Wallet Manager...
Oracle Wallet Manager Overview Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.
Oracle Wallet Manager Overview Strong Wallet Encryption Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption. Microsoft Windows Registry Wallet Storage Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows system registry or in a Windows file management system.
Oracle Wallet Manager Overview cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards have been developed to establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet. Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification.
Oracle Wallet Manager Overview legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates; however, more than one certificate for each certificate request cannot be installed in the same wallet at the same time.
Oracle Wallet Manager Overview Table 8–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet (columns: KeyUsage Value, Critical?, Usage; the Critical? column is not captured in this excerpt)
KeyUsage Value: 2 alone, or 2 + any combination excluding 5. Usage: Accept certificate for SSL or S/MIME encryption use.
KeyUsage Value: 5 alone, or any combination. Usage: Accept certificate for CA certificate signing use.
Starting Oracle Wallet Manager LDAP Directory Support Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle.
How To Create a Complete Wallet: Process Overview Wallets provide a necessary repository in which you can securely store your user certificates and the trust points you need to validate the certificates of your peers. The following steps provide an overview of the complete wallet creation process: Use Oracle Wallet Manager to create a new wallet: "Required Guidelines for Creating Wallet Passwords"...
Managing Wallets client wallets. It is only optional for products that take the wallet password at the time of startup. After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points. Managing Wallets This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:...
Managing Wallets Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters. Caution: It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A."...
Managing Wallets Click OK to continue. If the entered password does not conform to the required guidelines, then the following message appears: Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again? An alert is displayed, and informs you that a new empty wallet has been created.
Managing Wallets In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system. Enter the SmartCard password, and choose OK. The smart card password, which is different from the wallet password, is stored in the wallet.
Managing Wallets Opening an Existing Wallet Open a wallet that already exists in the file system directory as follows: Choose Wallet > Open from the menu bar. The Select Directory dialog box appears. Navigate to the directory location in which the wallet is located, and select the directory.
Managing Wallets For other operating systems, see the Oracle documentation for that specific operating system. Note: Because browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection.
Managing Wallets Choose Operations > Export Wallet. The Export Wallet dialog box appears. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders. Enter the destination file name for the wallet. Choose OK to return to the main window. Table 8–4 PKI Wallet Encoding Standards Component Encoding Standard...
Managing Wallets If no certificates have SSL key usage: When prompted, enter the user's distinguished name (DN), the LDAP server hostname and port information, and click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password.
Managing Wallets If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully. Saving Changes To save your changes to the current open wallet: Choose Wallet >...
Managing Wallets (UNIX) ORACLE_HOME/admin/ORACLE_SID (Windows) ORACLE_BASE\ORACLE_HOME\rdbms\admin Note: SSL uses the wallet that is saved in the system default directory location. Some Oracle applications are not able to use the wallet if it is not in the system default location. Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory location.
Managing Wallets To change the password for the current open wallet: Choose Wallet > Change Password. The Change Wallet Password dialog box appears. Enter the existing wallet password. Enter the new password. Re-enter the new password. Choose OK. A message at the bottom of the window confirms that the password was successfully changed.
Managing Certificates Choose Wallet from the menu bar. Uncheck Auto Login. A message at the bottom of the window indicates that auto login is disabled. Managing Certificates Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key.
Managing Certificates Importing the User Certificate into the Wallet Removing a User Certificate from a Wallet Removing a Certificate Request Exporting a User Certificate Exporting a User Certificate Request Adding a Certificate Request You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit.
Managing Certificates Table 8–5 (Cont.) Certificate Request: Fields and Descriptions Field Name Description Organization Optional. Enter the name of the identity's organization. Example: XYZ Corp. Locality/City Optional. Enter the name of the locality or city in which the identity resides. State/Province Optional.
Managing Certificates certificates, including the user's certificate and all of the supporting CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain. To copy and paste the text only (BASE64) user certificate from the certificate authority's e-mail: Copy the certificate text from the e-mail message or file you receive from the certificate authority.
Managing Certificates Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready]. Removing a User Certificate from a Wallet To remove a user certificate from a wallet: In the left panel subtree, select the certificate that you want to remove. Choose Operations >...
Managing Certificates Exporting a User Certificate Request To save the certificate request in a file system directory, export the certificate request by using the following steps: In the left panel subtree, select the certificate request that you want to export. Choose Operations >...
Managing Certificates Choose Paste the Certificate, and click OK. Another Import Trusted Certificate dialog panel appears with the following message: Please provide a base64 format certificate and paste it below. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed.
Managing Certificates A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it. Choose Yes. The selected trusted certificate is removed from the Trusted Certificates tree.
Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security This chapter describes how to configure multiple authentication methods under Oracle Advanced Security, and how to use conventional user name and password authentication, even if you have configured another authentication method. This chapter also describes how to configure your network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.
Disabling Oracle Advanced Security Authentication For example: % sqlplus scott/tiger@emp Note: You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database. Disabling Oracle Advanced Security Authentication Use Oracle Net Manager to disable authentication methods (See "Starting Oracle Net Manager"...
Disabling Oracle Advanced Security Authentication Figure 9–1 Oracle Advanced Security Authentication Window Choose the Authentication tab. Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<].
Configuring Multiple Authentication Methods Many networks use more than one authentication method on a single security server. Accordingly, Oracle Advanced Security lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.
Configuring Oracle Database for External Authentication This section describes the parameters you must set to configure Oracle Database for network authentication, using the following tasks: Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora; Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE; Setting OS_AUTHENT_PREFIX to a Null Value. See Also: The corresponding chapter in this guide for information about...
Configuring Oracle Database for External Authentication If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation fails and the connection terminates. If the parameter is set as follows in the sqlnet.ora file on either the client or server, the database attempts to use the supplied user name and password to log in the...
Configuring Oracle Database for External Authentication See Also: Oracle Database Administrator's Guide; Oracle Database Heterogeneous Connectivity Administrator's Guide
Configuring Oracle DCE Integration Oracle DCE Integration enables Oracle applications and tools to access Oracle Database servers in a distributed computing environment. This chapter briefly describes the Distributed Computing Environment (DCE), the Oracle DCE Integration product, and how to configure it. It contains the following topics: Introduction to Oracle DCE Integration Configuring DCE for Oracle DCE Integration Configuring Oracle Database and Oracle Net Services for Oracle DCE...
Introduction to Oracle DCE Integration Distributed Computing Environment (DCE) from the Open Group is a set of integrated network services that works across multiple systems to provide a distributed environment. The network services include remote procedure calls (RPCs), directory service, security service, threads, distributed file service, diskless support, and distributed time service.
Introduction to Oracle DCE Integration DCE Communication/Security This component has three principal features: Authenticated RPC Oracle DCE Integration provides authenticated Remote Procedure Call (RPC) as the transport mechanism that enables multi-vendor interoperability. RPC also uses some of the other DCE services, including directory and security services, to provide location transparency and secure distributed computing.
Introduction to Oracle DCE Integration The DCE CDS offers a distributed, replicated repository service for name, address, and attributes of objects across the network. Because servers register their name and address information in the CDS, Oracle clients can make location-independent connections to Oracle Database servers.
Configuring DCE for Oracle DCE Integration Only one listener address that uses the DCE protocol is permitted for each node. Database links must specify a user name and password to connect. This release of DCE Integration does not support the Oracle Multi-Protocol Interchange.
Configuring DCE for Oracle DCE Integration Note: Perform this task on the server only once after DCE Integration has been installed. Do not perform this task on client systems. Task 2: Install the Key of the Server into a Keytab File Install the key of the server into a keytab file.
Configuring DCE for Oracle DCE Integration cdscp> create dir /.:/subsys/oracle cdscp> create dir /.:/subsys/oracle/names cdscp> create dir /.:/subsys/oracle/service_registry cdscp> exit Note: The directory /.:/subsys/oracle/names contains objects that map Oracle Net service names to connect descriptors, which are used by the CDS naming adapter. The directory /.:/subsys/oracle/service_registry contains objects that map the service name in DCE addresses to the network endpoint that is used by both DCE protocol...
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration This section describes how to configure an Oracle database server and Oracle Net Services to use Oracle DCE Integration after it has been successfully installed. It contains the following topics: DCE Address Parameters Task 1: Configure the Server...
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Table 10–1 (Cont.) DCE Address Parameters and Definitions Component Description CELL_NAME An optional parameter. If present, it specifies the DCE cell name of the database. If this parameter is not set, the cell name defaults to the local cell (useful for single-cell environments).
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration For servers in distributed systems that require database link connections to other servers, configure the sqlnet.ora and protocol.ora files with DCE address information. Note: In this release, the configuration files listener.ora, sqlnet.ora, tnsnames.ora, and protocol.ora are located in the $ORACLE_HOME/network/admin directory.
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Verify that these lines are in the initialization parameter file: REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX="" Verify that the initialization parameter file does not have a multi-threaded server (MTS) entry for DCE. For example, an entry such as the following is not permitted: mts_dispatchers="(PROTOCOL=dce)(DISPATCHERS=3)"...
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration If connecting to the database across multiple cells, specify both the cell_name and the server_principal, as illustrated in the following: SQL> CREATE USER "CELL_NAME/SERVER_PRINCIPAL" IDENTIFIED EXTERNALLY; SQL> GRANT CREATE SESSION TO "CELL_NAME/SERVER_PRINCIPAL"; You must enclose the externally-identified account name in double quotation marks, because the slash is a reserved character.
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Ensure that the DCE groups that map to Oracle roles adhere to the following syntax: ORA_global_name_role[_[a][d]] Table 10–2 describes the syntax components: Table 10–2 Setting Up External Role Syntax Components Component Definition Designates that this group is used for Oracle purposes...
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Local Groups: 0000000c-01f5-2f72-ba01-02608c2c84f3 none 0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server 00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba 00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d 00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d 00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad Connect to the database as usual. The following sample output lists external roles (DBA, CONNECT, RESOURCE, and ROLE1) that have been mapped to DCE groups: SQL>...
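The group names in the listing above follow the ORA_global_name_role[_[a][d]] syntax given for Table 10–2. The added example below (written for this page; it is not part of Oracle DCE Integration) parses such a group list and reports which Oracle roles, for a given database global name, each group maps to. It assumes, since Table 10–2 is truncated in this excerpt, that the optional "a" suffix marks a role granted with the ADMIN option and "d" marks a default role; the sample group list is constructed from the names shown on the page, and the function names are this example's own.

```python
# Constructed sample based on the "Local Groups" listings on the page.
SAMPLE_LOCAL_GROUPS = [
    "none",
    "subsys/dce/cds-server",
    "ora_dce222_dba",
    "ora_dce222_connect_d",
    "ora_dce222_resource_d",
    "ora_dce222_role1_ad",
    "ora_dce222_dba_ad",
    "ora_dce222_operator_ad",
]

# Optional suffix -> (admin_option, default_role); assumed reading of Table 10-2.
FLAG_SUFFIXES = {"a": (True, False), "d": (False, True), "ad": (True, True)}


def parse_dce_group(group, global_name):
    """Map one DCE group name to an Oracle role for the database `global_name`.

    Returns None when the group is not of the form ora_<global_name>_<role>[_a|_d|_ad]
    (for example the DCE-internal groups in the listing).  Matching is
    case-insensitive; the role is returned upper-cased as Oracle reports it."""
    prefix = "ora_%s_" % global_name.lower()
    if not group.lower().startswith(prefix):
        return None
    rest = group[len(prefix):]
    if not rest:
        return None
    admin = default = False
    head, sep, tail = rest.rpartition("_")
    # Only a trailing a / d / ad segment is a flag; anything else is part of the role name.
    if sep and tail.lower() in FLAG_SUFFIXES and head:
        admin, default = FLAG_SUFFIXES[tail.lower()]
        rest = head
    return {"group": group, "role": rest.upper(),
            "admin_option": admin, "default_role": default}


def roles_from_groups(groups, global_name):
    """Return the parsed role mappings, in listing order, skipping non-Oracle groups."""
    mapped = []
    for group in groups:
        parsed = parse_dce_group(group, global_name)
        if parsed is not None:
            mapped.append(parsed)
    return mapped


if __name__ == "__main__":
    for entry in roles_from_groups(SAMPLE_LOCAL_GROUPS, "dce222"):
        print("%-24s -> %-9s admin=%-5s default=%s" % (
            entry["group"], entry["role"], entry["admin_option"], entry["default_role"]))
```

Comparing this output with the roles the database actually reports after connecting (the SQL query the page refers to) is a quick way to spot a group whose name was mistyped and therefore silently maps to no role.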
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
To configure DCE so that you can connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials, do the following:
Create DCE groups that map to the Oracle DBA and OPERATOR roles.

Group: 0000000c-7e94-21d2-b201-9019b88baa77 none
Local Groups:
0000000c-7e94-21d2-b201-9019b88baa77 none
0000006a-7e94-21d2-ad01-9019b88baa77 subsys/dce/cds-server
00000076-8b53-21d2-9301-9019b88baa77 ora_dce222_dba_ad
00000077-8b53-21d2-9301-9019b88baa77 ora_dce222_operator_ad
Identity Info Expires: 1999-12-04-10:28:22
Account Expires: never
Passwd Expires: never
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_43ae2600
Default principal: oracle@dce.dlsun685.us.oracle.com
Server: krbtgt/dce.dlsun685.us.oracle.com@dce.dlsun685.us.oracle.com
valid 1999-12-04-00:28:22 to 1999-12-04-10:28:22...

Typically, CDS is used for name resolution. Thus, a local naming configuration file (tnsnames.ora) is not used, except when loading names and addresses into CDS. The DCE-specific settings are in protocol.ora and sqlnet.ora.
Parameters in protocol.ora
There are four DCE parameters located in the protocol.ora file. Each parameter...

...greater than the server DCE_PROTECTION level. If this entry is not specified, cell-wide default protection is used. The options follow:
Option | Description
NONE | Perform no protection for the current connection
DEFAULT | Use the default cell-wide protection level
CONNECT | ...

Option | Description
TRUE | The default value. Select TRUE if using just the SERVER_PRINCIPAL format, without the CELL_NAME. An example of a user specified in this format is as follows: oracle
TRUE is an appropriate option if users are making connections within a single cell, or if naming conventions in the network...
See Also: ...DCE Integration installation instructions, and "Task 3: Configure DCE CDS for Use by Oracle DCE Integration" on page 10-6.
For example, a service name such as ORADCE and its network address can be stored in DCE CDS.

Restart CDS on the system. The command to restart CDS varies between operating systems. On the Solaris platform, for example, you can use the following command to restart CDS:
/opt/dcelocal/etc/rc.dce restart
Step 3: Create a tnsnames.ora File for Loading Oracle Connect Descriptors into...

Parameter Name | Type | Mandatory? | Description
SID | Oracle parameter | | Identifies the Oracle system ID; each SID value must be unique on a node. This parameter is used locally only, and is not used in DCE CDS.

Connecting to an Oracle Database Server in the DCE Environment
For a client or server to use DCE CDS Naming, the administrator must do the following:
Ensure that the CDS Naming Adapter has been installed on that node.
Add the following parameter to the sqlnet.ora file:
NAMES.DIRECTORY_PATH=(cds, tnsnames, onames)

Verify that the service has been created by searching for the dce_service_name as follows:
% cdscp show object "/.:/subsys/oracle/service_registry/dce_service_name"
For example, the following command shows you the mapping in the CDS namespace that the listener has chosen for the endpoint:
% cdscp show object "/.:/subsys/oracle/service_registry/dce_svc"...

For example:
% sqlplus /@ORADCE
Connecting to an Oracle Database by Using Password Authentication
From a client, you can still connect with a user name and password:
% sqlplus username/password@net_service_name
where net_service_name is the Oracle Net service name. For example:
% sqlplus scott/tiger@ORADCE
Connecting Clients Outside DCE to Oracle Servers in DCE...
The following files are described:
The listener.ora File
The tnsnames.ora File
The listener.ora File
This file resides on the listener node. It defines listener characteristics and the addresses at which the listener listens. In the following example, each element is displayed on a separate line, to show the file's structure.

(SID_NAME=ORASID)
(ORACLE_HOME=/usr/prod/oracle8))
# For all listeners, the following parameters list sample
# default values.
PASSWORDS_LISTENER=
STARTUP_WAIT_TIME_LISTENER=0
CONNECT_TIMEOUT_LISTENER=10
TRACE_LEVEL_LISTENER=OFF
TRACE_DIRECTORY_LISTENER=/usr/prod/oracle8/network/trace
TRACE_FILE_LISTENER=listener.trc
LOG_DIRECTORY_LISTENER=/usr/prod/oracle8/network/log
LOG_FILE_LISTENER=listener.log
The tnsnames.ora File
This file resides on both the client and the server nodes. It lists the service names and addresses of all services on the network.

To access the DB1 database, a user can use ORATCP to identify the appropriate connect descriptor. For example:
sqlplus scott/tiger@oratcp
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible
Typically, names are resolved into network addresses by CDS. Although the main purpose of the tnsnames.ora file (in the context of native naming adapters) is to...
Part IV Enterprise User Security
This part describes Oracle Database directory and security integration functionality, which enables single sign-on in a client/server environment. It contains the following chapters, which describe how to set up enterprise user security in an Oracle distributed database environment:
Chapter 11, "Getting Started with Enterprise User Security"...

Getting Started with Enterprise User Security
Enterprise User Security, a critical component of Oracle Identity Management, lets you create and administer large numbers of users in a secure, LDAP-compliant directory service. The following topics in this chapter explain what Enterprise User Security is and how it works:
Introduction to Enterprise User Security
About Using Shared Schemas for Enterprise User Security...

Introduction to Enterprise User Security
This section provides an overview of Enterprise User Security, explaining the benefits, how enterprise users access resources across a distributed database system, and how they are authenticated. It contains the following topics:
The Challenges of User Management
Enterprise User Security: The Big Picture
About Enterprise User Security Directory Entries...

Enterprise User Security: The Big Picture
Enterprise User Security addresses user, administrative, and security challenges by relying on the identity management services supplied by Oracle Internet Directory, an LDAP-compliant directory service. Identity management is the process by which the complete security life cycle for network entities is managed in an organization.
Figure 11–1 Enterprise User Security and the Oracle Security Architecture
[Figure not reproduced. Labels: Application Security (Third-Party Applications, Oracle E-Business Suite, Oracle Collaboration Suite, OracleAS Portal, OracleAS Wireless; authorization, responsibilities, S/MIME, roles, auditing, interpersonal rights, privilege groups, file privileges); Oracle Platform Security (JAAS roles)...]
Single password authentication lets users authenticate to multiple databases with a single global password, although each connection requires a unique authentication. The password is securely stored in the centrally located, LDAP-compliant directory, and protected with security mechanisms including encryption and Access Control Lists (ACLs).

About Identity Management Realms
An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. For example, all employees in an enterprise who have access to the intranet may belong to one realm, while all external users who access the public applications of the enterprise may belong to another realm.

...name (DN). When enterprise users log on to a database, the database authenticates those users by using their DN. Enterprise users are defined in the database as global users. Global users can have their own schemas, or they can share a global schema in the databases they access. You can create enterprise users by using the GLOBALLY clause in the CREATE USER statement in two different ways.

See Also:
"Creating New Enterprise Users" on page 13-9
Oracle Database Security Guide for more information about global users.
Oracle Internet Directory Administrator's Guide for information about defining users in the directory.
About Enterprise User Schemas
Enterprise users can retain their individual database schemas (exclusive schemas) or share schemas if the enterprise security administrator maps them to a shared schema.

See Also: "About Using Shared Schemas for Enterprise User Security" on page 11-19 for more information about creating and using shared schemas for enterprise users.
How Enterprise Users Access Database Resources with Database Links
Database links are network objects stored in the local database or in the network definition that identify a remote database, a communication path to that database, and optionally, a username and password.

Table 11–1 Enterprise User Security Authentication: Selection Criteria
Password Authentication | SSL Authentication | Kerberos Authentication
Password-based authentication. | Provides strong authentication over SSL. | Provides strong authentication by using Kerberos, version 5 tickets.
Provides centralized user and password management. | Provides centralized user and PKI... | Provides centralized user and...

Note: Enterprise User Security supports three-tier environments. Oracle Database 10g proxy authentication features enable (i) proxy of user names and passwords through multiple tiers, and (ii) proxy of X.509 certificates and distinguished names through multiple tiers.
The entries described in the following sections can only reside within a realm Oracle Context.
Enterprise Roles
Enterprise users can be assigned an enterprise role, which determines their access privileges on databases. These enterprise roles are stored and managed in a directory.

Figure 11–2 Example of Enterprise Roles
[Figure not reproduced. Labels: Eastern Region (Identity Management Realm); Oracle Context; Acme Widgets (Enterprise Domain); "Registered as members of . . ."; sales_manager (Enterprise Role); manage_leads and bonus_approval (global roles)...]

...enterprise role can be assigned to one or more enterprise users. For example, you could assign the enterprise role sales_manager to a number of enterprise users who hold the same job. This information is protected in the directory, and only a directory administrator can manage users and assign their roles.
Page 299
Introduction to Enterprise User Security "Administering Enterprise Domains" on page 13-15 See Also: Database Server Entries A database server entry (represented as "Sales" in Figure 11–3) contains information about one database server. It is created by the Database Configuration Assistant during database registration.
Page 300
Introduction to Enterprise User Security Figure 11–3 Related Entries in a Realm Oracle Context realm Oracle Users Groups Context Groups OracleDBCreators OracleContextAdmins Sales OracleDBSecurityAdmins Products OracleUserSecurityAdmins (Example Database) OraclePasswordAccessibleDomains User-Schema User Search Base OracleDBAdmins OracleDBSecurity Mapping Group Search Base Group (Example) Networking Services...
Page 301
Introduction to Enterprise User Security See Also: "How Enterprise Users Are Mapped to Schemas" on page 11-20 "Managing Enterprise Domain Database Schema Mappings" page 13-20 Administrative Groups An identity management realm contains administrative groups that are related to Enterprise User Security. Figure 11–3 shows these administrative groups in a realm in the triangle labeled "Groups."...
Introduction to Enterprise User Security Table 11–2 Administrative Groups in a Realm Oracle Context Administrative Group Description DN: (cn=OracleDBCreators,cn=OracleContext...) OracleDBCreators Default owner: OracleContextAdmins (Called "Database Registration Admins" in During default realm Oracle Context creation, Oracle Internet Directory Configuration Release 9.2 and earlier Assistant sets up the following access rights/permissions for these group members: versions of Enterprise Add permission for database service objects in the realm Oracle Context...
About Using Shared Schemas for Enterprise User Security
The following sections describe shared schemas, and how to set them up:
Overview of Shared Schemas Used in Enterprise User Security
How Shared Schemas Are Configured for Enterprise Users
How Enterprise Users Are Mapped to Schemas
Overview of Shared Schemas Used in Enterprise User Security
Users do not necessarily require individual accounts or schemas set up in each...

Each enterprise user can be mapped to a shared schema on each database the user needs to access. The user connects to the shared schema when the user connects to a database. Shared schemas lower the cost of managing users in an enterprise.

...multiple enterprise users (shared schema). The mapping between a single enterprise user and his or her exclusive schema is stored in the database as an association between the user DN and the schema name. The mapping between enterprise users and a shared schema is done in the directory by means of one or more mapping objects.

For example, suppose that Harriet is trying to connect to the HR database, but the database does not find Harriet's exclusive schema (in the database). In this case, the following steps occur:
The HR database looks up a user schema mapping with Harriet's DN in the directory.

See Also: "Task 1: Create Global Schemas and Global Roles in the Database" on page 12-12 for detailed information about how to create shared schemas for enterprise users.
About Using Current User Database Links for Enterprise User Security
Oracle Database supports current user database links over an SSL-authenticated network connection.

...SSL to authenticate to the other databases. To specify as untrusted a database that is part of a trusted enterprise domain, use the PL/SQL package DBMS_DISTRIBUTED_TRUST_ADMIN. To obtain a list of trusted servers, use the TRUSTED_SERVERS view.
Enterprise User Security Deployment Considerations
Consider the following issues before deploying Enterprise User Security:
Security Aspects of Centralizing Security Credentials
Security of Password-Authenticated Enterprise User Database Login Information
Considerations for Defining Database Membership in Enterprise Domains
Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security
Security Aspects of Centralizing Security Credentials...

Security of Password-Authenticated Enterprise User Database Login Information
In all secure password-based authentication methods, a server authenticates a client with a password verifier, typically a hashed version of the password, which must be rigorously protected. Password-based authentication to an Oracle database is no different.

Protecting Database Password Verifiers
The OraclePasswordAccessibleDomains group in each identity management realm is created automatically when the realm is created, and can be managed by using Enterprise Security Manager. Enterprise domains with member databases that must view users' database password verifiers in the directory are placed into this group.

Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security
Enterprise User Security supports the authentication types listed in Table 11–3 for connections between clients, databases, and directories.
Table 11–3 Enterprise User Security: Supported Authentication Types for Connections between Clients, Databases, and Directories
Connection | Supported Authentication Types...

Enterprise User Security Configuration Tasks and Troubleshooting
This chapter describes the sequence of steps involved in configuring Enterprise User Security, from the initial database and directory preparation through connecting to the database as a password-, Kerberos-, or SSL-authenticated enterprise user. A troubleshooting section is also included to help you when testing your Enterprise User Security implementation.
Enterprise User Security Configuration Overview
Regardless of the authentication method you choose—password, SSL, or Kerberos—you must still create the global database objects and configure the identity management realm as described. The primary difference between configuration for the various authentication types lies in the network connection configuration.

Figure 12–1 Enterprise User Security Configuration Flow Chart
[Flow chart not reproduced. Its boxes include: Configuration Started; What OID version and realm Oracle Context version?; ESM: Set Login Name attribute, user and group search bases; ESM: Set DB-OID authentication; DBCA: Register the database; Are you using the default...]

Enterprise User Security Configuration Roadmap
For brevity, some product names and features have been abbreviated in this flow chart. The following table lists the abbreviations used and their meanings:
Abbreviation | Meaning
DBCA | Database Configuration Assistant
ESM | Enterprise Security Manager
IM Realm | Identity Management Realm
Netmgr | Oracle Net Manager...

– "Configuring Enterprise User Security for SSL Authentication" on page 12-21
Preparing the Directory for Enterprise User Security
This is the first phase in configuring Enterprise User Security and must be performed before you can configure any other part of this feature. Enterprise User Security, 10g Release 1 (10.1) requires Oracle Internet Directory, Release 9.0.4 or later, which installs with the required version of the Oracle schema.
Note: By default in a version 9.0.4 identity management realm, the user search base is set to cn=Users,cn=realm_name, the group search base is set to cn=Groups,cn=realm_name, and the attribute for login name is set to the user's id (uid). In previous releases, this used to be cn.

Note: This default realm-wide setting can be overridden on a database by setting the LDAP_DIRECTORY_ACCESS initialization parameter. See Oracle Database Reference for more information about this parameter.
If you are using SSL, then see Oracle Internet Directory Administrator's Guide for information about setting up SSL with two-way authentication for Oracle Internet Directory.

Note: If you are using SSL authentication for your database-to-directory connection, then the SSL port entered in the ldap.ora file must support two-way authentication. This requires a PKI digital certificate and wallet for Oracle Internet Directory.

After creating the wallet, Database Configuration Assistant stores it at ORACLE_HOME/admin/Oracle_SID/wallet in UNIX environments and at ORACLE_BASE\ORACLE_HOME\admin\Oracle_SID\wallet in Windows environments. If a database wallet already exists, then Database Configuration Assistant uses it and updates the wallet password.
Enables auto login for the database wallet.

Choose Finish if you are only registering a database. Choose Next if you want to configure additional database features.
To cancel database registration:
Note: Depending on user permissions, Database Configuration Assistant may be unable to remove a database from its domain in the directory.

Configuring Enterprise User Security Objects in the Database and the Directory
After you have prepared the directory for Enterprise User Security, you can create the Enterprise User Security database and directory objects as described in "Configuring Enterprise User Security Objects in the Database and the Directory" on page 12-11.

If you do not use the OracleDefaultDomain or store your users in an identity management realm Users subtree, then see the following documentation:
Oracle Internet Directory Administrator's Guide for information about creating a new identity management realm or modifying an existing one, and for information about setting access control lists on directory objects.
Alternatively, you can grant the CREATE SESSION privilege to a global role, which you grant to specific users through an enterprise role. See Step 3.
Create global roles for the database to hold relevant privileges. The following syntax examples create the emprole and custrole global roles:
SQL>...

Task 3: Create Enterprise Roles in the Enterprise Domain
Use Enterprise Security Manager to create enterprise roles in the OracleDefaultDomain by using the following steps:
Right-click the OracleDefaultDomain in the navigator pane and choose Create Enterprise Role.

Click OK. Enterprise Security Manager connects to the selected database, fetches the global roles supported on that database, and displays them in the Add Global Database Roles dialog box.
Select one or more global roles and click OK.

For more information about this task, see "Granting Enterprise Roles to Users" on page 13-31.
Task 6: Configure Enterprise User Security for the Authentication Method You Require
Based on the authentication method you have chosen, go to one of the following sections to complete your Enterprise User Security configuration:
"Configuring Enterprise User Security for Password Authentication"...

Configuring Enterprise User Security for Password Authentication
Task 1: (Optional) Enable the Enterprise Domain to Accept Password Authentication
Task 2: Add the Enterprise Domain to the Password-Accessible Domains List
Task 3: Connect as a Password-Authenticated Enterprise User
Task 1: (Optional) Enable the Enterprise Domain to Accept Password Authentication
By default, the OracleDefaultDomain is configured to accept password authentication.
Task 3: Connect as a Password-Authenticated Enterprise User
For an enterprise user whose directory login name is hscortea and whose password is welcome, enter the following to connect to the database by using SQL*Plus:
SQL>...

Configuring Enterprise User Security for Kerberos Authentication
You have prepared your directory by completing the tasks described in "Preparing the Directory for Enterprise User Security" on page 12-5.
You have configured your Enterprise User Security objects in the database and the directory by completing the tasks described in "Configuring Enterprise User Security Objects in the Database and the Directory"...

...Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes" on page 13-5.
Note: By default, the Enterprise Security Manager Console user interface does not display the field where you can configure Kerberos principal names.

If the KDC is part of the operating system, such as Windows 2000 or some versions of Linux or UNIX, then the operating system automatically picks up the user's ticket (with the FORWARDABLE flag set) from the cache when the user logs in. The user connects to the database by launching SQL*Plus and entering the following at the command line:
SQL>...
Configuring Enterprise User Security for SSL Authentication
– Database certificate DN (stored in the database wallet)
– Database directory entry DN
– Database wallet DN (not the certificate)
See "Viewing the Database DN in the Wallet and in the Directory" on page 12-24.
Note that Database Configuration Assistant sets the database directory entry DN and the database wallet DN to be identical when registering the database in the directory.

Click Apply.
For more information about this task, see "Managing Database Security Options for an Enterprise Domain" on page 13-19.
Task 2: Set the LDAP_DIRECTORY_ACCESS Initialization Parameter to SSL
You can change this initialization parameter either by editing your database initialization parameter file, or by issuing an ALTER SYSTEM SQL command with the SET clause.

...client cannot have a wallet location specified there, the server and client cannot share sqlnet.ora files.) If you have a separate client Oracle home, then you do not need to set the TNS_ADMIN environment variable.

Enabling Current User Database Links
To view the database DN so you can request a certificate with the appropriate DN, use one of the following options:
Use Oracle Directory Manager to look in the directory under the realm Oracle Context for cn=<short_database_name>,cn=OracleContext,<realm_DN>...

Troubleshooting Enterprise User Security
This section describes potential problems and associated corrective actions in the following topics:
ORA-# Errors for Password-Authenticated Enterprise Users
ORA-# Errors for Kerberos-Authenticated Enterprise Users
ORA-# Errors for SSL-Authenticated Enterprise Users
NO-GLOBAL-ROLES Checklist
USER-SCHEMA ERROR Checklist
DOMAIN-READ-ERROR Checklist
ORA-# Errors for Password-Authenticated Enterprise Users...
Use Database Configuration Assistant to reset the database password used to authenticate the database to Oracle Internet Directory. This resets it both locally in the database wallet and remotely in the database entry in Oracle Internet Directory.
Check that the database wallet has auto login enabled.

ORA-28272: Domain policy does not allow password-authenticated GLOBAL users
Action: Use Enterprise Security Manager to set the user authentication policy for this enterprise domain to Password or ALL.
ORA-28273: No mapping for user login name to LDAP distinguished name exists
Action: Check the following:
Check that a user entry exists in Oracle Internet Directory for your user.

Use Enterprise Security Manager to check that the user search base containing this user is listed in the user search base attribute of the realm that you are using.
Use Enterprise Security Manager to check that the enterprise domain is in the password accessible domains group.

Cause: Indicates a problem with the connection between the database and the directory.
Action: See the actions listed for resolving "ORA-28030: Problem accessing LDAP directory service" on page 12-26 in the troubleshooting section for password-authenticated enterprise users.
ORA-28271: No permission to read user entry in LDAP directory service
Action: See the actions listed for resolving "ORA-28271: No permission to read...

Check that there is a value for the attribute krbprincipalname in the user entry. If there is no value, then use Oracle Internet Directory Self-Service Console to enter one.
Use Enterprise Security Manager to check that the user search base containing this user is listed in the realm Oracle Context that you are using.

If these values are incorrect, reset the database wallet by using Database Configuration Assistant.
Use the DN and the password returned by mkstore in the following ldapbind:
ldapbind -h <directory host> -p <non-SSL directory port> -D "<database DN>"...

Check that the LDAP_DIRECTORY_ACCESS parameter is set to SSL in the database initialization parameters file.
Check that the database wallet has auto login enabled. Either use Oracle Wallet Manager, or check that there is a cwallet.sso file in $ORACLE_HOME/admin/<ORACLE_SID>/wallet/.

Check that the global role has been created in the database. To create global roles, use the following syntax:
CREATE ROLE <role_name> IDENTIFIED GLOBALLY;
Use Enterprise Security Manager to check that the global role is included in an enterprise role in the directory.

Use the following syntax to view the DN that was used with the CREATE USER statement:
SELECT EXTERNAL_NAME FROM DBA_USERS WHERE USERNAME='<schema>';
If you are using a shared schema, then check the following:
– Use Enterprise Security Manager to ensure that you have created a user-schema mapping either for the entire enterprise domain, or for the database.

Use Enterprise Security Manager to check that the database is a member of exactly one enterprise domain, and add it to one if it is not.
Check that the database can see its domain by entering one of the following at the command line:
–...

– If the database connects to the directory by using password authentication, then use
ldapsearch -h <directory_host> -p <directory_port> -D <database_DN> -w <database_directory_password> -b "cn=OracleContext,<realm_DN>" "objectclass=orclDBEnterpriseRole"
where <database_directory_password> is the password in the database wallet, which is the database's password to Oracle Internet Directory.
Administering Enterprise User Security
This chapter describes how to use Enterprise Security Manager to administer Enterprise User Security in Oracle Databases. This chapter contains the following topics:
Enterprise User Security Administration Tools Overview
Administering Identity Management Realms
Administering Enterprise Users
Administering Enterprise Domains
Administering Enterprise Roles
...
Enterprise User Security Administration Tools Overview
Enterprise Security Manager and Enterprise Security Manager Console are the two main tools provided for administering Enterprise User Security. Use Enterprise Security Manager to create and manage:
Enterprise domains
Enterprise roles
Use Enterprise Security Manager Console to create, manage, and configure:
Enterprise users...
Administering Identity Management Realms
An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. A realm Oracle Context is a subtree in a directory identity management realm that contains the data used by any installed Oracle product that uses the directory.
Identity Management Realm Versions
Enterprise User Security can only use an identity management realm supplied by Oracle Internet Directory 10g (9.0.4) or later, which ships with Oracle Application Server 10g (9.0.4). You can manage Enterprise User Security directory entries in a version 9.0.4 identity management realm by using Enterprise Security Manager for Oracle Database 10g.
Setting Properties of an Identity Management Realm
An identity management realm has a number of properties that can be viewed and managed by using Enterprise Security Manager. These properties are described in Table 13–1.
Table 13–1 Identity Management Realm Properties (columns: Property, Description)
Attribute for Login Name...
In the Realm Information window, enter the appropriate information into the available fields. Click Submit to save your changes to the directory.
Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
Setting the default database-to-directory authentication type enters a value for the LDAP_DIRECTORY_ACCESS initialization parameter.
Managing Identity Management Realm Administrators
An identity management realm contains administrative groups that have varying levels of privileges. The administrative groups for an identity management realm, which pertain to Enterprise User Security, are defined in Table 13–2.
Administering Enterprise Users
Enterprise Security Manager manages one directory server at a time, identified at the top of the main application tree. It lets you manage enterprise users and data that is relevant to Enterprise User Security in the identity management realm. This section describes how to use Enterprise Security Manager to administer enterprise users.
Creating New Enterprise Users
Use Enterprise Security Manager to create users in the directory.
Note: Before creating new enterprise users, you must define the user search base in the directory. See "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes"...
Choose the Users and Groups tab. In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed. In the User subtab window, click Create (located on the upper right corner of the Search Results table).
The enterprise user password is used for:
Directory logon
Database logon, to databases that support password authentication for global users
To set the password for an enterprise user: Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in using your OracleAS Single Sign-On username and password.) Choose the Users and Groups tab.
Figure 13–3 Enterprise Security Manager: Add Enterprise Roles Window
Select the correct identity management realm, then select any enterprise roles in your realm to assign to the new user, and choose OK.
Browsing Users in the Directory
Enterprise Security Manager lets you browse the directory for all users currently stored there in two ways—by using Enterprise Security Manager Console, or by using the All Users tab in the main application window.
A list of all users that match your search criteria displays. You can browse through the displayed users and select one to Edit, Delete, or Assign Privileges. If you need to create a new user, click Create.
To browse enterprise users in the directory by using the All Users tab in the main application window: Select the directory in the left navigator pane.
Table 13–3 Directory Search Criteria (columns: Search Criteria, Effect on the Search)
Base: This is the base entry point in the directory where the search is performed. Only users under this base are returned by the search.
Include Subtrees: This determines whether to show all users found in the entire subtree under the selected base, or to show only those users that exist directly under that base location (one level...
Administering Enterprise Domains
An identity management realm contains an enterprise domain called OracleDefaultDomain. The OracleDefaultDomain is part of the realm when it is first created in the directory. When a new database is registered into a realm, it automatically becomes a member of the OracleDefaultDomain in that realm.
Creating a New Enterprise Domain
If you do not want to use the OracleDefaultDomain, then you can create a new enterprise domain in your identity management realm. To create a new enterprise domain in an identity management realm: Start by using one of the following methods: Select Create Enterprise Domain from the Operations menu.
Select Remove Enterprise Domain from the Operations menu. Select an enterprise domain from the main application tree with a right mouse-click. Enterprise Security Manager asks you to confirm removal of the enterprise domain from the realm. Choose OK to remove it.
Note: You cannot remove an enterprise domain from an identity management realm if that enterprise domain contains any...
To remove a database from an enterprise domain: Select a specific database for removal, and choose Remove. The database is removed from the list. Choose Apply. The database is removed from the enterprise domain.
To add a database to an enterprise domain:
Note: The following restrictions apply to adding databases to an enterprise domain:...
Select a new database to be added to the enterprise domain. Choose OK. The selected database is added to the list of databases in the Databases tabbed window (Figure 13–6). Choose Apply (Figure 13–6). The new database is added to the enterprise domain.
Managing Enterprise Domain Administrators
An Enterprise Domain Administrator is a directory user with privileges to modify the content of that domain. You can use the Administrators tabbed window to manage Enterprise Domain Administrators when an enterprise domain is selected under a realm in the main application tree.
A database can use a schema mapping to share one database schema between multiple directory users. The schema mapping is a pair of values: the base in the directory at which users exist, and the name of the database schema they will use. You can use the Database Schema Mappings tabbed window to manage database schema mappings—when a database is selected under a realm in the main application tree or when a domain is selected.
To add a new mapping to the list of database schema mappings in the enterprise domain: In the Database Schema Mapping tabbed window, choose Add. The Add Database Schema Mappings window appears (Figure 13–9). Use this window to locate and select a base in the directory and pair it with a database schema name, to make a database schema mapping.
Enter the name of the database schema for which this mapping will be made into the Schema field, and choose OK. This must be a valid name, for a schema that already exists on that database. The new database schema mapping appears in the database schema mappings window (Figure 13–8).
Choose the Accessible Domains tabbed window and click Add. The Add Accessible Enterprise Domains dialog box appears. See Figure 13–10 on page 13-24.
Figure 13–10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box
Select the OracleDefaultDomain from the list of enterprise domains, and click OK.
To remove an enterprise domain from the password-accessible domains list: Select the identity management realm in the left navigator pane. Choose the Accessible Domains tabbed window and select the enterprise domain that you want to remove from the list. Click Remove.
See Also: "Creating New Enterprise Users" on page 13-9; "Browsing Users in the Directory" on page 13-12
13-26 Oracle Database Advanced Security Administrator's Guide...
Administering Enterprise Roles
An enterprise domain within an identity management realm can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain. This section describes how to use Enterprise Security Manager to administer enterprise roles in the directory.
Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the identity management realm is already selected.
Select the appropriate enterprise domain for the new enterprise role, from the Enterprise Domain list.
Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the enterprise...
Figure 13–12 Enterprise Security Manager: Database Global Roles Tab
When populating an enterprise role with different database roles, it is only possible to reference roles on databases that are configured to be global roles on those databases. A global role on a database is identical to a normal role, except that the Database Administrator has defined it to be authorized only through the directory.
enabled as its Oracle Net naming method, or if this name appears as a TNS alias in your local Oracle Net configuration. Otherwise, you can overwrite the content of the Service field with any other TNS alias configured for that database, or with a connect string in the format <host>:<port>:<oracle sid>.
Granting Enterprise Roles to Users
You can grant an enterprise role to users in two ways: you can select a user and add a role (see "Defining an Initial Enterprise Role Assignment" on page 13-11), or you can select a role and add a user.
To remove a user from the list of enterprise role grantees: Select a user from the list of grantees in the Users tabbed window. Choose Remove. The selected user is removed from the list. Choose Apply. The user is removed as a grantee for that enterprise role in the enterprise domain.
Part V Appendixes This part contains the following reference appendixes: Appendix A, "Data Encryption and Integrity Parameters" Appendix B, "Authentication Parameters" Appendix C, "Integrating Authentication Devices Using RADIUS" Appendix D, "Oracle Advanced Security FIPS 140-1 Settings" Appendix E, "orapki Utility" Appendix F, "Entrust-Enabled SSL Authentication"...
Data Encryption and Integrity Parameters
This appendix describes the encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients"...
RADIUS
#Radius
sqlnet.authentication_services = (beq, RADIUS )
sqlnet.radius_authentication_timeout = (10)
sqlnet.radius_authentication_retries = (2)
sqlnet.radius_authentication_port = (1645)
sqlnet.radius_send_accounting = OFF
sqlnet.radius_secret = /orant/network/admin/radius.key
sqlnet.radius_authentication = radius.us.oracle.com
sqlnet.radius_challenge_response = OFF
sqlnet.radius_challenge_keyword = challenge
sqlnet.radius_challenge_interface = oracle/net/radius/DefaultRadiusInterface
sqlnet.radius_classpath = /jre1.1/
If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not...
Table A–1 Algorithm Type Selection (columns: Encryption Selected?, Integrity Selected?)
There are three classes of parameters used to enable data encryption and integrity. The first two classes listed here are required and the third (seeding the random key generator) is optional:
Encryption and Integrity Parameters
Seeding the Random Key Generator (Optional)
on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.
Table A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes
Syntax: SQLNET.ENCRYPTION_CLIENT = valid_value
Valid Values: ACCEPTED, REJECTED, REQUESTED, REQUIRED
Default Setting: ACCEPTED
SQLNET.CRYPTO_CHECKSUM_SERVER
This parameter specifies the desired data integrity behavior when a client or another server acting as a client connects to this server.
SQLNET.ENCRYPTION_TYPES_SERVER
This parameter specifies a list of encryption algorithms used by this server, in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found.
SQLNET.ENCRYPTION_TYPES_CLIENT
This parameter specifies a list of encryption algorithms used by this client or server acting as a client. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650.
Table A–8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes
Syntax: SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm])
Valid Values: SHA-1: Secure Hash Algorithm; MD5: Message Digest 5
Default Setting: If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence.
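The level parameters and the algorithm lists described above, as an added example that is not part of the guide: a small Python model of how the SQLNET.ENCRYPTION_CLIENT/SERVER and SQLNET.CRYPTO_CHECKSUM_CLIENT/SERVER pairs settle whether encryption or integrity is on, and how the *_TYPES_* lists then pick one algorithm in the server's stated order. The level matrix follows Oracle's documented ACCEPTED/REJECTED/REQUESTED/REQUIRED behaviour; the installed-algorithm lists and the configuration dictionaries are constructed samples (SHA1 and MD5 are the sqlnet.ora spellings of the SHA-1 and MD5 integrity algorithms), and the DES/DES40 server list is the FIPS setting from Appendix D.

```python
"""Added example, not from the Oracle guide: models how the
SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* level pairs are negotiated
and how the *_TYPES_* lists then pick one algorithm. The level matrix is
Oracle's documented behaviour; the installed-algorithm lists and the
configuration dictionaries are constructed samples."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed sample of what is installed on one side; SHA1/MD5 are the
# sqlnet.ora spellings of the SHA-1 and MD5 integrity algorithms.
SAMPLE_INSTALLED = {
    "ENCRYPTION": ["AES256", "AES128", "3DES168", "DES", "DES40"],
    "CRYPTO_CHECKSUM": ["SHA1", "MD5"],
}


def negotiate_level(client, server):
    """Return True if the service (encryption or integrity) is switched on,
    False if it stays off; raise ConnectionError if the two sides cannot
    agree (one side REJECTED, the other REQUIRED)."""
    c, s = client.upper(), server.upper()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError("invalid level: %r / %r" % (client, server))
    if "REJECTED" in (c, s):
        if "REQUIRED" in (c, s):
            raise ConnectionError("connection fails: REJECTED meets REQUIRED")
        return False                      # the rejecting side wins
    # Nobody rejects: the service is on unless both sides merely ACCEPT.
    return not (c == s == "ACCEPTED")


def parse_list(value):
    """Turn a sqlnet.ora list such as '(AES256, AES128)' into
    ['AES256', 'AES128']; a bare value is a one-element list."""
    inner = value.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [item.strip().upper() for item in inner.split(",") if item.strip()]


def select_algorithm(server_types, client_types, installed):
    """Walk the server list in its stated order of preference and return the
    first entry the client lists too. Naming an algorithm that is not
    installed ends the negotiation with ORA-12650, as does having nothing
    in common."""
    for alg in server_types:
        if alg not in installed:
            raise ConnectionError("ORA-12650: %s is not installed" % alg)
        if alg in client_types:
            return alg
    raise ConnectionError("ORA-12650: no common encryption or data integrity algorithm")


def negotiate(client_cfg, server_cfg, service="ENCRYPTION", installed=SAMPLE_INSTALLED):
    """Both steps for one service. A missing level defaults to ACCEPTED; a
    missing *_TYPES_* list means every installed algorithm, in installed
    order. Returns the chosen algorithm, or None when the service stays off."""
    prefix = "SQLNET.%s_" % service
    on = negotiate_level(client_cfg.get(prefix + "CLIENT", "ACCEPTED"),
                         server_cfg.get(prefix + "SERVER", "ACCEPTED"))
    if not on:
        return None
    everything = "(%s)" % ",".join(installed[service])
    server_types = parse_list(server_cfg.get(prefix + "TYPES_SERVER", everything))
    client_types = parse_list(client_cfg.get(prefix + "TYPES_CLIENT", everything))
    return select_algorithm(server_types, client_types, installed[service])


if __name__ == "__main__":
    server = {"SQLNET.ENCRYPTION_SERVER": "REQUIRED",
              "SQLNET.ENCRYPTION_TYPES_SERVER": "(AES256, AES128)"}
    print(negotiate({}, server))          # AES256: the server's first preference
    fips_server = {"SQLNET.ENCRYPTION_SERVER": "REQUIRED",
                   "SQLNET.ENCRYPTION_TYPES_SERVER": "(DES, DES40)"}
    try:
        negotiate({"SQLNET.ENCRYPTION_TYPES_CLIENT": "(AES256)"}, fips_server)
    except ConnectionError as err:
        print(err)                        # ORA-12650: no common ...
```

A client that leaves everything at its defaults (ACCEPTED, all installed types) gets encryption whenever the server asks for it, which is why the server-side REQUIRED setting is the one that actually enforces the policy; the second case shows that a FIPS server restricted to DES/DES40 simply cannot talk to a client that only offers AES.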
Note: If you use this parameter to seed the random number generator, then Oracle recommends that you enter as many characters as possible, up to 70, to make the resulting key more random and therefore stronger. If you do not use this parameter, the system uses various sources of random numbers, depending on your operating system, to seed the random number generator.
Authentication Parameters
This appendix illustrates some sample configuration files with the profile file (sqlnet.ora) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication. This appendix contains the following topics:
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using RADIUS Authentication
Parameters for Clients and Servers using SSL
Parameters for Clients and Servers using Kerberos Authentication...
Parameters for Clients and Servers using RADIUS Authentication
The following sections describe the parameters for RADIUS authentication:
sqlnet.ora File Parameters
Minimum RADIUS Parameters
Initialization File Parameters
sqlnet.ora File Parameters
SQLNET.AUTHENTICATION_SERVICES
This parameter configures the client or the server to use the RADIUS adapter. Table B–2 describes this parameter's attributes.
Table B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes
Syntax: SQLNET.RADIUS_AUTHENTICATION_PORT=port_number
Default setting: 1645
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
This parameter sets the time to wait for a response. Table B–5 describes this parameter's attributes.
Table B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes
Syntax:...
Table B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes
Syntax: SQLNET.RADIUS_SEND_ACCOUNTING=on
Default setting
SQLNET.RADIUS_SECRET
This parameter specifies the file name and location of the RADIUS secret key. Table B–8 describes this parameter's attributes.
Table B–8 SQLNET.RADIUS_SECRET Parameter Attributes
Syntax:...
SQLNET.RADIUS_ALTERNATE_TIMEOUT
This parameter sets the time to wait for a response from the alternate RADIUS server. Table B–11 describes this parameter's attributes.
Table B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes
Syntax: SQLNET.RADIUS_ALTERNATE_TIMEOUT=time_in_seconds
Default setting
SQLNET.RADIUS_ALTERNATE_RETRIES
This parameter sets the number of times that the alternate RADIUS server re-sends messages.
Table B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes
Syntax: SQLNET.RADIUS_CHALLENGE_KEYWORD=keyword
Default setting: challenge
SQLNET.RADIUS_AUTHENTICATION_INTERFACE
This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B–15 describes this parameter's attributes.
Initialization File Parameters
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
Parameters for Clients and Servers using SSL
There are two ways to configure a parameter:
Static: The name of the parameter that exists in the sqlnet.ora file.
Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.
Example (dynamic): AUTHENTICATION = (TCPS)
Cipher Suite Parameters
This section describes the static and dynamic parameters for configuring cipher suites.
Parameter Name (static): SSL_CIPHER_SUITES
Parameter Name (dynamic): SSL_CIPHER_SUITES
Parameter Type: String LIST
Parameter Class: Static
Permitted Values: Any known SSL cipher suite
Default Value:...
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
Note that the cipher suites that use Advanced Encryption Standard (AES) work with Transport Layer Security (TLS 1.0) only.
SSL Version Parameters
This section describes the static and dynamic parameters for configuring the version of SSL to be used.
Example (dynamic): SSL_VERSION=3.0
SSL Client Authentication Parameters
This section describes the static and dynamic parameters for configuring SSL on the client.
Parameter Name (static): SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic): SSL_CLIENT_AUTHENTICATION
Parameter Type: Boolean
Parameter Class: Static
Permitted Values: TRUE/FALSE
Default Value:...
Purpose: Use this parameter to force the server's distinguished name to match its service name. If you force the match (DN) verification, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection regardless of whether there is a match.
Example:
dbalias=(description=(address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")))
Wallet Location
For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B–17 in each of the following configuration files: sqlnet.ora...
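The cipher suite list, SSL_VERSION, the DN-match check and the dbalias connect descriptor above, as an added example that is not from the guide: a Python parser for the parenthesised Oracle Net syntax (it also handles the nested WALLET_LOCATION form), a review of the SSL settings it finds, and extraction of the server DN a client pins. The sqlnet.ora text, the wallet directory and the host names are constructed samples; the weak-suite markers (anonymous DH, export grade, RC4, DES/DES40, MD5) are this example's own review policy, and the AES/TLS check restates the guide's own caveat.

```python
"""Added example (not from the Oracle guide): parser for the parenthesised
Oracle Net syntax, an SSL settings review, and server-DN extraction.
All configuration text below is a constructed sample."""


def _skip_ws(s, i):
    return len(s) - len(s[i:].lstrip())


def parse_value(s, i=0):
    """Parse one value at s[i]; return (value, next_index). A value is a quoted
    string, a bare token, a comma list '(a, b)' or a run of '(KEY=VALUE)'
    groups (a dict; a key repeated like ADDRESS becomes a list of values)."""
    i = _skip_ws(s, i)
    if i < len(s) and s[i] == '"':
        j = s.index('"', i + 1)
        return s[i + 1:j], j + 1
    if i < len(s) and s[i] == "(":
        k = _skip_ws(s, i + 1)
        while k < len(s) and s[k] not in '=(),"':
            k += 1
        return _parse_groups(s, i) if k < len(s) and s[k] == "=" else _parse_list(s, i)
    j = i
    while j < len(s) and s[j] not in "()," and not s[j].isspace():
        j += 1
    return s[i:j], j


def _parse_list(s, i):
    items, i = [], i + 1                              # step over '('
    while True:
        i = _skip_ws(s, i)
        if s[i] == ")":
            return items, i + 1
        if s[i] == ",":
            i += 1
            continue
        val, i = parse_value(s, i)
        items.append(val)


def _parse_groups(s, i):
    pairs = []
    while True:
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != "(":
            break
        j = s.index("=", i + 1)
        key = s[i + 1:j].strip().upper()
        val, i = parse_value(s, j + 1)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        i += 1
        pairs.append((key, val))
    out = {}
    for key, val in pairs:
        out.setdefault(key, []).append(val)
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}, i


def parse_config(text):
    """'NAME = VALUE' entries; '#' starts a comment; a value may run on over
    following lines until its parentheses balance."""
    params, buf = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):
            continue
        name, _, rest = buf.partition("=")
        params[name.strip().upper()] = parse_value(rest)[0]
        buf = ""
    return params


WEAK_MARKERS = ("DH_ANON", "EXPORT", "RC4", "DES40", "_DES_", "MD5")


def audit_ssl(params):
    """Findings for the SSL parameters of a parsed sqlnet.ora."""
    suites = params.get("SSL_CIPHER_SUITES", [])
    suites = [suites] if isinstance(suites, str) else suites
    findings = []
    for suite in suites:
        hits = [m for m in WEAK_MARKERS if m in suite.upper()]
        if hits:
            findings.append("weak suite %s: %s" % (suite, "/".join(hits)))
    if params.get("SSL_VERSION") == "3.0" and any("AES" in s.upper() for s in suites):
        findings.append("AES suites work with TLS 1.0 only, but SSL_VERSION=3.0")
    if str(params.get("SSL_SERVER_DN_MATCH", "")).upper() not in ("ON", "YES", "TRUE"):
        findings.append("SSL_SERVER_DN_MATCH not enforced: a DN mismatch still connects")
    return findings


def expected_server_dn(alias_text):
    """From a connect descriptor like the appendix's dbalias example: do all
    addresses use TCPS, and which SSL_SERVER_DN does the client pin?"""
    desc = parse_config(alias_text)["DBALIAS"]["DESCRIPTION"]
    addrs = desc["ADDRESS_LIST"]["ADDRESS"]
    addrs = addrs if isinstance(addrs, list) else [addrs]
    return {"tcps_only": all(a["PROTOCOL"].lower() == "tcps" for a in addrs),
            "server_dn": desc.get("SECURITY", {}).get("SSL_SERVER_DN")}


SAMPLE_SQLNET = """
SSL_VERSION = 3.0
SSL_SERVER_DN_MATCH = OFF
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
                     SSL_DH_anon_WITH_DES_CBC_SHA)
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /example/wallet)))
"""
SAMPLE_ALIAS = ('dbalias=(description=(address_list=(address=(protocol=tcps)'
                '(host=hostname)(port=portnum)))(connect_data=(sid=Finance))'
                '(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")))')
```

Running audit_ssl(parse_config(SAMPLE_SQLNET)) reports the RC4/MD5 and anonymous-DH/DES suites, the AES-with-SSL-3.0 mismatch, and the disabled DN match; expected_server_dn(SAMPLE_ALIAS) confirms the alias uses TCPS everywhere and pins CN=Finance,CN=OracleContext,C=US,O=Acme. The parser is deliberately strict about unbalanced parentheses, which is also how the malformed descriptor variants that sometimes circulate in copied configuration files show up.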
Integrating Authentication Devices Using RADIUS This appendix describes how third party authentication vendors customize the RADIUS challenge-response user interface to fit their particular device. This appendix contains the following topics: About the RADIUS Challenge-Response User Interface Customizing the RADIUS Challenge-Response User Interface Chapter 5, "Configuring RADIUS Authentication"...
Customizing the RADIUS Challenge-Response User Interface
You can customize this interface by creating your own class to support the functionality described in Table C–1. You can then open the sqlnet.ora file, look up the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, and replace the name of the class listed there (DefaultRadiusInterface) with the name of the new class you have just created.
Oracle Advanced Security FIPS 140-1 Settings Oracle Advanced Security Release 8.1.6 has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level. This appendix describes the formal configuration required for Oracle Advanced Security to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address: http://csrc.nist.gov/cryptval/140-1/1401val.htm This appendix contains the following topics:...
Configuration Parameters
Configuration parameters are contained in the sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a DBA. The following configuration parameters are described in this appendix:
ENCRYPTION_SERVER
ENCRYPTION_CLIENT
ENCRYPTION_TYPES_SERVER...
The specified algorithm must be installed or the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory:
SQLNET.ENCRYPTION_TYPES_SERVER=(DES|DES40)
Client Encryption Selection List
The ENCRYPTION_TYPES_CLIENT parameter specifies the list of encryption algorithms which the client is prepared to use for the connection with the server.
Post Installation Checks
After the installation, the following permissions must be verified in the operating system: Execute permissions must be set on all Oracle Advanced Security executable files so as to prevent execution of Oracle Advanced Security by users who are unauthorized to do so in accordance with the system security policy.
Physical Security
To comply with FIPS 140-1 Level 2 requirements, tamper-evident seals must be applied to the cover of each machine—to ensure that removal of the cover is detectable.
orapki Utility The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI.
orapki Utility Overview
This command line utility can be used to perform the following tasks:
Creating and viewing signed certificates for testing purposes
Manage Oracle wallets:
– Create and display Oracle wallets
– Add and remove certificate requests
–...
Creating Signed Certificates for Testing Purposes
This command line utility provides a convenient, lightweight way to create signed certificates for testing purposes. The following syntax can be used to create signed certificates and to view certificates:
To create a signed certificate for testing purposes:
orapki cert create [-wallet <wallet_location>] -request <certificate_request_location>...
Managing Oracle Wallets with orapki Utility
The following sections describe the syntax used to create and manage Oracle wallets with the orapki command line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process.
Creating and Viewing Oracle Wallets with orapki
Adding Certificates and Certificate Requests to Oracle Wallets with orapki
Exporting Certificates and Certificate Requests from Oracle Wallets with orapki...
Adding Certificates and Certificate Requests to Oracle Wallets with orapki
To add a certificate request to an Oracle wallet:
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>
This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn).
Exporting Certificates and Certificate Requests from Oracle Wallets with orapki
To export a certificate from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert <certificate_filename>
This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert.
orapki Utility Commands Summary
orapki cert display
Purpose: Use this command to display details of a specific certificate.
Syntax: orapki cert display -cert <certificate_location> [-summary|-complete]
The -cert parameter specifies the location of the certificate you want to display. You can use either the -summary or the -complete parameter to display the following information: –...
with no authentication. See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more information about this port. The -user parameter specifies the username of the directory user who has permission to delete CRLs from the CRL subtree in the directory. The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) that issued the CRL.
orapki crl hash
Purpose: Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.
Syntax: orapki crl hash -crl <crl_filename|URL> [-wallet <wallet_location>] [-symlink|-copy] <crl_directory>...
The -ldap parameter specifies the hostname and SSL port for the directory server from where you want to list CRLs. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more information about this port.
orapki wallet add
Purpose: Use this command to add certificate requests and certificates to an Oracle wallet.
Syntax: To add certificate requests:
orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048>
The -wallet parameter specifies the location of the wallet to which you want to add a certificate request.
user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail.
orapki wallet create
Purpose: Use this command to create an Oracle wallet or to set auto login on for an Oracle...
Syntax: To export a certificate from an Oracle wallet:
orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -cert <certificate_filename>
The -wallet parameter specifies the location of the wallet from which you want to export the certificate. The -dn parameter specifies the distinguished name of the certificate. The -cert parameter specifies the name of the file that contains the exported certificate.
Entrust-Enabled SSL Authentication Entrust Authority (formerly known as Entrust/PKI) is a suite of PKI products provided by Entrust, Inc., that provides certificate generation, certificate revocation, and key and certificate management. Oracle Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle environment security.
Benefits of Entrust-Enabled Oracle Advanced Security
Entrust-enabled Oracle Advanced Security provides:
Enhanced X.509-Based Authentication and Single Sign-On
Integration with Entrust Authority Key Management
Integration with Entrust Authority Certificate Revocation
Note: Oracle Advanced Security has been certified as Entrust-Ready by Entrust, Inc., as of Release 8.1.7.
Required System Components for Entrust-Enabled Oracle Advanced Security
To implement Entrust-enabled Oracle Advanced Security, the following system components are required:
Entrust Authority for Oracle
Entrust Authority Server Login Feature
Entrust Authority IPSec Negotiator Toolkit
In the following sections, the term client refers to a client...
Entrust Authority Security Manager
Entrust Authority Security Manager is the centerpiece of Entrust's PKI technology. It performs core certificate authority, certificate, and user management functions, such as creating users and user profiles containing the user's credentials.
Note: Oracle only supports the use of Entrust-enabled Oracle Advanced Security with versions of Entrust Authority Security...
Entrust Authentication Process Entrust Authority Server Login Feature provides single sign-on by enabling Oracle Database server process access to incoming SSL connections. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust profile on the server for every incoming connection. Contact your Entrust representative to get Entrust Authority Server Login Feature.
Figure F–1 Entrust Authentication Process (diagram showing Entrust Authority Administration, the user's Entrust profile (Entrust Entelligence), the server's Entrust profile (unattended login), the Oracle Client, the Oracle Server, and the Oracle Recovery Catalog)
See Also: "How SSL Works in an Oracle Environment: The SSL Handshake" on page 7-4
Enabling Entrust Authentication
This section describes the following tasks, which are required to configure...
Enabling Entrust Authentication Administrator-Created Entrust Profiles Administrators create Entrust profiles as follows: The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. The Entrust administration documentation for See Also: information about creating Entrust Users The administrator enters the user's name and password. The Entrust Authority creates the profile, or.epf file.
Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL

For Oracle Advanced Security 10g Release 1 (10.1), Entrust support installs in Typical mode. A single Oracle installation supports the use of both Oracle Wallets and Entrust profiles.

See Also: Oracle Database operating system-specific installation documentation...
Configuring Entrust on a Windows Client

If the client resides on a Windows platform, ensure that the Entrust Entelligence Desktop Manager component is installed on the client and perform the following steps to set up the Entrust credentials.

Set the WALLET_LOCATION parameter in the sqlnet.ora file.
Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file:

WALLET_LOCATION =
  (SOURCE =
    (METHOD = ENTR)
    (METHOD_DATA =
      (PROFILE = profile_location)
      (INIFILE = initialization_file_location)))

Set the CLASSPATH environment variable to include the following paths:

$ORACLE_HOME/JRE/lib/rt.jar
$ORACLE_HOME/JRE/lib/i18n.jar...
Note: Ensure that the listener has a TCPS listening endpoint, then start the listener.

Start the Oracle database instance.

Configuring Entrust on a Windows Server

If the server is on a Windows platform, perform the following steps:

See Also: "Required System Components for Entrust-Enabled Oracle Advanced Security"...
Issues and Restrictions that Apply to Entrust-Enabled SSL

Note: For all Windows environments, Oracle Corporation recommends that you do not install Entrust Entelligence Desktop Manager on the server computer.

Creating Entrust-Enabled Database Users

Create global users in the database based on the distinguished name (DN) of each Entrust user.
In addition, the following restrictions apply:

The use of Entrust components for digital signatures in applications based on Oracle is not supported.

The Entrust-enabled Oracle Advanced Security integration is only supported with versions of Entrust Authority Release 6.0 and later running on Oracle Database.
Troubleshooting Entrust In Oracle Advanced Security

Invalid Entrust initialization file specified
Entrust Server Login program has not executed on the server

Action: To get more detail on the Entrust error, turn on tracing for SQL*Plus; the trace output should indicate the Entrust failure code. Enable tracing by specifying the following parameters in the sqlnet.ora file:

On the client:
TRACE_LEVEL_CLIENT=16...
Action: Ensure that the location of the Entrust initialization file is specified in the WALLET_LOCATION parameter in the sqlnet.ora file on the client.

See Also: "Configuring Entrust on a UNIX Client" on page F-8 and "Configuring Entrust on a Windows Client"...
Action: Perform the following tasks to enable tracing on the server:

Choose Control Panel > Services.

In the Services dialog box, double-click OracleTNSListener and change the Log On As from the System Account to the account that is currently logged in.
Search for and locate the string "fail" or "ntz*" function calls. Adjacent to these, error messages are listed that provide details about the problem you are encountering.

General Checklist for Running Entrust on Any Platform

The following items apply to all platforms:

Confirm that the Entrust Authority is online.
Checklist for Entrust Installations on Windows

The following checklist items apply only to Entrust installations on the Windows platform.

Ensure that you are logged into Entrust Entelligence Desktop Manager and retry.

Choose Windows > Control Panel > Services to confirm that the Entrust Login Interface service has started and is running.
Using the User Migration Utility

This chapter describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It contains the following topics:

Benefits of Migrating Local or External Users to Enterprise Users
Introduction to the User Migration Utility
Prerequisites for Performing Migration...
Introduction to the User Migration Utility

Provides the infrastructure to enable single sign-on using X.509v3-compliant certificates, which is typically deployed where end-to-end SSL is required

Enhanced security
Because an enterprise user model is easier to manage, security administrators can perform necessary maintenance changes to user information immediately, so they have better control over access to critical network resources.
Note: After external users are migrated, their external authentication and authorization mechanisms are replaced by directory-based mechanisms. New passwords are randomly generated for migrated users if they are mapped to newly created directory entries.

Bulk User Migration Process Overview

Bulk user migration is a two-phase process.
Step 3: Phase Two (Completing the Migration)

After the interface table user information is checked, in phase two the utility retrieves the information from the table and updates the directory and the database. Depending on whether directory entries exist for migrating users, the utility creates random passwords as follows:

If migrating users are being mapped to newly created directory entries, then the...
Table G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema

Column Name             DataType        Null      Description
USERNAME (Primary Key)  VARCHAR2(30)    NOT NULL  Database user name.
OLD_SCHEMA_TYPE         VARCHAR2(10)    -         Old schema type in the database before migration.
PASSWORD_VERIFIER       VARCHAR2(30)    -         Not used
USERDN                  VARCHAR2(4000)  -         Distinguished Name (DN) of the user in the directory (new or existing).
Which Interface Table Column Values Can Be Modified between Phase One and Phase Two?

After running phase one of the utility, if necessary, enterprise user administrators can change the interface table columns that are listed in Table G–2.
If some users want to retain the objects in their local database schemas and be mapped to a shared schema, then the administrator can manually migrate those objects to the shared schema before performing the bulk user migration. However, when objects are migrated to a shared schema, they are shared among all users who share that new schema.
Prerequisites for Performing Migration

Drops or alters the migrating users' local database schemas. (optional)

Note: In the current release, the utility migrates users with certificate-based authentication and makes them ready for password authentication. Previously SSL-based authenticated users should reset their Oracle database passwords. User wallets are not created as part of this process.
Required Directory Privileges

In addition to the required database privileges, enterprise user administrators must have the directory privileges which allow them to perform the following tasks:

Create entries in the directory under the specified user base and Oracle context location
Browse the user entries under the search bases

Required Setup to Run the User Migration Utility...
User Migration Utility Command Line Syntax

Note: If you plan to use shared schema mapping when migrating users, then you must create the shared schema before running this utility. The same ldap.ora file must be used for both phase one and phase two of a user migration.
Accessing Help for the User Migration Utility

DIRLOCATION=ldap_directory_host:ldap_directory_port
USERSLIST=username1:username2:username3:...
USERSFILE=filename
MAPSCHEMA=[PRIVATE | SHARED]:schema_name
MAPTYPE=[DB | DOMAIN]:[ENTRY | SUBTREE]
CASCADE=[YES | NO]
CONTEXT=user_entries_parent_location
LOGFILE=filename
PARFILE=filename

umu PHASE=TWO
DBADMIN=dba_username:password
ENTADMIN=enterprise_admin_DN:password
DBLOCATION=database_host:database_port:database_sid
DIRLOCATION=ldap_directory_host:ldap_directory_port
LOGFILE=filename
PARFILE=filename

Note: If the enterprise user administrator does not specify the mandatory parameters on the command line, then the utility will prompt the user for those parameters interactively.
User Migration Utility Parameters

The following sections list the available parameter keywords and the values that can be used with them when running this utility. The keywords are not case-sensitive.

Keyword: HELP
Valid Values: YES or NO (These values are not case-sensitive.)
Default Setting:
Syntax Examples: HELP=YES
Description: ...
Syntax Examples: DBLOCATION=my_oracle.us.oracle.com:7777:ora902
Description: Provides the host name, port number, and SID for the database instance.
Restrictions: This parameter is mandatory. The value for this parameter must be the same for both phase one and phase two. The database should be configured for encryption and integrity.
Keyword: ENTADMIN
Valid Values: userDN:password
Default Setting: No default setting.
Syntax Examples: ENTADMIN=cn=janeadmin,dc=acme,dc=com:welcome
Description: User Distinguished Name (UserDN) and the directory password for the enterprise directory administrator with the required privileges for logging in to the directory. UserDN can also be specified within double quotation marks ("...").
Description: Specifies which users are to be migrated. If multiple values are specified for this parameter, then the utility uses the union of these sets of users.
Restrictions: This parameter is mandatory for phase one only, and it is ignored in phase two.
Keyword: MAPSCHEMA
Valid Values: schema_type:schema_name
Schema type can be:
PRIVATE  Retains users' old local schemas. Schema name is ignored when schema type is PRIVATE. No mapping entries are created in the directory.
SHARED   Maps users to a shared schema. Mapping entries are created in the directory.
Keyword: MAPTYPE
Valid Values: mapping_type:mapping_level
Mapping type can be: DB, DOMAIN
Mapping level can be: ENTRY, SUBTREE
Separate mapping type from mapping level with a colon (:). (These values are not case-sensitive.)
Default Setting: DB:ENTRY
Syntax Examples: MAPTYPE=DOMAIN:SUBTREE
Description: Specifies the type of schema mapping that is to be applied when...
Keyword: CASCADE
Valid Values: YES or NO
When users are mapped to a shared schema, the utility tries to drop their local schemas from the database. If this parameter is set to NO, then users are migrated only if they do not own objects in their local schema.
Default Setting: This value is automatically populated from the DEFAULT_ADMIN_CONTEXT setting in the ldap.ora file by default. This places new user entries directly under the Oracle Context's parent entry. In 10g Release 1 (10.1), this is not the preferred location for user entries, so do not use the default setting for this parameter unless it is specifically desired.
User Migration Utility Usage Examples

Description: Specifies a text file which contains a list of these parameters that are intended to be used in a user migration. Each parameter must be listed on a separate line in the file. If a parameter is specified both in the parameter file and on the command line, then the one specified on the command line takes precedence.
parameter, the utility runs phase one using the default value, PRIVATE, so all users' old database schemas and objects are retained.

Migrating Users and Mapping to a Shared Schema

To migrate users and map them to a new shared schema, dropping their old database schemas, set the MAPSCHEMA parameter to SHARED.
Mapping Users to a Shared Schema Using Different CASCADE Options

The CASCADE parameter setting determines whether users' old database schemas are automatically dropped when mapping to a shared schema during migration. CASCADE can be used only when MAPSCHEMA is set to SHARED.

Mapping Users to a Shared Schema with CASCADE=NO

By default, the CASCADE parameter is set to NO.
DBADMIN=system:manager
DIRLOCATION=machine2:636
ENTADMIN="cn=janeadmin":welcome

After phase one completes successfully, the interface table is populated with the user migration information. The administrator can then review the table to confirm its contents. Because the CASCADE parameter is set to YES, all migrated users' old database schemas are automatically dropped, including those of users who own database objects.
Example G–3 Migrating Users with Shared Schema Mapping Using the MAPTYPE Parameter

umu PHASE=ONE
DBLOCATION=machine1:1521:ora_sid
DBADMIN=system:manager
USERS=ALL_EXTERNAL:LIST
USERSLIST=scott1:scott2
MAPSCHEMA=SHARED:schema_32
MAPTYPE=DOMAIN:ENTRY
DIRLOCATION=machine2:636
CONTEXT="c=Users, c=us"
ENTADMIN="cn=janeadmin":welcome

umu PHASE=TWO
DBLOCATION=machine1:1521:ora_sid
DBADMIN=system:manager
DIRLOCATION=machine2:636
ENTADMIN="cn=janeadmin":welcome

About Using the SUBTREE Mapping Level Option

If a user (scott, for example) who is being migrated will have future user entries in a subtree under it, then it makes sense to create a subtree level mapping from this user entry (cn=scott) to a schema.
Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters

It is possible to enter user information and User Migration Utility parameters into a text file and pass the information and parameters to the utility using the PARFILE and USERSFILE parameters.
Example G–6 Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters

umu PHASE=ONE
DBADMIN=system:manager
PARFILE=par.txt
LOGFILE=errorfile2

Note: Although the LOGFILE parameter is specified twice, once in the parameter text file as errorfile1 (shown in Example G–4) and once on the command line as errorfile2 (shown in...
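As an added example (not Oracle's code), the following Python pre-checks a umu parameter set against the rules this appendix states: command-line values override PARFILE values, the mandatory keywords, USERS being phase-one only, CASCADE only with MAPSCHEMA=SHARED, DBLOCATION identical across phases, and masking of the name:password values before they reach a log. FILES and the par.txt contents are constructed stand-ins for the parameter file on disk.

```python
"""Pre-flight checks for User Migration Utility (umu) parameter sets.
Added example, not Oracle's own code: it applies the rules documented
above (case-insensitive keywords, command line overrides PARFILE,
DBLOCATION identical across phases, USERS phase-one only, CASCADE only
with MAPSCHEMA=SHARED) and redacts name:password values before logging.
"""

# Constructed stand-in for the file named by PARFILE= (one keyword per line).
FILES = {
    "par.txt": """\
DBLOCATION=machine1:1521:ora_sid
USERS=ALL_EXTERNAL:LIST
USERSFILE=usrs.txt
MAPSCHEMA=SHARED:schema_32
CASCADE=YES
DIRLOCATION=machine2:636
ENTADMIN="cn=janeadmin":welcome
LOGFILE=errorfile1
""",
}

# Keywords present in both the phase one and the phase two syntax above.
REQUIRED_BOTH = ("DBLOCATION", "DBADMIN", "DIRLOCATION", "ENTADMIN")
# Keywords that appear only in the phase one syntax; phase two ignores them.
PHASE_ONE_ONLY = ("USERS", "USERSLIST", "USERSFILE", "MAPSCHEMA", "MAPTYPE", "CASCADE", "CONTEXT")


def parse_tokens(tokens):
    """Turn KEYWORD=value tokens into a dict keyed by upper-cased keyword."""
    params = {}
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        if "=" not in tok:
            raise ValueError(f"Invalid argument or value : : {tok}")
        key, value = tok.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def resolve(argv, files=FILES):
    """Merge the PARFILE (if any) with the command line; the command line wins."""
    cmdline = parse_tokens(argv)
    merged = {}
    if "PARFILE" in cmdline:
        merged = parse_tokens(files[cmdline["PARFILE"]].splitlines())
    merged.update(cmdline)
    return merged


def validate(params):
    """Return ERROR/WARN messages for one phase's resolved parameter set."""
    phase = params.get("PHASE", "").upper()
    if phase not in ("ONE", "TWO"):
        return ["ERROR: PHASE must be ONE or TWO"]
    msgs = [f"ERROR: {k} missing; the utility would prompt for it"
            for k in REQUIRED_BOTH if k not in params]
    if "DBLOCATION" in params and params["DBLOCATION"].count(":") != 2:
        msgs.append("ERROR: DBLOCATION must be host:port:sid")
    if phase == "TWO":
        return msgs + [f"WARN: {k} is ignored in phase two" for k in PHASE_ONE_ONLY if k in params]
    if "USERS" not in params:
        msgs.append("ERROR: USERS is mandatory for phase one")
    stype, _, sname = params.get("MAPSCHEMA", "PRIVATE").upper().partition(":")
    if stype not in ("PRIVATE", "SHARED"):
        msgs.append("ERROR: MAPSCHEMA type must be PRIVATE or SHARED")
    elif stype == "SHARED" and not sname:
        msgs.append("ERROR: MAPSCHEMA=SHARED needs a schema name")
    if "CASCADE" in params:
        if params["CASCADE"].upper() not in ("YES", "NO"):
            msgs.append("ERROR: CASCADE must be YES or NO")
        if stype != "SHARED":
            msgs.append("ERROR: CASCADE can be used only when MAPSCHEMA is SHARED")
    if "MAPTYPE" in params:
        mtype, _, mlevel = params["MAPTYPE"].upper().partition(":")
        if mtype not in ("DB", "DOMAIN") or mlevel not in ("ENTRY", "SUBTREE"):
            msgs.append("ERROR: MAPTYPE must be [DB | DOMAIN]:[ENTRY | SUBTREE]")
    return msgs


def check_phase_pair(phase_one, phase_two):
    """DBLOCATION must be the same for phase one and phase two."""
    if phase_one.get("DBLOCATION") != phase_two.get("DBLOCATION"):
        return ["ERROR: DBLOCATION differs between phase one and phase two"]
    return []


def redact(params):
    """Mask the password part of name:password values before they are logged."""
    out = dict(params)
    for key in ("DBADMIN", "ENTADMIN"):
        if key in out and ":" in out[key]:
            out[key] = out[key].rpartition(":")[0] + ":********"
    return out
```

Run resolve() on the Example G–6 command line above and validate() the result; with LOGFILE given both in par.txt and on the command line, the resolved set carries errorfile2.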
Troubleshooting Using the User Migration Utility

Database connection failure
Database error: < database_error_message >
Database not in any domain : : DB-NAME = < database_name >
Database not registered with the directory : : DB-NAME = < dbName >
Directory connection failure
Directory error : : <...
Cause: There is no entry for the database in the Oracle context that the ldap.ora file points to.
Action: Use Database Configuration Assistant or Enterprise Security Manager to register the database in the directory.

Directory connection failure
Cause: The utility was unable to connect to the directory.
Getting local host name failed
Interface table creation in SYS schema not allowed
Invalid argument or value : : < argument >
Invalid arguments for the phase
Invalid value : : < user > [ USERSFILE ]
Invalid value : : <...
Check to ensure that the file has the correct permissions so the utility can read it.

Getting local host name failed
Cause: Syntax error. The utility is unable to read the local host name for the database location or the directory location.
Invalid value : : < user > [ USERSFILE ]
Cause: Syntax error. The user that is specified in this error message is invalid because it is not a user in the database that is specified in the DBLOCATION parameter.
Resolving Error Messages Displayed for Phase Two

Most of the error messages that you encounter while running this utility occur in phase one. After phase one has completed successfully, and while phase two is running, the following error may occur:

Database object missing : : TABLE = ORCL_GLOBAL_USR_MIGRATION_DATA...
Action: Specify a different DN for the user.

Common Log Messages for Phase Two

While the utility is running phase two of the migration, messages that indicate a user has not successfully migrated may be written to the log file. After the utility completes phase two, review the log file to check for the following messages:

Attribute exists : : orclPassword
Attribute value missing : : orclPassword...
SCHEMA column of the interface table and run phase two of the utility for this user again.

Create the shared schema in the database and run phase two of the utility for this user again.

Entry found : : DN = <...
Table G–4 (Cont.) Alphabetical Listing of User Migration Utility Error Messages

User Migration Utility Error Message | Phase
Database error: < database_error_message > on page G-27 | Both
Database not in any domain : : DB-NAME = < database_name > on page G-27 | Both
Database not registered with the directory : : DB-NAME = <...
Table G–5 Alphabetical Listing of User Migration Utility Log Messages

User Migration Utility Log Message | Phase
Invalid value : : <interface_table_column_name> = < interface_table_column_value > on page G-34
Multiple entries found : : < nickname_attribute > = < username > on page G-32
No entry found : : DN = <...
Glossary

access control
The ability of a system to grant or limit access to specific data for specific clients or groups of clients.

Access Control Lists (ACLs)
The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both.
authentication
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender).
Cell Directory Services (CDS)
An external naming method that enables users to use Oracle tools transparently and applications to access Oracle databases in a Distributed Computing Environment (DCE).

certificate
An ITU X.509 v3 standard data structure that securely binds an identity to a public key.
provide additional information about the subject identity, such as postal address, or a challenge password by which the subject entity may later request certificate revocation. See PKCS #10

certificate revocation lists (CRLs)
Signed data structures that contain a list of revoked certificates. The authenticity and integrity of the CRL are provided by a digital signature appended to it.
client
A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy).

confidentiality
A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).
form of a URL. CRL DPs allow revocation information within a single certificate authority domain to be posted in multiple CRLs. CRL DPs subdivide revocation information into more manageable pieces to avoid proliferating voluminous CRLs, thereby providing performance benefits. For example, a CRL DP is specified in the certificate and can point to a file on a Web server from which that certificate's revocation information can be downloaded.
A public or private database link from one database to another is created on the local database by a DBA or user. A global database link is created automatically from each database to every other database in a network with Oracle Names. Global database links are stored in the network definition.
Diffie-Hellman key negotiation algorithm
A method that lets two parties communicating over an insecure channel agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications.
domain
Any tree or subtree within the Domain Name System (DNS) namespace. Domain most commonly refers to a group of computers whose host names share a common suffix, the domain name.

Domain Name System (DNS)
A system for naming computers and network services that is organized into a hierarchy of domains.
enterprise user
A user defined and managed in a directory. Each enterprise user has a unique identity across an enterprise.

entry
The building block of a directory; it contains information about an object of interest to directory users.

external authentication
Verification of a user identity by a third-party authentication service, such as Kerberos or RADIUS.
Global Directory Service (GDS)
GDS is the directory service that acts as an agent between DCE CDS and any X.500 directory service. Both GDS and CDS are obsolete; they are only used by DCE.

global role
A role managed in a directory, but its privileges are contained within a single database.
identity management realm
A subtree in Oracle Internet Directory, including not only an Oracle Context, but also additional subtrees for users and groups, each of which is protected with access control lists.

initial ticket
In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets.
Key Distribution Center. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit (okinit is the Oracle version) program for the user's initial ticket. Frequently, the KDC and the Ticket Granting Service are combined into the same entity and are simply referred to as the KDC. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service.
kservice
An arbitrary name of a Kerberos service object.

LDAP
See Lightweight Directory Access Protocol (LDAP)

ldap.ora file
A file created by Oracle Net Configuration Assistant that contains the following directory server access information:
Type of directory server
Location of the directory server
Default identity management realm or Oracle Context (including ports) that the client or server will use

Lightweight Directory Access Protocol (LDAP)
man-in-the-middle A security attack characterized by the third-party, surreptitious interception of a message, wherein the third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and re-transmits it to the originally-intended recipient—all without the knowledge of the legitimate sender and receiver.
client requests a directory lookup of a net service alias, the directory determines that the entry is a net service alias and completes the lookup as if it were actually the entry it is referencing.

net service name
The name used by clients to identify a database server. A net service name is mapped to a port number and protocol.
object class
A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes. All objects associated with the same object class share the same attributes.

Oracle Context
1.
peer identity
SSL connect sessions are between a particular client and a particular server. The identity of the peer may have been established as part of session setup. Peers are identified by X.509 certificate chains.

The Internet Privacy-Enhanced Mail protocols standard, adopted by the Internet Architecture Board to provide secure electronic mail over the Internet.
principal
A string that uniquely identifies a client or server to which a set of Kerberos credentials is assigned. It generally has three parts: kservice/kinstance@REALM. In the case of a user, kservice is the username. See also kservice, kinstance, and realm.

private key
In public-key cryptography, this key is the secret key.
mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the...
schema mapping
See user-schema mapping

Secure Hash Algorithm (SHA)
An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.
service ticket
Trusted information used to authenticate the client. A ticket-granting ticket, which is also known as the initial ticket, is obtained by directly or indirectly running okinit and providing a password, and is used by the client to ask for service tickets.
single sign-on (SSO)
The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication.
System Global Area (SGA)
A group of shared memory structures that contain data and control information for an Oracle instance.

system identifier (SID)
A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the CONNECT_DATA part of the connect descriptor in a tnsnames.ora...
is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified.
Wallet Resource Locator
A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.

Windows NT native authentication
An authentication method that enables a client single login access to a Windows server and a database running on that server.
Do you have a question about the Oracle Database B10772-01 and is the answer not in the manual?