3
Configuring the CyberSAFE Authentication Adapter

This chapter contains information on how to configure Oracle for use with CyberSAFE, as well as a brief overview of the steps you need to follow to configure CyberSAFE to authenticate Oracle users. This information includes the following:

• Section 3.1, "Steps to Perform to Enable CyberSAFE Authentication"
• Section 3.2, "CyberSAFE Configuration Parameters Required on the Oracle Server and Client"
• Section 3.3, "Troubleshooting the Configuration of the CyberSAFE Authentication Adapter"

3.1 Steps to Perform to Enable CyberSAFE Authentication

This section contains information on the following tasks:

Important: You should perform these tasks in the order listed.

1. "Install the CyberSAFE Server on the Machine that will Act as the Authentication Server"
2. "Install the CyberSAFE Challenger Client on the Same Machine that Runs the Oracle Server and the Client"
3. "Install the CyberSAFE Application Security Toolkit on the Client and on the Server"
4. "Configure a Service Principal for an Oracle Server"
5. "Extract the Service Table from CyberSAFE"
6. "Install an Oracle Server"
7. "Install the Oracle Advanced Networking Option"
8. "Configure Net8 and Oracle8 on your Server and Client"
9. "Configure the CyberSAFE Authentication Adapter using the Net8 Assistant"
10. "Create a CyberSAFE User on the Authentication Server"
11. "Create an Externally Authenticated Oracle User on the Oracle Server"
12. "Use kinit on the Client to Get the Initial Ticket for the Kerberos/Oracle User"
13. "Connect to an Oracle Server Authenticated by CyberSAFE"

3.1.1 Install the CyberSAFE Server on the Machine that will Act as the Authentication Server

For information on how to install the CyberSAFE Challenger Master Server on your machine, refer to the CyberSAFE documentation listed in the "Related Publications" section of the Preface of this guide.

3.1.2 Install the CyberSAFE Challenger Client on the Same Machine that Runs the Oracle Server and the Client

For information on installing the CyberSAFE Challenger Client on clients, refer to the CyberSAFE documentation listed in the "Related Publications" section of the Preface of this guide.

3.1.3 Install the CyberSAFE Application Security Toolkit on the Client and on the Server

Install the CyberSAFE Application Security Toolkit on the Oracle client and Oracle server machines.

3.1.4 Configure a Service Principal for an Oracle Server

For the Oracle server to validate the identity of clients, you need to configure a service principal for an Oracle server on the machine running the CyberSAFE Challenger Master Server. Also configure a realm if necessary.

The name of the principal should have the following format:

kservice/kinstance@REALM

where kservice is a string that represents the Oracle service. This may or may not be the same as the database service name; kinstance is typically the fully-qualified name of the machine on which Oracle is running, and REALM is the domain of the server.

Note: kservice is case-sensitive, and REALM must always be capitalized.

Note: The utility names in this section are actual programs that you run. However, the CyberSAFE user name "cyberuser" and realm "SOMECO.COM" are examples only-the actual names will vary.

For example, if kservice is "oracle", and the fully-qualified name of the machine on which Oracle is running is "dbserver.someco.com", and the realm is "SOMECO.COM", the principal name would be:

oracle/dbserver.someco.com@SOMECO.COM





Note:



It is a common convention to use the DNS domain name as the name of the realm. 

  

Run kdb5_edit as root to create the service principal.

# cd /krb5/admin
# ./kdb5_edit

To add a principal called "oracle/dbserver.someco.com@SOMECO.COM" to the list of server principals known by CyberSAFE, from kdb5_edit type the following:

kdb5_edit:  ark oracle/dbserver.someco.com@SOMECO.COM

3.1.5 Extract the Service Table from CyberSAFE

You need to extract a service table from CyberSAFE and copy it to both the Oracle server and CyberSAFE Challenger client machines. For example, to extract a service table for dbserver.someco.com, type the following from kdb5_edit:

kdb5_edit:  xst dbserver.someco.com oracle 
'oracle/dbserver.someco.com@SOMECO.COM' added to keytab 
'WRFILE:dbserver.someco.com-new-srvtab' 
kdb5_edit:  exit
# /krb5/bin/klist -k -t dbserver.someco.com-new-srvtab





Note:



If you do not enter a REALM (in the example, SOMECO.COM) when using xst, kdb5_edit uses the realm of the current host and displays it in the command output, as shown above.

  

After the service table has been extracted, verify that the new entries are in the table in addition to the old entries. If the new entries are not in the service table, or if you need to add additional new entries, use kdb5_edit to append the additional entries.

At this point, you need to move the CyberSAFE service table to the CyberSAFE Challenger client machine. If the service table is on the same machine as the CyberSAFE client, you can simply move it (using a command such as that shown below). If the service table is on a different machine from the CyberSAFE Challenger client, you must transfer the file with a program like FTP. For example, to move it, type the following:

# mv dbserver.someco.com-new-srvtab /krb5/v5srvtab

Remember to transfer the file in binary mode when you use FTP.

3.1.5.1 Ensure that the Oracle Server Can Read the Service Table

Make sure that the owner of the Oracle Server executable can read the service table (in the previous example, /krb5/v5srvtab). Set the file owner to the Oracle user or make the file readable by the group to which Oracle belongs. Do not make the file readable to all users, since this would allow a security breach.

3.1.6 Install an Oracle Server

Install an Oracle server on the same machine that is running the CyberSAFE Challenger client. Refer to your operating system-specific documentation for information.

3.1.7 Install the Oracle Advanced Networking Option

Install the Oracle Advanced Networking Option on your Oracle client and Oracle server machines. Refer to your operating system-specific documentation.

3.1.8 Configure Net8 and Oracle8 on your Server and Client

For information on how to configure Net8 and Oracle8 on servers and clients, see your operating system-specific documentation.

3.1.9 Configure the CyberSAFE Authentication Adapter using the Net8 Assistant

The following steps show you how to use the Net8 Assistant to configure the CyberSAFE authentication adapter. Refer also to the Net8 Assistant on-line HELP system for instructions on how to configure the CyberSAFE Authentication adapter.

Configure Clients, and Servers, to use encryption as follows. Refer to Figure 3-1, "Oracle Net8 Assistant Profile Encryption Tab".

1. Click the Profile folder.
2. Select Advanced Networking Options from the drop-down list box.
3. Click the Encryption tab.
4. Click the Encryption drop-down list box, and click CLIENT or SERVER.
5. Click the Encryption Type drop-down list box, and click one of the following values: requested, required, accepted, rejected.
6. Type between 10 and 70 random characters for the Encryption Seed.
7. Move services to and from the Available Services and Selected Services lists by selecting a service and clicking the arrow keys.

   Figure 3-1 Oracle Net8 Assistant Profile Encryption Tab

   

Next, you must configure an authentication service on your network. Refer to Figure 3-2, "Oracle Net8 Assistant Profile Authentication Tab".

1. Click the Profile folder.
2. Click the Authentication tab.
3. Click to select the authentication service you want from the Available Services list.
4. Click the [<] button to move the service over to the Selected Services list.
5. Repeat steps 4 and 5, above, until you have selected all of your required authentication services.
6. Arrange the selected services in order of desired use. Click on a service to select it, then click [Promote] or [Demote] to arrange the services in the list. For example, put SECURID at the top of the list if you want that service to be the first one used.

   Figure 3-2 Oracle Net8 Assistant Profile Authentication Tab

   

You now must configure the authentication parameters. Refer to Figure 3-3, "Oracle Net8 Assistant Profile Parameter Tab". You must provide the value for only one parameter: GSSAPI Service.

1. Click the Profile folder.
2. Click the Parameter tab.
3. Click the Authentication Service drop-down list box, and select CYBERSAFE.
4. Type the name of the GSSAPI Service in the following format:

   oracle/dbserver.someco.com@SOMECO.COM
   
   
   
   Figure 3-3 Oracle Net8 Assistant Profile Parameter Tab
   
   
   
   

3.1.10 Create a CyberSAFE User on the Authentication Server

Perform the following steps to create Oracle users, so they can be authenticated by the CyberSAFE adapter:

Note: Perform these steps on the authentication server (where the administration tools are installed).

It is assumed that the realm already exists. (Refer to the CyberSAFE documentation listed in the "Preface" if the realm needs to be created.)

Note: The utility names in this section are actual programs that you run. However, the CyberSAFE user name "cyberuser" and realm "SOMECO.COM" are examples only; these may vary among systems.

Run /krb5/admin/kdb5_edit as root on the authentication server to create the new CyberSAFE user, that is, "cyberuser". Type the following:

1. # kdb5_edit
2. kdb5_edit: ank cyberuser
3. Enter password: <password not echoed to screen>
4. Re-enter password for verification: <password...>
5. kdb5_edit: quit

3.1.11 Create an Externally Authenticated Oracle User on the Oracle Server

Run Server Manager to create the Oracle user that corresponds to the CyberSAFE user, and perform the following commands on the Oracle server machine:

SVRMGR> connect internal; 
SVRMGR> create user "CYBERUSER@SOMECO.COM" identified externally; 
SVRMGR> grant create session to "CYBERUSER@SOMECO.COM";

In this example, OS_AUTHENT_PREFIX is set to:

""

When you create the Oracle user, the name must be in upper case and double-quoted. For example:

"CYBERUSER@SOMECO.COM"

3.1.12 Use kinit on the Client to Get the Initial Ticket for the Kerberos/Oracle User

Before users can connect to the database, they need to run kinit on the clients for an initial ticket.

% kinit (user name)
Password for CYBERUSER@US.ORACLE.COM:
<password not echoed to screen>

3.1.12.1 Use klist on the Client to Display Credentials

Users should run klist on the clients to list the tickets currently owned.

% klist

Creation Date	Expiration Date	Service
11-Aug-95 16:29:51	12-Aug-95 00:29:21	krbtgt/SOMECO.COM@SOMECO.COM
11-Aug-95 16:29:51	12-Aug-95 00:29:21	oracledbserver.someco.com@SOMECO.COM

3.1.13 Connect to an Oracle Server Authenticated by CyberSAFE

After running kinit to get an initial ticket, users can connect to an Oracle Server without using a username or password. Enter a command like the following:

%  sqlplus /@service_name

where service_name is a Net8 service name.

For example:

% sqlplus /@npddoc_db

Refer to Chapter 1, "Network Security and Single Sign-On" and to the Oracle8 Distributed Database Systems for more information on external authentication.

3.2 CyberSAFE Configuration Parameters Required on the Oracle Server and Client

This section describes the parameters that need to exist in configuration files on Oracle servers and clients to enable CyberSAFE to authenticate users.

Note: Use the Oracle Net8 Assistant to configure these files.

3.2.1 Oracle Client Configuration Parameters

3.2.1.1 Required SQLNET.ORA Parameters

Make sure the following line is present in the SQLNET.ORA file on the client:

SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)

3.2.2 Oracle Server Configuration Parameters

3.2.2.1 Required SQLNET.ORA Parameters

Make sure the following lines are present in the SQLNET.ORA file on the server.

sqlnet.authentication_services=(CYBERSAFE)
sqlnet.authentication_gssapi_service=oracle/dbserver.someco.com@SOMECO.COM





Note:



You must insert the principal name, using the format described in Section  3.1.4, "Configure a Service Principal for an Oracle Server".

  

3.2.2.2 Required INIT.ORA Parameters

It is strongly recommended that you add the following parameter to the INIT<SID>.ORA file used for the database instance:

REMOTE_OS_AUTHENT=FALSE 

Attention: Setting REMOTE_OS_AUTHENT to TRUE may create a security hole because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).

where <SID> is the database system identifier.

CyberSAFE user names can be long and Oracle user names are limited to 30 characters, so it is strongly recommended that you use the following null value for the value of OS_AUTHENT_PREFIX:

OS_AUTHENT_PREFIX=""

Restart the Oracle server after modifying the configuration files, so the changes will take effect. (For information on how to restart the Oracle server refer to your operating system-specific documentation and to the Oracle8 Administrator's Guide.)

3.3 Troubleshooting the Configuration of the CyberSAFE Authentication Adapter

Following are some common configuration problems and tips to help resolve them:

If you cannot get your ticket-granting ticket using kinit:

• Make sure the default realm is correct by looking at krb.conf.
• Make sure the Challenger Master Server is running on the host specified for the realm.
• Make sure that the Master Server has an entry for your user principal and that the passwords match.
• Make sure the krb.conf and krb.realms files are readable by Oracle.

If you have an initial ticket, but still cannot connect:

• After trying to connect, check for a service ticket.
• Check that the profile (SQLNET.ORA) on the server side has a service name that corresponds to a service known to the CyberSAFE Master Server.
• Check that the clocks on all the involved machines are within a few minutes of each other.

If you have a service ticket and you still cannot connect:

• Check the clocks on the client and server.
• Check that the v5srvtab exists in the correct location and is readable by
  Oracle.
• Check that the v5srvtab has been generated for the service named in the profile (SQLNET.ORA) on the server side.

If everything seems to work fine, but then you issue another query and it fails:

• Check that the initial ticket is forwardable. (You must have been obtained the initial ticket by running kinit -f.)
• Check the expiration date on the credentials.
• If your credentials have expired, close your connection and run kinit to get a new initial ticket.

---