|Oracle Advanced Security Administrator's Guide
Part Number A90150-01
This chapter describes how to configure Oracle Advanced Security for Oracle9i, or for the Oracle9i server, so that CyberSafe TrustBroker, a Kerberos-based authentication server, can be used to authenticate Oracle users. This chapter contains the following topics:
To configure CyberSafe authentication:
Perform this task on the system that functions as the authentication server.
Perform this task on the system that runs the Oracle database server and the client.
Perform this task on both the client and server systems.
For the Oracle database server to validate the identity of clients, configure a service principal for an Oracle database server on the system running the CyberSafe TrustBroker Master Server. If required, also configure a realm.
The name of the principal has the following format: the Oracle service name, a slash, the host name, an at sign, and the realm, as in oracle/dbserver.someco.com@SOMECO.COM. The three parts are:
Service name: A case-sensitive string that represents the Oracle service. This might not be the same as the database service name.
Host name: Typically, this is the fully-qualified name of the system on which Oracle is running.
REALM: The domain name of the server. REALM must always be uppercase, and is typically the DNS domain name. If you do not enter a value for REALM when using kdb5_edit, the realm of the current host is used.
For example, if the Oracle service is oracle, the fully-qualified name of the system on which Oracle is running is dbserver.someco.com, and the realm is SOMECO.COM, the principal name is:
oracle/dbserver.someco.com@SOMECO.COM
Run /krb5/admin/kdb5_edit as root to create the service principal as follows:
# cd /krb5/admin
# ./kdb5_edit
To add a principal named oracle/dbserver.someco.com@SOMECO.COM to the list of server principals known by CyberSafe, enter the following in kdb5_edit:
kdb5_edit: ark oracle/dbserver.someco.com@SOMECO.COM
Extract a service table from CyberSafe and copy it to both the Oracle database server and CyberSafe TrustBroker client systems.
For example, to extract a service table for dbserver.someco.com, perform the following steps.
kdb5_edit: xst dbserver.someco.com oracle
'oracle/dbserver.someco.com@SOMECO.COM' added to keytab 'WRFILE:dbserver.someco.com-new-srvtab'
Use klist to confirm that the key for the service principal was written before moving the file into place:
# /krb5/bin/klist -k -t dbserver.someco.com-new-srvtab
If you do not enter a realm (SOMECO.COM in the example) when using xst, kdb5_edit uses the realm of the current host and displays it in the command output, as shown in the preceding example.
# mv dbserver.someco.com-new-srvtab /krb5/v5srvtab
If the service table is on a different system from the CyberSafe TrustBroker client, transfer the file with a program such as FTP. If using FTP, transfer the file in binary mode. Note that the service table contains the long-term key of the Oracle service principal, and FTP sends both the login credentials and the file contents in the clear, so prefer an encrypted transfer method where one is available and delete any intermediate copies of the file once it is installed.
Ensure that the service table is in the expected location on the Oracle database server (/krb5/v5srvtab). Set the file owner to the Oracle user, or make the file readable by the group to which Oracle belongs. Do not make the file readable to all users: anyone who can read the service table holds the service key, and can decrypt service tickets sent to the database and impersonate the Oracle service to clients.
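The ownership and permission rules above are easy to get wrong when the service table is copied into place by hand. The following shell script is an added example, not part of the Oracle guide or of the CyberSafe product: it installs an extracted service table at its final location with mode 0640, changes ownership when run as root, and refuses to accept a file that is world-readable or group-writable. The user name oracle, the group name dba, and the script file name install_srvtab.sh are placeholders; the destination /krb5/v5srvtab is the location the guide uses.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): install a CyberSafe service table
# on the database server with the ownership and mode the guide calls for, and
# verify that no other user can read it. User/group names are placeholders.

# file_mode FILE
# Print the octal permission bits of FILE (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_srvtab_perms FILE
# Succeed (exit 0) only if FILE is a regular file that grants no permission
# bits to "other" and no write bit to "group". Report the reason on failure.
check_srvtab_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    mode=$(file_mode "$f")
    other=$(( mode % 10 ))          # last octal digit: permissions for everyone else
    group=$(( (mode / 10) % 10 ))   # middle octal digit: permissions for the group
    if [ "$other" -ne 0 ]; then
        echo "$f: mode $mode is readable by all users" >&2
        return 1
    fi
    if [ $(( group & 2 )) -ne 0 ]; then
        echo "$f: mode $mode is group-writable" >&2
        return 1
    fi
    return 0
}

# install_srvtab SRC DST OWNER GROUP
# Copy the extracted service table to DST, restrict it to OWNER and GROUP
# (mode 0640), hand it to OWNER:GROUP when running as root, and then run the
# permission check so a world-readable copy is never left behind.
install_srvtab() {
    src=$1 dst=$2 owner=$3 grp=$4
    # Tighten the umask so a freshly created copy is never readable by others,
    # even for the instant between cp and chmod.
    old_umask=$(umask)
    umask 077
    cp "$src" "$dst"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    chmod 0640 "$dst" || return 1
    # chown requires root; otherwise the file stays owned by the installing user.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$grp" "$dst" || return 1
    fi
    check_srvtab_perms "$dst"
}

# Usage (placeholder names):
#   sh install_srvtab.sh dbserver.someco.com-new-srvtab /krb5/v5srvtab oracle dba
if [ $# -eq 4 ]; then
    install_srvtab "$1" "$2" "$3" "$4"
fi
```

Run it as root on the database server after transferring the extracted file, then list the installed keys with klist -k -t /krb5/v5srvtab as in the extraction step to confirm the right principal is present.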
Install an Oracle database server on the same system that is running the CyberSafe TrustBroker client.
Install CyberSafe, along with Oracle Advanced Security, during a custom installation of Oracle9i. The Oracle Universal Installer guides you through the entire installation process.
Configure Oracle Net and Oracle9i on both the server and client systems.
Perform the following tasks to set parameters in the Oracle database server and client sqlnet.ora files to configure CyberSafe:
To configure CyberSafe authentication service parameters on both the client and the database server:
Insert the principal name, using the format described in Task 4: Configure a Service Principal for an Oracle Database Server.
The sqlnet.ora file is updated with the following entries:
Add the following parameter to the Initialization Parameter File (init.ora). Because CyberSafe user names can be long, and Oracle user names are limited to 30 characters, Oracle Corporation recommends using null for the value of OS_AUTHENT_PREFIX (the default value, OPS$, is prepended to every externally authenticated user name and would consume four of the 30 characters), as follows:
OS_AUTHENT_PREFIX=""
Restart the Oracle database server after modifying the configuration files to enable the changes.
See also: operating system-specific documentation and the Oracle9i Database Administrator's Guide for more information about how to restart the Oracle database server.
For CyberSafe to authenticate Oracle users, you must create them on the CyberSafe authentication server where the administration tools are installed. The following steps assume that the realm already exists.
Run /krb5/admin/kdb5_edit as root on the authentication server to create the new CyberSafe user, such as CYBERUSER.
Enter the following:
<password>(password does not display)
Re-enter password for verification: <password>(password does not display)
See also: CyberSafe documentation listed in Related Documentation for information about creating the realm.
Run SQL*Plus to create the Oracle user, and enter the following commands on the Oracle database server (note that the Oracle user name must be uppercase and enclosed in double quotation marks, because it contains the @ and . characters of the realm). In this example, OS_AUTHENT_PREFIX is set to null, so the Oracle user name is exactly the CyberSafe principal name, including the realm:
SQL> CONNECT / AS SYSDBA;
SQL> CREATE USER "CYBERUSER@SOMECO.COM" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CYBERUSER@SOMECO.COM";
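The naming rule behind these statements (the OS_AUTHENT_PREFIX value, then the CyberSafe principal, in uppercase, within Oracle's 30-character limit) is worth automating so that users whose principal names will not fit are caught before CREATE USER fails, and so that the name in the database matches the principal exactly. The following shell functions are an added example, not from the Oracle guide or from CyberSafe: they derive the externally identified user name for a principal under a given OS_AUTHENT_PREFIX and print the matching CREATE USER and GRANT statements. The script name ext_user.sh and the sample principals are placeholders; OPS$ is Oracle's documented default for OS_AUTHENT_PREFIX and is shown only to contrast with the null prefix the guide recommends.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): map a CyberSafe principal to the
# externally identified Oracle user name and emit the SQL that creates it.

# oracle_ext_user PRINCIPAL [PREFIX]
# Print the Oracle user name that must exist for PRINCIPAL to connect when
# OS_AUTHENT_PREFIX is PREFIX (default: empty, the null value the guide
# recommends). The name is uppercased, as the guide requires, and rejected if
# it exceeds Oracle's 30-character user name limit (ASCII names assumed).
oracle_ext_user() {
    principal=$1
    prefix=${2-}
    name=$(printf '%s%s' "$prefix" "$principal" | tr '[:lower:]' '[:upper:]')
    if [ "${#name}" -gt 30 ]; then
        echo "$name: ${#name} characters exceeds Oracle's 30-character limit" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# create_user_sql PRINCIPAL [PREFIX]
# Print the SQL*Plus statements that create the externally identified user and
# grant it CREATE SESSION only. The name is double-quoted so that the '@' and
# '.' characters are accepted and the case is stored exactly as given.
create_user_sql() {
    name=$(oracle_ext_user "$1" "${2-}") || return 1
    printf 'CREATE USER "%s" IDENTIFIED EXTERNALLY;\n' "$name"
    printf 'GRANT CREATE SESSION TO "%s";\n' "$name"
}

# Usage (placeholder script name):
#   sh ext_user.sh cyberuser@SOMECO.COM          null OS_AUTHENT_PREFIX, as recommended
#   sh ext_user.sh cyberuser@SOMECO.COM 'OPS$'   default prefix, for comparison
if [ $# -ge 1 ]; then
    create_user_sql "$1" "${2-}"
fi
```

With the null prefix, cyberuser@SOMECO.COM maps to "CYBERUSER@SOMECO.COM", the name used in the statements above; with the OPS$ default the same principal needs "OPS$CYBERUSER@SOMECO.COM", and a principal only a few characters longer no longer fits.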
% kinit cyberuser
The system displays the following information:
After running kinit to get an initial ticket, users can connect to an Oracle database server without supplying an Oracle user name or password: the Kerberos ticket, not a password stored in the database, proves their identity. Enter a command similar to the following:
% sqlplus /@net_service_name
where net_service_name is an Oracle Net service name. For example:
% sqlplus /@npddoc_db
This section describes some common configuration problems and explains how to resolve them: