7
Configuring Secure Sockets Layer Authentication

This chapter describes how to use the Secure Sockets Layer (SSL) protocol in Oracle Advanced Security. It contains the following topics:

• SSL in an Oracle Environment

• SSL Beyond an Oracle Environment

• SSL Combined with Other Authentication Methods

• SSL and Firewalls

• SSL Usage Issues

• Enabling SSL

SSL in an Oracle Environment

Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography to provide authentication, encryption, and data integrity in a public-key infrastructure (PKI).

This section discusses the following topics:

• What You Can Do with SSL

• Architecture of SSL in an Oracle Environment

• Components of SSL in an Oracle Environment

• How SSL Works in an Oracle Environment: The SSL Handshake

What You Can Do with SSL

By supporting SSL, Oracle Advanced Security expands its support encryption and data integrity, and provides public key authentication based on the SSL standard.

You can use Oracle Advanced Security SSL functionality to secure communications between clients and servers. You can authenticate:

• Any client or server to one or more Oracle database servers

• An Oracle database server to any client

You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes:

• Only the server authenticates itself to the client

• Both client and server authenticate themselves to each other

• Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself

  See Also: The SSL Protocol, Version 3.0, published by the Internet engineering Task Force, for a more detailed discussion of SSL Chapter 1, Introduction to Oracle Advanced Security, for more information about authentication methods

Architecture of SSL in an Oracle Environment

In an Oracle environment, SSL operates at the Oracle Protocols layer using TCP/IP, as illustrated by Figure 7-1:

Figure 7-1 SSL Architecture in an Oracle Environment

Text description of the illustration ano81014.gif

Components of SSL in an Oracle Environment

The components of SSL in an Oracle environment include the following:

• Certificate Authority

• Certificate

• Wallet

Certificate Authority

A certificate authority (CA) is a trusted third party that certifies the identity of third parties and other entities, such as users, databases, administrators, clients, and servers. The certificate authority verifies the party identity and grants a certificate, signing it with the its private key.

Different CAs may have different identification requirements when issuing certificates. One may require the presentation of a user's driver's license, while others may require notarization of the certificate request form, or fingerprints of the requesting party.

The CA publishes its own certificate, which includes its public key. Each network entity has a list of certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature on the other entity's certificate is from a known, trusted CA.

Network entities can obtain their certificates from the same or different CAs. By default, Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you install a new wallet (See: Wallet).

Certificate

A certificate is created when a party's public key is signed by a trusted certificate authority (CA). A certificate ensures that a party's identification information is correct, and that the public key actually belongs to that party.

A certificate contains the party's name, public key, and an expiration date--as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate.

When a network entity receives a certificate, it verifies that it is a trusted certificate--one issued and signed by a trusted certificate authority. A certificate remains valid until it expires or is sooner terminated.

Wallet

A wallet is a transparent database used to manage authentication data such as keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, each system using SSL has a wallet with an X.509 version 3 certificate, private key, and list of trusted certificates.

Security administrators use the Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, the Oracle Wallet Manager is used to do the following:

• Generate a public-private key pair and create a certificate request for submission to a certificate authority.

• Install a certificate for the identity.

• Configure trusted certificates for the identity.

  Note: Installation of Oracle Advanced Security Release 9.0.1 also installs Oracle Wallet Manager release 2.0 and Oracle Enterprise Login Assistant release 1.0.

  See Also: Chapter 16, Using Oracle Wallet Manager Creating a New Wallet . Managing Trusted Certificates .

How SSL Works in an Oracle Environment: The SSL Handshake

At the commencement of a network connection under SSL, the client and server perform a SSL handshake that includes the following principal tasks:

• The client and server establish which cipher suites to use.

• The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA.

• Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA.

• The client and server exchange key information using public key cryptography; based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this set of session keys and the negotiated cipher suite.

In an Oracle environment, the authentication process consists of the following basic steps:

1. The user initiates a Oracle Net connection to the server by using SSL.

2. SSL performs the handshake between the client and the server.

3. If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database.

SSL Beyond an Oracle Environment

You can use the Oracle Advanced Security SSL feature to secure connections between non-Oracle clients and Oracle database servers. For example, SSL can grant secure access to a client outside an Oracle network to authorized data within the Oracle network.

Figure 7-2 shows how SSL is used to secure connections between Oracle and non-Oracle entities over the Internet. In this example, a Web server runs as an Oracle9i Java client. It receives messages over HTTPS (HTTP secured by SSL), and sends CORBA requests to the Oracle database server over IIOP/SSL (IIOP secured by SSL). In this example, the Web server passes its own certificate to the Oracle server, rather than the certificate of the Web client.

Figure 7-2 Connecting to an Oracle Server over the Internet

Text description of the illustration ano81017.gif

See Also: Oracle9i Enterprise JavaBeans Developer's Guide and Reference, for information about using and configuring IIOP/SSL

SSL Combined with Other Authentication Methods

Because of its implementation architecture, you can configure Oracle Advanced Security to use SSL concurrently with other supported authentication methods, such as Kerberos, RADIUS, or CyberSafe--as discussed in the next sections:

• Architecture: Oracle Advanced Security and SSL

• Using SSL with Other Authentication Methods

Architecture: Oracle Advanced Security and SSL

Figure 7-3 displays the Oracle Advanced Security implementation architecture, which shows that (i) Oracle Advanced Security operates at the session layer on top of SSL, which (ii) uses TCP/IP at the transport layer. This separation of functionality lets you employ SSL concurrently with other supported protocols.

Figure 7-3 SSL in Relation to Oracle Advanced Security

Text description of the illustration ano81015.gif

See Also: Oracle9i Net Services Administrator's Guide, for information about stack communications in an Oracle networking environment

Using SSL with Other Authentication Methods

Figure 7-4 illustrates a configuration in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. In this example, SSL is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client.

Figure 7-4 SSL in Relation to Other Authentication Methods

Text description of the illustration ano81018.gif

1. The client seeks to connect to the Oracle database server.

2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use. See How SSL Works in an Oracle Environment: The SSL Handshake.

3. Once the SSL handshake is successfully completed, the user seeks access to the database.

4. The Oracle database server exchanges the user's authentication information with the authentication server--using a non-SSL authentication method (e.g., Kerberos, CyberSafe, RADIUS).

5. Upon validation by the authentication server, the Oracle database server grants access and authorization to the user.

6. The user accesses the Oracle database securely using SSL.

SSL and Firewalls

Oracle Advanced Security supports two types of firewalls:

• Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor.

• Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall.

When you enable SSL, the stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets.

Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it simply checks the target IP address against its access rules--letting the SSL packet pass through to permitted SSL ports, and rejecting all others.

With the availability of the Oracle Net Firewall Proxy kit, firewall applications can now provide specific support for database network traffic. If the proxy kit is implemented in the firewall, the following processing take place:

• The Net Proxy (a component of the Oracle Net Firewall Proxy kit) must know where to route its traffic.

• The database listener requires access to a certificate in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning the port on which the target database listens to the client. This port must be designated as an SSL port.

• The client communicates on this server-designated port in all subsequent connections.

• The number of ports that are open in the firewall increase as a function of the number of database connections requested. This approach prohibits the database server from using randomly chosen SSL ports, because the SSL ports on the firewall must match those chosen by the database. You can avoid this condition by deploying Oracle Connection Manager, an application included with Oracle Advanced Security Enterprise Edition.

Oracle Connection Manager lets you route client connections over multiple Net Manager protocols. Each client connection request establishes an SSL connection between the client and Oracle Connection Manager, which in turn establishes a TCP/IP connection with the target database. Multiple clients can thus connect to multiple databases behind the firewall, using a single SSL port through the firewall.

Note: Although Oracle Connection Manager can be used to avoid opening up multiple SSL ports through the firewall, consider the following: The internal connection, between Oracle Connection Manager and the database, is not an SSL connection. You should encrypt such connections, using Oracle Advanced Security native encryption. Because such connections do not use SSL, clients cannot use certificate-based authentication.

SSL Usage Issues

Consider the following issues when using SSL:

• SSL use enables authorization retrieval from an LDAP-based directory service. Client-side SSL authentication is required in order to manage enterprise users and their privileges in a directory.

• Because SSL supports both authentication and encryption, the client database server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption).

• Oracle Advanced Security SSL requires Oracle9i; it does not work with earlier database releases.

• Each SSL authentication mode requires unique configuration settings. See: Enabling SSL .

  Note: U.S. government regulations prohibit double encryption. Accordingly, if you configure Oracle Advanced Security to use SSL encryption and another encryption method concurrently, the connection fails (you also cannot configure SSL authentication concurrently with non-SSL authentication). If you configure SSL encryption, you must disable non-SSL encryption. To disable such encryption, see: Disabling Oracle Advanced Security Authentication.

Enabling SSL

To enable SSL:

• Task 1: Install Oracle Advanced Security and Related Products

• Task 2: Configure SSL on the Client

• Task 3: Configure SSL on the Server

• Task 4: Log on to the Database

Task 1: Install Oracle Advanced Security and Related Products

Install Oracle Advanced Security on both the client and server. When you do this, the Oracle Universal Installer automatically installs SSL, Oracle Wallet Manager, and Oracle Enterprise Login Assistant on your system.

See Also: The Oracle9i installation documentation for your platform.

Task 2: Configure SSL on the Client

To configure SSL on the client:

• Step 1: Confirm Wallet Creation

• Step 2: Configure Service Name

• Step 3: Specify Required Client Configuration (Wallet Location)

• Step 4: Set the SSL Cipher Suites on the Client (Optional)

• Step 5: Set the Required SSL Version (Optional)

• Step 6: Set SSL as an Authentication Service (Optional)

• Step 7: Create a Net Service Name that Uses TCP/IP with SSL in the Connect Descriptor

  See Also: Appendix B, Authentication Parameters, for the dynamic parameter names.

Step 1: Confirm Wallet Creation

Before proceeding with the next step, you must confirm that a wallet has been created.

See Also: Chapter 16, Using Oracle Wallet Manager, for general information about wallets Opening an Existing Wallet, for information about opening an existing wallet Creating a New Wallet, for information about creating a new wallet

Step 2: Configure Service Name

Oracle Advanced Security Release 9.0.1 matches the server's global database name against the distinguished name (DN) from the server certificate. This protects against the threat of connections to a server potentially faking its identity, where the server has a valid X.509 v3 certificate, but not the proper certificate for the respective database.

You can control the system's behavior when there is a mismatch between the service name and the DN, by defining the Match server X.509 name in the Oracle Advanced Security SSL Window (Figure 7-5), as described by Step 3, Item 7. This step defines the SSL_SERVER_DN_MATCH parameter, stored in the sqlnet.ora file.

However, before proceeding with Step 3, you must manually edit the tnsnames.ora file to configure the service name, by defining the TNS_SERVER_DN parameter--to include the server DNs to which the client expects possible connections.

Example:

dbalias = (description = address_list = (address = (protocol = tcps)

(host = hostname) (port = portnum)))

(connect_date = (service_name = Finance))

(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme"))

The tnsnames.ora file can be located on the client or in the LDAP directory.

Alternatively, the administrator can ensure that DNs in the certificates from a trusted certificate authority have a common name (CN) that matches the service name.

Oracle recommends that you use Oracle Wallet Manager to remove the trusted certificate in your Oracle wallet associated with each certificate authority that you do not use.

See Also: Table B-22, SSL X.509 Server Match Parameters, for information about the server match parameters Chapter 16, Using Oracle Wallet Manager, for information about using Oracle Wallet Manager

Step 3: Specify Required Client Configuration (Wallet Location)

To specify required configuration parameters for the client:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5):

   Figure 7-5 Oracle Advanced Security SSL Window (Client)

   
   
   Text description of the illustration ssl_client.gif
4. Choose the SSL tab.

5. Select Configure SSL for Client.

6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click Browse to find it by searching the file system.

   Important: There are two occasions during the client and the server configuration when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions. On the occasion described in this section, you set the location of the wallet either by using the Oracle Net Manager or by modifying the sqlnet.ora file. Later, you use the Oracle Wallet Manager. See: Step 1: Create a Database Wallet.

7. From the Match server X.509 name drop-down list, choose one of the following options:
   • Yes: Requires that the server's distinguished name (DN) match its service name. SSL ensures that the certificate is from the server; connections succeed only if there is a match.

   • No (default): SSL checks for a match between the DN and the service name, but does not enforce it. Connections succeed regardless of the outcome, but an error is logged if the match fails.

   • Let Client Decide: Enables the default.

     Note: The following alert appears when you select No: Security Alert Not enforcing the server X.509 name match allows a server to potentially fake its identity. Oracle Corporation recommends selecting YES for this option so that connections are refused when there is a mismatch.

8. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entries:

   SSL_CLIENT_AUTHENTICATION =TRUE
   wallet_location = 
    (SOURCE=
     (METHOD=File)
     (METHOD_DATA=
      (DIRECTORY=wallet_location)))
   
   SSL_SERVER_DN_MATCH=(ON/OFF)
   

Step 4: Set the SSL Cipher Suites on the Client (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.

When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

• The level of security you want to use. For example, triple-DES encryption is stronger than DES.

• The impact on performance. For example, triple-DES encryption is slower than DES.

• Administrative requirements:

  The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.

You typically prioritize cipher suites starting with the strongest and moving to the weakest.

Table 7-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.

Table 7-1 Oracle Advanced Security Cipher Suites

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	3DES EDE CBC	SHA
SSL_RSA_WITH_RC4_128_SHA	RSA	RC4 128	SHA
SSL_RSA_WITH_RC4_128_MD5	RSA	RC4 128	MD5
SSL_RSA_WITH_DES_CBC_SHA	RSA	DES CBC	SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA	DH anon	3DES EDE CBC	SHA
SSL_DH_anon_WITH_RC4_128_MD5	DH anon	RC4 128	MD5
SSL_DH_anon_WITH_DES_CBC_SHA	DH anon	DES CBC	SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

To specify cipher suites for the client:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5).

4. Choose the SSL tab.

5. Select Configure SSL for Client.

6. Choose the Add button; a dialog box displays available cipher suites (Figure 7-6):

   Figure 7-6 SSL Cipher Suites Window

   
   
   Text description of the illustration ssl_suites4.gif
7. Select a suite and choose OK; the Cipher Suite Configuration list is updated (Figure 7-7):

   Figure 7-7 Oracle Advanced Security SSL Window (Client)

   
   
   Text description of the illustration ssl_suites6.gif
8. Use the up and down arrows to prioritize the cipher suites.

9. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
   

Step 5: Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is 0; in Oracle Net Manager, it is Any.

To set the SSL version for the client:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5).

4. Choose the SSL tab.

5. Select Configure SSL for Client.

6. In the Require SSL Version scroll box the default is Any; accept this default or select the SSL version you want to configure.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_VERSION=UNDETERMINED
   

Step 6: Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.

Set this parameter only if both of the following conditions apply:

• You want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.

• You are not using Oracle Net Manager to configure the client or the server.

If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example:

 SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, radius)

If either or both of the above conditions do not apply, do not set this parameter.

Step 7: Create a Net Service Name that Uses TCP/IP with SSL in the Connect Descriptor

The client must be configured with the location of the listener. For an SSL connection, the client must be configured with a TCP/IP with SSL listener protocol address.

See Also: Oracle9i Net Services Administrator's Guide to create a net service name

Task 3: Configure SSL on the Server

During installation, Oracle sets defaults on both the Oracle database server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform these steps:

• Step 1: Confirm Wallet Creation

• Step 2: Specify Required Server Configuration (Wallet Location)

• Step 3: Set the SSL Cipher Suites on the Server (Optional)

• Step 4: Set the Required SSL Version (Optional)

• Step 5: Set SSL Client Authentication (Optional)

• Step 6: Set SSL as an Authentication Service (Optional)

• Step 7: Create Listening Endpoint that Uses TCP/IP with SSL

  See Also: Appendix B, for the dynamic parameter names

Step 1: Confirm Wallet Creation

Before proceeding with the next step, you must confirm that a wallet has been created.

See Also: Chapter 16, Using Oracle Wallet Manager, for general information about wallets Opening an Existing Wallet, for information about opening an existing wallet Creating a New Wallet, for information about creating a new wallet

Step 2: Specify Required Server Configuration (Wallet Location)

To specify required configuration parameters for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5).

4. Choose the SSL tab.

5. Select Configure SSL for Server.

6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click the Browse button to find it by searching the file system.

   Important: There are two occasions during the client and the server configuration process when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions. On the occasion described in this section, you set the location of the wallet either by using Oracle Net Manager or by modifying the sqlnet.ora file. Later, you use the Oracle Wallet Manager. See: Step 1: Create a Database Wallet.

7. Choose File > Save Network Configuration.

   The sqlnet.ora and listener.ora files are updated with the following entries:

   wallet_location = 
    (SOURCE=
     (METHOD=File)
     (METHOD_DATA=
      (DIRECTORY=wallet_location)))
   

Note: The listener uses the wallet defined in listener.ora (it can use any database wallet). When SSL is configured for a server using Net Manager, the wallet location entered into listener.ora is the same as that entered into sqlnet.ora. The location of the listener wallet is not relevant to the Oracle client, because the client is only performing an SSL handshake with the listener. To change the listener wallet location (so that the listener has its own wallet), you can edit listener.ora to enter the new location.

Step 3: Set the SSL Cipher Suites on the Server (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.

When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

• The level of security you want to use. For example, triple-DES encryption is stronger than DES.

• The impact on performance. For example, triple-DES encryption is slower than DES.

• Administrative requirements:

  The cipher suites selected for a server must be compatible with those required by the client.

  You typically prioritize cipher suites starting with the strongest and moving to the weakest.

  Note: In Oracle Advanced Security Release 9.0.1, if you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. See: Step 5: Set SSL Client Authentication (Optional).

Table 7-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.

To specify cipher suites for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5).

4. Choose the SSL tab.

5. Select Configure SSL for Server.

6. Choose the Add button; a dialog box displays available cipher suites (Figure 7-6).

7. Select a suite and choose OK; the Cipher Suite Configuration list is updated (Figure 7-8):

   Figure 7-8 Oracle Advanced Security SSL Window (Server)

   
   
   Text description of the illustration ssl_suites8.gif
8. Use the up and down arrows to prioritize the cipher suites.

9. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
   

Step 4: Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is 0; in Oracle Net Manager, it is Any.

To set the SSL version for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-5).

4. Choose the SSL tab.

5. Select Configure SSL for Server.

6. In the Require SSL Version scroll box the default is Any; accept this default or select the SSL version you want to configure.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_VERSION=UNDETERMINED
   

Note: SSL 2.0 is not supported on the server side.

Step 5: Set SSL Client Authentication (Optional)

The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE.

You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or CyberSafe.

To set this parameter to FALSE:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.

2. In the Navigator window, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-9):

   Figure 7-9 Oracle Advanced Security SSL Window (Server)

   
   
   Text description of the illustration ssl_server2.gif
4. Choose the SSL tab.

5. Select Configure SSL for Server.

6. Deselect Require Client Authentication.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_CLIENT_AUTHENTICATION=FALSE
   

Step 6: Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.

Set this parameter only if both of the following conditions apply:

• You want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.

• You are not using Oracle Net Manager to configure the client or the server.

If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor.

For example:

 SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, radius)

If either or both of the above conditions do not apply, do not set this parameter.

Step 7: Create Listening Endpoint that Uses TCP/IP with SSL

Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora file. Oracle Corporation recommends a port number 2484 for typical Oracle Net clients and 2482 for client connections to Oracle9i JServer.

See Also: Oracle9i Net Services Administrator's Guide.

Task 4: Log on to the Database

If you are using SSL authentication, launch SQL*Plus and enter the following:

CONNECT/@dnet_service_name

If you are not using SSL authentication, launch SQL*Plus and enter the following:

CONNECT username/password@net_service_name