Oracle® Database Advanced Security Administrator's Guide, 11g Release 2 (11.2)
Oracle Corporation, part number E10746-02, released 2009-10-28

G Entrust-Enabled SSL Authentication

Entrust Authority (formerly known as Entrust/PKI) is a suite of PKI products provided by Entrust, Inc., that provides certificate generation, certificate revocation, and key and certificate management. Oracle Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle environment security.

This appendix contains the following topics:

  • Benefits of Entrust-Enabled Oracle Advanced Security

  • Required System Components for Entrust-Enabled Oracle Advanced Security

  • Entrust Authentication Process

  • Enabling Entrust Authentication

  • Issues and Restrictions that Apply to Entrust-Enabled SSL

  • Troubleshooting Entrust In Oracle Advanced Security

G.1 Benefits of Entrust-Enabled Oracle Advanced Security

Entrust-enabled Oracle Advanced Security provides:

G.1.1 Enhanced X.509-Based Authentication and Single Sign-On

Entrust-enabled Oracle Advanced Security supports the use of Entrust credentials for X.509-based authentication and single sign-on. Instead of using an Oracle wallet to hold user PKI credentials, Oracle Advanced Security can access PKI credentials that are created by Entrust Authority and held in an Entrust profile (an .epf file). Users who have deployed Entrust software within their enterprise are able to use it for authentication and single sign-on to Oracle Database.

G.2 Required System Components for Entrust-Enabled Oracle Advanced Security

To implement Entrust-enabled Oracle Advanced Security, the following system components are required:

  • Entrust Authority for Oracle

  • Entrust Authority Server Login Feature

  • Entrust Authority IPSec Negotiator Toolkit

Contact your Entrust representative to get these components.

G.2.1 Entrust Authority for Oracle

Entrust Authority for Oracle requires a database for storing information about Entrust users and the infrastructure, and a Lightweight Directory Access Protocol (LDAP)-compliant directory for information such as user names, public certificates, and certificate revocation lists.

Entrust Authority for Oracle comprises the following software components:

G.2.2 Entrust Authority Server Login Feature

Entrust Authority Server Login Feature is required for single sign-on functionality on servers operating on UNIX platforms.

Entrust Authority Server Login Feature provides single sign-on by allowing the Oracle Database server process to access the server's Entrust profile for incoming SSL connections without an interactive password prompt. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust profile on the server for every incoming connection.

Contact your Entrust representative to get Entrust Authority Server Login Feature.

G.2.3 Entrust Authority IPSec Negotiator Toolkit

The Entrust Authority IPSec Negotiator Toolkit is required on both clients and servers for integrating the Oracle Advanced Security SSL stack with Entrust Authority, enabling SSL authentication to use Entrust profiles.

Contact your Entrust representative to get Entrust Authority IPSec Negotiator Toolkit.

G.3 Entrust Authentication Process

Figure G-1 illustrates the following Entrust authentication process:

  1. The Entrust user on the Oracle client establishes a secure connection with the server using SSL and Entrust credentials.

  2. The Oracle SSL adapter on the server communicates with the Entrust Authority to check the certificate revocation status of the Entrust user.


    Note:

    Figure G-1 does not show the creation of the client and server profiles, which is assumed to have already taken place.

G.4 Enabling Entrust Authentication

This section describes the following tasks, which are required to configure Entrust-enabled Oracle Advanced Security SSL authentication:

G.4.1 Creating Entrust Profiles

This section describes how to create Entrust profiles, which can be created by either administrators or users. On UNIX platforms, administrators create the Entrust profiles for all clients. On Windows platforms, users can create their own Entrust profiles.

G.4.2 Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL

For Oracle Advanced Security 11g Release 2 (11.2), Entrust support installs in Typical mode. A single Oracle installation supports the use of both Oracle Wallets and Entrust profiles.


See Also:

Oracle Database operating system-specific installation documentation

G.4.5 Configuring Entrust on the Server

The steps for configuring Entrust on the server vary according to the type of platform:

G.4.5.1 Configuring Entrust on a UNIX Server

If the server is a UNIX platform, ensure that the Entrust/Server Login Toolkit component is installed on the server and perform the following steps:


See Also:

"Required System Components for Entrust-Enabled Oracle Advanced Security" for information about downloading the Entrust Server Login toolkit.

  1. Stop the Oracle database instance.

  2. Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file:

    WALLET_LOCATION =
      (SOURCE =
          (METHOD = ENTR)
          (METHOD_DATA = 
              (PROFILE = profile_location)
              (INIFILE = initialization_file_location)
          )
      )
    
  3. Set the CLASSPATH environment variable to include the following paths:

$ORACLE_HOME/JRE/lib/rt.jar
$ORACLE_HOME/JRE/lib/i18n.jar
$ORACLE_HOME/jlib/ewt*.jar
$ORACLE_HOME/jlib/help*.jar
$ORACLE_HOME/jlib/share*.jar
$ORACLE_HOME/jlib/swingall*.jar
$ORACLE_HOME/network/jlib/netentrust.jar
  4. Run the etbinder command to create the unattended login credentials (.ual file) by using the following steps:

    1. Set the PATH environment variable to include the path to the etbinder command, which is located in the /bin directory where the Server Login Toolkit is installed.

    2. Set the LD_LIBRARY_PATH to include the path to the Entrust libraries.

    3. Set the SSL_ENTRUST_INI environment variable to include the full path to the Entrust initialization file.

    4. Enter the command as follows:

      etbinder
      
    5. When prompted to enter the location of the profile file, enter the full path name, including the name of the file. Then, when prompted, type in the password.

      A message displays indicating that the credentials file (filename.ual) has been created.


      Note:

      Ensure that the listener has a TCPS listening endpoint, then start the listener.

  5. Start the Oracle database instance.

G.4.5.2 Configuring Entrust on a Windows Server

If the server is on a Windows platform, perform the following steps:


See Also:

"Required System Components for Entrust-Enabled Oracle Advanced Security" for information about downloading Entrust Entelligence Desktop Manager.

  1. Stop the Oracle database instance.

  2. Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file:

    WALLET_LOCATION =
      (SOURCE =
          (METHOD = ENTR)
          (METHOD_DATA = 
              (PROFILE = profile_location)
              (INIFILE = initialization_file_location)
          )
      )

  3. Run the Entrust binder command to create the unattended login credentials, which are files with a .ual extension. Ensure that the owner of the .ual file is the same as the owner of the Oracle service.

    To run the binder command, select Start, Programs, Entrust Toolkit, Server Login, Entrust Binder.

    Enter the path to the profile, the password, and the path to the Entrust initialization file. A message informs you that you have successfully created a credential file.

  4. Start the Oracle database instance.


    Note:

    For all Windows environments, Oracle recommends that you do not install Entrust Entelligence Desktop Manager on the server computer.

G.4.6 Creating Entrust-Enabled Database Users

Create global users in the database based on the distinguished name (DN) of each Entrust user.

For example:

SQL> create user jdoe identified globally as 'cn=jdoe,o=oracle,c=us';

where "cn=jdoe,o=oracle,c=us" is the Entrust distinguished name of the user.

G.4.7 Logging Into the Database Using Entrust-Enabled SSL

  1. Use SQL*Plus to connect to the Oracle instance as follows:

    sqlplus /@net_service_name
    

    where net_service_name is the service name of the Oracle instance.

    The Entrust_Login dialog box is displayed.

  2. Enter the path to the profile and the password.

  3. If you did not specify the Entrust initialization file in the WALLET_LOCATION parameter, you are prompted to enter the path to it.


    Note:

    Oracle recommends that the initialization file be specified in the WALLET_LOCATION parameter.

G.5 Issues and Restrictions that Apply to Entrust-Enabled SSL

An application must be specifically modified to work with Entrust. If a product is designated as Entrust-ready, then it has been integrated with Entrust by using an Entrust toolkit.

For example, Oracle has modified its SSL libraries to access an Entrust profile instead of an Oracle wallet.

In addition, the following restrictions apply:

  • The use of Entrust components for digital signatures in applications based on Oracle is not supported.

  • The Entrust-enabled Oracle Advanced Security integration is only supported with versions of Entrust Authority Release 6.0 and later running on Oracle Database.

  • The use of earlier releases of Entrust Authority with Entrust-enabled Oracle Advanced Security is not supported.

  • Interoperability between Entrust and non-Entrust PKIs is not supported.

  • Entrust has certified Oracle Internet Directory version 2.1.1 for Release 8.1.7 and subsequent releases.

G.6 Troubleshooting Entrust In Oracle Advanced Security

This section describes how to diagnose errors returned from Entrust to Oracle Advanced Security users.


Note:

Entrust returns the following generic error message to Oracle Advanced Security users:

ORA-28890 "Entrust Login Failed"

This troubleshooting section describes how to get more details about the underlying error, and how to diagnose the problem.


G.6.1 Error Messages Returned When Running Entrust on Any Platform

You may encounter the following error messages regardless of what platform you are running Entrust on.

G.6.2 Error Messages Returned When Running Entrust on Windows Platforms

You may encounter the following error messages if you are running Entrust on a Windows platform.

TNS-12560: TNS protocol adapter error
TNS-00558: Entrust Login Failed
ORACLE SERVER (host_name)

This error may occur in the listener.log file on the server when you attempt to log in to Entrust.
Cause: If you configure the client by making the following recommended changes:
  • Remove the .ual file

  • De-install the Server Login

  • Specify the Entrust initialization file location in the SSL_ENTRUST_INI_FILE parameter in the client sqlnet.ora file

then the server may not be able to authenticate the client when you enter the following command:

sqlplus /@net_service_name
Action: Perform the following tasks to enable tracing on the server:
  1. Select Control Panel, then Services.

  2. In the Services dialog box, double click OracleTNSListener and change the Log On As from the System Account to the account that is currently logged in. This enables the server process to read the .ual file. Click OK to make the change and you are returned to the Services dialog box.

    In the Services dialog box, make the same changes for OracleService.

  3. Make the following changes to the listener.ora file:

    • Specify only TCPS as the PROTOCOL in the listener ADDRESS. For example, change all of the PROTOCOL definitions to TCPS as follows:

      listener_name=
         (DESCRIPTION=
            (ADDRESS=(PROTOCOL=TCPS) (KEY=extproc0))
            (ADDRESS=(PROTOCOL=TCPS) (HOST=sales-pc) (PORT=1521)))
      

      Bringing up the listener only using TCPS will show whether there is a problem accessing the Entrust profile when you turn on tracing.

    • Set the SSL_CLIENT_AUTHENTICATION parameter to FALSE as follows:

      SSL_CLIENT_AUTHENTICATION=FALSE
      
    • Turn on tracing by setting the following parameters:

      TRACE_LEVEL_LISTENER=16
      TRACE_DIRECTORY_LISTENER=C:\temp
      

      The trace file is created in the C:\temp directory.

  4. Make the following changes to the sqlnet.ora file to turn on tracing:

    TRACE_LEVEL_SERVER=16
    TRACE_DIRECTORY_SERVER=C:\temp
    

    The trace file is created in the C:\temp directory.

  5. Ensure that Entrust Entelligence Desktop Manager is not installed on the server.

Search for and locate the string fail or ntz* function calls. Adjacent to these, error messages are listed that provide details about the problem you are encountering.
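The search the preceding paragraph describes, as an added example that is not part of the Oracle manual: a Python triage routine that scans trace lines for "fail" and for ntz* function calls, keeps the neighbouring lines, and pulls out any ORA-/TNS- error codes found beside them, which is the detail the generic ORA-28890 does not give. The trace lines below are a constructed sample and the ntz function name in them is illustrative; the real format and function names are whatever your server writes.

```python
import re

# The manual says to search the trace for "fail" and for ntz* function calls and to read the
# messages adjacent to them; these patterns do that, and _CODE picks out ORA-/TNS- codes nearby.
_HIT = re.compile(r"\bfail\w*|\bntz\w*", re.IGNORECASE)
_CODE = re.compile(r"\b(?:ORA|TNS)-\d{5}\b")


def triage_trace(lines, context=2):
    """One record per matching line: its number, its text, the surrounding lines and any
    ORA-/TNS- codes found in that window."""
    records = []
    for i, line in enumerate(lines):
        if not _HIT.search(line):
            continue
        lo, hi = max(0, i - context), min(len(lines), i + context + 1)
        window = [l.rstrip() for l in lines[lo:hi]]
        codes = sorted({c for l in window for c in _CODE.findall(l)})
        records.append({"line_no": i + 1, "line": line.strip(), "context": window, "codes": codes})
    return records


def error_codes(lines, context=2):
    """All ORA-/TNS- codes seen next to a hit, deduplicated: the short answer to 'what failed?'."""
    return sorted({c for rec in triage_trace(lines, context) for c in rec["codes"]})


# Constructed sample trace lines; the ntz function name is illustrative, not a real excerpt.
SAMPLE_TRACE = """\
[12-OCT-2009 10:15:02:345] nsopen: opening transport
[12-OCT-2009 10:15:02:346] ntzopen: entry
[12-OCT-2009 10:15:02:391] ntzopen: failed to open Entrust profile /u01/app/oracle/entrust/server.epf
[12-OCT-2009 10:15:02:392] ntzopen: exit
[12-OCT-2009 10:15:02:393] nserror: nsres: id=0, op=65, ns=12560, ns2=0
[12-OCT-2009 10:15:02:394] nserror: TNS-00558: Entrust Login Failed
[12-OCT-2009 10:15:02:395] nsclose: closing transport""".splitlines()

if __name__ == "__main__":
    for rec in triage_trace(SAMPLE_TRACE):
        print("line %d: %s  codes=%s" % (rec["line_no"], rec["line"], rec["codes"]))
```

Run it over the file written to TRACE_DIRECTORY_LISTENER or TRACE_DIRECTORY_SERVER, for example `triage_trace(open(path).readlines())`. A hit with an empty codes list still tells you where the SSL adapter stopped, and its context lines carry the Entrust message itself.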

G.6.3 General Checklist for Running Entrust on Any Platform

The following items apply to all platforms:

  1. Confirm that the Entrust Authority is online.

  2. Confirm that the .ual file is generated. These files are created for unattended login credentials.


    Note:

    Oracle recommends that you generate an unattended login credential file (.ual file) for the server only. If you generate a .ual file for the server only, then when users attempt to log in, they are presented a GUI that prompts them for their password and their Entrust profile name. After users supply this information, the connection request is forwarded to the Entrust server, which looks up the revocation file and the .ual file to determine the permissions for granting the request.

  3. Confirm that the Entrust initialization file contains the following entry in the first section that specifies the Entrust Settings:

    IdentityLibrary=location
    

    The full path to the location of the libidapi.so file should be specified in the IdentityLibrary parameter. This parameter setting enables generating a.ual file on the server.

  4. Ensure that all Entrust toolkits, including the Entrust IPSEC Negotiator toolkit and the Server Login toolkit, are the same version so they are compatible.

  5. Ensure that you have specified TCP/IP with SSL in the SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file as shown in the following example:

    SQLNET.AUTHENTICATION_SERVICES=(tcps, authentication_type1, authentication_type2)
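
As an added example that serves both the server procedure in "Configuring Entrust on the Server" and this checklist (it is not code from the Oracle manual or from Entrust): a Python checker that parses the parenthesised sqlnet.ora and listener.ora syntax and verifies that WALLET_LOCATION uses METHOD = ENTR with both PROFILE and INIFILE in each file, that SQLNET.AUTHENTICATION_SERVICES includes tcps, and that the listener has a TCPS endpoint. ual_findings() applies the .ual ownership rule from the Windows procedure to os.stat() values. The file contents are constructed samples with invented paths, and the requirement that the .ual file be mode 0600 is this example's own recommendation, not something the manual states.

```python
import re
import stat

# Oracle Net syntax tokens: '(', ')', '=', ',' and bare words; values containing spaces are not handled.
_TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,#]+")

def _add(d, key, val):
    """Store key=val; a repeated key (such as several ADDRESS entries) becomes a list."""
    if key in d:
        d[key] = (d[key] if isinstance(d[key], list) else [d[key]]) + [val]
    else:
        d[key] = val

def parse_net_file(text):
    """Parse sqlnet.ora / listener.ora text into nested dicts; keys are upper-cased."""
    toks, pos = [t for line in text.splitlines() for t in _TOKEN.findall(line.split("#", 1)[0])], 0

    def parse_value():
        nonlocal pos
        if toks[pos] != "(":                         # bare scalar
            pos += 1
            return toks[pos - 1]
        if toks[pos + 2] != "=":                     # (a, b, c): list of scalars
            end = toks.index(")", pos)
            items = [t for t in toks[pos + 1:end] if t != ","]
            pos = end + 1
            return items
        group = {}                                   # one or more (KEY = value) groups
        while pos < len(toks) and toks[pos] == "(":
            key = toks[pos + 1].upper()
            if toks[pos + 2] != "=":
                raise ValueError("expected '=' after %s" % key)
            pos += 3
            _add(group, key, parse_value())
            if toks[pos] != ")":
                raise ValueError("expected ')' after %s" % key)
            pos += 1
        return group

    result = {}
    while pos < len(toks):
        key = toks[pos].upper()
        if toks[pos + 1] != "=":
            raise ValueError("expected '=' after %s" % key)
        pos += 2
        _add(result, key, parse_value())
    return result

def _protocols(node):
    """Yield every PROTOCOL value found anywhere in a parsed listener.ora."""
    if isinstance(node, dict) and isinstance(node.get("PROTOCOL"), str):
        yield node["PROTOCOL"]
    for child in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else []):
        yield from _protocols(child)

def check_entrust_server_config(sqlnet_text, listener_text):
    """Return a list of findings; an empty list means the checked settings are in place."""
    findings = []
    sqlnet, listener = parse_net_file(sqlnet_text), parse_net_file(listener_text)
    for name, cfg in (("sqlnet.ora", sqlnet), ("listener.ora", listener)):
        wl = cfg.get("WALLET_LOCATION")
        src = wl.get("SOURCE") if isinstance(wl, dict) else None
        if not isinstance(src, dict):
            findings.append("%s: WALLET_LOCATION has no SOURCE section" % name)
            continue
        if str(src.get("METHOD", "")).upper() != "ENTR":   # ENTR selects the Entrust profile
            findings.append("%s: METHOD is %r, expected ENTR" % (name, src.get("METHOD")))
        data = src.get("METHOD_DATA")
        for key in ("PROFILE", "INIFILE"):
            if not isinstance(data, dict) or key not in data:
                findings.append("%s: METHOD_DATA lacks %s" % (name, key))
    auth = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if "TCPS" not in {a.upper() for a in ([auth] if isinstance(auth, str) else auth)}:
        findings.append("sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES does not include tcps")
    if "TCPS" not in {p.upper() for p in _protocols(listener)}:
        findings.append("listener.ora: no ADDRESS with PROTOCOL=TCPS")
    return findings

def ual_findings(st_mode, st_uid, service_uid):
    """Check a .ual file from os.stat() values (owner rule from the manual; 0600 is this example's own)."""
    out = []
    if st_uid != service_uid:
        out.append("ual: owner uid %d differs from service owner uid %d" % (st_uid, service_uid))
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):      # the file stands in for the profile password
        out.append("ual: mode %o grants group/other access" % stat.S_IMODE(st_mode))
    return out

# Constructed sample files with invented paths; the weak pair uses an Oracle wallet instead of the
# Entrust profile, offers no tcps authentication service and has no TCPS listener endpoint.
GOOD_SQLNET = """SQLNET.AUTHENTICATION_SERVICES = (tcps, beq)
WALLET_LOCATION = (SOURCE = (METHOD = ENTR) (METHOD_DATA =
  (PROFILE = /u01/app/oracle/entrust/server.epf) (INIFILE = /u01/app/oracle/entrust/entrust.ini)))"""
GOOD_LISTENER = """LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
WALLET_LOCATION = (SOURCE = (METHOD = ENTR) (METHOD_DATA =
  (PROFILE = /u01/app/oracle/entrust/server.epf) (INIFILE = /u01/app/oracle/entrust/entrust.ini)))"""
WEAK_SQLNET = """SQLNET.AUTHENTICATION_SERVICES = (beq)
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))"""
WEAK_LISTENER = "LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))"
```

For the .ual check pass the stat of the real file, for example `st = os.stat(path); ual_findings(st.st_mode, st.st_uid, service_uid)`, where service_uid is the uid of the account the listener and database run as. On Windows os.stat() does not report a usable owner, so verify the file's ACL by hand there instead.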
    

G.6.3.1 Checklist for Entrust Installations on Windows

The following checklist items apply only to Entrust installations on the Windows platform.

  1. Ensure that you are logged into Entrust Entelligence Desktop Manager and retry.

  2. Select Windows, then Control Panel, and click Services to confirm that the Entrust Login Interface service has started and is running.

  3. Confirm that the Entrust initialization file location is specified in the SSL_ENTRUST_INI_FILE parameter of the sqlnet.ora file. If you choose not to specify the location there, then the Entrust initialization file must reside in c:\WINNT.

  4. Ensure that you are not running Entrust Entelligence Desktop Manager if your database is running on a Microsoft platform. In that case only the .ual file, which enables unattended login, is required.


    See Also:

    The Entrust binder step of "Configuring Entrust on a Windows Server" for information about creating a .ual file with the Entrust binder command.

  5. Confirm that Entrust Authority, as specified in the Entrust Initialization file, is accessible and running.

  6. Confirm that the profile password is correctly entered.

  7. If an Oracle database server fails to log in to Entrust, confirm that the unattended login credential file (.ual) is generated using a valid password. Also, confirm that the versions for Entrust Server Login toolkit and Entrust IPSEC Negotiator toolkit match (that is, that the IPSec Toolkit 6.0 works with Server Login Toolkit 6.0).

  8. Ensure that the Entrust initialization file has the following entry in the first section, Entrust Settings:

    IdentityLibrary = location
    

    where location is the location of libidapi.so, including the file name.


Index

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  R  S  T  U  W  X 

A

accounting, RADIUS, 6.3.5
activating checksumming and encryption, 4.4.1
adapters, 1.3
ALTER SYSTEM SET command
closing encryption wallets, 3.2.7.1
opening encryption wallets, 3.2.3, 3.2.7.1, 3.4.1.3
opening HSM wallets, 3.2.6.6
setting master encryption key, 3.2.2.1, 3.2.6.4, 3.4.1.2
anonymous, 8.6.2.3
asynchronous authentication mode in RADIUS, 6.2.2
authentication, 1.3
configuring multiple methods, 10.3
methods, 1.2.2.2
modes in RADIUS, 6.2
auto login wallets
and Transparent Data Encryption (TDE), 3.2.1.2, 3.2.2.2

B

benefits of Oracle Advanced Security, 1.2
BFILE, 3.2.4.7
browser certificates, using with Oracle Wallet Manager, 9.5.1.3.1

C

certificate, 8.2.2.2
browser, using with Oracle Wallet Manager, 9.5.1.3.1
certificate authority, 8.2.2.1
certificate revocation lists, 8.2.2.3
manipulating with orapki tool, 8.8.4
uploading to LDAP directory, 8.8.4
where to store them, 8.8.2
certificate revocation status checking
disabling on server, 8.8.3
certificate validation error message
CRL could not be found, 8.8.5.1
CRL date verification failed with RSA status, 8.8.5.1
CRL signature verification failed with RSA status, 8.8.5.1
Fetch CRL from CRL DP
No CRLs found, 8.8.5.1
OID hostname or port number not set, 8.8.5.1
challenge-response authentication in RADIUS, 6.2.2
change data capture, synchronous, 3.2.4.7
cipher block chaining mode, 1.2.1.1.3
cipher suites
Secure Sockets Layer (SSL), B.3.2.1
client authentication in SSL, 8.6.2.5
configuration files
Kerberos, B.1
configuring
Entrust-enabled Secure Sockets Layer (SSL)
on the client, G.4.3
Kerberos authentication service parameters, 7.1.7.1
Oracle server with Kerberos, 7.1.2
RADIUS authentication, 6.3.2
SSL, 8.6
on the client, 8.6.3
on the server, 8.6.2
thin JDBC support, 5
connecting
with username and password, 10.1
CRL, 8.2.2.3
CRLAdmins directory administrative group, F.6.7.1
CRLs
disabling on server, 8.8.3
where to store them, 8.8.2
cryptographic hardware devices, 8.2.2.5

D

Data Encryption Standard (DES), 4.1.2
DES encryption algorithm, 1.2.1.1.2
DES40 encryption algorithm, 4.1.3.1
Triple-DES encryption algorithm, 1.2.1.1.3, 4.1.3
data integrity, 1.2.1.2, 1.2.1.2
database links
RADIUS not supported, 6.1
DES. See Data Encryption Standard (DES)
Diffie-Hellman, 8.6.2.3
Diffie-Hellman key negotiation algorithm, 4.3

E

encryption and checksumming
activating, 4.4.1
negotiating, 4.4.2
parameter settings, 4.4.3
ENCRYPTION_WALLET_LOCATION parameter, 3.2.1.1, 3.2.5.1, 3.2.6.1, 3.3.1.1, 3.4.1.1
Entrust Authority
creating database users, G.4.6
Entrust Authority for Oracle, G.2.1
Entrust Authority Software
authentication, G.3, G.4
certificate revocation, G.1.3
components, G.2, G.2.1.1
configuring
client, G.4.4
server, G.4.5
Entelligence, G.2.1.3
etbinder command, G.4.5.1
issues and restrictions, G.5
key management, G.1.2
profiles, G.4.1
administrator-created, G.4.1
user-created, G.4.1.2
Self-Administration Server, G.2.1.2
versions supported, G.2
Entrust, Inc., G
Entrust-enabled SSL
troubleshooting, G.6
Entrust/PKI Software, 1.2.2.2.4
error messages
ORA-12650, 4.4.1, 4.4.2.1, 4.4.2.2, A.2.5, A.2.6, A.2.7, A.2.8
ORA-28890, G.6
etbinder command, G.4.5.1
external large objects (BFILE), 3.2.4.7

F

Federal Information Processing Standard
configuration, Preface
Federal Information Processing Standard (FIPS), 1.2.1.3, D
sqlnet.ora parameters, D.1
FIPS 140-2 Level 2 certification, E
FIPS Parameter
Configuring, E.1
FIPS. See Federal Information Processing Standard (FIPS)

G

grid computing
benefits, 1.1.1
defined, 1.1.1

H

handshake
SSL, 8.1.3
HSMs (hardware security modules)
PKCS#11 library, 3.2.6.2
sqlnet.ora file, 3.2.6.1
user_Id:password string, 3.2.6.4

I

import/export utilities, original, 3.2.4.7, 3.2.4.7
index range scans, 3.1.2.2
initialization parameter file
parameters for clients and servers using Kerberos, B.1
parameters for clients and servers using RADIUS, B.2
parameters for clients and servers using SSL, B.3
Internet Explorer certificates
using with Oracle Wallet Manager, 9.5.1.3

J

Java Byte Code Obfuscation, 5.1.4
Java Database Connectivity (JDBC)
configuration parameters, 5.2
Oracle extensions, 5.1.1
thin driver features, 5.1.2
Java Database connectivity (JDBC)
implementation of Oracle Advanced Security, 5.1
JDBC. See Java Database Connectivity

K

Kerberos, 1.2.2.2.1, 1.2.2.2.1
authentication adapter utilities, 7.2
configuring authentication, 7.1, 7.1.7.1
kinstance, 7.1.2
kservice, 7.1.2
realm, 7.1.2
sqlnet.ora file sample, A.1
system requirements, 1.4, 1.4
kinstance (Kerberos), 7.1.2
kservice (Kerberos), 7.1.2

L

LAN environments
vulnerabilities of, 1.1.3.1
large objects
BFILE, 3.2.4.7
BLOB, 3.2.4.7
CLOB, 3.2.4.7
external, 3.2.4.7
LOB, 3.2.4.7
ldap.ora
which directory SSL port to use for no authentication, 8.8.4.3
listener
endpoint
SSL configuration, 8.6.2.7

M

managing roles with RADIUS server, 6.3.9
MD5 message digest algorithm, 4.2.1
Microsoft Internet Explorer certificates
using with Oracle Wallet Manager, 9.5.1.3

N

nCipher hardware security module
using Oracle Net tracing to troubleshoot, 8.9.4
Netscape certificates
using with Oracle Wallet Manager, 9.5.1.3
Netscape Communications Corporation, 8.1
NOMAC parameter (TDE), 3.2.4.1.3

O

obfuscation, 5.1.4
okdstry
Kerberos adapter utility, 7.2
okinit
Kerberos adapter utility, 7.2
oklist
Kerberos adapter utility, 7.2
ORA-12650 error message, A.2.6
ORA-28330, 3.5
ORA-28331, 3.5
ORA-28332, 3.5
ORA-28333, 3.5
ORA-28334, 3.5
ORA-28335, 3.5
ORA-28336, 3.5
ORA-28337, 3.5
ORA-28338, 3.5
ORA-28339, 3.5
ORA-28340, 3.5
ORA-28341, 3.5
ORA-28342, 3.5
ORA-28343, 3.5
ORA-28344, 3.5
ORA-28345, 3.5
ORA-28346, 3.5
ORA-28347, 3.5
ORA-28348, 3.5
ORA-28349, 3.5
ORA-28350, 3.5
ORA-28351, 3.5
ORA-28353, 3.5
ORA-28354, 3.5
ORA-28356, 3.5
ORA-28357, 3.5
ORA-28358, 3.5
ORA-28359, 3.5
ORA-28361, 3.5
ORA-28362, 3.5
ORA-28363, 3.5
ORA-28364, 3.5
ORA-28365, 3.5
ORA-28366, 3.5
ORA-28367, 3.5
ORA-28368, 3.5
ORA-28369, 3.5
ORA-28370, 3.5
ORA-28371, 3.5
ORA-28372, 3.5
ORA-28373, 3.5
ORA-28374, 3.5
ORA-28375, 3.5
ORA-28376, 3.5
ORA-28377, 3.5
ORA-28378, 3.5
ORA-28885 error, 9.1.6
ORA-40300 error message, 8.9.4.1
ORA-40301 error message, 8.9.4.1
ORA-40302 error message, 8.9.4.1
Oracle Advanced Security
checksum sample for sqlnet.ora file, A.1
configuration parameters, 5.2
disabling authentication, 10.2
encryption sample for sqlnet.ora file, A.1
Java implementation, 5.1, 5.1.3
SSL features, 8.1.2
Oracle Applications wallet location, 9.4.11
Oracle Internet Directory
Diffie-Hellman SSL port, 8.8.4.3
Oracle parameters
authentication, 10.4
Oracle Password Protocol, 5.1.3
Oracle Wallet Manager
importing PKCS #7 certificate chains, 9.5.1.2
orapki
adding a root certificate to a wallet with, F.3.2
adding a trusted certificate to a wallet with, F.3.2
adding user certificates to a wallet with, F.3.2
changing the wallet password with, F.3.1
creating a local auto login wallet with, F.3.1
creating a signed certificate for testing, F.2
creating a wallet with, F.3.1
creating an auto login wallet with, F.3.1
exporting a certificate from a wallet with, F.3.3
exporting a certificate request from a wallet with, F.3.3
viewing a test certificate with, F.2
viewing a wallet with, F.3.1
orapki tool, 8.8.4
original import/export utilities, 3.2.4.7, 3.2.4.7
OS_AUTHENT_PREFIX parameter, 10.4.3
OSS.SOURCE.MY_WALLET parameter, 8.6.2.2, 8.6.3.3

P

parameters
authentication
Kerberos, B.1
RADIUS, B.2
Secure Sockets Layer (SSL), B.3
configuration for JDBC, 5.2
encryption and checksumming, 4.4.3
PKCS #11 devices, 8.2.2.5
PKCS #11 error messages
ORA-40300, 8.9.4.1
ORA-40301, 8.9.4.1
ORA-40302, 8.9.4.1
PKCS #7 certificate chain, 9.5.1.2
difference from X.509 certificate, 9.5.1.2
Public Key Infrastructure (PKI)
certificate, 8.2.2.2
certificate authority, 8.2.2.1
certificate revocation lists, 8.2.2.3
PKCS #11 hardware devices, 8.2.2.5
wallet, 8.2.2.4
public key infrastructure (PKI), 1.2.2.2.3, 1.2.2.2.4

R

RAC (Real Application Clusters)
and TDE (transparent data encryption), 3.2.7
RADIUS, 1.2.2.2.2, 1.2.2.2.2
accounting, 6.3.5
asynchronous authentication mode, 6.2.2
authentication modes, 6.2
authentication parameters, B.2
challenge-response
authentication, 6.2.2
user interface, C.1, C.2
configuring, 6.3.2
database links not supported, 6.1
location of secret key, 6.3.2.3
smartcards and, 1.2.2.2.2, 6.2.2, 6.3.2.3, C.1
sqlnet.ora file sample, A.1
synchronous authentication mode, 6.2.1
system requirements, 1.4
RC4 encryption algorithm, 1.2.1.1.1, 4.1.4
realm (Kerberos), 7.1.2
restrictions, 1.5
revocation, G.1.3
roles
managing with RADIUS server, 6.3.9
RSA Security, Inc. (RSA), 1.2.1.1.1

S

salt (TDE)
adding, 3.2.4.4
removing, 3.2.4.4
See also TDE (transparent data encryption)
secret key
location in RADIUS, 6.3.2.3
Secure Sockets Layer (SSL), 1.2.2.2.3
architecture, 8.3.1
authentication parameters, B.3
authentication process in an Oracle environment, 8.1.3
cipher suites, B.3.2.1
client authentication parameter, B.3.4
client configuration, 8.6.3
combining with other authentication methods, 8.3, 8.3
configuring, 8.6
configuring Entrust-enabled SSL on the client, G.4.3
enabling, 8.6
enabling Entrust-enabled SSL, G.4
handshake, 8.1.3
industry standard protocol, 8.1
requiring client authentication, 8.6.2.5
server configuration, 8.6.2
sqlnet.ora file sample, A.1
system requirements, 1.4
version parameter, B.3.3
wallet location, parameter, B.3.5
SecurID, 6.2.1
token cards, 6.2.1
security
Internet, 1.1.2
Intranet, 1.1.2
threats, 1.1.3
data tampering, 1.1.3.2
dictionary attacks, 1.1.3.4
eavesdropping, 1.1.3.1
falsifying identities, 1.1.3.3
password-related, 1.1.3.4
Secure Sockets Layer (SSL)
use of term includes TLS, 8.1.1
single sign-on (SSO), 1.2.2.2.4, G.1.1
smartcards, 1.2.2.2.2
and RADIUS, 1.2.2.2.2, 6.2.2, 6.3.2.3, C.1
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 7.1.7.1
SQLNET.AUTHENTICATION_SERVICES parameter, 6.3.2.1, 7.1.7.1, 8.6.2.6, 8.6.2.6, 8.6.3.6, 8.6.3.6, 10.2, 10.3
SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 4.4.3.2
SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 4.4.3.2
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 4.4.3.2, A.2.8
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 4.4.3.2, A.2.7
SQLNET.ENCRYPTION_CLIENT parameter, 4.4.3.1, A.2.2
SQLNET.ENCRYPTION_SERVER parameter, 4.4.3.1, A.2.1
SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 4.4.3.1, A.2.6
SQLNET.ENCRYPTION_TYPES_SERVER parameter, 4.4.3.1, A.2.5
SQLNET.FIPS_140 parameter, D.1.5
SQLNET.KERBEROS5_CC_NAME parameter, 7.1.7.3
SQLNET.KERBEROS5_CLOCKSKEW parameter, 7.1.7.3
SQLNET.KERBEROS5_CONF parameter, 7.1.7.3
SQLNET.KERBEROS5_CONF_MIT parameter, 7.1.7.3
SQLNET.KERBEROS5_KEYTAB parameter, 7.1.7.3
SQLNET.KERBEROS5_REALMS parameter, 7.1.7.3
sqlnet.ora file
Common sample, A.1
FIPS 140-1 parameters, D.1
Kerberos sample, A.1
Oracle Advanced Security checksum sample, A.1
Oracle Advanced Security encryption sample, A.1
OSS.SOURCE.MY_WALLET parameter, 8.6.2.2, 8.6.3.3
parameters for clients and servers using Kerberos, B.1
parameters for clients and servers using RADIUS, B.2
parameters for clients and servers using SSL, B.3
RADIUS sample, A.1
sample, A.1
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 7.1.7.1
SQLNET.AUTHENTICATION_SERVICES parameter, 7.1.7.1, 8.6.2.6, 8.6.2.6, 8.6.3.6, 8.6.3.6, 10.2, 10.3
SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 4.4.3.2
SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 4.4.3.2
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 4.4.3.2, A.2.8
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 4.4.3.2, A.2.7
SQLNET.ENCRYPTION_CLIENT parameter, A.2.2
SQLNET.ENCRYPTION_SERVER parameter, 4.4.3.1, A.2.1
SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 4.4.3.1, A.2.6
SQLNET.ENCRYPTION_TYPES_SERVER parameter, 4.4.3.1, A.2.5
SQLNET.FIPS_140 parameter, D.1.5
SQLNET.KERBEROS5_CC_NAME parameter, 7.1.7.3
SQLNET.KERBEROS5_CLOCKSKEW parameter, 7.1.7.3
SQLNET.KERBEROS5_CONF parameter, 7.1.7.3
SQLNET.KERBEROS5_CONF_MIT parameter, 7.1.7.3
SQLNET.KERBEROS5_KEYTAB parameter, 7.1.7.3
SQLNET.KERBEROS5_REALMS parameter, 7.1.7.3
SSL sample, A.1
SSL_CLIENT_AUTHENTICATION parameter, 8.6.2.5, 8.6.3.3
SSL_VERSION parameter, 8.6.2.4, 8.6.3.5
Trace File Set Up sample, A.1
sqlnet.ora file, TDE (transparent data encryption), 3.2.2.1, 3.2.5.1, 3.2.6.1, 3.4.1.1, 3.5
SQLNET.RADIUS_ALTERNATE parameter, 6.3.2.3
SQLNET.RADIUS_ALTERNATE_PORT parameter, 6.3.2.3
SQLNET.RADIUS_ALTERNATE_RETRIES parameter, 6.3.2.3
SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, 6.3.2.3
SQLNET.RADIUS_SEND_ACCOUNTING parameter, 6.3.5.1
SSL. See Secure Sockets Layer (SSL)
SSL wallet location, 9.4.2.1, 9.4.11
SSL_CLIENT_AUTHENTICATION parameter, 8.6.2.5, 8.6.3.3
SSL_VERSION parameter, 8.6.2.4, 8.6.3.5
SSO. See single sign-on (SSO)
SSO wallets, 9.4.14
synchronous authentication mode, RADIUS, 6.2.1
synchronous change data capture, 3.2.4.7
system requirements, 1.4
Kerberos, 1.4
RADIUS, 1.4
SSL, 1.4

T

tablespace encryption
creating encrypted tablespaces, 3.2.5.3
editing the sqlnet.ora file, 3.2.5.1
opening wallet, 3.2.5.2
setting tablespace key, 3.2.5.1
tablespace master encryption key, 3.2.5.1, 3.2.5.2
TDE (transparent data encryption)
and Oracle RAC (Real Application Clusters), 3.2.7
concepts, 3.1
figure, 3.1.2.2
HSMs (hardware security modules)
PKCS#11 library, 3.2.6.2
user_Id:password string, 3.2.6.4
managing, 3.3
backing up and recovering keys, 3.3.2
managing wallets, 3.3.1
reference, 3.6
restrictions, 3.2.4.7
tablespace encryption
creating encrypted tablespaces, 3.2.5.3
opening wallet, 3.2.5.2
setting tablespace key, 3.2.5.1
troubleshooting, 3.5
using, 3.2
creating tables, 3.2.4.1
editing the sqlnet.ora file, 3.4.1.1
encrypting columns, 3.2.4.2
opening wallet, 3.2.3
setting master encryption key, 3.2.2
thin JDBC support, 5
TLS See Secure Sockets Layer (SSL)
token cards, 1.2.2.2.2
trace file
set up sample for sqlnet.ora file, A.1
transparent data encryption
See TDE
transportable tablespaces, 3.2.4.7
Triple-DES encryption algorithm, 1.2.1.1.3
troubleshooting, 7.4
Entrust-enabled SSL, G.6

U

utilities, import/export, 3.2.4.7

W

wallet, 8.2.2.4
wallets
auto login, 3.2.1.2, 3.2.2.2, 9.4.14
changing a password, 9.4.13
closing, 3.2.6.6, 3.2.7.1, 9.4.4
creating, 9.4.2
deleting, 9.4.12
managing, 9.4
managing certificates, 9.5
managing trusted certificates, 9.5.2
opening, 3.2.3, 3.2.6.6, 3.2.7.1, 3.4.1.3, 3.6.2, 9.4.3
Oracle Applications wallet location, 9.4.11
saving, 9.4.9
setting location, 8.6.2.2
SSL wallet location, 9.4.2.1, 9.4.11
SSO wallets, 9.4.14

X

X.509 certificate
difference from PKCS #7 certificate chain, 9.5.1.2
X.509 PKI certificate standard, G.1.1

Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

What's New in Oracle Advanced Security?

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

2 Configuration and Administration Tools Overview

Part II Data Encryption and Integrity

3 Securing Stored Data Using Transparent Data Encryption

4 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

5 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients

Part III Oracle Advanced Security Strong Authentication

6 Configuring RADIUS Authentication

7 Configuring Kerberos Authentication

8 Configuring Secure Sockets Layer Authentication

9 Using Oracle Wallet Manager

10 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

Part IV Appendixes

A Data Encryption and Integrity Parameters

B Authentication Parameters

C Integrating Authentication Devices Using RADIUS

D Oracle Advanced Security FIPS 140-1 Settings

E Oracle Advanced Security FIPS 140-2 Settings

F orapki Utility

G Entrust-Enabled SSL Authentication

Glossary

Index

Description of the illustration cfig0002.gif

This is a text description of cfig0002.gif, which is an image of the Integrity tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to configure cryptographic checksumming for data integrity.

This window has the following fields which you can use to configure cryptographic checksumming:

In the lower half of the window, you can choose the Selected Methods of checksumming you want to use from the Available Methods list. SHA-1 and MD5 display as available checksum algorithms. Select a checksumming method from the Available Methods list on the left, then click a right arrow and the checksumming method populates the Selected Methods list on the right side of the window. To remove a checksumming method from the Selected Methods list, you can click a left arrow and the checksumming method moves back to the Available Methods list.

Description of the illustration asoag003.eps

This is a text description of asoag003.gif, an image which shows the Oracle/RADIUS environment. From left to right, there are three entities depicted in this image: An Oracle client, an Oracle server (which also is the RADIUS client), and the RADIUS server (or RSA ACE/Server). There are arrows between all three entities pointing in both directions to show that there is two-way communication between them.

Description of the illustration ssl0005.gif

This is a text description of ssl0005.gif, which is an image of the SSL tab in the Oracle Advanced Security profile region of Oracle Net Manager when Configure SSL for the server is selected.

You can use the Require Client Authentication check box at the bottom of this window to enable or disable client authentication for the server. Before you check or uncheck this box, ensure that you select Configure SSL for Server at the top of the window.

Click the Help button at the bottom right corner of the window to access online help.

Description of the illustration radu0002.gif

This is a text description of radu0002.gif, which is an image of the Other Params tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to finish configuring your server to use RADIUS authentication.

This window contains the following fields:

Click the Help button at the bottom of this window to access the online help.

Description of the illustration asoag011.eps

This is a text description of asoag011.gif, an image which depicts a challenge-response, or asynchronous authentication sequence as follows:

  1. A user seeks a connection to the Oracle database server, and the client machine passes the data to the Oracle database server.

  2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

  3. The RADIUS server passes the data to the appropriate authentication server for validation.

  4. The authentication server sends a challenge to the RADIUS server.

  5. The RADIUS server sends the challenge to the Oracle database server/RADIUS client (the three preceding steps are combined if the RADIUS server is the authentication server).

  6. The Oracle database server/RADIUS client sends the challenge to the Oracle client where a graphical interface presents it to the user.

  7. The user provides a response to the challenge by various means which the Oracle client passes to the Oracle database server/RADIUS client.

  8. The Oracle database server/RADIUS client sends the user's response to the RADIUS server.

  9. The RADIUS server passes it to the appropriate authentication server for validation.

  10. The authentication server sends back to the RADIUS server either an access accept or an access reject message.

  11. The RADIUS server passes the response to the Oracle database server/RADIUS client. (The three preceding steps are combined if the RADIUS server is the authentication server.)

  12. The Oracle database server/RADIUS client passes it on to the Oracle client.

Description of the illustration ssl0001.gif

This is a text description of ssl0001.gif, which is an image of the SSL tab in the Oracle Advanced Security profile region of Oracle Net Manager when Configure SSL for the client is selected.

This window has the following fields which you can use to configure SSL on your client:

Click the Help button at the bottom right corner of the window to access online help.

Description of the illustration asoag010.eps

This is a text description of asoag010.gif, an image which depicts the synchronous authentication sequence as follows:

  1. A user logs in by entering a connect string, passcode, or other value, and the client machine passes this data to the Oracle database server.

  2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

  3. The RADIUS server passes the data to the appropriate authentication server for validation.

  4. The authentication server sends back to the RADIUS server either an access accept or an access reject message.

    Note: If the RADIUS server is the authentication server, the two preceding steps are combined.

  5. The RADIUS server passes this response to the Oracle database server/RADIUS client.

  6. The Oracle database server/RADIUS client passes the response to the Oracle client.

Description of the illustration asoag012.eps

This is a text description of asoag012.gif, an image which depicts how a network authentication service authenticates a user as follows:

  1. First, the user (client) requests authentication services from an authentication server. The user proves his or her identity by providing a token or password.

  2. After authenticating the user, the authentication server passes a ticket or credentials back to the client.

  3. The client can now take these credentials and pass them to the Oracle server while asking for a service, such as connection to a database.

  4. The Oracle server sends the credentials to the authentication server to verify their validity.

  5. The authentication server either accepts or rejects the credentials and sends a notification to the Oracle server.

  6. If the authentication server accepts the credentials, then the Oracle server performs the requested task for the user. If the credentials are not accepted, the requested service is denied.

Description of the illustration ntmgrpro.gif

This is a text description of ntmgrpro.gif, which is an image of the Oracle Advanced Security profile screen in Oracle Net Manager. This image is described in the surrounding text.

Description of the illustration asoag005.eps

This is a text description of asoag005.gif, an image which depicts how authentication adapters integrate below the Oracle Net interface. This allows existing applications to take advantage of new authentication systems transparently, without any changes to the application. The Oracle Net layer, which contains Oracle Advanced Security is shown in the image. Various Oracle and non-Oracle software applications are layered on top of Oracle Net, including Oracle Forms, Oracle Reports, third-party tools, 3GL tools, Oracle servers, and Oracle Call Interface. To show that the Oracle Advanced Security authentication adapters reside below the Oracle Net layer, the following authentication adapters are shown hanging off the Oracle Advanced Security section of the Oracle Net network layer: Kerberos adapter, SSL adapter, and the RADIUS adapter.

Description of the illustration ssl0003.gif

This is a text description of ssl0003.gif, which is an image of the SSL tab in the Oracle Advanced Security profile region of Oracle Net Manager.

This window has a Cipher Suite Configuration region where you can prioritize the cipher suites by clicking an up or a down arrow on the right side of the cipher suite list. Click a cipher suite to select it, then click the up or the down arrow to determine which cipher suite is applied first.

Click the Help button at the bottom right corner of the window to access online help.

Description of the illustration asoag015.eps

This is a text description of asoag015.gif, an image which depicts how Oracle Advanced Security operates at the session layer on top of SSL, which uses TCP/IP at the transport layer. On top of the stack is the database application layer making calls into the Oracle call interface (OCI) and two-task common. The OCI then uses Oracle Net services for communicating with the database server over the network.

Oracle Net is an abstraction layer where Oracle Advanced Security supports various encryption, authentication, and integrity adapters. Below the Oracle Net layer, the Oracle protocols layer and the network specific protocols layer are situated. This is where the SSL adapter is located, which uses TCP/IP.

Description of the illustration auth0001.gif

This is a text description of auth0001.gif, which is an image of the Authentication tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to disable Oracle Advanced Security.

To disable Oracle Advanced Security, choose all Selected Methods of authentication in the list on the right of the window. Then click the left arrow to remove all authentication types from the Selected Methods list.

Description of the illustration kerb0002.gif

This is a text description of kerb0002.gif, which is an image of the Other Params tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to finish configuring your client or server to use Kerberos authentication.

This window contains the following fields:

Click the Help button at the bottom of this window to access the online help.

Description of the illustration owmntrfc.gif

This is a text description of owmntrfc.gif, which is an image of the main page in Oracle Wallet Manager. This image shows which parts of the page are the Tool Bar, the Menu Bar, the Navigator Pane, and the Right Pane. Each area is described in the surrounding text.

Description of the illustration kerb0001.gif

This is a text description of kerb0001.gif, which is an image of the Authentication tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to configure your client or server to use Kerberos authentication.

You can choose Kerberos from the Available Methods list of authentication types. Then click a right arrow and the adjacent Selected Methods list is populated with the Kerberos authentication type. To remove Kerberos from the Selected Methods list, you can click a left arrow and it moves back to the Available Methods list.

Description of the illustration ssl0002.gif

This is a text description of ssl0002.gif, which is an image of the SSL Cipher Suites window. This window appears when the Add button is clicked in the SSL tabbed window of the Oracle Advanced Security profile region of Oracle Net Manager.

This window displays a list of all available cipher suites. There is a scroll bar on the right side of the window that you can use to scroll through all of the available cipher suites. To configure your system to use a cipher suite, click one and then click OK at the bottom of the window. If you wish to cancel this operation, then click the Cancel button, which is also located at the bottom of the window adjacent to OK.

Description of the illustration asoag025.eps
</gr_replreplace>
<gr_replace lines="1120" cat="reformat" orig="PK">
Description of the illustration ssl0004.gif

This is a text description of asoag025.gif, which illustrates the Entrust authentication process as follows:

  1. The Entrust user on the Oracle client establishes a secure connection with the server using SSL and Entrust credentials, stored in the user's Entrust profile (Entrust Entelligence).

  2. The Oracle SSL adapter on the Oracle server communicates with the Entrust Authority to check the certificate revocation status of the Entrust user. The Oracle server must also have credentials, which are stored in the server's Entrust profile (unattended login).

PKpPKj?OEBPS/img_text/ssl0004.htm& Description of the illustration ssl0004.gif

This is a text description of ssl0004.gif, which is an image of the SSL tab in the Oracle Advanced Security profile region of Oracle Net Manager when Configure SSL for the server is selected.

This window has the following fields which you can use to configure SSL on your server:

Click the Help button at the bottom right corner of the window to access online help.

Description of the illustration asoag035.eps

This is a text description of asoag035.gif, an image which depicts a client connection to an Oracle database that uses a third-party authentication server. It shows the client sending a request to an Oracle database. The Oracle database then sends a request to a third-party authentication server to authenticate the client.

Description of the illustration radu0001.gif

This is a text description of radu0001.gif, which is an image of the Authentication tab in the Oracle Advanced Security profile region of Oracle Net Manager. Use this window to configure your client to use RADIUS authentication.

You can choose RADIUS from the Available Methods list of authentication types. Then click a right arrow and the adjacent Selected Methods list is populated with the RADIUS authentication type. To remove RADIUS from the Selected Methods list, you can click a left arrow and it moves back to the Available Methods list.

Description of the illustration transdata.eps

This illustration is described in the text.

Description of the illustration asoencry.gif

This is a text description of asoencry.gif, which is an image of the Encryption tab in the Oracle Advanced Security profile region of Oracle Net Manager.

This window has the following fields which you can use to configure network encryption:

In the lower half of the window, you can choose the Selected Methods of encryption you want to use from the Available Methods list. Select an encryption method from the Available Methods list on the left, then click a right arrow and the encryption method populates the Selected Methods list on the right side of the window. To remove an encryption method from the Selected Methods list, you can click a left arrow and the encryption method moves back to the Available Methods list.

Description of the illustration asoag018.eps

This is a text description of asoag018.gif, an image which shows the steps to authenticate clients when SSL is used with other authentication methods as follows:

  1. A client seeks to connect to an Oracle server.

  2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.

  3. Once the SSL handshake is successfully completed, the user seeks access to the database.

  4. The Oracle server authenticates the user with the authentication server using a non-SSL authentication method such as Kerberos or RADIUS.

  5. Upon validation by the authentication server, the Oracle server grants access and authorization to the user. Then the user can access the database securely by using SSL.

Description of the illustration ssl0006.gif

This is a text description of ssl0006.gif, which is an image of the SSL tab in the Oracle Advanced Security profile region of Oracle Net Manager when Configure SSL for the client is selected.

This window has the following fields which you can use to configure SSL on your client:

Click the Help button at the bottom left corner of the window to access online help.

Description of the illustration owmrtpan.gif

This is a text description of owmrtpan.gif, which is an image of the right pane in Oracle Wallet Manager. Specifically, this image shows a Certificate Request in the right pane. It is described in the surrounding text.

Description of the illustration asoag037.eps

This is a text description of asoag037.gif, an image which depicts an encrypted standard client connection to an Oracle database, and an encrypted connection between the Oracle database and Oracle Application Server. The application server is connected to the Internet. It shows encrypted data packets being transmitted over the connection between the client and the database, and over the connection between the database and the application server. The connection between the application server and the Internet is protected with HTTPS, which is the Hypertext Transfer Protocol over Secure Sockets Layer (SSL).

Part III

Oracle Advanced Security Strong Authentication

This part describes how to configure strong authentication methods for the Oracle network.

Part III contains the following chapters:

List of Examples

E Oracle Advanced Security FIPS 140-2 Settings

The cryptographic libraries for SSL included in Oracle Database 10g are designed to meet FIPS 140-2 Level 2 certification. Oracle Advanced Security makes use of these cryptographic libraries for SSL authentication. Please verify the current status of the certification at the Cryptographic Modules Validation Program Web site address:

http://csrc.nist.gov/cryptval/

The security policy, which would be available at the NIST site upon successful certification, includes requirements for secure configuration of the host operating system.

The following topics are covered in this appendix:

E.1 Configuring FIPS Parameter

Oracle Advanced Security SSL adapter can be configured to run in FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file.

SSLFIPS_140=TRUE

This parameter is set to FALSE by default. It must be set to TRUE on both the client and the server for FIPS mode operation.

Make sure that the fips.ora file is either located in the $ORACLE_HOME/ldap/admin directory, or is pointed to by the FIPS_HOME environment variable. This procedure can be repeated in any Oracle home for any database server or client.


Note:

The SSLFIPS_140 parameter replaces the SQLNET.SSLFIPS_140 parameter used in Oracle Database 10g Release 2 (10.2). The parameter needs to be set in the fips.ora file, and not the sqlnet.ora file.

E.2 Selecting Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate which cipher suite they will use when transmitting messages back and forth.

Only the following cipher suites are approved for FIPS validation:

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_DES_CBC_SHA

  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

Oracle Advanced Security SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the SSL_CIPHER_SUITES parameter in the sqlnet.ora or the listener.ora file.

SSL_CIPHER_SUITES=(SSL_cipher_suite1[,SSL_cipher_suite2[,..]])

You can also use Oracle Net Manager to set this parameter on the server and the client.

E.3 Post-Installation Checks

After installation, the following permissions must be verified in the operating system:

  • Execute permissions must be set on all Oracle executable files so as to prevent execution of Oracle Cryptographic Libraries by users who are unauthorized to do so in accordance with the system security policy.

  • Read and write permissions must be set on all Oracle executable files so as to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user.

To comply with FIPS 140-2 Level 2 requirements, the security policy must include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.

E.4 Verifying FIPS Connections

To check if FIPS mode is enabled, tracing can be added to the sqlnet.ora file. FIPS self-test messages can be found in the trace file. Add the following lines to sqlnet.ora to enable tracing:

trace_directory_server=trace_dir
trace_file_server=trace_file
trace_level_server=trace_level

For example:

trace_directory_server=/private/oracle/owm
trace_file_server=fips_trace.trc
trace_level_server=6

Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.
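The three settings this appendix asks you to verify (SSLFIPS_140 in fips.ora from E.1, the cipher suites in sqlnet.ora from E.2, and the trace level from E.4) can be checked together before a FIPS-mode connection is attempted. The following audit script is an added example, not a tool shipped with Oracle Advanced Security: its parser is a minimal reading of the KEY=VALUE and KEY=(a, b) line syntax these files use, the named trace levels it accepts are an assumed mapping, and the sample file contents are constructed.

```python
"""Audit of the FIPS 140-2 settings in Appendix E (E.1, E.2 and E.4).
Added example, not Oracle's own tooling: the parser is a minimal reading of
the KEY=VALUE and KEY=(a,b,c) lines used by fips.ora and sqlnet.ora, and the
sample file contents below are constructed."""
import re

# Cipher suites the appendix lists as approved for FIPS validation (E.2).
FIPS_APPROVED_SUITES = frozenset({
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
})
MIN_FIPS_TRACE_LEVEL = 6  # lowest trace level that shows the self-test results (E.4)
# Named trace levels sqlnet.ora accepts besides numbers (assumed mapping).
_TRACE_LEVEL_NAMES = {"OFF": 0, "USER": 4, "ADMIN": 6, "SUPPORT": 16}

_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ora(text):
    """Parse KEY=VALUE lines into a dict; a value written as (a, b) becomes a list.
    Keys are upper-cased (the files are case-insensitive), '#' starts a comment.
    Values spanning several lines are not handled by this minimal parser."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key] = value
    return params


def trace_level(value):
    """Convert a TRACE_LEVEL_* value (number or name) to an integer; unknown -> 0."""
    text = str(value).strip().upper()
    if text in _TRACE_LEVEL_NAMES:
        return _TRACE_LEVEL_NAMES[text]
    try:
        return int(text)
    except ValueError:
        return 0


def audit_fips(fips_ora_text, sqlnet_ora_text):
    """Return a list of findings; an empty list means the E.1/E.2/E.4 checks pass."""
    findings = []
    fips = parse_ora(fips_ora_text)
    # E.1: SSLFIPS_140 defaults to FALSE and must be TRUE on client and server.
    if str(fips.get("SSLFIPS_140", "FALSE")).upper() != "TRUE":
        findings.append("SSLFIPS_140 is not TRUE in fips.ora (default is FALSE)")
    net = parse_ora(sqlnet_ora_text)
    if "SQLNET.SSLFIPS_140" in net:
        findings.append("SQLNET.SSLFIPS_140 is the 10.2 parameter; 11.2 reads "
                        "SSLFIPS_140 from fips.ora, not sqlnet.ora")
    # E.2: every configured suite must be on the FIPS-approved list.
    suites = net.get("SSL_CIPHER_SUITES")
    if suites is not None:
        if isinstance(suites, str):
            suites = [suites]
        for suite in suites:
            if suite not in FIPS_APPROVED_SUITES:
                findings.append(f"cipher suite {suite} is not in the FIPS-approved list")
    # E.4: trace level 6 is the minimum needed to see FIPS self-test messages.
    level = trace_level(net.get("TRACE_LEVEL_SERVER", 0))
    if level < MIN_FIPS_TRACE_LEVEL:
        findings.append(f"TRACE_LEVEL_SERVER={level}: level {MIN_FIPS_TRACE_LEVEL} or "
                        "higher is needed to see the FIPS self-test results")
    return findings


# Constructed sample inputs: fips.ora is correct, but sqlnet.ora lists one
# AES suite that is not on the appendix's FIPS-approved list.
SAMPLE_FIPS_ORA = "SSLFIPS_140=TRUE\n"
SAMPLE_SQLNET_ORA = """# constructed sqlnet.ora fragment
SSL_CIPHER_SUITES=(SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA)
trace_directory_server=/private/oracle/owm
trace_file_server=fips_trace.trc
trace_level_server=6
"""

if __name__ == "__main__":
    for finding in audit_fips(SAMPLE_FIPS_ORA, SAMPLE_SQLNET_ORA) or ["no findings"]:
        print(finding)
```

Run it against the real files by reading $ORACLE_HOME/ldap/admin/fips.ora (or the file FIPS_HOME points to) and the sqlnet.ora of the Oracle home in question; because SSLFIPS_140 must be TRUE on both ends, run it on the client side as well as the server side.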

1 Introduction to Oracle Advanced Security

This chapter introduces Oracle Advanced Security, summarizes the security risks it addresses, and describes its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure.

This chapter contains the following topics:

1.1 Security Challenges in an Enterprise Environment

To increase efficiency and lower costs, companies adopt strategies to automate business processes. One such strategy is to conduct more business on the Web, but that requires greater computing power, translating to higher IT costs. In response to rising IT costs, more and more businesses are considering enterprise grid computing architecture where inexpensive computers act as one powerful system. While such strategies improve the bottom line, they introduce risks associated with securing data, at rest and in motion, and managing an ever increasing number of user identities.

This section examines the security challenges of today's enterprise computing environments in the following topics:

1.1.1 Security in Enterprise Grid Computing Environments

Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer. It provides flexibility, lower costs, and IT investment protection because inexpensive, off-the-shelf components can be added to the grid as business needs change. While providing significant benefits, grid computing environments present unique security requirements because their computing resources are distributed and often heterogeneous. The following sections discuss these requirements:

Distributed Environment Security Requirements

Enterprise grid computing pools distributed business computing resources to cost effectively harness the power of clustered servers and storage. A distributed environment requires secure network connections. Even more critical in grid environments, it is necessary to have a uniform definition of "who is the user" and "what is the user allowed to do." Without such uniform definitions, administrators frequently must assign, manage, and revoke authorizations for every user on different software applications to protect employee, customer, and partner information. This is expensive because it takes time, which drives up costs. Consequently, the cost savings gained with grid computing are lost.

Heterogeneous Environment Security Requirements

Because grid computing environments often grow as business needs change, computing resources are added over time, resulting in diverse collections of hardware and software. Such heterogeneous environments require support for different types of authentication mechanisms which adhere to industry standards. Without strict adherence to industry standards, integrating heterogeneous components becomes costly and time consuming. Once again the benefits of grid computing are squandered when the appropriate infrastructure is not present.

1.1.3 Common Security Threats

The increased volume of data in distributed, heterogeneous environments exposes users to a variety of security threats, including the following:

1.2 Solving Security Challenges with Oracle Advanced Security

To solve enterprise computing security problems, Oracle Advanced Security provides industry standards-based data privacy, integrity, authentication, single sign-on, and access authorization in a variety of ways. For example, you can configure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentication methods, including Kerberos, smart cards, and digital certificates.

Oracle Advanced Security provides the following security features:

1.2.1 Data Encryption

Sensitive information that is stored in your database or that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that cannot be deciphered without a decryption key.

Figure 1-1 shows how encryption works to ensure the security of a transaction sent over the network. For example, if a manager approves a bonus, this data should be encrypted when sent over the network to avoid eavesdropping. If all communication between the client, the database, and the application server is encrypted, then when the manager sends the bonus amount to the database, it is protected.

This section discusses the following topics:

1.2.1.1 Supported Encryption Algorithms

Oracle Advanced Security provides the following encryption algorithms to protect the privacy of network data transmissions:

Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers.

Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export, each with different key lengths. Oracle Advanced Security 11g Release 2 (11.2) contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release.


Note:

The U.S. government has relaxed its export guidelines for encryption products. Accordingly, Oracle can ship Oracle Advanced Security with its strongest encryption features to all of its customers.

1.2.1.1.4 Advanced Encryption Standard:

Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197, Advanced Encryption Standard (AES) is a cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.

1.2.1.2 Data Integrity

To ensure the integrity of data packets during transmission, Oracle Advanced Security can generate a cryptographically secure message digest using MD5 or SHA-1 hashing algorithms and include it with each message sent across a network.
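To make the mechanism concrete, the following added example (an illustration, not Oracle Net's actual packet format or key exchange) attaches a SHA-1 digest to every packet, covers a sequence number with the same digest, and shows the receiver rejecting a packet that was modified in flight and a packet that was replayed. It assumes both ends already share a session key and keys the digest with HMAC, since an unkeyed digest could simply be recomputed by whoever altered the packet; the session key, SQL text and the `demo` session are constructed.

```python
"""Per-message integrity check of the kind Section 1.2.1.2 describes: a digest
computed with SHA-1 (or MD5) is attached to every packet and verified by the
receiver. Added illustration, not Oracle Net's actual packet format or key
exchange: it assumes both ends already share a session key, and keys the
digest with HMAC so that a party without the key cannot recompute it."""
import hashlib
import hmac
import struct

HASH = "sha1"          # the page names SHA-1 and MD5; "md5" works here too
SEQ_LEN = 4            # sequence number prefix, big-endian unsigned


def protect(key, seq, payload):
    """Frame a payload as seq || payload || digest, where the digest covers
    both the sequence number and the payload."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, HASH).digest()


def verify(key, packet, expected_seq):
    """Return the payload if the digest and sequence number are right;
    raise ValueError on a modified, forged, replayed or reordered packet."""
    digest_len = hashlib.new(HASH).digest_size
    if len(packet) < SEQ_LEN + digest_len:
        raise ValueError("packet too short to carry a sequence number and digest")
    body, tag = packet[:-digest_len], packet[-digest_len:]
    expected_tag = hmac.new(key, body, HASH).digest()
    if not hmac.compare_digest(expected_tag, tag):      # constant-time comparison
        raise ValueError("integrity check failed: packet was modified or forged")
    seq = struct.unpack(">I", body[:SEQ_LEN])[0]
    if seq != expected_seq:
        raise ValueError(f"sequence mismatch: expected {expected_seq}, got {seq} "
                         "(replay or reordering)")
    return body[SEQ_LEN:]


def demo():
    """Constructed session: a valid packet, the same packet modified in flight,
    and the original packet replayed later. Returns what the receiver decided."""
    key = b"constructed-session-key"   # stands in for a negotiated session key
    payload = b"UPDATE bonus SET amount = 5000"
    packet = protect(key, 1, payload)
    results = {"valid_accepted": verify(key, packet, 1) == payload}

    # Change the amount from 5000 to 9000 but keep the original digest.
    tampered = bytearray(packet)
    tampered[SEQ_LEN + payload.index(b"5000")] = ord("9")
    try:
        verify(key, bytes(tampered), 1)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # Replay: the receiver has moved on to sequence 2, the captured packet says 1.
    try:
        verify(key, packet, 2)
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The digest adds only 20 bytes (SHA-1) or 16 bytes (MD5) and one hash computation per packet, which is the "little overhead" the next paragraph refers to; the sequence number is what turns a pure modification check into protection against replayed or reordered packets.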

Data integrity algorithms add little overhead and protect against the following attacks:

1.2.2 Strong Authentication

Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates.

Figure 1-2 shows user authentication with an Oracle database instance configured to use a third-party authentication server. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of network nodes falsifying their identities.

This section contains the following topics:

1.2.2.1 Centralized Authentication and Single Sign-On

Centralized authentication also provides the benefit of single sign-on (SSO) for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to log in once and can then automatically connect to any other service without having to give a user name and password again. Single sign-on eliminates the need for the user to remember and administer multiple passwords, reducing the time spent logging into multiple services.

1.2.2.2 Supported Authentication Methods

Oracle Advanced Security supports the following industry-standard authentication methods:

1.2.2.2.3 Secure Sockets Layer

Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity.

The SSL protocol is the foundation of a public key infrastructure (PKI). For authentication, SSL uses digital certificates that comply with the X.509v3 standard and a public and private key pair.

Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authentication for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database user names and passwords, RADIUS, and Kerberos).

To support your PKI implementation, Oracle Advanced Security includes the following features in addition to SSL:

1.3 Oracle Advanced Security Architecture

Oracle Advanced Security complements an Oracle server or client installation with advanced security features. Figure 1-4 shows the Oracle Advanced Security architecture within an Oracle networking environment.

Oracle Advanced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters. As shown in Figure 1-5, authentication adapters integrate below the Oracle Net interface, and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.


See Also:

Oracle Database Net Services Administrator's Guide for more information about stack communications in an Oracle networking environment

1.4 System Requirements

Oracle Advanced Security 11g Release 2 (11.2) requires Oracle Net 11g Release 2 (11.2) and supports Oracle Database Enterprise Edition. Table 1-1 lists additional system requirements.


Note:

Oracle Advanced Security is not available with Oracle Database Standard Edition.

1.5 Oracle Advanced Security Restrictions

Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Oracle Net Services to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on Microsoft Windows. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, because ODM does not use Oracle Net Services.


Glossary

access control

The ability of a system to grant or limit access to specific data for specific clients or groups of clients.

Access Control Lists (ACLs)

The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both.

Advanced Encryption Standard

Advanced Encryption Standard (AES) is a new cryptographic algorithm that has been approved by the National Institute of Standards and Technology as a replacement for DES. The AES standard is available in Federal Information Processing Standards Publication 197. The AES algorithm is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.

AES

See Advanced Encryption Standard

attribute

An item of information that describes some aspect of an entry in an LDAP directory. An entry comprises a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data.

authentication

The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.

authentication method

A security method that verifies a user's, client's, or server's identity in distributed environments. Network authentication methods can also provide the benefit of single sign-on (SSO) for users. The following authentication methods are supported in Oracle Database when Oracle Advanced Security is installed:

authorization

Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles. The set of privileges available to an authenticated entity.

auto login wallet

An Oracle Wallet Manager feature that enables PKI- or password-based access to services without providing credentials at the time of access. This auto login access stays in effect until the auto login feature is disabled for that wallet. File system permissions provide the necessary security for auto login wallets. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet. Sometimes these are called "SSO wallets" because they provide single sign-on capability.

base

The root of a subtree search in an LDAP-compliant directory.

CA

See certificate authority

certificate

An ITU X.509 v3 standard data structure that securely binds an identity to a public key.

A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.

A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.

certificate authority

A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.

certificate chain

An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates.

certificate request

A certificate request, which consists of three parts: certification request information, a signature algorithm identifier, and a digital signature on the certification request information. The certification request information consists of the subject's distinguished name, public key, and an optional set of attributes. The attributes may provide additional information about the subject identity, such as postal address, or a challenge password by which the subject entity may later request certificate revocation. See PKCS #10

certificate revocation lists

(CRLs) Signed data structures that contain a list of revoked certificates. The authenticity and integrity of the CRL is provided by a digital signature appended to it. Usually, the CRL signer is the same entity that signed the issued certificate.

checksumming

A mechanism that computes a value for a message packet, based on the data it contains, and passes it along with the data to authenticate that the data has not been tampered with. The recipient of the data recomputes the cryptographic checksum and compares it with the cryptographic checksum passed with the data; if they match, it is "probabilistic" proof the data was not tampered with during transmission.

Cipher Block Chaining (CBC)

An encryption method that protects against block replay attacks by making the encryption of a cipher block dependent on all blocks that precede it; it is designed to make unauthorized decryption incrementally more difficult. Oracle Advanced Security employs outer cipher block chaining because it is more secure than inner cipher block chaining, with no material performance penalty.

cipher suite

A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.

cipher suite name

Cipher suites describe the kind of cryptographic protection that is used by connections in a particular session.

ciphertext

Message text that has been encrypted.

cleartext

Unencrypted plain text.

client

A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy).

confidentiality

A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).

connect descriptor

A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information. The destination service is indicated by using its service name for Oracle9i or Oracle8i databases or its Oracle system identifier (SID) for Oracle databases version 8.0. The network route provides, at a minimum, the location of the listener through use of a network address. See connect identifier

connect identifier

A connect descriptor or a name that maps to a connect descriptor. A connect identifier can be a net service name, database service name, or net service alias. Users initiate a connect request by passing a user name and password along with a connect identifier in a connect string for the service to which they wish to connect:

CONNECT username@connect_identifier
Enter password: password

connect string

Information the user passes to a service to connect, such as user name, password and net service name. For example:

CONNECT username@net_service_name
Enter password: password

credentials

A user name, password, or certificate used to gain access to the database.

CRL

See certificate revocation lists

CRL Distribution Point

(CRL DP) An optional extension specified by the X.509 version 3 certificate standard, which indicates the location of the Partitioned CRL where revocation information for a certificate is stored. Typically, the value in this extension is in the form of a URL. CRL DPs allow revocation information within a single certificate authority domain to be posted in multiple CRLs. CRL DPs subdivide revocation information into more manageable pieces to avoid proliferating voluminous CRLs, thereby providing performance benefits. For example, a CRL DP is specified in the certificate and can point to a file on a Web server from which that certificate's revocation information can be downloaded.

CRL DP

See CRL Distribution Point

cryptography

The practice of encoding and decoding data, resulting in secure messages.

data dictionary

A set of read-only tables that provide information about a database.

Data Encryption Standard (DES)

An older Federal Information Processing Standards encryption algorithm superseded by the Advanced Encryption Standard (AES).

Database Administrator

(1) A person responsible for operating and maintaining an Oracle Server or a database application. (2) An Oracle user name that has been given DBA privileges and can perform database administration functions. Usually the two meanings coincide. Many sites have multiple DBAs.

database alias

See net service name

Database Installation Administrator

Also called a database creator. This administrator is in charge of creating new databases. This includes registering each database in the directory using the Database Configuration Assistant. This administrator has create and modify access to database service objects and attributes. This administrator can also modify the Default domain.

database link

A network object stored in the local database or in the network definition that identifies a remote database, a communication path to that database, and optionally, a user name and password. Once defined, the database link is used to access the remote database.

A public or private database link from one database to another is created on the local database by a DBA or user.

A global database link is created automatically from each database to every other database in a network with Oracle Names. Global database links are stored in the network definition.

database password verifier

A database password verifier is an irreversible value that is derived from the user's database password. This value is used during password authentication to the database to prove the identity of the connecting user.

Database Security Administrator

The highest level administrator for database enterprise user security. This administrator has permissions on all of the enterprise domains and is responsible for:

  • Administering the Oracle DBSecurityAdmins and OracleDBCreators groups.

  • Creating new enterprise domains.

decryption

The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).

DES

See Data Encryption Standard (DES)

dictionary attack

A common attack on passwords. The attacker creates a list of many common passwords and encrypts them. Then the attacker steals a file containing encrypted passwords and compares it to his list of encrypted common passwords. If any of the encrypted password values (called verifiers) match, then the attacker can steal the corresponding password. Dictionary attacks can be avoided by using "salt" on the password before encryption. See salt

Diffie-Hellman key negotiation algorithm

This is a method that lets two parties communicating over an insecure channel to agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to generate session keys.

digital signature

A digital signature is created when a public key algorithm is used to sign the sender's message with the sender's private key. The digital signature assures that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.

directory information tree (DIT)

A hierarchical tree-like structure consisting of the DNs of the entries in an LDAP directory. See distinguished name (DN)

directory naming

A naming method that resolves a database service, net service name, or net service alias to a connect descriptor stored in a central directory server. A

directory naming context

A subtree which is of significance within a directory server. It is usually the top of some organizational subtree. Some directories only permit one such context which is fixed; others permit none to many to be configured by the directory administrator.

distinguished name (DN)

The unique name of a directory entry. It is comprised of all of the individual names of the parent entries back to the root entry of the directory information tree. See directory information tree (DIT)

domain

Any tree or subtree within the Domain Name System (DNS) namespace. Domain most commonly refers to a group of computers whose host names share a common suffix, the domain name.

Domain Name System (DNS)

A system for naming computers and network services that is organized into a hierarchy of domains. DNS is used in TCP/IP networks to locate computers through user-friendly names. DNS resolves a friendly name into an IP address, which is understood by computers.

In Oracle Net Services, DNS translates the host name in a TCP/IP address into an IP address.

encrypted text

Text that has been encrypted, using an encryption algorithm; the output stream of an encryption process. On its face, it is not readable or decipherable, without first being subject to decryption. Also called ciphertext. Encrypted text ultimately originates as plaintext.

encryption

The process of disguising a message rendering it unreadable to any but the intended recipient.

enterprise domain

A directory construct that consists of a group of databases and enterprise roles. A database should only exist in one enterprise domain at any time. Enterprise domains are different from Windows 2000 domains, which are collections of computers that share a common directory database.

Enterprise Domain Administrator

User authorized to manage a specific enterprise domain, including the authority to add new enterprise domain administrators.

enterprise role

Access privileges assigned to enterprise users. A set of Oracle role-based authorizations across one or more databases in an enterprise domain. Enterprise roles are stored in the directory and contain one or more global roles.

enterprise user

A user defined and managed in a directory. Each enterprise user has a unique identity across an enterprise.

entry

The building block of a directory, it contains information about an object of interest to directory users.

external authentication

Verification of a user identity by a third party authentication service, such as Kerberos or RADIUS.

Federal Information Processing Standard (FIPS)

A U.S. government standard that defines security requirements for cryptographic modules—employed within a security system protecting unclassified information within computer and telecommunication systems. Published by the National Institute of Standards and Technology (NIST).

FIPS

See Federal Information Processing Standard (FIPS)

forest

A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships.

forwardable ticket-granting ticket

In Kerberos, a service ticket with the FORWARDABLE flag set. This flag enables authentication forwarding without requiring the user to enter a password again.

global role

A role managed in a directory, but its privileges are contained within a single database. A global role is created in a database by using the following syntax:

CREATE ROLE role_name IDENTIFIED GLOBALLY;

grid computing

A computing architecture that coordinates large numbers of servers and storage to act as a single large computer. Oracle Grid Computing creates a flexible, on-demand computing resource for all enterprise computing needs. Applications running on the Oracle 10g grid computing infrastructure can take advantage of common infrastructure services for failover, software provisioning, and management. Oracle Grid Computing analyzes demand for resources and adjusts supply accordingly.

HTTP

Hypertext Transfer Protocol: The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.

HTTPS

The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer.

identity

The combination of the public key and any other public information for an entity. The public information may include user identification data such as, for example, an e-mail address. A user certified as being the entity it claims to be.

identity management

The creation, management, and use of online, or digital, entities. Identity management involves securely managing the full life cycle of a digital identity from creation (provisioning of digital identities) to maintenance (enforcing organizational policies regarding access to electronic resources), and, finally, to termination.

identity management realm

A subtree in Oracle Internet Directory, including not only an Oracle Context, but also additional subtrees for users and groups, each of which are protected with access control lists.

initial ticket

In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket. An initial ticket is retrieved by running the okinit program and providing a password.

instance

Every running Oracle database is associated with an Oracle instance. When a database is started on a database server (regardless of the type of computer), Oracle allocates a memory area called the System Global Area (SGA) and starts an Oracle process. This combination of the SGA and an Oracle process is called an instance. The memory and the process of an instance manage the associated database's data efficiently and serve the one or more users of the database.

integrity

The guarantee that the contents of the message received were not altered from the contents of the original message sent.

java code obfuscation

Java code obfuscation is used to protect Java programs from reverse engineering. A special program (an obfuscator) is used to scramble Java symbols found in the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, the obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls.

Java Database Connectivity (JDBC)

An industry-standard Java interface for connecting to a relational database from a Java program, defined by Sun Microsystems.

JDBC

See Java Database Connectivity (JDBC)

KDC

Key Distribution Center. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit (okinit is the Oracle version) program for the user's initial ticket. Frequently, the KDC and the Ticket Granting Service are combined into the same entity and are simply referred to as the KDC. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service. The KDC is a trusted third party that must run on a secure host. It creates ticket-granting tickets and service tickets.

Kerberos

A network authentication service developed under Massachusetts Institute of Technology's Project Athena that strengthens security in distributed environments. Kerberos is a trusted third-party authentication system that relies on shared secrets and assumes that the third party is secure. It provides single sign-on capabilities and database link authentication (MIT Kerberos only) for users, provides centralized password storage, and enhances PC security.

key

When encrypting data, a key is a value which determines the ciphertext that a given algorithm will produce from given plaintext. When decrypting data, a key is a value required to correctly decrypt a ciphertext. A ciphertext is decrypted correctly only if the correct key is supplied.

With a symmetric encryption algorithm, the same key is used for both encryption and decryption of the same data. With an asymmetric encryption algorithm (also called a public-key encryption algorithm or public-key cryptosystem), different keys are used for encryption and decryption of the same data.

key pair

A public key and its associated private key. See public and private key pair

keytab file

A Kerberos key table file containing one or more service keys. Hosts or services use keytab files in the same way as users use their passwords.

kinstance

An instantiation or location of a Kerberos authenticated service. This is an arbitrary string, but the host computer name for a service is typically specified.

kservice

An arbitrary name of a Kerberos service object.

LDAP

See Lightweight Directory Access Protocol (LDAP)

ldap.ora file

A file created by Oracle Net Configuration Assistant that contains the following directory server access information:

  • Type of directory server

  • Location of the directory server

  • Default identity management realm or Oracle Context (including ports) that the client or server will use

Lightweight Directory Access Protocol (LDAP)

A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.

listener

A process that resides on the server whose responsibility is to listen for incoming client connection requests and manage the traffic to the server.

Every time a client requests a network session with a server, a listener receives the actual request. If the client information matches the listener information, then the listener grants a connection to the server.

listener.ora file

A configuration file for the listener that identifies the:

  • Listener name

  • Protocol addresses that it is accepting connection requests on

  • Services it is listening for

The listener.ora file typically resides in $ORACLE_HOME/network/admin on UNIX platforms and ORACLE_BASE\ORACLE_HOME\network\admin on Windows.

man-in-the-middle

A security attack characterized by the third-party, surreptitious interception of a message, wherein the third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and re-transmits it to the originally-intended recipient—all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication.

MD5

An algorithm that assures data integrity by generating a 128-bit cryptographic message digest value from given data. If as little as a single bit value in the data is modified, the MD5 checksum for the data changes. Forgery of data in a way that will cause MD5 to generate the same result as that for the original data is considered computationally infeasible.

message authentication code

Also known as data authentication code (DAC). A checksumming with the addition of a secret key. Only someone with the key can verify the cryptographic checksum.

message digest

See checksumming

naming method

The resolution method used by a client application to resolve a connect identifier to a connect descriptor when attempting to connect to a database service.

National Institute of Standards and Technology (NIST)

An agency within the U.S. Department of Commerce responsible for the development of security standards related to the design, acquisition, and implementation of cryptographic-based security systems within computer and telecommunication systems, operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf of the Federal Government to accomplish a Federal function.

net service alias

An alternative name for a directory naming object in a directory server. A directory server stores net service aliases for any defined net service name or database service. A net service alias entry does not have connect descriptor information. Instead, it only references the location of the object for which it is an alias. When a client requests a directory lookup of a net service alias, the directory determines that the entry is a net service alias and completes the lookup as if it was actually the entry it is referencing.

net service name

The name used by clients to identify a database server. A net service name is mapped to a port number and protocol. Also known as a connect string, or database alias.

network authentication service

A means for authenticating clients to servers, servers to servers, and users to both clients and servers in distributed environments. A network authentication service is a repository for storing information about users and the services on different servers to which they have access, as well as information about clients and servers on the network. An authentication server can be a physically separate computer, or it can be a facility co-located on another server within the system. To ensure availability, some authentication services may be replicated to avoid a single point of failure.

network listener

A listener on a server that listens for connection requests for one or more databases on one or more protocols. See listener

NIST

See National Institute of Standards and Technology (NIST)

non-repudiation

Incontestable proof of the origin, delivery, submission, or transmission of a message.

obfuscation

A process by which information is scrambled into a non-readable form, such that it is extremely difficult to de-scramble if the algorithm used for scrambling is not known.

obfuscator

A special program used to obfuscate Java source code. See obfuscation

object class

A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes. All objects associated with the same object class share the same attributes.

Oracle Context

1. An entry in an LDAP-compliant internet directory called cn=OracleContext, under which all Oracle software relevant information is kept, including entries for Oracle Net Services directory naming and checksumming security.

There can be one or more Oracle Contexts in a directory. An Oracle Context is usually located in an identity management realm.

Oracle Net Services

An Oracle product that enables two or more computers that run the Oracle server or Oracle tools such as Designer/2000 to exchange data through a third-party network. Oracle Net Services support distributed processing and distributed database capability. Oracle Net Services is an open system because it is independent of the communication protocol, and users can interface Oracle Net to many network environments.

Oracle PKI certificate usages

Defines Oracle application types that a certificate supports.

Password-Accessible Domains List

A group of enterprise domains configured to accept connections from password-authenticated users.

PCMCIA cards

Small credit card-sized computing devices that comply with the Personal Computer Memory Card International Association (PCMCIA) standard. These devices, also called PC cards, are used for adding memory, modems, or as hardware security modules. PCMCIA cards that are used as hardware security modules securely store the private key component of a public and private key pair and some also perform the cryptographic operations as well.

peer identity

SSL connect sessions are between a particular client and a particular server. The identity of the peer may have been established as part of session setup. Peers are identified by X.509 certificate chains.

PEM

The Internet Privacy-Enhanced Mail protocols standard, adopted by the Internet Architecture Board to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management. PEM is an inclusive standard, intended to be compatible with a wide range of key-management approaches, including both symmetric and public-key schemes to encrypt data-encrypting keys. The specifications for PEM come from four Internet Engineering Task Force (IETF) documents: RFCs 1421, 1422, 1423, and 1424.

PKCS #10

An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification. Certification requests are referred to as certificate requests in this manual. See certificate request

PKCS #11

An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that defines an application programming interface (API), called Cryptoki, to devices which hold cryptographic information and perform cryptographic operations. See PCMCIA cards

PKCS #12

An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a transfer syntax for storing and transferring personal authentication credentials—typically in a format called a wallet.

PKI

See public key infrastructure (PKI)

plaintext

Message text that has not been encrypted.

principal

A string that uniquely identifies a client or server to which a set of Kerberos credentials is assigned. It generally has three parts: kservice/kinstance@REALM. In the case of a user, kservice is the user name. See also kservice, kinstance, and realm

private key

In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures. See public and private key pair

proxy authentication

A process typically employed in an environment with a middle tier such as a firewall, wherein the end user authenticates to the middle tier, which thence authenticates to the directory on the user's behalf—as its proxy. The middle tier logs into the directory as a proxy user. A proxy user can switch identities and, once logged into the directory, switch to the end user's identity. It can perform operations on the end user's behalf, using the authorization appropriate to that particular end user.

public key

In public-key cryptography, this key is made public to all. It is primarily used for encryption but can be used for verifying signatures. See public and private key pair

public key encryption

The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.

public key infrastructure (PKI)

Information security technology utilizing the principles of public key cryptography. Public key cryptography involves encrypting and decrypting information using a public and private key pair. It provides for secure, private communications within a public network.

public and private key pair

A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data encrypted with a private key cannot be decrypted with the same private key.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

realm

1. Short for identity management realm. 2. A Kerberos object. A set of clients and servers operating under a single key distribution center/ticket-granting service (KDC/TGS). Services (see kservice) in different realms that share the same name are unique.

realm Oracle Context

An Oracle Context that is part of an identity management realm in Oracle Internet Directory.

registry

A Windows repository that stores configuration information for a computer.

remote computer

A computer on a network other than the local computer.

root key certificate

See trusted certificate

salt

1. In cryptography, generally speaking, "salt" is a way to strengthen the security of encrypted data. Salt is a random string that is added to the data before it is encrypted. Then, it is more difficult for attackers to steal the data by matching patterns of ciphertext to known ciphertext samples. 2. Salt is also used to avoid dictionary attacks, a method that unethical hackers (attackers) use to steal passwords. It is added to passwords before the passwords are encrypted. Then it is difficult for attackers to match the hash value of encrypted passwords (sometimes called verifiers) with their dictionary lists of common password hash values. See dictionary attack

schema

1. Database schema: A named collection of objects, such as tables, views, clusters, procedures, packages, attributes, object classes, and their corresponding matching rules, which are associated with a particular user. 2. LDAP directory schema: The collection of attributes, object classes, and their corresponding matching rules.

schema mapping

See user-schema mapping

Secure Hash Algorithm (SHA)

An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.

An algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

Secure Sockets Layer (SSL)

An industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using public key infrastructure (PKI).

The Transport Layer Security (TLS) protocol is the successor to the SSL protocol.

server

A provider of a service.

service

1. A network resource used by clients; for example, an Oracle database server.

2. An executable process installed in the Windows registry and administered by Windows. Once a service is created and started, it can run even when no user is logged on to the computer.

service name

For Kerberos-based authentication, the kservice portion of a service principal.

service principal

See principal

service key table


In Kerberos authentication, a service key table is a list of service principals that exist on a kinstance. This information must be extracted from Kerberos and copied to the Oracle server computer before Kerberos can be used by Oracle.

service ticket

A service ticket is trusted information used to authenticate the client, to a specific service or server, for a predetermined period of time. It is obtained from the KDC using the initial ticket.

session key

A key shared by at least two parties (usually a client and a server) that is used for data encryption for the duration of a single communication session. Session keys are typically used to encrypt network traffic; a client and a server can negotiate a session key at the beginning of a session, and that key is used to encrypt all network traffic between the parties for that session. If the client and server communicate again in a new session, they negotiate a new session key.

session layer

A network layer that provides the services needed by the presentation layer entities that enable them to organize and synchronize their dialogue and manage their data exchange. This layer establishes, manages, and terminates network sessions between the client and server. An example of a session layer is Network Session.

SHA

See Secure Hash Algorithm (SHA)

shared schema

A database or application schema that can be used by multiple enterprise users. Oracle Advanced Security supports the mapping of multiple enterprise users to the same shared schema on a database, which lets an administrator avoid creating an account for each user in every database. Instead, the administrator can create a user in one location, the enterprise directory, and map the user to a shared schema that other enterprise users can also map to. Sometimes called user/schema separation.

single key-pair wallet

A PKCS #12-format wallet that contains a single user certificate and its associated private key. The public key is embedded in the certificate.

single password authentication

The ability of a user to authenticate with multiple databases by using a single password. In the Oracle Advanced Security implementation, the password is stored in an LDAP-compliant directory and protected with encryption and Access Control Lists.

single sign-on (SSO)

The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication. Oracle Advanced Security supports Kerberos and SSL-based single sign-on.

smart card

A plastic card (like a credit card) with an embedded integrated circuit for storing information, including such information as user names and passwords, and also for performing computations associated with authentication exchanges. A smart card is read by a hardware device at any client or server.

A smart card can generate random numbers which can be used as one-time passwords. In this case, smart cards are synchronized with a service on the server so that the server expects the same password generated by the smart card.

sniffer

Device used to surreptitiously listen to or capture private data traffic from a network.

sqlnet.ora file

A configuration file for the client or server that specifies:

  • Client domain to append to unqualified service names or net service names

  • Order of naming methods the client should use when resolving a name

  • Logging and tracing features to use

  • Route of connections

  • Preferred Oracle Names servers

  • External naming parameters

  • Oracle Advanced Security parameters

The sqlnet.ora file typically resides in $ORACLE_HOME/network/admin on UNIX platforms and ORACLE_BASE\ORACLE_HOME\network\admin on Windows platforms.

SSO

See single sign-on (SSO)

System Global Area (SGA)

A group of shared memory structures that contain data and control information for an Oracle instance.

system identifier (SID)

A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the CONNECT DATA parts of the connect descriptor in a tnsnames.ora file, and in the definition of the network listener in a listener.ora file.

ticket

A piece of information that helps identify who the owner is. See initial ticket and service ticket.

tnsnames.ora

A file that contains connect descriptors; each connect descriptor is mapped to a net service name. The file may be maintained centrally or locally, for use by all or individual clients. This file typically resides in the following locations depending on your platform:

token card

A device for providing improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user types into the token card. The token card then provides another number (cryptographically-derived from the challenge), which the user then offers to the server.

transport layer

A networking layer that maintains end-to-end reliability through data flow control and error recovery methods. Oracle Net Services uses Oracle protocol support for the transport layer.

Transport Layer Security (TLS)

An industry standard protocol for securing network connections. The TLS protocol is a successor to the SSL protocol. It provides authentication, encryption, and data integrity using public key infrastructure (PKI). The TLS protocol is developed by the Internet Engineering Task Force (IETF).

trusted certificate

A trusted certificate, sometimes called a root key certificate, is a third party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified.

trusted certificate authority

See certificate authority

trust point

See trusted certificate

user name

A name that can connect to and access objects in a database.

user-schema mapping

An LDAP directory entry that contains a pair of values: the base in the directory at which users exist, and the name of the database schema to which they are mapped. The users referenced in the mapping are connected to the specified schema when they connect to the database. User-schema mapping entries can apply only to one database or they can apply to all databases in a domain. See shared schema

user/schema separation

See shared schema

user search base

The node in the LDAP directory under which the user resides.

views

Selective presentations of one or more tables (or other views), showing both their structure and their data.

wallet

A wallet is a data structure used to store and manage security credentials for an individual entity. A Wallet Resource Locator (WRL) provides all the necessary information to locate the wallet.

wallet obfuscation

Wallet obfuscation is used to store and access an Oracle wallet without querying the user for a password prior to access (supports single sign-on (SSO)).

Wallet Resource Locator

A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.

Windows native authentication

An authentication method that enables a client to use a single login to access both a Windows server and a database running on that server.

WRL

See Wallet Resource Locator

X.509

An industry-standard specification for digital certificates.


A Data Encryption and Integrity Parameters

This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 4, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" and Chapter 8, "Configuring Secure Sockets Layer Authentication".

This appendix contains the following topics:

A.1 Sample sqlnet.ora File

This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.

Trace File Setup

#Trace file setup 
trace_level_server=16 
trace_level_client=16  
trace_directory_server=/orant/network/trace 
trace_directory_client=/orant/network/trace 
trace_file_client=cli  
trace_file_server=srv 
trace_unique_client=true 

Oracle Advanced Security Transparent Data Encryption

ENCRYPTION_WALLET_LOCATION = (SOURCE =
                                  (METHOD = FILE)
                                  (METHOD_DATA =
                                  (DIRECTORY =
                                   /etc/ORACLE/WALLETS/oracle)))

Oracle Advanced Security Network Encryption

#ASO Encryption 
sqlnet.encryption_server=accepted 
sqlnet.encryption_client=requested 
sqlnet.encryption_types_server=(RC4_40) 
sqlnet.encryption_types_client=(RC4_40) 

Oracle Advanced Security Network Data Integrity

#ASO Checksum 
sqlnet.crypto_checksum_server=requested 
sqlnet.crypto_checksum_client=requested  
sqlnet.crypto_checksum_types_server = (MD5) 
sqlnet.crypto_checksum_types_client = (MD5) 

SSL

#SSL 
WALLET_LOCATION = (SOURCE=
                          (METHOD = FILE) 
                          (METHOD_DATA = 
                           (DIRECTORY=/wallet)))

SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5) 
SSL_VERSION= 3 
SSL_CLIENT_AUTHENTICATION=FALSE 

Common

#Common
automatic_ipc = off
sqlnet.authentication_services = (beq)
names.directory_path = (TNSNAMES)

Kerberos

#Kerberos 
sqlnet.authentication_services = (beq, kerberos5)
sqlnet.authentication_kerberos5_service = oracle
sqlnet.kerberos5_conf= /krb5/krb.conf
sqlnet.kerberos5_keytab= /krb5/v5srvtab
sqlnet.kerberos5_realms= /krb5/krb.realm
sqlnet.kerberos5_cc_name = /krb5/krb5.cc
sqlnet.kerberos5_clockskew=900
sqlnet.kerberos5_conf_mit=false

RADIUS

#Radius
sqlnet.authentication_services = (beq, RADIUS )
sqlnet.radius_authentication_timeout = (10)
sqlnet.radius_authentication_retries = (2)
sqlnet.radius_authentication_port = (1645)
sqlnet.radius_send_accounting = OFF
sqlnet.radius_secret = /orant/network/admin/radius.key
sqlnet.radius_authentication = radius.us.example.com
sqlnet.radius_challenge_response = OFF
sqlnet.radius_challenge_keyword = challenge
sqlnet.radius_challenge_interface = oracle/net/radius/DefaultRadiusInterface
sqlnet.radius_classpath = /jre1.1/
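The sample above carries several settings a security reviewer would flag: 40-bit RC4 for network encryption, MD5 for the integrity checksum, an anonymous Diffie-Hellman SSL cipher suite (no server authentication), and SSL version 3. The following Python is an added example, not code from Oracle or from this guide: it parses the sqlnet.ora syntax shown above (key = value, with parenthesised values that may span several lines, and # comments) and reports the weak settings. The embedded text is the page's own sample reproduced with the WALLET_LOCATION parentheses balanced; the weak-setting classification and the suggested replacements (AES, SHA1, a TLS version) are the example's own judgement and should be checked against the algorithm and cipher suite tables of the release in use.

```python
"""Parse a sqlnet.ora profile and flag weak network-security settings.

Added example, not Oracle code. SAMPLE_SQLNET_ORA is constructed from the
guide's sample profile; the parser and the weak-setting lists are the
example's own.
"""

# Constructed sample: the page's sqlnet.ora fragments, WALLET_LOCATION balanced.
SAMPLE_SQLNET_ORA = """\
#ASO Encryption
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
#ASO Checksum
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_server = (MD5)
sqlnet.crypto_checksum_types_client = (MD5)
#SSL
WALLET_LOCATION = (SOURCE=
                          (METHOD = FILE)
                          (METHOD_DATA =
                           (DIRECTORY=/wallet)))
SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5)
SSL_VERSION= 3
SSL_CLIENT_AUTHENTICATION=FALSE
"""

# Algorithm names as written in sqlnet.ora. The classification is this example's
# judgement: 40/56-bit keys, RC4, single DES, two-key 3DES and MD5 are weak.
WEAK_ENCRYPTION = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40", "3DES112"}
WEAK_CHECKSUM = {"MD5"}
WEAK_SUITE_MARKERS = ("ANON", "NULL", "RC4", "MD5", "EXPORT", "_40_")


def parse_sqlnet_ora(text):
    """Return {lowercased key: raw value}. Parenthesised values may span lines."""
    params, key, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if depth == 0:
            if "=" not in line:
                continue                          # not a parameter line
            k, v = line.split("=", 1)
            key, buf = k.strip().lower(), [v.strip()]
        else:
            buf.append(line)                      # continuation of a nested value
        depth += line.count("(") - line.count(")")
        if depth <= 0:                            # value complete on this line
            params[key] = " ".join(buf).strip()
            depth = 0
    if key is not None and depth > 0:             # unterminated value at end of file
        params[key] = " ".join(buf).strip()
    return params


def split_list(value):
    """'(RC4_40, AES256)' -> ['RC4_40', 'AES256']; a bare value -> [value]."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(params):
    """Return (parameter, offending value, reason) for every weak setting found."""
    findings = []
    for side in ("server", "client"):
        key = f"sqlnet.encryption_types_{side}"
        for alg in split_list(params.get(key, "")):
            if alg.upper() in WEAK_ENCRYPTION:
                findings.append((key, alg, "weak cipher: prefer AES256, AES192 or AES128"))
        key = f"sqlnet.crypto_checksum_types_{side}"
        for alg in split_list(params.get(key, "")):
            if alg.upper() in WEAK_CHECKSUM:
                findings.append((key, alg, "weak integrity algorithm: prefer SHA1"))
    for suite in split_list(params.get("ssl_cipher_suites", "")):
        if any(marker in suite.upper() for marker in WEAK_SUITE_MARKERS):
            findings.append(("ssl_cipher_suites", suite,
                             "anonymous key exchange or broken cipher/hash in suite"))
    if params.get("ssl_version", "").strip() in {"3", "3.0"}:
        findings.append(("ssl_version", params["ssl_version"].strip(),
                         "SSLv3: configure a TLS version instead"))
    return findings


if __name__ == "__main__":
    for param, value, reason in audit(parse_sqlnet_ora(SAMPLE_SQLNET_ORA)):
        print(f"{param} = {value}: {reason}")
```

Run against the sample, the audit reports six findings: both encryption type lists, both checksum type lists, the cipher suite and the SSL version. The parser tracks parenthesis depth rather than assuming one parameter per line, which is what makes the multi-line WALLET_LOCATION and ENCRYPTION_WALLET_LOCATION entries come out as single values.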

A.2 Data Encryption and Integrity Parameters

If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora file. However, Oracle Advanced Security defaults to ACCEPTED.

For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora file that matches an algorithm listed in the client sqlnet.ora file, or in the client installed list if the client lists no algorithms in its sqlnet.ora file. If there are no entries in the server sqlnet.ora file, the server sequentially searches its installed list to match an item on the client side—either in the client sqlnet.ora file or in the client installed list. If no match can be made and one side of the connection REQUIRED the algorithm type (data encryption or integrity), the connection fails. Otherwise, the connection succeeds with the algorithm type inactive.

Data encryption and integrity algorithms are selected independently of each other. Encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A-1:

The following sections describe data encryption and integrity parameters:

A.2.5 SQLNET.ENCRYPTION_TYPES_SERVER Parameter

This parameter specifies a list of encryption algorithms used by this server in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with the error message ORA-12650.
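To make the selection rule from A.2 and the ORA-12650 condition above concrete, here is an added Python example (not Oracle's code) of the negotiation for one service type, encryption or integrity: the server walks its configured list, or its installed list when sqlnet.ora names none, and selects the first algorithm the client also offers (from the client's list, or from the client's installed list when its sqlnet.ora lists nothing). It also applies the level matrix for REJECTED, ACCEPTED, REQUESTED and REQUIRED, which is the standard Oracle Net semantics and is not reproduced on this page (Table A-1 is referenced but absent here, so verify against it). The installed lists are constructed sample data; their real order comes from the Oracle home.

```python
"""Oracle Net encryption/integrity negotiation, as described in A.2 and A.2.5.

Added example, not Oracle code. The level matrix follows the standard Oracle
Net semantics (verify against the guide's Table A-1); the installed lists are
constructed sample data.
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed sample "installed lists" for each side (assumption: order and
# contents are illustrative only).
SERVER_INSTALLED = ("AES256", "AES192", "AES128", "3DES168", "RC4_128", "RC4_40")
CLIENT_INSTALLED = ("AES128", "AES256", "3DES168", "RC4_128", "RC4_40")


class NegotiationError(Exception):
    """Raised when the connection would be refused."""


def negotiate(server_level, client_level, server_list, client_list,
              server_installed=SERVER_INSTALLED, client_installed=CLIENT_INSTALLED):
    """Return the algorithm the server selects, or None when the service stays inactive.

    *_level are SQLNET.ENCRYPTION_* / SQLNET.CRYPTO_CHECKSUM_* values (None means
    the parameter is absent and defaults to ACCEPTED); *_list are the *_TYPES_*
    lists from sqlnet.ora (empty tuple when absent).
    """
    s = (server_level or "ACCEPTED").upper()
    c = (client_level or "ACCEPTED").upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown negotiation level: {server_level!r}/{client_level!r}")

    # A.2.5: naming an algorithm that is not installed on that side is ORA-12650.
    for side, configured, installed in (("server", server_list, server_installed),
                                        ("client", client_list, client_installed)):
        for alg in configured:
            if alg not in installed:
                raise NegotiationError(f"ORA-12650: {side} lists {alg}, which is not installed")

    # Level matrix: REJECTED on either side turns the service off unless the other
    # side REQUIRES it (connection fails); ACCEPTED on both sides means nobody asked.
    if "REJECTED" in (s, c):
        if "REQUIRED" in (s, c):
            raise NegotiationError(f"{s} vs {c}: one side rejects what the other requires")
        return None
    if s == "ACCEPTED" and c == "ACCEPTED":
        return None

    # A.2: the server walks its own list (installed list when sqlnet.ora has none)
    # and picks the first entry the client also offers.
    server_candidates = server_list or server_installed
    client_candidates = set(client_list or client_installed)
    for alg in server_candidates:
        if alg in client_candidates:
            return alg

    if "REQUIRED" in (s, c):
        raise NegotiationError("no mutually acceptable algorithm, but one side REQUIRED the service")
    return None  # both willing, nothing in common: the service stays inactive


def outcome(*args, **kwargs):
    """('ON', algorithm), ('OFF', None) or ('FAIL', message), for reporting."""
    try:
        alg = negotiate(*args, **kwargs)
    except NegotiationError as exc:
        return ("FAIL", str(exc))
    return ("ON", alg) if alg else ("OFF", None)


if __name__ == "__main__":
    print(outcome("REQUIRED", "REQUESTED", ("AES256", "AES128"), ("AES128", "RC4_128")))
    print(outcome("ACCEPTED", "REQUESTED", ("AES256",), ()))  # client offers its installed list
    print(outcome("REJECTED", "REQUIRED", (), ()))
```

The same function serves both the encryption and the crypto-checksum parameters, since the guide states that the two are negotiated independently with the same rule.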


Part IV

Appendixes

Part IV contains the following reference appendixes:


Part I

Getting Started with Oracle Advanced Security

This part introduces Oracle Advanced Security, describing security solutions it provides, its features, and its tools.

Part I contains the following chapters:




2 Configuration and Administration Tools Overview

Configuring advanced security features for an Oracle database instance includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure for using digital certificates with Secure Sockets Layer (SSL).

Such diverse advanced security features require a diverse set of tools with which to configure and administer them. This chapter introduces the tools used to configure and administer advanced security features for an Oracle database in the following topics:

2.1 Network Encryption and Strong Authentication Configuration Tools

Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database:

2.1.1 Oracle Net Manager

Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host.

Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following Oracle Advanced Security features, which use the Oracle Net protocol:

  • Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)

  • Network encryption (RC4, DES, Triple-DES, and AES)

  • Checksumming for data integrity (MD5, SHA-1)

This section introduces you to the features of Oracle Net Manager that are used to configure Oracle Advanced Security. It contains the following topics:

2.1.1.1 Starting Oracle Net Manager

You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a standalone application. However, you must use the standalone application to access the Oracle Advanced Security Profile where you can configure Oracle Advanced Security features.

To start Oracle Net Manager as a standalone application:

  • (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

    netmgr
    
  • (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, Net Manager

2.1.2 Oracle Advanced Security Kerberos Adapter Command-Line Utilities

The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following table briefly describes these utilities:

| Utility Name | Description |
| --- | --- |
| okinit | Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache |
| oklist | Displays a list of Kerberos tickets in the specified credential cache |
| okdstry | Removes Kerberos credentials from the specified credential cache |


See Also:

"Utilities for the Kerberos Authentication Adapter" for complete descriptions of these utilities, their syntax, and available options


Note:

The Cybersafe adapter is not supported beginning with this release. You should use Oracle's Kerberos adapter in its place. Kerberos authentication with the Cybersafe KDC (Trust Broker) continues to be supported when using the Kerberos adapter.

2.2 Public Key Infrastructure Credentials Management Tools

The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current:

2.2.1 Oracle Wallet Manager

Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:

The following topics introduce the Oracle Wallet Manager user interface:

2.2.1.1 Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

  • (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

    owm
    
  • (Windows) Select Start, Programs, Oracle HOME_NAME, Integrated Management Tools, Wallet Manager

2.2.1.2 Navigating the Oracle Wallet Manager User Interface

The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2-2.

2.2.1.2.1 Navigator Pane

The navigator pane provides a graphical navigation tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.

The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to

  • Expand and contract wallet objects so that you can manage the user and trusted certificates they contain.

  • Right-click a wallet, certificate, or certificate request to perform operations on it such as add, remove, import, or export.

When you expand a wallet, you see a nested list of user and trusted certificates. When you select a wallet or certificate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2-1 lists the main objects that display in the navigator pane.

Footnote 1: These objects display only after you create a wallet, generate a certificate request, and import a certificate into the wallet.

2.2.1.2.2 Right Pane

The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.

Figure 2-3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type fields. The PKCS #10-encoded certificate request displays in the Certificate Request text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file.


Note:

Figure 2-3 shows a certificate request for a user. A certificate can also be requested for a server in which case the CN attribute will contain the name of the server in place of the user name.

2.2.1.4 Menus

You use Oracle Wallet Manager menus to manage your wallets and the credentials they contain. The following sections describe the options that are available under each menu.

2.2.1.4.2 Operations Menu

Table 2-4 describes the contents of the Operations menu.

Table 2-4 Oracle Wallet Manager Operations Menu Options

| Option | Description |
| --- | --- |
| Add Certificate Request | Generates a certificate request for the currently open wallet that you can use to request a certificate from a certificate authority (CA) |
| Import User Certificate | Imports the user certificate issued to you from the CA. You must import the issuing CA's certificate as a trusted certificate before you can import the user certificate. |
| Import Trusted Certificate | Imports the CA's trusted certificate |
| Remove Certificate Request | Deletes the certificate request in the currently open wallet. You must remove the associated user certificate before you can delete a certificate request. |
| Remove User Certificate | Deletes the user certificate from the currently open wallet. |
| Remove Trusted Certificate | Removes the trusted certificate that is selected in the navigator pane from the currently open wallet. You must remove all user certificates that the trusted certificate signs before you can remove it. |
| Export User Certificate | Exports the user certificate in the currently open wallet to save in a file system directory |
| Export Certificate Request | Exports the certificate request in the currently open wallet to save in a file |
| Export Trusted Certificate | Exports the trusted certificate that is selected in the navigator pane to save in another location in your file system |
| Export All Trusted Certificates | Exports all trusted certificates in the currently open wallet to save in another location in your file system |
| Export Wallet | Exports the currently open wallet to save as a text file |


2.2.2 orapki Utility

The orapki utility is a command line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes.

The basic syntax for this utility is as follows:

orapki module command -option_1 argument ... -option_n argument

For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.example.com and that uses port 389:

orapki crl list -ldap machine1.us.example.com:389

See Also:


2.3 Duties of a Security Administrator/DBA

Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure. Table 2-6 lists the primary tasks of security administrators, the tools used to perform the tasks, and links to where the tasks are documented.

Table 2-6 Common Security Administrator/DBA Configuration and Administrative Tasks

| Task | Tools Used | See Also |
| --- | --- | --- |
| Configure encrypted Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Encryption on the Client and the Server" |
| Configure checksumming on Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Integrity on the Client and the Server" |
| Configure database clients to accept RADIUS authentication | Oracle Net | "Step 1: Configure RADIUS on the Oracle Client" |
| Configure a database to accept RADIUS authentication | Oracle Net | "Step 2: Configure RADIUS on the Oracle Database Server" |
| Create a RADIUS user and grant them access to a database session | SQL*Plus | "Task 3: Create a User and Grant Access" |
| Configure Kerberos authentication on a database client and server | Oracle Net Manager | "Task 7: Configure Kerberos Authentication" |
| Create a Kerberos database user | kadmin.local, Oracle Net Manager | |
| Manage Kerberos credentials in the credential cache | okinit, oklist, okdstry | |
| Create a wallet for a database client or server | Oracle Wallet Manager | "Creating a New Wallet" |
| Request a user certificate from a certificate authority (CA) for SSL authentication | Oracle Wallet Manager | |
| Import a user certificate and its associated trusted certificate (CA certificate) into a wallet | Oracle Wallet Manager | |
| Configuring SSL connections for a database client | Oracle Net Manager | "Task 3: Configure SSL on the Client" |
| Configuring SSL connections for a database server | Oracle Net Manager | "Task 2: Configure SSL on the Server" |
| Enabling certificate validation with certificate revocation lists | Oracle Net Manager | |






4 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

This chapter describes how to configure native Oracle Net Services data encryption and integrity for Oracle Advanced Security. It contains the following topics:

4.1 Oracle Advanced Security Encryption

The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasible) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key. In a symmetric cryptosystem, the same key is used both for encryption and decryption of the same data. Oracle Advanced Security provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic.

This section describes data encryption algorithms available in the current release of Oracle Advanced Security:

4.2 Oracle Advanced Security Data Integrity

Encryption of network data provides data privacy so that unauthorized parties are not able to view plaintext data as it passes over the network. Oracle Advanced Security also provides protection against two forms of active attack. Table 4-1 provides information about these attacks.

4.3 Diffie-Hellman Based Key Negotiation

Secure key distribution is difficult in a multiuser environment. Oracle Advanced Security uses the well-known Diffie-Hellman key negotiation algorithm to perform secure key distribution for both encryption and data integrity.

When encryption is used to protect data, keys must be changed frequently to minimize the effects of a compromised key. Accordingly, the Oracle Advanced Security key management function changes the session key with every session.

4.3.1 Authentication Key Fold-in

The purpose of Authentication Key Fold-in is to defeat a possible third-party attack (historically called the man-in-the-middle attack) on the Diffie-Hellman key negotiation. It strengthens the session key significantly by combining a shared secret, known only to the client and the server, with the original session key negotiated by Diffie-Hellman.

The client and the server begin communicating using the session key generated by Diffie-Hellman. When the client authenticates to the server, they establish a shared secret that is only known to both parties. Oracle Advanced Security combines the shared secret and the Diffie-Hellman session key to generate a stronger session key designed to defeat a man-in-the-middle attack.


Note:

The authentication key fold-in function is an embedded feature of Oracle Advanced Security and requires no configuration by the system or network administrator.
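The exchange described in 4.3 and 4.3.1, worked through as an added Python example. It is not Oracle's implementation: the Diffie-Hellman group is toy-sized (a Mersenne prime, constructed for the example), and the fold-in step is modelled as an HMAC-based key derivation keyed with the Diffie-Hellman secret, which is an assumption since this page does not document Oracle's exact construction. The example shows the two properties the text relies on: every session gets a fresh key, and a third party that relays the Diffie-Hellman exchange learns the raw Diffie-Hellman secret but still cannot derive the folded session key without the authentication secret.

```python
"""Diffie-Hellman key negotiation with an authentication key fold-in.

Added teaching example, not Oracle's implementation: the group is toy-sized
and the fold-in is modelled as an HMAC-based key derivation (an assumption;
this page does not document Oracle's exact construction).
"""
import hashlib
import hmac
import secrets

# Toy group constructed for the example: the Mersenne prime 2^127 - 1 with
# generator 3. Production DH uses standardised groups of 2048 bits or more.
P = 2 ** 127 - 1
G = 3
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh ephemeral (private, public) pair; a new one for every session."""
    priv = secrets.randbelow(P - 3) + 2          # exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Raw Diffie-Hellman secret g^(ab) mod p, as fixed-length bytes."""
    return pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")


def fold_in(dh_secret, auth_secret):
    """Combine the DH secret with the secret established by authentication.

    Modelled as HMAC-SHA256 keyed with the DH secret over the authentication
    secret. A party that lacks auth_secret cannot derive the result even if
    it knows the raw DH secret, which is what defeats an interposer.
    """
    return hmac.new(dh_secret, b"fold-in|" + auth_secret, hashlib.sha256).digest()


def honest_session(auth_secret):
    """Client and server negotiate directly; returns both derived keys."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_key = fold_in(dh_shared(c_priv, s_pub), auth_secret)
    server_key = fold_in(dh_shared(s_priv, c_pub), auth_secret)
    return client_key, server_key


def interposed_session(auth_secret):
    """The case the fold-in is designed to defeat: a third party relays two
    separate DH exchanges and so learns the raw DH secret with each side.

    Returns (raw_dh_secret_known_to_interposer, folded_key_known_to_interposer).
    """
    c_priv, c_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()                  # interposer's own ephemeral pair
    raw_at_client = dh_shared(c_priv, m_pub)      # client unknowingly pairs with m
    raw_at_interposer = dh_shared(m_priv, c_pub)
    client_key = fold_in(raw_at_client, auth_secret)
    best_guess = fold_in(raw_at_interposer, b"")  # interposer has no auth secret
    return raw_at_client == raw_at_interposer, client_key == best_guess
```

`honest_session` returns two equal 32-byte keys; `interposed_session` returns `(True, False)`: the raw Diffie-Hellman secret is shared with the interposer, the folded session key is not.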

4.4 How To Configure Data Encryption and Integrity

This section describes how to configure Oracle Advanced Security native Oracle Net Services encryption and integrity and presumes the prior installation of Oracle Net Services.

The network or security administrator sets up the encryption and integrity configuration parameters. The profile on client and server systems using data encryption and integrity (sqlnet.ora file) must contain some or all of the parameters listed in this section, under the following topics:

4.4.1 About Activating Encryption and Integrity

In any network connection, it is possible for both the client and server to support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.

The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed.

Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and the servers on the network.

You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms (Table 4-3), and either or both of the available integrity algorithms (Table 4-4). Only one encryption algorithm and one integrity algorithm are used for each connect session.


Note:

Oracle Advanced Security selects the first encryption algorithm and the first integrity algorithm enabled on the client and the server. Oracle recommends that you select algorithms and key lengths in the order in which you prefer negotiation, choosing the strongest key length first.

4.4.2 About Negotiating Encryption and Integrity

To negotiate whether to turn on encryption or integrity, you can specify one of four values for the Oracle Advanced Security encryption and integrity configuration parameters: REJECTED, ACCEPTED, REQUESTED, and REQUIRED, listed here in order of increasing security. REJECTED provides the minimum amount of security between client and server communications, and REQUIRED provides the maximum amount of network security.

The default value for each of the parameters is ACCEPTED.

4.4.2.3 REQUESTED

Select this value to enable the security service if the other side permits it.

In this scenario, this side of the connection specifies that the security service is desired but not required. The security service is enabled if the other side specifies ACCEPTED, REQUESTED, or REQUIRED. There must be a matching algorithm available on the other side, otherwise the service is not enabled. If the other side specifies REQUIRED and there is no matching algorithm, the connection fails.

4.4.3 Configuring Encryption and Integrity Parameters Using Oracle Net Manager

You can set up or change encryption and integrity parameter settings using Oracle Net Manager. This section describes the following topics:

4.4.3.1 Configuring Encryption on the Client and the Server

Use Oracle Net Manager to configure encryption on the client and on the server (see "Starting Oracle Net Manager"). The steps to configure Oracle Net Manager are:

  1. Navigate to the Oracle Advanced Security profile (for details, refer to "Navigating to the Oracle Advanced Security Profile"). The Oracle Advanced Security tabbed window is displayed (Figure 4-1).

  2. Click the Encryption tab.

  3. Select the CLIENT or SERVER option from the Encryption box.

  4. From the Encryption Type list, select one of the following:

    • REQUESTED

    • REQUIRED

    • ACCEPTED

    • REJECTED

  5. (Optional) In the Encryption Seed field, enter between 10 and 70 random characters. The encryption seed for the client should not be the same as that for the server.

  6. Select an encryption algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow (>). Repeat for each additional method you want to use.

  7. Select File, Save Network Configuration. The sqlnet.ora file is updated.

  8. Repeat this procedure to configure encryption on the other system. The sqlnet.ora file on the two systems should contain the following entries:

    
    

Valid encryption algorithms and their associated legal values are summarized by Table 4-3:

4.4.3.2 Configuring Integrity on the Client and the Server

Use Oracle Net Manager to configure data integrity on the client and on the server (see "Starting Oracle Net Manager"). The steps to configure Oracle Net Manager are:

  1. Navigate to the Oracle Advanced Security profile (for details, refer to "Navigating to the Oracle Advanced Security Profile"). The Oracle Advanced Security tabbed window is displayed (Figure 4-2).

  2. Click the Integrity tab.

  3. Depending upon which system you are configuring, select Server or Client from the Integrity box.

  4. From the Checksum Level list, select one of the following checksum level values:

    • REQUESTED

    • REQUIRED

    • ACCEPTED

    • REJECTED

  5. Select an integrity algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow (>). Repeat for each additional method you want to use.

  6. Select File, Save Network Configuration. The sqlnet.ora file is updated.

  7. Repeat this procedure to configure integrity on the other system. The sqlnet.ora file on the two systems should contain the following entries:

Valid integrity algorithms and their associated legal values are displayed in Table 4-4:
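The negotiation rules of 4.4.1 and 4.4.2 (server picks the first algorithm in its own list that the client also lists, an empty list means every installed algorithm, ORA-12650 when a configured algorithm is not installed, the REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix with ACCEPTED as default) and the sqlnet.ora entries that the Net Manager procedures in 4.4.3 write, worked through as one added Python model. This is not Oracle's code. The SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* names are the standard sqlnet.ora parameters (the page's own listing of them is missing), the algorithm values, the two sqlnet.ora fragments and the "installed" lists are constructed samples, and the rule that an empty list falls back to the installed algorithms in installed order is the model's assumption.

```python
"""Oracle Net encryption/integrity negotiation driven by sqlnet.ora settings.

Added model, not Oracle's code. The SQLNET.ENCRYPTION_* and
SQLNET.CRYPTO_CHECKSUM_* names are the standard sqlnet.ora parameters; the
algorithm values, sqlnet.ora fragments and "installed" lists are constructed.
"""
import re

REJECTED, ACCEPTED, REQUESTED, REQUIRED = "REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"
LEVELS = (REJECTED, ACCEPTED, REQUESTED, REQUIRED)   # increasing security

# Constructed sqlnet.ora fragments, one per side of the connection.
SERVER_SQLNET_ORA = """
# server side (constructed sample)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""
CLIENT_SQLNET_ORA = """
# client side (constructed sample); no checksum types => all installed ones
SQLNET.ENCRYPTION_CLIENT = accepted
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES128, AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = accepted
"""

# Constructed "installed" algorithms per side, in the order the model searches
# them when a side lists none (installed-order fallback is an assumption).
INSTALLED = {
    "server": {"ENCRYPTION": ("AES256", "AES192", "AES128", "3DES168"),
               "CRYPTO_CHECKSUM": ("SHA1", "MD5")},
    "client": {"ENCRYPTION": ("AES256", "AES128", "3DES168"),
               "CRYPTO_CHECKSUM": ("SHA1", "MD5")},
}

_LINE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$")


def parse_sqlnet(text):
    """Parse `KEY = value` and `KEY = (v1, v2)` lines into {KEY: [values]}.

    Comments (#) are dropped and values upper-cased; a bare value becomes a
    one-element list so levels and type lists are handled alike.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse sqlnet.ora line: {raw!r}")
        values = m.group(2).strip().strip("()")
        params[m.group(1).upper()] = [v.strip().upper() for v in values.split(",") if v.strip()]
    return params


def service_wanted(a, b):
    """Resolve the two sides' levels to 'on', 'off' or 'fail' (symmetric)."""
    if {a, b} == {REJECTED, REQUIRED}:
        return "fail"                 # one side refuses what the other insists on
    if REJECTED in (a, b) or (a == ACCEPTED and b == ACCEPTED):
        return "off"                  # nobody asked for the service
    return "on"


def pick_algorithm(service, server_list, client_list):
    """Server takes the first entry of its own list that the client also lists.

    An empty list means every algorithm installed on that side. Listing an
    algorithm that is not installed is the ORA-12650 failure.
    """
    for side, lst in (("server", server_list), ("client", client_list)):
        for alg in lst:
            if alg not in INSTALLED[side][service]:
                raise RuntimeError(f"ORA-12650: {alg} is configured but not installed on the {side}")
    server_list = server_list or list(INSTALLED["server"][service])
    client_set = set(client_list or INSTALLED["client"][service])
    return next((alg for alg in server_list if alg in client_set), None)


def negotiate(service, server, client):
    """Negotiate one service ('ENCRYPTION' or 'CRYPTO_CHECKSUM').

    Returns ('ON', algorithm) or ('OFF', None); raises RuntimeError when the
    connection must fail. An unset level defaults to ACCEPTED.
    """
    s_level = server.get(f"SQLNET.{service}_SERVER", [ACCEPTED])[0]
    c_level = client.get(f"SQLNET.{service}_CLIENT", [ACCEPTED])[0]
    if s_level not in LEVELS or c_level not in LEVELS:
        raise ValueError(f"{service}: level must be one of {LEVELS}")
    wanted = service_wanted(s_level, c_level)
    if wanted == "fail":
        raise RuntimeError(f"{service}: server {s_level} vs client {c_level}")
    if wanted == "off":
        return "OFF", None
    alg = pick_algorithm(service, server.get(f"SQLNET.{service}_TYPES_SERVER", []),
                         client.get(f"SQLNET.{service}_TYPES_CLIENT", []))
    if alg is None:
        if REQUIRED in (s_level, c_level):
            raise RuntimeError(f"{service}: no common algorithm but the service is required")
        return "OFF", None
    return "ON", alg


def negotiate_connection(server_text=SERVER_SQLNET_ORA, client_text=CLIENT_SQLNET_ORA):
    """Outcome for both services as {'ENCRYPTION': (...), 'CRYPTO_CHECKSUM': (...)}."""
    server, client = parse_sqlnet(server_text), parse_sqlnet(client_text)
    return {svc: negotiate(svc, server, client) for svc in ("ENCRYPTION", "CRYPTO_CHECKSUM")}


if __name__ == "__main__":
    print(negotiate_connection())
```

With the constructed fragments the server, which lists AES256 first, settles on AES256 even though the client lists AES128 first, and integrity settles on SHA1 because the client's empty type list admits everything installed on the client. Changing the client's encryption level to `rejected` makes the connection fail against the server's `required`; listing an algorithm the client does not have installed fails with the ORA-12650 condition.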

r#"?r%o$_r'G&r)(r+r.,r1/_f[1O /s5Rs8wtƃ8gm;s?Wp=OsB?@/+tEC/YvE˓tKoJKtrNtPuR?u5uT_u\buXuYuZu[u\u]u^u_u`;PK "++PKj?OEBPS/img/ntmgrpro.gif;*GIF89a<xܭW%;6LLff3ff̙ffߙfff333f33fff3ff33f̙3ffff̙fMzr!,<pH,Ȥrl:ШtJZجvzxL.Czn|NoVOj|B}~x HCEY#"JHŋAq.~6>꘱ɓ(S\d">2y&˛8sB?RRОH*]ʴ.v=鷐hC:ʵׯ,ڨ5f%҉p5}4ЉJu˷߿J mCF:K1޽|dǒk̹d MkUI-KR(sʆX7,۳۸wMBq4 5l?u& ^ڲ2nٹ 闧3G.lqSV~<u$bKnx:{u!l]Gk"MW ~]zVhaq@sP[pT[-sI8^ *%]!&ߋ*F߅HM^:%>)_I^"~G%rߖII u) p~W#}`iIVdoDudBAZV瓅ȧ^^VU"ʓ!_iuIjTz;NWZ 0*#9Ȇ`h&a](fGb 뚃&kl{>rj'~+'θkl1 .d  |I>So llVq"k9a, ɠKl8SsTGAM>}DmH'L7K =HmD Xg\w`-dmhlp-tmx|c]L}.n'7=Wngw>wGz.褗n騧:ߠ.n{ۭGsw o'/G/W϶gw;އ/䗯8; ]'bå8_/C_5̀́K  Zx 8d_6 QB.)hB}0ĠwCipq fupD`U)D"D ޏS\" '#PB(4!$:^L\Ȝump#HG6Qd#GB򎐌=lEL7Аec(I+QL(y8Kl#aK~R"l(gxFS 0JùY|.͘)%mG2PL3n\Ir#KsC'Y;| )Ђ瓙J8D'JъZͨF7юV#(HPv(MJWҖ0UCG;8ͩNwӞ@ PJԢHMR:T&TJժZXͪVծz` @Sٴn8-Jp\JWU;+ Ø `KV}|m+T:%kS::ʍͬf7z%0b!KҚTƖXvβqggK, hQ6[ ZrΟ~em_[jЍtCͮ ws \5ٺ4HzN_+6JToXZw1W̷0]Jӫ^¥u|'L E`oT _tؿ qwW -^ KV.=m/%'0.?S기=3iP}9|_WR2e{9jO<9J..kع7@ ЀD8"J}A/&ۓ\.wː2}] 3VLfȥy,m9>|V_xss|?%~>2kXDu,aŮ|\96e YY mgyҘW5}UNwqy6d[RYVv|7sl~ฮ~p;~*Oˎxeq{$pi#ew ܭ#uf/`oZ{u/9gx!A#J'KPxƧ6#vNť;[cy wt3y]ضn8s^#]>ǹۇsi+LϚ7Hoۇ߲]W[znZ{s֋^\-1- Ytg;w|/zȗ`g4unw'w֦j{ rrU4D?냮{o}?|]K?mjn!:es9d @F&zkkwol fkߗlw X}ņ}tGqZew~~UU|:j]%p @a`gjW'Εp `w@X["xxց'88U,0Hj 6VgRΕc8Ak`]EfxZ$~Mn)r+؂/UW89uVmVZEqiye]t9)@`cuR"ДwFzه|y!藥7IWшQ 9S*ɗ~|FgɀWy6_WYUXm)\YXs)xY׹)7l9WR0ift?w&Yjٝމ:qr5.UaIyzw)Jǐ=miWz(zh >i/RkVv; E@gzɩš$d٢NPfy1*?3꒗fn#&b:cJ}mjIJKژ*Q9QsQY٤xw S eQP}VƛW^ A ~gwuƦmzojQJQje9Lڟ*{ ,!9n؛ Xh9xtޗz(jaڧJʬzcXQzJڬsҊZPQ޺J65(dlZmfl8j5{ ۰;[ U׺x%:Z{J k k۲%Q:)6EHUǘ5WxRگE:XJL۴NKGڪ*۲X:*_*kb Q1+*#ZsW8ۂR5rKA+CWFH;[Zڭ'+Ԛ%R˪۱k ZkkK4RJ BX%hv˳x볳E5[{;uW) K[+ ˮۮ 8p{sŧb( I;[e+Ƌȫʹj(kcʼaꛖJ[n&-x%l;bK\I"QʧoڮͺvzkUkl | |&p' ?̰ALC|1A\M;廮ڹlKTz6{Ȫ2Mܟ,l=!vޞ]|'uKom .mm-n˃ ՠM[҆ڙ>]Ӎ-l>4ް8nY`ޅ;& 0NmT5P>T[!'7%mBmBK^{8VUgnuNA \i$ZNaZ'[tnv^Wx. Bf5]耷RU@^~ꨞꪾ>>@0 &R ߒM&e{[L~Gh삌r5z*U δꇎپި%޽,E}}|Aqڞ.>V ?W8?Dύ:/<>@O{B_POIV$]U /XfopMO bSUU$%-L_'of^4c_'_k˺FR' g]/v OU\N[;uVgio΅0R7S2?Q ЊQn+gtfR?}Rqy_ľgЎ-Iuj?Eoxglvl϶}-?to?V'%uO'!AXdRyl>c ].! 
5~a\6ҚnLq^y  H" %""8#L R NdifVxxO0K4FK,I&+#˥#"DJ] V5P\bB.bZ(+Y0}16&:pA9dIđ3RNFܝ䎦=;hF`*VzԈ+"=61NWldW_ 6%f[n Oz .Nc Z|PE0HG蕪Sqqz2F[ռsgϟ锕De4s^ =R*-0'ƭD0 '<蒸Ţ.$;>∋cGרӠg׾ H5rmyrе+=  ׯ~_.,5Ks!A/=|`)? s,QFĄD9j % A$.<ny19z1!,1tTwD(J21-rilԫ)LSML7ጳ30Ks'ADs=̨& TACS<;)G=lQSDI)C|}OtLKI->0eRRkWa-CTMOZSMV<3_}Ko-IsݵV>m icͶd]W݃(i-CkVuSvUo9u5 fQ{5W &Q?f˶" zHb8 t3 XLr0U%W넽ʷ&hyb3VւXZQXb>~CV$CKHjU竱FkyLzk &"p.*מCnmN7oVe8~*ZF:n~:\Cθ뺾:A]m'j8{y{aq ԵK.j{EP @ztcN*c\]먼fB- x6.8acmJ?ϭvM{g&#ݓo* e1c?Nn~{#GN \LM$ A b7ӠB.h>z.'a qAx ~bj搉ڡ4ppMEP-]4ZQa Ñ;-QM\O9h c`=d}LJQ"<я IAw8Eё$%7QfIUtHYS*r\-)W]l.=U1wK^.A,iJ!Q&3g^!d-_XMq4'v.t'9'sγ@l1ߙϬSd6}&8۩OC \EC8AI!YQ|bTI Y-i8IQZS)0Y3OG;O#8} TnvJ< ӣ\[UAb@tL*Vꝛ֩LMhWհp*YېTؚW6cpYמVrz5lTCaB`N6[CcX"S=e/[DFld QϮBk4hrĴljZݚ@oֶn[.+1ەUg;ofw .?@e{5\OF$Vd{򺴻5/yStGbEnɽ/q;_ܚȾ: 0v]BpX2&q%1\]WX0+<+8mX`!ֹV%}KBcLͫxM'hV2)bG5x4y|19a xCZψ>\7ùr|,KyӀɜ4O>ps$/ ?YS#F8tq>2$#&T2r(SB?%@ ?!SCCCOA:I*LP4U$E/DoDgQjtnT7s4AY$TH[;T6E aGJFPFJ r .g&t$tO.C 袰*4T$TMt?4MCeXN-P4$֔$Ԩ@3:DBTQIQaHaRSKTݠQu$A"3H5?7$jDZU$^cFD5.QV?"W?dWSG'WWB B">[93#C#zuG}RYq!:c\oZr]ySSUVDNL;0[Uy G5E{U˱_UPt U Y5Gֵ:?VbZ_Ӑ bx$ad)Uɑ_Mbf[XF`veTCFBsvbQ 5^1?VVVDd)V` ŵcj3kpkkfg9#\muOmj\#n' 4`-6%6Yٶ!o68s lt3SnsF_g7@Uurs!Rp6qU9oeO-y 7mcuu vvvvtm Zq:xk#uwxuUxA"Q/WumVZWVvpE7zT&{w w|v 7rѷ#v}M6N!R6}szKFs?{{b7qx7iW~|)PS6z;XwU{{9L3/WG٤ywЅe!8Hyq3qfE@6uЉumؚU]N7}yԊs?8sqҍgWTs+v ǘאsU9YO!b%9}/I3YS7uCQ)YI(:YbWiPGf᷅XESy^yOfM5ْtqu{wB(w<+v˸xF%~ـvXkXٝ'YrM8yey#ٜaCWm3_ѡ £ٌ L z@::D:;W*ZڬH_?yY Т1՛quz5kz=yr"/BkIۑªmԫO,BzTź/՗]:+:byWי$ZU:@9=7;Tة3@;ZՙSsZq{|!E6ae[O6'ѵ#K[{[N6ra;Gy[ k;כĽWnӞ 2lj;G˧x;4λ=^CeoG\1ڕ(7?޶1~K!>ޕiWԫ8?[[=+>!Ս>齾#<3))x~9ݡ:'*>^-kT}{+2)gˮ˹+<ռk_oC 2BNXt_~eV s,@_;ZE?2 LB°h KP:A)jbګ1l.[ 9nu y=BFJ6=!Z^u9"-yy")9ajN 0 #'+/3)sJO6_ҊE2zw~YcSiSlwm nƑ WnLUÃ%ųWmLr% ~I&!f8\m):yqƚnL &$rLB̓(ժVdS)W!4ڊDlWsDbBZV)6N{Ekg*ںvfCvǯw &-_OB{x2~y Vo@3sg,5Û#1\ȑ-["m0toi}sZ8.]VpRxOoe:;An򨒹w7qϧl^~ &GIPw#ǽE%Xf)!dP߅&e(VuȊgiNU9ʦa\8,8LJC"dsBB)eiTBD$OKPie1YJc>&utj&kR'p&v"eV烂dHe*Hר Z顜jYm/}*Ij:2:hxj, ɬl)S&[鮍+ [-!kƱ6Kz`J m(nnqۢ{{⫅c.w/XgGo{Wh ;Gf_%qq 
sE׷1~GUq%qhlk5,r\?os&l|MѨq@+tINj3#;M4J 2[,-za;|e5Zs=ѶͯU)Nw{Q+%B;)Z6ݨei+'ytzL#;W:v+{:|@<6t+$zJ=",}ۻ}>3dث/#f%H.[L3oCkԒL+ >hC$X*Á_.AiPMވª $< O^H2a= ?T0d[\dVs븝.wU_a9.yr-/{zi6o{Ҽ-E}{C<~c"X1ﵗ~ \'8ž/`W-7g ?'<&1waա8qk0#L{+-:Š}ld8wB2x|'*[2Pd(c[M'g9ܲ> 哂YjVG3{,k|7W<|tɌ.r&4I{nD+ZД޴\HyҜNi+/zԪ.CAeQھ>Q`ΚLJ{QOUk]U^6e̫2#)!6{liVmo?ێ0]nufZy{2؝o'pNe/\/1fo8ArC\u5ɯ5r-Oac)9Xqs?^σVsE'ёNb/wuTOYէt]sd]M7;'NƊl)ǎ'pv>״[(@ϾpOqQC><+oc><;σ>=Koӣ>⡭?=ko>h {^>os1C?ҟ~/h7?>'_}i?'gojl}?o?X"`^X)`J 2jr Xau` b_2 ` 1 ` ``@`"aJz T ;Ra*˜bF@Y_ Zv`aZPڡ!桛!!S * `!\DC9' "b"A"]ID(~A%Q&bnu"%)E*b-`**B'(ZE@-c "b$"PBE|Db1J%#/EN(4cV#(a$67c;*8R99bD#O7><<="*D>cB?.@^@)BR1$69A-H$BVGnE*nI~HjTFXIJ$$I]bdN>LTMJbdP.`#^ BKP*P~c,eU^SOFyUz`%ciW%geY%jZel=|ac\ͥne^%qu]eaQ_]afc^`6bc:fedF&Iڤerf!B1hfiifjjfkkfllftmJfC]n&o papq"'*0gr:sc0'rHWbgvjvrgwzwgxxgyy'vAuXAWBg|ʧ >~fg~ ~~hJR8 f hJh)(~ 8 >NhzU}Re#h (j膦臺J>c4({ɃjhrL"ި)*钚DhhF0bi8Jhi&ifi^)(ihZHh^jjI{Bڡ2jށݠ^ :j*~ Zꦖ),qjb)mjꪲjjjj*jjq k&'k g:BkJRkZbkjrkz뷂k븒k빢k뺲kk6"/뼾Akkl l"l*2l:BlJRl&,ZlzǂlȊȒlɚɢlʪrƾlll,rLg t"m*2m:BmJRmZbmjrmzׂm؊JbْmڪڲmۺmmVm;PKXD4;;PKj?OEBPS/img/asoag010.gif1'GIF89aF3f333f3333f3ffffff3f̙3f3f333f333333333f33333333f33f3ff3f3f3f3333f33̙33333f3333333f3333f3ffffff3f33ff3f3f3f3fff3ffffffffffff3ffff̙fff3fffffff3ffffff3f333f3333f3ffffff3f̙̙3̙f̙̙̙̙3f3f̙333f3̙333f3fff̙fff3f̙̙3f̙3f̙3f333f3333f3ffffff3f̙3f3f,F@ H*\ȰÇXŋ3jȱc"豤ɓ(+)c4J˛8ssĐ<p Q}EQM 2*ҪSj5ϕ]s5UiXOWtZM6ʝ+P.E.އiR!ˆߴ;pǏt ʏk2[V^ʐ%;ly4fHseV®LL+]t&2歐sSċKlu-Iwo~ܠqȻ{_.xZW\ @*'ϿKe}~%~K|5v V`cqeL zeiy s(tbS蝈Ae"I%EAŔᆾ#( A-2y"(#ARQR&^[Zd!LɥBNPN&OUN9V=bKcH9TEJ.K͒)eW?{_ݫ 40I/~qQ4eru&I37V[\mH'PdT\qNpGNMTg!iCvUw vp̨q4Ì7P\[߀.e~e1Lp.V[DQ\z$]H^fDg'JQ!Il꒠'CLju$ MIVk *9J0.w"Z򔵼u'_nqdz@˥6Iɓ%҄6m02'A`rMەӛ%:׉sYgwW =ųO33JJ zQ\Ls7%hbi8J "Ob !G!Q4(MiNQw*L_Mɦ‰OV(bsiWVPGFюSP@/yTT3KSS)XJֲh=@rp[՛Hx+\4UIVEIegJǵe_uDkkʾ㬤2st "խbp*71e%l3ݼKEUC}bOżn{8;Tg*̝&cni{|#R)!ОW%NK KH0#`;rpK%Ȫ샜[bk&.paD,q n k24N3OA!;,)q<̘]Q1?{H~N `GB8#FX=*3HjWoJ# &jtURE1 @ߛG˅JsD_zҏ^1'._t?>7BP^E~d\4~⩧znMț}ikjX?M{`fOGX-dPM=dhfӆfxd~!$ŀrH9;^BU(A#(~OR'.w0E؂Pu|3"%a4Gu>h."8OEpHB  q 
;HGI둀zkKIs69xUhxIgeOWpMkhmhuxLsguWjE/`n8VWͣbJ5{ԕY\uX^YdXAHʼn$AUQU8'䊯%dš(YEd"aV":Ȋ`bNj(H&c8|ӈrSPjrCXTF0B0r؊Xz2! xF᎛' WuYȌa8wPhǨȍf(rEDGKCĒCUQA[XeS2S$5U[,")#葵vzx1IsfR(f 2cuvf!!"H.i9.bI&#Aa7!H x@iYpYo9U.xgle0 I ɈARaQim]!LTV?CbO!94[MA"~8b5x.qfY y!]ci_ry]U HtXrJB@| o \7lw)2). }' ci償L1yt%9Z|\:_Tyh"ۈ\ :=)72Su}'(8 &iٜ9/[*Z, 5ꗩ£TUGF*.tNQעٷ.Z'UIȡDʦV r&j6r(-\}0ѠU1fiGa_y`~\FuBv%& "&EWQt)'ީB{HO~Qy8Zbo2DqhsJij1N/cDfRqQn4i08ʶg*!6'waD"b"F3JWD;Բ22g93x0?8[e9>['>.3tZ;:[Ta,._{1jl+ǘ6z+D«t,azr*exK\ȮH+ ]j]=RZ֥ $ۼ QۚԪIDd-ǝu-I]ur RMQU5''}> c0>vㄣG:7o'mÃcټUCޜs5+=e(q ~nb >$~b|%09*g4~a9zUY]Fi9Dc cYI~c2,TxMjю@E2YnS6yA;ē5m\jJl@n^L:[yKwxp>Z. _Edyner+;or8S筤wy诘5"Dd҂nh;kNVeq6qË~NDG&5f돩BS'>eO)".H־Ǟ]f̾|!P~Pb[tT>^%LɛAĹ05"ZRonTTJD" Zfr摸R|Fn^V$z ^Z*29HV46? JNŽ8'_꾞0_G]DW>2L_GV S6ӣU[KMO_^`m-}"MYZ"\ܮu\XhlhC~2hu놿k^rMӳWU1yHB [4Zم_ W *YmnHޮϥ:ҠhB-Ü4 9 ^?<|/K"aJO\#XA .C*dhn,h%G9bI)UnRI1er9S@9sԙЊI=$gќC.ƚOl9`TYbZgW׾Nh+S 4֭۠#Y͝5ժr馴{Wj߅slܧ.u*mFl߶5k'-3_&yea;t r>2x#+K5N 1iÉTyJcFADmd&n+կg{ߛ5|{ɓz%@$:x*;.С PjCP+C$Ĝ Mt[Q+cjĬP!gr!TH’.4)ɢɚtI(r GI)rK'ͪQk$rL2tǺD"H#W R4!ܱJ%;=[mOДG927o4@Qӹ`R*%K# l}QqR5SL֑SW>C!5[\lVXUtv#^mv:jU͕et252fo5u=-Ti^|<ө- \6UpMt3uVî}a`nC5WU_<ńeymđm u)+Ni` c=\RsNg*Pg\_"ba#c59Ǝ{iJ꤀}/ͥ9jKs&ZTdWjKY43%k̚5B ʼnէI%Vکh )S t9l'v|$zYEMZWt"_r8*BddLmTI|u dQ:#fCZ٘SYAYk5;T_buBUZ&Rnw]WCţESj+ƫ.jbeYE^/}/I VmAА"bCk^g%+Nlh4 u W!MBkRUI&dvT3/1L?eomiՉbFZ= 'OiU\RҔ+ H= c2 pxs-`̥ݶ 4#g9BU4z442GD5'Zыfth8L\e+rqJzHS;J}43 .eR̘zq#kj򊇻~yP<-yW^ɇ;BχϢ{jV_~ύk߼XO=Dܽz;94>2)YӇei'o?Kgd, ~ ;%ZC ɯ;/z= t`I@l@,=kͨ@ 9vc ܋*KT7\>|=DrAt@ A8­ˤ< KBZ#, &  '*|02?-B+B,<8O 1Cq/GO4 HC9HƅL {ǻh'HyB)0 H/VBqdH\NЄC,#ΈtOϬLOrD6 DNj M|\PUP}PC C2P KdJ ̦,Г,Q,LJQ #IQ}DQ?QGtKB<5PO "5PLdO<'͇!,8-5FRelR0SlRLܨ5%J͹Z \\,_}D` O)eWc:95VMVAOe Ag%~PoRn-Wqe MW tPv}4YtWhP}VXֵ\VKةpL}Aj˔ e՘E3%XY?(ԍ%> 4WsE {D~Y( E%zT8JU2D#U݌MҚ-#B#Rі4%նҴ[ЛوZ#|ٚZ8Hi]ZMER E˾\ɝ\ʭ\Lc\eMܐ\%\ƽ\:=]M]]]@}е-صü$[\ݞ-]]] ^Hb}ڝ]P]G ;PK 
|A6'1'PKj?OEBPS/img/asoag011.gifo1GIF89aT3f333f3333f3ffffff3f̙3f3f333f333333333f33333333f33f3ff3f3f3f3333f33̙33333f3333333f3333f3ffffff3f33ff3f3f3f3fff3ffffffffffff3ffff̙fff3fffffff3ffffff3f333f3333f3ffffff3f̙̙3̙f̙̙̙̙3f3f̙333f3̙333f3fff̙fff3f̙̙3f̙3f̙3f333f3333f3ffffff3f̙3f3f,T@ H*\ȰÇXŋ3jȱc"豤ɓ(+)c4J˛8srĐ<p Q}EQM 2*ҪSjUϕ]s5UiXOWtZM6ʝ[V-X.E(^iRa Y +^ߩV"Gd/GTo]-KT3ҚI# ̕ZVj.*2QV'3˸љW7CM_z yw.u2-!툻'lx^{FYUh Ͽd5$| }%~KЀ#%&Ԃ.8Z6prEq{Z9xAwb9axSF- Gx}1!p5F'_OA8P AXFJdBJbɈFIdږVp(\riQ7i= #MY٤8Q\/"ifhW&C.IeAp"#sSRIgTզY Y[koӤ+o2H? NFDꉇ"TB+A6yöĊdF#TEUbE+j0V+Wq U+T榫RJU&VY{nhVQEea+Q ]"؛vo ]NLE6|!Gp E0.;|QTui#i9֯KC&L7j#(ZV7pnKvVRׯk6km2Seg%@=5IMRlEn㎝W lr$,8.y#礗nu]z~!;{ѕ_o_uojHYG_14LEhԇ/'t m??Ok%OHT~'@"xi`'HP Aou\`GHBg85OS4c<92z͚RL3iEFџ$? F\.T$B0ͨF7юF` i@Ӿ^)ȩҖ,Ah(ÒRԥI(O0uHwB OUe.A*HժVZJH٧)NAVRR3+g&a ['P@i]VH-aW„V_UVԐlwBk6⻬d7|ӘubˍNa*gW*b:Nm[ֶ!PosIUΖn┫ mPuaǠWmեFN;/e.=;7tkpk] k4DK෿llW^eؕ}DU' 3M01%:ݒЭo5LN#NMCMr)ef RLLK1wI9I0m!b hmK6.{`τkhNǜ+Gk&ɩJgDu"XmN߄՟r5p`%qoL{,TD2iY%ԛ%KmLBӽ9s+f̰=hld;Bi AYu\3YYc _._=aCD)3KJŻrqo+f6] >q)'/F`%pu/7E?hG)ߴ!7o|(7wR  GHp06 g] sr;]OKӧn!Xϯ[7e_ ctEF"֕ P5FrŪ!;G;Nr{2ڱQ_ B<9twpFq~m'MAah2̀(/&hsv ]~j}4$W+T7,OUv4 moɻ6IO|n'*z_e3yQ< vv^xW8ְM@6mg3x#gxAu2]!b&|0WxbkT8Ac^sL(}՗%ܷx4hybwa:-֖:>3ĂIe6THGd$`2v|]Z6G$JtT7W(NӅDIQFf`ex|IG.bCel肌Y\H)OP8RO_%Un UՆTR8shWƈȈ VmX(M ʼnd Q؊e~8GYaG剷9z(ZgM2y8@WƇr1ˆXpT؍֌Xxonj85?[l.AZQ!!ත[\2ԮI+gon{mwt$znTuK<<Ζ7Y"=qw[p,[z.|ҝ2Aqlr:+tsIaRĦn۪(m˺ *||j3$ yb;aK۵ ;ֻI0wl{ ؼ{InY}ww-ʹf#vFwvr*{'J :>b?W:7Od6)Û*Q3G"1~,`fr ]GVs0n QW7DN2-S4 ;H3tVgkWFo*ccy>,Vk%%ԖacGLy, <1;_~̧t]Ε/plӧL(]L}!l5vq^%G xg~av49a{{sd\x2a6~Q!h|!Cqo|25y^m-NpڑN>HFc̿\t.A ümvWR3FȜ@\ut&T<1GBDCa26 MI .s0&7]C2~J!]H3!.%=I҄%;X)}Y7YʿUM7%М0m$"GI=K&ߜ<Ѽ~c7K`B0A"ދ&~(.$=㋤tFEm9}h> AƭXΎvLS;ni)[Et@m}a^V1Ń\\AXp^@x ?)Jk Zuz^WA|UNiž.5=5؈~@bN抱I3CCؤ<]F{.F.^IaI\[Y}ₘPQč{D4n?Ŀy>z[^b?B>ɠ5ț~.8u=>a1^J8O)TVYKzcT* ~H4:=n_+~Z;&?B~Q.,[:증T#@ߕjN1ZO:݈:J[c_C{>4ky/ Dt@v_~`F&^_ۣ}-/_^nX_8?#Og5騠?D_)\ǝ ^O+>zsOx=~ӿO#Fn/wŏV/J9Ƭ/`ҋJV $XV-dC%NXE5nNjD$YҤDNr\劕SƤYM9&O[P4"PI.eӤCBZUYWaŎ%;vY;G}QM k5n]w\߮+[aĉi>Hcȑ%Cf 
dfsFF4ЧCUu@aK]۶jVeNo.HxMk<5 k?{Xy [.l{WF(}-yM@0mK7@#"'BoC;; ZWʽJ qSѤzqEk(6lqGp܍G A[ һ"9kR'rVJ+rK.گ,('+3" [h5A19J<O= 2:4;PtQFCPF 4I/̜**MTRtSR TTSTUGcu8^At V\Ŭ0XbK- LUN`fuٚȠ^ P[j 59nk2OdMWw(@ȄKތ#*%ZVxOcMy#ȼz[a^UbE X{;4OwYdsMkoa&et" .6hVڶuiz[zk浧Vzl4rmvm[%nJO{o eo xBnF.$I v]&˳D?7sʯM{UΕ.=vo2w >ၿݧwm}vJ'yKދmis||ޱt>zIȗ_{q/&ޓ^j¿O^K?O'q/dWlЀSB-|iJFZY޷ f8mԣC _1< D$o5V崅l0|=d:ҏ"Ƙ}! ;1Zf6K%4d OB\Ғ3eNG2RdQZY72/ۋI@A"$+?O Ĉ8BNa,5yD F7"p gy2UWqSR*og@j_䶗4E0s͚:EdRb\-d1[K_6/ fFX.*VOvad+PRƲXǀqLrKl*A]F!'Yjkb1+!╁Q4;[Q/Q>PsU*˜" ),9M $`g9FԀ}h+/eZGm_ʠ\-q/hCNRU$f.DM:/APU;uP: \GRj MiTv2iam^.N]iSC#3_mdٱъɲ=EQ>k{F%N]܆[ʒ~+`z# őMa!]eoN)ñM;@>y˝Fd'.y|]yzE~sV z3뤰" 7lϷ=XzN[Js]]9NkRoT;{5^ݜj9QYױ]mg O۾WwэSAtspH!~Q+E6]d3 Xy"Jl^C$6W]PA}V;*ح 灸~/{_"f:xOC5꺔_$;* *9K;RÛD䵀Q k [Yʌ <$ \@[ A0A\AlA|AAA(#ErQx<УD As?rԲB 46Q н-<>6w C' ɓIL h4 s l1@CĜK|@*:DȫġD9?ဤBhSCCL|JĘEH=JDH(CYj)D;D0l DC<FeL`q16:F?D޺.?pKESdE?=O.dGw|e\Cxw4F.rDly,!T#LhF3?2LJ! zB_|qJDtC(R, OFcizŃL8G<rHaI|1I\I(R\;9ZB9<5IdF I9CPIИrY;++QzLlG⡰|9I\KlKDg͉pB+T8(mAHa$(J\IZGFHl?DX8PH\ēR=3YDł(I+^l,+ H84lqE;||ؤFMrL9mE$. IHzGٰeAj̓TJN$< l1a"hێ쬡-YM|HM"FT~rDžlGώ"tʨQODKVkn*Y0L)1(A@dU r s-uwKl*hW{|;Io=IׂEe׭ YiXHr=| Mqf:CHv:{XA+ T'LWs뢙Wg]إ.PXݘ]؁=խZ4ZRYY9!ZTۥזyZTm34 ¹ Y!۸E< ܅ۿ $9E\`,\0m\<=qe[ q\[ 2Lѕ~_!\D+EIY ݫZ]$a]ޝ^ܡ4b<5^x\Ш^ߕ=mKoƯx~U~]߾=P7]IeDX-FU}P?uW]][`} n ~ t>[NEmNa\ a   b!~P".bU?6)@.L m86d\'AYGd5 JcNeҒ"Rd PFQeEcsd9YE>FD.feaQ&<.f?}dTFfVfM\in9g\6am&fn}[fFJaM`p_u~fh6`x^Aygegs d}et&g^\\~rF]oVWa^]N&pdHhs^7V_gvhݼ_FʝW}ƥ&h'HJ|^e[F@ҠSe=joyf |㑖[@*],]{C!.PQ]j HjDf9Hk>mkGfe^3n\1(.dܨLlkANuikm4ˎ8llI^ުT۬>mj# k.l}[gymjlI`XL͎A1b>ʛ^{kUH~V ^T^b ~j趏o.koшkib^h6_^ﱮl#Mܖ_^AlƕK.n OpbuWea헉U.onq gpoopqA^XjVXqW`s!Rn&?n r:Vp-nA8!NJ3ב45.7v-%w<0fs?Wr3@q^p@opAAAtmG0@JRNE\ڰfl Q\&;SOgnu[t\uo/t*?Ŧ s`m}odGu^Quyi~ƮvYW.jd/W1'kaghn0ߒ{v ~wnw s]xssavPwpwb>7w'DFx "{xLYG>yony nx/`=uoxCy yW7,7vT'XAyPqKJ_۸zg-pE[/͠Wix~yE`mO7?i`zOvzV %{k! 
oz7*cu?{қ_Zo|'.{ | }/})w^}LO;Gs&תsO wD1WvF8v㗏M~Xu描·|(o{b7h~~_zkN$m Jzgeo nko<\wFt{\l!Ĉ'Rh"ƌ7Nd#Ȑ"GFȊ$ʔ*!\YQ@+ djᵛ0]gŖ@u((RG8Z͜8u*Lj*ֆKr帵+X_l4@Rwm-ܸr玤@/ 0⨄3nUl2̚#|NJNItE;OuǏWՁwͻq[-x5_UyXΧS>[ڷ3;/o׳o=~qsZ? 8d ~%8TւraY(!x K"%x'by]/f"5S6u#?ې$#WE5)LH& ݒ=ڕ!)!Unh`eVbzy&i&maY&uFvif|BDB 姞rz١kdE6%Qꖤ%ԃ6tX=U:)XGfOq ^Vq:ES6U)@j+L:lPF,^ h;ʘ hմ z y-gn ZT*ʣXf ec` 7*L{1_|/VO|[IqȿyE'?4wX23\3ݜ31hM?~ө>O=-x3K 2dZL0f ]tL'BEB| S.|! c;PK5CGt1o1PKj?OEBPS/img/ssl0001.gif&(GIF87ah̙3fMz33333fffffffffrf6LL̙xffffܭf33fff3W%;3ff̙,hH*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@V@ѣH*]ʴӧPJJЫ-'`R+ׯ#N@ٳhӪ]˶۷pʝK7V`~:߿ LÈ+^̸cꝬ˘3k̙sdʠ/ZLӨZ԰c˞Zr _3ſ =/ޝw5 u_dG|a;Nkw#?w^/gvGAW^yG`}*W_ރ NxQȡ҇g5"|zf#'Ha{Aa?#hX"9x\~!~=d3:VvhbiEy/#k#u;cnZel+ٚt(d'vw)u#myn8@B)\ҷ&Tb()ܫjNFiz֚׭+,sX&llw{>\-k`Rv+ka+P 'T[ KP ;LDVj@ ?lq$;rrA+l@2ל16;P, *,4;msFK@ xA33RLu/cӳ}uWMqR-v\$v8Du@/~n}$(כxqx Ooh_ޘn罰~~߈x Nΰr~>:̪|<7oǎCo|/'>>gϾ;s>䦋}? T=t{&@"D'=` # -bЃ.4?:0KY #A= o@W? C -8D*1|h@,J,b&E9]HYq b7E1Vэ3#5P|FbE9qG E6)lUbnvqd/z2y^&ՇK~RveI'6\) wv94r';Ri(x^$I?f0<02d TKrz" 7nTe(ݹu~D*''"#iXA[g;iħnjT57--X3'9l{c '~ўa(8Adӥỉҋtu*ZE-*ґ=)PuSn=M MR2wEQ߶1H`XͪVծz` X«U[hMZV|̡m\Jײuͫ^ } `;׿M, :w+d'Kbͬf7 -a1+Қ=jWrƌaH63en%ҀnE hv A>{@rO3 .@5uըFJkq+ Nh:d^/% ӣk^ԢYwW2ꯎș&@9 0OMpĨ hFe'R /;T}}0b YR{{aoX/ ⸚x >̍O&?o:bCa U k<3džq$$EM3Sna s*v Ec&Uʕ)\f3͂!_ڈtV ;}mtg(x 4E*Er4a-gHэ^X7I}1h17l{凶pb;8լ5dW=V֤y81&Y[1F"fǛ {RfT)lK`e}Zr7j3q̨,a|^F|{c_܊E7Knr{ɽ<4ϸNvY/ԇ8- g1 p}#<÷p_g*Q&9da|8f5p(OOɇGY-07|$1Q͛^?ӑwEvwʵuqt1fé V21pcrzansF:W\úH&eٳ6_ Fջx;whMtݼii6ǃԌ!9*>W*z_~1O{>ݖ}O޼2ꇩ4.o?|d/mgOs묓ջNOz?'jQ~Wآ~(E`ExWx8ZWpOmOl~hK]]5""Hl^Ձ7%'#pqłGr.7x_6Z8q:hx^Fa.fdCg{c׀2sE7|QhYE|Z(fe&cb\؅6Gׄ'aQejs 8Yx⷇VׇX_8}Ȉ~uOƇhi։2~"b(k/.Xp{b8-`x&W*`hwcxȘXU]!8}xبΨ6ИfqŘXVa2xH݈'g؂nkm!oAZetr lѐfe!yyOl؏9Y U9YŐ\E"qdtbᑦ|Xy I%)AٓG9Di$9$i>IKTO@)=IQIY)UO[ hYeOUM\N(7Qq$ȓbVj9jiI)[gI)) əlpYsoB|gȒYIhA阸i@Yٔȹٜٛe b Yyٖi_ٕYYiIɞٞyɕ Iyfhxygr#֝vWYٟ霺Iy) CJZwr~ŠF~*l99<*YjaY;7JY'ʔzGo  i?IbʘLNڕzITlnyIieZ9Nje4b{J{]2:51X7x929oZzzVJ\*:ڪHXګUtٌ8~قH &,8) ҚU1hEg8Zj&}뺮ۊ`x`~^e;[zYz 4Ks { F1,;~DaQѱe…ago1F!fW`cegh&l6Y^R0{2u7ȳ)('1Ǣ 
(n'X[Q1۴5w>>a^N#G!"n$j̙*цwx9v켺}RKh7N\n8Nk[b&iqM~k}ؓػ+}m-4.ӲdM"+;ھ ,/}zuz=ֶծvn-n|87-ؑ]m,.־[ ƽn,k*ߚ h^ؿSi k$?->S.'o).-81_3~9*J˪Ӿ>!#TJm I_^V^=_ڨ7P_Rhm}Z>=]Ľ ޯ[ڸit/Odo$XA .dC%NX 4n̸GDG'5>`ْeG)cM9uӧC a<9&ђH]JRɧk>YUY. )ҏFAF=Jti˯c-is[q%cZ+Uz*_l%\v9%)#}E [ę5oX#e+Fȣ/Sk1,Z~O'%=3lsM;qPq7ֽѥK:f}w_Kuifɫ}2}(Ԅ߿ՠv93 htA#pB +.#'lv)pDK4DU(> $?kԉ20uG rH"]{$H&tI(\2WbZfcužI>dR:ꢝ iU街NykaydH9k8n96;l*n$?^avx]fYƥ[ªۖjBS{1ɵLc#uAxޫwMGI~N-}cWRN_u8P<~x@K@F0x> fP}s ABCxBCaBa CPa 7Cfa_@ >$"DVEΊ"HX~#HQ;DVlm;Y:Y-^WKnqJ[eWOD.8't{]v実;wmMxK!WJ}yK_q/y_&x fn [6X -lḶײ i=U^5/fY+־ oe%8QؒXu[ Pnz&{H#G )g rQT>Ƨ̤U_f9|\l%:?oztTv0Q>Ƽ6Y8B\Ӷ.T&2ٔ34RHy8?ڬB{p_DRN{i~Z9|M9LqKΧ+Zє)ޚKkhfVW,WpI]g|m_X%/L9xr%ժsDhΗEv]$Di#9Zѷ:K.1 f;n#e.Y/܀"[-aKxq;:0MG.2G|pm~OvOsGya+ᩭ>ߥ׳+6ij!Y]tFީ=ojA; 96׻vWD~1,HvYg.w=qy۹ <׏K,UvL5NIIs 6>/^ao~=EFRķznW7#5[&G[S*?.(KA> Kc:㼿Bы&”C (B/t<3C;8¦§/ҧ";;q4W4,59-4$t0c8QC%d@-EB8¬:8DNJ:?+F0DU\/VlECECEEJzE\.]EE_.` JEb ac%߳;HZ*ē&c#2`CK(G ' kI3-?ۘuG,ɨHHwj@U6)„;kB*6,'DJʝʫIJ|+AɩJy#@? mZBܵJK%L˛Ԓļ3K3JG{Ȋd[J\Jl LKܻK{Q}LtPeQ*+Q,P7}PO\#;[R^cMJE!K-DXQE"RO2>(Q]-*-KO1N)*tH|uI e%8\6-95lIHԠQ.JULT<tYVԗYlY/|< Zj<2ZV=:%Ĥ}d]ZE8ZdZ$ZbZԙZ餱=[N,C[0m[ [ͣ[[ ktھ \\-\=\M\]\m\ ;PKt&&PKj?OEBPS/img/kerb0002.gif'GIF87a]̙3f33fffff̀ߙfrfW%;x̙333fffMzf6LLܭff3ffff333fff̙,]H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴSJJիXjʵׯ`f}J!h%M,pʝKݻx˷߿E+^̸ǐ#KL˘3?f@ÚCMiӜ=fװcvZuSгs{sgKq+@\4'|8椓CM7,qک_qk_9w9/|~ý_wAQA']]!6'n$ 8^~ jZAY7aQxh.c;8s.#'@I8#Q5h_ :a=^%}Fx㋍9$TfT@™eA(w%uj Tv9`Y!#U "䣀(mGi"_6%Χ$lnSvdV;Ğۯ$l6;䖳V`@N%-Pֆ+hߖk覫+koB,_ k #p.W\\6U챾},2!B&l@*\r4;s/ ZK3 C#d' 3Кu̴EO2<+m>Ct[ud/ݵQn3Y$kwLws3 0pގeDJn܍ߛ9ŒG,xo>rD/N~뼯KS}jan|kDZ׋wNߌ/˞7\OgOZ߂h>yeG=g=#:p-Ͻts'6#H?Iʣ9*VԥςߌXCjQyt}L+wQclMk;OQВɮ=9V#(;D`/7uzN+-0+jѫ~5t"/L;qճqzHoP<|V_-h0G򎳮#M\M d^9 egu<Η<ޟ7QBw{<[K/)׻^S 90K觞pM3׾{mp{ݶ0- nwܺ9M̺[Ȑ!Sv3yr^4J+"<+K-L^B#Ƚw}O׫#fYЏO}Ѿt͞|{ӯ>՗'e˯OK&F7iq?'G~c`'kt}'G|!&n6q~ ؀h#G{-mym'8+~=X?ȃ@8/`gGRbp,@(ST-XJHg~t9$HV(Rx*[xm{W(!DžcfAh>|X+臔'f~FA'z07xW~XhHw|)wgf'~*r6V&uF"9Xw s%pH'il8pNuAcZȓ׋QpFynHyJ2L9R}wRɈZY>,l҆L,G ɗȤ|IWkLTyє 9iٔ閉)Vrqjə)~s\;Tv6`ki(LOy)yy9iY}9I)AJ"(N8¹y٩tap9yBrgO7v*O$ 
䉙ɛɝשlI$ȌxiIڝj*9aHvڙyǏL独(ۉɘj*5Y橠_99d@ءuFvHJڌ|7aE8 :]WC_ȸ.ꌵBZF;yUjﵥrZtZux[aҥε/Ȧ1ا5nHb]Yǩ; y7v~R`j0ijBʤ**c(&+*y yꤱꇧ(;"BiniV,Yڙo)VJge`ئjgә+ZӚz`_:ʪފpocRΊlf ꝚIԺ2٪]Y̙#d*Ii՚򚜬%"Mگ6Zމ6+h}ڞ(1Ymz>9#:seq,GkX:QP8 kYVZʵY֊]kaK(14zk+r: s_J';ۤ+b jzk[]hpx덪غK8?6/* *1x+;`[ɩ۰Φ ˼Fkm?% Zỗ!qi`J)EFD5[: L}泠DZs ' pI{[_宰Ƚp@Wp6HZi)n7ʮZ%j`wH uNDU{YK;Z雋ٴ +fu;jH˶V~ (zI|K\)w) j Zl[œ;@bO/YùflM6YBl+bn̢Jr[ 7K*LuNŽ2!ť[z Ël< `ʬl<[̯0lxzj"hʹk^e,[Δ5L\ z a`͑wHˌq베zf\b5ѡG+Xً(,u/yF{X-Kt (|ul~dJ籞I+$<9&0ݕ0^9jIЀCĴ: yUF'~0%*X<?]֚)YOl[D7Kq fl Mqu,Xs,'|R}TW Z\˵Ӻ`K$س،=ʒ߹Wv=Ī,;ڷm#Y֦эXVzдU}۹]d ϸm Ufڿ[լܜۦ}}ԍZ|݊mX݈eLl+Z]χ a' } VKq}Ёv%Fx}q]QujFI-;>D+WB<W8taԡ.&ސ('em"7W9K[ 6qF)%M ^6iV];1Zߒcq$=zL peɞN]^hU,u>T2^~ܕ5>Wv , oZ_\E`+My5&',_@2._s8/4&>?(A}HJLNPR?T_VXZ\^`b?d_fh1dj/[V߽t)]Oi[ƩZX*WOKjs_O3WYAь/_JiK7TwM/$auyKTJmʿL!ί_؟ڿA;PK1{,'PKj?OEBPS/img/asoencry.gifPGIF87a\̙3fMz33fff333̙ff߀rfff6LL̙xffffܭf33fff33ffW%;ff̙,\H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴӧPJJի%hʵׯ`ÊKٳhӪթpx˷߿ LÈE@ ʘ/k9s͞ChӤONȰcf̸dzsͻ NxlmmУK\yQӳkν{uCGLxyg{}˻g<9x_em~Wwv7| '7a^fI:dA}O 3gx5樣=D d=]A(zR"9?:X!Grf%x q梓<(uYc`Y&!X&c'!fl _"9XީrUgҷfB>iW&d>jC:%Im)o(jNJ"kÒ)ZxVktgJz\k趫+o‘[nLvؽ8YQ |S' 7G,WlYw ,$'D(& %&z ݬ/@sA 0ADlsPPۋxWOnS]9gb?2$n.{*d~szǽ羻xajo{gm\|?<:k|8ӎҗn O/ο._O>`?fnwA|_H@z X]-HAJpϳ_վ!AB@+'~%xꅬ1G@DYzCN0x3  (KbV:Վf%*P1:?&1=<# jP~i!ydNDGt]#%&-nj=_62VJ#J.5tcG:0dINq>,֪W< i;Pq4#UiJdcrK$Bї"(/M]l6~2<% 8LcRҀ&9ud%.Cie&Kӌ<"r#^CscBϒTNN gS25=*tdV˙L?F*.@ßMiӡ (e:yElI[HPjRumi+MǛJ͆W-UJJnYJV4 uj4˫^׾2+q2mMb(kmd'K&ie7κ !hGKZOeMjWtպ_kcKڦͭn;-pKܾ M:;}tSnWzxw=zw}|u7~Uw7X>;t ~ [_ {i=Uo)~x:-YZM5dHZb6@j+0 Xβ]m=~,X|'ǒ3j⠹j^38&6r^\f ;*U\0:ys$VojK"B4]I=xϩP6ΜW.S1,aӜ~1>Fꢩrܬz%T>c&̃4p=HkRV5 B. ֎tdu2R^G{6xզ"Pݮ5'qܺvKlt> ވx'3Uo}vi0ϻ962( =;=ӟ#.; xW.O0GM{qm_}Uƺ$9w.ttgt-&)9x]sO[mjCF?Zvt@q>C7}tD +RKJ&>zڵ?! 
5뼳f -{e~6>lf߆Եgz$ |NH|[Iu!J\/~̛ޮV!/q-}|Ѱr%5np&poW('.(Yb~¶~g~}SKwyDw}}Gl'4oMm}Ezxr~w|G'%!w-{)%GrᄿzgbJ|L86h'R(zT|xՅ?Va؀eteGg%wsPug_}wxXu$h7bb؇LJa8U^h^X `Չ^xe\؊熰Xxkyr Yn[{^h+h|ʃwx6Mnz,'ӈa؋GBnb)ј' |`RUf'?+,rB+?HKXO~},nE+(((XgK(~owqM,9KXfא‚!w-yR*"(97}6Yk0Y*=I*)9YƐp4Y<ȏ,NjTIr)E2i}!ɀz*i Uj$p.ؖgj_ v|R,rI,d|RYsGX$hǢhg5f)yȗI^ٙ[9)wysmG4՚PÒ)hpXgiy+eyX0Sw囿wT-HWSXyuVƛɅP21shW9٩ 3x!93ߩEeVhyVթX5ֹ: *Xz}%E!q䡡e J)HҠWP}-2Z 9!V&zyiʢ.17ڢ|![ƣ$j-? 3#vܡGK4.W֟ף\UVXZi;^*Z# kzemZqzdJ*XƧ7բjoqzILZ樋#Jdjjʪʩ%Rꧥu*[Z:y :Nje->ɢWJV ɬz ^rں~ݺ*gAVJjʭ7w Ju94h@t6[**{: (m X[0[  +zvE˒k,)u[31-3K#, 87{u J5:zEH;5 xKڪ:_ 2"ʴ]JđJ sJ4ڤ"kp:zM`*0jyŶrx&g+êLJa:;nEU\+n;Z4F)hq|VwKjkkEۋ~+::{KYE x[|!*긊ۤkZYp2]Ǯ暳% b{ ;VOy;Q{|\ۮ  [)<i#4|46LkˣD̲'܏7ms=?Ę+"z%mH[0$ѯ? *rtKʡ|j̰frh\H|L\iǐĘď,ȜWF<쯋,l;ʊZ{zŜ+L_zxۨ<*M]֮~kB-ݶ,]^M{l}=W߭V,L=j߻*ٗM $"Tmu$&-/í1!]ܿLuOlM ʩ]t}䙃*FP ]ɹ\<~?mݬ妼}NmH^Jh]:NWx~`^u۴V紬A>mlح܀{%͹~̽j>ҟ@>2]߶>ޡ-hN̞ĝ B۔..2n>㧾Ӟ>1nnSQTn.>N~zM[.b.;(l͜~٪[}lgݼL o _ˋne6Q ƨ^g|n<֧.Ǝ 8?Go$^P_]Nj 4a}FL_1_>oOH7@ZW|Sp/@?aϙuϰ~zUm1%i1 ДKީ[y[_?%_ZVZO^Eȯʿο[Ye_Ye_?/tY_vg A .dC%NXE5nQ@ z$YI)Ud2$1eΤY͍/OA2)rQI.X'SQNUY^WX%[ϱgծe{2m[qF|;]uKVo_5*aX`c%O\e̙5ogE&]iԩUfkرeϦ]mܹuo'^qɕ/gsѥO^uٵowŏ'_yկgϧ__{ >X# @У,t0<9zp"̉B P ;) @BETDDjUh)4ri*zBFZjIh੓J_J诩:j>gʔ mh֢Mj+6 ^GY-%y._ Jl̩Xmx*Y`c `[Jl&룐S&^NoXnLpC xi@j+*o5c]_@rx_V]*x\ud)4Hۇ&\eZr ~6Tsp$qv6Gxtw߀7nxN %WExW>g9otC#z騧N骷..Nێ O+;}KOm[jnzOZUI~eu oz B@^xqL}+! 5` * ZP$  @dH 1Bb0 @8,`CKó0%߁!@kXC3@E3Xb5E.vЃ" xa e6r pc H xwB,D䎨,kWE8c$H+bQ&0&4c јF5b8 ҕD,giL`<Ĉ\p6&:QG:ә$%3`I+b2"'=BPR4)QFUB|fX<Ђ XX 2?uɂ,k@:|3iR̦6Mz$C8MIr%P:9Kxs0{Ҁ}'b#T&i EHRT>(E-ZM3dTd:hgIhN-uiL:ӶZp@M@ . `|S\hL,*LeS-DSfUUru^ H8VgE;պVuqMmjQ ~|/} `i`S `Ђp{!]X,cXGRt T(&mrիek ϲ2uiJkӪȂz[76g>l{m`" ʅ%q \6΍l%EnкŮfJhI^]z)@b7 :[ @c. X3ύ%)Q^7ua:fX@BZY/Iz1gȝv"x8G*I6%Z1{KYƗq2ڟlZ3! 6pҹh~ڙGzI:jYuXTY$N&jy),*. 
J-@z ɧ:9ňɖ%U'ؚ)8 ipZHZJ9 yؚJ r:=p גex2ɮF֤ʡ=isٌZJ嵬؈+q ՚>5٭j gP{}꒴ +IL@ʚdXʲʥjʊ8>2s6]K{ZٱSۮIXQ& 0F*$TZ{*DYy`bd fZp=[Fz L{s|͒mLjy|[], $%\l.=[BL,rr^1B  F  /8vmK%=']4u\؆ !_ Jނͷzmِ4U;E\Κ nV/ 6G kl"Iz]̆y:?~ƋGN͏mu ]HzY𗲿  -x]~|~ - '-Ǣޤ>\٨~Q:%'kxvٲκ׌ns;߭>5"@^5}\goiɨJBaս} tJ?_B aOmMdQnۻ(ka[,?-/Oe/goik k.0ps u'F䡾=]"S'&a/ =5/79= ?@_pvLPlε.>ҞԾl2''JR[NQUKKb^aHH\`ZE]_[cf$$eWdXrH (XpCD"JH$E2j(ǏB2ɓRl²受0cxB&85 ϟ@.:hQ*Hp1#)mJիXjS"%"**U΢eV.]|F 1d>&-Z5kڴu.8r<[ݼy"_ L‡)R#Ǐ I>R%.eʬi͝<J蔤kdtj$\+_μs^Idl(gѦ}VL[oʝ˥ݻZ)lĊk1dPeafqg6iZ[Fmn]qQEs0(4n"J$YeeWvܭo!^/Wz驷^]_[|f}`h NDZn4!t!ma0L?hoq7QN=bVjݨpu>JwCy$/IǤOVb%}[e:f)j.lj rkF"R*j,B~gꩿ*z*ƺ|g쀹+=NVeg;КmlE.фΊgN^mP%N.!-b4l2<`ݼRjx$ <wp 3b&Azf1jl|g"l'x.i|xU΋Cr DBTl%)Yy@*NJN^*xa/LTL"aL'N}- N|rȀ h 9v 0aTAGHdV8y T^Ȫ^0"cAOfr`?Ƙ_ G:8.}Z wܲa.YG ]N1qxL"H 5hd %i)E>yo~j,)hJϡS|j;ONt*vMK@@@G?P !gD8.ɃRg좁ɨ8O'HYF7R44 ++Jxvh}hd`DNϺP j F< DFSӜiQLf0h';꘏)+iР4kZ& d7 jmepWm`L8H, PF2*E4JPl~8pTbYK P\i+YJ@ mX*$-/%õNqY1Y 'ibUDV㮫rs](( ЊweySԴ5 {iLpP{ VLٗ[}ꗧwbSbj@j3G2XigthgM )m7Yi)vb~щ tkxs޹_8 剒W빉%jyI}Yy)Zܦ)'=H(1qwy :  ʛ$i'ym6~q؂)rn 0ښY9S;Zs}C\Ƨacɍˆ4o9פt7zygfZ( JfZУlnڛ*uZ]䘧Iz"%%huنnyyVFk[zvW{7w9j*\h;j$@$JiGJq9Z٪Rzʢ, )2-& kHB:qW2qڙ:ᷪ' v&j(,ɚi犣K*t*MF*ZJ+*Uڗ/3ib*ZzAJ+ ++:}A'+A z9:K<|ZF+uB&k(۴*˔- +#Cʵ]< p۸|;|cx:ٹۓ>@#DMRI|ռͅ;8[9}'Uv h-LGc+M-\1Wcx=z: l?f"ֳ2;nҺkƅ]qkي^ڃ=Fg-kԭH<ٲMMç\ہ ꌢM֦\&ڵڑ K•ͮ-| ڽ- gCBBpD=#ph[)K,\}L,m M- x=[},/Ӕ mܨMҒ\(q87["y 2>3n㕲'`3gP)8.~CE)]|[‹@> " C|mѪײ, \`3hpޝ >1]hցԒ~.]P}7 [ZR PWY]X؍X>#+.#a\ڏ|g>뭈݆0t>vsxξzK\˄._pB@R0NgPgPJ ^ .3?qT*?~ ,-^S+~=.U. ) ^ .[0B.   
ߘ P1Nz ?[Pek...oBJ-LmpPoԱ?02O/p'4[ph[ghpXʦoHONoBp>pO>x?qmdc Bj*_Q ~0 Jk .RQ+ VB[BJ RBR'JJ BB JNQU&~~gBƿ'RR ))JFF++RVY @`(\ǓHbE 3jr) AR9U'NdW0yxԈ!ɳϟ'b T)UJh-@ED ԋB.IAM?h 1Ԧ\EV\UttvRp.!CEÈ+^̸ h2v f v8̹ .*̺װc˞M@=|mA&lbĉ-^ܸǐSHdˡBgE@b;+(Eǟ ۤ'l 垓poVȃ3/ H!Rp'\C `G/8’UHv\<%]w/|0/&ɀІ XJ1FmqY22ЁD*HK*Ob!Ti@%t`IĘdIDhy ݖn[@'\gr)\s]]tҙSu*xLwHޤ䙷(QFmM1c?/@H!NM0~HQx#bM":A"^z",+ R'RR+C "+sD;MՂP6풽4 eSb[re aiiy q9gwB='iF tT*vp _:E_Kz(+[$Pk"gI56Υ|+{{,_PSaPG-e@UUƶtg̪4= MJhC- )yu;p_;$N^Ym3p̙w.|FL}X(ˬHnNIFۅKt1I4[m[Z~RJR Rq4p&a?I*LO@ϪnPݷ>8ᅓo8 \’SHfq$P+uЉQ31P> V lW%nÂAPȬ[fh-!'0K 4@xl ။d>xM}V7pJnrÿr C(^.sS1'ⳠMCi0S!̣MXXhyq^@ GsB7>'\t#-a%p{ϊc_.:Ñ+'1$[J@7$-wl2mp i@!]QQ]LKKo$'E|LXHE *3"0$J< Z^ʖ51hm @JP`-G9iX:"'IъZͨF7Ѫq G3z`l+Y-lT3 b2MJ(R:HvN"Q9+q1Sd$ E kgp4>t#xM*˜% $AAC R*0(}GPLIMB񧞬"(*N- ̨;gRөJ"s0WRQkǹwFQRʗГL3x_*Ų༉4s';fZb'fNc2FKΜ|pZfƱP bd< ]G,Jء]%X5/m s3ްJ7N3?Q]T[̰*= [(Ğ?Yhi'Rpa/w7NߵS4.AKW<J F3) 1 lNO1,#g+\Dx pv.vzi^D͝Qzb7y=cul~0:A 't?|7ǽzՇnwbdzO}}zjmduۡcK_~~~W8h@g~$iWa|ypyybtHby}c^ǀ4Z wH X5Ʀh5P=H.xcm"q/EgqtwwVw zۜWRɏI;+{E-ˬp2 kZ`.GÄYb J޻k!N#|l3w:;A}*hP|EnKKp ;эZxsߧANCi.mcV810 [`Q= ?@[-my(;ު, \ra\HdlqVBp%[Arl.GB @B@?Mz^Ox "} PaR`:NP  Ir9ܻ."B@  2nPk,=:lBǠVH~^l}>.o h:""mAVp B_rZ2Z Z!?p)/ߘIva 8im;v .,,۽)?"4 V͊>VSiKB ~`0%0@]nP_zn.4Bvm]d^t_5i7GU(! `m*q;`z ) NI0  D-020W![B]/n Q !T_ ~*RJJghJhgRR  [Jg g'' [gJ[ 'ŃJNQU&Ӵg [ 'B'RB'/ \$E&!#rBb7hHǏDB)"L,L!(xhAE( Ph@ pFPHʤU Xʵ+ `N;Y.b$1cȝS$E ,ؕ`Tg PΨ>Q=Q!+&')zd ן({[ӨSVY6mܢxNss% @8Dh,ߖV… H"ƌ5>I*XO>y S BТ4JTVfkXdMqZjL[9™Cpvp&&*%Ҁ7 r( L3Z܍8H@̼Ml} Xn5q"rC('Dg >JE]PLssI7]D]WBvmQw!JwzU' 1'D|W}O~ 8`ZϬu44݃os %$b-#\&a @hs莘 Mkl RpB#X&r&[,,J`lf )alV&9gwvgVg?Q|jhT)~4գ8 :c2)j#pv%v\[j'^)\g&&l++ i@=й>uGo{[C? *0sp 7D($'_HRK:xi,@O浅'瓲!ij^1+BW#3mkM.%LtGP'ISxƄ[뵢`գdOZ [642{$ FX"B|{:`M2P4m>/4#@(llvBn4t >iZW;vS@Kk\T(ߍMa«XSWh/Aß eh~>3 g+ iI[ZU7@xNjLy@.K]~z lû&f3.J*-7;rQ񌷱!g:b';  NC$b~!k]< l@A4I#iB1$$Elj0F^E QpVSGV\&rD.UzYJ75%Z+*º6--\'PҷrZ^qYDjrN5o#qWcEʟ*7h8αw=NK 4'efZ( şy^pSGLľR! JƔݯespL:xγSihZ) ~X{噘))? 
}膟s(~,xbHH4艠hGk5kstyf' -nWY( [j{=)<{yq(*1~FhJ# ǀfFrYl:GelHgwXN6~ڑ1n`G Jֆxi Jz[*uǪ䖢8,j (6zyx Zo7ʩ3b]ڮ֬)r(uYuzw|V #*KZfzij [vHؖ.jjzzuZz ;샰J*ko*Hx|+lԯ*A99)l#pXoj0}4K* ,~ḆN) ,j&k(+ֲpzКG7QXɱ.ٳ0Hoьg&~6ʂY)^9@tȇ( @%{\9Z쪶[lm# Zu اۺ>+oc[~p9 { Rk7~iH{(20, d L˂ɴKj`,h)H)d%p뚺Kj+pꖯ;'ڜ˯ɭ{;|Yzipn+lG ( 89  p9 d*0㫘1̂`p9$~=B2xQxBhė. ?K^9)@>^(ؾӴG$~fGTJ)Ů|-z۷?;OX~&dNZ<;K A.}n\Rܶ=^Nmgi/hλlj=L?@:͐)θpJ:> Y;':M ŷ[Rf>\8$[YyӨsC9}990[Aq& phR~+X^qHϜL}^^\.,,NkM |ھ5.rq 0 ?Ύ}e O덧&▞Z\<.0Ϸ:O6O8dO>:^6{b|qd\8z, ,˝/O oo[?Պ_ֵ lK2_ @?_]ؚx|M/_pOOߺa qb ȟʿ?9CX|LqF֓Ljߡ/Ww-L@@ST.''JRNQU&~*XP%DD!+"VYlBxA-ZQ)*Ǐ CIYlʥW 0cʜI͛8sɳϟ7H6nܾW9uڹ'{iP *l!&Rx"ƌLq4IݻxzDYJJCÈ+^0ǐ#KLϚ˘3kYsϠCMilR^װc~CQIBaQҫJ=[flcɚ=Q"m/f\ËO_R~8/C׏Hp!`X&XĂ 6`Fńnadᡇ($(,PƋ/ 4pō8#S2g%YJgV^2Vpmԉ+찧))|tax'\'Z:(]z([((> Rʢe`:vJƏ Fv9K6iUkz\V+*ׯF,h YŲ5x!V'j  njfzK#vJm+Plj0·*%Ñ+\wu]qKq φ<%[+s1Ln7<#9;tEVIq60<z S2(e~砣'ckH s[w3ל7{ط6ΩП- ~ҋZBX/D9DV[${q/Iכɱ^.~{x{-=Qg|9e_P\.B. sYb$Ą$CIե#K'V1%K7S^*$'$&zҊ[rEd"/!2sY1Ͻ=K$LASZҼ'k)ӵ,9qcNs* U쏸Z 3H'S{"Ϛtɼ2>( 7k~롡\r'+78J{*4ΖKi)&R)Iӛvɠ@&(vHͦRm6Qy]8jy8reU!H ;syhZVִr+ )+k>XqisrSOp.v=t!GɪS ت ynVdeY-{sNu VD_kbؒOp;n=x&MJ[Ҙ4IsӠGMR 0C 0*gMZX鎧ĵy}'AAGcWxn2ET3Ad6lI&)Inq'39Qt]We;~cK:C4!)Y<#NM6Mo( hVi rs;b%'8ס=[}b7'[tj6;9[!ϔKA '΀? &P(戀:=~H!;|W|ynBs}^qG]gO>K!w&? 'ŤCró|K4`VȯI]';9&aKT{=] _?Ѐ+az =&ֿ{P Ճpv%s|x&'BvuqNss|5v!Ut1 z '}Gp{pR ''z/WY`c`Ƨn ీuyїyv&v)S-Ct|#}& 7x v'pc m'pwmwWxK-WnCpEg  HLhyu%(eqheY&/w /i+R gtp ixuG1]UWhZEWy[y'mFmZx p~'4v&~vGg1Rp~Ȇ `z{_#H< ArE(\؋ IȀgB_wSyy|R B pr׉hvz' t؍uw[刉@{Kz [-whpx wnS0p1Z(tא@Ҩ0h  xK) zg"(:(v'P{pzgwxǖ=,I'Go3ZtA L|:xoUWhvٷ|bl9pwG)Rg{7/Xڨ{1J@y0؇D gY}8oӷqS B /tҘ ȉ'pri _ s(x @ wi=B9_Ǐ٠I&㈧i}9 R/fx(9w }_Hiq7i9  ,JyQE @)Aa$UɌ OwP9Q>: h@W,ỶjC9|ax hȸTvGɎ){;x@ʓ. y%i 0y:7{OrJ vZYTo˸oˇthz~ Yzw0 g: B@yi*y|zڪډJ@8,5 BP{Ѫ&yT>ܺ)}&| *j* y\ !?x`lں ݹAG " {{ [ nxKl#7%kzE  _zf :k s=9[ͪZw!+A;;;'[G _/ p*;jU{ANy`KL}Gg)[崙hmO;vVs{W;xKz{6?+ۧjeg{ݦw'2+zHuk`A}+MJkX4ˣIuٻ$Գ}{;&;QZ蛾 +|Kk+J{ K ri!;l;,?r[[<Ã|\þ̽hw1WԚŧLl79lllg h ɴ(; 'w:v7{8}D-,ͻ,l`ث! 
' 91(|{~I҂j~D.+iFXrɈl vQ <#._] 0V*ʰҨrWw~( ,{ݨR0hىPv1؍صϼѤ|ّ Ҝ=]}vM 3(̃}ಚaݴB i6ӿ3  ~:M/W׸Wz ̍ё=\ҍSHxЕʗ ګށswy%jY>۠`1ʴR`+m[hc5jw ~hJ K haԭY\F~)~ *Ϊ(QJ{}z(y iX L湪9kZ䡼}|K~llՑ [$U voۍm rwzwI4Y.Y8tw%~z~}Ε Ձ.LUݵ mݟMpR0v7Y@}ݒYntچ7긗]ikۆu'7ȫ9~y~@< ,Qڽ H ~5 mp 9&ނ#.ظ |=KgƁ=\ 艞F}KMH(GalA5-Nѭ=F{{ -?S9DOL 4XcQM]h{9HJn6g|:OpH]ȀǑ~ʕ? _E}죯m9/L.EJ =o/Χo/N}h?#qPF/Hod"/ ن_?]HH\`ZE]_[,RJJRJM??OL@@ST.''桰NQUKKb^a t"0IZX/8y:W Er.j|KW_ +F Yf͠E6ڵl6ʜI͛2b]yӷ?*h „Z2l!Ĉ[:ٴsήnyҗ'$KDR-]bs ݻxmUu>"t(QG*])ԨR#Qk։4ks-˚I l}%zMn}Mux0AiŃrq 5dV-kv۶:lө6+ӫ_:ݽ~q|XM7K QKu|4'Rt@P(KnVT!!B(P@:Jwx9yrސD9{o#qs 7 t] Ȋ @ /(EL|IJAc @'@@mZăs愁Z "!Gcᘣ0߭xIFjꩴ )0)&~gYF$`+g$I+d"@yʛ4v~#Z6 8 lŒș,dz`k.:킣w;zӔ'$믈W|@5O}FEܔ5w+H%+[h -bBN9g!C;J$ f'lAc(^RJ  eh*mdqG/I+7r^ X'(@zy0''-ƔqUFIVE;x8@S=Jkt51V،oCGud5OdejDqIsSJԢ3MRWO8\Hˁҥ zƺ6gOj>Ua5+vV+{F6mFk:j 0JۦV lU^u|/=.jJ r17ύo.'[պB,TQ]V*o꼣&źNa !|'|t$I{Xꖪ`K]dw)uS.5d\ \x—8Nwa^ne;\צS^K\A.7^q2ذ>={6 hh("[6J:%_Ƴ2m-d;>ɽJ1Sa0⶿^wFγ3/{gxRm{7=- ӟ 3ah43ƿ K)1ztBY,X}4rמAnjaɚYծTru^dZΧrk fM۶RDM,nx TswFG;\|#z{2Mc[M9!^5ed8c{9Xwm[x~kN3,ħ*xik&%yeZf4_ QN@CC1O<?ի R=7b-'k}ͬeobL%@DB H @ EHP Ecӗ^Ť ! S&tB(6xeʝv[{{찷 `b9?$+$纽 AM'v0k!8*E c7!qLZ 4Pk`nm3dSq{e$ظvn+ppp$fMrw ߗ3)bu_.gG޴(/pu =!MDl -8 P!W8%P4("oerzge863vw`~l0[?Vn&EErG{-l+ÁwBP9Px1>' gy3w!'l_Gi(۰6'-ģ"2# 9ؓ4xBqw#?xs!fBF U]Nanv`.jp8`I`|@IT1w$y7 "BN!; DϒJPs(>y9C>-'P'-9 =(,'^#W\[wgף`X"WG)"Ty 6X-mb~.bYqx\r  $ٖ&I()p,y'xrϱWH1:i Ot u9R"m3@R8u)`5k)9 oHjDg/V(NƆPV I | iDᐝۙylp{lyt숀nVtmf%@#'+uv7T؛1]Q 6=3''$f0tA(nLs#r@i 10{&pOr ":d%j'*s*Zg&. J:r@PIg>&dzBx,U'Y1ziʡkډqdnZ6wfu*@]:i6m꧒ْQ(p1=ʗTJwJ `CejHxMz07٦rGw|9'} J8 `Qʩtz9ګ j*ZnNJez*9xL&xKj&Zz,tFB;gԞ- :$0E֩n [k 0$[&{([*lв.l2;4[3{8{<۳>?+B;D[F{EKJJ0PR=G~J (0:p {;jжnkp 0tKv{xKe{;~;W0[K;{%۹DDKp`ۺ[p+p,:y%[bhk˶n۶q+t;y[|۷˸K{%й+[ۺ+[u8`C4$Y J `jZ+{; ;[x{e˽d+[ 蛾۾ +V@kY Т_Y* ; @(< Yiۼk|׫ #<%l* !© 1,ñK5MK)W۰>Ǵ@1`p"V MQs7,tp}->ņ-݊=}]⡻AP2@e/T!.C  F.;F0k(-NaS^vyQ C<.@Be>g.#^F`wcu~. 
2x%,/(V>Ifi-9nfAlq{!6+5x<&Y(<;Yyd)KٕdġKٖh9i fٖiY[iu9kɗpXYirO v\z1Y';f5x5H XtII|钐g1_Ii9iɖz)ɛyNyxb^Dž5ș)Yy+Iɕ靲iI牞ٞ ɞ q5$z?Ԝ`wXlinYiٙٗښ I ɘz鞮i#ZauT7gYJi֙*Z< ٠IHjN x@R#]|ᘋ򩞻Y9fٝ 빦~ٛ:^tڦbh*SJ,`y[Zgkʧt ڕFjʡx}u:n9lڨix)BꘜjY w6#Z 3dXzVW9jaIF8՟КڪpԊ-\jɺZ٭R Ojz1ډxdxТ[h xi{hر"K3ې(*4#0;"4{yb8'}@1+G+I;W_%Ʌ\pDBd֖I|36dCAml{mCnb[HrN{ `>xnRn;Hs"l=hf[Q|/_w;yWxT|[r#qeJq6Rl@rkdNv{uFo/h _Ƈ{zvnׇAqq?;YPǹ,OӲ bv_=pj:P/:G'jpi[k%pٻv[jbƻaٸm V݋(hu˰e`ek+6R<:p,gh(m&xFew(k|(ܯxQXRNK~TY+֛g@[&m QC#@~lCN7&zhnN߹[HvTn}媦8]Rj>V=&Fث2Q^ʙ'v7B(E^;؄NLec^&>L5~( Toݧ y<>r|| LfGf dτX}|.]ڊ}QY޺U =侐^f- ۃ9-WdxmŽMY YY5=y WY%_zNOӣ=wuHbm9MAM/BoΘZJ>6[\4`Nd_oQW_Yfp_qoM62z?ef_`VԤ^_.؂_V/?ۺ} ,|*0a/iwo!/o/Ŀ7?&:u_ʸ5vϟm X ~X٬ Hp`A.,%FpC1&8G!E$YI)UdK1eDPqM ^y0ō@38gƠ"`SQNZU5%QCjDJ.m[q΅ET;v)ijNfؖaĉ/iaڮ_ [6ʙ/vdgoLt/DC \:!NCϦ]]5ְ|qs/Ms5uV 0ܙ oX/.o2O?zo OA 3l;U{Cݛ:˻PCS.s1H@ ŲPEstD#:4){GB:rJ*SҪ=%e 8@rL24L4TsM4+M&qה M 1FǪTtѐ-KֺpRG+RL38E/7uTRK5uNg4tHPOuUXc%5U>QYsuW^91R'ŵWb5:)5XHEv]iYe7InvX-Vm%p<]>\WTsĶUg- ==U^}3X/`_SFҁMC[&_0xԈ Z5Ԋ7V8OKux?;6cuCxdИ6D&9EfrްGiڬHmb}db8Q%&  g=yO|S'BS'Ι9R2 ĥ̓ 9(3Ier&Fm}kZVVMOԤ4fc:aOu ,ˊVe=k [P^x´dbY.5%c֩ug:S[]j`RwD]&Qu9]fi;#۲gW}tk5V{Ym.ye[1HtYܺosPηk# Hk^ NoY( |i]&U{\]w77I ^qS`#d}.rBY3xe x*q`}NcQ ^0ld #ycUp|Q~P>,+(z#&/ `&ad-#8B]'͵:pY"7l!eD>S|ޜZƅ>N;Ӡ)OBUMYЛF6j\ VauDGcG;+(]g,d f{[۶Xu%k`+VaŴ̝+t_;wevٳ.iwM<轎O3uxm-PNYq [}nsZU կQ#GNӞen;MO:LgH]?oo'Rj]1q&<2'^pJB=gӥ.ߠ-97qcr8t/Yzw;h^ɷb֚~Ö#]%|kgK"^u0j.\v<[׸&vE ZqۏޭGow>A?_S܍9x]9wow:ov|˼'9M|RO)zKqw9~.:k;@?ˤK+2[::ÛS@Ұ0nS>:;;c zԘ?yS7$r)gJ4kBd J\AFlDG|DHDIW)C'cCԶIDlL䠁)ņPDu鵨D%8KE^I|EE][tTE`1b"K3`LF#flƉ73SFj jj3?mFY\Grhrd"=\z*kTtgGz(X_Gb PņX!iB}MDNtb4cFù@<=ʡ #eD7<IXI{lI>ȉ>ٸ>ļ>֛:S=3܊$$Ht>=;J? 
!?Hԏ؋JxJCM;;Ǽ˼ :LŐ,;AA ̟N$>sJ,|T=Ml+H!KM"B1J$̞BIشKdAkLPO5yIP0|\LN >$Ă MN0ClED5ųty< R4˙Q$raERe"]Z̾$&7)a<O,҃{zӳKQ0MS6GTS77SyS;F,;L3D>S@T=},TBS6DMEFGHIeJKELMNOEPU:TmdGU'aU$G1%SYUHP:ULU(Q4WoՍȃUDs'Ot7bݖh&c LrV+ pU^A>rl \@rVVfV1ɻSOl֣\k \S`kN'jNr׉[T:-OKMXMw5A BBUuL}-g4X ?*B5{M9MDqg̪aفXMbۡVSEmWlZKoyC_35nY:dw[N&OPӠYŒZʻMىYLͦZ|5 B9.}mڹ{PY&ae[_ZĻaPKde:b2wS;F`H^ߚ NW p)VP~Pr h/ESO͋45eٕ^h#^co^ }`-UMhV.iK%iғ^iShTui}liQUiTiinhg% 袮5dH.jjjU<]?jSj; kS.k7=kNS^,mkI\3#~TbAYW~AjcK6Fܹ%߽>#v^ft@NI̦Nʩl-J@V~!4f'.MlfhNte^md MLB6|ºkmKnb@|V{:nYoJZALn;*v&lP.ffAܼ/vn$K~f=Wu:\kue-{n?@gpmce܌m.dmmvkV샃kO %!=r$_$or'gd&Ur*G+GߙK oLwn*޾/vMI^d,̸@>nݔ"?'+_$^V8~m_nWpqq/cS[mbn%af\Bgvc GNu8>[pWndtUnM,oQ2uʔtawK1 b޼](MK^7\RuV7To_oeXoo ?i@I쵛t~Eч}9AgH/P<&OStcs`Xta?m?[_8ZNVІT0*_5rrxFl yF/d Integrating Authentication Devices Using RADIUS

    C Integrating Authentication Devices Using RADIUS

    This appendix describes how third-party authentication vendors customize the RADIUS challenge-response user interface to fit their particular device.

    This appendix contains the following topics:

    C.2 Customizing the RADIUS Challenge-Response User Interface

    You can customize this interface by creating your own class to support the functionality described in Table C-1. You can then open the sqlnet.ora file, look up the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, and replace the name of the class listed there (DefaultRadiusInterface), with the name of the new class you have just created. When you make this change in the sqlnet.ora file, the class is loaded on the Oracle client in order to handle the authentication process.

    The third party must implement the Oracle RADIUS Interface, which is located in the ORACLE.NET.RADIUS package.

    // Interface in the ORACLE.NET.RADIUS package that a custom challenge-response
    // class must implement; Table C-1 describes what each method must do.
    public interface OracleRadiusInterface {
      public void radiusRequest();                  // prompt the user for initial credentials
      public void radiusChallenge(String challenge);   // display the server's challenge and collect the response
      public String getUserName();                  // return the user name that was entered
      public String getPassword();                  // return the password or challenge response that was entered
    }
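The following is an added example of such a class, not Oracle's DefaultRadiusInterface or any vendor's shipped code. It implements the interface shown above for a console-driven token: radiusRequest collects the user name and passcode, radiusChallenge shows the server's challenge text and collects the response, and the two getters hand the values back. The package name `com.example.radius`, the import `oracle.net.radius.OracleRadiusInterface`, and the order in which Oracle Net calls the methods are assumptions drawn from this appendix rather than facts stated on the page.

```java
// Added example (not Oracle or vendor code): console implementation of the
// OracleRadiusInterface contract for a challenge-response token.
package com.example.radius;   // hypothetical vendor package

import java.io.Console;
import java.util.Arrays;

// Assumption: the interface shown in this appendix lives in oracle.net.radius.
import oracle.net.radius.OracleRadiusInterface;

public class TokenRadiusInterface implements OracleRadiusInterface {

    private String userName = "";
    private char[] secret = new char[0];   // passcode or challenge response

    // Assumed to be called first: collect the user name and the initial
    // passcode (for example PIN plus token code). Nothing is transmitted
    // here; Oracle Net reads the values back through the getters.
    @Override
    public void radiusRequest() {
        Console console = requireConsole();
        String line = console.readLine("RADIUS user name: ");
        userName = (line == null) ? "" : line.trim();
        // readPassword() disables echo so the secret never shows on screen.
        setSecret(console.readPassword("Passcode: "));
    }

    // Assumed to be called when the RADIUS server answers with a challenge:
    // show the server-supplied text and collect the response, which the
    // next getPassword() call returns.
    @Override
    public void radiusChallenge(String challenge) {
        Console console = requireConsole();
        console.printf("%s%n", challenge);
        setSecret(console.readPassword("Response: "));
    }

    @Override
    public String getUserName() {
        return userName;
    }

    // The interface forces a String, so a copy of the secret is unavoidable;
    // the char[] buffer is still wiped whenever a new value replaces it.
    @Override
    public String getPassword() {
        return new String(secret);
    }

    private void setSecret(char[] entered) {
        Arrays.fill(secret, '\0');          // wipe the previous passcode
        secret = (entered == null) ? new char[0] : entered;
    }

    private static Console requireConsole() {
        Console console = System.console();
        if (console == null) {
            // Refuse to fall back to an echoing System.in reader: the
            // passcode would otherwise be visible in the terminal.
            throw new IllegalStateException("an interactive console is required");
        }
        return console;
    }
}
```

To activate the class on a client, the page's procedure applies: set SQLNET.RADIUS_AUTHENTICATION_INTERFACE in sqlnet.ora to the new class name (here the assumed com.example.radius.TokenRadiusInterface) and make the compiled class available to the Oracle client's JVM.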
    
    Using Oracle Wallet Manager


    9 Using Oracle Wallet Manager

    Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure.

    This chapter describes Oracle Wallet Manager using the following topics:

    9.1 Oracle Wallet Manager Overview

    Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:

    Oracle Wallet Manager provides the following features:

    9.1.1 Wallet Password Management

    Oracle wallets are password protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following:

    • Minimum password length (8 characters)

    • Maximum password length unlimited

    • Alphanumeric character mix required

    9.1.2 Strong Wallet Encryption

    Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption.

    9.1.4 Backward Compatibility

    Oracle Wallet Manager is backward-compatible to Release 8.1.7.

    9.1.5 Public-Key Cryptography Standards (PKCS) Support

    RSA Laboratories, a division of RSA Security, Inc., has developed, in cooperation with representatives from industry, academia, and government, a family of basic cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet.

    Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. These capabilities make the Oracle wallet structure interoperable with supported third-party PKI applications and provide wallet portability across operating systems.

    Oracle Wallet Manager wallets can store credentials on hardware security modules that use APIs conforming to the PKCS #11 specification. When a wallet is created with PKCS11 chosen as the wallet type, all keys stored in that wallet are saved to a hardware security module or token. Examples of such hardware devices include smart cards, PCMCIA cards, smart diskettes, or other portable hardware devices that store private keys, perform cryptographic operations, or both.


    Note:

    To use Oracle Wallet Manager with PKCS #11 integration on the 64-bit Solaris Operating System, enter the following at the command line: owm -pkcs11

    9.1.6 Multiple Certificate Support

    Oracle Wallet Manager enables you to store multiple certificates in each wallet, supporting any of the following Oracle PKI certificate usages:

      • SSL authentication

      • S/MIME signature

      • S/MIME encryption

      • Code-Signing

      • CA Certificate Signing

    Each certificate request you create generates a unique private/public key pair. The private key stays in the wallet and the public key is sent with the request to a certificate authority. When that certificate authority generates your certificate and signs it, you can import it only into the wallet that has the corresponding private key.

    If the wallet also contains a separate certificate request, the private/public key pair corresponding to that request is of course different from the pair for the first certificate request. Sending this separate certificate request to a certificate authority can get you a separate signed certificate, which you can import into this same wallet.

    A single certificate request can be sent to a certificate authority multiple times to obtain multiple certificates. However, only one certificate corresponding to that certificate request can be installed in the wallet.

    Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension to define Oracle PKI certificate usages (Table 9-1). A single certificate cannot be applied to all possible certificate usages. Table 9-2 and Table 9-3 show legal usage combinations.

    When installing a certificate, Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 9-2 and Table 9-3.

    Footnote 1 (Table 9-2 and Table 9-3): If the KeyUsage extension is marked critical, the certificate cannot be used for other purposes.

    You should obtain, from the certificate authority, certificates with the correct KeyUsage value matching your required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 9-2 and Table 9-3. Oracle PKI applications use the first certificate containing the required PKI certificate usage.

    For example, for SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used.

    If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned.
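The following added example (not Oracle Wallet Manager code) shows how the selection rule above behaves in practice: it opens a PKCS #12 file with the standard Java KeyStore API, walks the key entries in order, and returns the first certificate whose KeyUsage extension permits the requested Oracle PKI usage, failing with a message modelled on ORA-28885 otherwise. The mapping from KeyUsage bits to Oracle PKI usages in `permits` is an illustrative assumption; the authoritative mapping is in Table 9-2 and Table 9-3, and the footnote's rule (only a critical KeyUsage restricts the certificate) is applied as stated.

```java
// Added example (not Oracle code): first-matching-certificate selection by
// KeyUsage, the behaviour this section describes for Oracle PKI applications.
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Set;

public class OraclePkiUsageSelector {

    // Oracle PKI certificate usages named in this chapter.
    public enum Usage { SSL, SMIME_SIGNATURE, SMIME_ENCRYPTION, CODE_SIGNING, CA_CERTIFICATE_SIGNING }

    // Bit positions in the boolean[] returned by X509Certificate.getKeyUsage()
    // (RFC 5280 order).
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int KEY_ENCIPHERMENT  = 2;
    private static final int DATA_ENCIPHERMENT = 3;
    private static final int KEY_CERT_SIGN     = 5;
    private static final String KEY_USAGE_OID  = "2.5.29.15";

    // Assumed bit requirements per usage (illustrative, not Table 9-2/9-3).
    static boolean permits(X509Certificate cert, Usage usage) {
        boolean[] bits = cert.getKeyUsage();
        if (bits == null) {
            return true;   // no KeyUsage extension: nothing restricts the certificate
        }
        boolean ok;
        switch (usage) {
            case SSL:                    ok = bit(bits, DIGITAL_SIGNATURE) || bit(bits, KEY_ENCIPHERMENT); break;
            case SMIME_SIGNATURE:
            case CODE_SIGNING:           ok = bit(bits, DIGITAL_SIGNATURE); break;
            case SMIME_ENCRYPTION:       ok = bit(bits, KEY_ENCIPHERMENT) || bit(bits, DATA_ENCIPHERMENT); break;
            case CA_CERTIFICATE_SIGNING: ok = bit(bits, KEY_CERT_SIGN); break;
            default:                     ok = false;
        }
        if (ok) {
            return true;
        }
        // Footnote rule: only a critical KeyUsage forbids other purposes.
        Set<String> critical = cert.getCriticalExtensionOIDs();
        return critical == null || !critical.contains(KEY_USAGE_OID);
    }

    private static boolean bit(boolean[] bits, int index) {
        return index < bits.length && bits[index];
    }

    // First key entry (certificate with a private key) that permits the usage.
    static X509Certificate firstCertificateFor(KeyStore wallet, Usage usage) throws Exception {
        for (Enumeration<String> aliases = wallet.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!wallet.isKeyEntry(alias)) {
                continue;   // trusted certificates have no private key and are skipped
            }
            Certificate c = wallet.getCertificate(alias);
            if (c instanceof X509Certificate && permits((X509Certificate) c, usage)) {
                return (X509Certificate) c;
            }
        }
        // Same condition the chapter reports as ORA-28885.
        throw new Exception("ORA-28885: No certificate with required key usage found (" + usage + ")");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: OraclePkiUsageSelector <path to ewallet.p12>");
            return;
        }
        // Prompt for the wallet password rather than taking it on the command line,
        // where it would be visible in process listings and shell history.
        char[] password = System.console().readPassword("Wallet password: ");
        KeyStore wallet = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            wallet.load(in, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        X509Certificate ssl = firstCertificateFor(wallet, Usage.SSL);
        System.out.println("SSL certificate: " + ssl.getSubjectX500Principal());
    }
}
```

Because the first matching entry wins, the order in which certificates were added to a wallet determines which key an application presents; when several key pairs share a usage, that is worth checking before relying on a particular certificate for SSL.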

    9.1.7 LDAP Directory Support

    Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. To prevent a user from accidentally overwriting functional wallets, only wallets containing an installed certificate can be uploaded.

    Directory user entries must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. If a directory contains Oracle8i (or prior) users, then they are automatically upgraded to use the wallet upload and download feature on first use.

    Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, password-based authentication is used.


    Note:

    The directory password and the wallet password are independent and can be different. Oracle recommends that these passwords be maintained to be consistently different, where neither one can logically be derived from the other.

    9.2 Starting Oracle Wallet Manager

    To start Oracle Wallet Manager:

    • (Windows) Select Start, Programs, Oracle-HOME_NAME, Integrated Management Tools, Wallet Manager

    • (UNIX) At the command line, enter owm.

    9.3 How to Create a Complete Wallet: Process Overview

    Wallets provide a necessary repository in which you can securely store your user certificates and the trust point you need to validate the certificates of your peers.

    The following steps provide an overview of the complete wallet creation process:

    1. Use Oracle Wallet Manager to create a new wallet:

    2. Generate a certificate request. Note that when you create a new wallet with Oracle Wallet Manager, the tool automatically prompts you to create a certificate request.

    3. Send the certificate request to the CA you want to use. You can copy and paste the certificate request text into an e-mail message, or you can export the certificate request to a file. The certificate request becomes part of your wallet. It must remain there until you remove its associated certificate.

    4. When the CA sends your signed user certificate and its associated trusted certificate, you can import these certificates in the following order. User certificates and trusted certificates in PKCS #7 format can be imported at the same time.

      • First import the CA's trusted certificate into your wallet. This step may be optional if the new user certificate has been issued by one of the CAs whose trusted certificate is already present in Oracle Wallet Manager by default.

      • After you have successfully imported the trusted certificate, then import the user certificate that the CA sent to you into your wallet.

    5. (Optional) Set the auto login feature for your wallet.

      Typically, this feature, which enables PKI-based access to services without a password, is required for most wallets. It is required for database server and client wallets. It is only optional for products that take the wallet password at the time of startup.

    After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points.


    See Also:

    For more information about these steps, refer to Managing Certificates.

    9.4 Managing Wallets

    This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections:

    9.4.1 Required Guidelines for Creating Wallet Passwords

    Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access.

    Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters.

    9.4.2 Creating a New Wallet

    You can use Oracle Wallet Manager to create PKCS #12 wallets (the standard default wallet type) that store credentials in a directory on your file system. It can also be used to create PKCS #11 wallets that store credentials on a hardware security module for servers, or private keys on tokens for clients. The following sections explain how to create both types of wallets by using Oracle Wallet Manager.

    9.4.2.1 Creating a Standard Wallet

    Unless you have a hardware security module (a PKCS #11 device), you should use a standard wallet that stores credentials in a directory on your file system.

    To create a standard wallet, perform the following tasks:

    1. Select Wallet, then New from the menu bar. The New Wallet dialog box is displayed.

    2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field. This password protects your credentials against unauthorized use.

    3. Reenter that password in the Confirm Password field.

    4. Select Standard from the Wallet Type list.

    5. Click OK to continue. If the entered password does not conform to the required guidelines, then the following message is displayed:

      Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again?
      
    6. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. Refer to "Adding a Certificate Request".

      If you select No, then you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

    7. Select Wallet, then Save In System Default to save the new wallet.

      If you do not have permission to save the wallet in the system default, you can save it to another location. This location must be used in the SSL configuration for clients and servers.

      A message at the bottom of the window confirms that the wallet was successfully saved.

    9.4.2.2 Creating a Wallet to Store Hardware Security Module Credentials

    To create a wallet to store credentials on a hardware security module that complies with PKCS #11, perform the following tasks:

    1. Select Wallet, then New from the menu bar. The New Wallet dialog box is displayed.

    2. Follow the "Required Guidelines for Creating Wallet Passwords" and enter a password in the Wallet Password field.

    3. Reenter that password in the Confirm Password field.

    4. Select PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet window is displayed.

    5. Select a vendor name from the Select Hardware Vendor list.


      Note:

      In the current release of Oracle Wallet Manager, SafeNET and nCipher hardware have been certified to interoperate with Oracle wallets.

    6. In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system.

    7. Enter the SmartCard password, and click OK.

      The smart card password, which is different from the wallet password, is stored in the wallet.

    8. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. For more information, refer to "Adding a Certificate Request".

      If you select No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates.

    9. Select Wallet, then Save In System Default to save the new wallet.

      If you do not have permission to save the wallet in the system default, you can save it to another location.

      A message at the bottom of the window confirms that the wallet was successfully saved.


      Note:

      If you change the smart card password or move the PKCS #11 library, an error message is displayed when you try to open the wallet, and you are prompted to enter the new smart card password or the new path to the library.

    9.4.5 Exporting Oracle Wallets to Third-Party Environments

    Oracle Wallet Manager can export its own wallets to third-party environments.

    To export a wallet to third-party environments:

    1. Use Oracle Wallet Manager to save the wallet file.

    2. Follow the procedure specific to your third-party product to import an operating system PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and Windows platforms).


      Note:

      • Oracle Wallet Manager supports multiple certificates for each wallet, yet current browsers typically support import of single-certificate wallets only. For these browsers, you must export an Oracle wallet containing a single key-pair.

      • Oracle Wallet Manager supports wallet export to only Netscape Communicator 4.7.2 and later, OpenSSL, and Microsoft Internet Explorer 5.0 and later.


    9.4.6 Exporting Oracle Wallets to Tools that Do Not Support PKCS #12

    You can export a wallet to a text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table 9-4. Within the wallet, only those certificates with SSL key usage are exported with the wallet.

    To export a wallet to text-based PKI format:

    1. Select Operations, Export Wallet. The Export Wallet dialog box is displayed.

    2. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders.

    3. Enter the destination file name for the wallet.

    4. Click OK to return to the main window.

    9.4.7 Uploading a Wallet to an LDAP Directory

    To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password.

    To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the upload option unless the target wallet is currently open and contains at least one user certificate.

    To upload a wallet:

    1. Select Wallet, Upload Into The Directory Service. If the currently open wallet has not been saved, a dialog box is displayed with the following message:

      The wallet needs to be saved before uploading

      Click Yes to proceed.

    2. Wallet certificates are checked for SSL key usage. Depending on whether a certificate with SSL key usage is found in the wallet, one of the following results occurs:


    Note:

    • You should ensure that the distinguished name used matches a corresponding user entry of object class inetOrgPerson in the LDAP directory.

    • When uploading a wallet with an SSL certificate, use the SSL port. When uploading a wallet that does not contain an SSL certificate, use the non-SSL port.


    9.4.8 Downloading a Wallet from an LDAP Directory

    When a wallet is downloaded from an LDAP directory, it is resident in working memory. It is not saved to the file system unless you explicitly save it using any of the save options described in the following sections.

    To download a wallet from an LDAP directory:

    1. Select Wallet, Download From The Directory Service....

    2. A dialog box prompts for the user's distinguished name (DN), and the LDAP directory password, host name, and port information. Oracle Wallet Manager uses simple password authentication to connect to the LDAP directory.

      Depending on whether the downloading operation succeeds or not, one of the following results occurs:

      • If the download operation fails: Check to make sure that you have correctly entered the user's DN, and the LDAP server host name and port information. The port used must be the non-SSL port.

      • If the download is successful: Click OK to open the downloaded wallet. Oracle Wallet Manager attempts to open that wallet using the directory password. If the operation fails after using the directory password, then a dialog box prompts for the wallet password.

        If Oracle Wallet Manager cannot open the target wallet using the wallet password, check to make sure you entered the correct password. Otherwise, a message is displayed at the bottom of the window, indicating that the wallet was downloaded successfully.

    9.4.10 Saving the Open Wallet to a New Location

    To save open wallets to a new location, use the Save As menu option:

    1. Select Wallet, then Save As. The Select Directory dialog box is displayed.

    2. Select a directory location in which to save the wallet.

    3. Click OK.

      The following message is displayed if a wallet already exists in the selected location:

      A wallet already exists in the selected path. Do you want to overwrite it?
      

      Select Yes to overwrite the existing wallet or No to save the wallet to another location.

      A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location.

    9.4.11 Saving in System Default

    To save wallets in the default directory location, use the Save In System Default menu option:

    Select Wallet, Save In System Default.

    A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location as follows for UNIX and Windows platforms:

    9.5 Managing Certificates

    All certificates are signed data structures that bind a network identity with a corresponding public key. Table 9-5 describes the two types of certificates distinguished in this chapter.

    The following subsections describe how to manage both types of certificates:

    • Managing User Certificates

    • Managing Trusted Certificates


      Note:

      Before a user certificate can be installed, the wallet must contain the trusted certificate representing the certificate authority that issued that user certificate. However, whenever you create a new wallet, several publicly trusted certificates are automatically installed, since they are so widely used. If the necessary certificate authority is not represented, then you must install its certificate first.

      Also, you can import using the PKCS#7 certificate chain format, which gives you the user certificate and the CA certificate at the same time.


    9.5.1 Managing User Certificates

    User certificates, including server certificates, are used by end users, smart cards, or applications, such as Web servers. For example, if a CA issues a certificate for a Web server, placing its distinguished name (DN) in the Subject field, then the Web server is the certificate owner, thus the "user" for this user certificate.

    Managing user certificates involves the following tasks:

    9.5.1.1 Adding a Certificate Request

    You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit.

    The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled out certificate request in a wallet.

    To create a PKCS #10 certificate request:

    1. Select Operations, then Add Certificate Request. The Add Certificate Request dialog box is displayed.


      Note:

      The online Help for Oracle Wallet Manager becomes unresponsive when modal dialog boxes appear, such as the one for entering certificate request information. The online Help becomes responsive once the modal dialog box is closed.

    2. Enter the information specified in Table 9-6.

    3. Click OK. A message informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file. At this point, Oracle Wallet Manager has created your private/public key pair and stored it in the wallet. When the certificate authority issues your certificate, it is also stored in the wallet and associated with its corresponding private key.

    4. Click OK to return to the Oracle Wallet Manager main window. The status of the certificate changes to [Requested].

    Table 9-7 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys.

    9.5.1.2 Importing the User Certificate into the Wallet

    When the Certificate Authority grants you a certificate, it may send you an e-mail that has your certificate in text (BASE64) form or attached as a binary file.

    9.5.1.2.1 To import the user certificate from the text of the Certificate Authority's e-mail

    Copy the certificate, represented as text (BASE64), from the e-mail message. Include the lines Begin Certificate and End Certificate.

    1. Select Operations, Import User Certificate. The Import Certificate dialog box is displayed.

    2. Select Paste the certificate, and then click OK. Another Import Certificate dialog box is displayed with the following message:

      Please provide a base64 format certificate and paste it below.
      
    3. Paste the certificate into the dialog box, and click OK.

      (a) If the certificate received is in PKCS#7 format, it is installed, and all the other certificates included with the PKCS#7 data are placed in the Trusted Certificate list.

      (b) If the certificate received is not in PKCS#7 format, and the certificate of its CA is not already in the Trusted Certificates list, then more must be done. Oracle Wallet Manager will ask you to import the certificate of the CA that issued your certificate. This CA certificate will be placed in the Trusted Certificates list. (If the CA certificate was already in the Trusted Certificates list, your certificate is imported without additional steps.)

      After either (a) or (b) succeeds, a message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready].


      Note:

      The standard X.509 certificate includes the following start and end text:

      • -----BEGIN CERTIFICATE-----

      • -----END CERTIFICATE-----

      A typical PKCS#7 certificate includes more, as described earlier, and includes the following start and end text:

      • -----BEGIN PKCS7-----

      • -----END PKCS7-----

      You can use the standard Ctrl+c to copy, including all dashes, and Ctrl+v to paste.
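      An added check for text pasted as in this note (example code, not part of Oracle Wallet Manager): it finds the armored block, requires matching BEGIN/END lines with all their dashes, decodes the BASE64 body, and compares the outer DER length field with the decoded size so a paste that lost trailing lines is rejected before import; the result also records which of steps (a) and (b) applies. Names such as classify_paste are this example's own, and the sample blocks are constructed filler inside a DER SEQUENCE, not real certificates.

```python
import base64
import re

# Armor labels named in the note; the dashes belong to the delimiter and must be pasted intact.
ARMOR = {"CERTIFICATE": "x509", "PKCS7": "pkcs7"}
_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 #]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_length_ok(der: bytes) -> bool:
    """Return True if the outer DER SEQUENCE header agrees with the decoded size.

    A paste that lost some of its trailing lines can still be valid base64, but the
    length in the SEQUENCE header will then claim more bytes than were decoded.
    """
    if len(der) < 2 or der[0] != 0x30:          # X.509 and PKCS#7 both start with SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                              # short-form length
        length, header = first, 2
    else:                                         # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def classify_paste(text: str) -> dict:
    """Classify pasted certificate text the way the Import Certificate dialog must.

    kind is 'x509', 'pkcs7' or 'invalid'; 'action' states what the wallet does with it
    (steps a and b above) and 'reason' explains a rejection.
    """
    m = _BLOCK.search(text)
    if m is None:
        return {"kind": "invalid", "reason": "no matching BEGIN/END armor lines (check the dashes)"}
    label = m.group("label")
    if label not in ARMOR:
        return {"kind": "invalid", "reason": f"unsupported armor label {label!r}"}
    body = "".join(m.group("body").split())       # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return {"kind": "invalid", "reason": "body is not valid base64"}
    if not der_length_ok(der):
        return {"kind": "invalid", "reason": "DER length mismatch: paste is truncated or corrupted"}
    if label == "PKCS7":
        action = ("install the user certificate; every other certificate in the PKCS#7 data "
                  "is placed in the Trusted Certificates list")
    else:
        action = ("install the user certificate only if its issuing CA is already a trusted "
                  "certificate; otherwise import that CA certificate first")
    return {"kind": ARMOR[label], "der_bytes": len(der), "action": action}


# --- constructed samples: an outer DER SEQUENCE around filler bytes, NOT real certificates ---
def _fake_der(payload: bytes) -> bytes:
    return b"\x30\x82" + len(payload).to_bytes(2, "big") + payload


def armor(label: str, der: bytes) -> str:
    """Wrap DER bytes in BASE64 armor with 64-character lines, as a CA's e-mail would."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----"


SAMPLE_X509 = armor("CERTIFICATE", _fake_der(b"\x02\x01\x01" * 100))
SAMPLE_PKCS7 = armor("PKCS7", _fake_der(b"\x06\x03\x55\x04\x03" * 60))
_lines = SAMPLE_X509.splitlines()
SAMPLE_TRUNCATED = "\n".join(_lines[:-2] + _lines[-1:])   # last body line lost in the copy
SAMPLE_NO_DASHES = SAMPLE_X509.replace("-----END", "--END")
```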


    9.5.1.3 Importing Certificates and Wallets Created by Third Parties

    Third-party certificates are those created from certificate requests that were not generated using Oracle Wallet Manager. These third-party certificates are actually wallets, in the Oracle sense, because they contain more than just the user certificate; they also contain the private key for that certificate. Furthermore, they include the chain of trusted certificates validating that the certificate was created by a trustworthy entity.

    Oracle Wallet Manager makes these wallets available in a single step by importing them in PKCS#12 format, which includes all three elements described earlier: the user certificate, the private key, and the trusted certificates. It supports the following PKCS #12-format certificates:

    Oracle Wallet Manager adheres to the PKCS#12 standard, so certificates exported by any PKCS#12-compliant tool should be usable with Oracle Wallet Manager.

    Such third-party certificates cannot be stored into existing Oracle wallets because they would lack the private key and chain of trusted authorities. Therefore, each such certificate is exported and retrieved instead as an independent PKCS#12 file, that is, as its own wallet.

    9.5.1.3.1 Importing User Certificates Created with a Third-Party Tool

    Once a third party generates the wallet, you need to import it to make use of it, as described in this section.

    To import a certificate created with a third-party tool, perform the following tasks:

    1. Follow the procedures for your particular product to export the certificate. Take the actions indicated in the exporting product to include the private key in the export, and specify the new password to protect the exported certificate. Also include all associated trust points. (Under PKCS #12, browsers do not necessarily export trusted certificates, other than the signer's own certificate. You may need to add additional certificates to authenticate to your peers. You can use Oracle Wallet Manager to import trusted certificates.)

      The resulting file, containing the certificate, the private key, and the trust points, is the new wallet that enables the third-party certificate to be used.

    2. To be used by particular applications or servers, such as a web server or an LDAP server, wallets need to be located precisely. Each application has its own expectations as to which directory it will search to find the needed wallet. You must put the wallet where it will be sought, by copying it to the correct system and directory.

    3. For use with UNIX or Windows applications or servers, the wallet must be named ewallet.p12.

      For other operating systems, refer to the Oracle documentation for that specific operating system.

      Once a third-party certificate is stored as ewallet.p12, you can open and manage it using Oracle Wallet Manager. You will have to supply the password you created when exporting this wallet.


      Note:

      The password will be required whenever the associated application starts up or otherwise needs the certificate. To make such access automatic, refer to "Using Auto Login".

      However, if the private key for the desired certificate is held in a separate hardware security module, you will not be able to import that certificate.


    9.5.1.4 Removing a User Certificate from a Wallet

    To remove a user certificate from a wallet:

    1. In the left panel subtree, select the certificate that you want to remove.

    2. Select Operations, then Remove User Certificate. A dialog panel is displayed which prompts you to verify that you want to remove the user certificate from the wallet.

    3. Select Yes to return to the Oracle Wallet Manager main panel. The certificate displays a status of [Requested].

    9.5.1.5 Removing a Certificate Request

    You must remove a certificate before removing its associated request.

    To remove a certificate request:

    1. In the left panel subtree, select the certificate request that you want to remove.

    2. Select Operations, then Remove Certificate Request.

    3. Click Yes. The certificate displays a status of [Empty].

    9.5.1.6 Exporting a User Certificate

    To save the certificate in a file system directory, export the certificate by using the following steps:

    1. In the left panel subtree, select the certificate that you want to export.

    2. Select Operations, then Export User Certificate from the menu bar. The Export Certificate dialog box is displayed.

    3. Enter the file system directory location where you want to save your certificate, or navigate to the directory structure under Folders.

    4. Enter a file name for your certificate in the Enter File Name field.

    5. Click OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.


    See Also:

    "Exporting Oracle Wallets to Third-Party Environments" for information about exporting wallets. Note that Oracle Wallet Manager supports storing multiple certificates in a single wallet, yet current browsers typically support only single-certificate wallets. For these browsers, you must export an Oracle wallet that contains a single key-pair.

    9.5.1.7 Exporting a User Certificate Request

    To save the certificate request in a file system directory, export the certificate request by using the following steps:

    1. In the left panel subtree, select the certificate request that you want to export.

    2. Select Operations, then Export Certificate Request. The Export Certificate Request dialog box is displayed.

    3. Enter the file system directory location where you want to save your certificate request, or navigate to the directory structure under Folders.

    4. Enter a file name for your certificate request, in the Enter File Name field.

    5. Select OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window.

    9.5.2 Managing Trusted Certificates

    Managing trusted certificates includes the following tasks:

    9.5.2.1 Importing a Trusted Certificate

    You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file.

    Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet.

    9.5.2.2 Removing a Trusted Certificate

    You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such a trusted certificate, you must first remove the certificates it has signed. Also, you cannot verify a certificate after its trusted certificate has been removed from your wallet.

    To remove a trusted certificate from a wallet:

    1. Select the trusted certificate listed in the Trusted Certificates tree.

    2. Select Operations, then Remove Trusted Certificate... from the menu bar.

      A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it.

    3. Select Yes. The selected trusted certificate is removed from the Trusted Certificates tree.

    9.5.2.3 Exporting a Trusted Certificate

    To export a trusted certificate to another file system location:

    1. In the left panel subtree, select the trusted certificate that you want to export.

    2. Select Operations, then Export Trusted Certificate. The Export Trusted Certificate dialog box is displayed.

    3. Enter a file system directory in which you want to save your trusted certificate, or navigate to the directory structure under Folders.

    4. Enter a file name to save your trusted certificate.

    5. Click OK. You are returned to the Oracle Wallet Manager main window.

    9.5.2.4 Exporting All Trusted Certificates

    To export all of your trusted certificates to another file system location:

    1. Select Operations, then Export All Trusted Certificates.... The Export Trusted Certificate dialog box is displayed.

    2. Enter a file system directory location where you want to save your trusted certificates, or navigate to the directory structure under Folders.

    3. Enter a file name to save your trusted certificates.

    4. Click OK. You are returned to the Oracle Wallet Manager main window.


    Oracle® Database

    Advanced Security Administrator's Guide

    11g Release 2 (11.2)

    E10746-02

    October 2009


    Copyright © 1996, 2009, Oracle and/or its affiliates. All rights reserved.

    Primary Author:  Sumit Jeloka

    Contributor:  Peter Wahl, Rahil Mir, Indra Fitzgerald, Paul Youn, Adam Lee, Preetam Ramakrishna, Gopal Mulagund, Daniel Wong, Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati, Paul Needham

    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

    The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

    If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

    U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

    This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.


    B Authentication Parameters

    This appendix illustrates some sample configuration files with the profile file (sqlnet.ora) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication.

    This appendix contains the following topics:

    B.2 Parameters for Clients and Servers using RADIUS Authentication

    The following sections describe the parameters for RADIUS authentication.

    B.2.1 sqlnet.ora File Parameters

    The following sections describe the sqlnet.ora parameters that are used to specify RADIUS authentication.

    B.2.2 Minimum RADIUS Parameters

    sqlnet.authentication_services = (radius)
    sqlnet.radius.authentication = IP-address-of-RADIUS-server
    

    B.2.3 Initialization File Parameters

    REMOTE_OS_AUTHENT=FALSE
    OS_AUTHENT_PREFIX=""
    

    B.3 Parameters for Clients and Servers using SSL

    There are two ways to configure a parameter:

    • Static: The name of the parameter that exists in the sqlnet.ora file. Parameters like SSL_CIPHER_SUITES and SSL_VERSION can also be configured using the listener.ora file.

    • Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.

    B.3.4 SSL Client Authentication Parameters

    This section describes the static and dynamic parameters for configuring SSL on the client.

    Attribute                   Description
    Parameter Name (static)     SSL_CLIENT_AUTHENTICATION
    Parameter Name (dynamic)    SSL_CLIENT_AUTHENTICATION
    Parameter Type              Boolean
    Parameter Class             Static
    Permitted Values            TRUE/FALSE
    Default Value               TRUE
    Description                 To control whether a client, in addition to the server, is authenticated using SSL.
    Existing/New Parameter      New
    Syntax (static)             SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
    Example (static)            SSL_CLIENT_AUTHENTICATION=FALSE
    Syntax (dynamic)            SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
    Example (dynamic)           SSL_CLIENT_AUTHENTICATION=FALSE
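    An added example, not Oracle's code, of parsing sqlnet.ora and a connect descriptor in Oracle Net syntax and applying this appendix's checks: the minimum RADIUS parameters and SSL_CLIENT_AUTHENTICATION in its static (file) and dynamic (SECURITY subsection) forms. It assumes that a dynamic value takes precedence over the static one for that connection and that the RADIUS server parameter may appear under either spelling; the sample file, descriptor and the address 192.0.2.10 are constructed.

```python
import re
# Oracle Net syntax: NAME = value; a value is an atom, a list such as (TCPS, RADIUS), or (KEY=value) groups.
_TOKEN = re.compile(r'\s*(?:(#[^\n]*)|("[^"]*")|([()=,])|([^\s()=,"#]+))')

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _merge(acc, item):
    # Adjacent (...) groups combine; a repeated key (several ADDRESS entries) becomes a list.
    if not (isinstance(acc, dict) and isinstance(item, dict)):
        return _as_list(acc) + _as_list(item)
    for k, v in item.items():
        acc[k] = _as_list(acc[k]) + [v] if k in acc else v
    return acc

class _Parser:
    def __init__(self, text):
        self.i, self.toks = 0, []
        for comment, quoted, punct, atom in _TOKEN.findall(text):
            if not comment:                           # '#' starts a comment
                self.toks.append(("punct", punct) if punct else ("atom", quoted[1:-1] if quoted else atom))

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, text=None):
        k, t = self.peek()
        if k != kind or (text is not None and t != text):
            raise ValueError(f"unexpected token {t!r} at position {self.i}")
        self.i += 1
        return t

    def params(self):
        # NAME=value pairs until ')' or end of input; keys are lower-cased
        out = {}
        while self.peek()[0] == "atom":
            name = self.take("atom").lower()
            self.take("punct", "=")
            out[name] = self.value()
        return out

    def value(self):
        if self.peek()[0] == "atom":
            return self.take("atom")
        merged = None
        while self.peek() == ("punct", "("):          # one or more (...) groups in a row
            self.take("punct", "(")
            item = self.group()
            self.take("punct", ")")
            merged = item if merged is None else _merge(merged, item)
        if merged is None:
            raise ValueError(f"expected a value at position {self.i}")
        return merged

    def group(self):
        # Inside '(' ... ')': either KEY=value pairs or a comma-separated list of values
        if self.peek()[0] == "atom" and self.toks[self.i + 1:self.i + 2] == [("punct", "=")]:
            return self.params()
        items = []
        while self.peek() != ("punct", ")"):
            items.append(self.value())
            if self.peek() == ("punct", ","):
                self.i += 1
        return items

def parse_sqlnet(text):        # sqlnet.ora text -> dict keyed by lower-cased parameter name
    return _Parser(text).params()

def parse_descriptor(text):    # (DESCRIPTION=...) connect descriptor -> nested dict
    return _Parser(text).value()

def audit(sqlnet, descriptor=None):
    """Apply this appendix's checks; a dynamic SECURITY value is assumed to override the static one."""
    findings = []
    services = [s.lower() for s in _as_list(sqlnet.get("sqlnet.authentication_services", []))]
    radius_keys = ("sqlnet.radius.authentication", "sqlnet.radius_authentication")  # guide's spelling, usual spelling
    if "radius" in services and not any(sqlnet.get(k) for k in radius_keys):
        findings.append("RADIUS is enabled but no RADIUS server address is configured")
    source, setting = "static", str(sqlnet.get("ssl_client_authentication", "TRUE"))  # default value is TRUE
    security = (descriptor or {}).get("description", {}).get("security", {})
    if isinstance(security, dict) and "ssl_client_authentication" in security:
        source, setting = "dynamic", str(security["ssl_client_authentication"])
    if setting.upper() not in ("TRUE", "FALSE"):
        findings.append(f"SSL_CLIENT_AUTHENTICATION={setting} is not a permitted value (TRUE/FALSE)")
    elif setting.upper() == "FALSE":
        findings.append(f"SSL_CLIENT_AUTHENTICATION=FALSE ({source}): only the server is authenticated by SSL")
    return findings

# Constructed samples, not taken from the guide; 192.0.2.10 is a documentation-only address.
SAMPLE_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS, RADIUS)
SQLNET.RADIUS_AUTHENTICATION = 192.0.2.10
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
            (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""
SAMPLE_DESCRIPTOR = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.example.com)(PORT=2484))"
                     "(CONNECT_DATA=(SERVICE_NAME=orcl))(SECURITY=(SSL_CLIENT_AUTHENTICATION=TRUE)))")
```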

    B.3.4.1 SSL X.509 Server Match Parameters

    This section describes the parameters that are used to validate the identity of a server that the client connects to.


    Preface

    Welcome to the Oracle Database Advanced Security Administrator's Guide for the 11g Release 2 (11.2) of Oracle Advanced Security.

    Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.

    The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.

    This preface contains these topics:

    Audience

    The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including:

    • Implementation consultants

    • System administrators

    • Security administrators

    • Database administrators (DBAs)

    Documentation Accessibility

    Our goal is to make Oracle products, services, and supporting documentation accessible to all users, including users that are disabled. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/.

    Accessibility of Code Examples in Documentation

    Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

    Accessibility of Links to External Web Sites in Documentation

    This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

    Deaf/Hard of Hearing Access to Oracle Support Services

    To reach Oracle Support Services, use a telecommunications relay service (TRS) to call Oracle Support at 1.800.223.1711. An Oracle Support Services engineer will handle technical issues and provide customer support according to the Oracle service request process. Information about TRS is available at http://www.fcc.gov/cgb/consumerfacts/trs.html, and a list of phone numbers is available at http://www.fcc.gov/cgb/dro/trsphonebk.html.

    Organization

    This document contains the following chapters:

    Part I, "Getting Started with Oracle Advanced Security"

    Chapter 1, "Introduction to Oracle Advanced Security"

    This chapter provides an overview of Oracle Advanced Security features provided with this release.

    Chapter 2, "Configuration and Administration Tools Overview"

    This chapter provides an introduction and overview of Oracle Advanced Security GUI and command-line tools.

    Part II, "Data Encryption and Integrity"

    Chapter 3, "Securing Stored Data Using Transparent Data Encryption"

    This chapter provides an overview of the transparent data encryption feature introduced in Oracle Advanced Security 11g Release 2 (11.2). It describes how to configure and use transparent data encryption services.

    Chapter 4, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients"

    This chapter describes how to configure data encryption and integrity within an existing Oracle Net Services 11g Release 2 (11.2) network.

    Chapter 5, "Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients"

    This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.

    Part III, "Oracle Advanced Security Strong Authentication"

    Chapter 6, "Configuring RADIUS Authentication"

    This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.

    Chapter 7, "Configuring Kerberos Authentication"

    This chapter describes how to configure Oracle for use with MIT Kerberos and provides a brief overview of steps to configure Kerberos to authenticate Oracle users. It also includes a brief section that discusses interoperability between the Oracle Advanced Security Kerberos adapter and a Microsoft KDC.

    Chapter 8, "Configuring Secure Sockets Layer Authentication"

    This chapter describes how Oracle Advanced Security supports a public key infrastructure (PKI). It includes a discussion of configuring and using the Secure Sockets Layer (SSL), certificate validation, and hardware security module support features of Oracle Advanced Security.

    Chapter 9, "Using Oracle Wallet Manager"

    This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.

    Chapter 10, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security"

    This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to use conventional user name and password authentication. It also describes how to configure the network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.

    Part IV, "Appendixes"

    Appendix A, "Data Encryption and Integrity Parameters"

    This appendix describes Oracle Advanced Security data encryption and integrity configuration parameters.

    Appendix B, "Authentication Parameters"

    This appendix describes Oracle Advanced Security authentication configuration file parameters.

    Appendix C, "Integrating Authentication Devices Using RADIUS"

    This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.

    Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"

    This appendix describes the sqlnet.ora configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration.

    Appendix E, "Oracle Advanced Security FIPS 140-2 Settings"

    This appendix describes the configuration parameters required to comply with the FIPS 140-2 Level 2 evaluated configuration.

    Appendix F, "orapki Utility"

    This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certificate revocation lists (CRLs). You can also use this utility to create and manage Oracle wallets; create certificate requests, signed certificates, and user certificates for testing purposes; and to export certificates and certificate requests from Oracle wallets.

    Appendix G, "Entrust-Enabled SSL Authentication"

    This appendix describes how to configure and use Entrust-enabled Oracle Advanced Security for Secure Sockets Layer (SSL) authentication.

    Glossary

    Related Documentation

    For more information, refer to these Oracle resources:

    Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.

    To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at

    http://www.oracle.com/technology/membership/index.html
    

    If you already have a user name and password for OTN, then you can go directly to the documentation section of the OTN Web site at

    http://www.oracle.com/technology/documentation/index.html
    

    For information from third-party vendors, refer to:

    For conceptual information about the network security technologies supported by Oracle Advanced Security, you can refer to the following third-party publications:

    Conventions

    This section describes the conventions used in the text and code examples of this documentation set. It describes:

    Conventions in Text

    We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.

    Convention: Bold
    Meaning: Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both.
    Example: When you specify this clause, you create an index-organized table.

    Convention: Italics
    Meaning: Italic typeface indicates book titles or emphasis.
    Examples:
      Oracle Database Concepts
      Ensure that the recovery catalog and target database do not reside on the same disk.

    Convention: UPPERCASE monospace (fixed-width) font
    Meaning: Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, data types, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, user names, and roles.
    Examples:
      You can specify this clause only for a NUMBER column.
      You can back up the database by using the BACKUP command.
      Query the TABLE_NAME column in the USER_TABLES data dictionary view.
      Use the DBMS_STATS.GENERATE_STATS procedure.

    Convention: lowercase monospace (fixed-width) font
    Meaning: Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, user names and roles, program units, and parameter values.
      Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.
    Examples:
      Enter sqlplus to open SQL*Plus.
      The password is specified in the orapwd file.
      Back up the data files and control files in the /disk1/oracle/dbs directory.
      The department_id, department_name, and location_id columns are in the hr.departments table.
      Set the QUERY_REWRITE_ENABLED initialization parameter to true.
      Connect as oe user.
      The JRepUtil class implements these methods.

    Convention: lowercase italic monospace (fixed-width) font
    Meaning: Lowercase italic monospace font represents placeholders or variables.
    Examples:
      You can specify the parallel_clause.
      Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.


    Conventions in Code Examples

    Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:

    SELECT username FROM dba_users WHERE username = 'MIGRATE';
    

    The following table describes typographic conventions used in code examples and provides examples of their use.

    Convention: [ ]
    Meaning: Brackets enclose one or more optional items. Do not enter the brackets.
    Example:
      DECIMAL (digits [ , precision ])

    Convention: { }
    Meaning: Braces enclose two or more items, one of which is required. Do not enter the braces.
    Example:
      {ENABLE | DISABLE}

    Convention: |
    Meaning: A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.
    Examples:
      {ENABLE | DISABLE}
      [COMPRESS | NOCOMPRESS]

    Convention: ...
    Meaning: Horizontal ellipsis points indicate either:
      • That we have omitted parts of the code that are not directly related to the example
      • That you can repeat a portion of the code
    Examples:
      CREATE TABLE ... AS subquery;
      SELECT col1, col2, ... , coln FROM employees;

    Convention:
      .
      .
      .
    Meaning: Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.
    Example:
      SQL> SELECT NAME FROM V$DATAFILE;
      NAME
      ------------------------------------
      /fsl/dbs/tbs_01.dbf
      /fs1/dbs/tbs_02.dbf
      .
      .
      .
      /fsl/dbs/tbs_09.dbf
      9 rows selected.

    Convention: Other notation
    Meaning: You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.
    Examples:
      acctbal NUMBER(11,2);
      acct    CONSTANT NUMBER(4) := 3;

    Convention: Italics
    Meaning: Italicized text indicates placeholders or variables for which you must supply particular values.
    Examples:
      CONNECT SYSTEM/system_password
      DB_NAME = database_name

    Convention: UPPERCASE
    Meaning: Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.
    Examples:
      SELECT last_name, employee_id FROM employees;
      SELECT * FROM USER_TABLES;
      DROP TABLE hr.employees;

    Convention: lowercase
    Meaning: Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files.
      Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.
    Examples:
      SELECT last_name, employee_id FROM employees;
      sqlplus hr/hr
      CREATE USER mjones IDENTIFIED BY ty3MU9;

    Conventions for Windows Operating Systems

    The following table describes conventions for Windows operating systems and provides examples of their use.

    Convention: Select Start
    Meaning: How to start a program.
    Example: To start the Database Configuration Assistant, Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, Database Configuration Assistant.

    Convention: File and directory names
    Meaning: File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator, even when it appears in quotes. If the file name begins with \\, then Windows assumes it uses the Universal Naming Convention.
    Example:
      c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32

    Convention: C:\>
    Meaning: Represents the Windows command prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reflects the subdirectory in which you are working. Referred to as the command prompt in this manual.
    Example:
      C:\oracle\oradata>

    Convention: Special characters
    Meaning: The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters.
    Examples:
      C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\"
      C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)

    Convention: HOME_NAME
    Meaning: Represents the Oracle home name. The home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore.
    Example:
      C:\> net start OracleHOME_NAMETNSListener

    Convention: ORACLE_HOME and ORACLE_BASE
    Meaning: In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows, the default location was C:\orant.

      This release complies with Optimal Flexible Architecture (OFA) guidelines. Not all subdirectories are under a top level ORACLE_HOME directory. There is a top level directory called ORACLE_BASE that by default is C:\oracle. If you install the latest Oracle release on a computer with no other Oracle software installed, then the default setting for the first Oracle home directory is C:\oracle\orann, where nn is the latest release number. The Oracle home directory is located directly under ORACLE_BASE.

      All directory path examples in this guide follow OFA conventions.

      Refer to Oracle Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories.
    Example: Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.


    6 Configuring RADIUS Authentication

    This chapter describes how to configure an Oracle Database server for use with RADIUS (Remote Authentication Dial-In User Service). It contains the following topics:

    6.1 RADIUS Overview

    RADIUS is a client/server security protocol widely used to enable remote authentication and access. Oracle Advanced Security uses this industry standard in a client/server network environment.

    You can enable the network to use any authentication method that supports the RADIUS standard, including token cards and smart cards, by installing and configuring the RADIUS protocol. Moreover, when you use RADIUS, you can change the authentication method without modifying either the Oracle client or the Oracle database server.

    From the user's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Oracle database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server:

    • Looks up the user's security information

    • Passes authentication and authorization information between the appropriate authentication server or servers and the Oracle database server

    • Grants the user access to the Oracle database server

    • Logs session information, including when, how often, and for how long the user was connected to the Oracle database server

    The Oracle/RADIUS environment is displayed in Figure 6-1:

    The Oracle database server acts as the RADIUS client, passing information between the Oracle client and the RADIUS server. Similarly, the RADIUS server passes information between the Oracle database server and the appropriate authentication servers. The authentication components are listed in Table 6-1:

    A RADIUS server vendor is often the authentication server vendor as well. In this case authentication can be processed on the RADIUS server. For example, the RSA ACE/Server is both a RADIUS server and an authentication server. It thus authenticates the user's pass code.


    See Also:

    Oracle Database Net Services Administrator's Guide, for information about the sqlnet.ora file

    6.2 RADIUS Authentication Modes

    User authentication can take place in the following ways:

    6.2.1 Synchronous Authentication Mode

    In the synchronous mode, RADIUS lets you use various authentication methods, including passwords and SecurID token cards. Figure 6-2 shows the sequence in which synchronous authentication occurs:

    The following steps describe the synchronous authentication sequence:

    1. A user logs in by entering a connect string, pass code, or other value. The client system passes this data to the Oracle database server.

    2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

    3. The RADIUS server passes the data to the appropriate authentication server, such as Smart Card or SecurID ACE for validation.

    4. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.

    5. The RADIUS server passes this response to the Oracle database server/RADIUS client.

    6. The Oracle database server/RADIUS client passes the response back to the Oracle client.

    Example: Synchronous Authentication with SecurID Token Cards

    With SecurID authentication, each user has a token card that displays a dynamic number that changes every sixty seconds. To gain access to the Oracle database server/RADIUS client, the user enters a valid pass code that includes both a personal identification number (PIN) and the dynamic number currently displayed on the user's SecurID card. The Oracle database server passes this authentication information from the Oracle client to the RADIUS server, which in this case is the authentication server for validation. Once the authentication server (RSA ACE/Server) validates the user, it sends an accept packet to the Oracle database server, which, in turn, passes it to the Oracle client. The user is now authenticated and able to access the appropriate tables and applications.




    6.2.2 Challenge-Response (Asynchronous) Authentication Mode

    When the system uses the asynchronous mode, the user does not need to enter a user name and password in the SQL*Plus CONNECT string. Instead, a graphical user interface asks the user for this information later in the process.

    Figure 6-3 shows the sequence in which challenge-response (asynchronous) authentication occurs.


    Note:

    If the RADIUS server is the authentication server, Steps 3, 4, and 5, and Steps 9, 10, and 11 in Figure 6-3 are combined.

    The following steps describe the asynchronous authentication sequence:

    1. A user initiates a connection to an Oracle database server. The client system passes the data to the Oracle database server.

    2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

    3. The RADIUS server passes the data to the appropriate authentication server, such as a Smart Card, SecurID ACE, or token card server.

    4. The authentication server sends a challenge, such as a random number, to the RADIUS server.

    5. The RADIUS server passes the challenge to the Oracle database server/RADIUS client.

    6. The Oracle database server/RADIUS client, in turn, passes it to the Oracle client. A graphical user interface presents the challenge to the user.

    7. The user provides a response to the challenge. To formulate a response, the user can, for example, enter the received challenge into the token card. The token card provides a dynamic password that is entered into the graphical user interface. The Oracle client passes the user's response to the Oracle database server/RADIUS client.

    8. The Oracle database server/RADIUS client sends the user's response to the RADIUS server.

    9. The RADIUS server passes the user's response to the appropriate authentication server for validation.

    10. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.

    11. The RADIUS server passes the response to the Oracle database server/RADIUS client.

    12. The Oracle database server/RADIUS client passes the response to the Oracle client.

    Example: Asynchronous Authentication with Smart Cards

    With smart card authentication, the user logs in by inserting the smart card into a smart card reader that reads the smart card. The smart card is a plastic card, like a credit card, with an embedded integrated circuit for storing information.

    The Oracle client sends the login information contained in the smart card to the authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the Oracle client, by way of the RADIUS server and the Oracle database server, prompting the user for authentication information. The information could be, for example, a PIN as well as additional authentication information contained on the smart card.

    The Oracle client sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has entered a valid number, the authentication server sends an accept packet back to the Oracle client by way of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered incorrect information, the authentication server sends back a message rejecting the user's access.

    Example: Asynchronous Authentication with ActivCard Tokens

    One particular ActivCard token is a hand-held device with a keypad and which displays a dynamic password. When the user seeks access to an Oracle database server by entering a password, the information is passed to the appropriate authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the client, by way of the RADIUS server and the Oracle database server. The user types that challenge into the token, and the token displays a number for the user to send in response.

    The Oracle client then sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has typed a valid number, the authentication server sends an accept packet back to the Oracle client by way of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered an incorrect response, the authentication server sends back a message rejecting the user's access.
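    The two flows described in Sections 6.2.1 and 6.2.2 at packet level, as an added example that is not part of the Oracle guide and not the code of the Oracle RADIUS adapter. A toy in-process server stands in for the RADIUS server and authentication server of Figure 6-1, and login() plays the Oracle database server acting as RADIUS client; the users scott and alice, their passwords and the token code are constructed, and no network I/O takes place. It makes explicit what the text leaves implicit: the shared secret that later goes into radius.key both hides User-Password in every Access-Request (RFC 2865 section 5.2) and authenticates every reply through the Response Authenticator, and a challenge-response login must echo the server's State attribute back unchanged.

```python
"""Toy RFC 2865 RADIUS exchange for the two flows of Section 6.2. Added example,
not code from the Oracle guide or the Oracle RADIUS adapter: ToyRadiusServer stands
in for the RADIUS server plus authentication server, all credentials are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password: only a peer holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Type(1) Length(1, header included) Value, concatenated
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(secret, request_auth, code, ident, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def verify_response(secret, request_auth, packet):
    """True only if the reply was produced by a peer holding the same shared secret."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(secret, request_auth, code, ident, decode_attrs(packet[20:]))
    return hmac.compare_digest(packet[4:20], expected)


class ToyRadiusServer:
    """Users listed in token_codes get the challenge-response flow of 6.2.2; others the synchronous flow of 6.2.1."""

    def __init__(self, secret, passwords, token_codes):
        self.secret, self.passwords, self.token_codes = secret, passwords, token_codes
        self.pending = {}  # State value -> user name that still owes a token code

    def handle(self, packet):
        _, ident, _ = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
        user = attrs[USER_NAME].decode("utf-8", "replace")
        pw = unhide_password(self.secret, req_auth, attrs[USER_PASSWORD])
        code, reply = ACCESS_ACCEPT, []
        if STATE in attrs:  # Figure 6-3 steps 9-10: validate the answer to our challenge
            if self.pending.pop(attrs[STATE], None) != user or pw != self.token_codes.get(user):
                code = ACCESS_REJECT
        elif pw != self.passwords.get(user):
            code = ACCESS_REJECT
        elif user in self.token_codes:  # Figure 6-3 step 4: issue a challenge
            state = os.urandom(8)
            self.pending[state] = user
            code, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter token code"), (STATE, state)]
        return build_packet(code, ident, response_authenticator(self.secret, req_auth, code, ident, reply), reply)


def login(server, client_secret, user, password, token_fn=None):
    """Plays the Oracle database server acting as RADIUS client; token_fn(prompt) plays the
    GUI that asks for the token code. Returns the final reply code, or None when a reply
    fails Response Authenticator verification (wrong shared secret or tampering)."""
    ident, req_auth = 1, os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(client_secret, req_auth, password.encode()))]
    reply = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    if not verify_response(client_secret, req_auth, reply):
        return None
    if reply[0] == ACCESS_CHALLENGE:
        rattrs = dict(decode_attrs(reply[20:]))
        answer = token_fn(rattrs.get(REPLY_MESSAGE, b"").decode())
        ident, req_auth = 2, os.urandom(16)
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(client_secret, req_auth, answer.encode())),
                 (STATE, rattrs[STATE])]  # State must be echoed back unmodified
        reply = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(client_secret, req_auth, reply):
            return None
    return reply[0]
```

    A real RADIUS client sends these packets over UDP; the toy calls handle() directly so the exchange can be traced in one process. The design point is the last check in login(): a reply whose Response Authenticator does not verify is discarded rather than treated as a reject, which is why a client configured with the wrong secret in radius.key sees timeouts, not an error. Anyone who holds the shared secret can unhide passwords and forge replies, which is the reason Step 5 of Section 6.3.2 insists on restrictive file permissions.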

    6.3 Enabling RADIUS Authentication, Authorization, and Accounting

    To enable RADIUS authentication, authorization, and accounting, perform the following tasks:

    6.3.1 Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client

    RADIUS is installed with Oracle Advanced Security during a typical installation of Oracle Database.


    See Also:

    Oracle Database operating system-specific installation documentation, for information about installing Oracle Advanced Security and the RADIUS adapter

    6.3.2 Task 2: Configure RADIUS Authentication

    This task includes the following steps:

    Unless otherwise indicated, perform these configuration tasks by using Oracle Net Manager or by using any text editor to modify the sqlnet.ora file.

    6.3.2.2 Step 2: Configure RADIUS on the Oracle Database Server

    Following are the steps to configure RADIUS:

    Create the RADIUS Secret Key File on the Oracle Database Server

    Following are the steps to create the RADIUS secret key file on the Oracle database server:

    1. Obtain the RADIUS secret key from the RADIUS server. For each RADIUS client, the administrator of the RADIUS server creates a shared secret key, which must be less than or equal to 16 characters.

    2. On the Oracle database server, create a directory:

      • (UNIX) $ORACLE_HOME/network/security

      • (Windows) ORACLE_BASE\ORACLE_HOME\network\security

    3. Create the file radius.key to hold the shared secret copied from the RADIUS server. Place the file in the directory you created in Step 2.

    4. Copy the shared secret key and paste it (and nothing else) into the radius.key file created on the Oracle database server.

    5. For security purposes, change the file permission of radius.key to read only, accessible only by the Oracle owner. Oracle relies on the file system to keep this file secret.


      See Also:

      The RADIUS server administration documentation, for information about obtaining the secret key
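    The five steps above as a script, added here and not the Oracle guide's own code: write_radius_key() creates the file holding the secret and nothing else (no trailing newline, which a shell `echo` redirection would add) with mode 0400 applied at creation time, and check_radius_key() reports the mistakes that break Step 4 or Step 5. The directory tree and the secret used by demo() are constructed; the code assumes a POSIX file system.

```python
"""Create and verify $ORACLE_HOME/network/security/radius.key as Steps 1-5 require.
Added example, not the Oracle guide's own code; demo() uses constructed data."""
import os
import stat
import tempfile

MAX_SECRET_LEN = 16  # limit stated in Step 1


def secret_is_valid(secret):
    """1..16 characters and no line breaks: the file must hold the secret and nothing else."""
    return 0 < len(secret) <= MAX_SECRET_LEN and "\n" not in secret and "\r" not in secret


def write_radius_key(security_dir, secret):
    """Write <security_dir>/radius.key containing exactly the secret, readable only by the
    owner, with the mode applied at creation so the file is never briefly world-readable."""
    if not secret_is_valid(secret):
        raise ValueError("shared secret must be 1..16 characters without line breaks")
    os.makedirs(security_dir, mode=0o750, exist_ok=True)
    path = os.path.join(security_dir, "radius.key")
    if os.path.exists(path):
        os.remove(path)  # an existing 0400 file cannot be opened for writing in place
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    try:
        os.write(fd, secret.encode())
        os.fchmod(fd, 0o400)  # make the result independent of the process umask
    finally:
        os.close(fd)
    return path


def check_radius_key(path):
    """Return a list of findings; an empty list means the file matches Steps 1-5."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["radius.key is missing"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("mode is %04o, expected 0400 (owner read-only)" % mode)
    with open(path, "rb") as f:
        data = f.read()
    if data != data.rstrip(b"\r\n"):
        findings.append("secret is followed by a line break; the file must contain the secret only")
    if not secret_is_valid(data.rstrip(b"\r\n").decode("utf-8", "replace")):
        findings.append("secret length is not 1..16 characters")
    return findings


def demo():
    """Write a correct key and a deliberately wrong one into a temporary tree (constructed
    data) and return (findings_for_good, findings_for_bad, contents_of_good)."""
    base = tempfile.mkdtemp()
    good = write_radius_key(os.path.join(base, "network", "security"), "Zx9!sharedSecret")
    bad = os.path.join(base, "bad.key")
    with open(bad, "w") as f:
        f.write("sharedSecret\n")  # what `echo sharedSecret > radius.key` produces
    os.chmod(bad, 0o644)
    with open(good, "rb") as f:
        contents = f.read()
    return check_radius_key(good), check_radius_key(bad), contents
```

    Run check_radius_key() against the real path after copying the secret; a file that shows "mode is 0644" or "followed by a line break" is the usual reason the adapter never authenticates against a server whose secret was entered correctly.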

    Configure RADIUS Parameters on the Server (sqlnet.ora file)

    Use Oracle Net Manager to configure RADIUS parameters on the server (Refer to "Starting Oracle Net Manager"):

    1. Navigate to the Oracle Advanced Security profile. (Refer to "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Security tabbed window is displayed. (Figure 6-4).

    2. Click the Authentication tab.

    3. From the Available Methods list, select RADIUS.

    4. Move RADIUS to the Selected Methods list by choosing the right-arrow (>).

    5. To arrange the selected methods in order of desired use, select a method in the Selected Methods list, and select Promote or Demote to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of the list.

    6. Click Other Params as shown in (Figure 6-5):

    1. From the Authentication Service list, select RADIUS.

    2. In the Host Name field, accept localhost as the default primary RADIUS server, or enter the host name or IP address of your RADIUS server.

    3. Ensure that the default value of the Secret File field is valid.

    4. Select File, Save Network Configuration.

      The sqlnet.ora file is updated with the following entries:

      SQLNET.AUTHENTICATION_SERVICES=RADIUS
      SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_{hostname|IP_address}
      

      Note:

      The IP_address can either be an Internet Protocol Version 4 (IPv4) or Internet Protocol Version 6 (IPv6) address. The RADIUS adapter supports both IPv4 and IPv6 based servers.

    Set Oracle Database Server Initialization Parameters

    Configure the initialization parameter file, located in

    • (UNIX) $ORACLE_HOME/admin/db_name/pfile

    • (Windows) ORACLE_BASE\ORACLE_HOME\admin\db_name\pfile

    with the following values:

    REMOTE_OS_AUTHENT=FALSE
    OS_AUTHENT_PREFIX=""
    

    Caution:

    Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach: the database then trusts the operating system user name that a remote client asserts over a non-secure protocol, such as TCP, and permits an operating system-authenticated login (formerly called an OPS$ login) without any password.



    Note:

    In addition to setting the REMOTE_OS_AUTHENT initialization parameter to FALSE, start the instance with the PFILE option of the STARTUP command so that the parameters in your initSID.ora file are used. If the instance starts from a server parameter file (SPFILE) instead, an edit to initSID.ora has no effect; set the parameter in the SPFILE (for example, ALTER SYSTEM SET REMOTE_OS_AUTHENT=FALSE SCOPE=SPFILE) and restart the instance, because this parameter is static.


    See Also:

    Oracle Database Reference and the Oracle Database Administrator's Guide for information about setting initialization parameters on an Oracle Database server

    6.3.2.3 Step 3: Configure Additional RADIUS Features

    Change Default Settings

    Use Oracle Net Manager to change default settings (See "Starting Oracle Net Manager"):

    1. Navigate to the Oracle Advanced Security profile (See "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Security tabbed window is displayed. (Figure 6-5).

    2. Click the Other Params tab.

    3. From the Authentication Service list, select RADIUS.

    4. Change the default setting for any of the following fields:

      Port Number
        Specifies the listening port of the primary RADIUS server. The default value is 1645. Many RADIUS servers listen on port 1812, the port assigned by RFC 2865, rather than the older 1645; set this field to match the server.

      Timeout (seconds)
        Specifies the time the Oracle database server waits for a response from the primary RADIUS server. The default is 15 seconds.

      Number of Retries
        Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries.

        For instructions on configuring RADIUS accounting, see: Task 5: Configure RADIUS Accounting.

      Secret File
        Specifies the location of the secret key on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself.

        For information about specifying the secret key, see: Create the RADIUS Secret Key File on the Oracle Database Server.


    5. Select File, Save Network Configuration.

      The sqlnet.ora file is updated with the following entries:

      SQLNET.RADIUS_AUTHENTICATION_PORT=(PORT)
      SQLNET.RADIUS_AUTHENTICATION_TIMEOUT= (NUMBER OF SECONDS TO WAIT FOR response)
      SQLNET.RADIUS_AUTHENTICATION_RETRIES= (NUMBER OF TIMES TO RE-SEND TO RADIUS server)
      SQLNET.RADIUS_SECRET=(path/radius.key)
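    A check over the settings from "Configure RADIUS Parameters on the Server", "Set Oracle Database Server Initialization Parameters" and the field table above, added here and not the Oracle guide's own code. It parses a sqlnet.ora and an initSID.ora, and verifies that RADIUS is among the authentication services, that a primary server is named, that the port, timeout and retry values are numbers, that the secret file exists with mode 0400, and that REMOTE_OS_AUTHENT is FALSE and OS_AUTHENT_PREFIX is empty. The host name radius1.example.com, the Oracle home path and the sample file contents are constructed; the good sample uses port 1812, the port RFC 2865 assigns, in place of the 1645 default.

```python
"""Audit the RADIUS entries in sqlnet.ora and the two initialization parameters of
Section 6.3.2. Added example, not the Oracle guide's own code; samples are constructed."""
import os
import stat

DEFAULTS = {"SQLNET.RADIUS_AUTHENTICATION_PORT": "1645",
            "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT": "15",
            "SQLNET.RADIUS_AUTHENTICATION_RETRIES": "3"}


def parse_ora(text):
    """NAME=value lines of a sqlnet.ora or initSID.ora as a dict: names upper-cased,
    outer parentheses, quotes and blanks stripped (single-line values only)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip().strip("()").strip().strip('"')
    return params


def audit_radius(sqlnet_text, pfile_text, secret_mode):
    """Return findings (empty list means the configuration matches the guide). secret_mode is
    the permission bits of the file named by SQLNET.RADIUS_SECRET, or None if it is missing."""
    s, p, findings = parse_ora(sqlnet_text), parse_ora(pfile_text), []
    services = [x.strip().upper() for x in s.get("SQLNET.AUTHENTICATION_SERVICES", "").split(",")]
    if "RADIUS" not in services:
        findings.append("RADIUS is not in SQLNET.AUTHENTICATION_SERVICES")
    if not s.get("SQLNET.RADIUS_AUTHENTICATION"):
        findings.append("SQLNET.RADIUS_AUTHENTICATION (primary server host or IP address) is not set")
    for name, default in DEFAULTS.items():
        value = s.get(name, default)
        if not value.isdigit() or int(value) < 1 or (name.endswith("_PORT") and int(value) > 65535):
            findings.append("%s=%r is not a valid positive number" % (name, value))
    if not s.get("SQLNET.RADIUS_SECRET"):
        findings.append("SQLNET.RADIUS_SECRET does not name the radius.key file")
    elif secret_mode is None:
        findings.append("secret file %s not found" % s["SQLNET.RADIUS_SECRET"])
    elif secret_mode != 0o400:
        findings.append("secret file mode is %04o, expected 0400" % secret_mode)
    if p.get("REMOTE_OS_AUTHENT", "").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT must be FALSE")
    if p.get("OS_AUTHENT_PREFIX", "missing") != "":
        findings.append('OS_AUTHENT_PREFIX must be ""')
    return findings


def audit_files(sqlnet_path, pfile_path):
    """Run audit_radius against real files, stat'ing the secret file that sqlnet.ora names."""
    with open(sqlnet_path) as f:
        sqlnet_text = f.read()
    with open(pfile_path) as f:
        pfile_text = f.read()
    key = parse_ora(sqlnet_text).get("SQLNET.RADIUS_SECRET")
    mode = stat.S_IMODE(os.stat(key).st_mode) if key and os.path.exists(key) else None
    return audit_radius(sqlnet_text, pfile_text, mode)


# Constructed sample of a configuration that follows the guide (host and path are made up) ...
GOOD_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=radius1.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT=1812
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=15
SQLNET.RADIUS_AUTHENTICATION_RETRIES=3
SQLNET.RADIUS_SECRET=(/u01/app/oracle/product/11.2.0/dbhome_1/network/security/radius.key)
"""
GOOD_PFILE = 'REMOTE_OS_AUTHENT=FALSE\nOS_AUTHENT_PREFIX=""\n'

# ... and one carrying the mistakes the audit is meant to catch.
BAD_SQLNET = """\
SQLNET.AUTHENTICATION_SERVICES=(NTS)           # RADIUS never selected in Net Manager
SQLNET.RADIUS_AUTHENTICATION=radius1.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT=radius       # not a number
SQLNET.RADIUS_SECRET=(/etc/radius.key)
"""
BAD_PFILE = 'remote_os_authent=true\nos_authent_prefix="OPS$"\n'
```

    Point audit_files() at the real $ORACLE_HOME/network/admin/sqlnet.ora and initSID.ora after saving the Net Manager configuration. Two things the audit deliberately does not check are worth doing by hand: that the value in SQLNET.RADIUS_AUTHENTICATION resolves to the server that actually holds the matching shared secret, and that the parameter file it reads is the one the instance was started with (see the PFILE note under "Set Oracle Database Server Initialization Parameters").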
      

    Configure Challenge-Response

    The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interfac