Oracle Advanced Security Administrator's Guide Release 8.1.6 A76932-01 |
|
This chapter provides information on how to use the Secure Socket Layer (SSL) protocol. It contains the following topics:
Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity in a public key infrastructure (PKI).
This section discusses the following topics:
By supporting SSL, Oracle Advanced Security expands its support for encryption and integrity and provides public key authentication based on the SSL standard.
You can use the Oracle Advanced Security SSL feature to secure communications between clients and servers. Specifically, you can use SSL to authenticate:
You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos.
More Information:
For more information on authentication methods, see Chapter 1, "Introduction to Oracle Advanced Security." |
You can use SSL in one of the following authentication modes:
For a full explanation of SSL, see the Internet Engineering Task Force document, The SSL Protocol, Version 3.0.
For important security concepts and terminology, see the Glossary.
More Information:
In an Oracle environment, SSL operates at the Oracle Protocols layer using TCP/IP as illustrated in Figure 10-1.
The components of SSL in an Oracle environment include the following, each of which is described below:
A certificate ensures that the entity's identity information is correct and that the public key actually belongs to that entity. A certificate is created when an entity's public key is signed by a trusted identity, that is, a certificate authority (CA), described more fully in this section.
A certificate contains the entity's name, public key, a serial number, and an expiration date. It can contain information about the privileges associated with the certificate. Finally, it contains certificate chain information.
When an entity receives a certificate, either its own certificate from a CA or a certificate from another entity, it verifies that certificate is a trusted certificate, that is, that it is issued by a trusted certificate authority. A certificate is valid until it expires.
A certificate authority is a trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. The certificate authority verifies the entity's identity and grants a certificate, signing it with the certificate authority's private key.
Different CAs may have different identification requirements when issuing certificates. One certificate authority may want to see a user's driver's license, another may want the certificate request form to be notarized, yet another may want fingerprints of the person requesting a certificate.
The certificate authority publishes its own certificate which includes its public key. Each network entity has a list of such certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature on the other entity's certificate is from a known trusted CA.
Network entities can obtain their certificates from the same or from different CAs.
Note: Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust by default when you create a new wallet. For information on adding certificates, see "Creating a New Wallet" in Chapter 18, "Using Oracle Wallet Manager." For information on adding trusted certificates, see "Managing Trusted Certificates" in Chapter 18, "Using Oracle Wallet Manager." |
A wallet is an abstraction used to store and manage authentication data such as keys, certificates, and trusted certificates that are needed by SSL. In an Oracle environment, each system using SSL has a wallet with an X.509 version 3 certificate, private key, and list of trusted certificates.
Security administrators use the Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, the Oracle Wallet Manager is used to do the following:
For information on the Oracle Wallet Manager, see Chapter 18, "Using Oracle Wallet Manager."
More Information:
At the beginning of their communication, the client and server perform an SSL handshake that includes the following important tasks:
Similarly, if client authentication is required, the client sends its own certificate to the server. The server verifies that the client's certificate was signed by a trusted CA.
In an Oracle environment, the authentication process involves the following basic steps:
You can use the Oracle Advanced Security SSL feature to secure connections between non-Oracle clients and Oracle servers. For example, SSL can allow a client outside an Oracle network to access authorized data securely within the Oracle network.
Figure 10-2 shows an example of using SSL to secure connections between Oracle and non-Oracle entities, beginning over the Internet and proceeding to an Oracle server. In this example, a Web server runs as an Oracle8i Java client. It receives messages over HTTPS (HTTP secured by SSL), and sends CORBA requests to the Oracle server via a servlet over IIOP/SSL (IIOP secured by SSL). Note that, in this example, the Web server passes its own certificate, and not the Web client's, to the Oracle server.
You can combine the features of SSL with other authentication methods supported by Oracle Advanced Security, such as Kerberos, SecurID, RADIUS, or Identix.
More Information:
For information on authentication methods, see Chapter 1, "Introduction to Oracle Advanced Security." |
This section discusses the following topics:
As Figure 10-3 illustrates, Oracle Advanced Security operates at the session layer on top of SSL which uses TCP/IP at the transport layer.
More Information:
For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide. |
Figure 10-4 shows a scenario in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. In this scenario, server authentication uses SSL, and client authentication uses an authentication method supported by Oracle Advanced Security, such as Kerberos, SecurID, Identix, and Radius.
The user, at the client, can now access the Oracle server securely using SSL.
Warning: You can use SSL encryption in combination with another Oracle Advanced Security authentication method. When you do this, you must disable any non-SSL encryption to comply with government regulations prohibiting double encryption. If you do not do this, the connection fails. You cannot use SSL authentication with Oracle Advanced Security encryption. For information on how to disable Oracle Advanced Security encryption, see Chapter 2, "Configuring Data Encryption and Integrity." |
Consider the following issues when using SSL:
To enable SSL, perform the general tasks in the following list.
Install Oracle Advanced Security on both the client and server. When you install Oracle Advanced Security, the Oracle Universal Installer installs SSL, Oracle Wallet Manager, and Oracle Enterprise Login Assistant on your system.
To configure SSL on the client, perform the tasks in the following list:
There are two ways to configure a parameter:
Note:
sqlnet.ora
file, as described in "Specify Required Client Configuration (Wallet Location)".
To specify required configuration parameters for the client:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entries:
SSL_CLIENT_AUTHENTICATION =TRUE
OSS.SOURCE.MY_WALLET =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=wallet_location
)))
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
The SSL_CIPHER_SUITES parameter sets the cipher suites SSL uses.
When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. Setting one or more cipher suites yourself overrides the other default cipher suites set during installation. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
You typically prioritize cipher suites starting with the strongest and moving to the weakest.
The following two tables list the available SSL cipher suites supported in both the domestic and export editions of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. These tables also list the authentication, encryption, and data integrity types each cipher suite uses.
Warning: If you use SSL in conjunction with another authentication method supported by Oracle Advanced Security, you must disable any non-SSL encryption to comply with government regulations prohibiting double encryption. If you do not do this, the connection fails. For information on how to disable Oracle Advanced Security encryption, see "Negotiating Encryption and Integrity" in Chapter 2, "Configuring Data Encryption and Integrity." |
To specify cipher suites for the client:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entry:
SSL_CIPHER_SUITES= (SSL cipher suite1 [,SSL cipher suite2])
You can set the SSL_VERSION parameter in the sqlnet.ora
file. The parameter defines the version of SSL that must run on the machines with which the client communicates. You can require those machines to use SSL 3.0, or any existing or future versions. The default setting for this parameter in sqlnet.ora
is 0; in Net8 Assistant it is Any.
To set the SSL version for the client:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entry:
SSL_VERSION={ 0 | 3.0 }
The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora
file sets the SSL authentication service.
You must set this parameter only if both of the following two conditions apply:
and
If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora
file by using a text editor. For example:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, identix,securid)
If either or both of the above conditions do not apply, you do not need to set this parameter.
The client must be configured with the location of the listener. For an SSL connection, the client must be configured with a TCP/IP with SSL listener protocol address.
During installation, Oracle sets defaults on both the Oracle server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform the following tasks.
There are two ways to configure a parameter:
Note:
sqlnet.ora
file, as described in "Specify Required Client Configuration (Wallet Location)".
To specify required configuration parameters for the server:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
and listener.ora
files update with the following entry. allowing for secure connections over SSL:
OSS.SOURCE.MY_WALLET =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=<wallet_location
)))
listener.ora
file to have the database authenticate the client rather than the listener:
SSL_CLIENT_AUTHENTICATION=FALSE
SSL_CLIENT_AUTHENTICATION is set to TRUE by default. Since the database authenticates the client, it is not necessary to have the listener authenticate the client. Therefore, Oracle Corporation recommends setting this parameter to FALSE. Decisions to set this parameter to TRUE are at the discretion of your security administrator.
Important: There are two occasions during the client and the server configuration when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions.
|
The SSL_CIPHER_SUITES parameter sets the cipher suites SSL uses.
When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. Setting one or more cipher suites yourself overrides the other default cipher suites set during installation. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are removed.
You can prioritize the cipher suites. When the server negotiates with clients over which cipher suite to use, it follows the prioritization you set.
When you prioritize the cipher suites, consider the following:
For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. In this case, you cannot use a cipher suite employing Diffie-Hellman anonymous authentication, which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.
Note: In Oracle Advanced Security version 8.1.6, if you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. See "Set SSL Client Authentication (Optional)"in this chapter. |
You would typically prioritize cipher suites starting with the strongest and moving to the weakest. The following two tables list the available SSL cipher suites supported in both the domestic and export editions of Oracle Advanced Security. These tables also list the authentication, encryption, and data integrity types each cipher suite uses.
To specify cipher suites for the server:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entry:
SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
You can set the SSL_VERSION parameter in the sqlnet.ora
file. This parameter defines the version of SSL that must run on the machines with which the client communicates. You can require those machines to use SSL 3.0, or any existing or future versions. The default setting for this parameter in sqlnet.ora
is 0; in Net8 Assistant it is Any.
To set the SSL version on the server:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entry, listing the version in order of priority used:
SSL_VERSION={ 0 | 3.0 }
The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora
file controls whether the client is authenticated using SSL. The default value is TRUE.
You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or CyberSafe.
To set this parameter to FALSE:
The Oracle Advanced Security tabbed pages appear.
The sqlnet.ora
file updates with the following entry:
SSL_CLIENT_AUTHENTICATION=FALSE
The SQLNET.AUTHENTICATION_SERVICES parameter sets the SSL authentication service.
You must set this parameter only if both of the following conditions apply:
If both of the above conditions apply, use a text editor to add TCP with SSL (TCPS) to this parameter in the sqlnet.ora
file. For example:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, selected_method_1, selected_method_2)
If either or both of the above conditions do not apply, you do not need to set this parameter.
Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora
file. Oracle Corporation recommends a port number 2484 for typical Net8 clients and 2482 for client connections to Oracle8i JServer.
If you are using SSL authentication, launch SQL*Plus and enter the following:
CONNECT/@dnet_service_name
If you are not using SSL authentication, launch SQL*Plus and enter the following:
CONNECT username/password@net_service_name
|
Copyright © 1999 Oracle Corporation. All Rights Reserved. |
|