10
Configuring Secure Socket Layer Authentication

This chapter provides information on how to use the Secure Socket Layer (SSL) protocol. It contains the following topics:

• SSL In an Oracle Environment

• SSL Beyond an Oracle Environment

• SSL Combined with Other Authentication Methods

• Issues When Using SSL

• Enabling SSL

SSL In an Oracle Environment

Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity in a public key infrastructure (PKI).

This section discusses the following topics:

• What You Can Do with SSL

• Architecture of SSL in an Oracle Environment

• Components of SSL in an Oracle Environment

• How SSL Works in an Oracle Environment: The SSL Handshake

What You Can Do with SSL

By supporting SSL, Oracle Advanced Security expands its support for encryption and integrity and provides public key authentication based on the SSL standard.

You can use the Oracle Advanced Security SSL feature to secure communications between clients and servers. Specifically, you can use SSL to authenticate:

• Any client or server to one or more Oracle servers

• An Oracle server to any client

You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos.

More Information: For more information on authentication methods, see Chapter 1, "Introduction to Oracle Advanced Security."

You can use SSL in one of the following authentication modes:

• Only the server authenticates itself to the client

• Both client and server authenticate themselves to each other

• Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself

  More Information: For a full explanation of SSL, see the Internet Engineering Task Force document, The SSL Protocol, Version 3.0. For important security concepts and terminology, see the Glossary.

Architecture of SSL in an Oracle Environment

In an Oracle environment, SSL operates at the Oracle Protocols layer using TCP/IP as illustrated in Figure 10-1.

Figure 10-1 SSL Architecture in an Oracle Environment

Components of SSL in an Oracle Environment

The components of SSL in an Oracle environment include the following, each of which is described below:

• Certificate

• Certificate Authority (CA)

• Wallet

Certificate

A certificate ensures that the entity's identity information is correct and that the public key actually belongs to that entity. A certificate is created when an entity's public key is signed by a trusted identity, that is, a certificate authority (CA), described more fully in this section.

A certificate contains the entity's name, public key, a serial number, and an expiration date. It can contain information about the privileges associated with the certificate. Finally, it contains certificate chain information.

When an entity receives a certificate, either its own certificate from a CA or a certificate from another entity, it verifies that certificate is a trusted certificate, that is, that it is issued by a trusted certificate authority. A certificate is valid until it expires.

Certificate Authority (CA)

A certificate authority is a trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. The certificate authority verifies the entity's identity and grants a certificate, signing it with the certificate authority's private key.

Different CAs may have different identification requirements when issuing certificates. One certificate authority may want to see a user's driver's license, another may want the certificate request form to be notarized, yet another may want fingerprints of the person requesting a certificate.

The certificate authority publishes its own certificate which includes its public key. Each network entity has a list of such certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature on the other entity's certificate is from a known trusted CA.

Network entities can obtain their certificates from the same or from different CAs.

Note: Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, and GTE CyberTrust by default when you create a new wallet. For information on adding certificates, see "Creating a New Wallet" in Chapter 18, "Using Oracle Wallet Manager." For information on adding trusted certificates, see "Managing Trusted Certificates" in Chapter 18, "Using Oracle Wallet Manager."

Wallet

A wallet is an abstraction used to store and manage authentication data such as keys, certificates, and trusted certificates that are needed by SSL. In an Oracle environment, each system using SSL has a wallet with an X.509 version 3 certificate, private key, and list of trusted certificates.

Security administrators use the Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, the Oracle Wallet Manager is used to do the following:

• Generate a public-private key pair and create a certificate request for submission to a certificate authority

• Install a certificate for the identity

• Configure trusted certificates for the identity

  Note: Installation of Oracle Advanced Security, release 8.1.6, also installs Oracle Wallet Manager release 2.0 and Oracle Enterprise Login Assistant release 1.0.

  More Information: For information on the Oracle Wallet Manager, see Chapter 18, "Using Oracle Wallet Manager."

How SSL Works in an Oracle Environment: The SSL Handshake

At the beginning of their communication, the client and server perform an SSL handshake that includes the following important tasks:

• The client and server establish which cipher suites to use.

• The server sends its certificate to the client. The client verifies that the server's certificate was signed by a trusted CA.

  Similarly, if client authentication is required, the client sends its own certificate to the server. The server verifies that the client's certificate was signed by a trusted CA.

• The client and server exchange key material using public key cryptography, and, from this material, they each generate a session key. All subsequent communication between client and server is encrypted and decrypted by using this set of session keys and the negotiated cipher suite.

In an Oracle environment, the authentication process involves the following basic steps:

1. The user initiates a Net8 connection to the server by using SSL.

2. SSL performs the handshake between client and server.

3. If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database.

   More Information: For a full explanation of SSL, see the Internet Engineering Task Force document The SSL Protocol, Version 3.0.

SSL Beyond an Oracle Environment

You can use the Oracle Advanced Security SSL feature to secure connections between non-Oracle clients and Oracle servers. For example, SSL can allow a client outside an Oracle network to access authorized data securely within the Oracle network.

Figure 10-2 shows an example of using SSL to secure connections between Oracle and non-Oracle entities, beginning over the Internet and proceeding to an Oracle server. In this example, a Web server runs as an Oracle8i Java client. It receives messages over HTTPS (HTTP secured by SSL), and sends CORBA requests to the Oracle server via a servlet over IIOP/SSL (IIOP secured by SSL). Note that, in this example, the Web server passes its own certificate, and not the Web client's, to the Oracle server.

Figure 10-2 Connecting to an Oracle Server over the Internet

More Information: For information on using and configuring IIOP/SSL, see Oracle8i Enterprise JavaBeans and CORBA Developer's Guide.

SSL Combined with Other Authentication Methods

You can combine the features of SSL with other authentication methods supported by Oracle Advanced Security, such as Kerberos, SecurID, RADIUS, or Identix.

More Information: For information on authentication methods, see Chapter 1, "Introduction to Oracle Advanced Security."

This section discusses the following topics:

• Architecture of SSL Combined with Other Authentication Methods

• Using SSL Combined with Other Oracle Authentication Methods

Architecture of SSL Combined with Other Authentication Methods

As Figure 10-3 illustrates, Oracle Advanced Security operates at the session layer on top of SSL which uses TCP/IP at the transport layer.

Figure 10-3 SSL in Relation to Oracle Advanced Security

More Information: For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide.

Using SSL Combined with Other Oracle Authentication Methods

Figure 10-4 shows a scenario in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. In this scenario, server authentication uses SSL, and client authentication uses an authentication method supported by Oracle Advanced Security, such as Kerberos, SecurID, Identix, and Radius.

Figure 10-4 SSL in Relation to Other Authentication Methods

1. The client seeks to connect to the Oracle server.

2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use. See "How SSL Works in an Oracle Environment: The SSL Handshake" in this chapter.

3. Once the SSL handshake is successfully completed, the user seeks access to the database.

4. The Oracle server exchanges the user's authentication information with the authentication server.

5. Upon validation by the authentication server, the Oracle server grants access and authorization to the user.

The user, at the client, can now access the Oracle server securely using SSL.

Warning: You can use SSL encryption in combination with another Oracle Advanced Security authentication method. When you do this, you must disable any non-SSL encryption to comply with government regulations prohibiting double encryption. If you do not do this, the connection fails. You cannot use SSL authentication with Oracle Advanced Security encryption. For information on how to disable Oracle Advanced Security encryption, see Chapter 2, "Configuring Data Encryption and Integrity."

Issues When Using SSL

Consider the following issues when using SSL:

• SSL cannot be proxied through traditional application level firewalls, such as the CERN proxy server.

• SSL use enables authorizations to be retrieved from a LDAP-based directory service. Client-side SSL authentication is required in order to manage enterprise users and their privileges in a directory.

• Because SSL does authentication and encryption, from a performance standpoint, it is slower than the standard Net8 TCP/IP transport.

• The Oracle Advanced Security SSL feature does not work with versions of Oracle earlier than Oracle8i.

• Each SSL authentication mode requires unique configuration settings, as described in the following section.

Enabling SSL

To enable SSL, perform the general tasks in the following list.

• Task 1: Install Oracle Advanced Security and Related Products

• Task 2: Configure SSL on the Client

• Task 3: Configure SSL on the Server

• Task 4: Log on to the Database

Task 1: Install Oracle Advanced Security and Related Products

Install Oracle Advanced Security on both the client and server. When you install Oracle Advanced Security, the Oracle Universal Installer installs SSL, Oracle Wallet Manager, and Oracle Enterprise Login Assistant on your system.

More Information: See the Oracle8i installation documentation for your platform.

Task 2: Configure SSL on the Client

To configure SSL on the client, perform the tasks in the following list:

• Specify Required Client Configuration (Wallet Location)

• Set the SSL Cipher Suites on the Client (Optional)

• Set the Required SSL Version (Optional)

• Set SSL as an Authentication Service (Optional)

• Create a Net Service Name that Uses TCP/IP with SSL in the Connect Descriptor

  Note: There are two ways to configure a parameter: Statically, by setting the parameters in the sqlnet.ora file, as described in "Specify Required Client Configuration (Wallet Location)". Dynamically, by setting the parameters in the security subsection of the Net8 address.

  More Information: For the dynamic parameter names, see Appendix B, "Authentication Parameters".

Specify Required Client Configuration (Wallet Location)

To specify required configuration parameters for the client:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Client.

6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click the Browse button to find it by searching the file system.

   Note: You must later specify this same directory when you create a new wallet.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entries:

   SSL_CLIENT_AUTHENTICATION =TRUE
   OSS.SOURCE.MY_WALLET = 
    (SOURCE=
     (METHOD=File)
     (METHOD_DATA=
      (DIRECTORY=wallet_location)))
   

Set the SSL Cipher Suites on the Client (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.

The SSL_CIPHER_SUITES parameter sets the cipher suites SSL uses.

When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. Setting one or more cipher suites yourself overrides the other default cipher suites set during installation. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

• The level of security you want to use. For example, triple-DES encryption is stronger than DES.

• The impact on performance. For example, triple-DES encryption is slower than DES.

• Administrative requirements. The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.

You typically prioritize cipher suites starting with the strongest and moving to the weakest.

The following two tables list the available SSL cipher suites supported in both the domestic and export editions of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. These tables also list the authentication, encryption, and data integrity types each cipher suite uses.

Table 10-1 Oracle Advanced Security Domestic Edition Cipher Suites

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	3DES EDE CBC	SHA
SSL_RSA_WITH_RC4_128_SHA	RSA	RC4 128	SHA
SSL_RSA_WITH_RC4_128_MD5	RSA	RC4 128	MD5
SSL_RSA_WITH_DES_CBC_SHA	RSA	DES CBC	SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA	DH anon	3DES EDE CBC	SHA
SSL_DH_anon_WITH_RC4_128_MD5	DH anon	RC4 128	MD5
SSL_DH_anon_WITH_DES_CBC_SHA	DH anon	DES CBC	SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

Table 10-2 Oracle Advanced Security Export Edition Cipher Suites

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

Warning: If you use SSL in conjunction with another authentication method supported by Oracle Advanced Security, you must disable any non-SSL encryption to comply with government regulations prohibiting double encryption. If you do not do this, the connection fails. For information on how to disable Oracle Advanced Security encryption, see "Negotiating Encryption and Integrity" in Chapter 2, "Configuring Data Encryption and Integrity."

To specify cipher suites for the client:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Client.

6. Click the Add button. A secondary dialog box listing available cipher suites appears.

   
   

7. Add a suite to the Cipher Suite Configuration list by selecting a suite and clicking OK. The Cipher Suite Configuration list updates with the cipher suite.

   
   

8. Use the up and down arrow buttons to prioritize the cipher suites. The order you set determines the order in which the client negotiates with other entities on which cipher suite to use.

9. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entry:

   SSL_CIPHER_SUITES= (SSL cipher suite1 [,SSL cipher suite2])
   

Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. The parameter defines the version of SSL that must run on the machines with which the client communicates. You can require those machines to use SSL 3.0, or any existing or future versions. The default setting for this parameter in sqlnet.ora is 0; in Net8 Assistant it is Any.

To set the SSL version for the client:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Client.

6. In the Require SSL Version scroll box the default is Any. Accept this default or select the SSL version you want to enforce.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entry:

   SSL_VERSION={ 0 | 3.0 }
   

Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.

You must set this parameter only if both of the following two conditions apply:

• You want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos or SecurID.

  and

• You are not using Net8 Assistant to configure the client or the server.

If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example:

 SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, identix,securid)

If either or both of the above conditions do not apply, you do not need to set this parameter.

Create a Net Service Name that Uses TCP/IP with SSL in the Connect Descriptor

The client must be configured with the location of the listener. For an SSL connection, the client must be configured with a TCP/IP with SSL listener protocol address.

More Information: See the Net8 Administrator's Guide to create a net service name.

Task 3: Configure SSL on the Server

During installation, Oracle sets defaults on both the Oracle server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform the following tasks.

1. Specify Server Configuration (Wallet Location)

2. Set the SSL Cipher Suites on the Server (Optional)

3. Set the Required SSL Version (Optional)

4. Set SSL as an Authentication Service (Optional)

5. Set SSL as an Authentication Service (Optional)

6. Create Listening Endpoint that Uses TCP/IP with SSL

   Note: There are two ways to configure a parameter: Statically, by setting the parameters in the sqlnet.ora file, as described in "Specify Required Client Configuration (Wallet Location)". Dynamically, by setting the parameters in the security subsection of the Net8 address.

   More Information: For the dynamic parameter names, see Appendix B, "Authentication Parameters".

Specify Server Configuration (Wallet Location)

To specify required configuration parameters for the server:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Server

6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click the Browse button to find it by searching the file system.

   Note: You must later specify this same directory when you create a new wallet.

7. Choose File > Save Network Configuration.

   The sqlnet.ora and listener.ora files update with the following entry. allowing for secure connections over SSL:

   OSS.SOURCE.MY_WALLET = 
    (SOURCE=
     (METHOD=File)
     (METHOD_DATA=
      (DIRECTORY=<wallet_location)))
   
   

8. Add the following line to the listener.ora file to have the database authenticate the client rather than the listener:

   SSL_CLIENT_AUTHENTICATION=FALSE
   
   

   SSL_CLIENT_AUTHENTICATION is set to TRUE by default. Since the database authenticates the client, it is not necessary to have the listener authenticate the client. Therefore, Oracle Corporation recommends setting this parameter to FALSE. Decisions to set this parameter to TRUE are at the discretion of your security administrator.

   Important: There are two occasions during the client and the server configuration when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions. On the occasion described in this section, you set the location of the wallet either by using the Net8 Assistant or by modifying the sqlnet.ora file. Later, you use the Oracle Wallet Manager as described in "Creating a New Wallet" in Chapter 17.

Set the SSL Cipher Suites on the Server (Optional)

The SSL_CIPHER_SUITES parameter sets the cipher suites SSL uses.

When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. Setting one or more cipher suites yourself overrides the other default cipher suites set during installation. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are removed.

You can prioritize the cipher suites. When the server negotiates with clients over which cipher suite to use, it follows the prioritization you set.

When you prioritize the cipher suites, consider the following:

• The level of security you want to effect. For example, triple-DES encryption is stronger than DES. See Chapter 2, "Configuring Data Encryption and Integrity."

• The impact on performance. For example, Triple-DES encryption is slower than DES.

• Administrative requirements. The cipher suites selected for a server must be compatible with those required by the client.

  For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. In this case, you cannot use a cipher suite employing Diffie-Hellman anonymous authentication, which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.

  Note: In Oracle Advanced Security version 8.1.6, if you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. See "Set SSL Client Authentication (Optional)"in this chapter.

You would typically prioritize cipher suites starting with the strongest and moving to the weakest. The following two tables list the available SSL cipher suites supported in both the domestic and export editions of Oracle Advanced Security. These tables also list the authentication, encryption, and data integrity types each cipher suite uses.

Table 10-3 SSL Cipher Suites in Domestic Edition of Oracle Advanced Security

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	3DES EDE CBC	SHA
SSL_RSA_WITH_RC4_128_SHA	RSA	RC4 128	SHA
SSL_RSA_WITH_RC4_128_MD5	RSA	RC4 128	MD5
SSL_RSA_WITH_DES_CBC_SHA	RSA	DES CBC	SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA	DH anon	3DES EDE CBC	SHA
SSL_DH_anon_WITH_RC4_128_MD5	DH anon	RC4 128	MD5
SSL_DH_anon_WITH_DES_CBC_SHA	DH anon	DES CBC	SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

Table 10-4 SSL Cipher Suites in Export Edition of Oracle Advanced Security

Cipher Suite	Authentication	Encryption	Data Integrity
SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

To specify cipher suites for the server:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Server.

6. Click the Add button. A secondary dialog box listing available cipher suites appears.

   
   

7. Add a suite to the Cipher Suite Configuration list by selecting a suite and clicking OK. The Cipher Suite Configuration list updates with the cipher suite.

   
   

8. Use the up and down arrow buttons to prioritize the cipher suites. The order you set determines the order in which the client negotiates with other entities on which cipher suite to use.

9. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entry:

   SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
   

Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the machines with which the client communicates. You can require those machines to use SSL 3.0, or any existing or future versions. The default setting for this parameter in sqlnet.ora is 0; in Net8 Assistant it is Any.

To set the SSL version on the server:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Server.

6. In the Require SSL Version scroll box the default is Any. Accept this default or select the SSL version you want to enforce.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entry, listing the version in order of priority used:

   SSL_VERSION={ 0 | 3.0 }
   

Set SSL Client Authentication (Optional)

The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE.

You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or CyberSafe.

To set this parameter to FALSE:

1. Start Net8 Assistant:
   • On UNIX, run netasst from $ORACLE_HOME/bin.

   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

2. In the navigator's pane, expand Local > Profile.

3. From the list in the right pane, select Oracle Advanced Security.

   The Oracle Advanced Security tabbed pages appear.

4. Click the SSL tab.

   
   

5. Select Configure SSL for Server.

6. Deselect Require Client Authentication.

7. Choose File > Save Network Configuration.

   The sqlnet.ora file updates with the following entry:

   SSL_CLIENT_AUTHENTICATION=FALSE
   

Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter sets the SSL authentication service.

You must set this parameter only if both of the following conditions apply:

• You want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, you want the server to authenticate itself to the client by using SSL, and the client to authenticate itself to the server by using Kerberos or SecurID.

• You are not using Net8 Assistant to make any configuration changes.

If both of the above conditions apply, use a text editor to add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file. For example:

SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, selected_method_1, selected_method_2)

If either or both of the above conditions do not apply, you do not need to set this parameter.

Create Listening Endpoint that Uses TCP/IP with SSL

Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora file. Oracle Corporation recommends a port number 2484 for typical Net8 clients and 2482 for client connections to Oracle8i JServer.

More Information: See the Net8 Administrator's Guide.

Task 4: Log on to the Database

If you are using SSL authentication, launch SQL*Plus and enter the following:

CONNECT/@dnet_service_name

If you are not using SSL authentication, launch SQL*Plus and enter the following:

CONNECT username/password@net_service_name