Oracle Advanced Security Administrator's Guide
Release 8.1.7

Part Number A85430-01





Go to previous page Go to next page

Managing Enterprise User Security

Enterprise user security management lets you create and administer large numbers of users in a secure, LDAP-compliant directory service. This chapter describes the configuration and setup of enterprise user security management, in the following sections:

Part I: Overview / Concepts:

Part II: Procedure

Part I: Overview / Concepts

Overview of Enterprise User Security

This section describes fundamental concepts related to enterprise user security management:

Introduction to Enterprise User Security

Administrators must manage complex user information, keeping it current and secure. These tasks become all the more challenging with increased use of technology and a high user turnover in enterprises. For example, in a typical enterprise, individual users can have multiple accounts on multiple databases. This can produce too many passwords for users to remember, and too many accounts for administrators to manage.

There are security problems as well. For example, any time a user leaves a company or changes jobs, that user's privileges should be changed the same day in order to guard against misuse of that user's accounts and privileges. However, in a large enterprise, with user accounts and passwords distributed over multiple databases, an administrator may not be able to make the timely changes required by good security practices.

Enterprise user security management addresses these user, administrative, and security challenges by centralizing storage and management of user-related information in an LDAP-compliant directory service. When an employee changes jobs in such an environment, the administrator need only modify information in one location--the directory--to make effective changes in multiple databases and systems. This centralization lowers administrative costs and improves enterprise security.

Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:

It also provides a tool, Oracle Enterprise Security Manager, to create user entries in the directory and manage authorizations for those users.

See Also:

Chapter 20, Using Oracle Enterprise Security Manager 

About Directories

A directory is an index to information, organized so that you can find it easily. It lists objects--for example, people, books in a library, merchandise in a department store--and gives details about each one. Examples of directories include a telephone book, a library card catalog, and a department store catalog.

In a computerized environment, a directory is a specialized database that stores collections of information about objects. The information in such a directory might represent any resources that require management--for example, employee names, titles, and security credentials, information about e-commerce partners, or about shared network resources such as conference rooms and printers.

Some of the key concepts for understanding directories include:


In a directory, each collection of information about an object is called an entry. Just as a telephone directory includes entries for people, an online directory might include entries for employees, conference rooms, e-commerce partners, or shared network resources such as printers.

Distinguished Names and Directory Information Trees

Each entry in a directory is uniquely identified by a distinguished name (DN). The distinguished name tells you where the entry resides in the directory's hierarchy, called a directory information tree (DIT), illustrated by Figure 17-1:

Figure 17-1 A Directory Information Tree

The DIT in Figure 17-1 is structured along geographical and organizational lines. The branch on the right represents the entry for Anne Smith, who works in the organizational unit (ou) Server Development, in the country (c) of Great Britain (uk), in the organization (o) Acme.

The DN for this Anne Smith entry is:

cn=Anne Smith,ou=Server Development,c=uk,o=acme.

Note that the conventional format of a distinguished name starts with the least significant component (that naming the entry itself) and proceeds to the most significant component (that just below the root).


The example in Figure 17-1 uses the following notation to define distinguished name components:

  • o = organization

  • c = country

  • ou = organizational unit

  • cn = common name


Naming Contexts

A directory's information is divided into units called directory naming contexts. A directory naming context is a subtree that resides entirely on one server. It must be contiguous, beginning at an entry that serves as the top of the subtree, and extending downward to either leaf entries or references to subordinate naming contexts. It can range in size from a single entry to the entire DIT.

With Oracle8i Release 8.1.7, as described later in this chapter, you choose one or more naming contexts to contain Oracle enterprise information. These are called administrative contexts, and within each one, you can create a container to hold Oracle enterprise information--called an Oracle Context.

Authorization and Access Control

The authorization process ensures that a user has access to only that information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user has the required permissions to perform those operations. Otherwise, the operation is disallowed. Through this mechanism, the directory server protects directory data from unauthorized operations by directory users. This mechanism is called access control.

Access control policies are captured in an Access Control List (ACL). An ACL is associated with each directory object and governs the access policies for that object.

ACLs specify the following:

Oracle Internet Directory

Combining the flexibility of the Internet's LDAP standard with the robustness of the Oracle8i platform, the Oracle Internet Directory provides a scalable, reliable and secure LDAPv3 directory service for mission critical applications.

Oracle Internet Directory is an LDAP Version 3 service that combines the mission critical strength of Oracle's database technology with the flexibility and compatibility of the LDAP directory standard. Oracle Internet Directory is tightly integrated with the Oracle management environment, making it the enterprise directory of choice for Oracle using organizations. Its scalability, high availability and security features make it the ideal customer choice for internet service provider (ISP) and telecommunications carrier implementations.

The Oracle Internet Directory server is implemented as an application running on an Oracle8i database. Through its tight integration, Oracle Internet Directory effectively leverages the features of the Oracle platform to make it the compelling choice for mission-critical applications.

Oracle Internet Directory provides comprehensive and flexible support for LDAP v3 directory access control. This includes entry level, attribute level, and prescriptive access controls to provide varying levels of security to custom fit enterprise and service provider needs. An administrator can grant or control access to a specific directory object or an entire directory subtree. Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based, using the Secure Socket Layer (SSL) v3 protocol for authenticated access and data privacy.

Oracle Internet Directory and Oracle Enterprise Manager both include Oracle Directory Manager, a graphical directory administrative tool for managing and administering directory information from anywhere in the distributed environment. It also manages directory schema, replication agreements, and access control information. Oracle Directory Manager provides administrative transparency for Oracle using organizations deploying both Enterprise Manager and Oracle Internet Directory. Written entirely in Java, Oracle Directory Manager is portable to all Oracle platforms.

See Also:

Oracle Internet Directory Administrator's Guide 

Elements of Enterprise User Security Management

The principal directory entries that relate to enterprise user security management include the following:

Enterprise Users

An enterprise user is one that is defined and managed in a directory. Each enterprise user has a unique identity across an enterprise.

Enterprise Roles and Global Roles

Enterprise users can be assigned enterprise roles, which determine their access privileges on databases. These enterprise roles are also stored and managed in a directory.

An enterprise role consists of one or more global roles. A global role includes privileges contained in a database, but the global role is managed in a directory. An enterprise role is thus a container of global roles. For example, the enterprise role CLERK could contain the global role HRCLERK with its unique privileges on the Human Resources database, and the ANALYST role with its unique privileges on the Payroll database.

An enterprise role can be granted to or revoked from one or more enterprise users. For example, you could grant the enterprise role CLERK to a number of enterprise users who hold the same job. This information is protected in the directory, and only the administrator can manage users and grant and revoke their roles. A user can be granted local roles and privileges in a database in addition to enterprise roles.

An enterprise domain subtree includes an enterprise role object that contains information about global roles for each server and enterprise roles for the domain. These are created and managed by the Domain Administrator by using Oracle Enterprise Security Manager.

See Also:

Creating an Enterprise Role within an Enterprise Domain


The database obtains a user's global roles when the user logs in. If you change a user's global roles, those changes do not take effect until the next time the user logs in. 

Local Roles and Privileges

Local roles are stored in the database, and can be used in combination with enterprise roles. Local roles and privileges can also be created in the database. They can be granted directly to a shared schema, or they can be granted to a global role--that is part of an enterprise role and granted to a user.

See Also:


Enterprise Domains

An enterprise domain is a group of databases and enterprise roles. An example of a domain could be the engineering division in an enterprise or a small enterprise itself. It is here, at the enterprise domain level, that the Domain Administrator, using Oracle Enterprise Security Manager, allocates enterprise roles to users and manages enterprise security. An enterprise domain subtree in a directory is composed of two objects: enterprise role objects (discussed by Enterprise Roles and Global Roles), and mapping objects.

Each mapping object contains mapping information between a full or partial DN and an Oracle database user name. Mapping objects are created by the Domain Administrator for a particular domain. Mapping objects also reside under server objects, and are created by the Database Administrator for a particular database.

See Also:

Mapping an Enterprise User to a Shared Schema

Oracle Context

An Oracle Context (cn=OracleContext) is a special entry in the directory that contains various Oracle entries to support directory naming and enterprise user security. An Oracle Context contains three administrative groups and a product subtree, and can also include server and Net8 objects.

The Oracle Context also contains the database security subtree under the cn=products and cn=OracleDBSecurity container objects. This subtree contains enterprise domains, which are the groups of database servers and enterprise roles. The Oracle Context subtree is created by Oracle Net8 Configuration Assistant (Net8CA), and is populated with server entries by Oracle Database Configuration Assistant (DBCA) during the database install, and by Oracle Enterprise Security Manager during administration. Databases (and other Oracle LDAP clients) refer to entries in the context to determine enterprise user authorization at login.

During database installation, a default enterprise domain (cn=OracleDefaultDomain) is established. The domain administrator can later add additional enterprise domains (represented in Figure 17-2 as cn=Domain1) by using Oracle Enterprise Security Manager.


Do not remove the default enterprise domain (cn=OracleDefaultDomain); it is required when using the Oracle Database Configuration Assistant to register a database. 

See Also:

Creating an Enterprise Domain

Administrative Context

The administrative context is the location for an Oracle Context. It can be any directory entry. During directory access configuration, which is completed with Oracle Net8 Configuration Assistant during or after installation, you select an administrative context. An administrative context, an Oracle Context, and its subtrees are illustrated by Figure 17-2:

Figure 17-2 An Administrative Context


Do not modify the ACLs for the objects contained in an Oracle Context; doing so breaks the security configuration for these objects--and may break enterprise user functionality as well. 

Administrative Groups

The Oracle Context contains three administrative groups, each with its associated ACL. The user who creates the Oracle Context with Net8CA automatically becomes the first member of each of these groups. The three administrative groups in an Oracle Context are described in Table 17-1:

Table 17-1 Administrative Groups in an Oracle Context
Administrative Group  Description 


Members of the OracleNetAdmins group (cn=OracleNetAdmins,cn=OracleContext) have create, modify, and read access to Net8 objects and attributes. Net8CA establishes these access rights for this group during Oracle Context creation.

In addition to the Oracle Context creator, other users can be added to this group by members of the OracleDBSecurityAdmins group or the OracleNetAdmins group. 


Members of the OracleDBCreators group (cn=OracleDBCreators,cn=OracleContext) are in charge of creating new databases, and this includes registering each database in the directory by using the Oracle Database Configuration Assistant. They have create and modify access to database service objects and attributes. They can also modify the Default Domain.

Net8CA establishes these access rights during Oracle Context creation.

In addition to the Oracle Context creator, other users can be added to this group by members of the OracleDBSecurityAdmins group by using Oracle Enterprise Security Manager. 


Members of OracleDBSecurityAdmins (cn=OracleDBSecurityAdmins,cn=OracleContext) have root privileges for the Oracle Context. They have create, modify, and read access for enterprise user security. They have permissions on all of the domains in the enterprise and are responsible for:

  • Administering the OracleDBSecurityAdmins and OracleDBCreators groups

  • Creating new enterprise domains

  • Moving databases from one domain to another within the enterprise

Net8CA sets up these access rights during Oracle Context creation.

In addition to the Oracle Context creator, members of this group can add other users to this group by using Oracle Enterprise Security Manager. 

You can also have a Domain Administrator responsible for managing a single domain. This administrator is less privileged than the Database Security Administrator. Similarly, you can have a Database Administrator responsible for a single database directory entry.

See Also:

Net8 Administrator's Guide for information about adding members to the OracleNetAdmins group 

Server-Related Objects

In addition to server-related objects, an Oracle Context may also include other types of objects (Table 17-2):

Table 17-2 Server-Related Objects in an Oracle Context
Object  Description 

Database server object 

A database server object (represented as cn=server1 in Figure 17-2) contains information about a database server. It is created by the Oracle Database Configuration Assistant during the database installation (or later, using the DBCA Modify Database command) and can be added later by members of the OracleDBCreators group by using Oracle Enterprise Security Manager. A database server object is the parent of database level mapping objects that contain mapping information between full or partial DNs and Oracle shared schema names. Database level mapping objects are created by the Database Administrator by using Oracle Enterprise Security Manager. 

Net service name object 

Net service name objects can be created during the database installation by using the Net8 Assistant. They can also be created later by members of the OracleNetAdmins group. 

Overview of Enterprise User Security Management

Figure 17-3 provides an overview of the Enterprise User Security Management process:

Figure 17-3 Overview of Enterprise User Security

The Enterprise User Security Process

Figure 17-4 describes the operation of the Enterprise User Security Management process, assuming:

Figure 17-4 How Enterprise User Security Management Works

  1. An administrator uses Net8CA to (i) select the administrative context in the directory, and (ii) and create an Oracle Context.

  2. A member of the OracleDBCreators group uses the Oracle Database Configuration Assistant to register the database with the directory.

  3. An administrator uses Oracle Enterprise Security Manager to set up both enterprise users and enterprise roles in the directory and relevant domains.

  4. A user initiates an SSL connection to the database (logs on), and the database uses SSL to authenticate the user.

  5. The database retrieves the user's enterprise roles from the directory, and authorizes any associated global roles applicable to that database.

Shared Schemas

The following sections describe shared schema features, and how to set them up:


Users do not necessarily require individual accounts or schemas set up in a database they wish to access. Alternatively, they can be granted access to common, shared schemas (also called user/schema separation) associated with target applications. For example, suppose that users Tom, Dick, and Harriet require access to the Payroll application on the Finance database. They do not need to create unique objects in the database, and therefore do not need their own schemas--they do need access to the Payroll schema.

Oracle8i Release 8.1.7 supports mapping multiple users stored in an enterprise directory to shared schema on an individual database. This separation of users from schemas reduces administration costs by reducing the number of user accounts. It means that you do not need to create an account for each user--a user schema--in multiple databases, in addition to creating the user in the directory. Instead, you can create a user in one location, the enterprise directory, and map the user to a shared schema that other enterprise users can also be mapped to. For example, if Tom, Dick and Harriet all access both the Sales and the Finance databases, you do not need to create an account for each user on each of these databases. Instead, you can create a single shared schema on each database, such as SALES_APPLICATION and FINANCE_APPLICATION, respectively, that all three users can access. A typical environment might have some 5,000 enterprise users mapped to just one of three or four shared schemas.


Setting Up Shared Schemas

To configure shared schemas, the local Database Administrator must create at least one database schema in a database. Enterprise users can be mapped to this schema.

In the following example, the administrator creates a shared schema and maps users to it:

When Harriet connects to the database, she is automatically connected to the EMPLOYEE schema and is given the global role HRMANAGER. Multiple enterprise users can be mapped to the same shared schema. For example, the enterprise security administrator can create another enterprise user Scott and map Scott to the EMPLOYEE schema. From that point on, both Harriet and Scott automatically use the EMPLOYEE schema when connecting to the HR database, but each can have different roles--and can be individually audited.

Shared Schema Functionality And SSL

Shared schema functionality relies on SSL for authentication to the database. SSL authentication occurs as follows:

Continuing this example, assume that the enterprise role MANAGER contains the global roles ANALYST on the HR database, and CLERK on the Payroll database. When Harriet, who has the enterprise role MANAGER, connects to the HR database, she uses the schema EMPLOYEE on that database. Her privileges on that database are determined by:

When Harriet connects to the Payroll database, her privileges are determined by:

Creating a Shared Schema

The syntax for creating a shared schema is:


For example, the administrator for the HR database creates a shared schema for the user SALES_APPLICATION as follows:



There is no space between the single quotation marks in the syntax for creating a shared schema. 

Creating an Enterprise User in the Directory

To load entries one at a time, you can use Oracle Enterprise Security Manager. To load large numbers of entries, use other LDAP processes such as the Oracle Internet Directory bulk load tool.

See Also:


Mapping an Enterprise User to a Shared Schema

The mapping between enterprise users and a schema can be done in either the database or the directory.

The mapping is done in the directory by means of one or more mapping objects. A mapping object is used to map the Distinguished Name (DN) of a user, contained in a user's X.509 certificate, to a database schema that the user will access. You create a mapping object by using Oracle Enterprise Security Manager. This mapping can be either of the following:

When determining the schema to which it should connect the user, the database uses the following precedence rules:

You can grant privileges to a specified group of users by granting roles and privileges to a database schema. Every user sharing such a schema gets these local roles and privileges in addition to personal enterprise roles. However, you should exercise caution when doing this, because every user who is mapped to this shared schema can exercise the privileges assigned to it.

Current User Database Links

Oracle8i supports current user database links, which let you make a procedural connection to a second database as another user and with that user's privileges--though it does not require that the second user's credentials be stored in the database link definition. Such access is limited to the scope of the database link procedure.

For example, a current user database link lets Harriet, a user of the Accounts Payable database, procedurally access the Human Resources database by connecting as Scott, and using Scott's credentials.

For Harriet to access a current user database link to connect to the schema Scott, Scott must be a schema created as IDENTIFIED GLOBALLY in both databases. Harriet, however, can be a user identified in one of three ways:

To create Scott as a global user in both the Accounts Payable and Human Resources databases, you must enter the following command in each database:


Note that the syntax for creating this kind of schema is slightly different from the syntax for creating a shared schema described in Creating a Shared Schema. In this case, the schema is Scott's alone. In order for the current user database link to work, the schema created for Scott cannot be shared with other users.

Current user database links operate only between databases within a single enterprise domain, and only if that domain is trusted. You specify a domain as trusted by using Oracle Enterprise Security Manager. To specify a database as untrusted that is part of a trusted enterprise domain, use the PL/SQL package DBMS_DISTRIBUTED_TRUST_ADMIN. To obtain a list of trusted servers, use the TRUSTED_SERVERS view.

See Also:


Oracle Enterprise User Security Components

Oracle enterprise user security functionality uses the following administration tools:

Oracle Wallet Manager

Oracle Wallet Manager is a standalone Java application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. Wallet Manager tasks include:

Oracle Enterprise Login Assistant

Use Oracle Enterprise Login Assistant to open and close a user wallet in order to enable or disable secure SSL-based communications for an application. A functional subset of Oracle Wallet manager, this easy-to-use tool lets users connect to multiple services with a single sign-on. Oracle Enterprise Login Assistant masks the complexity of SSL, wallets, enterprise users, and the process of authenticating to multiple databases. It lets users securely access multiple databases and applications using a single password, entered only once per session.

See Also:

Chapter 19, Using Oracle Enterprise Login Assistant, for additional information about this tool 

Oracle Enterprise Security Manager

Oracle Enterprise Security Manager is an administration tool that provides a graphical user interface to help you manage enterprise users, enterprise domains, databases, and enterprise roles that are stored in a directory server. Use Oracle Enterprise Security Manager to:

Part II: Procedure

Installing and Configuring Enterprise User Security

This section describes how to set up enterprise user security. The required tasks follow:

Task 1: Install or Identify a Certificate Service

Oracle Wallet Manager requires you to have a certificate authority (CA) in your environment. You can use a CA vendor's certificates, or you can use your own CA that can process PKCS#10 certificate requests in Base 64 format and return X509v3 certificates--also in Base 64 format.

See Also:

Chapter 18, Using Oracle Wallet Manager, for a description of certificate authorities and Oracle Wallet Manager 

Task 2: Install and Configure a Directory Service

Conceptually, there are four major prerequisites for an Oracle RDBMS to communicate with the directory:

Net8CA performs the first three steps (called directory service access configuration), and the Oracle Database Configuration Assistant (DBCA) performs the fourth. Note that you must create the Oracle Context once per directory, but you need to create an ldap.ora file for each ORACLE_HOME used to access the directory. If there is no context, Net8CA asks if you want to create one; if one already exists, it asks which one you want to use. If there is no Oracle schema installed in the directory (which is done automatically for Oracle Internet Directory), Net8CA prompts you to install it.

If you run the recommended custom database install, Net8CA and DBCA automatically complete the directory-related configuration.

If you install the Oracle8i database using a typical install, Net8CA and DBCA do not complete the directory-related configuration. In this case, you must run both Net8CA and DBCA in standalone mode.

To install and configure a directory service:

Step 1: Install an LDAP v3-Compliant Directory Service

Oracle8i Release 8.1.7 supports the following:

Step 2: Set Up the Directory for Two-way SSL Authentication

This requires the creation of an Oracle wallet for the directory. If you are using Oracle Internet Directory, use Oracle Wallet Manager and Oracle Directory Manager to create a wallet for the directory and to configure SSL. If you are using Microsoft Active Directory, see the product-specific documentation for instructions about enabling two-way SSL authentication.

Step 3: Start the Directory

Step 4: Create Directory Naming Contexts

Step 5: Create Administrative Contexts

Create administrative contexts beneath the directory naming contexts in the DIT.

For example:

If your naming context is dc=my_company,dc=com, you can enter dc=us,dc=my_company,dc=com as an administrative context.

Step 6: Create Administrative Users

Create administrative users--especially those authorized to register databases.

Step 7: Create Oracle Contexts

If you are using Oracle Internet Directory, use Net8CA to create Oracle Contexts (the Oracle schema is installed automatically).

If you are not using Oracle Internet Directory, you can use Net8CA later to install the Oracle schema and create Oracle Contexts.

See Also:


Task 3: Install and Configure the Database

To install and configure one or more databases:

Step 1: Install Oracle8i Release 8.1.7 Database Software

Use the Oracle Universal Installer to install Oracle8i databases. Before installation, obtain the following from the directory administrator:

During installation, select Oracle8i Enterprise Edition and the Custom installation type with Oracle Advanced Security.

See Also:

Oracle8i Release 8.1.7 installation documentation for your platform, for detailed instructions about how to install and create a database. 

Net8CA runs automatically at the end of the Oracle8i installation process; see Step 2 for related instructions.

Step 2: Set Up Directory Access for ORACLE_HOME

To configure directory service access configuration, use Net8CA:

  1. Run Net8CA:

    • Microsoft NT: Select Start-->Programs-->Oracle - OraHome81-->Network Administration-->Net8 Configuration Assistant

    • UNIX: Type net8ca at the command line.

  2. Select Directory Service Access Configuration; choose Next.

  3. Select Perform directory access configuration for a server; choose Next.

  4. In the Directory Type window, select your Directory Type (Oracle Internet Directory, for example).

  5. In the Directory Location window:

    • Enter the name of your directory host system in the Hostname field.

    • Enter the non-SSL port number in the Port field; the default is 389.

    • Enter the SSL port number in the SSL Port field; the default is 636.

    • Choose Next.

  6. If an Oracle Context already exists in the directory, select it--and proceed to Step 11.

  7. In the next window, Net8 Configuration Assistant: Directory Access, No Oracle Context: choose Yes, I want to create a new Oracle Context; choose Next.

  8. The next window, Net8 Configuration Assistant: Directory Access, Create Oracle Context, asks where to create your context, and presents a list of the known naming contexts in the directory.

    Either select an existing naming context, or enter the distinguished name (DN) of a directory entry under which you want to create your new context; choose Next.

  9. In the next window, Net8 Configuration Assistant: Directory Access, Credentials, enter the directory credentials (User DN, Password) of a user authorized to create objects under the chosen administrative context in the directory; choose Next.

  10. These steps create a complete Oracle Context in the directory, and a local ldap.ora file that tells the database where to find the context and the directory, and which port to use. Choose Finish to exit Net8CA.

  11. Verify that an ldap.ora file is located in one of the following directory paths:

    • Microsoft NT: X:\Oracle\Ora81\network\admin (Figure 17-5)

    • UNIX: $ORACLE_HOME/network/admin

Figure 17-5 Example: The ldap.ora File (Microsoft NT)

  • Use Oracle Directory Manager to verify that there is a new Oracle context subtree in your directory. In the example (Figure 17-6), it is rooted at cn=OracleContext,o=nmt,c=us.

    Figure 17-6 Example: Oracle Context Subtree

    See Also:

    Net8 Administrator's Guide, for instructions about setting up directory access for the database (Configuring Naming Methods). 

    Step 3: Authorize Users for Administrative Functions

    To register your database in the directory (using DBCA), you must provide directory credentials for either (i) a user in the database Installation Administrator's group, or (ii) the directory superuser. If you choose the first approach, you may need to add appropriate users to that group before running DBCA. Use Oracle Enterprise Security Manager to put the appropriate directory users into the Database Installation Admin group--so they can register the database in the directory.


    This group is called the Database Installation Admin group by Oracle Enterprise Security Manager, but the actual group name in the directory is ORACLEDBCREATORS. 

    See Also:

    Chapter 20, Managing Enterprise User Security 

    To authorize users for administrative functions:

    1. Start Oracle Enterprise Security Manager:

      • Microsoft NT: Select Start-->Programs-->Oracle - OraHome81-->Extended Administration-->Enterprise Security Manager.

      • UNIX: Type oemapp esm at the command line.

    2. Log out:

      • Microsoft NT: Select Directory-->Logout

      • UNIX: Select Directory-->Logout

      This step is necessary because Oracle Enterprise Security Manager logs you into the directory anonymously by default.

    3. Log back in. Select Directory-->Login and log in as a directory administrator, or as a user with permission to modify the context. If it is a new context, this user is the one who created the context. If it is a pre-existing context, any user in the database security admin group is acceptable; the Directory Server Login window appears (Figure 17-7); choose Login.

    Figure 17-7 Example: The OID Directory Server Login Window

  • Use the User Search Base window to define the entry the directory is to search under (See: Chapter 20, Managing Enterprise User Security for details).

  • Using Oracle Enterprise Security Manager, add appropriate users to the following groups:

    Step 4: Use Oracle Database Configuration Assistant to Register the Database in the Directory

    1. If you performed a typical database installation, start DBCA in standalone mode as follows:

      • Microsoft NT: Select Start-->Programs-->Oracle - OraHome81-->Database Administration-->Database Configuration Assistant

      • UNIX: Enter dbassist at the command line.

    2. If you performed a custom database installation, Oracle Database Configuration Assistant asks if you want to register the database in the directory. Choose Yes.

    3. If you are running DBCA in a standalone mode, select Change database configuration and choose Next.

      • Select a database and choose Next (this process typically takes about a minute to complete).

      • Accept the correct server mode and choose Next.

      • Select any option and choose Next; the final Oracle Database Configuration Assistant window appears (Figure 17-8):

    Figure 17-8 Oracle Database Configuration Assistant Window (Finish)

    Figure 17-9 DBCA Locate Initialization File Window

    Task 4: Configure the Database for SSL

    To configure the database for SSL:

    Step 1: Configure Net8 for Listener and Database SSL Support

    If you are using an LDAP directory service for enterprise security, you can use Net8 directory naming. This lets the client connect to the database using the database entry registered with the directory by Oracle Database Configuration Assistant. You can alternatively use one of the other Net8 naming methods, such as local naming (tnsnames.ora file), to configure a net service name for the database. See the Oracle Net8 Administrator's Guide for more information.

    Net8 must be configured for SSL on both the listener and the database. The listener must have a listening endpoint that is configured for the TCP/IP with SSL protocol, and the location of the database wallet must be specified. Use Net8 Assistant to do this (See: Enabling SSL):

    1. Run Net8 Assistant:

      • Microsoft NT: Select Start-->Programs-->Oracle - OraHome81-->Network Administration-->Net8 Assistant.

      • UNIX: Enter netasst at the command line.

    2. Configure Profile:

    Step 2: Configure SSL Service Name

    To configure the SSL service name:

    1. In the Net8 Assistant Service Naming window, select the Service Naming icon and choose the Create icon (the big green plus sign at the upper-left side of the window).

    2. In the Net8 Service Name Wizard window (Welcome), enter your chosen Net Service Name; this is the name you use to access your database as an enterprise user. Choose Next.

    3. In the Net8 Net Service Name Wizard window (page 2 of 5: Protocol), select TCP/IP with SSL; choose Next.

    4. In the Net8 Net Service Name Wizard window (page 3 of 5: Protocol Settings), enter your database Host Name and Port Number--that you will use for the SSL connection.

    5. In the Net8 Net Service Name Wizard window (page 4 of 5: Service), enter the Oracle 8i Service Name; choose Next.

    6. Do not test this connection when asked. It will fail because (i) you have not set up the listener to listen for SSL connections, and (ii) you have not set up the database wallet; choose Finish.

    7. In the Net8 Assistant window, select File-->Save the network configuration; your TNSNAMES.ORA file is updated, and can be reviewed later.

    Step 3: Configure the Listener

    To configure the listener:

    1. In the Net8 Assistant window, expand Listeners and select Listener (in the expandable tree menu on the left side of the window).

    2. Select Listening Locations from the drop-down menu at the top right side of the window.

    3. Choose the Add Address button at the bottom right side of the window.

    4. Using the Protocol drop-down list, select TCI/IP with SSL; enter your host name and your chosen SSL port number.

    5. Select File-->Save Network Configuration; your listener.ora file is updated. Exit Net8 Assistant.


      • Do not attempt to start the listener--until you have set up a wallet for SSL connections.

      • Do not modify the value of SSL_CLIENT_AUTHENTICATION in listener.ora, which should be FALSE (the listener is not doing the authentication--the database uses SSL to authenticate the client).


    6. For Microsoft NT only: you must manually edit tnsnames.ora for the client; edit $ORACLE_HOME/network/admin/tnsnames.ora by adding the following to your SSL service name:


    Step 4: Review the .ORA Files

    To facilitate review of your .ora files, some Microsoft NT examples follow:

    Example: The SQLNET.ORA File

    (SOURCE =


    The wallet location matches the one you entered in Net8 Assistant for the database. 

    Example: The TNSNAMES.ORA File:

    (ADDRESS = (PROTOCOL = TCPS) (HOST = host1) (PORT = 5000)
    OE.WORLD =
    (ADDRESS = (PROTOCOL = TCP) (HOST = host1) (PORT = 1521)
    Example: The LISTENER.ORA File:

    (SOURCE =

    (ADDRESS = (PROTOCOL = TCP) (host = HOST1) (port = 1521)
    (ADDRESS = (PROTOCOL = TCPS) (HOST = host1) (PORT = 5000))
    (SID_LIST =
    (SID_DESC =
    (ORACLE_HOME = D:\Oracle\Ora81)
    (SID_NAME = oe)



    SSL client authentication is FALSE because the listener does not need to authenticate the client; the database authenticates the client. 

    Task 5: Create and Configure the Wallet

    To create and configure the wallet:

    Step 1: Create a Database Wallet

    To create a database wallet:

    1. Create a directory for the wallet for the location you specified in Step 1.

    2. Run Oracle Wallet Manager to create a new wallet for the database:

      • Microsoft NT: Select Start-->Programs-->Oracle-OracleHome81-->Network Administration-->Wallet Manager

      • UNIX: Enter owm at the command line.

    3. Select New from the wallet menu. Do not create a new default directory when asked--this is for user wallets. During certificate request creation, type the distinguished name (DN) of the database exactly:


      It is found in the initialization parameter file, in the parameter



      The Distinguished Name is case-sensitive. 

      For example:

      If the global database name chosen during installation is, and the administrative context selected within Net8CA is ou=division1,c=us,o=acme, the complete DN of the database that you enter into Oracle Wallet Manager is:



      cn=OracleContext must be included in the DN immediately after the simple database name. 

    4. Send the certificate request to your certificate authority (CA).

    5. Get the certificate text for the CA trusted certificate. The CA trusted certificate is sometimes called a root key certificate.

      The certificate text includes the lines BEGIN CERTIFICATE and END CERTIFICATE and the text between them.

    6. Import or paste the trusted certificate into the database wallet using the Oracle Wallet Manager Import Trusted Certificate function.

    7. Get the certificate text for the database certificate. The certificate text includes the lines BEGIN CERTIFICATE and END CERTIFICATE and the text between them.

    8. Import or paste the database certificate text into the wallet using the Oracle Wallet Manager Import User Certificate function.

    Step 2: Open the Wallet

    For users to access the database using two-way SSL authentication, the database wallet must be open, and the listener must be running. To open the wallet and run the listener:

    1. Shut down the listener. The listener needs to read the database's open wallet, so the database must log on before the listener can be started. Enter the following at the command line:

    2. In the Oracle Wallet Manager, select the Autologin check box under the Wallet menu to enable Autologin and to be able to start the listener on the database.

    3. Save the wallet to the directory you set up when you completed Step 1. For verification, check that there is a cwallet.sso file in the wallet directory.


      End users never have to use Oracle Wallet Manager, because Oracle Enterprise Login Assistant can be used to enable and disable autologin. 

    4. Change Oracle Services Login (Microsoft NT only). Because the database and the listener services are running as system (with few privileges in NT), and the wallets are opened under your user name, the database and the listener are not able to read the wallet. In order for them to read their wallet, they must be changed to log on as the user who enabled autologin for the database wallet.

      To change the Oracle Services login:

      • Shut down the database by opening the Services control panel and selecting OracleService <database name>; choose the Stop button; choose Yes to confirm.

      • Choose the Startup button.

      • In the Log On As region of the Service Window (Figure 17-10):

    Figure 17-10 The Oracle Service Window

    Choose This Account and enter <domain>\< NT user login> for the user who enabled autologin for the database wallet; alternatively, you can choose the browse button (...) to select from a list; enter your password in the Password and Confirm Password fields; choose OK.

  • Restart the listener by entering the following at the command line:

    The database wallet is now open, and the database is able to participate in authenticated communications using SSL; the OracleTNSListener service is also started.

    See Also:

    Chapter 18, Using Oracle Wallet Manager, for detailed instructions about creating a wallet. 

    Step 3: Perform Database Logout for Security


    If the database will be shut down for an extended period of time, perform a database logout and close the wallet for security purposes. 

    To log out of the database:

    1. Stop the listener by entering the following at the command line

      • Microsoft NT: lsnrctl stop

      • UNIX: lsnrctl stop

    2. Start Oracle Wallet Manager by entering:

      • Microsoft NT: Select Start-->Programs-->Oracle-OraHome81-->Network Administration-->Wallet Manager

      • UNIX: Enter owm at the command line.

    3. Clear the Autologin check box.

    4. Save your changes.

    5. Restart the listener by entering the following at the command line:

      • Microsoft NT: lsnrctl start

      • UNIX: lsnrctl start

    Step 4: Verify Database Installation

    To verify that the database was successfully installed:

    1. Verify that there is a cwallet.sso file located in the database wallet directory. If not, Autologin was not successfully enabled. If this happens, go back to the Oracle Wallet Manager, open the wallet, select the Autologin check box, and save the wallet.

    2. Verify that there is an ldap.ora file located in


      If there is no ldap.ora file, the Net8CA failed. Verify that the ORACLE_HOME is set and TNS_ADMIN is not set. Rerun Net8CA.

    3. Use the directory administration tool to verify that a database entry exists under the Oracle Context you specified when you ran the Net8CA. If you do not find the database entry, verify that the directory is running, the Oracle Context is set up, and the ldap.ora file exists and is correct. Then register the database again, using DBCA.

    Task 6: Create Global Schemas and Roles

    Although this step can be completed using Oracle Enterprise Manager, the following procedures use SQL*Plus directly.

    To create global schemas and roles:

    Step 1: Create a Shared Schema

    Using SQL*Plus, create a shared schema (called Guest, for example) for enterprise users by entering:


    Note the two single quotation marks with no space between them at the end of the line. If you enter a specific distinguished name (DN) between the quotation marks, only that user is able to connect to that schema.

    Step 2: Grant a Create Session Privilege

    Users connecting to this schema require a CREATE SESSION privilege. You can grant a CREATE SESSION privilege either to the guest schema, or to a global role which you grant to specific users though an enterprise role.

    Step 3: Create Global Roles

    Create global roles for the database to hold relevant privileges. These roles are associated with enterprise roles to be created later. Enterprise roles are allocated to users.

    For example:



    Step 4: Associate Privileges

    Associate privileges with the new global roles.

    For example:

    GRANT select ON products TO custrole, emprole;

    Task 7: Configure Database Clients

    Once you have installed Oracle8i clients, configure Net8 on the clients by using Net8 Assistant. You may complete this step during or after installation of Oracle8i Release 8.1.7.

    Because you will be using an LDAP directory service for enterprise security, you may also want to use Net8 directory naming. Net8 directory naming lets the client connect to the database using the database entry registered with the directory by Oracle Database Configuration Assistant. Alternatively, you can use one of the other Net8 naming methods, such as local naming (tnsnames.ora file), to configure a net service name for the database.

    Use SSL to enable clients to connect and authenticate to a database. Use Net8 Assistant to configure SSL on UNIX; configure an SSL net service name, as described by Step 2 and Table 17-2. Do not enter a wallet location when configuring a client profile. The lack of a specific wallet location indicates that SSL should find the default wallet for the current OS user. In this way, the sqlnet.ora file can be shared by enterprise users, providing easier administration and deployment. If you use a non-default wallet location, you must create separate sqlnet.ora files for each user.


    If you do not install clients, and ORACLE_HOME is set to a database server ORACLE_HOME, you must create at least one new TNS_ADMIN directory with a sqlnet.ora file--with no wallet location. This ensures that SSL uses the default location of the wallet for the operating system user. 

    To Create Wallet Directories for the User Wallets:

    Task 8: Configure an Enterprise Domain

    Oracle Enterprise Security Manager is installed automatically as part of the Oracle8i installation, and can be used to configure an enterprise domain. Note that the Oracle default domain is created by default when the Oracle Context is created in the directory, and databases are automatically added as members of that domain when they are registered by DBCA. Table 17-3 lists the steps required to set up an enterprise domain, and cross-references related instructions. If you are using the Oracle default domain, you can skip steps 1 and 4.

    Table 17-3 Setting up an Enterprise Domain
    Step  Related Instructions 

    1. Create an enterprise domain. 

    Creating an Enterprise Domain

    2. Make the enterprise domain trusted/untrusted. Only a trusted domain permits current user database links between member databases. 

    Creating an Enterprise Domain 

    3. Create enterprise roles in the domain. 

    Creating an Enterprise Role within an Enterprise Domain


    4. Use Oracle Enterprise Security Manager to make the database a member of the desired enterprise domain. 

    Adding a Database to an Enterprise Domain


    5. Create global roles on the databases. The SQL*Plus command is:




    6. Assign a global role to each enterprise role. 

    Creating an Enterprise Role within an Enterprise Domain


    Task 9: Configure Enterprise Users

    To create a new enterprise user:

    Step 1: Add a New Enterprise User to the Directory

    Any directory user can be an enterprise user. You can add users to the directory by using one of the following tools:

    You may want to populate the directory with users before using Oracle Enterprise Security Manager.

    See Also:

    • Administering Enterprise Databases, Domains, and Users for instructions about adding new enterprise users to the directory by using Oracle Enterprise Security Manager

    • Documentation for your directory service for information about using the directory administration tools


    Step 2: Create a User Wallet

    To create a user wallet, refer to Chapter 18, Using Oracle Wallet Manager.


    Store the user wallet in the default user wallet location:

    • Microsoft NT: x:\winnt\profiles\<os user>\ORACLE\WALLETS

    • UNIX: /etc/ORACLE/WALLETS/<os user>


    Step 3: Authorize the User

    You can do either or both of the following:

    If you are using a shared schema, use Oracle Enterprise Security Manager to map the user to a schema. You can choose either of the following mapping options:

    Task 10: Log In as the Enterprise User

    To log in as the Enterprise User:

    Step 1: Open the User Wallet

    The enterprise user must open the wallet created in Task 9 in order to log in to the database. Use Oracle Enterprise Login Assistant to open or close the wallet. Opening a user wallet generates a single sign-on file and allows authentication to the SSL adapter.

    To open a user wallet:

    1. Log in to the operating system as the appropriate user.

    2. To open the user wallet, run Oracle Enterprise Login Assistant by entering one of the following commands:

      • Microsoft NT: Start-->Programs-->Oracle - OraHome81-->Network Administration-->Enterprise Login Assistant

      • UNIX: Enter elogin at the command line

      The Oracle Enterprise Login Assistant window appears (Figure 17-11):

    Figure 17-11 The Oracle Enterprise Login Assistant Window

  • A red light indicates that you have not logged into the enterprise; select AutoLogin-->Login, and enter the wallet password.

  • The green light should now be on; save your changes. Your wallet is open, and you have authenticated access using the SSL adapter.


    If the ORACLE_HOME is set to a server ORACLE_HOME, you must set the TNS_ADMIN environment variable to address the directory where you placed the sqlnet.ora file--that you created in Task 7: Configure Database Clients.

    If you have a separate client ORACLE_HOME, you do not need to set the TNS_ADMIN environment variable.

    Step 2: Connect to the Database

    Launch SQL*Plus and enter:


    where connect_identifier is the net service name you set up in Task 7: Configure Database Clients. If you are using Net8 directory naming, the connect identifier is the simple database name.

    The system should respond Connected to:...; this is the principal confirmation of a successful connection and setup. If an error message is displayed, see: Troubleshooting Enterprise User Login.

    If you do connect successfully, check that the appropriate global roles were retrieved from the directory by entering:

    select * from session_roles

    In the Oracle Enterprise Login Assistant, select Autologin > Logout to disable authentication with the SSL adapter.

    See Also:

    Chapter 19, Using Oracle Enterprise Login Assistant, for instructions about using Oracle Enterprise Login Assistant. 

    Troubleshooting Enterprise User Login

    This section describes potential problems and associated corrective actions.

    No Global Roles

    The following tips help you verify that the user has been allocated the correct global roles upon database login and, if necessary, help determine the cause of failure:

    1. Check for the existence of global roles. Enter the following, including the semi-colon (;):

      SELECT * FROM session_roles;

    2. If there are no roles, one of the following applies:

      • The roles were not allocated to an enterprise role in Oracle Enterprise Security Manager.

      • The enterprise role was not assigned to the user in Oracle Enterprise Security Manager.

      • The database and Oracle Enterprise Security Manager have different values for the database domain; shut down and restart the database to update the database internal value.

      • Your database does not have proper permissions in the directory to see the roles. These permissions are created automatically, so it is possible that the distinguished name (DN) in the database certificate does not match the distinguished name registered for the database. In this case, the directory does not recognize the database as the proper entity, and denies access.

        Do an LDAP search to display the appropriate roles by entering the following:

        ldapsearch -h <directory hostname> P <SSL directory port number> -U 3

        -W "file:<walletpath>" -P [database wallet password]

        -b "[n=oracleDBSecurity, cn=Products, cn=OracleContext, [admin context]"


        If you do not see the roles, the database is not in the correct domain--or there is an incorrect distinguished name (DN) in the database wallet certificate. If the database appears to be receiving information from the wrong domain, try restarting the database to update its internal domain membership information.

    TNS Lost Connection

    This error may indicate that you attempted to configure a domestic cipher suite. Run the Net8 Assistant again, and be sure that you choose the Show Domestic Cipher Suites button.

    ORA-1004: Default username feature not supported

    This error indicates that the connection was not over SSL. Look at the tnsnames.ora file to verify the protocol value of the net service name that you are using. The value must be TCPS and not TCP.

    ORA-1017: Invalid username/password

    The distinguished name that the wallet uses to connect does not match the DN in the CREATE USER statement for any schema in the database, and it does not match the DN in any relevant mapping.

    1. Check the DN of the user in the mapping created using Oracle Enterprise Security Manager.

    2. Also check that your directory is actually listening properly for incoming SSL connections. From a command prompt, enter:


      ldapbind -h <directory hostname> -p <directory SSL port number> -U 3 -W "file:[database wallet path]" -P [database wallet password]

      Bind successful should be displayed. If the bind fails, try restarting the SSL instance of your directory.

      Then try the bind again.

      If it still doesn't work, carefully check the wallet location in the configuration set via Oracle Directory Manager. Make sure that it is set to the proper path name.

      Microsoft NT Example:

      Set the wallet location path name to:


      where oid represents your directory mnemonic. 


      You must get this ldapbind to work. If it does not work, do not continue. 

    3. If the prior steps do not work, circumvent the user-schema mapping step by altering the user guest to be a non-shared schema. In sqlplus as

    4. system/manager@database_name, enter:

      alter user guest identified globally as 'cn=oe20emp,c=us';

      and then try the connect /@connect_identifier again. If this succeeds, the problem is associated with the mapping of the user to the schema; use Oracle Enterprise Security Manager to check that mapping in the directory.

      Alter this user back to a shared schema by entering:

      alter user guest identified globally as '';

    ORA-12560: Protocol adapter error

    This error usually means that something is wrong with the wallet. Look in the sqlnet.log file in the current operating system directory for more information. Also, on Microsoft NT, this can mean that the Oracle service has stopped; check the Services control panel.

    Decryption of Encrypted Private Key Fails

    This error occurs when you attempt to open a wallet that you are not allowed to open.

    For Example:


    This is a catch-all Oracle8i error that indicates something unanticipated went wrong with the RDBMS to LDAP directory query.


    You can use tracing to help debug. This is appropriate if the ldapbind (See: ORA-1017: Invalid username/password) fails, indicating that the directory's SSL instance is not working properly.

    Oracle Internet Directory

    If you are using Oracle Internet Directory as your ldap directory, use the following tracing procedure:

    1. Turn on tracing in Oracle Internet Directory.

    2. At the command line, stop the SSL Oracle Internet Directory instance, and restart it with debug flags ON:

      oidctl conn=oiddb1 server=oidldapd instance=2 stop

      oidctl conn=oiddb1 server=oidldapd instance=2 conf=1

      flags="debug=65535" start

      This starts up the SSL Oracle Internet Directory instance in full debug mode. Log files will be written to $ORACLE_HOME\ldap\log. Look at the file with an 02 and an s in its filename, because it is for the instance 2 server. The log files without the s are for the monitor process (oidmon) and the dispatcher. Look at the end of the log file immediately after you have tried your connect /@connect_identifier. One thing to look for is the string Distinguished Name to ensure that it matches the DN of your user.

      To turn off Oracle Internet Directory tracing, restart via oidctl without the flags parameter.

  • Go to previous page Go to next page
    Copyright © 1996-2000, Oracle Corporation.

    All Rights Reserved.