|Oracle Advanced Security Administrator's Guide
Release 2 (9.2)
Part Number A96573-01
The ability of a system to grant or limit access to specific data for specific clients or groups of clients.
The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both.
A client-side product based on the Component Object Model (COM). ADSI defines a directory service model and a set of COM interfaces that enable Windows 2000, Windows NT, Windows 98, and Windows 95 client applications to access several network directory services, including Active Directory. ADSI allow applications to communicate with Active Directory.
A directory entry under which an Oracle Context resides. An administrative context can be a directory naming context. During directory access configuration, clients are configured with an administrative context in the directory configuration file (ldap.ora). The administrative context specifies the location of the Oracle Context in the directory whose entries a client expects to access.
Advanced Encryption Standard (AES) is a new cryptographic algorithm that has been approved by the National Institute of Standards and Technology as a replacement for DES. The AES standard is available in Federal Information Processing Standards Publication 197. The AES algorithm is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.
An item of information that describes some aspect of an entry. An entry comprises a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data.
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.
Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles. The set of privileges available to an authenticated entity.
The entry point in an LDAP-compliant directory.
An external naming method that enables users to use Oracle tools transparently and applications to access Oracle9i databases in a Distributed Computing Environment (DCE).
An ITU x.509 v3 standard data structure that securely binds an identify to a public key.
A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.
A trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.
An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates.
A mechanism that computes a value for a message packet, based on the data it contains, and passes it along with the data to authenticate that the data has not been tampered with. The recipient of the data recomputes the cryptographic checksum and compares it with the cryptographic checksum passed with the data; if they match, it is "probabilistic" proof the data was not tampered with during transmission.
An encryption method that protects against block replay attacks by making the encryption of a cipher block dependent on all blocks that precede it; it is designed to make unauthorized decryption incrementally more difficult. Oracle Advanced Security employs outer cipher block chaining because it is more secure than inner cipher block chaining, with no material performance penalty.
A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
Cipher suites describe the kind of cryptographics protection that is used by connections in a particular session.
Message text that has been encrypted.
Unencrypted plain text.
A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy).
A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext).
A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information. The destination service is indicated by using its service name for Oracle9i or Oracle8i databases or its Oracle system identifier (SID) for Oracle8 release 8.0 databases. The network route provides, at a minimum, the location of the listener through use of a network address.
Common Object Request Broker Architecture. An architecture that enables pieces of programs, called objects, to communicate with one another regardless of the programming language in which they are written or the operating system on which they are running. CORBA was developed by an industry consortium known as the Object Management Group (OMG).
A username, password, or certificate used to gain access to the database.
The practice of encoding and decoding data, resulting in secure messages.
A set of read-only tables that provide information about a database.
The U.S. data encryption standard.
(1) A person responsible for operating and maintaining an Oracle Server or a database application. (2) An Oracle username that has been given DBA privileges and can perform database administration functions. Usually the two meanings coincide. Many sites have multiple DBAs.
See net service name.
Also called a database creator. This administrator is in charge of creating new databases. This includes registering each database in the directory using the Database Configuration Assistant. This administrator has create and modify access to database service objects and attributes. This administrator can also modify the Default domain.
A network object stored in the local database or in the network definition that identifies a remote database, a communication path to that database, and optionally, a username and password. Once defined, the database link is used to access the remote database.
A public or private database link from one database to another is created on the local database by a DBA or user.
A global database link is created automatically from each database to every other database in a network with Oracle Names. Global database links are stored in the network definition.
A database password verifier is an irreversible value that is derived from the user's database password. This value is used during password authentication to the database to prove the identity of the connecting user.
Has create, modify, and read access for enterprise user security. This administrator has permissions on all of the domains in the enterprise and is responsible for:
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).
A common attack on passwords. the attacker creates a dictionary of many possible passwords and their corresponding verifiers. Through some means, the attacker then obtains the verifier corresponding to the target password, and obtains the target password by looking up the verifier in the dictionary.
This is a method that lets two parties communicating over an insecure channel to agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to generate session keys.
A digital signature is created when a public key algorithm is used to sign the sender's message with the sender's private key. The digital signature assures that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.
A hierarchical tree-like structure consisting of the DNs of the entries.
A subtree which is of significance within a directory server. It is usually the top of some organizational subtree. Some directories only permit one such context which is fixed; others permit none to many to be configured by the directory administrator.
A set of integrated network services that works across multiple systmes to provide a distributed environment. The middleware between distributed applications and the operating system or networkservices; based on a client/server computing model. DCE is supported by the Open Group.
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root.
Any tree or subtree within the Domain Name System (DNS) namespace. Domain most commonly refers to a group of computers whose host names share a common suffix, the domain name.
A system for naming computers and network services that is organized into a hierarchy of domains. DNS is used in TCP/IP networks to locate computers through user-friendly names. DNS resolves a friendly name into an IP address, which is understood by computers.
In Oracle Net Services, DNS translates the host name in a TCP/IP address into an IP address.
Text that has been encrypted, using an encryption algorithm; the output stream of an encryption process. On its face, it is not readable or decipherable, without first being subject to decryption. Also called ciphertext. Encrypted text ultimately originates as plaintext.
The process of disguising a message rendering it unreadable to any but the intended recipient.
A directory construct that consists of a group of databases and enterprise roles. A database should only exist in one enterprise domain at any time. Enterprise domains are different from Windows 2000 domains, which are collections of computers that share a common directory database.
User authorized to manage a specific enterprise domain, including the authority to add new enterprise domain administrators.
Access privileges assigned to enterprise users. A set of Oracle role-based authorizations across one or more databases in an enterprise domain. Enterprise roles are stored in the directory and contain one or more global roles.
A user defined and managed in a directory. Each enterprise user has a unique identify across an enterprise and uses a wallet to store its login credentials.
The building block of a directory, it contains information about an object of interest to directory users.
Verification of a user identity by a third party authentication service, such as Kerberos or RADIUS.
Storing fingerprint templates in files when configuring Identix Biometric authentication. The alternative is to use the Oracle database method.
A U.S. government standard that defines security requirements for cryptographic modules--employed within a security system protecting unclassified information within computer and telecommunication systems. Published by the National Institute of Standards and Technology (NIST).
A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships.
A role managed in a directory, but its privileges are contained within a single database.
Hypertext Transfer Protocol: The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.
The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer.
The combination of the public key and any other public information for an entity. The public information may include user identification data such as, for example, an e-mail address. A user certified as being the entity it claims to be.
In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket. An initial ticket is retrieved by running the kinit program and providing a password.
Every running Oracle database is associated with an Oracle instance. When a database is started on a database server (regardless of the type of computer), Oracle allocates a memory area called the System Global Area (SGA) and starts an Oracle process. This combination of the SGA and an Oracle process is called an instance. The memory and the process of an instance manage the associated database's data efficiently and serve the one or more users of the database.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
Internet Inter-ORB Protocol. A protocol developed by the Object Management Group (OMG) to implement CORBA solutions over the World Wide Web. IIOP enables browsers and servers to exchange integers, arrays, and more complex objects, unlike HTTP, which supports only transmission of text.
Java code obfuscation is used to protect Java programs from reverse engineering. A special program (an obfuscator) is used to scramble Java symbols found in the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, the obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls.
An industry-standard Java interface for connecting to a relational database from a Java program, defined by Sun Microsystems.
Key Distribution Center/Ticket Granting Service. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service.
The KDC/TGS is a trusted third party that must run on a secure host. It creates ticket-granting tickets and service tickets. The KDC and TGS are usually the same entity.
A network authentication service developed under Massachusetts Institute of Technology's Project Athena that strengthens security in distributed environments. Kerberos is a trusted third-party authentication system that relies on shared secrets and assumes that the third party is secure. It provides single sign-on capabilities and database link authentication (MIT Kerberos only) for users, provides centralized password storage, and enhances PC security.
When encrypting data, a key is a value which determines the ciphertext that a given algorithm will produce from given plaintext. When decrypting data, a key is a value required to correctly decrypt a ciphertext. A ciphertext is decrypted correctly only if the correct key is supplied.
With a symmetric encryption algorithm, the same key is used for both encryption and decryption of the same data. With an asymmetric encryption algorithm (also called a public-key encryption algorithm or public-key cryptosystem), different keys are used for encryption and decryption of the same data.
An instantiation or location of a service. This is an arbitrary string, but the host machine name for a service is typically specified.
An arbitrary name of a Kerberos service object.
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.
A process that resides on the server whose responsibility is to listen for incoming client connection requests and manage the traffic to the server.
Every time a client requests a network session with a server, a listener receives the actual request. If the client information matches the listener information, then the listener grants a connection to the server.
A configuration file for the listener that identifies the:
listener.ora file typically resides in
$ORACLE_HOME/network/admin on UNIX platforms and ORACLE_HOME
\network\admin on Windows NT.
A security attack characterized by the third-party, surreptitious interception of a message, wherein the third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and re-transmits it to the originally-intended recipient--all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication.
An algorithm that assures data integrity by generating a 128-bit cryptographic message digest value from given data. If as little as a single bit value in the data is modified, the MD5 checksum for the data changes. Forgery of data in a way that will cause MD5 to generate the same result as that for the original data is considered computationally infeasible.
Also known as data authentication code (DAC). A checksumming with the addition of a secret key. Only someone with the key can verify the cryptographic checksum.
A means for authenticating clients to servers, servers to servers, and users to both clients and servers in distributed environments. A network authentication service is a repository for storing information about users and the services on different servers to which they have access, as well as information about clients and servers on the network. An authentication server can be a physically separate machine, or it can be a facility co-located on another server within the system. To ensure availability, some authentication services may be replicated to avoid a single point of failure.
An agency within the U.S. Department of Commerce responsible for the development of security standards related to the design, acquisition, and implementation of cryptographic-based security systems within computer and telecommunication systems, operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf othe Federal Government to accomplish a Federal function.
A listener on a server that listens for connection requests for one or more databases on one or more protocols. See listener.
Incontestable proof of the origin, delivery, submission, or transmission of a message.
A process by which information is scrambled into a non-readable form, such that it is extremely difficult to de-scramble if the algorithm used for scrambling is not known.
A special program used to obfuscate Java source code. See: obfuscation.
A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes. All objects associated with the same object class share the same attributes.
An entry in an LDAP-compliant internet directory called
cn=OracleContext, under which all Oracle software relevant information is kept, including entries for Oracle Net Services directory naming and enterprise user security. A top-level directory entry that contains the data used by any installed Oracle product that uses the directory.
There can be one or more Oracle Contexts in a directory. An Oracle Context is located under an administrative context.
Using an Oracle database to store fingerprint templates when configuring Indentix Biometric authentication. The alternative is to use the file system method.
An Oracle product that enables two or more computers that run the Oracle server or Oracle tools such as Designer/2000 to exchange data through a third-party network. Oracle Net Services support distributed processing and distributed database capability. Oracle Net Services is an open system because it is independent of the communication protocol, and users can interface Oracle Net to many network environments.
Defines Oracle application types that a certificate supports.
A group of enterprise domains configured to accept connections from password-authenticated users.
SSL connect sessions are between a particular client and a particular server. The identity of the peer may have been established as part of session setup. Peers are identified by X.509 certificate chains.
A public key encryption standard (PKCS). RSA Data Security, Inc. PKCS #12 is an industry standard for storing and transferring personal authentication credentials--typically in a format called a wallet.
Message text that has not been encrypted.
A uniquely-identified client or server. A Kerberos object, consisting of kservice/kinstance@REALM. See also kservice, kinstance, and realm.
In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures. See public/private key pair.
A process typically employed in an environment with a middle tier such as a firewall, wherein the end user authenticates to the middle tier, which thence authenticates to the directory on the user's behalf--as its proxy. The middle tier logs into the directory as a proxy user. A proxy user can switch identities and, once logged into the directory, switch to the end user's identity. It can perform operations on the end user's behalf, using the authorization appropriate to that particular end user.
In public-key cryptography, this key is made public to all. It is primarily used for encryption but can be used for verifying signatures. See public/private key pair.
The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.
Information security technology utilizing the principles of public key cryptography. Public key cryptography involves encrypting and decrypting information using a shared public and private key pair. Provides for secure, private communications within a public network.
A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data enwrapped with a private key cannot be decrypted with the same private key.
A Kerberos object. A set of clients and servers operating under a single key distribution center/ticket-granting service (KDC/TGS). kservices that are in different realms that share the same name are unique.
A Windows repository that stores configuration information for a computer.
A computer on a network other than the local computer.
See trusted certificate.
An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.
An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
An industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using public key infrastructure (PKI).
A provider of a service.
1. A network resource used by clients; for example, an Oracle database server.
2. An executable process installed in the Windows NT registry and administered by Windows NT. Once a service is created and started, it can run even when no user is logged on to the computer.
For Kerberos-based authentication, the kservice portion of a service principal.
In Kerberos authentication, a service table is a list of service principals that exist on a kinstance. This information must be extracted from Kerberos and copied to the Oracle server machine before Kerberos can be used by Oracle.
Trusted information used to authenticate the client. A ticket-granting ticket, which is also known as the initial ticket, is obtained by directly or indirectly running
okinit and providing a password, and is used by the client to ask for service tickets. A service ticket is used by a client to authenticate to a service.
A key shared by at least two parties (usually a client and a server) that is used for data encryption for the duration of a single communication session. Session keys are typically used to encrypt network traffic; a client and a server can negotiate a session key at the beginning of a session, and that key is used to encrypt all network traffic between the parties for that session. If the client and server communicate again in a new session, they negotiate a new session key.
A network layer that provides the services needed by the presentation layer entities that enable them to organize and synchronize their dialogue and manage their data exchange. This layer establishes, manages, and terminates network sessions between the client and server. An example of a session layer is Network Session.
Database or application schemas that can be used by multiple enterprise users. Oracle Advanced Security supports the mapping of multiple enterprise users to the same shared schema on a database, which lets an administrator avoid creating an account for each user in every database. Instead, the administrator can create a user in one location, the enterprise directory, and map the user to a shared schema that other enterprise users can also map to. Sometimes called user/schema separation.
The ability of a user to authenticate with multiple databases by using a single password. After users authenticate to one database or application with a single password, they can then authenticate to other databases or applications with the same password. In the Oracle Advanced Security implementation, the password is stored in an LDAP-compliant directory and protected with encryption and Access Control Lists. Using single password authentication, users use a single password to authenticate multiple times (to multiple databases and applications). Single password, multiple authentications.
The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication. Oracle Advanced Security supports Kerberos, CyberSafe, DCE, and SSL-based single sign-on.
A plastic card (like a credit card) with an embedded integrated circuit for storing information, including such information as user names and passwords, and also for performing computations associated with authentication exchanges. A smart card is read by a hardware device at any client or server.
A smartcard can generate random numbers which can be used as one-time use passwords. In this case, smartcards are synchronized with a service on the server so that the server expects the same password generated by the smart card.
Device used to surreptitiously listen to or capture private data traffic from a network.
A configuration file for the client or server that specifies:
sqlnet.ora file typically resides in
$ORACLE_HOME/network/admin on UNIX platforms and
\network\admin on Windows platforms.
See single sign-on (SSO).
A group of shared memory structures that contain data and control information for an Oracle instance.
A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the
CONNECT DATA parts of the connect descriptor in a tnsnames.ora file, and in the definition of the network listener in a listener.ora file.
A piece of information that helps identify who the owner is. See service ticket.
A file that contains connect descriptors; each connect descriptor is mapped to a net service name. The file may be maintained centrally or locally, for use by all or individual clients. This file typically resides in the following locations depending on your platform:
A device for providing improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user types into the token card. The token card then provides another number (cryptographically-derived from the challenge), which the user then offers to the server.
A networking layer that maintains end-to-end reliability through data flow control and error recovery methods. Oracle Net Services uses Oracle protocol supports for the transport layer.
A trusted certificate, sometimes called a root key certificate, is a third party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified.
See trusted certificate.
A name that can connect to and access objects in a database.
See shared schema.
Selective presentations of one or more tables (or other views), showing both their structure and their data.
A wallet is a data structure used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A Wallet Resource Locator (WRL) provides all the necessary information to locate the wallet.
Wallet obfuscation is used to store and access an Oracle wallet without querying the user for a password prior to access (supports single sign-on (SSO)).Certain machine-specific information is used to generate a secret key that is used to encrypt the wallet.
A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.
An industry-standard specification for digital certificates.