
Oracle Advanced Security Administrator's Guide
Release 2 (9.2)

Part Number A96573-01

Contents

Title and Copyright Information

List of Figures

List of Tables

Send Us Your Comments

Preface

Part I Introduction

1 Introduction to Oracle Advanced Security

About Oracle Advanced Security
Security in an Intranet or Internet Environment
Security Threats
Oracle Advanced Security Features
Data Privacy
Data Integrity
Authentication
Single Sign-On
Authorization
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Advanced Security Restrictions

Part II Encryption, Integrity, and JDBC

2 Configuring Data Encryption and Integrity

Oracle Advanced Security Encryption
Overview
Advanced Encryption Standard
DES Algorithm Support
Triple-DES Support
RSA RC4 Algorithm for High Speed Encryption
Oracle Advanced Security Data Integrity
Data Integrity Algorithms Supported
Diffie-Hellman Based Key Management
Authentication Key Fold-in
Configuring Data Encryption and Integrity
Activating Encryption and Integrity
Negotiating Encryption and Integrity
Setting the Encryption Seed
Configuring Encryption and Integrity Parameters Using Oracle Net Manager

3 Thin JDBC Support

About the Java Implementation
Java Database Connectivity Support
Securing Thin JDBC
Implementation Overview
Obfuscation
Configuration Parameters
Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT
Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT
Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT
Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT

Part III Configuring Authentication Methods

4 Configuring RADIUS Authentication

RADIUS Overview
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication, Authorization, and Accounting
Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
Task 2: Configure RADIUS Authentication
Task 3: Create a User and Grant Access
Task 4: Configure External RADIUS Authorization (optional)
Task 5: Configure RADIUS Accounting
Task 6: Add the RADIUS Client Name to the RADIUS Server Database
Task 7: Configure the Authentication Server for Use with RADIUS
Task 8: Configure the RADIUS Server for Use with the Authentication Server
Task 9: Configure Mapping Roles
Using RADIUS to Log In to a Database
RSA ACE/Server Configuration Checklist

5 Configuring CyberSafe Authentication

Configuring CyberSafe Authentication
Task 1: Install the CyberSafe Server
Task 2: Install the CyberSafe TrustBroker Client
Task 3: Install the CyberSafe Application Security Toolkit
Task 4: Configure a Service Principal for an Oracle Database Server
Task 5: Extract the Service Table from CyberSafe
Task 6: Install an Oracle Database Server
Task 7: Install Oracle Advanced Security With CyberSafe
Task 8: Configure Oracle Net and Oracle9i
Task 9: Configure CyberSafe Authentication
Task 10: Create a CyberSafe User on the Authentication Server
Task 11: Create an Externally Authenticated Oracle User on the Oracle Database Server
Task 12: Get the Initial Ticket for the CyberSafe/Oracle User
Task 13: Connect to an Oracle Database Server Authenticated by CyberSafe
Troubleshooting
If you cannot get your ticket-granting ticket using kinit:
If you have an initial ticket, but still cannot connect:
If you have a service ticket, and you still cannot connect:
If everything seems to work fine, but then you issue another query and it fails:

6 Configuring Kerberos Authentication

Enabling Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Database Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Database Server and an Oracle Client
Task 5: Install Oracle Net Services and Oracle Advanced Security
Task 6: Configure Oracle Net Services and Oracle9i
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally Authenticated Oracle User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Utilities for the Kerberos Authentication Adapter
Obtaining the Initial Ticket with the okinit Utility
Displaying Credentials with the oklist Utility
Removing Credentials from the Cache File with the okdstry Utility
Connecting to an Oracle Database Server Authenticated by Kerberos
Configuring Interoperability with a Windows 2000 Domain Controller KDC
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User
Troubleshooting

7 Configuring Secure Sockets Layer Authentication

SSL in an Oracle Environment
What You Can Do with SSL
Components of SSL in an Oracle Environment
How SSL Works in an Oracle Environment: The SSL Handshake
SSL between Non-Oracle Clients and Oracle Database Servers
SSL Combined with Other Authentication Methods
Architecture: Oracle Advanced Security and SSL
Using SSL with Other Authentication Methods
SSL and Firewalls
SSL Usage Issues
Enabling SSL
Task 1: Install Oracle Advanced Security and Related Products
Task 2: Configure SSL on the Client
Task 3: Configure SSL on the Server
Task 4: Log on to the Database
Using an nCipher Secure Accelerator
Required Oracle Components To Use an nCipher Secure Accelerator
Configuring Oracle Advanced Security To Use an nCipher Secure Accelerator
Troubleshooting Using nCipher Secure Accelerator

8 Configuring Entrust-Enabled SSL Authentication

Overview
Oracle Advanced Security
Entrust/PKI
Entrust-Enabled Oracle Advanced Security
System Components
Entrust/PKI 6.0 for Oracle
Entrust/Toolkit Server Login 6.0
Entrust IPSEC Negotiator Toolkit 6.0
Entrust Authentication Process
Enabling Entrust Authentication
Creating Entrust Profiles
Installing Oracle Advanced Security and Related Products
Configuring SSL on the Client and Server
Configuring Entrust on the Client
Configuring Entrust on the Server
Creating Database Users
Logging Into the Database
Issues and Restrictions
Troubleshooting Entrust In Oracle Advanced Security
Error Messages Returned When Running Entrust on Any Platform
Error Messages Returned When Running Entrust on Windows Platforms
General Checklist for Running Entrust on Any Platform

9 Configuring Multiple Authentication Methods

Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Multiple Authentication Methods
Configuring Oracle9i for External Authentication
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value

Part IV Oracle DCE Integration

10 Overview of Oracle DCE Integration

Oracle DCE Integration Requirements
System Requirements
Backward Compatibility
The Distributed Computing Environment
Components of Oracle DCE Integration
DCE Communication/Security
DCE Cell Directory Services Native Naming
Flexible DCE Deployment
Release Limitations

11 Configuring DCE for Oracle DCE Integration

To Configure DCE for Oracle DCE Integration:
Task 1: Create New Principals and Accounts
Task 2: Install the Key of the Server into a Keytab File
Task 3: Configure DCE CDS for Use by Oracle DCE Integration

12 Configuring Oracle9i for Oracle DCE Integration

DCE Address Parameters
Configuring Oracle9i and Oracle Net Services
Task 1: Configure the Server
Task 2: Create and Name Externally Authenticated Accounts
Task 3: Set up DCE Integration External Roles
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
Task 5: Configure the Client
Task 6: Configure Clients to Use DCE CDS Naming

13 Connecting to an Oracle Database in DCE

Starting the Listener
Connecting to an Oracle Database Server in the DCE Environment
Method 1
Method 2

14 DCE and Non-DCE Interoperability

Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
The listener.ora File
The tnsnames.ora File
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Oracle Net Services

Part V Oracle9i Enterprise User Security

15 Managing Enterprise User Security

Part I: Overview / Concepts
Overview of Enterprise User Security
Introduction to Enterprise User Security
Enterprise Users and Authentication Methods
Enterprise Users and Password Authentication
Enterprise User Security Directory Entries
Security of User Database Login Information
The Enterprise User Security Process with SSL
The Enterprise User Security Process with Passwords
Shared Schemas
Overview
Configuring Shared Schemas
Creating a Shared Schema
Shared Schemas
Mapping Enterprise Users to Schemas
Current User Database Links
Enterprise User Security Tools
Oracle Enterprise Security Manager
Oracle Enterprise Login Assistant
Oracle Wallet Manager
Deployment Considerations
Security Aspects of Centralizing Security Credentials
Database Membership in Enterprise Domains
Part II: Initial Configuration for SSL and Password Authentication
Prerequisites
Task 1: Configure the Database for SSL
Task 2: Create the Wallet and Start the Listener
Task 3: Verify Database Installation
Task 4: Create Global Schemas and Roles
Part III: Final Configuration for SSL Authentication
Task 5: Configure Database Clients
Task 6: Configure an Enterprise Domain
Task 7: Configure Enterprise Users
Task 8: Log In as an Enterprise User
Part IV: Final Configuration for Password Authentication
Task 9: Configure the Enterprise Domain
Task 10: Configure Oracle Context
Task 11: Configure Enterprise Users
Task 12: Connect as Password Authenticated Enterprise User
Part V: Troubleshooting Enterprise User Security
ORA-# Errors in Connection to the Database
User-Schema Error Checklist
DOMAIN-READ-ERROR Checklist
Decryption of Encrypted Private Key Fails (Windows Only)
Enabling Tracing

16 Migrating Local or External Users to Enterprise Users

Benefits of Migrating Local or External Users to Enterprise Users
Introduction to the User Migration Utility
Overview of the Bulk User Migration Process
About the ORCL_GLOBAL_USR_MIGRATION_DATA Table
Migration Effects on Users' Old Database Schemas
Migration Process
Prerequisites for Performing Migration
Required Database Privileges
Required Directory Privileges
Required Setup to Run the User Migration Utility
User Migration Utility Command Line Syntax
Accessing Help for the User Migration Utility
List of User Migration Utility Parameters
User Migration Utility Usage Examples
Migrating Users While Retaining Their Own Schemas
Migrating Users and Mapping to a Shared Schema
Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters
Troubleshooting Using the User Migration Utility
Common User Migration Utility Error Messages
Common User Migration Utility Log Messages
Summary of User Migration Utility Error and Log Messages

17 Using Oracle Wallet Manager

Overview
PKCS #12 Support
Importing Third-Party Wallets
Exporting Oracle Wallets
Multiple Certificate Support
LDAP Directory Support
Managing Wallets
Starting Oracle Wallet Manager
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Uploading a Wallet to an LDAP Directory
Downloading a Wallet from an LDAP Directory
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Managing Certificates
Managing User Certificates
Managing Trusted Certificates

18 Using Oracle Enterprise Login Assistant

About Oracle Enterprise Login Assistant
Starting Oracle Enterprise Login Assistant
Managing Credentials for Certificate-Authenticated Enterprise Users
Opening Existing Wallet on Local System
Connecting to LDAP Directory and Downloading New Wallet
Changing Passwords
Uploading Wallet to LDAP Directory
Logging Out and Disabling SSL Connection
Managing Credentials for Password-Authenticated Enterprise Users
Changing Passwords

19 Using Oracle Enterprise Security Manager

Introduction
Installing and Configuring Oracle Enterprise Security Manager
Task 1: Configure an Oracle Internet Directory
Task 2: Install Oracle Enterprise Manager
Task 3: Start Oracle Enterprise Security Manager
Task 4: Log On to the Directory
Administering Enterprise Users
Creating New Enterprise Users
Defining a Directory Base
Defining a New Enterprise User Password
Defining an Initial Enterprise Role Assignment
Creating a Wallet
Browsing Users in the Directory
Enabling Database Access
Administering Oracle Contexts
Oracle Context Versions
Defining Properties of an Oracle Context
Registering a Database in the Directory
Defining User Search Bases
Defining Oracle Context Administrators
Managing Password Accessible Domains
Managing Database Security
Managing Database Administrators
Managing Database Schema Mappings
Administering Enterprise Domains
Defining Database Membership of an Enterprise Domain
Managing Database Security Options for an Enterprise Domain
Managing Enterprise Domain Administrators
Managing Enterprise Domain Database Schema Mappings
Administering Enterprise Roles
Assigning Database Global Role Membership to an Enterprise Role
Managing Enterprise Role Grantees

Part VI Appendixes

A Data Encryption and Integrity Parameters

Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Encryption and Integrity Level Settings
Encryption and Integrity Selected Lists
Seeding the Random Key Generator

B Authentication Parameters

Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using RADIUS Authentication
sqlnet.ora File Parameters
Minimum RADIUS Parameters
Initialization File (init.ora) Parameters
Parameters for Clients and Servers using SSL
SSL Authentication Parameters
Cipher Suite Parameters
SSL Version Parameters
SSL Client Authentication Parameters
Wallet Location

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface

D Oracle Advanced Security FIPS 140-1 Settings

Configuration Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selection List
Client Encryption Selection List
Cryptographic Seed Value
FIPS Parameter
Post Installation Checks
Status Information
Physical Security

E Using Enterprise User Security with Microsoft Active Directory

Oracle9i Directory Server Features That Support Active Directory
Directory Naming
Enterprise User Security
Integration with Active Directory
Overview of Active Directory
Automatic Discovery of Directory Servers
Integration with Microsoft Tools
User Interface Extensions for Oracle Net Directory Naming
Enhancement of Directory Object Type Descriptions
Integration with Windows Login Credentials
Oracle Directory Objects in Active Directory
Requirements for Using Oracle9i with Active Directory
Oracle Schema Creation
Oracle Context Creation
Directory Naming Software Requirements
Enterprise User Security Software Requirements
Configuring Oracle9i To Use Active Directory
Testing Connectivity
Testing Connectivity from Client Computers
Testing Connectivity from Microsoft Tools
Access Control List Management for Oracle Directory Objects
Security Groups
Accessing the Security Groups
Creating Enterprise Domains

F Oracle Implementation of Java SSL

Prerequisites
Oracle Java SSL Features
SSL Cipher Suites Supported by Oracle Java SSL
Certificate and Key Management with Oracle Wallet Manager
Security-Aware Applications Support
Oracle Java SSL Examples
Example: SSLServerExample Program
Example: SSLClientExample Program
Example: SSLProxyClientExample Program
Troubleshooting Oracle Java SSL
Oracle Java SSL API
Public Class: OracleSSLCredential
Public Interface: OracleSSLProtocolVersion
Public Class: OracleSSLServerSocketFactoryImpl
Public Class: OracleSSLSession
Public Class: OracleSSLSocketFactoryImpl
Public Interface: OracleX509TrustManagerInterface

G Abbreviations and Acronyms

Glossary

Index


Copyright © 1996, 2002 Oracle Corporation.

All Rights Reserved.