|Oracle9i Security and Network Integration Guide
Release 2 (9.2) for Windows
Part Number A95492-01
A client-side product based on Component Object Model (COM). ADSI defines a directory service model and a set of COM interfaces that enable Windows 2000, Windows NT, Windows 98, and Windows 95 client applications to access several network directory services, including Active Directory. ADSI allows applications to communicate with Active Directory.
A file that contains important information and error messages that are generated during database operations.
To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite for allowing access to resources in a system.
Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles.
A certificate authority (CA) is a trusted third party that certifies the identity of other entities such as users, databases, administrators, clients, and servers. The certificate authority verifies the user's identity and grants a certificate, signing it with one of the certificate authority's private keys.
A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information. The destination service is indicated by using its service name for Oracle9i or Oracle8i databases or its Oracle system identifier (SID) for Oracle8 release 8.0 databases. The network route provides, at a minimum, the location of the listener through use of a network address.
A net service name or service name that maps to a connect descriptor. Users initiate a connect request by passing a username and password along with a connect identifier in a connect string for the service to which they wish to connect, for example:
A file that records the physical structure of a database and contains database name, names and locations of associated databases and online redo log files, timestamp of database creation, current log sequence number, and checkpoint information.
A username, password, or certificate used to gain access to the database.
A set of read-only tables that provide information about a database.
See net service name.
Process of converting contents of a message that has gone through encryption (ciphertext) back into its original readable format (plaintext).
ITU X.509 v3 standard data structures that securely bind an identity to a public key. A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
Digital signatures are created when a public key algorithm is used to sign messages with senders' private keys. A digital signature assures that a document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender.
Process of disguising a message, rendering it unreadable to any but the intended recipient.
Directory constructs consisting of Oracle9i databases and enterprise users and roles. Enterprise domains are different from Windows 2000 domains, which are collections of computers that share a common directory database.
A directory structure which contains global roles on multiple databases, and which can be granted to an enterprise user.
A user that has a unique identity across an enterprise. An enterprise user connects to individual databases through a schema and is assigned an enterprise role that determines the user's access privileges on databases.
Roles created and managed by the Windows NT and Windows 2000 operating systems. Once an external role is created, you can grant that role to or revoke it from a database user. You must set init.ora parameter true and restart your Oracle database before you can create an external role. You cannot use both Windows operating systems and the Oracle database to grant roles concurrently.
A user authenticated by the Windows 2000 or Windows NT operating system who can access the Oracle database without being prompted for a password. External users are typically regular database users (non-database administrators) to whom you assign standard database roles (such as RESOURCE), but to whom you do not want to assign the SYSDBA (database administrator) or SYSOPER (database operator) privilege.
A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships.
A role whose privileges are contained within a single database, but which is managed in a directory.
Represents a unique registry subkey for each Oracle home directory in which you install products. A new HOMEID is created and incremented each time you install products to a different Oracle home directory on one computer. Each HOMEID contains its own configuration parameter settings for installed Oracle products.
Represents the name of an ORACLE_HOME. All Oracle homes have a unique HOME_NAME.
An ASCII text file that contains information needed to initialize a database and instance. File init.ora resides in directory \admin\DB_NAME\pfile on Windows operating systems.
Every running Oracle database is associated with an Oracle instance. When a database is started on a database server (regardless of computer type), Oracle allocates a memory area called the System Global Area (SGA) and starts an Oracle process. This combination of SGA and an Oracle process is called an instance. The memory and the process of an instance manage the associated database's data efficiently and serve one or more database users.
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. LDAP is a framework of design conventions supporting industry-standard directory products, such as Oracle Internet Directory.
A process that resides on the server whose responsibility is to listen for incoming client connection requests and manage traffic to the server. Every time a client requests a network session with a server, a listener receives the actual request. If client information matches listener information, then the listener grants a connection to the server.
A configuration file for the listener that identifies listener name, protocol addresses for accepting connection requests, and the services for which it is listening.
File listener.ora typically resides in \network\admin on Windows operating systems.
Roles created and managed by the database. Once a local role is created, you can grant that role to or revoke it from a database user. You cannot use Windows NT (for external role management) and the Oracle database (for local role management) concurrently.
An application that serves as a host for administrative tools called snap-ins. By itself, Microsoft Management Console does not provide any functionality.
To associate a database with an instance that has been started.
Capability of having more than one Oracle home on a computer.
A listener on a server that listens for connection requests for one or more databases on one or more protocols. See listener.
In an Oracle application network, a service performs tasks for its service consumers. For example, an Oracle Names server provides name resolution services for clients.
Obfuscated information is scrambled into a non-readable form. De-scrambling is extremely difficult if the algorithm used for scrambling is not known.
Oracle base, known as ORACLE_BASE in this guide, is the root of the Oracle directory tree.
Corresponds to the environment in which Oracle products run. This environment includes location of installed product files, PATH variable pointing to products' binary files, registry entries, net service names, and program groups.
A component of Oracle Net Services that enables a network session from a client application to an Oracle database server. Once a network session is established, Oracle Net acts as a data courier for the client application and the database server. It is responsible for establishing and maintaining the connection between the client application and database server, as well as exchanging messages between them. Oracle Net is able to perform these jobs because it is located on each computer in the network.
A suite of networking components that provide enterprise-wide connectivity solutions in distributed, heterogeneous computing environments. Oracle Net Services are comprised of Oracle Net, listener, Oracle Connection Manager, Oracle Net Configuration Assistant, and Oracle Net Manager.
A service that is associated with an Oracle component.
A right to execute a particular type of SQL statement or to access another user's object.
A mechanism in an operating system that can run an executable. (Some operating systems use the term job or task.) A process normally has its own private memory area in which it runs. On Windows NT, a process is created when a program runs (such as Oracle or Microsoft Word). In addition to an executable program, all processes consist of at least one thread. The Oracle master process contains hundreds of threads.
To restore a physical backup is to reconstruct it and make it available to the Oracle server. To recover a restored backup is to update it using redo records (that is, records of changes made to the database after the backup was taken). Recovering a backup involves two distinct operations: rolling forward the backup to a more current time by applying redo data, and rolling back all changes made in uncommitted transactions to their original state.
A Windows repository that stores configuration information for a computer.
A computer on a network other than the local computer.
A named group of related privileges. You can grant a role to users or other roles.
A named collection of objects, such as tables, views, clusters, procedures, and packages, associated with a particular user.
See net service name.
A special database administration role that permits a database administrator to perform RECOVER, and includes
A group of shared memory structures that contain data and control information for an Oracle instance.
A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the CONNECT_DATA parts of the connect descriptor in a tnsnames.ora file, and in the definition of the network listener in a listener.ora file.
A standard DBA username automatically created with each database.
SYSTEM is created with an initial password of
SYSTEM is the preferred username for DBAs to use for database maintenance.
A database is divided into one or more logical storage units called tablespaces. Tablespaces are divided into logical units of storage called segments, which are further divided into extents.
An individual path of execution within a process. Threads are objects within a process that execute program instructions. Threads allow concurrent operations within a process so that a process can execute different parts of its program simultaneously on different processors. A thread is the most fundamental component that can be scheduled on Windows NT.
A file that contains connect descriptors; each connect descriptor is mapped to a net service name. The file may be maintained centrally or locally, for use by all or individual clients. This file typically resides in \network\admin on Windows NT.
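As an added example that is not part of the Oracle guide, the following parser reads tnsnames.ora entries into the connect descriptor structure described under connect descriptor, SID and tnsnames.ora above, and splits each entry into its network route (the listener address) and its destination service, whether a SERVICE_NAME or an Oracle8 release 8.0-style SID. The two sample entries, their aliases and host names are constructed for the example.

```python
import re
# Constructed sample tnsnames.ora (not from the Oracle guide): SALES names its
# destination by SERVICE_NAME (Oracle9i/8i style), LEGACY by SID (Oracle8 8.0 style).
SAMPLE_TNSNAMES = """SALES = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = sales-db.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = sales.example.com)))
LEGACY = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = legacy-db.example.com)(PORT = 1526))
    (CONNECT_DATA = (SID = LEG8)))
"""
_TOKEN = re.compile(r"[()=]|[^()=\s]+")   # a paren, '=', or a bare word

def _parse_node(tokens, i):
    # Parse '(KEY = value)' or '(KEY = (child)...)' at tokens[i] == '(' and
    # return ((key, value), next_index); value is a str or a list of child nodes.
    if tokens[i] != "(" or tokens[i + 2] != "=":
        raise ValueError("malformed connect descriptor near token %d" % i)
    key, i = tokens[i + 1], i + 3
    value = []
    while tokens[i] == "(":                  # nested keyword-value pairs
        child, i = _parse_node(tokens, i)
        value.append(child)
    if not value:                            # no children: a leaf value
        value, i = tokens[i], i + 1
    if tokens[i] != ")":
        raise ValueError("missing ')' near token %d" % i)
    return (key, value), i + 1

def parse_tnsnames(text):
    # Map each net service name (alias) to its parsed connect descriptor tree.
    tokens = _TOKEN.findall(re.sub(r"#.*", "", text))   # '#' starts a comment
    entries, i = {}, 0
    while i < len(tokens):
        alias, i = tokens[i], i + 2                       # alias, then '='
        entries[alias], i = _parse_node(tokens, i)
    return entries

def _find(node, key):
    # Depth-first search for the first value stored under key, or None.
    k, v = node
    if k == key:
        return v
    hits = (_find(c, key) for c in v) if isinstance(v, list) else ()
    return next((h for h in hits if h is not None), None)

def describe(descriptor):
    # Route = listener address; destination = SERVICE_NAME or, for Oracle8 8.0, SID.
    route = {k: _find(descriptor, k) for k in ("PROTOCOL", "HOST", "PORT")}
    kind = "SERVICE_NAME" if _find(descriptor, "SERVICE_NAME") else "SID"
    return route, (kind, _find(descriptor, kind))
```

Running describe over every entry of a client's tnsnames.ora gives an inventory of which listeners the client is configured to reach and which entries still address a database by SID rather than by service name.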
Trust points or trusted certificates are third-party identities that are qualified with a level of trust. A trusted certificate is used when an identity is being validated as the entity it claims to be. Certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher-level certificates reverified.
A name that can connect to and access objects in a database.
Selective presentations of one or more tables (or other views), showing both their structure and their data.
Groups that can be granted permissions and rights in their own domain, member servers and workstations of their domain, and in trusted domains. They can also become members of Windows NT local groups in all these places. But global groups can contain user accounts only from their own domains.
Groups that can be granted permissions and rights only for their own computer or, if part of a domain, for the domain controllers of that domain. Local groups can, however, contain user accounts and Windows NT global groups from both their own domain and from trusted domains.