Oracle Advanced Security Administrator's Guide Release 8.1.5 A67766-01 |
|
This chapter introduces the Oracle Advanced Security option encryption, checksumming, and authentication features. These features are available to network products using Net8, including Oracle8i, Designer 2000, Developer 2000, and any other Oracle or third-party products that support Net8.
Topics covered in this chapter:
The Oracle Advanced Security option (formerly Secure Network Services and Oracle Advanced Networking Option) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. The Oracle Advanced Security option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.
Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on Net8 and Oracle8i. This proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised.
The increased distribution of data in these environments brings with it some serious security threats:
Moreover, in distributed environments, malefactors may hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and routed instead to a terminal masquerading as Server B.
Users generally respond to multiple accounts in one of two ways:
Either strategy severely compromises password secrecy and service availability.
The Oracle Advanced Security option protects against these threats to the security of distributed environments. Specifically, the Oracle Advanced Security option provides the following features, each of which is described in the next few pages.
To ensure that data has not been modified, deleted, or replayed during transmission, the Oracle Advanced Security option optionally generates a cryptographically secure message digest--through cryptographic checksums using the MD5 algorithm--and includes it with each packet sent across the network.
Moreover, the SSL feature of the Oracle Advanced Security option allows the use of the Secure Hash Algorithm (SHA). SHA is slightly slower than MD5, but produces a larger message digest to make it more secure against brute-force collision and inversion attacks.
The Oracle Advanced Security option ensures data privacy through both RSA and DES encryption.
Since the Oracle Advanced Security option RSA RC4 40-bit implementation meets the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.
For more information on encryption and checksumming, see Chapter 2, "Configuring Encryption and Checksumming" and Appendix A, "Encryption and Checksumming Parameters".
More Information:
Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. The Oracle Advanced Security option release 8.1.5 provides authentication through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSafe TrustBroker (a Kerberos-based authentication server), SecurID, Identix TouchNet II, and RADIUS. These adapters are described later in this chapter.
Many of the Oracle Advanced Security option authentication methods use centralized authentication. This can give you high confidence in the identity of users, clients, and servers in distributed environments. Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network faking their identities.
Centralized authentication can also provide the benefit of single sign-on for users. Single sign-on allows users to access multiple accounts and applications with a single password, eliminates the need for multiple passwords, and simplifies management of user accounts and passwords for system administrators.
Note: Oracle Corporation does not provide centralized authentication servers. Rather, it supports only the authentication services provided through other vendors' security services or third-party Kerberos-based servers such as CyberSafe. For a list and brief description of authentication methods supported by the Oracle Advanced Security option, see "Authentication Methods Supported". |
Figure 1-1 illustrates how a centralized network authentication service typically operates.
The Oracle Advanced Security option supports the following authentication methods:
SSL--SSL (Secure Sockets Layer) is an industry standard protocol for securing network connections. SSL provides for authentication, encryption, and data integrity.
You can use the SSL feature of the Oracle Advanced Security option to secure communications between any client and any server. Specifically, you can use SSL to authenticate:
You can use SSL features by themselves or in combination with other authentication methods supported by the Oracle Advanced Security option. For example, you can use SSL along with Kerberos, using the encryption provided by SSL in combination with the Kerberos authentication method.
You can configure SSL to require server authentication only, or both client and server authentication.
RADIUS--RADIUS (Remote Authentication Dial-In User Service), a client-server security protocol, is most widely known for enabling remote authentication and access. The Oracle Advanced Security option uses this emerging standard in a client-server network environment to enable use of any authentication method that supports the RADIUS protocol. You can use RADIUS with a variety of authentication methods, including token cards and smartcards.
Kerberos and CyberSafe--The Oracle Advanced Security option support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication in an Oracle environment. Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through Kerberos authentication and through the CyberSafe TrustBroker, a Kerberos-based authentication server.
Smartcards (RADIUS-Compliant)--This authentication method uses a hardware device that looks much like a credit card. It has memory and a processor and is read by a smartcard reader located at the client workstation.
Smartcards offer the following benefits:
Token Cards (SecurID and RADIUS-Compliant)--Token cards can provide improved ease-of-use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user then types into a token card. The token card provides a response, namely, another number cryptographically-derived from the challenge, which the user then offers to the server.
Token cards provide the following benefits:
You can use SecurID tokens through either SecurID or through RADIUS.
Bull ISM--ISM (Integrated System Management) is an offering of Bull Worldwide Information Systems that provides system administrators with a variety of management tools. This authentication method is available on the AIX platform only. See your AIX-specific documentation for more information.
Biometric Authentication (Identix)--Identix Biometric Authentication is used on both the clients and Oracle servers to communicate biometric authentication data between the authentication server and the clients.
User authorization, already a standard features of Oracle8i, is significantly enhanced by using the authentication methods supported by the Oracle Advanced Security option. For example, on certain platforms such as Solaris, the Oracle Advanced Security option supports authorization with DCE.
The Oracle Advanced Security option is an add-on product to a standard Net8 Server or Net8 Client. Figure 1-2 shows the location of the Oracle Advanced Security option within a typical stack in an Oracle networking environment.
More Information:
For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide. |
The Oracle Advanced Security option supports authentication through adapters that are very much like the existing Oracle protocol adapters. As Figure 1-3 shows, authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.
The Oracle Advanced Security option is fully supported by the Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.
The Oracle Advanced Security option is an add-on product to standard Net8 Server or Net8 Client. It is an extra cost item, and, to be functional, must be purchased on both the client and the server.
The Oracle Advanced Security option release 8.1.5 requires Net8 release 8.1.5.
The Oracle Advanced Security option release 8.1.5 supports Oracle 8i Enterprise Edition.
TrustBrokerInstall the Oracle Advanced Security option on all clients and servers where the Oracle Advanced Security option is required.
This section discusses parameters you set when configuring Oracle for network authentication. Specifically, it discusses the following tasks:
For clients and servers to be able to use an Oracle authentication method, the following parameter must be in the sqlnet.ora file:
SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)
For example, the following parameter must be set in the sqlnet.ora files on all clients and servers that use the Kerberos Authentication:
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
It is strongly recommended that, when configuring the Oracle authentication methods, you add the following parameter to the initialization file used for the database instance:
REMOTE_OS_AUTHENT=FALSE
If REMOTE_OS_AUTHENT is set to FALSE
, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation will fail, and the connection will be terminated.
If the following parameter is set in the sqlnet.ora file on either the client or server side:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
the database will attempt to use the provided user name and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE
, the connection will fail.
Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the init.ora file used for the database instance:
OS_AUTHENT_PREFIX=""
To create a user, launch SQL*Plus and type:
SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;
When OS_AUTHENT_PREFIX
is set to a null value (""), you would create the user "king" with the following command:
SQL> CREATE USER king IDENTIFIED EXTERNALLY;
The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally-identified users.
The Oracle Advanced Security option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Security option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) cannot yet take advantage of the Oracle Advanced Security option, since ODM does not currently use Net8.