Transport Layer Security Combined with Other Authentication Methods

You can configure Oracle Database to use TLS concurrently with database user names and passwords, RADIUS, and Kerberos.

Architecture: Oracle Database and Transport Layer Security

It is important to understand the architecture of how Oracle Database works with TLS. The Oracle Database implementation of Transport Layer Security architecture operates at the session layer on top of TLS and uses TCP/IP at the transport layer. The session layer is a network layer that provides the services needed by the presentation layer entities that enable them to organize and synchronize their dialogue and manage their data exchange. This layer establishes, manages, and terminates network sessions between the client and server. The transport layer is a networking layer that maintains end-to-end reliability through data flow control and error recovery methods. Oracle Net Services uses Oracle protocol supports for the transport layer.

This separation of functionality lets you employ TLS concurrently with other supported protocols.

How Transport Layer Security Works with Other Authentication Methods

Transport Layer Security can be used with other authentication methods that Oracle Database supports. The following figure illustrates a configuration in which Transport Layer Security is used in combination with another authentication method.

Description of the illustration asoag018.gif

In this example, Transport Layer Security is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client. The process is as follows:

  1. The client seeks to connect to the Oracle database server.

  2. Transport Layer Security performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.

  3. Once the Transport Layer Security handshake is successfully completed, the user seeks access to the database.

  4. The Oracle database server authenticates the user with the authentication server using a non-TLS authentication method such as Kerberos or RADIUS.

  5. Upon validation by the authentication server, the Oracle database server grants access and authorization to the user, and then the user can access the database securely by using TLS.