Preface

Welcome to the Administrator's Guide for Release 8.1.7 of Oracle Advanced Security (formerly Oracle Advanced Networking Option).

Oracle Advanced Security includes a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.

This Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.

See Also: Related Documents

Intended Audience

This guide is intended for users or systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including:

• Implementation consultants

• System administrators

• Security administrators

Structure

This guide is organized into the following parts:

• Part I: Introduction

• Part II: Encryption, Integrity, and JDBC

• Part III: Configuring Authentication Methods

• Part IV: Oracle DCE Integration

• Part V: Oracle8i Enterprise User Security

• Part VI: Appendices

Each part describes a different set of Oracle Advanced Security features.

Part I: Introduction

Chapter 1, Introduction to Oracle Advanced Security

This chapter provides an overview of Oracle Advanced Security features provided with this release.

Part II: Encryption, Integrity, and JDBC

Chapter 2, Configuring Data Encryption and Integrity

This chapter describes how to configure data encryption and integrity within an existing Net8 Release 8.1.7 network.

Chapter 3, Thin JDBC Support

This chapter provides an overview of the Java implementation of Oracle Advanced Security, which allows Thin Java Database Connectivity (JDBC) clients to connect securely to Oracle8i databases.

Part III: Configuring Authentication Methods

Chapter 4, Configuring RADIUS Authentication

This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.

Chapter 5, Configuring CyberSafe Authentication

This chapter describes how to configure Oracle for use with CyberSafe, and provides a brief overview of steps to configure CyberSafe to authenticate Oracle users.

Chapter 6, Configuring Kerberos Authentication

This chapter describes how to configure Oracle for use with MIT Kerberos and provides a brief overview of steps to configure Kerberos to authenticate Oracle users.

Chapter 7, Configuring SecurID Authentication

This chapter describes how to configure SecurID authentication in combination with the Oracle server and Oracle clients for use with the Security Dynamics ACE/Server and token cards. It includes system requirements, known limitations, and troubleshooting information.

Chapter 8, Configuring Identix Biometric Authentication

This chapter describes how to configure and use Oracle biometric authentication, which enables use of the Identix fingerprint authentication device.

Chapter 9, Configuring Secure Socket Layer Authentication

This chapter describes the SSL feature of Oracle Advanced Security and explains how to configure SSL.

Chapter 10, Configuring Entrust-Enabled SSL Authentication

This chapter describes how to configure and use Entrust-enabled Oracle Advanced Security for Secure Socket Layer (SSL) authentication.

Chapter 11, Configuring Multiple Authentication Methods

This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to user conventional user name and password authentication. It also describes how to configure the network so that Oracle clients can user a specific authentication method, and Oracle servers can accept any method specified.

Part IV: Oracle DCE Integration

Chapter 12, Overview of Oracle DCE Integration

This chapter provides a brief discussion of Open Software Foundation (OSF) DCE and Oracle DCE Integration.

Chapter 13, Configuring DCE for Oracle DCE Integration

This chapter describes what you need to do to configure DCE to use Oracle DCE Integration. It also describes how to configure the DCE CDS naming adapter.

Chapter 14, Configuring Oracle8i for Oracle DCE Integration

This chapter describes the DCE parameters that you need to add to the configuration files to enable clients and servers to access Oracle servers in the DCE environment. It also describes some Oracle Server configuration that you need to perform, such as setting up DCE groups to map to external roles. Additionally, it describes how to configure clients to use the DCE CDS naming adapter.

Chapter 15, Connecting to an Oracle Database in DCE

This chapter describes how to connect to an Oracle database in a DCE environment.

Chapter 16, DCE and Non-DCE Interoperability

This chapter describes how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP.

Part V: Oracle8i Enterprise User Security

Chapter 17, Managing Enterprise User Security

This chapter describes Oracle directory and security integration. It describes its components and provides an overview of the interaction between the components.

Chapter 18, Using Oracle Wallet Manager

This chapter describes how to configure and use the Oracle Wallet Manager.

Chapter 19, Using Oracle Enterprise Login Assistant

This chapter describes how to configure and use the Oracle Enterprise Login Assistant.

Chapter 20, Using Oracle Enterprise Security Manager

This chapter describes how an Enterprise DBA uses Oracle Enterprise Security Manager to administer database security in an enterprise domain of Oracle8i databases.

Part VI: Appendices

Appendix A, Data Encryption and Integrity Parameters

This appendix describes Oracle Advanced Security data encryption and integrity configuration parameters.

Appendix B, Authentication Parameters

This appendix describes Oracle Advanced Security authentication configuration file parameters.

Appendix C, Integrating Authentication Devices Using RADIUS

This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.

Appendix D, Oracle Advanced Security FIPS 140-1 Settings

This appendix describes the Sqlnet.ora configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration.

Appendix E, LDAP Directory Schema for Oracle Database Security

This appendix describes the object classes and attributes defined in the LDAP directory schema for Oracle database security.

Appendix F, Oracle Implementation of Java SSL

This appendix provides an overview of components and usage of the Oracle implementation of Java SSL.

Related Documents

Refer to the appropriate Oracle platform-specific documentation to install and configure Oracle Advanced Security software on your particular platform.

In addition, see the following:

• See the following Oracle documents for information that applies across platforms:
  • ACE/Server Administration Manual, Release 3.3, from Security Dynamics

  • ACE/Server Client for UNIX, Version 2.0, from Security Dynamics

  • ACE/Server Installation Manual, Release 3.3, from Security Dynamics

  • Net8 Administrator's Guide

  • Oracle8i Distributed Database Systems

  • Oracle8i Enterprise JavaBeans Developer's Guide and Reference

  • Oracle8i JDBC Developer's Guide and Reference

  • Oracle Internet Directory Administrator's Guide

• For information about roles and privileges, see:
  • Oracle8i Administrator's Guide

• For third-party vendor documentation about security and single sign-on features see:
  • RADIUS Administrator's Guide

  • Steel-Belted RADIUS v2.11 (Funk Software)

  • CyberSafe TrustBroker Release Notes, Release 5.2.6

  • CyberSafe TrustBroker Administrator's Guide, Release 5.2.6

  • CyberSafe TrustBroker Navigator Administrator's Guide, Release 5.2.6

  • CyberSafe TrustBroker UNIX User's Guide, Release 5.2.6

  • CyberSafe TrustBroker Windows and Windows NT User's Guide, Release 5.2.6

  • CyberSafe TrustBroker Client v1.2

  • CyberSafe TrustBroker Server v1.2

• For information about MIT Kerberos see:
  • CyberSafe Trust Broker documentation

  • Notes about building and installing Kerberos from Kerberos V5 source distribution

  • CNS (Cygnus Network Security) documentation see: http://www.cygnus.com/library-dir.html

• For information about Entrust/PKI see:
  • Entrust/PKI 5.0.2 for Oracle

  • Administering Entrust/PKI 5.0 on UNIX

• For additional information about the Open Software Foundation (OSF) Distributed Computing Environment (DCE), see the following OSF documents published by Prentice Hall, Inc.:
  • Transarc DCE User's Guide and Reference

  • Transarc DCE Application Development Guide

  • Transarc DCE Application Development Reference

  • Transarc DCE Administration Guide

  • Transarc DCE Administration Reference

  • Transarc DCE Porting and Testing Guide

  • Application Environment Specification/Distributed Computing

  • Transarc DCE Technical Supplement

• For information about Identix products, see the following Identix documentation.
  • Client-side documentation:

    Identix TouchSafe II User's Guide

• Server-side documentation:
  • Identix TouchSafe II System Administrator's Guide

Abbreviations and Acronyms

Table 0-1 defines abbreviations and acronyms used in this document:

Table 0-1 Abbreviations and Acronyms

3DES	A version of the DES encryption algorithm that provides triple-encryption; see Triple-DES.
ACL	Access Control List
CA	Certificate Authority
CBC	Outer Cypher-Block-Chaining mode
CDS	Cell Directory Service
CORBA	Common Object Request Broker Architecture
DBCA	Oracle Database Configuration Assistant
DCE	Distributed Computing Environment
DES	Data Encryption Standard (U.S.)
DES40	Data Encryption Standard with 40-bit encryption keys
DES56	Data Encryption Standard with 56-bit encryption keys
DIT	Directory Information Tree
DN	Distinguished Name
ESM	Oracle Enterprise Security Manager
FIPS	Federal Information Processing Standard
GSSAPI	Generic Security Services Application Programming Interface
IIOP	Internet Inter-ORB Protocol
ISM	Bull Integrated System Management
ISP	Internet Service Provider
JDBC	Java Database Connectivity
JDK	Java Development Kit
JRE	Java Runtime Environment
LAN	Local Area Network
LDAP	Lightweight Directory Access Protocol
MD4	Message Digest 4; a xxx-bit encryption algorithm.
MD5	Message Digest 5; a 128-bit encryption algorithm; successor to MD4.
Net8CA	Oracle Net8 Configuration Assistant
OCI	Oracle Call Interface
OID	Oracle Internet Directory
OSF	Open Software Foundation
PIN	Personal Identification Number
PKE	Public Key Encoding
PKI	Public Key Infrastructure
RADIUS	Remote Authentication Dial-In User Service
RC4	A public-key algorithm of RSA
RSA	RSA Data Security, Inc.; refers to the RSA encryption module
SASL	Simple Authentication and Security Layer
SHA	Secure Hash Algorithm
SSL	Secure Sockets Layer
SSO	Single Sign-on
Triple-DES	A version of the DES encryption algorithm that provides triple-encryption; see 3DES
WAN	Wide Area Network

Conventions

The following syntax conventions are used in this guide:

...	Horizontal ellipsis points in statements or commands mean that parts of the statement or command not directly related to the example have been omitted.
[ ]	Brackets enclose optional items. Do not enter the brackets.
( )	Parentheses enclose all SQL*Net and Net8 keyword-value pairs in connect descriptors. They must be entered as part of the connect descriptor, as in (KEYWORD=value).
|	A vertical bar represents a choice of two or more options. You must enter one of the options separated by the vertical bar. Do not enter the vertical bar.
Boldface text	Boldface text indicates a term defined in the glossary.
Italic Font	Italic characters indicate that the parameter, variable, or expression in the command syntax must be replaced by a value that you provide. Italics can also indicate emphasis or the first mention of a technical term.
Monospace Font	Monospace font indicates something the computer displays.
Punctuation	Punctuation other than brackets and vertical bars must be entered as shown.
UPPERCASE	Uppercase characters within the text represent parameters.