Release 8.1.7
Part Number A85430-01
 Library |
 Product |
 Contents |
 Index |
| Oracle Advanced Security Administrator's Guide Release 8.1.7 Part Number A85430-01 |
|
This chapter describes how to use the Secure Socket Layer (SSL) protocol in Oracle Advanced Security. It contains the following sections:
Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography to provide authentication, encryption, and data integrity in a public-key infrastructure (PKI).
This section discusses the following topics:
By supporting SSL, Oracle Advanced Security expands its support encryption and data integrity, and provides public key authentication based on the SSL standard.
You can use Oracle Advanced Security SSL functionality to secure communications between clients and servers. You can authenticate:
You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes:
See Also:
In an Oracle environment, SSL operates at the Oracle Protocols layer using TCP/IP, as illustrated by Figure 9-1:
The components of SSL in an Oracle environment include the following:
A certificate authority (CA) is a trusted third party that certifies the identity of third parties and other entities, such as users, databases, administrators, clients, and servers. The certificate authority verifies the party identity and grants a certificate, signing it with the its private key.
Different CAs may have different identification requirements when issuing certificates. One may require the presentation of a user's driver's license, while others may require notorization of the certificate request form, or fingerprints of the requesting party.
The CA publishes its own certificate, which includes its public key. Each network entity has a list of certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature on the other entity's certificate is from a known, trusted CA.
Network entities can obtain their certificates from the same or different CAs. By default, Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you install a new wallet (See: Wallet).
A certificate is created when a party's public key is signed by a trusted certificate authority (CA). A certificate ensures that a party's identification information is correct, and that the public key actually belongs to that party.
A certificate contains the party's name, public key, and an expiration date--as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate.
When a network entity receives a certificate, it verifies that it is a trusted certificate--one issued and signed by a trusted certificate authority. A certificate remains valid until it expires or is sooner terminated.
A wallet is a transparent database used to manage authentication data such as keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, each system using SSL has a wallet with an X.509 version 3 certificate, private key, and list of trusted certificates.
Security administrators use the Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, the Oracle Wallet Manager is used to do the following:
At the commencement of a network connection under SSL, the client and server perform a SSL handshake that includes the following principal tasks:
In an Oracle environment, the authentication process consists of the following basic steps:
You can use the Oracle Advanced Security SSL feature to secure connections between non-Oracle clients and Oracle database servers. For example, SSL can grant secure access to a client outside an Oracle network to authorized data within the Oracle network.
Figure 9-2 shows how SSL is used to secure connections between Oracle and non-Oracle entities over the Internet. In this example, a Web server runs as an Oracle8i Java client. It receives messages over HTTPS (HTTP secured by SSL), and sends CORBA requests to the Oracle database server over IIOP/SSL (IIOP secured by SSL). In this example, the Web server passes its own certificate to the Oracle server, rather than the certificate of the Web client.
Because of its implementation architecture, you can configure Oracle Advanced Security to use SSL concurrently with other supported authentication methods, such as Kerberos, SecurID, RADIUS, and Identix--as discussed in the next sections:
Figure 9-3 displays the Oracle Advanced Security implementation architecture, which shows that (i) Oracle Advanced Security operates at the session layer on top of SSL, which (ii) uses TCP/IP at the transport layer. This separation of functionality lets you employ SSL concurrently with other supported protocols.
|
See Also:
Net8 Administrator's Guide, for information about stack communications in an Oracle networking environment |
Figure 9-4 illustrates a configuration in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. In this example, SSL is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client.
Consider the following issues when using SSL:
Note:
To enable SSL:
Install Oracle Advanced Security on both the client and server. When you do this, the Oracle Universal Installer automatically installs SSL, Oracle Wallet Manager, and Oracle Enterprise Login Assistant on your system.
To configure SSL on the client:
Before proceeding with the next step, you must confirm that a wallet has been created.
|
See Also:
|
To specify required configuration parameters for the client:
There are two occasions during the client and the server configuration when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions.
Important:
sqlnet.ora file.
The sqlnet.ora file is updated with the following entries:
SSL_CLIENT_AUTHENTICATION =TRUE
OSS.SOURCE.MY_WALLET =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=wallet_location)))
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.
You typically prioritize cipher suites starting with the strongest and moving to the weakest.
Table 9-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.
The sqlnet.ora file is updated with the following entry:
SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is 0; in Net8 Assistant, it is Any.
The sqlnet.ora file is updated with the following entry:
SSL_VERSION=UNDETERMINED
The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.
Set this parameter only if both of the following conditions apply:
If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, identix, securid)
If either or both of the above conditions do not apply, do not set this parameter.
The client must be configured with the location of the listener. For an SSL connection, the client must be configured with a TCP/IP with SSL listener protocol address.
During installation, Oracle sets defaults on both the Oracle database server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform these steps:
Before proceeding with the next step, you must confirm that a wallet has been created.
|
See Also:
|
To specify required configuration parameters for the server:
There are two occasions during the client and the server configuration process when you set the location of the Oracle wallet. Be sure to enter the same location on both occasions.
Important:
sqlnet.ora file.
The sqlnet.ora and listener.ora files are updated with the following entries:
OSS.SOURCE.MY_WALLET =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=wallet_location)))
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Net8 Assistant to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
The cipher suites selected for a server must be compatible with those required by the client.
You typically prioritize cipher suites starting with the strongest and moving to the weakest.
|
Note: In Oracle Advanced Security Release 8.1.7, if you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. See: Step 5: Set SSL Client Authentication (Optional). |
Table 9-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.
The sqlnet.ora file is updated with the following entry:
SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is 0; in Net8 Assistant, it is Any.
The sqlnet.ora file is updated with the following entry:
SSL_VERSION=UNDETERMINED
The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE.
You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or CyberSafe.
To set this parameter to FALSE:
The sqlnet.ora file is updated with the following entry:
SSL_CLIENT_AUTHENTICATION=FALSE
The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.
Set this parameter only if both of the following conditions apply:
If both of the above conditions apply, add TCP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor.
For example:
SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, identix,securid)
If either or both of the above conditions do not apply, do not set this parameter.
Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora file. Oracle Corporation recommends a port number 2484 for typical Net8 clients and 2482 for client connections to Oracle8i JServer.
If you are using SSL authentication, launch SQL*Plus and enter the following:
CONNECT/@dnet_service_name
If you are not using SSL authentication, launch SQL*Plus and enter the following:
CONNECT username/password@net_service_name
|
 Copyright © 1996-2000, Oracle Corporation. All Rights Reserved. |
|