Oracle Advanced Security Administrator's Guide
Release 8.1.7
Part Number A85430-01

Library
Product
Contents
Index

Go to previous page Go to next page

10
Configuring Entrust-Enabled SSL Authentication

This chapter describes how to configure and use Entrust-enabled Oracle Advanced Security for Secure Socket Layer (SSL) authentication. It contains the following topics:

Overview

A public-key infrastructure (PKI) includes various elements, such as a public key, bound into a digital certificate, a private key, and certain other security credentials. These credentials can be used for secure authentication over Secure Sockets Layer (SSL), to generate and process digital certificates--including digital signatures. A complete PKI includes the following:

This section describes how PKI elements are provided by the following:

Oracle Advanced Security

Oracle Advanced Security includes elements of a PKI, such as Oracle Wallet Manager, which creates and securely stores a user's public/private key pair, as well as the trust points (the list of root certificates the user trusts). The user's PKI credentials, stored in Oracle Wallet Manager, can be used to create a secure, authenticated session over SSL. However, Oracle Advanced Security does not provide certificate creation or certificate revocation status checking, which are important elements of a complete PKI.

For example, although Oracle Wallet Manager can generate a PKCS#10 certificate signing request, users must obtain certificate fulfillment from a certificate authority and load the resulting certificate into an Oracle wallet. Oracle wallets only support authentication to Oracle applications.

Entrust/PKI

Entrust/PKI is a PKI product provided by Entrust Technologies, Inc. that provides certificate generation, certificate revocation, and key and certificate management.

Entrust-Enabled Oracle Advanced Security

The integration of Oracle Advanced Security with Entrust/PKI enables users of both Entrust and Oracle to utilize the extensive PKI capabilities of Entrust to enhance the security of their Oracle environment.

Entrust-enabled Oracle Advanced Security provides:

Enhanced X.509-Based Authentication and Single Sign-On

Entrust-enabled Oracle Advanced Security supports the use of Entrust credentials for X.509-based authentication and single sign-on. Instead of using an Oracle wallet to hold user PKI credentials, Oracle Advanced Security can access PKI credentials created by Entrust/Authority and held in an Entrust profile (an.epf file). Users who have deployed Entrust software within their enterprise are thus able to use it for authentication and single sign-on to Oracle8i.

Integration with Entrust/PKI Key Management

Entrust-enabled Oracle Advanced Security uses the extensive key management and rollover functionality provided by Entrust/PKI, which shield users from the complexity of a PKI deployment. For example, users are automatically notified when their certificates are expiring, and certificates are reissued according to administrator-configurable preferences.

Integration with Entrust/PKI Certificate Revocation

Entrust provides a certificate authority component, which natively checks certificate revocation status and enables the revocation of certificates.

Users using Entrust credentials for authentication to Oracle are assured that the revocation status of the certificate is checked, and connections are prevented if the certificate is revoked.

System Components

This section describes the system components required for using Entrust-enabled Oracle Advanced Security:

Entrust/PKI 5.0.2 for Oracle can be downloaded from the Entrust Web site: 

http://www.entrust.com

Entrust/Toolkit Server Login and Entrust IPSEC Negotiator Toolkit can be downloaded from the Entrust Developer Network by registered members. Users can register for membership at: 

http://developer.entrust.com/memberships/registration.htm

The URLs for downloading the Entrust/Toolkit Server Login and Entrust IPSEC Negotiator Toolkit from the Entrust Developer Network are provided in the related sections.

Entrust/PKI 5.0.2 for Oracle

Entrust/PKI 5.0.2 for Oracle requires a database for storing information about Entrust users and the infastructure, and a Lightweight Directory Access Protocol (LDAP)-compliant directory for information such as user names, public certificates, and certificate revocation lists.

Entrust/PKI 5.0.2 for Oracle is comprised of the following software components:

Entrust/Authority

Entrust/Authority is the centerpiece of Entrust/PKI. It performs core certificate authority, certificate, and user management functions, such as creating users and user profiles containing the user's credentials.

Note:

Oracle Corporation only supports the use of Entrust-enabled Oracle Advanced Security with versions of Entrust/Authority that run on Oracle8i. 

See Also:

Chapter 9, Configuring Secure Socket Layer Authentication, for information about certificate authorities.  

Entrust/Authority supports unattended login, also called Server Login, which eliminates the need for a Database Administrator (DBA) to repeatedly enter a password for the Entrust profile on the server. With unattended login, the DBA need only enter a password once to open the Entrust profile for the server to authenticate itself to multiple incoming connections.

Entrust/RA

Entrust/RA is the administrator's secure interface to Entrust/Authority.

Entrust/Entelligence

Entrust/Entelligence provides support for user key management and single sign-on functionality on both clients and server by enabling Oracle8i server process access to incoming SSL connections.

Entrust/Toolkit Server Login

Entrust/Toolkit Server Login Toolkit Release 5.0.2 is required for single sign-on functionality on servers operating on UNIX platforms.

Entrust/Server Login Toolkit provides single sign-on by enabling Oracle8i server process access to incoming SSL connections. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust profile on the server for every incoming connection.

Entrust Developer Network members can download Entrust/Toolkit Server Login from the Entrust Web site: 

http://developer.entrust.com/software/files/desc_serverlogin.cfm

Entrust IPSEC Negotiator Toolkit

The Entrust IPSEC Negotiator Toolkit Release 5.0.2 is required on both clients and servers for integrating the Oracle Advanced Security SSL stack with Entrust/PKI, enabling SSL authentication to use Entrust profiles.

Entrust Developer Network members can download the IPSEC Negotiator Toolkit from the Entrust Web site: 

http://developer.entrust.com/software/index.htm

Entrust Authentication Process

Figure 10-1 illustrates the following Entrust authentication process:

  1. The Entrust user on the Oracle client establishes a secure connection with the server using SSL and Entrust credentials.

  2. The Oracle SSL adapter on the server communicates with the Entrust Authority to check the certificate revocation status of the Entrust user.

    Note::

    Figure 10-1 does not include client and server profiles creation, which is presumed. 

Figure 10-1 Entrust Authentication Process


See Also:

How SSL Works in an Oracle Environment: The SSL Handshake 

Enabling Entrust Authentication

This section describes the following tasks that enable Entrust-enabled Oracle Advanced Security SSL authentication:

Creating Entrust Profiles

This section describes how to create Entrust profiles. Entrust profiles can be created by either administrators or users.

Administrator-Created Entrust Profiles

Administrators create Entrust profiles as follows:

  1. The Entrust administrator adds the Entrust user using the New User dialog box with the Create Profile option selected.

    See Also:

    The Entrust administration documentation for information on creating Entrust Users 

  2. The administrator enters the user's name and password.

  3. The Entrust Authority creates the profile, or.epf file.

  4. The administrator securely sends all profile-related files to the user with a preset password.

User-Created Entrust Profiles

Entrust users create their own Entrust profiles as follows:

  1. The Entrust administrator adds the Entrust user using the New User dialog box with the Create Profile option deselected.

  2. The user receives a secure e-mail notification from the administrator that contains a reference number, authorization code, and expiration date.

  3. The user navigates to the Create Entrust Profiles screen in Entrust/Entelligence as follows:

    Start>Programs>Entrust>Entrust Profiles>Create Entrust Profiles

  4. The user enters the reference number, authorization code, and expiration date provided in the e-mail notification, creating a profile, or .epf file, and the Entrust initialization file.

Installing Oracle Advanced Security and Related Products

Use the Custom installation option to install Oracle Advanced Security on both the client and server. Select the Entrust adapter from the Authentication Methods screen.

See Also:

The Oracle8i installation documentation for your platform. 

Note:

After the Entrust adapter is installed, the Net8 SSL protocol adapter does not operate with Oracle wallets. 

Configuring SSL on the Client and Server

Configure SSL on the client and server.

See Also:

Chapter 9, Configuring Secure Socket Layer Authentication, for information about configuring SSL on the client and server; skip the section that describes the Oracle wallet location. 

Configuring Entrust on the Client

The steps for configuring Entrust on the client vary according to the type of platform:

Configuring Entrust on a UNIX Client

If the client resides on a non-Windows platform, perform the following steps:

  1. Set the JAVA_HOME variable to JDK or JRE location.

    For example:

    >setenv JAVA_HOME $ORACLE_HOME/JRE
  2. Either set the CLASSPATH environment variable or set the ssl_entrust_classpath parameter in the sqlnet.ora file to specify the required jar files for displaying the graphic user interface.

    For example:

    Set the CLASSPATH environment variable as follows:

    >setenv CLASSPATH $ORACLEHOME/JRE/lib/rt.jar:$ORACLE_HOME/JRE/lib/i18n.jar
  3. Use SQL*Plus to connect to the Oracle instance as follows:

    sqlplus /@tns_service_name

    where tns_service_name is the service name of the Oracle instance.

    The Entrust_Login dialog box appears.

  4. Enter the path to the profile and the password, as well as the path to the Entrust initialization file.

Configuring Entrust on a Windows Client

If the client resides on a Windows platform, ensure that the Entrust/Entelligence component is installed on the client and perform the following steps.

  1. Choose the Entrust icon on the system tray to open the Entrust_Login dialog box.

  2. Log on to Entrust by entering the profile name and password.

  3. Use SQL*Plus to connect to the Oracle instance as follows:

    sqlplus /@tns_service_name

    where tns_service_name is the service name of the Oracle instance.

Configuring Entrust on the Server

The steps for configuring Entrust on the client vary according to the type of platform:

Configuring Entrust on a UNIX Server

If the server is a UNIX platform, ensure that the Entrust/Server Login Toolkit component is installed on the server and perform the following steps:

See Also:

System Components for information about downloading the Entrust/Toolkit Server Login. 

  1. Stop the Oracle database instance.

  2. Set the ssl_entrust_profile and ssl_entrust_ini_file parameters in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file.

  3. Enter the binder command to create unattended login credentials, or .ual files.

    For example:

    binder_sun
  4. Enter the path to the profile, the password, and the path to the Entrust initialization file. A message informs you that you have successfully created a credential file.

  5. Start the Oracle database instance.

Configuring Entrust on a Windows Server

If the server is a Windows platform, ensure that the Entrust/Entelligence component is installed on the client and perform the following steps:

See Also:

System Components for information on downloading Entrust/Entelligence. 

  1. Stop the Oracle database instance.

  2. Choose the Entrust icon on the system tray to open the Entrust_Login dialog box.

  3. Log on to Entrust by entering the profile name and password.

  4. Start the Oracle database instance.

Creating Database Users

Create global user in the database based on the distinguished name (DN) of each Entrust user.

For example:

where "cn=jdoe, o=oracle, c=us" is the Entrust distinguished name of the user.

See Also:

Chapter 17, Configuring Entrust-Enabled SSL Authentication, for information about creating database users. 

Issues and Restrictions

The Entrust-ready designation from Entrust typically requires that a partner product integration with Entrust is done using an Entrust toolkit. This means that an application must be specifically modified to work with Entrust.

For example, Oracle has modified its SSL libraries to access an Entrust profile instead of an Oracle wallet. Accordingly, the Entrust profile is not accessible from standard SSL libraries.

In addition, the following restrictions apply:

Go to previous page Go to next page
Oracle
Copyright © 1996-2000, Oracle Corporation.
All Rights Reserved.

Library
Product
Contents
Index