Oracle Advanced Security Administrator's Guide Release 8.1.7 Part Number A85430-01
This chapter describes how to configure Oracle Advanced Security for Oracle8i, or for the Oracle8i server, for use with SecurID authentication. It assumes that you are familiar with the RSA Data Security, Inc. ACE/Server, and that the ACE/Server is installed and running. This chapter contains the following sections:
Note: Oracle Advanced Security Release 8.1.7 is the last release to support the SecurID adapter. Effective with the next release (8.2), the SecurID functionality will be available through RADIUS; RADIUS support is built into the RSA ACE/Server. The RADIUS adapter is described in Chapter 4, Configuring RADIUS Authentication.
The following are prerequisites for configuring and using SecurID authentication:
Because SecurID card codes can be used only once, SecurID authentication does not support database links, also known as proxy authentication.
When using SecurID authentication, password encryption is disabled. This means that the SecurID card code and, if you use standard cards, the PIN, are sent to the Oracle database server in plain text. This can be a security problem. Consequently, Oracle Corporation recommends that you enable Oracle Advanced Security encryption, which ensures that the PIN is encrypted when it is sent to the Oracle database server.
Enable SecurID authentication by performing these tasks:
Register the system on which the Oracle server resides as a SecurID client with the ACE server. You can do this with the RSA Data Security tool sdadmin. To create a client:
Install Oracle Advanced Security on the Oracle database server and Oracle client when you install Oracle8i using the Oracle Installer.
Port numbers are typically stored in a file called services. On UNIX-based operating systems, the file is typically located in the /etc directory. If you are using Network Information Services (NIS) as a naming service, ensure that the services map contains the correct entries for SecurID.
This section provides separate instructions for:
Ask the SecurID administrator to ensure that the following are available:
- \VAR\ACE
- SERVICES file
You can obtain the files from any other SecurID client or from the system that runs the ACE/Server.
Create the ACE configuration directory (/var/ace) on the Oracle8i database server system and copy the configuration files to it; the sdconf.rec file must be present.
Ensure that the owner of the oracle executable can read and write /var/ace and can create new files in this directory.
The configuration files are used by both Oracle and the standard SecurID tools. Because the SecurID tools run setuid root, there can be a problem with the access permissions on the directory /var/ace and the files in this directory.
There are two methods (Method 1, Method 2) for configuring Oracle8i as a SecurID client without compromising security. Both methods work, and each allows you to use Oracle8i with SecurID authentication, but Method 1 is the preferred method.
Method 1: The owner of the oracle executable should also own the /var/ace directory and the files in /var/ace. For example, if the owner of the oracle executable is the user Oracle8, execute these commands as root:
# chown oracle8 /var/ace
# chmod 0770 /var/ace
# chown oracle8 /var/ace/*
# chmod 0660 /var/ace/*
Method 2: The other option is to have root own the /var/ace directory and the files in /var/ace, but give the Oracle group read and write access. If the Oracle group is dba, execute the following commands as root:
# chown root /var/ace
# chmod 0770 /var/ace
# chgrp dba /var/ace
# chown root /var/ace/*
# chmod 0660 /var/ace/*
# chgrp dba /var/ace/*
The VAR_ACE environment variable is not supported. You must store the configuration data in the /var/ace directory. If you currently have the ACE configuration data in a different location, create a symbolic link using the following command:
# ln -s $VAR_ACE /var/ace
Oracle8i must be able to read and write the ACE configuration data. This data is stored in the directory /var/ace, or $VAR_ACE if you use the preceding symbolic link.
Whether Oracle can read the configuration data depends on how the ACE client software is installed on the Oracle database server. During the installation of the ACE client software, specify which administrator should own the configuration files.
If root is the owner of the ACE server configuration data files, change the UNIX file permissions so that the owner of the oracle executable can read and write to these files. For example, the following commands give Oracle access to the files, and all the RSA Data Security tools that run as setuid root can still access the files.
# chown oracle8 /var/ace
# chown oracle8 /var/ace/*
# chmod 0770 /var/ace
# chmod 0660 /var/ace/*
If the environment variable VAR_ACE is set to a different location than /var/ace, you should instead execute the following commands:
# ln -s $VAR_ACE /var/ace
# chown oracle8 $VAR_ACE
# chown oracle8 $VAR_ACE/*
# chmod 0770 $VAR_ACE
# chmod 0660 $VAR_ACE/*
If the ACE files are not owned by root, you have the following options:
You must install the ACE software as root, but you can specify which administrator should own the files. Specify the same user as the owner of the Oracle8i executable, typically Oracle8.
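The following script is an added example, not part of the Oracle guide or the RSA tools: it checks whether an ACE configuration directory actually has the layout that Method 1 and Method 2 above describe (directory mode 0770, files mode 0660, sdconf.rec present, the expected owner and, for Method 2, the expected group), so the permission problem the text warns about can be caught before a connection fails. Directory names, the demo's use of a temporary directory, and the mode values it expects are assumptions taken from the commands listed above.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify that an ACE configuration
# directory follows the ownership/permission layout the guide describes.
#   Method 1: directory and files owned by the oracle owner, modes 0770/0660.
#   Method 2: directory and files owned by root, group = oracle group (e.g. dba),
#             modes 0770/0660 so the group can read and write.
# Usage: check_ace_dir DIR OWNER [GROUP]

# Print "octal-mode owner group" for a path; GNU stat first, BSD stat as fallback.
mode_owner_group() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# Return 0 if DIR follows the layout, 1 otherwise; every problem is reported on stderr.
check_ace_dir() {
    dir=$1; want_owner=$2; want_group=${3:-}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2; return 1
    fi
    # sdconf.rec is required ("the sdconf.rec file must be present")
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "$dir/sdconf.rec: missing" >&2; rc=1
    fi
    set -- $(mode_owner_group "$dir")
    [ "$1" = 770 ] || { echo "$dir: mode $1, expected 770" >&2; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "$dir: owner $2, expected $want_owner" >&2; rc=1; }
    if [ -n "$want_group" ] && [ "$3" != "$want_group" ]; then
        echo "$dir: group $3, expected $want_group" >&2; rc=1
    fi
    # Every regular file in the directory must be 0660 with the same owner/group.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(mode_owner_group "$f")
        [ "$1" = 660 ] || { echo "$f: mode $1, expected 660" >&2; rc=1; }
        [ "$2" = "$want_owner" ] || { echo "$f: owner $2, expected $want_owner" >&2; rc=1; }
        if [ -n "$want_group" ] && [ "$3" != "$want_group" ]; then
            echo "$f: group $3, expected $want_group" >&2; rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on a throwaway directory (no root needed): a correct
# Method 1 layout passes, and the same directory made world-writable fails.
demo_ace_layout() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/ace"; : > "$tmp/ace/sdconf.rec"
    chmod 0770 "$tmp/ace"; chmod 0660 "$tmp/ace/sdconf.rec"
    if check_ace_dir "$tmp/ace" "$(id -un)"; then good=0; else good=1; fi
    chmod 0777 "$tmp/ace"
    if check_ace_dir "$tmp/ace" "$(id -un)" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

On a real system, run check_ace_dir /var/ace oracle8 for Method 1 or check_ace_dir /var/ace root dba for Method 2; a non-zero exit with the reasons on stderr tells you which chown or chmod from the lists above is still missing.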
For the change to take effect (Method 1 or Method 2), do the following:
To configure the SecurID authentication service:
The sqlnet.ora file is updated with the following entry:
SQLNET.AUTHENTICATION_SERVICES=(SECURID)
You create users for SecurID authentication by performing the following steps:
You can create an Oracle database server account using SQL*Plus connected as a user with the CREATE USER database privilege. Enter the following to create an account:
SQL> CONNECT system/manager
SQL> CREATE USER <os_authent_prefix><username> IDENTIFIED EXTERNALLY;
The OS_AUTHENT_PREFIX Oracle initialization parameter has a default value of OPS$. The user name should be the same as the name you assigned to the card in Task 1: Assign a Card Using RSA Data Security sdadmin Program.
For example, if you have assigned a card to the user king, and OS_AUTHENT_PREFIX has been set to a null value (""), create an Oracle user account using the following script:
SQL> CREATE USER king IDENTIFIED EXTERNALLY;
Grant the user the required database privileges. At a minimum, the user should be granted the CREATE SESSION privilege, as in the following example:
SQL> GRANT CREATE SESSION TO king;
The user king can now connect to Oracle8i using the appropriate SecurID card.
See Also: "Logging On to the Oracle Server", for information about how to log on to an Oracle8i database server after SecurID authentication has been installed and configured.
This section describes how to use SecurID authentication with the Oracle client tools. It assumes that you are already familiar with SecurID concepts, and that you have configured Oracle for use with the SecurID authentication.
This section contains the following topics:
Before using SecurID authentication to verify passwords, ensure that the following tasks have been completed:
SecurID authentication allows users to log on to the Oracle database server with the passcode that is generated by the SecurID card. The passcode replaces the password in the Oracle connect statement.
There are two types of SecurID cards:
- Standard (model SD200): Enter the PIN as part of the Oracle connect statement.
- PINPAD (model SD520): Enter the PIN directly onto the card.
The standard cards generate and display a passcode. When logging in to Oracle, specify the user name, PIN, and current passcode as follows:
sqlplus <username>/<pin><passcode>@<net_service_name>
For example, if the card is assigned to user king, the PIN is 3511, and the card shows the number 698244, log into Oracle using SQL*Plus as follows:
% sqlplus king/3511698244@oracle_database
or
% sqlplus king@oracle_database
% enter password: 3511698244
If you have a PINPAD card, you must enter the PIN on the card and generate a new passcode. Use the passcode to connect to Oracle as follows:
sqlplus <username>/<passcode>@<net_service_name>
For example, if the card is assigned to user king, first generate a passcode by entering the PIN on the PINPAD card as described in the RSA Data Security documentation. If the generated passcode is 698244, connect to Oracle using SQL*Plus as follows:
% sqlplus king/698244@oracle_dbname
If you are logging in for the first time or the administrator has put the card in the new-PIN mode, you must assign a PIN to the card. You can tell that this is the case if, while trying to connect to Oracle8i, you receive the following error message:
ORA-12681 "Login failed: the SecurID card does not have a pincode yet"
To assign a PIN to a card you must connect to the Oracle Server using a special syntax. First select a PIN, which is typically four to eight digits long. Depending on the type of SecurID card you have, you may be able to use letters as well.
If you have cleared the old PIN, use the following syntax while connecting to the Oracle database:
sqlplus <username>/"+<new_pin>+<tokencode>"@oracle_dbname
For the tokencode, enter the card code that is currently displayed on the SecurID card's LCD. If you have a PINPAD card, do not enter the PIN on the card.
For example, if the card is assigned to user king, the new PIN is 45618, and the SecurID card currently displays number 564728, enter the following:
% sqlplus king/"+45618+564728"@oracle_dbname
If the old PIN was not cleared, use the following syntax while connecting to the database. Otherwise, the administrator must select the new PIN for you.
sqlplus <username>/"+<new_pin>+<old_pin><tokencode>"@oracle_dbname
For the tokencode, enter the card code that is currently displayed on the SecurID card. If you have a PINPAD card, do not enter the PIN on the card.
If the new PIN is accepted, you are connected to Oracle8i. The next time you want to connect to Oracle, use the procedure described in Logging On to the Oracle Server. If the new PIN is rejected, you receive the following error:
ORA-12688 "Login failed: the SecurID server rejected the new pincode"
The PIN may be rejected for the following reasons:
As an additional safety step, the ACE/Server sometimes asks for the next card code, to ensure that the person who is trying to log on actually has possession of the card. This is the case if you get the following error message when you try to log into Oracle:
ORA-12682, "Login failed: the SecurID card is in next PRN mode"
The next time you want to log on to Oracle8i, you must specify the next two card codes. The syntax you use to log on depends on the kind of SecurID card you have.
If you have a standard card, specify the following:
Steps 1, 2, and 3 replace the password. The + character is important, because it separates the first card code (passcode) from the second one. Use the following syntax:
sqlplus <username>/"<pincode><passcode>+<next_passcode>"@<net_service_name>
For example, if the card is assigned to user king, the PIN is 3511, and the card first shows the number 698244 and the next number is 563866, enter the following:
% sqlplus king/"3511698244+563866"@oracle_dbname
This connects you to the Oracle8i database server and puts the card back into normal mode. The next time you want to log on to the Oracle server, use the procedure described in Logging On to the Oracle Server .
If you have a PINPAD card, perform the following steps to log on to the Oracle database server:
1. Enter the PIN on the card to generate the first passcode.
2. Generate the second passcode.
3. Connect to Oracle using both passcodes, separated by a plus (+) character as follows:
sqlplus <username>/"<first_passcode>+<second_passcode>"@<net_service_name>
For example, if the card is assigned to user king, perform the following steps:
1. Generate the first passcode, such as 231003.
2. Generate the second passcode, such as 831234.
3. Connect to Oracle using the passcodes generated in steps 1 and 2:
% sqlplus king/"231003+831234"@oracle_dbname
This connects you to Oracle8i and puts the card back into normal mode. The next time you want to log in to Oracle, use the procedure described in Logging On to the Oracle Server.
If you experience problems while configuring SecurID authentication, verify the following:
Use the SecurID tool kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0) to verify the name of the authentication service and the port numbers that SecurID is expecting to use. Verify that these port numbers match those in /etc/services, or the services map if you are using NIS.
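To make the port comparison above mechanical, here is an added example (not from the Oracle guide or the RSA tools): a small parser for the services(5) file layout that resolves a service name or alias plus protocol to its port, and a checker that compares a list of expected entries against the file. It runs here on a constructed sample file; the service names and port numbers in that sample are placeholders, not the real SecurID entries, which you would take from the kitconts or sdinfo output and compare against the real /etc/services.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): look up service ports in a
# services(5)-format file so they can be compared with what kitconts/sdinfo
# reports. Works on /etc/services; the sample below is constructed.

# services_port FILE NAME PROTO: print the port for NAME (or one of its aliases)
# over PROTO; return 1 if the file has no such entry. Comments and blank lines
# are skipped, matching the real file's layout.
services_port() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # blank or malformed line
        {
            split($2, pp, "/")                  # "5500/udp" -> pp[1]=5500 pp[2]=udp
            if (pp[2] != proto) next
            if ($1 == name) { print pp[1]; found = 1; exit }
            for (i = 3; i <= NF; i++)           # remaining fields are aliases
                if ($i == name) { print pp[1]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# verify_services FILE "NAME PORT/PROTO"...: check each expected entry, report
# mismatches on stderr, return 0 only when every entry matches.
verify_services() {
    file=$1; shift; rc=0
    for spec in "$@"; do
        name=${spec%% *}; rest=${spec#* }
        port=${rest%/*}; proto=${rest#*/}
        actual=$(services_port "$file" "$name" "$proto") || actual=""
        if [ "$actual" != "$port" ]; then
            echo "$name/$proto: services file has '${actual:-<absent>}', ACE/Server expects $port" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in services(5) layout; names and ports are placeholders,
# not the real SecurID entries.
SAMPLE_SERVICES=$(mktemp)
cat > "$SAMPLE_SERVICES" <<'EOF'
# constructed sample - not a copy of any real /etc/services
ace-auth-example    5500/udp    aceauth     # authentication service (placeholder)
ace-admin-example   5510/tcp                # administration service (placeholder)
EOF
```

Against a real system you would call verify_services /etc/services "<service name from sdinfo> <port>/<proto>" for each service the ACE/Server reports; a non-zero exit with the mismatch on stderr is the condition the troubleshooting item above asks you to rule out. With NIS, feed it the output of ypcat services instead of the local file.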
ACE/Server release 1.2.4 only: Verify that the /var/ace/sdconf.rec file is present on the system running the Oracle database server. Also verify that the permissions on the /var/ace/sdconf.rec file and the directory /var/ace are set so that the Oracle process can read and write in the directory.
ACE/Server release 2.0 only: Make sure the ACE configuration data is in the /var/ace directory. Use of the VAR_ACE environment variable is not supported. Also make sure that the owner of the oracle executable can read and write the files in this directory.
Turn on tracing by adding the following entry to the sqlnet.ora file on the Oracle side:
trace_level_server = admin
Turning tracing on at the client side is less informative, because all interaction between the Oracle database server and the ACE server happens at the Oracle database server side of the Net8 connection. Be sure to turn off tracing when you have completed your check.
To get a list of all database users, enter:
SQL> SELECT * FROM all_users;
Copyright © 1996-2000, Oracle Corporation. All Rights Reserved.