Oracle Advanced Security Administrator's Guide
Release 8.1.7
Part Number A85430-01
Contents
Title and Copyright Information
List of Figures
List of Tables
Send Us Your Comments
Preface
Part I Introduction
1 Introduction to Oracle Advanced Security
About Oracle Advanced Security
Security in an Intranet or Internet Environment
Security Threats
Oracle Advanced Security Features
Data Privacy
Data Integrity
Authentication
Single Sign-On
Authorization
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Advanced Security Restrictions
Part II Encryption, Integrity, and JDBC
2 Configuring Data Encryption and Integrity
Oracle Advanced Security Encryption
Overview
DES Algorithm for Standards-Based Encryption
Triple-DES Support
RSA RC4 Algorithm for High Speed Encryption
Oracle Advanced Security Data Integrity
Data Integrity Algorithms Supported
Diffie-Hellman Based Key Management
Authentication Key Fold-in
Configuring Data Encryption and Integrity
Activating Encryption and Integrity
Negotiating Encryption and Integrity
Setting the Encryption Seed
Configuring Encryption and Integrity Parameters Using Net8 Assistant
3 Thin JDBC Support
About the Java Implementation
Java Database Connectivity Support
Securing Thin JDBC
Implementation Overview
Obfuscation
Configuration Parameters
Client Encryption Level
Client Encryption Selected List
Client Integrity Level
Client Integrity Selected List
Part III Configuring Authentication Methods
4 Configuring RADIUS Authentication
RADIUS Overview
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication and Accounting
Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
Task 2: Configure RADIUS Authentication
Task 3: Create a User and Grant Access
Task 4: Configure RADIUS Accounting
Task 5: Add the RADIUS Client Name to the RADIUS Server Database
Task 6: Configure the Authentication Server for Use with RADIUS
Task 7: Configure the RADIUS Server for Use with the Authentication Server
Task 8: Configure Mapping Roles
Logging in to the Database
5 Configuring CyberSafe Authentication
Configuring CyberSafe Authentication
Task 1: Install the CyberSafe Server
Task 2: Install the CyberSafe TrustBroker Client
Task 3: Install the CyberSafe Application Security Toolkit
Task 4: Configure a Service Principal for an Oracle Database Server
Task 5: Extract the Service Table from CyberSafe
Task 6: Install an Oracle Database Server
Task 7: Install Oracle Advanced Security With CyberSafe
Task 8: Configure Net8 and Oracle8i
Task 9: Configure CyberSafe Authentication
Task 10: Create a CyberSafe User on the Authentication Server
Task 11: Create an Externally Authenticated Oracle User on the Oracle Database Server
Task 12: Get the Initial Ticket for the CyberSafe/Oracle User
Task 13: Connect to an Oracle Database Server Authenticated by CyberSafe
Troubleshooting
If you cannot get your ticket-granting ticket using kinit:
If you have an initial ticket, but still cannot connect:
If you have a service ticket, and you still cannot connect:
If everything seems to work fine, but then you issue another query and it fails:
6 Configuring Kerberos Authentication
Enabling Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Database Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Database Server and an Oracle Client
Task 5: Install Net8 and Oracle Advanced Security
Task 6: Configure Net8 and Oracle
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally-authenticated Oracle User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Utilities for the Kerberos Authentication Adapter
Use okinit to Obtain the Initial Ticket
Use OKLIST to Display Credentials
Use OKDSTRY to Remove Credentials from the Cache File
Connecting to an Oracle Database Server Authenticated by Kerberos
Troubleshooting
If you cannot get your ticket-granting ticket using OKINIT:
If you have an initial ticket, but still cannot connect:
If you have a service ticket and you still cannot connect:
If everything seems to work fine, but then you issue another query and it fails:
7 Configuring SecurID Authentication
Prerequisites
Known Limitations
Enabling SecurID Authentication
Task 1: Register Oracle as a SecurID Client
Task 2: Install Oracle Advanced Security
Task 3: Ensure that Oracle Can Find the Correct UDP Port
Task 4: Configure Oracle as a SecurID Client
Task 5: Configure SecurID Authentication
Creating Users for SecurID Authentication
Task 1: Assign a Card Using RSA Data Security sdadmin Program
Task 2: Create an Oracle Server Account for the User
Task 3: Grant the User Database Privileges
Using SecurID Authentication
Preparing to Use SecurID Authentication
Logging On to the Oracle Server
Assigning a New PIN to a SecurID Card
Logging on When the SecurID Card is in Next Code Mode
Troubleshooting
8 Configuring Identix Biometric Authentication
Overview
Architecture of the Biometric Authentication Service
Administration Architecture
Authentication Architecture
Prerequisites
Installing the TouchSafe II Encrypt Device Driver for Windows NT
Configuring the Biometric Manager PC
Configuring the Client PC
Configuring Each Database Server
Enabling Biometric Authentication
Task 1: Configure the Database Server
Task 2: Configure Identix Authentication
Task 3: Establish a Net Service Name
Task 4: Verify the Database Server Address
Task 5: Configure the Biometric Manager PC
Administering the Biometric Authentication Service
Create a Hashkey on Each of the Clients
Create a user for Biometric Authentication
Authenticating Users with a Biometric Authentication Service
Troubleshooting
9 Configuring Secure Socket Layer Authentication
SSL in an Oracle Environment
What You Can Do with SSL
Architecture of SSL in an Oracle Environment
Components of SSL in an Oracle Environment
How SSL Works in an Oracle Environment: The SSL Handshake
SSL Beyond an Oracle Environment
SSL Combined with Other Authentication Methods
Architecture: Oracle Advanced Security and SSL
Using SSL with Other Authentication Methods
Issues When Using SSL
Enabling SSL
Task 1: Install Oracle Advanced Security and Related Products
Task 2: Configure SSL on the Client
Task 3: Configure SSL on the Server
Task 4: Log on to the Database
10 Configuring Entrust-Enabled SSL Authentication
Overview
Oracle Advanced Security
Entrust/PKI
Entrust-Enabled Oracle Advanced Security
System Components
Entrust/PKI 5.0.2 for Oracle
Entrust/Toolkit Server Login
Entrust IPSEC Negotiator Toolkit
Entrust Authentication Process
Enabling Entrust Authentication
Creating Entrust Profiles
Installing Oracle Advanced Security and Related Products
Configuring SSL on the Client and Server
Configuring Entrust on the Client
Configuring Entrust on the Server
Creating Database Users
Issues and Restrictions
11 Configuring Multiple Authentication Methods
Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Multiple Authentication Methods
Configuring Oracle8i for External Authentication
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value
Part IV Oracle DCE Integration
12 Overview of Oracle DCE Integration
Oracle DCE Integration Requirements
System Requirements
Backward Compatibility
The Distributed Computing Environment
Components of Oracle DCE Integration
DCE Communication/Security
DCE Cell Directory Services Native Naming
Flexible DCE Deployment
Release Limitations
13 Configuring DCE for Oracle DCE Integration
To Configure DCE for Oracle DCE Integration:
Task 1: Create New Principals and Accounts
Task 2: Install the Key of the Server into a Keytab File
Task 3: Configure DCE CDS for Use by Oracle DCE Integration
14 Configuring Oracle8i for Oracle DCE Integration
DCE Address Parameters
Configuring Oracle8i and Net8:
Task 1: Configure the Server
Task 2: Create and Name Externally-Authenticated Accounts
Task 3: Set up DCE Integration External Roles
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
Task 5: Configure the Client
Task 6: Configure Clients to Use DCE CDS Naming
15 Connecting to an Oracle Database in DCE
Starting the Listener
Connecting to an Oracle Database Server in the DCE Environment
Method 1
Method 2
16 DCE and Non-DCE Interoperability
Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
The listener.ora File
The tnsnames.ora File
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Net8
Part V Oracle8i Enterprise User Security
17 Managing Enterprise User Security
Part I: Overview / Concepts
Overview of Enterprise User Security
Introduction to Enterprise User Security
About Directories
Elements of Enterprise User Security Management
Overview of Enterprise User Security Management
The Enterprise User Security Process
Shared Schemas
Overview
Setting Up Shared Schemas
Shared Schema Functionality And SSL
Creating a Shared Schema
Creating an Enterprise User in the Directory
Mapping an Enterprise User to a Shared Schema
Current User Database Links
Oracle Enterprise User Security Components
Oracle Wallet Manager
Oracle Enterprise Login Assistant
Oracle Enterprise Security Manager
Part II: Procedure
Installing and Configuring Enterprise User Security
Task 1: Install or Identify a Certificate Service
Task 2: Install and Configure a Directory Service
Task 3: Install and Configure the Database
Task 4: Configure the Database for SSL
Task 5: Create and Configure the Wallet
Task 6: Create Global Schemas and Roles
Task 7: Configure Database Clients
Task 8: Configure an Enterprise Domain
Task 9: Configure Enterprise Users
Task 10: Log In as the Enterprise User
Troubleshooting Enterprise User Login
No Global Roles
TNS Lost Connection
ORA-1004: Default username feature not supported
ORA-1017: Invalid username/password
ORA-12560: Protocol adapter error
Decryption of Encrypted Private Key Fails
ORA-28030
Tracing
18 Using Oracle Wallet Manager
Overview
Managing Wallets
Starting Oracle Wallet Manager
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Using Oracle Wallet Manager with Oracle Application Server
Managing Certificates
Managing User Certificates
Managing Trusted Certificates
19 Using Oracle Enterprise Login Assistant
About Oracle Enterprise Login Assistant
Starting Oracle Enterprise Login Assistant
Enabling Automatic Login
Disabling Automatic Login
Changing a Wallet Password
20 Using Oracle Enterprise Security Manager
Introduction
Installing and Configuring Oracle Enterprise Security Manager
Task 1: Install Oracle Enterprise Security Manager
Task 2: Configure Oracle Enterprise Security Manager
Task 3: Start Oracle Enterprise Security Manager
Task 4: Log Into the Directory
Navigating Oracle Enterprise Security Manager
Changing a Search Base
Browsing the Directory
Administering Enterprise Databases, Domains, and Users
Administering Databases
Administering Enterprise Domains
Administering Enterprise Users
Managing Security Administrators
Part VI Appendices
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Encryption and Integrity Level Settings:
Encryption and Integrity Selected Lists
Seeding the Random Key Generator
B Authentication Parameters
Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Identix Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of Identix Biometric Parameters
Initialization File Parameters
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using SecurID Authentication
Parameters for Clients and Servers using RADIUS Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of RADIUS Parameters
Initialization File (init.ora) Parameters
Parameters for Clients and Servers using SSL
Authentication Parameters
Cipher Suites
SSL Version
SSL Client Authentication
Wallet Location
C Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface
D Oracle Advanced Security FIPS 140-1 Settings
Configuration Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selection List
Client Encryption Selection List