Oracle
Advanced Networking Option Administrator's Guide Release 8.0.3 A54084_01 |
|
The proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised, and the increase in distributed computing, in particular, has increased the vulnerability of this data.
The principal challenges in distributed environments are:
The Oracle Advanced Networking Option ensures data integrity through cryptographic checksums using the MD5 algorithm. It also ensures data privacy through encryption. Release 8.0.3 provides 40-bit, 56-bit, and 128-bit RSA RC4 algorithms as well as 40-bit and 56-bit DES algorithms.
Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. For example, unless you have confidence in user authentication mechanisms, how can you be sure that user Smith connecting to Server A from Client B really is user Smith? Furthermore, you need to have confidence in the way clients and servers are made known to one another over the network, so that you have assurance not only that user Smith is who she says she is, but that Client B and Server A are also what they claim to be. The Oracle Advanced Networking Option release 8.0.3 provides this authentication ability through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSAFE Challenger (a Kerberos-based authentication server), SecurID, and Identix TouchNet II. These adapters are described later in this chapter.
Note:
User authentication and authorization are already standard features of Oracle8; however, they are significantly enhanced in the Oracle Advanced Networking Option release 8.0.3. |
The first part of this chapter contains an introduction to the Oracle Advanced Networking Option encryption and checksumming features. These services are available to network products that use Net8, including the Oracle8 Server, Designer 2000, Developer 2000, and any other Oracle or third-party products that support Net8. For a comparison of the benefits of using one encryption algorithm over another, see Chapter 2.2, "Benefits of the Oracle Advanced Networking Option Encryption and Checksum Algorithms".
The second part of this chapter contains a discussion of how the Oracle Advanced Networking Option release 8.0.3 supports network user authentication in distributed environments through the use of Oracle authentication adapters.
For this release of the Oracle Advanced Networking Option, the following adapters are supported:
This release of the documentation only provides configuration instructions for Kerberos, CyberSAFE Challenger, SecurID, and Identix authentication adapters.
The Oracle Advanced Networking Option is an add-on product to standard Net8 which makes getting Net8 licenses a prerequisite. The Oracle Advanced Networking Option is an extra cost item, and to be functional, must be purchased on both the client and the server.
The Oracle Advanced Networking Option must be installed with the Oracle Installer (tapes, CDs, and floppies) on all clients and servers where the Oracle Advanced Networking Option is required.
To use the CyberSAFE Challenger Authentication Adapter you need to have:
To use the Kerberos Authentication Adapter you need to have:
To use the SecurID Authentication Adapter you need to have:
To use the Identix TouchNet II Authentication Adapter you need to have:
Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on Net8 and the Oracle8 Server. Along with the increased distribution of data in these environments comes increased exposure to theft of data through eavesdropping. In Wide Area Network (WAN) environments, both public carriers and private network owners often route portions of their network through either insecure land lines or extremely vulnerable microwave and satellite links, leaving valuable data open to view for any interested party. In Local Area Network (LAN) environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them. Even more dangerous is the possibility that a malicious third party can execute a computer crime by actually tampering with data as it moves between sites. Oracle Advanced Networking Option protects against these possibilities in distributed environments containing confidential or otherwise sensitive data.
To ensure that data has not been modified, deleted, or replayed during transmission, the Oracle Advanced Networking Option optionally generates a cryptographically secure message digest and includes it with each packet sent across the network.
To protect data from unauthorized viewing, the Oracle Advanced Networking Option includes an encryption module that uses the RSA Data Security RC4 encryption algorithm. Using a secret, randomly-generated key for every session, all network traffic is fully safeguarded (including all data values, SQL statements, and stored procedure calls and results). The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40 bits, 56 bits, and 128 bits.
Since the Oracle Advanced Networking Option RSA RC4 40-bit implementation meets the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.
For financial institutions and other organizations that are required to use the U.S. Data Encryption Standard (DES), the Oracle Advanced Networking Option for Domestic Use offers a standard, optimized 56-bit key DES encryption algorithm. Due to current U.S. government export restrictions, standard DES is initially available only to customers located in the U.S.A. and Canada. For customers located outside the U.S.A. and Canada, the Oracle Advanced Networking Option for Export Use also offers DES40, a version of DES which combines the standard DES encryption algorithm with the international availability of a 40-bit key. Selecting the algorithm to use for network encryption is a user configuration option, allowing varying levels of security and performance for different types of data transfers.
The Oracle Advanced Networking Option is fully supported by the Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.
The Oracle Advanced Networking Option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Networking Option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the MS-Windows platform. The portions of these products that use Oracle Display Manager (ODM) can not yet take advantage of the Oracle Advanced Networking Option, since ODM does not currently use Net8. A maintenance version of Release 10 will allow the Oracle Advanced Networking Option to be used in all parts of these applications.
In any network connection, it is possible that both ends (client and server) may support more than one encryption algorithm and more than one cryptographic checksumming algorithm. When each connection is made, the server decides which algorithm to use, if any, based on which algorithms are available on each end of the connection and on what preferences have been specified in the Net8 configuration files.
When the server is trying to find a match between the algorithms it has made available and the algorithms the client has made available, it picks the first algorithm in its own list that also appears in the client's list. If one side of the connection does not specify a list of algorithms, all the algorithms that are installed on that side are acceptable.
Encryption and checksumming parameters are defined by modifying SQLNET.ORA files for the clients and servers on your network. Refer to Appendix A, "Encryption and Checksum Parameters" for an example of a SQLNET.ORA file for the client and server nodes in a network using encryption and checksumming.
Oracle servers and the Oracle Advanced Networking Option together provide the enhanced client/server authentication required in distributed, heterogeneous environments.
In a distributed system, users may need to remember multiple passwords for the different applications and services that they use. To use a software development organization as an example, a developer may have access to an application in development on a workstation, a production system on a mini-computer, a PC for creating documents, and several mini-computers or workstations for testing, reporting bugs, configuration management, and so on. Administration of all these accounts and passwords is complex and time-consuming.
Users generally respond to multiple accounts in one of two ways: if they can choose their own passwords, they may standardize them so that they are the same on all machines (which results in a potentially large exposure in the event of a compromised password) or use passwords with slight variations (which may be easily guessed from knowing one password). Users with complex passwords may just write them down or forget them, either of which severely compromises password secrecy and service availability.
Providing a single sign-on, so that users can access multiple accounts and applications with a single password, eliminates the need for multiple passwords for users and simplifies management of user accounts and passwords for system administrators.
Among the types of authentication mechanisms that can be used in networked environments are the following:
These authentication mechanisms are discussed in more detail in the following sections.
In distributed environments, unless you can physically secure all connections in a network, which may be either physically or economically impossible, malefactors may hijack connections. For example, a transaction that should go from the Personnel system on Server A to the Payroll system on Server B may be intercepted in transit and routed instead to a terminal masquerading as Server B.
This threat may be addressed by having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers), rather than relying on parties identifying themselves to one another directly. By having a centralized, secure authentication service, you can have high confidence in the identity of users, clients, and servers in distributed environments. Network authentication services also can provide the benefit of single sign-on for users (refer to Section 1.5.1, "Why Single Sign-On?").
Figure 1-1, "How a Network Authentication Service Works" illustrates how a network authentication service typically operates, while the steps below describe each operation.
The Oracle Advanced Networking Option support for Kerberos and CyberSAFE provides the benefits of single sign-on and centralized authentication in an Oracle environment. As shown in Figure 1-2, "Net8 with authentication adapters", support for authentication services is provided through authentication adapters, which are very much like the existing Net8 protocol adapters. Authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.
Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security.
Support for Kerberos is provided in the Oracle Advanced Networking Option in two ways:
Token cards can provide improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the smart card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis, in which the server offers a challenge (a number) and the user types the challenge into a token card, which provides another number (cryptographically-derived from the challenge), which the user then offers to the server.
Token cards provide the following benefits:
The Oracle Advanced Networking Option supports the Security Dynamics'
SecurID card. SecurID provides two-factor user identification. Factor one
is something the user knows: a PIN. The second factor is something the
user possesses: the SecurID card. Single-use access codes change automatically
every 60 seconds, and no two cards ever display the same number at the
same time. The Oracle Advanced Networking Option support for SecurID provides
the convenience of token cards in an Oracle environment.
The Oracle Advanced Networking Option provides support for the Oracle Biometric Authentication adapter. Oracle Biometric Authentication adapters are used on both the clients and on the database servers to communicate biometric authentication data between the authentication server and the clients.
For clients and servers to be able to use an Oracle Authentication Adapter, the following parameter must be in the SQLNET.ORA configuration file:
SQLNET.AUTHENTICATION_SERVICES=(oracle_authent_adapter)
For example, the following parameter must be set in the SQLNET.ORA file on all clients and servers that use the Kerberos Authentication Adapter to authenticate users:
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
It is strongly recommended that when configuring the Oracle authentication adapters, you add the following parameter to the initialization file used for the database instance:
REMOTE_OS_AUTHENT=FALSE
If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication services requested by the client, the authentication service negotiation will fail, and the connection will be terminated.
If the following parameter is set in the SQLNET.ORA file on either the client or server side:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
the database will attempt to use the provided username and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE, the connection will fail.
Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. So, it is strongly recommended that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance:
OS_AUTHENT_PREFIX=""
Note:
The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string. |
The command to create a user is:
create user <os_authent_prefix><username> identified externally;
When OS_AUTHENT_PREFIX is set to a null value (""), you would create the user "king" with the following command:
create user king identified externally;
The advantage of creating a user in this way is that the administrator no longer needs to maintain different usernames for externally-identified users.
Note:
This applies to creating Oracle users for use with all Oracle authentication adapters. |
|
Copyright © 1997 Oracle Corporation. All Rights Reserved. |
|