Oracle
Advanced Networking Option Administrator's Guide Release 8.0.3 A54084_01 |
|
This chapter contains information on how to configure Oracle for use with CyberSAFE, as well as a brief overview of the steps you need to follow to configure CyberSAFE to authenticate Oracle users. This information includes the following:
This section contains information on the following tasks:
Important:
You should perform these tasks in the order listed. |
For information on how to install the CyberSAFE Challenger Master Server on your machine, refer to the CyberSAFE documentation listed in the "Related Publications" section of the Preface of this guide.
For information on installing the CyberSAFE Challenger Client on clients, refer to the CyberSAFE documentation listed in the "Related Publications" section of the Preface of this guide.
Install the CyberSAFE Application Security Toolkit on the Oracle client and Oracle server machines.
For the Oracle server to validate the identity of clients, you need to configure a service principal for an Oracle server on the machine running the CyberSAFE Challenger Master Server. Also configure a realm if necessary.
The name of the principal should have the following format:
kservice/kinstance@REALM
where kservice is a string that represents the Oracle service. This may or may not be the same as the database service name; kinstance is typically the fully-qualified name of the machine on which Oracle is running, and REALM is the domain of the server.
For example, if kservice is "oracle", and the fully-qualified name of the machine on which Oracle is running is "dbserver.someco.com", and the realm is "SOMECO.COM", the principal name would be:
oracle/dbserver.someco.com@SOMECO.COM
Note:
It is a common convention to use the DNS domain name as the name of the realm. |
Run kdb5_edit as root to create the service principal.
# cd /krb5/admin # ./kdb5_edit
To add a principal called "oracle/dbserver.someco.com@SOMECO.COM" to the list of server principals known by CyberSAFE, from kdb5_edit type the following:
kdb5_edit: ark oracle/dbserver.someco.com@SOMECO.COM
You need to extract a service table from CyberSAFE and copy it to both the Oracle server and CyberSAFE Challenger client machines. For example, to extract a service table for dbserver.someco.com, type the following from kdb5_edit:
kdb5_edit: xst dbserver.someco.com oracle 'oracle/dbserver.someco.com@SOMECO.COM' added to keytab 'WRFILE:dbserver.someco.com-new-srvtab' kdb5_edit: exit # /krb5/bin/klist -k -t dbserver.someco.com-new-srvtab
Note:
If you do not enter a REALM (in the example, SOMECO.COM) when using xst, kdb5_edit uses the realm of the current host and displays it in the command output, as shown above. |
After the service table has been extracted, verify that the new entries are in the table in addition to the old entries. If the new entries are not in the service table, or if you need to add additional new entries, use kdb5_edit to append the additional entries.
At this point, you need to move the CyberSAFE service table to the CyberSAFE Challenger client machine. If the service table is on the same machine as the CyberSAFE client, you can simply move it (using a command such as that shown below). If the service table is on a different machine from the CyberSAFE Challenger client, you must transfer the file with a program like FTP. For example, to move it, type the following:
# mv dbserver.someco.com-new-srvtab /krb5/v5srvtab
Remember to transfer the file in binary mode when you use FTP.
Make sure that the owner of the Oracle Server executable can read the service table (in the previous example, /krb5/v5srvtab). Set the file owner to the Oracle user or make the file readable by the group to which Oracle belongs. Do not make the file readable to all users, since this would allow a security breach.
Install an Oracle server on the same machine that is running the CyberSAFE Challenger client. Refer to your operating system-specific documentation for information.
Install the Oracle Advanced Networking Option on your Oracle client and Oracle server machines. Refer to your operating system-specific documentation.
For information on how to configure Net8 and Oracle8 on servers and clients, see your operating system-specific documentation.
The following steps show you how to use the Net8 Assistant to configure the CyberSAFE authentication adapter. Refer also to the Net8 Assistant on-line HELP system for instructions on how to configure the CyberSAFE Authentication adapter.
Configure Clients, and Servers, to use encryption as follows. Refer to Figure 3-1, "Profile folder Encryption tab".
Next, you must configure an authentication service on your network. Refer to Figure 3-2, "Profile folder Authentication tab".
You now must configure the authentication parameters. Refer to Figure 3-3, "Profile folder Parameter tab". You must provide the value for only one parameter: GSSAPI Service.
oracle/dbserver.someco.com@SOMECO.COM
Perform the following steps to create Oracle users, so they can be authenticated by the CyberSAFE adapter:
Note:
Perform these steps on the authentication server (where the administration tools are installed). |
It is assumed that the realm already exists. (Refer to the CyberSAFE documentation listed in the "Preface" if the realm needs to be created.)
Note:
The utility names in this section are actual programs that you run. However, the CyberSAFE user name "cyberuser" and realm "SOMECO.COM" are examples only; these may vary among systems. |
Run /krb5/admin/kdb5_edit as root on the authentication server to create the new CyberSAFE user, that is, "cyberuser". Type the following:
Run Server Manager to create the Oracle user that corresponds to the CyberSAFE user, and perform the following commands on the Oracle server machine:
SVRMGR> connect internal; SVRMGR> create user "CYBERUSER@SOMECO.COM" identified externally; SVRMGR> grant create session to "CYBERUSER@SOMECO.COM";
In this example, OS_AUTHENT_PREFIX is set to:
""
When you create the Oracle user, the name must be in upper case and double-quoted. For example:
"CYBERUSER@SOMECO.COM"
Before users can connect to the database, they need to run kinit on the clients for an initial ticket.
% kinit (user name) Password for CYBERUSER@US.ORACLE.COM: <password not echoed to screen>
Users should run klist on the clients to list the tickets currently owned.
% klist
Creation Date | Expiration Date | Service |
11-Aug-95 16:29:51
|
12-Aug-95 00:29:21
|
krbtgt/SOMECO.COM@SOMECO.COM
|
11-Aug-95 16:29:51
|
12-Aug-95 00:29:21
|
oracledbserver.someco.com@SOMECO.COM
|
After running kinit to get an initial ticket, users can connect to an Oracle Server without using a username or password. Enter a command like the following:
% sqlplus /@service_name
where service_name is a Net8 service name.
For example:
% sqlplus /@npddoc_db
Refer to Chapter 1, "Overview of Network Security and Single Sign-On" and to Oracle8 Server Distributed Databases for more information on external authentication.
This section describes the parameters that need to exist in configuration files on Oracle servers and clients to enable CyberSAFE to authenticate users.
Note:
Use the Oracle Net8 Assistant to configure these files. |
Make sure the following line is present in the SQLNET.ORA file on the client:
SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)
Make sure the following lines are present in the SQLNET.ORA file on the server.
sqlnet.authentication_services=(CYBERSAFE) sqlnet.authentication_gssapi_service=oracle/dbserver.someco.com@SOMECO.COM
Note:
You must insert the principal name, using the format described in Section 3.1.4, "Configure a Service Principal for an Oracle Server". |
It is strongly recommended that you add the following parameter to the INIT<SID>.ORA file used for the database instance:
REMOTE_OS_AUTHENT=FALSE
where <SID> is the database system identifier.
CyberSAFE user names can be long and Oracle user names are limited to 30 characters, so it is strongly recommended that you use the following null value for the value of OS_AUTHENT_PREFIX:
OS_AUTHENT_PREFIX=""
Restart the Oracle server after modifying the configuration files, so the changes will take effect. (For information on how to restart the Oracle server refer to your operating system-specific documentation and to the Oracle8 Server Administrator's Guide.)
Following are some common configuration problems and tips to help resolve them:
|
Copyright © 1997 Oracle Corporation. All Rights Reserved. |
|