Oracle Advanced Networking Option Administrator's Guide
Release 8.0.3
A54084_01
Library
Product
Index
Contents
Title and Copyright Information
Preface
1 Overview of Network Security and Single Sign-On
1.1 What's Covered in this Chapter
1.2 Authentication Adapters Supported
1.2.1 System Requirements
1.2.1.1 CyberSAFE Challenger Authentication Adapter Requirements
1.2.1.2 Kerberos Authentication Adapter Requirements
1.2.1.3 SecurID Authentication Adapter Requirements
1.2.1.4 Identix TouchNet II
1.3 Protection from Tampering and Unauthorized Viewing
1.3.1 Verification of Data Integrity
1.3.2 High-Speed Global Data Encryption
1.3.3 Standards-Based Encryption
1.3.4 Data Security Across Protocols
1.3.5 The Oracle Advanced Networking Option is Not Yet Supported by Some Oracle Products
1.4 How Encryption and Checksumming are Activated
1.4.1 Encryption and Checksumming Configuration
1.5 The Oracle Advanced Networking Option Provides Enhanced Client/Server Authentication
1.5.1 Why Single Sign-On?
1.6 How Oracle Authentication Adapters Provide Enhanced Security
1.6.1 Network Authentication Services
1.6.2 Centralized Authentication
1.6.3 Kerberos and CyberSAFE Support
1.6.4 Token Cards
1.6.5 SecurID Token Card
1.6.6 Biometric Authentication Adapter
1.6.7 Oracle Parameters that Must be Configured for Network Authentication
1.6.7.1 Set REMOTE_OS_AUTHENT to False
1.6.7.2 Set OS_AUTHENT_PREFIX to a Null Value
2 Configuring Encryption and Checksumming
2.1 Where to Get Information on Installing the Oracle Advanced Networking Option
2.2 Benefits of the Oracle Advanced Networking Option Encryption and Checksum Algorithms
2.2.1 DES Algorithm Provides Standards-Based Encryption
2.2.2 DES40 Algorithm is Provided for International Use
2.2.3 RSA RC4 is a Highly Secure, High Speed Algorithm
2.2.4 RC4_56 and RC4_128 Can be Used by Domestic Customers
2.2.5 RC4_40 Can be Used by Customers Outside the US and Canada
2.3 Diffie-Hellman-Based Key Management
2.3.1 Overview of Site-Specific Diffie-Hellman Encryption Enhancement
2.3.1.1 How to Generate the Diffie-Hellman Parameters with naegen
2.3.2 Overview of Authentication Key Fold-in Encryption Enhancement
2.3.2.1 Authentication Key Fold-in Feature Requires no Configuration
2.3.3 The MD5 Message Digest Algorithm
2.3.4 Domestic and Export Versions
2.4 Overview of Encryption and Checksumming Configuration Parameters
2.4.1 Negotiating Encryption and Checksumming
2.4.2 What the Encryption and Checksumming Parameters Do
2.4.2.1 Server Encryption Level Setting
2.4.2.2 Client Encryption Level Setting
2.4.2.3 Server Encryption Selected List
2.4.2.4 Client Encryption Selected List
2.4.2.5 Server Checksum Level Setting
2.4.2.6 Client Checksum Level Setting
2.4.2.7 Server Checksum Selected List
2.4.2.8 Client Checksum Selected List
2.4.2.9 Client Profile Encryption
2.5 Using Oracle Net8 Assistant to Configure Servers and Clients to Use Encryption and Checksumming
2.5.1 Configure Servers and Clients to Use Encryption
2.5.2 Configure Servers and Clients to Use Checksumming
3
3 Configuring the CyberSAFE Authentication Adapter
3.1 Steps to Perform to Enable CyberSAFE Authentication
3.1.1 Install the CyberSAFE Server on the Machine that will Act as the Authentication Server
3.1.2 Install the CyberSAFE Challenger Client on the Same Machine that Runs the Oracle Server and the Client
3.1.3 Install the CyberSAFE Application Security Toolkit on the Client and on the Server
3.1.4 Configure a Service Principal for an Oracle Server
3.1.5 Extract the Service Table from CyberSAFE
3.1.5.1 Ensure that the Oracle Server Can Read the Service Table
3.1.6 Install an Oracle Server
3.1.7 Install the Oracle Advanced Networking Option
3.1.8 Configure Net8 and Oracle8 on your Server and Client
3.1.9 Configure the CyberSAFE Authentication Adapter using the Net8 Assistant
3.1.10 Create a CyberSAFE User on the Authentication Server
3.1.11 Create an Externally Authenticated Oracle User on the Oracle Server
3.1.12 Use kinit on the Client to Get the Initial Ticket for the Kerberos/Oracle User
3.1.12.1 Use klist on the Client to Display Credentials
3.1.13 Connect to an Oracle Server Authenticated by CyberSAFE
3.2 CyberSAFE Configuration Parameters Required on the Oracle Server and Client
3.2.1 Oracle Client Configuration Parameters
3.2.1.1 Required SQLNET.ORA Parameters
3.2.2 Oracle Server Configuration Parameters
3.2.2.1 Required SQLNET.ORA Parameters
3.2.2.2 Required INIT.ORA Parameters
3.3 Troubleshooting the Configuration of the CyberSAFE Authentication Adapter
4
4 Configuring the Kerberos Authentication Adapter
4.1 Steps to Perform to Enable Kerberos Authentication
4.1.1 Install Kerberos on the Machine that will Act as the Authentication Server
4.1.2 Configure a Service Principal for an Oracle Server
4.1.3 Extract a Service Table from Kerberos
4.1.3.1 Ensure that the Oracle Server Can Read the Service Table
4.1.4 Install an Oracle Server and an Oracle Client
4.1.5 Install Net8
4.1.6 Configure Net8 and Oracle on the Oracle Server and Client
4.1.7 Create a Kerberos User on the Kerberos Authentication Server
4.1.8 Create an Externally-Authenticated User on the Oracle Database
4.1.9 Get an Initial Ticket for the Kerberos/Oracle User
4.1.10 Utilities to Use with the Kerberos Authentication Adapter
4.1.10.1 Use okinit to Obtain the Initial Ticket
4.1.10.2 Use oklist to Display Credentials
4.1.10.3 Use okdstry to Remove Credentials from Cache File
4.1.11 Connecting to an Oracle Server Authenticated by Kerberos
4.2 Configure the Kerberos Authentication Adapter Using the Oracle Net8 Assistant
4.3 Description of Configuration File Parameters on Oracle Server and Client
4.3.1 Oracle Client Configuration Parameters
4.3.1.1 Required SQLNET.ORA Parameters
4.3.2 Oracle Server Configuration Parameters
4.3.2.1 Required SQLNET.ORA Parameters
4.3.2.2 Required Initialization Parameters
4.3.2.3 Optional SQLNET.ORA Parameters
4.4 Troubleshooting the Configuration of the Kerberos Authentication Adapter
5
5 Configuring Oracle for Use with the SecurID Adapter
5.1 System Requirements
5.2 Known Limitations
5.3 Steps to Perform to Enable SecurID Authentication
5.3.1 Register Oracle as a SecurID Client (ACE/Server Release 1.2.4)
5.3.2 Ensure that Oracle Can Find the Correct UDP Port (ACE/Server Release 1.2.4)
5.3.3 Install the Oracle Advanced Networking Option on the Oracle Server and Client
5.3.4 Configure Oracle as a SecurID Client (for ACE/Server Release 1.2.4)
5.3.4.1 Install the SecurID configuration files on the Oracle server machine.
5.3.5 Configure Oracle as a SecurID Client (Release ACE/Server 2.0)
5.3.5.1 Method #1
5.3.5.2 Method #2
5.4 Configure the SecurID Authentication Adapter using the Net8 Assistant
5.5 Creating Users for the SecurID Adapter
5.6 Troubleshooting the Configuration of the SecurID Authentication Adapter
5.7 Using the SecurID Authentication Adapter
5.8 Configure the Oracle Client to Use the SecurID Authentication Adapter
5.8.1 Log into the Oracle Server
5.8.1.1 Using Standard Cards
5.8.1.2 Using PINPAD Cards
5.8.2 Assign a New PIN to a SecurID Card
5.8.2.1 Possible Reasons Why a PIN Would be Rejected
5.8.3 Log in When the SecurID Card is in "Next Code" Mode
5.8.3.1 Log in with a Standard Card
5.8.3.2 Log in with a PINPAD Card
6 Configuring and Using the Identix Biometric Authentication Adapter
6.1 Overview
6.2 Architecture of the Biometric Authentication Service
6.2.1 Administration Architecture
6.2.2 Authentication Architecture
6.3 Prerequisites
6.3.1 Oracle Biometric Manager PC
6.3.2 Client PC
6.3.3 Database Server
6.3.4 Biometric Authentication Service
6.4 Configuring the Biometric Authentication Service
6.5 Configuring the Oracle Biometric Authentication Service using the Oracle Net8 Assistant
6.6 Administering the Oracle Biometric Authentication Service
6.6.1 Create a Hashkey on each of the Clients
6.6.2 Create Users for the Biometric Authentication Adapter
6.7 Authenticating Users With the Oracle Biometric Authentication Service
6.8 Using the Biometric Manager
6.8.1 Logging On
6.8.2 Displaying Oracle Biometric Authentication Service Data
6.8.2.1 The Object Tree Window
6.8.2.2 The Properties Window
6.9 Troubleshooting
7 Choosing and Combining Authentication Services
7.1 Connect with a Username/Password When Authentication Has Been Configured
7.1.1 Configure No Authentication
7.2 Set Up an Oracle Server With Multiple Authentication Services
7.3 Set Up an Oracle Client to Use Multiple Authentication Services
7.4 Use the Oracle Net8 Assistant to Set Up Multiple Authentication Services
8 Configuring the DCE GSSAPI Authentication Adapter
8.1 Create the DCE Principal
8.2 Set Up Parameters to Use the New DCE Principal, and Turn On DCE GSSAPI Authentication
8.3 Set Up the Account You Will Use to Authenticate to the Database
8.4 Connect to an Oracle Server Using DCE GSSAPI Authentication
9 Overview of Oracle DCE Integration
9.1 System Requirements
9.2 Backward Compatibility
9.3 Overview of Distributed Computing Environment (DCE)
9.4 Overview of Oracle DCE Integration
9.4.1 DCE Communication/Security Adapter
9.4.2 DCE CDS Native Naming Adapter
9.4.3 Flexible DCE Deployment
9.4.4 Limitations in This Release
10 Configuring DCE for Oracle DCE Integration
10.1 Overview
10.2 Create New Principals and Accounts
10.3 Install the Key of the Server into a Keytab File
10.4 Configuring DCE CDS for Use by Oracle DCE Integration
10.4.1 Create Oracle Directories in the CDS Namespace
10.4.2 Give Servers Permission to Create Objects in the CDS Namespace
10.4.3 Load Oracle Service Names Into CDS
11 Configuring Oracle for DCE Integration
11.1 DCE Address Parameters
11.2 Configuring the Server
11.2.1 LISTENER.ORA Parameters
11.2.2 Sample DCE Address in LISTENER.ORA
11.3 Creating and Naming Externally-Authenticated Accounts
11.4 Setting up DCE Integration External Roles
11.5 Configuring the Client
11.5.1 Description of Parameters in PROTOCOL.ORA
11.6 Configuring Clients to Use the DCE CDS Naming Adapter
11.6.1 Enable CDS for use in Performing Name Lookup
11.6.2 Modify the CDS Attributes File and Restart the CDS
11.6.3 Create a TNSNAMES.ORA For Loading Oracle Connect Descriptors into CDS
11.6.4 Load Oracle Connect Descriptors into CDS
11.6.5 Delete or Rename TNSNAMES.ORA File
11.6.6 Modify SQLNET.ORA Parameter File to Have Names Resolved in CDS
11.6.6.1 SQL*Net Release 2.2 or Earlier
11.6.6.2 SQL*Net Release 2.3 and Later
11.6.7 Connect to Oracle Servers in DCE
12 Connecting to an Oracle Database in DCE
12.1 Starting the Network Listener
12.2 Connecting to an Oracle Database Server in the DCE Environment
13 DCE and Non-DCE Interoperability
13.1 Connecting Clients Outside DCE to Oracle Servers in DCE
13.2 Sample Parameter Files
13.2.1 LISTENER.ORA
13.2.2 TNSNAMES.ORA
13.3 Using TNSNAMES.ORA for Name Lookup When CDS is Inaccessible
13.3.1 SQL*Net Release 2.2 and Earlier
13.3.2 SQL*Net Release 2.3 and Net8
A Encryption and Checksum Parameters
A.1 SQLNET.ORA for a Single Community Set of Clients and Servers
B Authentication Parameters
B.1 Configuration Files for Clients and Servers using CyberSAFE Authentication
B.1.1 SQLNET.ORA
B.1.2 INIT.ORA
B.2 Configuration Files for Clients and Servers using Kerberos Authentication
B.2.1 SQLNET.ORA
B.2.2 INIT.ORA
B.3 Configuration Files for Clients and Servers using SecurID Authentication
B.3.1 SQLNET.ORA
B.3.2 INIT.ORA
Glossary
Index
Next
Copyright © 1997 Oracle Corporation.
All Rights Reserved.
Library
Product
Index