Oracle Advanced Security Administrator's Guide
Release 8.1.5

A67766-01


Contents

Title and Copyright Information

Send Us Your Comments

Preface

Part I Oracle Advanced Security Features

1 Introduction to Oracle Advanced Security

About the Oracle Advanced Security Option
Network Security in a Distributed Environment
Features of the Oracle Advanced Security Option
Data Integrity
Data Privacy
Authentication
Authorization
Architecture of the Oracle Advanced Security Option
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Configuration for Network Authentication
Oracle Products Not Yet Supported

2 Configuring Encryption and Checksumming

Encryption in the Oracle Advanced Security Option
Domestic and Export Versions
Encryption Algorithms Supported
DES Algorithm Provides Standards-Based Encryption
DES40 Algorithm is Provided for International Use
RSA RC4 is a Highly Secure, High Speed Algorithm
RC4_56 and RC4_128 Can be Used by Domestic Customers
RC4_40 Can be Used by Customers Outside the US and Canada
SSL Can Provide Triple-DES
Checksumming in the Oracle Advanced Security Option
Diffie-Hellman-Based Key Management
Overview of Site-Specific Diffie-Hellman Encryption Enhancement
Overview of Authentication Key Fold-in Encryption Enhancement
Authentication Key Fold-in Feature Requires No Configuration
Configuring Encryption and Checksumming
How Encryption and Checksumming are Activated
Negotiating Encryption and Checksumming
Setting Encryption and Checksumming Parameters
Configure encryption on the client and the server
Configure checksumming on the client and the server

3 Configuring RADIUS Authentication

RADIUS Overview
RADIUS in an Oracle Environment
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication and Accounting
Step 1: Install RADIUS on the Oracle server and the Oracle client
Step 2: Configure RADIUS authentication
Basic RADIUS Configuration on the Oracle Client
Basic RADIUS Configuration on the Oracle Server
Configuration of Additional RADIUS Features
Step 3: Add the RADIUS client name to the RADIUS server database
Step 4: Create and grant access to a user
Step 5: Configure RADIUS Accounting
Set RADIUS Accounting on the Oracle Server
Configure the RADIUS Accounting Server
Step 6: Configure the authentication server for use with RADIUS
Step 7: Configure the RADIUS server for use with the authentication server
Step 8: Create and grant roles
Step 9: Specify the RADIUS secret key on the Oracle server
Logging in to the Database

4 Configuring CyberSafe Authentication

Enabling CyberSafe Authentication
Step 1: Install the CyberSafe server
Step 2: Install the CyberSafe TrustBroker client
Step 3: Install the CyberSafe Application Security Toolkit
Step 4: Configure a service principal for an Oracle server
Step 5: Extract the service table from CyberSafe
Step 6: Install an Oracle server
Step 7: Install the Oracle Advanced Security and the CyberSafe adapter
Step 8: Configure Net8 and Oracle on your server and client
Step 9: Configure CyberSafe authentication
Configure the authentication service on the client and the server
Configure CyberSafe authentication service parameters on the client and the server
Set INIT.ORA Parameter
Step 10: Create a CyberSafe User on the authentication server
Step 11: Create an externally authenticated Oracle user on the Oracle server
Step 12: Get the initial ticket for the Kerberos/Oracle user
Use klist on the Client to Display Credentials
Step 13: Connect to an Oracle server authenticated by CyberSafe
Troubleshooting the Configuration of the CyberSafe Authentication Adapter

5 Configuring Kerberos Authentication

Enabling Kerberos Authentication
Step 1: Install Kerberos
Step 2: Configure a service principal for an Oracle server
Step 3: Extract a service table from Kerberos
Step 4: Install an Oracle server and an Oracle client
Step 5: Install Net8
Step 6: Configure Net8 and Oracle
Step 7: Configure Kerberos authentication
Configure the authentication service on the client and the server
Configure authentication parameters on the Oracle server and client
Step 8: Create a Kerberos user
Step 9: Create an externally-authenticated Oracle user
Step 10: Get an initial ticket for the Kerberos/Oracle user
Utilities for the Kerberos Authentication Adapter
Use okinit to Obtain the Initial Ticket
Use oklist to Display Credentials
Use okdstry to Remove Credentials from Cache File
Connecting to an Oracle Server Authenticated by Kerberos
Troubleshooting the Configuration of Kerberos Authentication

6 Configuring SecurID Authentication

System Requirements
Known Limitations
Enabling SecurID Authentication
Step 1: Register Oracle as a SecurID client (ACE/Server Release 1.2.4)
Step 2: Install Oracle Advanced Security
Step 3: Ensure that Oracle can find the correct UDP port (ACE/Server Release 1.2.4)
Step 4: Configure Oracle as a SecurID client
Windows NT and Windows 95/98 Platforms
UNIX Platform and ACE/Server Release 1.2.4
UNIX Platform and ACE/Server Release 2.0
Step 5: Configure SecurID authentication
Configure an authentication method on the client and the server
Creating Users for SecurID Authentication
Step 1: Assign a card to a person by using the Security Dynamics sdadmin program
Step 2: Create an Oracle server account for this user
Step 3: Grant the user database privileges
Troubleshooting the Configuration of SecurID Authentication
Using SecurID Authentication
Logging in to the Oracle Server
Using Standard Cards
Using PINPAD Cards
Assigning a New PIN to a SecurID Card
Possible Reasons Why a PIN Would be Rejected
Logging in When the SecurID Card is in "Next Code" Mode
Logging in with a Standard Card
Logging in with a PINPAD Card

7 Configuring Identix Biometric Authentication

Overview
Architecture of the Biometric Authentication Service
Administration Architecture
Authentication Architecture
Prerequisites
Installing the TouchSAFE II Encrypt Device Driver for Windows NT
Biometric Manager PC
Client PC
Database Server
Biometric Authentication Service
Enabling Biometric Authentication
Step 1: Configure the database server that is to become the authentication server
Step 2: Configure Identix authentication
Step 3: Establish a net service name for the fingerprint repository server
Step 4: Verify that the address of the database server is accessible to the client
Step 5: Configure the manager PC
Administering the Biometric Authentication Service
Example
Authenticating Users With the Biometric Authentication Service
Troubleshooting

8 Configuring DCE GSSAPI Authentication

Configuring DCE GSSAPI Authentication
Step 1: Create the DCE principal
Step 2: Configure the new DCE principal and turn on DCE GSSAPI authentication
Step 3: Set up the account you will use to authenticate to the database
Step 4: Connect to an Oracle server using DCE GSSAPI authentication

9 Configuring SSL Authentication

SSL in an Oracle Environment
What You Can Do with the SSL Feature
Architecture of SSL in an Oracle Environment
Components of SSL in an Oracle Environment
Certificate
Certificate Authority (CA)
Wallet
How SSL Works in an Oracle Environment: The SSL Handshake
SSL beyond an Oracle Environment
SSL in Combination with Other Authentication Methods
Architecture of SSL in Combination with Other Authentication Methods
Example: Using SSL in Combination with Other Authentication Methods
Issues When Using SSL
Enabling SSL
Step 1: Install Oracle Advanced Security and the Oracle Wallet Manager
Step 2: Configure SSL on the client
If you have not yet configured SSL, specify client configuration
Set the Oracle wallet location
Set the SSL cipher suites (optional)
Set the required SSL version (optional)
Set SSL as an authentication service (optional)
Select "TCP/IP with SSL" as the Net Service Name
Step 3: Configure SSL on the server
If you have not yet configured SSL, specify server configuration
Set the Oracle wallet location
Set the SSL cipher suites (optional)
Set the required SSL version (optional)
Set SSL client authentication (optional)
Set SSL as an authentication service (optional)
Select "TCP/IP with SSL" as the listening endpoint
Step 4: Start the Oracle Wallet Manager
Step 5: Create a new wallet
Step 6: Install a certificate into the new wallet
Step 7: Add new trusted certificates
Step 8: Save changes to your wallet
Step 9: For single sign-on functionality, create an auto-login wallet
Step 10: Create a user identified globally through certificates on the Oracle server
Ongoing Administrative Tasks
Managing Wallets
Opening an Existing Wallet
Viewing Wallet Contents
Copying a Wallet to Remote Nodes
Managing Trusted Certificates
Adding a New Trusted Certificate
Viewing Existing Trusted Certificate Information
Deleting a Trusted Certificate
Saving a Wallet to an Existing WRL (Wallet Resource Locator)
Logging in to the Database

10 Choosing and Combining Authentication Methods

Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Oracle For Multiple Authentication Methods

Part II Oracle Advanced Security and Oracle DCE Integration

11 Overview of Oracle DCE Integration

System Requirements
Backward Compatibility
Overview of Distributed Computing Environment (DCE)
Overview of Oracle DCE Integration
Components of Oracle DCE Integration
DCE Communication/Security
DCE CDS Native Naming
Flexible DCE Deployment
Limitations in This Release

12 Configuring DCE for Oracle DCE Integration

Configuring DCE to Use DCE Integration
Step 1: Create New Principals and Accounts
Step 2: Install the Key of the Server into a Keytab File
Step 3: Configure DCE CDS for Use by Oracle DCE Integration
Create Oracle Directories in the CDS Namespace
Give Servers Permission to Create Objects in the CDS Namespace
Load Oracle Service Names Into CDS

13 Configuring Oracle for Oracle DCE Integration

DCE Address Parameters
Configuring the Server
LISTENER.ORA Parameters
Sample DCE Address in LISTENER.ORA
Creating and Naming Externally-Authenticated Accounts
Setting up DCE Integration External Roles
Connecting to Oracle Database as SYSDBA or SYSOPER using DCE
Configuring the Client
Parameters in PROTOCOL.ORA
Configuring Clients to Use DCE CDS Naming
Enable CDS for use in Performing Name Lookup
Modify the CDS Attributes File and Restart the CDS
Create a TNSNAMES.ORA For Loading Oracle Connect Descriptors into CDS
Load Oracle Connect Descriptors into CDS
Delete or Rename TNSNAMES.ORA File
Modify SQLNET.ORA Parameter File to Have Names Resolved in CDS
SQL*Net Release 2.3 and Later and Net8
Connect to Oracle Servers in DCE

14 Connecting to an Oracle Database in DCE

Starting the Network Listener
Connecting to an Oracle Database Server in the DCE Environment

15 DCE and Non-DCE Interoperability

Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
LISTENER.ORA
TNSNAMES.ORA
Using TNSNAMES.ORA for Name Lookup When CDS is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Net8

A Encryption and Checksumming Parameters

Sample SQLNET.ORA File
Encryption and Checksumming Parameters

B Authentication Parameters

Parameters for Clients and Servers using CyberSafe Authentication
SQLNET.ORA Parameters
INIT.ORA Parameters
Parameters for Clients and Servers using Kerberos Authentication
SQLNET.ORA Parameters
INIT.ORA Parameters
Parameters for Clients and Servers using SecurID Authentication
SQLNET.ORA Parameters
INIT.ORA Parameters
Parameters for Clients and Servers using RADIUS Authentication
SQLNET.ORA Parameters
INIT.ORA Parameters
Parameters for Clients and Servers using SSL
Authentication
Cipher Suites
Supported SSL Cipher Suites
SSL Version
SSL Client Authentication
Wallet Location

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface
Customizing the Challenge-Response User Interface

Glossary

Index

Copyright © 1999 Oracle Corporation. All Rights Reserved.