Oracle Database Advanced Security 10g Release 1 Administrator'S Manual Download Page 213

Page: 213 / 518

Certificate Validation with Certificate Revocation Lists

Configuring Secure Sockets Layer Authentication

7-47

If necessary, use the

orapki

utility to configure CRLs for system use as

follows:

–

For CRLs stored on your local file system, see

"Renaming CRLs with a

Hash Value for Certificate Validation"

on page 7-41

–

CRLs stored in the directory, see

"Uploading CRLs to Oracle Internet

Directory"

on page 7-42

OID hostname or port number not set

Cause:

Oracle Internet Directory (OID) connection information is not set. Note

that this is not a fatal error. The search continues with CRL DP.

Action:

If you want to store the CRLs in Oracle Internet Directory, then use

Oracle Net Configuration Assistant to create and configure an

ldap.ora

file

for your Oracle home. See

"To create an ldap.ora file for your Oracle home:"

page 12-7

Fetch CRL from CRL DP: No CRLs found

Cause:

The CRL could not be fetched by using the CRL DP. This happens if the

certificate does not have a location specified in its CRL DP extension, or if the
URL specified in the CRL DP extension is incorrect.

Action:

Manually download the CRL. Then depending on whether you want to

store it on your local file system or in Oracle Internet Directory, perform the
following steps:

If you want to store the CRL on your local file system:

Use Oracle Net Manager to specify the path to the CRL directory or file. See

"Configuring Certificate Validation with Certificate Revocation Lists"

page 7-37

Use the

orapki

utility to configure the CRL for system use. See

"Renaming

CRLs with a Hash Value for Certificate Validation"

on page 7-41

If you want to store the CRL in Oracle Internet Directory:

Use Oracle Net Configuration Assistant to create and configure an

ldap.ora

file with directory connection information. See

"To create an

ldap.ora file for your Oracle home:"

on page 12-7

Use the

orapki

utility to upload the CRL to the directory. See

"Uploading

CRLs to Oracle Internet Directory"

on page 7-42

Summary of Contents for Database Advanced Security 10g Release 1

Page 1: ...Oracle Database Advanced Security Administrator s Guide 10g Release 1 10 1 Part No B10772 01 December 2003 ...

Page 2: ...ed Rights Notice Programs delivered subject to the DOD FAR Supplement are commercial computer software and use duplication and disclosure of the Programs including documentation shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement Otherwise Programs delivered subject to the Federal Acquisition Regulations are restricted computer software and use dupli...

Page 3: ...nd others Project Athena Athena Athena MUSE Discuss Hesiod Kerberos Moira and Zephyr are trademarks of the Massachusetts Institute of Technology M I T No commercial use of these trademarks may be made without prior written permission of M I T Commercial use means use of a name in a product or other for profit manner It does NOT prevent a commercial firm from referring to the M I T trademarks in or...

Page 4: ... for inclusion in the standard Kerberos 5 distribution This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by M I T and the Kerberos community Portions contributed by Matt Crawford crawdad fnal gov were work performed at Fermi National Accelerator Laboratory which is operated by Universities Researc...

Page 5: ...Environment 1 1 Security in Enterprise Grid Computing Environments 1 2 Security in an Intranet or Internet Environment 1 2 Common Security Threats 1 3 Solving Security Challenges with Oracle Advanced Security 1 4 Data Encryption 1 5 Strong Authentication 1 8 Enterprise User Management 1 13 Oracle Advanced Security Architecture 1 15 Secure Data Transfer Across Network Protocol Boundaries 1 16 Syste...

Page 6: ... 2 34 Duties of an Enterprise User Security Administrator DBA 2 35 Part II Network Data Encryption and Integrity 3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients Oracle Advanced Security Encryption 3 1 About Encryption 3 2 Advanced Encryption Standard 3 2 DES Algorithm Support 3 2 Triple DES Support 3 2 RSA RC4 Algorithm for High Speed Encryption 3 3 Oracle Advanc...

Page 7: ...Modes 5 3 Synchronous Authentication Mode 5 3 Challenge Response Asynchronous Authentication Mode 5 5 Enabling RADIUS Authentication Authorization and Accounting 5 8 Task 1 Install RADIUS on the Oracle Database Server and on the Oracle Client 5 9 Task 2 Configure RADIUS Authentication 5 9 Task 3 Create a User and Grant Access 5 17 Task 4 Configure External RADIUS Authorization optional 5 17 Task 5...

Page 8: ...g to an Oracle Database Server Authenticated by Kerberos 6 13 Configuring Interoperability with a Windows 2000 Domain Controller KDC 6 13 Task 1 Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC 6 14 Task 2 Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client 6 15 Task 3 Configuring an Oracle Database to Interoperate w...

Page 9: ...e Validation 7 45 Configuring Your System to Use Hardware Security Modules 7 48 General Guidelines for Using Hardware Security Modules with Oracle Advanced Security 7 48 Configuring Your System to Use nCipher Hardware Security Modules 7 49 Troubleshooting Using Hardware Security Modules 7 50 8 Using Oracle Wallet Manager Oracle Wallet Manager Overview 8 2 Wallet Password Management 8 2 Strong Wall...

Page 10: ...ertificates 8 25 9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security Connecting with User Name and Password 9 1 Disabling Oracle Advanced Security Authentication 9 2 Configuring Multiple Authentication Methods 9 4 Configuring Oracle Database for External Authentication 9 5 Setting the SQLNET AUTHENTICATION_SERVICES Parameter in sqlnet ora 9 5 Verifying that REMOTE_...

Page 11: ...d Authentication 10 25 Connecting Clients Outside DCE to Oracle Servers in DCE 10 25 Sample Parameter Files 10 25 Using tnsnames ora for Name Lookup When CDS Is Inaccessible 10 28 Part IV Enterprise User Security 11 Getting Started with Enterprise User Security Introduction to Enterprise User Security 11 2 The Challenges of User Management 11 2 Enterprise User Security The Big Picture 11 3 About E...

Page 12: ...se User Security 12 26 ORA Errors for Password Authenticated Enterprise Users 12 26 ORA Errors for Kerberos Authenticated Enterprise Users 12 29 ORA Errors for SSL Authenticated Enterprise Users 12 32 NO GLOBAL ROLES Checklist 12 33 USER SCHEMA ERROR Checklist 12 34 DOMAIN READ ERROR Checklist 12 35 13 Administering Enterprise User Security Enterprise User Security Administration Tools Overview 13...

Page 13: ...p to an Enterprise Role 13 28 Granting Enterprise Roles to Users 13 31 Part V Appendixes A Data Encryption and Integrity Parameters Sample sqlnet ora File A 1 Data Encryption and Integrity Parameters A 3 Encryption and Integrity Parameters A 4 Seeding the Random Key Generator Optional A 8 B Authentication Parameters Parameters for Clients and Servers using Kerberos Authentication B 1 Parameters fo...

Page 14: ... Physical Security D 5 E orapki Utility orapki Utility Overview E 2 orapki Utility Syntax E 2 Creating Signed Certificates for Testing Purposes E 3 Managing Oracle Wallets with orapki Utility E 4 Creating and Viewing Oracle Wallets with orapki E 4 Adding Certificates and Certificate Requests to Oracle Wallets with orapki E 5 Exporting Certificates and Certificate Requests from Oracle Wallets with ...

Page 15: ... for Entrust Enabled SSL F 8 Configuring SSL on the Client and Server for Entrust Enabled SSL F 8 Configuring Entrust on the Client F 8 Configuring Entrust on the Server F 9 Creating Entrust Enabled Database Users F 12 Logging Into the Database Using Entrust Enabled SSL F 12 Issues and Restrictions that Apply to Entrust Enabled SSL F 12 Troubleshooting Entrust In Oracle Advanced Security F 13 Erro...

Page 16: ...ion Utility Parameters G 12 User Migration Utility Usage Examples G 20 Migrating Users While Retaining Their Own Schemas G 20 Migrating Users and Mapping to a Shared Schema G 21 Migrating Users Using the PARFILE USERSFILE and LOGFILE Parameters G 25 Troubleshooting Using the User Migration Utility G 26 Common User Migration Utility Error Messages G 26 Common User Migration Utility Log Messages G 3...

Page 17: ...xvii ...

Page 18: ...nager Console Edit Group Page 2 29 2 13 Enterprise Security Manager Console Realm Configuration Tabbed Window 2 30 2 14 Opening Page of Oracle Net Configuration Assistant 2 33 3 1 Oracle Advanced Security Encryption Window 3 10 3 2 Oracle Advanced Security Integrity Window 3 12 5 1 RADIUS in an Oracle Environment 5 2 5 2 Synchronous Authentication Sequence 5 4 5 3 Asynchronous Authentication Seque...

Page 19: ...ise Security Manager Databases Tab Database Membership 13 17 13 7 Enterprise Security Manager Add Databases Window 13 18 13 8 Enterprise Security Manager Database Schema Mappings Tab 13 21 13 9 Enterprise Security Manager Add Database Schema Mappings Window 13 22 13 10 Enterprise Security Manager Add Accessible Enterprise Domains Dialog Box 13 24 13 11 Enterprise Security Manager Create Enterprise...

Page 20: ...xx ...

Page 21: ...inistrative Tasks 2 36 3 1 Encryption and Data Integrity Negotiations 3 8 3 2 Valid Encryption Algorithms 3 11 3 3 Valid Integrity Algorithms 3 13 4 1 ORACLE NET ENCRYPTION_CLIENT Parameter Attributes 4 4 4 2 ORACLE NET ENCRYPTION_TYPES_CLIENT Parameter Attributes 4 5 4 3 ORACLE NET CRYPTO_CHECKSUM_CLIENT Parameter Attributes 4 5 4 4 ORACLE NET CRYPTO_CHEKSUM_TYPES_CLIENT Parameter Attributes 4 6 ...

Page 22: ...HENTICATION_PORT Parameter Attributes B 3 B 5 SQLNET RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes B 3 B 6 SQLNET RADIUS_AUTHENTICATION_RETRIES Parameter Attributes B 3 B 7 SQLNET RADIUS_SEND_ACCOUNTING Parameter Attributes B 4 B 8 SQLNET RADIUS_SECRET Parameter Attributes B 4 B 9 SQLNET RADIUS_ALTERNATE Parameter Attributes B 4 B 10 SQLNET RADIUS_ALTERNATE_PORT Parameter Attributes B 4 B 11 ...

Page 23: ...u like most If you find any errors or have any other suggestions for improvement please indicate the document title and part number and the chapter section and page number if available You can send com ments to us in the following ways Electronic mail infodev_us oracle com FAX 650 506 7227 Attn Server Technologies Documentation Manager Postal service Oracle Corporation Server Technologies Document...

Page 24: ...xxiv ...

Page 25: ... and securely extend them to the Internet It provides a single source of integration with multiple network encryption and authentication solutions single sign on services and security protocols The Oracle Database Advanced Security Administrator s Guide describes how to implement configure and administer Oracle Advanced Security This preface contains these topics Audience Organization Related Docu...

Page 26: ...rity features provided with this release Chapter 2 Configuration and Administration Tools Overview This chapter provides an introduction and overview of Oracle Advanced Security GUI and command line tools Part II Network Data Encryption and Integrity Chapter 3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients This chapter describes how to configure data encryption an...

Page 27: ...tion This chapter describes how Oracle Advanced Security supports a public key infrastructure PKI It includes a discussion of configuring and using the Secure Sockets Layer SSL certificate validation and hardware security module support features of Oracle Advanced Security Chapter 8 Using Oracle Wallet Manager This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI...

Page 28: ...ns how to configure Enterprise User Security providing a configuration steps roadmap and the tasks required to configure password SSL and Kerberos based Enterprise User Security authentication Chapter 13 Administering Enterprise User Security This chapter describes how to use the Enterprise Security Manager to define directory identity management realm properties and to manage enterprise users ent...

Page 29: ...Sockets Layer SSL authentication Appendix G Using the User Migration Utility This appendix describes the User Migration Utility which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users It provides utility syntax prerequisites and usage examples Glossary Related Documentation For more information see these Oracle resou...

Page 30: ...om Security Dynamics ACE Server Client for UNIX from Security Dynamics ACE Server Installation Manual from Security Dynamics RADIUS Administrator s Guide Notes about building and installing Kerberos from Kerberos version 5 source distribution Entrust PKI for Oracle Administering Entrust PKI on UNIX Transarc DCE User s Guide and Reference Transarc DCE Application Development Guide Transarc DCE Appl...

Page 31: ...ction describes the conventions used in the text and code examples of this documentation set It describes Conventions in Text Conventions in Code Examples Conventions for Windows Operating Systems Conventions in Text We use various conventions in text to help you more quickly identify special terms The following table describes those conventions and provides examples of their use Convention Meanin...

Page 32: ...ocedure lowercase monospace fixed width font Lowercase monospace typeface indicates executables filenames directory names and sample user supplied elements Such elements include computer and database names net service names and connect identifiers as well as user supplied database objects and structures column names packages and classes usernames and roles program units and parameter values Note S...

Page 33: ...veral lines of code not directly related to the example SQL SELECT NAME FROM V DATAFILE NAME fsl dbs tbs_01 dbf fs1 dbs tbs_02 dbf fsl dbs tbs_09 dbf 9 rows selected Other notation You must enter symbols other than brackets braces vertical bars and ellipsis points as shown acctbal NUMBER 11 2 acct CONSTANT NUMBER 4 3 Italics Italicized text indicates placeholders or variables for which you must su...

Page 34: ...Programs Oracle HOME_ NAME Configuration and Migration Tools Database Configuration Assistant File and directory names File and directory names are not case sensitive The following special characters are not allowed left angle bracket right angle bracket colon double quotation marks slash pipe and dash The special character backslash is treated as an element separator even when it appears in quote...

Page 35: ...stalled Oracle components all subdirectories were located under a top level ORACLE_HOME directory For Windows NT the default location was C orant This release complies with Optimal Flexible Architecture OFA guidelines All subdirectories are not under a top level ORACLE_HOME directory There is a top level directory called ORACLE_BASE that by default is C oracle If you install the latest Oracle rele...

Page 36: ...n be accessible to all of our customers For additional information visit the Oracle Accessibility Program Web site at http www oracle com accessibility Accessibility of Code Examples in Documentation JAWS a Windows screen reader may not always correctly read the code examples in this document The conventions for writing code require that closing braces should appear on an otherwise empty line howe...

Page 37: ...ecurity Oracle Database 10g Release 1 10 1 New Features in Oracle Advanced Security Oracle Advanced Security 10g Release 1 10 1 includes new features in the following areas New Features in Strong Authentication New Features in Enterprise User Security New Features in Strong Authentication Oracle Advanced Security provides several strong authentication options including support for RADIUS Kerberos ...

Page 38: ...ryptographic operations to off load RSA operations from the server freeing the CPU to respond to other transactions CRL Certificate Revocation Lists and CRLDP CRL Distribution Point Support for Certificate Validation In the current release you now have the option to configure certificate revocation status checking for both the client and the server Certificate revocation status is checked against ...

Page 39: ...credentials for the directory and multiple databases SASL Simple Authentication and Security Layer is a standard defined in the Internet Engineering Task Force RFC 2222 It is a method for adding authentication support to connection based protocols such as LDAP Support for User Management in Third Party LDAP Directories In the current release of Enterprise User Security you can store and manage you...

Page 40: ...Security Manager Console and Oracle Wallet Manager The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant If you used Oracle Enterprise Login Assistant to Then now you should use Change the directory to database password Enterprise Security Manager Console Change an Oracle wallet password Oracle Wallet Manag...

Page 41: ...e of SSL transactions New Enterprise User Security Tool User Migration Utility This utility enables administrators to perform bulk migrations of database users to Oracle Internet Directory for centralized user storage and management See Also Advanced Encryption Standard on page 1 6 for a brief overview of this encryption algorithm Chapter 3 Configuring Network Data Encryption and Integrity for Ora...

Page 42: ...xlii ...

Page 43: ... part introduces Oracle Advanced Security describing the security solutions it provides its features and its tools It contains the following chapters Chapter 1 Introduction to Oracle Advanced Security Chapter 2 Configuration and Administration Tools Overview ...

Page 44: ......

Page 45: ...oss Network Protocol Boundaries System Requirements Oracle Advanced Security Restrictions Security Challenges in an Enterprise Environment To increase efficiency and lower costs companies adopt strategies to automate business processes One such strategy is to conduct more business on the Web but that requires greater computing power translating to higher IT costs In response to rising IT costs mor...

Page 46: ...ition of who is a user and what are they allowed to do Without such uniform definitions administrators frequently must assign manage and revoke authorizations for every user on different software applications to protect employee customer and partner information This is expensive because it takes time which drives up costs Consequently the cost savings gained with grid computing are lost Heterogene...

Page 47: ...e and satellite links or a number of servers exposing valuable data to interested third parties In local area network environments within a building or campus the potential exists for insiders with access to the physical wiring to view data not intended for them and network sniffers can be installed to eavesdrop on network traffic Data Tampering Distributed environments bring with them the possibi...

Page 48: ...word They can also use passwords with slight variations that can be easily derived from known passwords Users with complex passwords may write them down where an attacker can easily find them or they may just forget them requiring costly administration and support efforts All of these strategies compromise password secrecy and service availability Moreover administration of multiple user accounts ...

Page 49: ...k to avoid eavesdropping If all communication between the client the database and the application server is encrypted then when the manager sends the bonus amount to the database it is protected Figure 1 1 Encryption This section discusses the following topics Supported Encryption Algorithms Data Integrity Federal Information Processing Standard Supported Encryption Algorithms Oracle Advanced Secu...

Page 50: ...rity for a minimal performance penalty For the RC4 algorithm Oracle provides encryption key lengths of 40 bits 56 bits 128 bits and 256 bits DES Encryption Oracle Advanced Security implements the U S Data Encryption Standard algorithm DES with a standard optimized 56 bit key encryption algorithm and also provides DES40 a 40 bit version for backward compatibility Triple DES Encryption Oracle Advanc...

Page 51: ...erhead and protect against the following attacks Data modification Deleted packets Replay attacks Federal Information Processing Standard Oracle Advanced Security Release 8 1 6 has been validated under U S Federal Information Processing Standard 140 1 FIPS at the Level 2 security level This provides independent confirmation that Oracle Advanced Security conforms to federal government standards FIP...

Page 52: ...embers of the network clients to servers servers to servers users to both clients and servers is one effective way to address the threat of network nodes falsifying their identities Figure 1 2 Strong Authentication with Oracle Authentication Adapters This section contains the following topics Centralized Authentication and Single Sign On Supported Authentication Methods Centralized Authentication ...

Page 53: ...rvice typically operates Figure 1 3 How a Network Authentication Service Authenticates a User 1 A user client requests authentication services and provides identifying information such as a token or password 2 The authentication server validates the user s identity and passes a ticket or credentials back to the client which may include an expiration time Authentication Server User Oracle Server 1 ...

Page 54: ...Oracle Advanced Security support for Kerberos provides the benefits of single sign on and centralized authentication of Oracle users Kerberos is a trusted third party authentication system that relies on shared secrets It presumes that the third party is secure and provides single sign on capabilities centralized password storage database link authentication and enhanced PC security It does this t...

Page 55: ...onse another number cryptographically derived from the challenge that the user enters and sends to the server You can use SecurID tokens through the RADIUS adapter DCE Distributed Computing Environment DCE is a set of integrated network services that works across multiple systems to provide a distributed environment Oracle DCE Integration consists of the following two components DCE Communication ...

Page 56: ...icate revocation lists CRLs Hardware security module support Entrust PKI Oracle Advanced Security supports the public key infrastructure provided by the Entrust PKI software from Entrust Technologies Inc Entrust enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign on into their Oracle applications and it lets Oracle users incorporate Entrust based single sign on into...

Page 57: ...information 1 A database server authenticates a user by accessing information stored in the directory 2 4 Once authenticated a user can access the databases which are configured for enterprise user security Figure 1 4 Centralized User Management with Enterprise User Security This centralized configuration enables the administrator to modify information in one location the directory It also lowers ...

Page 58: ... SSL with digital certificates See Also For detailed discussions of Enterprise User Security concepts configuration and management refer to the following chapters in this manual Chapter 11 Getting Started with Enterprise User Security Chapter 12 Enterprise User Security Configuration Tasks and Troubleshooting Chapter 13 Administering Enterprise User Security ...

Page 59: ...ced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters As shown in Figure 1 6 authentication adapters integrate below the Oracle Net interface and let existing applications take advantage of new authentication systems transparently without any changes to the application Client Application OCI Oracle Protocols Network Specific Protocols To Ne...

Page 60: ...nection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re encryption System Requirements Oracle Advanced Security is an add on product bundled with the Oracle Net Server or Oracle Net Client It must be purchased and installed on both the client and the server Oracle Advanced Security 10g Release 1 10 1 requires Oracle Net 10g Release 1 10 1 ...

Page 61: ...ilable with Oracle Database Standard Edition Table 1 1 Authentication Methods and System Requirements Authentication Method System Requirements Kerberos MIT Kerberos Version 5 release 1 1 The Kerberos authentication server must be installed on a physically secure machine RADIUS A RADIUS server that is compliant with the standards in the Internet Engineering Task Force IETF RFC 2138 Remote Authenti...

Page 62: ...Oracle Advanced Security Restrictions 1 18 Oracle Database Advanced Security Administrator s Guide ...

Page 63: ...be configured to interoperate with an LDAP directory such as Oracle Internet Directory to enable Enterprise User Security a feature that enables you to store and manage database users in a centralized directory Such diverse advanced security features require a diverse set of tools with which to configure and administer them This chapter introduces the tools used to configure and administer advance...

Page 64: ... it also enables you to configure the following Oracle Advanced Security features which use the Oracle Net protocol Strong authentication Kerberos RADIUS and Secure Sockets Layer Network encryption RC4 DES Triple DES and AES Checksumming for data integrity MD5 SHA 1 This section introduces you to the features of Oracle Net Manager that are used to configure Oracle Advanced Security It contains the...

Page 65: ... Navigating to the Oracle Advanced Security Profile The Oracle Net Manager interface window contains two panes the navigator pane and the right pane which displays various property sheets that enable you to configure network components When you select a network object in the navigator pane its associated property sheets displays in the right pane To configure Oracle Advanced Security features choo...

Page 66: ...dvanced Security Profile in Oracle Net Manager Oracle Advanced Security Profile Property Sheets The Oracle Advanced Security Profile contains the following property sheets which are described in the following sections Authentication Property Sheet Other Params Property Sheet Integrity Property Sheet Encryption Property Sheet SSL Property Sheet ...

Page 67: ...ient or server connections with native encryption algorithms SSL Property Sheet Use this property sheet to configure Secure Sockets Layer SSL including the wallet location and cipher suite on a client or server Oracle Advanced Security Kerberos Adapter Command Line Utilities The Oracle Advanced Security Kerberos adapter provides three command line utilities that enable you to obtain cache display ...

Page 68: ...eir Oracle wallets A wallet is a password protected container that is used to store authentication and signing credentials including private keys certificates and trusted certificates needed by SSL You can use Oracle Wallet Manager to perform the following tasks The following topics introduce the Oracle Wallet Manager user interface Starting Oracle Wallet Manager Navigating the Oracle Wallet Manag...

Page 69: ... the following at the command line owm Windows Choose Start Programs Oracle HOME_NAME Integrated Management Tools Wallet Manager Navigating the Oracle Wallet Manager User Interface The Oracle Wallet Manager interface includes two panes a toolbar and various menu items as shown in Figure 2 2 Figure 2 2 Oracle Wallet Manager User Interface ...

Page 70: ... Right Pane The right pane displays information about an object that is selected in the navigator pane The right pane is read only Figure 2 3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane Information about the request and the requester s identity display in the Requested Identity Key Size and Key Type fields The PKCS 10 encoded certif...

Page 71: ...an copy this request into an e mail or export it into a file Figure 2 3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane Toolbar The toolbar contains buttons that enable you to manage your wallets Move the mouse cursor over a toolbar button to display a description of the button s function The toolbar buttons are listed and described in Table 2 2 ...

Page 72: ...ble 2 3 Oracle Wallet Manager Wallet Menu Options Option Description New Creates a new wallet Open Opens an existing wallet Close Closes the currently open wallet Upload Into The Directory Service Uploads a wallet to a specified LDAP directory server You must supply a directory password hostname and port information Download From The Directory Service Downloads a wallet from a specified LDAP direc...

Page 73: ...ve Certificate Request Deletes the certificate request in the currently open wallet You must remove the associated user certificate before you can delete a certificate request Remove User Certificate Deletes the user certificate from the currently open wallet Remove Trusted Certificate Removes the trusted certificate that is selected in the navigator pane from the currently open wallet You must re...

Page 74: ...all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1 us acme com and that uses port 389 orapki crl list ldap machine1 us acme com 389 Table 2 5 Oracle Wallet Manager Help Menu Options Option Description Contents Opens Oracle Wallet Manager online help Search for Help on Opens Oracle Wallet Manager online help and displays the Search tab About Oracle...

Page 75: ...sponding entry and subtree in Oracle Internet Directory Table 2 6 Enterprise User Security Tools Summary Tool Task Database Configuration Assistant Register and un register databases in Oracle Internet Directory Enterprise Security Manager and Enterprise Security Manager Console Configure enterprise domains and databases in Oracle Internet Directory Create users and manage their passwords Manage i...

Page 76: ...onsole Overview on page 2 22 for details Enterprise users are users who are provisioned and managed centrally in an LDAP compliant directory such as Oracle Internet Directory for database access Enterprise domains are directory constructs that contain databases and enterprise roles the access privileges that are assigned to enterprise users This section discusses the following topics Enterprise Se...

Page 77: ... Directory Delegated Administration Services to provide an administrative GUI Enterprise Security Manager Console and OracleAS Single Sign On server to authenticate administrators when they log in to the console Consequently Oracle Internet Directory and OracleAS Single Sign On server which are part of the Oracle Identity Management infrastructure must be properly installed and configured before E...

Page 78: ...erating system use one of the following options UNIX From ORACLE_HOME bin enter the following at the command line esm Windows Choose Start Programs Oracle HOME_NAME Integrated Management Tools Enterprise Security Manager The directory server login window appears See Also Oracle Internet Directory Administrator s Guide for information about using Oracle Internet Directory Configuration Assistant to...

Page 79: ...ating the Enterprise Security Manager User Interface The Enterprise Security Manager user interface includes two panes a toolbar and various menu items as shown in Figure 2 5 Table 2 7 Enterprise Security Manager Authentication Methods Authentication Method Description Password Authentication Uses simple authentication requiring a distinguished name DN or a known directory user name and password1 ...

Page 80: ...ur directory s identity management realms and the databases enterprise domains and users they contain You can use the navigator pane to view modify add or delete enterprise domains and the objects they contain The navigator pane enables you to Expand and contract identity management realms by clicking the plus and minus symbols adjacent to the realm name in the navigation tree This enables you to ...

Page 81: ...nd user schema mappings For example when you select an enterprise domain in the navigator pane you can add databases to it by using the Databases tabbed window that is shown in Figure 2 6 Table 2 8 Enterprise Security Manager Navigator Pane Folders Folder Description Databases When you expand this folder you see the databases which are registered with this identity management realm Databases are r...

Page 82: ...embership of an Enterprise Domain on page 13 17 for a discussion of configuring enterprise domains by using the Databases tabbed window Tool Bar The toolbar contains two buttons that enable you to access the Enterprise Security Manager online help and to delete directory objects Menus You use Enterprise Security Manager menus to create or remove enterprise domains and to manage objects within the ...

Page 83: ... Console URL Enables you to specify the URL for your installation of Enterprise Security Manager Console See Enterprise Security Manager Console Overview on page 2 22 Exit Exits the Enterprise Security Manager application Table 2 10 Enterprise Security Manager Operations Menu Options Option Description Create Enterprise Domain Creates an enterprise domain in the realm that is selected in the navig...

Page 84: ... Enterprise Security Manager would use the following URL to connect to Enterprise Security Manager Console http machine123 us acme com 7777 After launching the console administrators must log in by using their OracleAS Single Sign On username and password pairs Logging in to Enterprise Security Manager Console If you can use the URL that is constructed by default to access an instance of Enterpris...

Page 85: ...rname and password After providing your OracleAS Single Sign On credentials you are returned to the console home page To change the default Enterprise Security Manager Console URL If you cannot use the default URL to connect to the Enterprise Security Manager Console then you must enter the appropriate URL before you can launch the console 1 In the Enterprise Security Manager main application choo...

Page 86: ...into the Oracle Internet Directory Self Service Console and choose the Configuration tab See Oracle Internet Directory Administrator s Guide for information about logging in and using the Oracle Internet Directory Self Service Console 2 In the Configuration page select the User Entry subtab and click Next until the Configure User Attributes page appears 3 In the Configure User Attributes page clic...

Page 87: ...nterface The Enterprise Security Manager Console user interface is browser based and uses tabbed windows instead of a navigator pane Figure 2 9 shows the layout of the console user interface The tabbed windows can be accessed by selecting one of the tabs at the top of the application or by selecting one of the links in the Tips box on the right You can also access the tabbed windows by selecting o...

Page 88: ...s Tabbed Window This tabbed window contains two subtabs the Users subtab shown in Figure 2 10 and the Groups subtab shown in Figure 2 11 on page 2 28 Figure 2 10 Enterprise Security Manager Console Users Subtab The Users subtab Figure 2 10 enables you to search for users in the directory by using the Search for user field at the top of the page After you locate users that match your search criteri...

Page 89: ...hown in Figure 2 12 on page 2 29 Table 2 12 Enterprise Security Manager Console User Subtab Buttons Button Name Description Go After entering user search criteria in the Search for user field click Go to display users who match your search criteria in the Search Results table This button is always available Create Enables you to create new enterprise users in the directory This button is always av...

Page 90: ...Enterprise User Security Configuration and Management Tools 2 28 Oracle Database Advanced Security Administrator s Guide Figure 2 11 Enterprise Security Manager Console Group Subtab ...

Page 91: ...Enterprise User Security Configuration and Management Tools Configuration and Administration Tools Overview 2 29 Figure 2 12 Enterprise Security Manager Console Edit Group Page ...

Page 92: ...ealm Configuration Tabbed Window Table 2 13 Realm Configuration Tabbed Window Fields Field Description Attribute for Login Name Name of the directory attribute used to store login names Attribute for Kerberos Principal Name Name of the directory attribute used to store Kerberos principal names See also Configuring Enterprise Security Manager Console for Kerberos Authenticated Enterprise Users on p...

Page 93: ... machine1 us acme com esm cmd search U SIMPLE D orcladmin w Y4ilbqve h machine1 us acme com p 3060 dn dc us dc acme dc com objectType user The following table describes each option used in this example Accessing Enterprise Security Manager Command Line Utility Help To view a full list of operations and options you can use with this utility enter the following at the command line esm cmd To view he...

Page 94: ... of Oracle Internet Directory on your network then you must use Oracle Net Configuration Assistant to create an ldap ora file for your Oracle home before you can register a database with the directory Your database uses the ldap ora file to locate the correct Oracle Internet Directory server on your network This configuration file contains the hostname port number and identity management realm inf...

Page 95: ... home Figure 2 14 Opening Page of Oracle Net Configuration Assistant User Migration Utility User Migration Utility is a command line tool that enables you to perform bulk migrations of database users to Oracle Internet Directory where they are stored and managed as enterprise users This tool performs a bulk migration in two phases In See Also Task 5 Optional Configure your Oracle home for director...

Page 96: ...nnections to and from Oracle databases are secure Table 2 14 lists the primary tasks of security administrators the tools used to perform the tasks and links to where the tasks are documented See Also Appendix G Using the User Migration Utility for complete instructions including usage examples for using this tool to migrate database users to a directory and its parameters Table 2 14 Common Securi...

Page 97: ... Obtaining the Initial Ticket with the okinit Utility on page 6 11 Displaying Credentials with the oklist Utility on page 6 12 Removing Credentials from the Cache File with the okdstry Utility on page 6 13 Create a wallet for a database client or server Oracle Wallet Manager Creating a New Wallet on page 8 10 Request a user certificate from a certificate authority CA for SSL authentication Oracle ...

Page 98: ... the directory on page 12 8 Configure password authentication for Enterprise User Security Enterprise Security Manager Oracle Net Manager Configuring Enterprise User Security for Password Authentication on page 12 16 Configure Kerberos authentication for Enterprise User Security Oracle Net Manager Enterprise Security Manager Console Enterprise Security Manager Configuring Enterprise User Security ...

Page 99: ...ial Kerberos ticket when KDC is not part of the operating system such as Kerberos V5 from MIT okinit utility Task 10 Get an Initial Ticket for the Kerberos Oracle User on page 6 11 Migrate large numbers of local or external database users to the directory for Enterprise User Security User Migration Utility Appendix G Using the User Migration Utility Table 2 15 Cont Common Enterprise User Security ...

Page 100: ...Duties of an Enterprise User Security Administrator DBA 2 38 Oracle Database Advanced Security Administrator s Guide ...

Page 101: ...n JDBC connections to the database by using the encryption features of Oracle Advanced Security It contains the following chapters Chapter 3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients Chapter 4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients See Also Oracle operating system specific documentation ...

Page 102: ......

Page 103: ...ced Security It contains the following topics Oracle Advanced Security Encryption Oracle Advanced Security Data Integrity Diffie Hellman Based Key Management How To Configure Data Encryption and Integrity Oracle Advanced Security Encryption This section describes data encryption algorithms available in the current release of Oracle Advanced Security About Encryption Advanced Encryption Standard DE...

Page 104: ...ect sensitive data over a network This encryption algorithm defines three standard key lengths which are 128 bit 192 bit and 256 bit All versions operate in outer Cipher Block Chaining CBC mode DES Algorithm Support Oracle Advanced Security provides the Data Encryption Standard DES algorithm DES has been a U S government standard for many years and is sometimes mandated in the financial services i...

Page 105: ...ive Now in Oracle Advanced Security 10g Release 1 10 1 DES40 DES and 3DES are all available for export DES40 is still supported to provide backward compatibility for international customers RSA RC4 Algorithm for High Speed Encryption The RC4 algorithm developed by RSA Data Security Inc has become the international standard for high speed data encryption RC4 is a variable key length stream cipher t...

Page 106: ...at changes if the data is altered in any way This protection operates independently from the encryption process so you can enable data integrity with or without enabling encryption Diffie Hellman Based Key Management The secrecy of encrypted data depends upon the existence of a secret key shared between the communicating parties A key is a secret exclusively shared by parties on both sides of a co...

Page 107: ... to generate a stronger session key designed to defeat a man in the middle attack How To Configure Data Encryption and Integrity This section describes how to configure Oracle Advanced Security native Oracle Net Services encryption and integrity and presumes the prior installation of Oracle Net Services The network or security administrator sets up the encryption and integrity configuration parame...

Page 108: ... clients and the servers on the network You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms Table 3 2 and either or both of the available integrity algorithms Table 3 3 Only one encryption algorithm and one integrity algorithm are used for each connect session About Negotiating Encryption and Integrity To negotiate whether to turn on encryption or...

Page 109: ...D or REQUESTED If the other side is set to REQUIRED or REQUESTED and an encryption or integrity algorithm match is found the connection continues without error and with the security service enabled If the other side is set to REQUIRED and no algorithm match is found the connection terminates with error message ORA 12650 If the other side is set to REQUESTED and no algorithm match is found or if th...

Page 110: ...ing the Encryption Seed Optional Several seeds are used to generate a random number on the client and on the server One of the seeds that can be used is a user defined encryption seed This is set with Table 3 1 Encryption and Data Integrity Negotiations Client Setting Server Setting Encryption and Data Negotiation REJECTED REJECTED OFF ACCEPTED REJECTED OFF REQUESTED REJECTED OFF REQUIRED REJECTED...

Page 111: ...ettings using Oracle Net Manager This section describes the following topics Configuring Encryption on the Client and the Server Configuring Integrity on the Client and the Server Configuring Encryption on the Client and the Server Use Oracle Net Manager to configure encryption on the client and on the server See Starting Oracle Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security pr...

Page 112: ... Encryption Type list select one of the following REQUESTED REQUIRED ACCEPTED REJECTED 5 Optional In the Encryption Seed field enter between 10 and 70 random characters the encryption seed for the client should not be the same as that for the server 6 Select an encryption algorithm in the Available Methods list Move it to the Selected Methods list by choosing the right arrow Repeat for each additi...

Page 113: ...d rejected requested required SQLNET ENCRYPTION_TYPES_CLIENT valid_encryption_algorithm valid_ encryption_algorithm Valid encryption algorithms and their associated legal values are summarized by Table 3 2 Configuring Integrity on the Client and the Server Use Oracle Net Manager to configure data integrity on the client and on the server See Starting Oracle Net Manager on page 2 2 Table 3 2 Valid ...

Page 114: ...rs Figure 3 2 Figure 3 2 Oracle Advanced Security Integrity Window 2 Choose the Integrity tab 3 Depending upon which system you are configuring choose the Server or Client check box 4 From the Checksum Level list select one of the following checksum level values REQUESTED REQUIRED ACCEPTED REJECTED 5 Select an integrity algorithm in the Available Methods list Move it to the Selected Methods list b...

Page 115: ...entries On the server SQLNET CRYPTO_CHECKSUM_SERVER accepted rejected requested required SQLNET CRYPTO_CHECKSUM_TYPES_SERVER valid_crypto_checksum_algorithm valid_crypto_checksum_algorithm On the client SQLNET CRYPTO_CHECKSUM_CLIENT accepted rejected requested required SQLNET CRYPTO_CHECKSUM_TYPES_CLIENT valid_crypto_checksum_algorithm valid_crypto_checksum_algorithm Valid integrity algorithms and...

Page 116: ...How To Configure Data Encryption and Integrity 3 14 Oracle Database Advanced Security Administrator s Guide ...

Page 117: ...ntation The Java implementation of Oracle Advanced Security provides network encryption and integrity protection for Thin JDBC clients communicating with Oracle Databases that have Oracle Advanced Security enabled This section contains the following topics Java Database Connectivity Support Securing Thin JDBC Implementation Overview Obfuscation Java Database Connectivity Support Java Database Conn...

Page 118: ...pplets used over the Internet Oracle designed a 100 Java implementation of Oracle Advanced Security encryption and integrity algorithms for use with thin clients Oracle Advanced Security provides the following features for Thin JDBC Data encryption Data integrity checking Secure connections from Thin JDBC clients to the Oracle RDBMS Ability for developers to build applets that transmit data over a...

Page 119: ...ption This enables backward and forward compatibility of clients and servers On the client side the algorithm negotiation and key generation occur in exactly the same manner as C based Oracle Advanced Security encryption The client and server negotiate encryption algorithms generate random numbers use Diffie Hellman to exchange session keys and use the Oracle Password Protocol O3LOGON key fold in ...

Page 120: ...ration parameters for the following Client Encryption Level ORACLE NET ENCRYPTION_CLIENT Client Encryption Selected List ORACLE NET ENCRYPTION_TYPES_CLIENT Client Integrity Level ORACLE NET CRYPTO_CHECKSUM_CLIENT Client Integrity Selected List ORACLE NET CRYPTO_CHEKSUM_TYPES_ CLIENT Client Encryption Level ORACLE NET ENCRYPTION_CLIENT This parameter defines the level of security that the client wa...

Page 121: ...r Attributes Attribute Description Parameter Type String Parameter Class Static Permitted Values RC4_256 RC4_128 RC4_56 RC4_40 DES56C DES40C Syntax up put oracle net encryption_types_ client alg Example up put oracle net encryption_types_client DES40C where up is defined as Properties up new Properties Note In this context C refers to CBC Cipher Block Chaining mode Table 4 3 ORACLE NET CRYPTO_CHEC...

Page 122: ... algorithm to be used Table 4 4 describes this parameter s attributes Table 4 4 ORACLE NET CRYPTO_CHEKSUM_TYPES_CLIENT Parameter Attributes Attribute Description Parameter Type String Parameter Class Static Permitted Values MD5 Syntax up put oracle net crypto_checksum_types_ client alg Example up put oracle net crypto_checksum_types_ client MD5 where up is defined as Properties up new Properties ...

Page 123: ...cation Chapter 7 Configuring Secure Sockets Layer Authentication Chapter 8 Using Oracle Wallet Manager Chapter 9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security Chapter 10 Configuring Oracle DCE Integration Note Oracle Advanced Security 10g Release 1 10 1 supports dynamic loading of authentication methods As a consequence you no longer need to specify all possibl...

Page 124: ......

Page 125: ...nt server security protocol widely used to enable remote authentication and access Oracle Advanced Security uses this industry standard in a client server network environment You can enable the network to use any authentication method that supports the RADIUS standard including token cards and smart cards by installing and configuring the RADIUS protocol Moreover when you use RADIUS you can Note S...

Page 126: ...and the Oracle database server Grants the user access to the Oracle database server Logs session information including when how often and for how long the user was connected to the Oracle database server The Oracle RADIUS environment is displayed in Figure 5 1 Figure 5 1 RADIUS in an Oracle Environment The Oracle database server acts as the RADIUS client passing information between the Oracle clie...

Page 127: ...in which synchronous authentication occurs Table 5 1 RADIUS Authentication Components Component Stored Information Oracle client Configuration setting for communicating through RADIUS Oracle database server RADIUS client Configuration settings for passing information between the Oracle client and the RADIUS server The secret key file RADIUS server Authentication and authorization information for a...

Page 128: ...ata from the Oracle client to the RADIUS server 3 The RADIUS server passes the data to the appropriate authentication server such as Smart Card or SecurID ACE for validation 4 The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server 5 The RADIUS server passes this response to the Oracle database server RADIUS client 6 The Oracle database server ...

Page 129: ...tication server RSA ACE Server validates the user it sends an accept packet to the Oracle database server which in turn passes it to the Oracle client The user is now authenticated and able to access the appropriate tables and applications Challenge Response Asynchronous Authentication Mode When the system uses the asynchronous mode the user does not need to enter a user name and password at the S...

Page 130: ...tor s Guide Figure 5 3 Asynchronous Authentication Sequence 1 A user seeks a connection to an Oracle database server The client system passes the data to the Oracle database server Oracle server RADIUS client Client RADIUS Server 1 7 Authentication Server 2 12 3 8 5 4 6 9 10 11 ...

Page 131: ... RADIUS client sends the user s response to the RADIUS server 9 The RADIUS server passes the user s response to the appropriate authentication server for validation 10 The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server 11 The RADIUS server passes the response to the Oracle database server RADIUS client 12 The Oracle database server RADIUS ...

Page 132: ...client by way of the RADIUS server and the Oracle database server The user types that challenge into the token and the token displays a number for the user to send in response The Oracle client then sends the user s response to the authentication server by way of the Oracle database server and the RADIUS server If the user has typed a valid number the authentication server sends an accept packet b...

Page 133: ... Step 3 Configure Additional RADIUS Features Unless otherwise indicated perform these configuration tasks by using Oracle Net Manager or by using any text editor to modify the sqlnet ora file Step 1 Configure RADIUS on the Oracle Client Use Oracle Net Manager to configure RADIUS on the Oracle client See Starting Oracle Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security profile See ...

Page 134: ...selected methods in order of required usage by selecting a method in the Selected Methods list and clicking Promote or Demote to position it in the list For example put RADIUS at the top of the list for it to be the first service used 6 Choose File Save Network Configuration The sqlnet ora file is updated with the following entry SQLNET AUTHENTICATION_SERVICES RADIUS Step 2 Configure RADIUS on the...

Page 135: ...cessible only by the Oracle owner Oracle relies on the file system to keep this file secret Configure RADIUS Parameters on the Server sqlnet ora file Use Oracle Net Manager to configure RADIUS parameters on the server See Starting Oracle Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security profile See Navigating to the Oracle Advanced Security Profile on page 2 3 The Oracle Advanced ...

Page 136: ...r another host name 9 Ensure that the default value of the Secret File field is valid 10 Choose File Save Network Configuration The sqlnet ora file is updated with the following entries SQLNET AUTHENTICATION_SERVICES RADIUS SQLNET RADIUS_AUTHENTICATION RADIUS_server_ hostname IP_address Set Oracle Database Server Initialization Parameters Configure the initialization parameter file located in UNIX...

Page 137: ...se the Other Params tab 3 From the Authentication Service list select RADIUS 4 Change the default setting for any of the following fields Caution Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach because it lets someone using a non secure protocol such as TCP perform an operating system authorized login formerly called an OPS login See Also Oracle Database Reference and the Oracle Dat...

Page 138: ...atform independence Number of Retries Specifies the number of times the Oracle database server resends messages to the primary RADIUS server The default is three retries For instructions on configuring RADIUS accounting see Task 5 Configure RADIUS Accounting on page 5 19 Secret File Specifies the location of the secret key on the Oracle database server The field specifies the location of the secre...

Page 139: ...re1 1 7B 2 Navigate to the Oracle Advanced Security profile in Oracle Net Manager See Navigating to the Oracle Advanced Security Profile on page 2 3 The Oracle Advanced Security Other Params window appears Figure 5 5 3 From the Authentication Service list select RADIUS 4 In the Challenge Response field enter ON to enable challenge response 5 In the Default Keyword field accept the default value of...

Page 140: ... the package name delimited by for Set Parameters for an Alternate RADIUS Server If you are using an alternate RADIUS server set these parameters in the sqlnet ora file using any text editor SQLNET RADIUS_ALTERNATE hostname or ip address of alternate radius server SQLNET RADIUS_ALTERNATE_PORT 1812 SQLNET RADIUS_ALTERNATE_TIMEOUT number of seconds to wait for response SQLNET RADIUS_ALTERNATE_RETRIE...

Page 141: ... RADIUS Authorization optional If you require external RADIUS authorization for RADIUS users who connect to an Oracle database then you must perform the following steps to configure the Oracle server the Oracle client and the RADIUS server To configure the Oracle server RADIUS client 1 Add the OS_ROLE parameter to the init ora file and set this parameter to TRUE as follows OS_ROLE TRUE Then restar...

Page 142: ...t Private Enterprise Code of 111 For example enter the following in the RADIUS server attribute configuration file VALUE VENDOR_SPECIFIC ORACLE 111 3 Using the following syntax add the ORACLE_ROLE attribute to the user profile of the users who will use external RADIUS authorization ORA_databaseSID_rolename _ A D where ORA designates that this role is used for Oracle purposes databaseSID is the Ora...

Page 143: ...ng See Starting Oracle Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security profile See Navigating to the Oracle Advanced Security Profile on page 2 3 The Other Params window appears Figure 5 5 2 From the Authentication Service list select RADIUS 3 In the Send Accounting field enter ON to enable accounting or OFF to disable accounting 4 Choose File Save Network Configuration The sqln...

Page 144: ... This file contains a list of clients which are allowed to make authentication requests and their encryption key The first field is a valid hostname The second field separated by blanks or tabs is the encryption key Client Name Key 2 In the CLIENT NAME column enter the host name or IP address of the host on which the Oracle database server is running In the KEY column type the shared secret The va...

Page 145: ...op and restart the Oracle database server 3 Create each role the RADIUS server is to manage on the Oracle database server with IDENTIFIED EXTERNALLY To configure roles on the RADIUS server refer to Table 5 1 and use the following syntax ORA_DatabaseName DatabaseDomainName_RoleName Example ORA_USERDB US ORACLE COM_MANAGER 4 Configure RADIUS challenge response mode Table 5 2 RADIUS Configuration Par...

Page 146: ... ACE Server Configuration Checklist If you are using an RSA ACE Server as a RADIUS server check the following items before making your initial connection Ensure that the host agent in the RSA ACE Server is set up to send a node secret In version 5 0 this is done by leaving the SENT Node secret box unchecked If the RSA ACE Server fails to send a node secret to the agent then a node verification fai...

Page 147: ...RSA ACE Server Configuration Checklist Configuring RADIUS Authentication 5 23 See Also RSA ACE Server documentation for specific information about troubleshooting ...

Page 148: ...RSA ACE Server Configuration Checklist 5 24 Oracle Database Advanced Security Administrator s Guide ...

Page 149: ...ity for Oracle Database for use with Kerberos authentication and how to configure Kerberos to authenticate Oracle database users This chapter contains the following topics Enabling Kerberos Authentication Utilities for the Kerberos Authentication Adapter Configuring Interoperability with a Windows 2000 Domain Controller KDC Troubleshooting ...

Page 150: ...Task 9 Create an Externally Authenticated Oracle User Task 10 Get an Initial Ticket for the Kerberos Oracle User Task 1 Install Kerberos Install Kerberos on the system that functions as the authentication server Task 2 Configure a Service Principal for an Oracle Database Server To enable the Oracle database server to validate the identity of clients that authenticate themselves using Kerberos you ...

Page 151: ...eros enter the following kadmin local addprinc randkey oracle dbserver someco com SOMECO COM Task 3 Extract a Service Table from Kerberos Extract the service table from Kerberos and copy it to the Oracle database server Kerberos client system For example use the following steps to extract a service table for dbserver someco com Service Principal Field Description kservice A case sensitive string t...

Page 152: ... service table is on the same system as the Kerberos client you can move it If the service table is on a different system from the Kerberos client you must transfer the file with a program such as FTP If using FTP transfer the file in binary mode The following example shows how to move the service table on a UNIX platform mv tmp keytab etc v5srvtab The default name of the service file is etc v5srv...

Page 153: ... the Client and on the Database Server Step 2 Set the Initialization Parameters Step 3 Set sqlnet ora Parameters optional Step 1 Configure Kerberos on the Client and on the Database Server Use Oracle Net Manager to perform the following steps to configure Kerberos authentication service parameters on the client and on the database server See Starting Oracle Net Manager on page 2 2 1 Navigate to th...

Page 154: ...vailable Methods list select KERBEROS5 4 Move KERBEROS5 to the Selected Methods list by clicking the right arrow 5 Arrange the selected methods in order of use To do this select a method in the Selected Methods list then click Promote or Demote to position it in the list For example if you want KERBEROS5 to be the first service used move it to the top of the list 6 Choose the Other Params tab Figu...

Page 155: ...e Oracle Database uses to obtain a Kerberos service ticket When you provide the value for this field the other fields are enabled 9 Optionally enter values for the following fields Credential Cache File Configuration File Realm Translation File Key Table Clock Skew 10 Choose File Save Network Configuration See Also Oracle Net Manager online help and Step 3 Set sqlnet ora Parameters optional on pag...

Page 156: ...e default value of OPS Step 3 Set sqlnet ora Parameters optional In addition to the required parameters you can optionally set the following parameters in the sqlnet ora file on the client and the Oracle database server Caution Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach because it lets someone using a non secure protocol such as TCP perform an operating system authorized login ...

Page 157: ...realms to KDC hosts The default is operating system dependent For UNIX it is krb5 krb conf Example SQLNET KERBEROS5_CONF krb krb conf Parameter SQLNET KERBEROS5_CONF_MIT TRUE FALSE Description This parameter specifies whether the new MIT Kerberos configuration format is used If the value is set to TRUE it will parse the file according to the new configuration format rules When the value is set to ...

Page 158: ...ed Oracle User Run SQL Plus on the Oracle database server to create the Oracle user that corresponds to the Kerberos user In the following example OS_AUTHENT_PREFIX is set to null The Oracle user name is in uppercase enclosed in double quotation marks as shown in the following example SQL CONNECT AS SYSDBA SQL CREATE USER KRBUSER SOMECO COM IDENTIFIED EXTERNALLY SQL GRANT CREATE SESSION TO KRBUSER...

Page 159: ...racle Kerberos authentication adapter These utilities are intended for use on an Oracle client with Oracle Kerberos authentication support installed Use the following utilities for these specified tasks Obtaining the Initial Ticket with the okinit Utility Displaying Credentials with the oklist Utility Removing Credentials from the Cache File with the okdstry Utility Obtaining the Initial Ticket wi...

Page 160: ...s The example requests a ticket granting ticket that has a life time of 2 weeks 1 day 6 hours 20 minutes and 30 seconds c Specify an alternative credential cache For UNIX the default is tmp krb5cc_uid You can also specify the alternate credential cache by using the SQLNET KERBEROS5_CC_NAME parameter in the sqlnet ora file List command line options Table 6 2 Options for the oklist Utility Option De...

Page 161: ...r without using a user name or password Enter a command similar to the following sqlplus net_service_name where net_service_name is an Oracle Net Services service name For example sqlplus oracle_dbname Configuring Interoperability with a Windows 2000 Domain Controller KDC Oracle Advanced Security which complies with MIT Kerberos can interoperate with tickets that are issued by a Kerberos Key Distr...

Page 162: ...must be performed on the Oracle Kerberos client Step 1 Creating Client Kerberos Configuration Files to Use a Windows Domain Controller KDC Create the following Kerberos client configuration files that refer to the Windows 2000 domain controller as the Kerberos KDC In the examples that follow the Windows 2000 domain controller is running on a node named sales3854 us acme com krb conf file For examp...

Page 163: ...er The Windows 2000 domain controller KDC listens on UDP TCP port 88 Ensure that the system file entry for kerberos5 is set to UDP TCP port 88 as follows UNIX Ensure that the kerberos5 entry in the etc services file is set to 88 Task 2 Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client The following steps must be performed on the Windows 2000 domain controller S...

Page 164: ...out C temp v5srvtab This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the support reskit netmgmt security folder 3 Copy the extracted keytab file to the host computer where the Oracle database is installed For example the keytab that was created in the previous step can be copied to krb5 v5svrtab Note Do not create a user as host host...

Page 165: ...eating an Externally Authenticated Oracle User Follow the task information for Task 9 Create an Externally Authenticated Oracle User on page 6 10 to create an externally authenticated Oracle user Ensure that the username is created in all uppercase characters For example ORAKRB SALES US ACME COM Task 4 Getting an Initial Ticket for the Kerberos Oracle User Before a client can connect to the databa...

Page 166: ...orresponds to a service known by Kerberos Check that the clocks on all systems involved are set to times that are within a few minutes of each other or change the SQLNET KERBEROS5_ CLOCKSKEW parameter in the sqlnet ora file If you have a service ticket and you still cannot connect Check the clocks on the client and database server Check that the v5srvtab file exists in the correct location and is ...

Page 167: ...LS protocols which are supported by Oracle Advanced Security It contains the following topics SSL and TLS in an Oracle Environment Public Key Infrastructure in an Oracle Environment SSL Combined with Other Authentication Methods SSL and Firewalls SSL Usage Issues Enabling SSL Troubleshooting SSL Certificate Validation with Certificate Revocation Lists Configuring Your System to Use Hardware Securi...

Page 168: ...t The SSL Handshake Difference between SSL and TLS Although SSL was primarily developed by Netscape Communications Corporation the Internet Engineering Task Force IETF took over development of it with Netscape s blessing and renamed it Transport Layer Security TLS Essentially TLS is an incremental improvement to SSL version 3 0 See Also The TLS Protocol Version 1 0 RFC 2246 at the IETF Web site wh...

Page 169: ... to communicate over SSL You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security For example you can use the encryption provided by SSL in combination with the authentication provided by Kerberos SSL supports any of the following authentication modes Only the server authenticates itself to the client Both client and server au...

Page 170: ...arly if client authentication is required the client sends its own certificate to the server and the server verifies that the client s certificate was signed by a trusted CA The client and server exchange key information using public key cryptography Based on this information each generates a session key All subsequent communications between the client and the server is encrypted and decrypted by ...

Page 171: ... the associated private key The private key is securely stored together with other security credentials in an encrypted container called a wallet Public key algorithms can guarantee the secrecy of a message but they don t necessarily guarantee secure communications because they don t verify the identities of the communicating parties In order to establish secure communications it is important to v...

Page 172: ...nts while others may require that requesters have their certificate request form notarized The CA publishes its own certificate which includes its public key Each network entity has a list of trusted CA certificates Before communicating network entities exchange certificates and check that each other s certificate is signed by one of the CAs on their respective trusted CA certificate lists Network...

Page 173: ...RL CAs periodically publish CRLs to alert the user population when it is no longer acceptable to use a particular public key to verify its associated user identity When servers or clients receive user certificates in an Oracle environment they can validate the certificate by checking its expiration date signature and revocation status Certificate revocation status is checked by validating it again...

Page 174: ...user certificate that matches with the private key Configure trusted certificates Hardware security modules Oracle Advanced Security uses these devices for the following functions Store cryptographic information such as private keys Perform cryptographic operations to off load RSA operations from the server freeing the CPU to respond to other transactions Cryptographic information can be stored on...

Page 175: ...Sockets Layer Authentication 7 9 Note Currently only nCipher devices are certified with Oracle Advanced Security Certificate with other vendors is in progress See Also Configuring Your System to Use Hardware Security Modules on page 7 48 for details configuration details ...

Page 176: ... TCP IP at the transport layer This separation of functionality lets you employ SSL concurrently with other supported protocols How SSL Works with Other Authentication Methods Figure 7 1 illustrates a configuration in which SSL is used in combination with another authentication method supported by Oracle Advanced Security In this example SSL is used to establish the initial handshake server authen...

Page 177: ... use 3 Once the SSL handshake is successfully completed the user seeks access to the database 4 The Oracle database server authenticates the user with the authentication server using a non SSL authentication method such as Kerberos or RADIUS 5 Upon validation by the authentication server the Oracle database server grants access and authorization to the user and then the user can access the databas...

Page 178: ...termines where to route its traffic The database listener requires access to a certificate in order to participate in the SSL handshake The listener inspects the SSL packet and identifies the target database returning the port on which the target database listens to the client This port must be designated as an SSL port The client communicates on this server designated port in all subsequent conne...

Page 179: ...r the following The internal connection between Oracle Connection Manager and the database is not an SSL connection You should encrypt such connections using Oracle Advanced Security native encryption Because such connections do not use SSL clients cannot use certificate based authentication See Also Oracle Net Services Administrator s Guide for information about Oracle Connection Manager ...

Page 180: ...s configuration settings Note U S government regulations prohibit double encryption Accordingly if you configure Oracle Advanced Security to use SSL encryption and another encryption method concurrently the connection fails you also cannot configure SSL authentication concurrently with non SSL authentication If you configure SSL encryption you must disable non SSL encryption To disable such encryp...

Page 181: ...ters except the location of the Oracle wallet To configure SSL on the server perform these steps Step 1 Confirm Wallet Creation on the Server Step 2 Specify the Database Wallet Location on the Server Step 3 Set the SSL Cipher Suites on the Server Optional Step 4 Set the Required SSL Version on the Server Optional Step 5 Set SSL Client Authentication on the Server Optional Step 6 Set SSL as an Auth...

Page 182: ...let Directory box enter the directory in which the Oracle wallet is located or click Browse to find it by searching the file system Note that if you are configuring the database to directory SSL connection for Enterprise User Security then Database Configuration Assistant automatically creates a database wallet while registering the database with the directory You must use that wallet to store the...

Page 183: ...anager to add the cipher suite SSL_RSA_WITH_ RC4_128_SHA all other cipher suites in the default setting are ignored You can prioritize the cipher suites When the client negotiates with servers regarding which cipher suite to use it follows the prioritization you set When you prioritize the cipher suites consider the following Server and client must be configured to use compatible cipher suites for...

Page 184: ...te employing Diffie Hellman anonymous then you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE See Step 5 Set SSL Client Authentication on the Server Optional on page 7 21 Table 7 1 Oracle Advanced Security Cipher Suites Cipher Suites Authentication Encryption Data Integrity SSL_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES EDE CBC SHA 1 SSL_RSA_WITH_RC4_128_SHA RSA RC4 128 SHA 1 SSL_RSA_WITH_RC4_1...

Page 185: ...vigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager and select Configure SSL for Server 2 Click Add A dialog box displays available cipher suites Figure 7 2 Figure 7 2 SSL Cipher Suites Window 3 Select a suite and click OK The Cipher Suite Configuration list is updated Figure 7 3 ...

Page 186: ...HER_SUITES SSL_cipher_suite1 SSL_cipher_suite2 Step 4 Set the Required SSL Version on the Server Optional You can set the SSL_VERSION parameter in the sqlnet ora file This parameter defines the version of SSL that must run on the systems with which the server communicates You can require these systems to use any valid version The default setting for this parameter in sqlnet ora is undetermined whi...

Page 187: ...ATION parameter in the sqlnet ora file controls whether the client is authenticated using SSL The default value is TRUE You must set this parameter to FALSE if you are using a cipher suite that contains Diffie Hellman anonymous authentication DH_anon Also you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non SSL authentication methods suppo...

Page 188: ...ALSE Step 6 Set SSL as an Authentication Service on the Server Optional The SQLNET AUTHENTICATION_SERVICES parameter in the sqlnet ora file sets the SSL authentication service Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security For example use this parameter if you want the server to authenticate itself to...

Page 189: ...poration recommends using port number 2484 for typical Oracle Net clients Task 3 Configure SSL on the Client To configure SSL on the client Step 1 Confirm Client Wallet Creation Step 2 Configure Oracle Net Service Name to Include Server DNs and Use TCP IP with SSL on the Client Step 3 Specify Required Client SSL Configuration Wallet Location Step 4 Set the Client SSL Cipher Suites Optional Step 5 ...

Page 190: ...fy the server s DN and the TCP IP with SSL protocol The tnsnames ora file can be located on the client or in the LDAP directory If it is located on the client then it typically resides in the same directory as the listener ora file Depending on your operating system these files reside in the following directory locations UNIX ORACLE_HOME network admin Windows ORACLE_BASE ORACLE_HOME network admin ...

Page 191: ...lso shows an entry that specifies TCP IP with SSL as the connecting protocol in the tnsnames ora file 3 In the listener ora file enter tcps as the PROTOCOL in the ADDRESS parameter Example 7 2 shows an entry that specifies TCP IP with SSL as the protocol Example 7 1 Sample tnsnames ora File with Server Certificate DN and TCP IP with SSL Specified finance DESCRIPTION ADDRESS_LIST ADDRESS PROTOCOL t...

Page 192: ... Security SSL Window Client 2 Choose the SSL tab 3 Select Configure SSL for Client 4 In the Wallet Directory box enter the directory in which the Oracle wallet is located or click Browse to find it by searching the file system 5 From the Match server X 509 name list choose one of the following options Yes Requires that the server s distinguished name DN match its service name SSL ensures that the ...

Page 193: ...DIRECTORY wallet_location SSL_SERVER_DN_MATCH ON OFF Note This check can be made only when RSA ciphers are selected which is the default setting Note The following alert appears when you select No Security Alert Not enforcing the server X 509 name match allows a server to potentially fake its identity Oracle Corporation recommends selecting YES for this option so that connections are refused when ...

Page 194: ...tization you set When you prioritize the cipher suites consider the following The level of security you want to use For example triple DES encryption is stronger than DES The impact on performance For example triple DES encryption is slower than DES See Configuring Your System to Use Hardware Security Modules on page 7 48 for information about using SSL hardware accelerators with Oracle Advanced S...

Page 195: ...er Suite Configuration region click Add A dialog box displays available cipher suites Figure 7 2 3 Select a suite and click OK The Cipher Suite Configuration list is updated Figure 7 6 Figure 7 6 Oracle Advanced Security SSL Window Client Note If the SSL_CLIENT_AUTHENTICATION parameter is set to true in the sqlnet ora file then disable all cipher suites that use Diffie Hellman anonymous authentica...

Page 196: ...version the server uses To set the required SSL version for the client 1 Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager and select Configure SSL for Client See Figure 7 5 2 In the Require SSL Version list the default setting is Any Accept this default or select the SSL version you want to configure 3 Choose File Save Network Configuration The sqlnet ora file i...

Page 197: ..._ AUTHENTICATION true in the listener ora file then launch SQL Plus and enter the following CONNECT net_service_name If you are not using SSL authentication SSL_CLIENT_AUTHENTICATION false in the listener ora file launch SQL Plus and enter the following CONNECT username password net_service_name Troubleshooting SSL The following section lists the most common errors you may receive while using the ...

Page 198: ...le Oracle Net tracing and attempt the connection again to produce trace output Then contact Oracle customer support with the trace output ORA 28859 SSL Negotiation Failure Cause An error occurred during the negotiation between two processes as part of the SSL protocol This error can occur when two sides of the connection do not support a common cipher suite Action Check the following Use Oracle Ne...

Page 199: ...or because the peer process quit unexpectedly Action Check the following Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match or are compatible Sometimes this error occurs because the SSL version specified on the server and client do not match For example if the server accepts only SSL 3 0 and the client accepts only TLS 1 0 then the SSL connection will fa...

Page 200: ...e s key usage See Table 8 1 KeyUsage Values on page 8 5 ORA 29024 Certificate Validation Failure Cause The certificate sent by the other side could not be validated This may occur if the certificate has expired has been revoked or is invalid for another reason Action Check the following Check the certificate to determine whether it is valid If necessary get a new certificate inform the sender that...

Page 201: ... signer s CA s public key The certificate has not expired The certificate has not been revoked The SSL network layer automatically performs the first three validation checks but you must configure certificate revocation list CRL checking to ensure that certificates have not been revoked CRLs are signed data structures that contain a list of revoked certificates They are usually issued and signed b...

Page 202: ...on for any CRLs Note if you store CRLs on your local file system then you must use the orapki utility to periodically update them See Renaming CRLs with a Hash Value for Certificate Validation on page 7 41 2 Oracle Internet Directory If the server cannot locate the CRL on the local file system and directory connection information has been configured in an ldap ora file then the server searches in ...

Page 203: ...vocation status checking for the client or the server 1 Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager and select either Client or Server for the Configure SSL for field Note For performance reasons only user certificates are checked Oracle recommends that you store CRLs in the directory rather than the local file system Note If you want to store CRLs on your ...

Page 204: ...t see Figure 7 7 REQUIRED Requires certificate revocation status checking The SSL connection is rejected if a certificate is revoked or no CRL is found SSL connections are accepted only if it can be verified that the certificate has not been revoked REQUESTED Performs certificate revocation status checking if a CRL is available The SSL connection is rejected if a certificate is revoked SSL connect...

Page 205: ...nter the path to a comprehensive CRL file where PEM encoded BASE64 CRLs are concatenated in order of preference in one file or click Browse to find it by searching the file system Specifying this file sets the SSL_CRL_ FILE parameter in the sqlnet ora file If this parameter is set then the file must be present in the specified location or else the application will error out during startup 4 Option...

Page 206: ...th a hash value or in a location uploaded to the directory where your system can use them Oracle Advanced Security provides a command line utility orapki that you can use to perform the following tasks Displaying orapki Help Renaming CRLs with a Hash Value for Certificate Validation Uploading CRLs to Oracle Internet Directory Listing CRLs Stored in Oracle Internet Directory Viewing CRLs in Oracle ...

Page 207: ... Certificate Revocation Lists Path field in Oracle Net Manager sets the SSL_CRL_PATH parameter in the sqlnet ora file use the orapki utility to rename CRLs with a hash value that represents the issuer s name Creating the hash value enables the server to load the CRLs On UNIX operating systems orapki creates a symbolic link to the CRL On Windows operating systems it creates a copy of the CRL file I...

Page 208: ...e prior to renaming the CRL Specifying the summary option causes the tool to display the CRL issuer s name Uploading CRLs to Oracle Internet Directory Publishing CRLs in the directory enables CRL validation throughout your enterprise eliminating the need for individual applications to configure their own CRLs All applications can use the CRLs stored in the directory where they can be centrally man...

Page 209: ... Oracle Internet Directory enter the following at the command line orapki crl list ldap hostname ssl_port where the hostname and ssl_port are for the system on which your directory is installed Note that this is the directory SSL port with no authentication as described in the preceding section Viewing CRLs in Oracle Internet Directory You can view specific CRLs that are stored in Oracle Internet ...

Page 210: ...icates it contains issuer CN root C us thisUpdate Sun Nov 16 10 56 58 PST 2003 nextUpdate Mon Sep 30 11 56 58 PDT 2013 revokedCertificates serialNo 153328337133459399575438325845117876415 revocationDate Sun Nov 16 10 56 58 PST 2003 CRL is valid Using the wallet option causes the orapki crl display command to validate the CRL against the CA s certificate Depending on the size of your CRL choosing t...

Page 211: ...sts the location of the deleted CRL in the directory Deleted CRL at cn root cd45860c rN cn CRLValidation cn Validation cn PKI cn Products cn OracleContext Troubleshooting Certificate Validation To determine whether certificates are being validated against CRLs you can enable Oracle Net tracing When a revoked certificate is validated by using CRLs then you will see the following entries in the Orac...

Page 212: ...ificate Revocation List Management on page 7 40 for information about using orapki for CRL management CRL date verification failed with RSA status Cause The current time is later than the time listed in the next update field You should not see this error if CRL DP is used The systems searches for the CRL in the following order 1 File system 2 Oracle Internet Directory 3 CRL DP The first CRL found ...

Page 213: ... not be fetched by using the CRL DP This happens if the certificate does not have a location specified in its CRL DP extension or if the URL specified in the CRL DP extension is incorrect Action Manually download the CRL Then depending on whether you want to store it on your local file system or in Oracle Internet Directory perform the following steps If you want to store the CRL on your local fil...

Page 214: ... if you are using a hardware security module with Oracle Advanced Security 1 Contact your hardware device vendor to obtain the necessary hardware software and PKCS 11 libraries 2 Install the hardware software and libraries where appropriate for the hardware security module you are using 3 Test your hardware security module installation to ensure that it is operating correctly Refer to your device ...

Page 215: ...r Hardware Security Module Supporting nCipher PKCS 11 library for your platform as follows UNIX 32 bit libcknfast so library UNIX 64 bit libcknfast 64 so library Windows cknfast dll library About Installing an nCipher Hardware Security Module To use the secure accelerator you must provide the absolute path to the directory that contains the nCipher PKCS 11 library including the library name when y...

Page 216: ... module is being used then you will see the following entries in the Oracle Net tracing file without error messages logged between entry and exit nzpkcs11_Init entry nzpkcs11CP_ChangeProviders entry nzpkcs11CP_ChangeProviders exit nzpkcs11GPK_GetPrivateKey entry nzpkcs11GPK_GetPrivateKey exit nzpkcs11_Init exit nzpkcs11_Decrypt entry nzpkcs11_Decrypt exit nzpkcs11_Sign entry nzpkcs11_Sign exit Not...

Page 217: ...ed to create the wallet is not present in the hardware security module slot Action Ensure that the smart card that was used when the wallet was created is present in the hardware security module slot ORA 43002 PKCS11 passphrase is wrong Cause This can occur when An incorrect password is specified at wallet creation or The PKCS 11 device password is changed after the wallet is created and not updat...

Page 218: ...les 7 52 Oracle Database Advanced Security Administrator s Guide Note The nCipher log file is in the directory where the module is installed at the following location log logfile See Also nCipher documentation for further information about troubleshooting ...

Page 219: ... infrastructure This chapter describes Oracle Wallet Manager and contains the following topics Oracle Wallet Manager Overview Starting Oracle Wallet Manager How To Create a Complete Wallet Process Overview Managing Wallets Managing Certificates See Also Public Key Infrastructure in an Oracle Environment on page 7 5 which discusses all of the Oracle PKI components Appendix E orapki Utility for info...

Page 220: ... Standards 11 PKCS 11 specification Oracle Wallet Manager can be used to upload wallets to and download them from an LDAP directory Oracle Wallet Manager can also be used to import third party PKCS 12 format wallets and export Oracle wallets to a third party environment Oracle Wallet Manager provides the following features Wallet Password Management Strong Wallet Encryption Microsoft Windows Regis...

Page 221: ...o that user s wallets is effectively precluded Easier Administration Since wallets are associated with specific user profiles no file permissions need to be managed and the wallets stored in the profile are automatically deleted when the user profile is deleted Oracle Wallet Manager can be used to create and manage the wallets in the registry Options Supported Open wallet from the registry Save wa...

Page 222: ...me of wallet creation then all keys stored in that wallet are saved to a hardware security module or token such as smart cards PCMCIA cards smart diskettes or other types of portable hardware devices that store private keys perform cryptographic operations or both Multiple Certificate Support Oracle Wallet Manager enables you to store multiple certificates for each wallet supporting the following ...

Page 223: ...or trusted certificate Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 8 2 and Table 8 3 Table 8 1 KeyUsage Values Value Usage 0 digitalSignature 1 nonRepudiation 2 keyEncipherment 3 dataEncipherment 4 keyAgreement 5 keyCertSign 6 cRLSign 7 encipherOnly 8 decipherOnly Table 8 2 Oracle Wallet Manager Import of User Certificates to an O...

Page 224: ...ate with required key usage found is returned 2 alone or 2 any combination excluding 5 na Accept certificate for SSL or S MIME encryption use 5 alone or any combination including 5 na Accept certificate for CA certificate signing use Any settings not listed previously Yes Not importable No Certificate is importable for SSL or S MIME encryption use 1 If the KeyUsage extension is critical the certif...

Page 225: ...upload and download feature on first use Oracle Wallet Manager downloads a user wallet by using a simple password based connection to the LDAP directory However for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage If an SSL certificate is not present in the wallet password based authentication is used Starting Oracle Wallet Manager T...

Page 226: ...aste the certificate request text into an e mail message or you can export the certificate request to a file See Exporting a User Certificate Request on page 8 25 Note that the certificate request becomes part of your wallet and must remain there until you remove its associated certificate 4 When the CA sends your signed user certificate and its associated trusted certificate then you can import t...

Page 227: ... Creating a New Wallet Opening an Existing Wallet Closing a Wallet Importing Third Party Wallets Exporting Oracle Wallets to Third Party Environments Exporting Oracle Wallets to Tools that Do Not Support PKCS 12 Uploading a Wallet to an LDAP Directory Downloading a Wallet from an LDAP Directory Saving Changes Saving the Open Wallet to a New Location Saving in System Default Deleting the Wallet Cha...

Page 228: ...ur file system To create a standard wallet perform the following tasks 1 Choose Wallet New from the menu bar The New Wallet dialog box appears 2 Follow the Required Guidelines for Creating Wallet Passwords on page 8 9 and enter a password in the Wallet Password field This password protects unauthorized use of your credentials 3 Re enter that password in the Confirm Password field 4 Choose Standard...

Page 229: ...to save the new wallet If you do not have permission to save the wallet in the system default you can save it to another location This location must be used in the SSL configuration for clients and servers A message at the bottom of the window confirms that the wallet was successfully saved Creating a Wallet to Store Hardware Security Module Credentials To create a wallet to store PKCS 11 credenti...

Page 230: ...a Certificate Request on page 8 21 If you choose No you are returned to the Oracle Wallet Manager main window The new wallet you just created appears in the left window pane The certificate has a status of Empty and the wallet displays its default trusted certificates 9 Select Wallet Save In System Default to save the new wallet If you do not have permission to save the wallet in the system defaul...

Page 231: ...a Wallet To close an open wallet in the currently selected directory Choose Wallet Close A message appears at the bottom of the window to confirm that the wallet is closed Importing Third Party Wallets Third party wallets are those where the certificate requests have been generated without using Oracle Wallet Manager Oracle Wallet Manager can import and support the following PKCS 12 format wallets...

Page 232: ... does not support PKCS 12 Individual components are formatted according to the standards listed in Table 8 4 Within the wallet only those certificates with SSL key usage are exported with the wallet To export a wallet to text based PKI format Note Because browsers typically do not export trusted certificates under PKCS 12 other than the signer s own certificate you may need to add trust points to ...

Page 233: ...ently open and contains at least one user certificate To upload a wallet 1 Choose Wallet Upload Into The Directory Service If the currently open wallet has not been saved a dialog box appears with the following message Wallet needs to be saved before uploading Choose Yes to proceed 2 Wallet certificates are checked for SSL key usage Depending on whether a certificate with SSL key usage is found in...

Page 234: ...n working memory It is not saved to the file system unless you expressly save it using any of the Save options described in the following sections To download a wallet from an LDAP directory 1 Choose Wallet Download From The Directory Service 2 A dialog box prompts for the user s distinguished name DN and the LDAP directory password hostname and port information Oracle Wallet Manager uses simple p...

Page 235: ... option 1 Choose Wallet Save As The Select Directory dialog box appears 2 Select a directory location in which to save the wallet 3 Choose OK The following message appears if a wallet already exists in the selected location A wallet already exists in the selected path Do you want to overwrite it Choose Yes to overwrite the existing wallet or No to save the wallet to another location A message at t...

Page 236: ...s saved to the currently selected directory with the new encrypted password Note SSL uses the wallet that is saved in the system default directory location Some Oracle applications are not able to use the wallet if it is not in the system default location Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory locatio...

Page 237: ...bled for the wallet File system permissions provide the necessary security for auto login wallets When auto login is enabled for a wallet it is only available to the operating system user who created that wallet You must enable auto login if you want single sign on access to multiple Oracle databases which is disabled by default Sometimes these are called SSO wallets because they provide single si...

Page 238: ...tes Managing Trusted Certificates Managing User Certificates User certificates can be used by end users smart cards or applications such as Web servers Server certificates are a type of user certificate For example if a CA issues a certificate for a Web server placing its distinguished name DN in the Subject field then the Web server is the certificate owner thus the user for this user certificate...

Page 239: ... create a PKCS 10 certificate request 1 Choose Operations Add Certificate Request The Add Certificate Request dialog box appears 2 Enter the information specified in Table 8 5 3 Choose OK A message informs you that a certificate request was successfully created You can either copy the certificate request text from the body of this dialog panel and paste it into an e mail message to send to a certi...

Page 240: ...on Optional Enter the name of the identity s organization Example XYZ Corp Locality City Optional Enter the name of the locality or city in which the identity resides State Province Optional Enter the full name of the state or province in which the identity resides Enter the full state name because some certificate authorities do not accept two letter abbreviations Country Mandatory Choose to view...

Page 241: ...tificate into the dialog box and choose OK A message at the bottom of the window confirms that the certificate was successfully installed You are returned to the Oracle Wallet Manager main panel and the status of the corresponding entry in the left panel subtree changes to Ready To import a file that contains the user certificate The file containing the user certificate should have been saved in e...

Page 242: ...t To remove a certificate request 1 In the left panel subtree select the certificate request that you want to remove 2 Choose Operations Remove Certificate Request 3 Click Yes The certificate displays a status of Empty Exporting a User Certificate To save the certificate in a file system directory export the certificate by using the following steps 1 In the left panel subtree select the certificat...

Page 243: ...let Manager main window Managing Trusted Certificates Managing trusted certificates includes the following tasks Importing a Trusted Certificate Removing a Trusted Certificate Exporting a Trusted Certificate Exporting All Trusted Certificates Importing a Trusted Certificate You can import a trusted certificate into a wallet in either of two ways paste the trusted certificate from an e mail that yo...

Page 244: ...he path or folder name of the trusted certificate location 3 Select the name of the trusted certificate file for example cert txt 4 Choose OK A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet 5 Choose OK to exit the dialog panel You are returned to the Oracle Wallet Manager main panel and the trusted certificate appears at the ...

Page 245: ...icate dialog box appears 3 Enter a file system directory in which you want to save your trusted certificate or navigate to the directory structure under Folders 4 Enter a file name to save your trusted certificate 5 Choose OK You are returned to the Oracle Wallet Manager main window Exporting All Trusted Certificates To export all of your trusted certificates to another file system location 1 Choo...

Page 246: ...Managing Certificates 8 28 Oracle Database Advanced Security Administrator s Guide ...

Page 247: ...hod and Oracle servers can accept any method specified This chapter contains the following topics Connecting with User Name and Password Disabling Oracle Advanced Security Authentication Configuring Multiple Authentication Methods Configuring Oracle Database for External Authentication Connecting with User Name and Password To connect to an Oracle database server using a user name and password whe...

Page 248: ...ger to disable authentication methods See Starting Oracle Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security profile See Navigating to the Oracle Advanced Security Profile on page 2 3 The Oracle Advanced Security tabbed window appears Figure 9 1 Note You can configure multiple authentication methods including both externally authenticated users and password authenticated users on a...

Page 249: ...vanced Security Authentication Window 2 Choose the Authentication tab 3 Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow 4 Choose File Save Network Configuration The sqlnet ora file is updated with the following entry SQLNET AUTHENTICATION_SERVICES NONE ...

Page 250: ...e Net Manager on page 2 2 1 Navigate to the Oracle Advanced Security profile See Navigating to the Oracle Advanced Security Profile on page 2 3 The Oracle Advanced Security tabbed window appears Figure 9 1 2 Choose the Authentication tab 3 Select a method listed in the Available Methods list 4 Sequentially move selected methods to the Selected Methods list by choosing the right arrow 5 Arrange the...

Page 251: ...pported authentication method SQLNET AUTHENTICATION_SERVICES oracle_authentication_method For example for all clients and servers using Kerberos authentication the sqlnet ora parameter must be set as follows SQLNET AUTHENTICATION_SERVICES KERBEROS5 Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE To verify that REMOVE_OS_AUTHENT is not set to TRUE add the following parameter to the initializati...

Page 252: ...Corporation strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows OS_AUTHENT_PREFIX To create a user launch SQL Plus and enter the following SQL CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY When OS_AUTHENT_PREFIX is set to a null value enter the following to create the user king SQL C...

Page 253: ...e for External Authentication Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security 9 7 See Also Oracle Database Administrator s Guide Oracle Database Heterogeneous Connectivity Administrator s Guide ...

Page 254: ...Configuring Oracle Database for External Authentication 9 8 Oracle Database Advanced Security Administrator s Guide ...

Page 255: ...stributed Computing Environment DCE the Oracle DCE Integration product and how to configure it It contains the following topics Introduction to Oracle DCE Integration Configuring DCE for Oracle DCE Integration Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Connecting to an Oracle Database Server in the DCE Environment Connecting Clients Outside DCE to Oracle Servers...

Page 256: ...applications and tools to access Oracle database servers in a DCE environment System Requirements Oracle DCE Integration requires Oracle Net Services and Oracle Database It is based on the Open Software Foundation OSF DCE protocol V1 1 and later Note that OSF has merged with X OPEN another standards group to form The Open Group This group is committed to continuing DCE support Backward Compatibili...

Page 257: ...rd Data Privacy and Integrity Oracle DCE Integration uses the multiple levels of security that DCE provides to ensure data authenticity privacy and integrity Users have a range of choices from no protection to full encryption for each connection with a guarantee that no data is modified in transit DCE Cell Directory Services Native Naming The DCE Cell Directory Services CDS Native Naming component...

Page 258: ... DCE Global Directory Service GDS Internet Domain Naming Service DNS Flexible DCE Deployment Oracle Advanced Security provides flexibility in your use of DCE services You have the following options You can use full DCE integration in your environment to integrate with all the DCE Secure Core services RPC directory security threads You can use only the DCE directory services by using the DCE CDS Na...

Page 259: ...t cell Task 1 Create New Principals and Accounts Task 2 Install the Key of the Server into a Keytab File Task 3 Configure DCE CDS for Use by Oracle DCE Integration Task 1 Create New Principals and Accounts Use the following procedure model to add server principals dce_login cell_admin password rgy_edit Current site is registry server at cell1 subsys dce sec master rgy_edit do p Domain changed to p...

Page 260: ...uit bye Task 3 Configure DCE CDS for Use by Oracle DCE Integration 1 Create Oracle directories in the CDS namespace by entering the following after installing DCE Integration for the first time in a cell Create directories on all CDS replicas dce_login cell_admin Enter Password password not displayed cdscp Note Perform this task on the server only once after DCE Integration has been installed Do n...

Page 261: ...layed rgy_edit rgy_edit domain group Domain changed to group rgy_edit member subsys dce cds server a oracle rgy_edit exit 3 Load Oracle service names into CDS as described in Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration on page 10 8 Note The directory subsys oracle names contains objects that map Oracle Net service names to connect descriptors which are used by th...

Page 262: ...resses in the listener ora and tnsnames ora configuration files are defined by DCE parameters illustrated in the following ADDRESS PROTOCOL DCE SERVER_PRINCIPAL server_name CELL_NAME cell_name SERVICE dce_service_name These parameters are described by Table 10 1 Table 10 1 DCE Address Parameters and Definitions Component Description PROTOCOL A mandatory field that identifies the DCE RPC protocol S...

Page 263: ...ell name defaults to the local cell useful for single cell environments Optionally the SERVICE parameter described in the following section may specify the complete path including the cell name to the service making this parameter unnecessary SERVICE A mandatory field for both server and client For the server this is the service registered with CDS For the client this is the service name used when...

Page 264: ...der In the following sample the listener is running under principal oracle The following is a sample DCE address as it would appear in the listener ora file LSNR_DCE ADDRESS PROTOCOL DCE SERVER_PRINCIPAL oracle CELL_NAME cell1 SERVICE dce_svc SID_LIST_LSNR_DCE SID_DESC SID_NAME ORASID ORACLE_HOME private oracle9 Task 2 Create and Name Externally Authenticated Accounts To use DCE authentication for...

Page 265: ...lti cell DCE environment in which you let Oracle access across cell boundaries The way you define users depends on whether they are connecting within a single cell or across cell boundaries Local Cell If users are connecting within a local cell use the following format SQL CREATE USER server_principal IDENTIFIED EXTERNALLY SQL GRANT CREATE SESSION TO server_principal For example SQL CREATE USER or...

Page 266: ...col ora configuration file to FALSE dce local_cell_usernames false References to an Oracle account created in this manner must include the schema account in the correct format Consider requests for access to tables from another account When a user references the tables in another account created within a local cell the command might appear as follows SQL SELECT FROM oracle emp If a user wants to a...

Page 267: ...not certified Global Principal ilab1 oracle Cell 001c3f90 01f5 1f72 ba65 02608c2c84f3 ilab1 Principal 00000068 0568 2f72 bd00 02608c2c84f3 oracle Group 0000000c 01f5 2f72 ba01 02608c2c84f3 none Table 10 2 Setting Up External Role Syntax Components Component Definition ORA Designates that this group is used for Oracle purposes GLOBAL_NAME The global name for the database ROLE The name of the role a...

Page 268: ...c8 2fe8 a201 02608c2c84f3 ora_dce222_connect_d 00000087 8a13 2fe8 a201 02608c2c84f3 ora_dce222_resource_d 00000080 f681 2fe1 a201 02608c2c84f3 ora_dce222_role1_ad 5 Connect to the database as usual The following sample output lists external roles DBA CONNECT RESOURCE and ROLE1 that have been mapped to DCE groups SQL SELECT FROM session_roles ROLE CONNECT RESOURCE ROLE1 SQL SET ROLE all Role set SQ...

Page 269: ...rgy_edit add ora_dce222_dba_ad rgy_edit add ora_dce222_operator_ad rgy_edit member ora_dce222_dba_ad a oracle rgy_edit member ora_dce222_operator_ad a oracle 2 Add the GLOBAL_NAME parameter to the DCE address or TNS service name in the local configuration file tnsnames ora ORADCE ADDRESS PROTOCOL DCE SERVER_PRINCIPAL oracle CELL_NAME cell1 SERVICE dce_svc CONNECT_DATA SID ORASID GLOBAL_NAME dce222...

Page 270: ...acle com dce dlsun685 us oracle com valid 1999 12 04 00 28 22 to 1999 12 04 10 28 22 Server dce rgy dce dlsun685 us oracle com valid 1999 12 04 00 28 22 to 1999 12 04 10 28 22 Server dce ptgt dce dlsun685 us oracle com valid 1999 12 04 00 28 26 to 1999 12 04 02 28 26 Client dce ptgt dce dlsun685 us oracle com Server krbtgt dce dlsun685 us o racle com dce dlsun685 us oracle com valid 1999 12 04 00 ...

Page 271: ...ce_secret DCE PROTECTION pkt_integ DCE TNS_ADDRESS_OID 1 3 22 1 5 1 DCE LOCAL_CELL_USERNAMES TRUE Configuration parameters are not case sensitive you can enter them in either uppercase or lowercase DCE AUTHENTICATION The DCE AUTHENTICATION parameter is optional It indicates the authentication value to be used for each DCE RPC The client DCE_AUTHENTICATION value must be the same as the server DCE_A...

Page 272: ...king connections across cells with unique names The default for DCE LOCAL_CELL_USERNAMES is now TRUE it was set to FALSE in the DCE Integration 2 1 6 release The associated options follow Option Description NONE Perform no protection for the current connection DEFAULT Use the default cell wide protection level CONNECT Perform protection only when the client establishes a relationship with the serv...

Page 273: ...olution the DCE Integration CDS Naming Adapter must be installed on all clients and servers that use CDS Also the CDS namespace must have been configured for use by DCE Integration Option Description TRUE The default value Select TRUE if using just the SERVER_ PRINCIPAL format without the CELL_NAME An example of a user specified in this format is as follows oracle TRUE is an appropriate option if ...

Page 274: ..._Address to the CDS attributes file The object ID must be the same across all machines 1 Add a line in the following format to the opt dcelocal etc cds_ attributes file 1 3 22 1 5 1 TNS_Address char The first four digits of this TNS_Address attribute value 1 3 22 1 x y are fixed under DCE naming conventions If the default TNS_Address object ID value 1 3 22 1 5 1 already exists in the cds_attribute...

Page 275: ... connect descriptors of destinations or endpoints in the network The sample DCE address in the following section shows a network address for an Oracle server with the Oracle service name ORADCE It is used to connect to the service registered as DCE_SVC in the CDS directory cell_name subsys oracle names ORADCE DESCRIPTION ADDRESS PROTOCOL DCE SERVER_PRINCIPAL oracle CELL_ NAME cell1 SERVICE DCE_SVC...

Page 276: ...h name of the tnsnames ora file and ensure that the sqlnet ora file exists in the same directory as the tnsnames ora file Step 5 Delete or Rename the tnsnames ora File You can keep tnsnames ora available as a backup in case CDS becomes unavailable To assure that CDS is routinely searched instead of tnsnames ora configure the NAMES DIRECTORY_PATH parameter in a profile sqlnet ora as described by St...

Page 277: ...s how to connect to an Oracle database after installing Oracle DCE Integration and configuring both DCE and Oracle to use Oracle DCE Integration in the following topics Starting the Listener Connecting to an Oracle Database by Using DCE Authentication for Single Sign On Connecting to an Oracle Database by Using Password Authentication Starting the Listener To start the listener do the following 1 ...

Page 278: ...01 443343100 aa 00 04 00 3e 8c CDS_Class RPC_Server CDS_ClassVersion 1 0 CDS_Towers Tower ncacn_ip_tcp 144 25 23 57 Connecting to an Oracle Database by Using DCE Authentication for Single Sign On After externally identified accounts have been set up you can take advantage of DCE authentication to log in to Oracle without providing any username or password information To use this single sign on cap...

Page 279: ... server non DCE clients can use normal Oracle Database and Oracle Net Services procedures to connect to an Oracle server in DCE The following section contains these topics which include samples of listener ora and tnsnames ora files as they would be configured if a client from outside of DCE wanted to connect to Oracle database servers in a DCE environment Sample Parameter Files Using tnsnames ora...

Page 280: ...s and to indent if you must continue an element on the next line This example assumes the UNIX operating system and the TCP IP protocol for one listener and the DCE protocol for another listener A single listener can have multiple addresses For example instead of having two separate listeners for different database instances on a server node you could have one listener for both listening on both T...

Page 281: ...ENER usr prod Oracle Database network log LOG_FILE_LISTENER listener log The tnsnames ora File This file resides on both the client and the server nodes It lists the service names and addresses of all services on the network The following sample tnsnames ora file maps the service name ORATCP to the connect descriptor that includes a TCP IP address and the service name ORADCE to a connect descripto...

Page 282: ...ssible SQL Net Release 2 2 and Earlier To use the tnsnames ora file for name lookup and resolution remove or comment out the native name parameters from the sqlnet ora file on the client To comment out the lines add a pound sign at the beginning of each line For example native_names use_native true native_names directory_path dce SQL Net Release 2 3 and Oracle Net Services You can use tnsnames ora...

Page 283: ...in a client server environment It contains the following chapters which describe how to set up enterprise user security in an Oracle distributed database environment Chapter 11 Getting Started with Enterprise User Security Chapter 12 Enterprise User Security Configuration Tasks and Troubleshooting Chapter 13 Administering Enterprise User Security ...

Page 284: ......

Page 285: ...and administer large numbers of users in a secure LDAP compliant directory service The following topics in this chapter explain what Enterprise User Security is and how it works Introduction to Enterprise User Security About Using Shared Schemas for Enterprise User Security About Using Current User Database Links for Enterprise User Security Enterprise User Security Deployment Considerations ...

Page 286: ...ds of users accessing database accounts administrators must devote substantial resources to user administration Common information used by multiple applications such as usernames telephone numbers and system roles and privileges is typically fragmented across the enterprise contributing to data that is redundant inconsistent and difficult to manage In addition to user and account management proble...

Page 287: ...iant directory service Identity management is the process by which the complete security life cycle for network entities is managed in an organization It typically refers to the management of an organization s application users where steps in the security life cycle include account creation suspension privilege modification and account deletion Figure 11 1 shows how Enterprise User Security fits i...

Page 288: ...nt of Oracle Identity Management infrastructure Third Party Applications Authorization Auditing External Security Services Directory Services Access Management Provisioning Services Oracle Identity Management Infrastructure OracleAS Certificate Authority OracleAS Single Sign On Oracle Directory Integration Service Oracle Delegated Administration Services Oracle Internet Directory Oracle E Business...

Page 289: ...base Users About Enterprise User Schemas How Enterprise Users Access Database Resources with Database Links How Enterprise Users Are Authenticated How Oracle Internet Directory Implements Identity Management Oracle Internet Directory uses the concept of identity management realms to organize information in the directory information tree DIT which is a hierarchical tree like structure consisting of...

Page 290: ... to the particular identity management realm in which the realm Oracle Context is located Enterprise Users Compared to Database Users Database users are typically defined in the database by using the CREATE USER statement as follows CREATE USER username IDENTIFIED BY password This creates a database user associated with a user schema who can access the database and be authenticated by using a pass...

Page 291: ...s CREATE USER username IDENTIFIED GLOBALLY AS When you specify a null string with the AS clause the directory maps authenticated users to the appropriate database schema In this case multiple users can be mapped to a shared schema based on the mapping information set up and stored in Oracle Internet Directory When enterprise users connect over SSL to the database they do not use a password Instead...

Page 292: ...prise user solution Shared Schema Enterprise Users To receive the real benefit of the enterprise user solution you can use shared schemas for your enterprise users For this strategy Create enterprise users in the directory Create a single shared schema in each database and Create a single shared schema mapping in Oracle Internet Directory Mapping enterprise users to a generic shared schema on each...

Page 293: ...n in the link definition They require SSL for the database network connections which means public key infrastructure PKI credentials must be obtained and maintained for the databases Current user database links can be used to connect to the remote database only as an enterprise user How Enterprise Users Are Authenticated Enterprise User Security supports the following authentication methods Passwo...

Page 294: ...ompatible with either a two tier or multitier environment Compatible with either a two tier or multitier environment Supports Oracle Release 7 3 and later clients with an Oracle Database 10g Supports Oracle8i and later clients with an Oracle Database 10g Supports Oracle Database 10g clients and later with an Oracle Database 10g Supports current user database links only if the connection between da...

Page 295: ... in a directory Each enterprise user has a unique identity across an enterprise Enterprise user entries can reside at any location within the identity management realm except within the realm Oracle Context Note Enterprise User Security supports three tier environments Oracle Database 10g proxy authentication features enable i proxy of user names and passwords through multiple tiers and ii proxy o...

Page 296: ...f an enterprise role called Manager under the OracleDefaultDomain An enterprise role can consist of one or many global roles each one of which is defined in a specific database A global role includes privileges contained in a database but the global role is managed in a directory An enterprise role is thus a container of global roles For example the enterprise role sales_manager could contain the ...

Page 297: ...Enterprise Roles Acme Widgets Enterprise Domain Oracle Context Finance Database bonus_approval global role CRM Database sales_manager Enterprise Role manage_leads global role bonus_approval global role manage_leads global role Registered as members of Registered as members of Eastern Region Identity Management Realm ...

Page 298: ... realm It is here at the enterprise domain level that the Enterprise Domain Administrator using Enterprise Security Manager assigns enterprise roles to users and manages enterprise security An enterprise domain subtree in a directory is composed of three types of entries enterprise role entries user schema mappings and the enterprise domain administrator s group for that domain Enterprise domains ...

Page 299: ...apping information between full or partial user DNs and Oracle shared schema names user schema mappings Database level mapping entries are created by the Database Administrator by using Enterprise Security Manager This tool is also used to manage the database administrator s group which contains administrators for a specific database The directory entry for this group is located under the database...

Page 300: ...apply only to one database or they can apply to all databases in a domain depending on where they reside in the realm Oracle Context Groups OracleDBCreators OracleContextAdmins OracleDBSecurityAdmins OracleUserSecurityAdmins OraclePasswordAccessibleDomains Networking Sales Example Database Products OracleDBSecurity User Search Base Group Search Base OracleDBAdmins Group User Schema Mapping Example...

Page 301: ...t member of each of these groups thus gaining the associated privileges provided by each group but can be removed The relevant administrative groups in a realm are described in Table 11 2 on page 11 18 See Also How Enterprise Users Are Mapped to Schemas on page 11 20 Managing Enterprise Domain Database Schema Mappings on page 13 20 Note Observe the following practices Using other methods may break...

Page 302: ...se Security Manager DN cn OracleDBSecurityAdmins cn OracleContext Default owner All group members During default realm Oracle Context creation Oracle Internet Directory Configuration Assistant sets up the following access rights permissions for these group members All privileges in the OracleDBSecurity subtree Modify privileges for membership in this group OracleDBSecurityAdmins have permissions o...

Page 303: ...ration costs by reducing the number of user accounts on databases It means that you do not need to create an account for each user user schema in addition to creating the user in the directory Instead you can create a user in the enterprise directory and map that user to a shared schema which other enterprise users can also be mapped to For example if Tom Dick and Harriet all access both the Sales...

Page 304: ...amed MANAGER The administrator then assigns the HR database global role of HRMANAGER to the enterprise role MANAGER 3 The administrator assigns enterprise roles to enterprise users in the directory For example the administrator assigns the enterprise role MANAGER to Harriet 4 The administrator uses Enterprise Security Manager to map the user Harriet in the directory to the shared schema EMPLOYEE o...

Page 305: ...he subtree that these users share can be mapped to a shared schema on a database For example you can map all enterprise users in the subtree for the engineering division to one shared schema BUG_APP_USER on the bug database Note that the root of the subtree is not mapped to the specified schema When an enterprise user connects to a database the database retrieves a DN for the user either from the ...

Page 306: ...ccess Continuing this example assume that the enterprise role MANAGER contains the global roles ANALYST on the HR database and USER on the Payroll database When Harriet who has the enterprise role MANAGER connects to the HR database she uses the schema EMPLOYEE on that database Her privileges on the HR database are determined by The global role ANALYST Any local roles and privileges associated wit...

Page 307: ...ent user database link to connect to the schema Scott Scott must be a global schema created as IDENTIFIED GLOBALLY in both databases Harriet however can be a user identified in one of three ways By a password GLOBALLY EXTERNALLY To create Scott as a global user in the first database Finance you must enter CREATE USER Scott IDENTIFIED GLOBALLY as CN Scott O nmt so that Scott has an exclusive schema...

Page 308: ...pport RADIUS authentication over database links See Also What is Meant by Trusted Databases on page 11 26 Oracle Database Heterogeneous Connectivity Administrator s Guide for additional information about current user database links Oracle Database SQL Reference for more information about SQL syntax PL SQL Packages and Types Reference for information about the PL SQL package DBMS_DISTRIBUTED_TRUST_...

Page 309: ...gement the administrator can delete a user in one place to revoke all global privileges minimizing the risk of retaining unintended privileges Centralizing management makes it possible to centralize an organization s security expertise Specialized security aware administrators can manage all aspects of enterprise user security including directory security user roles and privileges and database acc...

Page 310: ...et Directory Oracle tools help set up ACLs in the directory to protect these password verifiers during identity management realm creation The approach that Oracle recommends is intended to balance security and usability considerations If you require maximum security and can set up wallets for all users you should require only SSL connections from users to databases This SSL only approach circumven...

Page 311: ...efaultDomain is a member of the OraclePasswordAccessibleDomains group It can be removed if desired Considerations for Defining Database Membership in Enterprise Domains Consider the following criteria when defining the database membership of a domain Current user database links operate only between databases within a single enterprise domain Use of these links requires mutual trust between these d...

Page 312: ...h this configuration is supported it does not provide consistent security for connections Ideally the database directory connection should be at least as secure as that between users and databases Typical Configurations The following combinations of authentication types between clients databases and directories are typical Password authentication for all connections with no need for current user d...

Page 313: ...prise User Security Configuration Roadmap Preparing the Directory for Enterprise User Security Configuring Enterprise User Security Objects in the Database and the Directory Configuring Enterprise User Security for Password Authentication Configuring Enterprise User Security for Kerberos Authentication Configuring Enterprise User Security for SSL Authentication Enabling Current User Database Links...

Page 314: ...tory connections Passwords for both connections SSL for both connections Kerberos for client database connections and passwords for database directory connections Primarily your network environment whether all clients databases and directories reside within the same network behind a firewall or are distributed across several networks and perhaps exposed to the Internet determines what authenticati...

Page 315: ...s authenticated ESM Set the Attribute for Kerberos Principal Name in the IM realm and the principal names for the users in the user entries in OID ESM Put the domain into the password accessible domains group OWM Netmgr Set up user and DB wallets and configure SSL for client and DB OWM ODM Set up OID wallet and configure SSL for OID ESM Set DB OID authentication type for the IM Realm DBCA Register...

Page 316: ...s in the Database and the Directory on page 12 11 3 Complete your Enterprise User Security configuration by performing the steps necessary for your authentication method Configuring Enterprise User Security for Password Authentication on page 12 16 Configuring Enterprise User Security for Kerberos Authentication on page 12 18 Abbreviation Meaning DBCA Database Configuration Assistant ESM Enterpris...

Page 317: ... management realm Task 5 Optional Configure your Oracle home for directory usage Task 6 Register the database in the directory Task 1 Optional Create an identity management realm in the directory If necessary use Oracle Internet Directory Self Service Console Delegated Administration Service to create an identity management realm in the directory You can also use this tool to upgrade an Oracle9i O...

Page 318: ...ot want to use this default setting then use Enterprise Security Manager to change it For example if you are using a public key infrastructure PKI then you would need to set this to SSL See Setting the Default Database to Directory Authentication Type for an Identity Management Realm on page 13 6 Note By default in a version 9 0 4 identity management realm the user search base is set to cn Users c...

Page 319: ...t realm so the database can connect to the directory See Starting Oracle Net Configuration Assistant on page 2 32 To create an ldap ora file for your Oracle home 1 In the Oracle Net Configuration Assistant welcome page choose Directory Service Usage Configuration and click Next 2 Select one of the options on the Directory Usage Configuration page that is appropriate for your environment Then follo...

Page 320: ...atabase attempts authentication to the directory The allowable settings are NONE PASSWORD or SSL The default setting is PASSWORD Creates a database wallet containing the database DN in the form cn short_ database_name cn OracleContext realm_DN where short_ database_name is the first part of the fully qualified domain name for a database For example if you have a database named db1 us oracle com th...

Page 321: ... 1 See Starting Database Configuration Assistant on page 2 14 to start this tool 2 After starting Database Configuration Assistant select Configure database options in a database and choose Next 3 Select a database and choose Next 4 Choose Yes Register the Database Enter the directory credentials for a user in the OracleDBCreators group 5 Enter a password for the database wallet 6 Choose Finish if...

Page 322: ...quires the wallet even if no SSL Secure Sockets Layer is used to secure the connection between the database and the directory If SSL is used then this wallet should be used to store the database s digital PKI certificate The wallet password you enter when using Database Configuration Assistant to register a database in the directory is the password to the wallet itself and is not the database s di...

Page 323: ...ion assume the following recommended setup You have prepared your database and your directory by completing the tasks described in Preparing the Directory for Enterprise User Security on page 12 5 Your users are stored in an identity management realm Users subtree You use the OracleDefaultDomain which is the default enterprise domain that Database Configuration Assistant uses when you register dat...

Page 324: ...enterprise users The following syntax example creates a shared schema named guest SQL CREATE USER guest IDENTIFIED GLOBALLY AS If you do not want to use a shared schema then specify a user DN between the single quotation marks to create an exclusive schema 2 Grant the CREATE SESSION privilege to the shared schema created in Step 1 so users can connect to it The following syntax example grants the ...

Page 325: ...ect ON products TO custrole emprole Task 2 Configure User Schema Mappings for the Enterprise Domain Use Enterprise Security Manager see Starting Enterprise Security Manager on page 2 16 to configure user schema mappings for the OracleDefaultDomain by using the following steps 1 Select the OracleDefaultDomain in the navigator pane 2 Choose the Database Schema Mapping tabbed window and click Add 3 I...

Page 326: ... to add the global database roles that you created in Task 1 on page 12 12 to the enterprise roles that you created in Task 3 by using the following steps 1 Select the enterprise role name in the navigator pane 2 Choose the Database Global Roles tabbed window and click Add 3 In the Add Global Database Roles dialog box select the database from which to obtain global roles A database logon window ap...

Page 327: ...ty management realm 2 Select the Users tab adjacent to the main application window and click Add 3 In the Add Enterprise Users dialog box top panel select a directory entry as a user search base or edit the Selection field to manually define the user search base 4 In the middle Search Criteria panel check Include Subtrees to enable searching for all users within the search including subtrees 5 Ent...

Page 328: ...ticated by passwords then you must configure that as described in the following tasks The configuration steps in this section assume the following You have prepared your directory by completing the tasks described in Preparing the Directory for Enterprise User Security on page 12 5 You have configured your Enterprise User Security objects in the database and the directory by completing the tasks d...

Page 329: ...thods listed 3 Click Apply 4 Select the identity management realm in the navigator pane 5 Choose the Accessible Domains tabbed window and click Add 6 In the Add Accessible Enterprise Domains dialog box select the OracleDefaultDomain from the list of enterprise domains and click OK The OracleDefaultDomain is added to the password accessible domains list For more information about this task see Mana...

Page 330: ...A Errors for Password Authenticated Enterprise Users on page 12 26 If you do connect successfully then check that the appropriate global roles were retrieved from the directory by entering the following at the SQL Plus prompt select from session_roles If the global roles were not retrieved from the directory then see NO GLOBAL ROLES Checklist on page 12 33 You have completed password authenticated...

Page 331: ...tory Attribute for the Identity Management Realm Task 3 Specify the Enterprise User s Kerberos Principal Name in the krbPrincipalName Attribute Task 4 Optional Enable the Enterprise Domain to Accept Kerberos Authentication Task 5 Connect as a Kerberos Authenticated Enterprise User Task 1 Configure the Enterprise Security Manager Console to display the Kerberos principal name attribute Use Oracle I...

Page 332: ...authentication for your enterprise domain by using the following steps 1 Select the enterprise domain in the navigator pane 2 Choose the Databases tabbed window and select Kerberos or All Types from the User Authentication methods listed 3 Click Apply For more information about this task see Managing Database Security Options for an Enterprise Domain on page 13 19 Task 5 Connect as a Kerberos Auth...

Page 333: ...ully then check that the appropriate global roles were retrieved from the directory by entering the following at the SQL Plus prompt select from session_roles If the global roles were not retrieved from the directory then see NO GLOBAL ROLES Checklist on page 12 33 You have completed Kerberos authenticated Enterprise User Security configuration Configuring Enterprise User Security for SSL Authenti...

Page 334: ...with two way authentication for Oracle Internet Directory as described in Oracle Internet Directory Administrator s Guide You have prepared your directory by completing the tasks described in Preparing the Directory for Enterprise User Security on page 12 5 You have configured your Enterprise User Security objects in the database and the directory by completing the tasks described in Configuring E...

Page 335: ... ora file If the client sqlnet ora file contains a wallet location then multiple users cannot share that file Only the server sqlnet ora file must have a value for the wallet location parameter To connect as an SSL authentication enterprise user perform the following steps 1 Use Oracle Wallet Manager to download a user wallet from the directory See Downloading a Wallet from an LDAP Directory on pa...

Page 336: ...ng at the SQL Plus prompt select from session_roles If the global roles were not retrieved from the directory then see NO GLOBAL ROLES Checklist on page 12 33 You have completed SSL authenticated Enterprise User Security configuration Viewing the Database DN in the Wallet and in the Directory For SSL authenticated Enterprise User Security to work the database DNs in the database wallet the databas...

Page 337: ...ase links require SSL enabled network connections between the databases Before you can enable current user database links you must enable SSL create Oracle wallets and obtain PKI credentials for all databases involved Then use Enterprise Security Manager to enable current user database links between databases within the enterprise domain in the directory by using the following steps 1 Select the e...

Page 338: ...lid username password login denied Action See USER SCHEMA ERROR Checklist on page 12 34 ORA 28030 Problem accessing LDAP directory service Cause Indicates a problem with the connection between the database and the directory Action Check the following 1 Check that there is a correct wallet_location value in the database s sqlnet ora file If not then use Oracle Net Manager to enter one 2 If Domain N...

Page 339: ...rd returned from mkstore in the following ldapbind ldapbind h directory host p non SSL directory port D database DN w password returned by mkstore 8 Check to ensure the database belongs to only one enterprise domain ORA 28271 No permission to read user entry in LDAP directory service Action Check the following 1 Use Enterprise Security Manager to check that a user search base containing this user ...

Page 340: ...empted user database login is the value for that attribute in the user directory entry 4 If you have an exclusive schema for the global user in the database then check that the DN in the database matches the DN of the user entry in Oracle Internet Directory ORA 28274 No ORACLE password attribute corresponding to user login name exists Action Check the following 1 Check that the user entry in the d...

Page 341: ...e database connection Action Use Enterprise Security Manager Console to make the login name value unique no two users share the same login name within all user search bases associated with the realm Oracle Context ORA 28277 LDAP search while authenticating global user with passwords failed Action Check that the relevant directory instance is up and running ORA 28278 No domain policy registered for...

Page 342: ... set the user authentication policy for this enterprise domain to KERBEROS or ALL 2 See DOMAIN READ ERROR Checklist on page 12 35 ORA 28290 Multiple entries found for the same Kerberos principal name Cause The Kerberos principal name for this user is not unique within the user search base containing this user Action Use Oracle Internet Directory Self Service Console to change the Kerberos principa...

Page 343: ...ted in the identity management realm that you are using 3 Check that the user entry in the directory contains the correct Kerberos principal name by using the following steps Use Enterprise Security Manager Console to find the Kerberos principal name attribute that is configured for the directory in your realm and Check that the correct Kerberos principal name appears in that attribute in the user...

Page 344: ...USER SCHEMA ERROR Checklist on page 12 34 ORA 28030 Problem accessing LDAP directory service Cause Indicates a problem with the connection between the database and the directory Action Check the following 1 Check that there is a correct wallet_location value in the database s sqlnet ora file If not then use Oracle Net Manager to enter one 2 If Domain Name System DNS server discovery of Oracle Inte...

Page 345: ...database can bind to Oracle Internet Directory by using its wallet with the following ldapbind ldapbind h directory_host p directory_SSLport U 3 W file database wallet_location P wallet_password 8 Check to ensure the database belongs to only one enterprise domain ORA 28301 Domain policy has not been registered for SSL authentication Action Use Enterprise Security Manager to set the user authentica...

Page 346: ...If this is an SSL authenticated enterprise user then ensure that the correct user wallet is being used by checking the following There is no WALLET_LOCATION parameter value in the client sqlnet ora file and The TNS_ADMIN parameter is set properly so that the correct sqlnet ora file is being used 2 Check that the schema was created in the database as a global user by using the following syntax CREA...

Page 347: ...ects to the directory over SSL then use ldapsearch h directory_host p directory_SSLport U 3 W file database_wallet_path P wallet_password b database_ DN objectclass where wallet_password is the password to the wallet which enables you to open or change the wallet If the database connects to the directory by using password authentication then use ldapsearch h directory_host p directory_port D datab...

Page 348: ... realm_DN objectclass orclDBEnterpriseDomain where database_directory_password is the password in the database wallet which is the database s password to Oracle Internet Directory This ldapsearch should return exactly one enterprise domain If no domain is returned and Enterprise Security Manager shows the database as a member of a domain then restart the database Restarting the database updates th...

Page 349: ...ssword is the password in the database wallet which is the database s password to Oracle Internet Directory This ldapsearch should return all of the enterprise roles that you have created for this domain If it does not then use Enterprise Security Manager to create enterprise roles and mappings 4 Use Enterprise Security Manager to set or reset the user authentication policy for the relevant enterp...

Page 350: ...Troubleshooting Enterprise User Security 12 38 Oracle Database Advanced Security Administrator s Guide ...

Page 351: ... Enterprise Security Manager to administer Enterprise User Security in Oracle Databases This chapter contains the following topics Enterprise User Security Administration Tools Overview Administering Identity Management Realms Administering Enterprise Users Administering Enterprise Domains Administering Enterprise Roles ...

Page 352: ...tools are introduced in Chapter 2 Configuration and Administration Tools Overview where you can find information about starting each tool and navigating its interface In particular refer to the following topics to get started using Enterprise User Security administration tools Tool Introductory Topics Enterprise Security Manager Enterprise Security Manager and Enterprise Security Manager Console o...

Page 353: ...nt realm properties that pertain to Enterprise User Security It contains the following topics Identity Management Realm Versions Setting Properties of an Identity Management Realm Setting Login Name Kerberos Principal Name User Search Base and Group Search Base Identity Management Realm Attributes Setting the Default Database to Directory Authentication Type for an Identity Management Realm Managi...

Page 354: ...ecurity directory entries in a version 9 0 4 identity management realm by using Enterprise Security Manager for Oracle Database 10g Enterprise Security Manager displays all existing version 9 0 4 identity management realms in its main application tree Note Enterprise User Security did not require identity management realms in Oracle8i nor in Oracle9i In those previous releases only an Oracle Conte...

Page 355: ... Table 13 1 Identity Management Realm Properties Property Description Attribute for Login Name Name of the directory attribute used to store login names By default login names are stored in the uid attribute but can be changed to correspond to your directory configuration In prior releases this was the cn attribute Attribute for Kerberos Principal Name Name of the directory attribute used to store...

Page 356: ...authentication type enters a value for the LDAP_DIRECTORY_ACCESS initialization parameter This parameter is set on individual databases when they are registered in Oracle Internet Directory To set the default database to directory authentication type for an identity management realm 1 Select the identity management realm in the left navigator pane 2 Choose the General tab in the right main window ...

Page 357: ...ct the administrative group you wish to edit and click Edit 5 In the Edit Group window enter group information into the appropriate fields You can change group owners add users to or remove them from groups and view group membership 6 Click Submit to save your changes to the directory Table 13 2 Enterprise User Security Identity Management Realm Administrators Administrative Group Definition Oracl...

Page 358: ...of the main application tree It lets you manage enterprise users and data that is relevant to Enterprise User Security in the identity management This section describes how to use Enterprise Security Manager to administer enterprise users It contains the following topics Creating New Enterprise Users Setting Enterprise User Passwords Defining an Initial Enterprise Role Assignment Browsing Users in...

Page 359: ...ole from the Operations menu The Enterprise Security Manager Console home page appears Figure 13 1 Log in with your OracleAS Single Sign On username and password Figure 13 1 Enterprise Security Manager Console Home Page Note Before creating new enterprise users you must define the user search base in the directory See Setting Login Name Kerberos Principal Name User Search Base and Group Search Bas...

Page 360: ...edentials and the krbPrincipalName attribute is not there then see Configuring Enterprise Security Manager Console for Kerberos Authenticated Enterprise Users on page 2 24 for information about how to configure this 5 Enter the appropriate user information in the Create User window and click Submit to create a new enterprise user Setting Enterprise User Passwords You can set and maintain enterpris...

Page 361: ...and click Go A list of all users that match your search criteria displays 5 Select the user for whom you wish to create a new password and click Edit 6 In the Edit User window enter the new password and click Submit Defining an Initial Enterprise Role Assignment When you create a new enterprise user you can grant any previously configured enterprise roles to the new user To assign existing enterpr...

Page 362: ...nager Console or by using the All Users tab in the main application window To browse enterprise users in the directory by using Enterprise Security Manager Console 1 Navigate to the Enterprise Security Manager Console home page Choose Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign On username and password 2 Choose the Users and Gro...

Page 363: ...ate To browse enterprise users in the directory by using the All Users tab in the main application window 1 Select the directory in the left navigator pane 2 Choose the All Users tab in the right main window Figure 13 4 Figure 13 4 Enterprise Security Manager Main Window All Users Tab 3 Define the search criteria and click Search Now The window displays the results of the search Table 13 3 summari...

Page 364: ...is the base entry point in the directory where the search is performed Only users under this base are returned by the search Include Subtrees This determines whether to show all users found in the entire subtree under the selected base or to only show only those users that exist directly under that base location one level only Show names containing This limits the search to those users whose direc...

Page 365: ...main in that realm You can create and remove your own enterprise domains but you must not remove the OracleDefaultDomain from a realm This section describes how to use Enterprise Security Manager to administer enterprise domains in the directory It contains the following topics Creating a New Enterprise Domain Defining Database Membership of an Enterprise Domain Managing Database Security Options ...

Page 366: ...ck The Create Enterprise Domain window appears Figure 13 5 Figure 13 5 Enterprise Security Manager Create Enterprise Domain Window 2 In the Create Enterprise Domain window select the appropriate Realm from the list Figure 13 5 3 Enter the name of the new enterprise domain in the Domain Name field 4 Choose OK The new enterprise domain is created in the realm and appears on the main application tree...

Page 367: ... realm Choose OK to remove it Defining Database Membership of an Enterprise Domain Use the navigation tree of the main Enterprise Security Manager window to select a specific enterprise domain You can then use the Databases tab to manage database membership of an enterprise domain in a realm Figure 13 6 Figure 13 6 Enterprise Security Manager Databases Tab Database Membership Note You cannot remov...

Page 368: ...Choose Add The Add Databases window appears This window lists all the databases associated with the realm Figure 13 7 Figure 13 7 Enterprise Security Manager Add Databases Window Note The following restrictions apply to adding databases to an enterprise domain A database must be in an enterprise domain for enterprise users to be able to connect to it You can only add a database to an enterprise do...

Page 369: ...are summarized by Table 13 4 Table 13 4 Enterprise Security Manager Database Security Options Database Security Option Description Enable current user database links Any database pair can only permit use of Current User Database Links if both databases exist in the same enterprise domain where this setting is enabled By default current user database links are not enabled User authentication All da...

Page 370: ...n To remove a user from the list of Enterprise Domain Administrators 1 In the left navigator pane select the enterprise domain from which you wish to remove administrators 2 In the right pane select the Administrators tab 3 Select a user from the list of Administrators 4 Choose Remove The selected user is removed from the list 5 Choose Apply The user is removed as an Enterprise Domain Administrato...

Page 371: ...ndow to manage database schema mappings when a database is selected under a realm in the main application tree or when a domain is selected If a domain is selected these mappings apply to all databases that are members of the enterprise domain Therefore each database in the enterprise domain must have a schema of the same name used in the mapping for that mapping to be effective on that database T...

Page 372: ...h tree from which to select the user s DN or the base of users the option to choose either subtree level or entry level mapping and a field in which to enter a schema name Figure 13 9 Enterprise Security Manager Add Database Schema Mappings Window 2 Navigate the directory to select a desired entry as a base for the database schema mapping This can be any directory entry but should be either the ac...

Page 373: ... a database to accept a connection from a password authenticated user The database must be a member of a domain configured to accept Password authentication See Table 13 4 on page 13 19 The domain must be a member of a password accessible domains group called the Password Accessible Domains List added by a member of either the OracleContextAdmins or the OracleDBSecurityAdmins directory administrat...

Page 374: ... the list of enterprise domains and click OK The OracleDefaultDomain is added to the password accessible domains list Note By default the cn Users subtree in an identity management realm has ACLs access control lists to enable appropriate database access to user password attributes If you do not use this subtree to store users then see Oracle Internet Directory Administrator s Guide for informatio...

Page 375: ... To remove a user from the list of Database Administrators 1 In the Administrators tabbed window select a user from the list of administrators 2 Choose Remove the selected user is removed from the list 3 Choose Apply the user is removed as a Database Administrator for that database To add a new user to the list of Database Administrators 1 In the Administrators tabbed window choose Add the Add Use...

Page 376: ...Administering Enterprise Domains 13 26 Oracle Database Advanced Security Administrator s Guide See Also Creating New Enterprise Users on page 13 9 Browsing Users in the Directory on page 13 12 ...

Page 377: ...prise Role Assigning Database Global Role Membership to an Enterprise Role Granting Enterprise Roles to Users Creating a New Enterprise Role You can create an enterprise role in an enterprise domain either from the Operations menu on the Enterprise Security Manager main window Figure 13 8 or by right clicking an enterprise domain in the main application tree In either case the Create Enterprise Ro...

Page 378: ...in application tree 3 Enterprise Security Manager asks you to confirm the removal of the enterprise role Choose Yes Assigning Database Global Role Membership to an Enterprise Role Use the Database Global Roles tabbed window Figure 13 12 of the Enterprise Security Manager main window to manage database global role membership in an enterprise role This window lists the names of each global role that...

Page 379: ...ole_name IDENTIFIED GLOBALLY A Database Administrator cannot locally grant and revoke global roles to users of the database To add a global role to an enterprise role 1 Choose Add Figure 13 12 The Add Global Database Roles window appears This window lists all of the databases in the enterprise domain from which global roles can be selected to add to an enterprise role 2 Select a database from whic...

Page 380: ...ecurity Manager connects you to the given database and fetches the list of global roles supported on that database The list of values if any is displayed in the Add Global Database Roles window 4 Select one or more global roles from the list of returned values and choose OK These global roles appear in the Database Global Roles tabbed window Figure 13 12 5 Choose Apply The new global roles are add...

Page 381: ... that enterprise role Use the Users tabbed window To grant an enterprise role to users 1 Select the role in the navigation tree and choose Add in the Users tabbed window The Add Enterprise Users window appears Use this window to locate and select one or more directory users to add as enterprise role grantees Figure 13 14 Figure 13 14 Enterprise Security Manager Add Enterprise Users Window 2 Select...

Page 382: ...uide To remove a user from the list of enterprise role grantees 1 Select a user from the list of grantees in the Users tabbed window 2 Choose Remove The selected user is removed from the list 3 Choose Apply The user is removed as a grantee for that enterprise role in the enterprise domain ...

Page 383: ...ion and Integrity Parameters Appendix B Authentication Parameters Appendix C Integrating Authentication Devices Using RADIUS Appendix D Oracle Advanced Security FIPS 140 1 Settings Appendix E orapki Utility Appendix F Entrust Enabled SSL Authentication Appendix G Using the User Migration Utility ...

Page 384: ......

Page 385: ...yer Authentication This appendix contains the following topics Sample sqlnet ora File Data Encryption and Integrity Parameters Sample sqlnet ora File This section contains a sample sqlnet ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics The file includes examples of Oracle Advanced Security encryption and data integrity para...

Page 386: ..._server MD5 sqlnet crypto_checksum_types_client MD5 SSL SSL WALLET_LOCATION SOURCE METHOD FILE METHOD_DATA DIRECTORY wallet SSL_CIPHER_SUITES SSL_DH_anon_WITH_RC4_128_MD5 SSL_VERSION 3 SSL_CLIENT_AUTHENTICATION FALSE Common Common automatic_ipc off sqlnet authentication_services beq names directory_path TNSNAMES Kerberos Kerberos sqlnet authentication_services beq kerberos5 sqlnet authentication_k...

Page 387: ...acle Advanced Security defaults to ACCEPTED For both data encryption and integrity algorithms the server selects the first algorithm listed in its sqlnet ora file that matches an algorithm listed in the client sqlnet ora file or in the client installed list if the client lists no algorithms in its sqlnet ora file If there are no entries in the server sqlnet ora file the server sequentially searche...

Page 388: ...acting as a client connects to this server The behavior of the server partially depends on the SQLNET ENCRYPTION_CLIENT setting at the other end of the connection SQLNET ENCRYPTION_CLIENT This parameter specifies the desired encryption behavior when this client or server acting as a client connects to a server The behavior of the client partially depends No No See Also Chapter 3 Configuring Networ...

Page 389: ... acting as a client connects to a server The behavior partially depends on the SQLNET CRYPTO_CHECKSUM_SERVER setting at the other end of the connection Table A 3 SQLNET ENCRYPTION_CLIENT Parameter Attributes Attribute Description Syntax SQLNET ENCRYPTION_CLIENT valid_value Valid Values ACCEPTED REJECTED REQUESTED REQUIRED Default Setting ACCEPTED Table A 4 SQLNET CRYPTO_CHECKSUM_SERVER Parameter A...

Page 390: ...RVER valid_ encryption_algorithm valid_encryption_ algorithm Valid Values RC4_256 RSA RC4 256 bit key size AES256 AES 256 bit key size AES192 AES 192 bit key size 3DES168 3 key Triple DES 168 bit effective key size RC4_128 RSA RC4 128 bit key size AES128 AES 128 bit key size 3DES112 2 key Triple DES 112 bit effective key size RC4_56 RSA RC4 56 bit key size DES Standard DES 56 bit key size RC4_40 R...

Page 391: ...st the list of available client algorithm types until a match is found If an algorithm is specified that is not installed on this side the connection terminates with error message ORA 12650 Table A 7 SQLNET ENCRYPTION_TYPES_CLIENT Parameter Attributes Attribute Description Syntax SQLNET ENCRYPTION_TYPES_CLIENT valid_ encryption_algorithm valid_encryption_ algorithm Valid Values RC4_256 RSA RC4 256...

Page 392: ...he more random the characters entered into this field are the stronger the keys are You set this parameter by entering from 10 to 70 random characters into the preceding statement Table A 8 SQLNET CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes Attribute Description Syntax SQLNET CRYPTO_CHECKSUM_TYPES_SERVER valid_crypto_ checksum_algorithm valid_crypto_checksum_algorithm Valid Values SHA 1 Secu...

Page 393: ... system uses various sources of random numbers depending on your operating system to seed the random number generator Note If you use this parameter to seed the random number generator then Oracle recommends that you enter as many characters as possible up to 70 to make the resulting key more random and therefore stronger ...

Page 394: ...Data Encryption and Integrity Parameters A 10 Oracle Database Advanced Security Administrator s Guide ...

Page 395: ...ervers using SSL Parameters for Clients and Servers using Kerberos Authentication Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos Table B 1 Kerberos Authentication Parameters File Name Configuration Parameters sqlnet ora SQLNET AUTHENTICATION_SERVICES KERBEROS5 SQLNET AUTHENTICATION_KERBEROS5_SERVICE oracle SQLNET KERBEROS5_CC_NAME us...

Page 396: ...s parameter sets the location of the primary RADIUS server either host name or dotted decimal format If the RADIUS server is on a different machine from the Oracle server you must specify either the host name or the IP address of that machine Table B 3 describes this parameter s attributes SQLNET RADIUS_AUTHENTICATION_PORT This parameter sets the listening port of the primary RADIUS server Table B...

Page 397: ...ult packets are sent to port 1646 You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system Table B 7 describes this parameter s attributes Table B 4 SQLNET RADIUS_AUTHENTICATION_PORT Parameter Attributes Attribute Description Syntax SQLNET RADIUS_AUTHENTICATION_PORT port_number Default s...

Page 398: ...lternate RADIUS server Table B 10 describes this parameter s attributes Table B 7 SQLNET RADIUS_SEND_ACCOUNTING Parameter Attributes Attribute Description Syntax SQLNET RADIUS_SEND_ACCOUNTING on Default setting off Table B 8 SQLNET RADIUS_SECRET Parameter Attributes Attribute Description Syntax SQLNET RADIUS_SECRET path_to_RADIUS_secret_key Default setting ORACLE_HOME network security radius key T...

Page 399: ...onous mode support Table B 13 describes this parameter s attributes SQLNET RADIUS_CHALLENGE_KEYWORD This parameter sets the keyword to request a challenge from the RADIUS server User types no password on the client Table B 14 describes this parameter s attributes Table B 11 SQLNET RADIUS_ALTERNATE_TIMEOUT Parameter Attributes Attribute Description Syntax SQLNET RADIUS_ALTERNATE_TIMEOUT time_in_sec...

Page 400: ...ath for the Java classes for that graphical interface and to set the path to the JDK Java libraries Table B 16 describes this parameter s attributes Minimum RADIUS Parameters sqlnet authentication_services radius sqlnet authentication IP address of RADIUS server sqlnet radius_challenge_response ON Table B 14 SQLNET RADIUS_CHALLENGE_KEYWORD Parameter Attributes Attribute Description Syntax SQLNET R...

Page 401: ...atic and dynamic parameters for configuring SSL on the server Parameter Name static SQLNET AUTHENTICATION_SERVICES Parameter Name dynamic AUTHENTICATION Parameter Type String LIST Parameter Class Static Permitted Values Add TCPS to the list of available authentication services Default Value No default value Description To control which authentication services a user wants to use Note The dynamic v...

Page 402: ...ter Name static SSL_CIPHER_SUITES Parameter Name dynamic SSL_CIPHER_SUITES Parameter Type String LIST Parameter Class Static Permitted Values Any known SSL cipher suite Default Value No default Description Controls the combination of encryption and data integrity used by SSL Existing New Parameter Existing Syntax static SSL_CIPHER_SUITES SSL_cipher_suite1 SSL_cipher_suite2 SSL_cipher_suiteN Exampl...

Page 403: ...e Advanced Encryption Standard AES work with Transport Layer Security TLS 1 0 only SSL Version Parameters This section describes the static and dynamic parameters for configuring the version of SSL to be used Parameter Name static SSL_VERSION Parameter Name dynamic SSL_VERSION Parameter Type string Parameter Class Static Permitted Values Any version which is valid to SSL 0 3 0 Default Value 0 Desc...

Page 404: ...TCH Example dynamic SSL_VERSION 3 0 Parameter Name static SSL_CLIENT_AUTHENTICATION Parameter Name dynamic SSL_CLIENT_AUTHENTICATION Parameter Type Boolean Parameter Class Static Permitted Values TRUE FALSE Default Value TRUE Description To control whether a client in addition to the server is authenticated using SSL Existing New Parameter New Syntax static SSL_CLIENT_AUTHENTICATION TRUE FALSE Exa...

Page 405: ...but an error is logged to the sqlnet log file Default Oracle8i or later FALSE SSL client always checks server DN If it does not match the service name the connection succeeds but an error is logged to sqlnet log file Usage Notes Additionally configure the tnsnames ora parameter SSL_ SERVER_CERT_DN to enable server DN matching Parameter Name SSL_SERVER_CERT_DN Where stored tnsnames ora Can be store...

Page 406: ...n each of the following configuration files sqlnet ora listener ora The default wallet location is the ORACLE_HOME directory Example dbalias description address_ list address protocol tcps host hostname port portnum connect_ data sid Finance security SSL_SERVER_ DN CN Finance CN OracleContext C US O Acme Table B 17 Wallet Location Parameters Static Configuration Dynamic Configuration WALLET_LOCATI...

Page 407: ...rd to authenticate Oracle users When your authentication device uses the challenge response mode a graphical interface prompts the user first for a password then for additional information for example a dynamic password that the user obtains from a token card This interface is Java based to provide optimal platform independence Third party vendors of authentication devices must customize this grap...

Page 408: ... 1 Server Encryption Level Setting Parameter Description radiusRequest Generally this prompts the user for a user name and password which will later be retrieved through getUserName and getPassword getUserName Extracts the user name the user enters If this method returns an empty string it is assumed that the user wants to cancel the operation The user then receives a message indicating that the a...

Page 409: ...on list at the following Web site address http csrc nist gov cryptval 140 1 1401val htm This appendix contains the following topics Configuration Parameters Post Installation Checks Status Information Physical Security Configuration Parameters This appendix contains information on the Oracle Advanced Security parameters required in the sqlnet ora files that ensure that any connections created betw...

Page 410: ...nnection ensures that a connection is only permitted if encryption is used irrespective of the parameter value on the client Client Encryption Level Setting The ENCRYPTION_CLIENT parameter specifies the connection behavior for the client One of the following parameter settings in the client file is mandatory SQLNET ENCRYPTION_CLIENT ACCEPTED REQUESTED REQUIRED A connection to the server is only po...

Page 411: ... that is configured for FIPS 140 1 the following parameter setting is mandatory SQLNET ENCRYPTION_TYPES_CLIENT DES DES40 Cryptographic Seed Value The CRYPTO_SEED parameter contains characters which are part of the seed for the random number generator There are no explicit requirements for the value of this parameter within the FIPS 140 1 standard however it is suggested that a large set of random ...

Page 412: ...ses and the memory they are using in the operating system Status Information Status information for Oracle Advanced Security is available after the connection has been established The information is contained in the RDBMS virtual table v session_connect_info Running the query SELECT from V SESSION_CONNECT_INFO displays all of the product banner information for the active connection Table D 1 shows...

Page 413: ...e Advanced Security FIPS 140 1 Settings D 5 Physical Security To comply with FIPS 140 1 Level 2 requirements tamper evident seals must be applied to the cover of each machine to ensure that removal of the cover is detectable ...

Page 414: ...Physical Security D 6 Oracle Database Advanced Security Administrator s Guide ...

Page 415: ...d into scripts Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI The following topics are included in this appendix orapki Utility Overview Creating Signed Certificates for Testing Purposes Managing Oracle Wallets with orapki Utility Managing Certificate Revocation Lists CRLs with orapki Utility o...

Page 416: ...g listing viewing and deleting CRLs in Oracle Internet Directory orapki Utility Syntax The basic syntax of the orapki command line utility is as follows orapki module command parameter value where module can be wallet Oracle wallet crl certificate revocation list or cert PKI digital certificate The available commands depend on the module you are using For example if you are working with a wallet t...

Page 417: ...ameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request The validity parameter specifies the number of days starting from the current date that this certificate will be valid Specifying a certificate and certificate request is mandatory for this command To view a certificate orapki cert display cert certificate_location summary ...

Page 418: ...ill prompt you to enter and re enter a wallet password It creates a wallet in the location specified for wallet To create an Oracle wallet with auto login enabled orapki wallet create wallet wallet_location auto_login This command creates a wallet with auto login enabled or it can also be used to enable auto login on an existing wallet If the wallet_location already contains a wallet then auto log...

Page 419: ...ate chain of a user certificate before adding a user certificate or the command to add the user certificate will fail To add a root certificate to an Oracle wallet orapki wallet add wallet wallet_location dn certificate_dn keySize 512 1024 2048 self_signed validity number_of_days This command creates a new self signed root certificate and adds it to the wallet The validity parameter mandatory spec...

Page 420: ...uest from an Oracle wallet orapki wallet export wallet wallet_location dn certificate_request_dn request certificate_request_filename This command exports a certificate request with the subject s distinguished name dn from a wallet to a file that is specified by request Managing Certificate Revocation Lists CRLs with orapki Utility CRLs must be managed with orapki This utility creates a hashed val...

Page 421: ...ses Syntax orapki cert create wallet wallet_location request certificate_request_ location cert certificate_location validity number_of_days summary The wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request The request parameter mandatory specifies the location of the certificate request for the certificate you are c...

Page 422: ...s additional certificate information including the serial number and public key orapki crl delete Purpose Use this command to delete CRLs from Oracle Internet Directory Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins cn CRLAdmins cn groups s_OracleContextDN directory group Prerequisites None Syntax orapki crl delete issuer issuer_name ldap h...

Page 423: ...c CRLs that are stored in Oracle Internet Directory Syntax orapki crl display crl crl_location wallet wallet_location summary complete The crl parameter specifies the location of the CRL in the directory It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command See orapki crl list on page E 10 The wallet parameter optional specifies the locatio...

Page 424: ...s the certificate of the certificate authority CA who issued the CRL Using it causes the tool to verify the validity of the CRL against the CA s certificate prior to uploading it to the directory Depending on your operating system use either the symlink or the copy parameter UNIX use symlink to create a symbolic link to the CRL at the crl_ directory location Windows use copy to create a copy of th...

Page 425: ...s the directory location or the URL where the CRL is located that you are uploading to the directory The ldap parameter specifies the hostname and SSL port for the directory where you are uploading the CRLs Note that this must be a directory SSL port with no authentication See Uploading CRLs to Oracle Internet Directory on page 7 42 for more information about this port The user parameter specifies...

Page 426: ...13 To add trusted certificates orapki wallet add wallet wallet_location trusted_cert cert certificate_ location The trusted_cert parameter causes the tool to add the trusted certificate at the location specified with cert to the wallet To add root certificates orapki wallet add wallet wallet_location dn certificate_dn keySize 512 1024 2048 self_signed validity number_of_days The self_signed parame...

Page 427: ...e new wallet or the location of the wallet for which you want to turn on auto login The auto_login parameter creates an auto login wallet or it turns on automatic login for the wallet specified with the wallet option See Using Auto Login on page 8 19 for details about auto login wallets orapki wallet display Purpose Use this command to view the certificate requests user certificates and trusted ce...

Page 428: ... of the wallet from which you want to export the certificate The dn parameter specifies the distinguished name of the certificate The cert parameter specifies the name of the file that contains the exported certificate To export a certificate request from an Oracle wallet orapki wallet export wallet wallet_location dn certificate_request_dn request certificate_request_filename The request paramete...

Page 429: ...e Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle environment security This appendix contains the following topics Benefits of Entrust Enabled Oracle Advanced Security Required System Components for Entrust Enabled Oracle Advanced Security Entrust Authentication Process Enabling Entrust Authentication Issues and Restrictions that App...

Page 430: ...ise are thus able to use it for authentication and single sign on to Oracle Database Integration with Entrust Authority Key Management Entrust enabled Oracle Advanced Security uses the extensive key management and rollover functionality provided by Entrust Authority which shields users from the complexity of a PKI deployment For example users are automatically notified when their certificates are ...

Page 431: ...d a Lightweight Directory Access Protocol LDAP compliant directory for information such as user names public certificates and certificate revocation lists Entrust Authority for Oracle is comprised of the following software components Entrust Authority Security Manager Entrust Authority Self Administration Server Entrust Entelligence Desktop Manager Note In the following sections the term client re...

Page 432: ...ority Self Administration Server is the administrator s secure interface to Entrust Authority Security Manager Entrust Entelligence Desktop Manager Entrust Entelligence Desktop Manager provides support for user key management and single sign on functionality on both clients and server by enabling Oracle Database server process access to incoming SSL connections Entrust Authority Server Login Featu...

Page 433: ...y IPSec Negotiator Toolkit is required on both clients and servers for integrating the Oracle Advanced Security SSL stack with Entrust Authority enabling SSL authentication to use Entrust profiles Contact your Entrust representative to get Entrust Authority IPSec Negotiator Toolkit Entrust Authentication Process Figure F 1 illustrates the following Entrust authentication process 1 The Entrust user...

Page 434: ... Entrust on the Client Configuring Entrust on the Server Creating Entrust Enabled Database Users Logging Into the Database Using Entrust Enabled SSL Creating Entrust Profiles This section describes how to create Entrust profiles which can be created by either administrators or users On UNIX platforms administrators create the Entrust profiles for all clients On Windows platforms users can create t...

Page 435: ...ust user using the Entrust Authority Self Administration Server In the New User dialog box the Create Profile option should be deselected 2 The user receives a secure e mail notification from the administrator that contains a reference number authorization code and expiration date 3 The user navigates to the Create Entrust Profiles screen in Entrust Entelligence Desktop Manager as follows Start Pr...

Page 436: ...ing to the type of platform Configuring Entrust on a UNIX Client Configuring Entrust on a Windows Client Configuring Entrust on a UNIX Client If the client resides on a non Windows platform perform the following steps 1 Set the JAVA_HOME variable to the JDK or JRE location For example setenv JAVA_HOME ORACLE_HOME JRE 2 Set WALLET_LOCATION in the sqlnet ora file For example WALLET_LOCATION SOURCE M...

Page 437: ...file 2 Choose the Entrust icon on the system tray to open the Entrust_Login dialog box 3 Log on to Entrust by entering the profile name and password Configuring Entrust on the Server The steps for configuring Entrust on the server vary according to the type of platform Configuring Entrust on a UNIX Server Configuring Entrust on a Windows Server Configuring Entrust on a UNIX Server If the server is...

Page 438: ... swingall jar ORACLE_HOME network jlib netentrust jar 4 Enter the etbinder command to create unattended login credentials or ual files by using the following steps a Set the PATH environment variable to include the path to the etbinder command which is located in the bin directory where the Server Login Toolkit is installed b Set the LD_LIBRARY_PATH to include the path to the Entrust libraries c S...

Page 439: ...Run the Entrust binder command to create unattended login credentials which are files with a ual extension Ensure that the owner of the ual file is the same as the owner of the Oracle service To run the binder command choose Start Programs Entrust Toolkit Server Login Entrust Binder Enter the path to the profile the password and the path to the Entrust initialization file A message informs you tha...

Page 440: ..._Login dialog box appears 2 Enter the path to the profile and the password 3 If you did not specify a value for the WALLET_LOCATION parameter you are prompted to enter the path to the Entrust initialization file Issues and Restrictions that Apply to Entrust Enabled SSL An application must be specifically modified to work with Entrust If a product is designated as Entrust ready then it has been int...

Page 441: ...ubleshooting Entrust In Oracle Advanced Security This section describes how to diagnose errors returned from Entrust to Oracle Advanced Security users Error Messages Returned When Running Entrust on Any Platform You may encounter the following error messages regardless of what platform you are running Entrust on ORA 28890 Entrust Login Failed Cause SQL Plus login on an Entrust enabled Oracle clien...

Page 442: ...T ON On the server TRACE_LEVEL_SERVER 16 TRACE_DIRECTORY_SERVER valid_server_directory name TRACE_FILE_SERVER server TRACE_UNIQUE_SERVER ON Search for and locate the string IKMP in the generated trace file Adjacent to this string error messages are listed that provide details about the problem you are encountering This detailed error code information is returned by the Entrust API ORA 28890 Entrus...

Page 443: ...176 Cause Due to a known symbol conflict between Entrust and Oracle libraries Entrust login may fail and return this error message Action Contact Entrust support to resolve this issue TNS 12560 TNS protocol adapter error TNS 00558 Entrust Login Failed ORACLE SERVER host_name This error may occur in the listener log file on the server when you attempt to log in to Entrust Cause If you configure the...

Page 444: ...COL in the listener ADDRESS For example change all of the PROTOCOL definitions to TCPS as follows listener_name DESCRIPTION ADDRESS PROTOCOL TCPS KEY extproc0 ADDRESS PROTOCOL TCPS HOST sales pc PORT 1521 Bringing up the listener only using TCPS will show whether there is a problem accessing the Entrust profile when you turn on tracing Set the SSL_CLIENT_AUTHENTICATION parameter to FALSE as follow...

Page 445: ...rary parameter This parameter setting enables generating a ual file on the server 4 Ensure that all Entrust toolkits including the Entrust IPSEC Negotiator toolkit and the Server Login toolkit are the same version so they are compatible 5 Ensure that you have specified TCP IP with SSL in the SQLNET AUTHENTICATION_SERVICES parameter in the sqlnet ora file as shown in the following example SQLNET AU...

Page 446: ...your database is running on a Microsoft platform If this is the case then only the ual file which enables unattended login is required 5 Confirm that Entrust Authority as specified in the Entrust Initialization file is accessible and running 6 Confirm that the profile password is correctly entered 7 If an Oracle database server fails to log in to Entrust confirm that the unattended login credentia...

Page 447: ...e User Migration Utility User Migration Utility Parameters User Migration Utility Usage Examples Troubleshooting Using the User Migration Utility Benefits of Migrating Local or External Users to Enterprise Users Migrating from a database user model to an enterprise user model provides solutions to administrative security and usability challenges in an enterprise environment In an enterprise user m...

Page 448: ... decide to move their users from a local database model to an enterprise user model This utility makes it easy to migrate thousands of local and external database users to an enterprise user environment in an LDAP directory where they can be managed from a central location It uses the Oracle JDBC OCI driver to connect to the database Enterprise user administrators can select for migration any comb...

Page 449: ...administrator can choose to reuse the table clearing its contents reuse the table and its contents or re create the table Phase one can be run multiple times each time adding to the interface table If the table does not exist then the utility creates it in the administrator s schema The interface table is populated with information about the migrating users from the database and the directory The ...

Page 450: ...s them in the DBPASSWORD and DIRPASSWORD interface table columns The enterprise user administrator can read these passwords from the interface table and inform migrating users About the ORCL_GLOBAL_USR_MIGRATION_DATA Table This is the interface table which is populated with information about the migrating users during phase one of the bulk user migration process The information that populates this...

Page 451: ...wo MAPPING_TYPE VARCHAR2 10 Mapping type database or domain MAPPING_LEVEL VARCHAR2 10 Mapping level entry or subtree CASCADE_FLAG CHAR 1 Cascade flag used when dropping a user for shared schema mapping only DBPASSWORD_EXIST_FLAG CHAR 1 Flag indicating whether the database password verifier already exists in the directory for this user DBPASSWORD VARCHAR2 30 Randomly generated database password ver...

Page 452: ... Modified between Phase One and Phase Two Column Name Valid Values Restrictions USERDN DN of user If this value is changed then the administrator should verify that the USERDN_EXIST_FLAG and the DBPASSWORD_ EXIST_FLAG values are set accordingly USERDN_EXIST_FLAG T F If the USERDN column value changes then this column value should also change to reflect the new USERDN status DBPASSWORD_EXIST_ FLAG ...

Page 453: ...ave a valid X 509 v3 certificate This utility performs the following steps during migration 1 Selects the users from the database for migration 2 Creates corresponding user entries or uses existing entries in the directory 3 Creates new database passwords and copies the corresponding verifiers to the directory for migrating users 4 Puts the schema mapping information for the migrating users entrie...

Page 454: ... Privileges To successfully use this utility enterprise user administrators must have the following database privileges ALTER USER DROP USER CREATE TABLE SELECT_CATALOG_ROLE These privileges enable the enterprise user administrator to alter users drop users look at dictionary views and create the interface table that is used by this utility Note In the current release the utility migrates users wi...

Page 455: ...ed 3 Ensure that the database listener has a TCP listening endpoint 4 Create an identity management realm in the directory if it does not already exist 5 Create the parent context for the user entries in the directory if it does not already exist The default and recommended location is in the cn users subtree in the identity management realm 6 Set up directory access for the database Oracle home b...

Page 456: ...phases of the bulk user migration process Example 13 1 User Migration Utility Command Line Syntax umu PHASE ONE DBADMIN dba_username password ENTADMIN enterprise_admin_DN password USERS ALL_GLOBAL ALL_EXTERNAL LIST FILE DBLOCATION database_host database_port database_sid Note If you plan to use shared schema mapping when migrating users then you must create the shared schema before running this ut...

Page 457: ...y_host ldap_directory_port LOGFILE filename PARFILE filename Accessing Help for the User Migration Utility To display the command line syntax for using the User Migration Utility enter the following command at the system prompt umu HELP YES While the HELP parameter is set to YES the utility cannot execute Note If the enterprise user administrator does not specify the mandatory parameters on the co...

Page 458: ...displays the complete command line syntax To execute a command set the value to NO or do not specify a value for the parameter to accept the default Restrictions None Valid Values ONE or TWO These values are not case sensitive Default Setting ONE Syntax Examples PHASE ONE PHASE TWO Description Indicates the phase for the utility If it is ONE then the utility populates the interface table with the ...

Page 459: ...ically populated from the ldap ora file by default Syntax Examples DIRLOCATION my_oracle us oracle com 636 Description Provides the host name and port number for the directory server where the LDAP server is running on SSL with no authentication Restrictions The value for this parameter must be the same for both phase one and phase two Valid Values username password Default Setting No default sett...

Page 460: ...alues value1 value2 Values can be ALL_EXTERNAL to select all external users including those who use Kerberos and RADIUS authentication ALL_GLOBAL to select all global users LIST to specify users on the command line with the Keyword USERSLIST USERSFILE for selecting users from the file that is specified with the Keyword USERSFILE This parameter takes multiple values Separate values with a colon The...

Page 461: ...scription Specifies a list of database users for migration The users in this list are migrated with other users that are specified with the USERS parameter Restrictions This optional parameter is effective only when LIST is specified with the USERS parameter Valid Values File name and path Default Setting No default setting Syntax Examples USERSFILE home orahome userslist hr_users txt Description ...

Page 462: ...ared schema Mapping entries are created in the directory Schema name specifies the shared schema name During shared schema mapping whether users local schemas are dropped from the database is determined by the Keyword CASCADE setting These values are not case sensitive Default Setting PRIVATE Syntax Examples MAPSCHEMA SHARED HR_ALL Description Specifies whether the utility populates the interface ...

Page 463: ...lied when Keyword MAPSCHEMA is set to SHARED If DB is specified as the mapping type then the utility creates a mapping in directory for the database If DOMAIN is specified as the mapping type then the utility creates a mapping in the directory for the domain containing the database For domain mapping the utility determines the domain that contains the database by an LDAP search in the relevant Ora...

Page 464: ... set to YES then all users schema objects are dropped along with their local schemas when they are migrated Privileges and roles that were previously granted to the users are also revoked These values are not case sensitive Default Setting NO Syntax Examples CASCADE YES Description Specifies whether a user s local schema is dropped when the user is mapped to a shared schema Restrictions This param...

Page 465: ...lated Entries in a Realm Oracle Context on page 11 16 for a directory information tree diagram that shows an Oracle Context Syntax Examples CONTEXT c Users c us Description Specifies the DN of the parent entry under which user entries are created in the directory if there is no directory entry that matches the userID for the user Restrictions This parameter is only valid for phase one Valid Values...

Page 466: ...ult umu PHASE ONE DBLOCATION machine1 1521 ora_sid DBADMIN system manager USERS ALL_EXTERNAL LIST USERSLIST scott1 scott2 DIRLOCATION machine2 636 CONTEXT c Users c us ENTADMIN cn janeadmin welcome umu PHASE TWO DBLOCATION machine1 1521 ora_sid DBADMIN system manager DIRLOCATION machine2 636 ENTADMIN cn janeadmin welcome After phase one completes successfully the interface table is populated with ...

Page 467: ... Example G 1 Migrating Users with MAPSCHEMA SHARED umu PHASE ONE DBLOCATION machine1 1521 ora_sid DBADMIN system manager USERS ALL_EXTERNAL LIST USERSLIST scott1 scott2 MAPSCHEMA SHARED schema_32 DIRLOCATION machine2 636 CONTEXT c Users c us ENTADMIN cn janeadmin welcome umu PHASE TWO DBLOCATION machine1 1521 ora_sid DBADMIN system manager DIRLOCATION machine2 636 ENTADMIN cn janeadmin welcome Aft...

Page 468: ...ts or want to retain the objects that they own in their old database schemas then setting the CASCADE parameter to YES automatically drops all users schemas and schema objects and maps them to the new shared schema Example G 2 shows the syntax to use when setting CASCADE to YES In this example users scott1 scott2 and all external database users are migrated to the directory at c Users c us while m...

Page 469: ...ns the database where the shared schema is stored and also applies to all databases in that domain Mapping level can be set to ENTRY or SUBTREE When ENTRY is specified then users are mapped to the shared schema using their full distinguished name DN This results in one mapping for each user When SUBTREE is specified then groups of users who share part of their DNs are mapped together This results ...

Page 470: ...to a schema However the database does not interpret the user to be in the subtree so the mapping does not apply to scott himself For example if you are migrating the user scott with the DN cn scott o acme and you choose SUBTREE as the mapping level when you run the utility then a new mapping is created from cn scott o acme to the shared schema but the user scott is not mapped to that schema Only n...

Page 471: ...e the USERSFILE parameter during phase one of the migration process The PARFILE and LOGFILE parameters can be used in both phases Example G 4 shows the syntax for a typical parameter text file to migrate users scott1 scott2 and all external database users while retaining their old schemas to the directory at c Users c us In this example a log of migration events is written to the file errorfile1 i...

Page 472: ... how to resolve the errors Resolving Error Messages Displayed for Both Phases Resolving Error Messages Displayed for Phase One Resolving Error Messages Displayed for Both Phases The following error messages may display while the utility is running either phase one or phase two of the migration Attribute value missing orclCommonNicknameAttribute Note Although the LOGFILE parameter is specified twic...

Page 473: ...t realm Database connection failure Cause The utility was unable to connect to the database Action Perform these steps 1 Check the database status to determine whether it is configured for encryption and integrity 2 Check the privileges and credentials of the enterprise user administrator who is running the utility Database error database_error_message Cause The utility encountered a database erro...

Page 474: ...ountered a directory error Action Check the directory error message details for the directory Multiple entries found uniqueMember database_DN Cause The database belongs to more than one enterprise domain in the directory Action Use Enterprise Security Manager or Oracle Directory Manager to ensure that the database belongs to only one enterprise domain Resolving Error Messages Displayed for Phase O...

Page 475: ... Action Check the usage syntax Database object missing SHARED SCHEMA shared_schema_name Cause The shared schema is not present in the database Action Create the shared schema Error reading file file_name io_error_message Cause Syntax error The utility cannot read the file that contains the users list that is specified in the USERSFILE parameter Action Perform these steps 1 Check to ensure that the...

Page 476: ...arameter Invalid argument or value argument Cause Syntax error The argument name or value has been entered incorrectly Action Check the usage syntax Invalid arguments for the phase Cause Syntax error This occurs when you have used a command line argument that is only intended for phase one but you are running phase two Action Check the usage syntax See Also Keyword DBLOCATION on page G 12 Keyword ...

Page 477: ...t a user in the database that is specified in the DBLOCATION parameter Action Remove the invalid user from the USERSLIST parameter Invalid value user USERSLIST DBADMIN Cause Syntax error The USERSLIST parameter contains the user who is running the migration utility Action Remove that user from the USERSLIST Logging failure io_error_message Cause Syntax error The utility cannot find the log file or...

Page 478: ... is migrated whether the user was migrated successfully or not The following sections describe these messages and explain how to resolve the errors Common Log Messages for Phase One While the utility is running phase one of the migration messages that indicate a user s information has not been successfully populated in the interface table may be written to the log file After the utility completes ...

Page 479: ...lumn_ name column_value Cause The entry already contains a value for the orclPassword attribute Action Check the DBPASSWORD_EXIST_FLAG column in the interface table for a T F value that correctly reflects whether a database password exists for this user Attribute value missing orclPassword This message typically occurs with the message Invalid value column_ name column_value Cause The orclPassword...

Page 480: ...is accompanied by additional log messages for this user Action Check to ensure that the correct value has been entered for this user No entry found DN user_DN This message typically occurs with the message Invalid value column_ name column_value Cause The entry for the DN is missing in the directory Action Check the USERDN_EXIST_FLAG column in the interface table for a T F value that correctly ref...

Page 481: ... creation in SYS schema not allowed on page G 30 1 Invalid argument or value argument on page G 30 1 Invalid arguments for the phase on page G 30 1 Invalid value user USERSFILE on page G 31 1 Invalid value user USERSFILE DBADMIN on page G 31 1 Invalid value user USERSLIST on page G 31 1 Invalid value user USERSLIST DBADMIN on page G 31 1 Logging failure io_error_message on page G 31 1 Multiple ent...

Page 482: ...mn_name interface_table_column_value on page G 34 2 Multiple entries found nickname_attribute username on page G 32 1 No entry found DN user_DN on page G 34 2 No entry found nickname_attribute username Entry found DN dn on page G 32 1 Table G 5 Alphabetical Listing of User Migration Utility Log Messages User Migration Utility Log Message Phase ...

Page 483: ...ional Institute of Standards and Technology as a replacement for DES The AES standard is available in Federal Information Processing Standards Publication 197 The AES algorithm is a symmetric block cipher that can process data blocks of 128 bits using cipher keys with lengths of 128 192 and 256 bits AES See Advanced Encryption Standard attribute An item of information that describes some aspect of...

Page 484: ...tication authorization Permission given to a user program or process to access an object or set of objects In Oracle authorization is done through the role mechanism A single person or a group of people can be granted a role or a group of roles A role in turn can be granted other roles The set of privileges available to an authenticated entity auto login wallet An Oracle Wallet Manager feature tha...

Page 485: ...other entities users databases administrators clients servers are who they say they are When it certifies a user the certificate authority first seeks verification that the user is not on the certificate revocation list CRL then verifies the user s identity and grants a certificate signing it with the certificate authority s private key The certificate authority has its own certificate and public ...

Page 486: ... data if they match it is probabilistic proof the data was not tampered with during transmission Cipher Block Chaining CBC An encryption method that protects against block replay attacks by making the encryption of a cipher block dependent on all blocks that precede it it is designed to make unauthorized decryption incrementally more difficult Oracle Advanced Security employs outer cipher block ch...

Page 487: ...twork address See connect identifier connect identifier A connect descriptor or a name that maps to a connect descriptor A connect identifier can be a net service name database service name or net service alias Users initiate a connect request by passing a username and password along with a connect identifier in a connect string for the service to which they wish to connect CONNECT username passwo...

Page 488: ... A person responsible for operating and maintaining an Oracle Server or a database application 2 An Oracle username that has been given DBA privileges and can perform database administration functions Usually the two meanings coincide Many sites have multiple DBAs database alias See net service name Database Installation Administrator Also called a database creator This administrator is in charge ...

Page 489: ...administrator for database enterprise user security This administrator has permissions on all of the enterprise domains and is responsible for Administering the Oracle DBSecurityAdmins and OracleDBCreators groups Creating new enterprise domains Moving databases from one domain to another within the enterprise DCE See Distributed Computing Environment DCE decryption The process of converting the co...

Page 490: ...rchical tree like structure consisting of the DNs of the entries in an LDAP directory See distinguished name DN directory naming A naming method that resolves a database service net service name or net service alias to a connect descriptor stored in a central directory server A directory naming context A subtree which is of significance within a directory server It is usually the top of some organ...

Page 491: ...erable without first being subject to decryption Also called ciphertext Encrypted text ultimately originates as plaintext encryption The process of disguising a message rendering it unreadable to any but the intended recipient enterprise domain A directory construct that consists of a group of databases and enterprise roles A database should only exist in one enterprise domain at any time Enterpri...

Page 492: ...ments for cryptographic modules employed within a security system protecting unclassified information within computer and telecommunication systems Published by the National Institute of Standards and Technology NIST FIPS See Federal Information Processing Standard FIPS forest A group of one or more Active Directory trees that trust each other All trees in a forest share a common schema configurat...

Page 493: ...omputing analyzes demand for resources and adjusts supply accordingly HTTP Hypertext Transfer Protocol The set of rules for exchanging files text graphic images sound video and other multimedia files on the World Wide Web Relative to the TCP IP suite of protocols which are the basis for information exchange on the Internet HTTP is an application protocol HTTPS The use of Secure Sockets Layer SSL a...

Page 494: ...led an instance The memory and the process of an instance manage the associated database s data efficiently and serve the one or more users of the database integrity The guarantee that the contents of the message received were not altered from the contents of the original message sent java code obfuscation Java code obfuscation is used to protect Java programs from reverse engineering A special pr...

Page 495: ...ign on capabilities and database link authentication MIT Kerberos only for users provides centralized password storage and enhances PC security key When encrypting data a key is a value which determines the ciphertext that a given algorithm will produce from given plaintext When decrypting data a key is a value required to correctly decrypt a ciphertext A ciphertext is decrypted correctly only if ...

Page 496: ...rk of design conventions supporting industry standard directory products such as the Oracle Internet Directory listener A process that resides on the server whose responsibility is to listen for incoming client connection requests and manage the traffic to the server Every time a client requests a network session with a server a listener receives the actual request If the client information matche...

Page 497: ...ion of a secret key Only someone with the key can verify the cryptographic checksum message digest See checksumming naming method The resolution method used by a client application to resolve a connect identifier to a connect descriptor when attempting to connect to a database service National Institute of Standards and Technology NIST An agency within the U S Department of Commerce responsible fo...

Page 498: ...hich they have access as well as information about clients and servers on the network An authentication server can be a physically separate machine or it can be a facility co located on another server within the system To ensure availability some authentication services may be replicated to avoid a single point of failure network listener A listener on a server that listens for connection requests...

Page 499: ... enables two or more computers that run the Oracle server or Oracle tools such as Designer 2000 to exchange data through a third party network Oracle Net Services support distributed processing and distributed database capability Oracle Net Services is an open system because it is independent of the communication protocol and users can interface Oracle Net to many network environments Oracle PKI c...

Page 500: ... and 1424 PKCS 10 An RSA Security Inc Public Key Cryptography Standards PKCS specification that describes a syntax for certification requests A certification request consists of a distinguished name a public key and optionally a set of attributes collectively signed by the entity requesting certification Certification requests are referred to as certificate requests in this manual See certificate ...

Page 501: ...t can perform operations on the end user s behalf using the authorization appropriate to that particular end user public key In public key cryptography this key is made public to all It is primarily used for encryption but can be used for verifying signatures See public and private key pair public key encryption The process where the sender of a message encrypts the message with the public key of ...

Page 502: ...nticate dial in users and authorize their access to the requested system or service realm 1 Short for identity management realm 2 A Kerberos object A set of clients and servers operating under a single key distribution center ticket granting service KDC TGS Services see kservice in different realms that share the same name are unique realm Oracle Context An Oracle Context that is part of an identi...

Page 503: ...d inversion attacks Secure Sockets Layer SSL An industry standard protocol designed by Netscape Communications Corporation for securing network connections SSL provides authentication encryption and data integrity using public key infrastructure PKI server A provider of a service service 1 A network resource used by clients for example an Oracle database server 2 An executable process installed in...

Page 504: ...onize their dialogue and manage their data exchange This layer establishes manages and terminates network sessions between the client and server An example of a session layer is Network Session SHA See Secure Hash Algorithm SHA shared schema A database or application schema that can be used by multiple enterprise users Oracle Advanced Security supports the mapping of multiple enterprise users to t...

Page 505: ... a hardware device at any client or server A smartcard can generate random numbers which can be used as one time use passwords In this case smartcards are synchronized with a service on the server so that the server expects the same password generated by the smart card sniffer Device used to surreptitiously listen to or capture private data traffic from a network sqlnet ora file A configuration fi...

Page 506: ... ORACLE_BASE ORACLE_HOME network admin token card A device for providing improved ease of use for users through several different mechanisms Some token cards offer one time passwords that are synchronized with an authentication service The server can verify the password provided by the token card at any given time by contacting the authentication service Other token cards operate on a challenge re...

Page 507: ...which they are mapped The users referenced in the mapping are connected to the specified schema when they connect to the database User schema mapping entries can apply only to one database or they can apply to all databases in a domain See shared schema user schema separation See shared schema user search base The node in the LDAP directory under which the user resides views Selective presentation...

Page 508: ...t is a path to an operating system directory that contains a wallet Windows NT native authentication An authentication method that enables a client single login access to a Windows server and a database running on that server WRL See Wallet Resource Locator X 509 An industry standard specification for digital certificates ...

Page 509: ...h orapki tool 7 40 uploading to LDAP directory 7 40 where to store them 7 37 certificate revocation status checking disabling on server 7 40 certificate validation error message CRL could not be found 7 46 CRL date verification failed with RSA status 7 46 CRL signature verification failed with RSA status 7 46 Fetch CRL from CRL DP No CRLs found 7 47 OID hostname or port number not set 7 47 challen...

Page 510: ...ed Computing Environment DCE backward compatibility 10 2 CDS naming adapter components 10 3 communication and security 10 3 components 10 2 configuration files required 10 9 configuring a server 10 9 configuring clients for DCE integration 10 16 configuring clients to use DCE CDS naming 10 19 configuring server 10 9 configuring to use DCE Integration 10 5 connecting to an Oracle database 10 23 con...

Page 511: ...management F 2 profiles F 6 administrator created F 6 user created F 7 Self Administration Server F 4 versions supported F 3 Entrust Inc F 1 Entrust enabled SSL troubleshooting F 13 Entrust PKI Software 1 12 error messages ORA 12650 3 6 3 7 A 6 A 7 A 8 ORA 28890 F 13 etbinder command F 10 F Federal Information Processing Standard configuration i xxix Federal Information Processing Standard FIPS 1 ...

Page 512: ...H parameter 10 23 nCipher hardware security module using Oracle Net tracing to troubleshoot 7 50 NEEDS_ATTENTION_FLAG column G 5 Netscape Communications Corporation 7 2 network protocol boundaries 1 16 O obfuscation 4 3 of 11 4 okdstry Kerberos adapter utility 6 11 okinit Kerberos adapter utility 6 11 oklist Kerberos adapter utility 6 11 OLD_SCHEMA_TYPE column G 5 ORA 12650 error message A 7 ORA 2...

Page 513: ... NEEDS_ATTENTION_FLAG column G 5 OLD_SCHEMA_TYPE column G 5 PASSWORD_VERIFIER column G 5 PHASE_COMPLETED column G 5 G 6 SHARED_SCHEMA column G 5 G 6 USERDN column G 5 G 6 USERDN_EXIST_FLAG column G 5 G 6 USERNAME column G 5 OS_AUTHENT_PREFIX parameter 9 6 OS_ROLES parameter setting 10 12 OSS SOURCE MY_WALLET parameter 7 17 7 27 P paragraph tags GT GlossaryTitle Glossary 1 parameters authentication...

Page 514: ...1 server configuration 7 15 sqlnet ora file sample A 2 system requirements 1 17 version parameter B 9 wallet location parameter B 12 SecurID 5 5 token cards 5 5 security Internet 1 2 Intranet 1 2 threats 1 3 data tampering 1 3 dictionary attacks 1 4 eavesdropping 1 3 falsifying identities 1 3 password related 1 4 Security Sockets Layer SSL use of term includes TLS 7 2 shared schemas 11 20 SHARED_S...

Page 515: ...parameter A 8 SQLNET ENCRYPTION_CLIENT parameter A 5 SQLNET ENCRYPTION_SERVER parameter 3 11 A 4 SQLNET ENCRYPTION_TYPES_CLIENT parameter 3 11 A 7 SQLNET ENCRYPTION_TYPES_SERVER parameter 3 11 A 6 SQLNET FIPS_140 parameter D 3 SQLNET KERBEROS5_CC_NAME parameter 6 8 SQLNET KERBEROS5_CLOCKSKEW parameter 6 9 SQLNET KERBEROS5_CONF parameter 6 9 SQLNET KERBEROS5_CONF_MIT parameter 6 9 SQLNET KERBEROS5_...

Page 516: ...ecedence G 26 MAPPING_LEVEL column G 5 G 6 MAPPING_TYPE column G 5 G 6 MAPSCHEMA parameter PRIVATE G 16 SHARED G 16 MAPTYPE parameter DB mapping type G 17 DOMAIN mapping type G 17 ENTRY mapping level G 17 SUBTREE mapping level G 17 G 24 NEEDS_ATTENTION_FLAG column G 5 OLD_SCHEMA_TYPE column G 5 ORCL_GLOBAL_USR_MIGRATION_DATA interface table G 3 password authenticated users G 7 PASSWORD_VERIFIER co...

Page 517: ...certificates 8 25 opening 8 13 Oracle Applications wallet location 8 18 saving 8 17 setting location 7 16 SSL wallet location 8 11 8 18 SSO wallets 8 19 X X 509 certificate difference from PKCS 7 certificate chain 8 22 X 509 PKI certificate standard F 2 ...

Page 518: ...Index 10 ...

Search results

Summary of Contents for Database Advanced Security 10g Release 1

Reviews:

Related manuals for Database Advanced Security 10g Release 1

Brands by name

Popular brands

Oracle Database Advanced Security 10g Release 1, Administrator'S Manual

Search results

Summary of Contents for Database Advanced Security 10g Release 1

Reviews:

Related manuals for Database Advanced Security 10g Release 1

Brands by name

Popular brands