Oracle B10772-01 User Manual

OracleDatabase
Advanced Security Administrator's Guide 10g Release 1 (10.1)
Part No. B10772-01
December 2003
Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Copyright © 1996, 2003 Oracle Corporation. All rights reserved.
Primary Author: Laurel P. Hale
Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati
Graphic Designer: Valarie Moore
The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:
Restricted Rights Notice
Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.
Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.
Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.
This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos license, Oracle is required to license the Kerberos software to you under the following terms. Note that the terms contained in the Oracle program license that accompanied this product do not apply to the Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not responsible for the performance of the Kerberos software, does not provide technical support for the software, and shall not be liable for any damages arising out of any use of the Kerberos software.
Copyright © 1985-2002 by the Massachusetts Institute of Technology. All rights reserved.
Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore, if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made without prior written permission of M.I.T.
"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the M.I.T. trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).
---
The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.
OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by M.I.T. and the Kerberos community.
---
Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U. S. Department of Energy.

Contents

List of Figures
List of Tables
Send Us Your Comments............................................................................................................... xxiii
Preface......................................................................................................................................................... xxv
What's New in Oracle Advanced Security?...................................................................... xxxvii
Part I Getting Started with Oracle Advanced Security
1 Introduction to Oracle Advanced Security
Security Challenges in an Enterprise Environment..................................................................... 1-1
Security in Enterprise Grid Computing Environments.......................................................... 1-2
Security in an Intranet or Internet Environment...................................................................... 1-2
Common Security Threats........................................................................................................... 1-3
Solving Security Challenges with Oracle Advanced Security................................................... 1-4
Data Encryption............................................................................................................................ 1-5
Strong Authentication.................................................................................................................. 1-8
Enterprise User Management................................................................................................... 1-13
Oracle Advanced Security Architecture....................................................................................... 1-15
Secure Data Transfer Across Network Protocol Boundaries.................................................... 1-16
System Requirements...................................................................................................................... 1-16
Oracle Advanced Security Restrictions........................................................................................ 1-17
2 Configuration and Administration Tools Overview
Network Encryption and Strong Authentication Configuration Tools.................................... 2-2
Oracle Net Manager ..................................................................................................................... 2-2
Oracle Advanced Security Kerberos Adapter Command-Line Utilities.............................. 2-5
Public Key Infrastructure Credentials Management Tools........................................................ 2-6
Oracle Wallet Manager ................................................................................................................ 2-6
orapki Utility ............................................................................................................................... 2-12
Enterprise User Security Configuration and Management Tools............................................ 2-13
Database Configuration Assistant............................................................................................ 2-13
Enterprise Security Manager and Enterprise Security Manager Console.......................... 2-14
Oracle Net Configuration Assistant......................................................................................... 2-32
User Migration Utility................................................................................................................ 2-33
Duties of a Security Administrator/DBA..................................................................................... 2-34
Duties of an Enterprise User Security Administrator/DBA ..................................................... 2-35
Part II Network Data Encryption and Integrity
3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
Oracle Advanced Security Encryption............................................................................................ 3-1
About Encryption ......................................................................................................................... 3-2
Advanced Encryption Standard................................................................................................. 3-2
DES Algorithm Support............................................................................................................... 3-2
Triple-DES Support ..................................................................................................................... 3-2
RSA RC4 Algorithm for High Speed Encryption..................................................................... 3-3
Oracle Advanced Security Data Integrity ...................................................................................... 3-3
Data Integrity Algorithms Supported ....................................................................................... 3-4
Diffie-Hellman Based Key Management ....................................................................................... 3-4
Authentication Key Fold-in......................................................................................................... 3-5
How To Configure Data Encryption and Integrity....................................................................... 3-5
About Activating Encryption and Integrity.............................................................................. 3-6
About Negotiating Encryption and Integrity........................................................................... 3-6
Setting the Encryption Seed (Optional)..................................................................................... 3-8
Configuring Encryption and Integrity Parameters Using Oracle Net Manager................. 3-9
4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients
About the Java Implementation....................................................................................................... 4-1
Java Database Connectivity Support......................................................................................... 4-1
Securing Thin JDBC...................................................................................................................... 4-2
Implementation Overview.......................................................................................................... 4-3
Obfuscation.................................................................................................................................... 4-3
Configuration Parameters.................................................................................................................. 4-4
Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT....................................... 4-4
Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT............ 4-5
Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT............................ 4-5
Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT .... 4-6
Part III Oracle Advanced Security Strong Authentication
5 Configuring RADIUS Authentication
RADIUS Overview............................................................................................................................. 5-1
RADIUS Authentication Modes...................................................................................................... 5-3
Synchronous Authentication Mode........................................................................................... 5-3
Challenge-Response (Asynchronous) Authentication Mode................................................. 5-5
Enabling RADIUS Authentication, Authorization, and Accounting....................................... 5-8
Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client.............. 5-9
Task 2: Configure RADIUS Authentication.............................................................................. 5-9
Task 3: Create a User and Grant Access.................................................................................. 5-17
Task 4: Configure External RADIUS Authorization (optional)........................................... 5-17
Task 5: Configure RADIUS Accounting.................................................................................. 5-19
Task 6: Add the RADIUS Client Name to the RADIUS Server Database.......................... 5-20
Task 7: Configure the Authentication Server for Use with RADIUS.................................. 5-20
Task 8: Configure the RADIUS Server for Use with the Authentication Server............... 5-20
Task 9: Configure Mapping Roles............................................................................................ 5-21
Using RADIUS to Log In to a Database....................................................................................... 5-22
RSA ACE/Server Configuration Checklist................................................................................... 5-22
6 Configuring Kerberos Authentication
Enabling Kerberos Authentication ................................................................................................. 6-2
Task 1: Install Kerberos................................................................................................................ 6-2
Task 2: Configure a Service Principal for an Oracle Database Server................................... 6-2
Task 3: Extract a Service Table from Kerberos ......................................................................... 6-3
Task 4: Install an Oracle Database Server and an Oracle Client............................................ 6-4
Task 5: Install Oracle Net Services and Oracle Advanced Security ...................................... 6-5
Task 6: Configure Oracle Net Services and Oracle Database................................................. 6-5
Task 7: Configure Kerberos Authentication ............................................................................. 6-5
Task 8: Create a Kerberos User................................................................................................. 6-10
Task 9: Create an Externally Authenticated Oracle User...................................................... 6-10
Task 10: Get an Initial Ticket for the Kerberos/Oracle User................................................ 6-11
Utilities for the Kerberos Authentication Adapter .................................................................... 6-11
Obtaining the Initial Ticket with the okinit Utility................................................................ 6-11
Displaying Credentials with the oklist Utility........................................................................ 6-12
Removing Credentials from the Cache File with the okdstry Utility ................................. 6-13
Connecting to an Oracle Database Server Authenticated by Kerberos.............................. 6-13
Configuring Interoperability with a Windows 2000 Domain Controller KDC.................... 6-13
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC ........ 6-14
Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client ........ 6-15
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC ........ 6-17
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User........................................... 6-17
Troubleshooting ................................................................................................................................ 6-18
7 Configuring Secure Sockets Layer Authentication
SSL and TLS in an Oracle Environment......................................................................................... 7-2
Difference between SSL and TLS................................................................................................ 7-2
About Using SSL........................................................................................................................... 7-3
How SSL Works in an Oracle Environment: The SSL Handshake........................................ 7-4
Public Key Infrastructure in an Oracle Environment.................................................................. 7-5
About Public Key Cryptography................................................................................................ 7-5
Public Key Infrastructure Components in an Oracle Environment...................................... 7-6
SSL Combined with Other Authentication Methods................................................................ 7-10
Architecture: Oracle Advanced Security and SSL ................................................................. 7-10
How SSL Works with Other Authentication Methods ......................................................... 7-10
SSL and Firewalls............................................................................................................................. 7-12
SSL Usage Issues............................................................................................................................... 7-14
Enabling SSL ..................................................................................................................................... 7-15
Task 1: Install Oracle Advanced Security and Related Products ........................................ 7-15
Task 2: Configure SSL on the Server........................................................................................ 7-15
Task 3: Configure SSL on the Client ........................................................................................ 7-23
Task 4: Log on to the Database................................................................................................. 7-31
Troubleshooting SSL........................................................................................................................ 7-31
Certificate Validation with Certificate Revocation Lists ........................................................... 7-35
What CRLs Should You Use? ................................................................................................... 7-35
How CRL Checking Works....................................................................................................... 7-36
Configuring Certificate Validation with Certificate Revocation Lists................................ 7-37
Certificate Revocation List Management................................................................................ 7-40
Troubleshooting Certificate Validation................................................................................... 7-45
Configuring Your System to Use Hardware Security Modules ............................................... 7-48
General Guidelines for Using Hardware Security Modules with Oracle Advanced Security ........ 7-48
Configuring Your System to Use nCipher Hardware Security Modules........................... 7-49
Troubleshooting Using Hardware Security Modules........................................................... 7-50
8 Using Oracle Wallet Manager
Oracle Wallet Manager Overview ................................................................................................... 8-2
Wallet Password Management................................................................................................... 8-2
Strong Wallet Encryption............................................................................................................ 8-3
Microsoft Windows Registry Wallet Storage ........................................................................... 8-3
Backward Compatibility.............................................................................................................. 8-3
Public-Key Cryptography Standards (PKCS) Support........................................................... 8-3
Multiple Certificate Support....................................................................................................... 8-4
LDAP Directory Support............................................................................................................. 8-7
Starting Oracle Wallet Manager....................................................................................................... 8-7
How To Create a Complete Wallet: Process Overview ................................................................ 8-8
Managing Wallets ............................................................................................................................... 8-9
Required Guidelines for Creating Wallet Passwords ............................................................. 8-9
Creating a New Wallet............................................................................................................... 8-10
Opening an Existing Wallet....................................................................................................... 8-13
Closing a Wallet.......................................................................................................................... 8-13
Importing Third-Party Wallets................................................................................................. 8-13
Exporting Oracle Wallets to Third-Party Environments ...................................................... 8-14
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12.................................... 8-14
Uploading a Wallet to an LDAP Directory............................................................................. 8-15
Downloading a Wallet from an LDAP Directory .................................................................. 8-16
Saving Changes........................................................................................................................... 8-17
Saving the Open Wallet to a New Location............................................................................ 8-17
Saving in System Default........................................................................................................... 8-17
Deleting the Wallet..................................................................................................................... 8-18
Changing the Password............................................................................................................. 8-18
Using Auto Login ....................................................................................................................... 8-19
Managing Certificates ...................................................................................................................... 8-20
Managing User Certificates....................................................................................................... 8-20
Managing Trusted Certificates ................................................................................................. 8-25
9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security
Connecting with User Name and Password.................................................................................. 9-1
Disabling Oracle Advanced Security Authentication................................................................. 9-2
Configuring Multiple Authentication Methods ........................................................................... 9-4
Configuring Oracle Database for External Authentication ....................................................... 9-5
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora................ 9-5
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE............................................... 9-5
Setting OS_AUTHENT_PREFIX to a Null Value..................................................................... 9-6
10 Configuring Oracle DCE Integration
Introduction to Oracle DCE Integration....................................................................................... 10-2
System Requirements................................................................................................................. 10-2
Backward Compatibility............................................................................................................ 10-2
Components of Oracle DCE Integration ................................................................................. 10-2
Flexible DCE Deployment......................................................................................................... 10-4
Release Limitations..................................................................................................................... 10-4
Configuring DCE for Oracle DCE Integration............................................................................ 10-5
Task 1: Create New Principals and Accounts......................................................................... 10-5
Task 2: Install the Key of the Server into a Keytab File......................................................... 10-6
Task 3: Configure DCE CDS for Use by Oracle DCE Integration ....................................... 10-6
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration......... 10-8
DCE Address Parameters.......................................................................................................... 10-8
Task 1: Configure the Server..................................................................................................... 10-9
Task 2: Create and Name Externally Authenticated Accounts.......................................... 10-10
Task 3: Set up DCE Integration External Roles.................................................................... 10-12
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases ........ 10-15
Task 5: Configure the Client ................................................................................................... 10-16
Task 6: Configure Clients to Use DCE CDS Naming.......................................................... 10-19
Connecting to an Oracle Database Server in the DCE Environment ................................... 10-23
Starting the Listener................................................................................................................. 10-23
Connecting to an Oracle Database by Using DCE Authentication for Single Sign-On.. 10-24
Connecting to an Oracle Database by Using Password Authentication.......................... 10-25
Connecting Clients Outside DCE to Oracle Servers in DCE................................................. 10-25
Sample Parameter Files............................................................................................................ 10-25
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible................................... 10-28
Part IV Enterprise User Security
11 Getting Started with Enterprise User Security
Introduction to Enterprise User Security..................................................................................... 11-2
The Challenges of User Management...................................................................................... 11-2
Enterprise User Security: The Big Picture............................................................................... 11-3
About Enterprise User Security Directory Entries............................................................... 11-11
About Using Shared Schemas for Enterprise User Security.................................................. 11-19
Overview of Shared Schemas Used in Enterprise User Security....................................... 11-19
How Shared Schemas Are Configured for Enterprise Users............................................. 11-20
How Enterprise Users Are Mapped to Schemas.................................................................. 11-20
About Using Current User Database Links for Enterprise User Security........................... 11-23
Enterprise User Security Deployment Considerations........................................................... 11-25
Security Aspects of Centralizing Security Credentials ....................................................... 11-25
Security of Password-Authenticated Enterprise User Database Login Information...... 11-26
Considerations for Defining Database Membership in Enterprise Domains.................. 11-27
Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security................................................................................ 11-28
12 Enterprise User Security Configuration Tasks and Troubleshooting
Enterprise User Security Configuration Overview..................................................................... 12-1
Enterprise User Security Configuration Roadmap..................................................................... 12-4
Preparing the Directory for Enterprise User Security................................................................ 12-5
Configuring Enterprise User Security Objects in the Database and the Directory ........... 12-11
Configuring Enterprise User Security for Password Authentication ................................... 12-16
Configuring Enterprise User Security for Kerberos Authentication .................................... 12-18
Configuring Enterprise User Security for SSL Authentication.............................................. 12-21
Viewing the Database DN in the Wallet and in the Directory........................................... 12-24
Enabling Current User Database Links...................................................................................... 12-25
Troubleshooting Enterprise User Security................................................................................. 12-26
ORA-# Errors for Password-Authenticated Enterprise Users............................................ 12-26
ORA-# Errors for Kerberos-Authenticated Enterprise Users............................................. 12-29
ORA-# Errors for SSL-Authenticated Enterprise Users ...................................................... 12-32
NO-GLOBAL-ROLES Checklist ............................................................................................. 12-33
USER-SCHEMA ERROR Checklist........................................................................................ 12-34
DOMAIN-READ-ERROR Checklist ...................................................................................... 12-35
13 Administering Enterprise User Security
Enterprise User Security Administration Tools Overview....................................................... 13-2
Administering Identity Management Realms ............................................................................ 13-3
Identity Management Realm Versions.................................................................................... 13-4
Setting Properties of an Identity Management Realm .......................................................... 13-5
Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes.................................................................................. 13-5
Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm ............................................................................................................................ 13-6
Managing Identity Management Realm Administrators...................................................... 13-7
Administering Enterprise Users..................................................................................................... 13-8
Creating New Enterprise Users................................................................................................ 13-9
Setting Enterprise User Passwords ........................................................................................ 13-10
Defining an Initial Enterprise Role Assignment .................................................................. 13-11
Browsing Users in the Directory ............................................................................................ 13-12
Administering Enterprise Domains............................................................................................ 13-15
Creating a New Enterprise Domain....................................................................................... 13-16
Defining Database Membership of an Enterprise Domain ................................................ 13-17
Managing Database Security Options for an Enterprise Domain..................................... 13-19
Managing Enterprise Domain Administrators .................................................................... 13-20
Managing Enterprise Domain Database Schema Mappings.............................................. 13-20
Managing Password Accessible Domains ............................................................................ 13-23
Managing Database Administrators...................................................................................... 13-25
Administering Enterprise Roles .................................................................................................. 13-27
Creating a New Enterprise Role............................................................................................. 13-27
Assigning Database Global Role Membership to an Enterprise Role............................... 13-28
Granting Enterprise Roles to Users........................................................................................ 13-31
Part V Appendixes
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File........................................................................................................................ A-1
Data Encryption and Integrity Parameters .................................................................................... A-3
Encryption and Integrity Parameters ........................................................................................ A-4
Seeding the Random Key Generator (Optional)...................................................................... A-8
B Authentication Parameters
Parameters for Clients and Servers using Kerberos Authentication........................................ B-1
Parameters for Clients and Servers using RADIUS Authentication........................................ B-2
sqlnet.ora File Parameters ........................................................................................................... B-2
Minimum RADIUS Parameters.................................................................................................. B-6
Initialization File Parameters...................................................................................................... B-7
Parameters for Clients and Servers using SSL.............................................................................. B-7
SSL Authentication Parameters.................................................................................................. B-7
Cipher Suite Parameters.............................................................................................................. B-8
SSL Version Parameters............................................................................................................... B-9
SSL Client Authentication Parameters .................................................................................... B-10
Wallet Location........................................................................................................................... B-12
C Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface........................................................... C-1
Customizing the RADIUS Challenge-Response User Interface............................................... C-2
D Oracle Advanced Security FIPS 140-1 Settings
Configuration Parameters................................................................................................................. D-1
Server Encryption Level Setting................................................................................................ D-2
Client Encryption Level Setting................................................................................................. D-2
Server Encryption Selection List................................................................................................ D-2
Client Encryption Selection List ................................................................................................ D-3
Cryptographic Seed Value.......................................................................................................... D-3
FIPS Parameter............................................................................................................................. D-3
Post Installation Checks ................................................................................................................... D-4
Status Information............................................................................................................................. D-4
Physical Security................................................................................................................................ D-5
E orapki Utility
orapki Utility Overview..................................................................................................................... E-2
orapki Utility Syntax .................................................................................................................... E-2
Creating Signed Certificates for Testing Purposes....................................................................... E-3
Managing Oracle Wallets with orapki Utility............................................................................... E-4
Creating and Viewing Oracle Wallets with orapki.................................................................. E-4
Adding Certificates and Certificate Requests to Oracle Wallets with orapki...................... E-5
Exporting Certificates and Certificate Requests from Oracle Wallets with orapki............. E-6
Managing Certificate Revocation Lists (CRLs) with orapki Utility.......................................... E-6
orapki Utility Commands Summary............................................................................................... E-7
orapki cert create........................................................................................................................... E-7
orapki cert display........................................................................................................................ E-8
orapki crl delete............................................................................................................................. E-8
orapki crl display.......................................................................................................................... E-9
orapki crl hash............................................................................................................................ E-10
orapki crl list............................................................................................................................... E-10
orapki crl upload........................................................................................................................ E-11
orapki wallet add....................................................................................................................... E-12
orapki wallet create.................................................................................................................... E-13
orapki wallet display.................................................................................................................. E-13
orapki wallet export................................................................................................................... E-13
F Entrust-Enabled SSL Authentication
Benefits of Entrust-Enabled Oracle Advanced Security.............................................................. F-2
Enhanced X.509-Based Authentication and Single Sign-On.................................................. F-2
Integration with Entrust Authority Key Management ........................................................... F-2
Integration with Entrust Authority Certificate Revocation.................................................... F-2
Required System Components for Entrust-Enabled Oracle Advanced Security................... F-3
Entrust Authority for Oracle....................................................................................................... F-3
Entrust Authority Server Login Feature ................................................................................... F-4
Entrust Authority IPSec Negotiator Toolkit............................................................................. F-5
Entrust Authentication Process........................................................................................................ F-5
Enabling Entrust Authentication..................................................................................................... F-6
Creating Entrust Profiles ............................................................................................................. F-6
Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ...... F-8
Configuring SSL on the Client and Server for Entrust-Enabled SSL.................................... F-8
Configuring Entrust on the Client ............................................................................................. F-8
Configuring Entrust on the Server............................................................................................. F-9
Creating Entrust-Enabled Database Users.............................................................................. F-12
Logging Into the Database Using Entrust-Enabled SSL ....................................................... F-12
Issues and Restrictions that Apply to Entrust-Enabled SSL................................................... F-12
Troubleshooting Entrust In Oracle Advanced Security............................................................ F-13
Error Messages Returned When Running Entrust on Any Platform ................................. F-13
Error Messages Returned When Running Entrust on Windows Platforms ...................... F-15
General Checklist for Running Entrust on Any Platform .................................................... F-17
G Using the User Migration Utility
Benefits of Migrating Local or External Users to Enterprise Users.......................................... G-1
Introduction to the User Migration Utility................................................................................... G-2
Bulk User Migration Process Overview................................................................................... G-3
About the ORCL_GLOBAL_USR_MIGRATION_DATA Table........................................... G-4
Migration Effects on Users' Old Database Schemas............................................................... G-6
Migration Process........................................................................................................................ G-7
Prerequisites for Performing Migration........................................................................................ G-8
Required Database Privileges .................................................................................................... G-8
Required Directory Privileges.................................................................................................... G-9
Required Setup to Run the User Migration Utility................................................................. G-9
User Migration Utility Command Line Syntax.......................................................................... G-10
Accessing Help for the User Migration Utility.......................................................................... G-11
User Migration Utility Parameters ............................................................................................... G-12
User Migration Utility Usage Examples...................................................................................... G-20
Migrating Users While Retaining Their Own Schemas ....................................................... G-20
Migrating Users and Mapping to a Shared Schema............................................................. G-21
Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters............... G-25
Troubleshooting Using the User Migration Utility................................................................... G-26
Common User Migration Utility Error Messages................................................................. G-26
Common User Migration Utility Log Messages ................................................................... G-32
Summary of User Migration Utility Error and Log Messages............................................ G-34
Glossary
Index

List of Figures

1–1 Encryption .............................................................................................................................. 1-5
1–2 Strong Authentication with Oracle Authentication Adapters........................................ 1-8
1–3 How a Network Authentication Service Authenticates a User...................................... 1-9
1–4 Centralized User Management with Enterprise User Security..................................... 1-13
1–5 Oracle Advanced Security in an Oracle Networking Environment ............................ 1-15
1–6 Oracle Net with Authentication Adapters....................................................................... 1-16
2–1 Oracle Advanced Security Profile in Oracle Net Manager.............................................. 2-4
2–2 Oracle Wallet Manager User Interface ............................................................................... 2-7
2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane .... 2-9
2–4 Directory Server Login Window....................................................................................... 2-17
2–5 Enterprise Security Manager User Interface.................................................................... 2-18
2–6 Enterprise Security Manager Databases Tabbed Window............................................ 2-20
2–7 Enterprise Security Manager Console Login Page ......................................................... 2-23
2–8 ESM Console URL Window............................................................................................... 2-24
2–9 Enterprise Security Manager Console User Interface .................................................... 2-25
2–10 Enterprise Security Manager Console Users Subtab...................................................... 2-26
2–11 Enterprise Security Manager Console Group Subtab .................................................... 2-28
2–12 Enterprise Security Manager Console Edit Group Page................................................ 2-29
2–13 Enterprise Security Manager Console Realm Configuration Tabbed Window......... 2-30
2–14 Opening Page of Oracle Net Configuration Assistant................................................... 2-33
3–1 Oracle Advanced Security Encryption Window............................................................. 3-10
3–2 Oracle Advanced Security Integrity Window................................................................. 3-12
5–1 RADIUS in an Oracle Environment.................................................................................... 5-2
5–2 Synchronous Authentication Sequence.............................................................................. 5-4
5–3 Asynchronous Authentication Sequence........................................................................... 5-6
5–4 Oracle Advanced Security Authentication Window...................................................... 5-10
5–5 Oracle Advanced Security Other Params Window........................................................ 5-12
6–1 Oracle Advanced Security Authentication Window (Kerberos).................................... 6-6
6–2 Oracle Advanced Security Other Params Window (Kerberos)...................................... 6-7
7–1 SSL in Relation to Other Authentication Methods......................................................... 7-11
7–2 SSL Cipher Suites Window................................................................................................ 7-19
7–3 Oracle Advanced Security SSL Window (Server)........................................................... 7-20
7–4 Oracle Advanced Security SSL Window (Server)........................................................... 7-22
7–5 Oracle Advanced Security SSL Window (Client) ........................................................... 7-26
7–6 Oracle Advanced Security SSL Window (Client) ........................................................... 7-29
7–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected ................................................................................................................................................ 7-38
9–1 Oracle Advanced Security Authentication Window........................................................ 9-3
11–1 Enterprise User Security and the Oracle Security Architecture ................................... 11-4
11–2 Example of Enterprise Roles............................................................................................ 11-13
11–3 Related Entries in a Realm Oracle Context.................................................................... 11-16
12–1 Enterprise User Security Configuration Flow Chart...................................................... 12-3
13–1 Enterprise Security Manager Console Home Page ........................................................ 13-9
13–2 Enterprise Security Manager Console Edit User Window: Basic Information ........ 13-10
13–3 Enterprise Security Manager: Add Enterprise Roles Window................................... 13-12
13–4 Enterprise Security Manager: Main Window (All Users Tab).................................... 13-13
13–5 Enterprise Security Manager: Create Enterprise Domain Window........................... 13-16
13–6 Enterprise Security Manager: Databases Tab (Database Membership) .................... 13-17
13–7 Enterprise Security Manager: Add Databases Window.............................................. 13-18
13–8 Enterprise Security Manager: Database Schema Mappings Tab................................ 13-21
13–9 Enterprise Security Manager: Add Database Schema Mappings Window.............. 13-22
13–10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box..... 13-24
13–11 Enterprise Security Manager: Create Enterprise Role Window................................. 13-27
13–12 Enterprise Security Manager: Database Global Roles Tab.......................................... 13-29
13–13 Enterprise Security Manager: Database Authentication Required Window............ 13-30
13–14 Enterprise Security Manager: Add Enterprise Users Window .................................. 13-31
F–1 Entrust Authentication Process........................................................................................... F-6

List of Tables

1–1 Authentication Methods and System Requirements ..................................................... 1-17
2–1 Oracle Wallet Manager Navigator Pane Objects ............................................................. 2-8
2–2 Oracle Wallet Manager Toolbar Buttons ........................................................................ 2-10
2–3 Oracle Wallet Manager Wallet Menu Options............................................................... 2-10
2–4 Oracle Wallet Manager Operations Menu Options....................................................... 2-11
2–5 Oracle Wallet Manager Help Menu Options ................................................................. 2-12
2–6 Enterprise User Security Tools Summary........................................................................ 2-13
2–7 Enterprise Security Manager Authentication Methods................................................ 2-17
2–8 Enterprise Security Manager Navigator Pane Folders ................................................. 2-19
2–9 Enterprise Security Manager File Menu Options.......................................................... 2-21
2–10 Enterprise Security Manager Operations Menu Options............................................. 2-21
2–11 Enterprise Security Manager Help Menu Options........................................................ 2-21
2–12 Enterprise Security Manager Console User Subtab Buttons........................................ 2-27
2–13 Realm Configuration Tabbed Window Fields ............................................................... 2-30
2–14 Common Security Administrator/DBA Configuration and Administrative Tasks. 2-34
2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks...................................................................................................................................... 2-36
3–1 Encryption and Data Integrity Negotiations..................................................................... 3-8
3–2 Valid Encryption Algorithms............................................................................................ 3-11
3–3 Valid Integrity Algorithms................................................................................................. 3-13
4–1 ORACLE.NET.ENCRYPTION_CLIENT Parameter Attributes ..................................... 4-4
4–2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ....................... 4-5
4–3 ORACLE.NET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes ...................... 4-5
4–4 ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes........... 4-6
5–1 RADIUS Authentication Components.............................................................................. 5-3
5–2 RADIUS Configuration Parameters ................................................................................. 5-21
6–1 Options for the okinit Utility ............................................................................................ 6-11
6–2 Options for the oklist Utility............................................................................................. 6-12
7–1 Oracle Advanced Security Cipher Suites........................................................................ 7-18
8–1 KeyUsage Values................................................................................................................... 8-5
8–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet...................... 8-5
8–3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet ................ 8-6
8–4 PKI Wallet Encoding Standards........................................................................................ 8-15
8–5 Certificate Request: Fields and Descriptions.................................................................. 8-21
8–6 Available Key Sizes............................................................................................................. 8-22
10–1 DCE Address Parameters and Definitions ..................................................................... 10-8
10–2 Setting Up External Role Syntax Components.............................................................. 10-13
11–1 Enterprise User Security Authentication: Selection Criteria....................................... 11-10
11–2 Administrative Groups in a Realm Oracle Context .................................................... 11-18
11–3 Enterprise User Security: Supported Authentication Types for Connections between Clients, Databases, and Directories ................................................................................. 11-28
13–1 Identity Management Realm Properties .......................................................................... 13-5
13–2 Enterprise User Security Identity Management Realm Administrators ..................... 13-7
13–3 Directory Search Criteria.................................................................................................. 13-14
13–4 Enterprise Security Manager Database Security Options............................................ 13-19
A–1 Algorithm Type Selection..................................................................................................... A-3
A–2 SQLNET.ENCRYPTION_SERVER Parameter Attributes............................................... A-4
A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes ............................................... A-5
A–4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes................................ A-5
A–5 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes................................. A-5
A–6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes................................. A-6
A–7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ................................. A-7
A–8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes.................. A-8
A–9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes .................. A-8
B–1 Kerberos Authentication Parameters................................................................................. B-1
B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes ............................... B-2
B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes.................................... B-2
B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes....................... B-3
B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes............... B-3
B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes.................. B-3
B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes................................ B-4
B–8 SQLNET.RADIUS_SECRET Parameter Attributes........................................................... B-4
B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes................................................. B-4
B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes .................................... B-4
B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes ............................ B-5
B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes............................... B-5
B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes ......................... B-5
B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes ......................... B-6
B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes........... B-6
B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes.................................................. B-6
B–17 Wallet Location Parameters .............................................................................................. B-12
C–1 Server Encryption Level Setting......................................................................................... C-2
D–1 Sample Output from v$session_connect_info.................................................................. D-4
G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema....................................... G-5
G–2 Interface Table Column Values That Can Be Modified between Phase One and Phase Two ......................... G-6
G–3 Effects of Choosing Shared Schema Mapping with CASCADE Options..................... G-7
G–4 Alphabetical Listing of User Migration Utility Error Messages................................. G-34
G–5 Alphabetical Listing of User Migration Utility Log Messages .................................... G-35

Send Us Your Comments

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most?
If you find any errors or have any other suggestions for improvement, please indicate the document title and part number, and the chapter, section, and page number (if available). You can send comments to us in the following ways:
Electronic mail: infodev_us@oracle.com
FAX: (650) 506-7227 Attn: Server Technologies Documentation Manager
Postal service:
Oracle Corporation Server Technologies Documentation 500 Oracle Parkway, Mailstop 4op11 Redwood Shores, CA 94065 USA
If you would like a reply, please give your name, address, telephone number, and (optionally) electronic mail address.
If you have problems with the software, please contact your local Oracle Support Services.

Preface

Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security.
Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.
The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
Audience
Organization
Related Documentation
Conventions
Documentation Accessibility

Audience

The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including:
Implementation consultants
System administrators
Security administrators
Database administrators (DBAs)

Organization

This document contains the following chapters:
Part I, "Getting Started with Oracle Advanced Security"
Chapter 1, "Introduction to Oracle Advanced Security"
This chapter provides an overview of Oracle Advanced Security features provided with this release.
Chapter 2, "Configuration and Administration Tools Overview"
This chapter provides an introduction and overview of Oracle Advanced Security GUI and command-line tools.
Part II, "Network Data Encryption and Integrity"
Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients"
This chapter describes how to configure data encryption and integrity within an existing Oracle Net Services 10g Release 1 (10.1) network.
Chapter 4, "Configuring Network Data Encryption and Integrity for Thin JDBC Clients"
This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.
Part III, "Oracle Advanced Security Strong Authentication"
Chapter 5, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.
Chapter 6, "Configuring Kerberos Authentication"
This chapter describes how to configure Oracle for use with MIT Kerberos and provides a brief overview of steps to configure Kerberos to authenticate Oracle users. It also includes a brief section that discusses interoperability between the Oracle Advanced Security Kerberos adapter and a Microsoft KDC.
Chapter 7, "Configuring Secure Sockets Layer Authentication"
This chapter describes how Oracle Advanced Security supports a public key infrastructure (PKI). It includes a discussion of configuring and using the Secure Sockets Layer (SSL), certificate validation, and hardware security module support features of Oracle Advanced Security.
Chapter 8, "Using Oracle Wallet Manager"
This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.
Chapter 9, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security"
This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to use conventional user name and password authentication. It also describes how to configure the network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.
Chapter 10, "Configuring Oracle DCE Integration"
This chapter provides a brief discussion of Open Software Foundation (OSF) DCE and Oracle DCE Integration, including what you need to do to configure DCE to use Oracle DCE Integration, how to configure the DCE CDS naming adapter, DCE parameters, and how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP.
Part IV, "Enterprise User Security"
Chapter 11, "Getting Started with Enterprise User Security"
This chapter describes the Oracle LDAP directory and database integration that enables you to store and manage users' authentication information in Oracle Internet Directory. This feature makes identity management services available to Oracle databases, which provides single sign-on to users (users can authenticate themselves to the database once and subsequent authentications occur transparently). It describes the components and provides an overview of how Enterprise User Security works.
Chapter 12, "Enterprise User Security Configuration Tasks and Troubleshooting"
This chapter explains how to configure Enterprise User Security, providing a configuration steps roadmap and the tasks required to configure password-, SSL-, and Kerberos-based Enterprise User Security authentication.
Chapter 13, "Administering Enterprise User Security"
This chapter describes how to use the Enterprise Security Manager to define directory identity management realm properties and to manage enterprise users, enterprise domains, and enterprise roles.
Part V, "Appendixes"
Appendix A, "Data Encryption and Integrity Parameters"
This appendix describes Oracle Advanced Security data encryption and integrity configuration parameters.
Appendix B, "Authentication Parameters"
This appendix describes Oracle Advanced Security authentication configuration file parameters.
Appendix C, "Integrating Authentication Devices Using RADIUS"
This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.
Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"
This appendix describes the sqlnet.ora configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration.
Appendix E, "orapki Utility"
This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certificate revocation lists (CRLs). You can also use this utility to create and manage Oracle wallets; create certificate requests, signed certificates, and user certificates for testing purposes; and to export certificates and certificate requests from Oracle wallets.
Appendix F, "Entrust-Enabled SSL Authentication"
This appendix describes how to configure and use Entrust-enabled Oracle Advanced Security for Secure Sockets Layer (SSL) authentication.
Appendix G, "Using the User Migration Utility"
This appendix describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It provides utility syntax, prerequisites, and usage examples.
Glossary

Related Documentation

For more information, see these Oracle resources:
Oracle Net Services Administrator's Guide
Oracle Database Heterogeneous Connectivity Administrator's Guide
Oracle Database JDBC Developer's Guide and Reference
Oracle Internet Directory Administrator's Guide
Oracle Database Administrator's Guide
Oracle Database Security Guide
Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.
Printed documentation is available for sale in the Oracle Store at
http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at
http://otn.oracle.com/membership/
If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at
http://otn.oracle.com/documentation/
For information from third-party vendors, see:
ACE/Server Administration Manual, from Security Dynamics
ACE/Server Client for UNIX, from Security Dynamics
ACE/Server Installation Manual, from Security Dynamics
RADIUS Administrator's Guide
Notes about building and installing Kerberos from Kerberos version 5 source distribution
Entrust/PKI for Oracle
Administering Entrust/PKI on UNIX
Transarc DCE User's Guide and Reference
Transarc DCE Application Development Guide
Transarc DCE Application Development Reference
Transarc DCE Administration Guide
Transarc DCE Administration Reference
Transarc DCE Porting and Testing Guide
Application Environment Specification/Distributed Computing
Transarc DCE Technical Supplement
For conceptual information about the network security technologies supported by Oracle Advanced Security, you can refer to the following third-party publications:
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. New York: John Wiley & Sons, 1996.
SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John Wiley & Sons, 2000.
Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D., Mark C. Smith, and Gordon S. Good. Indianapolis: New Riders Publishing, 1999.
Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New Riders Publishing, 1999.

Conventions

This section describes the conventions used in the text and code examples of this documentation set. It describes:
Conventions in Text
Conventions in Code Examples
Conventions for Windows Operating Systems
Conventions in Text
We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.
Convention: Bold
Meaning: Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both.
Example: When you specify this clause, you create an index-organized table.

Convention: Italics
Meaning: Italic typeface indicates book titles or emphasis.
Example: Oracle Database Concepts
Ensure that the recovery catalog and target database do not reside on the same disk.

Convention: UPPERCASE monospace (fixed-width) font
Meaning: Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles.
Example: You can specify this clause only for a NUMBER column.
You can back up the database by using the BACKUP command.
Query the TABLE_NAME column in the USER_TABLES data dictionary view.
Use the DBMS_STATS.GENERATE_STATS procedure.

Convention: lowercase monospace (fixed-width) font
Meaning: Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.
Example: Enter sqlplus to open SQL*Plus.
The password is specified in the orapwd file.
Back up the datafiles and control files in the /disk1/oracle/dbs directory.
The department_id, department_name, and location_id columns are in the hr.departments table.
Set the QUERY_REWRITE_ENABLED initialization parameter to true.
Connect as oe user.
The JRepUtil class implements these methods.

Convention: lowercase italic monospace (fixed-width) font
Meaning: Lowercase italic monospace font represents placeholders or variables.
Example: You can specify the parallel_clause.
Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.
Conventions in Code Examples
Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:
SELECT username FROM dba_users WHERE username = 'MIGRATE';
The following table describes typographic conventions used in code examples and provides examples of their use.
Convention: [ ]
Meaning: Brackets enclose one or more optional items. Do not enter the brackets.
Example: DECIMAL (digits [ , precision ])

Convention: { }
Meaning: Braces enclose two or more items, one of which is required. Do not enter the braces.
Example: {ENABLE | DISABLE}

Convention: |
Meaning: A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.
Example: {ENABLE | DISABLE} [COMPRESS | NOCOMPRESS]

Convention: ...
Meaning: Horizontal ellipsis points indicate either:
That we have omitted parts of the code that are not directly related to the example
That you can repeat a portion of the code
Example: CREATE TABLE ... AS subquery;
SELECT col1, col2, ... , coln FROM employees;

Convention: . . . (vertical)
Meaning: Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.
Example:
SQL> SELECT NAME FROM V$DATAFILE;
NAME
------------------------------------
/fsl/dbs/tbs_01.dbf
/fs1/dbs/tbs_02.dbf
. . .
/fsl/dbs/tbs_09.dbf
9 rows selected.

Convention: Other notation
Meaning: You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.
Example: acctbal NUMBER(11,2);
acct CONSTANT NUMBER(4) := 3;

Convention: Italics
Meaning: Italicized text indicates placeholders or variables for which you must supply particular values.
Example: CONNECT SYSTEM/system_password
DB_NAME = database_name

Convention: UPPERCASE
Meaning: Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.
Example: SELECT last_name, employee_id FROM employees;
SELECT * FROM USER_TABLES;
DROP TABLE hr.employees;

Convention: lowercase
Meaning: Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.
Example: SELECT last_name, employee_id FROM employees;
sqlplus hr/hr
CREATE USER mjones IDENTIFIED BY ty3MU9;
Conventions for Windows Operating Systems
The following table describes conventions for Windows operating systems and provides examples of their use.
Convention: Choose Start >
Meaning: How to start a program.
Example: To start the Database Configuration Assistant, choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Database Configuration Assistant.

Convention: File and directory names
Meaning: File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator, even when it appears in quotes. If the file name begins with \\, then Windows assumes it uses the Universal Naming Convention.
Example: c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32

Convention: C:\>
Meaning: Represents the Windows command prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reflects the subdirectory in which you are working. Referred to as the command prompt in this manual.
Example: C:\oracle\oradata>

Convention: Special characters
Meaning: The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters.
Example: C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\"
C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)

Convention: HOME_NAME
Meaning: Represents the Oracle home name. The home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore.
Example: C:\> net start OracleHOME_NAMETNSListener

Convention: ORACLE_HOME and ORACLE_BASE
Meaning: In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows NT, the default location was C:\orant.
This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level ORACLE_HOME directory. There is a top level directory called ORACLE_BASE that by default is C:\oracle. If you install the latest Oracle release on a computer with no other Oracle software installed, then the default setting for the first Oracle home directory is C:\oracle\orann, where nn is the latest release number. The Oracle home directory is located directly under ORACLE_BASE.
All directory path examples in this guide follow OFA conventions.
Refer to Oracle Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories.
Example: Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

What's New in Oracle Advanced Security?

This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.
The following sections describe the new features in Oracle Advanced Security:
Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security
Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Oracle Advanced Security 10g Release 1 (10.1) includes new features in the following areas:
New Features in Strong Authentication
New Features in Enterprise User Security
New Features in Strong Authentication
Oracle Advanced Security provides several strong authentication options, including support for RADIUS, Kerberos, and PKI (public key infrastructure). This release provides the following new features for strong authentication:
Support for TLS (Transport Layer Security), version 1.0
TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager.
See Also: Chapter 7, "Configuring Secure Sockets Layer Authentication" for configuration details
Support for Hardware Security Modules, including Oracle Wallet Manager Integration
In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a hardware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.
Hardware security modules can be used for the following functions:
– Store cryptographic information, such as private keys, which provides stronger security
– Perform cryptographic operations to offload RSA operations from the server, freeing the CPU to respond to other transactions
See Also:
"Configuring Your System to Use Hardware Security Modules" on page 7-48 for configuration details
"Creating a Wallet to Store Hardware Security Module Credentials" on page 8-11
CRL (Certificate Revocation Lists) and CRLDP (CRL Distribution Point) Support for Certificate Validation
In the current release, you now have the option to configure certificate revocation status checking for both the client and the server. Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. The orapki utility has also been added for CRL management and for managing Oracle wallets and certificates.
See Also:
"Certificate Validation with Certificate Revocation Lists" on page 7-35 for details
Appendix E, "orapki Utility" for details about the orapki command line utility
New Features in Enterprise User Security
Kerberos Authenticated Enterprise Users
Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directory users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPrincipalName attribute).
See Also: "Configuring Enterprise User Security for Kerberos Authentication" on page 12-18 for configuration details
Public Key Infrastructure (PKI) Credentials No Longer Required for Database-to-Oracle Internet Directory Connections
In this release, a database can bind to Oracle Internet Directory by using password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and multiple databases. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.
See Also: "Configuring Enterprise User Security for Password Authentication" on page 12-16 for configuration details
Support for User Management in Third-Party LDAP Directories
In the current release of Enterprise User Security, you can store and manage your users and their passwords in third-party LDAP directories. This feature is made possible with
Directory Integration Platform, which automatically synchronizes third-party directories with Oracle Internet Directory, and
Oracle Database recognition of standard password verifiers, which is also new in this release.
Tool Changes
New Tool: Enterprise Security Manager Console
The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release. Administrators can use this tool to create enterprise users, enterprise user security groups, and to configure identity management realm attributes in the directory that relate to Enterprise User Security.
In this release, Oracle Enterprise Login Assistant functionality has been migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:
If you used Oracle Enterprise Login Assistant to... / Then now you should use...
Change the directory-to-database password / Enterprise Security Manager Console
Change an Oracle wallet password / Oracle Wallet Manager
Enable auto login for an Oracle wallet / Oracle Wallet Manager
See Also: The following sections for information about Enterprise Security Manager Console and how to use it:
"Enterprise Security Manager Console Overview" on page 2-22, which provides a brief introduction to the tool.
Chapter 13, "Administering Enterprise User Security", which provides procedural information for using the tool to manage enterprise users.

Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

The new features for Oracle Advanced Security in release 2 (9.2) include the following:
Support for Advanced Encryption Standard (AES)
AES is a new cryptographic algorithm standard developed to replace Data Encryption Standard (DES).
See Also:
"Advanced Encryption Standard" on page 1-6 for a brief overview of this encryption algorithm
Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" for configuration details
SSL Hardware Accelerator Support
In release 2 (9.2), complex public key cryptographic operations can be offloaded to hardware accelerators to improve the performance of SSL transactions.
See Also: "Configuring Your System to Use Hardware Security Modules" on page 7-48 for configuration details
New Enterprise User Security Tool: User Migration Utility
This utility enables administrators to perform bulk migrations of database users to Oracle Internet Directory for centralized user storage and management.
See Also: Appendix G, "Using the User Migration Utility" for information about this tool and how to use it.
Part I
Getting Started with Oracle Advanced Security
This part introduces Oracle Advanced Security, describing the security solutions it provides, its features, and its tools. It contains the following chapters:
Chapter 1, "Introduction to Oracle Advanced Security"
Chapter 2, "Configuration and Administration Tools Overview"

1 Introduction to Oracle Advanced Security

This chapter introduces Oracle Advanced Security, summarizing the security risks it addresses, and describing its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure.
This chapter contains the following topics:
Security Challenges in an Enterprise Environment
Solving Security Challenges with Oracle Advanced Security
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Advanced Security Restrictions

Security Challenges in an Enterprise Environment

To increase efficiency and lower costs, companies adopt strategies to automate business processes. One such strategy is to conduct more business on the Web, but that requires greater computing power, translating to higher IT costs. In response to rising IT costs, more and more businesses are considering enterprise grid computing architectures where inexpensive computers act as one powerful machine. While such strategies improve the bottom line, they introduce risks, which are associated with securing data in motion and managing an ever increasing number of user identities.
This section examines the security challenges of today's enterprise computing environments in the following topics:
Security in Enterprise Grid Computing Environments
Security in an Intranet or Internet Environment
Common Security Threats
Security in Enterprise Grid Computing Environments
Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer. It provides flexibility, lower costs, and IT investment protection because inexpensive, off-the-shelf components can be added to the grid as business needs change. While providing significant benefits, grid computing environments present unique security requirements because their computing resources are distributed and often heterogeneous. The following sections discuss these requirements.
Distributed Environment Security Requirements
Enterprise grid computing pools distributed business computing resources to cost effectively harness the power of clustered servers and storage. A distributed environment requires secure network connections. Even more critical in grid environments, it is necessary to have a uniform definition of "who is a user" and "what are they allowed to do." Without such uniform definitions, administrators frequently must assign, manage, and revoke authorizations for every user on different software applications to protect employee, customer, and partner information. This is expensive because it takes time, which drives up costs. Consequently, the cost savings gained with grid computing are lost.
Heterogeneous Environment Security Requirements
Because grid computing environments often grow as business needs change, computing resources are added over time, resulting in diverse collections of hardware and software. Such heterogeneous environments require support for different types of authentication mechanisms which adhere to industry standards. Without strict adherence to industry standards, integrating heterogeneous components becomes costly and time consuming. Once again the benefits of grid computing are squandered when the appropriate infrastructure is not present.
Security in an Intranet or Internet Environment
Oracle databases power the largest and most popular Web sites on the Internet. In record numbers, organizations throughout the world are deploying distributed databases and client/server applications based on Oracle Database and Oracle Net Services. This proliferation of distributed computing is matched by an increase in the amount of information that organizations place on computers. Employee and financial records, customer orders, product information, and other sensitive data have moved from filing cabinets to file structures. The volume of sensitive information on the Web has thus increased the value of data that can be compromised.
Common Security Threats
The increased volume of data in distributed, heterogeneous environments exposes users to a variety of security threats, including the following:
Eavesdropping and Data Theft
Data Tampering
Falsifying User Identities
Password-Related Threats
Eavesdropping and Data Theft
Over the Internet and in wide area network environments, both public carriers and private networks route portions of their network through insecure land lines, vulnerable microwave and satellite links, or a number of servers—exposing valuable data to interested third parties. In local area network environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them, and network sniffers can be installed to eavesdrop on network traffic.
Data Tampering
Distributed environments bring with them the possibility that a malicious third party can compromise integrity by tampering with data as it moves between sites.
Falsifying User Identities
In a distributed environment, it is more feasible for a user to falsify an identity to gain access to sensitive information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat?
Moreover, in distributed environments, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and re-routed to a terminal masquerading as Server B.
Password-Related Threats
In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing configurations.
Users typically respond to the problem of managing multiple passwords in several ways:
They may select easy-to-guess passwords—such as a name, fictional character, or a word found in a dictionary. All of these passwords are vulnerable to dictionary attacks.
They may also choose to standardize passwords so that they are the same on all machines or web sites. This results in a potentially large exposure in the event of a compromised password. They can also use passwords with slight variations that can be easily derived from known passwords.
Users with complex passwords may write them down where an attacker can easily find them, or they may just forget them—requiring costly administration and support efforts.
All of these strategies compromise password secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, and expensive.
Solving Security Challenges with Oracle Advanced Security
To solve enterprise computing security problems, Oracle Advanced Security provides industry standards-based data privacy, integrity, authentication, single sign-on, and access authorization in a variety of ways. For example, you can configure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentication methods, including Kerberos, smart cards, and digital certificates.
Oracle Advanced Security provides the following security features:
Data Encryption
Strong Authentication
Enterprise User Management
Data Encryption
Sensitive information that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that can be deciphered with a decryption key.
Figure 1–1 shows how encryption works to ensure the security of a transaction. For example, if a manager approves a bonus, this data should be encrypted when sent over the network to avoid eavesdropping. If all communication between the client, the database, and the application server is encrypted, then when the manager sends the bonus amount to the database, it is protected.
Figure 1–1 Encryption
[Figure 1–1: an Oracle client, an Oracle database, and an Oracle application server connected over the Internet exchange encrypted data packets, so an observer on the network sees only ciphertext.]
This section discusses the following topics:
Supported Encryption Algorithms
Data Integrity
Federal Information Processing Standard
Supported Encryption Algorithms
Oracle Advanced Security provides the following encryption algorithms to protect the privacy of network data transmissions:
RC4 Encryption
DES Encryption
Triple-DES Encryption
Advanced Encryption Standard
Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers.
Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. 10g Release 1 (10.1) contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release.
Note: The U.S. government has relaxed its export guidelines for encryption products. Accordingly, Oracle can ship Oracle Advanced Security with its strongest encryption features to all of its customers.
RC4 Encryption The RC4 encryption module uses the RSA Security, Inc., RC4 encryption algorithm. Using a secret, randomly-generated key unique to each session, all network traffic is fully safeguarded—including all data values, SQL statements, and stored procedure calls and results. The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40-bits, 56-bits, 128-bits, and 256-bits.
DES Encryption Oracle Advanced Security implements the U.S. Data Encryption Standard algorithm (DES) with a standard, optimized 56-bit key encryption algorithm, and also provides DES40, a 40-bit version, for backward compatibility.
Triple-DES Encryption Oracle Advanced Security also supports Triple-DES encryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty. The magnitude of the penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block as compared with the standard DES algorithm.
3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode.
Advanced Encryption Standard Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.
See Also:
Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients"
Appendix A, "Data Encryption and Integrity Parameters"
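As an added example (not text from the manual), the following server-side sqlnet.ora fragment contrasts a weak selection with a corrected one. The parameter names and algorithm identifiers are those documented in Appendix A, "Data Encryption and Integrity Parameters", which this chapter references but does not reproduce, so treat them as assumptions to verify against that appendix.

```ini
# Weak: 40-bit ciphers kept only for backward compatibility, encryption merely
# requested (a client that rejects it still connects in the clear), and
# integrity checksums refused outright.
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES40)
SQLNET.CRYPTO_CHECKSUM_SERVER = rejected

# Corrected: encryption and checksumming are required, the negotiable
# algorithms are limited to AES-256 (3DES168 as a fallback for older clients)
# and SHA-1. A client configured to reject encryption can no longer connect,
# which is the intended outcome rather than a silent downgrade.
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
```

The client-side counterparts carry the same names with _CLIENT in place of _SERVER; set both sides to required when a failed negotiation must refuse the connection rather than fall back.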
Data Integrity
To ensure the integrity of data packets during transmission, Oracle Advanced Security can generate a cryptographically secure message digest—using MD5 or SHA-1 hashing algorithms—and include it with each message sent across a network.
Data integrity algorithms add little overhead, and protect against the following attacks:
Data modification
Deleted packets
Replay attacks
Note: SHA-1 is slightly slower than MD5, but produces a larger message digest, making it more secure against brute-force collision and inversion attacks.
See Also: Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients", for information about MD5 and SHA-1.
Federal Information Processing Standard
Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This provides independent confirmation that Oracle Advanced Security conforms to federal government standards. FIPS configuration settings are described by Appendix D, "Oracle Advanced Security FIPS 140-1 Settings".
Strong Authentication
Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates.
Figure 1–2 shows user authentication with an Oracle database configured to use a third-party authentication server. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of network nodes falsifying their identities.
Figure 1–2 Strong Authentication with Oracle Authentication Adapters
[Figure 1–2: a client, an authentication server, and a database connected over an intranet.]
This section contains the following topics:
Centralized Authentication and Single Sign-On
Supported Authentication Methods
Centralized Authentication and Single Sign-On
Centralized authentication also provides the benefit of single sign-on (SSO) for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to log on once and can then automatically connect to any other service without having to give a username and password again. Single sign-on eliminates the need for the user to remember and administer multiple passwords, reducing the time spent logging into multiple services.
How Centralized Network Authentication Works Figure 1–3 shows how a centralized network authentication service typically operates:
Figure 1–3 How a Network Authentication Service Authenticates a User
[Figure 1–3: the user, the authentication server, and the Oracle server exchange messages numbered 1 through 6, corresponding to the steps below.]
1. A user (client) requests authentication services and provides identifying information, such as a token or password.
2. The authentication server validates the user's identity and passes a ticket or credentials back to the client, which may include an expiration time.
3. The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database.
4. The server sends the credentials back to the authentication server for authentication.
5. If the authentication server accepts the credentials, then it notifies the Oracle Server, and the user is authenticated.
6. If the authentication server does not accept the credentials, then authentication fails, and the service request is denied.
Supported Authentication Methods
Oracle Advanced Security supports the following industry-standard authentication methods:
Kerberos
RADIUS (Remote Authentication Dial-In User Service)
DCE (Distributed Computing Environment)
Secure Sockets Layer (with digital certificates)
Entrust/PKI
Kerberos Oracle Advanced Security support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server. See Chapter 6, "Configuring Kerberos Authentication" for information about configuring and using this adapter.
Note: Oracle authentication for Kerberos provides database link authentication (also called proxy authentication). Kerberos is also an authentication method that is supported with Enterprise User Security.
RADIUS (Remote Authentication Dial-In User Service) RADIUS is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RADIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. See Chapter 5, "Configuring RADIUS Authentication" for information about configuring and using this adapter.
Smart Cards
A RADIUS-compliant smart card is a credit card-like hardware device. It has memory and a processor and is read by a smart card reader located at the client workstation.
Token Cards
Token cards (SecurID or RADIUS-compliant) can improve ease of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into a token card. The token card provides a response (another number cryptographically derived from the challenge) that the user enters and sends to the server.
You can use SecurID tokens through the RADIUS adapter.
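The six-step flow under "How Centralized Network Authentication Works" and the challenge-response token card just described fit together in one model. The following Python is an added illustration, not Oracle's, Kerberos's or any token vendor's implementation: a challenge-response token supplies the identifying information in step 1, the authentication server issues a signed ticket with an expiration time (step 2), and the Oracle server hands the ticket back for validation before accepting or denying the connection (steps 3 to 6). The ticket format, lifetime, response scheme and seed are all constructed for the example.

```python
import hashlib
import hmac
import secrets

TICKET_LIFETIME = 300   # seconds a ticket stays valid (constructed value)
RESPONSE_DIGITS = 8     # the token card shows the response as a number


def token_response(seed: bytes, challenge: int) -> str:
    """What a challenge-response token card computes: a number derived
    cryptographically from the challenge and the card's secret seed
    (HMAC-SHA1 truncated to RESPONSE_DIGITS digits; a constructed scheme)."""
    mac = hmac.new(seed, str(challenge).encode(), hashlib.sha1).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS
    return str(value).zfill(RESPONSE_DIGITS)


class AuthenticationServer:
    """The central authentication service of Figure 1-3."""

    def __init__(self):
        self._seeds = {}        # user -> token card seed shared with the server
        self._pending = {}      # user -> challenge issued but not yet answered
        self._ticket_key = secrets.token_bytes(32)   # signs tickets it issues
        self._issued = {}       # ticket id -> user

    def enroll(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed

    def new_challenge(self, user: str) -> int:
        """Offer a fresh challenge. Answering it consumes it, so a captured
        response is useless against any later challenge."""
        challenge = secrets.randbelow(10 ** RESPONSE_DIGITS)
        self._pending[user] = challenge
        return challenge

    def _sign(self, user: str, ticket_id: str, expires: int) -> str:
        msg = f"{user}|{ticket_id}|{expires}".encode()
        return hmac.new(self._ticket_key, msg, hashlib.sha1).hexdigest()

    def authenticate(self, user: str, response: str, now: int):
        """Steps 1 and 2: check the token response; on success return a
        signed ticket carrying an expiration time, otherwise None."""
        seed = self._seeds.get(user)
        challenge = self._pending.pop(user, None)
        if seed is None or challenge is None:
            return None
        expected = token_response(seed, challenge).encode()
        if not hmac.compare_digest(response.encode(), expected):
            return None
        ticket_id = secrets.token_hex(8)
        expires = now + TICKET_LIFETIME
        self._issued[ticket_id] = user
        return {"user": user, "id": ticket_id, "expires": expires,
                "mac": self._sign(user, ticket_id, expires)}

    def validate(self, ticket, now: int) -> bool:
        """Steps 4 to 6: the Oracle server hands the ticket back; it is
        accepted only if it was issued here, is unaltered, and has not expired."""
        try:
            expected = self._sign(ticket["user"], ticket["id"], ticket["expires"])
            if not hmac.compare_digest(ticket["mac"], expected):
                return False
            if self._issued.get(ticket["id"]) != ticket["user"]:
                return False
            return now < ticket["expires"]
        except (KeyError, TypeError, AttributeError):
            return False


class OracleServer:
    """The database server of Figure 1-3; it never checks credentials itself."""

    def __init__(self, auth_server: AuthenticationServer):
        self._auth = auth_server

    def connect(self, ticket, now: int) -> str:
        """Step 3: a connection request arrives together with a ticket."""
        return "connected" if self._auth.validate(ticket, now) else "denied"


if __name__ == "__main__":
    auth = AuthenticationServer()
    auth.enroll("pat", b"constructed-token-seed")     # card issued to user Pat
    database = OracleServer(auth)
    challenge = auth.new_challenge("pat")                # shown to Pat, typed into the card
    ticket = auth.authenticate("pat", token_response(b"constructed-token-seed", challenge), now=1000)
    print(database.connect(ticket, now=1100))                      # connected
    print(database.connect(ticket, now=1000 + TICKET_LIFETIME))    # denied (expired)
    print(database.connect(dict(ticket, user="sys"), now=1100))    # denied (altered)
```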
DCE (Distributed Computing Environment) DCE is a set of integrated network services that works across multiple systems to provide a distributed environment. Oracle DCE Integration consists of the following two components:
DCE Communication/Security
DCE Cell Directory services Native Naming
Oracle DCE Integration provides applications the flexibility to have different levels of integration with DCE services. Depending on the need, applications can choose to integrate very tightly with the DCE services or choose to plug in the other security authentication services provided by Oracle Advanced Security. See Chapter 10, "Configuring Oracle DCE Integration" for information about configuring and using this adapter.
Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity.
The SSL protocol is the foundation of a public key infrastructure (PKI). For authentication, SSL uses digital certificates that comply with the X.509v3 standard, and a public and private key pair.
Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authentication for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database usernames and passwords, RADIUS, and Kerberos).
To support your PKI implementation, Oracle Advanced Security includes the following features in addition to SSL:
Oracle wallets, where you can store PKI credentials
Oracle Wallet Manager, which you can use to manage your Oracle wallets
Certificate validation with certificate revocation lists (CRLs)
Hardware security module support
See Also:
Chapter 7, "Configuring Secure Sockets Layer Authentication" for conceptual, configuration, and usage information about SSL, certificate validation, and hardware security modules.
Chapter 8, "Using Oracle Wallet Manager" for information about using this tool to manage Oracle wallets.
Chapter 9, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security" for information about configuring SSL in combination with other authentication methods.
Entrust/PKI Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign-on into their Oracle applications, and it lets Oracle users incorporate Entrust-based single sign-on into Oracle applications. See Appendix F, "Entrust-Enabled SSL Authentication" for more information about this feature.
Enterprise User Management
Enterprise user management is provided by the Enterprise User Security feature of Oracle Advanced Security. Enterprise User Security enables storing database users and their corresponding administrative and security information in a centralized directory server.
Figure 1–4 shows how a directory server can be used to provide centralized storage and management of user account, user role, and authentication information.
1. A database server authenticates a user by accessing information stored in the directory.
2. - 4. Once authenticated, a user can access the databases, which are configured for enterprise user security.
Figure 1–4 Centralized User Management with Enterprise User Security
[Figure 1–4: a client, an LDAP-compliant directory server that stores user account, password, and role information, and several databases connected over an intranet; the arrows numbered 1 through 4 correspond to the steps above.]
This centralized configuration enables the administrator to modify information in one location, the directory. It also lowers the cost of administration and makes the enterprise more secure because there is only one set of user information to manage and track.
Enterprise User Security supports the following authentication methods:
Passwords
Kerberos
Secure Sockets Layer (SSL) with digital certificates
See Also: For detailed discussions of Enterprise User Security concepts, configuration, and management, refer to the following chapters in this manual:
Chapter 11, "Getting Started with Enterprise User Security"
Chapter 12, "Enterprise User Security Configuration Tasks and Troubleshooting"
Chapter 13, "Administering Enterprise User Security"
Oracle Advanced Security Architecture

Oracle Advanced Security complements an Oracle server or client installation with advanced security features. Figure 1–5 shows the Oracle Advanced Security architecture within an Oracle networking environment.
Figure 1–5 Oracle Advanced Security in an Oracle Networking Environment
[Figure 1–5: the client application calls OCI and Two-Task Common; beneath them, Oracle Net with Oracle Advanced Security provides encryption (AES, DES, RSA, 3DES), authentication (Kerberos, RADIUS, DCE), data integrity (MD5, SHA) and the SSL libraries; the Oracle protocol adapters (TCP/IP, SPX/IPX, SSL) and the network-specific protocols carry the traffic to the network.]
Oracle Advanced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters. As shown in Figure 1–6, authentication adapters integrate below the Oracle Net interface and let existing applications take advantage of new authentication systems transparently, without any changes to the application.
Figure 1–6 Oracle Net with Authentication Adapters
[Figure 1–6: Oracle Forms and Oracle Reports, third-party tools, and 3GL tools call the Oracle Call Interface and Oracle Net; the Oracle Advanced Security authentication adapters (Kerberos, SSL, DCE, RADIUS) sit beneath Oracle Net on the path to the Oracle server.]
See Also: Oracle Net Services Administrator's Guide, for more information about stack communications in an Oracle networking environment
Secure Data Transfer Across Network Protocol Boundaries
Oracle Advanced Security is fully supported by Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for example, can securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

System Requirements

Oracle Advanced Security is an add-on product bundled with the Oracle Net Server or Oracle Net Client. It must be purchased and installed on both the client and the server.
Oracle Advanced Security 10g Release 1 (10.1) requires Oracle Net 10g Release 1 (10.1) and supports Oracle Database Enterprise Edition. Table 1–1 lists additional system requirements.
Note: Oracle Advanced Security is not available with Oracle Database Standard Edition.
Table 1–1 Authentication Methods and System Requirements
Authentication Method | System Requirements
Kerberos | MIT Kerberos Version 5, release 1.1. The Kerberos authentication server must be installed on a physically secure machine.
RADIUS | A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. To enable challenge-response authentication, you must run RADIUS on an operating system that supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.
SSL | A wallet that is compatible with the Oracle Wallet Manager version 10g. Wallets created in earlier releases of the Oracle Wallet Manager are not forward compatible.
Entrust/PKI | Entrust IPSEC Negotiator Toolkit Release 6.0 and Entrust/PKI 6.0
Oracle Advanced Security Restrictions
Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Oracle Net Services to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on Microsoft Windows. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, since ODM does not use Oracle Net Services.
2 Configuration and Administration Tools Overview
Configuring advanced security features for an Oracle database includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure, as is required for Secure Sockets Layer (SSL). In addition, an Oracle database can be configured to interoperate with an LDAP directory, such as Oracle Internet Directory, to enable Enterprise User Security, a feature that enables you to store and manage database users in a centralized directory.
Such diverse advanced security features require a diverse set of tools with which to configure and administer them. This chapter introduces the tools used to configure and administer advanced security features for an Oracle database in the following topics:
Network Encryption and Strong Authentication Configuration Tools
Public Key Infrastructure Credentials Management Tools
Enterprise User Security Configuration and Management Tools
Duties of a Security Administrator/DBA
Duties of an Enterprise User Security Administrator/DBA
Network Encryption and Strong Authentication Configuration Tools
Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database:
Oracle Net Manager
Oracle Advanced Security Kerberos Adapter Command-Line Utilities
Oracle Net Manager
Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host.
Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following Oracle Advanced Security features, which use the Oracle Net protocol:
Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
Network encryption (RC4, DES, Triple-DES, and AES)
Checksumming for data integrity (MD5, SHA-1)
This section introduces you to the features of Oracle Net Manager that are used to configure Oracle Advanced Security. It contains the following topics:
Starting Oracle Net Manager
Navigating to the Oracle Advanced Security Profile
See Also:
"Duties of a Security Administrator/DBA" on page 2-34 for information about the tasks you can perform with this tool that configure advanced security features.
Oracle Net Services Administrator's Guide and Oracle Net Manager online help for complete documentation of this tool.
Starting Oracle Net Manager
You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a standalone application. However, you must use the standalone application to access the Oracle Advanced Security Profile where you can configure Oracle Advanced Security features.
To start Oracle Net Manager as a standalone application:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line: netmgr
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Net Manager
Navigating to the Oracle Advanced Security Profile
The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane, which displays various property sheets that enable you to configure network components. When you select a network object in the navigator pane, its associated property sheets display in the right pane. To configure Oracle Advanced Security features, choose the Profile object in the navigator pane, and then select Oracle Advanced Security from the list in the right pane, as shown in Figure 2–1.
Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager
Oracle Advanced Security Profile Property Sheets
The Oracle Advanced Security Profile contains the following property sheets, which are described in the following sections:
Authentication Property Sheet
Other Params Property Sheet
Integrity Property Sheet
Encryption Property Sheet
SSL Property Sheet
Authentication Property Sheet Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS.
Other Params Property Sheet Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.
Integrity Property Sheet Use this property sheet to enable checksumming on the client or the server and to select an encryption algorithm for generating secure message digests.
Encryption Property Sheet Use this property sheet to select one or more cipher suites to encrypt client or server connections with native encryption algorithms.
SSL Property Sheet Use this property sheet to configure Secure Sockets Layer (SSL), including the wallet location and cipher suite, on a client or server.
Oracle Advanced Security Kerberos Adapter Command-Line Utilities
The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following table briefly describes these utilities:
Utility Name | Description
okinit | Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache
oklist | Displays a list of Kerberos tickets in the specified credential cache
okdstry | Removes Kerberos credentials from the specified credential cache
See Also: "Utilities for the Kerberos Authentication Adapter" on page 6-11 for complete descriptions of these utilities, their syntax, and available options.
Public Key Infrastructure Credentials Management Tools
The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current:
Oracle Wallet Manager
orapki Utility
Oracle Wallet Manager
Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:
Create public and private key pairs
Generate certificate requests
Upload and download wallets to and from an LDAP directory
Create wallets to store hardware security module credentials
Store and manage user credentials
Store and manage certificate authority certificates (root key certificate and certificate chain)
The following topics introduce the Oracle Wallet Manager user interface:
Starting Oracle Wallet Manager
Navigating the Oracle Wallet Manager User Interface
Toolbar
Menus
See Also: Chapter 8, "Using Oracle Wallet Manager" for detailed information about using this application
Starting Oracle Wallet Manager
To start Oracle Wallet Manager:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
owm
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated
Management Tools > Wallet Manager
Navigating the Oracle Wallet Manager User Interface
The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2–2.
Figure 2–2 Oracle Wallet Manager User Interface
Navigator Pane The navigator pane provides a graphical tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.
The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to
Expand and contract wallet objects so that you can manage the user and trusted certificates they contain.
Right-click a wallet, certificate, or certificate request to perform operations on it such as add, remove, import, or export.
When you expand a wallet, you see a nested list of user and trusted certificates. When you select a wallet or certificate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2–1 lists the main objects that display in the navigator pane.
Table 2–1 Oracle Wallet Manager Navigator Pane Objects
Object Description
Wallet Password-protected container that is used to store authentication and signing credentials
Certificate Request (1) A PKCS #10-encoded message containing the requester's distinguished name (DN), a public key, the key size, and key type. See also certificate request.
Certificate (1) An X.509 data structure containing the entity's DN and public key, signed by a trusted identity (certificate authority). See certificate.
Trusted Certificates (1) Sometimes called a root key certificate; a certificate from a third-party identity that is qualified with a level of trust. See trusted certificate.
1 These objects display only after you create a wallet, generate a certificate request, and import a certificate into the wallet.
Right Pane The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.
Figure 2–3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type fields. The PKCS #10-encoded certificate request displays in the Certificate Request text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file.
Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane
Toolbar
The toolbar contains buttons that enable you to manage your wallets. Move the mouse cursor over a toolbar button to display a description of the button's function. The toolbar buttons are listed and described in Table 2–2.
Table 2–2 Oracle Wallet Manager Toolbar Buttons
Toolbar Button Description
New Creates a new wallet
Open Wallet Enables you to browse your file system to locate and open an existing wallet
Save Wallet Saves the currently open wallet
Delete Wallet Deletes wallet currently selected in the navigator pane
Help Opens the Oracle Wallet Manager online help
Menus
You use Oracle Wallet Manager menus to manage your wallets and the credentials they contain. The following sections describe the options that are available under each menu.
Wallet Menu Table 2–3 describes the contents of the Wallet menu.
Table 2–3 Oracle Wallet Manager Wallet Menu Options
Option Description
New Creates a new wallet
Open Opens an existing wallet
Close Closes the currently open wallet
Upload Into The Directory Service Uploads a wallet to a specified LDAP directory server. You must supply a directory password, hostname, and port information.
Download From The Directory Service Downloads a wallet from a specified LDAP directory server. You must supply a directory password, hostname, and port information.
Save Saves the currently open wallet in the current working directory.
Save As Enables you to browse your file system to choose a directory location in which to save the currently open wallet.
Save In System Default Saves the currently open wallet in the system default location: (UNIX) /etc/ORACLE/WALLETS/<username> (Windows) %USERPROFILE%\<username>
Delete Deletes the wallet in the current working directory. You must supply the wallet password.
Change Password Changes the password for the currently open wallet. You must supply the old password before you can create a new one.
Auto Login Sets the auto login feature for the currently open wallet. See auto login wallet
Exit Exits the Oracle Wallet Manager application
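The system default location named by Save In System Default is where a wallet, and with it the private keys it holds, ends up on disk; an auto login wallet (the Auto Login option) can be opened without its password, so file-system permissions are its only protection. The following Python is an added example, not part of this guide or of Oracle's tools: it computes the default location for a user and reports any entry in a wallet directory that is accessible to the group or to others. The owner-only policy it enforces and the constructed fixture in demo() are this example's assumptions.

```python
import getpass
import os
import stat
import sys
import tempfile


def default_wallet_dir(username=None):
    """System default wallet location named by the Save In System Default option:
    /etc/ORACLE/WALLETS/<username> on UNIX, %USERPROFILE%\\<username> on Windows."""
    user = username or getpass.getuser()
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("USERPROFILE", ""), user)
    return "/etc/ORACLE/WALLETS/" + user


def _exposure(mode):
    """Describe which non-owner permission bits are set on a POSIX mode."""
    bits = stat.S_IMODE(mode)
    findings = []
    if bits & stat.S_IRWXG:
        findings.append("group-accessible")
    if bits & stat.S_IRWXO:
        findings.append("world-accessible")
    return findings


def audit_wallet_dir(path):
    """Check a wallet directory and every entry directly inside it.

    Returns {relative_name: [findings]} for entries that are readable, writable or
    traversable by anyone other than the owner; an empty dict means nothing is exposed.
    The owner-only policy is this example's assumption, not a setting of the tool.
    """
    findings = {}
    dir_findings = _exposure(os.stat(path).st_mode)
    if dir_findings:
        findings["."] = dir_findings
    for name in sorted(os.listdir(path)):
        entry_findings = _exposure(os.stat(os.path.join(path, name)).st_mode)
        if entry_findings:
            findings[name] = entry_findings
    return findings


def demo():
    """Constructed fixture: one locked-down wallet directory and one exposed directory.

    Returns (findings_for_private_dir, findings_for_exposed_dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "private")
        exposed = os.path.join(tmp, "exposed")
        for d, dir_mode, file_mode in ((private, 0o700, 0o600), (exposed, 0o755, 0o644)):
            os.mkdir(d)
            # constructed stand-in for a wallet file; chmod afterwards so the umask cannot interfere
            with open(os.path.join(d, "wallet.bin"), "wb") as fh:
                fh.write(b"not a real wallet")
            os.chmod(os.path.join(d, "wallet.bin"), file_mode)
            os.chmod(d, dir_mode)
        return audit_wallet_dir(private), audit_wallet_dir(exposed)


if __name__ == "__main__":
    print("default wallet dir for this user:", default_wallet_dir())
    ok, bad = demo()
    print("private dir findings:", ok)
    print("exposed dir findings:", bad)
```

Run it against the real directory with audit_wallet_dir(default_wallet_dir()) on a host where the wallet exists; the function only reads permission bits and never opens the wallet itself.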
Operations Menu Table 2–4 describes the contents of the Operations menu.
Table 2–4 Oracle Wallet Manager Operations Menu Options
Option Description
Add Certificate Request Generates a certificate request for the currently open wallet that you can use to request a certificate from a certificate authority (CA).
Import User Certificate Imports the user certificate issued to you from the CA. You must import the issuing CA's certificate as a trusted certificate before you can import the user certificate.
Import Trusted Certificate Imports the CA's trusted certificate.
Remove Certificate Request Deletes the certificate request in the currently open wallet. You must remove the associated user certificate before you can delete a certificate request.
Remove User Certificate Deletes the user certificate from the currently open wallet.
Remove Trusted Certificate Removes the trusted certificate that is selected in the navigator pane from the currently open wallet. You must remove all user certificates that the trusted certificate signs before you can remove it.
Export User Certificate Exports the user certificate in the currently open wallet to save in a file system directory.
Export Certificate Request Exports the certificate request in the currently open wallet to save in a file.
Export Trusted Certificate Exports the trusted certificate that is selected in the navigator pane to save in another location in your file system.
Export All Trusted Certificates Exports all trusted certificates in the currently open wallet to save in another location in your file system.
Export Wallet Exports the currently open wallet to save as a text file.
Help Menu Table 2–5 describes the contents of the Help menu.
Table 2–5 Oracle Wallet Manager Help Menu Options
Option Description
Contents Opens Oracle Wallet Manager online help.
Search for Help on Opens Oracle Wallet Manager online help and displays the Search tab.
About Oracle Wallet Manager Opens a window that displays the Oracle Wallet Manager version number and copyright information.
orapki Utility
The orapki utility is a command line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes.
The basic syntax for this utility is as follows:
orapki module command -option_1 argument ... -option_n argument
For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.acme.com and that uses port 389:
orapki crl list -ldap machine1.us.acme.com:389
See Also:
"Certificate Revocation List Management" on page 7-40 for information about how to use orapki to manage CRLs in the directory.
Appendix E, "orapki Utility" for reference information on all available orapki commands
Enterprise User Security Configuration and Management Tools
Enterprise users are database users who are stored and centrally managed in an LDAP directory, such as Oracle Internet Directory. Table 2–6 provides a summary of the tools that are used to configure and manage Enterprise User Security. The following subsections introduce and describe these tools.
Table 2–6 Enterprise User Security Tools Summary
Tool Task
Database Configuration Assistant Register and un-register databases in Oracle Internet Directory
Enterprise Security Manager and Enterprise Security Manager Console
  Configure enterprise domains and databases in Oracle Internet Directory
  Create users and manage their passwords
  Manage identity management realm attributes and administrative groups that pertain to Enterprise User Security in Oracle Internet Directory
Oracle Internet Directory Self-Service Console (Delegated Administration Service)
  Manage identity management realms in Oracle Internet Directory
  For information about this tool, refer to Oracle Internet Directory Administrator's Guide.
Oracle Net Configuration Assistant Configure the database's Oracle home for directory usage over the network
Oracle Wallet Manager Manage Oracle wallets for Enterprise User Security
User Migration Utility Perform bulk migrations of database users to Oracle Internet Directory
Database Configuration Assistant
Database Configuration Assistant is a wizard-based tool which is used to create and configure Oracle databases.
Use Database Configuration Assistant to register a database with the directory. When you register a database with the directory, Database Configuration Assistant creates a distinguished name (DN) for the database and the corresponding entry and subtree in Oracle Internet Directory
Starting Database Configuration Assistant
To start Database Configuration Assistant:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
dbca
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Database
Administration > Database Configuration Assistant
See Also:
"To register a database in the directory:" on page 12-9 for information about using this tool to register your database.
Oracle Database Administrator's Guide for more information about this tool.
Enterprise Security Manager and Enterprise Security Manager Console
Oracle Advanced Security employs Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users, administrative groups, enterprise domains, and enterprise roles that are stored in Oracle Internet Directory. (Enterprise Security Manager Console can be accessed through the Enterprise Security Manager Operations menu. See "Enterprise Security Manager Console Overview" on page 2-22 for details.)
Enterprise users are users who are provisioned and managed centrally in an LDAP-compliant directory, such as Oracle Internet Directory, for database access. Enterprise domains are directory constructs that contain databases and enterprise roles, the access privileges that are assigned to enterprise users.
See Also: Chapter 11, "Getting Started with Enterprise User Security" for a discussion of Enterprise User Security administrative groups, enterprise domains, enterprise roles, enterprise users, shared schemas, and user-schema mappings.
This section discusses the following topics:
Enterprise Security Manager Initial Installation and Configuration Overview
Starting Enterprise Security Manager
Navigating the Enterprise Security Manager User Interface
Enterprise Security Manager Console Overview
Logging in to Enterprise Security Manager Console
Navigating Enterprise Security Manager Console User Interface
Enterprise Security Manager Initial Installation and Configuration Overview
The following tasks provide an overview of the initial Enterprise Security Manager installation and configuration:
Task 1: Install Enterprise Security Manager
Task 2: Configure an Oracle Identity Management Infrastructure
Task 1: Install Enterprise Security Manager Enterprise Security Manager is automatically installed by the Oracle Database Enterprise Edition server installation process.
See Also: The Oracle Database installation documentation for
your operating system.
Note: Use only the version of Enterprise Security Manager that
installs with Oracle Database 10g Release 1 (10.1).
Task 2: Configure an Oracle Identity Management Infrastructure Enterprise User Security uses Oracle Internet Directory to store enterprise users. Enterprise Security Manager uses Oracle Internet Directory Delegated Administration Services to provide an administrative GUI (Enterprise Security Manager Console), and OracleAS Single Sign-On server to authenticate administrators when they log in to the console. Consequently, Oracle Internet Directory and OracleAS Single Sign-On server, which are part of the Oracle Identity Management infrastructure, must be properly installed and configured before Enterprise Security Manager can be used to manage Enterprise User Security. The following elements of Oracle Identity Management infrastructure configuration must be completed before proceeding:
Oracle Internet Directory 10g (9.0.4) must be installed, running, and accessible over standard LDAP or Secure Sockets Layer LDAP (LDAP/SSL).
Oracle Internet Directory must include an identity management realm. You can use Oracle Internet Directory Configuration Assistant to configure this on the directory server.
OracleAS Single Sign-On server must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.
See Also:
Oracle Internet Directory Administrator's Guide for information about using Oracle Internet Directory Configuration Assistant to create or upgrade an identity management realm in the directory. This manual also contains general information about how to configure and use the directory.
OracleAS Single Sign-On Administrator's Guide for information about configuring OracleAS Single Sign-On Server.
Starting Enterprise Security Manager
To launch Enterprise Security Manager, use the following steps:
1. Depending on your operating system, use one of the following options:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
esm
(Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Enterprise Security Manager
The directory server login window appears:
Figure 2–4 Directory Server Login Window
2. Log in to Oracle Internet Directory by selecting the authentication method and providing the hostname and port number for your directory. Table 2–7 describes the two available Enterprise Security Manager authentication methods and what each method requires:
Table 2–7 Enterprise Security Manager Authentication Methods
Authentication Method Description
Password Authentication Uses simple authentication requiring a distinguished name (DN) or a known directory user name and password (1).
SSL Client Authentication Uses two-way SSL authentication in which both the client and server use Oracle Wallets containing digital certificates (that is, the user name and certificate). The subsequent connection is encrypted.
1 Known directory user name and password can be used only for the default identity management realm in the directory.
3. After providing the directory login information, click OK. The main Enterprise Security Manager user interface appears.
Navigating the Enterprise Security Manager User Interface
The Enterprise Security Manager user interface includes two panes, a toolbar, and various menu items as shown in Figure 2–5.
Figure 2–5 Enterprise Security Manager User Interface
Navigator Pane The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.
The navigator pane enables you to
Expand and contract identity management realms by clicking the plus and minus symbols (+ -) adjacent to the realm name in the navigation tree. This enables you to manage the enterprise domains that they contain.
Right-click an enterprise domain to perform operations such as creating enterprise roles or deleting the domain from the identity management realm.
When you expand an identity management realm, you see a nested list of folders that contain enterprise user security objects. Expanding these folders enables you to view the individual objects as described in Table 2–8.
Table 2–8 Enterprise Security Manager Navigator Pane Folders
Folder Description
Databases When you expand this folder, you see the databases which are registered with this identity management realm. Databases are registered with a directory by using Database Configuration Assistant.
Enterprise Domains When you expand this folder, you see the enterprise domains that this realm contains. You can also expand each enterprise domain to view the databases and enterprise roles that it contains.
Users, by Search Base When you expand this folder, you see the users stored in the realm. The display of users is organized by search base, which is the node in the directory under which a collection of users resides.
Right Pane The right pane displays read-only information about an object that is selected in the navigator pane, or it displays tabbed windows that enable you to configure enterprise domains, enterprise roles, and user-schema mappings. For example, when you select an enterprise domain in the navigator pane, you can add databases to it by using the Databases tabbed window that is shown in Figure 2–6.
Figure 2–6 Enterprise Security Manager Databases Tabbed Window
The Databases tabbed window also enables you to set security options for databases which are members of an enterprise domain. See "Defining Database Membership of an Enterprise Domain" on page 13-17 for a discussion of configuring enterprise domains by using the Databases tabbed window.
Tool Bar The toolbar contains two buttons that enable you to access the Enterprise Security Manager online help and to delete directory objects.
Menus You use Enterprise Security Manager menus to create or remove enterprise domains and to manage objects within the domains, such as enterprise roles or database membership. The following sections describe the options that are available under each menu.
File Menu Table 2–9 describes the contents of the File menu.
Table 2–9 Enterprise Security Manager File Menu Options
Option Description
Change Directory Connection Causes the Directory Server Login window to reappear (see Figure 2–4 on page 2-17), enabling you to log in to another directory server.
Directory Search Options For user searches in the directory, this menu option enables you to configure the maximum number of displayed search results, the maximum search duration, or an LDAP filter.
ESM Console URL Enables you to specify the URL for your installation of Enterprise Security Manager Console. (See "Enterprise Security Manager Console Overview" on page 2-22)
Exit Exits the Enterprise Security Manager application.
Operations Menu Table 2–10 describes the contents of the Operations menu.
Table 2–10 Enterprise Security Manager Operations Menu Options
Option Description
Create Enterprise Domain Creates an enterprise domain in the realm that is selected in the navigator pane.
Remove Enterprise Domain Removes the enterprise domain that is selected in the navigator pane.
Create Enterprise Role Creates an enterprise role in the enterprise domain that is selected in the navigator pane.
Remove Enterprise Role Removes the enterprise role that is selected in the navigator pane.
Launch ESM Console Brings up the Enterprise Security Manager Console in your default browser.
Help Menu Table 2–11 describes the contents of the Help menu.
Table 2–11 Enterprise Security Manager Help Menu Options
Option Description
Contents Opens the online help and displays its table of contents.
Search for Help on Displays the search window for the online help.
Using Help Displays online help topics that describe how to use the online help system.
About Enterprise Security Manager Displays Enterprise Security Manager version number and copyright information.
Enterprise Security Manager Console Overview
Enterprise Security Manager uses a directory management console, Enterprise Security Manager Console, to administer enterprise users and groups, and to configure an identity management realm for Enterprise User Security. By default, when you log in to a directory server with Enterprise Security Manager it uses port 7777 with the fully qualified domain name of that directory server to construct an Enterprise Security Manager Console URL. Then, when you need to launch the console, Enterprise Security Manager uses this URL to connect to it over HTTP.
For example, if an Acme Company administrator logs into an instance of Oracle Internet Directory that is hosted on a machine named machine123, then Enterprise Security Manager would use the following URL to connect to Enterprise Security Manager Console:
http://machine123.us.acme.com:7777/
After launching the console, administrators must log in by using their OracleAS Single Sign-On username and password pairs.
Logging in to Enterprise Security Manager Console
If you can use the URL that is constructed by default to access an instance of Enterprise Security Manager Console, then use the following steps to log in to the console.
To log in to Enterprise Security Manager Console:
1. From the Enterprise Security Manager main application window, choose Operations > Launch ESM Console. The Enterprise Security Manager Console login page appears, as shown in Figure 2–7.
Figure 2–7 Enterprise Security Manager Console Login Page
2. Click the Login icon in the upper right corner of the page to log in with your OracleAS Single Sign-On username and password. After providing your OracleAS Single Sign-On credentials, you are returned to the console home page.
To change the default Enterprise Security Manager Console URL:
If you cannot use the default URL to connect to the Enterprise Security Manager Console, then you must enter the appropriate URL before you can launch the console.
1. In the Enterprise Security Manager main application, choose File > ESM Console URL. The ESM Console URL window appears as shown in Figure 2–8.
Figure 2–8 ESM Console URL Window
2. Enter the appropriate URL for connecting to Enterprise Security Manager Console, and click OK.
This saves the URL information in Enterprise Security Manager so you can launch the console again without reconfiguring the URL.
Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users By default, the Enterprise Security Manager Console user interface does not display the field where you can configure Kerberos principal names. The first time you create Kerberos-authenticated users in the directory, you must configure this tool to display the krbPrincipalName attribute in its Create User window by using the following steps:
1. Log into the Oracle Internet Directory Self-Service Console and choose the Configuration tab. See: Oracle Internet Directory Administrator's Guide for information about logging in and using the Oracle Internet Directory Self-Service Console.
2. In the Configuration page, select the User Entry subtab and click Next until the Configure User Attributes page appears.
3. In the Configure User Attributes page, click Add New Attribute and the Add New Attribute page appears.
4. In the Add New Attribute page, select krbPrincipalName from the Directory Attribute Name list (or the attribute that you have configured for orclCommonKrbPrincipalAttribute in your identity management realm) and perform the following steps on this page:
a. Enter Kerberos Principal Name for the user interface label.
b. Check Searchable and Viewable.
c. Select Single Line Text from the UI Type list.
d. Click Done.
5. Click Next to navigate to the Configure Attribute Categories page, and click Edit for Basic Information and perform the following steps on this page:
a. Select krbPrincipalName in the left category list.
b. Click Move > to move krbPrincipalName to the right-hand list.
c. Click Done.
6. Click Next until you reach the last page, and then click Finish to save your work.
Navigating Enterprise Security Manager Console User Interface
The Enterprise Security Manager Console user interface is browser-based and uses tabbed windows instead of a navigator pane. Figure 2–9 shows the layout of the console user interface. The tabbed windows can be accessed by selecting one of the tabs at the top of the application or by selecting one of the links in the Tips box on the right. You can also access the tabbed windows by selecting one of the corresponding links at the bottom of the page.
Figure 2–9 Enterprise Security Manager Console User Interface
The tabbed windows are explained in the following sections:
Home Tabbed Window The Home page is your entry point to the console. You can access each tabbed window and read a brief summary of what you can do with this tool. The Home tabbed window is shown in Figure 2–9 on page 2-25.
Users and Groups Tabbed Window This tabbed window contains two subtabs: the Users subtab (shown in Figure 2–10) and the Groups subtab (shown in Figure 2–11 on page 2-28).
Figure 2–10 Enterprise Security Manager Console Users Subtab
The Users subtab (Figure 2–10) enables you to search for users in the directory by using the Search for user field at the top of the page. After you locate users that match your search criteria, you can select specific users and perform tasks with the buttons that are listed in Table 2–12 on page 2-27. This subtab also enables you to create new users.
Table 2–12 Enterprise Security Manager Console User Subtab Buttons
Button Name Description
Go After entering user search criteria in the Search for user field, click Go to display users who match your search criteria in the Search Results table. This button is always available.
Create Enables you to create new enterprise users in the directory. This button is always available.
Edit Enables you to edit a user's information in the directory. This button is available only after you have entered search criteria in the Search for user field and clicked Go.
Delete Enables you to delete a user from the directory. This button is available only after you have entered search criteria in the Search for user field and clicked Go.
Assign Privileges Enables you to assign directory privileges to a specified user. For example, you can assign the privilege to create new users by using this button. This button is available only after you have entered search criteria in the Search for user field and clicked Go.
The Group subtab (shown in Figure 2–11 on page 2-28) enables you to view, or to add new users or groups to the Enterprise User Security directory administrative groups. To view or edit an administrative group, select the adjacent radio button, and click Edit in the upper right corner of the page. When you click Edit, an Edit Group page for the specified group appears, displaying the following information:
Members of the group
Groups of which the specified administrative group is a member
Edit history for the group
You can add members or other groups to a specified Enterprise User Security directory administrative group by clicking either Add User or Add Group in the Member region of the Edit Group page, which is shown in Figure 2–12 on page 2-29.
Figure 2–11 Enterprise Security Manager Console Group Subtab
Figure 2–12 Enterprise Security Manager Console Edit Group Page
Realm Configuration Tabbed Window The Realm Configuration tabbed window, which is shown in Figure 2–13, enables you to configure identity management realm attributes that pertain to Enterprise User Security. The fields that you can edit on this page are described in Table 2–13 on page 2-30.
Figure 2–13 Enterprise Security Manager Console Realm Configuration Tabbed Window
Table 2–13 Realm Configuration Tabbed Window Fields
Field Description
Attribute for Login Name Name of the directory attribute used to store login names.
Attribute for Kerberos Principal Name Name of the directory attribute used to store Kerberos principal names. See also: "Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users" on page 2-24
User Search Base Full distinguished name (DN) for the node under which enterprise users are stored for this realm.
Group Search Base Full DN for the node at which user groups (not Enterprise User Security administrative groups) are stored in the directory.
Enterprise Security Manager Command-Line Utility
Enterprise Security Manager provides a command-line utility, which can be used to perform the most common tasks that the graphical user interface tool performs. Enter all Enterprise Security Manager command-line utility commands from the Oracle Enterprise Manager Oracle home.
The basic syntax for this utility is as follows:
esm -cmd [operation] [-option_1 -option_2 -option_3 ... -option_n]
For example, the following command searches for users in a directory that is installed on a host machine named machine1.us.acme.com:
esm -cmd search -U SIMPLE -D orcladmin -w Y4ilbqve -h machine1.us.acme.com -p 3060 -dn dc=us,dc=acme,dc=com -objectType user
The following table describes each option used in this example:
Command Option | Description
-U | Specifies which authentication type is used to log in to the directory. SIMPLE specifies password authentication.
-D | Specifies the username.
-w | Specifies the password.
-h | Specifies the directory host machine name.
-p | Specifies the directory port number.
-dn | Specifies the search base.
-objectType | Specifies the type of object for which to search.
Accessing Enterprise Security Manager Command-Line Utility Help
To view a full list of operations and options you can use with this utility, enter the following at the command line:
esm -cmd
To view help on a specific operation, enter the following at the command line:
esm -cmd help [operation]
See Also:
"Duties of an Enterprise User Security Administrator/DBA" on page 2-35 for a list of tasks that can be performed with Enterprise Security Manager and Enterprise Security Manager Console.
Chapter 13, "Administering Enterprise User Security" for detailed information about how to use Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users.
Oracle Net Configuration Assistant
Oracle Net Configuration Assistant is a wizard-based tool that has a graphical user interface. It is primarily used to configure basic Oracle Net network components, such as listener names and protocol addresses. It also enables you to configure your Oracle home for directory server usage. The latter use is what makes this tool important for configuring Enterprise User Security.
If you use Domain Name System (DNS) discovery (automatic domain name lookup) to locate Oracle Internet Directory on your network, then this tool is not necessary. Note that using DNS discovery is the recommended configuration. See Oracle Internet Directory Administrator's Guide for information about this configuration.
If you have not configured DNS discovery of Oracle Internet Directory on your network, then you must use Oracle Net Configuration Assistant to create an ldap.ora file for your Oracle home before you can register a database with the directory. Your database uses the ldap.ora file to locate the correct Oracle Internet Directory server on your network. This configuration file contains the hostname, port number, and identity management realm information for your directory server.
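As an added illustration that is not part of this guide or of Oracle's tools, the following Python script parses an ldap.ora file of the kind Oracle Net Configuration Assistant writes and reports the directory servers, realm context and server type it points at, flagging any server entry that lists no SSL port. The sample file is constructed here: the first host, the port 3060 and the DN are taken from the esm search example earlier in this chapter, while the second host, the SSL port 3131 and the checks themselves are assumptions of the example.

```python
import re
import sys

# Constructed sample ldap.ora (written for this illustration, not a file from
# the guide). machine1.us.acme.com, port 3060 and the DN come from the esm
# search example in this chapter; machine2 and the SSL port 3131 are assumed.
SAMPLE_LDAP_ORA = """\
# ldap.ora - constructed sample
DIRECTORY_SERVERS= (machine1.us.acme.com:3060:3131, machine2.us.acme.com:3060:3131)
DEFAULT_ADMIN_CONTEXT="dc=us,dc=acme,dc=com"
DIRECTORY_SERVER_TYPE=OID
"""

# A DN is a comma-separated list of attribute=value pairs. This is a loose
# syntactic check, not full RFC 4514 parsing.
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*\s*=[^,]+(,\s*[A-Za-z][\w-]*\s*=[^,]+)*\s*$")


def parse_ldap_ora(text):
    """Parse ldap.ora text into {'servers', 'admin_context', 'server_type'}.

    Each server is a dict with 'host', 'port' and 'ssl_port' (None when the
    entry carries no third field). A '#' starts a comment.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed ldap.ora line: {raw!r}")
        params[key.strip().upper()] = value.strip()

    servers = []
    server_list = params.get("DIRECTORY_SERVERS", "").strip()
    if server_list.startswith("(") and server_list.endswith(")"):
        server_list = server_list[1:-1]
    for entry in server_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        fields = entry.split(":")  # host:port[:sslport]
        if len(fields) not in (2, 3) or not fields[0]:
            raise ValueError(f"bad DIRECTORY_SERVERS entry: {entry!r}")
        servers.append({
            "host": fields[0],
            "port": int(fields[1]),
            "ssl_port": int(fields[2]) if len(fields) == 3 and fields[2] else None,
        })

    return {
        "servers": servers,
        "admin_context": params.get("DEFAULT_ADMIN_CONTEXT", "").strip().strip('"'),
        "server_type": params.get("DIRECTORY_SERVER_TYPE", "").strip().upper(),
    }


def check_ldap_ora(config):
    """Return a list of findings for a parsed ldap.ora; empty means nothing to report."""
    findings = []
    if not config["servers"]:
        findings.append("DIRECTORY_SERVERS lists no directory server")
    for server in config["servers"]:
        if server["ssl_port"] is None:
            findings.append(f"{server['host']}: no SSL port listed, so directory "
                            "access from this home cannot use SSL")
    if config["server_type"] != "OID":
        findings.append(f"DIRECTORY_SERVER_TYPE is {repr(config['server_type'] or 'unset')}; "
                        "Enterprise User Security expects OID")
    if not DN_RE.match(config["admin_context"]):
        findings.append(f"DEFAULT_ADMIN_CONTEXT {config['admin_context']!r} is not a well-formed DN")
    return findings


if __name__ == "__main__":
    # Read a real file when a path is given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDAP_ORA
    config = parse_ldap_ora(text)
    for server in config["servers"]:
        print(f"directory server {server['host']} port {server['port']} ssl_port {server['ssl_port']}")
    print(f"realm context: {config['admin_context']} (type {config['server_type']})")
    for finding in check_ldap_ora(config):
        print("finding:", finding)
```

Run it with no arguments to see the constructed sample parsed, or pass the path of the ldap.ora in an Oracle home's network/admin directory to check a real file; the SSL-port finding is the one worth acting on before enabling SSL directory access for the home.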
Starting Oracle Net Configuration Assistant
To start Oracle Net Configuration Assistant:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
netca
(Windows) Choose Start > Programs > Oracle-HOME_NAME > Configuration and Migration Tools > Net Configuration Assistant
After you start this tool, you will be presented with the opening page that is shown in Figure 2–14 on page 2-33.
Choose the Directory Usage Configuration option on this page, click Next, and choose the directory server where you wish to store your enterprise users. Then click Finish to create a properly configured ldap.ora file for your Oracle home.
Figure 2–14 Opening Page of Oracle Net Configuration Assistant
See Also:
"Task 5: (Optional) Configure your Oracle home for directory usage" on page 12-7 for more information about using this tool to configure your Oracle home for Enterprise User Security.
Oracle Net Services Administrator's Guide and Oracle Net Configuration Assistant online help for complete documentation of this tool.
User Migration Utility
User Migration Utility is a command-line tool that enables you to perform bulk migrations of database users to Oracle Internet Directory where they are stored and managed as enterprise users. This tool performs a bulk migration in two phases: In phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory.
This tool is automatically installed in the following location when you install an Oracle Database client:
$ORACLE_HOME/rdbms/bin/umu
The basic syntax for this utility is as follows:
umu parameter_keyword_1=value1:value2 parameter_keyword_2=value parameter_keyword_3=value1:value2:value3 ... parameter_keyword_n=value
Note that when a parameter takes multiple values, they are separated with colons (:).
See Also: Appendix G, "Using the User Migration Utility" for complete instructions (including usage examples) for using this tool to migrate database users to a directory and its parameters.
Duties of a Security Administrator/DBA
Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure. Table 2–14 lists the primary tasks of security administrators, the tools used to perform the tasks, and links to where the tasks are documented.
Table 2–14 Common Security Administrator/DBA Configuration and Administrative Tasks
Task | Tools Used | See Also
Configure encrypted Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Encryption on the Client and the Server" on page 3-9
Configure checksumming on Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Integrity on the Client and the Server" on page 3-11
Configure database clients to accept RADIUS authentication | Oracle Net | "Step 1: Configure RADIUS on the Oracle Client" on page 5-9
Configure a database to accept RADIUS authentication | Oracle Net | "Step 2: Configure RADIUS on the Oracle Database Server" on page 5-10
Create a RADIUS user and grant them access to a database session | SQL*Plus | "Task 3: Create a User and Grant Access" on page 5-17
Configure Kerberos authentication on a database client and server | Oracle Net Manager | "Task 7: Configure Kerberos Authentication" on page 6-5
Create a Kerberos database user | kadmin.local, Oracle Net Manager | "Task 8: Create a Kerberos User" on page 6-10; "Task 9: Create an Externally Authenticated Oracle User" on page 6-10
Manage Kerberos credentials in the credential cache | okinit, oklist, okdstry | "Obtaining the Initial Ticket with the okinit Utility" on page 6-11; "Displaying Credentials with the oklist Utility" on page 6-12; "Removing Credentials from the Cache File with the okdstry Utility" on page 6-13
Create a wallet for a database client or server | Oracle Wallet Manager | "Creating a New Wallet" on page 8-10
Request a user certificate from a certificate authority (CA) for SSL authentication | Oracle Wallet Manager | "Adding a Certificate Request" on page 8-21; "Importing the User Certificate into the Wallet" on page 8-22
Import a user certificate and its associated trusted certificate (CA certificate) into a wallet | Oracle Wallet Manager | "Importing a Trusted Certificate" on page 8-25; "Importing the User Certificate into the Wallet" on page 8-22
Configuring SSL connections for a database client | Oracle Net Manager | "Task 3: Configure SSL on the Client" on page 7-23
Configuring SSL connections for a database server | Oracle Net Manager | "Task 2: Configure SSL on the Server" on page 7-15
Enabling certificate validation with certificate revocation lists | Oracle Net Manager | "Configuring Certificate Validation with Certificate Revocation Lists" on page 7-37
Duties of an Enterprise User Security Administrator/DBA
Enterprise User Security administrators plan, implement, and administer enterprise users. Table 2–15 lists the primary tasks of Enterprise User Security administrators, the tools used to perform the tasks, and links to where the tasks are documented.
Table 2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks
Task | Tools Used | See Also
Create an identity management realm in Oracle Internet Directory | Oracle Internet Directory Self-Service Console (Delegated Administration Service) | Oracle Internet Directory Administrator's Guide for information about how to perform this task
Upgrade an identity management realm in Oracle Internet Directory | Oracle Internet Directory Configuration Assistant | Oracle Internet Directory Administrator's Guide and the online help for this tool
Set up DNS to enable automatic discovery of Oracle Internet Directory over the network. Note that this is the recommended configuration. | Oracle Internet Directory Configuration Assistant | Oracle Internet Directory Administrator's Guide (Domain Name System server discovery) and the online help for this tool
Create an ldap.ora file to enable directory access | Oracle Net Configuration Assistant | "Task 5: (Optional) Configure your Oracle home for directory usage" on page 12-7
Register a database in the directory | Database Configuration Assistant | "Task 6: Register the database in the directory" on page 12-8
Configure password authentication for Enterprise User Security | Enterprise Security Manager, Oracle Net Manager | "Configuring Enterprise User Security for Password Authentication" on page 12-16
Configure Kerberos authentication for Enterprise User Security | Oracle Net Manager, Enterprise Security Manager Console | "Configuring Enterprise User Security for Kerberos Authentication" on page 12-18
Configure SSL authentication for Enterprise User Security | Enterprise Security Manager, Oracle Net Manager, text editor or SQL*Plus, Oracle Wallet Manager | "Configuring Enterprise User Security for SSL Authentication" on page 12-21
Create or modify user entries and Oracle administrative groups in the directory | Enterprise Security Manager Console | "Administering Identity Management Realms" on page 13-3; "Administering Enterprise Users" on page 13-8
Create or modify enterprise roles and domains in the directory | Enterprise Security Manager | "Administering Enterprise Domains" on page 13-15; "Administering Enterprise Roles" on page 13-27
Create or modify wallets for directory, databases, and clients | Oracle Wallet Manager | Chapter 8, "Using Oracle Wallet Manager"
Change a user's database or directory password | Enterprise Security Manager Console | "Setting Enterprise User Passwords" on page 13-10
Change a database's directory password | Database Configuration Assistant | "To change the database's directory password:" on page 12-9
Manage user wallets on the local system or update database and directory user passwords | Oracle Wallet Manager | Chapter 8, "Using Oracle Wallet Manager"
Request initial Kerberos ticket when KDC is not part of the operating system, such as Kerberos V5 from MIT | okinit utility | "Task 10: Get an Initial Ticket for the Kerberos/Oracle User" on page 6-11
Migrate large numbers of local or external database users to the directory for Enterprise User Security | User Migration Utility | Appendix G, "Using the User Migration Utility"