Oracle B10772-01 User Manual

OracleDatabase

Advanced Security Administrator's Guide 10g Release 1 (10.1)

Part No. B10772-01

December 2003

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1) Part No. B10772-01 Copyright © 1996, 2003 Oracle Corporation. All rights reserved. Primary Author: Laurel P. Hale Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya

Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati

Graphic Designer: Valarie Moore The Programs (which include both the software and documentation) contain proprietary information of

Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as speciﬁed by law, is prohibited.

The information contained in this document is subject to change without notice. If you ﬁnd any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR

52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.

This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos license, Oracle is required to license the Kerberos software to you under the following terms. Note that the terms contained in the Oracle program license that accompanied this product do not apply to the Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not

responsible for the performance of the Kerberos software, does not provide technical support for the software, and shall not be liable for any damages arising out of any use of the Kerberos software.

States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without speciﬁc, written prior permission. Furthermore, if you modify this software you must label your software as modiﬁed software and not distribute it in such a fashion that it might be confused with the original M.I.T.software.M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWAREISPROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code ﬁles are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made without prior written permission of M.I.T.

"Commercial use" means use of a name in a product or other for-proﬁt manner. It does NOT prevent a commercial ﬁrm from referring to the M.I.T. trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

---The following copyright and permission notice applies to the OpenVision Kerberos Administration

system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modiﬁcation, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to

derivative works of the Source Code, whether createdbyOpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which hasbeenperformedby M.I.T. and the Kerberos community.

---Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National

Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U. S. Department of Energy.

List of Figures

List of Tables

Send Us Your Comments............................................................................................................... xxiii

Preface......................................................................................................................................................... xxv

What's New in Oracle Advanced Security?...................................................................... xxxvii

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

Security Challenges in an Enterprise Environment..................................................................... 1-1

Security in Enterprise Grid Computing Environments.......................................................... 1-2

Security in an Intranet or Internet Environment...................................................................... 1-2

Common Security Threats........................................................................................................... 1-3

Solving Security Challenges with Oracle Advanced Security................................................... 1-4

Data Encryption............................................................................................................................ 1-5

Strong Authentication.................................................................................................................. 1-8

Enterprise User Management................................................................................................... 1-13

Oracle Advanced Security Architecture....................................................................................... 1-15

Secure Data Transfer Across Network Protocol Boundaries.................................................... 1-16

System Requirements...................................................................................................................... 1-16

Oracle Advanced Security Restrictions........................................................................................ 1-17

2 Configuration and Administration Tools Overview

Network Encryption and Strong Authentication Conﬁguration Tools.................................... 2-2

Oracle Net Manager ..................................................................................................................... 2-2

Oracle Advanced Security Kerberos Adapter Command-Line Utilities.............................. 2-5

Public Key Infrastructure Credentials Management Tools........................................................ 2-6

Oracle Wallet Manager ................................................................................................................ 2-6

orapki Utility ............................................................................................................................... 2-12

Enterprise User Security Conﬁguration and Management Tools............................................ 2-13

Database Configuration Assistant............................................................................................ 2-13

Enterprise Security Manager and Enterprise Security Manager Console.......................... 2-14

Oracle Net Configuration Assistant......................................................................................... 2-32

User Migration Utility................................................................................................................ 2-33

Duties of a Security Administrator/DBA..................................................................................... 2-34

Duties of an Enterprise User Security Administrator/DBA ..................................................... 2-35

Part II Network Data Encryption and Integrity

3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

Oracle Advanced Security Encryption............................................................................................ 3-1

About Encryption ......................................................................................................................... 3-2

Advanced Encryption Standard................................................................................................. 3-2

DES Algorithm Support............................................................................................................... 3-2

Triple-DES Support ..................................................................................................................... 3-2

RSA RC4 Algorithm for High Speed Encryption..................................................................... 3-3

Oracle Advanced Security Data Integrity ...................................................................................... 3-3

Data Integrity Algorithms Supported ....................................................................................... 3-4

Difﬁe-Hellman Based Key Management ....................................................................................... 3-4

Authentication Key Fold-in......................................................................................................... 3-5

How To Conﬁgure Data Encryption and Integrity....................................................................... 3-5

About Activating Encryption and Integrity.............................................................................. 3-6

About Negotiating Encryption and Integrity........................................................................... 3-6

Setting the Encryption Seed (Optional)..................................................................................... 3-8

Configuring Encryption and Integrity Parameters Using Oracle Net Manager................. 3-9

4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients

About the Java Implementation....................................................................................................... 4-1

Java Database Connectivity Support......................................................................................... 4-1

Securing Thin JDBC...................................................................................................................... 4-2

Implementation Overview.......................................................................................................... 4-3

Obfuscation.................................................................................................................................... 4-3

Conﬁguration Parameters.................................................................................................................. 4-4

Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT....................................... 4-4

Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT............ 4-5

Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT............................ 4-5

Client Integrity Selected List: ORACLE.NET.CRYPTO_CHEKSUM_TYPES_CLIENT .... 4-6

Part III Oracle Advanced Security Strong Authentication

5 Configuring RADIUS Authentication

RADIUS Overview............................................................................................................................. 5-1

RADIUS Authentication Modes...................................................................................................... 5-3

Synchronous Authentication Mode........................................................................................... 5-3

Challenge-Response (Asynchronous) Authentication Mode................................................. 5-5

Enabling RADIUS Authentication, Authorization, and Accounting....................................... 5-8

Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client.............. 5-9

Task 2: Configure RADIUS Authentication.............................................................................. 5-9

Task 3: Create a User and Grant Access.................................................................................. 5-17

Task 4: Configure External RADIUS Authorization (optional)........................................... 5-17

Task 5: Configure RADIUS Accounting.................................................................................. 5-19

Task 6: Add the RADIUS Client Name to the RADIUS Server Database.......................... 5-20

Task 7: Configure the Authentication Server for Use with RADIUS.................................. 5-20

Task 8: Configure the RADIUS Server for Use with the Authentication Server............... 5-20

Task 9: Configure Mapping Roles............................................................................................ 5-21

Using RADIUS to Log In to a Database....................................................................................... 5-22

RSA ACE/Server Conﬁguration Checklist................................................................................... 5-22

6 Configuring Kerberos Authentication

Enabling Kerberos Authentication ................................................................................................. 6-2

vii

Task 1: Install Kerberos................................................................................................................ 6-2

Task 2: Configure a Service Principal for an Oracle Database Server................................... 6-2

Task 3: Extract a Service Table from Kerberos ......................................................................... 6-3

Task 4: Install an Oracle Database Server and an Oracle Client............................................ 6-4

Task 5: Install Oracle Net Services and Oracle Advanced Security ...................................... 6-5

Task 6: Configure Oracle Net Services and Oracle Database................................................. 6-5

Task 7: Configure Kerberos Authentication ............................................................................. 6-5

Task 8: Create a Kerberos User................................................................................................. 6-10

Task 9: Create an Externally Authenticated Oracle User...................................................... 6-10

Task 10: Get an Initial Ticket for the Kerberos/Oracle User................................................ 6-11

Utilities for the Kerberos Authentication Adapter .................................................................... 6-11

Obtaining the Initial Ticket with the okinit Utility................................................................ 6-11

Displaying Credentials with the oklist Utility........................................................................ 6-12

Removing Credentials from the Cache File with the okdstry Utility ................................. 6-13

Connecting to an Oracle Database Server Authenticated by Kerberos.............................. 6-13

Conﬁguring Interoperability with a Windows 2000 Domain Controller KDC.................... 6-13

Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC 6-14

Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client 6-15

Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain

Controller KDC........................................................................................................................... 6-17

Task 4: Getting an Initial Ticket for the Kerberos/Oracle User........................................... 6-17

Troubleshooting ................................................................................................................................ 6-18

7 Configuring Secure Sockets Layer Authentication

SSL and TLS in an Oracle Environment......................................................................................... 7-2

Difference between SSL and TLS................................................................................................ 7-2

About Using SSL........................................................................................................................... 7-3

How SSL Works in an Oracle Environment: The SSL Handshake........................................ 7-4

Public Key Infrastructure in an Oracle Environment.................................................................. 7-5

About Public Key Cryptography................................................................................................ 7-5

Public Key Infrastructure Components in an Oracle Environment...................................... 7-6

SSL Combined with Other Authentication Methods................................................................ 7-10

Architecture: Oracle Advanced Security and SSL ................................................................. 7-10

viii

How SSL Works with Other Authentication Methods ......................................................... 7-10

SSL and Firewalls............................................................................................................................. 7-12

SSL Usage Issues............................................................................................................................... 7-14

Enabling SSL ..................................................................................................................................... 7-15

Task 1: Install Oracle Advanced Security and Related Products ........................................ 7-15

Task 2: Configure SSL on the Server........................................................................................ 7-15

Task 3: Configure SSL on the Client ........................................................................................ 7-23

Task 4: Log on to the Database................................................................................................. 7-31

Troubleshooting SSL........................................................................................................................ 7-31

Certiﬁcate Validation with Certiﬁcate Revocation Lists ........................................................... 7-35

What CRLs Should You Use? ................................................................................................... 7-35

How CRL Checking Works....................................................................................................... 7-36

Configuring Certificate Validation with Certificate Revocation Lists................................ 7-37

Certificate Revocation List Management................................................................................ 7-40

Troubleshooting Certificate Validation................................................................................... 7-45

Conﬁguring Your System to Use Hardware Security Modules ............................................... 7-48

General Guidelines for Using Hardware Security Modules with Oracle Advanced Security

....................................................................................................................................................... 7-48

Configuring Your System to Use nCipher Hardware Security Modules........................... 7-49

Troubleshooting Using Hardware Security Modules........................................................... 7-50

8 Using Oracle Wallet Manager

Oracle Wallet Manager Overview ................................................................................................... 8-2

Wallet Password Management................................................................................................... 8-2

Strong Wallet Encryption............................................................................................................ 8-3

Microsoft Windows Registry Wallet Storage ........................................................................... 8-3

Backward Compatibility.............................................................................................................. 8-3

Public-Key Cryptography Standards (PKCS) Support........................................................... 8-3

Multiple Certificate Support....................................................................................................... 8-4

LDAP Directory Support............................................................................................................. 8-7

Starting Oracle Wallet Manager....................................................................................................... 8-7

How To Create a Complete Wallet: Process Overview ................................................................ 8-8

Managing Wallets ............................................................................................................................... 8-9

Required Guidelines for Creating Wallet Passwords ............................................................. 8-9

Creating a New Wallet............................................................................................................... 8-10

Opening an Existing Wallet....................................................................................................... 8-13

Closing a Wallet.......................................................................................................................... 8-13

Importing Third-Party Wallets................................................................................................. 8-13

Exporting Oracle Wallets to Third-Party Environments ...................................................... 8-14

Exporting Oracle Wallets to Tools that Do Not Support PKCS #12.................................... 8-14

Uploading a Wallet to an LDAP Directory............................................................................. 8-15

Downloading a Wallet from an LDAP Directory .................................................................. 8-16

Saving Changes........................................................................................................................... 8-17

Saving the Open Wallet to a New Location............................................................................ 8-17

Saving in System Default........................................................................................................... 8-17

Deleting the Wallet..................................................................................................................... 8-18

Changing the Password............................................................................................................. 8-18

Using Auto Login ....................................................................................................................... 8-19

Managing Certiﬁcates ...................................................................................................................... 8-20

Managing User Certificates....................................................................................................... 8-20

Managing Trusted Certificates ................................................................................................. 8-25

9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

Connecting with User Name and Password.................................................................................. 9-1

Disabling Oracle Advanced Security Authentication................................................................. 9-2

Conﬁguring Multiple Authentication Methods ........................................................................... 9-4

Conﬁguring Oracle Database for External Authentication ....................................................... 9-5

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora................ 9-5

Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE............................................... 9-5

Setting OS_AUTHENT_PREFIX to a Null Value..................................................................... 9-6

10 Configuring Oracle DCE Integration

Introduction to Oracle DCE Integration....................................................................................... 10-2

System Requirements................................................................................................................. 10-2

Backward Compatibility............................................................................................................ 10-2

Components of Oracle DCE Integration ................................................................................. 10-2

Flexible DCE Deployment......................................................................................................... 10-4

Release Limitations..................................................................................................................... 10-4

Conﬁguring DCE for Oracle DCE Integration............................................................................ 10-5

Task 1: Create New Principals and Accounts......................................................................... 10-5

Task 2: Install the Key of the Server into a Keytab File......................................................... 10-6

Task 3: Configure DCE CDS for Use by Oracle DCE Integration ....................................... 10-6

Conﬁguring Oracle Database and Oracle Net Services for Oracle DCE Integration......... 10-8

DCE Address Parameters.......................................................................................................... 10-8

Task 1: Configure the Server..................................................................................................... 10-9

Task 2: Create and Name Externally Authenticated Accounts.......................................... 10-10

Task 3: Set up DCE Integration External Roles.................................................................... 10-12

Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases 10-15

Task 5: Configure the Client ................................................................................................... 10-16

Task 6: Configure Clients to Use DCE CDS Naming.......................................................... 10-19

Connecting to an Oracle Database Server in the DCE Environment ................................... 10-23

Starting the Listener................................................................................................................. 10-23

Connecting to an Oracle Database by Using DCE Authentication for Single Sign-On.. 10-24

Connecting to an Oracle Database by Using Password Authentication.......................... 10-25

Connecting Clients Outside DCE to Oracle Servers in DCE................................................. 10-25

Sample Parameter Files............................................................................................................ 10-25

Using tnsnames.ora for Name Lookup When CDS Is Inaccessible................................... 10-28

Part IV Enterprise User Security

11 Getting Started with Enterprise User Security

Introduction to Enterprise User Security..................................................................................... 11-2

The Challenges of User Management...................................................................................... 11-2

Enterprise User Security: The Big Picture............................................................................... 11-3

About Enterprise User Security Directory Entries............................................................... 11-11

About Using Shared Schemas for Enterprise User Security.................................................. 11-19

Overview of Shared Schemas Used in Enterprise User Security....................................... 11-19

How Shared Schemas Are Configured for Enterprise Users............................................. 11-20

How Enterprise Users Are Mapped to Schemas.................................................................. 11-20

About Using Current User Database Links for Enterprise User Security........................... 11-23

Enterprise User Security Deployment Considerations........................................................... 11-25

Security Aspects of Centralizing Security Credentials ....................................................... 11-25

Security of Password-Authenticated Enterprise User Database Login Information...... 11-26

Considerations for Defining Database Membership in Enterprise Domains.................. 11-27

Considerations for Choosing Authentication Types between Clients, Databases, and

Directories for Enterprise User Security................................................................................ 11-28

12 Enterprise User Security Configuration Tasks and Troubleshooting

Enterprise User Security Conﬁguration Overview..................................................................... 12-1

Enterprise User Security Conﬁguration Roadmap..................................................................... 12-4

Preparing the Directory for Enterprise User Security................................................................ 12-5

Conﬁguring Enterprise User Security Objects in the Database and the Directory ........... 12-11

Conﬁguring Enterprise User Security for Password Authentication ................................... 12-16

Conﬁguring Enterprise User Security for Kerberos Authentication .................................... 12-18

Conﬁguring Enterprise User Security for SSL Authentication.............................................. 12-21

Viewing the Database DN in the Wallet and in the Directory........................................... 12-24

Enabling Current User Database Links...................................................................................... 12-25

Troubleshooting Enterprise User Security................................................................................. 12-26

ORA-# Errors for Password-Authenticated Enterprise Users............................................ 12-26

ORA-# Errors for Kerberos-Authenticated Enterprise Users............................................. 12-29

ORA-# Errors for SSL-Authenticated Enterprise Users ...................................................... 12-32

NO-GLOBAL-ROLES Checklist ............................................................................................. 12-33

USER-SCHEMA ERROR Checklist........................................................................................ 12-34

DOMAIN-READ-ERROR Checklist ...................................................................................... 12-35

13 Administering Enterprise User Security

Enterprise User Security Administration Tools Overview....................................................... 13-2

Administering Identity Management Realms ............................................................................ 13-3

Identity Management Realm Versions.................................................................................... 13-4

Setting Properties of an Identity Management Realm .......................................................... 13-5

Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base

Identity Management Realm Attributes.................................................................................. 13-5

Setting the Default Database-to-Directory Authentication Type for an Identity Management

Realm ............................................................................................................................................ 13-6

Managing Identity Management Realm Administrators...................................................... 13-7

Administering Enterprise Users..................................................................................................... 13-8

Creating New Enterprise Users................................................................................................ 13-9

Setting Enterprise User Passwords ........................................................................................ 13-10

Defining an Initial Enterprise Role Assignment .................................................................. 13-11

xii

Browsing Users in the Directory ............................................................................................ 13-12

Administering Enterprise Domains............................................................................................ 13-15

Creating a New Enterprise Domain....................................................................................... 13-16

Defining Database Membership of an Enterprise Domain ................................................ 13-17

Managing Database Security Options for an Enterprise Domain..................................... 13-19

Managing Enterprise Domain Administrators .................................................................... 13-20

Managing Enterprise Domain Database Schema Mappings.............................................. 13-20

Managing Password Accessible Domains ............................................................................ 13-23

Managing Database Administrators...................................................................................... 13-25

Administering Enterprise Roles .................................................................................................. 13-27

Creating a New Enterprise Role............................................................................................. 13-27

Assigning Database Global Role Membership to an Enterprise Role............................... 13-28

Granting Enterprise Roles to Users........................................................................................ 13-31

Part V Appendixes

A Data Encryption and Integrity Parameters

Sample sqlnet.ora File........................................................................................................................ A-1

Data Encryption and Integrity Parameters .................................................................................... A-3

Encryption and Integrity Parameters ........................................................................................ A-4

Seeding the Random Key Generator (Optional)...................................................................... A-8

B Authentication Parameters

Parameters for Clients and Servers using Kerberos Authentication........................................ B-1

Parameters for Clients and Servers using RADIUS Authentication........................................ B-2

sqlnet.ora File Parameters ........................................................................................................... B-2

Minimum RADIUS Parameters.................................................................................................. B-6

Initialization File Parameters...................................................................................................... B-7

Parameters for Clients and Servers using SSL.............................................................................. B-7

SSL Authentication Parameters.................................................................................................. B-7

Cipher Suite Parameters.............................................................................................................. B-8

SSL Version Parameters............................................................................................................... B-9

SSL Client Authentication Parameters .................................................................................... B-10

Wallet Location........................................................................................................................... B-12

xiii

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface........................................................... C-1

Customizing the RADIUS Challenge-Response User Interface............................................... C-2

D Oracle Advanced Security FIPS 140-1 Settings

Conﬁguration Parameters................................................................................................................. D-1

Server Encryption Level Setting................................................................................................ D-2

Client Encryption Level Setting................................................................................................. D-2

Server Encryption Selection List................................................................................................ D-2

Client Encryption Selection List ................................................................................................ D-3

Cryptographic Seed Value.......................................................................................................... D-3

FIPS Parameter............................................................................................................................. D-3

Post Installation Checks ................................................................................................................... D-4

Status Information............................................................................................................................. D-4

Physical Security................................................................................................................................ D-5

E orapki Utility

orapki Utility Overview..................................................................................................................... E-2

orapki Utility Syntax .................................................................................................................... E-2

Creating Signed Certiﬁcates for Testing Purposes....................................................................... E-3

Managing Oracle Wallets with orapki Utility............................................................................... E-4

Creating and Viewing Oracle Wallets with orapki.................................................................. E-4

Adding Certificates and Certificate Requests to Oracle Wallets with orapki...................... E-5

Exporting Certificates and Certificate Requests from Oracle Wallets with orapki............. E-6

Managing Certiﬁcate Revocation Lists (CRLs) with orapki Utility.......................................... E-6

orapki Utility Commands Summary............................................................................................... E-7

orapki cert create........................................................................................................................... E-7

orapki cert display........................................................................................................................ E-8

orapki crl delete............................................................................................................................. E-8

orapki crl display.......................................................................................................................... E-9

orapki crl hash............................................................................................................................ E-10

orapki crl list............................................................................................................................... E-10

orapki crl upload........................................................................................................................ E-11

orapki wallet add....................................................................................................................... E-12

xiv

orapki wallet create.................................................................................................................... E-13

orapki wallet display.................................................................................................................. E-13

orapki wallet export................................................................................................................... E-13

F Entrust-Enabled SSL Authentication

Beneﬁts of Entrust-Enabled Oracle Advanced Security.............................................................. F-2

Enhanced X.509-Based Authentication and Single Sign-On.................................................. F-2

Integration with Entrust Authority Key Management ........................................................... F-2

Integration with Entrust Authority Certificate Revocation.................................................... F-2

Required System Components for Entrust-Enabled Oracle Advanced Security................... F-3

Entrust Authority for Oracle....................................................................................................... F-3

Entrust Authority Server Login Feature ................................................................................... F-4

Entrust Authority IPSec Negotiator Toolkit............................................................................. F-5

Entrust Authentication Process........................................................................................................ F-5

Enabling Entrust Authentication..................................................................................................... F-6

Creating Entrust Profiles ............................................................................................................. F-6

Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ...... F-8

Configuring SSL on the Client and Server for Entrust-Enabled SSL.................................... F-8

Configuring Entrust on the Client ............................................................................................. F-8

Configuring Entrust on the Server............................................................................................. F-9

Creating Entrust-Enabled Database Users.............................................................................. F-12

Logging Into the Database Using Entrust-Enabled SSL ....................................................... F-12

Issues and Restrictions that Apply to Entrust-Enabled SSL................................................... F-12

Troubleshooting Entrust In Oracle Advanced Security............................................................ F-13

Error Messages Returned When Running Entrust on Any Platform ................................. F-13

Error Messages Returned When Running Entrust on Windows Platforms ...................... F-15

General Checklist for Running Entrust on Any Platform .................................................... F-17

G Using the User Migration Utility

Beneﬁts of Migrating Local or External Users to Enterprise Users.......................................... G-1

Introduction to the User Migration Utility................................................................................... G-2

Bulk User Migration Process Overview................................................................................... G-3

About the ORCL_GLOBAL_USR_MIGRATION_DATA Table........................................... G-4

Migration Effects on Users' Old Database Schemas............................................................... G-6

Migration Process........................................................................................................................ G-7

Prerequisites for Performing Migration........................................................................................ G-8

Required Database Privileges .................................................................................................... G-8

Required Directory Privileges.................................................................................................... G-9

Required Setup to Run the User Migration Utility................................................................. G-9

User Migration Utility Command Line Syntax.......................................................................... G-10

Accessing Help for the User Migration Utility.......................................................................... G-11

User Migration Utility Parameters ............................................................................................... G-12

User Migration Utility Usage Examples...................................................................................... G-20

Migrating Users While Retaining Their Own Schemas ....................................................... G-20

Migrating Users and Mapping to a Shared Schema............................................................. G-21

Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters............... G-25

Troubleshooting Using the User Migration Utility................................................................... G-26

Common User Migration Utility Error Messages................................................................. G-26

Common User Migration Utility Log Messages ................................................................... G-32

Summary of User Migration Utility Error and Log Messages............................................ G-34

Glossary Index

xvi

xvii

List of Figures

1–1 Encryption .............................................................................................................................. 1-5

1–2 Strong Authentication with Oracle Authentication Adapters........................................ 1-8

1–3 How a Network Authentication Service Authenticates a User...................................... 1-9

1–4 Centralized User Management with Enterprise User Security..................................... 1-13

1–5 Oracle Advanced Security in an Oracle Networking Environment ............................ 1-15

1–6 Oracle Net with Authentication Adapters....................................................................... 1-16

2–1 Oracle Advanced Security Profile in Oracle Net Manager.............................................. 2-4

2–2 Oracle Wallet Manager User Interface ............................................................................... 2-7

2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane .... 2-9

2–4 Directory Server Login Window....................................................................................... 2-17

2–5 Enterprise Security Manager User Interface.................................................................... 2-18

2–6 Enterprise Security Manager Databases Tabbed Window............................................ 2-20

2–7 Enterprise Security Manager Console Login Page ......................................................... 2-23

2–8 ESM Console URL Window............................................................................................... 2-24

2–9 Enterprise Security Manager Console User Interface .................................................... 2-25

2–10 Enterprise Security Manager Console Users Subtab...................................................... 2-26

2–11 Enterprise Security Manager Console Group Subtab .................................................... 2-28

2–12 Enterprise Security Manager Console Edit Group Page................................................ 2-29

2–13 Enterprise Security Manager Console Realm Configuration Tabbed Window......... 2-30

2–14 Opening Page of Oracle Net Configuration Assistant................................................... 2-33

3–1 Oracle Advanced Security Encryption Window............................................................. 3-10

3–2 Oracle Advanced Security Integrity Window................................................................. 3-12

5–1 RADIUS in an Oracle Environment.................................................................................... 5-2

5–2 Synchronous Authentication Sequence.............................................................................. 5-4

5–3 Asynchronous Authentication Sequence........................................................................... 5-6

5–4 Oracle Advanced Security Authentication Window...................................................... 5-10

5–5 Oracle Advanced Security Other Params Window........................................................ 5-12

6–1 Oracle Advanced Security Authentication Window (Kerberos).................................... 6-6

6–2 Oracle Advanced Security Other Params Window (Kerberos)...................................... 6-7

7–1 SSL in Relation to Other Authentication Methods......................................................... 7-11

7–2 SSL Cipher Suites Window................................................................................................ 7-19

7–3 Oracle Advanced Security SSL Window (Server)........................................................... 7-20

7–4 Oracle Advanced Security SSL Window (Server)........................................................... 7-22

7–5 Oracle Advanced Security SSL Window (Client) ........................................................... 7-26

7–6 Oracle Advanced Security SSL Window (Client) ........................................................... 7-29

7–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected

................................................................................................................................................ 7-38

9–1 Oracle Advanced Security Authentication Window........................................................ 9-3

11–1 Enterprise User Security and the Oracle Security Architecture ................................... 11-4

11–2 Example of Enterprise Roles............................................................................................ 11-13

xviii

11–3 Related Entries in a Realm Oracle Context.................................................................... 11-16

12–1 Enterprise User Security Configuration Flow Chart...................................................... 12-3

13–1 Enterprise Security Manager Console Home Page ........................................................ 13-9

13–2 Enterprise Security Manager Console Edit User Window: Basic Information ........ 13-10

13–3 Enterprise Security Manager: Add Enterprise Roles Window................................... 13-12

13–4 Enterprise Security Manager: Main Window (All Users Tab).................................... 13-13

13–5 Enterprise Security Manager: Create Enterprise Domain Window........................... 13-16

13–6 Enterprise Security Manager: Databases Tab (Database Membership) .................... 13-17

13–7 Enterprise Security Manager: Add Databases Window.............................................. 13-18

13–8 Enterprise Security Manager: Database Schema Mappings Tab................................ 13-21

13–9 Enterprise Security Manager: Add Database Schema Mappings Window.............. 13-22

13–10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box..... 13-24

13–11 Enterprise Security Manager: Create Enterprise Role Window................................. 13-27

13–12 Enterprise Security Manager: Database Global Roles Tab.......................................... 13-29

13–13 Enterprise Security Manager: Database Authentication Required Window............ 13-30

13–14 Enterprise Security Manager: Add Enterprise Users Window .................................. 13-31

F–1 Entrust Authentication Process........................................................................................... F-6

xix

List of Tables

1–1 Authentication Methods and System Requirements ..................................................... 1-17

2–1 Oracle Wallet Manager Navigator Pane Objects ............................................................. 2-8

2–2 Oracle Wallet Manager Toolbar Buttons ........................................................................ 2-10

2–3 Oracle Wallet Manager Wallet Menu Options............................................................... 2-10

2–4 Oracle Wallet Manager Operations Menu Options....................................................... 2-11

2–5 Oracle Wallet Manager Help Menu Options ................................................................. 2-12

2–6 Enterprise User Security Tools Summary........................................................................ 2-13

2–7 Enterprise Security Manager Authentication Methods................................................ 2-17

2–8 Enterprise Security Manager Navigator Pane Folders ................................................. 2-19

2–9 Enterprise Security Manager File Menu Options.......................................................... 2-21

2–10 Enterprise Security Manager Operations Menu Options............................................. 2-21

2–11 Enterprise Security Manager Help Menu Options........................................................ 2-21

2–12 Enterprise Security Manager Console User Subtab Buttons........................................ 2-27

2–13 Realm Configuration Tabbed Window Fields ............................................................... 2-30

2–14 Common Security Administrator/DBA Configuration and Administrative Tasks. 2-34 2–15 Common Enterprise User Security Administrator Configuration and Administrative

Tasks...................................................................................................................................... 2-36

3–1 Encryption and Data Integrity Negotiations..................................................................... 3-8

3–2 Valid Encryption Algorithms............................................................................................ 3-11

3–3 Valid Integrity Algorithms................................................................................................. 3-13

4–1 ORACLE.NET.ENCRYPTION_CLIENT Parameter Attributes ..................................... 4-4

4–2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ....................... 4-5

4–3 ORACLE.NET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes ...................... 4-5

4–4 ORACLE.NET.CRYPTO_CHEKSUM_TYPES_CLIENT Parameter Attributes........... 4-6

5–1 RADIUS Authentication Components.............................................................................. 5-3

5–2 RADIUS Configuration Parameters ................................................................................. 5-21

6–1 Options for the okinit Utility ............................................................................................ 6-11

6–2 Options for the oklist Utility............................................................................................. 6-12

7–1 Oracle Advanced Security Cipher Suites........................................................................ 7-18

8–1 KeyUsage Values................................................................................................................... 8-5

8–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet...................... 8-5

8–3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet ................ 8-6

8–4 PKI Wallet Encoding Standards........................................................................................ 8-15

8–5 Certificate Request: Fields and Descriptions.................................................................. 8-21

8–6 Available Key Sizes............................................................................................................. 8-22

10–1 DCE Address Parameters and Definitions ..................................................................... 10-8

10–2 Setting Up External Role Syntax Components.............................................................. 10-13

11–1 Enterprise User Security Authentication: Selection Criteria....................................... 11-10

11–2 Administrative Groups in a Realm Oracle Context .................................................... 11-18

xxi

11–3 Enterprise User Security: Supported Authentication Types for Connections between

Clients, Databases, and Directories ................................................................................. 11-28

13–1 Identity Management Realm Properties .......................................................................... 13-5

13–2 Enterprise User Security Identity Management Realm Administrators ..................... 13-7

13–3 Directory Search Criteria.................................................................................................. 13-14

13–4 Enterprise Security Manager Database Security Options............................................ 13-19

A–1 Algorithm Type Selection..................................................................................................... A-3

A–2 SQLNET.ENCRYPTION_SERVER Parameter Attributes............................................... A-4

A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes ............................................... A-5

A–4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes................................ A-5

A–5 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes................................. A-5

A–6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes................................. A-6

A–7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ................................. A-7

A–8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes.................. A-8

A–9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes .................. A-8

B–1 Kerberos Authentication Parameters................................................................................. B-1

B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes ............................... B-2

B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes.................................... B-2

B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes....................... B-3

B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes............... B-3

B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes.................. B-3

B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes................................ B-4

B–8 SQLNET.RADIUS_SECRET Parameter Attributes........................................................... B-4

B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes................................................. B-4

B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes .................................... B-4

B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes ............................ B-5

B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes............................... B-5

B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes ......................... B-5

B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes ......................... B-6

B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes........... B-6

B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes.................................................. B-6

B–17 Wallet Location Parameters .............................................................................................. B-12

C–1 Server Encryption Level Setting......................................................................................... C-2

D–1 Sample Output from v$session_connect_info.................................................................. D-4

G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema....................................... G-5

G–2 Interface Table Column Values That Can Be Modified between Phase One and Phase

Two ......................................................................................................................................... G-6

G–3 Effects of Choosing Shared Schema Mapping with CASCADE Options..................... G-7

G–4 Alphabetical Listing of User Migration Utility Error Messages................................. G-34

G–5 Alphabetical Listing of User Migration Utility Log Messages .................................... G-35

xxii

Send Us Your Comments

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)

Part No. B10772-01

Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision.

■ Did you ﬁnd any errors?

■ Is the information clearly presented?

■ Do you need more information? If so, where?

■ Are the examples correct? Do you need more examples?

■ What features did you like most?

If you ﬁnd any errors or have any other suggestions for improvement, please indicate the document title and part number, and the chapter, section, and page number (if available). You can send comments to us in the following ways:

■ Electronic mail: infodev_us@oracle.com

■ FAX: (650) 506-7227 Attn: Server Technologies Documentation Manager

■ Postal service:

Oracle Corporation Server Technologies Documentation 500 Oracle Parkway, Mailstop 4op11 Redwood Shores, CA 94065 USA

If you would like a reply, please give your name, address, telephone number, and (optionally) electronic mail address.

If you have problems with the software, please contact your local Oracle Support Services.

xxiii

xxiv

Preface

Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security.

Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.

The Oracle Database Advanced Security Administrator's Guide describes how to implement, conﬁgure and administer Oracle Advanced Security.

This preface contains these topics:

■ Audience

■ Organization

■ Related Documentation

■ Conventions

■ Documentation Accessibility

xxv

Audience

Organization

The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, conﬁguration, and administration of Oracle Advanced Security including:

■ Implementation consultants

■ System administrators

■ Security administrators

■ Database administrators (DBAs)

This document contains the following chapters:

Part I, "Getting Started with Oracle Advanced Security"

Chapter 1, "Introduction to Oracle Advanced Security"

This chapter provides an overview of Oracle Advanced Security features provided with this release.

Chapter 2, "Conﬁguration and Administration Tools Overview"

This chapter provides an introduction and overview of Oracle Advanced Security GUI and command-line tools.

xxvi

Part II, "Network Data Encryption and Integrity"

Chapter 3, "Conﬁguring Network Data Encryption and Integrity for Oracle Servers and Clients"

This chapter describes how to conﬁgure data encryption and integrity within an existing Oracle Net Services 10g Release 1 (10.1) network.

Chapter 4, "Conﬁguring Network Data Encryption and Integrity for Thin JDBC Clients"

This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.

Part III, "Oracle Advanced Security Strong Authentication"

Chapter 5, "Conﬁguring RADIUS Authentication"

This chapter describes how to conﬁgure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.

Chapter 6, "Conﬁguring Kerberos Authentication"

This chapter describes how to conﬁgure Oracle for use with MIT Kerberos and provides a brief overview of steps to conﬁgure Kerberos to authenticate Oracle users. It also includes a brief section that discusses interoperability between the Oracle Advanced Security Kerberos adapter and a Microsoft KDC.

Chapter 7, "Conﬁguring Secure Sockets Layer Authentication"

This chapter describes how Oracle Advanced Security supports a public key infrastructure (PKI). It includes a discussion of conﬁguring and using the Secure Sockets Layer (SSL), certiﬁcate validation, and hardware security module support features of Oracle Advanced Security.

Chapter 8, "Using Oracle Wallet Manager"

This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.

Chapter 9, "Conﬁguring Multiple Authentication Methods and Disabling Oracle Advanced Security"

This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to use conventional user name and password authentication. It also describes how to conﬁgure the network so that Oracle clients can use a speciﬁc authentication method, and Oracle servers can accept any method speciﬁed.

Chapter 10, "Conﬁguring Oracle DCE Integration"

This chapter provides a brief discussion of Open Software Foundation (OSF) DCE and Oracle DCE Integration, including what you need to do to conﬁgure DCE to use Oracle DCE Integration, how to conﬁgure the DCE CDS naming adapter, DCE

xxvii

parameters, and how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP.

Part IV, "Enterprise User Security"

Chapter 11, "Getting Started with Enterprise User Security"

This chapter describes the Oracle LDAP directory and database integration that enables you to store and manage users' authentication information in Oracle Internet Directory. This feature makes identity management services available to Oracle databases, which provides single sign-on to users (users can authenticate themselves to the database once and subsequent authentications occur transparently). It describes the components and provides an overview of how Enterprise User Security works.

Chapter 12, "Enterprise User Security Conﬁguration Tasks and Troubleshooting"

This chapter explains how to conﬁgure Enterprise User Security, providing a conﬁguration steps roadmap and the tasks required to conﬁgure password-, SSL-, and Kerberos-based Enterprise User Security authentication.

Chapter 13, "Administering Enterprise User Security"

This chapter describes how to use the Enterprise Security Manager to deﬁne directory identity management realm properties and to manage enterprise users, enterprise domains, and enterprise roles.

xxviii

Part V, "Appendixes"

Appendix A, "Data Encryption and Integrity Parameters"

This appendix describes Oracle Advanced Security data encryption and integrity conﬁguration parameters.

Appendix B, "Authentication Parameters"

This appendix describes Oracle Advanced Security authentication conﬁguration ﬁle parameters.

Appendix C, "Integrating Authentication Devices Using RADIUS"

This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.

Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"

This appendix describes the sqlnet.ora conﬁguration parameters required to comply with the FIPS 140-1 Level 2 evaluated conﬁguration.

Appendix E, "orapki Utility"

This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certiﬁcate revocation lists (CRLs). You can also use this utility to create and manage Oracle wallets; create certiﬁcate requests, signed certiﬁcates, and user certiﬁcates for testing purposes; and to export certiﬁcates and certiﬁcate requests from Oracle wallets.

Appendix F, "Entrust-Enabled SSL Authentication"

This appendix describes how to conﬁgure and use Entrust-enabled Oracle Advanced Security for Secure Sockets Layer (SSL) authentication.

Appendix G, "Using the User Migration Utility"

This appendix describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It provides utility syntax, prerequisites, and usage examples.

Glossary

Conventions

■ Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in

C by Bruce Schneier. New York: John Wiley & Sons, 1996.

■ SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York:

John Wiley & Sons, 2000.

■ Understanding and Deploying LDAP Directory Services by Timothy A. Howes,

Ph.D., Mark C. Smith, and Gordon S. Good . Indianapolis: New Riders Publishing, 1999.

■ Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment

Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New Riders Publishing, 1999.

This section describes the conventions used in the text and code examples of this documentation set. It describes:

■ Conventions in Text

■ Conventions in Code Examples

■ Conventions for Windows Operating Systems

Conventions in Text

We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.

Convention Meaning Example

Bold Bold typeface indicates terms that are

deﬁned in the text or terms that appear in

When you specify this clause, you create an index-organized table.

a glossary, or both.

Italics Italic typeface indicates book titles or

emphasis.

Oracle Database Concepts

Ensure that the recovery catalog and target database do not reside on the same disk.

xxxi

Convention Meaning Example

UPPERCASE monospace (fixed-width) font

lowercase monospace (fixed-width) font

Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles.

Lowercase monospace typeface indicates executables, ﬁlenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identiﬁers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values.

Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.

You can specify this clause only for a NUMBER column.

You can back up the database by using the BACKUP command.

Query the TABLE_NAME column in the USER_ TABLES data dictionary view.

Use the DBMS_STATS.GENERATE_STATS procedure.

Enter sqlplus to open SQL*Plus. The password is speciﬁed in the orapwd ﬁle. Back up the dataﬁles and control ﬁles in the

/disk1/oracle/dbs directory. The department_id, department_name,

and location_id columns are in the hr.departments table.

Set the QUERY_REWRITE_ENABLED initialization parameter to true.

Connect as oe user. The JRepUtil class implements these

methods.

lowercase italic monospace (fixed-width) font

xxxii

Lowercase italic monospace font represents placeholders or variables.

You can specify the parallel_clause. Run Uold_release.SQL where old_

release refers to the release you installed prior to upgrading.

Conventions in Code Examples

Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (ﬁxed-width) font and separated from normal text as shown in this example:

SELECT username FROM dba_users WHERE username = 'MIGRATE';

The following table describes typographic conventions used in code examples and provides examples of their use.

Convention Meaning Example

[ ] Brackets enclose one or more optional

items. Do not enter the brackets.

{ } Braces enclose two or more items, one of

which is required. Do not enter the braces.

| A vertical bar represents a choice of two

or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.

... Horizontal ellipsis points indicate either:

■ That we have omitted parts of the

code that are not directly related to the example

■ That you can repeat a portion of the

code

. . .

Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.

DECIMAL (digits [ , precision ])

{ENABLE | DISABLE}

{ENABLE | DISABLE} [COMPRESS | NOCOMPRESS]

CREATE TABLE ... AS subquery;

SELECT col1, col2, ... , coln FROM employees;

SQL> SELECT NAME FROM V$DATAFILE; NAME

-----------------------------------/fsl/dbs/tbs_01.dbf /fs1/dbs/tbs_02.dbf . . . /fsl/dbs/tbs_09.dbf 9 rows selected.

Other notation You must enter symbols other than

brackets, braces, vertical bars, and ellipsis points as shown.

Italics Italicized text indicates placeholders or

variables for which you must supply particular values.

UPPERCASE Uppercase typeface indicates elements

supplied by the system. We show these terms in uppercase in order to distinguish them from terms you deﬁne. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.

acctbal NUMBER(11,2); acct CONSTANT NUMBER(4) := 3;

CONNECT SYSTEM/system_password DB_NAME = database_name

SELECT last_name, employee_id FROM employees; SELECT * FROM USER_TABLES; DROP TABLE hr.employees;

xxxiii

Convention Meaning Example

lowercase Lowercase typeface indicates

programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or ﬁles.

Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.

SELECT last_name, employee_id FROM employees; sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9;

Conventions for Windows Operating Systems

The following table describes conventions for Windows operating systems and provides examples of their use.

Convention Meaning Example

Choose Start > How to start a program. To start the Database Conﬁguration Assistant,

File and directory names

C:\> Represents the Windows command

File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator,even when it appears in quotes. If the ﬁle name begins with \\, then Windows assumes it uses the Universal Naming Convention.

prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reﬂects the subdirectory in which you are working. Referred to as the command prompt in this manual.

choose Start > Programs > Oracle - HOME_ NAME > Conﬁguration and Migration Tools > Database Conﬁguration Assistant.

c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32

C:\oracle\oradata>

xxxiv

Convention Meaning Example

Special characters The backslash (\) special character is

HOME_NAME Represents the Oracle home name. The

ORACLE_HOME and ORACLE_ BASE

sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters.

home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore.

In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows NT, the default location was C:\orant.

This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level ORACLE_HOME directory. There is a top level directory called ORACLE_BASE that by default is C:\oracle. If you install the latest Oracle release on a computer with no other Oracle software installed, then the default setting for the ﬁrst Oracle home directory is C:\oracle\orann, where nn is the latest release number. The Oracle home directory is located directly under ORACLE_BASE.

All directory path examples in this guide follow OFA conventions.

Refer to Oracle Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories.

C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\" C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)

C:\> net start OracleHOME_NAMETNSListener

Go to the ORACLE_BASE\ORACLE_ HOME\rdbms\admin directory.

xxxv

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology.This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation JAWS, a Windows screen

reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation This

documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

xxxvi

What's New in Orac le Ad vanced Security?

This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.

The following sections describe the new features in Oracle Advanced Security:

■ Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

■ Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Oracle Advanced Security 10g Release 1 (10.1) includes new features in the following areas:

■ New Features in Strong Authentication

■ New Features in Enterprise User Security

New Features in Strong Authentication

Oracle Advanced Security provides several strong authentication options, including support for RADIUS, Kerberos, and PKI (public key infrastructure). This release provides the following new features for strong authentication:

■ Support for TLS (Transport Layer Security), version 1.0

TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet

xxxvii

Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a conﬁgurable option provided in Oracle Net Manager.

See Also: Chapter 7, "Conﬁguring Secure Sockets Layer

Authentication" for conﬁguration details

■ Support for Hardware Security Modules, including Oracle Wallet Manager

Integration In this release, Oracle Advanced Security supports hardware security modules

which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a hardware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.

Hardware security modules can be used for the following functions: – Store cryptographic information, such as private keys, which provides

stronger security

– Perform cryptographic operations to off load RSA operations from the

server, freeing the CPU to respond to other transactions

See Also:

■ "Conﬁguring Your System to Use Hardware Security Modules"

on page 7-48 for conﬁguration details

xxxviii

■ "Creating a Wallet to Store Hardware Security Module

Credentials" on page 8-11

■ CRL (Certiﬁcate Revocation Lists) and CRLDP (CRL Distribution Point)

Support for Certiﬁcate Validation In the current release, you now have the option to conﬁgure certiﬁcate

revocation status checking for both the client and the server. Certiﬁcate revocation status is checked against CRLs which are located in ﬁle system directories, Oracle Internet Directory, or downloaded from the location speciﬁed in the CRL Distribution Point (CRL DP) extension on the certiﬁcate. The orapki utility has also been added for CRL management and for managing Oracle wallets and certiﬁcates.

See Also:

■ "Certiﬁcate Validation with Certiﬁcate Revocation Lists" on

page 7-35 for details

■ Appendix E, "orapki Utility" for details about orapki

command line utility

New Features in Enterprise User Security

■ Kerberos Authenticated Enterprise Users

Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directory users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPrincipalName attribute).

See Also: "Conﬁguring Enterprise User Security for Kerberos

Authentication" on page 12-18 for conﬁguration details

■ Public Key Infrastructure (PKI) Credentials No Longer Required for

Database-to-Oracle Internet Directory Connections In this release, a database can bind to Oracle Internet Directory by using

password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and multiple databases. SASL (Simple Authentication and Security Layer) is a standard deﬁned in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.

See Also: "Conﬁguring Enterprise User Security for Password

Authentication" on page 12-16 for conﬁguration details

■ Support for User Management in Third-Party LDAP Directories

In the current release of Enterprise User Security, you can store and manage your users and their passwords in third-party LDAP directories. This feature is made possible with

– Directory Integration Platform, which automatically synchronizes

third-party directories with Oracle Internet Directory, and

xxxix

– Oracle Database recognition of standard password veriﬁers, which is also

new in this release.

■ Tool Changes

– New Tool: Enterprise Security Manager Console

The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release. Administrators can use this tool to create enterprise users, enterprise user security groups, and to conﬁgure identity management realm attributes in the directory that relate to Enterprise User Security.

– In this release, Oracle Enterprise Login Assistant functionality has been

migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:

If you used Oracle Enterprise Login Assistant to... Then now you should use...

Change the directory-to-database password Enterprise Security Manager Console Change an Oracle wallet password Oracle Wallet Manager Enable auto login for an Oracle wallet Oracle Wallet Manager

See Also: The following sections for information about Enterprise

Security Manager Console and how to use it:

■ "Enterprise Security Manager Console Overview" on page 2-22,

which provides a brief introduction to the tool.

■ Chapter 13, "Administering Enterprise User Security", which

provides procedural information for using the tool to manage enterprise users.

Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

The new features for Oracle Advanced Security in release 2 (9.2) include the following:

■ Support for Advanced Encryption Standard (AES)

AES is a new cryptographic algorithm standard developed to replace Data Encryption Standard (DES).

See Also:

■ "Advanced Encryption Standard" on page 1-6 for a brief

overview of this encryption algorithm

■ Chapter 3, "Conﬁguring Network Data Encryption and

Integrity for Oracle Servers and Clients" for conﬁguration

details

■ SSL Hardware Accelerator Support

In release 2 (9.2), complex public key cryptographic operations can be off loaded to hardware accelerators to improve the performance of SSL transactions.

See Also: "Conﬁguring Your System to Use Hardware Security

Modules" on page 7-48 for conﬁguration details

■ New Enterprise User Security Tool: User Migration Utility

This utility enables administrators to perform bulk migrations of database users to Oracle Internet Directory for centralized user storage and management.

See Also: Appendix G, "Using the User Migration Utility" for

information about this tool and how to use it.

xli

xlii

Part I

Getting Started with Oracle Advanced

Security

This part introduces Oracle Advanced Security, describing the security solutions it provides, its features, and its tools. It contains the following chapters:

■ Chapter 1, "Introduction to Oracle Advanced Security"

■ Chapter 2, "Conﬁguration and Administration Tools Overview"

Introduction to Orac le Advanced Security

This chapter introduces Oracle Advanced Security, summarizing the security risks it addresses, and describing its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure.

This chapter contains the following topics:

■ Security Challenges in an Enterprise Environment

■ Solving Security Challenges with Oracle Advanced Security

■ Oracle Advanced Security Architecture

■ Secure Data Transfer Across Network Protocol Boundaries

■ System Requirements

■ Oracle Advanced Security Restrictions

Security Challenges in an Enterprise Environment

To increase efﬁciency and lower costs, companies adopt strategies to automate business processes. One such strategy is to conduct more business on the Web, but that requires greater computing power, translating to higher IT costs. In response to rising IT costs, more and more businesses are considering enterprise grid

computing architectures where inexpensive computers act as one powerful

machine. While such strategies improve the bottom line, they introduce risks, which are associated with securing data in motion and managing an ever increasing number of user identities.

This section examines the security challenges of today's enterprise computing environments in the following topics:

Introduction to Oracle Advanced Security 1-1

Security Challenges in an Enterprise Environment

■ Security in Enterprise Grid Computing Environments

■ Security in an Intranet or Internet Environment

■ Common Security Threats

Security in Enterprise Grid Computing Environments

Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer. It provides ﬂexibility, lower costs, and IT investment protection because inexpensive, off-the-shelf components can be added to the grid as business needs change. While providing signiﬁcant beneﬁts, grid computing environments present unique security requirements because their computing resources are distributed and often heterogeneous. The following sections discuss these requirements.

Distributed Environment Security Requirements

Enterprise grid computing pools distributed business computing resources to cost effectively harness the power of clustered servers and storage. A distributed environment requires secure network connections. Even more critical in grid environments, it is necessary to have a uniform deﬁnition of "who is a user" and "what are they allowed to do." Without such uniform deﬁnitions, administrators frequently must assign, manage, and revoke authorizations for every user on different software applications to protect employee, customer, and partner information. This is expensive because it takes time, which drives up costs. Consequently, the cost savings gained with grid computing are lost.

Heterogeneous Environment Security Requirements

Because grid computing environments often grow as business needs change, computing resources are added over time, resulting in diverse collections of hardware and software. Such heterogeneous environments require support for different types of authentication mechanisms which adhere to industry standards. Without strict adherence to industry standards, integrating heterogeneous components becomes costly and time consuming. Once again the beneﬁts of grid computing are squandered when the appropriate infrastructure is not present.

Security in an Intranet or Internet Environment

Oracle databases power the largest and most popular Web sites on the Internet. In record numbers, organizations throughout the world are deploying distributed databases and client/server applications based on Oracle Database and Oracle Net Services. This proliferation of distributed computing is matched by an increase in

1-2 Oracle Database Advanced Security Administrator's Guide

the amount of information that organizations place on computers. Employee and ﬁnancial records, customer orders, product information, and other sensitive data have moved from ﬁling cabinets to ﬁle structures. The volume of sensitive information on the Web has thus increased the value of data that can be compromised.

Common Security Threats

The increased volume of data in distributed, heterogeneous environments exposes users to a variety of security threats, including the following:

■ Eavesdropping and Data Theft

■ Data Tampering

■ Falsifying User Identities

■ Password-Related Threats

Eavesdropping and Data Theft

Over the Internet and in wide area network environments, both public carriers and private networks route portions of their network through insecure land lines, vulnerable microwave and satellite links, or a number of servers— exposing valuable data to interested third parties. In local area network environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them, and network sniffers can be installed to eavesdrop on network trafﬁc.

Security Challenges in an Enterprise Environment

Data Tampering

Distributed environments bring with them the possibility that a malicious third party can compromise integrity by tampering with data as it moves between sites.

Falsifying User Identities

In a distributed environment, it is more feasible for a user to falsify an identity to gain access to sensitive information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat?

Moreover, in distributed environments, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and re-routed to a terminal masquerading as Server B.

Introduction to Oracle Advanced Security 1-3

Solving Security Challenges with Oracle Advanced Security

Password-Related Threats

In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing conﬁgurations.

Users typically respond to the problem of managing multiple passwords in several ways:

■ They may select easy-to-guess passwords—such as a name, ﬁctional character,

or a word found in a dictionary. All of these passwords are vulnerable to

dictionary attacks.

■ They may also choose to standardize passwords so that they are the same on all

machines or web sites. This results in a potentially large exposure in the event of a compromised password. They can also use passwords with slight variations that can be easily derived from known passwords.

■ Users with complex passwords may write them down where an attacker can

easily ﬁnd them, or they may just forget them—requiring costly administration and support efforts.

All of these strategies compromise password secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, and expensive.

Solving Security Challenges with Oracle Advanced Security

To solve enterprise computing security problems, Oracle Advanced Security provides industry standards-based data privacy, integrity, authentication, single sign-on, and access authorization in a variety of ways. For example, you can conﬁgure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentication methods, including Kerberos, smart cards, and digital certiﬁcates.

Oracle Advanced Security provides the following security features:

■ Data Encryption

■ Strong Authentication

■ Enterprise User Management

1-4 Oracle Database Advanced Security Administrator's Guide

Data Encryption

Sensitive information that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that can be deciphered with a decryption key.

Figure 1–1 shows how encryption works to ensure the security of a transaction. For

example, if a manager approves a bonus, this data should be encrypted when sent over the network to avoid eavesdropping. If all communication between the client, the database, and the application server is encrypted, then when the manager sends the bonus amount to the database, it is protected.

Figure 1–1 Encryption

Solving Security Challenges with Oracle Advanced Security

Oracle

Client

#yu1(*^tp4e %oiu*{hjktyot https://

Database

Encrypted Data Packet

Oracle

Encrypted Data Packet

Oracle

Application

Server

Internet

This section discusses the following topics:

■ Supported Encryption Algorithms

■ Data Integrity

■ Federal Information Processing Standard

Supported Encryption Algorithms

Oracle Advanced Security provides the following encryption algorithms to protect the privacy of network data transmissions:

■ RC4 Encryption

■ DES Encryption

■ Triple-DES Encryption

■ Advanced Encryption Standard

Introduction to Oracle Advanced Security 1-5

Solving Security Challenges with Oracle Advanced Security

Selecting the network encryption algorithm is a user conﬁguration option, providing varying levels of security and performance for different types of data transfers.

Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. 10g Release 1 (10.1) contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a speciﬁc product release.

Note: The U.S. government has relaxed its export guidelines for

encryption products. Accordingly, Oracle can ship Oracle Advanced Security with its strongest encryption features to all of its customers.

RC4 Encryption The RC4 encryption module uses the RSA Security, Inc., RC4 encryption algorithm. Using a secret, randomly-generated key unique to each session, all network trafﬁc is fully safeguarded—including all data values, SQL statements, and stored procedure calls and results. The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40-bits, 56-bits, 128-bits, and 256-bits.

DES Encryption Oracle Advanced Security implements the U.S. Data Encryption Standard algorithm (DES) with a standard, optimized 56-bit key encryption algorithm, and also provides DES40, a 40-bit version, for backward compatibility.

Triple-DES Encryption Oracle Advanced Security also supports Triple-DESencryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty. The magnitude of penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block as compared with the standard DES algorithm.

3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block

Chaining (CBC) mode.

Advanced Encryption Standard Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication

1-6 Oracle Database Advanced Security Administrator's Guide

Solving Security Challenges with Oracle Advanced Security

197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.

See Also:

■ Chapter 3, "Conﬁguring Network Data Encryption and

Integrity for Oracle Servers and Clients"

■ Appendix A, "Data Encryption and Integrity Parameters"

Data Integrity

To ensure the integrity of data packets during transmission, Oracle Advanced Security can generate a cryptographically secure message digest—using MD5 or SHA-1 hashing algorithms—and include it with each message sent across a network.

Data integrity algorithms add little overhead, and protect against the following attacks:

■ Data modiﬁcation

■ Deleted packets

■ Replay attacks

Note: SHA-1 is slightly slower than MD5, but produces a larger

message digest, making it more secure against brute-force collision and inversion attacks.

See Also: Chapter 3, "Conﬁguring Network Data Encryption and

Integrity for Oracle Servers and Clients", for information about

MD5 and SHA-1.

Federal Information Processing Standard

Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This provides independent conﬁrmation that Oracle Advanced Security conforms to federal government standards. FIPS conﬁguration settings are described by

Appendix D, "Oracle Advanced Security FIPS 140-1 Settings".

Introduction to Oracle Advanced Security 1-7

Solving Security Challenges with Oracle Advanced Security

Strong Authentication

Authentication is used to prove the identity of the user.Authenticating user identity is imperative in distributed environments, without which there can be little conﬁdence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certiﬁcates.

Figure 1–2 shows user authentication with an Oracle database conﬁgured to use a

third-party authentication server. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of network nodes falsifying their identities.

Figure 1–2 Strong Authentication with Oracle Authentication Adapters

Client

Authentication Server

Intranet

Database

This section contains the following topics:

■ Centralized Authentication and Single Sign-On

■ Supported Authentication Methods

Centralized Authentication and Single Sign-On

Centralized authentication also provides the beneﬁt of single sign-on (SSO) for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to log on once and can then automatically connect to any other service without having to give a username and password again. Single sign-on eliminates the need for the user to remember and administer multiple passwords, reducing the time spent logging into multiple services.

1-8 Oracle Database Advanced Security Administrator's Guide

Solving Security Challenges with Oracle Advanced Security

How Centralized Network Authentication Works Figure 1–3 shows how a centralized

network authentication service typically operates:

Figure 1–3 How a Network Authentication Service Authenticates a User

User Oracle

. . .

Authentication

Server

A user (client) requests authentication services and provides identifying information, such as a token or password.

2. The authentication server validates the user's identity and passes a ticket or

credentials back to the client, which may include an expiration time.

Introduction to Oracle Advanced Security 1-9

Solving Security Challenges with Oracle Advanced Security

The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database.

4. The server sends the credentials back to the authentication server for

authentication.

5. If the authentication server accepts the credentials, then it notiﬁes the Oracle

Server, and the user is authenticated.

6. If the authentication server does not accept the credentials, then authentication

fails, and the service request is denied.

Supported Authentication Methods

Oracle Advanced Security supports the following industry-standard authentication methods:

■ Kerberos

■ RADIUS (Remote Authentication Dial-In User Service)

■ DCE (Distributed Computing Environment)

■ Secure Sockets Layer (with digital certiﬁcates)

■ Entrust/PKI

Kerberos Oracle Advanced Security support for Kerberos provides the beneﬁts of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server. See Chapter 6, "Conﬁguring Kerberos

Authentication" for information about conﬁguring and using this adapter.

Note: Oracle authentication for Kerberos provides database link

authentication (also called proxy authentication). Kerberos is also an authentication method that is supported with Enterprise User Security.

RADIUS (Remote Authentication Dial-In User Service) RADIUS is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RADIUS

1-10 Oracle Database Advanced Security Administrator's Guide

Solving Security Challenges with Oracle Advanced Security

protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. See Chapter 5, "Conﬁguring RADIUS

Authentication" for information about conﬁguring and using this adapter.

■ Smart Cards

A RADIUS-compliant smart card is a credit card-like hardware device. It has memory and a processor and is read by a smart card reader located at the client workstation.

■ Token Cards

Token cards (SecurID or RADIUS-compliant) can improve ease of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into a token card. The token card provides a response (another number cryptographically derived from the challenge) that the user enters and sends to the server.

You can use SecurID tokens through the RADIUS adapter.

DCE (Distributed Computing Environment) DCE is a set of integrated network services that works across multiple systems to provide a distributed environment. Oracle DCE Integration consists of the following two components:

■ DCE Communication/Security

■ DCE Cell Directory services Native Naming

Oracle DCE Integration provides applications the ﬂexibility to have different levels of integration with DCE services. Depending on the need, applications can choose to integrate very tightly with the DCE services or choose to plug in the other security authentication services provided by Oracle Advanced Security. See

Chapter 10, "Conﬁguring Oracle DCE Integration" for information about

conﬁguring and using this adapter.

Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity.

The SSL protocol is the foundation of a public key infrastructure (PKI). For authentication, SSL uses digital certiﬁcates that comply with the X.509v3 standard, and a public and private key pair.

Introduction to Oracle Advanced Security 1-11

Solving Security Challenges with Oracle Advanced Security

Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can conﬁgure SSL to provide authentication for the server only, the client only, or both client and server. You can also conﬁgure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database usernames and passwords, RADIUS, and Kerberos).

To support your PKI implementation, Oracle Advanced Security includes the following features in addition to SSL:

■ Oracle wallets, where you can store PKI credentials

■ Oracle Wallet Manager, which you can use to manage your Oracle wallets

■ Certiﬁcate validation with certiﬁcate revocation lists (CRLs)

■ Hardware security module support

See Also:

■ Chapter 7, "Conﬁguring Secure Sockets Layer Authentication"

for conceptual, conﬁguration, and usage information about SSL, certiﬁcate validation, and hardware security modules.

■ Chapter 8, "Using Oracle Wallet Manager" for information

about using this tool to manage Oracle wallets.

■ Chapter 9, "Conﬁguring Multiple Authentication Methods and

Disabling Oracle Advanced Security" for information about

conﬁguring SSL in combination with other authentication methods.

Entrust/PKI Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign-on into their Oracle applications, and it lets Oracle users incorporate Entrust-based single sign-on into Oracle applications. See Appendix F,

"Entrust-Enabled SSL Authentication" for more information about this feature.

1-12 Oracle Database Advanced Security Administrator's Guide

Enterprise User Management

Enterprise user management is provided by the Enterprise User Security feature of Oracle Advanced Security. Enterprise User Security enables storing database users and their corresponding administrative and security information in a centralized directory server.

Figure 1–4 shows how a directory server can be used to provide centralized storage

and management of user account, user role, and authentication information.

1. A database server authenticates a user by accessing information stored in the

directory.

2. - 4. Once authenticated, a user can access the databases, which are conﬁgured

for enterprise user security.

Figure 1–4 Centralized User Management with Enterprise User Security

Solving Security Challenges with Oracle Advanced Security

LDAP Compliant Directory Server

Stores user account, password, and role

information

Client

Database

Intranet

DatabaseDatabase

This centralized conﬁguration enables the administrator to modify information in one location, the directory. It also lowers the cost of administration and makes the enterprise more secure because there is only one set of user information to manage and track.

Enterprise User Security supports the following authentication methods:

Introduction to Oracle Advanced Security 1-13

Solving Security Challenges with Oracle Advanced Security

■ Passwords

■ Kerberos

■ Secure Sockets Layer (SSL) with digital certiﬁcates

See Also: For detailed discussions of Enterprise User Security

concepts, conﬁguration, and management, refer to the following chapters in this manual:

■ Chapter 11, "Getting Started with Enterprise User Security"

■ Chapter 12, "Enterprise User Security Conﬁguration Tasks and

Troubleshooting"

■ Chapter 13, "Administering Enterprise User Security"

1-14 Oracle Database Advanced Security Administrator's Guide

Oracle Advanced Security Architecture

Oracle Advanced Security complements an Oracle server or client installation with advanced security features. Figure 1–5 shows the Oracle Advanced Security architecture within an Oracle networking environment.

Figure 1–5 Oracle Advanced Security in an Oracle Networking Environment

Client Application

OCI

Two-Task

Common

Encryption

Oracle Net

AES DES RSA 3DES

Oracle Advanced Security Architecture

Oracle Advanced Security

Authentication Kerberos

RADIUS DCE

Data Integrity

MD5 SHA

TCP/IP

SSL Libraries

SPX/IPX

Adapter

SPX/IPX

Oracle Protocols

Network Specific

Protocols

To Network

SSL Adapter

TCP/IP Adapter

Oracle Advanced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters. As shown in Figure 1–6, authentication adapters integrate below the Oracle Net interface and let existing applications take advantage of new authentication systems transparently, without any changes to the application.

Introduction to Oracle Advanced Security 1-15

Secure Data Transfer Across Network Protocol Boundaries

Figure 1–6 Oracle Net with Authentication Adapters

Oracle Forms and Oracle Reports

3rd Party Tools

3GL Tools

Oracle Net

Oracle Server

Oracle Call Interface

Kerberos

Adapter

Kerberos

Oracle Advanced Security

SSL

Adapter

SSL

See Also: Oracle Net Services Administrator's Guide, for more

information about stack communications in an Oracle networking environment

Secure Data Transfer Across Network Protocol Boundaries

Oracle Advanced Security is fully supported by Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for example, can securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

DCE

Adapter

DCE

RADIUS

Adapter

RADIUS

System Requirements

Oracle Advanced Security is an add-on product bundled with the Oracle Net Server or Oracle Net Client. It must be purchased and installed on both the client and the server.

Oracle Advanced Security 10g Release 1 (10.1) requires Oracle Net 10g Release 1 (10.1) and supports Oracle Database Enterprise Edition. Table 1–1 lists additional system requirements.

1-16 Oracle Database Advanced Security Administrator's Guide

Oracle Advanced Security Restrictions

Note: Oracle Advanced Security is not available with Oracle

Database Standard Edition.

Table 1–1 Authentication Methods and System Requirements

Authentication Method System Requirements

Kerberos

■ MIT Kerberos Version 5, release 1.1

■ The Kerberos authentication server must be installed on a

physically secure machine.

RADIUS ■ A RADIUS server that is compliant with the standards in

the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting.

■ To enable challenge-response authentication, you must

run RADIUS on an operating system that supports the Java Native Interface as speciﬁed in release 1.1 of the Java Development Kit from JavaSoft.

SSL

■ A wallet that is compatible with the Oracle Wallet

Manager version 10g. Wallets created in earlier releases of the Oracle Wallet Manager are not forward compatible.

Entrust/PKI

■ Entrust IPSEC Negotiator Toolkit Release 6.0

■ Entrust/PKI 6.0

Oracle Advanced Security Restrictions

Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Oracle Net Services to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on Microsoft Windows. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, since ODM does not use Oracle Net Services.

Introduction to Oracle Advanced Security 1-17

Oracle Advanced Security Restrictions

1-18 Oracle Database Advanced Security Administrator's Guide

Configuration and Administration Tools

Overview

Conﬁguring advanced security features for an Oracle database includes conﬁguring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method conﬁguration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail conﬁguring and managing a public key infrastructure, as is required for Secure Sockets Layer (SSL). In addition, an Oracle database can be conﬁgured to interoperate with an LDAP directory, such as Oracle Internet Directory, to enable Enterprise User Security, a feature that enables you to store and manage database users in a centralized directory.

Such diverse advanced security features require a diverse set of tools with which to conﬁgure and administer them. This chapter introduces the tools used to conﬁgure and administer advanced security features for an Oracle database in the following topics:

■ Network Encryption and Strong Authentication Conﬁguration Tools

■ Public Key Infrastructure Credentials Management Tools

■ Enterprise User Security Conﬁguration and Management Tools

■ Duties of a Security Administrator/DBA

■ Duties of an Enterprise User Security Administrator/DBA

Conﬁguration and Administration Tools Overview 2-1

Network Encryption and Strong Authentication Configuration Tools

Network Encryption and Strong Authentication Conﬁguration Tools

Oracle Net Services can be conﬁgured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to conﬁgure these advanced security features for an Oracle Database:

■ Oracle Net Manager

■ Oracle Advanced Security Kerberos Adapter Command-Line Utilities

Oracle Net Manager

Oracle Net Manager is a graphical user interface tool, primarily used to conﬁgure Oracle Net Services for an Oracle home on a local client or server host.

Although you can use Oracle Net Manager to conﬁgure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to conﬁgure the following Oracle Advanced Security features, which use the Oracle Net protocol:

■ Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)

■ Network encryption (RC4, DES, Triple-DES, and AES)

■ Checksumming for data integrity (MD5, SHA-1)

This section introduces you to the features of Oracle Net Manager that are used to conﬁgure Oracle Advanced Security. It contains the following topics:

■ Starting Oracle Net Manager

■ Navigating to the Oracle Advanced Security Proﬁle

See Also:

■ "Duties of a Security Administrator/DBA" on page 2-34 for

information about the tasks you can perform with this tool that conﬁgure advanced security features.

■ Oracle Net Services Administrator's Guide and Oracle Net

Manager online help for complete documentation of this tool.

Starting Oracle Net Manager

You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a standalone application. However, you must use the standalone application to access the Oracle Advanced Security Proﬁle where you can conﬁgure Oracle Advanced Security features.

2-2 Oracle Database Advanced Security Administrator's Guide

Network Encryption and Strong Authentication Configuration Tools

To start Oracle Net Manager as a standalone application:

■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

netmgr

■ (Windows) Choose Start > Programs > Oracle - HOME_NAME >

Conﬁguration and Migration Tools > Net Manager

Navigating to the Oracle Advanced Security Profile

The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane, which displays various property sheets that enable you to conﬁgure network components. When you select a network object in the navigator pane, its associated property sheets displays in the right pane. To conﬁgure Oracle Advanced Security features, choose the Proﬁle object in the navigator pane, and then select Oracle Advanced Security from the list in the right pane, as shown in

Figure 2–1.

Conﬁguration and Administration Tools Overview 2-3

Network Encryption and Strong Authentication Configuration Tools

Figure 2–1 Oracle Advanced Security Proﬁle in Oracle Net Manager

Oracle Advanced Security Profile Property Sheets

The Oracle Advanced Security Proﬁle contains the following property sheets, which are described in the following sections:

■ Authentication Property Sheet

■ Other Params Property Sheet

■ Integrity Property Sheet

■ Encryption Property Sheet

■ SSL Property Sheet

2-4 Oracle Database Advanced Security Administrator's Guide

Network Encryption and Strong Authentication Configuration Tools

Authentication Property Sheet Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS.

Other Params Property Sheet Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.

Integrity Property Sheet Use this property sheet to enable checksumming on the client or the server and to select an encryption algorithm for generating secure message digests.

Encryption Property Sheet Use this property sheet to select one or more cipher suites to encrypt client or server connections with native encryption algorithms.

SSL Property Sheet Use this property sheet to conﬁgure Secure Sockets Layer (SSL), including the wallet location and cipher suite, on a client or server.

Oracle Advanced Security Kerberos Adapter Command-Line Utilities

The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following table brieﬂy describes these utilities:

Utility Name Description

okinit Obtains Kerberos tickets from the key distribution center (KDC)

oklist Displays a list of Kerberos tickets in the speciﬁed credential

okdstry Removes Kerberos credentials from the speciﬁed credential

See Also: "Utilities for the Kerberos Authentication Adapter" on

and caches them in the user's credential cache

cache

page 6-11 for complete descriptions of these utilities, their syntax, and available options.

Conﬁguration and Administration Tools Overview 2-5

Public Key Infrastructure Credentials Management Tools

The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certiﬁcates, wallets, and certiﬁcate revocation lists so your PKI credentials can be stored securely and your certiﬁcate validation mechanisms kept current:

■ Oracle Wallet Manager

■ orapki Utility

Oracle Wallet Manager

Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certiﬁcates, and trusted certiﬁcates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:

■ Create public and private key pairs ■ Store and manage user credentials

■ Generate certiﬁcate requests ■ Store and manage certiﬁcate

authority certiﬁcates (root key certiﬁcate and certiﬁcate chain)

■ Upload and download wallets to

and from an LDAP directory

■ Create wallets to store hardware

security module credentials

The following topics introduce the Oracle Wallet Manager user interface:

■ Starting Oracle Wallet Manager

■ Navigating the Oracle Wallet Manager User Interface

■ Toolbar

■ Menus

See Also: Chapter 8, "Using Oracle Wallet Manager" for detailed

information about using this application

Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

2-6 Oracle Database Advanced Security Administrator's Guide

■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

owm

■ (Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated

Management Tools > Wallet Manager

Navigating the Oracle Wallet Manager User Interface

The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2–2.

Figure 2–2 Oracle Wallet Manager User Interface

Public Key Infrastructure Credentials Management Tools

Conﬁguration and Administration Tools Overview 2-7

Public Key Infrastructure Credentials Management Tools

Navigator Pane The navigator pane provides a graphical tree view of the certiﬁcate requests and certiﬁcates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certiﬁcates and certiﬁcate requests.

The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to

■ Expand and contract wallet objects so that you can manage the user and trusted

certiﬁcates they contain.

■ Right-click a wallet, certiﬁcate, or certiﬁcate request to perform operations on it

such as add, remove, import, or export.

When you expand a wallet, you see a nested list of user and trusted certiﬁcates. When you select a wallet or certiﬁcate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2–1 lists the main objects that display in the navigator pane.

Table 2–1 Oracle Wallet Manager Navigator Pane Objects

Object Description

Wallet Password-protected container that is used to store

authentication and signing credentials

Certiﬁcate Request

A PKCS #10-encoded message containing the requester's

distinguished name (DN), a public key, the key size, and key

type. See also certiﬁcate request.

Certiﬁcate

An X.509 data structure containing the entity's DN, public key, and is signed by a trusted identity (certiﬁcate authority). See

certiﬁcate

Trusted Certiﬁcates

Sometimes called a root key certiﬁcate, is a certiﬁcate from a third party identity that is qualiﬁed with a level of trust. See

trusted certiﬁcate

These objects display only after you create a wallet, generate a certiﬁcate request, and import a certiﬁcate into the wallet.

Right Pane The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.

Figure 2–3 shows what is displayed in the right pane when a certiﬁcate request

object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type ﬁelds. The PKCS #10-encoded certiﬁcate request displays in the Certiﬁcate Request

2-8 Oracle Database Advanced Security Administrator's Guide

Public Key Infrastructure Credentials Management Tools

text box. To request a certiﬁcate from a certiﬁcate authority, you can copy this request into an e-mail or export it into a ﬁle.

Figure 2–3 Certiﬁcate Request Information Displayed in Oracle Wallet Manager Right Pane

Toolbar

The toolbar contains buttons that enable you to manage your wallets. Move the mouse cursor over a toolbar button to display a description of the button's function. The toolbar buttons are listed and described in Table 2–2.

Conﬁguration and Administration Tools Overview 2-9

Public Key Infrastructure Credentials Management Tools

Table 2–2 Oracle Wallet Manager Toolbar Buttons

Toolbar Button Description

New Creates a new wallet Open Wallet Enables you to browse your ﬁle system to locate and open an

existing wallet

Save Wallet Saves the currently open wallet Delete Wallet Deletes wallet currently selected in the navigator pane Help Opens the Oracle Wallet Manager online help

Menus

You use Oracle Wallet Manager menus to manage your wallets and the credentials they contain. The following sections describe the options that are available under each menu.

Wallet Menu Table 2–3 describes the contents of the Wallet menu.

Table 2–3 Oracle Wallet Manager Wallet Menu Options

Option Description

New Creates a new wallet Open Opens an existing wallet Close Closes the currently open wallet Upload Into The

Directory Service Download From The

Directory Service

Uploads a wallet to a speciﬁed LDAP directory server. You must supply a directory password, hostname, and port information

Downloads a wallet from a speciﬁed LDAP directory server. You must supply a directory password, hostname, and port information.

Save Saves the currently open wallet in the current working directory. Save As Enables you to browse your ﬁle system to choose a directory

location in which to save the currently open wallet.

Save In System Default

Saves the currently open wallet in the system default location:

■ (UNIX) /etc/ORACLE/WALLETS/<username>

■ (Windows) %USERPROFILE%\<username>

Delete Deletes the wallet in the current working directory. You must

supply the wallet password.

2-10 Oracle Database Advanced Security Administrator's Guide

Public Key Infrastructure Credentials Management Tools

Table 2–3 (Cont.) Oracle Wallet Manager Wallet Menu Options(Cont.)

Option Description

Change Password Changes the password for the currently open wallet. You must

Auto Login Sets the auto login feature for the currently open wallet. See auto

Exit Exits the Oracle Wallet Manager application

supply the old password before you can create a new one.

Operations Menu Table 2–4 describes the contents of the Operations menu.

Table 2–4 Oracle Wallet Manager Operations Menu Options

Option Description

Add Certiﬁcate Request Generates a certiﬁcate request for the currently open wallet

Import User Certiﬁcate Imports the user certiﬁcate issued to you from the CA. You

Import Trusted Certiﬁcate Imports the CA's trusted certiﬁcate. Remove Certiﬁcate

Request

Remove User Certiﬁcate Deletes the user certiﬁcate from the currently open wallet. Remove Trusted

Certiﬁcate

that you can use to request a certiﬁcate from a certiﬁcate

authority (CA).

must import the issuing CA's certiﬁcate as a trusted certiﬁcate before you can import the user certiﬁcate.

Deletes the certiﬁcate request in the currently open wallet. You must remove the associated user certiﬁcate before you can delete a certiﬁcate request.

Removes the trusted certiﬁcate that is selected in the navigator pane from the currently open wallet. You must remove all user certiﬁcates that the trusted certiﬁcate signs before you can remove it.

Export User Certiﬁcate Exports the user certiﬁcate in the currently open wallet to save

Export Certiﬁcate Request Exports the certiﬁcate request in the currently open wallet to

Export Trusted Certiﬁcate Exports the trusted certiﬁcate that is selected in the navigator

Export All Trusted Certiﬁcates

Export Wallet Exports the currently open wallet to save as a text ﬁle.

in a ﬁle system directory.

save in a ﬁle.

pane to save in another location in your ﬁle system. Exports all trusted certiﬁcates in the currently open wallet to

save in another location in your ﬁle system.

Conﬁguration and Administration Tools Overview 2-11

Public Key Infrastructure Credentials Management Tools

Help Menu Table 2–5 describes the contents of the Help menu.

Table 2–5 Oracle Wallet Manager Help Menu Options

Option Description

Contents Opens Oracle Wallet Manager online help.

orapki Utility

Search for Help on Opens Oracle Wallet Manager online help and displays the

About Oracle Wallet Manager

Search tab. Opens a window that displays the Oracle Wallet Manager

version number and copyright information.

The orapki utility is a command line tool that you can use to manage certiﬁcate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certiﬁcates for testing purposes.

The basic syntax for this utility is as follows:

orapki module command -option_1 argument ... -option_n argument

For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.acme.com and that uses port 389:

orapki crl list -ldap machine1.us.acme.com:389

See Also:

■ "Certiﬁcate Revocation List Management" on page 7-40 for

information about how to use orapki to manage CRLs in the directory.

■ Appendix E, "orapki Utility" for reference information on all

available orapki commands

2-12 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

Enterprise User Security Conﬁguration and Management Tools

Enterprise users are database users who are stored and centrally managed in an LDAP directory, such as Oracle Internet Directory. Table 2–6 provides a summary of the tools that are used to conﬁgure and manage Enterprise User Security. The following subsections introduce and describe these tools.

Table 2–6 Enterprise User Security Tools Summary

Tool Task

Database Conﬁguration Assistant Register and un-register databases in Oracle

Enterprise Security Manager and Enterprise Security Manager Console

Oracle Internet Directory Self-Service Console (Delegated Administration Service)

Oracle Net Conﬁguration Assistant Conﬁgure databases Oracle home for directory

Oracle Wallet Manager Manage Oracle wallets for Enterprise User

User Migration Utility Perform bulk migrations of database users to

Database Conﬁguration Assistant

Database Conﬁguration Assistant is a wizard-based tool which is used to create and conﬁgure Oracle databases.

Internet Directory

■ Conﬁgure enterprise domains and databases

in Oracle Internet Directory

■ Create users and manage their passwords

■ Manage identity management realm

attributes and administrative groups that pertain to Enterprise User Security in Oracle Internet Directory

Manage identity management realms in Oracle Internet Directory

For information about this tool, refer to Oracle Internet Directory Administrator's Guide.

usage over the network

Security

Oracle Internet Directory

Use Database Conﬁguration Assistant to register a database with the directory. When you register a database with the directory, Database Conﬁguration Assistant creates a distinguished name (DN) for the database and the corresponding entry and subtree in Oracle Internet Directory

Conﬁguration and Administration Tools Overview 2-13

Enterprise User Security Configuration and Management Tools

Starting Database Configuration Assistant

To start Database Conﬁguration Assistant:

■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

dbca

■ (Windows) Choose Start > Programs > Oracle - HOME_NAME > Database

Administration > Database Conﬁguration Assistant

See Also:

■ "To register a database in the directory:" on page 12-9 for

information about using this tool to register your database.

■ Oracle Database Administrator's Guide for more information

about this tool.

Enterprise Security Manager and Enterprise Security Manager Console

Oracle Advanced Security employs Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users, administrative groups,

enterprise domains, and enterprise roles that are stored in Oracle Internet

Directory. (Enterprise Security Manager Console can be accessed through the Enterprise Security Manager Operations menu. See "Enterprise Security Manager

Console Overview" on page 2-22 for details.)

Enterprise users are users who are provisioned and managed centrally in an LDAP-compliant directory, such as Oracle Internet Directory, for database access. Enterprise domains are directory constructs that contain databases and enterprise roles, the access privileges that are assigned to enterprise users.

See Also: Chapter 11, "Getting Started with Enterprise User

Security" for a discussion of Enterprise User Security

administrative groups, enterprise domains, enterprise roles, enterprise users, shared schemas, and user-schema mappings.

This section discusses the following topics:

■ Enterprise Security Manager Initial Installation and Conﬁguration Overview

■ Starting Enterprise Security Manager

■ Navigating the Enterprise Security Manager User Interface

■ Enterprise Security Manager Console Overview

2-14 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

■ Logging in to Enterprise Security Manager Console

■ Navigating Enterprise Security Manager Console User Interface

Enterprise Security Manager Initial Installation and Configuration Overview

The following tasks provide an overview of the initial Enterprise Security Manager installation and conﬁguration:

■ Task 1: Install Enterprise Security Manager

■ Task 2: Conﬁgure an Oracle Identity Management Infrastructure

Task 1: Install Enterprise Security Manager Enterprise Security Manager is automatically installed by the Oracle Database Enterprise Edition server installation process.

See Also: The Oracle Database installation documentation for

your operating system.

Note: Use only the version of Enterprise Security Manager that

installs with Oracle Database 10g Release 1 (10.1).

Task 2: Conﬁgure an Oracle Identity Management Infrastructure Enterprise User Security uses Oracle Internet Directory in which to store enterprise users. Enterprise Security Manager uses Oracle Internet Directory Delegated Administration Services to provide an administrative GUI (Enterprise Security Manager Console), and OracleAS Single Sign-On server to authenticate administrators when they log in to the console. Consequently, Oracle Internet Directory and OracleAS Single Sign-On server, which are part of the Oracle Identity Management infrastructure, must be properly installed and conﬁgured before Enterprise Security Manager can be used to manage Enterprise User Security. The following elements of Oracle Identity Management infrastructure conﬁguration must be completed before proceeding:

■ Oracle Internet Directory 10g (9.0.4) must be installed, running, and accessible

over standard LDAP or Secure Sockets Layer LDAP (LDAP/SSL).

■ Oracle Internet Directory must include an identity management realm. You can

use Oracle Internet Directory Conﬁguration Assistant to conﬁgure this on the directory server.

Conﬁguration and Administration Tools Overview 2-15

Enterprise User Security Configuration and Management Tools

■ OracleAS Single Sign-On server must be installed and conﬁgured to

authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.

See Also:

■ Oracle Internet Directory Administrator's Guide for information

about using Oracle Internet Directory Conﬁguration Assistant to create or upgrade an identity management realm in the directory. This manual also contains general information about how to conﬁgure and use the directory.

■ OracleAS Single Sign-On Administrator's Guide for information

about conﬁguring OracleAS Single Sign-On Server.

Starting Enterprise Security Manager

To launch Enterprise Security Manager, use the following steps:

1. Depending on your operating system, use one of the following options:

■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command

line:

esm

■ (Windows)

Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Enterprise Security Manager

The directory server login window appears:

2-16 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

Figure 2–4 Directory Server Login Window

providing the hostname and port number for your directory. Table 2–7 describes the two available Enterprise Security Manager authentication methods and what each method requires:

Table 2–7 Enterprise Security Manager Authentication Methods

Authentication Method Description

Password Authentication Uses simple authentication requiring a distinguished

SSL Client Authentication Uses two-way SSL authentication in which both the

Known directory user name and password can be used only for the default identity management realm in the directory.

3. After providing the directory login information, click OK. The main Enterprise

name (DN) or a known directory user name and

password1.

client and server use Oracle Wallets containing digital certiﬁcates (that is, the user name and certiﬁcate). The subsequent connection is encrypted.

Security Manager user interface appears.

Navigating the Enterprise Security Manager User Interface

The Enterprise Security Manager user interface includes two panes, a toolbar, and various menu items as shown in Figure 2–5.

Conﬁguration and Administration Tools Overview 2-17

Enterprise User Security Configuration and Management Tools

Figure 2–5 Enterprise Security Manager User Interface

Navigator Pane The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.

The navigator pane enables you to

■ Expand and contract identity management realms by clicking the plus and

minus symbols (+ -) adjacent to the realm name in the navigation tree. This enables you to manage the enterprise domains that they contain.

2-18 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

■ Right-click an enterprise domain to perform operations such as creating

enterprise roles or deleting the domain from the identity management realm.

When you expand an identity management realm, you see a nested list of folders that contain enterprise user security objects. Expanding these folders enables you to view the individual objects as described in Table 2–8.

Table 2–8 Enterprise Security Manager Navigator Pane Folders

Folder Description

Databases When you expand this folder, you see the databases which are

Enterprise Domains When you expand this folder, you see the enterprise domains

Users, by Search Base When you expand this folder, you see the users stored in the

registered with this identity management realm. Databases are registered with a directory by using Database Conﬁguration Assistant.

that this realm contains. You can also expand each enterprise domain to view the databases and enterprise roles that it contains.

realm. The display of users is organized by search base, which is the node in the directory under which a collection of users resides.

Right Pane The right pane displays read-only information about an object that is selected in the navigator pane, or it displays tabbed windows that enable you to conﬁgure enterprise domains, enterprise roles, and user-schema mappings. For example, when you select an enterprise domain in the navigator pane, you can add databases to it by using the Databases tabbed window that is shown in Figure 2–6.

Conﬁguration and Administration Tools Overview 2-19

Enterprise User Security Configuration and Management Tools

Figure 2–6 Enterprise Security Manager Databases Tabbed Window

The Databases tabbed window also enables you to set security options for databases which are members of an enterprise domain. See "Deﬁning Database Membership

of an Enterprise Domain" on page 13-17 for a discussion of conﬁguring enterprise

domains by using the Databases tabbed window.

Tool Bar The toolbar contains two buttons that enable you to access the Enterprise Security Manager online help and to delete directory objects.

Menus You use Enterprise Security Manager menus to create or remove enterprise domains and to manage objects within the domains, such as enterprise roles or database membership. The following sections describe the options that are available under each menu.

2-20 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

File Menu Table 2–9 describes the contents of the File menu.

Table 2–9 Enterprise Security Manager File Menu Options

Option Description

Change Directory Connection Causes the Directory Server Login window to reappear

Directory Search Options For user searches in the directory, this menu option

ESM Console URL Enables you to specify the URL for your installation of

Exit Exits the Enterprise Security Manager application.

(see Figure 2–4 on page 2-17), enabling you to log in to another directory server.

enables you to conﬁgure the maximum number of displayed search results, the maximum search duration, or an LDAP ﬁlter.

Enterprise Security Manager Console. (See "Enterprise

Security Manager Console Overview" on page 2-22)

Operations Menu Table 2–10 describes the contents of the Operations menu.

Table 2–10 Enterprise Security Manager Operations Menu Options

Option Description

Create Enterprise Domain Creates an enterprise domain in the realm that is selected in

Remove Enterprise Domain Removes the enterprise domain that is selected in the

Create Enterprise Role Creates an enterprise role in the enterprise domain that is

Remove Enterprise Role Removes the enterprise role that is selected in the navigator

the navigator pane.

navigator pane.

selected in the navigator pane.

pane.

Launch ESM Console Brings up the Enterprise Security Manager Console in your

default browser.

Help Menu Table 2–11 describes the contents of the Help menu.

Table 2–11 Enterprise Security Manager Help Menu Options

Option Description

Contents Opens the online help and displays its table of contents.

Conﬁguration and Administration Tools Overview 2-21

Enterprise User Security Configuration and Management Tools

Table 2–11 (Cont.) Enterprise Security Manager Help Menu Options

Option Description

Search for Help on Displays the search window for the online help. Using Help Displays online help topics that describe how to use the online

About Enterprise Security Manager

help system Displays Enterprise Security Manager version number and

Enterprise Security Manager Console Overview

Enterprise Security Manager uses a directory management console, Enterprise Security Manager Console, to administer enterprise users and groups, and to conﬁgure an identity management realm for Enterprise User Security. By default, when you log in to a directory server with Enterprise Security Manager it uses port 7777 with the fully qualiﬁed domain name of that directory server to construct an Enterprise Security Manager Console URL. Then, when you need to launch the console, Enterprise Security Manager uses this URL to connect to it over HTTP.

For example, if an Acme Company administrator logs into an instance of Oracle Internet Directory that is hosted on a machine named machine123, then Enterprise Security Manager would use the following URL to connect to Enterprise Security Manager Console:

http://machine123.us.acme.com:7777/

After launching the console, administrators must log in by using their OracleAS Single Sign-On username and password pairs.

Logging in to Enterprise Security Manager Console

If you can use the URL that is constructed by default to access an instance of Enterprise Security Manager Console, then use the following steps to log in to the console.

To log in to Enterprise Security Manager Console:

1. From the Enterprise Security Manager main application window, choose

Operations > Launch ESM Console. The Enterprise Security Manager Console login page appears, as shown in

Figure 2–7.

2-22 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

Figure 2–7 Enterprise Security Manager Console Login Page

Click the Login icon in the upper right-corner of the page to log in with your

OracleAS Single Sign-On username and password. After providing your OracleAS Single Sign-On credentials, you are returned to

the console home page.

To change the default Enterprise Security Manager Console URL:

If you cannot use the default URL to connect to the Enterprise Security Manager Console, then you must enter the appropriate URL before you can launch the console.

1. In the Enterprise Security Manager main application, choose File > ESM

Console URL. The ESM Console URL window appears as shown in Figure 2–8.

Conﬁguration and Administration Tools Overview 2-23

Enterprise User Security Configuration and Management Tools

Figure 2–8 ESM Console URL Window

Enter the appropriate URL for connecting to Enterprise Security Manager Console, and click OK.

This saves the URL information in Enterprise Security Manager so you can launch the console again without reconﬁguring the URL.

Conﬁguring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users By default, Enterprise Security Manager Console user interface does not

display the ﬁeld where you can conﬁgure Kerberos principal names. The ﬁrst time you create Kerberos-authenticated users in the directory, you must conﬁgure this tool to display the krbPrincipalName attribute in its Create User window by using the following steps:

1. Log into the Oracle Internet Directory Self-Service Console and choose the

Conﬁguration tab. See: Oracle Internet Directory Administrator's Guide for information about logging in and using the Oracle Internet Directory Self-Service Console.

2. In the Conﬁguration page, select the User Entry subtab and click Next until the

Conﬁgure User Attributes page appears.

3. In the Conﬁgure User Attributes page, click Add New Attribute and the Add

New Attribute page appears.

4. In the Add New Attribute page, select krbPrincipalName from the Directory

Attribute Name list (or the attribute that you have conﬁgured for

orclCommonKrbPrincipalAttribute in your identity management realm) and perform the following steps on this page:

a. Enter Kerberos Principal Name for the user interface label. b. Check Searchable and Viewable. c. Select Single Line Text from the UI Type list d. Click Done.

5. Click Next to navigate to the Conﬁgure Attribute Categories page, and click

Edit for Basic Information and perform the following steps on this page:

2-24 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

a. Select krbPrincipalName in the left category list. b. Click Move > to move krbPrincipalName to the right-hand list. c. Click Done.

6. Click Next until you reach the last page, and then click Finish to save your

work.

Navigating Enterprise Security Manager Console User Interface

The Enterprise Security Manager Console user interface is browser-based and uses tabbed windows instead of a navigator pane. Figure 2–9 shows the layout of the console user interface. The tabbed windows can be accessed by selecting one of the tabs at the top of the application or by selecting one of the links in the Tips box on the right. You can also access the tabbed windows by selecting one of the corresponding links at the bottom of the page.

Figure 2–9 Enterprise Security Manager Console User Interface

The tabbed windows are explained in the following sections:

Conﬁguration and Administration Tools Overview 2-25

Enterprise User Security Configuration and Management Tools

Home Tabbed Window The Home page is your entry point to the console. You can access each tabbed window and read a brief summary of what you can do with this tool. The Home tabbed window is shown in Figure 2–9 on page 2-25.

Users and Groups Tabbed Window This tabbed window contains two subtabs: the Users subtab (shown in Figure 2–10) and the Groups subtab (shown in Figure 2–11 on page 2-28).

Figure 2–10 Enterprise Security Manager Console Users Subtab

The Users subtab (Figure 2–10) enables you to search for users in the directory by using the Search for user ﬁeld at the top of the page. After you locate users that match your search criteria, you can select speciﬁc users and perform tasks with the buttons that are listed in Table 2–12 on page 2-27. This subtab also enables you to create new users.

2-26 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

Table 2–12 Enterprise Security Manager Console User Subtab Buttons

Button Name Description

Go After entering user search criteria in the Search for user ﬁeld,

click Go to display users who match your search criteria in the

Search Results table. This button is always available.

Create Enables you to create new enterprise users in the directory.

This button is always available.

Edit Enables you to edit a user's information in the directory. This

button is available only after you have entered search criteria in the Search for user ﬁeld and clicked Go.

Delete Enables you to delete a user from the directory. This button is

available only after you have entered search criteria in the

Search for user ﬁeld and clicked Go.

Assign Privileges Enables you to assign directory privileges to a speciﬁed user.

For example, you can assign the privilege to create new users by using this button. This button is available only after you have entered search criteria in the Search for user ﬁeld and clicked Go.

The Group subtab (shown in Figure 2–11 on page 2-28) enables you to view, or to add new users or groups to the Enterprise User Security directory administrative groups. To view or edit an administrative group, select the adjacent radio button, and click Edit in the upper right corner of the page. When you click Edit, an Edit Group page for the speciﬁed group appears, displaying the following information:

■ Members of the group

■ Groups of which the speciﬁed administrative group is a member

■ Edit history for the group

You can add members or other groups to a speciﬁed Enterprise User Security directory administrative group by clicking either Add User or Add Group in the Member region of the Edit Group page, which is shown in Figure 2–12 on page 2-29.

Conﬁguration and Administration Tools Overview 2-27

Enterprise User Security Configuration and Management Tools

Figure 2–11 Enterprise Security Manager Console Group Subtab

2-28 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

Figure 2–12 Enterprise Security Manager Console Edit Group Page

Conﬁguration and Administration Tools Overview 2-29

Enterprise User Security Configuration and Management Tools

Realm Conﬁguration Tabbed Window The Realm Conﬁguration tabbed window, which is shown in Figure 2–13, enables you to conﬁgure identity management realm attributes that pertain to Enterprise User Security. The ﬁelds that you can edit on this page are described in Table 2–13 on page 2-30.

Figure 2–13 Enterprise Security Manager Console Realm Conﬁguration Tabbed Window

Table 2–13 Realm Conﬁguration Tabbed Window Fields

Field Description

Attribute for Login Name Name of the directory attribute used to store login names. Attribute for Kerberos

Principal Name

User Search Base Full distinguished name (DN) for the node under which

Group Search Base Full DN for the node at which user groups (not Enterprise User

2-30 Oracle Database Advanced Security Administrator's Guide

Name of the directory attribute used to store Kerberos principal names. See also: "Conﬁguring Enterprise Security

Manager Console for Kerberos-Authenticated Enterprise Users" on page 2-24

enterprise users are stored for this realm.

Security administrative groups) are stored in the directory.

Enterprise User Security Configuration and Management Tools

Enterprise Security Manager Command-Line Utility

Enterprise Security Manager provides a command-line utility, which can be used to perform the most common tasks that the graphical user interface tool performs. Enter all Enterprise Security Manager command-line utility commands from the Oracle Enterprise Manager Oracle home.

The basic syntax for this utility is as follows:

esm -cmd [operation] [-option_1 -option_2 -option_3 ... -option_n]

For example, the following command searches for users in a directory that is installed on a host machine named machine1.us.acme.com:

esm -cmd search -U SIMPLE -D orcladmin -w Y4ilbqve -h machine1.us.acme.com

-p 3060 -dn dc=us,dc=acme,dc=com -objectType user

The following table describes each option used in this example:

Command Option Description

-U Speciﬁes which authentication type used to log in to the

-D Speciﬁes the username.

-w Speciﬁes the password.

-h Speciﬁes the directory host machine name.

-p Speciﬁes the directory port number.

-dn Speciﬁes the search base.

-objectType Speciﬁes the type of object for which to search.

directory. SIMPLE speciﬁes password authentication.

Accessing Enterprise Security Manager Command-Line Utility Help To view a full list of operations and options you can use with this utility, enter the following at the command line:

esm -cmd

To view help on a speciﬁc operation, enter the following at the command line:

esm -cmd help [operation]

Conﬁguration and Administration Tools Overview 2-31

Enterprise User Security Configuration and Management Tools

See Also:

■ "Duties of an Enterprise User Security Administrator/DBA" on

page 2-35 for a list of tasks that can be performed with Enterprise Security Manager and Enterprise Security Manager Console.

■ Chapter 13, "Administering Enterprise User Security" for

detailed information about how to use Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users.

Oracle Net Conﬁguration Assistant

Oracle Net Conﬁguration Assistant is a wizard-based tool that has a graphical user interface. It is primarily used to conﬁgure basic Oracle Net network components, such as listener names and protocol addresses. It also enables you to conﬁgure your Oracle home for directory server usage. The latter use is what makes this tool important for conﬁguring Enterprise User Security.

If you use Domain Name System (DNS) discovery (automatic domain name lookup) to locate Oracle Internet Directory on your network, then this tool is not necessary. Note that using DNS discovery is the recommended conﬁguration. See Oracle Internet Directory Administrator's Guide for information about this conﬁguration.

If you have not conﬁgured DNS discovery of Oracle Internet Directory on your network, then you must use Oracle Net Conﬁguration Assistant to create an ldap.ora ﬁle for your Oracle home before you can register a database with the directory. Your database uses the ldap.ora ﬁle to locate the correct Oracle Internet Directory server on your network. This conﬁguration ﬁle contains the hostname, port number, and identity management realm information for your directory server.

Starting Oracle Net Configuration Assistant

To start Oracle Net Conﬁguration Assistant:

■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

netca

■ (Windows) Choose Start > Programs > Oracle-HOME_NAME > Conﬁguration

and Migration Tools > Net Conﬁguration Assistant

2-32 Oracle Database Advanced Security Administrator's Guide

Enterprise User Security Configuration and Management Tools

After you start this tool, you will be presented with the opening page that is shown in Figure 2–14 on page 2-33.

Choose the Directory Usage Conﬁguration option on this page, click Next, and choose the directory server where you wish to store your enterprise users. Then click Finish to create a properly conﬁgured ldap.ora ﬁle for your Oracle home.

Figure 2–14 Opening Page of Oracle Net Conﬁguration Assistant

User Migration Utility

User Migration Utility is a command-line tool that enables you to perform bulk migrations of database users to Oracle Internet Directory where they are stored and managed as enterprise users. This tool performs a bulk migration in two phases: In

See Also:

■ "Task 5: (Optional) Conﬁgure your Oracle home for directory

usage" on page 12-7 for more information about using this tool

to conﬁgure your Oracle home for Enterprise User Security.

■ Oracle Net Services Administrator's Guide and Oracle Net

Conﬁguration Assistant online help for complete documentation of this tool.

Conﬁguration and Administration Tools Overview 2-33

Duties of a Security Administrator/DBA

phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory.

This tool is automatically installed in the following location when you install an Oracle Database client:

$ORACLE_HOME/rdbms/bin/umu

The basic syntax for this utility is as follows:

umu parameter_keyword_1=value1:value2

parameter_keyword_2=value parameter_keyword_3=value1:value2:value3 . . . parameter_keyword_n=value

Note that when a parameter takes multiple values, they are separated with colons (:).

See Also: Appendix G, "Using the User Migration Utility" for

complete instructions (including usage examples) for using this tool to migrate database users to a directory and its parameters.

Duties of a Security Administrator/DBA

Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure. Table 2–14 lists the primary tasks of security administrators, the tools used to perform the tasks, and links to where the tasks are documented.

Table 2–14 Common Security Administrator/DBA Conﬁguration and Administrative Tasks

Task Tools Used See Also

Conﬁgure encrypted Oracle Net connections between database servers and clients

Conﬁgure checksumming on Oracle Net connections between database servers and clients

Conﬁgure database clients to accept RADIUS authentication

2-34 Oracle Database Advanced Security Administrator's Guide

Oracle Net Manager "Conﬁguring Encryption on the Client

and the Server" on page 3-9

Oracle Net Manager "Conﬁguring Integrity on the Client and

the Server" on page 3-11

Oracle Net "Step 1: Conﬁgure RADIUS on the Oracle

Client" on page 5-9

Duties of an Enterprise User Security Administrator/DBA

Table 2–14 (Cont.) Common Security Administrator/DBA Conﬁguration and Administrative Tasks

Task Tools Used See Also

Conﬁgure a database to accept RADIUS authentication

Create a RADIUS user and grant them access to a database session

Conﬁgure Kerberos authentication on a database client and server

Create a Kerberos database user ■ kadmin.local

Manage Kerberoscredentials in the credential cache

Create a wallet for a database client or server ■ Oracle Wallet Manager "Creating a New Wallet" on page 8-10 Request a user certiﬁcate from a certiﬁcate

authority (CA) for SSL authentication

Import a user certiﬁcate and its associated trusted certiﬁcate (CA certiﬁcate) into a wallet

Conﬁguring SSL connections for a database client

Conﬁguring SSL connections for a database server

Enabling certiﬁcate validationwith certiﬁcate

revocation lists

Oracle Net "Step 2: Conﬁgure RADIUS on the Oracle

Database Server" on page 5-10

SQL*Plus "Task 3: Create a User and Grant Access"

on page 5-17

Oracle Net Manager "Task 7: Conﬁgure Kerberos

Authentication" on page 6-5

■ "Task 8: Create a Kerberos User" on

■ Oracle Net Manager

page 6-10

■ "Task 9: Create an Externally

Authenticated Oracle User" on

page 6-10

■ okinit

■ oklist

■ okdstry

■ "Obtaining the Initial Ticket with the

okinit Utility" on page 6-11

■ "Displaying Credentials with the

oklist Utility" on page 6-12

■ "Removing Credentials from the

Cache File with the okdstry Utility"

on page 6-13

■ Oracle Wallet Manager ■ "Adding a Certiﬁcate Request" on

page 8-21

■ "Importing the User Certiﬁcate into

the Wallet" on page 8-22

■ Oracle Wallet Manager ■ "Importing a Trusted Certiﬁcate" on

page 8-25

■ "Importing the User Certiﬁcate into

the Wallet" on page 8-22

■ Oracle Net Manager "Task 3: Conﬁgure SSL on the Client" on

page 7-23

■ Oracle Net Manager "Task 2: Conﬁgure SSL on the Server" on

page 7-15

■ Oracle Net Manager ■ "Conﬁguring Certiﬁcate Validation

with Certiﬁcate Revocation Lists" on

page 7-37

Duties of an Enterprise User Security Administrator/DBA

Enterprise User Security administrators plan, implement, and administer enterprise users. Table 2–15 lists the primary tasks of Enterprise User Security administrators, the tools used to perform the tasks, and links to where the tasks are documented.

Conﬁguration and Administration Tools Overview 2-35

Duties of an Enterprise User Security Administrator/DBA

Table 2–15 Common Enterprise User Security Administrator Conﬁguration and Administrative Tasks

Task Tools Used See Also

Create an identity management realm in Oracle Internet Directory

Upgrade an identity management realm in Oracle Internet Directory

Set up DNS to enable automatic discovery of Oracle Internet Directory over the network. Note that this is the recommended conﬁguration.

Create an ldap.ora ﬁle to enable directory access

Conﬁgure password authentication for Enterprise User Security

Conﬁgure Kerberos authentication for Enterprise User Security

Conﬁgure SSL authentication for Enterprise User Security

Create or modify user entries and Oracle administrative groups in the directory

Create or modify enterprise roles and domains in the directory

Create or modify wallets for directory, databases, and clients

Change a user's database or directory password

Change a database's directory password Database Conﬁguration Assistant "To change the database's directory

Oracle Internet Directory Self-Service Console (Delegated Administration Service)

Oracle Internet Directory Conﬁguration Assistant

Oracle Internet Directory Administrator's Guide for information about how to

perform this task

Oracle Internet Directory Administrator's Guide and the online help for this tool

Oracle Internet Directory Administrator's Guide (Domain Name System server

discovery) and the online help for this tool

Oracle Net Conﬁguration Assistant

"Task 5: (Optional) Conﬁgure your Oracle home for directory usage" on page 12-7

directory" on page 12-8

■ Enterprise Security Manager

■ Oracle Net Manager

■ Enterprise Security Manager

"Conﬁguring Enterprise User Security for Password Authentication" on page 12-16

"Conﬁguring Enterprise User Security for Kerberos Authentication" on page 12-18

Console

■ Enterprise Security Manager

■ Oracle Net Manager

■ Enterprise Security Manager

■ text editor or SQL*Plus

■ Oracle Wallet Manager

Enterprise Security Manager Console

"Conﬁguring Enterprise User Security for SSL Authentication" on page 12-21

■ "Administering Identity

Management Realms" on page 13-3

■ "Administering Enterprise Users" on

page 13-8

Enterprise Security Manager ■ "Administering Enterprise Domains"

on page 13-15

■ "Administering Enterprise Roles" on

page 13-27

Oracle Wallet Manager Chapter 8, "Using Oracle Wallet Manager"

Enterprise Security Manager Console

"Setting Enterprise User Passwords" on

page 13-10

password:" on page 12-9

2-36 Oracle Database Advanced Security Administrator's Guide

Duties of an Enterprise User Security Administrator/DBA

Table 2–15 (Cont.) Common Enterprise User Security Administrator Conﬁguration and Administrative

Task Tools Used See Also

Manage user wallets on the local system or update database and directory user passwords

Request initial Kerberos ticket when KDC is not part of the operating system, such as Kerberos V5 from MIT

Migrate large numbers of local or external database users to the directory for Enterprise User Security

Oracle Wallet Manager Chapter 8, "Using Oracle Wallet Manager"

okinit utility "Task 10: Get an Initial Ticket for the

Kerberos/Oracle User" on page 6-11

User Migration Utility Appendix G, "Using the User Migration

Utility"

Conﬁguration and Administration Tools Overview 2-37

Duties of an Enterprise User Security Administrator/DBA

2-38 Oracle Database Advanced Security Administrator's Guide

Oracle B10772-01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

List of Figures

List of Tables

Send Us Your Comments

Preface

Audience

Organization

Related Documentation

Conventions

Documentation Accessibility

What's New in Orac le Ad vanced Security?

■ Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

Introduction to Orac le Advanced Security

Security Challenges in an Enterprise Environment

Security in Enterprise Grid Computing Environments

Security in an Intranet or Internet Environment

Common Security Threats

Eavesdropping and Data Theft

Data Tampering

Falsifying User Identities

Solving Security Challenges with Oracle Advanced Security

Password-Related Threats

Data Encryption

Supported Encryption Algorithms

DES Encryption Oracle Advanced Security implements the U.S. Data Encryption Standard algorithm (DES) with a standard, optimized 56-bit key encryption algorithm, and also provides DES40, a 40-bit version, for backward compatibility.

Advanced Encryption Standard Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication

Data Integrity

Federal Information Processing Standard

Strong Authentication

Centralized Authentication and Single Sign-On

How Centralized Network Authentication Works Figure 1–3 shows how a centralized

Supported Authentication Methods

■ Kerberos

DCE (Distributed Computing Environment) DCE is a set of integrated network services that works across multiple systems to provide a distributed environment. Oracle DCE Integration consists of the following two components:

Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity.

Enterprise User Management

Oracle Advanced Security Architecture

Secure Data Transfer Across Network Protocol Boundaries

System Requirements

Oracle Advanced Security Restrictions

Network Encryption and Strong Authentication Configuration Tools

Oracle Net Manager

Starting Oracle Net Manager

Navigating to the Oracle Advanced Security Profile

Oracle Advanced Security Profile Property Sheets

Authentication Property Sheet Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS.

Other Params Property Sheet Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.

Integrity Property Sheet Use this property sheet to enable checksumming on the client or the server and to select an encryption algorithm for generating secure message digests.

Encryption Property Sheet Use this property sheet to select one or more cipher suites to encrypt client or server connections with native encryption algorithms.

SSL Property Sheet Use this property sheet to conﬁgure Secure Sockets Layer (SSL), including the wallet location and cipher suite, on a client or server.

Oracle Advanced Security Kerberos Adapter Command-Line Utilities

Public Key Infrastructure Credentials Management Tools

Oracle Wallet Manager

Starting Oracle Wallet Manager

Navigating the Oracle Wallet Manager User Interface

Navigator Pane The navigator pane provides a graphical tree view of the certiﬁcate requests and certiﬁcates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certiﬁcates and certiﬁcate requests.

Right Pane The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.

Toolbar

Menus

Wallet Menu Table 2–3 describes the contents of the Wallet menu.

Operations Menu Table 2–4 describes the contents of the Operations menu.

Help Menu Table 2–5 describes the contents of the Help menu.

orapki Utility

Enterprise User Security Configuration and Management Tools

Starting Database Configuration Assistant

Enterprise Security Manager and Enterprise Security Manager Console

Enterprise Security Manager Initial Installation and Configuration Overview

Task 1: Install Enterprise Security Manager Enterprise Security Manager is automatically installed by the Oracle Database Enterprise Edition server installation process.

Starting Enterprise Security Manager

Navigating the Enterprise Security Manager User Interface

Navigator Pane The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.

Tool Bar The toolbar contains two buttons that enable you to access the Enterprise Security Manager online help and to delete directory objects.

Menus You use Enterprise Security Manager menus to create or remove enterprise domains and to manage objects within the domains, such as enterprise roles or database membership. The following sections describe the options that are available under each menu.

File Menu Table 2–9 describes the contents of the File menu.

Operations Menu Table 2–10 describes the contents of the Operations menu.