Oracle B10772-01 User Manual

OracleDatabase

Advanced Security Administrator's Guide 10g Release 1 (10.1)

Part No. B10772-01

December 2003

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1) Part No. B10772-01 Copyright © 1996, 2003 Oracle Corporation. All rights reserved. Primary Author: Laurel P. Hale Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya

Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati

Graphic Designer: Valarie Moore The Programs (which include both the software and documentation) contain proprietary information of

Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as speciﬁed by law, is prohibited.

The information contained in this document is subject to change without notice. If you ﬁnd any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR

52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.

This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos license, Oracle is required to license the Kerberos software to you under the following terms. Note that the terms contained in the Oracle program license that accompanied this product do not apply to the Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not

responsible for the performance of the Kerberos software, does not provide technical support for the software, and shall not be liable for any damages arising out of any use of the Kerberos software.

States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without speciﬁc, written prior permission. Furthermore, if you modify this software you must label your software as modiﬁed software and not distribute it in such a fashion that it might be confused with the original M.I.T.software.M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWAREISPROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code ﬁles are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made without prior written permission of M.I.T.

"Commercial use" means use of a name in a product or other for-proﬁt manner. It does NOT prevent a commercial ﬁrm from referring to the M.I.T. trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

---The following copyright and permission notice applies to the OpenVision Kerberos Administration

system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modiﬁcation, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to

derivative works of the Source Code, whether createdbyOpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which hasbeenperformedby M.I.T. and the Kerberos community.

---Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National

Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U. S. Department of Energy.

List of Figures

List of Tables

Send Us Your Comments............................................................................................................... xxiii

Preface......................................................................................................................................................... xxv

What's New in Oracle Advanced Security?...................................................................... xxxvii

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

Security Challenges in an Enterprise Environment..................................................................... 1-1

Security in Enterprise Grid Computing Environments.......................................................... 1-2

Security in an Intranet or Internet Environment...................................................................... 1-2

Common Security Threats........................................................................................................... 1-3

Solving Security Challenges with Oracle Advanced Security................................................... 1-4

Data Encryption............................................................................................................................ 1-5

Strong Authentication.................................................................................................................. 1-8

Enterprise User Management................................................................................................... 1-13

Oracle Advanced Security Architecture....................................................................................... 1-15

Secure Data Transfer Across Network Protocol Boundaries.................................................... 1-16

System Requirements...................................................................................................................... 1-16

Oracle Advanced Security Restrictions........................................................................................ 1-17

2 Configuration and Administration Tools Overview

Network Encryption and Strong Authentication Conﬁguration Tools.................................... 2-2

Oracle Net Manager ..................................................................................................................... 2-2

Oracle Advanced Security Kerberos Adapter Command-Line Utilities.............................. 2-5

Public Key Infrastructure Credentials Management Tools........................................................ 2-6

Oracle Wallet Manager ................................................................................................................ 2-6

orapki Utility ............................................................................................................................... 2-12

Enterprise User Security Conﬁguration and Management Tools............................................ 2-13

Database Configuration Assistant............................................................................................ 2-13

Enterprise Security Manager and Enterprise Security Manager Console.......................... 2-14

Oracle Net Configuration Assistant......................................................................................... 2-32

User Migration Utility................................................................................................................ 2-33

Duties of a Security Administrator/DBA..................................................................................... 2-34

Duties of an Enterprise User Security Administrator/DBA ..................................................... 2-35

Part II Network Data Encryption and Integrity

3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

Oracle Advanced Security Encryption............................................................................................ 3-1

About Encryption ......................................................................................................................... 3-2

Advanced Encryption Standard................................................................................................. 3-2

DES Algorithm Support............................................................................................................... 3-2

Triple-DES Support ..................................................................................................................... 3-2

RSA RC4 Algorithm for High Speed Encryption..................................................................... 3-3

Oracle Advanced Security Data Integrity ...................................................................................... 3-3

Data Integrity Algorithms Supported ....................................................................................... 3-4

Difﬁe-Hellman Based Key Management ....................................................................................... 3-4

Authentication Key Fold-in......................................................................................................... 3-5

How To Conﬁgure Data Encryption and Integrity....................................................................... 3-5

About Activating Encryption and Integrity.............................................................................. 3-6

About Negotiating Encryption and Integrity........................................................................... 3-6

Setting the Encryption Seed (Optional)..................................................................................... 3-8

Configuring Encryption and Integrity Parameters Using Oracle Net Manager................. 3-9

4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients

About the Java Implementation....................................................................................................... 4-1

Java Database Connectivity Support......................................................................................... 4-1

Securing Thin JDBC...................................................................................................................... 4-2

Implementation Overview.......................................................................................................... 4-3

Obfuscation.................................................................................................................................... 4-3

Conﬁguration Parameters.................................................................................................................. 4-4

Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT....................................... 4-4

Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT............ 4-5

Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT............................ 4-5

Client Integrity Selected List: ORACLE.NET.CRYPTO_CHEKSUM_TYPES_CLIENT .... 4-6

Part III Oracle Advanced Security Strong Authentication

5 Configuring RADIUS Authentication

RADIUS Overview............................................................................................................................. 5-1

RADIUS Authentication Modes...................................................................................................... 5-3

Synchronous Authentication Mode........................................................................................... 5-3

Challenge-Response (Asynchronous) Authentication Mode................................................. 5-5

Enabling RADIUS Authentication, Authorization, and Accounting....................................... 5-8

Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client.............. 5-9

Task 2: Configure RADIUS Authentication.............................................................................. 5-9

Task 3: Create a User and Grant Access.................................................................................. 5-17

Task 4: Configure External RADIUS Authorization (optional)........................................... 5-17

Task 5: Configure RADIUS Accounting.................................................................................. 5-19

Task 6: Add the RADIUS Client Name to the RADIUS Server Database.......................... 5-20

Task 7: Configure the Authentication Server for Use with RADIUS.................................. 5-20

Task 8: Configure the RADIUS Server for Use with the Authentication Server............... 5-20

Task 9: Configure Mapping Roles............................................................................................ 5-21

Using RADIUS to Log In to a Database....................................................................................... 5-22

RSA ACE/Server Conﬁguration Checklist................................................................................... 5-22

6 Configuring Kerberos Authentication

Enabling Kerberos Authentication ................................................................................................. 6-2

vii

Task 1: Install Kerberos................................................................................................................ 6-2

Task 2: Configure a Service Principal for an Oracle Database Server................................... 6-2

Task 3: Extract a Service Table from Kerberos ......................................................................... 6-3

Task 4: Install an Oracle Database Server and an Oracle Client............................................ 6-4

Task 5: Install Oracle Net Services and Oracle Advanced Security ...................................... 6-5

Task 6: Configure Oracle Net Services and Oracle Database................................................. 6-5

Task 7: Configure Kerberos Authentication ............................................................................. 6-5

Task 8: Create a Kerberos User................................................................................................. 6-10

Task 9: Create an Externally Authenticated Oracle User...................................................... 6-10

Task 10: Get an Initial Ticket for the Kerberos/Oracle User................................................ 6-11

Utilities for the Kerberos Authentication Adapter .................................................................... 6-11

Obtaining the Initial Ticket with the okinit Utility................................................................ 6-11

Displaying Credentials with the oklist Utility........................................................................ 6-12

Removing Credentials from the Cache File with the okdstry Utility ................................. 6-13

Connecting to an Oracle Database Server Authenticated by Kerberos.............................. 6-13

Conﬁguring Interoperability with a Windows 2000 Domain Controller KDC.................... 6-13

Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC 6-14

Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client 6-15

Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain

Controller KDC........................................................................................................................... 6-17

Task 4: Getting an Initial Ticket for the Kerberos/Oracle User........................................... 6-17

Troubleshooting ................................................................................................................................ 6-18

7 Configuring Secure Sockets Layer Authentication

SSL and TLS in an Oracle Environment......................................................................................... 7-2

Difference between SSL and TLS................................................................................................ 7-2

About Using SSL........................................................................................................................... 7-3

How SSL Works in an Oracle Environment: The SSL Handshake........................................ 7-4

Public Key Infrastructure in an Oracle Environment.................................................................. 7-5

About Public Key Cryptography................................................................................................ 7-5

Public Key Infrastructure Components in an Oracle Environment...................................... 7-6

SSL Combined with Other Authentication Methods................................................................ 7-10

Architecture: Oracle Advanced Security and SSL ................................................................. 7-10

viii

How SSL Works with Other Authentication Methods ......................................................... 7-10

SSL and Firewalls............................................................................................................................. 7-12

SSL Usage Issues............................................................................................................................... 7-14

Enabling SSL ..................................................................................................................................... 7-15

Task 1: Install Oracle Advanced Security and Related Products ........................................ 7-15

Task 2: Configure SSL on the Server........................................................................................ 7-15

Task 3: Configure SSL on the Client ........................................................................................ 7-23

Task 4: Log on to the Database................................................................................................. 7-31

Troubleshooting SSL........................................................................................................................ 7-31

Certiﬁcate Validation with Certiﬁcate Revocation Lists ........................................................... 7-35

What CRLs Should You Use? ................................................................................................... 7-35

How CRL Checking Works....................................................................................................... 7-36

Configuring Certificate Validation with Certificate Revocation Lists................................ 7-37

Certificate Revocation List Management................................................................................ 7-40

Troubleshooting Certificate Validation................................................................................... 7-45

Conﬁguring Your System to Use Hardware Security Modules ............................................... 7-48

General Guidelines for Using Hardware Security Modules with Oracle Advanced Security

....................................................................................................................................................... 7-48

Configuring Your System to Use nCipher Hardware Security Modules........................... 7-49

Troubleshooting Using Hardware Security Modules........................................................... 7-50

8 Using Oracle Wallet Manager

Oracle Wallet Manager Overview ................................................................................................... 8-2

Wallet Password Management................................................................................................... 8-2

Strong Wallet Encryption............................................................................................................ 8-3

Microsoft Windows Registry Wallet Storage ........................................................................... 8-3

Backward Compatibility.............................................................................................................. 8-3

Public-Key Cryptography Standards (PKCS) Support........................................................... 8-3

Multiple Certificate Support....................................................................................................... 8-4

LDAP Directory Support............................................................................................................. 8-7

Starting Oracle Wallet Manager....................................................................................................... 8-7

How To Create a Complete Wallet: Process Overview ................................................................ 8-8

Managing Wallets ............................................................................................................................... 8-9

Required Guidelines for Creating Wallet Passwords ............................................................. 8-9

Creating a New Wallet............................................................................................................... 8-10

Opening an Existing Wallet....................................................................................................... 8-13

Closing a Wallet.......................................................................................................................... 8-13

Importing Third-Party Wallets................................................................................................. 8-13

Exporting Oracle Wallets to Third-Party Environments ...................................................... 8-14

Exporting Oracle Wallets to Tools that Do Not Support PKCS #12.................................... 8-14

Uploading a Wallet to an LDAP Directory............................................................................. 8-15

Downloading a Wallet from an LDAP Directory .................................................................. 8-16

Saving Changes........................................................................................................................... 8-17

Saving the Open Wallet to a New Location............................................................................ 8-17

Saving in System Default........................................................................................................... 8-17

Deleting the Wallet..................................................................................................................... 8-18

Changing the Password............................................................................................................. 8-18

Using Auto Login ....................................................................................................................... 8-19

Managing Certiﬁcates ...................................................................................................................... 8-20

Managing User Certificates....................................................................................................... 8-20

Managing Trusted Certificates ................................................................................................. 8-25

9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

Connecting with User Name and Password.................................................................................. 9-1

Disabling Oracle Advanced Security Authentication................................................................. 9-2

Conﬁguring Multiple Authentication Methods ........................................................................... 9-4

Conﬁguring Oracle Database for External Authentication ....................................................... 9-5

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora................ 9-5

Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE............................................... 9-5

Setting OS_AUTHENT_PREFIX to a Null Value..................................................................... 9-6

10 Configuring Oracle DCE Integration

Introduction to Oracle DCE Integration....................................................................................... 10-2

System Requirements................................................................................................................. 10-2

Backward Compatibility............................................................................................................ 10-2

Components of Oracle DCE Integration ................................................................................. 10-2

Flexible DCE Deployment......................................................................................................... 10-4

Release Limitations..................................................................................................................... 10-4

Conﬁguring DCE for Oracle DCE Integration............................................................................ 10-5

Task 1: Create New Principals and Accounts......................................................................... 10-5

Task 2: Install the Key of the Server into a Keytab File......................................................... 10-6

Task 3: Configure DCE CDS for Use by Oracle DCE Integration ....................................... 10-6

Conﬁguring Oracle Database and Oracle Net Services for Oracle DCE Integration......... 10-8

DCE Address Parameters.......................................................................................................... 10-8

Task 1: Configure the Server..................................................................................................... 10-9

Task 2: Create and Name Externally Authenticated Accounts.......................................... 10-10

Task 3: Set up DCE Integration External Roles.................................................................... 10-12

Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases 10-15

Task 5: Configure the Client ................................................................................................... 10-16

Task 6: Configure Clients to Use DCE CDS Naming.......................................................... 10-19

Connecting to an Oracle Database Server in the DCE Environment ................................... 10-23

Starting the Listener................................................................................................................. 10-23

Connecting to an Oracle Database by Using DCE Authentication for Single Sign-On.. 10-24

Connecting to an Oracle Database by Using Password Authentication.......................... 10-25

Connecting Clients Outside DCE to Oracle Servers in DCE................................................. 10-25

Sample Parameter Files............................................................................................................ 10-25

Using tnsnames.ora for Name Lookup When CDS Is Inaccessible................................... 10-28

Part IV Enterprise User Security

11 Getting Started with Enterprise User Security

Introduction to Enterprise User Security..................................................................................... 11-2

The Challenges of User Management...................................................................................... 11-2

Enterprise User Security: The Big Picture............................................................................... 11-3

About Enterprise User Security Directory Entries............................................................... 11-11

About Using Shared Schemas for Enterprise User Security.................................................. 11-19

Overview of Shared Schemas Used in Enterprise User Security....................................... 11-19

How Shared Schemas Are Configured for Enterprise Users............................................. 11-20

How Enterprise Users Are Mapped to Schemas.................................................................. 11-20

About Using Current User Database Links for Enterprise User Security........................... 11-23

Enterprise User Security Deployment Considerations........................................................... 11-25

Security Aspects of Centralizing Security Credentials ....................................................... 11-25

Security of Password-Authenticated Enterprise User Database Login Information...... 11-26

Considerations for Defining Database Membership in Enterprise Domains.................. 11-27

Considerations for Choosing Authentication Types between Clients, Databases, and

Directories for Enterprise User Security................................................................................ 11-28

12 Enterprise User Security Configuration Tasks and Troubleshooting

Enterprise User Security Conﬁguration Overview..................................................................... 12-1

Enterprise User Security Conﬁguration Roadmap..................................................................... 12-4

Preparing the Directory for Enterprise User Security................................................................ 12-5

Conﬁguring Enterprise User Security Objects in the Database and the Directory ........... 12-11

Conﬁguring Enterprise User Security for Password Authentication ................................... 12-16

Conﬁguring Enterprise User Security for Kerberos Authentication .................................... 12-18

Conﬁguring Enterprise User Security for SSL Authentication.............................................. 12-21

Viewing the Database DN in the Wallet and in the Directory........................................... 12-24

Enabling Current User Database Links...................................................................................... 12-25

Troubleshooting Enterprise User Security................................................................................. 12-26

ORA-# Errors for Password-Authenticated Enterprise Users............................................ 12-26

ORA-# Errors for Kerberos-Authenticated Enterprise Users............................................. 12-29

ORA-# Errors for SSL-Authenticated Enterprise Users ...................................................... 12-32

NO-GLOBAL-ROLES Checklist ............................................................................................. 12-33

USER-SCHEMA ERROR Checklist........................................................................................ 12-34

DOMAIN-READ-ERROR Checklist ...................................................................................... 12-35

13 Administering Enterprise User Security

Enterprise User Security Administration Tools Overview....................................................... 13-2

Administering Identity Management Realms ............................................................................ 13-3

Identity Management Realm Versions.................................................................................... 13-4

Setting Properties of an Identity Management Realm .......................................................... 13-5

Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base

Identity Management Realm Attributes.................................................................................. 13-5

Setting the Default Database-to-Directory Authentication Type for an Identity Management

Realm ............................................................................................................................................ 13-6

Managing Identity Management Realm Administrators...................................................... 13-7

Administering Enterprise Users..................................................................................................... 13-8

Creating New Enterprise Users................................................................................................ 13-9

Setting Enterprise User Passwords ........................................................................................ 13-10

Defining an Initial Enterprise Role Assignment .................................................................. 13-11

xii

Browsing Users in the Directory ............................................................................................ 13-12

Administering Enterprise Domains............................................................................................ 13-15

Creating a New Enterprise Domain....................................................................................... 13-16

Defining Database Membership of an Enterprise Domain ................................................ 13-17

Managing Database Security Options for an Enterprise Domain..................................... 13-19

Managing Enterprise Domain Administrators .................................................................... 13-20

Managing Enterprise Domain Database Schema Mappings.............................................. 13-20

Managing Password Accessible Domains ............................................................................ 13-23

Managing Database Administrators...................................................................................... 13-25

Administering Enterprise Roles .................................................................................................. 13-27

Creating a New Enterprise Role............................................................................................. 13-27

Assigning Database Global Role Membership to an Enterprise Role............................... 13-28

Granting Enterprise Roles to Users........................................................................................ 13-31

Part V Appendixes

A Data Encryption and Integrity Parameters

Sample sqlnet.ora File........................................................................................................................ A-1

Data Encryption and Integrity Parameters .................................................................................... A-3

Encryption and Integrity Parameters ........................................................................................ A-4

Seeding the Random Key Generator (Optional)...................................................................... A-8

B Authentication Parameters

Parameters for Clients and Servers using Kerberos Authentication........................................ B-1

Parameters for Clients and Servers using RADIUS Authentication........................................ B-2

sqlnet.ora File Parameters ........................................................................................................... B-2

Minimum RADIUS Parameters.................................................................................................. B-6

Initialization File Parameters...................................................................................................... B-7

Parameters for Clients and Servers using SSL.............................................................................. B-7

SSL Authentication Parameters.................................................................................................. B-7

Cipher Suite Parameters.............................................................................................................. B-8

SSL Version Parameters............................................................................................................... B-9

SSL Client Authentication Parameters .................................................................................... B-10

Wallet Location........................................................................................................................... B-12

xiii

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface........................................................... C-1

Customizing the RADIUS Challenge-Response User Interface............................................... C-2

D Oracle Advanced Security FIPS 140-1 Settings

Conﬁguration Parameters................................................................................................................. D-1

Server Encryption Level Setting................................................................................................ D-2

Client Encryption Level Setting................................................................................................. D-2

Server Encryption Selection List................................................................................................ D-2

Client Encryption Selection List ................................................................................................ D-3

Cryptographic Seed Value.......................................................................................................... D-3

FIPS Parameter............................................................................................................................. D-3

Post Installation Checks ................................................................................................................... D-4

Status Information............................................................................................................................. D-4

Physical Security................................................................................................................................ D-5

E orapki Utility

orapki Utility Overview..................................................................................................................... E-2

orapki Utility Syntax .................................................................................................................... E-2

Creating Signed Certiﬁcates for Testing Purposes....................................................................... E-3

Managing Oracle Wallets with orapki Utility............................................................................... E-4

Creating and Viewing Oracle Wallets with orapki.................................................................. E-4

Adding Certificates and Certificate Requests to Oracle Wallets with orapki...................... E-5

Exporting Certificates and Certificate Requests from Oracle Wallets with orapki............. E-6

Managing Certiﬁcate Revocation Lists (CRLs) with orapki Utility.......................................... E-6

orapki Utility Commands Summary............................................................................................... E-7

orapki cert create........................................................................................................................... E-7

orapki cert display........................................................................................................................ E-8

orapki crl delete............................................................................................................................. E-8

orapki crl display.......................................................................................................................... E-9

orapki crl hash............................................................................................................................ E-10

orapki crl list............................................................................................................................... E-10

orapki crl upload........................................................................................................................ E-11

orapki wallet add....................................................................................................................... E-12

xiv

orapki wallet create.................................................................................................................... E-13

orapki wallet display.................................................................................................................. E-13

orapki wallet export................................................................................................................... E-13

F Entrust-Enabled SSL Authentication

Beneﬁts of Entrust-Enabled Oracle Advanced Security.............................................................. F-2

Enhanced X.509-Based Authentication and Single Sign-On.................................................. F-2

Integration with Entrust Authority Key Management ........................................................... F-2

Integration with Entrust Authority Certificate Revocation.................................................... F-2

Required System Components for Entrust-Enabled Oracle Advanced Security................... F-3

Entrust Authority for Oracle....................................................................................................... F-3

Entrust Authority Server Login Feature ................................................................................... F-4

Entrust Authority IPSec Negotiator Toolkit............................................................................. F-5

Entrust Authentication Process........................................................................................................ F-5

Enabling Entrust Authentication..................................................................................................... F-6

Creating Entrust Profiles ............................................................................................................. F-6

Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ...... F-8

Configuring SSL on the Client and Server for Entrust-Enabled SSL.................................... F-8

Configuring Entrust on the Client ............................................................................................. F-8

Configuring Entrust on the Server............................................................................................. F-9

Creating Entrust-Enabled Database Users.............................................................................. F-12

Logging Into the Database Using Entrust-Enabled SSL ....................................................... F-12

Issues and Restrictions that Apply to Entrust-Enabled SSL................................................... F-12

Troubleshooting Entrust In Oracle Advanced Security............................................................ F-13

Error Messages Returned When Running Entrust on Any Platform ................................. F-13

Error Messages Returned When Running Entrust on Windows Platforms ...................... F-15

General Checklist for Running Entrust on Any Platform .................................................... F-17

G Using the User Migration Utility

Beneﬁts of Migrating Local or External Users to Enterprise Users.......................................... G-1

Introduction to the User Migration Utility................................................................................... G-2

Bulk User Migration Process Overview................................................................................... G-3

About the ORCL_GLOBAL_USR_MIGRATION_DATA Table........................................... G-4

Migration Effects on Users' Old Database Schemas............................................................... G-6

Migration Process........................................................................................................................ G-7

Prerequisites for Performing Migration........................................................................................ G-8

Required Database Privileges .................................................................................................... G-8

Required Directory Privileges.................................................................................................... G-9

Required Setup to Run the User Migration Utility................................................................. G-9

User Migration Utility Command Line Syntax.......................................................................... G-10

Accessing Help for the User Migration Utility.......................................................................... G-11

User Migration Utility Parameters ............................................................................................... G-12

User Migration Utility Usage Examples...................................................................................... G-20

Migrating Users While Retaining Their Own Schemas ....................................................... G-20

Migrating Users and Mapping to a Shared Schema............................................................. G-21

Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters............... G-25

Troubleshooting Using the User Migration Utility................................................................... G-26

Common User Migration Utility Error Messages................................................................. G-26

Common User Migration Utility Log Messages ................................................................... G-32

Summary of User Migration Utility Error and Log Messages............................................ G-34

Glossary Index

xvi

xvii

List of Figures

1–1 Encryption .............................................................................................................................. 1-5

1–2 Strong Authentication with Oracle Authentication Adapters........................................ 1-8

1–3 How a Network Authentication Service Authenticates a User...................................... 1-9

1–4 Centralized User Management with Enterprise User Security..................................... 1-13

1–5 Oracle Advanced Security in an Oracle Networking Environment ............................ 1-15

1–6 Oracle Net with Authentication Adapters....................................................................... 1-16

2–1 Oracle Advanced Security Profile in Oracle Net Manager.............................................. 2-4

2–2 Oracle Wallet Manager User Interface ............................................................................... 2-7

2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane .... 2-9

2–4 Directory Server Login Window....................................................................................... 2-17

2–5 Enterprise Security Manager User Interface.................................................................... 2-18

2–6 Enterprise Security Manager Databases Tabbed Window............................................ 2-20

2–7 Enterprise Security Manager Console Login Page ......................................................... 2-23

2–8 ESM Console URL Window............................................................................................... 2-24

2–9 Enterprise Security Manager Console User Interface .................................................... 2-25

2–10 Enterprise Security Manager Console Users Subtab...................................................... 2-26

2–11 Enterprise Security Manager Console Group Subtab .................................................... 2-28

2–12 Enterprise Security Manager Console Edit Group Page................................................ 2-29

2–13 Enterprise Security Manager Console Realm Configuration Tabbed Window......... 2-30

2–14 Opening Page of Oracle Net Configuration Assistant................................................... 2-33

3–1 Oracle Advanced Security Encryption Window............................................................. 3-10

3–2 Oracle Advanced Security Integrity Window................................................................. 3-12

5–1 RADIUS in an Oracle Environment.................................................................................... 5-2

5–2 Synchronous Authentication Sequence.............................................................................. 5-4

5–3 Asynchronous Authentication Sequence........................................................................... 5-6

5–4 Oracle Advanced Security Authentication Window...................................................... 5-10

5–5 Oracle Advanced Security Other Params Window........................................................ 5-12

6–1 Oracle Advanced Security Authentication Window (Kerberos).................................... 6-6

6–2 Oracle Advanced Security Other Params Window (Kerberos)...................................... 6-7

7–1 SSL in Relation to Other Authentication Methods......................................................... 7-11

7–2 SSL Cipher Suites Window................................................................................................ 7-19

7–3 Oracle Advanced Security SSL Window (Server)........................................................... 7-20

7–4 Oracle Advanced Security SSL Window (Server)........................................................... 7-22

7–5 Oracle Advanced Security SSL Window (Client) ........................................................... 7-26

7–6 Oracle Advanced Security SSL Window (Client) ........................................................... 7-29

7–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected

................................................................................................................................................ 7-38

9–1 Oracle Advanced Security Authentication Window........................................................ 9-3

11–1 Enterprise User Security and the Oracle Security Architecture ................................... 11-4

11–2 Example of Enterprise Roles............................................................................................ 11-13

xviii

11–3 Related Entries in a Realm Oracle Context.................................................................... 11-16

12–1 Enterprise User Security Configuration Flow Chart...................................................... 12-3

13–1 Enterprise Security Manager Console Home Page ........................................................ 13-9

13–2 Enterprise Security Manager Console Edit User Window: Basic Information ........ 13-10

13–3 Enterprise Security Manager: Add Enterprise Roles Window................................... 13-12

13–4 Enterprise Security Manager: Main Window (All Users Tab).................................... 13-13

13–5 Enterprise Security Manager: Create Enterprise Domain Window........................... 13-16

13–6 Enterprise Security Manager: Databases Tab (Database Membership) .................... 13-17

13–7 Enterprise Security Manager: Add Databases Window.............................................. 13-18

13–8 Enterprise Security Manager: Database Schema Mappings Tab................................ 13-21

13–9 Enterprise Security Manager: Add Database Schema Mappings Window.............. 13-22

13–10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box..... 13-24

13–11 Enterprise Security Manager: Create Enterprise Role Window................................. 13-27

13–12 Enterprise Security Manager: Database Global Roles Tab.......................................... 13-29

13–13 Enterprise Security Manager: Database Authentication Required Window............ 13-30

13–14 Enterprise Security Manager: Add Enterprise Users Window .................................. 13-31

F–1 Entrust Authentication Process........................................................................................... F-6

xix

List of Tables

1–1 Authentication Methods and System Requirements ..................................................... 1-17

2–1 Oracle Wallet Manager Navigator Pane Objects ............................................................. 2-8

2–2 Oracle Wallet Manager Toolbar Buttons ........................................................................ 2-10

2–3 Oracle Wallet Manager Wallet Menu Options............................................................... 2-10

2–4 Oracle Wallet Manager Operations Menu Options....................................................... 2-11

2–5 Oracle Wallet Manager Help Menu Options ................................................................. 2-12

2–6 Enterprise User Security Tools Summary........................................................................ 2-13

2–7 Enterprise Security Manager Authentication Methods................................................ 2-17

2–8 Enterprise Security Manager Navigator Pane Folders ................................................. 2-19

2–9 Enterprise Security Manager File Menu Options.......................................................... 2-21

2–10 Enterprise Security Manager Operations Menu Options............................................. 2-21

2–11 Enterprise Security Manager Help Menu Options........................................................ 2-21

2–12 Enterprise Security Manager Console User Subtab Buttons........................................ 2-27

2–13 Realm Configuration Tabbed Window Fields ............................................................... 2-30

2–14 Common Security Administrator/DBA Configuration and Administrative Tasks. 2-34 2–15 Common Enterprise User Security Administrator Configuration and Administrative

Tasks...................................................................................................................................... 2-36

3–1 Encryption and Data Integrity Negotiations..................................................................... 3-8

3–2 Valid Encryption Algorithms............................................................................................ 3-11

3–3 Valid Integrity Algorithms................................................................................................. 3-13

4–1 ORACLE.NET.ENCRYPTION_CLIENT Parameter Attributes ..................................... 4-4

4–2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ....................... 4-5

4–3 ORACLE.NET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes ...................... 4-5

4–4 ORACLE.NET.CRYPTO_CHEKSUM_TYPES_CLIENT Parameter Attributes........... 4-6

5–1 RADIUS Authentication Components.............................................................................. 5-3

5–2 RADIUS Configuration Parameters ................................................................................. 5-21

6–1 Options for the okinit Utility ............................................................................................ 6-11

6–2 Options for the oklist Utility............................................................................................. 6-12

7–1 Oracle Advanced Security Cipher Suites........................................................................ 7-18

8–1 KeyUsage Values................................................................................................................... 8-5

8–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet...................... 8-5

8–3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet ................ 8-6

8–4 PKI Wallet Encoding Standards........................................................................................ 8-15

8–5 Certificate Request: Fields and Descriptions.................................................................. 8-21

8–6 Available Key Sizes............................................................................................................. 8-22

10–1 DCE Address Parameters and Definitions ..................................................................... 10-8

10–2 Setting Up External Role Syntax Components.............................................................. 10-13

11–1 Enterprise User Security Authentication: Selection Criteria....................................... 11-10

11–2 Administrative Groups in a Realm Oracle Context .................................................... 11-18

xxi

11–3 Enterprise User Security: Supported Authentication Types for Connections between

Clients, Databases, and Directories ................................................................................. 11-28

13–1 Identity Management Realm Properties .......................................................................... 13-5

13–2 Enterprise User Security Identity Management Realm Administrators ..................... 13-7

13–3 Directory Search Criteria.................................................................................................. 13-14

13–4 Enterprise Security Manager Database Security Options............................................ 13-19

A–1 Algorithm Type Selection..................................................................................................... A-3

A–2 SQLNET.ENCRYPTION_SERVER Parameter Attributes............................................... A-4

A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes ............................................... A-5

A–4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes................................ A-5

A–5 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes................................. A-5

A–6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes................................. A-6

A–7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ................................. A-7

A–8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes.................. A-8

A–9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes .................. A-8

B–1 Kerberos Authentication Parameters................................................................................. B-1

B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes ............................... B-2

B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes.................................... B-2

B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes....................... B-3

B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes............... B-3

B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes.................. B-3

B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes................................ B-4

B–8 SQLNET.RADIUS_SECRET Parameter Attributes........................................................... B-4

B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes................................................. B-4

B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes .................................... B-4

B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes ............................ B-5

B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes............................... B-5

B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes ......................... B-5

B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes ......................... B-6

B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes........... B-6

B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes.................................................. B-6

B–17 Wallet Location Parameters .............................................................................................. B-12

C–1 Server Encryption Level Setting......................................................................................... C-2

D–1 Sample Output from v$session_connect_info.................................................................. D-4

G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema....................................... G-5

G–2 Interface Table Column Values That Can Be Modified between Phase One and Phase

Two ......................................................................................................................................... G-6

G–3 Effects of Choosing Shared Schema Mapping with CASCADE Options..................... G-7

G–4 Alphabetical Listing of User Migration Utility Error Messages................................. G-34

G–5 Alphabetical Listing of User Migration Utility Log Messages .................................... G-35

xxii

Send Us Your Comments

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)

Part No. B10772-01

Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision.

■ Did you ﬁnd any errors?

■ Is the information clearly presented?

■ Do you need more information? If so, where?

■ Are the examples correct? Do you need more examples?

■ What features did you like most?

If you ﬁnd any errors or have any other suggestions for improvement, please indicate the document title and part number, and the chapter, section, and page number (if available). You can send comments to us in the following ways:

■ Electronic mail: infodev_us@oracle.com

■ FAX: (650) 506-7227 Attn: Server Technologies Documentation Manager

■ Postal service:

Oracle Corporation Server Technologies Documentation 500 Oracle Parkway, Mailstop 4op11 Redwood Shores, CA 94065 USA

If you would like a reply, please give your name, address, telephone number, and (optionally) electronic mail address.

If you have problems with the software, please contact your local Oracle Support Services.

xxiii

xxiv

Preface

Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security.

Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.

The Oracle Database Advanced Security Administrator's Guide describes how to implement, conﬁgure and administer Oracle Advanced Security.

This preface contains these topics:

■ Audience

■ Organization

■ Related Documentation

■ Conventions

■ Documentation Accessibility

xxv

Audience

Organization

The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, conﬁguration, and administration of Oracle Advanced Security including:

■ Implementation consultants

■ System administrators

■ Security administrators

■ Database administrators (DBAs)

This document contains the following chapters:

Part I, "Getting Started with Oracle Advanced Security"

Chapter 1, "Introduction to Oracle Advanced Security"

This chapter provides an overview of Oracle Advanced Security features provided with this release.

Chapter 2, "Conﬁguration and Administration Tools Overview"

This chapter provides an introduction and overview of Oracle Advanced Security GUI and command-line tools.

xxvi

Part II, "Network Data Encryption and Integrity"

Chapter 3, "Conﬁguring Network Data Encryption and Integrity for Oracle Servers and Clients"

This chapter describes how to conﬁgure data encryption and integrity within an existing Oracle Net Services 10g Release 1 (10.1) network.

Chapter 4, "Conﬁguring Network Data Encryption and Integrity for Thin JDBC Clients"

This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.

Part III, "Oracle Advanced Security Strong Authentication"

Chapter 5, "Conﬁguring RADIUS Authentication"

This chapter describes how to conﬁgure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.

Chapter 6, "Conﬁguring Kerberos Authentication"

This chapter describes how to conﬁgure Oracle for use with MIT Kerberos and provides a brief overview of steps to conﬁgure Kerberos to authenticate Oracle users. It also includes a brief section that discusses interoperability between the Oracle Advanced Security Kerberos adapter and a Microsoft KDC.

Chapter 7, "Conﬁguring Secure Sockets Layer Authentication"

This chapter describes how Oracle Advanced Security supports a public key infrastructure (PKI). It includes a discussion of conﬁguring and using the Secure Sockets Layer (SSL), certiﬁcate validation, and hardware security module support features of Oracle Advanced Security.

Chapter 8, "Using Oracle Wallet Manager"

This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.

Chapter 9, "Conﬁguring Multiple Authentication Methods and Disabling Oracle Advanced Security"

This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to use conventional user name and password authentication. It also describes how to conﬁgure the network so that Oracle clients can use a speciﬁc authentication method, and Oracle servers can accept any method speciﬁed.

Chapter 10, "Conﬁguring Oracle DCE Integration"

This chapter provides a brief discussion of Open Software Foundation (OSF) DCE and Oracle DCE Integration, including what you need to do to conﬁgure DCE to use Oracle DCE Integration, how to conﬁgure the DCE CDS naming adapter, DCE

xxvii

parameters, and how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP.

Part IV, "Enterprise User Security"

Chapter 11, "Getting Started with Enterprise User Security"

This chapter describes the Oracle LDAP directory and database integration that enables you to store and manage users' authentication information in Oracle Internet Directory. This feature makes identity management services available to Oracle databases, which provides single sign-on to users (users can authenticate themselves to the database once and subsequent authentications occur transparently). It describes the components and provides an overview of how Enterprise User Security works.

Chapter 12, "Enterprise User Security Conﬁguration Tasks and Troubleshooting"

This chapter explains how to conﬁgure Enterprise User Security, providing a conﬁguration steps roadmap and the tasks required to conﬁgure password-, SSL-, and Kerberos-based Enterprise User Security authentication.

Chapter 13, "Administering Enterprise User Security"

This chapter describes how to use the Enterprise Security Manager to deﬁne directory identity management realm properties and to manage enterprise users, enterprise domains, and enterprise roles.

xxviii

Part V, "Appendixes"

Appendix A, "Data Encryption and Integrity Parameters"

This appendix describes Oracle Advanced Security data encryption and integrity conﬁguration parameters.

Appendix B, "Authentication Parameters"

This appendix describes Oracle Advanced Security authentication conﬁguration ﬁle parameters.

Appendix C, "Integrating Authentication Devices Using RADIUS"

This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.

Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"

This appendix describes the sqlnet.ora conﬁguration parameters required to comply with the FIPS 140-1 Level 2 evaluated conﬁguration.

Appendix E, "orapki Utility"

This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certiﬁcate revocation lists (CRLs). You can also use this utility to create and manage Oracle wallets; create certiﬁcate requests, signed certiﬁcates, and user certiﬁcates for testing purposes; and to export certiﬁcates and certiﬁcate requests from Oracle wallets.

Appendix F, "Entrust-Enabled SSL Authentication"

This appendix describes how to conﬁgure and use Entrust-enabled Oracle Advanced Security for Secure Sockets Layer (SSL) authentication.

Appendix G, "Using the User Migration Utility"

This appendix describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. It provides utility syntax, prerequisites, and usage examples.

Glossary

Oracle B10772-01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

List of Figures

List of Tables

Send Us Your Comments

Preface

Audience

Organization

Related Documentation