Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki
Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton,
Ramana Turlapati
Graphic Designer: Valarie Moore
The Programs (which include both the software and documentation) contain proprietary information of
Oracle Corporation; they are provided under a license agreement containing restrictions on use and
disclosure and are also protected by copyright, patent and other intellectual and industrial property
laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required
to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems
in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this
document is error-free. Except as may be expressly permitted in your license agreement for these
Programs, no part of these Programs may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on
behalf of the U.S. Government, the following notice is applicable:
Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial
computer software" and use, duplication, and disclosure of the Programs, including documentation,
shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer
software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR
52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500
Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently
dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup,
redundancy, and other measures to ensure the safe use of such applications if the Programs are used for
such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the
Programs.
Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and
Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names
may be trademarks of their respective owners.
Portions of Oracle Advanced Security have been licensed by Oracle
Corporation from RSA Data Security.
This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision
Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos
license, Oracle is required to license the Kerberos software to you under the following terms. Note that
the terms contained in the Oracle program license that accompanied this product do not apply to the
Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not
responsible for the performance of the Kerberos software, does not provide technical support for the
software, and shall not be liable for any damages arising out of any use of the Kerberos software.
States Government. It is the responsibility of any person or organization contemplating export to obtain
such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior permission. Furthermore, if you modify this
software you must label your software as modified software and not distribute it in such a fashion that it
might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability
of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft,
FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of
the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made
without prior written permission of M.I.T.
"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a
commercial firm from referring to the M.I.T. trademarks in order to convey information (although in
doing so, recognition of their trademark status should be given).
--- The following copyright and permission notice applies to the OpenVision Kerberos Administration
system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and
portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described
below, indicates your acceptance of the following terms. If you do not agree to the following terms, do
not retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code compiled from it, with or without
modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF
DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY
SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT,
INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to
derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision
copyright notice must be preserved if derivative works are made based on the donated Source Code.
OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion
in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing
Kerberos technology development and our gratitude for the valuable work which has been performed by
M.I.T. and the Kerberos community.
--- Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National
Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract
DE-AC02-76CHO3000 with the U. S. Department of Energy.
Send Us Your Comments
Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this
document. Your input is an important part of the information used for revision.
■ Did you find any errors?
■ Is the information clearly presented?
■ Do you need more information? If so, where?
■ Are the examples correct? Do you need more examples?
■ What features did you like most?
If you find any errors or have any other suggestions for improvement, please indicate the document
title and part number, and the chapter, section, and page number (if available). You can send comments to us in the following ways:
■ Electronic mail: infodev_us@oracle.com
■ FAX: (650) 506-7227 Attn: Server Technologies Documentation Manager
■ Postal service:
  Oracle Corporation
  Server Technologies Documentation
  500 Oracle Parkway, Mailstop 4op11
  Redwood Shores, CA 94065
  USA
If you would like a reply, please give your name, address, telephone number, and (optionally) electronic mail address.
If you have problems with the software, please contact your local Oracle Support Services.
Preface
Welcome to the Oracle Database Advanced Security Administrator's Guide for the
10g Release 1 (10.1) of Oracle Advanced Security.
Oracle Advanced Security contains a comprehensive suite of security features that
protect enterprise networks and securely extend them to the Internet. It provides a
single source of integration with multiple network encryption and authentication
solutions, single sign-on services, and security protocols.
The Oracle Database Advanced Security Administrator's Guide describes how to
implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
■ Audience
■ Organization
■ Related Documentation
■ Conventions
■ Documentation Accessibility
Audience
The Oracle Database Advanced Security Administrator's Guide is intended for
users and systems professionals involved with the implementation, configuration,
and administration of Oracle Advanced Security including:
■ Implementation consultants
■ System administrators
■ Security administrators
■ Database administrators (DBAs)
Organization
This document contains the following chapters:
Part I, "Getting Started with Oracle Advanced Security"
Chapter 1, "Introduction to Oracle Advanced Security"
This chapter provides an overview of Oracle Advanced Security features provided
with this release.
Chapter 2, "Configuration and Administration Tools Overview"
This chapter provides an introduction and overview of Oracle Advanced Security
GUI and command-line tools.
Part II, "Network Data Encryption and Integrity"
Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle
Servers and Clients"
This chapter describes how to configure data encryption and integrity within an
existing Oracle Net Services 10g Release 1 (10.1) network.
Chapter 4, "Configuring Network Data Encryption and Integrity for Thin JDBC
Clients"
This chapter provides an overview of the Java implementation of Oracle Advanced
Security, which lets Thin Java Database Connectivity (JDBC) clients securely
connect to Oracle Database databases.
Part III, "Oracle Advanced Security Strong Authentication"
Chapter 5, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote
Authentication Dial-In User Service). It provides an overview of how RADIUS
works within an Oracle environment, and describes how to enable RADIUS
authentication and accounting. It also introduces the challenge-response user
interface that third party vendors can customize to integrate with third party
authentication devices.
Chapter 6, "Configuring Kerberos Authentication"
This chapter describes how to configure Oracle for use with MIT Kerberos and
provides a brief overview of steps to configure Kerberos to authenticate Oracle
users. It also includes a brief section that discusses interoperability between the
Oracle Advanced Security Kerberos adapter and a Microsoft KDC.
Chapter 7, "Configuring Secure Sockets Layer Authentication"
This chapter describes how Oracle Advanced Security supports a public key
infrastructure (PKI). It includes a discussion of configuring and using the Secure
Sockets Layer (SSL), certificate validation, and hardware security module support
features of Oracle Advanced Security.
Chapter 8, "Using Oracle Wallet Manager"
This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets
and PKI credentials.
This chapter describes the authentication methods that can be used with Oracle
Advanced Security, and how to use conventional user name and password
authentication. It also describes how to configure the network so that Oracle clients
can use a specific authentication method, and Oracle servers can accept any method
specified.
Chapter 10, "Configuring Oracle DCE Integration"
This chapter provides a brief discussion of Open Software Foundation (OSF) DCE
and Oracle DCE Integration, including what you need to do to configure DCE to
use Oracle DCE Integration, how to configure the DCE CDS naming adapter, DCE
parameters, and how clients outside of DCE can access Oracle databases using
another protocol such as TCP/IP.
Part IV, "Enterprise User Security"
Chapter 11, "Getting Started with Enterprise User Security"
This chapter describes the Oracle LDAP directory and database integration that
enables you to store and manage users' authentication information in Oracle
Internet Directory. This feature makes identity management services available to
Oracle databases, which provides single sign-on to users (users can authenticate
themselves to the database once and subsequent authentications occur
transparently). It describes the components and provides an overview of how
Enterprise User Security works.
Chapter 12, "Enterprise User Security Configuration Tasks and
Troubleshooting"
This chapter explains how to configure Enterprise User Security, providing a
configuration steps roadmap and the tasks required to configure password-, SSL-,
and Kerberos-based Enterprise User Security authentication.
Chapter 13, "Administering Enterprise User Security"
This chapter describes how to use the Enterprise Security Manager to define
directory identity management realm properties and to manage enterprise users,
enterprise domains, and enterprise roles.
Part V, "Appendixes"
Appendix A, "Data Encryption and Integrity Parameters"
This appendix describes Oracle Advanced Security data encryption and integrity
configuration parameters.
Appendix B, "Authentication Parameters"
This appendix describes Oracle Advanced Security authentication configuration file
parameters.
Appendix C, "Integrating Authentication Devices Using RADIUS"
This appendix explains how third party authentication device vendors can integrate
their devices and customize the graphical user interface used in RADIUS
challenge-response authentication.
Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"
This appendix describes the sqlnet.ora configuration parameters required to
comply with the FIPS 140-1 Level 2 evaluated configuration.
Appendix E, "orapki Utility"
This appendix provides the syntax for the orapki command line utility. This utility
must be used to manage certificate revocation lists (CRLs). You can also use this
utility to create and manage Oracle wallets; create certificate requests, signed
certificates, and user certificates for testing purposes; and to export certificates and
certificate requests from Oracle wallets.
Appendix F, "Entrust-Enabled SSL Authentication"
This appendix describes how to configure and use Entrust-enabled Oracle
Advanced Security for Secure Sockets Layer (SSL) authentication.
Appendix G, "Using the User Migration Utility"
This appendix describes the User Migration Utility, which can be used to perform
bulk migrations of database users to an LDAP directory where they are stored and
managed as enterprise users. It provides utility syntax, prerequisites, and usage
examples.
Related Documentation
■ Oracle Database JDBC Developer's Guide and Reference
■ Oracle Internet Directory Administrator's Guide
■ Oracle Database Administrator's Guide
■ Oracle Database Security Guide
Many books in the documentation set use the sample schemas of the seed database,
which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you
can use them yourself.
Printed documentation is available for sale in the Oracle Store at
http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other
collateral, please visit the Oracle Technology Network (OTN). You must register
online before using OTN; registration is free and can be done at
http://otn.oracle.com/membership/
If you already have a username and password for OTN, then you can go directly to
the documentation section of the OTN Web site at
http://otn.oracle.com/documentation/
For information from third-party vendors, see:
■ ACE/Server Administration Manual, from Security Dynamics
■ ACE/Server Client for UNIX, from Security Dynamics
■ ACE/Server Installation Manual, from Security Dynamics
■ RADIUS Administrator's Guide
■ Notes about building and installing Kerberos from Kerberos version 5
For conceptual information about the network security technologies supported by
Oracle Advanced Security, you can refer to the following third-party publications:
■ Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in
C by Bruce Schneier. New York: John Wiley & Sons, 1996.
■ SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York:
John Wiley & Sons, 2000.
■ Understanding and Deploying LDAP Directory Services by Timothy A. Howes,
Ph.D., Mark C. Smith, and Gordon S. Good. Indianapolis: New Riders
Publishing, 1999.
■ Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment
Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New
Riders Publishing, 1999.
Conventions
This section describes the conventions used in the text and code examples of this
documentation set. It describes:
■ Conventions in Text
■ Conventions in Code Examples
■ Conventions for Windows Operating Systems
Conventions in Text
We use various conventions in text to help you more quickly identify special terms.
The following table describes those conventions and provides examples of their use.
Convention: Bold
Meaning: Bold typeface indicates terms that are defined in the text or terms that
appear in a glossary, or both.
Example: When you specify this clause, you create an index-organized table.

Convention: Italics
Meaning: Italic typeface indicates book titles or emphasis.
Examples: Oracle Database Concepts
Ensure that the recovery catalog and target database do not reside on the same disk.

Convention: UPPERCASE monospace (fixed-width) font
Meaning: Uppercase monospace typeface indicates elements supplied by the system.
Such elements include parameters, privileges, datatypes, RMAN keywords, SQL
keywords, SQL*Plus or utility commands, packages and methods, as well as
system-supplied column names, database objects and structures, usernames, and
roles.
Examples: You can specify this clause only for a NUMBER column.
You can back up the database by using the BACKUP command.
Query the TABLE_NAME column in the USER_TABLES data dictionary view.
Use the DBMS_STATS.GENERATE_STATS procedure.

Convention: lowercase monospace (fixed-width) font
Meaning: Lowercase monospace typeface indicates executables, filenames, directory
names, and sample user-supplied elements. Such elements include computer and
database names, net service names, and connect identifiers, as well as
user-supplied database objects and structures, column names, packages and
classes, usernames and roles, program units, and parameter values.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase.
Enter these elements as shown.
Examples: Enter sqlplus to open SQL*Plus.
The password is specified in the orapwd file.
Back up the datafiles and control files in the /disk1/oracle/dbs directory.
The department_id, department_name, and location_id columns are in the
hr.departments table.
Set the QUERY_REWRITE_ENABLED initialization parameter to true.
Connect as oe user.
The JRepUtil class implements these methods.

Convention: lowercase italic monospace (fixed-width) font
Meaning: Lowercase italic monospace font represents placeholders or variables.
Examples: You can specify the parallel_clause.
Run Uold_release.SQL where old_release refers to the release you installed
prior to upgrading.
Conventions in Code Examples
Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line
statements. They are displayed in a monospace (fixed-width) font and separated
from normal text as shown in this example:
SELECT username FROM dba_users WHERE username = 'MIGRATE';
The following table describes typographic conventions used in code examples and
provides examples of their use.
Convention: [ ]
Meaning: Brackets enclose one or more optional items. Do not enter the brackets.

Convention: { }
Meaning: Braces enclose two or more items, one of which is required. Do not enter
the braces.

Convention: |
Meaning: A vertical bar represents a choice of two or more options within brackets
or braces. Enter one of the options. Do not enter the vertical bar.

Convention: ...
Meaning: Horizontal ellipsis points indicate either:
■ That we have omitted parts of the code that are not directly related to the
example
■ That you can repeat a portion of the code

Convention:
.
.
.
Meaning: Vertical ellipsis points indicate that we have omitted several lines of
code not directly related to the example.

Convention: Other notation
Meaning: You must enter symbols other than brackets, braces, vertical bars, and
ellipsis points as shown.

Convention: Italics
Meaning: Italicized text indicates placeholders or variables for which you must
supply particular values.

Convention: UPPERCASE
Meaning: Uppercase typeface indicates elements supplied by the system. We show
these terms in uppercase in order to distinguish them from terms you define.
Unless terms appear in brackets, enter them in the order and with the spelling
shown. However, because these terms are not case sensitive, you can enter them
in lowercase.
Examples: SELECT last_name, employee_id FROM employees;
SELECT * FROM USER_TABLES;
DROP TABLE hr.employees;

Convention: lowercase
Meaning: Lowercase typeface indicates programmatic elements that you supply.
For example, lowercase indicates names of tables, columns, or files.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase.
Enter these elements as shown.
Examples: SELECT last_name, employee_id FROM employees;
sqlplus hr/hr
CREATE USER mjones IDENTIFIED BY ty3MU9;
Conventions for Windows Operating Systems
The following table describes conventions for Windows operating systems and
provides examples of their use.
Convention: Choose Start >
Meaning: How to start a program.
Example: To start the Database Configuration Assistant,

Convention: File and directory names
Meaning: File and directory names are not case sensitive. The following special
characters are not allowed: left angle bracket (<), right angle bracket (>),
colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The
special character backslash (\) is treated as an element separator, even when it
appears in quotes. If the file name begins with \\, then Windows assumes it uses
the Universal Naming Convention.
Example: c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32

Convention: C:\>
Meaning: Represents the Windows command prompt of the current hard disk drive.
The escape character in a command prompt is the caret (^). Your prompt reflects
the subdirectory in which you are working. Referred to as the command prompt in
this manual.
Example: C:\oracle\oradata>

Convention: Special characters
Meaning: The backslash (\) special character is sometimes required as an escape
character for the double quotation mark (") special character at the Windows
command prompt. Parentheses and the single quotation mark (') do not require an
escape character. Refer to your Windows operating system documentation for more
information on escape and special characters.

Convention: HOME_NAME
Meaning: Represents the Oracle home name. The home name can be up to 16
alphanumeric characters. The only special character allowed in the home name is
the underscore.

Convention: ORACLE_HOME and ORACLE_BASE
Meaning: In releases prior to Oracle8i release 8.1.3, when you installed Oracle
components, all subdirectories were located under a top level ORACLE_HOME
directory. For Windows NT, the default location was C:\orant.
This release complies with Optimal Flexible Architecture (OFA) guidelines. Not
all subdirectories are under a top level ORACLE_HOME directory. There is a top
level directory called ORACLE_BASE that by default is C:\oracle. If you install
the latest Oracle release on a computer with no other Oracle software installed,
then the default setting for the first Oracle home directory is
C:\oracle\orann, where nn is the latest release number. The Oracle home
directory is located directly under ORACLE_BASE.
All directory path examples in this guide follow OFA conventions.
Refer to Oracle Database Platform Guide for Windows for additional information
about OFA compliance and for information about installing Oracle products in
non-OFA compliant directories.
Example: Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.
Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation
accessible, with good usability, to the disabled community. To that end, our
documentation includes features that make information available to users of
assistive technology. This documentation is available in HTML format, and contains
markup to facilitate access by the disabled community. Standards will continue to
evolve over time, and Oracle is actively engaged with other market-leading
technology vendors to address technical obstacles so that our documentation can be
accessible to all of our customers. For additional information, visit the Oracle
Accessibility Program Web site at
http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
JAWS, a Windows screen reader, may not always correctly read the code examples in
this document. The conventions for writing code require that closing braces should
appear on an otherwise empty line; however, JAWS may not always read a line of
text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or
organizations that Oracle does not own or control. Oracle neither evaluates nor
makes any representations regarding the accessibility of these Web sites.
What's New in Oracle Advanced Security?
This section describes new features of Oracle Advanced Security 10g Release 1
(10.1) and provides pointers to additional information. New features information
from the previous release is also retained to help those users migrating to the
current release.
The following sections describe the new features in Oracle Advanced Security:
■ Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security
■ Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security
Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security
Oracle Advanced Security 10g Release 1 (10.1) includes new features in the
following areas:
■ New Features in Strong Authentication
■ New Features in Enterprise User Security
New Features in Strong Authentication
Oracle Advanced Security provides several strong authentication options, including
support for RADIUS, Kerberos, and PKI (public key infrastructure). This release
provides the following new features for strong authentication:
■ Support for TLS (Transport Layer Security), version 1.0
TLS is an industry-standard protocol which provides effective security for
transactions conducted on the Web. It has been developed by the Internet
Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a
configurable option provided in Oracle Net Manager.
See Also: Chapter 7, "Configuring Secure Sockets Layer
Authentication" for configuration details
■ Support for Hardware Security Modules, including Oracle Wallet Manager
Integration
In this release, Oracle Advanced Security supports hardware security modules
which use APIs that conform to the RSA Security, Inc., Public-Key
Cryptography Standards (PKCS) #11. In addition, it is now possible to create
Oracle Wallets that can store credentials on a hardware security module for
servers, or private keys on tokens for clients. This provides roaming
authentication to the database.
Hardware security modules can be used for the following functions:
– Store cryptographic information, such as private keys, which provides
stronger security
– Perform cryptographic operations to offload RSA operations from the
server, freeing the CPU to respond to other transactions
See Also:
■ "Configuring Your System to Use Hardware Security Modules"
on page 7-48 for configuration details
■ "Creating a Wallet to Store Hardware Security Module
Credentials" on page 8-11
■ CRL (Certificate Revocation Lists) and CRLDP (CRL Distribution Point)
Support for Certificate Validation
In the current release, you now have the option to configure certificate
revocation status checking for both the client and the server. Certificate
revocation status is checked against CRLs which are located in file system
directories, Oracle Internet Directory, or downloaded from the location
specified in the CRL Distribution Point (CRL DP) extension on the certificate.
The orapki utility has also been added for CRL management and for
managing Oracle wallets and certificates.
See Also:
■ "Certificate Validation with Certificate Revocation Lists" on
page 7-35 for details
■ Appendix E, "orapki Utility" for details about orapki
command line utility
New Features in Enterprise User Security
■ Kerberos Authenticated Enterprise Users
Kerberos-based authentication to the database is available for users managed in
an LDAP directory. This includes Oracle Internet Directory or any other
third-party directory that is synchronized to work with Oracle Internet
Directory by using the Directory Integration Platform. To use this feature, all
directory users, including those synchronized from third-party directories, must
include the Kerberos principal name attribute (krbPrincipalName attribute).
See Also: "Configuring Enterprise User Security for Kerberos
Authentication" on page 12-18 for configuration details
■ Public Key Infrastructure (PKI) Credentials No Longer Required for
Database-to-Oracle Internet Directory Connections
In this release, a database can bind to Oracle Internet Directory by using
password/SASL-based authentication, eliminating the overhead of setting up
PKI credentials for the directory and multiple databases. SASL (Simple
Authentication and Security Layer) is a standard defined in the Internet
Engineering Task Force RFC 2222. It is a method for adding authentication
support to connection-based protocols such as LDAP.
See Also: "Configuring Enterprise User Security for Password
Authentication" on page 12-16 for configuration details
■ Support for User Management in Third-Party LDAP Directories
In the current release of Enterprise User Security, you can store and manage
your users and their passwords in third-party LDAP directories. This feature is
made possible with
– Directory Integration Platform, which automatically synchronizes
third-party directories with Oracle Internet Directory, and
– Oracle Database recognition of standard password verifiers, which is also
new in this release.
■ Tool Changes
– New Tool: Enterprise Security Manager Console
The Enterprise Security Manager Console, which is based on the Oracle
Internet Directory Delegated Administration Service (DAS), is new in this
release. Administrators can use this tool to create enterprise users,
enterprise user security groups, and to configure identity management
realm attributes in the directory that relate to Enterprise User Security.
– In this release, Oracle Enterprise Login Assistant functionality has been
migrated to the new Enterprise Security Manager Console and Oracle
Wallet Manager. The following table lists which tool you should now use to
perform tasks that you previously performed by using Oracle Enterprise
Login Assistant:

If you used Oracle Enterprise Login Assistant to...   Then now you should use...
Change the directory-to-database password             Enterprise Security Manager Console
Change an Oracle wallet password                      Oracle Wallet Manager
Enable auto login for an Oracle wallet                Oracle Wallet Manager
See Also: The following sections for information about Enterprise
Security Manager Console and how to use it:
■"Enterprise Security Manager Console Overview" on page 2-22,
which provides a brief introduction to the tool.
■Chapter 13, "Administering Enterprise User Security", which
provides procedural information for using the tool to manage
enterprise users.
Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security
The new features for Oracle Advanced Security in release 2 (9.2) include the
following:
■Support for Advanced Encryption Standard (AES)
AES is a new cryptographic algorithm standard developed to replace Data
Encryption Standard (DES).
See Also:
■"Advanced Encryption Standard" on page 1-6 for a brief
overview of this encryption algorithm
■Chapter 3, "Configuring Network Data Encryption and
Integrity for Oracle Servers and Clients" for configuration
details
■SSL Hardware Accelerator Support
In release 2 (9.2), complex public key cryptographic operations can be off
loaded to hardware accelerators to improve the performance of SSL
transactions.
See Also: "Configuring Your System to Use Hardware Security
Modules" on page 7-48 for configuration details
■New Enterprise User Security Tool: User Migration Utility
This utility enables administrators to perform bulk migrations of database users
to Oracle Internet Directory for centralized user storage and management.
See Also: Appendix G, "Using the User Migration Utility" for
information about this tool and how to use it.
Part I
Getting Started with Oracle Advanced
Security
This part introduces Oracle Advanced Security, describing the security solutions it
provides, its features, and its tools. It contains the following chapters:
■Chapter 1, "Introduction to Oracle Advanced Security"
■Chapter 2, "Configuration and Administration Tools Overview"
1
Introduction to Oracle Advanced Security
This chapter introduces Oracle Advanced Security, summarizing the security risks
it addresses, and describing its features. These features are available to database
and related products that interface with Oracle Net Services, including Oracle
Database, Oracle Application Server, and Oracle Identity Management
infrastructure.
This chapter contains the following topics:
■Security Challenges in an Enterprise Environment
■Solving Security Challenges with Oracle Advanced Security
■Oracle Advanced Security Architecture
■Secure Data Transfer Across Network Protocol Boundaries
■System Requirements
■Oracle Advanced Security Restrictions
Security Challenges in an Enterprise Environment
To increase efficiency and lower costs, companies adopt strategies to automate
business processes. One such strategy is to conduct more business on the Web, but
that requires greater computing power, translating to higher IT costs. In response to
rising IT costs, more and more businesses are considering enterprise grid
computing architectures where inexpensive computers act as one powerful
machine. While such strategies improve the bottom line, they introduce risks, which
are associated with securing data in motion and managing an ever increasing
number of user identities.
This section examines the security challenges of today's enterprise computing
environments in the following topics:
■Security in Enterprise Grid Computing Environments
■Security in an Intranet or Internet Environment
■Common Security Threats
Security in Enterprise Grid Computing Environments
Grid computing is a computing architecture that coordinates large numbers of
servers and storage to act as a single large computer. It provides flexibility, lower
costs, and IT investment protection because inexpensive, off-the-shelf components
can be added to the grid as business needs change. While providing significant
benefits, grid computing environments present unique security requirements
because their computing resources are distributed and often heterogeneous. The
following sections discuss these requirements.
Distributed Environment Security Requirements
Enterprise grid computing pools distributed business computing resources to cost
effectively harness the power of clustered servers and storage. A distributed
environment requires secure network connections. Even more critical in grid
environments, it is necessary to have a uniform definition of "who is a user" and
"what are they allowed to do." Without such uniform definitions, administrators
frequently must assign, manage, and revoke authorizations for every user on
different software applications to protect employee, customer, and partner
information. This is expensive because it takes time, which drives up costs.
Consequently, the cost savings gained with grid computing are lost.
Heterogeneous Environment Security Requirements
Because grid computing environments often grow as business needs change,
computing resources are added over time, resulting in diverse collections of
hardware and software. Such heterogeneous environments require support for
different types of authentication mechanisms which adhere to industry standards.
Without strict adherence to industry standards, integrating heterogeneous
components becomes costly and time consuming. Once again the benefits of grid
computing are squandered when the appropriate infrastructure is not present.
Security in an Intranet or Internet Environment
Oracle databases power the largest and most popular Web sites on the Internet. In
record numbers, organizations throughout the world are deploying distributed
databases and client/server applications based on Oracle Database and Oracle Net
Services. This proliferation of distributed computing is matched by an increase in
the amount of information that organizations place on computers. Employee and
financial records, customer orders, product information, and other sensitive data
have moved from filing cabinets to file structures. The volume of sensitive
information on the Web has thus increased the value of data that can be
compromised.
Common Security Threats
The increased volume of data in distributed, heterogeneous environments exposes
users to a variety of security threats, including the following:
■Eavesdropping and Data Theft
■Data Tampering
■Falsifying User Identities
■Password-Related Threats
Eavesdropping and Data Theft
Over the Internet and in wide area network environments, both public carriers and
private networks route portions of their network through insecure land lines,
vulnerable microwave and satellite links, or a number of servers— exposing
valuable data to interested third parties. In local area network environments within
a building or campus, the potential exists for insiders with access to the physical
wiring to view data not intended for them, and network sniffers can be installed to
eavesdrop on network traffic.
Data Tampering
Distributed environments bring with them the possibility that a malicious third
party can compromise integrity by tampering with data as it moves between sites.
Falsifying User Identities
In a distributed environment, it is more feasible for a user to falsify an identity to
gain access to sensitive information. How can you be sure that user Pat connecting
to Server A from Client B really is user Pat?
Moreover, in distributed environments, malefactors can hijack connections. How
can you be sure that Client B and Server A are what they claim to be? A transaction
that should go from the Personnel system on Server A to the Payroll system on
Server B could be intercepted in transit and re-routed to a terminal masquerading as
Server B.
Password-Related Threats
In large systems, users typically must remember multiple passwords for the
different applications and services that they use. For example, a developer can have
access to a development application on a workstation, a PC for sending e-mail, and
several computers or intranet sites for testing, reporting bugs, and managing
configurations.
Users typically respond to the problem of managing multiple passwords in several
ways:
■They may select easy-to-guess passwords—such as a name, fictional character,
or a word found in a dictionary. All of these passwords are vulnerable to
dictionary attacks.
■They may also choose to standardize passwords so that they are the same on all
machines or web sites. This results in a potentially large exposure in the event
of a compromised password. They can also use passwords with slight
variations that can be easily derived from known passwords.
■Users with complex passwords may write them down where an attacker can
easily find them, or they may just forget them—requiring costly administration
and support efforts.
All of these strategies compromise password secrecy and service availability.
Moreover, administration of multiple user accounts and passwords is complex,
time-consuming, and expensive.
Solving Security Challenges with Oracle Advanced Security
To solve enterprise computing security problems, Oracle Advanced Security
provides industry standards-based data privacy, integrity, authentication, single
sign-on, and access authorization in a variety of ways. For example, you can
configure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data
privacy. Oracle Advanced Security also provides the choice of several strong
authentication methods, including Kerberos, smart cards, and digital certificates.
Oracle Advanced Security provides the following security features:
■Data Encryption
■Strong Authentication
■Enterprise User Security
Data Encryption
Sensitive information that travels over enterprise networks and the Internet can be
protected by encryption algorithms. An encryption algorithm transforms
information into a form that can be deciphered only with the corresponding
decryption key.
Figure 1–1 shows how encryption works to ensure the security of a transaction. For
example, if a manager approves a bonus, this data should be encrypted when sent
over the network to avoid eavesdropping. If all communication between the client,
the database, and the application server is encrypted, then when the manager sends
the bonus amount to the database, it is protected.
Figure 1–1 Encryption
[Diagram: an Oracle client, an Oracle application server and an Oracle database
exchange encrypted data packets across the Internet; the sample ciphertext shown
in the figure is omitted here.]
This section discusses the following topics:
■Supported Encryption Algorithms
■Data Integrity
■Federal Information Processing Standard
Supported Encryption Algorithms
Oracle Advanced Security provides the following encryption algorithms to protect
the privacy of network data transmissions:
■RC4 Encryption
■DES Encryption
■Triple-DES Encryption
■Advanced Encryption Standard
Selecting the network encryption algorithm is a user configuration option,
providing varying levels of security and performance for different types of data
transfers.
Prior versions of Oracle Advanced Security provided three editions: Domestic,
Upgrade, and Export—each with different key lengths. 10g Release 1 (10.1) contains
a complete complement of the available encryption algorithms and key lengths,
previously only available in the Domestic edition. Users deploying prior versions of
the product can obtain the Domestic edition for a specific product release.
Note: The U.S. government has relaxed its export guidelines for
encryption products. Accordingly, Oracle can ship Oracle
Advanced Security with its strongest encryption features to all of its
customers.
RC4 Encryption The RC4 encryption module uses the RSA Security, Inc., RC4
encryption algorithm. Using a secret, randomly-generated key unique to each
session, all network traffic is safeguarded, including all data values, SQL
statements, and stored procedure calls and results. The client, server, or both, can
request or require the use of the encryption module to guarantee that data is
protected. Oracle's optimized implementation provides a high degree of security for
a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption
key lengths of 40 bits, 56 bits, 128 bits, and 256 bits. The 40-bit and 56-bit
lengths exist for compatibility with export-era clients and are within reach of a
brute-force key search; choose 128 bits or more wherever both ends support it.
DES Encryption Oracle Advanced Security implements the U.S. Data Encryption
Standard algorithm (DES) with a standard, optimized 56-bit key encryption
algorithm, and also provides DES40, a 40-bit version, for backward compatibility.
Triple-DES Encryption Oracle Advanced Security also supports Triple-DES encryption
(3DES), which encrypts message data with three passes of the DES algorithm. 3DES
provides a high degree of message security, but with a performance penalty. The
magnitude of penalty depends on the speed of the processor performing the
encryption. 3DES typically takes three times as long to encrypt a data block as
compared with the standard DES algorithm.
3DES is available in two-key and three-key versions, with effective key lengths of
112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block
Chaining (CBC) mode.
Advanced Encryption Standard Approved by the National Institute of Standards and
Technology (NIST) in Federal Information Processing Standards (FIPS) Publication
197, Advanced Encryption Standard (AES) is a new cryptographic algorithm
standard developed to replace DES. AES is a symmetric block cipher that can
process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256
bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three
versions operate in outer-CBC mode.
See Also:
■Chapter 3, "Configuring Network Data Encryption and
Integrity for Oracle Servers and Clients"
■Appendix A, "Data Encryption and Integrity Parameters"
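The client, server, or both sides can accept, request, require or reject network encryption, and the same four-way setting governs data integrity. The following Python model is an added illustration for this guide, not Oracle code: the sqlnet.ora parameter names (SQLNET.ENCRYPTION_*, SQLNET.CRYPTO_CHECKSUM_*), the four levels, the ACCEPTED default and the outcome table follow Chapter 3 and Appendix A of this guide; the tie-break used when both sides list several algorithms (first entry of the client's list that the server also lists) and the handling of an empty intersection are assumptions made for the example, as are the sqlnet.ora fragments, which are constructed.

```python
"""Model of the Oracle Net encryption and integrity negotiation.

Added example for this guide, not Oracle code. Parameter names, levels and
the outcome matrix follow Chapter 3 / Appendix A; the algorithm tie-break
and the empty-intersection rule are assumptions made for the example.
"""

# Documented algorithm names for 10g Release 1, in the order this example
# prefers them when a side does not restrict its list.
ALL_ALGS = {
    "ENCRYPTION": ["AES256", "AES192", "AES128", "3DES168", "3DES112",
                   "RC4_256", "RC4_128", "RC4_56", "RC4_40", "DES", "DES40"],
    "CRYPTO_CHECKSUM": ["SHA1", "MD5"],
}

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def parse_sqlnet(text):
    """Parse KEY = VALUE / KEY = (A, B) lines of a sqlnet.ora fragment into
    {KEY: [values]}. Anything after '#' is a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip().upper() for v in value.strip("()").split(",")]
        params[key.upper()] = [v for v in values if v]
    return params


def negotiate_level(client, server):
    """Outcome of the documented level matrix: OFF, ON or FAIL."""
    if client not in LEVELS or server not in LEVELS:
        raise ValueError(f"unknown level: {client!r}/{server!r}")
    if "REJECTED" in (client, server):
        # REJECTED against REQUIRED is the one combination that fails outright.
        return "FAIL" if "REQUIRED" in (client, server) else "OFF"
    if client == "ACCEPTED" and server == "ACCEPTED":
        return "OFF"          # nobody asked for the service
    return "ON"


def negotiate(client_cfg, server_cfg, service):
    """service is 'ENCRYPTION' or 'CRYPTO_CHECKSUM'.
    Returns (outcome, algorithm); algorithm is None unless outcome is ON."""
    c_level = client_cfg.get(f"SQLNET.{service}_CLIENT", ["ACCEPTED"])[0]
    s_level = server_cfg.get(f"SQLNET.{service}_SERVER", ["ACCEPTED"])[0]
    outcome = negotiate_level(c_level, s_level)
    if outcome != "ON":
        return outcome, None
    # An unset TYPES list means "every supported algorithm" (documented default).
    c_algs = client_cfg.get(f"SQLNET.{service}_TYPES_CLIENT") or ALL_ALGS[service]
    s_algs = server_cfg.get(f"SQLNET.{service}_TYPES_SERVER") or ALL_ALGS[service]
    for alg in c_algs:        # assumption: the client's order wins the tie-break
        if alg in s_algs:
            return "ON", alg
    # Assumption: no common algorithm fails the connection if either side
    # requires the service, otherwise the connection proceeds without it.
    return ("FAIL" if "REQUIRED" in (c_level, s_level) else "OFF"), None


# Constructed sqlnet.ora fragments for the example.
SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""
DEFAULT_CLIENT = "# nothing configured: ACCEPTED, all algorithms\n"
REJECTING_CLIENT = "SQLNET.ENCRYPTION_CLIENT = REJECTED\n"
LEGACY_CLIENT = """
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_40, DES40)   # export-era ciphers only
"""


def summarize(client_text, server_text=SERVER_SQLNET):
    """Outcome of both services for one client profile against the server."""
    client, server = parse_sqlnet(client_text), parse_sqlnet(server_text)
    return {svc: negotiate(client, server, svc) for svc in ALL_ALGS}


if __name__ == "__main__":
    for name, text in [("default", DEFAULT_CLIENT),
                       ("rejecting", REJECTING_CLIENT),
                       ("legacy", LEGACY_CLIENT)]:
        print(f"{name:10s} {summarize(text)}")
```

The point to take from the three profiles: a server set to REQUIRED is what turns a misconfigured or downgraded client into a refused connection rather than a silent plaintext session, and restricting the TYPES list on the server is what keeps a legacy client from negotiating a 40-bit cipher.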
Data Integrity
To ensure the integrity of data packets during transmission, Oracle Advanced
Security can generate a cryptographically secure message digest—using MD5 or
SHA-1 hashing algorithms—and include it with each message sent across a
network.
Data integrity algorithms add little overhead, and protect against the following
attacks:
■Data modification
■Deleted packets
■Replay attacks
Note: SHA-1 is slightly slower than MD5, but produces a larger
message digest, making it more secure against brute-force collision
and inversion attacks. Practical collision attacks on MD5 have since
been published, so prefer SHA-1 when both ends of the connection
support it.
See Also: Chapter 3, "Configuring Network Data Encryption and
Integrity for Oracle Servers and Clients", for information about
MD5 and SHA-1.
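The three attacks listed above (modification, deleted packets, replay) are only detected if the digest is bound to a secret and to the packet's position in the stream. The following Python model is an added example, not Oracle's wire format: it attaches a keyed digest (HMAC over a sequence number plus the payload) to each packet and shows what the receiver reports for each attack. The key is assumed to have been established at connection setup, which is outside the example, and the packets are constructed.

```python
"""Per-packet integrity check modelled on the service described above.

Added example, not Oracle's wire format. A keyed digest over a sequence
number plus the payload lets the receiver tell modification, deletion and
replay apart. The shared key is assumed to come from connection setup.
"""
import hashlib
import hmac
import os

SEQ_BYTES = 4


class IntegrityChannel:
    """One direction of a connection: protect() on the sender, verify() on
    the receiver. Both sides hold the same key and start at sequence 0."""

    def __init__(self, key: bytes, digest: str = "sha1"):
        self.key = key
        self.digest = digest
        self.tag_len = hashlib.new(digest).digest_size
        self.send_seq = 0
        self.recv_seq = 0

    def protect(self, payload: bytes) -> bytes:
        header = self.send_seq.to_bytes(SEQ_BYTES, "big")
        self.send_seq += 1
        tag = hmac.new(self.key, header + payload, self.digest).digest()
        return header + payload + tag

    def verify(self, packet: bytes):
        """Returns (status, payload); payload is None unless status is OK."""
        if len(packet) < SEQ_BYTES + self.tag_len:
            return "MODIFIED", None
        body, tag = packet[:-self.tag_len], packet[-self.tag_len:]
        expected = hmac.new(self.key, body, self.digest).digest()
        if not hmac.compare_digest(tag, expected):
            return "MODIFIED", None           # bit flipped, or tag forged
        seq = int.from_bytes(body[:SEQ_BYTES], "big")
        if seq < self.recv_seq:
            return "REPLAY", None             # this sequence was already accepted
        if seq > self.recv_seq:
            return "DELETED", None            # a packet before it never arrived
        self.recv_seq += 1
        return "OK", body[SEQ_BYTES:]


def simulate(digest="sha1"):
    """Drive one sender/receiver pair through the three attacks the guide
    lists and return the receiver's verdict for each delivery."""
    key = os.urandom(20)
    sender, receiver = IntegrityChannel(key, digest), IntegrityChannel(key, digest)
    # Constructed payloads standing in for Oracle Net packets.
    p0, p1, p2 = (sender.protect(m) for m in
                  (b"UPDATE emp SET bonus=500", b"WHERE id=42", b"COMMIT"))
    # Attacker rewrites the predicate in p1 but cannot recompute the tag.
    tampered = p1[:SEQ_BYTES] + b"WHERE id=99" + p1[SEQ_BYTES + len(b"WHERE id=42"):]
    deliveries = [p0, tampered, p2, p1, p2, p0]
    return [receiver.verify(pkt)[0] for pkt in deliveries]


if __name__ == "__main__":
    print(simulate())
```

The receiver's verdicts for the six deliveries are OK, MODIFIED, DELETED (p2 arrived before p1), OK, OK and REPLAY. Without the sequence number the last two attacks would be invisible: an unkeyed digest alone, as the name "message digest" might suggest, detects none of the three, because an attacker who can alter the packet can recompute a plain hash.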
Federal Information Processing Standard
Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal
Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This
provides independent confirmation that Oracle Advanced Security conforms to
federal government standards. FIPS configuration settings are described by
Appendix D, "Oracle Advanced Security FIPS 140-1 Settings".
Strong Authentication
Authentication is used to prove the identity of the user. Authenticating user identity
is imperative in distributed environments, without which there can be little
confidence in network security. Passwords are the most common means of
authentication. Oracle Advanced Security enables strong authentication with Oracle
authentication adapters that support various third-party authentication services,
including SSL with digital certificates.
Figure 1–2 shows user authentication with an Oracle database configured to use a
third-party authentication server. Having a central facility to authenticate all
members of the network (clients to servers, servers to servers, users to both clients
and servers) is one effective way to address the threat of network nodes falsifying
their identities.
Figure 1–2 Strong Authentication with Oracle Authentication Adapters
[Diagram: a client, an authentication server and a database connected over an
intranet.]
This section contains the following topics:
■Centralized Authentication and Single Sign-On
■Supported Authentication Methods
Centralized Authentication and Single Sign-On
Centralized authentication also provides the benefit of single sign-on (SSO) for
users. Single sign-on enables users to access multiple accounts and applications
with a single password. A user only needs to log on once and can then
automatically connect to any other service without having to give a username and
password again. Single sign-on eliminates the need for the user to remember and
administer multiple passwords, reducing the time spent logging into multiple
services.
How Centralized Network Authentication Works Figure 1–3 shows how a centralized
network authentication service typically operates:
Figure 1–3 How a Network Authentication Service Authenticates a User
[Diagram: the user, the authentication server and the Oracle server; the numbered
arrows 1 through 6 correspond to the steps below.]
1. A user (client) requests authentication services and provides identifying
information, such as a token or password.
2. The authentication server validates the user's identity and passes a ticket or
credentials back to the client, which may include an expiration time.
3. The client passes these credentials to the Oracle server concurrent with a service
request, such as connection to a database.
4. The server sends the credentials back to the authentication server for
authentication.
5. If the authentication server accepts the credentials, then it notifies the Oracle
Server, and the user is authenticated.
6. If the authentication server does not accept the credentials, then authentication
fails, and the service request is denied.
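The six steps above can be run end to end in a small model. The following Python is an added example for this guide, not Oracle's or Kerberos's protocol: it keeps the roles and message order of Figure 1–3 (client to authentication server, ticket back to the client, ticket to the Oracle server, Oracle server back to the authentication server for the verdict) and shows why the ticket carries an expiration time and why the Oracle server hands it back rather than trusting it. The ticket key, ticket layout, lifetime, enrolled user, password and clock values are all constructed for the example.

```python
"""Model of the six-step centralized authentication exchange above.

Added example, not Oracle's or Kerberos's protocol. Ticket layout,
lifetime, user, password and clock values are constructed.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 300          # seconds; an assumption for the example
TAG_LEN = 32                   # bytes of HMAC-SHA256 appended to the ticket


class AuthenticationServer:
    """Steps 1-2: verify the password and issue a ticket.
    Steps 4-6: check a ticket the Oracle server hands back."""

    def __init__(self):
        self._ticket_key = os.urandom(32)    # known only to this server
        self._users = {}

    def enroll(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def _check_password(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def issue_ticket(self, user, password, now):
        """Step 2: a ticket naming the user and its expiry, or None."""
        if not self._check_password(user, password):
            return None
        body = json.dumps({"user": user, "expires": now + TICKET_LIFETIME},
                          sort_keys=True).encode()
        return body + hmac.new(self._ticket_key, body, "sha256").digest()

    def validate(self, ticket, now):
        """Steps 5-6: accept only an untampered, unexpired ticket."""
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self._ticket_key, body, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # forged or altered ticket
        fields = json.loads(body)
        if fields["expires"] <= now:
            return None                    # ticket has expired
        return fields["user"]


class OracleServer:
    """Steps 3-6: never judges the ticket itself; asks the authentication
    server, which alone holds the ticket key."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def connect(self, ticket, now):
        user = self.auth_server.validate(ticket, now) if ticket else None
        return f"AUTHENTICATED as {user}" if user else "DENIED"


def run_flow(user, password, issue_time, connect_time, tamper_to=None):
    """Whole exchange as seen from the client; returns the Oracle server's
    verdict. tamper_to simulates a client rewriting the user in its ticket."""
    auth = AuthenticationServer()
    auth.enroll("pat", "correct horse battery staple")     # constructed user
    db = OracleServer(auth)
    ticket = auth.issue_ticket(user, password, issue_time)  # steps 1-2
    if ticket and tamper_to:
        ticket = ticket.replace(f'"user": "{user}"'.encode(),
                                f'"user": "{tamper_to}"'.encode())
    return db.connect(ticket, connect_time)                 # steps 3-6


if __name__ == "__main__":
    print(run_flow("pat", "correct horse battery staple", 1000, 1010))
    print(run_flow("pat", "wrong", 1000, 1010))
    print(run_flow("pat", "correct horse battery staple", 1000, 1400))
    print(run_flow("pat", "correct horse battery staple", 1000, 1010, "admin"))
```

The four runs answer the "is user Pat really Pat" question from the section above: only the first is authenticated; a wrong password yields no ticket, a ticket presented after its expiration time is refused, and a ticket whose user field has been rewritten fails the keyed check because the client never had the ticket key.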
Supported Authentication Methods
Oracle Advanced Security supports the following industry-standard authentication
methods:
■Kerberos
■RADIUS (Remote Authentication Dial-In User Service)
■DCE (Distributed Computing Environment)
■Secure Sockets Layer (with digital certificates)
■Entrust/PKI
Kerberos Oracle Advanced Security support for Kerberos provides the benefits of
single sign-on and centralized authentication of Oracle users. Kerberos is a trusted
third-party authentication system that relies on shared secrets. It presumes that the
third party is secure, and provides single sign-on capabilities, centralized password
storage, database link authentication, and enhanced PC security. It does this
through a Kerberos authentication server. See Chapter 6, "Configuring Kerberos
Authentication" for information about configuring and using this adapter.
Note: Oracle authentication for Kerberos provides database link
authentication (also called proxy authentication). Kerberos is also
an authentication method that is supported with Enterprise User
Security.
RADIUS (Remote Authentication Dial-In User Service) RADIUS is a client/server security
protocol that is most widely known for enabling remote authentication and access.
Oracle Advanced Security uses this standard in a client/server network
environment to enable use of any authentication method that supports the RADIUS
protocol. RADIUS can be used with a variety of authentication mechanisms,
including token cards and smart cards. See Chapter 5, "Configuring RADIUS
Authentication" for information about configuring and using this adapter.
■Smart Cards
A RADIUS-compliant smart card is a credit card-like hardware device. It has
memory and a processor and is read by a smart card reader located at the client
workstation.
■Token Cards
Token cards (SecurID or RADIUS-compliant) can improve ease of use through
several different mechanisms. Some token cards dynamically display one-time
passwords that are synchronized with an authentication service. The server can
verify the password provided by the token card at any given time by contacting
the authentication service. Other token cards have a keypad and operate on a
challenge-response basis. In this case, the server offers a challenge (a number)
that the user enters into a token card. The token card provides a response
(another number cryptographically derived from the challenge) that the user
enters and sends to the server.
You can use SecurID tokens through the RADIUS adapter.
DCE (Distributed Computing Environment) DCE is a set of integrated network services
that works across multiple systems to provide a distributed environment. Oracle
DCE Integration consists of the following two components:
■DCE Communication/Security
■DCE Cell Directory services Native Naming
Oracle DCE Integration provides applications the flexibility to have different levels
of integration with DCE services. Depending on the need, applications can choose
to integrate very tightly with the DCE services or choose to plug in the other
security authentication services provided by Oracle Advanced Security. See
Chapter 10, "Configuring Oracle DCE Integration" for information about
configuring and using this adapter.
Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for
securing network connections. SSL provides authentication, data encryption, and
data integrity.
SSL authentication is built on a public key infrastructure (PKI). For
authentication, SSL uses digital certificates that comply with the X.509v3 standard,
together with a public and private key pair.
Oracle Advanced Security SSL can be used to secure communications between any
client and any server. You can configure SSL to provide authentication for the server
only, the client only, or both client and server. You can also configure SSL features in
combination with other authentication methods supported by Oracle Advanced
Security (database usernames and passwords, RADIUS, and Kerberos).
To support your PKI implementation, Oracle Advanced Security includes the
following features in addition to SSL:
■Oracle wallets, where you can store PKI credentials
■Oracle Wallet Manager, which you can use to manage your Oracle wallets
■Certificate validation with certificate revocation lists (CRLs)
See Also:
■Chapter 7 for conceptual, configuration, and usage information about
SSL, certificate validation, and hardware security modules.
■Chapter 8, "Using Oracle Wallet Manager" for information
about using this tool to manage Oracle wallets.
■Chapter 9, "Configuring Multiple Authentication Methods and
Disabling Oracle Advanced Security" for information about
configuring SSL in combination with other authentication
methods.
Entrust/PKI Oracle Advanced Security supports the public key infrastructure
provided by the Entrust/PKI software from Entrust Technologies, Inc.
Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust
single sign-on into their Oracle applications, and it lets Oracle users incorporate
Entrust-based single sign-on into Oracle applications. See Appendix F,
"Entrust-Enabled SSL Authentication" for more information about this feature.
Enterprise User Security
Enterprise user management is provided by the Enterprise User Security feature of
Oracle Advanced Security. Enterprise User Security enables storing database users
and their corresponding administrative and security information in a centralized
directory server.
Figure 1–4 shows how a directory server can be used to provide centralized storage
and management of user account, user role, and authentication information.
1. A database server authenticates a user by accessing information stored in the
directory.
2. - 4. Once authenticated, a user can access the databases, which are configured
for enterprise user security.
Figure 1–4 Centralized User Management with Enterprise User Security
[Diagram: a client and several databases on an intranet, with an LDAP-compliant
directory server that stores user account, password, and role information; the
numbered arrows 1 through 4 correspond to the steps above.]
This centralized configuration enables the administrator to modify information in
one location, the directory. It also lowers the cost of administration and makes the
enterprise more secure because there is only one set of user information to manage
and track.
Enterprise User Security supports the following authentication methods:
■Passwords
■Kerberos
■Secure Sockets Layer (SSL) with digital certificates
See Also: For detailed discussions of Enterprise User Security
concepts, configuration, and management, refer to the following
chapters in this manual:
■Chapter 11, "Getting Started with Enterprise User Security"
■Chapter 12, "Enterprise User Security Configuration Tasks and
Troubleshooting"
■Chapter 13, "Administering Enterprise User Security"
Oracle Advanced Security Architecture
Oracle Advanced Security complements an Oracle server or client installation with
advanced security features. Figure 1–5 shows the Oracle Advanced Security
architecture within an Oracle networking environment.
Figure 1–5 Oracle Advanced Security in an Oracle Networking Environment
[Diagram of the client-side stack: Client Application, OCI, Two-Task Common and
Oracle Net; below them Oracle Advanced Security, with Encryption (AES, DES, RSA,
3DES), Data Integrity (MD5, SHA), Authentication (Kerberos, RADIUS, DCE) and the
SSL Libraries; then the Oracle protocol adapters (TCP/IP Adapter, SSL Adapter,
SPX/IPX Adapter) and the network-specific protocols (TCP/IP, SPX/IPX) to the
network.]
Oracle Advanced Security supports authentication through adapters that are
similar to the existing Oracle protocol adapters. As shown in Figure 1–6,
authentication adapters integrate below the Oracle Net interface and let existing
applications take advantage of new authentication systems transparently, without
any changes to the application.
Figure 1–6 Oracle Net with Authentication Adapters
[Diagram: Oracle Forms and Oracle Reports, third-party tools and 3GL tools call
the Oracle Call Interface on top of Oracle Net; below Oracle Net, the Oracle
Advanced Security authentication adapters (Kerberos Adapter, SSL Adapter, DCE
Adapter, RADIUS Adapter) connect to their respective services and to the Oracle
server.]
See Also: Oracle Net Services Administrator's Guide, for more
information about stack communications in an Oracle networking
environment
Secure Data Transfer Across Network Protocol Boundaries
Oracle Advanced Security is fully supported by Oracle Connection Manager,
making secure data transfer a reality across network protocol boundaries. Clients
using LAN protocols such as NetWare (SPX/IPX), for example, can securely share
data with large servers using different network protocols such as LU6.2, TCP/IP, or
DECnet. To eliminate potential weak points in the network infrastructure and to
maximize performance, Connection Manager passes encrypted data from protocol
to protocol without the cost and exposure of decryption and re-encryption.
System Requirements
Oracle Advanced Security is an add-on product bundled with the Oracle Net Server
or Oracle Net Client. It must be purchased and installed on both the client and the
server.
Oracle Advanced Security 10g Release 1 (10.1) requires Oracle Net 10g Release 1
(10.1) and supports Oracle Database Enterprise Edition. Table 1–1 lists additional
system requirements.
Note: Oracle Advanced Security is not available with Oracle
Database Standard Edition.
Table 1–1 Authentication Methods and System Requirements
Authentication Method    System Requirements
Kerberos
■MIT Kerberos Version 5, release 1.1
■The Kerberos authentication server must be installed on a
physically secure machine.
RADIUS
■A RADIUS server that is compliant with the standards in
the Internet Engineering Task Force (IETF) RFC #2138,
Remote Authentication Dial In User Service (RADIUS) and
RFC #2139 RADIUS Accounting.
■To enable challenge-response authentication, you must
run RADIUS on an operating system that supports the
Java Native Interface as specified in release 1.1 of the Java
Development Kit from JavaSoft.
SSL
■A wallet that is compatible with the Oracle Wallet
Manager version 10g. Wallets created in earlier releases of
the Oracle Wallet Manager are not forward compatible.
Entrust/PKI
■Entrust IPSEC Negotiator Toolkit Release 6.0
■Entrust/PKI 6.0
Oracle Advanced Security Restrictions
Oracle Applications support Oracle Advanced Security encryption and data
integrity. However, because Oracle Advanced Security requires Oracle Net Services
to transmit data securely, Oracle Advanced Security external authentication features
are not supported by some parts of Oracle Financial, Human Resource, and
Manufacturing Applications when they are running on Microsoft Windows. The
portions of these products that use Oracle Display Manager (ODM) do not take
advantage of Oracle Advanced Security, since ODM does not use Oracle Net
Services.
2
Configuration and Administration Tools Overview
Configuring advanced security features for an Oracle database includes configuring
encryption, integrity (checksumming), and strong authentication methods for
Oracle Net Services. Strong authentication method configuration can include
third-party software, as is the case for Kerberos or RADIUS, or it may entail
configuring and managing a public key infrastructure, as is required for Secure
Sockets Layer (SSL). In addition, an Oracle database can be configured to
interoperate with an LDAP directory, such as Oracle Internet Directory, to enable
Enterprise User Security, a feature that enables you to store and manage database
users in a centralized directory.
Such diverse advanced security features require a diverse set of tools with which to
configure and administer them. This chapter introduces the tools used to configure
and administer advanced security features for an Oracle database in the following
topics:
■Network Encryption and Strong Authentication Configuration Tools
■Enterprise User Security Configuration and Management Tools
■Duties of a Security Administrator/DBA
■Duties of an Enterprise User Security Administrator/DBA
Network Encryption and Strong Authentication Configuration Tools
Oracle Net Services can be configured to encrypt data using standard encryption
algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and
SSL. The following sections introduce the Oracle tools you can use to configure
these advanced security features for an Oracle Database:
Oracle Net Manager
Oracle Net Manager is a graphical user interface tool, primarily used to configure
Oracle Net Services for an Oracle home on a local client or server host.
Although you can use Oracle Net Manager to configure Oracle Net Services, such as
naming, listeners, and general network settings, it also enables you to configure the
following Oracle Advanced Security features, which use the Oracle Net protocol:
■Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
■Network encryption (RC4, DES, Triple-DES, and AES)
■Checksumming for data integrity (MD5, SHA-1)
This section introduces you to the features of Oracle Net Manager that are used to
configure Oracle Advanced Security. It contains the following topics:
■Starting Oracle Net Manager
■Navigating to the Oracle Advanced Security Profile
See Also:
■"Duties of a Security Administrator/DBA" on page 2-34 for
information about the tasks you can perform with this tool that
configure advanced security features.
■Oracle Net Services Administrator's Guide and Oracle Net
Manager online help for complete documentation of this tool.
Starting Oracle Net Manager
You can start Oracle Net Manager by using Oracle Enterprise Manager Console or
as a standalone application. However, you must use the standalone application to
access the Oracle Advanced Security Profile where you can configure Oracle
Advanced Security features.
Navigating to the Oracle Advanced Security Profile
The Oracle Net Manager interface window contains two panes: the navigator pane
and the right pane, which displays the property sheets that enable you to
configure network components. When you select a network object in the navigator
pane, its associated property sheets are displayed in the right pane. To configure
Oracle Advanced Security features, choose the Profile object in the navigator pane,
and then select Oracle Advanced Security from the list in the right pane, as shown in
Figure 2–1.
Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager
Oracle Advanced Security Profile Property Sheets
The Oracle Advanced Security Profile contains the following property sheets, which
are described in the following sections:
Authentication Property Sheet Use this property sheet to select a strong authentication
method, such as Kerberos Version 5 (KERBEROS5), Windows NT native
authentication (NTS), or RADIUS.
Other Params Property Sheet Use this property sheet to set other parameters for the
authentication method you selected on the Authentication property sheet.
Integrity Property Sheet Use this property sheet to enable checksumming on the client
or the server and to select the checksum algorithm (MD5 or SHA-1) that is used to
generate the message digests that protect data integrity.
Encryption Property Sheet Use this property sheet to select one or more native
encryption algorithms (RC4, DES, Triple-DES, or AES) to encrypt client or server
connections, and whether encryption is accepted, requested, or required.
SSL Property Sheet Use this property sheet to configure Secure Sockets Layer (SSL),
including the wallet location and cipher suite, on a client or server.
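Oracle Net Manager records the choices made on these property sheets as SQLNET.* parameters in the sqlnet.ora file of the Oracle home, so a profile can also be reviewed without the GUI. The following script is an added example, not code from this guide or from Oracle: it parses a sqlnet.ora fragment and reports the settings a security review would flag, namely any mode other than REQUIRED (ACCEPTED, REQUESTED and REJECTED all let a session proceed without the service), the weak entries on the algorithm list above (RC4_40, RC4_56, DES, DES40, and MD5 are all considered broken or undersized today), an unset TYPES list (which makes every installed algorithm negotiable), and an authentication service list that names no strong adapter. The parameter names are the real sqlnet.ora names; the policy thresholds and the two sample files are assumptions constructed for the example.

```python
"""Audit the Oracle Advanced Security parameters that Oracle Net Manager
writes to sqlnet.ora.  Added example, not Oracle code: the parameter names
are the real sqlnet.ora names; the policy and the sample files are
assumptions constructed for this example."""
import re
from typing import Dict, List

# Parameters written by the Encryption, Integrity and Authentication property
# sheets.  Only the server side is audited here (assumption); the client side
# uses the same names with _CLIENT.
ENCRYPTION_MODE = "SQLNET.ENCRYPTION_SERVER"
ENCRYPTION_TYPES = "SQLNET.ENCRYPTION_TYPES_SERVER"
CHECKSUM_MODE = "SQLNET.CRYPTO_CHECKSUM_SERVER"
CHECKSUM_TYPES = "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"
AUTH_SERVICES = "SQLNET.AUTHENTICATION_SERVICES"

# Policy (assumption): 40/56-bit RC4 and single DES are undersized, MD5 is
# broken, and REQUIRED is the only mode that never falls back to cleartext.
WEAK_ENCRYPTION = {"RC4_40", "RC4_56", "DES", "DES40"}
WEAK_CHECKSUM = {"MD5"}          # SHA1 is the only other 10g option, so it passes
ACCEPTABLE_MODE = {"REQUIRED"}

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Return {PARAM: [values]} for 'NAME = value' and 'NAME = (v1, v2)' lines."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]               # drop trailing comments
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2).strip().strip("()")
        params[name] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return params


def audit(params: Dict[str, List[str]]) -> List[str]:
    """Return the list of findings; an empty list means the profile meets the policy."""
    findings: List[str] = []
    for mode_key, types_key, weak in (
        (ENCRYPTION_MODE, ENCRYPTION_TYPES, WEAK_ENCRYPTION),
        (CHECKSUM_MODE, CHECKSUM_TYPES, WEAK_CHECKSUM),
    ):
        mode = params.get(mode_key, ["ACCEPTED"])[0]   # Oracle's default is ACCEPTED
        if mode not in ACCEPTABLE_MODE:
            findings.append(f"{mode_key}={mode}: session may proceed without the service")
        types = params.get(types_key)
        if types is None:                              # unset means all installed algorithms
            findings.append(f"{types_key} not set: every installed algorithm is negotiable")
        else:
            findings.extend(f"{types_key} allows weak algorithm {a}" for a in types if a in weak)
    # NONE means no external adapter; anything else (KERBEROS5, RADIUS, TCPS, NTS) is one.
    adapters = [a for a in params.get(AUTH_SERVICES, []) if a != "NONE"]
    if not adapters:
        findings.append(f"{AUTH_SERVICES} names no strong authentication adapter")
    return findings


# Constructed sample profiles (assumptions, not taken from any real system).
WEAK_SQLNET_ORA = """
# generated by Oracle Net Manager
SQLNET.AUTHENTICATION_SERVICES = (NONE)
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""
HARDENED_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(label, audit(parse_sqlnet(text)) or ["OK"])
```

Run the script against a real $ORACLE_HOME/network/admin/sqlnet.ora by reading the file into `parse_sqlnet`; the weak sample produces six findings and the hardened one none. Note that the server and client profiles negotiate independently, so both sides must be REQUIRED for the service to be guaranteed.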
Kerberos Adapter Command-Line Utilities
The Oracle Advanced Security Kerberos adapter provides three command-line
utilities that enable you to obtain, cache, display, and remove Kerberos credentials.
The following table briefly describes these utilities:
Utility Name   Description
okinit         Obtains Kerberos tickets from the key distribution center (KDC) and
               caches them in the user's credential cache
oklist         Displays a list of Kerberos tickets in the specified credential cache
okdstry        Removes Kerberos credentials from the specified credential cache
See Also: "Utilities for the Kerberos Authentication Adapter" on
page 6-11 for complete descriptions of these utilities, their syntax,
and available options.
Public Key Infrastructure Credentials Management Tools
The security provided by a public key infrastructure (PKI) depends on how
effectively you store, manage, and validate your PKI credentials. The following
Oracle tools are used to manage certificates, wallets, and certificate revocation lists
so your PKI credentials can be stored securely and your certificate validation
mechanisms kept current:
■Oracle Wallet Manager
■orapki Utility
Oracle Wallet Manager
Oracle Wallet Manager is an application that wallet owners and security
administrators use to manage and edit the security credentials in their Oracle
wallets. A wallet is a password-protected container that is used to store
authentication and signing credentials, including private keys, certificates, and
trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform
the following tasks:
■Create public and private key pairs
■Generate certificate requests
■Upload and download wallets to and from an LDAP directory
■Create wallets to store hardware security module credentials
■Store and manage user credentials
■Store and manage certificate authority certificates (root key certificate and
certificate chain)
The following topics introduce the Oracle Wallet Manager user interface:
■Starting Oracle Wallet Manager
■Navigating the Oracle Wallet Manager User Interface
■Toolbar
■Menus
See Also: Chapter 8, "Using Oracle Wallet Manager" for detailed
Navigating the Oracle Wallet Manager User Interface
The Oracle Wallet Manager interface includes two panes, a toolbar, and various
menu items as shown in Figure 2–2.
Figure 2–2 Oracle Wallet Manager User Interface
Navigator Pane The navigator pane provides a graphical tree view of the certificate
requests and certificates stored in the Oracle home where Oracle Wallet Manager is
installed. You can use the navigator pane to view, modify, add, or delete certificates
and certificate requests.
The navigator pane functions the same way as it does in other Oracle graphical user
interface tools, enabling you to
■Expand and contract wallet objects so that you can manage the user and trusted
certificates they contain.
■Right-click a wallet, certificate, or certificate request to perform operations on it
such as add, remove, import, or export.
When you expand a wallet, you see a nested list of user and trusted certificates.
When you select a wallet or certificate in the navigator pane, details about your
selection display in the adjacent right pane of Oracle Wallet Manager. Table 2–1 lists
the main objects that display in the navigator pane.
Table 2–1 Oracle Wallet Manager Navigator Pane Objects
Object                 Description
Wallet                 Password-protected container that is used to store
                       authentication and signing credentials
Certificate Request¹   A PKCS #10-encoded message containing the requester's
                       distinguished name (DN), a public key, the key size, and key
                       type. See also certificate request.
Certificate¹           An X.509 data structure containing the entity's DN and public
                       key, signed by a trusted identity (certificate authority). See
                       certificate.
Trusted Certificates¹  Sometimes called a root key certificate; a certificate from a
                       third-party identity that is qualified with a level of trust. See
                       trusted certificate.
¹ These objects display only after you create a wallet, generate a certificate request, and import a
certificate into the wallet.
Right Pane The right pane displays information about an object that is selected in the
navigator pane. The right pane is read-only.
Figure 2–3 shows what is displayed in the right pane when a certificate request
object is selected in the navigator pane. Information about the request and the
requester's identity is displayed in the Requested Identity, Key Size, and Key Type
fields. The PKCS #10-encoded certificate request is displayed in the Certificate Request
text box. To request a certificate from a certificate authority, you can copy this
request into an e-mail or export it into a file.
Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane
Toolbar
The toolbar contains buttons that enable you to manage your wallets. Move the
mouse cursor over a toolbar button to display a description of the button's function.
The toolbar buttons are listed and described in Table 2–2.
Table 2–2 Oracle Wallet Manager Toolbar Buttons
Toolbar Button  Description
New             Creates a new wallet
Open Wallet     Enables you to browse your file system to locate and open an
                existing wallet
Save Wallet     Saves the currently open wallet
Delete Wallet   Deletes the wallet currently selected in the navigator pane
Help            Opens the Oracle Wallet Manager online help
Menus
You use Oracle Wallet Manager menus to manage your wallets and the credentials
they contain. The following sections describe the options that are available under
each menu.
Wallet Menu Table 2–3 describes the contents of the Wallet menu.
Table 2–3 Oracle Wallet Manager Wallet Menu Options
Option                               Description
New                                  Creates a new wallet
Open                                 Opens an existing wallet
Close                                Closes the currently open wallet
Upload Into The Directory Service    Uploads a wallet to a specified LDAP directory server. You
                                     must supply a directory password, hostname, and port
                                     information.
Download From The Directory Service  Downloads a wallet from a specified LDAP directory server.
                                     You must supply a directory password, hostname, and port
                                     information.
Save                                 Saves the currently open wallet in the current working
                                     directory.
Save As                              Enables you to browse your file system to choose a directory
                                     location in which to save the currently open wallet.
Save In System Default               Saves the currently open wallet in the system default location:
                                     ■(UNIX) /etc/ORACLE/WALLETS/<username>
                                     ■(Windows) %USERPROFILE%\<username>
Delete                               Deletes the wallet in the current working directory. You must
Change Password                      Changes the password for the currently open wallet. You must
                                     supply the old password before you can create a new one.
Auto Login                           Sets the auto login feature for the currently open wallet. See
                                     auto login wallet. An auto login wallet can be opened without
                                     its password by any process running as the operating system
                                     user that owns it, so restrict its file permissions accordingly.
Exit                                 Exits the Oracle Wallet Manager application
Operations Menu Table 2–4 describes the contents of the Operations menu.
Table 2–4 Oracle Wallet Manager Operations Menu Options
Option                          Description
Add Certificate Request         Generates a certificate request for the currently open wallet
                                that you can use to request a certificate from a certificate
                                authority (CA).
Import User Certificate         Imports the user certificate issued to you from the CA. You
                                must import the issuing CA's certificate as a trusted certificate
                                before you can import the user certificate.
Import Trusted Certificate      Imports the CA's trusted certificate.
Remove Certificate Request      Deletes the certificate request in the currently open wallet. You
                                must remove the associated user certificate before you can
                                delete a certificate request.
Remove User Certificate         Deletes the user certificate from the currently open wallet.
Remove Trusted Certificate      Removes the trusted certificate that is selected in the navigator
                                pane from the currently open wallet. You must remove all user
                                certificates that the trusted certificate signs before you can
                                remove it.
Export User Certificate         Exports the user certificate in the currently open wallet to save
                                in a file system directory.
Export Certificate Request      Exports the certificate request in the currently open wallet to
                                save in a file.
Export Trusted Certificate      Exports the trusted certificate that is selected in the navigator
                                pane to save in another location in your file system.
Export All Trusted Certificates Exports all trusted certificates in the currently open wallet to
                                save in another location in your file system.
Export Wallet                   Exports the currently open wallet to save as a text file.
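Table 2–1 describes what a certificate request carries (DN, public key, key size, key type) and Table 2–4 the order in which Oracle Wallet Manager lets you import certificates: the issuing CA's certificate must already be trusted before the user certificate it signed is accepted. The following program is an added example, not Oracle code, that models both with the third-party cryptography package. A toy in-memory Wallet class (an assumption, not Oracle's wallet format) generates a key pair and a PKCS #10 request, reports the three fields the right pane shows, and refuses a user certificate whose issuer is not yet trusted, whose signature does not verify against the trusted CA's key even when the issuer DN matches, or that certifies some other key. The DNs, key sizes and the miniature CA are constructed for the example.

```python
"""Model of the import checks described for Oracle Wallet Manager.
Added example, not Oracle code: uses the 'cryptography' package; the Wallet
class, DNs, key sizes and the miniature CA are assumptions."""
import datetime
from typing import Dict, List, Optional, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Acme")])


class Wallet:
    """Toy in-memory wallet: one key pair, one request, user and trusted certificates."""

    def __init__(self, key_size: int = 2048) -> None:
        self.key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
        self.request: Optional[x509.CertificateSigningRequest] = None
        self.user_certs: List[x509.Certificate] = []
        self.trusted: Dict[x509.Name, x509.Certificate] = {}   # keyed by subject DN

    def add_certificate_request(self, dn: x509.Name) -> x509.CertificateSigningRequest:
        """Operations > Add Certificate Request: a PKCS #10 request for the wallet key."""
        self.request = (x509.CertificateSigningRequestBuilder()
                        .subject_name(dn).sign(self.key, hashes.SHA256()))
        return self.request

    def request_summary(self) -> Tuple[str, int, str]:
        """The fields the right pane shows: Requested Identity, Key Size, Key Type."""
        assert self.request is not None
        return (self.request.subject.rfc4514_string(),
                self.request.public_key().key_size, "RSA")

    def import_trusted_certificate(self, cert: x509.Certificate) -> None:
        self.trusted[cert.subject] = cert

    def import_user_certificate(self, cert: x509.Certificate) -> None:
        """Accept only a certificate issued by an already-trusted CA for our own key."""
        issuer = self.trusted.get(cert.issuer)
        if issuer is None:
            raise ValueError("issuing CA is not a trusted certificate in this wallet")
        try:   # the DN match alone proves nothing; the signature must verify
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            raise ValueError("certificate was not signed by the trusted CA") from None
        if cert.public_key().public_numbers() != self.key.public_key().public_numbers():
            raise ValueError("certificate public key does not match the wallet key pair")
        self.user_certs.append(cert)


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def self_signed_ca(name: x509.Name, key) -> x509.Certificate:
    """Miniature CA root (assumption for the example)."""
    return (_builder(name, name, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))


def sign_request(csr, ca_key, ca_name, days: int = 365) -> x509.Certificate:
    """Issue a user certificate for a PKCS #10 request."""
    return _builder(csr.subject, ca_name, csr.public_key(), days).sign(ca_key, hashes.SHA256())


def demo() -> Tuple[bool, bool, int]:
    """Returns (refused before CA trusted, refused forged cert, user certs after correct order)."""
    good_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    good_ca = self_signed_ca(make_name("Acme Root CA"), good_key)
    rogue_ca = self_signed_ca(make_name("Acme Root CA"), rogue_key)  # same DN, other key

    w = Wallet()
    csr = w.add_certificate_request(make_name("db1.us.acme.com"))
    user_cert = sign_request(csr, good_key, good_ca.subject)
    forged = sign_request(csr, rogue_key, rogue_ca.subject)

    refused_untrusted = False
    try:
        w.import_user_certificate(user_cert)      # wrong order: CA not trusted yet
    except ValueError:
        refused_untrusted = True
    w.import_trusted_certificate(good_ca)
    refused_forged = False
    try:
        w.import_user_certificate(forged)         # issuer DN matches, signature does not
    except ValueError:
        refused_forged = True
    w.import_user_certificate(user_cert)          # correct sequence
    return refused_untrusted, refused_forged, len(w.user_certs)


if __name__ == "__main__":
    print(demo())
```

The rogue CA case is the one worth remembering: a trusted-certificate store keyed by DN is only as good as the signature check behind it, which is why the wallet verifies the CA's signature rather than just matching the issuer name.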
Help Menu Table 2–5 describes the contents of the Help menu.
Table 2–5 Oracle Wallet Manager Help Menu Options
Option                       Description
Contents                     Opens Oracle Wallet Manager online help.
Search for Help on           Opens Oracle Wallet Manager online help and displays the
                             Search tab.
About Oracle Wallet Manager  Opens a window that displays the Oracle Wallet Manager
                             version number and copyright information.
orapki Utility
The orapki utility is a command line tool that you can use to manage certificate
revocation lists (CRLs), create and manage Oracle wallets, and to create signed
certificates for testing purposes.
For example, the following command lists all CRLs in the CRL subtree in an
instance of Oracle Internet Directory that is installed on machine1.us.acme.com
and that uses port 389:
orapki crl list -ldap machine1.us.acme.com:389
See Also:
■"Certificate Revocation List Management" on page 7-40 for
information about how to use orapki to manage CRLs in the
directory.
■Appendix E, "orapki Utility" for reference information on all
Enterprise User Security Configuration and Management Tools
Enterprise users are database users who are stored and centrally managed in an
LDAP directory, such as Oracle Internet Directory. Table 2–6 provides a summary of
the tools that are used to configure and manage Enterprise User Security. The
following subsections introduce and describe these tools.
Table 2–6 Enterprise User Security Tools Summary
Tool                                    Task
Database Configuration Assistant        Register and un-register databases in Oracle Internet
                                        Directory
Enterprise Security Manager and         ■Configure enterprise domains and databases in Oracle
Enterprise Security Manager Console      Internet Directory
                                        ■Create users and manage their passwords
                                        ■Manage identity management realm attributes and
                                         administrative groups that pertain to Enterprise User
                                         Security in Oracle Internet Directory
Oracle Internet Directory Self-Service  Manage identity management realms in Oracle Internet
Console (Delegated Administration       Directory. For information about this tool, refer to Oracle
Service)                                Internet Directory Administrator's Guide.
Oracle Net Configuration Assistant      Configure a database's Oracle home for directory usage over
                                        the network
Oracle Wallet Manager                   Manage Oracle wallets for Enterprise User Security
User Migration Utility                  Perform bulk migrations of database users to Oracle
                                        Internet Directory
Database Configuration Assistant
Database Configuration Assistant is a wizard-based tool which is used to create and
configure Oracle databases.
Use Database Configuration Assistant to register a database with the directory.
When you register a database with the directory, Database Configuration Assistant
creates a distinguished name (DN) for the database and the corresponding entry
and subtree in Oracle Internet Directory.
Starting Database Configuration Assistant
To start Database Configuration Assistant:
■(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
See Also:
■"To register a database in the directory:" on page 12-9 for
information about using this tool to register your database.
■Oracle Database Administrator's Guide for more information
about this tool.
Enterprise Security Manager and Enterprise Security Manager Console
Oracle Advanced Security employs Enterprise Security Manager and Enterprise
Security Manager Console to administer enterprise users, administrative groups,
enterprise domains, and enterprise roles that are stored in Oracle Internet
Directory. (Enterprise Security Manager Console can be accessed through the
Enterprise Security Manager Operations menu. See "Enterprise Security Manager
Console Overview" on page 2-22 for details.)
Enterprise users are users who are provisioned and managed centrally in an
LDAP-compliant directory, such as Oracle Internet Directory, for database access.
Enterprise domains are directory constructs that contain databases and enterprise
roles, the access privileges that are assigned to enterprise users.
See Also: Chapter 11, "Getting Started with Enterprise User
Security" for a discussion of Enterprise User Security
■Logging in to Enterprise Security Manager Console
■Navigating Enterprise Security Manager Console User Interface
Enterprise Security Manager Initial Installation and Configuration Overview
The following tasks provide an overview of the initial Enterprise Security Manager
installation and configuration:
■Task 1: Install Enterprise Security Manager
■Task 2: Configure an Oracle Identity Management Infrastructure
Task 1: Install Enterprise Security Manager Enterprise Security Manager is automatically
installed by the Oracle Database Enterprise Edition server installation process.
See Also: The Oracle Database installation documentation for
your operating system.
Note: Use only the version of Enterprise Security Manager that
installs with Oracle Database 10g Release 1 (10.1).
Task 2: Configure an Oracle Identity Management Infrastructure Enterprise User Security
uses Oracle Internet Directory to store enterprise users. Enterprise Security
Manager uses Oracle Internet Directory Delegated Administration Services to
provide an administrative GUI (Enterprise Security Manager Console), and
OracleAS Single Sign-On server to authenticate administrators when they log in to
the console. Consequently, Oracle Internet Directory and OracleAS Single Sign-On
server, which are part of the Oracle Identity Management infrastructure, must be
properly installed and configured before Enterprise Security Manager can be used
to manage Enterprise User Security. The following elements of Oracle Identity
Management infrastructure configuration must be completed before proceeding:
■Oracle Internet Directory 10g (9.0.4) must be installed, running, and accessible
over standard LDAP or Secure Sockets Layer LDAP (LDAP/SSL).
■Oracle Internet Directory must include an identity management realm. You can
use Oracle Internet Directory Configuration Assistant to configure this on the
directory server.
■OracleAS Single Sign-On server must be installed and configured to
authenticate enterprise user security administrators when they log in to the
Enterprise Security Manager Console, an element of Enterprise Security
Manager.
See Also:
■Oracle Internet Directory Administrator's Guide for information
about using Oracle Internet Directory Configuration Assistant
to create or upgrade an identity management realm in the
directory. This manual also contains general information about
how to configure and use the directory.
■OracleAS Single Sign-On Administrator's Guide for information
about configuring OracleAS Single Sign-On Server.
Starting Enterprise Security Manager
To launch Enterprise Security Manager, use the following steps:
1. Depending on your operating system, use one of the following options:
■(UNIX) From $ORACLE_HOME/bin, enter the following at the command
Figure 2–4 Directory Server Login Window
2. Log in to Oracle Internet Directory by selecting the authentication method and
providing the hostname and port number for your directory. Table 2–7
describes the two available Enterprise Security Manager authentication
methods and what each method requires:
Table 2–7 Enterprise Security Manager Authentication Methods
Authentication Method      Requirements
Password Authentication    Uses simple authentication requiring a distinguished
                           name (DN) or a known directory user name and
                           password¹. Over standard (non-SSL) LDAP the password
                           crosses the network unprotected.
SSL Client Authentication  Uses two-way SSL authentication in which both the
                           client and server use Oracle wallets containing digital
                           certificates (that is, the user name and certificate). The
                           subsequent connection is encrypted.
¹ Known directory user name and password can be used only for the default identity
management realm in the directory.
3. After providing the directory login information, click OK. The main Enterprise
Security Manager user interface appears.
Navigating the Enterprise Security Manager User Interface
The Enterprise Security Manager user interface includes two panes, a toolbar, and
various menu items as shown in Figure 2–5.
Figure 2–5 Enterprise Security Manager User Interface
Navigator Pane The navigator pane provides a graphical tree view of your directory's
identity management realms and the databases, enterprise domains, and users they
contain. You can use the navigator pane to view, modify, add, or delete enterprise
domains and the objects they contain.
The navigator pane enables you to
■Expand and contract identity management realms by clicking the plus and
minus symbols (+ -) adjacent to the realm name in the navigation tree. This
enables you to manage the enterprise domains that they contain.
■Right-click an enterprise domain to perform operations such as creating
enterprise roles or deleting the domain from the identity management realm.
When you expand an identity management realm, you see a nested list of folders
that contain enterprise user security objects. Expanding these folders enables you to
view the individual objects as described in Table 2–8.
Table 2–8 Enterprise Security Manager Navigator Pane Folders
Folder                 Description
Databases              When you expand this folder, you see the databases which are
                       registered with this identity management realm. Databases are
                       registered with a directory by using Database Configuration
                       Assistant.
Enterprise Domains     When you expand this folder, you see the enterprise domains
                       that this realm contains. You can also expand each enterprise
                       domain to view the databases and enterprise roles that it
                       contains.
Users, by Search Base  When you expand this folder, you see the users stored in the
                       realm. The display of users is organized by search base, which is
                       the node in the directory under which a collection of users
                       resides.
Right Pane The right pane displays read-only information about an object that is
selected in the navigator pane, or it displays tabbed windows that enable you to
configure enterprise domains, enterprise roles, and user-schema mappings. For
example, when you select an enterprise domain in the navigator pane, you can add
databases to it by using the Databases tabbed window that is shown in Figure 2–6.
The Databases tabbed window also enables you to set security options for databases
which are members of an enterprise domain. See "Defining Database Membership
of an Enterprise Domain" on page 13-17 for a discussion of configuring enterprise
domains by using the Databases tabbed window.
Tool Bar The toolbar contains two buttons that enable you to access the Enterprise
Security Manager online help and to delete directory objects.
Menus You use Enterprise Security Manager menus to create or remove enterprise
domains and to manage objects within the domains, such as enterprise roles or
database membership. The following sections describe the options that are available
under each menu.
File Menu Table 2–9 describes the contents of the File menu.
Table 2–9 Enterprise Security Manager File Menu Options
Option                       Description
Change Directory Connection  Causes the Directory Server Login window to reappear
                             (see Figure 2–4 on page 2-17), enabling you to log in to
                             another directory server.
Directory Search Options     For user searches in the directory, this menu option
                             enables you to configure the maximum number of
                             displayed search results, the maximum search duration, or
                             an LDAP filter.
ESM Console URL              Enables you to specify the URL for your installation of
                             Enterprise Security Manager Console. (See "Enterprise
                             Security Manager Console Overview" on page 2-22)
Exit                         Exits the Enterprise Security Manager application.
Operations Menu Table 2–10 describes the contents of the Operations menu.
Table 2–10 Enterprise Security Manager Operations Menu Options
Option                    Description
Create Enterprise Domain  Creates an enterprise domain in the realm that is selected in
                          the navigator pane.
Remove Enterprise Domain  Removes the enterprise domain that is selected in the
                          navigator pane.
Create Enterprise Role    Creates an enterprise role in the enterprise domain that is
                          selected in the navigator pane.
Remove Enterprise Role    Removes the enterprise role that is selected in the navigator
                          pane.
Launch ESM Console        Brings up the Enterprise Security Manager Console in your
                          default browser.
Help Menu Table 2–11 describes the contents of the Help menu.
Table 2–11 Enterprise Security Manager Help Menu Options
Option                             Description
Contents                           Opens the online help and displays its table of contents.
Search for Help on                 Displays the search window for the online help.
Using Help                         Displays online help topics that describe how to use the
                                   online help system.
About Enterprise Security Manager  Displays Enterprise Security Manager version number and
                                   copyright information.
Enterprise Security Manager Console Overview
Enterprise Security Manager uses a directory management console, Enterprise
Security Manager Console, to administer enterprise users and groups, and to
configure an identity management realm for Enterprise User Security. By default,
when you log in to a directory server with Enterprise Security Manager, it combines
port 7777 with the fully qualified domain name of that directory server to construct
an Enterprise Security Manager Console URL. When you later launch the console,
Enterprise Security Manager connects to it over HTTP at this URL.
For example, if an Acme Company administrator logs in to an instance of Oracle
Internet Directory that is hosted on a machine named machine123, then Enterprise
Security Manager would use the following URL to connect to Enterprise Security
Manager Console:
http://machine123.us.acme.com:7777/
After launching the console, administrators must log in by using their OracleAS
Single Sign-On username and password. Because the default URL uses plain HTTP,
the login that follows is not protected in transit; if the console is served on a
different host, port, or scheme, set the URL explicitly as described in "To change
the default Enterprise Security Manager Console URL" later in this section.
Logging in to Enterprise Security Manager Console
If you can use the URL that is constructed by default to access an instance of
Enterprise Security Manager Console, then use the following steps to log in to the
console.
To log in to Enterprise Security Manager Console:
1. From the Enterprise Security Manager main application window, choose
Operations > Launch ESM Console.
The Enterprise Security Manager Console login page appears, as shown in
2. Click the Login icon in the upper right corner of the page to log in with your
OracleAS Single Sign-On username and password.
After providing your OracleAS Single Sign-On credentials, you are returned to
the console home page.
To change the default Enterprise Security Manager Console URL:
If you cannot use the default URL to connect to the Enterprise Security Manager
Console, then you must enter the appropriate URL before you can launch the
console.
1. In the Enterprise Security Manager main application, choose File > ESM
Console URL. The ESM Console URL window appears as shown in Figure 2–8.
Figure 2–8 ESM Console URL Window
2. Enter the appropriate URL for connecting to Enterprise Security Manager
Console, and click OK.
This saves the URL information in Enterprise Security Manager so you can
launch the console again without reconfiguring the URL.
Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users
By default, the Enterprise Security Manager Console user interface does not
display the field where you can configure Kerberos principal names. The first time
you create Kerberos-authenticated users in the directory, you must configure this
tool to display the krbPrincipalName attribute in its Create User window by
using the following steps:
1. Log into the Oracle Internet Directory Self-Service Console and choose the
Configuration tab. See: Oracle Internet Directory Administrator's Guide for
information about logging in and using the Oracle Internet Directory
Self-Service Console.
2. In the Configuration page, select the User Entry subtab and click Next until the
Configure User Attributes page appears.
3. In the Configure User Attributes page, click Add New Attribute and the Add
New Attribute page appears.
4. In the Add New Attribute page, select krbPrincipalName from the Directory
Attribute Name list (or the attribute that you have configured for
orclCommonKrbPrincipalAttribute in your identity management realm)
and perform the following steps on this page:
a. Enter Kerberos Principal Name for the user interface label.
b. Check Searchable and Viewable.
c. Select Single Line Text from the UI Type list
d. Click Done.
5. Click Next to navigate to the Configure Attribute Categories page, and click
Edit for Basic Information and perform the following steps on this page:
a. Select krbPrincipalName in the left category list.
b. Click Move > to move krbPrincipalName to the right-hand list.
c. Click Done.
6. Click Next until you reach the last page, and then click Finish to save your
work.
Navigating Enterprise Security Manager Console User Interface
The Enterprise Security Manager Console user interface is browser-based and uses
tabbed windows instead of a navigator pane. Figure 2–9 shows the layout of the
console user interface. The tabbed windows can be accessed by selecting one of the
tabs at the top of the application or by selecting one of the links in the Tips box on
the right. You can also access the tabbed windows by selecting one of the
corresponding links at the bottom of the page.
Figure 2–9 Enterprise Security Manager Console User Interface
The tabbed windows are explained in the following sections:
Home Tabbed Window The Home page is your entry point to the console. You can
access each tabbed window and read a brief summary of what you can do with this
tool. The Home tabbed window is shown in Figure 2–9 on page 2-25.
Users and Groups Tabbed Window This tabbed window contains two subtabs: the
Users subtab (shown in Figure 2–10) and the Groups subtab (shown in Figure 2–11
on page 2-28).
The Users subtab (Figure 2–10) enables you to search for users in the directory by
using the Search for user field at the top of the page. After you locate users that
match your search criteria, you can select specific users and perform tasks with the
buttons that are listed in Table 2–12 on page 2-27. This subtab also enables you to
create new users.
Table 2–12 Enterprise Security Manager Console User Subtab Buttons
Button Name        Description
Go                 After entering user search criteria in the Search for user field,
                   click Go to display users who match your search criteria in the
                   Search Results table. This button is always available.
Create             Enables you to create new enterprise users in the directory.
                   This button is always available.
Edit               Enables you to edit a user's information in the directory. This
                   button is available only after you have entered search criteria
                   in the Search for user field and clicked Go.
Delete             Enables you to delete a user from the directory. This button is
                   available only after you have entered search criteria in the
                   Search for user field and clicked Go.
Assign Privileges  Enables you to assign directory privileges to a specified user.
                   For example, you can assign the privilege to create new users
                   by using this button. This button is available only after you
                   have entered search criteria in the Search for user field and
                   clicked Go.
The Group subtab (shown in Figure 2–11 on page 2-28) enables you to view, or to
add new users or groups to the Enterprise User Security directory administrative
groups. To view or edit an administrative group, select the adjacent radio button,
and click Edit in the upper right corner of the page. When you click Edit, an Edit
Group page for the specified group appears, displaying the following information:
■Members of the group
■Groups of which the specified administrative group is a member
■Edit history for the group
You can add members or other groups to a specified Enterprise User Security
directory administrative group by clicking either Add User or Add Group in the
Member region of the Edit Group page, which is shown in Figure 2–12 on page 2-29.
Figure 2–11 Enterprise Security Manager Console Group Subtab
Figure 2–12 Enterprise Security Manager Console Edit Group Page
Realm Configuration Tabbed Window
The Realm Configuration tabbed window, which is shown in Figure 2–13, enables you to configure identity management realm attributes that pertain to Enterprise User Security. The fields that you can edit on this page are described in Table 2–13 on page 2-30.
Name of the directory attribute used to store Kerberos principal names. See also: "Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users" on page 2-24
enterprise users are stored for this realm.
Security administrative groups) are stored in the directory.
Enterprise Security Manager Command-Line Utility
Enterprise Security Manager provides a command-line utility, which can be used to
perform the most common tasks that the graphical user interface tool performs.
Enter all Enterprise Security Manager command-line utility commands from the
Oracle Enterprise Manager Oracle home.
Accessing Enterprise Security Manager Command-Line Utility Help
To view a full list of operations and options you can use with this utility, enter the following at the command line:
esm -cmd
To view help on a specific operation, enter the following at the command line:
esm -cmd help [operation]
See Also:
■"Duties of an Enterprise User Security Administrator/DBA" on
page 2-35 for a list of tasks that can be performed with
Enterprise Security Manager and Enterprise Security Manager
Console.
■Chapter 13, "Administering Enterprise User Security" for
detailed information about how to use Enterprise Security
Manager and Enterprise Security Manager Console to
administer enterprise users.
Oracle Net Configuration Assistant
Oracle Net Configuration Assistant is a wizard-based tool that has a graphical user
interface. It is primarily used to configure basic Oracle Net network components,
such as listener names and protocol addresses. It also enables you to configure your
Oracle home for directory server usage. The latter use is what makes this tool
important for configuring Enterprise User Security.
If you use Domain Name System (DNS) discovery (automatic domain name
lookup) to locate Oracle Internet Directory on your network, then this tool is not
necessary. Note that using DNS discovery is the recommended configuration. See
Oracle Internet Directory Administrator's Guide for information about this
configuration.
If you have not configured DNS discovery of Oracle Internet Directory on your
network, then you must use Oracle Net Configuration Assistant to create an
ldap.ora file for your Oracle home before you can register a database with the
directory. Your database uses the ldap.ora file to locate the correct Oracle Internet
Directory server on your network. This configuration file contains the hostname,
port number, and identity management realm information for your directory
server.
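As an added example that is not part of this guide, the following Python parser reads the ldap.ora parameters that Oracle Net Configuration Assistant writes (DIRECTORY_SERVERS entries in host:port:sslport form and DEFAULT_ADMIN_CONTEXT for the realm) and runs a short review check before the file is used to register a database. The sample file, its host names and its realm DN are constructed, and the check that every directory server lists an SSL port is an assumption about good practice, not a requirement the guide states here.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample ldap.ora in the standard parameter syntax; the host names
# and realm DN are placeholders, not values taken from the guide.
SAMPLE_LDAP_ORA = """
DIRECTORY_SERVERS= (oid1.example.com:389:636, oid2.example.com:389)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
"""

@dataclass
class DirectoryServer:
    host: str
    port: int                  # non-SSL LDAP port
    ssl_port: Optional[int]    # third field of the entry; None when absent

@dataclass
class LdapOra:
    servers: List[DirectoryServer] = field(default_factory=list)
    admin_context: Optional[str] = None   # identity management realm DN

def parse_ldap_ora(text: str) -> LdapOra:
    # Parse the directory server list and realm that the assistant writes.
    cfg = LdapOra()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]                 # drop comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.upper() == "DIRECTORY_SERVERS":
            for entry in value.strip("()").split(","):
                parts = entry.strip().split(":")    # host:port[:sslport]
                if len(parts) < 2 or not parts[1]:
                    raise ValueError(f"bad DIRECTORY_SERVERS entry: {entry!r}")
                ssl = int(parts[2]) if len(parts) > 2 and parts[2] else None
                cfg.servers.append(DirectoryServer(parts[0], int(parts[1]), ssl))
        elif key.upper() == "DEFAULT_ADMIN_CONTEXT":
            cfg.admin_context = value.strip('"')
    return cfg

def check_ldap_ora(cfg: LdapOra) -> List[str]:
    # Findings a reviewer would raise before registering a database.
    findings = []
    if not cfg.servers:
        findings.append("no DIRECTORY_SERVERS: the database cannot locate the directory")
    if not cfg.admin_context:
        findings.append("no DEFAULT_ADMIN_CONTEXT: realm information is missing")
    for s in cfg.servers:       # assumption: SSL to the directory is wanted
        if s.ssl_port is None:
            findings.append(f"{s.host}: no SSL port listed for this directory server")
    return findings
```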
Starting Oracle Net Configuration Assistant
To start Oracle Net Configuration Assistant:
■(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
After you start this tool, you will be presented with the opening page that is shown
in Figure 2–14 on page 2-33.
Choose the Directory Usage Configuration option on this page, click Next, and
choose the directory server where you wish to store your enterprise users. Then
click Finish to create a properly configured ldap.ora file for your Oracle home.
Figure 2–14 Opening Page of Oracle Net Configuration Assistant
See Also:
■"Task 5: (Optional) Configure your Oracle home for directory usage" on page 12-7 for more information about using this tool to configure your Oracle home for Enterprise User Security.
■Oracle Net Services Administrator's Guide and Oracle Net Configuration Assistant online help for complete documentation of this tool.
User Migration Utility
User Migration Utility is a command-line tool that enables you to perform bulk migrations of database users to Oracle Internet Directory where they are stored and managed as enterprise users. This tool performs a bulk migration in two phases: In phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory.
This tool is automatically installed in the following location when you install an
Oracle Database client:
Note that when a parameter takes multiple values, they are separated with colons (:).
See Also: Appendix G, "Using the User Migration Utility" for
complete instructions (including usage examples) for using this tool
to migrate database users to a directory and its parameters.
Duties of a Security Administrator/DBA
Most of the tasks of a security administrator involve ensuring that the connections
to and from Oracle databases are secure. Table 2–14 lists the primary tasks of
security administrators, the tools used to perform the tasks, and links to where the
tasks are documented.
Table 2–14 Common Security Administrator/DBA Configuration and Administrative Tasks

Task: Configure encrypted Oracle Net connections between database servers and clients
Tools Used: Oracle Net Manager
See Also: "Configuring Encryption on the Client and the Server" on page 3-9

Task: Configure checksumming on Oracle Net connections between database servers and clients
Tools Used: Oracle Net Manager
See Also: "Configuring Integrity on the Client and the Server" on page 3-11

Task: Configure database clients to accept RADIUS authentication
Tools Used: Oracle Net
See Also: "Step 1: Configure RADIUS on the Oracle Client" on page 5-9

Task: Configure a database to accept RADIUS authentication
Tools Used: Oracle Net
See Also: "Step 2: Configure RADIUS on the Oracle Database Server" on page 5-10

Task: Create a RADIUS user and grant them access to a database session
Tools Used: SQL*Plus
See Also: "Task 3: Create a User and Grant Access" on page 5-17

Task: Configure Kerberos authentication on a database client and server
Tools Used: Oracle Net Manager
See Also: "Task 7: Configure Kerberos Authentication" on page 6-5

Task: Create a Kerberos database user
Tools Used: kadmin.local; Oracle Net Manager
See Also: "Task 8: Create a Kerberos User" on page 6-10; "Task 9: Create an Externally Authenticated Oracle User" on page 6-10

Task: Manage Kerberos credentials in the credential cache
Tools Used: okinit; oklist; okdstry
See Also: "Obtaining the Initial Ticket with the okinit Utility" on page 6-11; "Displaying Credentials with the oklist Utility" on page 6-12; "Removing Credentials from the Cache File with the okdstry Utility" on page 6-13

Task: Create a wallet for a database client or server
Tools Used: Oracle Wallet Manager
See Also: "Creating a New Wallet" on page 8-10

Task: Request a user certificate from a certificate authority (CA) for SSL authentication
Tools Used: Oracle Wallet Manager
See Also: "Adding a Certificate Request" on page 8-21; "Importing the User Certificate into the Wallet" on page 8-22

Task: Import a user certificate and its associated trusted certificate (CA certificate) into a wallet
Tools Used: Oracle Wallet Manager
See Also: "Importing a Trusted Certificate" on page 8-25; "Importing the User Certificate into the Wallet" on page 8-22

Task: Configure SSL connections for a database client
Tools Used: Oracle Net Manager
See Also: "Task 3: Configure SSL on the Client" on page 7-23

Task: Configure SSL connections for a database server
Tools Used: Oracle Net Manager
See Also: "Task 2: Configure SSL on the Server" on page 7-15

Task: Enable certificate validation with certificate revocation lists
Tools Used: Oracle Net Manager
See Also: "Configuring Certificate Validation with Certificate Revocation Lists" on page 7-37
Duties of an Enterprise User Security Administrator/DBA
Enterprise User Security administrators plan, implement, and administer enterprise
users. Table 2–15 lists the primary tasks of Enterprise User Security administrators,
the tools used to perform the tasks, and links to where the tasks are documented.
Table 2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks

Task: Create an identity management realm in Oracle Internet Directory
Tools Used: Oracle Internet Directory Self-Service Console (Delegated Administration Service)
See Also: Oracle Internet Directory Administrator's Guide for information about how to perform this task

Task: Upgrade an identity management realm in Oracle Internet Directory
Tools Used: Oracle Internet Directory Configuration Assistant
See Also: Oracle Internet Directory Administrator's Guide and the online help for this tool

Task: Set up DNS to enable automatic discovery of Oracle Internet Directory over the network. Note that this is the recommended configuration.
Tools Used: Oracle Internet Directory Configuration Assistant
See Also: Oracle Internet Directory Administrator's Guide (Domain Name System server discovery) and the online help for this tool

Task: Create an ldap.ora file to enable directory access
Tools Used: Oracle Net Configuration Assistant
See Also: "Task 5: (Optional) Configure your Oracle home for directory usage" on page 12-7

Task: Register a database in the directory
Tools Used: Database Configuration Assistant
See Also: "Task 6: Register the database in the directory" on page 12-8

Task: Configure password authentication for Enterprise User Security
Tools Used: Enterprise Security Manager; Oracle Net Manager
See Also: "Configuring Enterprise User Security for Password Authentication" on page 12-16

Task: Configure Kerberos authentication for Enterprise User Security
Tools Used: Oracle Net Manager; Enterprise Security Manager Console
See Also: "Configuring Enterprise User Security for Kerberos Authentication" on page 12-18

Task: Configure SSL authentication for Enterprise User Security
Tools Used: Enterprise Security Manager; Oracle Net Manager
See Also: "Configuring Enterprise User Security for SSL Authentication" on page 12-21

Task: Create or modify user entries and Oracle administrative groups in the directory
Tools Used: Enterprise Security Manager Console

Task: Create or modify enterprise roles and domains in the directory
Tools Used: Enterprise Security Manager

Task: Create or modify wallets for directory, databases, and clients
Tools Used: Oracle Wallet Manager

Task: Change a user's database or directory password

Task: Change a database's directory password
Tools Used: Database Configuration Assistant
See Also: "To change the database's directory

Also listed in the Tools Used column for the last rows of this table, without recoverable row alignment: text editor or SQL*Plus.