Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01

Contents

Title and Copyright Information

List of Figures

List of Tables

Send Us Your Comments

Preface

What's New in Oracle Advanced Security?

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

Security Challenges in an Enterprise Environment
Security in Enterprise Grid Computing Environments
Security in an Intranet or Internet Environment
Common Security Threats
Solving Security Challenges with Oracle Advanced Security
Data Encryption
Strong Authentication
Enterprise User Management
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Advanced Security Restrictions

2 Configuration and Administration Tools Overview

Network Encryption and Strong Authentication Configuration Tools
Oracle Net Manager
Oracle Advanced Security Kerberos Adapter Command-Line Utilities
Public Key Infrastructure Credentials Management Tools
Oracle Wallet Manager
orapki Utility
Enterprise User Security Configuration and Management Tools
Database Configuration Assistant
Enterprise Security Manager and Enterprise Security Manager Console
Oracle Net Configuration Assistant
User Migration Utility
Duties of a Security Administrator/DBA
Duties of an Enterprise User Security Administrator/DBA

Part II Network Data Encryption and Integrity

3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

Oracle Advanced Security Encryption
About Encryption
Advanced Encryption Standard
DES Algorithm Support
Triple-DES Support
RSA RC4 Algorithm for High Speed Encryption
Oracle Advanced Security Data Integrity
Data Integrity Algorithms Supported
Diffie-Hellman Based Key Management
Authentication Key Fold-in
How To Configure Data Encryption and Integrity
About Activating Encryption and Integrity
About Negotiating Encryption and Integrity
Setting the Encryption Seed (Optional)
Configuring Encryption and Integrity Parameters Using Oracle Net Manager

4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients

About the Java Implementation
Java Database Connectivity Support
Securing Thin JDBC
Implementation Overview
Obfuscation
Configuration Parameters
Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT
Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT
Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT
Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT

Part III Oracle Advanced Security Strong Authentication

5 Configuring RADIUS Authentication

RADIUS Overview
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication, Authorization, and Accounting
Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
Task 2: Configure RADIUS Authentication
Task 3: Create a User and Grant Access
Task 4: Configure External RADIUS Authorization (optional)
Task 5: Configure RADIUS Accounting
Task 6: Add the RADIUS Client Name to the RADIUS Server Database
Task 7: Configure the Authentication Server for Use with RADIUS
Task 8: Configure the RADIUS Server for Use with the Authentication Server
Task 9: Configure Mapping Roles
Using RADIUS to Log In to a Database
RSA ACE/Server Configuration Checklist

6 Configuring Kerberos Authentication

Enabling Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Database Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Database Server and an Oracle Client
Task 5: Install Oracle Net Services and Oracle Advanced Security
Task 6: Configure Oracle Net Services and Oracle Database
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally Authenticated Oracle User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Utilities for the Kerberos Authentication Adapter
Obtaining the Initial Ticket with the okinit Utility
Displaying Credentials with the oklist Utility
Removing Credentials from the Cache File with the okdstry Utility
Connecting to an Oracle Database Server Authenticated by Kerberos
Configuring Interoperability with a Windows 2000 Domain Controller KDC
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User
Troubleshooting

7 Configuring Secure Sockets Layer Authentication

SSL and TLS in an Oracle Environment
Difference between SSL and TLS
About Using SSL
How SSL Works in an Oracle Environment: The SSL Handshake
Public Key Infrastructure in an Oracle Environment
About Public Key Cryptography
Public Key Infrastructure Components in an Oracle Environment
SSL Combined with Other Authentication Methods
Architecture: Oracle Advanced Security and SSL
How SSL Works with Other Authentication Methods
SSL and Firewalls
SSL Usage Issues
Enabling SSL
Task 1: Install Oracle Advanced Security and Related Products
Task 2: Configure SSL on the Server
Task 3: Configure SSL on the Client
Task 4: Log on to the Database
Troubleshooting SSL
Certificate Validation with Certificate Revocation Lists
What CRLs Should You Use?
How CRL Checking Works
Configuring Certificate Validation with Certificate Revocation Lists
Certificate Revocation List Management
Troubleshooting Certificate Validation
Configuring Your System to Use Hardware Security Modules
General Guidelines for Using Hardware Security Modules with Oracle Advanced Security
Configuring Your System to Use nCipher Hardware Security Modules
Troubleshooting Using Hardware Security Modules

8 Using Oracle Wallet Manager

Oracle Wallet Manager Overview
Wallet Password Management
Strong Wallet Encryption
Microsoft Windows Registry Wallet Storage
Backward Compatibility
Public-Key Cryptography Standards (PKCS) Support
Multiple Certificate Support
LDAP Directory Support
Starting Oracle Wallet Manager
How To Create a Complete Wallet: Process Overview
Managing Wallets
Required Guidelines for Creating Wallet Passwords
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Importing Third-Party Wallets
Exporting Oracle Wallets to Third-Party Environments
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12
Uploading a Wallet to an LDAP Directory
Downloading a Wallet from an LDAP Directory
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Managing Certificates
Managing User Certificates
Managing Trusted Certificates

9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Multiple Authentication Methods
Configuring Oracle Database for External Authentication
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value

10 Configuring Oracle DCE Integration

Introduction to Oracle DCE Integration
System Requirements
Backward Compatibility
Components of Oracle DCE Integration
Flexible DCE Deployment
Release Limitations
Configuring DCE for Oracle DCE Integration
Task 1: Create New Principals and Accounts
Task 2: Install the Key of the Server into a Keytab File
Task 3: Configure DCE CDS for Use by Oracle DCE Integration
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration
DCE Address Parameters
Task 1: Configure the Server
Task 2: Create and Name Externally Authenticated Accounts
Task 3: Set up DCE Integration External Roles
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
Task 5: Configure the Client
Task 6: Configure Clients to Use DCE CDS Naming
Connecting to an Oracle Database Server in the DCE Environment
Starting the Listener
Connecting to an Oracle Database by Using DCE Authentication for Single Sign-On
Connecting to an Oracle Database by Using Password Authentication
Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible

Part IV Enterprise User Security

11 Getting Started with Enterprise User Security

Introduction to Enterprise User Security
The Challenges of User Management
Enterprise User Security: The Big Picture
About Enterprise User Security Directory Entries
About Using Shared Schemas for Enterprise User Security
Overview of Shared Schemas Used in Enterprise User Security
How Shared Schemas Are Configured for Enterprise Users
How Enterprise Users Are Mapped to Schemas
About Using Current User Database Links for Enterprise User Security
Enterprise User Security Deployment Considerations
Security Aspects of Centralizing Security Credentials
Security of Password-Authenticated Enterprise User Database Login Information
Considerations for Defining Database Membership in Enterprise Domains
Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security

12 Enterprise User Security Configuration Tasks and Troubleshooting

Enterprise User Security Configuration Overview
Enterprise User Security Configuration Roadmap
Preparing the Directory for Enterprise User Security
Configuring Enterprise User Security Objects in the Database and the Directory
Configuring Enterprise User Security for Password Authentication
Configuring Enterprise User Security for Kerberos Authentication
Configuring Enterprise User Security for SSL Authentication
Viewing the Database DN in the Wallet and in the Directory
Enabling Current User Database Links
Troubleshooting Enterprise User Security
ORA-# Errors for Password-Authenticated Enterprise Users
ORA-# Errors for Kerberos-Authenticated Enterprise Users
ORA-# Errors for SSL-Authenticated Enterprise Users
NO-GLOBAL-ROLES Checklist
USER-SCHEMA ERROR Checklist
DOMAIN-READ-ERROR Checklist

13 Administering Enterprise User Security

Enterprise User Security Administration Tools Overview
Administering Identity Management Realms
Identity Management Realm Versions
Setting Properties of an Identity Management Realm
Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes
Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
Managing Identity Management Realm Administrators
Administering Enterprise Users
Creating New Enterprise Users
Setting Enterprise User Passwords
Defining an Initial Enterprise Role Assignment
Browsing Users in the Directory
Administering Enterprise Domains
Creating a New Enterprise Domain
Defining Database Membership of an Enterprise Domain
Managing Database Security Options for an Enterprise Domain
Managing Enterprise Domain Administrators
Managing Enterprise Domain Database Schema Mappings
Managing Password Accessible Domains
Managing Database Administrators
Administering Enterprise Roles
Creating a New Enterprise Role
Assigning Database Global Role Membership to an Enterprise Role
Granting Enterprise Roles to Users

Part V Appendixes

A Data Encryption and Integrity Parameters

Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Encryption and Integrity Parameters
Seeding the Random Key Generator (Optional)

B Authentication Parameters

Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using RADIUS Authentication
sqlnet.ora File Parameters
Minimum RADIUS Parameters
Initialization File Parameters
Parameters for Clients and Servers using SSL
SSL Authentication Parameters
Cipher Suite Parameters
SSL Version Parameters
SSL Client Authentication Parameters
Wallet Location

C Integrating Authentication Devices Using RADIUS

About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface

D Oracle Advanced Security FIPS 140-1 Settings

Configuration Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selection List
Client Encryption Selection List
Cryptographic Seed Value
FIPS Parameter
Post Installation Checks
Status Information
Physical Security

E orapki Utility

orapki Utility Overview
orapki Utility Syntax
Creating Signed Certificates for Testing Purposes
Managing Oracle Wallets with orapki Utility
Creating and Viewing Oracle Wallets with orapki
Adding Certificates and Certificate Requests to Oracle Wallets with orapki
Exporting Certificates and Certificate Requests from Oracle Wallets with orapki
Managing Certificate Revocation Lists (CRLs) with orapki Utility
orapki Utility Commands Summary
orapki cert create
orapki cert display
orapki crl delete
orapki crl display
orapki crl hash
orapki crl list
orapki crl upload
orapki wallet add
orapki wallet create
orapki wallet display
orapki wallet export

F Entrust-Enabled SSL Authentication

Benefits of Entrust-Enabled Oracle Advanced Security
Enhanced X.509-Based Authentication and Single Sign-On
Integration with Entrust Authority Key Management
Integration with Entrust Authority Certificate Revocation
Required System Components for Entrust-Enabled Oracle Advanced Security
Entrust Authority for Oracle
Entrust Authority Server Login Feature
Entrust Authority IPSec Negotiator Toolkit
Entrust Authentication Process
Enabling Entrust Authentication
Creating Entrust Profiles
Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL
Configuring SSL on the Client and Server for Entrust-Enabled SSL
Configuring Entrust on the Client
Configuring Entrust on the Server
Creating Entrust-Enabled Database Users
Logging Into the Database Using Entrust-Enabled SSL
Issues and Restrictions that Apply to Entrust-Enabled SSL
Troubleshooting Entrust In Oracle Advanced Security
Error Messages Returned When Running Entrust on Any Platform
Error Messages Returned When Running Entrust on Windows Platforms
General Checklist for Running Entrust on Any Platform

G Using the User Migration Utility

Benefits of Migrating Local or External Users to Enterprise Users
Introduction to the User Migration Utility
Bulk User Migration Process Overview
About the ORCL_GLOBAL_USR_MIGRATION_DATA Table
Migration Effects on Users' Old Database Schemas
Migration Process
Prerequisites for Performing Migration
Required Database Privileges
Required Directory Privileges
Required Setup to Run the User Migration Utility
User Migration Utility Command Line Syntax
Accessing Help for the User Migration Utility
User Migration Utility Parameters
User Migration Utility Usage Examples
Migrating Users While Retaining Their Own Schemas
Migrating Users and Mapping to a Shared Schema
Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters
Troubleshooting Using the User Migration Utility
Common User Migration Utility Error Messages
Common User Migration Utility Log Messages
Summary of User Migration Utility Error and Log Messages

Glossary

Index