Oracle Advanced Security Administrator's Guide PDF

486 Pages·2001·3.307 MB·English
Preview Oracle Advanced Security Administrator's Guide

Oracle Advanced Security Administrator's Guide
Release 9.0.1
June 2001
Part No. A90150-01

Oracle Advanced Security Administrator's Guide, Release 9.0.1
Part No. A90150-01

Copyright © 1996, 2001, Oracle Corporation. All rights reserved.

Author: Mike Cowan

Contributors: Kristy Browder, Sudha Iyer, Nina Lewis, Michael Hwa, Adam Lindsey Jacobs, Lakshmi Kethana, Andrew Koyfman, Van Le, Andy Philips, Ramana Turlapati, Philip Thornton, Gary Gilchrist, Min-Hank Ho, Torrance Brooksfuller, Cynthia Kibbe.

Graphic Artist: Valarie Moore

The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs is prohibited. Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice. Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and SQL*Plus, Oracle Enterprise Manager, Oracle8i, and Oracle9i are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Contents

List of Figures
List of Tables

Send Us Your Comments  xix
Preface  xxi
    Audience  xxii
    Organization  xxii
    Related Documentation  xxvi
    Conventions  xxviii
    Documentation Accessibility  xxxii

Part I  Introduction

1  Introduction to Oracle Advanced Security
    About Oracle Advanced Security  1-2
        Security in an Intranet or Internet Environment  1-2
        Security Threats  1-2
    Oracle Advanced Security Features  1-5
        Data Privacy  1-5
        Data Integrity  1-7
        Authentication  1-8
        Single Sign-On  1-13
        Authorization  1-14
    Oracle Advanced Security Architecture  1-15
    Secure Data Transfer Across Network Protocol Boundaries  1-17
    System Requirements  1-18
    Oracle Advanced Security Restrictions  1-19

Part II  Encryption, Integrity, and JDBC

2  Configuring Data Encryption and Integrity
    Oracle Advanced Security Encryption  2-2
        Overview  2-2
        DES Algorithm for Standards-Based Encryption  2-2
        Triple-DES Support  2-2
        RSA RC4 Algorithm for High Speed Encryption  2-3
    Oracle Advanced Security Data Integrity  2-4
        Data Integrity Algorithms Supported  2-4
    Diffie-Hellman Based Key Management  2-5
        Authentication Key Fold-in  2-5
    Configuring Data Encryption and Integrity  2-6
        Activating Encryption and Integrity  2-6
        Negotiating Encryption and Integrity  2-8
        Setting the Encryption Seed  2-9
        Configuring Encryption and Integrity Parameters Using Oracle Net Manager  2-10

3  Thin JDBC Support
    About the Java Implementation  3-2
        Java Database Connectivity Support  3-2
        Securing Thin JDBC  3-3
        Implementation Overview  3-4
        Obfuscation  3-4
    Configuration Parameters  3-5
        Client Encryption Level  3-5
        Client Encryption Selected List  3-6
        Client Integrity Level  3-6
        Client Integrity Selected List  3-7

Part III  Configuring Authentication Methods

4  Configuring RADIUS Authentication
    RADIUS Overview  4-2
    RADIUS Authentication Modes  4-4
        Synchronous Authentication Mode  4-4
        Challenge-Response (Asynchronous) Authentication Mode  4-5
    Enabling RADIUS Authentication and Accounting  4-10
        Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client  4-10
        Task 2: Configure RADIUS Authentication  4-10
        Task 3: Create a User and Grant Access  4-19
        Task 4: Configure RADIUS Accounting  4-19
        Task 5: Add the RADIUS Client Name to the RADIUS Server Database  4-20
        Task 6: Configure the Authentication Server for Use with RADIUS  4-21
        Task 7: Configure the RADIUS Server for Use with the Authentication Server  4-21
        Task 8: Configure Mapping Roles  4-21
    Using RADIUS to Log In to a Database  4-23

5  Configuring CyberSafe Authentication
    Configuring CyberSafe Authentication  5-2
        Task 1: Install the CyberSafe Server  5-2
        Task 2: Install the CyberSafe TrustBroker Client  5-2
        Task 3: Install the CyberSafe Application Security Toolkit  5-2
        Task 4: Configure a Service Principal for an Oracle Database Server  5-3
        Task 5: Extract the Service Table from CyberSafe  5-4
        Task 6: Install an Oracle Database Server  5-5
        Task 7: Install Oracle Advanced Security With CyberSafe  5-5
        Task 8: Configure Oracle Net and Oracle9i  5-5
        Task 9: Configure CyberSafe Authentication  5-5
        Task 10: Create a CyberSafe User on the Authentication Server  5-8
        Task 11: Create an Externally Authenticated Oracle User on the Oracle Database Server  5-9
        Task 12: Get the Initial Ticket for the CyberSafe/Oracle User  5-10
        Task 13: Connect to an Oracle Database Server Authenticated by CyberSafe  5-10
    Troubleshooting  5-11
        If you cannot get your ticket-granting ticket using kinit:  5-11
        If you have an initial ticket, but still cannot connect:  5-11
        If you have a service ticket, and you still cannot connect:  5-11
        If everything seems to work fine, but then you issue another query and it fails:  5-11

6  Configuring Kerberos Authentication
    Enabling Kerberos Authentication  6-2
        Task 1: Install Kerberos  6-2
        Task 2: Configure a Service Principal for an Oracle Database Server  6-3
        Task 3: Extract a Service Table from Kerberos  6-4
        Task 4: Install an Oracle Database Server and an Oracle Client  6-5
        Task 5: Install Oracle Net and Oracle Advanced Security  6-5
        Task 6: Configure Oracle Net and Oracle9i  6-5
        Task 7: Configure Kerberos Authentication  6-5
        Task 8: Create a Kerberos User  6-10
        Task 9: Create an Externally-authenticated Oracle User  6-11
        Task 10: Get an Initial Ticket for the Kerberos/Oracle User  6-11
    Utilities for the Kerberos Authentication Adapter  6-12
        Use okinit to Obtain the Initial Ticket  6-12
        Use OKLIST to Display Credentials  6-13
        Use OKDSTRY to Remove Credentials from the Cache File  6-14
        Connecting to an Oracle Database Server Authenticated by Kerberos  6-14
    Troubleshooting  6-15
        If you cannot get your ticket-granting ticket using OKINIT:  6-15
        If you have an initial ticket, but still cannot connect:  6-15
        If you have a service ticket and you still cannot connect:  6-15
        If everything seems to work fine, but then you issue another query and it fails:  6-15

7  Configuring Secure Sockets Layer Authentication
    SSL in an Oracle Environment  7-2
        What You Can Do with SSL  7-2
        Architecture of SSL in an Oracle Environment  7-3
        Components of SSL in an Oracle Environment  7-4
        How SSL Works in an Oracle Environment: The SSL Handshake  7-6
    SSL Beyond an Oracle Environment  7-7
    SSL Combined with Other Authentication Methods  7-8
        Architecture: Oracle Advanced Security and SSL  7-9
        Using SSL with Other Authentication Methods  7-10
    SSL and Firewalls  7-11
    SSL Usage Issues  7-13
    Enabling SSL  7-14
        Task 1: Install Oracle Advanced Security and Related Products  7-14
        Task 2: Configure SSL on the Client  7-14
        Task 3: Configure SSL on the Server  7-24
        Task 4: Log on to the Database  7-31

8  Configuring Entrust-Enabled SSL Authentication
    Overview  8-2
        Oracle Advanced Security  8-2
        Entrust/PKI  8-2
        Entrust-Enabled Oracle Advanced Security  8-3
    System Components  8-4
        Entrust/PKI 5.0.2 for Oracle  8-4
        Entrust/Toolkit Server Login 5.0.2  8-5
        Entrust IPSEC Negotiator Toolkit 5.0.2  8-6
    Entrust Authentication Process  8-7
    Enabling Entrust Authentication  8-8
        Creating Entrust Profiles  8-8
        Installing Oracle Advanced Security and Related Products  8-9
        Configuring SSL on the Client and Server  8-9
        Configuring Entrust on the Client  8-10
        Configuring Entrust on the Server  8-11
        Creating Database Users  8-13
        Logging Into the Database  8-13
    Issues and Restrictions  8-13
    Troubleshooting Entrust In Oracle Advanced Security  8-15
        ORA-28890 Entrust Login Failed  8-15
        General Problems and Guidelines  8-16

9  Configuring Multiple Authentication Methods
    Connecting with User Name and Password  9-2
    Disabling Oracle Advanced Security Authentication  9-3
    Configuring Multiple Authentication Methods  9-5
    Configuring Oracle9i for External Authentication  9-7
        Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora  9-7
        Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE  9-7
        Setting OS_AUTHENT_PREFIX to a Null Value  9-8

Part IV  Oracle DCE Integration

10  Overview of Oracle DCE Integration
    Oracle DCE Integration Requirements  10-2
        System Requirements  10-2
        Backward Compatibility  10-2
    The Distributed Computing Environment  10-3
    Components of Oracle DCE Integration  10-4
        DCE Communication/Security  10-4
        DCE Cell Directory Services Native Naming  10-5
    Flexible DCE Deployment  10-7
    Release Limitations  10-8

11  Configuring DCE for Oracle DCE Integration
    To Configure DCE for Oracle DCE Integration:  11-2
        Task 1: Create New Principals and Accounts  11-2
        Task 2: Install the Key of the Server into a Keytab File  11-2
        Task 3: Configure DCE CDS for Use by Oracle DCE Integration  11-3

12  Configuring Oracle9i for Oracle DCE Integration
    DCE Address Parameters  12-2
    Configuring Oracle9i and Oracle Net  12-4
        Task 1: Configure the Server  12-4
        Task 2: Create and Name Externally-Authenticated Accounts  12-5
        Task 3: Set up DCE Integration External Roles  12-7
        Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases  12-9
        Task 5: Configure the Client  12-11
        Task 6: Configure Clients to Use DCE CDS Naming  12-13

13  Connecting to an Oracle Database in DCE
    Starting the Listener  13-2
    Connecting to an Oracle Database Server in the DCE Environment  13-3
        Method 1  13-3
        Method 2  13-3

14  DCE and Non-DCE Interoperability
    Connecting Clients Outside DCE to Oracle Servers in DCE  14-2
    Sample Parameter Files  14-3
        The listener.ora File  14-3
        The tnsnames.ora File  14-4
    Using tnsnames.ora for Name Lookup When CDS Is Inaccessible  14-6
        SQL*Net Release 2.2 and Earlier  14-6
        SQL*Net Release 2.3 and Oracle Net  14-6

Part V  Oracle9i Enterprise User Security

15  Managing Enterprise User Security
    Part I: Overview / Concepts  15-2
    Overview of Enterprise User Security  15-3
        Introduction to Enterprise User Security  15-3
        Enterprise Users and Authentication Methods  15-4
        Enterprise Users and Password Authentication  15-6
        Elements of Enterprise User Security  15-7
        The Enterprise User Security Process with SSL  15-16
        The Enterprise User Security Process with Passwords  15-17
    Shared Schemas  15-19
        Overview  15-19
        Configuring Shared Schemas  15-20
        Shared Schema Functionality and SSL  15-20
        Creating a Shared Schema  15-23
        Creating an Enterprise User in the Directory  15-23
        Mapping an Enterprise User to a Shared Schema  15-23
    Current User Database Links  15-25
    Enterprise User Security Components  15-27
        Oracle Enterprise Security Manager  15-27
        Oracle Enterprise Login Assistant  15-27
        Oracle Wallet Manager  15-28
    Deployment Considerations  15-29
        Security Aspects of Centralizing Security Credentials  15-29
        Database Membership in Enterprise Domains  15-29
    Part II: Initial Configuration for SSL and Password Authentication  15-31
        Task 1: Install or Identify a Certificate Service  15-32
        Task 2: Install and Configure a Directory Service  15-32
        Task 3: Install and Configure the Database  15-35
        Task 4: Configure the Database for SSL  15-39
        Task 5: Create the Wallet and Start the Listener  15-44
        Task 6: Verify Database Installation  15-48
        Task 7: Create Global Schemas and Roles  15-49
    Part III: Final Configuration for SSL Authentication  15-51
        Task 8: Configure Database Clients  15-52
        Task 9: Configure an Enterprise Domain  15-53
        Task 10: Configure Enterprise Users  15-54
        Task 11: Log In as an Enterprise User  15-57
    Part IV: Final Configuration for Password Authentication  15-59
        Task 12: Complete Initial Setup Steps  15-60
        Task 13: Configure the Enterprise Domain  15-60
        Task 14: Configure Oracle Context  15-63
        Task 15: Configure Enterprise Users  15-65
        Task 16: Connect as Password Authenticated Enterprise User  15-70
    Part V: Troubleshooting Enterprise User Login  15-71
        No Global Roles  15-72
        TNS Lost Connection  15-73
        ORA-1004: Default username feature not supported  15-73
        ORA-1017: Invalid username/password  15-73
        ORA-12560: Protocol adapter error  15-74
        Decryption of Encrypted Private Key Fails  15-74
        ORA-28030  15-74
        Tracing  15-75
