Oracle Advanced Networking Option Administrator's Guide
CHAPTER 6. Configuring Oracle for Use with SecurID Adapter


This chapter describes how to configure the SecurID authentication adapter along with the Oracle server and clients. It assumes that you are familiar with the Security Dynamics ACE/Server and that the ACE/Server is installed and running.

Refer to Chapter 6, "Using the SecurID Authentication Adapter" for information on using the SecurID card itself. Refer to the Preface for a list of related publications to read.

System Requirements

To use the SecurID authentication adapter included in the Advanced Networking Option release 2.3.2, you need the following:

Note: Install the Oracle Advanced Networking Option release 2.3.2 product with the Oracle Installer.

Known Limitations

Following are the known limitations:

Steps to Perform to Enable SecurID Authentication

This section contains information on the following tasks:

Register Oracle as a SecurID Client (Releases 1.2.4 and 2.0)

Register the machine on which the Oracle Server resides, as a SecurID client with the ACE server. You can do this with the Security Dynamics tool sdadmin. From the Client menu, choose Create Client (ACE/Server 1.2.4) or Add Client (ACE/Server 2.0), to create a client.

Refer to the Security Dynamics ACE/Server Instruction manual, version 1.2.4 or to the Security Dynamics ACE/Server version 2.0 Administration manual for more detailed information.

Ensure that Oracle Can Find the Correct UDP Port (ACE/Server Releases 1.2.4 and 2.0)

Note: Verify that the ACE/Server, the Oracle server, and the Advanced Networking Option are installed.

Make sure that the Oracle server can determine the correct UDP port for contacting the ACE/Server. These port numbers are typically stored in a file named services; on the UNIX operating system, this file is usually located in the /etc directory. If you are using NIS (Network Information Service) as a naming service, make sure that the services map contains the correct entries for SecurID.

Note: You can verify which port the ACE server is using by running the Security Dynamics tool Kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0).

Install the Advanced Networking Option on the Oracle Server and Client

Install the Advanced Networking Option on the Oracle server and Oracle client.

Configure Oracle as a SecurID Client (for ACE/Server Release 1.2.4)

Note: The information in the following sections is UNIX-specific.

The SecurID configuration files are typically stored in /var/ace. On the Oracle server machine, create this directory and copy the configuration files to it. At the minimum, you need the file sdconf.rec. The configuration files are used by both Oracle and the standard SecurID tools. Because the SecurID tools run setuid root, there can be a problem with the access permissions on the directory /var/ace and the files in this directory. Make sure that the owner of the Oracle executable (for example, the user "oracle7") is able to read all the files in /var/ace and can create new files in this directory.

Attention: Do not attempt to overcome this by running Oracle setuid root. It is unnecessary and dangerous to do so.

There are two ways to reach this goal without compromising security. Both ways work, but it is recommended that you use method #1. Both methods allow you to use Oracle with the SecurID authentication adapter and still continue using the other SecurID tools.

Method #1 The owner of the Oracle executable should also own the /var/ace directory and the files in /var/ace. For example, if the owner of the Oracle executable is the user "oracle7," perform the following steps, as root:

  # chown oracle7 /var/ace
  # chmod 0700 /var/ace
  # chown oracle7 /var/ace/*
  # chmod 0600 /var/ace/*

Method #2 The other option is to have root own the /var/ace directory and the files in /var/ace, but give the Oracle group read and write access. If the Oracle group is 'dba', you need to perform the following steps, as root:

  # chown root /var/ace
  # chmod 0770 /var/ace
  # chgrp dba /var/ace
  # chown root /var/ace/*
  # chmod 0660 /var/ace/*
  # chgrp dba /var/ace/*
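As an added check that is not part of the Oracle manual, the following POSIX shell function verifies that an ACE configuration directory matches Method #1 or Method #2 above (no world access, correct owner or group access) so the Oracle process can read sdconf.rec and create files without ever running setuid root; the function name and its arguments are my own.

```shell
#!/bin/sh
# Added check script (not from the Oracle manual). Verifies that an ACE
# configuration directory matches Method #1 (Oracle user owns everything,
# 0700/0600) or Method #2 (root owns everything, Oracle group has rw,
# 0770/0660) and that nothing in it is world-accessible.
# Usage: check_ace_perms DIR ORACLE_USER [ORACLE_GROUP]  (user may be a uid)

check_ace_perms() {
    ace_dir=$1
    ace_user=$2
    ace_group=${3:-}
    ace_rc=0

    if [ ! -d "$ace_dir" ]; then
        echo "FAIL: $ace_dir is not a directory"
        return 1
    fi
    # sdconf.rec is the minimum file the adapter needs.
    if [ ! -f "$ace_dir/sdconf.rec" ]; then
        echo "FAIL: $ace_dir/sdconf.rec is missing"
        ace_rc=1
    fi
    # Neither the directory nor any file in it may carry world r/w/x bits.
    ace_world=$(find "$ace_dir" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)
    if [ -n "$ace_world" ]; then
        echo "FAIL: world-accessible entries:"
        echo "$ace_world"
        ace_rc=1
    fi
    if [ -n "$ace_group" ]; then
        # Method #2: root owns every entry, the group is the Oracle group,
        # and the group read and write bits are set (dir 0770, files 0660).
        ace_bad=$(find "$ace_dir" \( ! -user root -o ! -group "$ace_group" \
                  -o ! -perm -0060 \) -print)
    else
        # Method #1: the Oracle user owns the directory and every file in it.
        ace_bad=$(find "$ace_dir" ! -user "$ace_user" -print)
    fi
    if [ -n "$ace_bad" ]; then
        echo "FAIL: entries not matching the chosen method:"
        echo "$ace_bad"
        ace_rc=1
    fi
    if [ "$ace_rc" -eq 0 ]; then
        echo "OK: $ace_dir matches the expected SecurID layout"
    fi
    return "$ace_rc"
}
```

Run it as root after applying either method, for example `check_ace_perms /var/ace oracle7` or `check_ace_perms /var/ace oracle7 dba`; a non-zero exit lists the entries that still need fixing.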

Configure Oracle as a SecurID Client (Release ACE/Server 2.0)

The Oracle process will act as an ACE server client. For this reason, you need to install the ACE client software on the Oracle server machine. For information on how to install an ACE client, refer to the ACE/Server Version 2.0 Client for UNIX manual.

Note the following:

  # ln -s $VAR_ACE /var/ace

Attention: Whether you use Method 1 or Method 2 (following), make sure that you do not install Oracle as root.

  # chown oracle7 /var/ace
  # chown oracle7 /var/ace/*
  # chmod 0770 /var/ace
  # chmod 0660 /var/ace/*

  # ln -s $VAR_ACE /var/ace
  # chown oracle7 $VAR_ACE
  # chown oracle7 $VAR_ACE/*
  # chmod 0770 $VAR_ACE
  # chmod 0660 $VAR_ACE/*

1. Install the ACE client or server and Oracle under the same UNIX account. (You have to install the ACE software as root, but you can specify which administrator should own the files. Specify the same user as the owner of the Oracle executable, typically oracle7).

2. Add the owner of the oracle executable to the ACE administrators' group.

Note: Make sure the owner of the oracle executable remains a member of the DBA group; otherwise you will not be able to control your database.

Configure the SecurID Authentication Adapter with Network Manager

This section provides the procedure for configuring the SecurID authentication adapter.

Select the General Page from Client Profile

In Network Manager, select the Client Profile icon in the Treeview representation of your network (to edit an existing client profile), or the Client Profile icon from the Network Object Tool Bar (to create a new client profile). The General page shown in Figure 6 - 1 appears.

Figure 6 - 1. Client Profile: General Page

Note: Network Manager generates a Client Profile for every community created (for example, TCP.world), and for every node that is a member of more than one community. If you create additional Client Profiles, Network Manager names them PRF2, PRF3, and so forth. Change the names to something more meaningful.

Attention: Use the Client Profile to configure the Advanced Networking Option parameters for servers, the same way you do for clients. (The parameters you configure are generated to SQLNET.ORA files, which reside on both clients and servers.)

Select the Authentication Page from Client Profile

Select this folder tab to configure an authentication service on your network. When you select Authentication, the initial Authentication page shown in Figure 6 - 2 appears.

Figure 6 - 2. Client Profile: Initial Authentication Page

To configure the SecurID authentication adapter, select Create from the Initial Authentication page. The Default Authentication Services page displays, as shown in Figure 6 - 3.

Default Authentication Services Page

The Default Authentication Services page is shown in Figure 6 - 3.

Figure 6 - 3. Default Authentication Services Page

The default is NO AUTHENTICATION, which disables authentication.

Note: NO AUTHENTICATION can only be selected by itself. You will not be able to select any other authentication service while NO AUTHENTICATION is selected.

If you want to specify one or more authentication services to be used in a specific order, select one of the authentication services from the drop-down list at the top of the page. The choices are: Access Manager, CyberSAFE, Identix, Kerberos (V5), NO AUTHENTICATION, and SecurID.

Note: Access Manager is not supported in this release of the Advanced Networking Option.

Attention: Do not select an authentication service unless it is installed and linked into your SQL*Net network. If you do, it will cause connections to fail because they will look for authentication where none is available.

Each authentication adapter you select has different parameters for which you may need to supply values. Some are required and some are optional. You will be prompted to enter all required parameters for each authentication adapter.

For further information about how to use Oracle Network Manager to configure authentication services, see the Oracle Network Manager Administrator's Guide.

Select the SecurID Authentication Page

If you select SecurID on the default Authentication page, the SecurID page shown in Figure 6 - 4 displays.

Figure 6 - 4. SecurID Authentication Page

The SecurID authentication service does not require any parameters.

Create Users for the SecurID Adapter

To create users for the SecurID authentication adapter, perform the following steps:

  SQLDBA> connect system/manager
  SQLDBA> create user <os_authent_prefix><username>
          identified externally;

Note: Because user names can be long and Oracle user names are limited to 30 characters, it is strongly recommended that OS_AUTHENT_PREFIX be set to a null value:

  OS_AUTHENT_PREFIX=""

Note: At this point, an Oracle user with <username> should not yet exist.

  SQLDBA> create user king identified externally;

  SQLDBA> grant create session to king;

Troubleshooting the Configuration of the SecurID Authentication Adapter

This section lists some things to verify if you experience problems while configuring the SecurID Adapter:

Note: Also verify that the permissions on the /var/ace/sdconf.rec file and the directory /var/ace are set so that the Oracle process can read and write in the directory.

Note: Also make sure that the owner of the oracle executable can read and write the files in this directory.

  trace_level_server = admin

  SQL> select * from all_users;

  sqlplus system/manager@oracle_dbname

  03/24/95   10:04  User not on client machinename

  SQLNET.AUTHENTICATION_SERVICES=(NONE)

Attention: Setting this parameter to this value disables the SecurID authentication adapter. You will no longer be able to connect to Oracle using the SecurID card.

Copyright © 1996 Oracle Corporation.
All Rights Reserved.