CHAPTER 7. Using the SecurID Authentication Adapter
This chapter describes how to use the Oracle SecurID authentication adapter with the Oracle client tools. This chapter assumes that you are already familiar with SecurID concepts, and that you have configured Oracle for use with the SecurID adapter. (See Chapter 6, "Configuring Oracle for Use with SecurID Authentication Adapter" for information.) Also refer to the Preface of this guide for a list of publications to read.
Configure the Oracle Client to Use the SecurID Authentication Adapter
Before you can use the SecurID authentication adapter to verify passwords, make sure the following things have been done:
- the SecurID authentication adapter has been installed and linked into the SQL*Net configuration
- Oracle has been configured for use with the ACE/Server (that is, it can act as a SecurID client)
- the client and server have been configured with the necessary parameters so that database passwords can be verified by the central SecurID authentication server.
- users have been configured for use with the SecurID adapter as described in Chapter 6, "Configuring Oracle for Use with the SecurID Authentication Adapter".
Log into the Oracle Server
The SecurID authentication adapter allows you to log into the Oracle server with the PASSCODE that is generated by the SecurID card. The PASSCODE replaces the password in the Oracle connect statement.
There are two types of SecurID cards: standard cards and PINPAD cards. Depending on the type of card, you type in the PIN number either:
- on the card itself (PINPAD cards), or
- as part of the Oracle connect statement (standard cards).
Using Standard Cards
The standard cards generate and display a PASSCODE. When logging in to Oracle, you need to specify your username, your pincode and the current PASSCODE, using the following syntax:
SQL>connect <username>/<pin><passcode>@<service_name>
For example, if the card is assigned to user king, the pin number is "3511", and the card shows the number "698244", this is how you would log into Oracle using SQL*Plus:
% sqlplus king/3511698244@oracle_database
Note: Although the Security Dynamics tools support the characters " ", <tab>, "\", "/", ";", ":" as delimiters between the pin number and the PASSCODE, you should not use these characters because Oracle interprets them differently.
Using PINPAD Cards
If you have a PINPAD card, you first have to type in your pincode on the card and generate a new PASSCODE. You would then use this PASSCODE to connect to Oracle using the following syntax:
SQL>connect <username>/<passcode>@<service_name>
For example, if the card is assigned to user king, first generate a PASSCODE by typing the pin number on the PINPAD card. (Refer to the Security Dynamics documentation on how to do this.) If the generated PASSCODE is "698244", to connect to Oracle using SQL*Plus, you would type:
% sqlplus king/698244@oracle_dbname
Assign a New Pincode to a SecurID Card
If you are logging in for the first time, or the administrator has put your card in the new-PIN mode, you have to assign a pincode to the card. You can tell that this is the case if, while trying to connect to Oracle, you get the following error message:
ORA-12681 "Login failed: the SecurID card does not have a pincode yet"
Assigning a pincode to a card is easy and can be done by connecting to the Oracle Server using a special syntax. First, you need to select a pin number, which is typically 4 to 8 digits long. Depending on the type of SecurID card you have, you may be able to use letters too.
The syntax while connecting to the Oracle database is:
SQL>connect <username>/"+<pincode>+<passcode>"@oracle_dbname
For the passcode, enter the cardcode that is currently displayed on your SecurID card's LCD. If you have a PINPAD card, do not enter the pin code on the card.
Note: You must add the two '+' characters in the connect string, because they tell Oracle that this is an attempt to assign a pincode to the card. Also, they separate the new pin code from the passcode.
Note: You must enclose the pincode/passcode combination in double quotes. Some Oracle tools such as Server Manager truncate the password string (pincode/passcode) just before the plus ("+") character. Surrounding the password string (pincode/passcode) in double quotes ("") prevents the password string from being truncated.
For example, if the card is assigned to user king, your new pin code is "45618" and the SecurID card currently displays number "564728", you would type:
% sqlplus king/"+45618+564728"@oracle_dbname
If the new pin code is accepted, you will be connected to Oracle. The next time you want to connect to Oracle, use the procedure described in "Log into the Oracle Server".
If the new pincode is rejected, you get the following error:
ORA-12688 "Login failed: the SecurID server rejected the new pincode"
Possible Reasons Why a PIN Code Would be Rejected
Following are some possible reasons why a PIN code would be rejected:
1. The new pin code is less than 4 or more than 8 characters long.
2. The pin code contains invalid characters. Valid characters are digits and, for some SecurID cards, the letters "a" through "z".
3. You are not allowed to make up your own pin number. The Security Dynamics ACE/Server can be configured in such a way that you cannot make up your own code. If this is the case, you will have to use one of the Security Dynamics tools, which will generate a new pin code for your card.
Log in When the SecurID Card is in "Next Code" Mode
As an additional safety step, the ACE/Server sometimes asks for the next card code, to ensure that the person who is trying to log in actually has the card in his or her possession. You can tell when this is the case, if you get the following error message when you try to log into Oracle:
ORA-12682 "Login failed: the SecurID card is in next PRN mode"
The next time you want to log in to Oracle, you will have to specify the next two card codes. The syntax you use to log into Oracle depends on the kind of SecurID card you have (Standard versus PINPAD) and is described below.
Log in with a Standard Card
If you have a standard card, specify the following:
1. your pincode
2. the card code currently displayed on the card
3. a '+' character and the next card code.
Steps 1, 2, and 3 replace the password.
The '+' character is important, because it separates the first passcode from the second one.
Use the following syntax:
SQL>connect <username>/"<pincode><passcode>+<next passcode>"@<service_name>
Note: You must enclose the pincode/passcode/next passcode combination in double quotes. Some Oracle tools such as Server Manager truncate the password combination just before the plus ("+") character. Surrounding the pincode and passcode in double quotes ("") prevents the password combination from being truncated.
For example, if the card is assigned to user king, the PIN number is "3511", and the card first shows the number "698244" and the next number is "563866", you would type:
% sqlplus king/"3511698244+563866"@oracle_database
This connects you to the Oracle server and puts the card back into normal mode. The next time you want to log in to the Oracle server, use the procedure described in "Log into the Oracle Server."
Log in with a PINPAD Card
If you have a PINPAD card, to log into the Oracle server, do the following:
1. Type in your pincode on the card to generate the first PASSCODE.
2. Clear your card's memory by pressing P, then wait for the next PASSCODE.
3. Log into the Oracle server with these two passcodes, separated by a + character. Use the following syntax:
SQL>connect <username>/"<first passcode>+<second passcode>"@<service_name>
For example, if the card is assigned to user king:
1. Type in the pincode on the PINPAD card to generate a passcode; for example, "231003".
2. Clear the card's memory. The next displayed number might be "831234".
3. To log in, use the following syntax, entering the two passcodes generated in steps 1 and 2:
% sqlplus king/"231003+831234"@oracle_dbname
This connects you to Oracle and puts the card back into normal mode. The next time you want to log in to Oracle, use the procedure described in "Log into the Oracle Server".
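The three connect-string forms in this chapter (normal login, new-PIN assignment, and next-code mode) share one small grammar for the password field. The following helper, added here as an illustration and not part of Oracle's or Security Dynamics' software, builds that field from a PIN and one or two PASSCODEs, applies the chapter's PIN rules (4 to 8 characters, digits or letters a through z), refuses the delimiter characters the earlier note warns against, and adds the double quotes that a '+' requires. The function and mode names are this example's own.

```python
import re

# Rules the chapter states for a new PIN: 4 to 8 characters, digits or (on
# some SecurID cards) the letters a through z.
PIN_RE = re.compile(r"^[0-9a-z]{4,8}$")
# Delimiters the Security Dynamics tools accept between PIN and PASSCODE but
# that Oracle interprets differently, so they must not appear in the field.
ORACLE_SPECIAL = set(" \t\\/;:")

def pin_rejection_reason(pin: str) -> str:
    """Return why a new PIN would be refused under reasons 1 and 2 of the
    chapter, or "" if it passes; reason 3 (server policy) is not checkable here."""
    if not 4 <= len(pin) <= 8:
        return "PIN must be 4 to 8 characters long"
    if not PIN_RE.match(pin):
        return "PIN may contain only digits or the letters a through z"
    return ""

def quote_if_needed(field: str) -> str:
    """Double-quote a field containing '+': some tools, such as Server
    Manager, truncate the password just before an unquoted '+'."""
    if any(c in ORACLE_SPECIAL for c in field):
        raise ValueError("field contains a character Oracle would misinterpret")
    return f'"{field}"' if "+" in field else field

def password_field(mode: str, passcode: str, pin: str = "",
                   next_passcode: str = "") -> str:
    """Build the password part of the connect string.

    mode is 'login', 'new_pin' or 'next_code' (names chosen for this example).
    For a PINPAD card leave pin empty: the PIN is typed on the card itself.
    """
    if mode == "login":
        return quote_if_needed(pin + passcode)
    if mode == "new_pin":
        reason = pin_rejection_reason(pin)
        if reason:
            raise ValueError(reason)
        # The two '+' characters tell Oracle this is a PIN-assignment attempt.
        return quote_if_needed(f"+{pin}+{passcode}")
    if mode == "next_code":
        # The '+' separates the current card code from the next one.
        return quote_if_needed(f"{pin}{passcode}+{next_passcode}")
    raise ValueError(f"unknown mode {mode!r}")

def connect_string(user: str, field: str, service: str) -> str:
    """Assemble the SQL*Plus argument <username>/<password>@<service>."""
    return f"{user}/{field}@{service}"
```

Feeding the chapter's own sample values through `password_field` reproduces each connect string shown above, quotes included.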