Using the Advanced Networking Option
This chapter describes the following platform-specific
Advanced Networking Option (ANO) configurations:
Setting Up Network Security and Single Sign-On for
Windows NT and Windows 95
This section describes platform-specific configuration
steps to perform for Network Security and Single Sign-On on the Windows
NT or Windows 95 operating systems.
Biometric (Identix) Authentication Adapter
This section describes the following:
General Configuration Instructions
See Chapter 8, "Configuring
and Using the Biometric Identix Authentication Adapter," of the Oracle
Advanced Networking Option Administrator's Guide.
Configuring the TouchSafe II Device Driver
If, during the installation of Oracle Enterprise Manager's
Biometrics Manager, you choose not to let the Oracle Installer set
up your Identix TouchSafe II Device Driver, you can configure it manually
as follows.
Note:
You need to know the I/O port that your Identix
TouchSafe II is using before doing this. Refer to the Identix TouchSafe
II Hardware documentation.
To install the TouchSAFE II Encrypt device driver
for Windows NT:
- Change directories to ORACLE_HOME\IDENTIX.
- Modify the IoPortAddress parameter in ETSIINT.INI to the current TouchSafe
  II Encrypt I/O port setting. For example:
  IoPortAddress = REG_DWORD 0x00000360 for I/O port 0x360
- Modify the Windows NT directory setting in ETSIINT.BAT.
  For example:
  COPY ETSIINT.SYS C:\WINNT35\SYSTEM32\DRIVERS
  -> COPY ETSIINT.SYS C:\WINNT351\SYSTEM32\DRIVERS
- Run batch file ETSIINT.BAT.
- Use the SetKey utility in the Identix demo program to set a hash key in
  Hex. Set the key to C001BABE, for example. (Do not use this value!) Make
  sure the hash key matches exactly the one set in the DEFAULT Security policy.
- Reboot the system, and the device driver starts to work.
- To make sure the device driver is running, check the Control Panel's
  Devices dialog box after reboot. The device ETSIINT should already be started.
Corrections to the Oracle Advanced Networking Option
Administrator's Guide
Please note the following corrections and additions
to Chapter 8, "Configuring and Using the
Biometric Authentication Adapter," in the Oracle
Advanced Networking Option Administrator's Guide.
Configuring the Biometric Authentication Service
(page 9)
The Biometric Authentication Service can be created on any 7.3 database
using the PL/SQL scripts located in the IDENTIX subdirectory of your Oracle
home.
If you plan to use your local Oracle database
for Windows NT as your Biometric Authentication Service, you can set up
your database using Server Manager as follows:
- Change directories to ORACLE_HOME\IDENTIX.
- Connect to your database as user SYSTEM from Server Manager. Enter:
  C:\>SVRMGR23
  SVRMGR>CONNECT SYSTEM/MANAGER
- Enter @nauicat from within Server Manager. For example,
  SVRMGR>@nauicat
If you plan to use a remote Oracle7 database, you
may either:
- Set your TWO_TASK environment variable to be the SQL*Net alias of this
  remote database, then carry out the steps above.
Or,
- Copy all the PL/SQL files (*.SQL) in your ORACLE_HOME\IDENTIX directory
  over to the machine on which the remote Oracle7 database is running and
  then carry out the same steps.
- Once you have configured the database server that is to become the authentication
  server, test the connection by connecting as OFM_ADMIN/OFM_ADMIN.
  SVRMGR>CONNECT OFM_ADMIN/OFM_ADMIN
Administering the Oracle Biometric Authentication
Service (page 11)
Before you add users, use the Identix SetKey utility
to configure a (hex) hash key on each of the clients (for example: 0001BABE).
The key must be the same for each client and match the DEFAULT policy hashkey.
See "Add Policy (page 19)".
Add Policy (page 19)
To add a new policy:
- Click Policies.
- Click the [+] sign (called the Create button) on the Tool Bar. The dialog
  box appears.
- Tab to or click the boxes in which the data is to be entered.
- Type the policy's name and the three threshold levels. See the Identix
  documentation for a detailed explanation of how to set these three levels.
- Choose a hash key (hex) for this policy. For example: C001BABE.
- Click the [Create] box.
Configuring the Kerberos Authentication Adapter
To use the Kerberos Authentication Adapter on an
Oracle7 database, you need to have the root drive :\TMP subdirectory present.
Configuring the SecurID Authentication Adapter
If you use the SecurID Authentication Adapter on
an Oracle7 database, you need the following from your SecurID administrator:
- SDCONF.REC file present in the root drive :\TMP
- port numbers and service names present in the Windows NT SERVICES file
Configuring the CyberSAFE Authentication Adapter
Before using the CyberSAFE Authentication Adapter,
you must:
- install the CyberSAFE Application Security Toolkit
- run the CyberSAFE Challenger Client to get your ticket-granting ticket
Additional Information: See
the CyberSAFE Application Security Toolkit documentation.
Setting Up for Network Security and Single Sign-On for Windows 3.1x
This section describes platform-specific configuration
steps to perform for Network Security and Single Sign-On on the Windows
3.1x operating systems.
Configuring the CyberSAFE Authentication Adapter
Before using the CyberSAFE Authentication Adapter,
you must:
- install the CyberSAFE Application Security Toolkit
- run the CyberSAFE Challenger Client to get your ticket-granting ticket
- have the two configuration files in the directory specified by the CSFC5CONFIG
  and CSFC5REALMS parameters in AUTOEXEC.BAT
  For example:
  SET CSFC5CONFIG=C:\CSFC5\KRB.CNF
  SET CSFC5REALMS=C:\CSFC5\KRB.REA
- set the credentials cache path and file name with the CSFC5CCNAME parameter
  For example:
  SET CSFC5CCNAME=C:\CSFC5\KRBCCNAME
Additional Information: To configure
SQL*Net for use with the CyberSAFE Adapter, refer to the CyberSAFE Application
Security Toolkit documentation and the Oracle
Advanced Networking Option Administrator's Guide for detailed information.
Configuring the Kerberos Authentication Adapter
Before using the Kerberos Authentication Adapter,
you must
Using the Oracle Kerberos Utility
The Oracle Kerberos Utility (OKU) allows you to obtain
and cache Kerberos tickets. When you double-click the OKU icon in the Oracle
Program Group window, the OKU dialog box appears.
To complete configuration for Windows 3.1x:
- Log on and select Get Ticket.
  If you do not have a valid ticket-granting ticket,
  request one by providing your user name and password to log in to a Kerberos
  server. You can change the default attributes of the ticket by clicking
  the Options button.
- Select your Options.
  - Cache file: By default, the cache file is C:\ORAWIN\BIN\KRB.TC,
    where C represents the drive for your ORAWIN\BIN directory. You can also
    specify the cache file in the SQLNET.ORA file.
    For example:
    SQLNET.KERBEROS5_CC_NAME=C:\ORAWIN\NETWORK\ADMIN\KRB.TC
  - Lifetime: By default, the ticket-granting ticket is valid for 8
    hours. You may want shorter or longer-lived credentials. Note that the
    Key Distribution Center can ignore this option or put site-configured limits
    on what can be specified. The lifetime value is represented by a string
    consisting of numbers qualified by w, d, h, m, or s. These letters
    mean weeks, days, hours, minutes, or seconds, respectively.
    For example:
    2w1d6h20m30s
    means ask for a ticket-granting ticket with a lifetime
    of 2 weeks, 1 day, 6 hours, 20 minutes, and 30 seconds.
  - Forwardability: Check this attribute box if a database link is
    required later.
- Choose OK to save changes.
- Choose Browse to select the cache file you want to use.
You can view the ticket information by clicking
Show. To remove the cache file, click Remove.
You can leave the OKU by clicking Cancel/Close
at any time.
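The lifetime string format described under Options can be checked before it is entered. The following is an added example, not Oracle's code: it converts a string such as 2w1d6h20m30s to seconds and lists requests that exceed a site limit of the kind a Key Distribution Center may enforce. The function names, the sample requests, and the choices to accept units in any order and reject repeated units are assumptions, since the page does not document how OKU itself parses the value.

```python
import re

# Seconds per unit letter, as listed in the text: w, d, h, m, s.
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([wdhms])")
DEFAULT_LIFETIME = 8 * 3600  # the 8-hour default stated in the text

# Constructed sample requests (user, requested lifetime); not real data.
SAMPLE_REQUESTS = [("alice", "8h"), ("bob", "2w1d6h20m30s"), ("carol", "1d")]


def parse_lifetime(text):
    """Return the lifetime in seconds, or raise ValueError if malformed."""
    text = text.strip()
    if not text:
        raise ValueError("empty lifetime string")
    total, pos, seen = 0, 0, set()
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:]!r}")
        count, unit = int(match.group(1)), match.group(2)
        if unit in seen:  # assumption: a unit may appear only once
            raise ValueError(f"unit {unit!r} given more than once")
        seen.add(unit)
        total += count * UNIT_SECONDS[unit]
        pos = match.end()
    return total


def effective_lifetime(requested, site_max_seconds):
    """Model a KDC that caps the requested lifetime at a site limit.

    Assumption: a real KDC may cap, ignore or reject the request; this caps.
    """
    return min(parse_lifetime(requested), site_max_seconds)


def over_limit(requests, site_max_seconds):
    """Return the (user, lifetime) requests that ask for more than the limit."""
    return [(user, lifetime) for user, lifetime in requests
            if parse_lifetime(lifetime) > site_max_seconds]
```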
Configuring the SecurID Authentication Adapter
You need the following information from your SecurID
administrator if you use the SecurID Authentication Adapter on an Oracle7
database:
- SDCONF.REC file present in the root directory drive :\TMP
- port numbers and service names present in NT services file
Note: The SecurID
Authentication Adapter does not support database roles and database links.