5
Configuring Oracle for Use with the SecurID Adapter

This chapter describes how to configure and use the SecurID authentication adapter with the Oracle server and clients. It assumes that you are familiar with the Security Dynamics ACE/Server and that the ACE/Server is installed and running. Refer to the "Preface" for a list of related publications to read.

The following topics are discussed:

5.1 System Requirements

To use the SecurID authentication adapter included in the Oracle Advanced Networking Option release 8.0.3, you need the following:

SQL*Net release 8.0.3 or higher
Oracle 8.0.3 or higher
ACE/Server 1.2.4 or higher
The Oracle server machine must be running UDP/IP and TCP/IP protocols, because Oracle needs to communicate with the ACE/Server. Even though the client uses SQL*Net or Net8 to connect to Oracle, Oracle needs UDP to connect to the ACE/Server.

5.2 Known Limitations

The SecurID authentication adapter does not support database links, also known as "proxy authentication." This is a direct consequence of the fact that the SecurID card codes can only be used once.

When using the SecurID authentication adapter, password encryption is disabled. This means that the SecurID card code (and, if you use standard cards, the PIN), are sent over to the Oracle server in clear text. This could be a security problem, so Oracle recommends that you turn on the Oracle Advanced Networking Option datastream encryption, which ensures that the PIN is encrypted when sent to the Oracle server. For information on how to use datastream encryption, see Chapter 2, "Configuring Encryption and Checksumming".

5.3 Steps to Perform to Enable SecurID Authentication

This section contains information on the following tasks:

5.3.1 Register Oracle as a SecurID Client (ACE/Server Release 1.2.4)

Register the machine on which the Oracle Server resides as a SecurID client with the ACE server. You can do this with the Security Dynamics tool sdadmin. From the Client menu, choose Create Client (ACE/Server 1.2.4) or Add Client (ACE/Server 2.0), to create a client.

Refer to the Security Dynamics ACE/Server Instruction manual, version 1.2.4, or to the Security Dynamics ACE/Server version 2.0 Administration manual for more detailed information.

5.3.2 Ensure that Oracle Can Find the Correct UDP Port (ACE/Server Release 1.2.4)

First verify that the ACE/Server, the Oracle server, and the Oracle Advanced Networking Option are installed.

Make sure that the Oracle server can discover what the correct UDP port for contacting the ACE/Server is. These port numbers are typically stored in a file called services. On the UNIX operating system, this file is typically in the /etc directory. If you are using NIS (Network Information Services) as a naming service, make sure that the services map contains the correct entries for SecurID.

Note:

You can verify which port the ACE server is using by running the Security Dynamics tool Kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0).

5.3.3 Install the Oracle Advanced Networking Option on the Oracle Server and Client

Install the Oracle Advanced Networking Option on the Oracle server and Oracle client using the Oracle Installer.

5.3.4 Configure Oracle as a SecurID Client (for ACE/Server Release 1.2.4)

5.3.4.1 Install the SecurID configuration files on the Oracle server machine.

You can obtain the SecurID configuration files from any other SecurID client or from the machine that runs the ACE/Server.

Note:

The information in the following sections is UNIX-specific.

These files are typically stored in /var/ace. On the Oracle server machine, create this directory and copy the configuration files to it. At the minimum, you need the file sdconf.rec. The configuration files are used by both Oracle and the standard SecurID tools. Because the SecurID tools run setuid root, there can be a problem with the access permissions on the directory /var/ace and the files in this directory. Make sure that the owner of the Oracle executable (for example, the user "oracle8") is able to read all the files in /var/ace and can create new files in this directory.

Attention:

Do not attempt to overcome this by running Oracle setuid root. It is not necessary, and it is dangerous to do so.

There are two ways to reach this goal without compromising security. Both ways work, but it is recommended that you use method #1. Both methods allow you to use Oracle with the SecurID authentication adapter and still continue using the other SecurID tools.

Method #1

The owner of the Oracle executable should also own the /var/ace directory and the files in /var/ace. For example, if the owner of the Oracle executable is the user "oracle8," perform the following steps, as root:

# chown oracle8 /var/ace
# chmod 0770 /var/ace
# chown oracle8 /var/ace/*
# chmod 0660 /var/ace/*

Method #2

The other option is to have root own the /var/ace directory and the files in /var/ace, but give the Oracle group read and write access. If the Oracle group is "dba", you need to perform the following steps, as root:

# chown root /var/ace
# chmod 0770 /var/ace
# chgrp dba /var/ace
# chown root /var/ace/*
# chmod 0660 /var/ace/*
# chgrp dba /var/ace/*

5.3.5 Configure Oracle as a SecurID Client (Release ACE/Server 2.0)

The Oracle process will act as an ACE server client. For this reason, you need to install the ACE client software on the Oracle server machine. For information on how to install an ACE client, refer to the ACE/Server Version 2.0 Client for UNIX manual.

Note the following:

The VAR_ACE environment variable is not supported. You have to store the configuration data in the /var/ace directory. If you currently have the ACE configuration data in a different location, you should create a symbolic link using the following command:
```
# ln -s $VAR_ACE /var/ace
```
Oracle needs to be able to read and write the ACE configuration data. This data is stored in the directory /var/ace (or $VAR_ACE if you use the symbolic link shown above).

Whether Oracle can read the configuration data depends on how you installed the ACE client software on the Oracle server. During the installation of the ACE client software, you can specify which administrator should own the configuration files.

Attention:

Whether you use Method 1 or Method 2, below, make sure that you do not install Oracle as root.

5.3.5.1 Method #1

If root is the owner of the ACE server configuration data files, you will have to change the UNIX file permissions so that the owner of the oracle executable can read and write to these files. For example, the following commands give Oracle access to the files, and all the Security Dynamics tools that run as setuid root will still be able to access the files.

# chown oracle8 /var/ace 
# chown oracle8 /var/ace/*
# chmod 0770 /var/ace
# chmod 0660 /var/ace/*

If the environment variable VAR_ACE is set to a different location than /var/ace, you should instead execute the following commands:

# ln -s $VAR_ACE /var/ace
# chown oracle8 $VAR_ACE
# chown oracle8 $VAR_ACE/*
# chmod 0770 $VAR_ACE
# chmod 0660 $VAR_ACE/*

5.3.5.2 Method #2

If the ACE files are not owned by root, you have two options:

Install the ACE client or server and Oracle under the same UNIX account. (You have to install the ACE software as root, but you can specify which administrator should own the files. Specify the same user as the owner of the Oracle executable, typically "oracle8").
Add the owner of the Oracle executable to the ACE administrators' group.

Note:

Make sure the owner of the oracle executable remains a member of the DBA group; otherwise you will not be able to control your database.

For the change to take effect, do the following:

Log out, and log in again as the Oracle owner.
Restart your Network listener.
Restart your Oracle server.

5.4 Configure the SecurID Authentication Adapter using the Net8 Assistant

The following steps show you how to use the Net8 Assistant to configure the
SECURID authentication adapter. Refer also to the Net8 Assistant online HELP
system for instructions on how to configure the SECURID Authentication adapter.

Configure Clients, and Servers, to use encryption as follows. Refer to Figure 5-1, "Oracle Net8 Assistant Profile Encryption Tab".

Click the Profile folder.
Select Advanced Networking Options from the drop-down list box.
Click the Encryption tab.
Click the Encryption drop-down list box, and click CLIENT or SERVER.
Click the Encryption Type drop-down list box, and click one of the following values: requested, required, accepted, rejected.
Type between 10 and 70 random characters for the Encyption Seed.
Move services to and from the Available Services and Selected Services lists by selecting a service and clicking the arrow keys.
Figure 5-1 Oracle Net8 Assistant Profile Encryption Tab

Next, you must configure an authentication service on your network. Refer to Figure 5-2, "Oracle Net8 Assistant Profile Authentication Tab".

Click the Profile folder.
Click the Authentication tab.
Click to select the authentication service you want from the Available Services list.
Click the [<] button to move the service over to the Selected Services list.
Repeat steps 4 and 5, above, until you have selected all of your required authentication services.
Arrange the selected services in order of desired use. Click on a service to select it, then click [Promote] or [Demote] to arrange the services in the list. For example, put SECURID at the top of the list if you want that service to be the first one used.
Figure 5-2 Oracle Net8 Assistant Profile Authentication Tab

You now must configure the authentication parameters. Refer to Figure 5-3, "Oracle Net8 Assistant Profile Parameter Tab". You do not provide any additional parameter for the SECURID authentication service.

Click the Profile folder.
Click the Parameter tab.
Click the Authentication Service drop-down list box, and select SECURID.
No additional parameters are required.
Figure 5-3 Oracle Net8 Assistant Profile Parameter Tab

5.5 Creating Users for the SecurID Adapter

To create users for the SecurID authentication adapter, perform the following steps:

Assign a card to a person, using the Security Dynamics sdadmin program. When the sdadmin tool asks for a login name when creating a new user, fill in the same name you will use later to create the Oracle user. Refer to the Security Dynamics documentation for information on how to do this.
If you want the user to be able to specify a new PIN to the card using the Oracle tools, choose the option that allows the user to make up his or her own PIN. If you do not allow this, the user will have to use the Security Dynamics tools to generate a PIN if the card is in new-PIN mode. Activate the user on the Oracle Server. (The Oracle Server should already be registered as a SecurID client.)

Create an Oracle Server account for this user. You can do this by using Server Manager connected as a user with the create user database role. Use the following syntax to create an account:

SVRMGRL> connect system/manager
SVRMGRL> create user os_authent_prefix username identified externally

The OS_AUTHENT_PREFIX is an Oracle Server initialization parameter (for example, in INIT.ORA). The OS_AUTHENT_PREFIX default value is OPS$. The username should be the same as the name you assigned to the card in step 1 above.

Note:

Because user names can be long and Oracle user names are limited to 30 characters, it is strongly recommended that OS_AUTHENT_PREFIX be set to a null value:

OS_AUTHENT_PREFIX=""

At this point, an Oracle user with username should not yet exist.

Example: Assuming you have assigned a card to the user "king", and assuming that os_authent_prefix has been set to a null value (""), at this point you should create an Oracle user account using the following syntax:

SQLDBA> create user king identified externally;

You may want to give this user some database privileges. At the minimum, the user should have the "create session" privilege.
```
SQLDBA> grant create session to king;
```
The user "king" can now connect to Oracle using his or her SecurID card.

For information on how to log into an Oracle server after the SecurID adapter has been installed and configured, see Section 6.1.1, "Log into the Oracle Server".

5.6 Troubleshooting the Configuration of the SecurID Authentication Adapter

This section lists some things to verify if you experience problems while configuring the SecurID Adapter.

The services map should have an entry for the Security Dynamics ACE server. The service name is typically securid, but the SecurID administrator can choose any name.
Use the SecurID tool kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0) to verify the name of the authentication service and the port numbers that SecurID is expecting to use. Verify that these port numbers match those in
/etc/services, or the services map if you are using NIS.

(Applies to ACE/Server release 1.2.4 only) Verify that the /var/ace/sdconf.rec file is present on the machine running the Oracle server. Also verify that the permissions on the /var/ace/sdconf.rec file and the directory /var/ace are set so that the Oracle process can read and write in the directory.

(Applies to ACE/Server release 2.0 only) Make sure the ACE configuration data is in the /var/ace directory. Use of the VAR_ACE environment variable is not supported. Also make sure that the owner of the oracle executable can read and write the files in this directory.
Check to see if the Oracle server machine is registered as a SecurID client. You can do this by using the Security Dynamics tool sdadmin.
The user who is trying to connect to Oracle should be activated on the Oracle Server, either as a direct user or as part of a group of users. Verify this using the SecurID tool sdadmin.
Security Dynamics has developed a few logging facilities that can help you find problems. By using sdadmin, you can see a log of the recent system activities, including failed authentication with the reason for the failure. You can also use sdlogmon to get a similar log listing.
Turn on tracing by adding the following line to the SQLNET.ORA file on the Oracle side:
```
trace_level_server = admin
```
Turning tracing on at the client side is less informative, because all interaction between the Oracle server and the ACE server happens at the Oracle server side of the SQL*Net connection. Be sure to turn off tracing when you have completed your check.
Make sure that the user has been created in the Oracle database as an externally-identified user with the correct prefix (which defaults to OPS$). When connected as system, enter:
```
SQL> select * from all_users;
```
to get a list of all database users.

When you connect to Oracle as a non-externally identified user, the SecurID log file will indicate a warning. For example, if you connect as 'system' using:

sqlplus system/manager@oracle_dbname

the SecurID log file displays:

03/24/95   10:04  User not on client machinename

This is not an error. Since the Oracle client and server negotiated to use SecurID because of the SQLNET.AUTHENTICATION_SERVICES line in SQLNET.ORA, Oracle will contact the ACE/Server to validate 'system'. When validation fails, Oracle will validate the password internally. If the password is valid, you will be able to connect.

The only way to eliminate the warning message is to disable the SecurID authentication adapter. To do so, change the SQLNET.ORA file on the Oracle client to:

SQLNET.AUTHENTICATION_SERVICES=(NONE)

Setting this parameter to this value disables the SecurID authentication adapter. You will no longer be able to connect to Oracle using the SecurID card.

5.7 Using the SecurID Authentication Adapter

This section describes how to use the Oracle SecurID authentication adapter with the Oracle client tools. This chapter assumes that you are already familiar with SecurID concepts, and that you have configured Oracle for use with the SecurID adapter. (See Section 5.4, "Configure the SecurID Authentication Adapter using the Net8 Assistant" for information.) Also refer to the "Preface" of this guide for a list of publications to read.

5.8 Configure the Oracle Client to Use the SecurID Authentication Adapter

Before you can use the SecurID authentication adapter to verify passwords, make sure the following things have been done:

The SecurID authentication adapter has been installed and linked into the SQL*Net configuration.
Oracle has been configured for use with the ACE/Server (that is, it can act as a SecurID client).
The client and server have been configured with the necessary parameters so that database passwords can be verified by the central SecurID authentication server.
Users have been configured for use with the SecurID adapter as described in Section 5.4, "Configure the SecurID Authentication Adapter using the Net8 Assistant".

5.8.1 Log into the Oracle Server

The SecurID authentication adapter allows you to log into the Oracle server with the PASSCODE that is generated by the SecurID card. The PASSCODE replaces the password in the Oracle connect statement.

There are two types of SecurID cards:

standard (model SD200)
PINPAD (model SD520)

Depending on the type of card, you type the PIN

directly onto the card

or as part of the Oracle connect statement.

5.8.1.1 Using Standard Cards

The standard cards generate and display a PASSCODE. When logging in to Oracle, you need to specify your username, your PIN and the current PASSCODE, using the following syntax:

SQL>connect <username>/<pin><passcode>@<service_name>

For example, if the card is assigned to user king, the PIN is "3511," and the card shows the number "698244," this is how you would log into Oracle using SQL*Plus:

% sqlplus king/3511698244@oracle_database

or,

% sqlplus king@oracle_database % password: 698244

Note:

The Security Dynamics tools support the following characters as delimeters between the PIN and the PASSCODE:

" " <tab> \ / ; :

You should not use these characters, because Oracle will interpret these characters differently.

5.8.1.2 Using PINPAD Cards

If you have a PINPAD card, you first have to type in your PIN on the card and generate a new PASSCODE. You would then use this PASSCODE to connect to Oracle using the following syntax:

SQL>connect <username>/<passcode>@<service_name>

For example, if the card is assigned to user "king", first generate a PASSCODE by typing the PIN on the PINPAD card. (Refer to the Security Dynamics documentation on how to do this.) For example, if the generated PASSCODE is "698244", to connect to Oracle using SQL*Plus, you would type:

	% sqlplus king/698244@oracle_dbname

5.8.2 Assign a New PIN to a SecurID Card

If you are logging in for the first time, or the administrator has put your card in the new-PIN mode, you have to assign a PIN to the card. You can tell that this is the case if, while trying to connect to Oracle, you get the following error message:

ORA-12681 "Login failed: the SecurID card does not have a pincode yet"

Assigning a PIN to a card is easy and can be done by connecting to the Oracle Server using a special syntax. First, you need to select a PIN, which is typically 4 to 8 digits long. Depending on the type of SecurID card you have, you may be able to use letters too.

The syntax while connecting to the Oracle database is:

SQL>connect <username>/"+<pincode>+<passcode>"@oracle_dbname
SQL>connect

For the passcode, enter the cardcode that is currently displayed on your SecurID card's LCD. If you have a PINPAD card, do not enter the PIN on the card.

Note:

You must add the two "+" characters in the connect string, because they tell Oracle that this is an attempt to assign a PIN to the card. Also, they separate the new PIN from the passcode.

You must also enclose the PIN/passcode combination in double quotes. Some Oracle tools such as Server Manager truncate the password string (PIN/passcode) just before the plus ("+") character. Surrounding the password string (PIN/passcode) in double
quotes ("") prevents the password string from being truncated.

For example, if the card is assigned to user "king", your new PIN is "45618", and the SecurID card currently displays number "564728", you would type:

	% sqlplus king/"+45618+564728"@oracle_dbname
% passwd:<passcode>

If the new PIN is accepted, you will be connected to Oracle. The next time you want to connect to Oracle you should use the procedure described in "Logging into the Oracle Server". If the new PIN is rejected, you will get the following error:

ORA-12688 "Login failed: the SecurID server rejected the new pincode"

5.8.2.1 Possible Reasons Why a PIN Would be Rejected

Following are some possible reasons why a PIN would be rejected:

The new PIN is less than 4 or more than 8 characters long.
The PIN contains invalid characters. Valid characters are numeric digits, and for some SecurID cards, the letters "a" through "z".
You are not allowed to make up your own PIN. The Security Dynamics ACE/Server can be configured in such a way that you cannot make up your own PIN. If this is the case, you will have to use one of the Security Dynamics tools to generate a new PIN for your card.

5.8.3 Log in When the SecurID Card is in "Next Code" Mode

As an additional safety step, the ACE/Server sometimes asks for the next card code, to ensure that the person who is trying to log in actually has the card in his or her possession. This is the case if you get the following error message when you try to log into Oracle:

ORA-12682, "Login failed: the SecurID card is in next PRN mode"

The next time you want to log in to Oracle, you will have to specify the next two card codes. The syntax you use to log into Oracle depends on the kind of SecurID card you have (Standard versus PINPAD).

5.8.3.1 Log in with a Standard Card

If you have a standard card, specify the following:

your PIN
the current card code
a "+" character and the next card code

Steps 1, 2, and 3 above replace the password. The "+" character is important, because it separates the first card code (passcode) from the second one. Use the following syntax:

SQL>connect <username>/ "<pincode><passcode>+<next passcode>"@<service_name>





Note:



You must enclose the PIN/passcode/next passcode combination in double quotes. Some Oracle tools such as Server Manager truncate the password combination just before the plus ("+") character. Surrounding the PIN and passcode in double quotes ("") prevents the password combination from being truncated.

For example, if the card is assigned to user "king", the PIN is "3511", and the card first shows the number "698244" and the next number is "563866", you would type:

	% sqlplus king/"3511698244+563866"@oracle_database

This connects you to the Oracle server and puts the card back into normal mode. The next time you want to log in to the Oracle server, use the procedure described in Section 5.8.1, "Log into the Oracle Server".

5.8.3.2 Log in with a PINPAD Card

If you have a PINPAD card, do the following to log on to the Oracle server:

Type in your PIN on the card to generate the first PASSCODE.
Clear your card's memory by pressing P, then wait for the next PASSCODE.
Log into the Oracle server with these two passcodes, separated by a "+" character. Use the following syntax:
```
SQL>connect <username>/ "<first passcode>+<second passcode>"@service_name
```

For example, if the card is assigned to user "king":

Type the PIN on the PINPAD card to generate a passcode: e.g., "231003".
Clear the card's memory. The next displayed number might be "831234".
To log in, use the following syntax, typing the two passcodes generated in steps 1 and 2:
```
	% sqlplus king/"231003+831234"@oracle_dbname
```

This connects you to Oracle and puts the card back into normal mode. The next time you want to log in to Oracle, use the procedure described in Section 5.8.1, "Log into the Oracle Server".

5Configuring Oracle for Use with the SecurID Adapter