Oracle Advanced Networking Option Administrator's Guide
Release 8.0

A58229-01

Contents

Title and Copyright Information

Preface

Part I Security and Single Sign-On
Part II DCE Integration
Appendices

Send Us Your Comments

Part I Oracle Advanced Networking Option Security and Single Sign-On

1 Network Security and Single Sign-On

What's Covered in this Chapter
Authentication Adapters Supported
System Requirements
CyberSAFE Challenger Authentication Adapter Requirements
Kerberos Authentication Adapter Requirements
SecurID Authentication Adapter Requirements
Identix TouchNet II
Protection from Tampering and Unauthorized Viewing
Verification of Data Integrity
High-Speed Global Data Encryption
Standards-Based Encryption
Data Security Across Protocols
The Oracle Advanced Networking Option is Not Yet Supported by Some Oracle Products
How Encryption and Checksumming are Activated
Encryption and Checksumming Configuration
The Oracle Advanced Networking Option Provides Enhanced Client/Server Authentication
Why Single Sign-On?
How Oracle Authentication Adapters Provide Enhanced Security
Network Authentication Services
Centralized Authentication
Kerberos and CyberSAFE Support
Token Cards
SecurID Token Card
Biometric Authentication Adapter
Oracle Parameters that Must be Configured for Network Authentication
Set REMOTE_OS_AUTHENT to False
Set OS_AUTHENT_PREFIX to a Null Value

2 Configuring Encryption and Checksumming

Where to Get Information on Installing the Oracle Advanced Networking Option
Benefits of the Oracle Advanced Networking Option Encryption and Checksum Algorithms
DES Algorithm Provides Standards-Based Encryption
DES40 Algorithm is Provided for International Use
RSA RC4 is a Highly Secure, High Speed Algorithm
RC4_56 and RC4_128 Can be Used by Domestic Customers
RC4_40 Can be Used by Customers Outside the US and Canada
Diffie-Hellman-Based Key Management
Overview of Site-Specific Diffie-Hellman Encryption Enhancement
How to Generate the Diffie-Hellman Parameters with naegen
Overview of Authentication Key Fold-in Encryption Enhancement
Authentication Key Fold-in Feature Requires no Configuration
The MD5 Message Digest Algorithm
Domestic and Export Versions
Overview of Encryption and Checksumming Configuration Parameters
Negotiating Encryption and Checksumming
What the Encryption and Checksumming Parameters Do
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selected List
Client Encryption Selected List
Server Checksum Level Setting
Client Checksum Level Setting
Server Checksum Selected List
Client Checksum Selected List
Client Profile Encryption
Using Oracle Net8 Assistant to Configure Servers and Clients to Use Encryption and Checksumming
Configure Servers and Clients to Use Encryption
Configure Servers and Clients to Use Checksumming

3 Configuring the CyberSAFE Authentication Adapter

Steps to Perform to Enable CyberSAFE Authentication
Install the CyberSAFE Server on the Machine that will Act as the Authentication Server
Install the CyberSAFE Challenger Client on the Same Machine that Runs the Oracle Server and the Client
Install the CyberSAFE Application Security Toolkit on the Client and on the Server
Configure a Service Principal for an Oracle Server
Extract the Service Table from CyberSAFE
Ensure that the Oracle Server Can Read the Service Table
Install an Oracle Server
Install the Oracle Advanced Networking Option
Configure Net8 and Oracle8 on your Server and Client
Configure the CyberSAFE Authentication Adapter using the Net8 Assistant
Create a CyberSAFE User on the Authentication Server
Create an Externally Authenticated Oracle User on the Oracle Server
Use kinit on the Client to Get the Initial Ticket for the Kerberos/Oracle User
Use klist on the Client to Display Credentials
Connect to an Oracle Server Authenticated by CyberSAFE
CyberSAFE Configuration Parameters Required on the Oracle Server and Client
Oracle Client Configuration Parameters
Required SQLNET.ORA Parameters
Oracle Server Configuration Parameters
Required SQLNET.ORA Parameters
Required INIT.ORA Parameters
Troubleshooting the Configuration of the CyberSAFE Authentication Adapter

4 Configuring the Kerberos Authentication Adapter

Steps to Perform to Enable Kerberos Authentication
Install Kerberos on the Machine that will Act as the Authentication Server
Configure a Service Principal for an Oracle Server
Extract a Service Table from Kerberos
Ensure that the Oracle Server Can Read the Service Table
Install an Oracle Server and an Oracle Client
Install Net8
Configure Net8 and Oracle on the Oracle Server and Client
Create a Kerberos User on the Kerberos Authentication Server
Create an Externally-Authenticated User on the Oracle Database
Get an Initial Ticket for the Kerberos/Oracle User
Utilities to Use with the Kerberos Authentication Adapter
Use okinit to Obtain the Initial Ticket
Use oklist to Display Credentials
Use okdstry to Remove Credentials from Cache File
Connecting to an Oracle Server Authenticated by Kerberos
Configure the Kerberos Authentication Adapter Using the Oracle Net8 Assistant
Description of Configuration File Parameters on Oracle Server and Client
Oracle Client Configuration Parameters
Required Profile Parameters
Oracle Server Configuration Parameters
Required Profile Parameters
Required Initialization Parameters
Optional Profile Parameters
Troubleshooting the Configuration of the Kerberos Authentication Adapter

5 Configuring Oracle for Use with the SecurID Adapter

System Requirements
Known Limitations
Steps to Perform to Enable SecurID Authentication
Register Oracle as a SecurID Client (ACE/Server Release 1.2.4)
Ensure that Oracle Can Find the Correct UDP Port (ACE/Server Release 1.2.4)
Install the Oracle Advanced Networking Option on the Oracle Server and Client
Configure Oracle as a SecurID Client (for ACE/Server Release 1.2.4)
Install the SecurID configuration files on the Oracle server machine.
Configure Oracle as a SecurID Client (Release ACE/Server 2.0)
Method #1
Method #2
Configure the SecurID Authentication Adapter using the Net8 Assistant
Creating Users for the SecurID Adapter
Troubleshooting the Configuration of the SecurID Authentication Adapter
Using the SecurID Authentication Adapter
Configure the Oracle Client to Use the SecurID Authentication Adapter
Log into the Oracle Server
Using Standard Cards
Using PINPAD Cards
Assign a New PIN to a SecurID Card
Possible Reasons Why a PIN Would be Rejected
Log in When the SecurID Card is in "Next Code" Mode
Log in with a Standard Card
Log in with a PINPAD Card

6 Configuring and Using the Identix Biometric Authentication Adapter

Overview
Architecture of the Biometric Authentication Service
Administration Architecture
Authentication Architecture
Prerequisites
Oracle Biometric Manager PC
Client PC
Database Server
Biometric Authentication Service
Configuring the Biometric Authentication Service
Configuring the Oracle Biometric Authentication Service using the Oracle Net8 Assistant
Administering the Oracle Biometric Authentication Service
Create a Hashkey on each of the Clients
Create Users for the Biometric Authentication Adapter
Authenticating Users With the Oracle Biometric Authentication Service
Using the Biometric Manager
Logging On
Displaying Oracle Biometric Authentication Service Data
The Object Tree Window
The Properties Window
Troubleshooting

7 Choosing and Combining Authentication Services

Connect with a Username/Password When Authentication Has Been Configured
Configure No Authentication
Set Up an Oracle Server With Multiple Authentication Services
Set Up an Oracle Client to Use Multiple Authentication Services
Use the Oracle Net8 Assistant to Set Up Multiple Authentication Services

8 Configuring the DCE GSSAPI Authentication Adapter

Create the DCE Principal
Set Up Parameters to Use the New DCE Principal, and Turn On DCE GSSAPI Authentication
Set Up the Account You Will Use to Authenticate to the Database
Connect to an Oracle Server Using DCE GSSAPI Authentication

Part II Oracle Advanced Networking Option and Oracle DCE Integration

9 Overview of Oracle DCE Integration

System Requirements
Backward Compatibility
Overview of Distributed Computing Environment (DCE)
Overview of Oracle DCE Integration
DCE Communication/Security Adapter
DCE CDS Native Naming Adapter
Flexible DCE Deployment
Limitations in This Release

10 Configuring DCE for Oracle DCE Integration

Overview
Create New Principals and Accounts
Install the Key of the Server into a Keytab File
Configuring DCE CDS for Use by Oracle DCE Integration
Create Oracle Directories in the CDS Namespace
Give Servers Permission to Create Objects in the CDS Namespace
Load Oracle Service Names Into CDS

11 Configuring Oracle for Oracle DCE Integration

DCE Address Parameters
Configuring the Server
LISTENER.ORA Parameters
Sample DCE Address in LISTENER.ORA
Creating and Naming Externally-Authenticated Accounts
Setting up DCE Integration External Roles
Configuring the Client
Description of Parameters in PROTOCOL.ORA
Configuring Clients to Use the DCE CDS Naming Adapter
Enable CDS for use in Performing Name Lookup
Modify the CDS Attributes File and Restart the CDS
Create a TNSNAMES.ORA For Loading Oracle Connect Descriptors into CDS
Load Oracle Connect Descriptors into CDS
Delete or Rename TNSNAMES.ORA File
Modify SQLNET.ORA Parameter File to Have Names Resolved in CDS
SQL*Net Release 2.2 or Earlier
SQL*Net Release 2.3 and Later
Connect to Oracle Servers in DCE

12 Connecting to an Oracle Database in DCE

Starting the Network Listener
Connecting to an Oracle Database Server in the DCE Environment

13 DCE and Non-DCE Interoperability

Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
LISTENER.ORA
TNSNAMES.ORA
Using TNSNAMES.ORA for Name Lookup When CDS is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Net8

A Encryption and Checksum Parameters

SQLNET.ORA for a Single Community Set of Clients and Servers

B Authentication Parameters

Configuration Files for Clients and Servers using CyberSAFE Authentication
Profile (SQLNET.ORA)
Database Initialization File (INIT.ORA)
Configuration Files for Clients and Servers using Kerberos Authentication
Profile (SQLNET.ORA)
Database Initialization File (INIT.ORA)
Configuration Files for Clients and Servers using SecurID Authentication
Profile (SQLNET.ORA)
Database Initialization File (INIT.ORA)

Glossary



Copyright © 1997 Oracle Corporation.

All Rights Reserved.
