This README contains information on the following topics to supplement the Oracle Security Server Guide (Part #A54088-02):

. Who should use Oracle Security Server Manager
. Logging in to Oracle Security Server Manager
. Creating and Deleting your Security Server Repository
. Securing your Oracle Security Server Repository
. Enterprise Authorizations
. Known bugs in Oracle Security Server Manager 2.0.5
Who should use Oracle Security Server Manager

If you wish to create an Oracle Security Server to authenticate Oracle8 Global Users and authorize Oracle8 Global Roles on an enterprise of Oracle8 Servers, then you require this application. It allows you to administer the information held in your Oracle Security Server.

Note : Oracle Security Server Manager uses a database repository to store its authentication and authorization information. You must own an Oracle Server that you are willing to use for this purpose; however, the Oracle Server does not need to be dedicated to it.
Logging in to Oracle Security Server Manager

You must log in to Oracle Security Server Manager as the user oracle_security_service_admin. This user is created when you run the Create Oracle Security Server utility, and its password is defined when you install the product. Oracle Security Server Manager cannot operate under any other Oracle user; therefore usernames such as SYSTEM and INTERNAL are invalid.

Note : If you try to run Oracle Security Server Manager as any other user you will not be able to access the data in your Security Server Repository. Do not try to create a new Repository while logged in as any other user.
Creating and Deleting your Security Server Repository

There is a utility named "Create Oracle Security Server" in your Oracle Security Server Program Group. When invoked, this utility allows you to prepare a database for use as an Oracle Security Server Repository.

There is also a utility named "Delete Oracle Security Server" in your Oracle Security Server Program Group. When invoked, this utility allows you to undo the changes made to your database by the Create utility. It completely erases the contents of your Oracle Security Server Repository and should only be used if you are absolutely sure that you wish to destroy all the Identities and Authorizations held in it.

Note : The Create utility adds two users, "oracle_security_service" and "oracle_security_service_admin", to your database. It also adds a tablespace and datafile to your Oracle Server to support these users. You may inspect the file nzdocrt.sql in your OSS directory under the Oracle Home directory for the exact SQL used in these operations.

Note : Do not use these utilities against an Oracle Server that has an existing oracle_security_service_admin user currently logged on.

Both utilities ask you to provide log-on details for the database you wish to configure. You should supply the SYSTEM username, password and Net8 service name. If you are not using a remote database then you need only supply the SYSTEM username and password.
Dropping the Oracle Security Server Repository from your database may also be performed manually. As with the "Delete Oracle Security Server" utility, this operation completely destroys your Oracle Security Server Repository data. This may be done through Server Manager (svrmgr30) by executing the nzdodrop SQL script, located in your $ORACLE_HOME/OSS directory, i.e.

    SVRMGR30> @nzdodrop

After this script has executed successfully you may safely delete the datafile used to support the tablespace for your repository. This is the OSS.DBF file in your $ORACLE_HOME/database directory.
Known Problem :

If you use the "Create Oracle Security Server" utility against a database where this operation has already been performed, or you run the utility against a database where you have already used the "Delete Oracle Security Server" utility, you may see the following error :

XP-07016: A database error has occurred:
create tablespace oss
datafile 'oss.dbf' SIZE 10M
ORA-01119: error in creating database file 'oss.dbf'
ORA-27038: skgfrcre: file exists
XP-07031: An error occurred while processing file C:\ORANT/OSS/nzdocrt.sql

This is because there is still a datafile present on your Oracle Server from the last time Oracle Security Server was installed. To remedy this problem your Oracle DBA must delete the file "oss.dbf" in the DBS directory in the Oracle Server's Oracle Home directory.

Note : As a precaution, the DBA should issue the command "drop tablespace oss;" on the Oracle Server before deleting this file. However, the tablespace "oss" should already have been dropped after using the Security Server Delete utility.
Securing your Oracle Security Server Repository

The database that you use to stage your Oracle8 Security Server Repository must be given an identity and credentials by the Oracle Security Server Certificate Authority. This ensures that when other Oracle8 Servers and Net8 clients communicate with this database, they can authenticate that database as being the one that they trust to serve their authentication and authorization data.

Oracle Security Server Manager requires you to define an Approved Identity for the Security Server Repository database after you have defined your Certificate Authority (Root) Identity. You will see this as a radio button in the "Create New Identity" screen of the tool marked "Repository".

The Database Administrator of the Oracle8 Server where the Repository is to be staged must download an Oracle Security Server Wallet for the Distinguished Name that has been assigned for the Repository Identity. This must be performed at the Oracle Security Server Repository before other Oracle8 Servers and Net8 clients attempt to download their own Wallets from the Repository.
Enterprise Authorizations

Oracle Security Server Enterprise Authorizations may only be granted and revoked from an Approved Identity using the Approved Identity Property Page (on the right hand side of the screen) if the "Advanced Mode" toggle button is selected in your toolbar. You may also use "drag-and-drop" to assign Enterprise Authorizations to your Oracle Security Server Identities irrespective of the "Advanced Mode" toggle button.
Known Bugs in Oracle Security Server Manager 2.0.5

The following are three known problems with this distribution of Oracle Security Server Manager along with their present workarounds.

1. Creating circular dependencies on Enterprise Authorizations

Enterprise Authorizations may be defined recursively, in that they can contain other Enterprise Authorizations that you have already defined. If an Enterprise Authorization, say E1, contains another Enterprise Authorization, say E2, Oracle Security Server Manager will not let you grant E1 to E2. However, if there were a third Enterprise Authorization, E3, that already contained E1, then you may grant it to E2 and thus set up a circular dependency, i.e. E1 contains E2, E2 contains E3 and E3 contains E1 again.

Workaround : Take care not to configure circular dependencies.

If an Oracle Security Server Identity contains a tree of Enterprise Authorizations with such a circular dependency then the Oracle8 Servers that authenticate this Identity will fail to retrieve the Global Roles allowed on the database for that Identity from Oracle Security Server.
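The description above implies that the Manager only refuses a grant when the reverse containment is direct, which is how the E1/E2/E3 loop gets through. The Python below is an added example, not Oracle's code: the in-memory graph, class and function names are assumptions standing in for the Enterprise Authorizations stored in the repository. It contrasts the direct-only check with a transitive one and adds an audit routine that reports an existing loop before Global Role retrieval would fail on it.

```python
from collections import deque

class AuthorizationGraph:
    """Directed 'contains' graph of Enterprise Authorizations (assumed model)."""
    def __init__(self):
        self.contains = {}  # name -> set of names it directly contains
    def manager_allows(self, grantee, granted):
        # The Manager's own check: it refuses only a *direct* reverse containment.
        return grantee != granted and grantee not in self.contains.get(granted, ())
    def reachable_from(self, start):
        # Every authorization reachable from `start` along 'contains' edges.
        seen, queue = set(), deque([start])
        while queue:
            for child in self.contains.get(queue.popleft(), ()):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        return seen
    def would_create_cycle(self, grantee, granted):
        # Transitive check: a loop closes if `grantee` is already reachable from `granted`.
        return grantee == granted or grantee in self.reachable_from(granted)
    def grant(self, grantee, granted, strict=True):
        # Record that `grantee` contains `granted`; strict=True refuses any cycle.
        if strict and self.would_create_cycle(grantee, granted):
            raise ValueError(f"granting {granted} to {grantee} closes a loop")
        self.contains.setdefault(granted, set())
        self.contains.setdefault(grantee, set()).add(granted)
    def find_cycle(self):
        # Audit an existing repository: return one loop as a list of names, or None.
        for start in sorted(self.contains):
            stack = [(start, [start])]
            while stack:
                node, path = stack.pop()
                for child in sorted(self.contains.get(node, ())):
                    if child == start:
                        return path + [child]
                    if child not in path:
                        stack.append((child, path + [child]))
        return None

def reproduce_readme_scenario():
    # Constructed data: E1 contains E2 and E3 contains E1; then E3 is granted to E2.
    g = AuthorizationGraph()
    g.grant("E1", "E2")
    g.grant("E3", "E1")
    allowed = g.manager_allows("E2", "E3")      # the direct-only check says yes
    refused = g.would_create_cycle("E2", "E3")  # the transitive check says no
    g.grant("E2", "E3", strict=False)           # what the Manager lets through
    return allowed, refused, g.find_cycle()
```

Running find_cycle over an export of your real authorization tree is the practical check; the repository's table layout is not documented here, so the graph must be loaded by whatever means your site has.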
2. Setting the Expiration date for an Identity's Credentials

Oracle Security Server Manager allows you to specify the date on which credentials given to an Identity will expire. The default date is calculated as 6 months after the date of creation. If you choose to override this date with a different one then the date that you select must be a valid day, month and year combination; otherwise Oracle Security Server Manager will fail to create a set of credentials for the Identity. Oracle Security Server Manager cannot set credential expiration dates for dates after the year 2035.

Workaround : Only enter valid dates before Year 2035.
3. Replacing revoked credentials

Oracle Security Server Manager allows you to mark an existing set of Identity Credentials as "Revoked". Oracle Security Server will not authenticate an Identity with Revoked Credentials. However, you may reset the Credential status using the "Restore" option to re-enable them. If you attempt to generate a new set of credentials for an Identity that currently has a revoked set of credentials then Oracle Security Server Manager will fail to create the credentials.

Workaround : Remove the Identity from Oracle Security Server then recreate it, giving it a new set of credentials in the process.