Oracle Security Server Manager 2.0.5 Production for Oracle Enterprise Manager 1.6.0 Production.

README and Release Notes.

This README contains information on the following topics to supplement the Oracle Security Server Guide (Part #A54088-02):

. Who should use Oracle Security Server Manager

. Logging in to Oracle Security Server Manager

. Creating and Deleting your Security Server Repository

. Enterprise Authorizations

. Known bugs in Oracle Security Server Manager 2.0.5

Who should use Oracle Security Server Manager

If you wish to create an Oracle Security Server to authenticate Oracle8 Global Users and authorize Oracle8 Global Roles across an enterprise of Oracle8 Servers, then you require this application. It allows you to administer the information held in your Oracle Security Server.

Note: Oracle Security Server Manager uses a database repository to store its authentication and authorization information. You must own an Oracle Server that you are willing to use for this purpose; however, the Oracle Server does not need to be dedicated to it.

Logging into Oracle Security Server Manager

You must log into Oracle Security Server Manager as the user oracle_security_service_admin.

This user is created when you run the Create Oracle Security Server utility, and its password was defined when you installed the product.

Oracle Security Server Manager cannot operate under any other Oracle user. Therefore usernames such as SYSTEM and INTERNAL are invalid.

Note: If you try to run Oracle Security Server Manager as any other user you will not be able to access the data in your Security Server Repository. Do not try to create a new Repository while logged in as any other user.

Creating and Deleting your Security Server Repository

There is a utility named "Create Oracle Security Server" in your Oracle Security Server Program Group. This utility, when invoked, prepares a database for use as an Oracle Security Server Repository.

There is also a utility named "Delete Oracle Security Server" in your Oracle Security Server Program Group. This utility, when invoked, undoes the changes made to your database by the Create utility. It will completely erase the contents of your Oracle Security Server Repository and should only be used if you are absolutely sure that you wish to destroy all the Identities and Authorizations held in it.

Note: The Create utility adds two users, "oracle_security_service" and "oracle_security_service_admin", to your database. It also adds a tablespace and datafile to your Oracle Server to support these users. You may inspect the file nzdocrt.sql in your OSS directory under the Oracle Home directory for the exact SQL used in these operations.

Note: Do not use these utilities against an Oracle Server that has an existing oracle_security_service_admin user currently logged on.

Both utilities ask you to provide log-on details for the database you wish to configure. You should supply the SYSTEM username, password and Net8 service name. If you are not using a remote database then you need only supply the SYSTEM username and password.

Dropping the Oracle Security Server Repository from your database may also be performed manually. As with the "Delete Oracle Security Server" utility, this operation completely destroys your Oracle Security Server Repository data.

This may be done through Server Manager (svrmgr30) by executing the nzdodrop SQL script, located in your $ORACLE_HOME/OSS directory, i.e.:

SVRMGR30> @nzdodrop

After this script has executed successfully you may safely delete the datafile used to support the tablespace for your repository. This is the OSS.DBF file in your $ORACLE_HOME/database directory.

Known Problem:

If you use the "Create Oracle Security Server" utility against a database where this operation has already been performed, or you run the utility against a database where you have already used the "Delete Oracle Security Server" utility, you may see the following error:

XP-07016: A database error has occurred:
create tablespace oss
datafile 'oss.dbf' SIZE 10M
ORA-01119: error in creating database file 'oss.dbf'
ORA-27038: skgfrcre: file exists
XP-07031: An error occurred while processing file C:\ORANT/OSS/nzdocrt.sql

This is because there is still a datafile present on your Oracle Server from the last time Oracle Security Server was installed. To remedy this problem your Oracle DBA must delete the file "oss.dbf" in the DBS directory under the Oracle Server's Oracle Home directory.

Note: As a precaution, the DBA should issue the command "drop tablespace oss;" on the Oracle Server before deleting this file. However, the tablespace "oss" should already have been dropped if the Security Server Delete utility was used.

Securing your Oracle Security Server Repository

The database that you use to stage your Oracle8 Security Server Repository must be given an identity and credentials by the Oracle Security Server Certificate Authority. This ensures that when other Oracle8 Servers and Net8 clients communicate with this database, they can authenticate that database as being the one that they trust to serve their authentication and authorization data.

Oracle Security Server Manager requires you to define an Approved Identity for the Security Server Repository database after you have defined your Certificate Authority (Root) Identity. This is selected by a radio button marked "Repository" in the "Create New Identity" screen of the tool.

The Database Administrator of the Oracle8 Server where the Repository is to be staged must download an Oracle Security Server Wallet for the Distinguished Name that has been assigned to the Repository Identity. This must be performed at the Oracle Security Server Repository before other Oracle8 Servers and Net8 clients attempt to download their own Wallets from the Repository.

Enterprise Authorizations

Oracle Security Server Enterprise Authorizations may only be granted to and revoked from an Approved Identity using the Approved Identity Property Page (on the right hand side of the screen) if the "Advanced Mode" toggle button is selected in your toolbar. You may also use drag-and-drop to assign Enterprise Authorizations to your Oracle Security Server Identities irrespective of the "Advanced Mode" toggle button.

Known Bugs in Oracle Security Server Manager 2.0.5

The following are three known problems with this distribution of Oracle Security Server Manager along with their present workarounds.

Creating circular dependencies on Enterprise Authorizations

1. Enterprise Authorizations may be defined recursively, in that they can contain other Enterprise Authorizations that you have already defined. If an Enterprise Authorization, say E1, contains another Enterprise Authorization, say E2, Oracle Security Server Manager will not let you grant E1 to E2. However, if there were a third Enterprise Authorization, E3, that already contained E1, then you may grant it to E2 and thus set up a circular dependency.

i.e. E1 contains E2, E2 contains E3 and E3 contains E1 again.

Workaround: Take care not to configure circular dependencies.

If an Oracle Security Server Identity contains a tree of Enterprise Authorizations with such a circular dependency, then the Oracle8 Servers that authenticate this Identity will fail to retrieve from Oracle Security Server the Global Roles allowed on the database for that Identity.
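The check that Oracle Security Server Manager only applies to the direct case can be done transitively, and an existing repository configuration can be audited for loops. The following is an added example, not code from Oracle Security Server Manager; it models the containment relation in the notes as a constructed graph, where grant(X, to=Y) means Y contains X.

```python
from collections import defaultdict


class CycleError(ValueError):
    """Raised when a grant would make an authorization contain itself."""


class AuthorizationGraph:
    """Containment graph: grant(X, to=Y) records that Y contains X."""

    def __init__(self):
        self.contains = defaultdict(set)  # container -> directly contained

    def reachable(self, start):
        """Every authorization transitively contained in `start`."""
        seen, stack = set(), [start]
        while stack:
            for child in self.contains[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def grant(self, granted, to):
        """Make `to` contain `granted`, refusing direct and indirect cycles."""
        # Transitive check: also catches the E3 -> E1 -> E2 case from the notes.
        if granted == to or to in self.reachable(granted):
            raise CycleError(f"granting {granted} to {to} would create a cycle")
        self.contains[to].add(granted)

    def find_cycle(self):
        """Audit an existing configuration: one cycle as a closed path, or []."""
        state, path = {}, []  # "grey" = on the current DFS path, "black" = done

        def visit(node):
            state[node] = "grey"
            path.append(node)
            for child in self.contains[node]:
                if state.get(child) == "grey":  # back edge closes a loop
                    return path[path.index(child):] + [child]
                if child not in state and (found := visit(child)):
                    return found
            path.pop()
            state[node] = "black"
            return []

        for node in list(self.contains):
            if node not in state and (found := visit(node)):
                return found
        return []
```

find_cycle is the useful half for a repository configured before this check existed: run it over the exported containment relation and fix any cycle it reports before Identities holding those authorizations fail to authenticate.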

2. Setting the Expiration date for an Identity's Credentials

Oracle Security Server Manager allows you to specify the date on which credentials given to an Identity will expire. The default date is calculated as 6 months after the date of creation. If you choose to override this date with a different one, then the date that you select must be a valid day, month and year combination; otherwise Oracle Security Server Manager will fail to create a set of credentials for the Identity. Oracle Security Server Manager cannot set credential expiration dates after the year 2035.

Workaround: Only enter valid dates before Year 2035.
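Both conditions can be checked before attempting to create the credentials. The following is an added example, not code from Oracle Security Server Manager; the 6-month default is assumed here to be calendar-month addition with the day clamped to the target month's length, which the notes do not specify.

```python
import calendar
from datetime import date
from typing import Optional

MAX_YEAR = 2035  # latest year the tool accepts, per the release notes


def default_expiry(created: date, months: int = 6) -> date:
    """Creation date plus `months` calendar months, clamping the day to the
    target month (assumption about the tool: 31 Aug 1998 -> 28 Feb 1999)."""
    month_index = created.month - 1 + months
    year, month = created.year + month_index // 12, month_index % 12 + 1
    day = min(created.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def validate_expiry(year: int, month: int, day: int) -> Optional[str]:
    """Return None if the date is acceptable, otherwise the reason it would
    make credential creation fail."""
    try:
        expiry = date(year, month, day)  # rejects e.g. 30 February
    except ValueError as exc:
        return f"not a valid day/month/year combination: {exc}"
    if expiry.year > MAX_YEAR:
        return f"year {expiry.year} is after {MAX_YEAR}"
    return None
```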

3. Replacing revoked credentials

Oracle Security Server Manager allows you to mark an existing set of Identity Credentials as being "Revoked". Oracle Security Server will not authenticate an Identity with Revoked Credentials. However you may reset the Credential status using the "Restore" option to re-enable them. If you attempt to generate a new set of credentials for an Identity that currently has a revoked set of credentials then Oracle Security Server Manager will fail to create the credentials.

Workaround: Remove the Identity from Oracle Security Server, then recreate it, giving it a new set of credentials in the process.