Oracle Security Server
Release 2.0.4
Release Notes
*******************************************
Copyright (C) 1997 Oracle Corporation
This software/documentation contains proprietary information of Oracle Corporation; it is
provided under a license agreement containing restrictions on use and disclosure and is
also protected by copyright law. Reverse engineering
of the software is prohibited.
If this software/documentation is delivered to a U.S. Government Agency of the Department
of Defense, then it is delivered with Restricted Rights and the following legend is
applicable:
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth
in subparagraph (c) (1) (ii) of DFARS 252.227-7013, Rights in Technical Data and Computer
Software (October 1988).
If this software/documentation is delivered to a U.S. Government Agency not within the
Department of Defense, then it is delivered with "Restricted Rights," as defined in FAR
52.227-14, Rights in Data - General, including Alternate
III (June 1987).
Oracle Corporation, 500 Oracle Parkway, Redwood City,
CA 94065.
This version supports International Security with RSA Public
Key Cryptography, MD2, MD5, and RC4.
This product contains encryption and/or authentication engines from RSA Data Security,
Inc. Copyright 1996 RSA Data Security, Inc. All rights
reserved.
Oracle and SQL*Net are registered trademarks of Oracle Corporation, Redwood City,
California. Oracle Security Server, Oracle Enterprise Manager, Net8, and Oracle8 are
trademarks of Oracle Corporation, Redwood City, California.
All other products or company names are used for identification purposes only, and may be
trademarks of their respective owners.
*********************************************
Overview
========
Oracle Security Server provides a global, centralized authentication framework based on
public key cryptography. Oracle Security Server uses certificates instead of passwords
for user authentication, significantly raising the level of assurance that users are
whom they claim to be. Oracle Security Server works with Oracle8 clients and servers,
connecting with SQL*Net v2 or Net8. It requires Net8
between its component parts.
For further information about the Oracle Security Server, see the Oracle Security Server
Guide.
Contents of This Read Me File
=============================
- Installing the Oracle Security Server Repository
- Oracle Security Server Manager Tool - Additional Information
- Global User and Global Role Administration
Installing the Oracle Security Server Repository
================================================
This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01).
Oracle Security Server Repository Dependencies
----------------------------------------------
To use a given database as an Oracle Security Server Repository, that database
must be running Oracle8 Server release 8.0.4 or later.
Before proceeding with this installation, you must also make sure that
Net8 release 8.0.4 or higher is running on that database.
Configuring the Oracle Security Server Repository
-------------------------------------------------
In order for Oracle clients and servers to access information in the Oracle Security
Server Repository, the Repository database must itself be enabled for secure
connections. Follow the same steps as for any other Oracle client or server, as
outlined in the section "Configuring Oracle Security Adapters on Clients and
Servers". This includes setting up the Repository's sqlnet.ora file correctly and
installing the Repository's wallet via the osslogin tool.
Oracle Security Server Manager, an Enterprise Manager Tool
==========================================================
Oracle Security Server Manager 2.0.4 for Oracle Enterprise Manager
1.5.0 Production.
This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01):
. Logging in to Oracle Security Server Manager
. Creating and Deleting your Security Server Repository
. Enterprise Authorizations
Logging in to Oracle Security Server Manager
--------------------------------------------
You must log into Oracle Security Server Manager as user
"oracle_security_service_admin".
This user is created when you run the Create Oracle Security Server
utility and its password is defined when you install the product.
Oracle Security Server Manager cannot operate under any other Oracle
user. Therefore usernames like SYSTEM and INTERNAL are invalid.
Note : If you try to run Oracle Security Server Manager as any
other user, you will not be able to access the data in your Security
Server Repository. Do not try to create a new Security Server Repository
while logged in as any other user.
Creating and Deleting your Security Server Repository
-----------------------------------------------------
There is a utility named "Create Oracle Security Server" in the Oracle
Security Server Program Group. This utility allows you to
prepare a database for use as an Oracle Security
Server Repository.
Note : The Create utility adds two users, "oracle_security_service"
and "oracle_security_service_admin" to your database. It
also adds a tablespace and datafiles to your Oracle Server
to support these users. You may inspect the file nzdocrt.sql
in your OSS directory under the Oracle Home directory for the
exact SQL used in these operations.
There is also a utility named "Delete Oracle Security Server" in the
Oracle Security Server Program Group. This utility allows
you to undo the changes made to your database by
the Create utility.
WARNING: This utility will completely erase the contents of your
Oracle Security Server Repository and should only be used if you are
absolutely sure that you wish to destroy all the Identities and
Authorizations held in it.
Note : Do not use these utilities against an Oracle Server that
has an existing oracle_security_service_admin user
currently logged on.
Both utilities ask you to provide log-on details for the database you wish
to configure. You should supply the SYSTEM username, password and Net8
service name. If you are not using a remote database then you need
only supply the SYSTEM username and password.
Known Problem :
If you use the "Create Oracle Security Server" utility against a database
where this operation has already been performed, or you run the utility
against a database where you have already used the "Delete Oracle Security
Server" utility, you may see the following error:
XP-07016: A database error has occurred:
create tablespace oss
datafile 'oss.dbf' SIZE 10M
ORA-01119: error in creating database file 'oss.dbf'
ORA-27038: skgfrcre: file exists
XP-07031: An error occurred while processing file C:\ORANT/OSS/nzdocrt.sql
This error occurs because there is still a datafile present on your Oracle
Server from the last time Oracle Security Server was installed. To remedy
this problem, the Oracle DBA must delete the file "oss.dbf" from the DBS
directory under the Oracle Server's Oracle Home directory.
Note : As a precaution, the DBA should issue the command
"drop tablespace oss;" on the Oracle Server before deleting
this file.
Creating an Identity for the Oracle Security Server Repository
--------------------------------------------------------------
When a Net8 client and an Oracle8 Server authenticate to each other using
Oracle Security Server, they do so by verifying each other's certificates
against the Oracle Security Server Certificate Authority.
Since the database server used by the Oracle Security Server CA as a
Repository may be separate from the Enterprise Manager Console on
which the Certificate Authority is controlled, Net8 clients and Oracle8
servers must authenticate this particular database just as they authenticate
each other.
Therefore, the Oracle Security Server Repository database must itself
be given an Identity by the Certificate Authority. Oracle Security Server
Manager version 2.0.4 requires you to define an Identity for your Security
Server Repository immediately after you have defined the Identity for the
Certificate Authority itself.
Before Oracle Net8 clients and Oracle8 Servers can use your Oracle Security
Server, you must ensure that you have:
1. Created an Identity for your Oracle Security Server Repository with
Oracle Security Server Manager.
2. Created a certificate for this Identity with Oracle Security Server
Manager.
3. Created an Oracle Security Server Wallet at your Security Server
Repository database. This wallet must use the Identity given to the
Security Server Repository by the Certificate Authority at step 1.
Enterprise Authorizations
-------------------------
Security Server Enterprise Authorizations may only be granted and revoked
from an Approved Identity in the Approved Identity Property Page (on the
right hand side of the screen) if the "Advanced Mode" toggle button is
selected in the toolbar.
*************************************************************
Oracle Security Server 2.0.4 Production for Oracle
Server 8.0.4 Production
Global User and Global Role Administration
==========================================
This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01). It does not relate to the
Oracle Security Server Manager tool but rather to the operations required
by an Oracle8 DBA to make use of the Security Server.
. Creating Global Users in the Oracle 8.0.4 Server
. Rules for defining distinguished names
. Example correct and incorrect distinguished names
. Securing a database where a Security Server is already running
. Ending a single sign-on session
Creating Global Users in the Oracle 8.0.4 Server
------------------------------------------------
Create Global Users in your database using the Oracle Security
Manager, as part of Enterprise Manager 1.5.0. You are advised to use this
tool in preference to creating Global Users manually with Server Manager.
If you do choose to use Server Manager to add Global Users to your
Oracle 8.0.4 Server you must be careful when specifying the
Distinguished Name that the Global User will use on your database.
The syntax for Global User creation is:
create user <username> identified globally as <distinguished name>;
For example,
create user LISTER identified globally as 'C=US,O=ORACLE,CN=LISTER';
The distinguished name used in this example must exist in your Oracle
Security Server as an Oracle Security Server Approved Identity with exactly
the same name. Furthermore, the distinguished name must be specified
between two single quotes, as in the above example.
Rules for defining distinguished names
--------------------------------------
When specifying the distinguished name in the above syntax, there are six
possible components: Country name, Organization name,
Organizational Unit name, State, Locality, and Common Name. Each of these
categories uses the following notation in the distinguished name
respectively:
C=, O=, OU=, ST=, L=, and CN=. This notation is known as X509, version 1.
These categories are known as "attributes" within a distinguished name.
1. Attribute Order
A distinguished name must have at least the Common Name and any or all of the
other attributes specified in the following order:
C=<Country>,O=<Org>,OU=<Org Unit>,ST=<State>,L=<Loc>,CN=<Common Name>
2. Case Sensitivity
The distinguished name used in a Global User definition must use upper case
for each of the attribute names: C=, O=, OU=, ST=, L=, CN=.
The values given to these attributes are case sensitive and must
match, character for character, the values used in an Oracle Security Server
Identity.
3. Separators
The attributes in a distinguished name are separated only by a ','. You
must not use spaces between the attributes.
Example correct and incorrect distinguished names
-------------------------------------------------
Assume there exists an Approved Identity in the Oracle Security Server named
'C=UK,CN=Chrissy Kochansky'
The following are examples of INCORRECTLY specified distinguished names for this
identity, with the rule each one breaks:
'CN=Chrissy Kochansky,C=UK'      rule 1. Attribute Order
'cn=Chrissy Kochansky,c=UK'      rule 2. Case Sensitivity
'C=UK, CN=Chrissy Kochansky'     rule 3. Separators
'C=UK,CN=CHRISSY KOCHANSKY'      rule 2. Case Sensitivity
The following are all valid distinguished names:
'C=US,ST=CA,L=Belmont,CN=Arnold Johnson'
'O=Obsidian Corporation,ST=CA,CN=Laurence Liverpool'
'ST=AZ,CN=Paul Lee'
'C=UK,CN=Holly'
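A checker for the three rules above, run against the correct and incorrect names
listed in this section and used to build the "create user ... identified globally as"
statement from the previous section. This is an added example, not a tool shipped
with Oracle Security Server; the function names check_dn and create_global_user_sql
are the example's own. The rules it encodes are the ones stated in these notes; the
one addition is that it refuses a single quote inside the name, since the statement
embeds the name in a single-quoted literal.

```python
"""Distinguished-name checker for Oracle8 global users.

Added example, not code from the Oracle Security Server release. It
encodes the three rules in the notes (attribute order, case sensitivity,
separators) so that a DBA can check a candidate name before issuing
    create user <username> identified globally as '<distinguished name>';
"""
from __future__ import annotations

import re

# Rule 1: the attribute names and the only order in which they may appear.
ATTRIBUTE_ORDER = ("C", "O", "OU", "ST", "L", "CN")
_RANK = {name: index for index, name in enumerate(ATTRIBUTE_ORDER)}

# One "NAME=value" component; the value may itself contain '='.
_COMPONENT = re.compile(r"^([^=]+)=(.*)$")


def check_dn(dn: str, identity: str | None = None) -> list[str]:
    """Return the rule violations found in dn; an empty list means it is acceptable.

    dn is the bare name, without the single quotes the CREATE USER statement
    puts around it. If identity is given it is the exact name of the Approved
    Identity in the Security Server, which dn must match character for
    character (rule 2 applies to attribute values as well as names).
    """
    problems: list[str] = []
    names: list[str] = []
    for component in dn.split(","):
        # Rule 3: a bare ',' separates attributes, with no spaces around it.
        if component != component.strip():
            problems.append("rule 3 (Separators): whitespace around ',' near %r" % component)
            component = component.strip()
        match = _COMPONENT.match(component)
        if match is None:
            problems.append("malformed component %r, expected NAME=value" % component)
            continue
        name, value = match.groups()
        canonical = name.upper()
        if canonical not in _RANK:
            problems.append("unknown attribute %r; allowed: %s" % (name, ", ".join(ATTRIBUTE_ORDER)))
            continue
        # Rule 2 (attribute names): C=, O=, OU=, ST=, L=, CN= must be upper case.
        if name != canonical:
            problems.append("rule 2 (Case Sensitivity): attribute name %r must be written %r" % (name, canonical))
        if value == "":
            problems.append("empty value for %s=" % canonical)
        # Rule 1: each attribute must come after the ones listed before it.
        if names and _RANK[canonical] <= _RANK[names[-1]]:
            problems.append("rule 1 (Attribute Order): %s= may not follow %s=" % (canonical, names[-1]))
        names.append(canonical)
    if "CN" not in names:
        problems.append("rule 1 (Attribute Order): CN= (Common Name) is mandatory")
    # Rule 2 (attribute values): the name must match the Approved Identity exactly.
    if identity is not None and not problems and dn != identity:
        if dn.upper() == identity.upper():
            problems.append("rule 2 (Case Sensitivity): values differ from identity %r only in case" % identity)
        else:
            problems.append("does not name the Approved Identity %r" % identity)
    return problems


def create_global_user_sql(username: str, dn: str, identity: str | None = None) -> str:
    """Build the CREATE USER statement from the notes, refusing a name that
    breaks a rule or that could escape the single-quoted literal."""
    problems = check_dn(dn, identity)
    if problems:
        raise ValueError("; ".join(problems))
    if "'" in dn:
        raise ValueError("single quote in distinguished name")
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9_$#]*", username) is None:
        raise ValueError("unexpected characters in username %r" % username)
    return "create user %s identified globally as '%s';" % (username, dn)


if __name__ == "__main__":
    identity = "C=UK,CN=Chrissy Kochansky"   # Approved Identity from the notes
    for candidate in ("CN=Chrissy Kochansky,C=UK", "cn=Chrissy Kochansky,c=UK",
                      "C=UK, CN=Chrissy Kochansky", "C=UK,CN=CHRISSY KOCHANSKY", identity):
        print(repr(candidate), "->", check_dn(candidate, identity) or "OK")
    print(create_global_user_sql("LISTER", "C=US,O=ORACLE,CN=LISTER"))
```

check_dn reports rule 1 for the first incorrect name, rule 2 for the second (which,
since cn= precedes c=, also breaks rule 1), rule 3 for the third, and rule 2 for the
fourth; the fourth is only caught when the Approved Identity is supplied, because
its syntax is otherwise fine and only the value of CN= differs in case. The four
valid names return an empty list.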
Ending a single sign-on session
-------------------------------
The "osslogin" utility supplied with the Oracle Net8 client allows you to
download your wallet from the Oracle Security Server and decrypt your private
credentials in order to access multiple databases
as the same Global User.
There is no accompanying "logout" utility with this release of Net8. When
you are finished using your credentials, you are advised to delete the file
"clearkey.oss". This file is located in your Oracle Security Server Wallet
directory; it contains your private key.
You may regenerate your private key when needed by re-running the
"osslogin" utility.
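Because there is no logout utility, a decrypted private key can easily be forgotten
on disk. The following sweep is an added example, not an Oracle utility: it walks a
directory tree for clearkey.oss files older than a chosen age and removes them, so
that a key left behind after a session is found and cleaned up. The wallet
directory layout it builds for the demonstration (alice/wallet and bob/wallet under
a temporary root) is constructed, since the notes do not give the wallet directory's
path.

```python
"""Sweep for leftover clearkey.oss files.

Added example, not a utility from the Oracle Security Server release. The
notes state that this Net8 release has no "logout" counterpart to osslogin
and that the decrypted private key lives in clearkey.oss inside the wallet
directory until the user deletes it. This sweep reports every clearkey.oss
under a root directory that is older than a chosen age, and can remove
them; the key is recreated by re-running osslogin. The directory layout
built by make_sample_wallets() is constructed for the demonstration.
"""
import os
import tempfile
import time

CLEARKEY_NAME = "clearkey.oss"  # file name given in the release notes


def find_stale_clearkeys(root, max_age_seconds, now=None):
    """Return [(path, age_seconds), ...] for each clearkey.oss below root
    whose last modification is more than max_age_seconds ago."""
    now = time.time() if now is None else now
    stale = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower() != CLEARKEY_NAME:
                continue
            path = os.path.join(dirpath, filename)
            age = now - os.path.getmtime(path)
            if age > max_age_seconds:
                stale.append((path, age))
    return stale


def remove_stale_clearkeys(root, max_age_seconds, now=None):
    """Delete the files find_stale_clearkeys() reports; returns the removed paths."""
    removed = []
    for path, _age in find_stale_clearkeys(root, max_age_seconds, now):
        os.remove(path)
        removed.append(path)
    return removed


def make_sample_wallets(now):
    """Build a constructed tree with two wallet directories: one holding a
    clearkey.oss left behind two hours ago, one written just now.
    Returns (root, stale_path, fresh_path)."""
    root = tempfile.mkdtemp(prefix="oss_wallets_")
    stale_dir = os.path.join(root, "alice", "wallet")   # constructed layout
    fresh_dir = os.path.join(root, "bob", "wallet")
    os.makedirs(stale_dir)
    os.makedirs(fresh_dir)
    stale_path = os.path.join(stale_dir, CLEARKEY_NAME)
    fresh_path = os.path.join(fresh_dir, CLEARKEY_NAME)
    for path, mtime in ((stale_path, now - 2 * 3600), (fresh_path, now)):
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real key\n")
        os.utime(path, (mtime, mtime))
    return root, stale_path, fresh_path


if __name__ == "__main__":
    now = time.time()
    root, _stale, _fresh = make_sample_wallets(now)
    for path, age in find_stale_clearkeys(root, 3600, now):
        print("stale private key: %s (%.0f s old)" % (path, age))
    print("removed:", remove_stale_clearkeys(root, 3600, now))
```

Run periodically (for example from a scheduler) against the directory that holds
users' wallet directories with an age threshold matching your expected session
length; anyone whose key is removed simply re-runs osslogin, as the notes describe.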