Oracle Security Server

Release 2.0.4

Release Notes

*******************************************

Copyright (C) 1997 Oracle Corporation

This software/documentation contains proprietary information of Oracle Corporation; it is
provided under a license agreement containing restrictions on use and disclosure and is
also protected by copyright law. Reverse engineering of the software is prohibited.

If this software/documentation is delivered to a U.S. Government Agency of the Department
of Defense, then it is delivered with Restricted Rights and the following legend is
applicable:

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth
in subparagraph (c) (1) (ii) of DFARS 252.227-7013, Rights in Technical Data and Computer
Software (October 1988).

If this software/documentation is delivered to a U.S. Government Agency not within the
Department of Defense, then it is delivered with "Restricted Rights," as defined in FAR
52.227-14, Rights in Data - General, including Alternate III (June 1987).

Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

This version supports International Security with RSA Public Key Cryptography, MD2, MD5,
and RC4.

This product contains encryption and/or authentication engines from RSA Data Security,
Inc. Copyright 1996 RSA Data Security, Inc. All rights reserved.

Oracle and SQL*Net are registered trademarks of Oracle Corporation, Redwood City,
California. Oracle Security Server, Oracle Enterprise Manager, Net8, and Oracle8 are
trademarks of Oracle Corporation, Redwood City, California.

All other products or company names are used for identification purposes only, and may be
trademarks of their respective owners.

*********************************************

Overview
========

Oracle Security Server provides a global, centralized authentication framework based on
public key cryptography. Oracle Security Server uses certificates instead of passwords
for user authentication, significantly raising the level of assurance that users are
whom they claim to be. Oracle Security Server works with Oracle8 clients and servers,
connecting with SQL*Net v2 or Net8. It requires Net8 between its component parts.

For further information about the Oracle Security Server, see the Oracle Security Server
Guide.

Contents of This Read Me File
=============================

- Installing the Oracle Security Server Repository
- Oracle Security Server Manager Tool - Additional Information
- Global User and Global Role Administration


Installing the Oracle Security Server Repository
================================================

This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01).

Oracle Security Server Repository Dependencies
----------------------------------------------

To use a given database as an Oracle Security Server Repository, that database
must be running an Oracle 8.0.4 Server or greater.

Before proceeding with this installation, you must also make sure that
Net8 release 8.0.4 or higher is running on the given database.


Configuring the Oracle Security Server Repository
-------------------------------------------------

In order for Oracle clients and servers to access information on the Oracle Security
Server Repository, the Repository must also be enabled for secure connections. Follow the
same steps as for any other Oracle Security Server client or server, as outlined in the
section "Configuring Oracle Security Adapters on Clients and Servers". This includes
setting up the Repository's sqlnet.ora file correctly and installing the Repository's
wallet via the osslogin tool.


Oracle Security Server Manager, an Enterprise Manager Tool
==========================================================

Oracle Security Server Manager 2.0.4 for Oracle Enterprise Manager 1.5.0 Production.

This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01).

- Logging in to Oracle Security Server Manager
- Creating and Deleting your Security Server Repository
- Creating an Identity for the Oracle Security Server Repository
- Enterprise Authorizations

Logging in to Oracle Security Server Manager
--------------------------------------------

You must log into Oracle Security Server Manager as user
"oracle_security_service_admin". This user is created when you run the Create Oracle
Security Server utility and its password is defined when you install the product.
Oracle Security Server Manager cannot operate under any other Oracle user. Therefore,
usernames like SYSTEM and INTERNAL are invalid.

Note: If you try to run Oracle Security Server Manager as any other user, you will not be
able to access the data in your Security Server Repository. Do not try to create a new
Security Server Repository while logged in as any other user.

Creating and Deleting your Security Server Repository
-----------------------------------------------------

There is a utility named "Create Oracle Security Server" in the Oracle Security Server
Program Group. This utility allows you to prepare a database for use as an Oracle
Security Server Repository.

Note: The Create utility adds two users, "oracle_security_service" and
"oracle_security_service_admin", to your database. It also adds a tablespace and
datafiles to your Oracle Server to support these users. You may inspect the file
nzdocrt.sql in your OSS directory under the Oracle Home directory for the exact SQL used
in these operations.

There is also a utility named "Delete Oracle Security Server" in the Oracle Security
Server Program Group. This utility allows you to undo the changes made to your database
by the Create utility.

WARNING: This utility will completely erase the contents of your Oracle Security Server
Repository and should only be used if you are absolutely sure that you wish to destroy
all the Identities and Authorizations held in it.

Note: Do not use these utilities against an Oracle Server that has an existing
oracle_security_service_admin user currently logged on.

Both utilities ask you to provide log-on details for the database you wish to configure.
You should supply the SYSTEM username, password and Net8 service name. If you are not
using a remote database then you need only supply the SYSTEM username and password.

Known Problem:

If you use the "Create Oracle Security Server" utility against a database where this
operation has already been performed, or you run the utility against a database where
you have already used the "Delete Oracle Security Server" utility, you may see the
following error:

XP-07016: A database error has occurred:
create tablespace oss
datafile 'oss.dbf' SIZE 10M
ORA-01119: error in creating database file 'oss.dbf'
ORA-27038: skgfrcre: file exists
XP-07031: An error occurred while processing file C:\ORANT/OSS/nzdocrt.sql

This error occurs because there is still a datafile present on your Oracle Server from
the last time Oracle Security Server was installed. To remedy this problem, the Oracle
DBA must delete the file "oss.dbf" from the DBS directory under the Oracle Server's
Oracle Home directory.

Note: As a precaution, the DBA should issue the command "drop tablespace oss;" on the
Oracle Server before deleting this file.

Creating an Identity for the Oracle Security Server Repository
--------------------------------------------------------------

When a Net8 client and Oracle8 Server authenticate to each other using Oracle Security
Server, they do so by verifying each other's certificates against the Oracle Security
Server Certificate Authority.

Since the database server used by the Oracle Security Server CA as a Repository may be
separate from the Enterprise Manager Console on which the Certificate Authority is
controlled, Net8 clients and Oracle8 servers must authenticate this particular database
just as they authenticate each other.

Therefore, the Oracle Security Server Repository database must itself be given an
Identity by the Certificate Authority. Oracle Security Server Manager version 2.0.4
requires you to define an Identity for your Security Server Repository immediately after
you have defined the Identity for the Certificate Authority itself.

Before Oracle Net8 clients and Oracle8 Servers can use your Oracle Security Server, you
must ensure that you have:

1. Created an Identity for your Oracle Security Server Repository with Oracle Security
   Server Manager.

2. Created a certificate for this Identity with Oracle Security Server Manager.

3. Created an Oracle Security Server Wallet at your Security Server Repository database.
   This wallet must use the Identity given to the Security Server Repository by the
   Certificate Authority at step 1.

Enterprise Authorizations
-------------------------

Security Server Enterprise Authorizations may only be granted and revoked from an
Approved Identity in the Approved Identity Property Page (on the right hand side of the
screen) if the "Advanced Mode" toggle button is selected in the toolbar.

*************************************************************

Oracle Security Server 2.0.4 Production for Oracle Server 8.0.4 Production

Global User and Global Role administration
==========================================

This section contains information on the following topics to supplement the Oracle
Security Server Guide (Part #A54088-01). It does not relate to the Oracle Security Server
Manager tool but rather to the operations required by an Oracle8 DBA to make use of the
Security Server.

- Creating Global Users in the Oracle 8.0.4 Server
- Rules for defining distinguished names
- Example correct and incorrect distinguished names
- Securing a database where a Security Server is already running
- Ending a single sign-on session

Creating Global Users in the Oracle 8.0.4 Server
------------------------------------------------

Create Global Users in your database using the Oracle Security Manager, as part of
Enterprise Manager 1.5.0. You are advised to use this tool in preference to creating
Global Users manually with Server Manager.

If you do choose to use Server Manager to add Global Users to your Oracle 8.0.4 Server,
you must be careful when specifying the Distinguished Name that the Global User will use
on your database. The syntax for Global User creation is:

create user <username> identified globally as <distinguished name>;

For example,

create user LISTER identified globally as 'C=US,O=ORACLE,CN=LISTER';

The distinguished name used in this example must exist in your Oracle Security Server as
an Oracle Security Server Approved Identity with exactly the same name. Furthermore, the
distinguished name should be specified between two single quotes, as in the above example.

Rules for defining distinguished names
--------------------------------------

When specifying the distinguished name in the above syntax, there are six possible
components: Country name, Organization name, Organizational Unit name, State, Locality,
and Common Name. Each of these categories uses the following notation in the
distinguished name respectively: C=, O=, OU=, ST=, L=, and CN=. This notation is known as
X.509, version 1. These categories are known as "attributes" within a distinguished name.

1. Attribute Order

A distinguished name must have at least the Common Name and any or all of the other
attributes, specified in the following order:

C=<Country>,O=<Org>,OU=<Org Unit>,ST=<State>,L=<Loc>,CN=<Common Name>

2. Case Sensitivity

The distinguished name used in a Global User definition must use upper case for each of
the attribute names: C=, O=, OU=, ST=, L=, CN=. The values given to these attributes are
case sensitive and must match, character for character, the values used in an Oracle
Security Server Identity.

3. Separators

The attributes in a distinguished name are separated only by a ','. You must not use
spaces between the attributes.


Example correct and incorrect distinguished names
-------------------------------------------------

Assume there exists an Approved Identity in the Oracle Security Server named

'C=UK,CN=Chrissy Kochansky'

The following are examples of INCORRECTLY specified distinguished names for this
identity:

'CN=Chrissy Kochansky,C=UK'      violates rule 1, Attribute Order
'cn=Chrissy Kochansky,c=UK'      violates rule 2, Case Sensitivity
'C=UK, CN=Chrissy Kochansky'     violates rule 3, Separators
'C=UK,CN=CHRISSY KOCHANSKY'      violates rule 2, Case Sensitivity

The following are all valid Distinguished Names:

'C=US,ST=CA,L=Belmont,CN=Arnold Johnson'
'O=Obsidian Corporation,ST=CA,CN=Laurence Liverpool'
'ST=AZ,CN=Paul Lee'
'C=UK,CN=Holly'
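As an added example (not code from these release notes or from Oracle), the three distinguished-name rules above and the "create user ... identified globally as" syntax from the Creating Global Users section, in Python: a checker that reports which rule a DN breaks, and a builder that emits the DDL only for a DN that passes and, when one is given, matches the Approved Identity character for character. It assumes attribute values contain no commas, since the notes give no escaping syntax, and the username shape it accepts is its own guard rather than anything the notes specify.

```python
import re

# Rule 1: the six attributes in the only order allowed; CN is mandatory.
ATTRIBUTE_ORDER = ("C", "O", "OU", "ST", "L", "CN")
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")  # plain identifier (own guard)


def check_global_user_dn(dn, approved_identity=None):
    """Return the rule violations found in dn (empty list = valid); splits on every ','."""
    problems, last_index, seen = [], -1, set()
    for component in dn.split(","):
        # Rule 3: ',' is the only separator, so surrounding whitespace means a
        # space was put between attributes.
        if component != component.strip():
            problems.append("rule 3: space between attributes at %r" % component)
            component = component.strip()
        name, sep, value = component.partition("=")
        if not sep or not value:
            problems.append("rule 1: malformed attribute %r" % component)
            continue
        # Rule 2: attribute names are the upper-case forms C=, O=, OU=, ST=, L=, CN=.
        if name not in ATTRIBUTE_ORDER:
            problems.append("rule 2: attribute name not upper case or unknown: %r" % name)
            if name.upper() not in ATTRIBUTE_ORDER:
                continue
        index = ATTRIBUTE_ORDER.index(name.upper())
        # Rule 1: each attribute at most once, in C,O,OU,ST,L,CN order.
        if index <= last_index:
            problems.append("rule 1: attribute out of order or repeated: %r" % name)
        last_index = max(last_index, index)
        seen.add(name.upper())
    if "CN" not in seen:
        problems.append("rule 1: CN= is required")
    # Rule 2: values are case sensitive and must match the Approved Identity exactly.
    if approved_identity is not None and dn != approved_identity:
        problems.append("rule 2: does not match Approved Identity %r" % approved_identity)
    return problems


def create_global_user_sql(username, dn, approved_identity=None):
    """Build the create user ... identified globally as statement; refuse a bad DN."""
    if not USERNAME_RE.match(username):
        raise ValueError("username is not a plain Oracle identifier: %r" % username)
    problems = check_global_user_dn(dn, approved_identity)
    if problems:
        raise ValueError("; ".join(problems))
    # A single quote inside the DN is doubled so the string literal stays well formed.
    return "create user %s identified globally as '%s';" % (username, dn.replace("'", "''"))
```

Run against the four incorrect and four valid names above, the checker names the same rule the notes do for each incorrect one and returns no problems for the valid ones.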

Ending a single sign-on session
-------------------------------

The "osslogin" utility supplied with the Oracle Net8 client allows you to download your
wallet from the Oracle Security Server and decrypt your private credentials in order to
access multiple databases as the same Global User.

There is no accompanying "logout" utility with this release of Net8. When you are
finished using your credentials, you are advised to delete the file "clearkey.oss". This
file is located in your Oracle Security Server Wallet directory; it contains your private
key.

You may regenerate your private key when needed by re-running the "osslogin" utility.