2
Configuration and Administration Tools Overview

Configuring advanced security features for an Oracle database includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure, as is required for Secure Sockets Layer (SSL). In addition, an Oracle database can be configured to interoperate with an LDAP directory, such as Oracle Internet Directory, to enable Enterprise User Security, a feature that enables you to store and manage database users in a centralized directory.

Such diverse advanced security features require a diverse set of tools with which to configure and administer them. This chapter introduces the tools used to configure and administer advanced security features for an Oracle database in the following topics:

• Network Encryption and Strong Authentication Configuration Tools
• Public Key Infrastructure Credentials Management Tools
• Enterprise User Security Configuration and Management Tools
• Duties of a Security Administrator/DBA
• Duties of an Enterprise User Security Administrator/DBA

Network Encryption and Strong Authentication Configuration Tools

Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database:

• Oracle Net Manager
• Oracle Advanced Security Kerberos Adapter Command-Line Utilities

Oracle Net Manager

Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host.

Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following Oracle Advanced Security features, which use the Oracle Net protocol:

• Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
• Network encryption (RC4, DES, Triple-DES, and AES)
• Checksumming for data integrity (MD5, SHA-1)

This section introduces you to the features of Oracle Net Manager that are used to configure Oracle Advanced Security. It contains the following topics:

• Starting Oracle Net Manager
• Navigating to the Oracle Advanced Security Profile

  See Also: "Duties of a Security Administrator/DBA" for information about the tasks you can perform with this tool that configure advanced security features. Oracle Net Services Administrator's Guide and Oracle Net Manager online help for complete documentation of this tool.

Starting Oracle Net Manager

You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a standalone application. However, you must use the standalone application to access the Oracle Advanced Security Profile where you can configure Oracle Advanced Security features.

To start Oracle Net Manager as a standalone application:

• (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

  netmgr
  
  

• (Windows) Choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Net Manager

Navigating to the Oracle Advanced Security Profile

The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane, which displays various property sheets that enable you to configure network components. When you select a network object in the navigator pane, its associated property sheets displays in the right pane. To configure Oracle Advanced Security features, choose the Profile object in the navigator pane, and then select Oracle Advanced Security from the list in the right pane, as shown in Figure 2-1.

Figure 2-1 Oracle Advanced Security Profile in Oracle Net Manager

Text description of the illustration ntmgrpro.gif

Oracle Advanced Security Profile Property Sheets

The Oracle Advanced Security Profile contains the following property sheets, which are described in the following sections:

• Authentication Property Sheet
• Other Params Property Sheet
• Integrity Property Sheet
• Encryption Property Sheet
• SSL Property Sheet

Authentication Property Sheet

Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS.

Other Params Property Sheet

Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.

Integrity Property Sheet

Use this property sheet to enable checksumming on the client or the server and to select an encryption algorithm for generating secure message digests.

Encryption Property Sheet

Use this property sheet to select one or more cipher suites to encrypt client or server connections with native encryption algorithms.

SSL Property Sheet

Use this property sheet to configure Secure Sockets Layer (SSL), including the wallet location and cipher suite, on a client or server.

Oracle Advanced Security Kerberos Adapter Command-Line Utilities

The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following table briefly describes these utilities:

Utility Name	Description
okinit	Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache
oklist	Displays a list of Kerberos tickets in the specified credential cache
okdstry	Removes Kerberos credentials from the specified credential cache

Public Key Infrastructure Credentials Management Tools

The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current:

• Oracle Wallet Manager
• orapki Utility

Oracle Wallet Manager

Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:

Create public and private key pairs	Store and manage user credentials
Generate certificate requests	Store and manage certificate authority certificates (root key certificate and certificate chain)
Upload and download wallets to and from an LDAP directory	Create wallets to store hardware security module credentials

The following topics introduce the Oracle Wallet Manager user interface:

• Starting Oracle Wallet Manager
• Navigating the Oracle Wallet Manager User Interface
• Toolbar
• Menus

  See Also: Chapter 8, "Using Oracle Wallet Manager" for detailed information about using this application

Starting Oracle Wallet Manager

To start Oracle Wallet Manager:

• (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

  owm
  

• (Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Wallet Manager

Navigating the Oracle Wallet Manager User Interface

The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2-2.

Figure 2-2 Oracle Wallet Manager User Interface

Text description of the illustration owmntrfc.gif

Navigator Pane

The navigator pane provides a graphical tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.

The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to

• Expand and contract wallet objects so that you can manage the user and trusted certificates they contain.
• Right-click a wallet, certificate, or certificate request to perform operations on it such as add, remove, import, or export.

When you expand a wallet, you see a nested list of user and trusted certificates. When you select a wallet or certificate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2-1 lists the main objects that display in the navigator pane.

Table 2-1  Oracle Wallet Manager Navigator Pane Objects

Object	Description
Wallet	Password-protected container that is used to store authentication and signing credentials
Certificate RequestFoot 1	A PKCS #10-encoded message containing the requester's distinguished name (DN), a public key, the key size, and key type. See also certificate request.
CertificateFootref 1	An X.509 data structure containing the entity's DN, public key, and is signed by a trusted identity (certificate authority). See certificate
Trusted CertificatesFootref 1	Sometimes called a root key certificate, is a certificate from a third party identity that is qualified with a level of trust. See trusted certificate

1 These objects display only after you create a wallet, generate a certificate request, and import a certificate into the wallet.

Right Pane

The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.

Figure 2-3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type fields. The PKCS #10-encoded certificate request displays in the Certificate Request text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file.

Figure 2-3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane

Text description of the illustration owmrtpan.gif

Toolbar

The toolbar contains buttons that enable you to manage your wallets. Move the mouse cursor over a toolbar button to display a description of the button's function. The toolbar buttons are listed and described in Table 2-2.

Table 2-2  Oracle Wallet Manager Toolbar Buttons 

Toolbar Button	Description
New	Creates a new wallet
Open Wallet	Enables you to browse your file system to locate and open an existing wallet
Save Wallet	Saves the currently open wallet
Delete Wallet	Deletes wallet currently selected in the navigator pane
Help	Opens the Oracle Wallet Manager online help

Menus

You use Oracle Wallet Manager menus to manage your wallets and the credentials they contain. The following sections describe the options that are available under each menu.

Wallet Menu

Table 2-3 describes the contents of the Wallet menu.

Table 2-3  Oracle Wallet Manager Wallet Menu Options 

Option	Description
New	Creates a new wallet
Open	Opens an existing wallet
Close	Closes the currently open wallet
Upload Into The Directory Service	Uploads a wallet to a specified LDAP directory server. You must supply a directory password, hostname, and port information
Download From The Directory Service	Downloads a wallet from a specified LDAP directory server. You must supply a directory password, hostname, and port information.
Save	Saves the currently open wallet in the current working directory.
Save As	Enables you to browse your file system to choose a directory location in which to save the currently open wallet.
Save In System Default	Saves the currently open wallet in the system default location: (UNIX) /etc/ORACLE/WALLETS/<username> (Windows) %USERPROFILE%\<username>
Delete	Deletes the wallet in the current working directory. You must supply the wallet password.
Change Password	Changes the password for the currently open wallet. You must supply the old password before you can create a new one.
Auto Login	Sets the auto login feature for the currently open wallet. See auto login wallet
Exit	Exits the Oracle Wallet Manager application

Operations Menu

Table 2-4 describes the contents of the Operations menu.

Table 2-4  Oracle Wallet Manager Operations Menu Options 

Option	Description
Add Certificate Request	Generates a certificate request for the currently open wallet that you can use to request a certificate from a certificate authority (CA).
Import User Certificate	Imports the user certificate issued to you from the CA. You must import the issuing CA's certificate as a trusted certificate before you can import the user certificate.
Import Trusted Certificate	Imports the CA's trusted certificate.
Remove Certificate Request	Deletes the certificate request in the currently open wallet. You must remove the associated user certificate before you can delete a certificate request.
Remove User Certificate	Deletes the user certificate from the currently open wallet.
Remove Trusted Certificate	Removes the trusted certificate that is selected in the navigator pane from the currently open wallet. You must remove all user certificates that the trusted certificate signs before you can remove it.
Export User Certificate	Exports the user certificate in the currently open wallet to save in a file system directory.
Export Certificate Request	Exports the certificate request in the currently open wallet to save in a file.
Export Trusted Certificate	Exports the trusted certificate that is selected in the navigator pane to save in another location in your file system.
Export All Trusted Certificates	Exports all trusted certificates in the currently open wallet to save in another location in your file system.
Export Wallet	Exports the currently open wallet to save as a text file.

Help Menu

Table 2-5 describes the contents of the Help menu.

Table 2-5  Oracle Wallet Manager Help Menu Options

Option	Description
Contents	Opens Oracle Wallet Manager online help.
Search for Help on	Opens Oracle Wallet Manager online help and displays the Search tab.
About Oracle Wallet Manager	Opens a window that displays the Oracle Wallet Manager version number and copyright information.

orapki Utility

The orapki utility is a command line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes.

The basic syntax for this utility is as follows:

orapki module command -option_1 argument ... -option_n argument

For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.acme.com and that uses port 389:

orapki crl list -ldap machine1.us.acme.com:389

Enterprise User Security Configuration and Management Tools

Enterprise users are database users who are stored and centrally managed in an LDAP directory, such as Oracle Internet Directory. Table 2-6 provides a summary of the tools that are used to configure and manage Enterprise User Security. The following subsections introduce and describe these tools.

Table 2-6 Enterprise User Security Tools Summary

Tool	Task
Database Configuration Assistant	Register and un-register databases in Oracle Internet Directory
Enterprise Security Manager and Enterprise Security Manager Console	Configure enterprise domains and databases in Oracle Internet Directory Create users and manage their passwords Manage identity management realm attributes and administrative groups that pertain to Enterprise User Security in Oracle Internet Directory
Oracle Internet Directory Self-Service Console (Delegated Administration Service)	Manage identity management realms in Oracle Internet Directory For information about this tool, refer to Oracle Internet Directory Administrator's Guide.
Oracle Net Configuration Assistant	Configure databases Oracle home for directory usage over the network
Oracle Wallet Manager	Manage Oracle wallets for Enterprise User Security
User Migration Utility	Perform bulk migrations of database users to Oracle Internet Directory

Database Configuration Assistant

Database Configuration Assistant is a wizard-based tool which is used to create and configure Oracle databases.

Use Database Configuration Assistant to register a database with the directory. When you register a database with the directory, Database Configuration Assistant creates a distinguished name (DN) for the database and the corresponding entry and subtree in Oracle Internet Directory

Starting Database Configuration Assistant

To start Database Configuration Assistant:

• (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

  dbca
  
  

• (Windows) Choose Start > Programs > Oracle - HOME_NAME > Database Administration > Database Configuration Assistant

  See Also: "To register a database in the directory:" for information about using this tool to register your database. Oracle Database Administrator's Guide for more information about this tool.

Enterprise Security Manager and Enterprise Security Manager Console

Oracle Advanced Security employs Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users, administrative groups, enterprise domains, and enterprise roles that are stored in Oracle Internet Directory. (Enterprise Security Manager Console can be accessed through the Enterprise Security Manager Operations menu. See "Enterprise Security Manager Console Overview" for details.)

Enterprise users are users who are provisioned and managed centrally in an LDAP-compliant directory, such as Oracle Internet Directory, for database access. Enterprise domains are directory constructs that contain databases and enterprise roles, the access privileges that are assigned to enterprise users.

This section discusses the following topics:

• Enterprise Security Manager Initial Installation and Configuration Overview
• Starting Enterprise Security Manager
• Navigating the Enterprise Security Manager User Interface
• Enterprise Security Manager Console Overview
• Logging in to Enterprise Security Manager Console
• Navigating Enterprise Security Manager Console User Interface

Enterprise Security Manager Initial Installation and Configuration Overview

The following tasks provide an overview of the initial Enterprise Security Manager installation and configuration:

• Task 1: Install Enterprise Security Manager
• Task 2: Configure an Oracle Identity Management Infrastructure

Task 1: Install Enterprise Security Manager

Enterprise Security Manager is automatically installed by the Oracle Database Enterprise Edition server installation process.

Task 2: Configure an Oracle Identity Management Infrastructure

Enterprise User Security uses Oracle Internet Directory in which to store enterprise users. Enterprise Security Manager uses Oracle Internet Directory Delegated Administration Services to provide an administrative GUI (Enterprise Security Manager Console), and OracleAS Single Sign-On server to authenticate administrators when they log in to the console. Consequently, Oracle Internet Directory and OracleAS Single Sign-On server, which are part of the Oracle Identity Management infrastructure, must be properly installed and configured before Enterprise Security Manager can be used to manage Enterprise User Security. The following elements of Oracle Identity Management infrastructure configuration must be completed before proceeding:

• Oracle Internet Directory 10g (9.0.4) must be installed, running, and accessible over standard LDAP or Secure Sockets Layer LDAP (LDAP/SSL).
• Oracle Internet Directory must include an identity management realm. You can use Oracle Internet Directory Configuration Assistant to configure this on the directory server.
• OracleAS Single Sign-On server must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.

  See Also: Oracle Internet Directory Administrator's Guide for information about using Oracle Internet Directory Configuration Assistant to create or upgrade an identity management realm in the directory. This manual also contains general information about how to configure and use the directory. OracleAS Single Sign-On Administrator's Guide for information about configuring OracleAS Single Sign-On Server.

Starting Enterprise Security Manager

To launch Enterprise Security Manager, use the following steps:

1. Depending on your operating system, use one of the following options:
   • (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

     esm
     
     

   • (Windows)

     Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Enterprise Security Manager

   The directory server login window appears:

Figure 2-4 Directory Server Login Window

Text description of the illustration esm0001.gif

2. Log in to Oracle Internet Directory by selecting the authentication method and providing the hostname and port number for your directory. Table 2-7 describes the two available Enterprise Security Manager authentication methods and what each method requires:

   Table 2-7  Enterprise Security Manager Authentication Methods

   Authentication Method	Description
   Password Authentication	Uses simple authentication requiring a distinguished name (DN) or a known directory user name and passwordFoot 1.
   SSL Client Authentication	Uses two-way SSL authentication in which both the client and server use Oracle Wallets containing digital certificates (that is, the user name and certificate). The subsequent connection is encrypted.

   1 Known directory user name and password can be used only for the default identity management realm in the directory.

3. After providing the directory login information, click OK. The main Enterprise Security Manager user interface appears.

Navigating the Enterprise Security Manager User Interface

The Enterprise Security Manager user interface includes two panes, a toolbar, and various menu items as shown in Figure 2-5.

Figure 2-5 Enterprise Security Manager User Interface

Text description of the illustration esmuintr.gif

Navigator Pane

The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.

The navigator pane enables you to

• Expand and contract identity management realms by clicking the plus and minus symbols (+ -) adjacent to the realm name in the navigation tree. This enables you to manage the enterprise domains that they contain.
• Right-click an enterprise domain to perform operations such as creating enterprise roles or deleting the domain from the identity management realm.

When you expand an identity management realm, you see a nested list of folders that contain enterprise user security objects. Expanding these folders enables you to view the individual objects as described in Table 2-8.

Table 2-8  Enterprise Security Manager Navigator Pane Folders

Folder	Description
Databases	When you expand this folder, you see the databases which are registered with this identity management realm. Databases are registered with a directory by using Database Configuration Assistant.
Enterprise Domains	When you expand this folder, you see the enterprise domains that this realm contains. You can also expand each enterprise domain to view the databases and enterprise roles that it contains.
Users, by Search Base	When you expand this folder, you see the users stored in the realm. The display of users is organized by search base, which is the node in the directory under which a collection of users resides.

Right Pane

The right pane displays read-only information about an object that is selected in the navigator pane, or it displays tabbed windows that enable you to configure enterprise domains, enterprise roles, and user-schema mappings. For example, when you select an enterprise domain in the navigator pane, you can add databases to it by using the Databases tabbed window that is shown in Figure 2-6.

Figure 2-6 Enterprise Security Manager Databases Tabbed Window

Text description of the illustration esmrtpan.gif

The Databases tabbed window also enables you to set security options for databases which are members of an enterprise domain. See "Defining Database Membership of an Enterprise Domain" for a discussion of configuring enterprise domains by using the Databases tabbed window.

Tool Bar

The toolbar contains two buttons that enable you to access the Enterprise Security Manager online help and to delete directory objects.

Menus

You use Enterprise Security Manager menus to create or remove enterprise domains and to manage objects within the domains, such as enterprise roles or database membership. The following sections describe the options that are available under each menu.

File Menu

Table 2-9 describes the contents of the File menu.

Table 2-9  Enterprise Security Manager File Menu Options

Option	Description
Change Directory Connection	Causes the Directory Server Login window to reappear (see Figure 2-4), enabling you to log in to another directory server.
Directory Search Options	For user searches in the directory, this menu option enables you to configure the maximum number of displayed search results, the maximum search duration, or an LDAP filter.
ESM Console URL	Enables you to specify the URL for your installation of Enterprise Security Manager Console. (See "Enterprise Security Manager Console Overview")
Exit	Exits the Enterprise Security Manager application.

Operations Menu

Table 2-10 describes the contents of the Operations menu.

Table 2-10  Enterprise Security Manager Operations Menu Options

Option	Description
Create Enterprise Domain	Creates an enterprise domain in the realm that is selected in the navigator pane.
Remove Enterprise Domain	Removes the enterprise domain that is selected in the navigator pane.
Create Enterprise Role	Creates an enterprise role in the enterprise domain that is selected in the navigator pane.
Remove Enterprise Role	Removes the enterprise role that is selected in the navigator pane.
Launch ESM Console	Brings up the Enterprise Security Manager Console in your default browser.

Help Menu

Table 2-11 describes the contents of the Help menu.

Table 2-11  Enterprise Security Manager Help Menu Options

Option	Description
Contents	Opens the online help and displays its table of contents.
Search for Help on	Displays the search window for the online help.
Using Help	Displays online help topics that describe how to use the online help system
About Enterprise Security Manager	Displays Enterprise Security Manager version number and copyright information

Enterprise Security Manager Console Overview

Enterprise Security Manager uses a directory management console, Enterprise Security Manager Console, to administer enterprise users and groups, and to configure an identity management realm for Enterprise User Security. By default, when you log in to a directory server with Enterprise Security Manager it uses port 7777 with the fully qualified domain name of that directory server to construct an Enterprise Security Manager Console URL. Then, when you need to launch the console, Enterprise Security Manager uses this URL to connect to it over HTTP.

For example, if an Acme Company administrator logs into an instance of Oracle Internet Directory that is hosted on a machine named machine123, then Enterprise Security Manager would use the following URL to connect to Enterprise Security Manager Console:

http://machine123.us.acme.com:7777/

After launching the console, administrators must log in by using their OracleAS Single Sign-On username and password pairs.

Logging in to Enterprise Security Manager Console

If you can use the URL that is constructed by default to access an instance of Enterprise Security Manager Console, then use the following steps to log in to the console.

To log in to Enterprise Security Manager Console:

1. From the Enterprise Security Manager main application window, choose Operations > Launch ESM Console.

   The Enterprise Security Manager Console login page appears, as shown in Figure 2-7.

Figure 2-7 Enterprise Security Manager Console Login Page

Text description of the illustration esmconso.gif

2. Click the Login icon in the upper right-corner of the page to log in with your OracleAS Single Sign-On username and password.

   After providing your OracleAS Single Sign-On credentials, you are returned to the console home page.

To change the default Enterprise Security Manager Console URL:

If you cannot use the default URL to connect to the Enterprise Security Manager Console, then you must enter the appropriate URL before you can launch the console.

1. In the Enterprise Security Manager main application, choose File > ESM Console URL. The ESM Console URL window appears as shown in Figure 2-8.

Figure 2-8 ESM Console URL Window

Text description of the illustration esmcnso2.gif

2. Enter the appropriate URL for connecting to Enterprise Security Manager Console, and click OK.

   This saves the URL information in Enterprise Security Manager so you can launch the console again without reconfiguring the URL.

Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users

By default, Enterprise Security Manager Console user interface does not display the field where you can configure Kerberos principal names. The first time you create Kerberos-authenticated users in the directory, you must configure this tool to display the krbPrincipalName attribute in its Create User window by using the following steps:

1. Log into the Oracle Internet Directory Self-Service Console and choose the Configuration tab. See: Oracle Internet Directory Administrator's Guide for information about logging in and using the Oracle Internet Directory Self-Service Console.
2. In the Configuration page, select the User Entry subtab and click Next until the Configure User Attributes page appears.
3. In the Configure User Attributes page, click Add New Attribute and the Add New Attribute page appears.
4. In the Add New Attribute page, select krbPrincipalName from the Directory Attribute Name list (or the attribute that you have configured for orclCommonKrbPrincipalAttribute in your identity management realm) and perform the following steps on this page:
   1. Enter Kerberos Principal Name for the user interface label.
   2. Check Searchable and Viewable.
   3. Select Single Line Text from the UI Type list
   4. Click Done.
5. Click Next to navigate to the Configure Attribute Categories page, and click Edit for Basic Information and perform the following steps on this page:
   1. Select krbPrincipalName in the left category list.
   2. Click Move > to move krbPrincipalName to the right-hand list.
   3. Click Done.
6. Click Next until you reach the last page, and then click Finish to save your work.

Navigating Enterprise Security Manager Console User Interface

The Enterprise Security Manager Console user interface is browser-based and uses tabbed windows instead of a navigator pane. Figure 2-9 shows the layout of the console user interface. The tabbed windows can be accessed by selecting one of the tabs at the top of the application or by selecting one of the links in the Tips box on the right. You can also access the tabbed windows by selecting one of the corresponding links at the bottom of the page.

Figure 2-9 Enterprise Security Manager Console User Interface

Text description of the illustration esmcnso3.gif

The tabbed windows are explained in the following sections:

Home Tabbed Window

The Home page is your entry point to the console. You can access each tabbed window and read a brief summary of what you can do with this tool. The Home tabbed window is shown in Figure 2-9.

Users and Groups Tabbed Window

This tabbed window contains two subtabs: the Users subtab (shown in Figure 2-10) and the Groups subtab (shown in Figure 2-11).

Figure 2-10 Enterprise Security Manager Console Users Subtab

Text description of the illustration usrssub.gif

The Users subtab (Figure 2-10) enables you to search for users in the directory by using the Search for user field at the top of the page. After you locate users that match your search criteria, you can select specific users and perform tasks with the buttons that are listed in Table 2-12. This subtab also enables you to create new users.

Table 2-12  Enterprise Security Manager Console User Subtab Buttons

Button Name	Description
Go	After entering user search criteria in the Search for user field, click Go to display users who match your search criteria in the Search Results table. This button is always available.
Create	Enables you to create new enterprise users in the directory. This button is always available.
Edit	Enables you to edit a user's information in the directory. This button is available only after you have entered search criteria in the Search for user field and clicked Go.
Delete	Enables you to delete a user from the directory. This button is available only after you have entered search criteria in the Search for user field and clicked Go.
Assign Privileges	Enables you to assign directory privileges to a specified user. For example, you can assign the privilege to create new users by using this button. This button is available only after you have entered search criteria in the Search for user field and clicked Go.

The Group subtab (shown in Figure 2-11) enables you to view, or to add new users or groups to the Enterprise User Security directory administrative groups. To view or edit an administrative group, select the adjacent radio button, and click Edit in the upper right corner of the page. When you click Edit, an Edit Group page for the specified group appears, displaying the following information:

• Members of the group
• Groups of which the specified administrative group is a member
• Edit history for the group

You can add members or other groups to a specified Enterprise User Security directory administrative group by clicking either Add User or Add Group in the Member region of the Edit Group page, which is shown in Figure 2-12.

Figure 2-11 Enterprise Security Manager Console Group Subtab

Text description of the illustration grpsbtab.gif

Figure 2-12 Enterprise Security Manager Console Edit Group Page

Text description of the illustration esmedusr.gif

Realm Configuration Tabbed Window

The Realm Configuration tabbed window, which is shown in Figure 2-13, enables you to configure identity management realm attributes that pertain to Enterprise User Security. The fields that you can edit on this page are described in Table 2-13.

Figure 2-13 Enterprise Security Manager Console Realm Configuration Tabbed Window

Text description of the illustration esmcorea.gif

Table 2-13  Realm Configuration Tabbed Window Fields

Field	Description
Attribute for Login Name	Name of the directory attribute used to store login names.
Attribute for Kerberos Principal Name	Name of the directory attribute used to store Kerberos principal names. See also: "Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users"
User Search Base	Full distinguished name (DN) for the node under which enterprise users are stored for this realm.
Group Search Base	Full DN for the node at which user groups (not Enterprise User Security administrative groups) are stored in the directory.

Enterprise Security Manager Command-Line Utility

Enterprise Security Manager provides a command-line utility, which can be used to perform the most common tasks that the graphical user interface tool performs. Enter all Enterprise Security Manager command-line utility commands from the Oracle Enterprise Manager Oracle home.

The basic syntax for this utility is as follows:

esm -cmd [operation] [-option_1 -option_2 -option_3 ... -option_n]

For example, the following command searches for users in a directory that is installed on a host machine named machine1.us.acme.com:

esm -cmd search -U SIMPLE -D orcladmin -w Y4ilbqve -h machine1.us.acme.com 

-p 3060 -dn dc=us,dc=acme,dc=com -objectType user

The following table describes each option used in this example:

Command Option	Description
-U	Specifies which authentication type used to log in to the directory. SIMPLE specifies password authentication.
-D	Specifies the username.
-w	Specifies the password.
-h	Specifies the directory host machine name.
-p	Specifies the directory port number.
-dn	Specifies the search base.
-objectType	Specifies the type of object for which to search.

Accessing Enterprise Security Manager Command-Line Utility Help

To view a full list of operations and options you can use with this utility, enter the following at the command line:

esm -cmd

To view help on a specific operation, enter the following at the command line:

esm -cmd help [operation]

Oracle Net Configuration Assistant

Oracle Net Configuration Assistant is a wizard-based tool that has a graphical user interface. It is primarily used to configure basic Oracle Net network components, such as listener names and protocol addresses. It also enables you to configure your Oracle home for directory server usage. The latter use is what makes this tool important for configuring Enterprise User Security.

If you use Domain Name System (DNS) discovery (automatic domain name lookup) to locate Oracle Internet Directory on your network, then this tool is not necessary. Note that using DNS discovery is the recommended configuration. See Oracle Internet Directory Administrator's Guide for information about this configuration.

If you have not configured DNS discovery of Oracle Internet Directory on your network, then you must use Oracle Net Configuration Assistant to create an ldap.ora file for your Oracle home before you can register a database with the directory. Your database uses the ldap.ora file to locate the correct Oracle Internet Directory server on your network. This configuration file contains the hostname, port number, and identity management realm information for your directory server.

Starting Oracle Net Configuration Assistant

To start Oracle Net Configuration Assistant:

• (UNIX) From $ORACLE_HOME/bin, enter the following at the command line:

  netca
  
  

• (Windows) Choose Start > Programs > Oracle-HOME_NAME > Configuration and Migration Tools > Net Configuration Assistant

After you start this tool, you will be presented with the opening page that is shown in Figure 2-14.

Choose the Directory Usage Configuration option on this page, click Next, and choose the directory server where you wish to store your enterprise users. Then click Finish to create a properly configured ldap.ora file for your Oracle home.

Figure 2-14 Opening Page of Oracle Net Configuration Assistant

Text description of the illustration netca1.gif

User Migration Utility

User Migration Utility is a command-line tool that enables you to perform bulk migrations of database users to Oracle Internet Directory where they are stored and managed as enterprise users. This tool performs a bulk migration in two phases: In phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory.

This tool is automatically installed in the following location when you install an Oracle Database client:

$ORACLE_HOME/rdbms/bin/umu

The basic syntax for this utility is as follows:

umu parameter_keyword_1=value1:value2

parameter_keyword_2=value
parameter_keyword_3=value1:value2:value3
.
.
.
parameter_keyword_n=value

Note that when a parameter takes multiple values, they are separated with colons (:).

Duties of a Security Administrator/DBA

Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure. Table 2-14 lists the primary tasks of security administrators, the tools used to perform the tasks, and links to where the tasks are documented.

Table 2-14  Common Security Administrator/DBA Configuration and Administrative Tasks

Task	Tools Used	See Also
Configure encrypted Oracle Net connections between database servers and clients	Oracle Net Manager	"Configuring Encryption on the Client and the Server"
Configure checksumming on Oracle Net connections between database servers and clients	Oracle Net Manager	"Configuring Integrity on the Client and the Server"
Configure database clients to accept RADIUS authentication	Oracle Net	"Step 1: Configure RADIUS on the Oracle Client"
Configure a database to accept RADIUS authentication	Oracle Net	"Step 2: Configure RADIUS on the Oracle Database Server"
Create a RADIUS user and grant them access to a database session	SQL*Plus	"Task 3: Create a User and Grant Access"
Configure Kerberos authentication on a database client and server	Oracle Net Manager	"Task 7: Configure Kerberos Authentication"
Create a Kerberos database user	kadmin.local Oracle Net Manager	"Task 8: Create a Kerberos User" "Task 9: Create an Externally Authenticated Oracle User"
Manage Kerberos credentials in the credential cache	okinit oklist okdstry	"Obtaining the Initial Ticket with the okinit Utility" "Displaying Credentials with the oklist Utility" "Removing Credentials from the Cache File with the okdstry Utility"
Create a wallet for a database client or server	Oracle Wallet Manager	"Creating a New Wallet"
Request a user certificate from a certificate authority (CA) for SSL authentication	Oracle Wallet Manager	"Adding a Certificate Request" "Importing the User Certificate into the Wallet"
Import a user certificate and its associated trusted certificate (CA certificate) into a wallet	Oracle Wallet Manager	"Importing a Trusted Certificate" "Importing the User Certificate into the Wallet"
Configuring SSL connections for a database client	Oracle Net Manager	"Task 3: Configure SSL on the Client"
Configuring SSL connections for a database server	Oracle Net Manager	"Task 2: Configure SSL on the Server"
Enabling certificate validation with certificate revocation lists	Oracle Net Manager	"Configuring Certificate Validation with Certificate Revocation Lists"

Duties of an Enterprise User Security Administrator/DBA

Enterprise User Security administrators plan, implement, and administer enterprise users. Table 2-15 lists the primary tasks of Enterprise User Security administrators, the tools used to perform the tasks, and links to where the tasks are documented.

Table 2-15  Common Enterprise User Security Administrator Configuration and Administrative Tasks

Task	Tools Used	See Also
Create an identity management realm in Oracle Internet Directory	Oracle Internet Directory Self-Service Console (Delegated Administration Service)	Oracle Internet Directory Administrator's Guide for information about how to perform this task
Upgrade an identity management realm in Oracle Internet Directory	Oracle Internet Directory Configuration Assistant	Oracle Internet Directory Administrator's Guide and the online help for this tool
Set up DNS to enable automatic discovery of Oracle Internet Directory over the network. Note that this is the recommended configuration.	Oracle Internet Directory Configuration Assistant	Oracle Internet Directory Administrator's Guide (Domain Name System server discovery) and the online help for this tool
Create an ldap.ora file to enable directory access	Oracle Net Configuration Assistant	"Task 5: (Optional) Configure your Oracle home for directory usage"
Register a database in the directory	Database Configuration Assistant	"Task 6: Register the database in the directory"
Configure password authentication for Enterprise User Security	Enterprise Security Manager Oracle Net Manager	"Configuring Enterprise User Security for Password Authentication"
Configure Kerberos authentication for Enterprise User Security	Oracle Net Manager Enterprise Security Manager Console Enterprise Security Manager	"Configuring Enterprise User Security for Kerberos Authentication"
Configure SSL authentication for Enterprise User Security	Oracle Net Manager Enterprise Security Manager text editor or SQL*Plus Oracle Wallet Manager	"Configuring Enterprise User Security for SSL Authentication"
Create or modify user entries and Oracle administrative groups in the directory	Enterprise Security Manager Console	"Administering Identity Management Realms" "Administering Enterprise Users"
Create or modify enterprise roles and domains in the directory	Enterprise Security Manager	"Administering Enterprise Domains" "Administering Enterprise Roles"
Create or modify wallets for directory, databases, and clients	Oracle Wallet Manager	Chapter 8, "Using Oracle Wallet Manager"
Change a user's database or directory password	Enterprise Security Manager Console	"Setting Enterprise User Passwords"
Change a database's directory password	Database Configuration Assistant	"To change the database's directory password:"
Manage user wallets on the local system or update database and directory user passwords	Oracle Wallet Manager	Chapter 8, "Using Oracle Wallet Manager"
Request initial Kerberos ticket when KDC is not part of the operating system, such as Kerberos V5 from MIT	okinit utility	"Task 10: Get an Initial Ticket for the Kerberos/Oracle User"
Migrate large numbers of local or external database users to the directory for Enterprise User Security	User Migration Utility	Appendix G, "Using the User Migration Utility"