Oracle Database B10772-01 Bedienungsanleitung Seite 1

OracleDatabaseAdvanced Security Administrator's Guide10g Release 1 (10.1)Part No. B10772-01December 2003

xOpening an Existing Wallet... 8-13Closing a Walle

Duties of an Enterprise User Security Administrator/DBA2-38 Oracle Database Advanced Security Administrator's Guide

Part II Network Data Encryption and IntegrityThis part describes how to configure data encryption and integrity for your existingOracle network, and fo

Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 3-13Configuring Network Data Encryption andIntegrity for Oracle Server

Oracle Advanced Security Encryption3-2 Oracle Database Advanced Security Administrator's GuideAbout EncryptionThe purpose of a secure cryptosyste

Oracle Advanced Security Data IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-3of message security, but wit

Diffie-Hellman Based Key Management3-4 Oracle Database Advanced Security Administrator's Guide Data modification attackThis type of attack occurs

How To Configure Data Encryption and IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-5Oracle Advanced Secur

How To Configure Data Encryption and Integrity3-6 Oracle Database Advanced Security Administrator's GuideAbout Activating Encryption and Integrit

How To Configure Data Encryption and IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-7 REQUESTED REQUIRED

xiTask 1: Create New Principals and Accounts... 10-5Task 2: Install the Key of t

How To Configure Data Encryption and Integrity3-8 Oracle Database Advanced Security Administrator's GuideIn this scenario, this side of the conne

How To Configure Data Encryption and IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-9the sqlnet.crypto_see

How To Configure Data Encryption and Integrity3-10 Oracle Database Advanced Security Administrator's GuideFigure 3–1 Oracle Advanced Security Enc

How To Configure Data Encryption and IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-118. Repeat this proce

How To Configure Data Encryption and Integrity3-12 Oracle Database Advanced Security Administrator's Guide1.Navigate to the Oracle Advanced Secur

How To Configure Data Encryption and IntegrityConfiguring Network Data Encryption and Integrity for Oracle Servers and Clients 3-136. Choose File >

How To Configure Data Encryption and Integrity3-14 Oracle Database Advanced Security Administrator's Guide

Configuring Network Data Encryption and Integrity for Thin JDBC Clients 4-14Configuring Network Data Encryption andIntegrity for Thin JDBC ClientsThis

About the Java Implementation4-2 Oracle Database Advanced Security Administrator's GuideMicrosystems defined the JDBC standard and Oracle Corporat

About the Java ImplementationConfiguring Network Data Encryption and Integrity for Thin JDBC Clients 4-3Oracle Advanced Security continues to encrypt a

xiiConsiderations for Choosing Authentication Types between Clients, Databases, andDirectories for Enterprise User Security...

Configuration Parameters4-4 Oracle Database Advanced Security Administrator's Guidethe code. The process leaves the original program structure in

Configuration ParametersConfiguring Network Data Encryption and Integrity for Thin JDBC Clients 4-5Client Encryption Selected List: ORACLE.NET.ENCRYPTI

Configuration Parameters4-6 Oracle Database Advanced Security Administrator's GuideClient Integrity Selected List: ORACLE.NET.CRYPTO_CHEKSUM_TYPE

Part III Oracle Advanced Security StrongAuthenticationThis part describes how to configure strong authentication methods for yourexisting Oracle networ

Configuring RADIUS Authentication 5-15Configuring RADIUS AuthenticationThis chapter describes how to configure an Oracle Database server for use withRAD

RADIUS Overview5-2 Oracle Database Advanced Security Administrator's Guidechange the authentication method without modifying either the Oracle cl

RADIUS Authentication ModesConfiguring RADIUS Authentication 5-3A RADIUS server vendor is often the authentication server vendor as well, in whichcase

RADIUS Authentication Modes5-4 Oracle Database Advanced Security Administrator's GuideFigure 5–2 Synchronous Authentication Sequence1.A user logs

RADIUS Authentication ModesConfiguring RADIUS Authentication 5-5Example: Synchronous Authentication with SecurID Token CardsWith SecurID authentication

xiiiBrowsing Users in the Directory... 13-12Administering Ent

RADIUS Authentication Modes5-6 Oracle Database Advanced Security Administrator's GuideFigure 5–3 Asynchronous Authentication Sequence1.A user see

RADIUS Authentication ModesConfiguring RADIUS Authentication 5-72. The Oracle database server, acting as the RADIUS client, passes the data fromthe Ora

Enabling RADIUS Authentication, Authorization, and Accounting5-8 Oracle Database Advanced Security Administrator's GuideThe Oracle client sends t

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-9 Task 9: Configure Mapping RolesTask 1: Install RADIU

Enabling RADIUS Authentication, Authorization, and Accounting5-10 Oracle Database Advanced Security Administrator's GuideFigure 5–4 Oracle Advanc

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-11Create the RADIUS Secret Key File on the Oracle Data

Enabling RADIUS Authentication, Authorization, and Accounting5-12 Oracle Database Advanced Security Administrator's GuideFigure 5–5 Oracle Advanc

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-13OS_AUTHENT_PREFIX=""Step 3: Configure Addi

Enabling RADIUS Authentication, Authorization, and Accounting5-14 Oracle Database Advanced Security Administrator's Guide5.Choose File > Save

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-15To configure challenge-response:1. If you are using J

xivC Integrating Authentication Devices Using RADIUSAbout the RADIUS Challenge-Response User Interface...

Enabling RADIUS Authentication, Authorization, and Accounting5-16 Oracle Database Advanced Security Administrator's Guide6.In the Interface Class

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-17Task 3: Create a User and Grant AccessTo grant user

Enabling RADIUS Authentication, Authorization, and Accounting5-18 Oracle Database Advanced Security Administrator's Guide3.Add externally identifi

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-19Ensure that RADIUS groups which map to Oracle roles

Enabling RADIUS Authentication, Authorization, and Accounting5-20 Oracle Database Advanced Security Administrator's GuideTask 6: Add the RADIUS C

Enabling RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Authentication 5-21Task 9: Configure Mapping RolesIf the RADIUS server s

Using RADIUS to Log In to a Database5-22 Oracle Database Advanced Security Administrator's GuideUsing RADIUS to Log In to a DatabaseIf you are us

RSA ACE/Server Configuration ChecklistConfiguring RADIUS Authentication 5-23See Also: RSA ACE/Server documentation for specificinformation about trouble

RSA ACE/Server Configuration Checklist5-24 Oracle Database Advanced Security Administrator's Guide

Configuring Kerberos Authentication 6-16Configuring Kerberos AuthenticationThis chapter describes how to configure Oracle Advanced Security for OracleDa

xvorapki wallet create... E-13orapki

Enabling Kerberos Authentication6-2 Oracle Database Advanced Security Administrator's GuideEnabling Kerberos AuthenticationTo enable Kerberos aut

Enabling Kerberos AuthenticationConfiguring Kerberos Authentication 6-3For example, if kservice is oracle, the fully qualified name of the system onwhic

Enabling Kerberos Authentication6-4 Oracle Database Advanced Security Administrator's Guide1.Enter the following to extract the service table:kad

Enabling Kerberos AuthenticationConfiguring Kerberos Authentication 6-5Task 5: Install Oracle Net Services and Oracle Advanced SecurityInstall Oracle N

Enabling Kerberos Authentication6-6 Oracle Database Advanced Security Administrator's GuideFigure 6–1 Oracle Advanced Security Authentication Win

Enabling Kerberos AuthenticationConfiguring Kerberos Authentication 6-7Figure 6–2 Oracle Advanced Security Other Params Window (Kerberos)7.From the Aut

Enabling Kerberos Authentication6-8 Oracle Database Advanced Security Administrator's GuideThe sqlnet.ora file is updated with the following entri

Enabling Kerberos AuthenticationConfiguring Kerberos Authentication 6-9Parameter: SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds_accepted_as_network_dela

Enabling Kerberos Authentication6-10 Oracle Database Advanced Security Administrator's GuideTask 8: Create a Kerberos UserTo create Oracle users

Utilities for the Kerberos Authentication AdapterConfiguring Kerberos Authentication 6-11Task 10: Get an Initial Ticket for the Kerberos/Oracle UserBef

xviPrerequisites for Performing Migration... G-8Required Database

Utilities for the Kerberos Authentication Adapter6-12 Oracle Database Advanced Security Administrator's GuideDisplaying Credentials with the okli

Configuring Interoperability with a Windows 2000 Domain Controller KDCConfiguring Kerberos Authentication 6-13% oklist -f27-Jul-1999 21:57:51 28-Jul-

Configuring Interoperability with a Windows 2000 Domain Controller KDC6-14 Oracle Database Advanced Security Administrator's Guide Task 2: Config

Configuring Interoperability with a Windows 2000 Domain Controller KDCConfiguring Kerberos Authentication 6-15Step 2: Specifying Oracle Configuration P

Configuring Interoperability with a Windows 2000 Domain Controller KDC6-16 Oracle Database Advanced Security Administrator's GuideFor example, if

Configuring Interoperability with a Windows 2000 Domain Controller KDCConfiguring Kerberos Authentication 6-17Task 3: Configuring an Oracle Database to

Troubleshooting6-18 Oracle Database Advanced Security Administrator's GuideTroubleshootingThis section lists some common configuration problems an

Configuring Secure Sockets Layer Authentication 7-17Configuring Secure Sockets LayerAuthenticationThis chapter describes how to configure and use the Se

SSL and TLS in an Oracle Environment7-2 Oracle Database Advanced Security Administrator's GuideSSL and TLS in an Oracle EnvironmentSecure Sockets

SSL and TLS in an Oracle EnvironmentConfiguring Secure Sockets Layer Authentication 7-3About Using SSLOracle Advanced Security supports authentication

xvii

SSL and TLS in an Oracle Environment7-4 Oracle Database Advanced Security Administrator's GuideHow SSL Works in an Oracle Environment: The SSL Ha

Public Key Infrastructure in an Oracle EnvironmentConfiguring Secure Sockets Layer Authentication 7-5Public Key Infrastructure in an Oracle Environment

Public Key Infrastructure in an Oracle Environment7-6 Oracle Database Advanced Security Administrator's GuidePublic Key Infrastructure Components

Public Key Infrastructure in an Oracle EnvironmentConfiguring Secure Sockets Layer Authentication 7-7A certificate contains the entity's name, publ

Public Key Infrastructure in an Oracle Environment7-8 Oracle Database Advanced Security Administrator's GuideWalletsA wallet is a container that

Public Key Infrastructure in an Oracle EnvironmentConfiguring Secure Sockets Layer Authentication 7-9Note: Currently only nCipher devices are certified

SSL Combined with Other Authentication Methods7-10 Oracle Database Advanced Security Administrator's GuideSSL Combined with Other Authentication

SSL Combined with Other Authentication MethodsConfiguring Secure Sockets Layer Authentication 7-11Figure 7–1 SSL in Relation to Other Authentication Me

SSL and Firewalls7-12 Oracle Database Advanced Security Administrator's GuideSSL and FirewallsOracle Advanced Security supports two types of firew

SSL and FirewallsConfiguring Secure Sockets Layer Authentication 7-13Note: Although Oracle Connection Manager can be used to avoidopening up multiple S

xviiiList of Figures1–1 Encryption ...

SSL Usage Issues7-14 Oracle Database Advanced Security Administrator's GuideSSL Usage IssuesConsider the following issues when using SSL: SSL us

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-15Enabling SSLTo enable SSL: Task 1: Install Oracle Advanced Security and Related Produc

Enabling SSL7-16 Oracle Database Advanced Security Administrator's GuideManager. The wallet should contain a certificate with a status of "Re

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-17The sqlnet.ora and listener.ora files are updated with the followingentries:wallet_locat

Enabling SSL7-18 Oracle Database Advanced Security Administrator's Guide Prioritize cipher suites starting with the strongest and moving to the

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-19To specify cipher suites for the server:1. Navigate to the SSL tab of the Oracle Advanc

Enabling SSL7-20 Oracle Database Advanced Security Administrator's GuideFigure 7–3 Oracle Advanced Security SSL Window (Server)4. Use the up and

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-21To set the SSL version for the server:1. Navigate to the SSL tab of the Oracle Advanced

Enabling SSL7-22 Oracle Database Advanced Security Administrator's GuideFigure 7–4 Oracle Advanced Security SSL Window (Server)2.Uncheck Require

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-23To set the SQLNET.AUTHENTICATION_SERVICES parameter on the server:Add TCP/IP with SSL (

xix11–3 Related Entries in a Realm Oracle Context... 11-1612–1 Enterprise User Securi

Enabling SSL7-24 Oracle Database Advanced Security Administrator's GuideStep 1: Confirm Client Wallet CreationBefore proceeding with the next ste

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-25(SECURITY=(SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme"))The

Enabling SSL7-26 Oracle Database Advanced Security Administrator's Guide1.Navigate to the Oracle Advanced Security profile. (See "Navigating

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-27 No (default): SSL checks for a match between the DN and the service name,but does not

Enabling SSL7-28 Oracle Database Advanced Security Administrator's GuideStep 4: Set the Client SSL Cipher Suites (Optional)A cipher suite is a se

Enabling SSLConfiguring Secure Sockets Layer Authentication 7-29To specify client cipher suites:1. Navigate to the SSL tab of the Oracle Advanced Secur

Enabling SSL7-30 Oracle Database Advanced Security Administrator's Guide4.Use the up and down arrows to prioritize the cipher suites.5. Choose Fi

Troubleshooting SSLConfiguring Secure Sockets Layer Authentication 7-31Oracle Advanced Security. For example, use this parameter if you want the server

Troubleshooting SSL7-32 Oracle Database Advanced Security Administrator's Guide Ensure that the correct wallet location is specified in the sqlne

Troubleshooting SSLConfiguring Secure Sockets Layer Authentication 7-33Action: Check the following: Ensure that the correct wallet location is specifie

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)Part No. B10772-01Copyright © 1996, 2003 Oracle Corporation. All ri

xx

Troubleshooting SSL7-34 Oracle Database Advanced Security Administrator's Guide A certificate authority for one of the certificates in the chain i

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-35does not give the complete chain and you do

Certificate Validation with Certificate Revocation Lists7-36 Oracle Database Advanced Security Administrator's GuideHow CRL Checking WorksCertific

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-37Configuring Certificate Validation with Certi

Certificate Validation with Certificate Revocation Lists7-38 Oracle Database Advanced Security Administrator's GuideFigure 7–7 Oracle Advanced Se

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-393.(Optional) If CRLs are stored on your loc

Certificate Validation with Certificate Revocation Lists7-40 Oracle Database Advanced Security Administrator's Guide5.Choose File > Save Netwo

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-41You can also use LDAP command-line tools to

Certificate Validation with Certificate Revocation Lists7-42 Oracle Database Advanced Security Administrator's Guideissuer's name. Then when

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-43permission to add CRLs to the CRL subtree,

xxiList of Tables1–1 Authentication Methods and System Requirements ... 1-172–1 Oracle Wallet Manage

Certificate Validation with Certificate Revocation Lists7-44 Oracle Database Advanced Security Administrator's Guidefollowing at the command line

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-45[-summary]where issuer_name is the name of

Certificate Validation with Certificate Revocation Lists7-46 Oracle Database Advanced Security Administrator's GuideOracle Net Tracing File Error

Certificate Validation with Certificate Revocation ListsConfiguring Secure Sockets Layer Authentication 7-472. If necessary, use the orapki utility to

Configuring Your System to Use Hardware Security Modules7-48 Oracle Database Advanced Security Administrator's GuideConfiguring Your System to Use

Configuring Your System to Use Hardware Security ModulesConfiguring Secure Sockets Layer Authentication 7-49Configuring Your System to Use nCipher Hardw

Configuring Your System to Use Hardware Security Modules7-50 Oracle Database Advanced Security Administrator's Guide (UNIX) /opt/nfast (Windows

Configuring Your System to Use Hardware Security ModulesConfiguring Secure Sockets Layer Authentication 7-51Error Messages Associated with Using Hardwa

Configuring Your System to Use Hardware Security Modules7-52 Oracle Database Advanced Security Administrator's GuideNote: The nCipher log file is

Using Oracle Wallet Manager 8-18Using Oracle Wallet ManagerSecurity administrators use Oracle Wallet ManagerOracle Wallet Manager tomanage public key

xxii11–3 Enterprise User Security: Supported Authentication Types for Connections betweenClients, Databases, and Directories ...

Oracle Wallet Manager Overview8-2 Oracle Database Advanced Security Administrator's GuideOracle Wallet Manager OverviewOracle Wallet Manager is a

Oracle Wallet Manager OverviewUsing Oracle Wallet Manager 8-3Strong Wallet EncryptionOracle Wallet Manager stores private keys associated with X.509 c

Oracle Wallet Manager Overview8-4 Oracle Database Advanced Security Administrator's Guidecryptography standards called Public-Key Cryptography St

Oracle Wallet Manager OverviewUsing Oracle Wallet Manager 8-5legal usage combinations). There must be a one-to-one mapping between certificaterequests

Oracle Wallet Manager Overview8-6 Oracle Database Advanced Security Administrator's GuideYou should obtain certificates from the certificate author

Starting Oracle Wallet ManagerUsing Oracle Wallet Manager 8-7LDAP Directory SupportOracle Wallet Manager can upload wallets to and retrieve them from

How To Create a Complete Wallet: Process Overview8-8 Oracle Database Advanced Security Administrator's GuideHow To Create a Complete Wallet: Proc

Managing WalletsUsing Oracle Wallet Manager 8-9client wallets. It is only optional for products that take the wallet password atthe time of startup.Af

Managing Wallets8-10 Oracle Database Advanced Security Administrator's GuidePasswords must contain at least eight characters that consist of alph

Managing WalletsUsing Oracle Wallet Manager 8-115. Click OK to continue. If the entered password does not conform to the requiredguidelines, then the

xxiiiSend Us Your CommentsOracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)Part No. B10772-01Oracle Corporation welc

Managing Wallets8-12 Oracle Database Advanced Security Administrator's Guide6.In the PKCS11 library filename field, enter the path to the directory

Managing WalletsUsing Oracle Wallet Manager 8-13Opening an Existing WalletOpen a wallet that already exists in the file system directory as follows:1.

Managing Wallets8-14 Oracle Database Advanced Security Administrator's GuideFor other operating systems, see the Oracle documentation for that sp

Managing WalletsUsing Oracle Wallet Manager 8-151. Choose Operations > Export Wallet... The Export Wallet dialog box appears.2. Enter the destinat

Managing Wallets8-16 Oracle Database Advanced Security Administrator's Guide If no certificates have SSL key usage: When prompted, enter the user

Managing WalletsUsing Oracle Wallet Manager 8-17If Oracle Wallet Manager cannot open the target wallet using the walletpassword, then check to make su

Managing Wallets8-18 Oracle Database Advanced Security Administrator's Guide (UNIX) ORACLE_HOME/admin/ORACLE_SID (Windows) ORACLE_BASE\ORACLE_H

Managing WalletsUsing Oracle Wallet Manager 8-19To change the password for the current open wallet:1. Choose Wallet > Change Password. The Change W

Managing Certificates8-20 Oracle Database Advanced Security Administrator's Guide1.Choose Wallet from the menu bar.2. Uncheck Auto Login. A messa

Managing CertificatesUsing Oracle Wallet Manager 8-21 Importing the User Certificate into the Wallet Removing a User Certificate from a Wallet Removi

xxiv

Managing Certificates8-22 Oracle Database Advanced Security Administrator's GuideTable 8–6 lists the available key sizes and the relative securit

Managing CertificatesUsing Oracle Wallet Manager 8-23certificates, including the user's certificate and all of the supporting CA and subCAcertificat

Managing Certificates8-24 Oracle Database Advanced Security Administrator's GuideManager main panel, and the status of the corresponding entry in

Managing CertificatesUsing Oracle Wallet Manager 8-25Exporting a User Certificate RequestTo save the certificate request in a file system directory, exp

Managing Certificates8-26 Oracle Database Advanced Security Administrator's Guide3.Choose Paste the Certificate, and click OK. Another Import Trus

Managing CertificatesUsing Oracle Wallet Manager 8-27A dialog panel warns you that your user certificate will no longer beverifiable by its recipients i

Managing Certificates8-28 Oracle Database Advanced Security Administrator's Guide

Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security 9-19Configuring Multiple AuthenticationMethods and Disabling Oracle

Disabling Oracle Advanced Security Authentication9-2 Oracle Database Advanced Security Administrator's GuideFor example:% sqlplus scott/tiger@emp

Disabling Oracle Advanced Security AuthenticationConfiguring Multiple Authentication Methods and Disabling Oracle Advanced Security 9-3Figure 9–1 Oracl

xxvPrefaceWelcome to the Oracle Database Advanced Security Administrator's Guide for the10g Release 1 (10.1) of Oracle Advanced Security.Oracle A

Configuring Multiple Authentication Methods9-4 Oracle Database Advanced Security Administrator's GuideConfiguring Multiple Authentication MethodsM

Configuring Oracle Database for External AuthenticationConfiguring Multiple Authentication Methods and Disabling Oracle Advanced Security 9-5Configuring

Configuring Oracle Database for External Authentication9-6 Oracle Database Advanced Security Administrator's GuideIf REMOTE_OS_AUTHENT is set to

Configuring Oracle Database for External AuthenticationConfiguring Multiple Authentication Methods and Disabling Oracle Advanced Security 9-7See Also:

Configuring Oracle Database for External Authentication9-8 Oracle Database Advanced Security Administrator's Guide

Configuring Oracle DCE Integration 10-110Configuring Oracle DCE IntegrationOracle DCE Integration enables Oracle applications and tools to access Oracl

Introduction to Oracle DCE Integration10-2 Oracle Database Advanced Security Administrator's GuideIntroduction to Oracle DCE IntegrationThe Distr

Introduction to Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-3DCE Communication/SecurityThis component has three principal features:Auth

Introduction to Oracle DCE Integration10-4 Oracle Database Advanced Security Administrator's GuideThe DCE CDS offers a distributed, replicated re

Configuring DCE for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-5 Only one listener address that uses the DCE protocol is permitted fo

xxviAudienceThe Oracle Database Advanced Security Administrator's Guide is intended forusers and systems professionals involved with the implemen

Configuring DCE for Oracle DCE Integration10-6 Oracle Database Advanced Security Administrator's GuideTask 2: Install the Key of the Server into

Configuring DCE for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-7cdscp> create dir /.:/subsys/oraclecdscp> create dir /.:/subsys/

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-8 Oracle Database Advanced Security Administrator's GuideConfigur

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-9You can specify a service as follo

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-10 Oracle Database Advanced Security Administrator's Guide2.For

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-111. Verify that these lines are in

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-12 Oracle Database Advanced Security Administrator's GuideIf con

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-133. Ensure that the DCE groups tha

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-14 Oracle Database Advanced Security Administrator's GuideLocal

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-15Task 4: Configure DCE for SYSDBA a

xxviiPart III, "Oracle Advanced Security Strong Authentication"Chapter 5, "Configuring RADIUS Authentication"This chapter describes

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-16 Oracle Database Advanced Security Administrator's Guide

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-17 protocol.ora sqlnet.oraTypical

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-18 Oracle Database Advanced Security Administrator's Guidegreate

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-19Task 6: Configure Clients to Use D

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-20 Oracle Database Advanced Security Administrator's GuideFor ex

Configuring Oracle Database and Oracle Net Services for Oracle DCE IntegrationConfiguring Oracle DCE Integration 10-212. Restart CDS on the system.The

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration10-22 Oracle Database Advanced Security Administrator's GuideStep 4

Connecting to an Oracle Database Server in the DCE EnvironmentConfiguring Oracle DCE Integration 10-23For a client or server to use DCE CDS Naming, the

Connecting to an Oracle Database Server in the DCE Environment10-24 Oracle Database Advanced Security Administrator's Guide3.Verify that the serv

Connecting Clients Outside DCE to Oracle Servers in DCEConfiguring Oracle DCE Integration 10-25For example:% sqlplus /@ORADCEConnecting to an Oracle Da

xxviiiparameters, and how clients outside of DCE can access Oracle databases usinganother protocol such as TCP/IP.Part IV, "Enterprise User Secur

Connecting Clients Outside DCE to Oracle Servers in DCE10-26 Oracle Database Advanced Security Administrator's Guide The listener.ora File The

Connecting Clients Outside DCE to Oracle Servers in DCEConfiguring Oracle DCE Integration 10-27 (SID_NAME=ORASID) (ORACLE_HOME=/usr/prod/or

Connecting Clients Outside DCE to Oracle Servers in DCE10-28 Oracle Database Advanced Security Administrator's GuideTo access the DB1 database, a

Part IV Enterprise User SecurityThis part describes Oracle Database directory and security integration functionality,which enables single sign-on in a

Getting Started with Enterprise User Security 11-111Getting Started with Enterprise UserSecurityEnterprise User Security, a critical component of Orac

Introduction to Enterprise User Security11-2 Oracle Database Advanced Security Administrator's GuideIntroduction to Enterprise User SecurityThis

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-3Enterprise User Security: The Big PictureEnterprise User Sec

Introduction to Enterprise User Security11-4 Oracle Database Advanced Security Administrator's GuideFigure 11–1 Enterprise User Security and the

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-5Single password authentication lets users authenticate to mu

xxixAppendix D, "Oracle Advanced Security FIPS 140-1 Settings"This appendix describes the sqlnet.ora configuration parameters required tocomp

Introduction to Enterprise User Security11-6 Oracle Database Advanced Security Administrator's GuideAbout Identity Management Realms An identity

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-7name (DN). When enterprise users log on to a database, the d

Introduction to Enterprise User Security11-8 Oracle Database Advanced Security Administrator's GuideAbout Enterprise User SchemasEnterprise users

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-9How Enterprise Users Access Database Resources with Database

Introduction to Enterprise User Security11-10 Oracle Database Advanced Security Administrator's GuideTable 11–1 Enterprise User Security Authenti

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-11About Enterprise User Security Directory EntriesIn a direct

Introduction to Enterprise User Security11-12 Oracle Database Advanced Security Administrator's GuideThe entries described in the following secti

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-13Figure 11–2 Example of Enterprise RolesAcme Widgets(Enterpr

Introduction to Enterprise User Security11-14 Oracle Database Advanced Security Administrator's GuideAn enterprise role can be assigned to one or

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-15Database Server EntriesA database server entry (represented

responsible for the performance of the Kerberos software, does not provide technical support for thesoftware, and shall not be liable for any damages

xxxPrinted documentation is available for sale in the Oracle Store athttp://oraclestore.oracle.com/To download free release notes, installation docume

Introduction to Enterprise User Security11-16 Oracle Database Advanced Security Administrator's GuideFigure 11–3 Related Entries in a Realm Oracl

Introduction to Enterprise User SecurityGetting Started with Enterprise User Security 11-17Administrative GroupsAn identity management realm contains

Introduction to Enterprise User Security11-18 Oracle Database Advanced Security Administrator's GuideTable 11–2 Administrative Groups in a Realm

About Using Shared Schemas for Enterprise User SecurityGetting Started with Enterprise User Security 11-19About Using Shared Schemas for Enterprise Us

About Using Shared Schemas for Enterprise User Security11-20 Oracle Database Advanced Security Administrator's Guide Each enterprise user can be

About Using Shared Schemas for Enterprise User SecurityGetting Started with Enterprise User Security 11-21multiple enterprise users (shared schema). T

About Using Shared Schemas for Enterprise User Security11-22 Oracle Database Advanced Security Administrator's GuideFor example, suppose that Har

About Using Current User Database Links for Enterprise User SecurityGetting Started with Enterprise User Security 11-23About Using Current User Databa

About Using Current User Database Links for Enterprise User Security11-24 Oracle Database Advanced Security Administrator's GuideSSL to authentic

Enterprise User Security Deployment ConsiderationsGetting Started with Enterprise User Security 11-25Enterprise User Security Deployment Consideration

xxxi Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code inC by Bruce Schneier. New York: John Wiley & Sons, 1996. SSL

Enterprise User Security Deployment Considerations11-26 Oracle Database Advanced Security Administrator's GuideSecurity of Password-Authenticated

Enterprise User Security Deployment ConsiderationsGetting Started with Enterprise User Security 11-27Protecting Database Password VerifiersThe OracleP

Enterprise User Security Deployment Considerations11-28 Oracle Database Advanced Security Administrator's GuideConsiderations for Choosing Authen

Enterprise User Security Configuration Tasks and Troubleshooting 12-112Enterprise User Security ConfigurationTasks and TroubleshootingThis chapter desc

Enterprise User Security Configuration Overview12-2 Oracle Database Advanced Security Administrator's GuideRegardless of the authentication metho

Enterprise User Security Configuration OverviewEnterprise User Security Configuration Tasks and Troubleshooting 12-3Figure 12–1 Enterprise User Securit

Enterprise User Security Configuration Roadmap12-4 Oracle Database Advanced Security Administrator's GuideFor brevity, some product names and fea

Preparing the Directory for Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-5– "Configuring Enterprise

Preparing the Directory for Enterprise User Security12-6 Oracle Database Advanced Security Administrator's GuideTask 3: Identity administrative u

Preparing the Directory for Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-7Task 5: (Optional) Configure yo

xxxiiConventions in Code ExamplesCode examples illustrate SQL, PL/SQL, SQL*Plus, or other command-linestatements. They are displayed in a monospace (fi

Preparing the Directory for Enterprise User Security12-8 Oracle Database Advanced Security Administrator's GuideTask 6: Register the database in

Preparing the Directory for Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-9 After creating the wallet, D

Preparing the Directory for Enterprise User Security12-10 Oracle Database Advanced Security Administrator's Guide4.Choose Finish if you are only

Configuring Enterprise User Security Objects in the Database and the DirectoryEnterprise User Security Configuration Tasks and Troubleshooting 12-11Aft

Configuring Enterprise User Security Objects in the Database and the Directory12-12 Oracle Database Advanced Security Administrator's GuideTo con

Configuring Enterprise User Security Objects in the Database and the DirectoryEnterprise User Security Configuration Tasks and Troubleshooting 12-13Alt

Configuring Enterprise User Security Objects in the Database and the Directory12-14 Oracle Database Advanced Security Administrator's GuideTask 3

Configuring Enterprise User Security Objects in the Database and the DirectoryEnterprise User Security Configuration Tasks and Troubleshooting 12-154.

Configuring Enterprise User Security for Password Authentication12-16 Oracle Database Advanced Security Administrator's GuideFor more information

Configuring Enterprise User Security for Password AuthenticationEnterprise User Security Configuration Tasks and Troubleshooting 12-17 Task 1: (Option

xxxiiiConvention Meaning Example[ ] Brackets enclose one or more optionalitems. Do not enter the brackets.DECIMAL (digits [ , precision ]){ } Braces e

Configuring Enterprise User Security for Kerberos Authentication12-18 Oracle Database Advanced Security Administrator's GuideTask 3: Connect as a

Configuring Enterprise User Security for Kerberos AuthenticationEnterprise User Security Configuration Tasks and Troubleshooting 12-19 You have prepar

Configuring Enterprise User Security for Kerberos Authentication12-20 Oracle Database Advanced Security Administrator's GuideKerberos Principal N

Configuring Enterprise User Security for SSL AuthenticationEnterprise User Security Configuration Tasks and Troubleshooting 12-21If the KDC is part of

Configuring Enterprise User Security for SSL Authentication12-22 Oracle Database Advanced Security Administrator's Guide– Database certificate DN

Configuring Enterprise User Security for SSL AuthenticationEnterprise User Security Configuration Tasks and Troubleshooting 12-233. Click Apply.For mor

Configuring Enterprise User Security for SSL Authentication12-24 Oracle Database Advanced Security Administrator's Guideclient cannot have a wall

Enabling Current User Database LinksEnterprise User Security Configuration Tasks and Troubleshooting 12-25To view the database DN so you can request a

Troubleshooting Enterprise User Security12-26 Oracle Database Advanced Security Administrator's GuideTroubleshooting Enterprise User SecurityThis

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-275. Use Database Configuration Assistant to

xxxivConventions for Windows Operating SystemsThe following table describes conventions for Windows operating systems andprovides examples of their us

Troubleshooting Enterprise User Security12-28 Oracle Database Advanced Security Administrator's GuideORA-28272: Domain policy does not allow pass

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-293. Use Enterprise Security Manager to che

Troubleshooting Enterprise User Security12-30 Oracle Database Advanced Security Administrator's GuideCause: Indicates a problem with the connecti

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-312. Check that there is a value for the at

Troubleshooting Enterprise User Security12-32 Oracle Database Advanced Security Administrator's Guide2.If these values are incorrect, reset the d

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-334. Check that the LDAP_DIRECTORY_ACCESS p

Troubleshooting Enterprise User Security12-34 Oracle Database Advanced Security Administrator's Guide1.Check that the global role has been create

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-35Use the following syntax to view the DN t

Troubleshooting Enterprise User Security12-36 Oracle Database Advanced Security Administrator's Guide1.Use Enterprise Security Manager to check t

Troubleshooting Enterprise User SecurityEnterprise User Security Configuration Tasks and Troubleshooting 12-37– If the database connects to the directo

xxxvSpecial characters The backslash (\) special character issometimes required as an escapecharacter for the double quotation mark(") special ch

Troubleshooting Enterprise User Security12-38 Oracle Database Advanced Security Administrator's Guide

Administering Enterprise User Security 13-113 Administering Enterprise User SecurityThis chapter describes how to use Enterprise Security Manager to a

Enterprise User Security Administration Tools Overview13-2 Oracle Database Advanced Security Administrator's GuideEnterprise User Security Admini

Administering Identity Management RealmsAdministering Enterprise User Security 13-3Administering Identity Management RealmsAn identity management real

Administering Identity Management Realms13-4 Oracle Database Advanced Security Administrator's GuideIdentity Management Realm VersionsEnterprise

Administering Identity Management RealmsAdministering Enterprise User Security 13-5Setting Properties of an Identity Management RealmAn identity manag

Administering Identity Management Realms13-6 Oracle Database Advanced Security Administrator's Guide3.In the Realm Information window, enter the

Administering Identity Management RealmsAdministering Enterprise User Security 13-7Managing Identity Management Realm AdministratorsAn identity manage

Administering Enterprise Users13-8 Oracle Database Advanced Security Administrator's GuideAdministering Enterprise UsersEnterprise Security Manag

Administering Enterprise UsersAdministering Enterprise User Security 13-9Creating New Enterprise UsersUse Enterprise Security Manager to create users

xxxviDocumentation AccessibilityOur goal is to make Oracle products, services, and supporting documentationaccessible, with good usability, to the dis

Administering Enterprise Users13-10 Oracle Database Advanced Security Administrator's Guide2.Choose the Users and Groups tab.3. In the Users and

Administering Enterprise UsersAdministering Enterprise User Security 13-11The enterprise user password is used for: Directory logon Database logon,

Administering Enterprise Users13-12 Oracle Database Advanced Security Administrator's GuideFigure 13–3 Enterprise Security Manager: Add Enterpris

Administering Enterprise UsersAdministering Enterprise User Security 13-13A list of all users that match your search criteria displays. You can browse

Administering Enterprise Users13-14 Oracle Database Advanced Security Administrator's GuideNote that you can also browse enterprise users in the

Administering Enterprise DomainsAdministering Enterprise User Security 13-15Administering Enterprise DomainsAn identity management realm contains an e

Administering Enterprise Domains13-16 Oracle Database Advanced Security Administrator's GuideCreating a New Enterprise DomainIf you do not want t

Administering Enterprise DomainsAdministering Enterprise User Security 13-17 Select Remove Enterprise Domain from the Operations menu. Select an ent

Administering Enterprise Domains13-18 Oracle Database Advanced Security Administrator's GuideTo remove a database from an enterprise domain:1. Se

Administering Enterprise DomainsAdministering Enterprise User Security 13-192. Select a new database to be added to the enterprise domain.3. Choose OK

xxxviiWhat's New in Oracle Advanced Security?This section describes new features of Oracle Advanced Security 10g Release 1(10.1) and provides poi

Administering Enterprise Domains13-20 Oracle Database Advanced Security Administrator's GuideManaging Enterprise Domain AdministratorsAn Enterpri

Administering Enterprise DomainsAdministering Enterprise User Security 13-21A database can use a schema mapping to share one database schema betweenmu

Administering Enterprise Domains13-22 Oracle Database Advanced Security Administrator's GuideTo add a new mapping to the list of database schema

Administering Enterprise DomainsAdministering Enterprise User Security 13-234. Enter the name of the database schema for which this Mapping will be ma

Administering Enterprise Domains13-24 Oracle Database Advanced Security Administrator's Guide2.Choose the Accessible Domains tabbed window and cl

Administering Enterprise DomainsAdministering Enterprise User Security 13-25To remove an enterprise domain from the password-accessible domains list:1

Administering Enterprise Domains13-26 Oracle Database Advanced Security Administrator's GuideSee Also: "Creating New Enterprise Users"

Administering Enterprise RolesAdministering Enterprise User Security 13-27Administering Enterprise RolesAn enterprise domain within an identity manage

Administering Enterprise Roles13-28 Oracle Database Advanced Security Administrator's Guide2.Select the appropriate enterprise domain for the new

Administering Enterprise RolesAdministering Enterprise User Security 13-29Figure 13–12 Enterprise Security Manager: Database Global Roles TabWhen popu

xxxviiiEngineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is aconfigurable option provided in Oracle Net Manager. Support for H

Administering Enterprise Roles13-30 Oracle Database Advanced Security Administrator's Guideenabled as its Oracle Net naming method, or if this na

Administering Enterprise RolesAdministering Enterprise User Security 13-31Granting Enterprise Roles to UsersYou can grant an enterprise role to users

Administering Enterprise Roles13-32 Oracle Database Advanced Security Administrator's GuideTo remove a user from the list of enterprise role gran

Part VAppendixesThis part contains the following reference appendixes: Appendix A, "Data Encryption and Integrity Parameters" Appendix B,

Data Encryption and Integrity Parameters A-1AData Encryption and Integrity ParametersThis appendix describes encryption and data integrity parameters

Sample sqlnet.ora FileA-2 Oracle Database Advanced Security Administrator's GuideOracle Advanced Security Encryption#ASO Encryptionsqlnet.encrypt

Data Encryption and Integrity ParametersData Encryption and Integrity Parameters A-3RADIUS#Radiussqlnet.authentication_services = (beq, RADIUS )sqlnet

Data Encryption and Integrity ParametersA-4 Oracle Database Advanced Security Administrator's GuideThere are three classes of parameters used to

Data Encryption and Integrity ParametersData Encryption and Integrity Parameters A-5on the value set for SQLNET.ENCRYPTION_SERVER at the other end of

xxxixNew Features in Enterprise User Security Kerberos Authenticated Enterprise UsersKerberos-based authentication to the database is available for u

Data Encryption and Integrity ParametersA-6 Oracle Database Advanced Security Administrator's GuideSQLNET.ENCRYPTION_TYPES_SERVERThis parameter s

Data Encryption and Integrity ParametersData Encryption and Integrity Parameters A-7SQLNET.ENCRYPTION_TYPES_CLIENTThis parameter specifies a list of en

Data Encryption and Integrity ParametersA-8 Oracle Database Advanced Security Administrator's GuideSQLNET.CRYPTO_CHECKSUM_TYPES_CLIENTThis parame

Data Encryption and Integrity ParametersData Encryption and Integrity Parameters A-9If you do not use this parameter, the system uses various sources

Data Encryption and Integrity ParametersA-10 Oracle Database Advanced Security Administrator's Guide

Authentication Parameters B-1BAuthentication ParametersThis appendix illustrates some sample configuration files with the profile file(sqlnet.ora) and the

Parameters for Clients and Servers using RADIUS AuthenticationB-2 Oracle Database Advanced Security Administrator's GuideParameters for Clients a

Parameters for Clients and Servers using RADIUS AuthenticationAuthentication Parameters B-3SQLNET.RADIUS_AUTHENTICATION_TIMEOUTThis parameter sets the

Parameters for Clients and Servers using RADIUS AuthenticationB-4 Oracle Database Advanced Security Administrator's GuideSQLNET.RADIUS_SECRETThis

Parameters for Clients and Servers using RADIUS AuthenticationAuthentication Parameters B-5SQLNET.RADIUS_ALTERNATE_TIMEOUTThis parameter sets the time

derivative works of the Source Code, whether created by OpenVision or by athird party. The OpenVisioncopyright notice must be preserved if derivative

xl– Oracle Database recognition of standard password verifiers, which is alsonew in this release. Tool Changes– New Tool: Enterprise Security Manager

Parameters for Clients and Servers using RADIUS AuthenticationB-6 Oracle Database Advanced Security Administrator's GuideSQLNET.RADIUS_AUTHENTICA

Parameters for Clients and Servers using SSLAuthentication Parameters B-7Initialization File ParametersREMOTE_OS_AUTHENT=FALSEOS_AUTHENT_PREFIX="

Parameters for Clients and Servers using SSLB-8 Oracle Database Advanced Security Administrator's GuideCipher Suite ParametersThis section descri

Parameters for Clients and Servers using SSLAuthentication Parameters B-9 SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_DH_anon_WITH_3DES_E

Parameters for Clients and Servers using SSLB-10 Oracle Database Advanced Security Administrator's GuideSSL Client Authentication ParametersThis

Parameters for Clients and Servers using SSLAuthentication Parameters B-11SSL_SERVER_CERT_DNPurpose Use this parameter to force the server's dist

Parameters for Clients and Servers using SSLB-12 Oracle Database Advanced Security Administrator's GuideWallet LocationFor any application that m

Integrating Authentication Devices Using RADIUS C-1CIntegrating Authentication Devices UsingRADIUSThis appendix describes how third party authenticati

Customizing the RADIUS Challenge-Response User InterfaceC-2 Oracle Database Advanced Security Administrator's GuideCustomizing the RADIUS Challen

Oracle Advanced Security FIPS 140-1 Settings D-1DOracle Advanced Security FIPS 140-1SettingsOracle Advanced Security Release 8.1.6 has been validated

xliOracle9i Release 2 (9.2) New Features in Oracle Advanced SecurityThe new features for Oracle Advanced Security in release 2 (9.2) include thefollow

Configuration ParametersD-2 Oracle Database Advanced Security Administrator's Guide Configuration parameters are contained in the sqlnet.ora file t

Configuration ParametersOracle Advanced Security FIPS 140-1 Settings D-3The specified algorithm must be installed or the connection terminates. For FIP

Post Installation ChecksD-4 Oracle Database Advanced Security Administrator's GuidePost Installation ChecksAfter the installation, the following

Physical SecurityOracle Advanced Security FIPS 140-1 Settings D-5Physical SecurityTo comply with FIPS 140-1 Level 2 requirements, tamper-evident seals

Physical SecurityD-6 Oracle Database Advanced Security Administrator's Guide

orapki Utility E-1Eorapki UtilityThe orapki utility is provided to manage public key infrastructure (PKI) elements,such as wallets and certificate revo

orapki Utility OverviewE-2 Oracle Database Advanced Security Administrator's Guideorapki Utility OverviewThis command line utility can be used to

Creating Signed Certificates for Testing Purposesorapki Utility E-3Creating Signed Certificates for Testing PurposesThis command line utility provides

Managing Oracle Wallets with orapki UtilityE-4 Oracle Database Advanced Security Administrator's GuideManaging Oracle Wallets with orapki Utility

Managing Oracle Wallets with orapki Utilityorapki Utility E-5Adding Certificates and Certificate Requests to Oracle Wallets with orapkiTo add a certifica

xlii

Managing Certificate Revocation Lists (CRLs) with orapki UtilityE-6 Oracle Database Advanced Security Administrator's GuideExporting Certificates

orapki Utility Commands Summaryorapki Utility E-7orapki Utility Commands SummaryThis section lists and describes the following orapki commands: orapk

orapki Utility Commands SummaryE-8 Oracle Database Advanced Security Administrator's Guideorapki cert displayPurposeUse this command to display d

orapki Utility Commands Summaryorapki Utility E-9with no authentication. See "Uploading CRLs to Oracle Internet Directory" onpage 7-42 for m

orapki Utility Commands SummaryE-10 Oracle Database Advanced Security Administrator's Guideorapki crl hashPurposeUse this command to generate a h

orapki Utility Commands Summaryorapki Utility E-11The -ldap parameter specifies the hostname and SSL port for the directory serverfrom where you want t

orapki Utility Commands SummaryE-12 Oracle Database Advanced Security Administrator's Guideorapki wallet addPurposeUse this command to add certifi

orapki Utility Commands Summaryorapki Utility E-13user certificate to a wallet, you must add all the trusted certificates that make upthe certificate cha

orapki Utility Commands SummaryE-14 Oracle Database Advanced Security Administrator's GuideSyntaxTo export a certificate from an Oracle wallet:ora

Entrust-Enabled SSL Authentication F-1FEntrust-Enabled SSL AuthenticationEntrust Authority (formerly known as Entrust/PKI) is a suite of PKI productsp

Part I Getting Started with Oracle AdvancedSecurityThis part introduces Oracle Advanced Security, describing the security solutions itprovides, its fe

Benefits of Entrust-Enabled Oracle Advanced SecurityF-2 Oracle Database Advanced Security Administrator's GuideBenefits of Entrust-Enabled Oracle

Required System Components for Entrust-Enabled Oracle Advanced SecurityEntrust-Enabled SSL Authentication F-3Required System Components for Entrust-En

Required System Components for Entrust-Enabled Oracle Advanced SecurityF-4 Oracle Database Advanced Security Administrator's GuideEntrust Authori

Entrust Authentication ProcessEntrust-Enabled SSL Authentication F-5Entrust Authority Server Login Feature provides single sign-on by enabling OracleD

Enabling Entrust AuthenticationF-6 Oracle Database Advanced Security Administrator's GuideFigure F–1 Entrust Authentication ProcessEnabling Entru

Enabling Entrust AuthenticationEntrust-Enabled SSL Authentication F-7Administrator-Created Entrust ProfilesAdministrators create Entrust profiles as fo

Enabling Entrust AuthenticationF-8 Oracle Database Advanced Security Administrator's GuideInstalling Oracle Advanced Security and Related Product

Enabling Entrust AuthenticationEntrust-Enabled SSL Authentication F-9))Configuring Entrust on a Windows ClientIf the client resides on a Windows platf

Enabling Entrust AuthenticationF-10 Oracle Database Advanced Security Administrator's Guide2.Set the WALLET_LOCATION parameter in the sqlnet.ora

Enabling Entrust AuthenticationEntrust-Enabled SSL Authentication F-115.Start the Oracle database instance.Configuring Entrust on a Windows ServerIf t

Issues and Restrictions that Apply to Entrust-Enabled SSLF-12 Oracle Database Advanced Security Administrator's GuideCreating Entrust-Enabled Dat

Troubleshooting Entrust In Oracle Advanced SecurityEntrust-Enabled SSL Authentication F-13In addition, the following restrictions apply: The use of E

Troubleshooting Entrust In Oracle Advanced SecurityF-14 Oracle Database Advanced Security Administrator's Guide Invalid Entrust initialization fi

Troubleshooting Entrust In Oracle Advanced SecurityEntrust-Enabled SSL Authentication F-15Action: Ensure that the location of the Entrust initializati

Troubleshooting Entrust In Oracle Advanced SecurityF-16 Oracle Database Advanced Security Administrator's GuideAction: Perform the following task

Troubleshooting Entrust In Oracle Advanced SecurityEntrust-Enabled SSL Authentication F-17Search for and locate the string "fail" or "n

Troubleshooting Entrust In Oracle Advanced SecurityF-18 Oracle Database Advanced Security Administrator's GuideChecklist for Entrust Installation

Using the User Migration Utility G-1GUsing the User Migration UtilityThis chapter describes the User Migration Utility, which can be used to performbu

Introduction to the User Migration UtilityG-2 Oracle Database Advanced Security Administrator's Guide Provides the infrastructure to enable sing

Introduction to the User Migration UtilityUsing the User Migration Utility G-3Bulk User Migration Process OverviewBulk user migration is a two-phase p

Introduction to Oracle Advanced Security 1-11Introduction to Oracle Advanced SecurityThis chapter introduces Oracle Advanced Security, summarizing the

Introduction to the User Migration UtilityG-4 Oracle Database Advanced Security Administrator's GuideStep 3: Phase Two Completing the MigrationAf

Introduction to the User Migration UtilityUsing the User Migration Utility G-5Table G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table SchemaColumn Name DataTyp

Introduction to the User Migration UtilityG-6 Oracle Database Advanced Security Administrator's GuideWhich Interface Table Column Values Can Be M

Introduction to the User Migration UtilityUsing the User Migration Utility G-7If some users want to retain the objects in their local database schemas

Prerequisites for Performing MigrationG-8 Oracle Database Advanced Security Administrator's Guide5.Drops or alters the migrating users' loca

Prerequisites for Performing MigrationUsing the User Migration Utility G-9Required Directory PrivilegesIn addition to the required database privileges

User Migration Utility Command Line SyntaxG-10 Oracle Database Advanced Security Administrator's GuideUser Migration Utility Command Line SyntaxT

Accessing Help for the User Migration UtilityUsing the User Migration Utility G-11DIRLOCATION=ldap_directory_host:ldap_directory_portUSERSLIST=usernam

User Migration Utility ParametersG-12 Oracle Database Advanced Security Administrator's GuideUser Migration Utility ParametersThe following secti

User Migration Utility ParametersUsing the User Migration Utility G-13Keyword: DIRLOCATIONKeyword: DBADMINSyntax Examples: DBLOCATION=my_oracle.us.ora

Security Challenges in an Enterprise Environment1-2 Oracle Database Advanced Security Administrator's Guide Security in Enterprise Grid Computin

User Migration Utility ParametersG-14 Oracle Database Advanced Security Administrator's GuideKeyword: ENTADMINKeyword: USERSValid Values: userDN:

User Migration Utility ParametersUsing the User Migration Utility G-15Keyword: USERSLISTKeyword: USERSFILEDescription: Specifies which users are to be

User Migration Utility ParametersG-16 Oracle Database Advanced Security Administrator's GuideKeyword: MAPSCHEMAValid Values: schema_type:schema_n

User Migration Utility ParametersUsing the User Migration Utility G-17Keyword: MAPTYPEValid Values: mapping_type:mapping_levelMapping type can be: DB

User Migration Utility ParametersG-18 Oracle Database Advanced Security Administrator's GuideKeyword: CASCADEKeyword: CONTEXTValid Values: NOWh

User Migration Utility ParametersUsing the User Migration Utility G-19Keyword: LOGFILEKeyword: PARFILEDefault Setting: This value is automatically pop

User Migration Utility Usage ExamplesG-20 Oracle Database Advanced Security Administrator's GuideUser Migration Utility Usage ExamplesThe followi

User Migration Utility Usage ExamplesUsing the User Migration Utility G-21parameter, the utility runs phase one using the default value, PRIVATE, so a

User Migration Utility Usage ExamplesG-22 Oracle Database Advanced Security Administrator's GuideMapping Users to a Shared Schema Using Different

User Migration Utility Usage ExamplesUsing the User Migration Utility G-23DBADMIN=system:managerDIRLOCATION=machine2:636ENTADMIN="cn=janeadmin&qu

Security Challenges in an Enterprise EnvironmentIntroduction to Oracle Advanced Security 1-3the amount of information that organizations place on comp

User Migration Utility Usage ExamplesG-24 Oracle Database Advanced Security Administrator's GuideExample G–3 Migrating Users with Shared Schema M

User Migration Utility Usage ExamplesUsing the User Migration Utility G-25Migrating Users Using the PARFILE, USERSFILE, and LOGFILE ParametersIt is po

Troubleshooting Using the User Migration UtilityG-26 Oracle Database Advanced Security Administrator's GuideExample G–6 Migrating Users Using the

Troubleshooting Using the User Migration UtilityUsing the User Migration Utility G-27 Database connection failure Database error: < database_erro

Troubleshooting Using the User Migration UtilityG-28 Oracle Database Advanced Security Administrator's GuideCause: There is no entry for the data

Troubleshooting Using the User Migration UtilityUsing the User Migration Utility G-29 Getting local host name failed Interface table creation in SYS

Troubleshooting Using the User Migration UtilityG-30 Oracle Database Advanced Security Administrator's Guide2.Check to ensure that the file has th

Troubleshooting Using the User Migration UtilityUsing the User Migration Utility G-31Invalid value : : < user > [ USERSFILE ]Cause: Syntax error

Troubleshooting Using the User Migration UtilityG-32 Oracle Database Advanced Security Administrator's GuideResolving Error Messages Displayed fo

Troubleshooting Using the User Migration UtilityUsing the User Migration Utility G-33Action: Specify a different DN for the user.Common Log Messages f

Solving Security Challenges with Oracle Advanced Security1-4 Oracle Database Advanced Security Administrator's GuidePassword-Related ThreatsIn la

Troubleshooting Using the User Migration UtilityG-34 Oracle Database Advanced Security Administrator's GuideSCHEMA column of the interface table

Troubleshooting Using the User Migration UtilityUsing the User Migration Utility G-35Database error: < database_error_message > on page G-27 Bot

Troubleshooting Using the User Migration UtilityG-36 Oracle Database Advanced Security Administrator's GuideInvalid value : : <interface_table

Glossary-1Glossaryaccess controlThe ability of a system to grant or limit access to specific data for specific clients orgroups of clients.Access Contro

Glossary-2authenticationThe process of verifying the identity of a user, device, or other entity in a computersystem, often as a prerequisite to grant

Glossary-3CDSSee Cell Directory Services (CDS)Cell Directory Services (CDS)An external naming method that enablesusers to use Oracle tools transparent

Glossary-4provide additional information about the subject identity, such as postal address, ora challenge password by which the subject entity may la

Glossary-5clientA client relies on a service. A client can sometimes be a user, sometimes a processacting on behalf of the user during a database link

Glossary-6form of a URL. CRL DPs allow revocation information within a single certificateauthority domain to be posted in multiple CRLs. CRL DPs subdiv

Glossary-7A public or private database link from one database to another is created on thelocal database by a DBA or user.A global database link is cr

Solving Security Challenges with Oracle Advanced SecurityIntroduction to Oracle Advanced Security 1-5Data EncryptionSensitive information that travels

Glossary-8Diffie-Hellman key negotiation algorithmThis is a method that lets two parties communicating over an insecure channel toagree upon a random n

Glossary-9domainAny tree or subtree within the Domain Name System (DNS) namespace. Domainmost commonly refers to a group of computers whose host names

Glossary-10enterprise userA user defined and managed in a directory. Each enterprise user has a uniqueidentify across an enterprise.entryThe building b

Glossary-11Global Directory Service (GDS)GDS is the DCE directory service that acts as an agent between DCE CDS and anyX.500 directory service. Both G

Glossary-12identity management realmA subtree in Oracle Internet Directory, including not only an Oracle Context, butalso additional subtrees for user

Glossary-13KDCKey Distribution Center. In Kerberos authentication, the KDC maintains a list ofuser principals and is contacted through the kinit (okin

Glossary-14kserviceAn arbitrary name of a Kerberos service object.LDAPSee Lightweight Directory Access Protocol (LDAP)ldap.ora fileA file created by Ora

Glossary-15man-in-the-middleA security attack characterized by the third-party, surreptitious interception of amessage, wherein the third-party, the m

Glossary-16client requests a directory lookup of a net service alias, the directory determines thatthe entry is a net service alias and completes the

Glossary-17object classA named group of attributes. When you want to assign attributes to an entry, youdo so by assigning to that entry the object cla

vContentsList of FiguresList of TablesSend Us Your Comments ...

Solving Security Challenges with Oracle Advanced Security1-6 Oracle Database Advanced Security Administrator's GuideSelecting the network encrypt

Glossary-18peer identitySSL connect sessions are between a particular client and a particular server. Theidentity of the peer may have been establishe

Glossary-19principalA string that uniquely identifies a client or server to which a set of Kerberoscredentials is assigned. It generally has three part

Glossary-20mathematically related, it is generally viewed as computationally infeasible toderive the private key from the public key. Public and priva

Glossary-21schema mappingSee user-schema mappingSecure Hash Algorithm (SHA)An algorithm that assures data integrity by generating a 160-bit cryptograp

Glossary-22service ticketTrusted information used to authenticate the client. A ticket-granting ticket, whichis also known as the initial ticket, is o

Glossary-23single sign-on (SSO)The ability of a user to authenticate once, combined with strong authenticationoccurring transparently in subsequent co

Glossary-24System Global Area (SGA)A group of shared memory structures that contain data and control information foran Oracle instance.system identifie

Glossary-25is being validated as the entity it claims to be. Typically, the certificate authoritiesyou trust are called trusted certificates. If there a

Glossary-26Wallet Resource LocatorA wallet resource locator (WRL) provides all necessary information to locate awallet. It is a path to an operating s

Index-1IndexAaccounting, RADIUS, 5-19activating checksumming and encryption, 3-6adapters, 1-15asynchronous authentication mode inRADIUS, 5-5ATTENTION_

Solving Security Challenges with Oracle Advanced SecurityIntroduction to Oracle Advanced Security 1-7197, Advanced Encryption Standard (AES) is a new

Index-2on the server, 7-15thin JDBC support, 4-1connectingacross cells, 10-12to an Oracle databaseto verify roles, 10-14to an Oracle server in DCE, 10

Index-3enterprise user securitycomponents, 11-25configuration flow chart, 12-3configuration roadmap, 12-4directory entries, 11-11enterprise domains, 1

Index-4Oracle O3LOGON, 4-2thin driver features, 4-2Java Database connectivity (JDBC)implementation of Oracle AdvancedSecurity, 4-1JDBC. See Java Datab

Index-5Oracle service names, 10-3loading into CDS, 10-22Oracle Wallet Managerimporting PKCS #7 certificate chains, 8-22OracleContextAdmins group, 11-1

Index-6challenge-responseauthentication, 5-5user interface, C-1, C-2configuring, 5-9database links not supported, 5-2, 11-24location of secret key, 5-

Index-7SQLNET.KERBEROS5_CONF parameter, 6-9SQLNET.KERBEROS5_CONF_MIT parameter, 6-9SQLNET.KERBEROS5_KEYTAB parameter, 6-9SQLNET.KERBEROS5_REALMS param

Index-8TLS See Secure Sockets Layer (SSL)tnsnames.ora fileloading into CDS using tnnfg, 10-22modifying to load connect descriptors intoCDS, 10-21renam

Index-9managing certificates, 8-20managing trusted certificates, 8-25opening, 8-13Oracle Applications wallet location, 8-18saving, 8-17setting locatio

Index-10

Solving Security Challenges with Oracle Advanced Security1-8 Oracle Database Advanced Security Administrator's GuideStrong AuthenticationAuthenti

Solving Security Challenges with Oracle Advanced SecurityIntroduction to Oracle Advanced Security 1-9How Centralized Network Authentication Works Figu

Solving Security Challenges with Oracle Advanced Security1-10 Oracle Database Advanced Security Administrator's Guide3.The client passes these cr

Solving Security Challenges with Oracle Advanced SecurityIntroduction to Oracle Advanced Security 1-11protocol. RADIUS can be used with a variety of a

Solving Security Challenges with Oracle Advanced Security1-12 Oracle Database Advanced Security Administrator's GuideOracle Advanced Security SSL

Solving Security Challenges with Oracle Advanced SecurityIntroduction to Oracle Advanced Security 1-13Enterprise User ManagementEnterprise user manage

Solving Security Challenges with Oracle Advanced Security1-14 Oracle Database Advanced Security Administrator's Guide Passwords Kerberos Secur

Oracle Advanced Security ArchitectureIntroduction to Oracle Advanced Security 1-15Oracle Advanced Security ArchitectureOracle Advanced Security comple

vi2 Configuration and Administration Tools OverviewNetwork Encryption and Strong Authentication Configuration Tools...

Secure Data Transfer Across Network Protocol Boundaries1-16 Oracle Database Advanced Security Administrator's GuideFigure 1–6 Oracle Net with Aut

Oracle Advanced Security RestrictionsIntroduction to Oracle Advanced Security 1-17Oracle Advanced Security RestrictionsOracle Applications support Ora

Oracle Advanced Security Restrictions1-18 Oracle Database Advanced Security Administrator's Guide

Configuration and Administration Tools Overview 2-12Configuration and Administration ToolsOverviewConfiguring advanced security features for an Oracle d

Network Encryption and Strong Authentication Configuration Tools2-2 Oracle Database Advanced Security Administrator's GuideNetwork Encryption and

Network Encryption and Strong Authentication Configuration ToolsConfiguration and Administration Tools Overview 2-3To start Oracle Net Manager as a sta

Network Encryption and Strong Authentication Configuration Tools2-4 Oracle Database Advanced Security Administrator's GuideFigure 2–1 Oracle Adva

Network Encryption and Strong Authentication Configuration ToolsConfiguration and Administration Tools Overview 2-5Authentication Property Sheet Use th

Public Key Infrastructure Credentials Management Tools2-6 Oracle Database Advanced Security Administrator's GuidePublic Key Infrastructure Creden

Public Key Infrastructure Credentials Management ToolsConfiguration and Administration Tools Overview 2-7 (UNIX) From $ORACLE_HOME/bin, enter the foll

vii4 Configuring Network Data Encryption and Integrity for Thin JDBC ClientsAbout the Java Implementation...

Public Key Infrastructure Credentials Management Tools2-8 Oracle Database Advanced Security Administrator's GuideNavigator Pane The navigator pan

Public Key Infrastructure Credentials Management ToolsConfiguration and Administration Tools Overview 2-9text box. To request a certificate from a certi

Public Key Infrastructure Credentials Management Tools2-10 Oracle Database Advanced Security Administrator's GuideMenusYou use Oracle Wallet Mana

Public Key Infrastructure Credentials Management ToolsConfiguration and Administration Tools Overview 2-11Operations Menu Table 2–4 describes the conte

Public Key Infrastructure Credentials Management Tools2-12 Oracle Database Advanced Security Administrator's GuideHelp Menu Table 2–5 describes t

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-13Enterprise User Security Configuration an

Enterprise User Security Configuration and Management Tools2-14 Oracle Database Advanced Security Administrator's GuideStarting Database Configur

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-15 Logging in to Enterprise Security Mana

Enterprise User Security Configuration and Management Tools2-16 Oracle Database Advanced Security Administrator's Guide OracleAS Single Sign-On

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-17Figure 2–4 Directory Server Login Window

viiiTask 1: Install Kerberos... 6-2Task 2

Enterprise User Security Configuration and Management Tools2-18 Oracle Database Advanced Security Administrator's GuideFigure 2–5 Enterprise Secu

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-19 Right-click an enterprise domain to pe

Enterprise User Security Configuration and Management Tools2-20 Oracle Database Advanced Security Administrator's GuideFigure 2–6 Enterprise Secu

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-21File Menu Table 2–9 describes the conten

Enterprise User Security Configuration and Management Tools2-22 Oracle Database Advanced Security Administrator's GuideEnterprise Security Manage

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-23Figure 2–7 Enterprise Security Manager C

Enterprise User Security Configuration and Management Tools2-24 Oracle Database Advanced Security Administrator's GuideFigure 2–8 ESM Console URL

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-25a. Select krbPrincipalName in the left c

Enterprise User Security Configuration and Management Tools2-26 Oracle Database Advanced Security Administrator's GuideHome Tabbed Window The Hom

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-27The Group subtab (shown in Figure 2–11 o

ixHow SSL Works with Other Authentication Methods... 7-10SSL and Firewalls...

Enterprise User Security Configuration and Management Tools2-28 Oracle Database Advanced Security Administrator's GuideFigure 2–11 Enterprise Sec

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-29Figure 2–12 Enterprise Security Manager

Enterprise User Security Configuration and Management Tools2-30 Oracle Database Advanced Security Administrator's GuideRealm Configuration Tabbed

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-31Enterprise Security Manager Command-Line

Enterprise User Security Configuration and Management Tools2-32 Oracle Database Advanced Security Administrator's GuideOracle Net Configuration As

Enterprise User Security Configuration and Management ToolsConfiguration and Administration Tools Overview 2-33After you start this tool, you will be p

Duties of a Security Administrator/DBA2-34 Oracle Database Advanced Security Administrator's Guidephase one, it populates a table with database u

Duties of an Enterprise User Security Administrator/DBAConfiguration and Administration Tools Overview 2-35Duties of an Enterprise User Security Admini

Duties of an Enterprise User Security Administrator/DBA2-36 Oracle Database Advanced Security Administrator's GuideTable 2–15 Common Enterprise U

Duties of an Enterprise User Security Administrator/DBAConfiguration and Administration Tools Overview 2-37Manage user wallets on the local system orup