Oracle Advanced Security Administrator’s Guide

Authors: Cowan M.

Edition: release 9.0.1

Size: 3 MB (3467818 bytes)

Pages: 486/486

Welcome to the Oracle Advanced Security Administrator’s Guide for Release 9.0.1 of Oracle Advanced Security.

Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.

The Oracle Advanced Security Administrator’s Guide describes how to implement, configure and administer Oracle Advanced Security. The Oracle Advanced Security Administrator’s Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including:

■ Implementation consultants
■ System administrators
■ Security administrators

Table of contents:
Contents
Send Us Your Comments
Preface
Part I Introduction
1 Introduction to Oracle Advanced Security
Eavesdropping and Data Theft
Password-Related Threats
Data Privacy
Federal Information Processing Standard
Data Integrity
How Centralized Network Authentication Works
Remote Authentication Dial-In User Service
Smart Cards
Single Sign-On
Authorization
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Advanced Security Restrictions
Part II Encryption, Integrity, and JDBC
2 Configuring Data Encryption and Integrity
Triple-DES Support
RSA RC4 Algorithm for High Speed Encryption
Data Integrity Algorithms Supported
Authentication Key Fold-in
Activating Encryption and Integrity
ACCEPTED
Setting the Encryption Seed
Configuring Encryption on the Client and the Server
Configuring Integrity on the Client and the Server
3 Thin JDBC Support
Java Database Connectivity Support
Securing Thin JDBC
Obfuscation
Client Encryption Level
Client Integrity Level
Client Integrity Selected List
Part III Configuring Authentication Methods
4 Configuring RADIUS Authentication
RADIUS Overview
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Step 1: Configure RADIUS on the Oracle Client
Step 2: Configure RADIUS on the Oracle Database Server
Step 3: Configure Additional RADIUS Features
Task 4: Configure RADIUS Accounting
Task 5: Add the RADIUS Client Name to the RADIUS Server Database
Task 8: Configure Mapping Roles
Using RADIUS to Log In to a Database
5 Configuring CyberSafe Authentication
Task 3: Install the CyberSafe Application Security Toolkit
Task 4: Configure a Service Principal for an Oracle Database Server
Task 5: Extract the Service Table from CyberSafe
Task 9: Configure CyberSafe Authentication
Configure CyberSafe on both the Client and the Oracle Database Server
Task 10: Create a CyberSafe User on the Authentication Server
Task 11: Create an Externally Authenticated Oracle User on the Oracle Database Server
Task 13: Connect to an Oracle Database Server Authenticated by CyberSafe
If everything seems to work fine, but then you issue another query and it fails:
6 Configuring Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Database Server
Task 3: Extract a Service Table from Kerberos
Step 1: Configure Kerberos on the Client and on the Database Server
Step 2: Set the Initialization Parameters
Step 3: Set sqlnet.ora Parameters (optional)
Task 8: Create a Kerberos User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Use okinit to Obtain the Initial Ticket
Use OKLIST to Display Credentials
Connecting to an Oracle Database Server Authenticated by Kerberos
If everything seems to work fine, but then you issue another query and it fails:
7 Configuring Secure Sockets Layer Authentication
What You Can Do with SSL
Architecture of SSL in an Oracle Environment
Certificate
Wallet
How SSL Works in an Oracle Environment: The SSL Handshake
SSL Beyond an Oracle Environment
SSL Combined with Other Authentication Methods
Architecture: Oracle Advanced Security and SSL
Using SSL with Other Authentication Methods
SSL and Firewalls
SSL Usage Issues
Step 1: Confirm Wallet Creation
Step 2: Configure Service Name
Step 3: Specify Required Client Configuration (Wallet Location)
Step 4: Set the SSL Cipher Suites on the Client (Optional)
To specify cipher suites for the client:
To set the SSL version for the client:
Step 7: Create a Net Service Name that Uses TCP/IP with SSL in the Connect Descriptor
Step 2: Specify Required Server Configuration (Wallet Location)
Step 3: Set the SSL Cipher Suites on the Server (Optional)
To specify cipher suites for the server:
To set the SSL version for the server:
Step 5: Set SSL Client Authentication (Optional)
Step 6: Set SSL as an Authentication Service (Optional)
Task 4: Log on to the Database
8 Configuring Entrust-Enabled SSL Authentication
Entrust/PKI
Integration with Entrust/PKI Certificate Revocation
Entrust/PKI 5.0.2 for Oracle
Entrust/Toolkit Server Login 5.0.2
Entrust IPSEC Negotiator Toolkit 5.0.2
Entrust Authentication Process
Administrator-Created Entrust Profiles
Configuring SSL on the Client and Server
Configuring Entrust on a Windows NT Client
Configuring Entrust on a UNIX Server
Configuring Entrust on a Windows NT Server
Issues and Restrictions
Checklist
General Problems and Guidelines
9 Configuring Multiple Authentication Methods
Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Multiple Authentication Methods
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value
Part IV Oracle DCE Integration
10 Overview of Oracle DCE Integration
Backward Compatibility
The Distributed Computing Environment
Data Privacy and Integrity
DCE Cell Directory Services Native Naming
Flexible DCE Deployment
Release Limitations
11 Configuring DCE for Oracle DCE Integration
Task 2: Install the Key of the Server into a Keytab File
Step 1: Create Oracle Directories in the CDS Namespace
Step 3: Load Oracle Service Names into CDS
12 Configuring Oracle9i for Oracle DCE Integration
DCE Address Parameters
Task 1: Configure the Server
Task 2: Create and Name Externally-Authenticated Accounts
Task 3: Set up DCE Integration External Roles
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
DCE.AUTHENTICATION
DCE.TNS_ADDRESS_OID
Task 6: Configure Clients to Use DCE CDS Naming
Step 2: Modify the CDS Attributes File and Restart the CDS
Step 3: Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS
Step 4: Load Oracle Connect Descriptors into CDS
Step 6: Modify the sqlnet.ora File to Resolve Names in CDS
13 Connecting to an Oracle Database in DCE
Starting the Listener
Method 2
14 DCE and Non-DCE Interoperability
Connecting Clients Outside DCE to Oracle Servers in DCE
The listener.ora File
The tnsnames.ora File
SQL*Net Release 2.3 and Oracle Net
Part V Oracle9i Enterprise User Security
15 Managing Enterprise User Security
Part I: Overview / Concepts
Introduction to Enterprise User Security
Enterprise Users and Authentication Methods
Enterprise Users and Password Authentication
Enterprise Roles
User-Schema Mappings
Database Server Entries
Administrative Groups
Overview
Setting Up ACLs
Enterprise User Security Elements
The Enterprise User Security Process with SSL
The Enterprise User Security Process with Passwords
Overview
Shared Schema Functionality and SSL
Mapping an Enterprise User to a Shared Schema
Current User Database Links
Oracle Enterprise Login Assistant
Oracle Wallet Manager
Database Membership in Enterprise Domains
Part II: Initial Configuration for SSL and Password Authentication
Task 2: Install and Configure a Directory Service
Step 2: Prepare the Directory for Enterprise User Support
Step 3: Create Administrative Users
Step 1: Install Oracle9i Release 9.0.1 Database Software
Step 2: Set Up Directory Access for ORACLE_HOME
Step 3: Authorize Users for Administrative Functions
Step 4: Use Oracle Database Configuration Assistant to Register the Database in the Directory
Task 4: Configure the Database for SSL
Step 2: Configure SSL Service Name
Step 3: Configure the Listener
Example: The SQLNET.ORA File
Example: The LISTENER.ORA File:
Step 1: Create a Database Wallet
Step 2: Enable Autologin
Step 3: Start the Listener
Task 6: Verify Database Installation
Step 2: Grant a Create Session Privilege
Step 4: Associate Privileges
Part III: Final Configuration for SSL Authentication
Task 8: Configure Database Clients
Task 9: Configure an Enterprise Domain
Step 1: Add a New Enterprise User to the Directory
Step 3: Authorize the User
Step 4: Map the User to a Schema
Step 3: Connect to the Database
Part IV: Final Configuration for Password Authentication
Task 13: Configure the Enterprise Domain
Step 1: Configure User Search Bases
Step 4: Configure Password-Accessible Domains
Step 1: Create Enterprise Users
Step 2: Authorize Users
Step 3: Create Enterprise User Ids
Step 4: Create Enterprise User Passwords
Step 5: Enable Database Access
Task 16: Connect as Password Authenticated Enterprise User
Part V: TroubleShooting Enterprise User Login
No Global Roles
ORA-1017: Invalid username/password
ORA-28030
Oracle Internet Directory
16 Using Oracle Wallet Manager
Overview
Microsoft Windows Registry
Oracle Wallet Functions
Backward Compatibility
Importing Third-Party Wallets
Exporting Oracle Wallets
Multiple Certificate Support
LDAP Directory Support
Creating a New Wallet
Opening an Existing Wallet
Uploading a Wallet to an LDAP Directory
Downloading a Wallet from an LDAP Directory
Saving the Open Wallet to a New Location
Deleting the Wallet
Enabling Auto Login
Disabling Auto Login
Adding a Certificate Request
Selecting a File that Contains the Certificate
Exporting a User Certificate
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting All Trusted Certificates
Exporting a Wallet
17 Using Oracle Enterprise Login Assistant
About Oracle Enterprise Login Assistant
Starting Oracle Enterprise Login Assistant
Opening Existing Wallet on Local System
Connecting to LDAP Directory and Downloading New Wallet
Changing Wallet Passwords
Uploading Wallet to LDAP Directory
Logging Out and Disabling SSL Connection
18 Using Oracle Enterprise Security Manager
Introduction
Task 2: Install Oracle Enterprise Manager
Task 4: Start Oracle Enterprise Security Manager
Task 5: Log On to the Directory
Administering a Directory for Enterprise User Security
Creating New Enterprise Users
Defining a Directory Base
Defining a New Enterprise User Password
Defining an Initial Enterprise Role Assignment
Browsing Users in the Directory
Enabling Database Access
Defining Properties of an Oracle Context
Defining User Search Bases
Defining Oracle Context Administrators
Managing Password Accessible Domains
Managing Database Security
Managing Database Administrators
Managing Database Schema Mappings
Administering Enterprise Domains
Defining Database Membership of an Enterprise Domain
Managing Enterprise Domain Administrators
Managing Enterprise Domain Database Schema Mappings
Administering Enterprise Roles
Assigning Database Global Role Membership to an Enterprise Role
Managing Enterprise Role Grantees
Part VI Appendixes
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Encryption and Integrity Level Settings
Encryption and Integrity Selected Lists
Seeding the Random Key Generator
B Authentication Parameters
Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Kerberos Authentication
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
SQLNET.RADIUS_ALTERNATE
SQLNET.RADIUS_CHALLENGE_KEYWORD
SQLNET.RADIUS_CLASSPATH
Initialization File (init.ora) Parameters
Authentication Parameters
Supported SSL Cipher Suites
SSL Client Authentication
Wallet Location
C Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface
D Oracle Advanced Security FIPS 140-1 Settings
Client Encryption Level Setting
FIPS Parameter
Post Installation Checks
Status Information
Physical Security
E Oracle Implementation of Java SSL
Prerequisites
SSL Cipher Suites Supported by Oracle Java SSL
Security-Aware Applications Support
SSLServerExample Program
Initializing Server Socket:
SSLClientExample Program
Initializing the Credentials:
Viewing Peer Credentials:
SSLProxyClientExample Program
Initializing and Connecting the Client Socket:
Solution
Solution
Methods
Public Class: OracleSSLServerSocketFactoryImpl
Public Class: OracleSSLSession
Methods
F Abbreviations and Acronyms
Glossary
Index