Oracle Database Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part No. B10772-01
December 2003

Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Copyright © 1996, 2003 Oracle Corporation. All rights reserved.
Primary Author: Laurel P. Hale
Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati
Graphic Designer: Valarie Moore

The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice
Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.

This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos license, Oracle is required to license the Kerberos software to you under the following terms. Note that the terms contained in the Oracle program license that accompanied this product do not apply to the Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not responsible for the performance of the Kerberos software, does not provide technical support for the software, and shall not be liable for any damages arising out of any use of the Kerberos software.

Copyright © 1985-2002 by the Massachusetts Institute of Technology. All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore, if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made without prior written permission of M.I.T. "Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the M.I.T. trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion in the standard Kerberos 5 distribution.
This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by M.I.T. and the Kerberos community.

Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U. S. Department of Energy.

Contents

List of Figures
List of Tables
Send Us Your Comments xxiii
Preface xxv
What's New in Oracle Advanced Security? xxxvii

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security
  Security Challenges in an Enterprise Environment 1-1
  Security in Enterprise Grid Computing Environments 1-2
  Security in an Intranet or Internet Environment 1-2
  Common Security Threats 1-3
  Solving Security Challenges with Oracle Advanced Security 1-4
  Data Encryption 1-5
  Strong Authentication 1-8
  Enterprise User Management 1-13
  Oracle Advanced Security Architecture 1-15
  Secure Data Transfer Across Network Protocol Boundaries 1-16
  System Requirements 1-16
  Oracle Advanced Security Restrictions 1-17

2 Configuration and Administration Tools Overview
  Network Encryption and Strong Authentication Configuration Tools 2-2
  Oracle Net Manager 2-2
  Oracle Advanced Security Kerberos Adapter Command-Line Utilities 2-5
  Public Key Infrastructure Credentials Management Tools 2-6
  Oracle Wallet Manager 2-6
  orapki Utility 2-12
  Enterprise User Security Configuration and Management Tools 2-13
  Database Configuration Assistant 2-13
  Enterprise Security Manager and Enterprise Security Manager Console 2-14
  Oracle Net Configuration Assistant 2-32
  User Migration Utility 2-33
  Duties of a Security Administrator/DBA 2-34
  Duties of an Enterprise User Security Administrator/DBA 2-35

Part II Network Data Encryption and Integrity

3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
  Oracle Advanced Security Encryption 3-1
  About Encryption 3-2
  Advanced Encryption Standard 3-2
  DES Algorithm Support 3-2
  Triple-DES Support 3-2
  RSA RC4 Algorithm for High Speed Encryption 3-3
  Oracle Advanced Security Data Integrity 3-3
  Data Integrity Algorithms Supported 3-4
  Diffie-Hellman Based Key Management 3-4
  Authentication Key Fold-in 3-5
  How To Configure Data Encryption and Integrity 3-5
  About Activating Encryption and Integrity 3-6
  About Negotiating Encryption and Integrity 3-6
  Setting the Encryption Seed (Optional) 3-8
  Configuring Encryption and Integrity Parameters Using Oracle Net Manager 3-9

4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients
  About the Java Implementation 4-1
  Java Database Connectivity Support 4-1
  Securing Thin JDBC 4-2
  Implementation Overview 4-3
  Obfuscation 4-3
  Configuration Parameters 4-4
  Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT 4-4
  Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT 4-5
  Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT 4-5
  Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT 4-6

Part III Oracle Advanced Security Strong Authentication

5 Configuring RADIUS Authentication
  RADIUS Overview 5-1
  RADIUS Authentication Modes 5-3
  Synchronous Authentication Mode 5-3
  Challenge-Response (Asynchronous) Authentication Mode 5-5
  Enabling RADIUS Authentication, Authorization, and Accounting 5-8
  Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client 5-9
  Task 2: Configure RADIUS Authentication 5-9
  Task 3: Create a User and Grant Access 5-17
  Task 4: Configure External RADIUS Authorization (optional) 5-17
  Task 5: Configure RADIUS Accounting 5-19
  Task 6: Add the RADIUS Client Name to the RADIUS Server Database 5-20
  Task 7: Configure the Authentication Server for Use with RADIUS 5-20
  Task 8: Configure the RADIUS Server for Use with the Authentication Server 5-20
  Task 9: Configure Mapping Roles 5-21
  Using RADIUS to Log In to a Database 5-22
  RSA ACE/Server Configuration Checklist 5-22

6 Configuring Kerberos Authentication
  Enabling Kerberos Authentication 6-2
  Task 1: Install Kerberos 6-2
  Task 2: Configure a Service Principal for an Oracle Database Server 6-2
  Task 3: Extract a Service Table from Kerberos 6-3
  Task 4: Install an Oracle Database Server and an Oracle Client 6-4
  Task 5: Install Oracle Net Services and Oracle Advanced Security 6-5
  Task 6: Configure Oracle Net Services and Oracle Database 6-5
  Task 7: Configure Kerberos Authentication 6-5
  Task 8: Create a Kerberos User 6-10
  Task 9: Create an Externally Authenticated Oracle User 6-10
  Task 10: Get an Initial Ticket for the Kerberos/Oracle User 6-11
  Utilities for the Kerberos Authentication Adapter 6-11
  Obtaining the Initial Ticket with the okinit Utility 6-11
  Displaying Credentials with the oklist Utility 6-12
  Removing Credentials from the Cache File with the okdstry Utility 6-13
  Connecting to an Oracle Database Server Authenticated by Kerberos 6-13
  Configuring Interoperability with a Windows 2000 Domain Controller KDC 6-13
  Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC 6-14
  Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client 6-15
  Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC 6-17
  Task 4: Getting an Initial Ticket for the Kerberos/Oracle User 6-17
  Troubleshooting 6-18

7 Configuring Secure Sockets Layer Authentication
  SSL and TLS in an Oracle Environment 7-2
  Difference between SSL and TLS 7-2
  About Using SSL 7-3
  How SSL Works in an Oracle Environment: The SSL Handshake 7-4
  Public Key Infrastructure in an Oracle Environment 7-5
  About Public Key Cryptography 7-5
  Public Key Infrastructure Components in an Oracle Environment 7-6
  SSL Combined with Other Authentication Methods 7-10
  Architecture: Oracle Advanced Security and SSL 7-10
  How SSL Works with Other Authentication Methods 7-10
  SSL and Firewalls 7-12
  SSL Usage Issues 7-14
  Enabling SSL 7-15
  Task 1: Install Oracle Advanced Security and Related Products 7-15
  Task 2: Configure SSL on the Server 7-15
  Task 3: Configure SSL on the Client 7-23
  Task 4: Log on to the Database 7-31
  Troubleshooting SSL 7-31
  Certificate Validation with Certificate Revocation Lists 7-35
  What CRLs Should You Use? 7-35
  How CRL Checking Works 7-36
  Configuring Certificate Validation with Certificate Revocation Lists 7-37
  Certificate Revocation List Management 7-40
  Troubleshooting Certificate Validation 7-45
  Configuring Your System to Use Hardware Security Modules 7-48
  General Guidelines for Using Hardware Security Modules with Oracle Advanced Security 7-48
  Configuring Your System to Use nCipher Hardware Security Modules 7-49
  Troubleshooting Using Hardware Security Modules 7-50

8 Using Oracle Wallet Manager
  Oracle Wallet Manager Overview 8-2
  Wallet Password Management 8-2
  Strong Wallet Encryption 8-3
  Microsoft Windows Registry Wallet Storage 8-3
  Backward Compatibility 8-3
  Public-Key Cryptography Standards (PKCS) Support 8-3
  Multiple Certificate Support 8-4
  LDAP Directory Support 8-7
  Starting Oracle Wallet Manager 8-7
  How To Create a Complete Wallet: Process Overview 8-8
  Managing Wallets 8-9
  Required Guidelines for Creating Wallet Passwords 8-9
  Creating a New Wallet 8-10
  Opening an Existing Wallet 8-13
  Closing a Wallet 8-13
  Importing Third-Party Wallets 8-13
  Exporting Oracle Wallets to Third-Party Environments 8-14
  Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 8-14
  Uploading a Wallet to an LDAP Directory 8-15
  Downloading a Wallet from an LDAP Directory 8-16
  Saving Changes 8-17
  Saving the Open Wallet to a New Location 8-17
  Saving in System Default 8-17
  Deleting the Wallet 8-18
  Changing the Password 8-18
  Using Auto Login 8-19
  Managing Certificates 8-20
  Managing User Certificates 8-20
  Managing Trusted Certificates 8-25

9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security
  Connecting with User Name and Password 9-1
  Disabling Oracle Advanced Security Authentication 9-2
  Configuring Multiple Authentication Methods 9-4
  Configuring Oracle Database for External Authentication 9-5
  Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora 9-5
  Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE 9-5
  Setting OS_AUTHENT_PREFIX to a Null Value 9-6

10 Configuring Oracle DCE Integration
  Introduction to Oracle DCE Integration 10-2
  System Requirements 10-2
  Backward Compatibility 10-2
  Components of Oracle DCE Integration 10-2
  Flexible DCE Deployment 10-4
  Release Limitations 10-4
  Configuring DCE for Oracle DCE Integration 10-5

[...]

List of Figures (fragment)
  [...] 7-20
  Oracle Advanced Security SSL Window (Server) 7-22
  Oracle Advanced Security SSL Window (Client) 7-26
  Oracle Advanced Security SSL Window (Client) 7-29
  Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected 7-38
  Oracle Advanced Security Authentication Window 9-3
  Enterprise User Security and the Oracle Security Architecture [...]

Preface (fragment)
[...] single sign-on services, and security protocols. The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.

This preface contains these topics:
  - Audience
  - Organization
  - Related Documentation
  - Conventions
  - Documentation Accessibility

Audience
The Oracle Database Advanced Security Administrator's Guide is intended for users [...]

List of Figures (fragment)
  [...] Sequence 5-6
  Oracle Advanced Security Authentication Window 5-10
  Oracle Advanced Security Other Params Window 5-12
  Oracle Advanced Security Authentication Window (Kerberos) 6-6
  Oracle Advanced Security Other Params Window (Kerberos) 6-7
  SSL in Relation to Other Authentication Methods 7-11
  SSL Cipher Suites Window 7-19
  Oracle Advanced Security SSL Window [...]

Preface (fragment)
[...] administration of Oracle Advanced Security including:
  - Implementation consultants
  - System administrators
  - Security administrators
  - Database administrators (DBAs)

Organization
This document contains the following chapters:

Part I, "Getting Started with Oracle Advanced Security"
Chapter 1, "Introduction to Oracle Advanced Security"
This chapter provides an overview of Oracle Advanced Security features [...]

[...] Reference
  - Oracle Internet Directory Administrator's Guide
  - Oracle Database Administrator's Guide
  - Oracle Database Security Guide

Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.

Printed documentation [...]

[...] hardware security module support features of Oracle Advanced Security.

Chapter 8, "Using Oracle Wallet Manager"
This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.

Chapter 9, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security"
This chapter describes the authentication methods that can be used with Oracle Advanced Security, [...]

[...] electronic mail address. If you have problems with the software, please contact your local Oracle Support Services.

Preface
Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security. Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet [...]

List of Figures (fragment)
  [...] Authentication with Oracle Authentication Adapters 1-8
  How a Network Authentication Service Authenticates a User 1-9
  Centralized User Management with Enterprise User Security 1-13
  Oracle Advanced Security in an Oracle Networking Environment 1-15
  Oracle Net with Authentication Adapters 1-16
  Oracle Advanced Security Profile in Oracle Net Manager 2-4
  Oracle Wallet Manager [...]

Preface (fragment)
[...] This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.

Part III, "Oracle Advanced Security Strong Authentication"
Chapter 5, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User [...]

List of Figures (fragment)
  [...] Window 13-16
  Enterprise Security Manager: Databases Tab (Database Membership) 13-17
  Enterprise Security Manager: Add Databases Window 13-18
  Enterprise Security Manager: Database Schema Mappings Tab 13-21
  Enterprise Security Manager: Add Database Schema Mappings Window 13-22
  Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box 13-24
  Enterprise Security Manager: Create [...]