Document information
Oracle Database Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part No. B10772-01
December 2003
Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Copyright © 1996, 2003 Oracle Corporation. All rights reserved.
Primary Author: Laurel P. Hale
Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton, Ramana Turlapati
Graphic Designer: Valarie Moore
The Programs (which include both the software and documentation) contain proprietary information of
Oracle Corporation; they are provided under a license agreement containing restrictions on use and
disclosure and are also protected by copyright, patent and other intellectual and industrial property
laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required
to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems
in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this
document is error-free. Except as may be expressly permitted in your license agreement for these
Programs, no part of these Programs may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on
behalf of the U.S. Government, the following notice is applicable:
Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial
computer software" and use, duplication, and disclosure of the Programs, including documentation,
shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer
software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR
52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500
Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently
dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup,
redundancy, and other measures to ensure the safe use of such applications if the Programs are used for
such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the
Programs.
Oracle is a registered trademark, and Oracle Store, Oracle8i, Oracle9i, PL/SQL, SQL*Net, SQL*Plus, and
Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names
may be trademarks of their respective owners.
Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.
This program contains third-party code from Massachusetts Institute of Technology (M.I.T.), OpenVision
Technologies, Inc., and the Regents of the University of California. Under the terms of the Kerberos
license, Oracle is required to license the Kerberos software to you under the following terms. Note that
the terms contained in the Oracle program license that accompanied this product do not apply to the
Kerberos software, and your rights to use the software are solely as set forth below. Oracle is not
responsible for the performance of the Kerberos software, does not provide technical support for the
software, and shall not be liable for any damages arising out of any use of the Kerberos software.
Copyright © 1985-2002 by the Massachusetts Institute of Technology.
All rights reserved.
Export of this software from the United States of America may require a specific license from the United
States Government. It is the responsibility of any person or organization contemplating export to obtain
such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior permission. Furthermore, if you modify this
software you must label your software as modified software and not distribute it in such a fashion that it
might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability
of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft,
FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of
the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made
without prior written permission of M.I.T.
"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a
commercial firm from referring to the M.I.T. trademarks in order to convey information (although in
doing so, recognition of their trademark status should be given).
The following copyright and permission notice applies to the OpenVision Kerberos Administration
system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and
portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described
below, indicates your acceptance of the following terms. If you do not agree to the following terms, do
not retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code compiled from it, with or without
modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF
DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY
SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT,
INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to
derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision
copyright notice must be preserved if derivative works are made based on the donated Source Code.
OpenVision Technologies, Inc., has donated this Kerberos Administration system to M.I.T. for inclusion
in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing
Kerberos technology development and our gratitude for the valuable work which has been performed by
M.I.T. and the Kerberos community.
Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National
Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract
DE-AC02-76CHO3000 with the U. S. Department of Energy.
Contents
List of Figures
List of Tables
Send Us Your Comments xxiii
Preface xxv
What's New in Oracle Advanced Security? xxxvii
Part I Getting Started with Oracle Advanced Security
1 Introduction to Oracle Advanced Security
Security Challenges in an Enterprise Environment 1-1
Security in Enterprise Grid Computing Environments 1-2
Security in an Intranet or Internet Environment 1-2
Common Security Threats 1-3
Solving Security Challenges with Oracle Advanced Security 1-4
Data Encryption 1-5
Strong Authentication 1-8
Enterprise User Management 1-13
Oracle Advanced Security Architecture 1-15
Secure Data Transfer Across Network Protocol Boundaries 1-16
System Requirements 1-16
Oracle Advanced Security Restrictions 1-17
2 Configuration and Administration Tools Overview
Network Encryption and Strong Authentication Configuration Tools 2-2
Oracle Net Manager 2-2
Oracle Advanced Security Kerberos Adapter Command-Line Utilities 2-5
Public Key Infrastructure Credentials Management Tools 2-6
Oracle Wallet Manager 2-6
orapki Utility 2-12
Enterprise User Security Configuration and Management Tools 2-13
Database Configuration Assistant 2-13
Enterprise Security Manager and Enterprise Security Manager Console 2-14
Oracle Net Configuration Assistant 2-32
User Migration Utility 2-33
Duties of a Security Administrator/DBA 2-34
Duties of an Enterprise User Security Administrator/DBA 2-35
Part II Network Data Encryption and Integrity
3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
Oracle Advanced Security Encryption 3-1
About Encryption 3-2
Advanced Encryption Standard 3-2
DES Algorithm Support 3-2
Triple-DES Support 3-2
RSA RC4 Algorithm for High Speed Encryption 3-3
Oracle Advanced Security Data Integrity 3-3
Data Integrity Algorithms Supported 3-4
Diffie-Hellman Based Key Management 3-4
Authentication Key Fold-in 3-5
How To Configure Data Encryption and Integrity 3-5
About Activating Encryption and Integrity 3-6
About Negotiating Encryption and Integrity 3-6
Setting the Encryption Seed (Optional) 3-8
Configuring Encryption and Integrity Parameters Using Oracle Net Manager 3-9
4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients
About the Java Implementation 4-1
Java Database Connectivity Support 4-1
Securing Thin JDBC 4-2
Implementation Overview 4-3
Obfuscation 4-3
Configuration Parameters 4-4
Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT 4-4
Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT 4-5
Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT 4-5
Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT 4-6
Part III Oracle Advanced Security Strong Authentication
5 Configuring RADIUS Authentication
RADIUS Overview 5-1
RADIUS Authentication Modes 5-3
Synchronous Authentication Mode 5-3
Challenge-Response (Asynchronous) Authentication Mode 5-5
Enabling RADIUS Authentication, Authorization, and Accounting 5-8
Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client 5-9
Task 2: Configure RADIUS Authentication 5-9
Task 3: Create a User and Grant Access 5-17
Task 4: Configure External RADIUS Authorization (optional) 5-17
Task 5: Configure RADIUS Accounting 5-19
Task 6: Add the RADIUS Client Name to the RADIUS Server Database 5-20
Task 7: Configure the Authentication Server for Use with RADIUS 5-20
Task 8: Configure the RADIUS Server for Use with the Authentication Server 5-20
Task 9: Configure Mapping Roles 5-21
Using RADIUS to Log In to a Database 5-22
RSA ACE/Server Configuration Checklist 5-22
6 Configuring Kerberos Authentication
Enabling Kerberos Authentication 6-2
Task 1: Install Kerberos 6-2
Task 2: Configure a Service Principal for an Oracle Database Server 6-2
Task 3: Extract a Service Table from Kerberos 6-3
Task 4: Install an Oracle Database Server and an Oracle Client 6-4
Task 5: Install Oracle Net Services and Oracle Advanced Security 6-5
Task 6: Configure Oracle Net Services and Oracle Database 6-5
Task 7: Configure Kerberos Authentication 6-5
Task 8: Create a Kerberos User 6-10
Task 9: Create an Externally Authenticated Oracle User 6-10
Task 10: Get an Initial Ticket for the Kerberos/Oracle User 6-11
Utilities for the Kerberos Authentication Adapter 6-11
Obtaining the Initial Ticket with the okinit Utility 6-11
Displaying Credentials with the oklist Utility 6-12
Removing Credentials from the Cache File with the okdstry Utility 6-13
Connecting to an Oracle Database Server Authenticated by Kerberos 6-13
Configuring Interoperability with a Windows 2000 Domain Controller KDC 6-13
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC 6-14
Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client 6-15
Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC 6-17
Task 4: Getting an Initial Ticket for the Kerberos/Oracle User 6-17
Troubleshooting 6-18
7 Configuring Secure Sockets Layer Authentication
SSL and TLS in an Oracle Environment 7-2
Difference between SSL and TLS 7-2
About Using SSL 7-3
How SSL Works in an Oracle Environment: The SSL Handshake 7-4
Public Key Infrastructure in an Oracle Environment 7-5
About Public Key Cryptography 7-5
Public Key Infrastructure Components in an Oracle Environment 7-6
SSL Combined with Other Authentication Methods 7-10
Architecture: Oracle Advanced Security and SSL 7-10
How SSL Works with Other Authentication Methods 7-10
SSL and Firewalls 7-12
SSL Usage Issues 7-14
Enabling SSL 7-15
Task 1: Install Oracle Advanced Security and Related Products 7-15
Task 2: Configure SSL on the Server 7-15
Task 3: Configure SSL on the Client 7-23
Task 4: Log on to the Database 7-31
Troubleshooting SSL 7-31
Certificate Validation with Certificate Revocation Lists 7-35
What CRLs Should You Use? 7-35
How CRL Checking Works 7-36
Configuring Certificate Validation with Certificate Revocation Lists 7-37
Certificate Revocation List Management 7-40
Troubleshooting Certificate Validation 7-45
Configuring Your System to Use Hardware Security Modules 7-48
General Guidelines for Using Hardware Security Modules with Oracle Advanced Security 7-48
Configuring Your System to Use nCipher Hardware Security Modules 7-49
Troubleshooting Using Hardware Security Modules 7-50
8 Using Oracle Wallet Manager
Oracle Wallet Manager Overview 8-2
Wallet Password Management 8-2
Strong Wallet Encryption 8-3
Microsoft Windows Registry Wallet Storage 8-3
Backward Compatibility 8-3
Public-Key Cryptography Standards (PKCS) Support 8-3
Multiple Certificate Support 8-4
LDAP Directory Support 8-7
Starting Oracle Wallet Manager 8-7
How To Create a Complete Wallet: Process Overview 8-8
Managing Wallets 8-9
Required Guidelines for Creating Wallet Passwords 8-9
Creating a New Wallet 8-10
Opening an Existing Wallet 8-13
Closing a Wallet 8-13
Importing Third-Party Wallets 8-13
Exporting Oracle Wallets to Third-Party Environments 8-14
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 8-14
Uploading a Wallet to an LDAP Directory 8-15
Downloading a Wallet from an LDAP Directory 8-16
Saving Changes 8-17
Saving the Open Wallet to a New Location 8-17
Saving in System Default 8-17
Deleting the Wallet 8-18
Changing the Password 8-18
Using Auto Login 8-19
Managing Certificates 8-20
Managing User Certificates 8-20
Managing Trusted Certificates 8-25
9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security
Connecting with User Name and Password 9-1
Disabling Oracle Advanced Security Authentication 9-2
Configuring Multiple Authentication Methods 9-4
Configuring Oracle Database for External Authentication 9-5
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora 9-5
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE 9-5
Setting OS_AUTHENT_PREFIX to a Null Value 9-6
10 Configuring Oracle DCE Integration
Introduction to Oracle DCE Integration 10-2
System Requirements 10-2
Backward Compatibility 10-2
Components of Oracle DCE Integration 10-2
Flexible DCE Deployment 10-4
Release Limitations 10-4
Configuring DCE for Oracle DCE Integration 10-5
[...] 7-20
Oracle Advanced Security SSL Window (Server) 7-22
Oracle Advanced Security SSL Window (Client) 7-26
Oracle Advanced Security SSL Window (Client) 7-29
Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected 7-38
Oracle Advanced Security Authentication Window 9-3
Enterprise User Security and the Oracle Security Architecture ...
[...]
... single sign-on services, and security protocols. The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
- Audience
- Organization
- Related Documentation
- Conventions
- Documentation Accessibility
Audience
The Oracle Database Advanced Security Administrator's Guide is intended for users ...
[...]
... Sequence 5-6
Oracle Advanced Security Authentication Window 5-10
Oracle Advanced Security Other Params Window 5-12
Oracle Advanced Security Authentication Window (Kerberos) 6-6
Oracle Advanced Security Other Params Window (Kerberos) 6-7
SSL in Relation to Other Authentication Methods 7-11
SSL Cipher Suites Window 7-19
Oracle Advanced Security SSL Window ...
[...]
... administration of Oracle Advanced Security including:
- Implementation consultants
- System administrators
- Security administrators
- Database administrators (DBAs)
Organization
This document contains the following chapters:
Part I, "Getting Started with Oracle Advanced Security"
Chapter 1, "Introduction to Oracle Advanced Security"
This chapter provides an overview of Oracle Advanced Security features ...
[...]
... Reference
- Oracle Internet Directory Administrator's Guide
- Oracle Database Administrator's Guide
- Oracle Database Security Guide
Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.
Printed documentation ...
[...]
... hardware security module support features of Oracle Advanced Security.
Chapter 8, "Using Oracle Wallet Manager"
This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.
Chapter 9, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security"
This chapter describes the authentication methods that can be used with Oracle Advanced Security, ...
[...]
... electronic mail address. If you have problems with the software, please contact your local Oracle Support Services.
Preface
Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security. Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet ...
[...]
... Authentication with Oracle Authentication Adapters 1-8
How a Network Authentication Service Authenticates a User 1-9
Centralized User Management with Enterprise User Security 1-13
Oracle Advanced Security in an Oracle Networking Environment 1-15
Oracle Net with Authentication Adapters 1-16
Oracle Advanced Security Profile in Oracle Net Manager 2-4
Oracle Wallet Manager ...
[...]
... This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.
Part III, "Oracle Advanced Security Strong Authentication"
Chapter 5, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User ...
[...]
... Window 13-16
Enterprise Security Manager: Databases Tab (Database Membership) 13-17
Enterprise Security Manager: Add Databases Window 13-18
Enterprise Security Manager: Database Schema Mappings Tab 13-21
Enterprise Security Manager: Add Database Schema Mappings Window 13-22
Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box 13-24
Enterprise Security Manager: Create ...
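The table of contents above names the Oracle Net encryption, integrity and authentication parameters that Chapter 3 (network data encryption and integrity) and Chapter 9 (SQLNET.AUTHENTICATION_SERVICES in sqlnet.ora) configure. As an added example that is not part of the Oracle guide, the following Python script parses a sqlnet.ora file and flags the settings a reviewer checks first: an encryption or integrity level left below REQUIRED, weak algorithms left in the negotiation list, and no explicit SQLNET.AUTHENTICATION_SERVICES. The server-side parameter names (SQLNET.ENCRYPTION_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER and their _TYPES_ lists) are the standard sqlnet.ora names; the sample file and the set of algorithms treated as weak are constructed assumptions for the demonstration, not values taken from the guide.

```python
"""Audit an Oracle Net sqlnet.ora for encryption, integrity and
authentication settings.

Added example, not code from the Oracle guide. The sample file and
the weak-algorithm policy below are constructed for the demonstration.
"""
import re

# Level keywords Oracle Net accepts for ENCRYPTION_* and CRYPTO_CHECKSUM_*.
LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}

# Algorithms this audit treats as weak (assumption: a local policy choice).
WEAK_ALGORITHMS = {"DES", "DES40", "RC4_40", "RC4_56", "MD5"}

# Constructed sample sqlnet.ora (server side), deliberately half-hardened.
SAMPLE_SQLNET_ORA = """\
# constructed sample, not a real configuration
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, DES40)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
"""

_PARAM = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_sqlnet_ora(text):
    """Return {NAME: raw value} for one-line parameters; '#' comments skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _PARAM.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def parse_list(value):
    """'(AES256, DES40)' or 'AES256' -> ['AES256', 'DES40']."""
    return [v.strip().upper() for v in value.strip("() ").split(",") if v.strip()]


def audit(params, side="SERVER"):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for feature, prefix in (("encryption", "SQLNET.ENCRYPTION"),
                            ("integrity", "SQLNET.CRYPTO_CHECKSUM")):
        # ACCEPTED is the Oracle Net default when the level is not set.
        level = params.get(f"{prefix}_{side}", "ACCEPTED").upper()
        if level not in LEVELS:
            findings.append(f"{feature}: invalid level {level!r}")
        elif level != "REQUIRED":
            # Below REQUIRED, a peer configured as REJECTED negotiates a
            # cleartext (or unchecked) connection instead of failing.
            findings.append(f"{feature}: level is {level}, not REQUIRED; "
                            "a peer set to REJECTED negotiates cleartext")
        algos = parse_list(params.get(f"{prefix}_TYPES_{side}", ""))
        weak = sorted(set(algos) & WEAK_ALGORITHMS)
        if weak:
            findings.append(f"{feature}: weak algorithms offered: {', '.join(weak)}")
    services = parse_list(params.get("SQLNET.AUTHENTICATION_SERVICES", ""))
    if not services:
        findings.append("authentication: SQLNET.AUTHENTICATION_SERVICES "
                        "is not set explicitly")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sqlnet_ora(SAMPLE_SQLNET_ORA)):
        print(finding)
```

Run it against a real sqlnet.ora by reading the file into `parse_sqlnet_ora`; pass `side="CLIENT"` to audit a client profile, where the same parameter names end in `_CLIENT`. The check only reports what the file says: whether the negotiated session is actually encrypted depends on the peer's level as well, which is why anything below REQUIRED is flagged.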
Posted: 24/01/2014, 08:20