Oracle Database Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part No. B10772-01
December 2003
Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Copyright © 1996, 2003 Oracle Corporation. All rights reserved.
Primary Author: Laurel P. Hale
Contributors: Rajbir Chahal, Min-Hank Ho, Michael Hwa, Sudha Iyer, Adam Lindsey Jacobs, Supriya
Kalyanasundaram, Lakshmi Kethana, Andrew Koyfman, Van Le, Nina Lewis, Stella Li, Janaki
Narasinghanallur, Vikram Pesati, Andy Philips, Richard Smith, Deborah Steiner, Philip Thornton,
Ramana Turlapati
Graphic Designer: Valarie Moore
The Programs (which include both the software and documentation) contain proprietary information of
Oracle Corporation; they are provided under a license agreement containing restrictions on use and
disclosure and are also protected by copyright, patent and other intellectual and industrial property
laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required
to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems
in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this
document is error-free. Except as may be expressly permitted in your license agreement for these
Programs, no part of these Programs may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on
behalf of the U.S. Government, the following notice is applicable:
Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial
computer software" and use, duplication, and disclosure of the Programs, including documentation,
shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
to distribution of the software without specific, written prior permission. Furthermore, if you modify this
software you must label your software as modified software and not distribute it in such a fashion that it
might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability
of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright M.I.T., Cygnus Support, OpenVision, Oracle, Sun Soft,
FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of
the Massachusetts Institute of Technology (M.I.T.). No commercial use of these trademarks may be made
without prior written permission of M.I.T.
"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a
commercial firm from referring to the M.I.T. trademarks in order to convey information (although in
doing so, recognition of their trademark status should be given).
----
The following copyright and permission notice applies to the OpenVision Kerberos Administration
system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and
portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described
below, indicates your acceptance of the following terms. If you do not agree to the following terms, do
not retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code compiled from it, with or without
modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF
DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY
SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT,
Data Encryption............................................................................................................................ 1-5
Strong Authentication.................................................................................................................. 1-8
Enterprise User Management ................................................................................................... 1-13
Oracle Advanced Security Architecture ....................................................................................... 1-15
Secure Data Transfer Across Network Protocol Boundaries.................................................... 1-16
System Requirements ...................................................................................................................... 1-16
Oracle Advanced Security Restrictions........................................................................................ 1-17
2 Configuration and Administration Tools Overview
Network Encryption and Strong Authentication Configuration Tools .................................... 2-2
Oracle Net Manager ..................................................................................................................... 2-2
Oracle Advanced Security Kerberos Adapter Command-Line Utilities .............................. 2-5
Public Key Infrastructure Credentials Management Tools ........................................................ 2-6
Oracle Wallet Manager ................................................................................................................ 2-6
orapki Utility ............................................................................................................................... 2-12
Enterprise User Security Configuration and Management Tools............................................ 2-13
Database Configuration Assistant............................................................................................ 2-13
Enterprise Security Manager and Enterprise Security Manager Console.......................... 2-14
Oracle Net Configuration Assistant......................................................................................... 2-32
User Migration Utility................................................................................................................ 2-33
Duties of a Security Administrator/DBA ..................................................................................... 2-34
Duties of an Enterprise User Security Administrator/DBA ..................................................... 2-35
Part II Network Data Encryption and Integrity
3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
Oracle Advanced Security Encryption............................................................................................ 3-1
About Encryption ......................................................................................................................... 3-2
Advanced Encryption Standard ................................................................................................. 3-2
DES Algorithm Support............................................................................................................... 3-2
Triple-DES Support ..................................................................................................................... 3-2
Task 2: Configure RADIUS Authentication.............................................................................. 5-9
Task 3: Create a User and Grant Access.................................................................................. 5-17
Task 4: Configure External RADIUS Authorization (optional)........................................... 5-17
Task 5: Configure RADIUS Accounting.................................................................................. 5-19
Task 6: Add the RADIUS Client Name to the RADIUS Server Database .......................... 5-20
Task 7: Configure the Authentication Server for Use with RADIUS.................................. 5-20
Task 8: Configure the RADIUS Server for Use with the Authentication Server............... 5-20
Task 9: Configure Mapping Roles............................................................................................ 5-21
Using RADIUS to Log In to a Database....................................................................................... 5-22
RSA ACE/Server Configuration Checklist................................................................................... 5-22
6 Configuring Kerberos Authentication
Enabling Kerberos Authentication ................................................................................................. 6-2
Task 1: Install Kerberos................................................................................................................ 6-2
Task 2: Configure a Service Principal for an Oracle Database Server................................... 6-2
Task 3: Extract a Service Table from Kerberos ......................................................................... 6-3
Task 4: Install an Oracle Database Server and an Oracle Client............................................ 6-4
Task 5: Install Oracle Net Services and Oracle Advanced Security ...................................... 6-5
Task 6: Configure Oracle Net Services and Oracle Database................................................. 6-5
Task 7: Configure Kerberos Authentication ............................................................................. 6-5
Task 8: Create a Kerberos User ................................................................................................. 6-10
Task 9: Create an Externally Authenticated Oracle User...................................................... 6-10
Task 10: Get an Initial Ticket for the Kerberos/Oracle User ................................................ 6-11
Utilities for the Kerberos Authentication Adapter .................................................................... 6-11
Obtaining the Initial Ticket with the okinit Utility ................................................................ 6-11
Displaying Credentials with the oklist Utility........................................................................ 6-12
Removing Credentials from the Cache File with the okdstry Utility ................................. 6-13
Connecting to an Oracle Database Server Authenticated by Kerberos .............................. 6-13
Configuring Interoperability with a Windows 2000 Domain Controller KDC .................... 6-13
Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000
Configuring Certificate Validation with Certificate Revocation Lists................................ 7-37
Certificate Revocation List Management ................................................................................ 7-40
Troubleshooting Certificate Validation................................................................................... 7-45
Configuring Your System to Use Hardware Security Modules ............................................... 7-48
General Guidelines for Using Hardware Security Modules with Oracle Advanced Security ........ 7-48
Configuring Your System to Use nCipher Hardware Security Modules........................... 7-49
Troubleshooting Using Hardware Security Modules........................................................... 7-50
8 Using Oracle Wallet Manager
Oracle Wallet Manager Overview ................................................................................................... 8-2
Wallet Password Management................................................................................................... 8-2
Strong Wallet Encryption ............................................................................................................ 8-3
Microsoft Windows Registry Wallet Storage ........................................................................... 8-3
Backward Compatibility.............................................................................................................. 8-3
Public-Key Cryptography Standards (PKCS) Support ........................................................... 8-3
Multiple Certificate Support ....................................................................................................... 8-4
LDAP Directory Support............................................................................................................. 8-7
Starting Oracle Wallet Manager....................................................................................................... 8-7
How To Create a Complete Wallet: Process Overview ................................................................ 8-8
Managing Wallets ............................................................................................................................... 8-9
Required Guidelines for Creating Wallet Passwords ............................................................. 8-9
Creating a New Wallet............................................................................................................... 8-10
Opening an Existing Wallet....................................................................................................... 8-13
Closing a Wallet .......................................................................................................................... 8-13
Importing Third-Party Wallets ................................................................................................. 8-13
Exporting Oracle Wallets to Third-Party Environments ...................................................... 8-14
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12.................................... 8-14
Uploading a Wallet to an LDAP Directory............................................................................. 8-15
Downloading a Wallet from an LDAP Directory .................................................................. 8-16
Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration ......... 10-8
DCE Address Parameters.......................................................................................................... 10-8
Task 1: Configure the Server..................................................................................................... 10-9
Task 2: Create and Name Externally Authenticated Accounts.......................................... 10-10
Task 3: Set up DCE Integration External Roles .................................................................... 10-12
Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases 10-15
Task 5: Configure the Client ................................................................................................... 10-16
Task 6: Configure Clients to Use DCE CDS Naming .......................................................... 10-19
Connecting to an Oracle Database Server in the DCE Environment ................................... 10-23
Starting the Listener ................................................................................................................. 10-23
Connecting to an Oracle Database by Using DCE Authentication for Single Sign-On.. 10-24
Connecting to an Oracle Database by Using Password Authentication .......................... 10-25
Connecting Clients Outside DCE to Oracle Servers in DCE ................................................. 10-25
Sample Parameter Files............................................................................................................ 10-25
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible................................... 10-28
Part IV Enterprise User Security
11 Getting Started with Enterprise User Security
Introduction to Enterprise User Security ..................................................................................... 11-2
The Challenges of User Management...................................................................................... 11-2
Enterprise User Security: The Big Picture............................................................................... 11-3
About Enterprise User Security Directory Entries............................................................... 11-11
About Using Shared Schemas for Enterprise User Security .................................................. 11-19
Overview of Shared Schemas Used in Enterprise User Security....................................... 11-19
How Shared Schemas Are Configured for Enterprise Users ............................................. 11-20
How Enterprise Users Are Mapped to Schemas.................................................................. 11-20
About Using Current User Database Links for Enterprise User Security ........................... 11-23
Enterprise User Security Deployment Considerations ........................................................... 11-25
Security Aspects of Centralizing Security Credentials ....................................................... 11-25
Security of Password-Authenticated Enterprise User Database Login Information...... 11-26
Considerations for Defining Database Membership in Enterprise Domains.................. 11-27
Administering Enterprise Users..................................................................................................... 13-8
Creating New Enterprise Users................................................................................................ 13-9
Setting Enterprise User Passwords ........................................................................................ 13-10
Defining an Initial Enterprise Role Assignment .................................................................. 13-11
Browsing Users in the Directory ............................................................................................ 13-12
Administering Enterprise Domains............................................................................................ 13-15
Creating a New Enterprise Domain....................................................................................... 13-16
Defining Database Membership of an Enterprise Domain ................................................ 13-17
Managing Database Security Options for an Enterprise Domain..................................... 13-19
Managing Enterprise Domain Administrators .................................................................... 13-20
Managing Enterprise Domain Database Schema Mappings.............................................. 13-20
Managing Password Accessible Domains ............................................................................ 13-23
Managing Database Administrators...................................................................................... 13-25
Administering Enterprise Roles .................................................................................................. 13-27
Creating a New Enterprise Role............................................................................................. 13-27
Assigning Database Global Role Membership to an Enterprise Role............................... 13-28
Granting Enterprise Roles to Users........................................................................................ 13-31
Part V Appendixes
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File........................................................................................................................ A-1
Data Encryption and Integrity Parameters .................................................................................... A-3
Encryption and Integrity Parameters ........................................................................................ A-4
Seeding the Random Key Generator (Optional)...................................................................... A-8
B Authentication Parameters
Parameters for Clients and Servers using Kerberos Authentication........................................ B-1
Parameters for Clients and Servers using RADIUS Authentication........................................ B-2
sqlnet.ora File Parameters ........................................................................................................... B-2
Minimum RADIUS Parameters.................................................................................................. B-6
Initialization File Parameters...................................................................................................... B-7
orapki Utility Commands Summary............................................................................................... E-7
orapki cert create........................................................................................................................... E-7
orapki cert display........................................................................................................................ E-8
orapki crl delete............................................................................................................................. E-8
orapki crl display .......................................................................................................................... E-9
orapki crl hash............................................................................................................................ E-10
orapki crl list............................................................................................................................... E-10
orapki crl upload........................................................................................................................ E-11
orapki wallet add....................................................................................................................... E-12
orapki wallet create .................................................................................................................... E-13
orapki wallet display.................................................................................................................. E-13
orapki wallet export ................................................................................................................... E-13
F Entrust-Enabled SSL Authentication
Benefits of Entrust-Enabled Oracle Advanced Security.............................................................. F-2
Enhanced X.509-Based Authentication and Single Sign-On .................................................. F-2
Integration with Entrust Authority Key Management ........................................................... F-2
Integration with Entrust Authority Certificate Revocation.................................................... F-2
Required System Components for Entrust-Enabled Oracle Advanced Security................... F-3
Entrust Authority for Oracle....................................................................................................... F-3
Entrust Authority Server Login Feature ................................................................................... F-4
Entrust Authority IPSec Negotiator Toolkit............................................................................. F-5
Entrust Authentication Process........................................................................................................ F-5
Enabling Entrust Authentication..................................................................................................... F-6
Creating Entrust Profiles ............................................................................................................. F-6
Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ...... F-8
Configuring SSL on the Client and Server for Entrust-Enabled SSL .................................... F-8
Configuring Entrust on the Client ............................................................................................. F-8
Configuring Entrust on the Server............................................................................................. F-9
Creating Entrust-Enabled Database Users.............................................................................. F-12
Index
List of Figures
1–1 Encryption .............................................................................................................................. 1-5
1–2 Strong Authentication with Oracle Authentication Adapters........................................ 1-8
1–3 How a Network Authentication Service Authenticates a User ...................................... 1-9
1–4 Centralized User Management with Enterprise User Security..................................... 1-13
1–5 Oracle Advanced Security in an Oracle Networking Environment ............................ 1-15
1–6 Oracle Net with Authentication Adapters....................................................................... 1-16
2–1 Oracle Advanced Security Profile in Oracle Net Manager.............................................. 2-4
2–2 Oracle Wallet Manager User Interface ............................................................................... 2-7
2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane .... 2-9
2–4 Directory Server Login Window ....................................................................................... 2-17
2–5 Enterprise Security Manager User Interface.................................................................... 2-18
2–6 Enterprise Security Manager Databases Tabbed Window............................................ 2-20
2–7 Enterprise Security Manager Console Login Page ......................................................... 2-23
2–8 ESM Console URL Window............................................................................................... 2-24
2–9 Enterprise Security Manager Console User Interface .................................................... 2-25
2–10 Enterprise Security Manager Console Users Subtab...................................................... 2-26
2–11 Enterprise Security Manager Console Group Subtab .................................................... 2-28
2–12 Enterprise Security Manager Console Edit Group Page................................................ 2-29
2–13 Enterprise Security Manager Console Realm Configuration Tabbed Window ......... 2-30
2–14 Opening Page of Oracle Net Configuration Assistant................................................... 2-33
3–1 Oracle Advanced Security Encryption Window............................................................. 3-10
3–2 Oracle Advanced Security Integrity Window................................................................. 3-12
5–1 RADIUS in an Oracle Environment.................................................................................... 5-2
5–2 Synchronous Authentication Sequence.............................................................................. 5-4
5–3 Asynchronous Authentication Sequence........................................................................... 5-6
5–4 Oracle Advanced Security Authentication Window...................................................... 5-10
13–14 Enterprise Security Manager: Add Enterprise Users Window .................................. 13-31
F–1 Entrust Authentication Process........................................................................................... F-6
List of Tables
1–1 Authentication Methods and System Requirements ..................................................... 1-17
2–1 Oracle Wallet Manager Navigator Pane Objects ............................................................. 2-8
2–2 Oracle Wallet Manager Toolbar Buttons ........................................................................ 2-10
2–3 Oracle Wallet Manager Wallet Menu Options............................................................... 2-10
2–4 Oracle Wallet Manager Operations Menu Options....................................................... 2-11
2–5 Oracle Wallet Manager Help Menu Options ................................................................. 2-12
2–6 Enterprise User Security Tools Summary........................................................................ 2-13
2–7 Enterprise Security Manager Authentication Methods................................................ 2-17
2–8 Enterprise Security Manager Navigator Pane Folders ................................................. 2-19
2–9 Enterprise Security Manager File Menu Options .......................................................... 2-21
2–10 Enterprise Security Manager Operations Menu Options............................................. 2-21
2–11 Enterprise Security Manager Help Menu Options........................................................ 2-21
2–12 Enterprise Security Manager Console User Subtab Buttons........................................ 2-27
2–13 Realm Configuration Tabbed Window Fields ............................................................... 2-30
2–14 Common Security Administrator/DBA Configuration and Administrative Tasks. 2-34
2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks ........ 2-36
3–1 Encryption and Data Integrity Negotiations..................................................................... 3-8
3–2 Valid Encryption Algorithms ............................................................................................ 3-11
3–3 Valid Integrity Algorithms................................................................................................. 3-13
4–1 ORACLE.NET.ENCRYPTION_CLIENT Parameter Attributes ..................................... 4-4
4–2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes ....................... 4-5
4–3 ORACLE.NET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes ...................... 4-5
4–4 ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes ........... 4-6
5–1 RADIUS Authentication Components .............................................................................. 5-3
B–1 Kerberos Authentication Parameters................................................................................. B-1
B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes ............................... B-2
B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes.................................... B-2
B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes....................... B-3
B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes............... B-3
B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes.................. B-3
B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes................................ B-4
B–8 SQLNET.RADIUS_SECRET Parameter Attributes........................................................... B-4
B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes................................................. B-4
B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes .................................... B-4
B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes ............................ B-5
B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes............................... B-5
B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes ......................... B-5
B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes ......................... B-6
B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes........... B-6
B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes.................................................. B-6
B–17 Wallet Location Parameters .............................................................................................. B-12
C–1 Server Encryption Level Setting......................................................................................... C-2
D–1 Sample Output from v$session_connect_info.................................................................. D-4
G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema ....................................... G-5
G–2 Interface Table Column Values That Can Be Modified between Phase One and Phase Two ........ G-6
G–3 Effects of Choosing Shared Schema Mapping with CASCADE Options..................... G-7
G–4 Alphabetical Listing of User Migration Utility Error Messages................................. G-34
G–5 Alphabetical Listing of User Migration Utility Log Messages .................................... G-35
Send Us Your Comments
Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1)
Part No. B10772-01
Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this
Preface
Welcome to the Oracle Database Advanced Security Administrator's Guide for the
10g Release 1 (10.1) of Oracle Advanced Security.
Oracle Advanced Security contains a comprehensive suite of security features that
protect enterprise networks and securely extend them to the Internet. It provides a
single source of integration with multiple network encryption and authentication
solutions, single sign-on services, and security protocols.
The Oracle Database Advanced Security Administrator's Guide describes how to
implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
■ Audience
■ Organization
■ Related Documentation
■ Conventions
■ Documentation Accessibility