- Oracle Database Advanced Security Administrator's Guide, 10g Release 1 (10.1), Part No. B10772-01. Copyright © 1996, 2003 Oracle Corporation. All rights reserved. Primary Author: Laurel P.
- Preface Welcome to the Oracle Database Advanced Security Administrator's Guide for the 10g Release 1 (10.1) of Oracle Advanced Security. Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols. 
- Audience: The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security, including implementation consultants, system administrators, security administrators, and database administrators (DBAs).
- Organization: This document contains the following chapters: Part I, "Getting Started with Oracle Advanced Security" Chapter 1, "Introduction to Oracle Advanced Securit
- Part III, "Oracle Advanced Security Strong Authentication" Chapter 5, "Configuring RADIUS Authentication" This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices. 
- parameters, and how clients outside of DCE can access Oracle databases using another protocol such as TCP/IP. Part IV, "Enterprise User Security" Chapter 11, "Getting Started with Enterprise User Security" This chapter describes the Oracle LDAP directory and database integration that enables you to store and manage users' authentication information in Oracle Internet Directory. 
- Appendix D, "Oracle Advanced Security FIPS 140-1 Settings" This appendix describes the sqlnet.ora configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration. Appendix E, "orapki Utility" This appendix provides the syntax for the orapki command line utility. This utility must be used to manage certificate revocation lists (CRLs). 
- Printed documentation is available for sale in the Oracle Store at http://oraclestore.oracle.com/ To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at http://otn.oracle.com/membership/ If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at http://otn.oracle. 
- Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. New York: John Wiley & Sons, 1996.
- SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John Wiley & Sons, 2000.
- Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D., Mark C. Smith, and Gordon S. Good. Indianapolis: New Riders Publishing, 1999.
- Conventions used in this document:

  | Convention | Meaning | Example |
  |---|---|---|
  | UPPERCASE monospace (fixed-width) font | Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles. | You can specify this clause only for a NUMBER column. |
  | [ ] | Brackets enclose one or more optional items. Do not enter the brackets. | DECIMAL (digits [ , precision ]) |
  | { } | Braces enclose two or more items, one of which is required. Do not enter the braces. | {ENABLE \| DISABLE} |
  | \| | A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar. | {ENABLE \| DISABLE}; [COMPRESS \| NOCOMPRESS] |
  | ... | Horizontal ellipsis points indicate either: | |
  | lowercase | Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown. | SELECT last_name, employee_id FROM employees; sqlplus hr/hr; CREATE USER mjones IDENTIFIED BY ty3MU9; |
  | Special characters | The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters. | |
- Documentation Accessibility Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. 
- What's New in Oracle Advanced Security? This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release. The following sections describe the new features in Oracle Advanced Security: Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security; Oracle9i Release 2 (9.
- Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager. See Also: Chapter 7, "Configuring Secure Sockets Layer Authentication" for configuration details. Support for Hardware Security Modules, including Oracle Wallet Manager Integration: In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11.
- See Also: "Certificate Validation with Certificate Revocation Lists" on page 7-35 for details; Appendix E, "orapki Utility" for details about the orapki command line utility. New Features in Enterprise User Security: Kerberos Authenticated Enterprise Users. Kerberos-based authentication to the database is available for users managed in an LDAP directory.
- Oracle Database recognition of standard password verifiers, which is also new in this release. Tool Changes: New Tool: Enterprise Security Manager Console. The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release.
- Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security: The new features for Oracle Advanced Security in release 2 (9.2) include the following: Support for Advanced Encryption Standard (AES). AES is a new cryptographic algorithm standard developed to replace Data Encryption Standard (DES).
- Part I Getting Started with Oracle Advanced Security This part introduces Oracle Advanced Security, describing the security solutions it provides, its features, and its tools. 
- 1 Introduction to Oracle Advanced Security This chapter introduces Oracle Advanced Security, summarizing the security risks it addresses, and describing its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure. 
- Security Challenges in an Enterprise Environment: Security in Enterprise Grid Computing Environments; Security in an Intranet or Internet Environment; Common Security Threats. Security in Enterprise Grid Computing Environments: Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer.
- the amount of information that organizations place on computers. Employee and financial records, customer orders, product information, and other sensitive data have moved from filing cabinets to file structures. The volume of sensitive information on the Web has thus increased the value of data that can be compromised.
- Solving Security Challenges with Oracle Advanced Security: Password-Related Threats. In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing configurations.
- Data Encryption: Sensitive information that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that can be deciphered only with a decryption key. Figure 1–1 shows how encryption works to ensure the security of a transaction. For example, if a manager approves a bonus, this data should be encrypted when sent over the network to avoid eavesdropping.
- Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers. Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. 10g Release 1 (10.
- 197, Advanced Encryption Standard (AES) is a new cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode.
- Strong Authentication: Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments; without it there can be little confidence in network security. Passwords are the most common means of authentication.
- How Centralized Network Authentication Works: Figure 1–3 shows how a centralized network authentication service typically operates. [Figure 1–3 How a Network Authentication Service Authenticates a User: User, Authentication Server, and Oracle Server, with numbered steps 1 through 6.] 1. A user (client) requests authentication services and provides identifying information, such as a token or password. 2.
- 3. The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database. 4. The server sends the credentials back to the authentication server for authentication. 5. If the authentication server accepts the credentials, then it notifies the Oracle Server, and the user is authenticated. 6.
- protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. See Chapter 5, "Configuring RADIUS Authentication" for information about configuring and using this adapter. Smart Cards: A RADIUS-compliant smart card is a credit card-like hardware device. It has memory and a processor and is read by a smart card reader located at the client workstation.
- Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authentication for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database usernames and passwords, RADIUS, and Kerberos).
- Enterprise User Management: Enterprise user management is provided by the Enterprise User Security feature of Oracle Advanced Security. Enterprise User Security enables storing database users and their corresponding administrative and security information in a centralized directory server. Figure 1–4 shows how a directory server can be used to provide centralized storage and management of user account, user role, and authentication information. 1.
- Passwords; Kerberos; Secure Sockets Layer (SSL) with digital certificates. See Also: For detailed discussions of Enterprise User Security concepts, configuration, and management, refer to the following chapters in this manual: Chapter 11, "Getting Started with Enterprise User Security"; Chapter 12, "Enterprise User Security Configuration Tasks and Troubleshooting"; Chapter 13, "Administering Enterprise User Security".
- Oracle Advanced Security Architecture: Oracle Advanced Security complements an Oracle server or client installation with advanced security features. Figure 1–5 shows the Oracle Advanced Security architecture within an Oracle networking environment.
- [Figure 1–6, labels as shown: Oracle Forms and Oracle Reports; Oracle Net with Authentication Adapters; 3rd Party Tools; 3GL Tools; Oracle Server; Oracle Call Interface; Oracle Advanced Security; Oracle Net; Kerberos Adapter; SSL Adapter; DCE Adapter; RADIUS Adapter; Kerberos; SSL; DCE; RADIUS.] See Also: Oracle Net Services Administrator's Guide, for more information about stack communications in an Oracle networking environment. Secure Data Transfer Across Network Pro
- Oracle Advanced Security Restrictions. Note: Oracle Advanced Security is not available with Oracle Database Standard Edition. Table 1–1 Authentication Methods and System Requirements:

  | Authentication Method | System Requirements |
  |---|---|
  | Kerberos | MIT Kerberos Version 5, release 1.1. The Kerberos authentication server must be installed on a physically secure machine. |
  | RADIUS | |
- 2 Configuration and Administration Tools Overview Configuring advanced security features for an Oracle database includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure, as is required for Secure Sockets Layer (SSL). 
- Network Encryption and Strong Authentication Configuration Tools: Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL.
- To start Oracle Net Manager as a standalone application: (UNIX) From $ORACLE_HOME/bin, enter the following at the command line: netmgr. (Windows) Choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Net Manager. Navigating to the Oracle Advanced Security Profile: The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane, which displays various property sheets that enab
- Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager. Oracle Advanced Security Profile Property Sheets: The Oracle Advanced Security Profile contains the following property sheets, which are described in the following sections: Authentication Property Sheet; Other Params Property Sheet; Integrity Property Sheet; Encryption Property Sheet; SSL Property Sheet.
- Authentication Property Sheet: Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows NT native authentication (NTS), or RADIUS. Other Params Property Sheet: Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet.
- Public Key Infrastructure Credentials Management Tools: The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials.
- (UNIX) From $ORACLE_HOME/bin, enter the following at the command line: owm. (Windows) Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Wallet Manager. Navigating the Oracle Wallet Manager User Interface: The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2–2.
- Navigator Pane: The navigator pane provides a graphical tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.
- text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file. Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane. Toolbar: The toolbar contains buttons that enable you to manage your wallets. Move the mouse cursor over a toolbar button to display a description of the button's function. The toolbar buttons are listed and described in Table 2–2.
- Table 2–2 Oracle Wallet Manager Toolbar Buttons:

  | Toolbar Button | Description |
  |---|---|
  | New | Creates a new wallet |
  | Open Wallet | Enables you to browse your file system to locate and open an existing wallet |
  | Save Wallet | Saves the currently open wallet |
  | Delete Wallet | Deletes the wallet currently selected in the navigator pane |
  | Help | Opens the Oracle Wallet Manager online help |

- Menus: You use Oracle Wallet Manager menus to manage your wallets and the credentials they
- Table 2–3 (Cont.) Oracle Wallet Manager Wallet Menu Options:

  | Option | Description |
  |---|---|
  | Change Password | Changes the password for the currently open wallet. You must supply the old password before you can create a new one. |
  | Auto Login | Sets the auto login feature for the currently open wallet. See auto login wallet. |
  | Exit | Exits the Oracle Wallet Manager application |

- Operations Menu: Table 2–4 describes the contents of the Operations menu.
- Help Menu: Table 2–5 describes the contents of the Help menu. Table 2–5 Oracle Wallet Manager Help Menu Options:

  | Option | Description |
  |---|---|
  | Contents | Opens Oracle Wallet Manager online help. |
  | Search for Help on | Opens Oracle Wallet Manager online help and displays the Search tab. |
  | About Oracle Wallet Manager | Opens a window that displays the Oracle Wallet Manager version number and copyright information. |
- Enterprise User Security Configuration and Management Tools: Enterprise users are database users who are stored and centrally managed in an LDAP directory, such as Oracle Internet Directory. Table 2–6 provides a summary of the tools that are used to configure and manage Enterprise User Security. The following subsections introduce and describe these tools.
- Starting Database Configuration Assistant. To start Database Configuration Assistant: (UNIX) From $ORACLE_HOME/bin, enter the following at the command line: dbca. (Windows) Choose Start > Programs > Oracle - HOME_NAME > Database Administration > Database Configuration Assistant. See Also: "To register a database in the directory:" on page 12-9 for information about using this tool to register your database.
- Logging in to Enterprise Security Manager Console; Navigating Enterprise Security Manager Console User Interface. Enterprise Security Manager Initial Installation and Configuration Overview: The following tasks provide an overview of the initial Enterprise Security Manager installation and configuration: Task 1: Install Enterprise Security Manager; Task 2: Configure an Oracle Identity Management Infrastructure. Task 1: Install Enterpris
- OracleAS Single Sign-On server must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager. See Also: Oracle Internet Directory Administrator's Guide for information about using Oracle Internet Directory Configuration Assistant to create or upgrade an identity management realm in the directory.
- Figure 2–4 Directory Server Login Window. 2. Log in to Oracle Internet Directory by selecting the authentication method and providing the hostname and port number for your directory.
- Figure 2–5 Enterprise Security Manager User Interface. Navigator Pane: The navigator pane provides a graphical tree view of your directory's identity management realms and the databases, enterprise domains, and users they contain. You can use the navigator pane to view, modify, add, or delete enterprise domains and the objects they contain.
- Right-click an enterprise domain to perform operations such as creating enterprise roles or deleting the domain from the identity management realm. When you expand an identity management realm, you see a nested list of folders that contain enterprise user security objects. Expanding these folders enables you to view the individual objects as described in Table 2–8.
- Figure 2–6 Enterprise Security Manager Databases Tabbed Window. The Databases tabbed window also enables you to set security options for databases which are members of an enterprise domain. See "Defining Database Membership of an Enterprise Domain" on page 13-17 for a discussion of configuring enterprise domains by using the Databases tabbed window.
- Enterprise User Security Configuration and Management Tools File Menu Table 2–9 describes the contents of the File menu. Table 2–9 Enterprise Security Manager File Menu Options Option Description Change Directory Connection Causes the Directory Server Login window to reappear (see Figure 2–4 on page 2-17), enabling you to log in to another directory server. 
- Enterprise User Security Configuration and Management Tools Table 2–11 (Cont.) Enterprise Security Manager Help Menu Options Option Description Search for Help on Displays the search window for the online help. 
- Enterprise User Security Configuration and Management Tools Figure 2–7 Enterprise Security Manager Console Login Page 2. Click the Login icon in the upper right-corner of the page to log in with your OracleAS Single Sign-On username and password. After providing your OracleAS Single Sign-On credentials, you are returned to the console home page. 
- Enterprise User Security Configuration and Management Tools Figure 2–8 2. ESM Console URL Window Enter the appropriate URL for connecting to Enterprise Security Manager Console, and click OK. This saves the URL information in Enterprise Security Manager so you can launch the console again without reconfiguring the URL. 
- Enterprise User Security Configuration and Management Tools 6. a. Select krbPrincipalName in the left category list. b. Click Move > to move krbPrincipalName to the right-hand list. c. Click Done. Click Next until you reach the last page, and then click Finish to save your work. Navigating Enterprise Security Manager Console User Interface The Enterprise Security Manager Console user interface is browser-based and uses tabbed windows instead of a navigator pane. 
- Enterprise User Security Configuration and Management Tools Home Tabbed Window The Home page is your entry point to the console. You can access each tabbed window and read a brief summary of what you can do with this tool. The Home tabbed window is shown in Figure 2–9 on page 2-25. Users and Groups Tabbed Window This tabbed window contains two subtabs: the Users subtab (shown in Figure 2–10) and the Groups subtab (shown in Figure 2–11 on page 2-28). 
- Enterprise User Security Configuration and Management Tools Table 2–12 Enterprise Security Manager Console User Subtab Buttons Button Name Description Go After entering user search criteria in the Search for user field, click Go to display users who match your search criteria in the Search Results table. This button is always available. Create Enables you to create new enterprise users in the directory. This button is always available. 
- Enterprise User Security Configuration and Management Tools Figure 2–11 2-28 Enterprise Security Manager Console Group Subtab Oracle Database Advanced Security Administrator's Guide 
- Enterprise User Security Configuration and Management Tools Figure 2–12 Enterprise Security Manager Console Edit Group Page Configuration and Administration Tools Overview 2-29 
- Enterprise User Security Configuration and Management Tools Realm Configuration Tabbed Window The Realm Configuration tabbed window, which is shown in Figure 2–13, enables you to configure identity management realm attributes that pertain to Enterprise User Security. The fields that you can edit on this page are described in Table 2–13 on page 2-30. 
- Enterprise User Security Configuration and Management Tools Enterprise Security Manager Command-Line Utility Enterprise Security Manager provides a command-line utility, which can be used to perform the most common tasks that the graphical user interface tool performs. Enter all Enterprise Security Manager command-line utility commands from the Oracle Enterprise Manager Oracle home. The basic syntax for this utility is as follows: esm -cmd [operation] [-option_1 -option_2 -option_3 ... 
- Enterprise User Security Configuration and Management Tools See Also: ■ ■ "Duties of an Enterprise User Security Administrator/DBA" on page 2-35 for a list of tasks that can be performed with Enterprise Security Manager and Enterprise Security Manager Console. Chapter 13, "Administering Enterprise User Security" for detailed information about how to use Enterprise Security Manager and Enterprise Security Manager Console to administer enterprise users. 
- Enterprise User Security Configuration and Management Tools After you start this tool, you will be presented with the opening page that is shown in Figure 2–14 on page 2-33. Choose the Directory Usage Configuration option on this page, click Next, and choose the directory server where you wish to store your enterprise users. Then click Finish to create a properly configured ldap.ora file for your Oracle home. 
- Duties of a Security Administrator/DBA phase one, it populates a table with database user information. During phase two, the database user information is migrated to the directory. This tool is automatically installed in the following location when you install an Oracle Database client: $ORACLE_HOME/rdbms/bin/umu The basic syntax for this utility is as follows: umu parameter_keyword_1=value1:value2 parameter_keyword_2=value parameter_keyword_3=value1:value2:value3 . . . 
- Duties of an Enterprise User Security Administrator/DBA Table 2–14 (Cont. 
- Table 2–15 Common Enterprise User Security Administrator Configuration and Administrative Tasks (Task; Tools Used; See Also). Create an identity management realm in Oracle Internet Directory; Oracle Internet Directory Self-Service Console (Delegated Administration Service); Oracle Internet Directory Administrator's Guide for information about how to perform this task. Upgrade an identity management realm in Oracle Internet Directory; Oracle Internet D 
- Table 2–15 (Cont. 
- Part II Network Data Encryption and Integrity This part describes how to configure data encryption and integrity for your existing Oracle network, and for thin JDBC connections to the database by using the encryption features of Oracle Advanced Security. 
- 3 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients This chapter describes how to configure native Oracle Net Services data encryption and integrity for Oracle Advanced Security. 
- Oracle Advanced Security Encryption Note: Prior to Release 8.1.7, Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. This release now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release. 
- Oracle Advanced Security Data Integrity of message security, but with a performance penalty. The magnitude of the performance penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block when compared to the standard DES algorithm. 3DES is available in two-key and three-key versions, with effective key lengths of 112 bits and 168 bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode. 
- Diffie-Hellman Based Key Management ■ Data modification attack This type of attack occurs when an unauthorized party intercepts data in transit, alters it, and retransmits it. For example, if a bank deposit of $100 is intercepted, the monetary amount is changed to $10,000, and then the higher amount is retransmitted, then that is a data modification attack. ■ Replay attack This type of attack occurs when an entire set of valid data is repetitively retransmitted. 
- How To Configure Data Encryption and Integrity Oracle Advanced Security key management function changes the session key with every session. Authentication Key Fold-in The purpose of Authentication Key Fold-in is to defeat a possible third party attack (historically called the man-in-the-middle attack) on the Diffie-Hellman key negotiation. 
- About Activating Encryption and Integrity: In any network connection, it is possible for both the client and server to each support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files. 
- ■ REQUESTED ■ REQUIRED The default value for each of the parameters is ACCEPTED. REJECTED: Select this value if you do not elect to enable the security service, even if required by the other side. In this scenario, this side of the connection specifies that the security service is not permitted. If the other side is set to REQUIRED, the connection terminates with error message ORA-12650. 
- In this scenario, this side of the connection specifies that the security service must be enabled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on the other side. Table 3–1 shows whether the security service is enabled, based on a combination of client and server configuration parameters. If either the server or client has specified REQUIRED, the lack of a common algorithm causes the connection to fail. 
- the sqlnet.crypto_seed parameter in the sqlnet.ora file. It can be 10 to 70 characters in length and changed at any time. The Diffie-Hellman key exchange uses the random numbers to generate unique session keys for every connect session. Configuring Encryption and Integrity Parameters Using Oracle Net Manager: You can set up or change encryption and integrity parameter settings using Oracle Net Manager. 
- Figure 3–1 Oracle Advanced Security Encryption Window. 2. Choose the Encryption tab. 3. Depending upon which system you are configuring, select CLIENT or SERVER from the pull-down list. 4. From the Encryption Type list, select one of the following: ■ REQUESTED ■ REQUIRED ■ ACCEPTED ■ REJECTED 5. 
- 8. Repeat this procedure to configure encryption on the other system. The sqlnet.ora file on the two systems should contain the following entries: ■ On the server: SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required] SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm]) ■ On the client: SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required] SQLNET. 
- 1. Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile" on page 2-3.) The Oracle Advanced Security tabbed window appears (Figure 3–2). 2. Choose the Integrity tab. 3. Depending upon which system you are configuring, choose the Server or Client check box. 4. From the Checksum Level list, select one of the following checksum level values: 5. 
- 6. Choose File > Save Network Configuration. The sqlnet.ora file is updated. 7. Repeat this procedure to configure integrity on the other system. The sqlnet.ora file on the two systems should contain the following entries: ■ On the server: SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted | rejected | requested | required] SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm]) ■ On the client: SQLNET. 
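The negotiation rules described above (the four levels with ACCEPTED as the default, ORA-12650 when REQUIRED meets REJECTED, and failure when one side is REQUIRED but no common algorithm exists) can be checked offline before a listener is touched. The following Python model is an added example, not Oracle's code: it reads the SQLNET.ENCRYPTION_* entries for each side from sqlnet.ora-style text and applies the outcome matrix of Table 3–1, in which the service is on only when neither side is REJECTED and at least one side is REQUESTED or REQUIRED. The algorithm names, both sqlnet.ora fragments, and the selection order modelled here (the server takes the first entry in its own list that the client also lists, with an empty list standing for every installed algorithm) are assumptions of the example.

```python
"""Added example: model of Oracle Net encryption negotiation (not Oracle's code)."""
from typing import List, Optional, Tuple

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed stand-in for "every algorithm installed on this side"; an empty
# SQLNET.ENCRYPTION_TYPES_* list is modelled as accepting all of these.
INSTALLED = ["AES256", "AES192", "AES128", "3DES168", "3DES112", "RC4_256", "RC4_128", "DES"]


class NegotiationError(Exception):
    """Raised where Oracle Net would terminate the connection (ORA-12650)."""


def parse_side(text: str, side: str) -> Tuple[str, List[str]]:
    """Return (level, algorithm list) for SIDE ('CLIENT' or 'SERVER').

    A missing level is ACCEPTED (the documented default); a missing list is []
    (all installed algorithms acceptable).
    """
    level, algs = "ACCEPTED", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.upper()
        if key == f"SQLNET.ENCRYPTION_{side}":
            level = value.upper()
            if level not in LEVELS:
                raise ValueError(f"{key}: unknown value {value!r}")
        elif key == f"SQLNET.ENCRYPTION_TYPES_{side}":
            algs = [a.strip().upper() for a in value.strip("()").split(",") if a.strip()]
    return level, algs


def negotiate(client: Tuple[str, List[str]], server: Tuple[str, List[str]]) -> Optional[str]:
    """Apply Table 3-1: return the chosen algorithm, None if the service stays off,
    or raise NegotiationError where the connection would fail with ORA-12650."""
    c_level, c_algs = client
    s_level, s_algs = server
    if {c_level, s_level} == {"REJECTED", "REQUIRED"}:
        raise NegotiationError("ORA-12650: one side REQUIRED, the other REJECTED")
    if "REJECTED" in (c_level, s_level):
        return None                                   # service not permitted on one side
    if not {c_level, s_level} & {"REQUESTED", "REQUIRED"}:
        return None                                   # ACCEPTED on both sides: off by default
    server_pref = s_algs or INSTALLED
    client_ok = set(c_algs or INSTALLED)
    common = [alg for alg in server_pref if alg in client_ok]   # server chooses, in its order
    if not common:
        if "REQUIRED" in (c_level, s_level):
            raise NegotiationError("ORA-12650: no common algorithm but one side REQUIRED")
        return None                                   # only REQUESTED: fall back to clear text
    return common[0]


# Constructed sqlnet.ora fragments for a worked run.
CLIENT_SQLNET = """
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_256, AES256)
"""
SERVER_SQLNET = """
# server insists on encryption and prefers AES
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168)
"""


def negotiate_files(client_text: str, server_text: str) -> Optional[str]:
    """Parse both sides and negotiate; returns the algorithm name or None."""
    return negotiate(parse_side(client_text, "CLIENT"), parse_side(server_text, "SERVER"))


if __name__ == "__main__":
    print(negotiate_files(CLIENT_SQLNET, SERVER_SQLNET))
```

Running the model against a pair of real sqlnet.ora files is a quick way to confirm that a server set to REQUIRED will not silently fall back to clear text for a client whose list omits every server algorithm: that combination raises rather than returning None.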
- 4 Configuring Network Data Encryption and Integrity for Thin JDBC Clients This chapter describes the Java implementation of Oracle Advanced Security, which lets thin Java Database Connectivity (JDBC) clients securely connect to Oracle Databases. 
- About the Java Implementation Microsystems defined the JDBC standard and Oracle Corporation implements and extends the standard with its own JDBC drivers. Oracle JDBC drivers are used to create JDBC applications to communicate with Oracle databases. Oracle implements two types of JDBC drivers: Thick JDBC drivers built on top of the C-based Oracle Net client, as well as a Thin (Pure Java) JDBC driver to support downloadable applets. 
- Oracle Advanced Security continues to encrypt and provide integrity checking of Oracle Net Services traffic between Oracle Net clients and Oracle servers using algorithms written in C. The Oracle Advanced Security Java implementation provides Java versions of the following encryption algorithms: ■ RC4_256 ■ RC4_128 ■ RC4_56 ■ RC4_40 ■ DES56 ■ DES40 Note: In Oracle Advanced Security, DES runs in Cipher Block Chaining (CBC) mode. 
- Configuration Parameters the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls. 
- Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT. This parameter defines the encryption algorithm to be used. Table 4–2 describes this parameter's attributes. Table 4–2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes (Attribute: Description). Parameter Type: String. Parameter Class: Static. Permitted Values: RC4_256; RC4_128; RC4_56; RC4_40; DES56C; DES40C. Syntax: up.put("oracle.net.encryption_types_client",alg). Example: up.put("oracle.net. 
- Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT. This parameter defines the data integrity algorithm to be used. Table 4–4 describes this parameter's attributes. Table 4–4 ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes (Attribute: Description). Parameter Type: String. Parameter Class: Static. Permitted Values: MD5. Syntax: up.put("oracle.net.crypto_checksum_types_client",alg). Example: up.put("oracle.net. 
- Part III Oracle Advanced Security Strong Authentication This part describes how to configure strong authentication methods for your existing Oracle network. 
- 5 Configuring RADIUS Authentication This chapter describes how to configure an Oracle Database server for use with RADIUS (Remote Authentication Dial-In User Service). This chapter contains the following topics: ■ RADIUS Overview ■ RADIUS Authentication Modes ■ Enabling RADIUS Authentication, Authorization, and Accounting ■ Using RADIUS to Log In to a Database ■ RSA ACE/Server Configuration Checklist Note: SecurID, an authentication product of RSA Security, Inc. 
- RADIUS Overview change the authentication method without modifying either the Oracle client or the Oracle database server. From the user's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Oracle database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server: ■ Looks up the user's security information. 
- RADIUS Authentication Modes Table 5–1 RADIUS Authentication Components (Component: Stored Information). Oracle client: Configuration setting for communicating through RADIUS. Oracle database server/RADIUS client: Configuration settings for passing information between the Oracle client and the RADIUS server. RADIUS server: Authentication and authorization information for all users. The secret key file. Each client's name or IP address. Each client's shared secret. 
- Figure 5–2 Synchronous Authentication Sequence (Client, Oracle server/RADIUS client, RADIUS Server, Authentication Server). 1. A user logs in by entering a connect string, pass code, or other value. The client system passes this data to the Oracle database server. 2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. 3. 
- Example: Synchronous Authentication with SecurID Token Cards. With SecurID authentication, each user has a token card that displays a dynamic number that changes every sixty seconds. To gain access to the Oracle database server/RADIUS client, the user enters a valid pass code that includes both a personal identification number (PIN) and the dynamic number currently displayed on the user's SecurID card. 
- Figure 5–3 Asynchronous Authentication Sequence (Client, Oracle server/RADIUS client, RADIUS Server, Authentication Server). 1. A user seeks a connection to an Oracle database server. The client system passes the data to the Oracle database server. 
- 2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. 3. The RADIUS server passes the data to the appropriate authentication server, such as a Smart Card, SecurID ACE, or token card server. 4. The authentication server sends a challenge, such as a random number, to the RADIUS server. 5. The RADIUS server passes the challenge to the Oracle database server / RADIUS client. 6. 
- Enabling RADIUS Authentication, Authorization, and Accounting The Oracle client sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. 
- ■ Task 9: Configure Mapping Roles. Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client: RADIUS is installed with Oracle Advanced Security during a typical installation of Oracle Database. 
- Figure 5–4 Oracle Advanced Security Authentication Window. 2. Choose the Authentication tab. 3. From the Available Methods list, select RADIUS. 4. Choose the right-arrow [>] to move RADIUS to the Selected Methods list. Move any other methods you want to use in the same way. 5. 
- Create the RADIUS Secret Key File on the Oracle Database Server: 1. Obtain the RADIUS secret key from the RADIUS server. For each RADIUS client, the administrator of the RADIUS server creates a shared secret key, which must be longer than 16 characters. 2. On the Oracle database server, create a directory: ■ (UNIX) $ORACLE_HOME/network/security ■ (Windows) ORACLE_HOME\network\security 3. Create the file radius. 
- Figure 5–5 Oracle Advanced Security Other Params Window. 7. From the Authentication Service list, select RADIUS. 8. In the Host Name field, accept localhost as the default primary RADIUS server, or enter another host name. 9. Ensure that the default value of the Secret File field is valid. 10. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entries: SQLNET. 
- OS_AUTHENT_PREFIX="" Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login). 
- (Field: Description). Number of Retries: Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries. For instructions on configuring RADIUS accounting, see Task 5: Configure RADIUS Accounting on page 5-19. Secret File: Specifies the location of the secret key on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself. 
- See Also: Appendix C, "Integrating Authentication Devices Using RADIUS", for information about how to customize the challenge-response user interface. To configure challenge-response: 1. If you are using JDK 1.1.7 or JRE 1.1.7, set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run: ■ On UNIX, enter this command at the prompt: % setenv JAVA_HOME /usr/local/packages/jre1.1. 
- Note: The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it. By setting a keyword, you let the user avoid using a password to verify identity. If the user does not enter a password, the keyword you set here is passed to the RADIUS server, which responds with a challenge requesting, for example, a driver's license number or birth date. 
- Task 3: Create a User and Grant Access. To grant user access: 1. Launch SQL*Plus and execute these commands to create and grant access to a user identified externally on the Oracle database server. SQL> CONNECT system/manager@database_name; SQL> CREATE USER username IDENTIFIED EXTERNALLY; SQL> GRANT CREATE SESSION TO username; SQL> EXIT If you are using Windows, you can use the Security Manager tool in the Oracle Enterprise Manager. 
- 3. Add externally identified users and roles. To configure the Oracle client (where users log in): Set the RADIUS challenge-response mode to ON for the client if you have not already done so by following the steps listed in "Configure Challenge-Response" on page 5-14. To configure the RADIUS server: 1. 
- Ensure that RADIUS groups which map to Oracle roles adhere to the ORACLE_ROLE syntax. For example: USERNAME USERPASSWD="user_password", SERVICE_TYPE=login_user, VENDOR_SPECIFIC=ORACLE, ORACLE_ROLE=ORA_ora920_sysdba See Also: The RADIUS server administration documentation for information about configuring the server. 
- Task 6: Add the RADIUS Client Name to the RADIUS Server Database. You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. Because RADIUS servers vary, consult the documentation for your particular RADIUS server for any unique interoperability requirements. 
- Task 9: Configure Mapping Roles. If the RADIUS server supports vendor type attributes, you can manage roles by storing them in the RADIUS server. The Oracle database server downloads the roles when there is a CONNECT request using RADIUS. To use this feature, configure roles on both the Oracle database server and the RADIUS server. Perform these steps to configure roles on the Oracle database server: 1. 
- Using RADIUS to Log In to a Database See Also: ■ Challenge-Response (Asynchronous) Authentication Mode on page 5-5 ■ Configure Challenge-Response on page 5-14. These sections describe how to configure challenge-response mode. 
- RSA ACE/Server Configuration Checklist See Also: RSA ACE/Server documentation for specific information about troubleshooting. 
- 6 Configuring Kerberos Authentication This chapter describes how to configure Oracle Advanced Security for Oracle Database for use with Kerberos authentication—and how to configure Kerberos to authenticate Oracle database users. 
- Enabling Kerberos Authentication Enabling Kerberos Authentication To enable Kerberos authentication: ■ Task 1: Install Kerberos ■ Task 2: Configure a Service Principal for an Oracle Database Server ■ Task 3: Extract a Service Table from Kerberos ■ Task 4: Install an Oracle Database Server and an Oracle Client ■ Task 5: Install Oracle Net Services and Oracle Advanced Security ■ Task 6: Configure Oracle Net Services and Oracle Database ■ Task 7: Configure Kerberos Authentication ■ Task 8: Crea 
- Service Principal (Field: Description). kservice: A case-sensitive string that represents the Oracle service; this can be the same as the database service name. kinstance: This is typically the fully qualified name of the system on which Oracle Database is running. REALM: The domain name of the database server. REALM must always be uppercase and is typically the DNS domain name. Note: The utility names in this section are executable programs. 
- 1. Enter the following to extract the service table: kadmin.local: ktadd -k /tmp/keytab oracle/dbserver.someco.com Entry for principal oracle/dbserver.someco.com with kvno 2, encryption DES-CBC-CRC added to the keytab WRFILE: 'WRFILE:/tmp/keytab kadmin.local: exit oklist -k -t /tmp/keytab 2. After the service table has been extracted, verify that the new entries are in the table in addition to the old ones. If they are not, or you need to add more, use kadmin. 
- Task 5: Install Oracle Net Services and Oracle Advanced Security. Install Oracle Net Services and Oracle Advanced Security on the Oracle database server and Oracle client systems. See Also: Oracle Database operating system-specific installation documentation. Task 6: Configure Oracle Net Services and Oracle Database. Configure Oracle Net Services on the Oracle database server and client. 
- Figure 6–1 Oracle Advanced Security Authentication Window (Kerberos). 2. Choose the Authentication tab. 3. From the Available Methods list, select KERBEROS5. 4. Move KERBEROS5 to the Selected Methods list by clicking the right arrow (>). 5. Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. 
- Figure 6–2 Oracle Advanced Security Other Params Window (Kerberos). 7. From the Authentication Service list, select KERBEROS(V5). 8. Type Kerberos into the Service field. This field defines the name of the service Oracle Database uses to obtain a Kerberos service ticket. When you provide the value for this field, the other fields are enabled. 9. 
- The sqlnet.ora file is updated with the following entries: SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice Step 2: Set the Initialization Parameters. To set parameters in the initialization parameter file: 1. 
- Parameter: SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds_accepted_as_network_delay Description: This parameter specifies how many seconds can pass before a Kerberos credential is considered out-of-date. It is used when a credential is actually received by either a client or a database server. An Oracle database server also uses it to decide if a credential needs to be stored to protect against a replay attack. The default is 300 seconds. Example: SQLNET. 
- Description: This parameter specifies the complete path name to the Kerberos realm translation file. The translation file provides a mapping from a host name or domain name to a realm. The default is operating system-dependent. For UNIX, it is /etc/krb.realms. Example: SQLNET.KERBEROS5_REALMS=/krb5/krb. 
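The two uses of the clock-skew parameter described above (rejecting credentials whose timestamp lies outside the window, and deciding which accepted credentials must be remembered to detect a replay) are easier to reason about with a small model. The following Python is an added example of the standard Kerberos authenticator replay-cache pattern, not Oracle's implementation: the server accepts a credential only if its timestamp is within SQLNET.KERBEROS5_CLOCKSKEW seconds of the local clock, records the (principal, timestamp, microseconds) tuple it accepted, refuses a second presentation of the same tuple, and prunes entries older than the skew window because any repeat of them would already fail the freshness check. The 300-second default comes from the text; the principal names, timestamps and field names are constructed.

```python
"""Added example: clock-skew check plus replay cache for Kerberos credentials (model only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_CLOCKSKEW = 300        # SQLNET.KERBEROS5_CLOCKSKEW default, in seconds


@dataclass
class ReplayCache:
    """Server-side memory of credentials accepted inside the skew window."""
    clockskew: int = DEFAULT_CLOCKSKEW
    # (principal, ctime, cusec) -> server time at which it was accepted
    seen: Dict[Tuple[str, int, int], int] = field(default_factory=dict)

    def check(self, principal: str, ctime: int, cusec: int, now: int) -> str:
        """Return 'accepted', 'out_of_date' or 'replay' for one presented credential.

        principal: client principal (constructed values in demo() below)
        ctime/cusec: timestamp the client placed in the authenticator
        now: the server's own clock, seconds since the epoch
        """
        # 1. A timestamp more than clockskew seconds from our clock is stale (or the
        #    clocks are unsynchronised); nothing is stored for a rejected credential.
        if abs(now - ctime) > self.clockskew:
            return "out_of_date"
        # 2. Entries whose timestamp has aged past the window can no longer pass
        #    step 1, so they no longer need to be kept: this is the "needs to be
        #    stored" decision the parameter description refers to.
        self.seen = {k: t for k, t in self.seen.items() if now - k[1] <= self.clockskew}
        # 3. A timestamp already accepted from this principal is a replay.
        key = (principal, ctime, cusec)
        if key in self.seen:
            return "replay"
        self.seen[key] = now
        return "accepted"


def demo() -> List[str]:
    """Walk a constructed sequence of presentations through one cache."""
    cache = ReplayCache()
    events = [
        ("alice@SOMECO.COM", 1000, 0, 1010),   # fresh credential: accepted
        ("alice@SOMECO.COM", 1000, 0, 1020),   # same authenticator again: replay
        ("alice@SOMECO.COM", 1000, 1, 1020),   # different microseconds: a new credential
        ("bob@SOMECO.COM", 500, 0, 1020),      # 520 s old: out of date
        ("alice@SOMECO.COM", 1000, 0, 1400),   # 400 s old now, so out of date, not replay
    ]
    return [cache.check(*event) for event in events]


if __name__ == "__main__":
    print(demo())
```

Lowering the skew shrinks both the acceptance window and the replay cache; raising it does the opposite, which is why the parameter is a trade-off between tolerance for unsynchronised clocks and the amount of state the server must keep.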
- Utilities for the Kerberos Authentication Adapter Task 10: Get an Initial Ticket for the Kerberos/Oracle User Before you can connect to the database, you must ask the Key Distribution Center (KDC) for an initial ticket. 
- Table 6–1 (Cont.) Options for the okinit Utility (Option: Description). -l: Specify the lifetime of the ticket-granting ticket and all subsequent tickets. By default, the ticket-granting ticket is good for eight (8) hours, but shorter or longer-lived credentials may be desired. Note that the KDC can ignore this option or put site-configured limits on what can be specified. 
- Configuring Interoperability with a Windows 2000 Domain Controller KDC % oklist -f 27-Jul-1999 21:57:51 28-Jul-1999 05:58:14 krbtgt/SOMECO.COM@SOMECO.COM Flags: FI Removing Credentials from the Cache File with the okdstry Utility Use the okdstry utility to remove credentials from the credentials cache file: $ okdstry -f where the -f command option lets you specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. 
- ■ Task 2: Configuring a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client ■ Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC ■ Task 4: Getting an Initial Ticket for the Kerberos/Oracle User. Task 1: Configuring an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC. The following steps must be performed on the Oracle Kerberos client. 
- Step 2: Specifying Oracle Configuration Parameters in the sqlnet.ora File. Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 1: Configure Kerberos on the Client and on the Database Server" on page 6-5. Set the following parameters in the sqlnet.ora file on the client: SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file SQLNET. 
- For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a user with the username sales3854.us.acme.com and the password oracle. Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. 
- Task 3: Configuring an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC. The following steps must be performed on the host computer where the Oracle database is installed. Step 1: Setting Configuration Parameters in the sqlnet.ora File. Specify values for the following parameters in the sqlnet.ora file for the database server: SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file SQLNET. 
- Troubleshooting: This section lists some common configuration problems and explains how to resolve them. ■ If you cannot get your ticket-granting ticket using OKINIT: – Ensure that the default realm is correct by examining the krb.conf file. – Ensure that the KDC is running on the host specified for the realm. – Ensure that the KDC has an entry for the user principal and that the passwords match. – Ensure that the krb.conf and krb.realms files are readable by Oracle. 
- 7 Configuring Secure Sockets Layer Authentication This chapter describes how to configure and use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which are supported by Oracle Advanced Security. 
- SSL and TLS in an Oracle Environment SSL and TLS in an Oracle Environment Secure Sockets Layer (SSL) is an industry standard protocol originally designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity. 
- SSL and TLS in an Oracle Environment About Using SSL Oracle Advanced Security supports authentication by using digital certificates over SSL in addition to the native encryption and data integrity capabilities of these protocols. 
- SSL and TLS in an Oracle Environment How SSL Works in an Oracle Environment: The SSL Handshake When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps: the client and server establish which cipher suites to use, including which encryption algorithms are used for data transfers; the server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. 
- Public Key Infrastructure in an Oracle Environment Public Key Infrastructure in an Oracle Environment A public key infrastructure (PKI) is a substrate of network components that provide a security underpinning, based on trust assertions, for an entire organization. A PKI exists so that disparate network entities can access its security services, which use public-key cryptography, on an as-needed basis. Oracle provides a complete PKI that is based on RSA Security, Inc. 
- Public Key Infrastructure in an Oracle Environment Public Key Infrastructure Components in an Oracle Environment Public key infrastructure (PKI) components in an Oracle environment include the following: Certificate Authority, Certificates, Certificate Revocation Lists, Wallets, and Hardware security modules. Certificate Authority A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. 
- Public Key Infrastructure in an Oracle Environment A certificate contains the entity's name, public key, and an expiration date—as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate. When a network entity receives a certificate, it verifies that it is a trusted certificate, that is, one that has been issued and signed by a trusted certificate authority. 
- Public Key Infrastructure in an Oracle Environment Wallets A wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates (with the exception of Diffie-Hellman). 
- Public Key Infrastructure in an Oracle Environment Note: Currently only nCipher devices are certified with Oracle Advanced Security. Certification with other vendors is in progress. See Also: "Configuring Your System to Use Hardware Security Modules" on page 7-48 for configuration details. 
- SSL Combined with Other Authentication Methods SSL Combined with Other Authentication Methods You can configure Oracle Advanced Security to use SSL concurrently with database usernames and passwords, RADIUS, and Kerberos, which are discussed in the following sections: Architecture: Oracle Advanced Security and SSL; How SSL Works with Other Authentication Methods. See Also: Appendix A, "Data Encryption and Integrity Parameters" for information about how to configure SSL with other supported authenticat 
- SSL Combined with Other Authentication Methods Figure 7–1 SSL in Relation to Other Authentication Methods [Figure: Oracle Client with Wallet, Oracle Server, and Authentication Server, with the numbered steps 1 through 5 below] 1. The client seeks to connect to the Oracle database server. 2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use. 3. Once the SSL handshake is successfully completed, the user seeks access to the database. 4. 
- SSL and Firewalls SSL and Firewalls Oracle Advanced Security supports two types of firewalls: application proxy-based firewalls, such as Network Associates Gauntlet or Axent Raptor; and stateful packet inspection firewalls, such as Check Point Firewall-1 or Cisco PIX Firewall. When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets. Firewalls do not inspect encrypted traffic. 
- SSL and Firewalls Note: Although Oracle Connection Manager can be used to avoid opening up multiple SSL ports through the firewall, consider the following: the internal connection, between Oracle Connection Manager and the database, is not an SSL connection, so you should encrypt such connections using Oracle Advanced Security native encryption; and because such connections do not use SSL, clients cannot use certificate-based authentication. 
- SSL Usage Issues SSL Usage Issues Consider the following issues when using SSL: SSL use enables secure communication with other Oracle products, such as Oracle Internet Directory; because SSL supports both authentication and encryption, the client/server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption); and each SSL authentication mode requires configuration settings. Note: U.S. government regulations prohibit double encryption. 
- Enabling SSL Enabling SSL To enable SSL: Task 1: Install Oracle Advanced Security and Related Products; Task 2: Configure SSL on the Server; Task 3: Configure SSL on the Client; Task 4: Log on to the Database. Task 1: Install Oracle Advanced Security and Related Products Install Oracle Advanced Security on both the client and server. When you do this, the Oracle Universal Installer automatically installs SSL libraries and Oracle Wallet Manager on your system. 
- Enabling SSL Manager. The wallet should contain a certificate with a status of "Ready" and auto login turned on. If auto login is not on, then select it from the Wallet menu and re-save the wallet. This turns auto login on. 
- Enabling SSL The sqlnet.ora and listener.ora files are updated with the following entries: wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location))) Note: The listener uses the wallet defined in listener.ora (it can use any database wallet). When SSL is configured for a server using Net Manager, the wallet location is entered into the listener.ora and the sqlnet.ora files. The listener.ora file is not relevant to the Oracle client. 
- Enabling SSL Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible. Note: If you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, then you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, then you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. 
- Enabling SSL To specify cipher suites for the server: 1. Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for: Server. 2. Click Add. A dialog box displays available cipher suites (Figure 7–2). Figure 7–2 SSL Cipher Suites Window 3. Select a suite and click OK. 
- Enabling SSL Figure 7–3 Oracle Advanced Security SSL Window (Server) 4. Use the up and down arrows to prioritize the cipher suites. 5. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 4: Set the Required SSL Version on the Server (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora file. 
- Enabling SSL To set the SSL version for the server: 1. Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for: Server. 2. In the Require SSL Version: list, the default is Any. Accept this default or select the SSL version you want to use. 3. Choose File > Save Network Configuration. If you chose Any, then the sqlnet.ora file is updated with the following entry: SSL_VERSION=UNDETERMINED Note: SSL 2.0 is not supported on the server side. 
- Enabling SSL Figure 7–4 Oracle Advanced Security SSL Window (Server) 2. Uncheck Require Client Authentication. 3. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CLIENT_AUTHENTICATION=FALSE Step 6: Set SSL as an Authentication Service on the Server (Optional) The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service. 
- Enabling SSL To set the SQLNET.AUTHENTICATION_SERVICES parameter on the server: Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows: SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter. 
- Enabling SSL Step 1: Confirm Client Wallet Creation Before proceeding with the next step, you must confirm that a wallet has been created on the client and that the client has a valid certificate. Note: Oracle Corporation recommends that you use Oracle Wallet Manager to remove the trusted certificate in your Oracle wallet associated with each certificate authority that you do not use. 
- Enabling SSL (SECURITY= (SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme")) The client uses this information to obtain the list of DNs it expects for each of the servers, enforcing the server's DN to match its service name. Example 7–1 shows an entry for the Finance database in the tnsnames.ora file. Alternatively, the administrator can ensure that the common name (CN) portion of the server's DN matches the service name. 2. Also in the client tnsnames. 
- Enabling SSL 1. Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile" on page 2-3) The Oracle Advanced Security SSL window appears (Figure 7–5): Figure 7–5 2. Choose the SSL tab. 3. Select Configure SSL for: Client. 4. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click Browse to find it by searching the file system. 5. From the Match server X. 
- Enabling SSL Note: This check can be made only when RSA ciphers are selected, which is the default setting. No (default): SSL checks for a match between the DN and the service name, but does not enforce it. Connections succeed regardless of the outcome, but an error is logged if the match fails. Let Client Decide: Enables the default. Note: The following alert appears when you select No: Security Alert: Not enforcing the server X.509 name match allows a server to potentially fake its identity. 
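The server DN check described above, as an added example that is not Oracle's code: it reads SSL_SERVER_CERT_DN from a tnsnames entry, falls back to comparing the CN with the service name when the entry has none, and shows why the "No" setting only logs a mismatch while "Yes" rejects it. The tnsnames entry, host and port are constructed, and the case-insensitive RDN comparison is an assumption the chapter does not spell out.

```python
"""Server X.509 name matching as the client-side option applies it."""
import logging
import re

log = logging.getLogger("ssl_dn_match")

# Constructed tnsnames.ora entry (not the manual's Example 7-1); the host and
# port are placeholders, the SSL_SERVER_CERT_DN value is the one the chapter quotes.
FINANCE_TNS_ENTRY = """\
finance=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=finance-db.example.com)(PORT=2484))
  (CONNECT_DATA=(SERVICE_NAME=finance))
  (SECURITY=(SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme")))
"""


def expected_dn_from_tns(entry):
    """Return the SSL_SERVER_CERT_DN string of a tnsnames entry, or None."""
    m = re.search(r'SSL_SERVER_CERT_DN\s*=\s*"([^"]*)"', entry, re.IGNORECASE)
    return m.group(1) if m else None


def parse_dn(dn):
    """Split 'cn=finance,cn=OracleContext,c=us,o=acme' into [(type, value)].

    Assumption (not stated in the manual): attribute types and values are
    compared case-insensitively with surrounding whitespace ignored.
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def server_dn_matches(cert_dn, service_name, expected_dn=None):
    """True when the server certificate DN satisfies the client's expectation.

    With an SSL_SERVER_CERT_DN from tnsnames.ora the whole DN must match;
    without one the chapter's alternative applies: the CN portion of the
    server DN must equal the service name.
    """
    if expected_dn is not None:
        return parse_dn(cert_dn) == parse_dn(expected_dn)
    cn = next((v for t, v in parse_dn(cert_dn) if t == "cn"), None)
    return cn == service_name.strip().lower()


def accept_server(cert_dn, service_name, expected_dn=None, enforce=False):
    """enforce=True is the Yes setting: a mismatch rejects the connection.

    enforce=False is No, the default: a mismatch is only logged and the
    connection succeeds, which is the gap the Security Alert warns about.
    """
    if server_dn_matches(cert_dn, service_name, expected_dn):
        return True
    if enforce:
        log.error("server DN %r does not match for service %s: rejected",
                  cert_dn, service_name)
        return False
    log.warning("server DN %r does not match for service %s: accepted, "
                "match not enforced", cert_dn, service_name)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    expected = expected_dn_from_tns(FINANCE_TNS_ENTRY)
    # A certificate whose DN names a different organization (constructed).
    other_org = "cn=finance,cn=OracleContext,c=us,o=other"
    for enforce in (False, True):
        print("enforce =", enforce, "->",
              accept_server(other_org, "finance", expected, enforce=enforce))
```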
- Enabling SSL Step 4: Set the Client SSL Cipher Suites (Optional) A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth. When you install Oracle Advanced Security, the SSL cipher suites listed in Table 7–1 are set for you by default. 
- Enabling SSL Note: If the SSL_CLIENT_AUTHENTICATION parameter is set to true in the sqlnet.ora file, then disable all cipher suites that use Diffie-Hellman anonymous authentication. Otherwise, the connection fails. To specify client cipher suites: 1. Navigate to the SSL tab of the Oracle Advanced Security window in Oracle Net Manager, and select Configure SSL for Client. 2. In the Cipher Suite Configuration region, click Add. A dialog box displays available cipher suites (Figure 7–2). 3. 
- Enabling SSL 4. Use the up and down arrows to prioritize the cipher suites. 5. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 5: Set the Required SSL Version on the Client (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. 
- Troubleshooting SSL Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using RADIUS. To set the client SQLNET.AUTHENTICATION_SERVICES parameter: Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows: SQLNET. 
- Troubleshooting SSL Ensure that the correct wallet location is specified in the sqlnet.ora file. Note: this should be the same directory location where you saved the wallet. Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason. Ensure that auto login was enabled when you saved the wallet. See "Using Auto Login" on page 8-19. ORA-28786: Decryption of Encrypted Private Key Failure Cause: An incorrect password was used to decrypt an encrypted private key. 
- Troubleshooting SSL Action: Check the following: Ensure that the correct wallet location is specified in the sqlnet.ora file so the system can find the wallet. Use Oracle Net Manager to ensure that cipher suites are set correctly in the sqlnet.ora file. (Sometimes this error occurs because the sqlnet.ora has been manually edited and the cipher suite names are misspelled. Note that case sensitive string matching is used with cipher suite names. 
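An added example (not Oracle's code) that checks a sqlnet.ora profile against the constraints stated in the server and client steps and the troubleshooting entries above: Diffie-Hellman anonymous suites require SSL_CLIENT_AUTHENTICATION=FALSE, cipher suite names are matched case-sensitively, SSL_VERSION=UNDETERMINED leaves the version unpinned, and revocation checking is off unless SSL_CERT_REVOCATION is set. The sample profile is constructed; the list of known suite names and the TRUE default for SSL_CLIENT_AUTHENTICATION are assumptions.

```python
"""Static checks for the SSL entries this chapter writes to sqlnet.ora."""
import re

# Constructed sample profile (not from the manual): it uses the entry forms
# shown in the chapter and deliberately contains the mistakes checked below.
SAMPLE_SQLNET_ORA = """\
wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=/u01/app/oracle/wallet)))
SSL_CLIENT_AUTHENTICATION=TRUE
SSL_CIPHER_SUITES= (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, ssl_rsa_with_rc4_128_sha)
SSL_VERSION=UNDETERMINED
SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
"""

# Assumption: these are the RSA and Diffie-Hellman anonymous suite names of
# this release; Table 7-1 itself is not part of this excerpt.
KNOWN_SUITES = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
}
KNOWN_UPPER = {s.upper(): s for s in KNOWN_SUITES}


def parse_sqlnet(text):
    """Return {UPPERCASE_KEY: raw value} for each 'key = value' entry.

    An entry continues over following lines until its parentheses balance,
    which covers the nested wallet_location form.
    """
    params, key, buf, depth = {}, None, [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if key is None:
            m = re.match(r"\s*([\w.]+)\s*=\s*(.*)", line)
            if not m:
                continue
            key, rest = m.group(1).upper(), m.group(2)
        else:
            rest = line
        buf.append(rest)
        depth += rest.count("(") - rest.count(")")
        if depth <= 0:
            params[key] = " ".join(buf).strip()
            key, buf, depth = None, [], 0
    return params


def list_value(raw):
    """Split '(a, b)' or 'a' into ['a', 'b'] with whitespace removed."""
    return [x.strip() for x in raw.strip().strip("()").split(",") if x.strip()]


def wallet_directory(raw):
    """Extract the DIRECTORY value from a wallet_location entry."""
    m = re.search(r"DIRECTORY\s*=\s*([^)\s]+)", raw, re.IGNORECASE)
    return m.group(1) if m else None


def check_ssl_params(params):
    """Apply the constraints the chapter states and return a list of findings."""
    findings = []
    suites = list_value(params.get("SSL_CIPHER_SUITES", ""))
    # Suite names are matched case-sensitively, so a lowercase name is a
    # silent misconfiguration rather than an alias.
    for s in suites:
        if s not in KNOWN_SUITES:
            hint = (f" (case differs from {KNOWN_UPPER[s.upper()]})"
                    if s.upper() in KNOWN_UPPER else "")
            findings.append(f"unknown cipher suite name {s!r}{hint}")
    anon = [s for s in suites if "DH_anon" in s]
    # Assumption: an absent SSL_CLIENT_AUTHENTICATION is treated as TRUE, the
    # default implied by the 'Uncheck Require Client Authentication' step.
    client_auth = params.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper()
    if anon and client_auth != "FALSE":
        findings.append("Diffie-Hellman anonymous suite with SSL_CLIENT_AUTHENTICATION "
                        "not FALSE; the connection will fail: " + ", ".join(anon))
    if anon:
        findings.append("Diffie-Hellman anonymous suites do not authenticate "
                        "the server: " + ", ".join(anon))
    if params.get("SSL_VERSION", "UNDETERMINED").upper() == "UNDETERMINED":
        findings.append("SSL_VERSION is UNDETERMINED (Any): the protocol version is not pinned")
    if params.get("SSL_CERT_REVOCATION", "").upper() not in ("REQUIRED", "REQUESTED"):
        findings.append("SSL_CERT_REVOCATION is not REQUIRED or REQUESTED: "
                        "revoked certificates are accepted")
    raw_wallet = params.get("WALLET_LOCATION")
    if raw_wallet is None or not wallet_directory(raw_wallet):
        findings.append("no wallet_location DIRECTORY: SSL cannot open the wallet")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_params(parse_sqlnet(SAMPLE_SQLNET_ORA)):
        print("-", finding)
```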
- Troubleshooting SSL A certificate authority for one of the certificates in the chain is not recognized as a trust point. The signature in one of the certificates cannot be verified. Action: See "Opening an Existing Wallet" on page 8-13 to use Oracle Wallet Manager to open your wallet and check the following: Ensure that all of the certificates installed in your wallet are current (not expired). 
- Certificate Validation with Certificate Revocation Lists does not give the complete chain and you do not have the appropriate trust points to complete it. Action: Use Oracle Wallet Manager to install the trust points that are required to complete the chain. See "Importing a Trusted Certificate" on page 8-25 Certificate Validation with Certificate Revocation Lists The process of determining whether a given certificate can be used in a given context is referred to as certificate validation. 
- Certificate Validation with Certificate Revocation Lists How CRL Checking Works Certificate revocation status is checked against CRLs, which are located in file system directories or Oracle Internet Directory, or are downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. Typically, CRL definitions are valid for a few days. If you store your CRLs on the local file system or in the directory, then you must update them regularly. 
- Certificate Validation with Certificate Revocation Lists Note: For performance reasons, only user certificates are checked. Oracle recommends that you store CRLs in the directory rather than the local file system. Configuring Certificate Validation with Certificate Revocation Lists The SSL_CERT_REVOCATION parameter must be set to REQUIRED or REQUESTED in the sqlnet.ora file to enable certificate revocation status checking. 
- Certificate Validation with Certificate Revocation Lists Figure 7–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected 2. Choose one of the following options from the Revocation Check list (see Figure 7–7): REQUIRED: Requires certificate revocation status checking. The SSL connection is rejected if a certificate is revoked or no CRL is found. SSL connections are accepted only if it can be verified that the certificate has not been revoked. 
- Certificate Validation with Certificate Revocation Lists Note: For performance reasons, only user certificates are checked for revocation. 3. (Optional) If CRLs are stored on your local file system, then set one or both of the following fields that specify where they are stored. These fields are available only when Revocation Check is set to REQUIRED or REQUESTED. 
- Certificate Validation with Certificate Revocation Lists Note: When configuring your ldap.ora file, you should specify only a non-SSL port for the directory. CRL download is done as part of the SSL protocol, and making an SSL connection within an SSL connection is not supported. Oracle Advanced Security CRL functionality will not work if the Oracle Internet Directory non-SSL port is disabled. 5. Choose File > Save Network Configuration. The sqlnet.ora file is updated. 
- Certificate Validation with Certificate Revocation Lists Note: CRLs must be updated at regular intervals (before they expire) for successful validation. You can automate this task by using orapki commands in a script. You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory. See Also: Appendix A, "Syntax for Command-Line Tools" in Oracle Internet Directory Application Developer's Guide for information about LDAP command-line tools and their syntax. 
- Certificate Validation with Certificate Revocation Lists issuer's name. Then when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded. Depending on your operating system, enter one of the following commands to rename CRLs stored in the file system. 
- Certificate Validation with Certificate Revocation Lists permission to add CRLs to the CRL subtree, and wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL. Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. 
- Certificate Validation with Certificate Revocation Lists following at the command line: orapki crl display -crl crl_location [-wallet wallet_location] -summary where crl_location is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. See: "Listing CRLs Stored in Oracle Internet Directory" on page 7-43. 
- Certificate Validation with Certificate Revocation Lists [-summary] where issuer_name is the name of the CA who issued the CRL, the hostname and ssl_port are for the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more information about this port. 
- Certificate Validation with Certificate Revocation Lists See Also: Oracle Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing Oracle Net Tracing File Error Messages Associated with Certificate Validation The following trace messages, relevant to certificate validation, may be logged between the entry and exit entries in the Oracle Net tracing file. Oracle SSL looks for CRLs in multiple locations, so there may be multiple errors in the trace. 
- Certificate Validation with Certificate Revocation Lists 2. If necessary, use the orapki utility to configure CRLs for system use as follows: – For CRLs stored on your local file system, see "Renaming CRLs with a Hash Value for Certificate Validation" on page 7-41 – CRLs stored in the directory, see "Uploading CRLs to Oracle Internet Directory" on page 7-42 OID hostname or port number not set Cause: Oracle Internet Directory (OID) connection information is not set. Note that this is not a fatal error. 
- Configuring Your System to Use Hardware Security Modules Configuring Your System to Use Hardware Security Modules Oracle Advanced Security supports hardware security modules that use APIs which conform to the RSA Security, Inc., PKCS #11 specification. Typically, these hardware devices are used to securely store and manage private keys in tokens or smart cards, or to accelerate cryptographic processing. 
- Configuring Your System to Use Hardware Security Modules Configuring Your System to Use nCipher Hardware Security Modules Hardware security modules made by nCipher Corporation are certified to operate with Oracle Advanced Security. These modules provide a secure way to store keys and off load cryptographic processing. 
- Configuring Your System to Use Hardware Security Modules ■ (UNIX) /opt/nfast ■ (Windows) C:\nfast The nCipher PKCS #11 library is located at the following file system directory locations for typical installations: ■ (UNIX 32 bit): /opt/nfast/toolkits/pkcs11/libcknfast.so ■ (UNIX 64 bit): /opt/nfast/toolkits/pkcs11/libcknfast-64.so ■ (Windows): C:\nfast\toolkits\pkcs11\cknfast. 
- Configuring Your System to Use Hardware Security Modules Error Messages Associated with Using Hardware Security Modules The following errors are associated with using PKCS #11 hardware security modules: ORA-43000: PKCS11: library not found Cause: The system cannot locate the PKCS #11 library at the location specified when the wallet was created. This happens only when the library is moved after the wallet is created. 
- Configuring Your System to Use Hardware Security Modules Note: The nCipher log file is in the directory where the module is installed at the following location: /log/logfile See Also: nCipher documentation for further information about troubleshooting. 
- 8 Using Oracle Wallet Manager Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure. 
- Oracle Wallet Manager Overview Oracle Wallet Manager Overview Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. 
- Oracle Wallet Manager Overview Strong Wallet Encryption Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption. Microsoft Windows Registry Wallet Storage Oracle Wallet Manager lets you optionally store multiple Oracle wallets in the user profile area of the Microsoft Windows system registry or in a Windows file management system. Storing your wallets in the registry provides the following benefits: ■ ■ Better Access Control. 
- Oracle Wallet Manager Overview cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards have been developed to establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet. Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. 
- Oracle Wallet Manager Overview legal usage combinations). There must be a one-to-one mapping between certificate requests and certificates. The same certificate request can be used to obtain multiple certificates; however, more than one certificate for each certificate request cannot be installed in the same wallet at the same time. Oracle Wallet Manager uses the X. 
- Oracle Wallet Manager Overview Table 8–2
  | KeyUsage Value | Critical?¹ | Usage |
  | --- | --- | --- |
  | 2 alone, or 2 + any combination excluding 5 | na | Accept certificate for SSL or S/MIME encryption use. |
  | 5 alone, or any combination including 5 | na | Accept certificate for CA certificate signing use. |
  | Any settings not listed previously | Yes | Not importable. |
  | Any settings not listed previously | No | Certificate is importable for SSL or S/MIME encryption use. |
  ¹ If the KeyUsage extension is critical, the certificate cannot be used for other purposes. 
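The decision in Table 8–2 written out as an added example (not Oracle Wallet Manager's code). It assumes the values 2 and 5 are the RFC 5280 KeyUsage bit positions (keyEncipherment and keyCertSign), which the table does not spell out, and tests the "any combination including 5" row before the "2 + any combination excluding 5" row so that the two are disjoint.

```python
"""Importability of a certificate by its KeyUsage extension, per Table 8-2."""

# Assumption: RFC 5280 KeyUsage bit positions; the table refers to 2 and 5.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

SSL_OR_SMIME = "SSL or S/MIME encryption use"
CA_SIGNING = "CA certificate signing use"
NOT_IMPORTABLE = "not importable"


def wallet_key_usage_decision(bits, critical):
    """Return the use the wallet accepts the certificate for, or NOT_IMPORTABLE.

    bits: the set of KeyUsage bit positions that are set (empty if the
    extension is present with no bits). critical: the extension's critical flag.
    """
    bits = set(bits)
    if 5 in bits:                       # 5 alone, or any combination including 5
        return CA_SIGNING
    if 2 in bits:                       # 2 alone, or 2 + any combination excluding 5
        return SSL_OR_SMIME
    # Any other setting: the footnote makes the critical flag decisive.
    return NOT_IMPORTABLE if critical else SSL_OR_SMIME


def decide_by_name(names, critical):
    """Same decision from RFC 5280 bit names, e.g. ['keyCertSign', 'cRLSign']."""
    return wallet_key_usage_decision({KEY_USAGE_BITS[n] for n in names}, critical)


if __name__ == "__main__":
    # Constructed cases, one per row of the table.
    for names, critical in [(["keyEncipherment"], True),
                            (["keyCertSign", "cRLSign"], True),
                            (["digitalSignature"], True),
                            (["digitalSignature"], False)]:
        print(names, "critical" if critical else "non-critical", "->",
              decide_by_name(names, critical))
```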
- Starting Oracle Wallet Manager LDAP Directory Support Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. 
- How To Create a Complete Wallet: Process Overview How To Create a Complete Wallet: Process Overview Wallets provide a necessary repository in which you can securely store your user certificates and the trust points you need to validate the certificates of your peers. The following steps provide an overview of the complete wallet creation process: 1. 
- Managing Wallets client wallets. It is only optional for products that take the wallet password at the time of startup. After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points. 
- Managing Wallets Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters. Caution: It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A." This prevents a potential attacker from using personal information to deduce the users' passwords. 
- Managing Wallets 5. Click OK to continue. If the entered password does not conform to the required guidelines, then the following message appears: Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again? 6. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. 
- Managing Wallets 6. In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system. 7. Enter the SmartCard password, and choose OK. The smart card password, which is different from the wallet password, is stored in the wallet. 8. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. 
- Managing Wallets Opening an Existing Wallet Open a wallet that already exists in the file system directory as follows: 1. Choose Wallet > Open from the menu bar. The Select Directory dialog box appears. 2. Navigate to the directory location in which the wallet is located, and select the directory. 3. Choose OK. The Open Wallet dialog box appears. 4. Enter the wallet password in the Wallet Password field. 5. Choose OK. 
- Managing Wallets For other operating systems, see the Oracle documentation for that specific operating system. Note: Because browsers typically do not export trusted certificates under PKCS #12 (other than the signer's own certificate), you may need to add trust points to authenticate the other party in the SSL connection. You can use Oracle Wallet Manager to import trusted certificates. 
- Managing Wallets 1. Choose Operations > Export Wallet.... The Export Wallet dialog box appears. 2. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders. 3. Enter the destination file name for the wallet. 4. Choose OK to return to the main window. 
- Managing Wallets ■ If no certificates have SSL key usage: When prompted, enter the user's distinguished name (DN), the LDAP server hostname and port information, and click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password. If the connection fails, a dialog box prompts for the directory password of the specified DN. 
- Managing Wallets If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully. Saving Changes To save your changes to the current open wallet: Choose Wallet > Save. A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location. 
- Managing Wallets (UNIX) ORACLE_HOME/admin/ORACLE_SID; (Windows) ORACLE_BASE\ORACLE_HOME\rdbms\admin Note: SSL uses the wallet that is saved in the system default directory location. Some Oracle applications are not able to use the wallet if it is not in the system default location. Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory location. Deleting the Wallet To delete the current open wallet: 1. 
- Managing Wallets To change the password for the current open wallet: 1. Choose Wallet > Change Password. The Change Wallet Password dialog box appears. 2. Enter the existing wallet password. 3. Enter the new password. 4. Re-enter the new password. 5. Choose OK. A message at the bottom of the window confirms that the password was successfully changed. 
- Managing Certificates 1. Choose Wallet from the menu bar. 2. Uncheck Auto Login. A message at the bottom of the window indicates that auto login is disabled. Managing Certificates Oracle Wallet Manager uses two kinds of certificates: user certificates and trusted certificates. All certificates are signed data structures that bind a network identity with a corresponding public key. 
- Managing Certificates Importing the User Certificate into the Wallet; Removing a User Certificate from a Wallet; Removing a Certificate Request; Exporting a User Certificate; Exporting a User Certificate Request. Adding a Certificate Request You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit. 
- Managing Certificates Table 8–5 (Cont.) Certificate Request: Fields and Descriptions Field Name Description Organization Optional. Enter the name of the identity's organization. Example: XYZ Corp. Locality/City Optional. Enter the name of the locality or city in which the identity resides. State/Province Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two-letter abbreviations. 
- Managing Certificates certificates, including the user's certificate and all of the supporting CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain. To copy and paste the text only (BASE64) user certificate from the certificate authority's e-mail: 1. Copy the certificate text from the e-mail message or file you receive from the certificate authority. Include the lines Begin Certificate and End Certificate. 2. 
- Managing Certificates Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready]. Removing a User Certificate from a Wallet To remove a user certificate from a wallet: 1. In the left panel subtree, select the certificate that you want to remove. 2. Choose Operations > Remove User Certificate.... A dialog panel appears and prompts you to verify that you want to remove the user certificate from the wallet. 3. 
- Managing Certificates Exporting a User Certificate Request To save the certificate request in a file system directory, export the certificate request by using the following steps: 1. In the left panel subtree, select the certificate request that you want to export. 2. Choose Operations > Export Certificate Request.... The Export Certificate Request dialog box appears. 3. 
- Managing Certificates 3. Choose Paste the Certificate, and click OK. Another Import Trusted Certificate dialog panel appears with the following message: Please provide a base64 format certificate and paste it below. 4. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed. 5. Choose OK. 
- Managing Certificates A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it. 3. Choose Yes. The selected trusted certificate is removed from the Trusted Certificates tree. Exporting a Trusted Certificate To export a trusted certificate to another file system location: 1. In the left panel subtree, select the trusted certificate that you want to export. 2. 
- 9 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security This chapter describes how to configure multiple authentication methods under Oracle Advanced Security, and how to use conventional user name and password authentication even if you have configured another authentication method. This chapter also describes how to configure your network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified. 
- Disabling Oracle Advanced Security Authentication For example: % sqlplus scott/tiger@emp Note: You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database. Disabling Oracle Advanced Security Authentication Use Oracle Net Manager to disable authentication methods (See "Starting Oracle Net Manager" on page 2-2): 1. Navigate to the Oracle Advanced Security profile. 
- Disabling Oracle Advanced Security Authentication Figure 9–1 Oracle Advanced Security Authentication Window 2. Choose the Authentication tab. 3. Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<]. 4. Choose File > Save Network Configuration. The sqlnet.ora file is updated with the following entry: SQLNET. 
- Configuring Multiple Authentication Methods Many networks use more than one authentication method on a single security server. Accordingly, Oracle Advanced Security lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified. 
- Configuring Oracle Database for External Authentication This section describes the parameters you must set to configure Oracle Database for network authentication, using the following tasks: ■ Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet. 
- Configuring Oracle Database for External Authentication If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation fails and the connection terminates. If the parameter is set as follows in the sqlnet.ora file on either the client or server, the database attempts to use the supplied user name and password to log in the user: SQLNET. 
- Configuring Oracle Database for External Authentication See Also: ■ Oracle Database Administrator's Guide ■ Oracle Database Heterogeneous Connectivity Administrator's Guide 
- 10 Configuring Oracle DCE Integration Oracle DCE Integration enables Oracle applications and tools to access Oracle Database servers in a distributed computing environment. This chapter briefly describes the Distributed Computing Environment (DCE), the Oracle DCE Integration product, and how to configure it. 
- Introduction to Oracle DCE Integration The Distributed Computing Environment (DCE) from the Open Group is a set of integrated network services that works across multiple systems to provide a distributed environment. The network services include remote procedure calls (RPCs), directory service, security service, threads, distributed file service, diskless support, and distributed time service. 
- Introduction to Oracle DCE Integration DCE Communication/Security This component has three principal features: Authenticated RPC Oracle DCE Integration provides authenticated Remote Procedure Call (RPC) as the transport mechanism that enables multi-vendor interoperability. RPC also uses some of the other DCE services, including directory and security services, to provide location transparency and secure distributed computing. 
- Introduction to Oracle DCE Integration The DCE CDS offers a distributed, replicated repository service for name, address, and attributes of objects across the network. Because servers register their name and address information in the CDS, Oracle clients can make location-independent connections to Oracle Database servers. Services can be relocated without any changes to the client configuration. An Oracle utility is provided to load the Oracle service names with corresponding connect descriptors into CDS. 
- Configuring DCE for Oracle DCE Integration ■ Only one listener address that uses the DCE protocol is permitted for each node. ■ Database links must specify a user name and password to connect. ■ This release of DCE Integration does not support the Oracle Multi-Protocol Interchange. ■ This release does not work with the Oracle shared server. 
- Configuring DCE for Oracle DCE Integration Note: Perform this task on the server only once after DCE Integration has been installed. Do not perform this task on client systems. Task 2: Install the Key of the Server into a Keytab File Install the key of the server into a keytab file, dcepa.key. This file contains the password of the principal under which the Oracle Net listener starts. The Oracle Net listener reads this file to authenticate itself to DCE. 
- Configuring DCE for Oracle DCE Integration
  cdscp> create dir /.:/subsys/oracle
  cdscp> create dir /.:/subsys/oracle/names
  cdscp> create dir /.:/subsys/oracle/service_registry
  cdscp> exit
  Note: ■ The directory /.:/subsys/oracle/names contains objects that map Oracle Net service names to connect descriptors, which are used by the CDS naming adapter. ■ The directory /.
  2. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration This section describes how to configure an Oracle database server and Oracle Net Services to use Oracle DCE Integration after it has been successfully installed. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Table 10–1 (Cont.) DCE Address Parameters and Definitions Component Description CELL_NAME An optional parameter. If present, it specifies the DCE cell name of the database. If this parameter is not set, the cell name defaults to the local cell (useful for single-cell environments). 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration 2. For servers in distributed systems that require database link connections to other servers, configure the sqlnet.ora and protocol.ora files with DCE address information. Note: In this release, the configuration files listener.ora, sqlnet.ora, tnsnames.ora, and protocol.ora are located in the $ORACLE_HOME/network/admin directory. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration 1. Verify that these lines are in the initialization parameter file: REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX="" 2. Verify that the initialization parameter file does not have a multi-threaded server (MTS) entry for DCE. For example, an entry such as the following is not permitted: mts_dispatchers="(PROTOCOL=dce)(DISPATCHERS=3)" Note: The MTS_DISPATCHERS initialization parameter is obsolete in 10g Release 1 (10.1). 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration If connecting to the database across multiple cells, specify both the cell_name and the server_principal, as illustrated in the following: SQL> CREATE USER "CELL_NAME/SERVER_PRINCIPAL" IDENTIFIED EXTERNALLY; SQL> GRANT CREATE SESSION TO "CELL_NAME/SERVER_PRINCIPAL"; You must enclose the externally-identified account name in double quotation marks, because the slash is a reserved character. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration
  Local Groups:
    0000000c-01f5-2f72-ba01-02608c2c84f3  none
    0000006a-0204-2f72-b901-02608c2c84f3  subsys/dce/cds-server
    00000078-daf4-2fe1-a201-02608c2c84f3  ora_dce222_dba
    00000084-89c8-2fe8-a201-02608c2c84f3  ora_dce222_connect_d
    00000087-8a13-2fe8-a201-02608c2c84f3  ora_dce222_resource_d
    00000080-f681-2fe1-a201-02608c2c84f3  ora_dce222_role1_ad
    . . .
  5. Connect to the database as usual. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases To configure DCE so that you can connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials, do the following: 1. Create DCE groups that map to Oracle DBA and OPERATOR roles. DCE group names should adhere to the syntax described by Task 3: Set up DCE Integration External Roles on page 10-12. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration
  Group: 0000000c-7e94-21d2-b201-9019b88baa77 none
  Local Groups:
    0000000c-7e94-21d2-b201-9019b88baa77  none
    0000006a-7e94-21d2-ad01-9019b88baa77  subsys/dce/cds-server
    00000076-8b53-21d2-9301-9019b88baa77  ora_dce222_dba_ad
    00000077-8b53-21d2-9301-9019b88baa77  ora_dce222_operator_ad
  Identity Info Expires: 1999-12-04-10:28:22
  Account Expires: never
  Passwd Expires: never
  Kerberos Ticket Information:
  Ticket cache: /opt/dcelocal/var/secu 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration ■ protocol.ora ■ sqlnet.ora Typically, CDS is used for name resolution. Thus, a local naming configuration file (tnsnames.ora) is not used, except when loading names and addresses into CDS. Parameters in protocol.ora There are four DCE parameters located in the protocol.ora file. Each parameter begins with the prefix DCE. to distinguish it from parameters relevant to other protocols. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration greater than the server DCE_PROTECTION level. If this entry is not specified, cell-wide default protection is used. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Option Description TRUE The default value. Select TRUE if using just the SERVER_PRINCIPAL format, without the CELL_NAME. An example of a user specified in this format is as follows: oracle TRUE is an appropriate option if users are making connections within a single cell, or if naming conventions in the network assure that users in different cells do not have duplicate names. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration See Also: DCE Integration installation instructions, and "Task 3: Configure DCE CDS for Use by Oracle DCE Integration" on page 10-6. For example, a service name such as ORADCE and its network address can be stored in DCE CDS. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration 2. Restart CDS on the system. The command to restart CDS varies between different operating systems. On the Solaris platform, for example, you can use the following command to restart CDS: /opt/dcelocal/etc/rc.dce restart Step 3: Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS To load the Oracle service names and addresses into CDS, create or modify a local naming configuration file, tnsnames.ora. 
- Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration Parameter Name: SID. Type: Oracle Parameter. Mandatory?: Yes. Description: Identifies the Oracle system ID; each SID value must be unique on a node. This parameter is used locally only, and is not used in DCE CDS. Oracle Net Services Administrator's Guide, for information about tnsnames.ora, the local naming configuration file. 
- Connecting to an Oracle Database Server in the DCE Environment For a client or server to use DCE CDS Naming, the administrator must do the following: 1. Ensure that the CDS Naming Adapter has been installed on that node. 2. Add the following parameter to the sqlnet.ora file: NAMES.DIRECTORY_PATH=(cds, tnsnames, onames) The first name resolution service listed as a value for this parameter is used. If it is unavailable for any reason, the next name resolution service is used, and so forth. 
- Connecting to an Oracle Database Server in the DCE Environment 3. Verify that the service has been created by searching for the dce_service_name as follows: % cdscp show object "/.:/subsys/oracle/service_registry/dce_service_name" For example: The following command shows you the mapping in the CDS namespace that the listener has chosen for the endpoint: % cdscp show object "/. 
- Connecting Clients Outside DCE to Oracle Servers in DCE For example: % sqlplus /@ORADCE Connecting to an Oracle Database by Using Password Authentication From a client, you can still connect with a user name and password: % sqlplus username/password@net_service_name where net_service_name is the Oracle Net service name. 
- Connecting Clients Outside DCE to Oracle Servers in DCE ■ The listener.ora File ■ The tnsnames.ora File The listener.ora File The listener.ora file resides on the listener node. It defines listener characteristics and the addresses at which the listener listens. In the following example, each element is displayed on a separate line, to show the file's structure. This is the recommended format, but you do not have to put each element on a separate line. 
- Connecting Clients Outside DCE to Oracle Servers in DCE (SID_NAME=ORASID) (ORACLE_HOME=/usr/prod/oracle8)) #For all listeners, the following parameters list sample #default values. PASSWORDS_LISTENER= STARTUP_WAIT_TIME_LISTENER=0 CONNECT_TIMEOUT_LISTENER=10 TRACE_LEVEL_LISTENER=OFF TRACE_DIRECTORY_LISTENER=/usr/prod/Oracle Database/network/trace TRACE_FILE_LISTENER=listener.trc LOG_DIRECTORY_LISTENER=/usr/prod/Oracle Database/network/log LOG_FILE_LISTENER=listener.log The tnsnames. 
- Connecting Clients Outside DCE to Oracle Servers in DCE To access the DB1 database, a user can use ORATCP to identify the appropriate connect descriptor. For example: sqlplus scott/tiger@oratcp Using tnsnames.ora for Name Lookup When CDS Is Inaccessible Typically, names are resolved into network addresses by CDS. Although the main purpose of the tnsnames. 
- Part IV Enterprise User Security This part describes Oracle Database directory and security integration functionality, which enables single sign-on in a client/server environment. 
- 11 Getting Started with Enterprise User Security Enterprise User Security, a critical component of Oracle Identity Management, lets you create and administer large numbers of users in a secure, LDAP-compliant directory service. 
- Introduction to Enterprise User Security Introduction to Enterprise User Security This section provides an overview of Enterprise User Security, explaining the benefits, how enterprise users access resources across a distributed database system, and how they are authenticated. 
- Introduction to Enterprise User Security Enterprise User Security: The Big Picture Enterprise User Security addresses user, administrative, and security challenges by relying on the identity management services supplied by Oracle Internet Directory, an LDAP-compliant directory service. Identity management is the process by which the complete security life cycle for network entities is managed in an organization. 
- Introduction to Enterprise User Security Figure 11–1 Enterprise User Security and the Oracle Security Architecture [figure: layers Application Security (Third-Party Applications, Oracle E-Business Suite, Oracle Collaboration Suite, OracleAS Portal, OracleAS Wireless), Oracle Platform Security, External Security Services, and Access Management (JAAS Roles, Web Services Security, Java 2 Permissions); remaining figure text not recoverable] 
- Introduction to Enterprise User Security Single password authentication lets users authenticate to multiple databases with a single global password although each connection requires a unique authentication. The password is securely stored in the centrally located, LDAP-compliant directory, and protected with security mechanisms including encryption and Access Control Lists (ACLs). 
- Introduction to Enterprise User Security About Identity Management Realms An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. For example, all employees in an enterprise who have access to the intranet may belong to one realm, while all external users who access the public applications of the enterprise may belong to another realm. 
- Introduction to Enterprise User Security name (DN). When enterprise users log on to a database, the database authenticates those users by using their DN. Enterprise users are defined in the database as global users. Global users can have their own schemas, or they can share a global schema in the databases they access. You can create enterprise users by using the GLOBALLY clause in the CREATE USER statement in two different ways. 
- Introduction to Enterprise User Security See Also: ■ "Creating New Enterprise Users" on page 13-9 ■ Oracle Database Security Guide for more information about global users. ■ Oracle Internet Directory Administrator's Guide for information about defining users in the directory. About Enterprise User Schemas Enterprise users can retain their individual database schemas (exclusive schemas) or share schemas if the enterprise security administrator maps them to a shared schema. 
- Introduction to Enterprise User Security See Also: "About Using Shared Schemas for Enterprise User Security" on page 11-19 for more information about creating and using shared schemas for enterprise users. How Enterprise Users Access Database Resources with Database Links Database links are network objects stored in the local database or in the network definition that identify a remote database, a communication path to that database, and optionally, a username and password. 
- Introduction to Enterprise User Security Table 11–1 Enterprise User Security Authentication: Selection Criteria
  Password Authentication: Password-based authentication. Provides centralized user and password management.
  SSL Authentication: Provides strong authentication over SSL. Provides centralized user and PKI credential/wallet management.
  Kerberos Authentication: Provides strong authentication by using Kerberos, version 5 tickets. Provides centralized user and Kerberos credential management. 
- Introduction to Enterprise User Security Note: Enterprise User Security supports three-tier environments. Oracle Database 10g proxy authentication features enable (i) proxy of user names and passwords through multiple tiers, and (ii) proxy of X.509 certificates and distinguished names through multiple tiers. See Also: ■ Chapter 12, "Enterprise User Security Configuration Tasks and Troubleshooting" for information about configuring the various authentication types for enterprise user security. 
- Introduction to Enterprise User Security The entries described in the following sections can only reside within a realm Oracle Context. Enterprise Roles Enterprise users can be assigned an enterprise role, which determines their access privileges on databases. These enterprise roles are stored and managed in a directory. Figure 11–3 shows an example of an enterprise role called Manager under the OracleDefaultDomain. 
- Introduction to Enterprise User Security Figure 11–2 Example of Enterprise Roles [figure: Eastern Region (Identity Management Realm), Oracle Context, Acme Widgets (Enterprise Domain), with users registered as members of enterprise roles; remaining figure text not recoverable] 
- Introduction to Enterprise User Security An enterprise role can be assigned to one or more enterprise users. For example, you could assign the enterprise role sales_manager to a number of enterprise users who hold the same job. This information is protected in the directory, and only a directory administrator can manage users and assign their roles. A user can be granted local roles and privileges in a database in addition to enterprise roles. 
- Introduction to Enterprise User Security See Also: "Administering Enterprise Domains" on page 13-15 Database Server Entries A database server entry (represented as "Sales" in Figure 11–3) contains information about one database server. It is created by the Database Configuration Assistant during database registration. 
- Introduction to Enterprise User Security Figure 11–3 Related Entries in a Realm Oracle Context [figure: realm DN; Oracle Context; Products; User Search Base; Group Search Base; Groups (OracleDBCreators, OracleContextAdmins, OracleDBSecurityAdmins, OracleUserSecurityAdmins, OraclePasswordAccessibleDomains, OracleDBAdmins Group); OracleDBSecurity; OracleDefaultDomain; Services (Example Enterprise Domain) with Domain Admins (for Services Domain); Users; Groups; Sales (Example Database); User-Schema Mapping (Example); Networking] 
- Introduction to Enterprise User Security See Also: ■ "How Enterprise Users Are Mapped to Schemas" on page 11-20 ■ "Managing Enterprise Domain Database Schema Mappings" on page 13-20 Administrative Groups An identity management realm contains administrative groups that are related to Enterprise User Security. Figure 11–3 shows these administrative groups in a realm in the triangle labeled "Groups." Each administrative group includes an Access Control List (ACL) that controls access to the group itself. 
- Introduction to Enterprise User Security Table 11–2 Administrative Groups in a Realm Oracle Context Administrative Group Description OracleDBCreators DN: (cn=OracleDBCreators,cn=OracleContext...) (Called "Database Registration Admins" in Release 9. 
- About Using Shared Schemas for Enterprise User Security About Using Shared Schemas for Enterprise User Security The following sections describe shared schemas, and how to set them up: ■ Overview of Shared Schemas Used in Enterprise User Security ■ How Shared Schemas Are Configured for Enterprise Users ■ How Enterprise Users Are Mapped to Schemas Overview of Shared Schemas Used in Enterprise User Security Users do not necessarily require individual accounts or schemas set up in each database. 
- About Using Shared Schemas for Enterprise User Security ■ Each enterprise user can be mapped to a shared schema on each database the user needs to access. The user connects to the shared schema when the user connects to a database. ■ Shared schemas lower the cost of managing users in an enterprise. How Shared Schemas Are Configured for Enterprise Users To configure shared schemas, the local database administrator (DBA) must create at least one database schema in a database. 
- About Using Shared Schemas for Enterprise User Security multiple enterprise users (shared schema). The mapping between a single enterprise user and his or her exclusive schema is stored in the database as an association between the user DN and the schema name. The mapping between enterprise users and a shared schema is done in the directory by means of one or more mapping objects. A mapping object is used to map the distinguished name (DN) of a user to a database schema that the user will access. 
- About Using Shared Schemas for Enterprise User Security For example, suppose that Harriet is trying to connect to the HR database, but the database does not find Harriet's exclusive schema (in the database). In this case, the following steps occur: 1. The HR database looks up a user schema mapping with Harriet's DN in the directory. The directory has a mapping of Harriet to the shared schema EMPLOYEE and returns this schema. 2. The database logs Harriet in and connects her to the EMPLOYEE schema. 3. 
- About Using Current User Database Links for Enterprise User Security See Also: "Task 1: Create Global Schemas and Global Roles in the Database" on page 12-12 for detailed information about how to create shared schemas for enterprise users. About Using Current User Database Links for Enterprise User Security Oracle Database supports current user database links over an SSL-authenticated network connection. 
- About Using Current User Database Links for Enterprise User Security SSL to authenticate to the other databases. To specify a database as untrusted that is part of a trusted enterprise domain, use the PL/SQL package DBMS_ DISTRIBUTED_TRUST_ADMIN. To obtain a list of trusted servers, use the TRUSTED_SERVERS view. Note: Oracle Advanced Security does not support RADIUS authentication over database links. 
- Enterprise User Security Deployment Considerations Consider the following issues before deploying Enterprise User Security: ■ Security Aspects of Centralizing Security Credentials ■ Security of Password-Authenticated Enterprise User Database Login Information ■ Considerations for Defining Database Membership in Enterprise Domains ■ Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security 
- Enterprise User Security Deployment Considerations Security of Password-Authenticated Enterprise User Database Login Information In all secure password-based authentication methods, a server authenticates a client with a password verifier, typically a hashed version of the password that must be rigorously protected. Password-based authentication to an Oracle database is no different. There is a password verifier, and it must be protected as well. 
- Enterprise User Security Deployment Considerations Protecting Database Password Verifiers The OraclePasswordAccessibleDomains group in each identity management realm is created automatically when the realm is created, and can be managed by using Enterprise Security Manager. Enterprise domains with member databases that must view users' database password verifiers in the directory are placed into this group. For a selected realm, determine which databases can accept password-authenticated connections. 
- Enterprise User Security Deployment Considerations Considerations for Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security Enterprise User Security supports the authentication types listed in Table 11–3 for connections between clients, databases, and directories. 
- 12 Enterprise User Security Configuration Tasks and Troubleshooting This chapter describes the sequence of steps involved in configuring Enterprise User Security, from the initial database and directory preparation through connecting to the database as a password-, Kerberos-, or SSL-authenticated enterprise user. A troubleshooting section is also included to help you when testing your Enterprise User Security implementation. 
- Enterprise User Security Configuration Overview Regardless of the authentication method you choose—password, SSL, or Kerberos—you must still create the global database objects and configure the identity management realm as described. The primary difference between configuration for the various authentication types lies with network connection configuration. 
- Enterprise User Security Configuration Overview Figure 12–1 Enterprise User Security Configuration Flow Chart [flow chart: starts with "Configuration Started"; decisions on the OID version and realm Oracle Context version (9.0.4 or later vs. 9.2 or earlier) and on whether DNS discovery is used; ESM step: set Login Name attribute, user and group search bases for the IM Realm; remaining chart text not recoverable] 
- Enterprise User Security Configuration Roadmap For brevity, some product names and features have been abbreviated in this flow chart. 
- Preparing the Directory for Enterprise User Security – "Configuring Enterprise User Security for SSL Authentication" on page 12-21 Preparing the Directory for Enterprise User Security This is the first phase in configuring Enterprise User Security and must be performed before you can configure any other part of this feature. Enterprise User Security, 10g Release 1 (10.1) requires Oracle Internet Directory, Release 9.0.4, or later, which installs with the required version of the Oracle schema. 
- Preparing the Directory for Enterprise User Security Note: By default in a version 9.0.4 identity management realm, the user search base is set to cn=Users,cn=realm_name, the group search base is set to cn=Groups,cn=realm_name, and the attribute for login name is set to the user's id (uid). In previous releases, this used to be cn. 
- Preparing the Directory for Enterprise User Security Note: ■ This default realm-wide setting can be overridden on a database by setting the LDAP_DIRECTORY_ACCESS initialization parameter. See Oracle Database Reference for more information about this parameter. ■ If you are using SSL, then see Oracle Internet Directory Administrator's Guide for information about setting up SSL with two-way authentication for Oracle Internet Directory. 
- Preparing the Directory for Enterprise User Security Note: ■ If you are using SSL authentication for your database-to-directory connection, then the SSL port entered in the ldap.ora file must support two-way authentication. This requires a PKI digital certificate and wallet for Oracle Internet Directory. ■ If you are using password authentication for your database-to-directory connection, then the SSL port entered in the ldap.ora file must support SSL with no authentication. 
- Preparing the Directory for Enterprise User Security ■ After creating the wallet, Database Configuration Assistant stores it at ORACLE_HOME/admin/Oracle_SID/wallet in UNIX environments and at ORACLE_BASE\ORACLE_HOME\admin\Oracle_SID\wallet in Windows environments. ■ If a database wallet already exists, then Database Configuration Assistant uses it and updates the wallet password. ■ Enables auto login for the database wallet. 
- Preparing the Directory for Enterprise User Security 4. Choose Finish if you are only registering a database. Choose Next if you want to configure additional database features. To cancel database registration: Note: Depending on user permissions, Database Configuration Assistant may be unable to remove a database from its domain in the directory. If it cannot, then use Enterprise Security Manager to remove it from the enterprise domain. 
- Configuring Enterprise User Security Objects in the Database and the Directory. After you have prepared the directory for Enterprise User Security, you can create the Enterprise User Security database and directory objects as described in "Configuring Enterprise User Security Objects in the Database and the Directory" on page 12-11. See Also: ■ Oracle Internet Directory Administrator's Guide for information about configuring an identity management realm in the directory.
- If you do not use the OracleDefaultDomain or store your users in an identity management realm Users subtree, then see the following documentation: ■ Oracle Internet Directory Administrator's Guide for information about creating a new identity management realm or modifying an existing one, and for information about setting access control lists on directory objects.
- Alternatively, you can grant the CREATE SESSION privilege to a global role, which you grant to specific users through an enterprise role. See Step 3. 3. Create global roles for the database to hold relevant privileges.
- Task 3: Create Enterprise Roles in the Enterprise Domain. Use Enterprise Security Manager to create enterprise roles in the OracleDefaultDomain by using the following steps: 1. Right-click the OracleDefaultDomain in the navigator pane and choose Create Enterprise Role.... The Create Enterprise Role dialog box appears with the appropriate realm Oracle Context and enterprise domain displayed. 2.
- 4. Click OK. Enterprise Security Manager connects to the selected database, fetches the global roles supported on that database, and displays them in the Add Global Database Roles dialog box. 5. Select one or more global roles and click OK. The selected global roles appear in the Database Global Roles window. 6. Click Apply. The new global roles are added to the enterprise role.
- Configuring Enterprise User Security for Password Authentication For more information about this task, see "Granting Enterprise Roles to Users" on page 13-31. 
- ■ Task 1: (Optional) Enable the Enterprise Domain to Accept Password Authentication ■ Task 2: Add the Enterprise Domain to the Password-Accessible Domains List ■ Task 3: Connect as a Password-Authenticated Enterprise User. Task 1: (Optional) Enable the Enterprise Domain to Accept Password Authentication. By default, the OracleDefaultDomain is configured to accept password authentication.
- Configuring Enterprise User Security for Kerberos Authentication. Task 3: Connect as a Password-Authenticated Enterprise User. For an enterprise user whose directory login name is hscortea and whose password is welcome, enter the following to connect to the database by using SQL*Plus: SQL> connect hscortea/welcome@ The database authenticates the enterprise user (hscortea) by verifying the username/password combination against the directory entry associated with this user.
- ■ You have prepared your directory by completing the tasks described in "Preparing the Directory for Enterprise User Security" on page 12-5. ■ You have configured your Enterprise User Security objects in the database and the directory by completing the tasks described in "Configuring Enterprise User Security Objects in the Database and the Directory" on page 12-11.
- Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes" on page 13-5. Note: By default, the Enterprise Security Manager Console user interface does not display the field where you can configure Kerberos principal names. The first time you create Kerberos-authenticated users in the directory, you must configure the console to display the krbPrincipalName attribute in its Create User window.
- Configuring Enterprise User Security for SSL Authentication If the KDC is part of the operating system, such as Windows 2000 or some versions of Linux or UNIX, then the operating system automatically picks up the user's ticket (with the FORWARDABLE flag set) from the cache when the user logs in. The user connects to the database by launching SQL*Plus and entering the following at the command line: SQL> connect /@ The database uses Kerberos to authenticate the user. 
- – Database certificate DN (stored in the database wallet) – Database directory entry DN – Database wallet DN (not the certificate). See "Viewing the Database DN in the Wallet and in the Directory" on page 12-24. Note that Database Configuration Assistant sets the database directory entry DN and the database wallet DN to be identical when registering the database in the directory.
- 3. Click Apply. For more information about this task, see "Managing Database Security Options for an Enterprise Domain" on page 13-19. Task 2: Set the LDAP_DIRECTORY_ACCESS Initialization Parameter to SSL. You can change this initialization parameter either by editing your database initialization parameter file or by issuing an ALTER SYSTEM SQL command with the SET clause.
- client cannot have a wallet location specified there, the server and client cannot share sqlnet.ora files.) If you have a separate client Oracle home, then you do not need to set the TNS_ADMIN environment variable. 4. Launch SQL*Plus and enter the following at the command line: SQL> connect /@connect_identifier where connect_identifier is the Oracle Net service name you set up when you configured SSL for the database client.
- Enabling Current User Database Links. To view the database DN so you can request a certificate with the appropriate DN, use one of the following options: ■ Use Oracle Directory Manager to look in the directory under the realm Oracle Context for cn=short_database_name,cn=OracleContext, where short_database_name is the first part of the fully qualified domain name for a database. For example, if you have a database named db1.us.oracle.com, then the short database name is db1.
- Troubleshooting Enterprise User Security. This section describes potential problems and associated corrective actions in the following topics: ■ ORA-# Errors for Password-Authenticated Enterprise Users ■ ORA-# Errors for Kerberos-Authenticated Enterprise Users ■ ORA-# Errors for SSL-Authenticated Enterprise Users ■ NO-GLOBAL-ROLES Checklist ■ USER-SCHEMA ERROR Checklist ■ DOMAIN-READ-ERROR Checklist. ORA-# Errors for Password-Authenticated Enterprise Users
- 5. Use Database Configuration Assistant to reset the database password used to authenticate the database to Oracle Internet Directory. This resets it both locally in the database wallet and remotely in the database entry in Oracle Internet Directory. 6. Check that the database wallet has auto login enabled. Either use Oracle Wallet Manager, or check that there is a cwallet.sso file in $ORACLE_HOME/admin/Oracle_SID/wallet/. 7.
- ORA-28272: Domain policy does not allow password-authenticated GLOBAL users. Action: Use Enterprise Security Manager to set the user authentication policy for this enterprise domain to Password or ALL. ORA-28273: No mapping for user login name to LDAP distinguished name exists. Action: Check the following: 1. Check that a user entry exists in Oracle Internet Directory for your user. 2.
- 3. Use Enterprise Security Manager to check that the user search base containing this user is listed in the user search base attribute of the realm that you are using. 4. Use Enterprise Security Manager to check that the enterprise domain is in the password-accessible domains group. 5. Check that the ACL on the user search base attribute allows read and search access to the orclpassword attributes by the verifierServices group.
- Cause: Indicates a problem with the connection between the database and the directory. Action: See the actions listed for resolving "ORA-28030: Problem accessing LDAP directory service" on page 12-26 in the troubleshooting section for password-authenticated enterprise users.
- 2. Check that there is a value for the attribute krbprincipalname in the user entry. If there is no value, then use Oracle Internet Directory Self-Service Console to enter one. 3. Use Enterprise Security Manager to check that the user search base containing this user is listed in the realm Oracle Context that you are using. 4.
- 2. If these values are incorrect, reset the database wallet by using Database Configuration Assistant. 3. Use the DN and the password returned by mkstore in the following ldapbind: ldapbind -h  -p  -D "" -w  Note: The mkstore utility is for troubleshooting purposes only. The name and functionality of this tool may change in the future. In 10g Release 1 (10.
- 4. Check that the LDAP_DIRECTORY_ACCESS parameter is set to SSL in the database initialization parameters file. 5. Check that the database wallet has auto login enabled. Either use Oracle Wallet Manager, or check that there is a cwallet.sso file in $ORACLE_HOME/admin/Oracle_SID/wallet/. 6.
- 1. Check that the global role has been created in the database. To create global roles, use the following syntax: CREATE ROLE  IDENTIFIED GLOBALLY; 2. Use Enterprise Security Manager to check that the global role is included in an enterprise role in the directory. 3. Use Enterprise Security Manager to check that the enterprise role is assigned to the user in the directory. 4.
- Use the following syntax to view the DN that was used with the CREATE USER statement: SELECT EXTERNAL_NAME FROM DBA_USERS WHERE USERNAME=''; 4. If you are using a shared schema, then check the following: – Use Enterprise Security Manager to ensure that you have created a user-schema mapping either for the entire enterprise domain, or for the database.
- 1. Use Enterprise Security Manager to check that the database is a member of exactly one enterprise domain, and add it to one if it is not. 2.
- – If the database connects to the directory by using password authentication, then use ldapsearch -h  -p  -D  -w  -b "cn=OracleContext, " "objectclass=orclDBEnterpriseRole" where  is the password in the database wallet, which is the database's password to Oracle Internet Directory.
- 13 Administering Enterprise User Security This chapter describes how to use Enterprise Security Manager to administer Enterprise User Security in Oracle Databases. 
- Enterprise User Security Administration Tools Overview. Enterprise Security Manager and Enterprise Security Manager Console are the two main tools provided for administering Enterprise User Security.
- Administering Identity Management Realms. An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. A realm Oracle Context is a subtree in a directory identity management realm that contains the data used by any installed Oracle product that uses the directory. Enterprise Security Manager is one such product.
- Identity Management Realm Versions. Enterprise User Security can only use an identity management realm supplied by Oracle Internet Directory 10g (9.0.4) or later, which ships with Oracle Application Server 10g (9.0.4). You can manage Enterprise User Security directory entries in a version 9.0.4 identity management realm by using Enterprise Security Manager for Oracle Database 10g. Enterprise Security Manager displays all existing version 9.0.
- Setting Properties of an Identity Management Realm. An identity management realm has a number of properties that can be viewed and managed by using Enterprise Security Manager. These properties are described in Table 13–1. Table 13–1 Identity Management Realm Properties (Property: Description). Attribute for Login Name: Name of the directory attribute used to store login names.
- 3. In the Realm Information window, enter the appropriate information into the available fields. 4. Click Submit to save your changes to the directory. Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm. Setting the default database-to-directory authentication type enters a value for the LDAP_DIRECTORY_ACCESS initialization parameter.
- Managing Identity Management Realm Administrators. An identity management realm contains administrative groups that have varying levels of privileges. The administrative groups for an identity management realm that pertain to Enterprise User Security are defined in Table 13–2. For more information about these groups, see "Administrative Groups" on page 11-17.
- Administering Enterprise Users. Enterprise Security Manager manages one directory server at a time, identified at the top of the main application tree. It lets you manage enterprise users and data that is relevant to Enterprise User Security in the identity management realm. This section describes how to use Enterprise Security Manager to administer enterprise users.
- Creating New Enterprise Users. Use Enterprise Security Manager to create users in the directory. Note: Before creating new enterprise users, you must define the user search base in the directory. See "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes" on page 13-5. To create new enterprise users: 1. Select Launch Enterprise Security Manager Console from the Operations menu.
- 2. Choose the Users and Groups tab. 3. In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed. 4. In the User subtab window, click Create (located on the upper right corner of the Search Results table).
- The enterprise user password is used for: ■ Directory logon ■ Database logon, to databases that support password authentication for global users. To set the password for an enterprise user: 1. Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in using your OracleAS Single Sign-On username and password.) 2. Choose the Users and Groups tab. 3.
- Figure 13–3 Enterprise Security Manager: Add Enterprise Roles Window. 4. Select the correct identity management realm, then select any enterprise roles in your realm to assign to the new user, and choose OK. Browsing Users in the Directory. Enterprise Security Manager lets you browse the directory for all users currently stored there in two ways—by using Enterprise Security Manager Console, or by using the All Users tab in the main application window.
- A list of all users that match your search criteria displays. You can browse through the displayed users and select one to Edit, Delete, or Assign Privileges. If you need to create a new user, click Create. To browse enterprise users in the directory by using the All Users tab in the main application window: 1. Select the directory in the left navigator pane. 2. Choose the All Users tab in the right main window (Figure 13–4). Figure 13–4. 3.
- Table 13–3 Directory Search Criteria (Search Criteria: Effect on the Search). Base: This is the base entry point in the directory where the search is performed. Only users under this base are returned by the search. Include Subtrees: This determines whether to show all users found in the entire subtree under the selected base, or to show only those users that exist directly under that base location (one level only).
- Administering Enterprise Domains. An identity management realm contains an enterprise domain called OracleDefaultDomain. The OracleDefaultDomain is part of the realm when it is first created in the directory. When a new database is registered into a realm, it automatically becomes a member of the OracleDefaultDomain in that realm. You can create and remove your own enterprise domains, but you must not remove the OracleDefaultDomain from a realm.
- Creating a New Enterprise Domain. If you do not want to use the OracleDefaultDomain, then you can create a new enterprise domain in your identity management realm. To create a new enterprise domain in an identity management realm: 1. Start by using one of the following methods: ■ Select Create Enterprise Domain from the Operations menu. ■ Select a realm from the main application tree with a right mouse-click.
- ■ Select Remove Enterprise Domain from the Operations menu. ■ Select an enterprise domain from the main application tree with a right mouse-click. 3. Enterprise Security Manager asks you to confirm removal of the enterprise domain from the realm. Choose OK to remove it. Note: You cannot remove an enterprise domain from an identity management realm if that enterprise domain contains any enterprise roles.
- To remove a database from an enterprise domain: 1. Select a specific database for removal, and choose Remove.... The database is removed from the list. 2. Choose Apply. The database is removed from the enterprise domain. To add a database to an enterprise domain: Note: The following restrictions apply to adding databases to an enterprise domain: ■ A database must be in an enterprise domain for enterprise users to be able to connect to it. 1.
- 2. Select a new database to be added to the enterprise domain. 3. Choose OK. The selected database is added to the list of databases in the Databases tabbed window (Figure 13–6). 4. Choose Apply (Figure 13–6). The new database is added to the enterprise domain.
- Managing Enterprise Domain Administrators. An Enterprise Domain Administrator is a directory user with privileges to modify the content of that domain. You can use the Administrators tabbed window to manage Enterprise Domain Administrators when an enterprise domain is selected under a realm in the main application tree. To add a new user to the list of Enterprise Domain Administrators: 1.
- A database can use a schema mapping to share one database schema between multiple directory users. The schema mapping is a pair of values: the base in the directory at which users exist, and the name of the database schema they will use. You can use the Database Schema Mappings tabbed window to manage database schema mappings—when a database is selected under a realm in the main application tree or when a domain is selected.
- To add a new mapping to the list of database schema mappings in the enterprise domain: 1. In the Database Schema Mapping tabbed window, choose Add.... The Add Database Schema Mappings window appears (Figure 13–9). Use this window to locate and select a base in the directory and pair it with a database schema name, to make a database schema mapping.
- 4. Enter the name of the database schema for which this mapping will be made into the Schema field, and choose OK. This must be a valid name for a schema that already exists on that database. The new database schema mapping appears in the database schema mappings window (Figure 13–8). 5. Choose Apply. The new database schema mapping is added to the selected database or domain in the realm.
- 2. Choose the Accessible Domains tabbed window and click Add. The Add Accessible Enterprise Domains dialog box appears. See Figure 13–10 on page 13-24. Figure 13–10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box. 3. Select the OracleDefaultDomain from the list of enterprise domains, and click OK. The OracleDefaultDomain is added to the password-accessible domains list.
- To remove an enterprise domain from the password-accessible domains list: 1. Select the identity management realm in the left navigator pane. 2. Choose the Accessible Domains tabbed window and select the enterprise domain that you want to remove from the list. 3. Click Remove.
- See Also: ■ "Creating New Enterprise Users" on page 13-9 ■ "Browsing Users in the Directory" on page 13-12
- Administering Enterprise Roles. An enterprise domain within an identity management realm can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain. This section describes how to use Enterprise Security Manager to administer enterprise roles in the directory.
- Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the identity management realm is already selected. 2. Select the appropriate enterprise domain for the new enterprise role from the Enterprise Domain list. Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the enterprise domain is already selected. 3.
- Figure 13–12 Enterprise Security Manager: Database Global Roles Tab. When populating an enterprise role with different database roles, it is only possible to reference roles that are configured to be global roles on those databases. A global role on a database is identical to a normal role, except that the Database Administrator has defined it to be authorized only through the directory.
- enabled as its Oracle Net naming method, or if this name appears as a TNS alias in your local Oracle Net configuration. Otherwise, you can overwrite the content of the Service field with any other TNS alias configured for that database, or with a connect string in the format ::. For example, cartman:1521:broncos. Figure 13–13 Enterprise Security Manager: Database Authentication Required Window. 3. Choose OK.
- Granting Enterprise Roles to Users. You can grant an enterprise role to users in two ways: you can select a user and add a role (see "Defining an Initial Enterprise Role Assignment" on page 13-11), or you can select a role and add a user. When you grant an enterprise role to a user, it includes all database global roles contained within that enterprise role. Use the Users tabbed window. To grant an enterprise role to users: 1.
- To remove a user from the list of enterprise role grantees: 1. Select a user from the list of grantees in the Users tabbed window. 2. Choose Remove. The selected user is removed from the list. 3. Choose Apply. The user is removed as a grantee for that enterprise role in the enterprise domain.
- Part V Appendixes This part contains the following reference appendixes: ■ Appendix A, "Data Encryption and Integrity Parameters" ■ Appendix B, "Authentication Parameters" ■ Appendix C, "Integrating Authentication Devices Using RADIUS" ■ Appendix D, "Oracle Advanced Security FIPS 140-1 Settings" ■ Appendix E, "orapki Utility" ■ Appendix F, "Entrust-Enabled SSL Authentication" ■ Appendix G, "Using the User Migration Utility" 
- A Data Encryption and Integrity Parameters This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" and Chapter 7, "Configuring Secure Sockets Layer Authentication". This appendix contains the following topics: ■ Sample sqlnet. 
- Sample sqlnet.ora File. Oracle Advanced Security Encryption:
      #ASO Encryption
      sqlnet.encryption_server=accepted
      sqlnet.encryption_client=requested
      sqlnet.encryption_types_server=(RC4_40)
      sqlnet.encryption_types_client=(RC4_40)
  Oracle Advanced Security Integrity:
      #ASO Checksum
      sqlnet.crypto_checksum_server=requested
      sqlnet.crypto_checksum_client=requested
      sqlnet.crypto_checksum_types_server = (MD5)
      sqlnet.
- RADIUS:
      #Radius
      sqlnet.authentication_services = (beq, RADIUS )
      sqlnet.radius_authentication_timeout = (10)
      sqlnet.radius_authentication_retries = (2)
      sqlnet.radius_authentication_port = (1645)
      sqlnet.radius_send_accounting = OFF
      sqlnet.radius_secret = /orant/network/admin/radius.key
      sqlnet.radius_authentication = radius.us.oracle.com
      sqlnet.radius_challenge_response = OFF
      sqlnet.radius_challenge_keyword = challenge
      sqlnet.
- Table A–1 Algorithm Type Selection (Encryption Selected? / Integrity Selected?): No / No. There are three classes of parameters used to enable data encryption and integrity.
- on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection. Table A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes: Syntax: SQLNET.ENCRYPTION_CLIENT = valid_value; Valid Values: ACCEPTED, REJECTED, REQUESTED, REQUIRED; Default Setting: ACCEPTED. SQLNET.CRYPTO_CHECKSUM_SERVER: This parameter specifies the desired data integrity behavior when a client or another server acting as a client connects to this server.
- SQLNET.ENCRYPTION_TYPES_SERVER: This parameter specifies a list of encryption algorithms used by this server, in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650.
- SQLNET.ENCRYPTION_TYPES_CLIENT: This parameter specifies a list of encryption algorithms used by this client or by a server acting as a client. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650. Table A–7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes: Syntax: SQLNET.
- Table A–8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes: Syntax: SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm]); Valid Values: ■ SHA-1: Secure Hash Algorithm ■ MD5: Message Digest 5; Default Setting: If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence. SQLNET.
- Note: If you use this parameter to seed the random number generator, then Oracle recommends that you enter as many characters as possible, up to 70, to make the resulting key more random and therefore stronger. If you do not use this parameter, the system uses various sources of random numbers, depending on your operating system, to seed the random number generator.
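The negotiation that the SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* entries above describe (the ACCEPTED/REJECTED/REQUESTED/REQUIRED pairing, the server's ordered type list matched against the client's, and the ORA-12650 termination), as an added Python model that is not Oracle's code: the installed-algorithm tuples and the client-side sqlnet.ora fragment are constructed, the server-side fragment reuses the values of the page's sample sqlnet.ora file, and the outcome of each setting pair follows Oracle's documented negotiation table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Added illustration of the sqlnet.ora negotiation described above; not Oracle code.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Constructed sample: algorithm types assumed installed on both ends, in the
# sequence the installation uses when no list is configured in sqlnet.ora.
INSTALLED_ENCRYPTION = ("AES256", "AES128", "3DES168", "RC4_128", "RC4_40")
INSTALLED_CHECKSUM = ("SHA1", "MD5")   # the "preceding sequence" of Table A-8


@dataclass(frozen=True)
class Outcome:
    enabled: bool
    algorithm: Optional[str] = None   # negotiated type when the service is on
    error: Optional[str] = None       # why the connection terminates, if it does


def service_state(server: str, client: str) -> Optional[bool]:
    """Combine one SERVER/CLIENT pair of ACCEPTED, REJECTED, REQUESTED, REQUIRED.

    Returns True (service on), False (service off) or None (connection fails).
    """
    server, client = server.upper(), client.upper()
    for value in (server, client):
        if value not in LEVELS:
            raise ValueError(f"{value!r} is not one of {LEVELS}")
    if "REJECTED" in (server, client):
        # A REJECTED side refuses the service; that only breaks the connection
        # when the other side has made the service REQUIRED.
        return None if "REQUIRED" in (server, client) else False
    if server == "ACCEPTED" and client == "ACCEPTED":
        return False   # both sides would accept it, but neither asked for it
    return True        # at least one side REQUESTED or REQUIRED it


def negotiate(server: str, client: str, server_types: Sequence[str],
              client_types: Sequence[str], installed: Sequence[str]) -> Outcome:
    """Negotiate one service (encryption or integrity) for a single connection."""
    state = service_state(server, client)
    if state is None:
        return Outcome(False, error="connection fails: REJECTED on one side, REQUIRED on the other")
    if not state:
        return Outcome(False)
    # An empty list means "all installed algorithms, in the installed sequence".
    server_list = [t.upper() for t in server_types] or list(installed)
    client_list = [t.upper() for t in client_types] or list(installed)
    # Naming an algorithm that is not installed terminates the connection (ORA-12650).
    for side, types in (("server", server_list), ("client", client_list)):
        missing = [t for t in types if t not in installed]
        if missing:
            return Outcome(False, error=f"ORA-12650: {side} lists uninstalled type(s) {missing}")
    # Walk the server's list in its stated order; the first type the client
    # also offers is the one used.
    for candidate in server_list:
        if candidate in client_list:
            return Outcome(True, algorithm=candidate)
    return Outcome(False, error="ORA-12650: no common algorithm")


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Parse the sqlnet.ora line shapes used here: '#' comments, 'name=value'
    and 'name=(a, b)'. Every value becomes a list of strings."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name.lower()] = [v.strip() for v in value.strip("()").split(",") if v.strip()]
    return params


def negotiate_from_sqlnet(server_ora: str, client_ora: str, service: str,
                          installed: Sequence[str]) -> Outcome:
    """service is 'encryption' or 'crypto_checksum'. An unset level defaults to
    ACCEPTED (Table A-3); an unset type list defaults to all installed types."""
    s, c = parse_sqlnet(server_ora), parse_sqlnet(client_ora)
    return negotiate((s.get(f"sqlnet.{service}_server") or ["ACCEPTED"])[0],
                     (c.get(f"sqlnet.{service}_client") or ["ACCEPTED"])[0],
                     s.get(f"sqlnet.{service}_types_server", []),
                     c.get(f"sqlnet.{service}_types_client", []),
                     installed)


# Server side: the values of the page's sample sqlnet.ora file.
SERVER_ORA = """#ASO Encryption
sqlnet.encryption_server=accepted
sqlnet.encryption_types_server=(RC4_40)
#ASO Checksum
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_types_server = (MD5)
"""
# Client side: constructed counterpart with no checksum type list, so every
# installed checksum type is offered.
CLIENT_ORA = """sqlnet.encryption_client=requested
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_checksum_client=requested
"""
```

Calling negotiate_from_sqlnet(SERVER_ORA, CLIENT_ORA, "encryption", INSTALLED_ENCRYPTION) yields encryption on with RC4_40, and the "crypto_checksum" call yields integrity on with MD5, the only type the server lists.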
- B Authentication Parameters This appendix illustrates some sample configuration files with the profile file (sqlnet.ora) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication. 
- Parameters for Clients and Servers using RADIUS Authentication Parameters for Clients and Servers using RADIUS Authentication The following sections describe the parameters for RADIUS authentication ■ sqlnet.ora File Parameters ■ Minimum RADIUS Parameters ■ Initialization File Parameters sqlnet.ora File Parameters SQLNET.AUTHENTICATION_SERVICES This parameter configures the client or the server to use the RADIUS adapter. Table B–2 describes this parameter's attributes. Table B–2 SQLNET. 
- Parameters for Clients and Servers using RADIUS Authentication Table B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION_PORT=port_number Default setting 1645 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT This parameter sets the time to wait for response. Table B–5 describes this parameter's attributes. Table B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes Attribute Description Syntax SQLNET. 
- Parameters for Clients and Servers using RADIUS Authentication Table B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_SEND_ACCOUNTING=on Default setting off SQLNET.RADIUS_SECRET This parameter specifies the file name and location of the RADIUS secret key. Table B–8 describes this parameter's attributes. Table B–8 SQLNET.RADIUS_SECRET Parameter Attributes Attribute Description Syntax SQLNET. 
- Parameters for Clients and Servers using RADIUS Authentication SQLNET.RADIUS_ALTERNATE_TIMEOUT This parameter sets the time to wait for response for the alternate RADIUS server. Table B–11 describes this parameter's attributes. Table B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_ALTERNATE_TIMEOUT=time_in_seconds Default setting 5 SQLNET. 
- Parameters for Clients and Servers using RADIUS Authentication Table B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_CHALLENGE_KEYWORD=keyword Default setting challenge SQLNET.RADIUS_AUTHENTICATION_INTERFACE This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B–15 describes this parameter's attributes. Table B–15 SQLNET. 
- Parameters for Clients and Servers using SSL Initialization File Parameters REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX="" Parameters for Clients and Servers using SSL There are two ways to configure a parameter: ■ Static: The name of the parameter that exists in the sqlnet.ora file. ■ Dynamic: The name of the parameter used in the security subsection of the Oracle Net address. SSL Authentication Parameters This section describes the static and dynamic parameters for configuring SSL on the server. 
- Example (dynamic): AUTHENTICATION = (TCPS) Cipher Suite Parameters This section describes the static and dynamic parameters for configuring cipher suites. Parameter Name (static): SSL_CIPHER_SUITES Parameter Name (dynamic): SSL_CIPHER_SUITES Parameter Type: String LIST Parameter Class: Static Permitted Values: Any known SSL cipher suite Default Value: No default Description: Controls the combination of encryption and data integrity used by SSL. 
- ■ SSL_RSA_WITH_RC4_128_MD5 ■ SSL_RSA_WITH_DES_CBC_SHA ■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ■ SSL_DH_anon_WITH_RC4_128_MD5 ■ SSL_DH_anon_WITH_DES_CBC_SHA ■ SSL_RSA_EXPORT_WITH_RC4_40_MD5 ■ SSL_RSA_EXPORT_WITH_DES40_CBC_SHA ■ SSL_RSA_WITH_AES_128_CBC_SHA ■ SSL_RSA_WITH_AES_256_CBC_SHA Note that the cipher suites that use Advanced Encryption Standard (AES) work with Transport Layer Security (TLS 1.0) only. 
- Example (dynamic): SSL_VERSION=3.0 SSL Client Authentication Parameters This section describes the static and dynamic parameters for configuring SSL on the client. 
- Purpose Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verification, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection regardless of whether there is a match. Not forcing the match lets the server potentially fake its identity. Values yes|on|true—Specify to enforce a match. 
- Example dbalias=(description=(address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme"))) Wallet Location For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B–17 in each of the following configuration files: ■ sqlnet.ora ■ listener. 
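The following is an added example, not code from the Oracle guide: it parses the connect descriptor shown above (with its parentheses balanced), extracts SSL_SERVER_DN from the security subsection, and applies the SSL_SERVER_DN_MATCH policy to a presented certificate subject DN, so the difference between enforcing and not enforcing the match is visible. The function names, the case-insensitive RDN normalization, and the sample DNs are my own assumptions.

```python
"""Added example: SSL_SERVER_DN_MATCH decision against an Oracle Net descriptor."""
import re

# Constructed from the guide's sample descriptor, parentheses balanced.
DESCRIPTOR = (
    'dbalias=(description=(address_list=(address=(protocol=tcps)(host=hostname)'
    '(port=portnum)))(connect_data=(sid=Finance))'
    '(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")))'
)


def _parse_group(s, i):
    """Parse one '(KEY=VALUE)' group starting at s[i]; return (key, value, next index)."""
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    eq = s.index('=', i)
    key = s[i + 1:eq].strip().upper()
    i = eq + 1
    while s[i].isspace():
        i += 1
    if s[i] == '(':                               # nested list of groups
        value = {}
        while s[i] == '(':
            k, v, i = _parse_group(s, i)
            if k in value:                        # repeated key, e.g. several ADDRESS
                if not isinstance(value[k], list):
                    value[k] = [value[k]]
                value[k].append(v)
            else:
                value[k] = v
            while s[i].isspace():
                i += 1
        if s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        return key, value, i + 1
    if s[i] == '"':                               # quoted scalar (DNs contain commas)
        close = s.index('"', i + 1)
        value = s[i + 1:close]
        end = s.index(')', close)
    else:                                         # bare scalar up to ')'
        end = s.index(')', i)
        value = s[i:end].strip()
    return key, value, end + 1


def parse_descriptor(text):
    """Parse 'alias=(description=...)' into {ALIAS: {DESCRIPTION: {...}}}."""
    alias, _, rest = text.strip().partition('=')
    rest = rest.strip()
    key, value, end = _parse_group(rest, 0)
    if rest[end:].strip():
        raise ValueError('trailing data after descriptor')
    return {alias.strip().upper(): {key: value}}


def expected_server_dn(descriptor):
    """Return SSL_SERVER_DN from the security subsection, or None if it is absent."""
    for alias_body in descriptor.values():
        sec = alias_body.get('DESCRIPTION', {}).get('SECURITY', {})
        if isinstance(sec, dict) and 'SSL_SERVER_DN' in sec:
            return sec['SSL_SERVER_DN']
    return None


def normalize_dn(dn):
    """Ordered RDN list: attribute types upper-cased, values case-folded, spaces collapsed."""
    rdns = []
    for rdn in dn.split(','):
        attr, _, val = rdn.partition('=')
        rdns.append((attr.strip().upper(), re.sub(r'\s+', ' ', val.strip()).casefold()))
    return rdns


def check_server_dn(match_setting, descriptor_text, presented_dn):
    """Apply SSL_SERVER_DN_MATCH; returns (connection_allowed, dn_matched, note)."""
    enforce = str(match_setting).strip().lower() in ('yes', 'on', 'true')
    expected = expected_server_dn(parse_descriptor(descriptor_text))
    if expected is None:
        return (True, None, 'no SSL_SERVER_DN in descriptor; nothing to compare')
    matched = normalize_dn(expected) == normalize_dn(presented_dn)
    if matched:
        return (True, True, 'server DN matches SSL_SERVER_DN')
    if enforce:
        return (False, False, 'DN mismatch and SSL_SERVER_DN_MATCH enforced: reject')
    return (True, False, 'DN mismatch but SSL_SERVER_DN_MATCH off: connection permitted')


if __name__ == '__main__':
    good = 'cn=finance, cn=oraclecontext, c=us, o=acme'     # same DN, other case/spacing
    other = 'CN=Finance,CN=OracleContext,C=US,O=OtherOrg'    # constructed non-matching DN
    for setting in ('yes', 'no'):
        for dn in (good, other):
            print(setting, dn, '->', check_server_dn(setting, DESCRIPTOR, dn))
```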
- C Integrating Authentication Devices Using RADIUS This appendix describes how third party authentication vendors customize the RADIUS challenge-response user interface to fit their particular device. 
- Customizing the RADIUS Challenge-Response User Interface You can customize this interface by creating your own class to support the functionality described in Table C–1. You can then open the sqlnet.ora file, look up the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, and replace the name of the class listed there (DefaultRadiusInterface) with the name of the new class you have just created. When you make this change in the sqlnet. 
- D Oracle Advanced Security FIPS 140-1 Settings Oracle Advanced Security Release 8.1.6 has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level. This appendix describes the formal configuration required for Oracle Advanced Security to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address: http://csrc.nist.gov/cryptval/140-1/1401val. 
- Configuration Parameters Configuration parameters are contained in the sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a DBA. 
- Configuration Parameters The specified algorithm must be installed or the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory: SQLNET.ENCRYPTION_TYPES_SERVER=(DES|DES40) Client Encryption Selection List The ENCRYPTION_TYPES_CLIENT parameter specifies the list of encryption algorithms which the client is prepared to use for the connection with the server. 
- Post Installation Checks After the installation, the following permissions must be verified in the operating system: ■ Execute permissions must be set on all Oracle Advanced Security executable files so as to prevent execution of Oracle Advanced Security by users who are unauthorized to do so in accordance with the system security policy. 
- Physical Security Physical Security To comply with FIPS 140-1 Level 2 requirements, tamper-evident seals must be applied to the cover of each machine—to ensure that removal of the cover is detectable. 
- E orapki Utility The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI. 
- orapki Utility Overview This command line utility can be used to perform the following tasks: ■ Creating and viewing signed certificates for testing purposes ■ Manage Oracle wallets: – Create and display Oracle wallets – Add and remove certificate requests – Add and remove certificates – Add and remove trusted certificates ■ Manage certificate revocation lists (CRLs): – Renaming CRLs with a hash value for certificate validation – Uploading, listing, viewing, and dele 
- Creating Signed Certificates for Testing Purposes This command line utility provides a convenient, lightweight way to create signed certificates for testing purposes. 
- Managing Oracle Wallets with orapki Utility The following sections describe the syntax used to create and manage Oracle wallets with the orapki command line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process. 
- Adding Certificates and Certificate Requests to Oracle Wallets with orapki To add a certificate request to an Oracle wallet: orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048> This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). 
- Managing Certificate Revocation Lists (CRLs) with orapki Utility Exporting Certificates and Certificate Requests from Oracle Wallets with orapki To export a certificate from an Oracle wallet: orapki wallet export -wallet <wallet_location> -dn <user_dn> -cert <certificate_filename> This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert. 
- orapki Utility Commands Summary This section lists and describes the following orapki commands: ■ orapki cert create ■ orapki cert display ■ orapki crl delete ■ orapki crl display ■ orapki crl hash ■ orapki crl list ■ orapki crl upload ■ orapki wallet add ■ orapki wallet create ■ orapki wallet display ■ orapki wallet export orapki cert create Purpose Use this command to create a signed certificate for testing purposes. 
- orapki cert display Purpose Use this command to display details of a specific certificate. Syntax orapki cert display -cert <certificate_location> [-summary|-complete] ■ The -cert parameter specifies the location of the certificate you want to display. 
- with no authentication. See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more information about this port. ■ The -user parameter specifies the username of the directory user who has permission to delete CRLs from the CRL subtree in the directory. ■ The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. 
- orapki crl hash Purpose Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation. Syntax orapki crl hash -crl  [-wallet ] [-symlink|-copy]  [-summary] ■ The -crl parameter specifies the filename that contains the CRL or the URL where it can be found. 
- The -ldap parameter specifies the hostname and SSL port for the directory server from which you want to list CRLs. Note that this must be a directory SSL port with no authentication. See "Uploading CRLs to Oracle Internet Directory" on page 7-42 for more information about this port. orapki crl upload Purpose Use this command to upload certificate revocation lists (CRLs) to the CRL subtree in Oracle Internet Directory. 
- orapki wallet add Purpose Use this command to add certificate requests and certificates to an Oracle wallet. Syntax To add certificate requests: orapki wallet add -wallet <wallet_location> -dn <user_dn> -keySize <512|1024|2048> ■ The -wallet parameter specifies the location of the wallet to which you want to add a certificate request. ■ The -dn parameter specifies the distinguished name of the certificate owner. 
- user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail. orapki wallet create Purpose Use this command to create an Oracle wallet or to set auto login on for an Oracle wallet. 
- Syntax To export a certificate from an Oracle wallet: orapki wallet export -wallet <wallet_location> -dn <user_dn> -cert <certificate_filename> ■ The -wallet parameter specifies the location of the wallet from which you want to export the certificate. ■ The -dn parameter specifies the distinguished name of the certificate. ■ The -cert parameter specifies the name of the file that contains the exported certificate. 
- F Entrust-Enabled SSL Authentication Entrust Authority (formerly known as Entrust/PKI) is a suite of PKI products provided by Entrust, Inc., that provides certificate generation, certificate revocation, and key and certificate management. Oracle Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle environment security. 
- Benefits of Entrust-Enabled Oracle Advanced Security Entrust-enabled Oracle Advanced Security provides: ■ Enhanced X.509-Based Authentication and Single Sign-On ■ Integration with Entrust Authority Key Management ■ Integration with Entrust Authority Certificate Revocation Note: Oracle Advanced Security has been certified as Entrust-Ready by Entrust, Inc., as of Release 8.1.7. See Also: http://www.entrust.com Enhanced X. 
- Required System Components for Entrust-Enabled Oracle Advanced Security To implement Entrust-enabled Oracle Advanced Security, the following system components are required: ■ Entrust Authority for Oracle ■ Entrust Authority Server Login Feature ■ Entrust Authority IPSec Negotiator Toolkit Note: In the following sections, the term client refers to a client connecting to an Oracle database, and the term server refers to the host on 
- Entrust Authority Security Manager Entrust Authority Security Manager is the centerpiece of Entrust's PKI technology. It performs core certificate authority, certificate, and user management functions, such as creating users and user profiles containing the user's credentials. Note: Oracle only supports the use of Entrust-enabled Oracle Advanced Security with versions of Entrust Authority Security Manager that run on Oracle Database. 
- Entrust Authentication Process Entrust Authority Server Login Feature provides single sign-on by enabling Oracle Database server process access to incoming SSL connections. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust profile on the server for every incoming connection. Contact your Entrust representative to get Entrust Authority Server Login Feature. 
- Enabling Entrust Authentication Figure F–1 Entrust Authentication Process [figure: Entrust Authority and Administration; user's Entrust profile (Entrust Entelligence) on the Oracle client; server's Entrust profile (unattended login) on the Oracle server; SSL connection between client and server; recovery catalog] See Also: "How SSL Works in an Oracle Environment: The SSL Handshake" on page 7-4 Enabling Entrust Authentication This section describes the following tasks, which are required to configure Entrust-enabled Oracle Advanced Security SSL authent 
- Administrator-Created Entrust Profiles Administrators create Entrust profiles as follows: 1. The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. See Also: The Entrust administration documentation for information about creating Entrust Users 2. The administrator enters the user's name and password. 3. The Entrust Authority creates the profile, or .epf file. 4. 
- Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL For Oracle Advanced Security 10g Release 1 (10.1), Entrust support installs in Typical mode. A single Oracle installation supports the use of both Oracle Wallets and Entrust profiles. See Also: Oracle Database operating system-specific installation documentation Configuring SSL on the Client and Server for Entrust-Enabled SSL Configure SSL on the client and server. 
- Configuring Entrust on a Windows Client If the client resides on a Windows platform, ensure that the Entrust Entelligence Desktop Manager component is installed on the client and perform the following steps to set up the Entrust credentials. 1. Set the WALLET_LOCATION parameter in the sqlnet.ora file. For example: WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA= (INIFILE=initialization_file_location) ) ) where initialization_file_location is the path to the . 
- 2. Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file: WALLET_LOCATION = (SOURCE = (METHOD = ENTR) (METHOD_DATA = (PROFILE = profile_location) (INIFILE = initialization_file_location) ) ) 3. Set the CLASSPATH environment variable to include the following paths: $ORACLE_HOME/JRE/lib/rt.jar $ORACLE_HOME/JRE/lib/i18n.jar $ORACLE_HOME/jlib/ewt*.jar $ORACLE_HOME/jlib/help*. 
- Note: Ensure that the listener has a TCPS listening endpoint, then start the listener. 5. Start the Oracle database instance. Configuring Entrust on a Windows Server If the server is on a Windows platform, perform the following steps: See Also: "Required System Components for Entrust-Enabled Oracle Advanced Security" for information about downloading Entrust Entelligence Desktop Manager. 1. Stop the Oracle database instance. 2. 
- Issues and Restrictions that Apply to Entrust-Enabled SSL Note: For all Windows environments, Oracle Corporation recommends that you do not install Entrust Entelligence Desktop Manager on the server computer. Creating Entrust-Enabled Database Users Create global users in the database based on the distinguished name (DN) of each Entrust user. For example: SQL> create user jdoe identified globally as 'cn=jdoe,o=oracle,c=us'; where "cn=jdoe, o=oracle, c=us" is the Entrust distinguished name of the user. 
- Troubleshooting Entrust In Oracle Advanced Security In addition, the following restrictions apply: ■ The use of Entrust components for digital signatures in applications based on Oracle is not supported. ■ The Entrust-enabled Oracle Advanced Security integration is only supported with versions of Entrust Authority Release 6.0 and later running on Oracle Database. ■ The use of earlier releases of Entrust Authority with Entrust-enabled Oracle Advanced Security is not supported. 
- ■ Invalid Entrust initialization file specified ■ Entrust Server Login program has not executed on the server Action: To get more detail on the Entrust error, turn on tracing for SQL*Plus; the trace output should indicate the Entrust failure code. Enable tracing by specifying the following parameters in the sqlnet. 
- Action: Ensure that the location of the Entrust initialization file is specified in the WALLET_LOCATION parameter in the sqlnet.ora file on the client. See Also: ■ "Configuring Entrust on a UNIX Client" on page F-8 ■ "Configuring Entrust on a Windows Client" on page F-9 Error Messages Returned When Running Entrust on Windows Platforms You may encounter the following error messages if you are running Entrust on a Windows platform. 
- Action: Perform the following tasks to enable tracing on the server: 1. Choose Control Panel > Services. 2. In the Services dialog box, double click OracleTNSListener and change the Log On As from the System Account to the account that is currently logged in. This enables the server process to read the .ual file. Click OK to make the change and you are returned to the Services dialog box. 
- Search for and locate the string "fail" or "ntz*" function calls. Adjacent to these, error messages are listed that provide details about the problem you are encountering. General Checklist for Running Entrust on Any Platform The following items apply to all platforms: 1. Confirm that the Entrust Authority is online. 2. Confirm that the .ual file is generated. These files are created for unattended login credentials. 
- Checklist for Entrust Installations on Windows The following checklist items apply only to Entrust installations on the Windows platform. 1. Ensure that you are logged into Entrust Entelligence Desktop Manager and retry. 2. Choose Windows > Control Panel > Services to confirm that the Entrust Login Interface service has started and is running. 3. 
- G Using the User Migration Utility This chapter describes the User Migration Utility, which can be used to perform bulk migrations of database users to an LDAP directory where they are stored and managed as enterprise users. 
- Introduction to the User Migration Utility ■ Provides the infrastructure to enable single sign-on using X.509v3-compliant certificates, which is typically deployed where end-to-end SSL is required ■ Enhanced security Because an enterprise user model is easier to manage, security administrators can perform necessary maintenance changes to user information immediately so they have better control over access to critical network resources. 
- Note: After external users are migrated, their external authentication and authorization mechanisms are replaced by directory-based mechanisms. New passwords are randomly generated for migrated users if they are mapped to newly created directory entries. Bulk User Migration Process Overview Bulk user migration is a two-phase process. 
- Step 3: Phase Two Completing the Migration After the interface table user information is checked, then in phase two the utility retrieves the information from the table and updates the directory and the database. 
- Table G–1 ORCL_GLOBAL_USR_MIGRATION_DATA Table Schema (Column Name, Data Type, Null, Description): USERNAME (Primary Key), VARCHAR2(30), NOT NULL, Database user name. OLD_SCHEMA_TYPE, VARCHAR2(10), nullable, Old schema type in the database before migration. PASSWORD_VERIFIER, VARCHAR2(30), nullable, Not used. USERDN, VARCHAR2(4000), nullable, Distinguished Name (DN) of the user in the directory (new or existing). 
- Which Interface Table Column Values Can Be Modified between Phase One and Phase Two? After running phase one of the utility, if necessary, enterprise user administrators can change the interface table columns that are listed in Table G–2. 
- If some users want to retain the objects in their local database schemas and be mapped to a shared schema, then the administrator can manually migrate those objects to the shared schema before performing the bulk user migration. However, when objects are migrated to a shared schema, they are shared among all users who share that new schema. Table G–3 summarizes the effects of setting the MAPSCHEMA and CASCADE parameters. 
- Prerequisites for Performing Migration 5. Drops or alters the migrating users' local database schemas. (optional) Note: In the current release, the utility migrates users with certificate-based authentication and makes them ready for password authentication. Previously SSL-based authenticated users should reset their Oracle database passwords. User wallets are not created as part of this process. 
- Required Directory Privileges In addition to the required database privileges, enterprise user administrators must have the directory privileges which allow them to perform the following tasks: ■ Create entries in the directory under the specified user base and Oracle context location ■ Browse the user entries under the search bases Required Setup to Run the User Migration Utility Perform the following steps before using the User Migration Utility: 1. 
- User Migration Utility Command Line Syntax Note: ■ If you plan to use shared schema mapping when migrating users, then you must create the shared schema before running this utility. ■ The same ldap.ora file must be used for both phase one and phase two of a user migration. 
- Accessing Help for the User Migration Utility DIRLOCATION=ldap_directory_host:ldap_directory_port USERSLIST=username1:username2:username3:... 
- User Migration Utility Parameters The following sections list the available parameter keywords and the values that can be used with them when running this utility. The keywords are not case-sensitive. Keyword: HELP Valid Values: YES or NO (These values are not case-sensitive.) Default Setting: NO Syntax Examples: HELP=YES Description: This keyword is used to display help for the utility. YES displays the complete command-line syntax. 
- Syntax Examples: DBLOCATION=my_oracle.us.oracle.com:7777:ora902 Description: Provides the host name, port number, and SID for the database instance. Restrictions: ■ This parameter is mandatory. ■ The value for this parameter must be the same for both phase one and phase two. ■ The database should be configured for encryption and integrity. Keyword: DIRLOCATION Valid Values: host:port Default Setting: This value is automatically populated from the ldap. 
- Keyword: ENTADMIN Valid Values: userDN:password Default Setting: No default setting. Syntax Examples: ENTADMIN=cn=janeadmin,dc=acme,dc=com:welcome Description: User Distinguished Name (UserDN) and the directory password for the enterprise directory administrator with the required privileges for logging in to the directory. UserDN can also be specified within double quotation marks ("..."). Restrictions: This parameter is mandatory. 
- Description: Specifies which users are to be migrated. If multiple values are specified for this parameter, then the utility uses the union of these sets of users. Restrictions: This parameter is mandatory for phase one only, and it is ignored in phase two. Keyword: USERSLIST Valid Values: user1:user2:... Separate user names with a colon (:). Default Setting: No default setting. 
- Keyword: MAPSCHEMA Valid Values: schema_type:schema_name Schema type can be: ■ PRIVATE Retains users' old local schemas. Schema name is ignored when schema type is PRIVATE. No mapping entries are created in the directory. ■ SHARED Maps users to a shared schema. Mapping entries are created in the directory. Schema name specifies the shared schema name. 
- Keyword: MAPTYPE Valid Values: mapping_type:mapping_level Mapping type can be: ■ DB ■ DOMAIN Mapping level can be: ■ ENTRY ■ SUBTREE Separate mapping type from mapping level with a colon (:). (These values are not case-sensitive.) Default Setting: DB:ENTRY Syntax Examples: MAPTYPE=DOMAIN:SUBTREE Description: Specifies the type of schema mapping that is to be applied when "Keyword: MAPSCHEMA" is set to SHARED. 
- Keyword: CASCADE Valid Values: ■ NO When users are mapped to a shared schema, the utility tries to drop their local schemas from the database. If this parameter is set to NO, then users are migrated only if they do not own objects in their local schema. Users who own objects in their old local schemas do not migrate and produce an error message in the migration log file. 
- Default Setting: This value is automatically populated from the DEFAULT_ADMIN_CONTEXT setting in the ldap.ora file by default. This places new user entries directly under the Oracle Context's parent entry. In 10g Release 1 (10.1), this is not the preferred location for user entries, so do not use the default setting for this parameter unless it is specifically desired. Instead, Oracle recommends that you use "cn=Users, " as your default. 
- User Migration Utility Usage Examples Description: Specifies a text file which contains a list of these parameters that are intended to be used in a user migration. Each parameter must be listed on a separate line in the file. If a parameter is specified in both the parameter file and on the command line, then the one specified on the command line takes precedence. 
- parameter, the utility runs phase one using the default value, PRIVATE, so all users' old database schemas and objects are retained. Migrating Users and Mapping to a Shared Schema To migrate users and map them to a new shared schema, dropping their old database schemas, set the MAPSCHEMA parameter to SHARED. The shared schema must already exist or the enterprise user administrator must create it before running the utility with this parameter setting. 
- Mapping Users to a Shared Schema Using Different CASCADE Options The CASCADE parameter setting determines whether users' old database schemas are automatically dropped when mapping to a shared schema during migration. CASCADE can be used only when MAPSCHEMA is set to SHARED. Mapping Users to a Shared Schema with CASCADE=NO By default, the CASCADE parameter is set to NO. 
- DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome After phase one completes successfully, the interface table is populated with the user migration information. Then the administrator can review the table to confirm its contents. Because the CASCADE parameter is set to YES, all migrated users' old database schemas are automatically dropped, including those who own database objects. 
- Example G–3 Migrating Users with Shared Schema Mapping Using the MAPTYPE Parameter umu PHASE=ONE DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager USERS=ALL_EXTERNAL:LIST USERSLIST=scott1:scott2 MAPSCHEMA=SHARED:schema_32 MAPTYPE=DOMAIN:ENTRY DIRLOCATION=machine2:636 CONTEXT="c=Users, c=us" ENTADMIN="cn=janeadmin":welcome umu PHASE=TWO DBLOCATION=machine1:1521:ora_sid DBADMIN=system:manager DIRLOCATION=machine2:636 ENTADMIN="cn=janeadmin":welcome About Using t 
- Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters It is possible to enter user information and User Migration Utility parameters into a text file and pass the information and parameters to the utility using the PARFILE and USERSFILE parameters. The LOGFILE parameter sets the directory path for the log file where details about the migration for each user are written. 
- Troubleshooting Using the User Migration Utility Example G–6 Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters umu PHASE=ONE DBADMIN=system:manager PARFILE=par.txt LOGFILE=errorfile2 Note: Although the LOGFILE parameter is specified twice, once in the parameter text file as errorfile1 (shown in Example G–4) and once on the command line as errorfile2 (shown in Example G–6), command-line parameters take precedence over those specified inside the parameter file. 
- ■ Database connection failure ■ Database error: < database_error_message > ■ Database not in any domain : : DB-NAME = < database_name > ■ Database not registered with the directory : : DB-NAME = < dbName > ■ Directory connection failure ■ Directory error : : < directory_error_message > ■ Multiple entries found : : uniqueMember = < database_DN > Attribute value missing : : orclCommonNicknameAttribute Cause: The nickname attribute is not set in t 
- Cause: There is no entry for the database in the Oracle context that the ldap.ora file points to. Action: Use Database Configuration Assistant or Enterprise Security Manager to register the database in the directory. Directory connection failure Cause: The utility was unable to connect to the directory. Action: Perform these steps: 1. 
- ■ Getting local host name failed ■ Interface table creation in SYS schema not allowed ■ Invalid argument or value : : < argument > ■ Invalid arguments for the phase ■ Invalid value : : < user > [ USERSFILE ] ■ Invalid value : : < user > [ USERSFILE ] { = = DBADMIN } ■ Invalid value : : < user > [ USERSLIST ] ■ Invalid value : : < user > [ USERSLIST ] { = = DBADMIN } ■ Logging failure : : < io_error_message > ■ No entry found : : CONTEXT = 
- 2. Check to ensure that the file has the correct permissions so the utility can read it. Getting local host name failed Cause: Syntax error. The utility is unable to read the local host name for the database location or the directory location. Action: Explicitly enter the hostname information with the DBLOCATION and DIRLOCATION parameters. 
- Invalid value : : < user > [ USERSFILE ] Cause: Syntax error. The user that is specified in this error message is invalid because it is not a user in the database that is specified in the DBLOCATION parameter. Action: Remove the invalid user from the file that is specified with the USERSFILE parameter. Invalid value : : < user > [ USERSFILE ] { = = DBADMIN } Cause: Syntax error. 
- Resolving Error Messages Displayed for Phase Two Most of the error messages that you encounter while running this utility occur in phase one. After phase one has completed successfully, and while phase two is running, the following error may occur: Database object missing : : TABLE = ORCL_GLOBAL_USR_MIGRATION_DATA Cause: The utility cannot find the interface table. 
- Action: Specify a different DN for the user. Common Log Messages for Phase Two While the utility is running phase two of the migration, messages that indicate a user has not successfully migrated may be written to the log file. 
- SCHEMA column of the interface table and run phase two of the utility for this user again. ■ Create the shared schema in the database and run phase two of the utility for this user again. Entry found : : DN = < user_DN > This message typically occurs with the message Invalid value::=. Cause: An entry already exists for the specified user DN. 
- Table G–4 (Cont. 
- Table G–5 Alphabetical Listing of User Migration Utility Log Messages (Log Message, Page, Phase): Invalid value : :  = < interface_table_column_value >, page G-34, phase 2. Multiple entries found : : < nickname_attribute > = < username >, page G-32, phase 1. No entry found : : DN = < user_DN >, page G-34, phase 2. No entry found : : < nickname_attribute > = < username > : : Entry found : DN = < dn >, page G-32, phase 1. 
- Glossary access control The ability of a system to grant or limit access to specific data for specific clients or groups of clients. Access Control Lists (ACLs) The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both. 
- authentication The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender. authentication method A security method that verifies a user's, client's, or server's identity in distributed environments. 
- CDS See Cell Directory Services (CDS) Cell Directory Services (CDS) An external naming method that enables users to use Oracle tools transparently and applications to access Oracle databases in a Distributed Computing Environment (DCE). certificate An ITU X.509 v3 standard data structure that securely binds an identity to a public key. A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority.
- provide additional information about the subject identity, such as postal address, or a challenge password by which the subject entity may later request certificate revocation. See PKCS #10 certificate revocation lists (CRLs) Signed data structures that contain a list of revoked certificates. The authenticity and integrity of the CRL is provided by a digital signature appended to it. Usually, the CRL signer is the same entity that signed the issued certificate. 
- client A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy). confidentiality A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext). connect descriptor A specially formatted description of the destination for a network connection. 
- form of a URL. CRL DPs allow revocation information within a single certificate authority domain to be posted in multiple CRLs. CRL DPs subdivide revocation information into more manageable pieces to avoid proliferating voluminous CRLs, thereby providing performance benefits. For example, a CRL DP is specified in the certificate and can point to a file on a Web server from which that certificate's revocation information can be downloaded. 
- A public or private database link from one database to another is created on the local database by a DBA or user. A global database link is created automatically from each database to every other database in a network with Oracle Names. Global database links are stored in the network definition. database method See Oracle database method database password verifier A database password verifier is an irreversible value that is derived from the user's database password. 
- Diffie-Hellman key negotiation algorithm A method that lets two parties communicating over an insecure channel agree on a secret random value known only to them. Although the parties exchange information over the insecure channel while the algorithm runs, it is computationally infeasible for an attacker to deduce the agreed value by analyzing their network communications. The exchange by itself does not authenticate either party; see man-in-the-middle.
- domain Any tree or subtree within the Domain Name System (DNS) namespace. Domain most commonly refers to a group of computers whose host names share a common suffix, the domain name. Domain Name System (DNS) A system for naming computers and network services that is organized into a hierarchy of domains. DNS is used in TCP/IP networks to locate computers through user-friendly names. DNS resolves a friendly name into an IP address, which is understood by computers. 
- enterprise user A user defined and managed in a directory. Each enterprise user has a unique identity across an enterprise. entry The building block of a directory, it contains information about an object of interest to directory users. external authentication Verification of a user identity by a third-party authentication service, such as Kerberos or RADIUS. file system method Storing fingerprint templates in files when configuring Identix Biometric authentication.
- Global Directory Service (GDS) GDS is the DCE directory service that acts as an agent between DCE CDS and any X.500 directory service. Both GDS and CDS are obsolete; they are only used by DCE. global role A role managed in a directory, but its privileges are contained within a single database. 
- identity management realm A subtree in Oracle Internet Directory, including not only an Oracle Context, but also additional subtrees for users and groups, each of which are protected with access control lists. initial ticket In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket. 
- KDC Key Distribution Center. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit (okinit is the Oracle version) program for the user's initial ticket. Frequently, the KDC and the Ticket Granting Service are combined into the same entity and are simply referred to as the KDC. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service. 
- kservice An arbitrary name of a Kerberos service object. LDAP See Lightweight Directory Access Protocol (LDAP) ldap.ora file A file created by Oracle Net Configuration Assistant that contains the following directory server access information: ■ Type of directory server ■ Location of the directory server ■ Default identity management realm or Oracle Context (including ports) that the client or server will use Lightweight Directory Access Protocol (LDAP) A standard, extensible directory access protocol. 
- man-in-the-middle A security attack characterized by the surreptitious interception of a message by a third party, the man-in-the-middle, who decrypts the message, re-encrypts it (with or without altering the original message), and retransmits it to the originally intended recipient, all without the knowledge of the legitimate sender and receiver. In a key exchange such as Diffie-Hellman, the attacker does this by negotiating a separate key with each endpoint while each endpoint believes it is talking to the other. This type of attack works only in the absence of authentication.
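Worked example for the Diffie-Hellman key negotiation algorithm and man-in-the-middle entries above. This is added illustration, not code from the Oracle guide or from Oracle's implementation: it runs an honest exchange, then shows how an attacker who relays the public values ends up holding a session key with each side while the two sides detect nothing, and finally shows the exchange aborting when the server's public value is authenticated. The group parameters (the Mersenne prime 2**127 - 1 with generator 3) are toy values chosen so the script runs instantly; a real deployment uses a standardized group of at least 2048 bits. The pre-shared HMAC key in the authenticated variant is an assumption standing in for whatever long-term credential authenticates the peer, such as a certificate signature in SSL or a Kerberos ticket.

```python
"""Added example: unauthenticated vs. authenticated Diffie-Hellman.

Toy parameters: P is the Mersenne prime 2**127 - 1 with generator 3. They are
large enough to make the arithmetic non-trivial but are NOT a safe group for
real use; deployments use standardized groups of 2048 bits or more.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # toy 127-bit prime (assumption, illustration only)
G = 3

# Stand-in for a long-term authentication credential shared by Alice and Bob
# (assumption; in SSL this role is played by the server's certificate).
AUTH_KEY = b"illustrative long-term secret shared by Alice and Bob"


def dh_keypair():
    """Private exponent x in [2, P-2] and the public value G**x mod P."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared_secret(private, peer_public):
    """Compute peer_public**private mod P.

    Rejects the degenerate values 0, 1 and P-1: a peer who sends one of these
    forces the shared secret into a tiny, guessable set.
    """
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def session_key(shared):
    """Hash the raw group element into a fixed-length symmetric session key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_exchange():
    """Alice and Bob exchange public values and derive the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = session_key(dh_shared_secret(a_priv, b_pub))
    k_bob = session_key(dh_shared_secret(b_priv, a_pub))
    return k_alice == k_bob


def mitm_exchange():
    """Mallory intercepts both public values and substitutes her own.

    Returns (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob).
    Alice and Bob each end up sharing a key with Mallory and none with each
    other, yet both exchanges completed without any error: nothing in the
    handshake told either side who it was actually talking to.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ma_priv, ma_pub = dh_keypair()      # Mallory's pair facing Alice
    mb_priv, mb_pub = dh_keypair()      # Mallory's pair facing Bob
    k_alice = session_key(dh_shared_secret(a_priv, ma_pub))   # Alice thinks ma_pub is Bob's
    k_bob = session_key(dh_shared_secret(b_priv, mb_pub))     # Bob thinks mb_pub is Alice's
    k_m_alice = session_key(dh_shared_secret(ma_priv, a_pub))
    k_m_bob = session_key(dh_shared_secret(mb_priv, b_pub))
    return k_alice, k_bob, k_m_alice, k_m_bob


def authenticated_exchange(tamper=False):
    """Bob authenticates his public value with a MAC under AUTH_KEY.

    With tamper=True Mallory replaces Bob's public value in transit but cannot
    forge the tag, so Alice's check fails and the exchange is aborted instead
    of silently yielding a key Mallory knows. Returns True if Alice accepts.
    """
    _, b_pub = dh_keypair()
    tag = hmac.new(AUTH_KEY, b_pub.to_bytes(16, "big"), hashlib.sha256).digest()
    if tamper:
        _, b_pub = dh_keypair()         # substituted value, original tag kept
    expected = hmac.new(AUTH_KEY, b_pub.to_bytes(16, "big"), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    ka, kb, kma, kmb = mitm_exchange()
    print("MITM: Alice==Mallory", ka == kma, "Bob==Mallory", kb == kmb, "Alice==Bob", ka == kb)
    print("authenticated, untampered accepted:", authenticated_exchange())
    print("authenticated, tampered accepted:", authenticated_exchange(tamper=True))
```

The point the glossary makes in one sentence is visible in mitm_exchange: the arithmetic is identical to the honest case, so confidentiality of the channel is worthless unless something outside the exchange binds the public values to identities, which is what authenticated_exchange adds.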
- client requests a directory lookup of a net service alias, the directory determines that the entry is a net service alias and completes the lookup as if it were the entry it references. net service name The name used by clients to identify a database server. A net service name is mapped to a port number and protocol. Also known as a connect string, or database alias.
- object class A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes. All objects associated with the same object class share the same attributes. Oracle Context 1. An entry in an LDAP-compliant internet directory called cn=OracleContext, under which all Oracle software relevant information is kept, including entries for Oracle Net Services directory naming and enterprise user security. 
- peer identity SSL connect sessions are between a particular client and a particular server. The identity of the peer may have been established as part of session setup. Peers are identified by X.509 certificate chains. PEM The Internet Privacy-Enhanced Mail protocols standard, adopted by the Internet Architecture Board to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management. 
- principal A string that uniquely identifies a client or server to which a set of Kerberos credentials is assigned. It generally has three parts: kservice/kinstance@REALM. In the case of a user, kservice is the username. See also kservice, kinstance, and realm private key In public-key cryptography, this key is the secret key. It is primarily used for decryption and for creating digital signatures.
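Added example for the principal entry above (illustration only, not code from the Oracle guide or from Oracle's Kerberos adapter): a parser for the kservice/kinstance@REALM form, treating a name without an instance as a user principal whose kservice is the username, and a check a server might apply to make sure the service principal it was handed names the service and host it expects. The principal names in the test are made up.

```python
"""Added example: parse and check Kerberos principal names.

Form: kservice/kinstance@REALM. A user principal has no kinstance, so its
kservice is the username. Malformed names are rejected rather than guessed
at. The host/service match is an illustration of a server-side check, not
Oracle's implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    kservice: str
    kinstance: Optional[str]
    realm: str

    @property
    def is_user(self) -> bool:
        """User principals carry no instance; kservice is then the username."""
        return self.kinstance is None

    def __str__(self) -> str:
        name = self.kservice if self.is_user else f"{self.kservice}/{self.kinstance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split kservice[/kinstance]@REALM into its parts.

    Splits on the rightmost '@' so the realm is unambiguous. An empty
    component, a missing realm, or more than one '/' in the name part is an
    error: a principal that does not fit the expected shape should never be
    silently coerced into one that does.
    """
    if "@" not in text:
        raise ValueError(f"principal has no realm: {text!r}")
    name, realm = text.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"empty name or realm: {text!r}")
    parts = name.split("/")
    if len(parts) > 2 or any(part == "" for part in parts):
        raise ValueError(f"malformed name component: {text!r}")
    kinstance = parts[1] if len(parts) == 2 else None
    return Principal(parts[0], kinstance, realm)


def service_principal_matches(p: Principal, service: str, host: str, realm: str) -> bool:
    """True only for a service principal whose service, host and realm all match.

    Host names compare case-insensitively because DNS names are; service and
    realm compare exactly, since Kerberos treats them as case-sensitive. A
    user principal never matches a service.
    """
    return (
        p.kinstance is not None
        and p.kservice == service
        and p.kinstance.lower() == host.lower()
        and p.realm == realm
    )


if __name__ == "__main__":
    # Made-up names for illustration.
    svc = parse_principal("oracle/dbhost.example.com@EXAMPLE.COM")
    usr = parse_principal("scott@EXAMPLE.COM")
    print(svc, "user?", svc.is_user)
    print(usr, "user?", usr.is_user)
    print(service_principal_matches(svc, "oracle", "DBHOST.example.com", "EXAMPLE.COM"))
```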
- mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. 
- schema mapping See user-schema mapping Secure Hash Algorithm (SHA) An algorithm that assures data integrity by generating a 160-bit cryptographic message digest (SHA-1) from given data. If as little as a single bit in the data is modified, the digest for the data changes. Forging a data set so that the Secure Hash Algorithm generates the same digest as for the original data is considered computationally infeasible.
- service ticket Trusted information used to authenticate the client. A ticket-granting ticket, which is also known as the initial ticket, is obtained by directly or indirectly running okinit and providing a password, and is used by the client to ask for service tickets. A service ticket is used by a client to authenticate to a service. session key A key shared by at least two parties (usually a client and a server) that is used for data encryption for the duration of a single communication session. 
- single sign-on (SSO) The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication. Oracle Advanced Security supports Kerberos, DCE, and SSL-based single sign-on. 
- System Global Area (SGA) A group of shared memory structures that contain data and control information for an Oracle instance. system identifier (SID) A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the CONNECT_DATA part of the connect descriptor in a tnsnames.ora file, and in the definition of the network listener in a listener.ora file. ticket A piece of information that identifies its owner to a service. See initial ticket and service ticket.
- is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified. trusted certificate authority See certificate authority trust point See trusted certificate username A name that can connect to and access objects in a database. 
- Wallet Resource Locator A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet. Windows NT native authentication An authentication method that enables a client single login access to a Windows server and a database running on that server. WRL See Wallet Resource Locator X.509 An industry-standard specification for digital certificates. 
- Index A accounting, RADIUS, 5-19 activating checksumming and encryption, 3-6 adapters, 1-15 asynchronous authentication mode in RADIUS, 5-5 ATTENTION_DESCRIPTION column, G-5 authenticated RPC protocol adapter includes, 10-3 authentication, 1-15 configuring multiple methods, 9-4 methods, 1-10 modes in RADIUS, 5-3 B benefits of Oracle Advanced Security, 1-4 C CASCADE parameter, G-6 CASCADE_FLAG column, G-5, G-6 CDS. 
- on the server, 7-15 thin JDBC support, 4-1 connecting across cells, 10-12 to an Oracle database to verify roles, 10-14 to an Oracle server in DCE, 10-23 with username and password, 10-25 without username and password, 10-24 with username and password, 9-1 creating Oracle directories in CDS, 10-6 principals and accounts, 10-5 CRL, 7-7 CRLAdmins directory administrative group, E-11 CRLs disabling on server, 7-40 where to store them, 7-37 cryptographic hardware devices, 7-8 D Data Encryption Standard (DES), 3 
- enterprise user security components, 11-25 configuration flow chart, 12-3 configuration roadmap, 12-4 directory entries, 11-11 enterprise domains, 11-14 enterprise roles, 11-12 enterprise users, 11-11 mapping, 11-20 global roles, 11-12 groups OracleContextAdmins, 11-18 OracleDBCreators, 11-18 OracleDBSecurityAdmins, 11-18 OraclePasswordAccessibleDomains, OracleUserSecurityAdmins, 11-18 overview, 11-2 shared schemas, 11-19 configuring, 11-20 tools summary, 2-13 using third-party directories, 11-5 Entrust Aut 
- Oracle O3LOGON, 4-2 thin driver features, 4-2 Java Database connectivity (JDBC) implementation of Oracle Advanced Security, 4-1 JDBC. See Java Database Connectivity K Kerberos, 1-10 authentication adapter utilities, 6-11 configuring authentication, 6-2, 6-5 kinstance, 6-3 kservice, 6-3 realm, 6-3 sqlnet.ora file sample, A-2 system requirements, 1-17 kinstance (Kerberos), 6-3 kservice (Kerberos), 6-3 L LAN environments vulnerabilities of, 1-3 ldap. 
- Oracle service names, 10-3 loading into CDS, 10-22 Oracle Wallet Manager importing PKCS #7 certificate chains, 8-22 OracleContextAdmins group, 11-18 OracleDBCreators group, 11-18 OracleDBSecurityAdmins group, 11-18 OraclePasswordAccessibleDomains group, 11-18 OracleUserSecurityAdmins group, 11-18 orapki adding a certificate request to a wallet with, E-5 adding a root certificate to a wallet with, E-5 adding a trusted certificate to a wallet with, E-5 adding user certificates to a wallet with, E-5 creating a 
- challenge-response authentication, 5-5 user interface, C-1, C-2 configuring, 5-9 database links not supported, 5-2, 11-24 location of secret key, 5-14 smartcards and, 1-11, 5-7, 5-14, C-1 sqlnet.ora file sample, A-3 synchronous authentication mode, 5-3 system requirements, 1-17 RC4 encryption algorithm, 1-6, 3-3 realm (Kerberos), 6-3 restrictions, 1-17 revocation, F-2 roles managing with RADIUS server, 5-21 roles, external, mapping to DCE groups, 10-12 RSA Security, Inc. 
- SQLNET.KERBEROS5_CONF parameter, 6-9 SQLNET.KERBEROS5_CONF_MIT parameter, 6-9 SQLNET.KERBEROS5_KEYTAB parameter, 6-9 SQLNET.KERBEROS5_REALMS parameter, 6-9 sqlnet.ora file Common sample, A-2 FIPS 140-1 parameters, D-1 Kerberos sample, A-2 modifying so CDS can resolve names, 10-22 NAMES.DIRECTORY_PATH parameter, 10-23 Oracle Advanced Security checksum sample, A-2 Oracle Advanced Security encryption sample, A-2 OSS.SOURCE. 
- TLS See Secure Sockets Layer (SSL) tnsnames.ora file loading into CDS using tnnfg, 10-22 modifying to load connect descriptors into CDS, 10-21 renaming, 10-22 token cards, 1-11 trace file set up sample for sqlnet. 
- managing certificates, 8-20 managing trusted certificates, 8-25 opening, 8-13 Oracle Applications wallet location, 8-18 saving, 8-17 setting location, 7-16 SSL wallet location, 8-11, 8-18 SSO wallets, 8-19 X X.509 certificate difference from PKCS #7 certificate chain, X. 