Skip Headers
Oracle® Database Advanced Security Administrator's Guide
10g Release 2 (10.2)

Part Number B14268-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to next page
Next
PDF · Mobi · ePub

Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

Audience
Documentation Accessibility
Organization
Related Documentation
Conventions

What's New in Oracle Advanced Security?

Oracle Database 10g Release 2 (10.2) New Features in Oracle Advanced Security
Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

1.1 Security Challenges in an Enterprise Environment
1.1.1 Security in Enterprise Grid Computing Environments
1.1.2 Security in an Intranet or Internet Environment
1.1.3 Common Security Threats
1.1.3.1 Eavesdropping and Data Theft
1.1.3.2 Data Tampering
1.1.3.3 Falsifying User Identities
1.1.3.4 Password-Related Threats
1.2 Solving Security Challenges with Oracle Advanced Security
1.2.1 Data Encryption
1.2.1.1 Supported Encryption Algorithms
1.2.1.2 Data Integrity
1.2.1.3 Federal Information Processing Standard
1.2.2 Strong Authentication
1.2.2.1 Centralized Authentication and Single Sign-On
1.2.2.2 Supported Authentication Methods
1.3 Oracle Advanced Security Architecture
1.4 Secure Data Transfer Across Network Protocol Boundaries
1.5 System Requirements
1.6 Oracle Advanced Security Restrictions

2 Configuration and Administration Tools Overview

2.1 Network Encryption and Strong Authentication Configuration Tools
2.1.1 Oracle Net Manager
2.1.1.1 Starting Oracle Net Manager
2.1.1.2 Navigating to the Oracle Advanced Security Profile
2.1.1.3 Oracle Advanced Security Profile Property Sheets
2.1.2 Oracle Advanced Security Kerberos Adapter Command-Line Utilities
2.2 Public Key Infrastructure Credentials Management Tools
2.2.1 Oracle Wallet Manager
2.2.1.1 Starting Oracle Wallet Manager
2.2.1.2 Navigating the Oracle Wallet Manager User Interface
2.2.1.3 Toolbar
2.2.1.4 Menus
2.2.2 orapki Utility
2.3 Duties of a Security Administrator/DBA

Part II Data Encryption and Integrity

3 Transparent Data Encryption

3.1 About Transparent Data Encryption
3.1.1 Benefits of Using Transparent Data Encryption
3.1.2 When to Use Transparent Data Encryption
3.1.3 How Transparent Data Encryption Works
3.1.4 Overview of Basic Transparent Data Encryption Operations
3.2 Using Transparent Data Encryption
3.2.1 Enabling Transparent Data Encryption
3.2.2 Opening the Encrypted Wallet for Database Access to Encryption Keys
3.2.2.1 Using Wallets with Automatic Login Enabled for Transparent Data Encryption
3.2.2.2 Specifying an Additional Wallet Location in SQLNET.ORA
3.2.3 Setting and Resetting the Master Key
3.2.3.1 Setting the Master Key for First Time Use of Transparent Data Encryption
3.2.3.2 Resetting the Master Key
3.2.4 Adding or Removing Salt from an Encrypted Column
3.2.5 Creating Tables That Contain Encrypted Columns
3.2.5.1 Creating a Table with an Encrypted Column That Uses the Default Algorithm
3.2.5.2 Creating a Table with an Encrypted Column Using a Non-Default Algorithm and No Salt
3.2.5.3 Creating an Encrypted Column on an External Table
3.2.6 Specifying Columns for Encryption in Existing Tables
3.2.6.1 Adding Encrypted Columns to Existing Tables
3.2.6.2 Encrypting Unencrypted Columns
3.2.6.3 Disabling Encryption on a Column
3.2.7 Creating an Index on an Encrypted Column
3.2.8 Changing the Encryption Key or Algorithm on Tables Containing Encrypted Columns
3.2.9 Supported Encryption and Integrity Algorithms
3.2.10 Datatypes That Can Be Encrypted with the Transparent Data Encryption Feature
3.2.11 Quick Reference: Transparent Data Encryption SQL Commands
3.3 Managing Transparent Data Encryption
3.3.1 Oracle Wallet Management for Transparent Data Encryption
3.3.1.1 Creating Wallets
3.3.1.2 Using an Autologin Wallet
3.3.1.3 Specifying a Separate Wallet for Transparent Data Encryption
3.3.2 Backup and Recovery of Master Keys
3.3.2.1 Backup and Recovery of Oracle Wallet
3.3.2.2 Backup and Recovery of PKI Key Pair
3.3.3 Export and Import of Tables with Encrypted Columns
3.3.4 Performance Effects of Transparent Data Encryption
3.3.5 Security Considerations for Using Transparent Data Encryption
3.3.6 Transparent Data Encryption and Replication in Distributed Environments
3.3.7 Transparent Data Encryption with OCI
3.3.8 Transparent Data Encryption Data Dictionary Views

4 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

4.1 Oracle Advanced Security Encryption
4.1.1 About Encryption
4.1.2 Advanced Encryption Standard
4.1.3 DES Algorithm Support
4.1.4 Triple-DES Support
4.1.4.1 DES40 Algorithm
4.1.5 RSA RC4 Algorithm for High Speed Encryption
4.2 Oracle Advanced Security Data Integrity
4.2.1 Data Integrity Algorithms Supported
4.3 Diffie-Hellman Based Key Management
4.3.1 Authentication Key Fold-in
4.4 How To Configure Data Encryption and Integrity
4.4.1 About Activating Encryption and Integrity
4.4.2 About Negotiating Encryption and Integrity
4.4.2.1 REJECTED
4.4.2.2 ACCEPTED
4.4.2.3 REQUESTED
4.4.2.4 REQUIRED
4.4.3 Setting the Encryption Seed (Optional)
4.4.4 Configuring Encryption and Integrity Parameters Using Oracle Net Manager
4.4.4.1 Configuring Encryption on the Client and the Server
4.4.4.2 Configuring Integrity on the Client and the Server

5 Configuring Network Data Encryption and Integrity for Thin JDBC Clients

5.1 About the Java Implementation
5.1.1 Java Database Connectivity Support
5.1.2 Securing Thin JDBC
5.1.3 Implementation Overview
5.1.4 Obfuscation
5.2 Configuration Parameters
5.2.1 Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT
5.2.2 Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT
5.2.3 Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT
5.2.4 Client Integrity Selected List: ORACLE.NET.CRYPTO_CHEKSUM_TYPES_CLIENT

Part III Oracle Advanced Security Strong Authentication

6 Configuring RADIUS Authentication

6.1 RADIUS Overview
6.2 RADIUS Authentication Modes
6.2.1 Synchronous Authentication Mode
6.2.2 Challenge-Response (Asynchronous) Authentication Mode
6.3 Enabling RADIUS Authentication, Authorization, and Accounting
6.3.1 Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
6.3.2 Task 2: Configure RADIUS Authentication
6.3.2.1 Step 1: Configure RADIUS on the Oracle Client
6.3.2.2 Step 2: Configure RADIUS on the Oracle Database Server
6.3.2.3 Step 3: Configure Additional RADIUS Features
6.3.3 Task 3: Create a User and Grant Access
6.3.4 Task 4: Configure External RADIUS Authorization (optional)
6.3.5 Task 5: Configure RADIUS Accounting
6.3.5.1 Set RADIUS Accounting on the Oracle Database Server
6.3.5.2 Configure the RADIUS Accounting Server
6.3.6 Task 6: Add the RADIUS Client Name to the RADIUS Server Database
6.3.7 Task 7: Configure the Authentication Server for Use with RADIUS
6.3.8 Task 8: Configure the RADIUS Server for Use with the Authentication Server
6.3.9 Task 9: Configure Mapping Roles
6.4 Using RADIUS to Log In to a Database
6.5 RSA ACE/Server Configuration Checklist

7 Configuring Kerberos Authentication

7.1 Enabling Kerberos Authentication
7.1.1 Task 1: Install Kerberos
7.1.2 Task 2: Configure a Service Principal for an Oracle Database Server
7.1.3 Task 3: Extract a Service Table from Kerberos
7.1.4 Task 4: Install an Oracle Database Server and an Oracle Client
7.1.5 Task 5: Install Oracle Net Services and Oracle Advanced Security
7.1.6 Task 6: Configure Oracle Net Services and Oracle Database
7.1.7 Task 7: Configure Kerberos Authentication
7.1.7.1 Step 1: Configure Kerberos on the Client and on the Database Server
7.1.7.2 Step 2: Set the Initialization Parameters
7.1.7.3 Step 3: Set sqlnet.ora Parameters (optional)
7.1.8 Task 8: Create a Kerberos User
7.1.9 Task 9: Create an Externally Authenticated Oracle User
7.1.10 Task 10: Get an Initial Ticket for the Kerberos/Oracle User
7.2 Utilities for the Kerberos Authentication Adapter
7.2.1 Obtaining the Initial Ticket with the okinit Utility
7.2.2 Displaying Credentials with the oklist Utility
7.2.3 Removing Credentials from the Cache File with the okdstry Utility
7.2.4 Connecting to an Oracle Database Server Authenticated by Kerberos
7.3 Configuring Interoperability with a Windows 2000 Domain Controller KDC
7.3.1 Task 1: Configure an Oracle Kerberos Client to Interoperate with a Windows 2000 Domain Controller KDC
7.3.1.1 Step 1: Create the Client Kerberos Configuration Files to Use a Windows Domain Controller KDC
7.3.1.2 Step 2: Specify the Oracle Configuration Parameters in the sqlnet.ora File
7.3.1.3 Step 3: Specify the Listening Port Number
7.3.2 Task 2: Configure a Windows 2000 Domain Controller KDC to Interoperate with an Oracle Client
7.3.2.1 Step 1: Create the User
7.3.2.2 Step 2: Create the Oracle Database Principal
7.3.3 Task 3: Configure an Oracle Database to Interoperate with a Windows 2000 Domain Controller KDC
7.3.3.1 Step 1: Set Configuration Parameters in the sqlnet.ora File
7.3.3.2 Step 2: Create an Externally Authenticated Oracle User
7.3.4 Task 4: Obtain an Initial Ticket for the Kerberos/Oracle User
7.4 Troubleshooting

8 Configuring Secure Sockets Layer Authentication

8.1 SSL and TLS in an Oracle Environment
8.1.1 Difference between SSL and TLS
8.1.2 Using SSL
8.1.3 How SSL Works in an Oracle Environment: The SSL Handshake
8.2 Public Key Infrastructure in an Oracle Environment
8.2.1 About Public Key Cryptography
8.2.2 Public Key Infrastructure Components in an Oracle Environment
8.2.2.1 Certificate Authority
8.2.2.2 Certificates
8.2.2.3 Certificate Revocation Lists
8.2.2.4 Wallets
8.2.2.5 Hardware Security Modules
8.3 SSL Combined with Other Authentication Methods
8.3.1 Architecture: Oracle Advanced Security and SSL
8.3.2 How SSL Works with Other Authentication Methods
8.4 SSL and Firewalls
8.5 SSL Usage Issues
8.6 Enabling SSL
8.6.1 Task 1: Install Oracle Advanced Security and Related Products
8.6.2 Task 2: Configure SSL on the Server
8.6.2.1 Step 1: Confirm Wallet Creation on the Server
8.6.2.2 Step 2: Specify the Database Wallet Location on the Server
8.6.2.3 Step 3: Set the SSL Cipher Suites on the Server (Optional)
8.6.2.4 Step 4: Set the Required SSL Version on the Server (Optional)
8.6.2.5 Step 5: Set SSL Client Authentication on the Server (Optional)
8.6.2.6 Step 6: Set SSL as an Authentication Service on the Server (Optional)
8.6.2.7 Step 7: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server
8.6.3 Task 3: Configure SSL on the Client
8.6.3.1 Step 1: Confirm Client Wallet Creation
8.6.3.2 Step 2: Configure Oracle Net Service Name to Include Server DNs and Use TCP/IP with SSL on the Client
8.6.3.3 Step 3: Specify Required Client SSL Configuration (Wallet Location)
8.6.3.4 Step 4: Set the Client SSL Cipher Suites (Optional)
8.6.3.5 Step 5: Set the Required SSL Version on the Client (Optional)
8.6.3.6 Step 6: Set SSL as an Authentication Service on the Client (Optional)
8.6.4 Task 4: Log on to the Database
8.7 Troubleshooting SSL
8.8 Certificate Validation with Certificate Revocation Lists
8.8.1 What CRLs Should You Use?
8.8.2 How CRL Checking Works
8.8.3 Configuring Certificate Validation with Certificate Revocation Lists
8.8.4 Certificate Revocation List Management
8.8.4.1 Displaying orapki Help
8.8.4.2 Renaming CRLs with a Hash Value for Certificate Validation
8.8.4.3 Uploading CRLs to Oracle Internet Directory
8.8.4.4 Listing CRLs Stored in Oracle Internet Directory
8.8.4.5 Viewing CRLs in Oracle Internet Directory
8.8.4.6 Deleting CRLs from Oracle Internet Directory
8.8.5 Troubleshooting Certificate Validation
8.8.5.1 Oracle Net Tracing File Error Messages Associated with Certificate Validation
8.9 Configuring Your System to Use Hardware Security Modules
8.9.1 General Guidelines for Using Hardware Security Modules with Oracle Advanced Security
8.9.2 Configuring Your System to Use nCipher Hardware Security Modules
8.9.2.1 Oracle Components Required To Use an nCipher Hardware Security Module
8.9.2.2 About Installing an nCipher Hardware Security Module
8.9.3 Troubleshooting Using Hardware Security Modules
8.9.3.1 Error Messages Associated with Using Hardware Security Modules

9 Using Oracle Wallet Manager

9.1 Oracle Wallet Manager Overview
9.1.1 Wallet Password Management
9.1.2 Strong Wallet Encryption
9.1.3 Microsoft Windows Registry Wallet Storage
9.1.3.1 Options Supported:
9.1.4 Backward Compatibility
9.1.5 Public-Key Cryptography Standards (PKCS) Support
9.1.6 Multiple Certificate Support
9.1.7 LDAP Directory Support
9.2 Starting Oracle Wallet Manager
9.3 How to Create a Complete Wallet: Process Overview
9.4 Managing Wallets
9.4.1 Required Guidelines for Creating Wallet Passwords
9.4.2 Creating a New Wallet
9.4.2.1 Creating a Standard Wallet
9.4.2.2 Creating a Wallet to Store Hardware Security Module Credentials
9.4.3 Opening an Existing Wallet
9.4.4 Closing a Wallet
9.4.5 Exporting Oracle Wallets to Third-Party Environments
9.4.6 Exporting Oracle Wallets to Tools that Do Not Support PKCS #12
9.4.7 Uploading a Wallet to an LDAP Directory
9.4.8 Downloading a Wallet from an LDAP Directory
9.4.9 Saving Changes
9.4.10 Saving the Open Wallet to a New Location
9.4.11 Saving in System Default
9.4.12 Deleting the Wallet
9.4.13 Changing the Password
9.4.14 Using Auto Login
9.4.14.1 Enabling Auto Login
9.4.14.2 Disabling Auto Login
9.5 Managing Certificates
9.5.1 Managing User Certificates
9.5.1.1 Adding a Certificate Request
9.5.1.2 Importing the User Certificate into the Wallet
9.5.1.3 Importing Certificates and Wallets Created by Third Parties
9.5.1.4 Removing a User Certificate from a Wallet
9.5.1.5 Removing a Certificate Request
9.5.1.6 Exporting a User Certificate
9.5.1.7 Exporting a User Certificate Request
9.5.2 Managing Trusted Certificates
9.5.2.1 Importing a Trusted Certificate
9.5.2.2 Removing a Trusted Certificate
9.5.2.3 Exporting a Trusted Certificate
9.5.2.4 Exporting All Trusted Certificates

10 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

10.1 Connecting with User Name and Password
10.2 Disabling Oracle Advanced Security Authentication
10.3 Configuring Multiple Authentication Methods
10.4 Configuring Oracle Database for External Authentication
10.4.1 Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
10.4.2 Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
10.4.3 Setting OS_AUTHENT_PREFIX to a Null Value

Part IV Appendixes

A Data Encryption and Integrity Parameters

A.1 Sample sqlnet.ora File
A.2 Data Encryption and Integrity Parameters
A.2.1 Encryption and Integrity Parameters
A.2.1.1 SQLNET.ENCRYPTION_SERVER Parameter
A.2.1.2 SQLNET.ENCRYPTION_CLIENT Parameter
A.2.1.3 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter
A.2.1.4 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter
A.2.1.5 SQLNET.ENCRYPTION_TYPES_SERVER Parameter
A.2.1.6 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter
A.2.1.7 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter
A.2.1.8 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter
A.2.2 Seeding the Random Key Generator (Optional)

B Authentication Parameters

B.1 Parameters for Clients and Servers using Kerberos Authentication
B.2 Parameters for Clients and Servers using RADIUS Authentication
B.2.1 sqlnet.ora File Parameters
B.2.1.1 SQLNET.AUTHENTICATION_SERVICES
B.2.1.2 SQLNET.RADIUS_AUTHENTICATION
B.2.1.3 SQLNET.RADIUS_AUTHENTICATION_PORT
B.2.1.4 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
B.2.1.5 SQLNET.RADIUS_AUTHENTICATION_RETRIES
B.2.1.6 SQLNET.RADIUS_SEND_ACCOUNTING
B.2.1.7 SQLNET.RADIUS_SECRET
B.2.1.8 SQLNET.RADIUS_ALTERNATE
B.2.1.9 SQLNET.RADIUS_ALTERNATE_PORT
B.2.1.10 SQLNET.RADIUS_ALTERNATE_TIMEOUT
B.2.1.11 SQLNET.RADIUS_ALTERNATE_RETRIES
B.2.1.12 SQLNET.RADIUS_CHALLENGE_RESPONSE
B.2.1.13 SQLNET.RADIUS_CHALLENGE_KEYWORD
B.2.1.14 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
B.2.1.15 SQLNET.RADIUS_CLASSPATH
B.2.2 Minimum RADIUS Parameters
B.2.3 Initialization File Parameters
B.3 Parameters for Clients and Servers using SSL
B.3.1 SSL Authentication Parameters
B.3.2 Cipher Suite Parameters
B.3.2.1 Supported SSL Cipher Suites
B.3.3 SSL Version Parameters
B.3.4 SSL Client Authentication Parameters
B.3.4.1 SSL X.509 Server Match Parameters
B.3.5 Wallet Location

C Integrating Authentication Devices Using RADIUS

C.1 About the RADIUS Challenge-Response User Interface
C.2 Customizing the RADIUS Challenge-Response User Interface

D Oracle Advanced Security FIPS 140-1 Settings

D.1 Configuration Parameters
D.1.1 Server Encryption Level Setting
D.1.2 Client Encryption Level Setting
D.1.3 Server Encryption Selection List
D.1.4 Client Encryption Selection List
D.1.5 Cryptographic Seed Value
D.1.6 FIPS Parameter
D.2 Post Installation Checks
D.3 Status Information
D.4 Physical Security

E Oracle Advanced Security FIPS 140-2 Settings

E.1 Configuring FIPS Parameter
E.2 Selecting Cipher Suites
E.3 Post-Installation Checks
E.4 Verifying FIPS Connections

F orapki Utility

F.1 orapki Utility Overview
F.1.1 orapki Utility Syntax
F.2 Creating Signed Certificates for Testing Purposes
F.3 Managing Oracle Wallets with orapki Utility
F.3.1 Creating and Viewing Oracle Wallets with orapki
F.3.2 Adding Certificates and Certificate Requests to Oracle Wallets with orapki
F.3.3 Exporting Certificates and Certificate Requests from Oracle Wallets with orapki
F.4 Managing Certificate Revocation Lists (CRLs) with orapki Utility
F.5 orapki Usage Examples
F.6 orapki Utility Commands Summary
F.6.1 orapki cert create
F.6.1.1 Purpose
F.6.1.2 Syntax
F.6.2 orapki cert display
F.6.2.1 Purpose
F.6.2.2 Syntax
F.6.3 orapki crl delete
F.6.3.1 Purpose
F.6.3.2 Prerequisites
F.6.3.3 Syntax
F.6.4 orapki crl display
F.6.4.1 Purpose
F.6.4.2 Syntax
F.6.5 orapki crl hash
F.6.5.1 Purpose
F.6.5.2 Syntax
F.6.6 orapki crl list
F.6.6.1 Purpose
F.6.6.2 Syntax
F.6.7 orapki crl upload
F.6.7.1 Purpose
F.6.7.2 Syntax
F.6.8 orapki wallet add
F.6.8.1 Purpose
F.6.8.2 Syntax
F.6.9 orapki wallet create
F.6.9.1 Purpose
F.6.9.2 Syntax
F.6.10 orapki wallet display
F.6.10.1 Purpose
F.6.10.2 Syntax
F.6.11 orapki wallet export
F.6.11.1 Purpose
F.6.11.2 Syntax

G Entrust-Enabled SSL Authentication

G.1 Benefits of Entrust-Enabled Oracle Advanced Security
G.1.1 Enhanced X.509-Based Authentication and Single Sign-On
G.1.2 Integration with Entrust Authority Key Management
G.1.3 Integration with Entrust Authority Certificate Revocation
G.2 Required System Components for Entrust-Enabled Oracle Advanced Security
G.2.1 Entrust Authority for Oracle
G.2.1.1 Entrust Authority Security Manager
G.2.1.2 Entrust Authority Self-Administration Server
G.2.1.3 Entrust Entelligence Desktop Manager
G.2.2 Entrust Authority Server Login Feature
G.2.3 Entrust Authority IPSec Negotiator Toolkit
G.3 Entrust Authentication Process
G.4 Enabling Entrust Authentication
G.4.1 Creating Entrust Profiles
G.4.1.1 Administrator-Created Entrust Profiles
G.4.1.2 User-Created Entrust Profiles
G.4.2 Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL
G.4.3 Configuring SSL on the Client and Server for Entrust-Enabled SSL
G.4.4 Configuring Entrust on the Client
G.4.4.1 Configuring Entrust on a UNIX Client
G.4.4.2 Configuring Entrust on a Windows Client
G.4.5 Configuring Entrust on the Server
G.4.5.1 Configuring Entrust on a UNIX Server
G.4.5.2 Configuring Entrust on a Windows Server
G.4.6 Creating Entrust-Enabled Database Users
G.4.7 Logging Into the Database Using Entrust-Enabled SSL
G.5 Issues and Restrictions that Apply to Entrust-Enabled SSL
G.6 Troubleshooting Entrust In Oracle Advanced Security
G.6.1 Error Messages Returned When Running Entrust on Any Platform
G.6.2 Error Messages Returned When Running Entrust on Windows Platforms
G.6.3 General Checklist for Running Entrust on Any Platform
G.6.3.1 Checklist for Entrust Installations on Windows

Glossary

Index