Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in Oracle Advanced Security?

• Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security
• Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security
• Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security
• Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security

Part I Getting Started with Oracle Advanced Security

1 Introduction to Oracle Advanced Security

• 1.1 Security Challenges in an Enterprise Environment
  • 1.1.1 Security in Enterprise Grid Computing Environments
  • 1.1.2 Security in an Intranet or Internet Environment
  • 1.1.3 Common Security Threats
    • 1.1.3.1 Eavesdropping and Data Theft
    • 1.1.3.2 Data Tampering
    • 1.1.3.3 Falsifying User Identities
    • 1.1.3.4 Password-Related Threats
• 1.2 Solving Security Challenges with Oracle Advanced Security
  • 1.2.1 Data Encryption
    • 1.2.1.1 Supported Encryption Algorithms
    • 1.2.1.2 Data Integrity
    • 1.2.1.3 Federal Information Processing Standard
  • 1.2.2 Strong Authentication
    • 1.2.2.1 Centralized Authentication and Single Sign-On
    • 1.2.2.2 Supported Authentication Methods
• 1.3 Oracle Advanced Security Architecture
• 1.4 System Requirements
• 1.5 Oracle Advanced Security Restrictions

2 Configuration and Administration Tools Overview

• 2.1 Network Encryption and Strong Authentication Configuration Tools
  • 2.1.1 Oracle Net Manager
    • 2.1.1.1 Starting Oracle Net Manager
    • 2.1.1.2 Navigating to the Oracle Advanced Security Profile
    • 2.1.1.3 Oracle Advanced Security Profile Property Sheets
  • 2.1.2 Oracle Advanced Security Kerberos Adapter Command-Line Utilities
• 2.2 Public Key Infrastructure Credentials Management Tools
  • 2.2.1 Oracle Wallet Manager
    • 2.2.1.1 Starting Oracle Wallet Manager
    • 2.2.1.2 Navigating the Oracle Wallet Manager User Interface
    • 2.2.1.3 Toolbar
    • 2.2.1.4 Menus
  • 2.2.2 orapki Utility
• 2.3 Duties of a Security Administrator/DBA

Part II Oracle Data Redaction

3 Introduction to Oracle Data Redaction

• 3.1 What Is Oracle Data Redaction?
• 3.2 Who Can Create Oracle Data Redaction Policies?
• 3.3 When to Use Oracle Data Redaction
• 3.4 Benefits of Using Oracle Data Redaction
• 3.5 How Oracle Data Redaction Affects the SYS and SYSTEM Schemas
• 3.6 How Data Redaction Works with Nested Functions, Inline Views, and the WHERE Clause
• 3.7 Using SQL Expressions to Build Reports That Contain Redacted Values
• 3.8 Target Use Cases for Oracle Data Redaction
  • 3.8.1 Using Oracle Data Redaction with Database Applications
  • 3.8.2 Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries
• 3.9 Oracle Data Redaction Features and Capabilities
  • 3.9.1 Using Full Data Redaction to Redact All Data
  • 3.9.2 Using Partial Data Redaction to Redact Sections of Data
  • 3.9.3 Using Regular Expressions to Redact Patterns of Data
  • 3.9.4 Using Random Data Redaction to Generate Random Values
  • 3.9.5 Comparison of Full, Partial, and Random Redaction Based on Data Types
  • 3.9.6 Using No Redaction for Testing Purposes
• 3.10 Using Oracle Data Redaction with Other Oracle Database Features
  • 3.10.1 Using Oracle Data Redaction with Editions
  • 3.10.2 Using Oracle Data Redaction with Aggregate Functions
  • 3.10.3 Oracle Data Redaction and Object Types

4 Configuring Oracle Data Redaction Policies

• 4.1 About Oracle Data Redaction Policies
• 4.2 Planning the Creation of an Oracle Data Redaction Policy
• 4.3 General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
• 4.4 Creating a Full Redaction Policy
  • 4.4.1 About Creating Full Data Redaction Policies
  • 4.4.2 Syntax for Creating a Full Redaction Policy
  • 4.4.3 Examples of Full Data Redaction Policies
• 4.5 Creating a Partial Redaction Policy
  • 4.5.1 About Creating Partial Redaction Policies
  • 4.5.2 Syntax for Creating a Partial Redaction Policy
  • 4.5.3 Creating Partial Redaction Policies Using Fixed Character Shortcuts
    • 4.5.3.1 Settings for Fixed Character Shortcuts
    • 4.5.3.2 Example of a Partial Redaction Policy Using a Fixed Character Shortcut
  • 4.5.4 Creating Partial Redaction Policies Using Character Data Types
    • 4.5.4.1 Settings for Character Data Types
    • 4.5.4.2 Example of a Partial Redaction Policy Using Character a Data Type
  • 4.5.5 Creating Partial Redaction Policies Using Number Data Types
    • 4.5.5.1 Settings for Number Data Types
    • 4.5.5.2 Example of a Partial Redaction Policy Using a Number Data Type
  • 4.5.6 Creating Partial Redaction Policies Using Date-Time Data Types
    • 4.5.6.1 Settings for Date-Time Data Types
    • 4.5.6.2 Example of a Partial Redaction Policy Using Date-Time Data Type
• 4.6 Creating a Regular Expression-Based Redaction Policy
  • 4.6.1 About Creating Regular Expression-Based Redaction Policies
  • 4.6.2 Syntax for Creating a Regular Expression-Based Redaction Policy
  • 4.6.3 Creating Regular Expression-Based Redaction Policies Using Shortcuts
    • 4.6.3.1 Regular Expression Shortcuts
    • 4.6.3.2 Example of a Regular Expression Redaction Policy Using Shortcuts
  • 4.6.4 Creating Custom Regular Expression Redaction Policies
    • 4.6.4.1 Settings for Custom Regular Expressions
    • 4.6.4.2 Example of a Custom Regular Expression Redaction Policy
• 4.7 Creating a Random Redaction Policy
  • 4.7.1 About Creating Random Redaction Policies
  • 4.7.2 Syntax for Creating a Random Redaction Policy
  • 4.7.3 Example of a Random Redaction Policy
• 4.8 Creating a Policy That Uses No Redaction
  • 4.8.1 About Creating Policies That Use No Redaction
  • 4.8.2 Syntax for Creating a Policy with No Redaction
  • 4.8.3 Example of Performing No Redaction
• 4.9 Exempting Users from Oracle Data Redaction Policies
• 4.10 Altering an Oracle Data Redaction Policy
  • 4.10.1 About Altering an Oracle Data Redaction Policy
  • 4.10.2 Syntax for the DBMS_REDACT.ALTER_POLICY Procedure
  • 4.10.3 Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions
  • 4.10.4 Example of Altering an Oracle Data Redaction Policy
• 4.11 Redacting Multiple Columns in an Oracle Data Redaction Policy
• 4.12 Altering the Default Full Data Redaction Value
  • 4.12.1 About Altering the Default Full Data Redaction Value
  • 4.12.2 Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns
  • 4.12.3 Altering the Default Full Data Redaction Value for LOB Data Type Columns
• 4.13 Disabling an Oracle Data Redaction Policy
• 4.14 Enabling an Oracle Data Redaction Policy
• 4.15 Dropping an Oracle Data Redaction Policy
• 4.16 How Oracle Data Redaction Policies Affect Tables and Views
• 4.17 Restricting Administrative Access to Oracle Data Redaction Policies
• 4.18 Finding Information About Oracle Data Redaction Policies

5 Using Oracle Data Redaction with Other Oracle Products

• 5.1 Using Oracle Data Redaction with Oracle Virtual Private Database
• 5.2 Using Oracle Data Redaction with Oracle Enterprise Manager Data Masking Pack
• 5.3 Using Oracle Data Redaction with Oracle Database Vault
• 5.4 Using Oracle Data Redaction with Oracle Data Pump
  • 5.4.1 Oracle Data Pump Security Model for Oracle Data Redaction
  • 5.4.2 Exporting Data Using the EXPDP Utility access_method Parameter

6 Guidelines for Using Oracle Data Redaction

• 6.1 General Usage Guidelines
• 6.2 Writing Policy Expressions That Depend on SYS_CONTEXT Attributes
• 6.3 Creating Policies on Materialized Views
• 6.4 Dropping Policies When the Recycle Bin Is Enabled

Part III Data Encryption and Integrity

7 Securing Stored Data Using Transparent Data Encryption

• 7.1 About Transparent Data Encryption
  • 7.1.1 Benefits of Using Transparent Data Encryption
  • 7.1.2 Types of Transparent Data Encryption
    • 7.1.2.1 TDE Column Encryption
    • 7.1.2.2 TDE Tablespace Encryption
• 7.2 Using Transparent Data Encryption
  • 7.2.1 Enabling Transparent Data Encryption
    • 7.2.1.1 Specifying a Wallet Location for Transparent Data Encryption
    • 7.2.1.2 Using Wallets with Automatic Login Enabled
  • 7.2.2 Setting and Resetting the Master Encryption Key
    • 7.2.2.1 Setting the Master Encryption Key
    • 7.2.2.2 Resetting the Master Encryption Key
  • 7.2.3 Opening and Closing the Encrypted Wallet
  • 7.2.4 Encrypting Columns in Tables
    • 7.2.4.1 Creating Tables with Encrypted Columns
    • 7.2.4.2 Encrypting Columns in Existing Tables
    • 7.2.4.3 Creating an Index on an Encrypted Column
    • 7.2.4.4 Adding or Removing Salt from an Encrypted Column
    • 7.2.4.5 Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
    • 7.2.4.6 Data Types That Can Be Encrypted with TDE Column Encryption
    • 7.2.4.7 Restrictions on Using TDE Column Encryption
  • 7.2.5 Encrypting Entire Tablespaces
    • 7.2.5.1 Setting the Tablespace Master Encryption Key
    • 7.2.5.2 Opening the Oracle Wallet
    • 7.2.5.3 Creating an Encrypted Tablespace
    • 7.2.5.4 Restrictions on Using TDE Tablespace Encryption
  • 7.2.6 Using Hardware Security Modules with TDE
    • 7.2.6.1 Set the ENCRYPTION_WALLET_LOCATION Parameter in the sqlnet.ora File
    • 7.2.6.2 Copy the PKCS#11 Library to Its Correct Path
    • 7.2.6.3 Set Up the HSM
    • 7.2.6.4 Generate a Master Encryption Key for HSM-Based Encryption
    • 7.2.6.5 Reconfigure the Software Wallet (Optional)
    • 7.2.6.6 Ensure that the HSM Is Accessible
    • 7.2.6.7 Encrypt and Decrypt Data
  • 7.2.7 Using Transparent Data Encryption with Oracle RAC
    • 7.2.7.1 Using a Non-Shared File System to Store the Wallet
• 7.3 Managing Transparent Data Encryption
  • 7.3.1 Oracle Wallet Management
    • 7.3.1.1 Specifying a Separate Wallet for Transparent Data Encryption
    • 7.3.1.2 Using an Auto Login Wallet
    • 7.3.1.3 Creating Wallets
  • 7.3.2 Backup and Recovery of Master Encryption Keys
    • 7.3.2.1 Backup and Recovery of Oracle Wallet
    • 7.3.2.2 Backup and Recovery of PKI Key Pair
  • 7.3.3 Export and Import of Tables with Encrypted Columns
  • 7.3.4 Performance and Storage Overheads
    • 7.3.4.1 Performance Overheads
    • 7.3.4.2 Storage Overheads
  • 7.3.5 Security Considerations
  • 7.3.6 Using Transparent Data Encryption in a Multi-Database Environment
  • 7.3.7 Replication in Distributed Environments
  • 7.3.8 Compression and Data Deduplication of Encrypted Data
  • 7.3.9 Transparent Data Encryption with OCI
  • 7.3.10 Transparent Data Encryption in a Multi-Database Environment
  • 7.3.11 Transparent Data Encryption Data Dictionary Views
• 7.4 Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption
  • 7.4.1 Prepare the Database for Transparent Data Encryption
    • 7.4.1.1 Specify an Oracle Wallet Location in the sqlnet.ora File
    • 7.4.1.2 Create the Master Encryption Key
    • 7.4.1.3 Open the Oracle Wallet
  • 7.4.2 Create a Table with an Encrypted Column
  • 7.4.3 Create an Index on an Encrypted Column
  • 7.4.4 Alter a Table to Encrypt an Existing Column
  • 7.4.5 Create an Encrypted Tablespace
  • 7.4.6 Create a Table in an Encrypted Tablespace
• 7.5 Troubleshooting Transparent Data Encryption
• 7.6 Transparent Data Encryption Reference Information
  • 7.6.1 Supported Encryption and Integrity Algorithms
  • 7.6.2 Quick Reference: Transparent Data Encryption SQL Commands

8 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients

• 8.1 Oracle Advanced Security Encryption
  • 8.1.1 Advanced Encryption Standard
  • 8.1.2 Triple-DES Support
• 8.2 Oracle Advanced Security Data Integrity
  • 8.2.1 Data Integrity Algorithms Supported
• 8.3 Diffie-Hellman Based Key Negotiation
  • 8.3.1 Authentication Key Fold-in
• 8.4 How To Configure Data Encryption and Integrity
  • 8.4.1 About Activating Encryption and Integrity
  • 8.4.2 About Negotiating Encryption and Integrity
    • 8.4.2.1 REJECTED
    • 8.4.2.2 ACCEPTED
    • 8.4.2.3 REQUESTED
    • 8.4.2.4 REQUIRED
  • 8.4.3 Configuring Encryption and Integrity Parameters Using Oracle Net Manager
    • 8.4.3.1 Configuring Encryption on the Client and the Server
    • 8.4.3.2 Configuring Integrity on the Client and the Server

9 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients

• 9.1 About the Java Implementation
  • 9.1.1 Java Database Connectivity Support
  • 9.1.2 Securing Thin JDBC
  • 9.1.3 Implementation Overview
  • 9.1.4 Obfuscation
• 9.2 Configuration Parameters
  • 9.2.1 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter
  • 9.2.2 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter
  • 9.2.3 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter
  • 9.2.4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter
  • 9.2.5 CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter
  • 9.2.6 AnoServices Constants

Part IV Oracle Advanced Security Strong Authentication

10 Configuring RADIUS Authentication

• 10.1 About RADIUS
• 10.2 RADIUS Authentication Modes
  • 10.2.1 Synchronous Authentication Mode
  • 10.2.2 Challenge-Response (Asynchronous) Authentication Mode
• 10.3 Enabling RADIUS Authentication, Authorization, and Accounting
  • 10.3.1 Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
  • 10.3.2 Step 2: Configure RADIUS Authentication
    • 10.3.2.1 Step 2A: Configure RADIUS on the Oracle Client
    • 10.3.2.2 Step 2B: Configure RADIUS on the Oracle Database Server
    • 10.3.2.3 Step 2C: Configure Additional RADIUS Features
  • 10.3.3 Step 3: Create a User and Grant Access
  • 10.3.4 Step 4: Configure External RADIUS Authorization (optional)
    • 10.3.4.1 Step 4A: Configure the Oracle Server (RADIUS Client)
    • 10.3.4.2 Step 4B: Configure the Oracle Client Where Users Log In
    • 10.3.4.3 Step 4C: Configure the RADIUS Server
  • 10.3.5 Step 5: Configure RADIUS Accounting
    • 10.3.5.1 Step 5A: Set RADIUS Accounting on the Oracle Database Server
    • 10.3.5.2 Step 5B: Configure the RADIUS Accounting Server
  • 10.3.6 Step 6: Add the RADIUS Client Name to the RADIUS Server Database
  • 10.3.7 Step 7: Configure the Authentication Server for Use with RADIUS
  • 10.3.8 Step 8: Configure the RADIUS Server for Use with the Authentication Server
  • 10.3.9 Step 9: Configure Mapping Roles
• 10.4 Using RADIUS to Log In to a Database
• 10.5 RSA ACE/Server Configuration Checklist

11 Configuring Kerberos Authentication

• 11.1 Enabling Kerberos Authentication
  • 11.1.1 Step 1: Install Kerberos
  • 11.1.2 Step 2: Configure a Service Principal for an Oracle Database Server
  • 11.1.3 Step 3: Extract a Service Key Table from Kerberos
  • 11.1.4 Step 4: Install an Oracle Database Server and an Oracle Client
  • 11.1.5 Step 5: Install Oracle Net Services and Oracle Advanced Security
  • 11.1.6 Step 6: Configure Oracle Net Services and Oracle Database
  • 11.1.7 Step 7: Configure Kerberos Authentication
    • 11.1.7.1 Step 7A: Configure Kerberos on the Client and on the Database Server
    • 11.1.7.2 Step 7B: Set the Initialization Parameters
    • 11.1.7.3 Step 7C: Set sqlnet.ora Parameters (Optional)
  • 11.1.8 Step 8: Create a Kerberos User
  • 11.1.9 Step 9: Create an Externally Authenticated Oracle User
  • 11.1.10 Step 10: Get an Initial Ticket for the Kerberos/Oracle User
• 11.2 Utilities for the Kerberos Authentication Adapter
  • 11.2.1 Obtaining the Initial Ticket with the okinit Utility
  • 11.2.2 Displaying Credentials with the oklist Utility
  • 11.2.3 Removing Credentials from the Cache File with the okdstry Utility
  • 11.2.4 Connecting to an Oracle Database Server Authenticated by Kerberos
• 11.3 Configuring Interoperability with a Windows 2000 Domain Controller KDC
  • 11.3.1 Step 1: Configure Oracle Kerberos Client for a Windows 2000 Domain Controller KDC
    • 11.3.1.1 Step 1A: Create the Client Kerberos Configuration Files
    • 11.3.1.2 Step 2A: Specify the Oracle Configuration Parameters in the sqlnet.ora File
    • 11.3.1.3 Step 3A: Specify the Listening Port Number
  • 11.3.2 Step 2: Configure a Windows 2000 Domain Controller KDC for the Oracle Client
    • 11.3.2.1 Step 2A: Create the User
    • 11.3.2.2 Step 2B: Create the Oracle Database Principal
  • 11.3.3 Step 3: Configure Oracle Database for a Windows 2000 Domain Controller KDC
    • 11.3.3.1 Step 3A: Set Configuration Parameters in the sqlnet.ora File
    • 11.3.3.2 Step 3B: Create an Externally Authenticated Oracle User
  • 11.3.4 Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User
• 11.4 Troubleshooting the Oracle Kerberos Authentication Configuration

12 Configuring Secure Sockets Layer Authentication

• 12.1 Secure Sockets Layer and Transport Layer Security
  • 12.1.1 The Difference Between Secure Sockets Layer and Transport Layer Security
  • 12.1.2 How Oracle Database Uses Secure Sockets Layer for Authentication
  • 12.1.3 How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake
• 12.2 Public Key Infrastructure in an Oracle Environment
  • 12.2.1 About Public Key Infrastructure in an Oracle Environment
  • 12.2.2 About Public Key Cryptography
  • 12.2.3 Public Key Infrastructure Components in an Oracle Environment
    • 12.2.3.1 Certificate Authority
    • 12.2.3.2 Certificates
    • 12.2.3.3 Certificate Revocation Lists
    • 12.2.3.4 Wallets
    • 12.2.3.5 Hardware Security Modules
• 12.3 Secure Sockets Layer Combined with Other Authentication Methods
  • 12.3.1 Architecture: Oracle Advanced Security and Secure Sockets Layer
  • 12.3.2 How Secure Sockets Layer Works with Other Authentication Methods
• 12.4 Secure Sockets Layer and Firewalls
• 12.5 Secure Sockets Layer Usage Issues
• 12.6 Enabling Secure Sockets Layer
  • 12.6.1 Step 1: Install Oracle Advanced Security and Related Products
  • 12.6.2 Step 2: Configure Secure Sockets Layer on the Server
    • 12.6.2.1 Step 2A: Confirm Wallet Creation on the Server
    • 12.6.2.2 Step 2B: Specify the Database Wallet Location on the Server
    • 12.6.2.3 Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)
    • 12.6.2.4 Step 2D: Set the Required SSL Version on the Server (Optional)
    • 12.6.2.5 Step 2E: Set SSL Client Authentication on the Server (Optional)
    • 12.6.2.6 Step 2F: Set SSL as an Authentication Service on the Server (Optional)
    • 12.6.2.7 Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server
  • 12.6.3 Step 3: Configure SSL on the Client
    • 12.6.3.1 Step 3A: Confirm Client Wallet Creation
    • 12.6.3.2 Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client
    • 12.6.3.3 Step 3C: Specify Required Client SSL Configuration (Wallet Location)
    • 12.6.3.4 Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)
    • 12.6.3.5 Step 3E: Set the Required SSL Version on the Client (Optional)
    • 12.6.3.6 Step 3F: Set SSL as an Authentication Service on the Client (Optional)
    • 12.6.3.7 Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)
  • 12.6.4 Step 4: Log on to the Database Instance
• 12.7 Troubleshooting Secure Sockets Layer
• 12.8 Certificate Validation with Certificate Revocation Lists
  • 12.8.1 About Certificate Validation with Certificate Revocation Lists
  • 12.8.2 What CRLs Should You Use?
  • 12.8.3 How CRL Checking Works
  • 12.8.4 Configuring Certificate Validation with Certificate Revocation Lists
    • 12.8.4.1 About Configuring Certificate Validation with Certificate Revocation Lists
    • 12.8.4.2 Enabling Certificate Revocation Status Checking for the Client or Server
    • 12.8.4.3 Disabling Certificate Revocation Status Checking
  • 12.8.5 Certificate Revocation List Management
    • 12.8.5.1 About Certificate Revocation Management
    • 12.8.5.2 Displaying orapki Help for Commands That Manage CRLs
    • 12.8.5.3 Renaming CRLs with a Hash Value for Certificate Validation
    • 12.8.5.4 Uploading CRLs to Oracle Internet Directory
    • 12.8.5.5 Listing CRLs Stored in Oracle Internet Directory
    • 12.8.5.6 Viewing CRLs in Oracle Internet Directory
    • 12.8.5.7 Deleting CRLs from Oracle Internet Directory
  • 12.8.6 Troubleshooting Certificate Validation
    • 12.8.6.1 Oracle Net Tracing File Error Messages Associated with Certificate Validation
• 12.9 Configuring Your System to Use Hardware Security Modules
  • 12.9.1 About Configuring Your System to Use Hardware Security Modules
  • 12.9.2 Guidelines for Using Hardware Security Modules with Oracle Advanced Security
  • 12.9.3 Configuring Your System to Use nCipher Hardware Security Modules
    • 12.9.3.1 About Configuring Your System to Use nCipher Hardware Security Modules
    • 12.9.3.2 Oracle Components Required To Use an nCipher Hardware Security Module
    • 12.9.3.3 About Installing an nCipher Hardware Security Module
  • 12.9.4 Configuring Your System to Use SafeNET Hardware Security Modules
    • 12.9.4.1 About Configuring Your System to Use SafeNet Hardware Security Modules
    • 12.9.4.2 Oracle Components for the SafeNET Luna SA Hardware Security Module
    • 12.9.4.3 About Installing a SafeNET Hardware Security Module
  • 12.9.5 Troubleshooting Using Hardware Security Modules
    • 12.9.5.1 Errors in the Oracle Net Trace Files
    • 12.9.5.2 Error Messages Associated with Using Hardware Security Modules
• 12.10 Configuring SSL in an Oracle Real Application Clusters Environment
  • 12.10.1 Step 1: Configure the TCPS Protocol Endpoints
  • 12.10.2 Step 2: Update the Local Listener Parameter on Each Oracle RAC Node
  • 12.10.3 Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients
    • 12.10.3.1 Creating the SSL Certificate for Each Cluster and for the Test Client
    • 12.10.3.2 Signing Each User Certificate
  • 12.10.4 Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet
  • 12.10.5 Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files
  • 12.10.6 Step 6: Restart the Database Instances and Listeners
  • 12.10.7 Step 7: Test the Configuration from a Cluster Node
  • 12.10.8 Step 8: Test the Configuration from a Remote Client

13 Using Oracle Wallet Manager

• 13.1 Oracle Wallet Manager Overview
  • 13.1.1 Wallet Password Management
  • 13.1.2 Strong Wallet Encryption
  • 13.1.3 Microsoft Windows Registry Wallet Storage
    • 13.1.3.1 Options Supported:
  • 13.1.4 Backward Compatibility
  • 13.1.5 Public-Key Cryptography Standards (PKCS) Support
  • 13.1.6 Multiple Certificate Support
  • 13.1.7 LDAP Directory Support
• 13.2 Starting Oracle Wallet Manager
• 13.3 How to Create a Complete Wallet: Process Overview
• 13.4 Managing Wallets
  • 13.4.1 Required Guidelines for Creating Wallet Passwords
  • 13.4.2 Creating a New Wallet
    • 13.4.2.1 Creating a Standard Wallet
    • 13.4.2.2 Creating a Wallet to Store Hardware Security Module Credentials
  • 13.4.3 Opening an Existing Wallet
  • 13.4.4 Closing a Wallet
  • 13.4.5 Exporting Oracle Wallets to Third-Party Environments
  • 13.4.6 Exporting Oracle Wallets to Tools that Do Not Support PKCS #12
  • 13.4.7 Uploading a Wallet to an LDAP Directory
  • 13.4.8 Downloading a Wallet from an LDAP Directory
  • 13.4.9 Saving Changes
  • 13.4.10 Saving the Open Wallet to a New Location
  • 13.4.11 Saving in System Default
  • 13.4.12 Deleting the Wallet
  • 13.4.13 Changing the Password
  • 13.4.14 Using Auto Login
    • 13.4.14.1 Enabling Auto Login
    • 13.4.14.2 Disabling Auto Login
• 13.5 Managing Certificates
  • 13.5.1 Managing User Certificates
    • 13.5.1.1 Adding a Certificate Request
    • 13.5.1.2 Importing the User Certificate into the Wallet
    • 13.5.1.3 Importing Certificates and Wallets Created by Third Parties
    • 13.5.1.4 Removing a User Certificate from a Wallet
    • 13.5.1.5 Removing a Certificate Request
    • 13.5.1.6 Exporting a User Certificate
    • 13.5.1.7 Exporting a User Certificate Request
  • 13.5.2 Managing Trusted Certificates
    • 13.5.2.1 Importing a Trusted Certificate
    • 13.5.2.2 Removing a Trusted Certificate
    • 13.5.2.3 Exporting a Trusted Certificate
    • 13.5.2.4 Exporting All Trusted Certificates

14 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

• 14.1 Connecting with User Name and Password
• 14.2 Disabling Oracle Advanced Security Authentication
• 14.3 Configuring Multiple Authentication Methods
• 14.4 Configuring Oracle Database for External Authentication
  • 14.4.1 Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
  • 14.4.2 Setting OS_AUTHENT_PREFIX to a Null Value

Part V Appendixes

A Data Encryption and Integrity Parameters

• A.1 Sample sqlnet.ora File
• A.2 Data Encryption and Integrity Parameters
  • A.2.1 SQLNET.ENCRYPTION_SERVER Parameter
  • A.2.2 SQLNET.ENCRYPTION_CLIENT Parameter
  • A.2.3 SQLNET.SSL_EXTENDED_KEY_USAGE Parameter
  • A.2.4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter
  • A.2.5 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter
  • A.2.6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter
  • A.2.7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter
  • A.2.8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter
  • A.2.9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter

B Authentication Parameters

• B.1 Parameters for Clients and Servers using Kerberos Authentication
• B.2 Parameters for Clients and Servers using RADIUS Authentication
  • B.2.1 sqlnet.ora File Parameters
    • B.2.1.1 SQLNET.AUTHENTICATION_SERVICES Parameter
    • B.2.1.2 SQLNET.RADIUS_AUTHENTICATION Parameter
    • B.2.1.3 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter
    • B.2.1.4 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter
    • B.2.1.5 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter
    • B.2.1.6 SQLNET.RADIUS_SEND_ACCOUNTING Parameter
    • B.2.1.7 SQLNET.RADIUS_SECRET Parameter
    • B.2.1.8 SQLNET.RADIUS_ALTERNATE Parameter
    • B.2.1.9 SQLNET.RADIUS_ALTERNATE_PORT Parameter
    • B.2.1.10 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter
    • B.2.1.11 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter
    • B.2.1.12 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter
    • B.2.1.13 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter
    • B.2.1.14 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter
    • B.2.1.15 SQLNET.RADIUS_CLASSPATH Parameter
  • B.2.2 Minimum RADIUS Parameters
  • B.2.3 Initialization File Parameters
• B.3 Parameters for Clients and Servers Using Secure Sockets Layer
  • B.3.1 Secure Sockets Layer Authentication Parameters
  • B.3.2 Cipher Suite Parameters
    • B.3.2.1 Supported SSL Cipher Suites
  • B.3.3 Secure Sockets Layer Version Parameters
  • B.3.4 Secure Sockets Layer Client Authentication Parameters
    • B.3.4.1 SSL X.509 Server Match Parameters
  • B.3.5 Wallet Location

C Integrating Authentication Devices Using RADIUS

• C.1 About the RADIUS Challenge-Response User Interface
• C.2 Customizing the RADIUS Challenge-Response User Interface

D Oracle Advanced Security FIPS 140-1 Settings

• D.1 Configuration Parameters
  • D.1.1 Server Encryption Level Setting
  • D.1.2 Client Encryption Level Setting
  • D.1.3 Server Encryption Selection List
  • D.1.4 Client Encryption Selection List
  • D.1.5 FIPS Parameter
• D.2 Post Installation Checks
• D.3 Status Information
• D.4 Physical Security

E Oracle Advanced Security FIPS 140-2 Settings

• E.1 Configuring FIPS Parameter
• E.2 Selecting Cipher Suites
• E.3 Post-Installation Checks
• E.4 Verifying FIPS Connections

F orapki Utility

• F.1 orapki Utility Overview
  • F.1.1 orapki Utility Syntax
• F.2 Creating Signed Certificates for Testing Purposes
• F.3 Managing Oracle Wallets with orapki Utility
  • F.3.1 Creating, Viewing, and Modifying Wallets with orapki
    • F.3.1.1 Creating a PKCS#12 Wallet
    • F.3.1.2 Creating an Auto Login Wallet
    • F.3.1.3 Viewing a Wallet
    • F.3.1.4 Modifying the Password for a Wallet
  • F.3.2 Adding Certificates and Certificate Requests to Oracle Wallets with orapki
  • F.3.3 Exporting Certificates and Certificate Requests from Oracle Wallets with orapki
• F.4 Managing Certificate Revocation Lists (CRLs) with orapki Utility
• F.5 orapki Usage Examples
• F.6 orapki Utility Commands Summary
  • F.6.1 orapki cert create
    • F.6.1.1 Purpose
    • F.6.1.2 Syntax
  • F.6.2 orapki cert display
    • F.6.2.1 Purpose
    • F.6.2.2 Syntax
  • F.6.3 orapki crl delete
    • F.6.3.1 Purpose
    • F.6.3.2 Prerequisites
    • F.6.3.3 Syntax
  • F.6.4 orapki crl display
    • F.6.4.1 Purpose
    • F.6.4.2 Syntax
  • F.6.5 orapki crl hash
    • F.6.5.1 Purpose
    • F.6.5.2 Syntax
  • F.6.6 orapki crl list
    • F.6.6.1 Purpose
    • F.6.6.2 Syntax
  • F.6.7 orapki crl upload
    • F.6.7.1 Purpose
    • F.6.7.2 Syntax
  • F.6.8 orapki wallet add
    • F.6.8.1 Purpose
    • F.6.8.2 Syntax
  • F.6.9 orapki wallet create
    • F.6.9.1 Purpose
    • F.6.9.2 Syntax
  • F.6.10 orapki wallet display
    • F.6.10.1 Purpose
    • F.6.10.2 Syntax
  • F.6.11 orapki wallet export
    • F.6.11.1 Purpose
    • F.6.11.2 Syntax

G Entrust-Enabled Secure Sockets Layer Authentication

• G.1 Benefits of Entrust-Enabled Oracle Advanced Security
  • G.1.1 Enhanced X.509-Based Authentication and Single Sign-On
  • G.1.2 Integration with Entrust Authority Key Management
  • G.1.3 Integration with Entrust Authority Certificate Revocation
• G.2 Required System Components for Entrust-Enabled Oracle Advanced Security
  • G.2.1 Entrust Authority for Oracle
    • G.2.1.1 Entrust Authority Security Manager
    • G.2.1.2 Entrust Authority Self-Administration Server
    • G.2.1.3 Entrust Entelligence Desktop Manager
  • G.2.2 Entrust Authority Server Login Feature
  • G.2.3 Entrust Authority IPSec Negotiator Toolkit
• G.3 Entrust Authentication Process
• G.4 Enabling Entrust Authentication
  • G.4.1 Creating Entrust Profiles
    • G.4.1.1 Administrator-Created Entrust Profiles
    • G.4.1.2 User-Created Entrust Profiles
  • G.4.2 Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL
  • G.4.3 Configuring SSL on the Client and Server for Entrust-Enabled SSL
  • G.4.4 Configuring Entrust on the Client
    • G.4.4.1 Configuring Entrust on a UNIX Client
    • G.4.4.2 Configuring Entrust on a Windows Client
  • G.4.5 Configuring Entrust on the Server
    • G.4.5.1 Configuring Entrust on a UNIX Server
    • G.4.5.2 Configuring Entrust on a Windows Server
  • G.4.6 Creating Entrust-Enabled Database Users
  • G.4.7 Logging Into the Database Using Entrust-Enabled SSL
• G.5 Issues and Restrictions that Apply to Entrust-Enabled SSL
• G.6 Troubleshooting Entrust In Oracle Advanced Security
  • G.6.1 Error Messages Returned When Running Entrust on Any Platform
  • G.6.2 Error Messages Returned When Running Entrust on Windows Platforms
  • G.6.3 General Checklist for Running Entrust on Any Platform
    • G.6.3.1 Checklist for Entrust Installations on Windows

Glossary

Index