Oracle Advanced Security README Release 2 (9.2)
The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the US Government or anyone licensing or using the Programs on behalf of the US Government, the following notice is applicable:
Programs delivered subject to the DOD FAR Supplement are commercial computer software and use, duplication and disclosure of the Programs including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are 'restricted computer software' and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be licensee's responsibility to take all appropriate fail-safe, back up, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.
Oracle is a registered trademark, and SQL*Plus, Oracle8i, and Oracle9i are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.
All trade names referenced are the service mark, trademark, or registered trademark of the respective manufacturer.
Portions of Oracle Advanced Security have been licensed by Oracle Corporation from RSA Data Security.
Documentation Accessibility:
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle Corporation is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation:
JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation:
This documentation may contain links to Web sites of other companies or organizations that Oracle Corporation does not own or control. Oracle Corporation neither evaluates nor makes any representations regarding the accessibility of these Web sites.
-----------------------------------------------
CONTENTS
This README file is relevant only to the delivered Oracle Advanced Security release 2 (9.2) product. This README documents any differences between the product and its documented functionality, as well as known problems and workarounds. Operating system releases, such as UNIX, Windows NT, OpenVMS, and so on, often provide an operating system specific README document.
Oracle Advanced Security release 2 (9.2) bundles security services for Oracle9i. It secures connections over all protocols into Oracle9i and integrates a Public Key Infrastructure (PKI). Oracle Advanced Security provides data encryption and integrity for all network protocols into the database, including Oracle Net with native encryption, Oracle Net/SSL, IIOP/SSL, and Java-based encryption for thin JDBC clients. It integrates with third-party authentication, authorization and single sign-on services. It supports public key solutions including Secure Sockets Layer (SSL) and X.509 Version 3 certificates (provided by third-party certificate servers) and bundles related tools, Oracle Wallet Manager 3.0 and Oracle Enterprise Login Assistant 9.0. It also enables SSL-based single sign-on and enables certificate-based server-to-server authentication and database links. Oracle Advanced Security integrates with Entrust PKI in this release.
Oracle Advanced Security utilizes LDAP v3-compliant directory servers to centralize user management, and it bundles Oracle Enterprise Security Manager 3.0 to manage enterprise users and enterprise roles. Oracle Advanced Security provides restricted use of Oracle Internet Directory release 3.0 for storage of users and authorizations. It also integrates with Microsoft Active Directory for role management. In future releases we will integrate directly only with Oracle Internet Directory, which acts as a gateway to integrate with all other LDAP-compliant directories, including Microsoft Active Directory.
In this release, Oracle Advanced Security installs automatically during Typical Install. In order to use it, you must purchase appropriate licenses, install it either automatically in Typical Install or manually using Custom Install, then configure it on the servers and clients. All components install in Typical Install except DCE, which installs in Custom Install.
Although installed by default, Oracle Advanced Security is an extra cost option to Oracle9i Enterprise Edition and must be purchased when used. This licensing requirement also affects customers wishing to use security features in combination with Java Beans (EJB over IIOP/SSL) or database enterprise users (over Oracle Net/SSL). The exclusive exception is an HTTPS (HTTP/SSL) connection to the RDBMS, which does not require an Oracle Advanced Security license.
The following features are new in this release:
See Also:
During Oracle Advanced Security installation, three .bak files are created: naeet.o.bak, naect.o.bak, and naedhs.o.bak. They are located in $ORACLE_HOME/lib. Do not delete these files because they are required when executables are relinked during the de-installation of Oracle Advanced Security.
If using Oracle Advanced Security on a "client only" machine (that is, with no database present), then it is mandatory to set the TWO_TASK environment variable before starting the installation. The TWO_TASK variable points to an alias representing the database on a server machine. Setting the TWO_TASK environment variable enables Oracle Advanced Security to be installed in "Client Only" mode.
In this release, the configuration tool, Oracle Net Manager, does not provide a default seed for generating cryptographic keys. You must manually enter an arbitrary string between 10 and 70 characters in length. Enter different seeds on every client and every server. The seed is one of the elements used to generate random numbers used in the Diffie-Hellman key exchange.
In this release, the NS features of Multiplexing and Connection Pooling do not work if SSL transport is being used.
There is a known problem in which Oracle clients (sqlplus or svrmgrl) fail when the RADIUS adapter is configured for CHAP (challenge-response) mode.
To work around this problem, set the LD_LIBRARY_PATH environment variable to include $ORACLE_HOME/JRE/lib/sparc/native_threads.
To require external authentication and disable username/password authentication, set the sqlnet.ora parameter SQLNET.AUTHENTICATION_REQUIRED=TRUE. The default is FALSE.
The Identix adapter is desupported as of Oracle Advanced Security 9.0.1.
Since the previous release of Oracle Advanced Security 9.0.1, the RSA ACE/Server and tokens can authenticate Oracle users only through the RADIUS adapter. Using the RADIUS plug-in to the ACE/Server, the ACE/Server acts as the RADIUS server and authentication server. Functionality remains the same as in previous releases.
Oracle Advanced Security supports RADIUS-compliant servers and authentication devices. To use the Java-based client interface for RADIUS, you must include $ORACLE_HOME/JRE/lib/sparc/native_threads in LD_LIBRARY_PATH. To use RADIUS, you must use native threads. Set the variable THREADS_FLAG to "native" within the Java runtime environment (JRE).
During installation on a Windows platform, if you configured the RADIUS adapter, then please reboot the machine to get the JRE location. [Reference Bug 2212844]
In this release, Oracle extends support for RADIUS authorizations in Challenge-Response mode for servers brought up in either Dedicated or MTS mode.
In this release, if external authentication (using Kerberos, Cybersafe, or RADIUS) is not enabled, then please verify that you have issued the startup command with a PFILE option so that the parameters from your init<SID>.ora are picked up.
With Oracle 9.0.1, we introduced the server managed parameter file (SPFILE). The SPFILE can be used to store parameters that are automatically tuned by the server. When a startup command is issued without a PFILE option, the client requests that the server starts up using an SPFILE. The server looks for the SPFILE (?/dbs/spfile.ora) and reads parameters from it. If the SPFILE is not found, the server tries to use a default PFILE (?/dbs/init@.ora) on the server side.
If the startup command is issued with a PFILE option, then the existing behavior is retained.
This release supports Entrust version 5.0.2, 5.1, and 6.0 components including IPSEC Negotiator Toolkit, Entrust/Authority, and Server Login. On HP-UX 64-bit, Solaris 64-bit, and Compaq Tru64 platforms, Oracle Advanced Security supports Entrust 6.0 PKI.
On Windows, you must install Entrust Entelligence on the client.
You must have the same version of Entrust tool kits and the Entrust Authority if you are using 5.x versions of Entrust. For example, you can use 5.1 version everywhere or 5.0.2 version for the tool kits and the Entrust/Authority.
However, you can have Entrust 6.0 IPSEC Negotiator and Server Login tool kit with 5.1 Entrust/Authority.
In this release (just as in 9.0.1), you do not have to choose between Entrust or SSL upon installation. You can use both together since this release allows SSL and Entrust on the same machine without relinking.
You must set the CLASSPATH environment variable on the client (Windows or UNIX) to include the following jar files in the order they are listed:
$ORACLE_HOME/JRE/lib/i18n.jar
$ORACLE_HOME/JRE/lib/rt.jar
$ORACLE_HOME/network/jlib/netentrust.jar
$ORACLE_HOME/jlib/swingall-1_1_1.jar
$ORACLE_HOME/jlib/ewt-3_3_18.jar
$ORACLE_HOME/jlib/share-1_1_9.jar
[Reference Bug 1794800]
Entrust users can now be managed centrally in Oracle Internet Directory. The database and Oracle Internet Directory must have Entrust UAL files to permit unattended login when configuring for enterprise user security. You cannot have a mixed environment such as X.509v3 certificates for some clients/servers and entrust profiles for the others. The configuration set used to set up LDAP for SSL should specify a WRL to locate the entrust UAL file. The WRL should have the following format:
entr:<UAL directory path>/*.ual::<ini file directory path>/*.ini::1
Because the Oracle Internet Directory server and the database communicate on the SSL port, the specific SSL configuration set has to be configured to use client and server authentication for orclauthentication. If you do not do this, then the database distinguished name (DN) will bind as NULL.
For the SSL adapter, dynamic specification of sqlnet.ora parameters such as SSL_VERSION, SSL_CIPHER_SUITES, and SSL_CLIENT_AUTHENTICATION as part of TNS aliases has no effect on the redirected connections made to the database server.
An OCI client requires a wallet even when using a cipher suite with DH_anon, which does not authenticate the client. Such cipher suites are known to be vulnerable to person-in-the-middle attacks. If you use a cipher suite with DH_anon, then you should use Oracle Advanced Security native encryption and checksumming to protect against the attack.
Certificate size limits.
In this release (as in the previous release 9.0.1), the SSL client matches the server's global database name against the distinguished name (DN) from the server certificate. This check protects against the threat of connections to a server potentially faking its identity, in which the server has a valid X.509 v3 certificate, but not the proper certificate for this database.
Setting the sqlnet.ora parameter SSL_SERVER_DN_MATCH to ON or OFF controls the system's behavior when there is a mismatch between the service name and the DN. When set to OFF, if the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection succeeds but an error is written to sqlnet.log. When the parameter is set to ON, if the DN matches the service name, the connection succeeds. If it does not match, then the connection fails. ON, OFF, TRUE, FALSE, YES, NO are all acceptable values.
The corresponding Oracle Net Manager parameter "Match server X.509 name" can be set to Yes, No, or Let the Client Decide. Yes and No correspond to the sqlnet.ora parameter described above, while Let the Client Decide bases the behavior on the version of the client.
The following describes the two ways to properly set up the system. Oracle Corporation recommends the first.
SSL_SERVER_CERT_DN. A sample tnsnames.ora for this check is as follows:
dbalias =
  (description =
    (address_list =
      (address = (protocol = tcps) (host = hostname) (port = portnum)))
    (connect_data = (service_name = Finance))
    (security = (SSL_SERVER_CERT_DN = "CN=Finance,CN=OracleContext,C=US,O=Acme")))
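The server DN check described above, written out as an added example that is not Oracle's code: the outcomes of SSL_SERVER_DN_MATCH for a matching and a mismatching certificate, and the whole-DN variant selected by SSL_SERVER_CERT_DN, modelled as plain Python functions over constructed DNs. It assumes the service name is compared case-insensitively against the leftmost CN of the certificate DN, that SSL_SERVER_CERT_DN replaces that comparison target with a whole-DN match, and that an in-memory list stands in for sqlnet.log.

```python
import re
from typing import List, Optional, Tuple

# Values sqlnet.ora accepts for SSL_SERVER_DN_MATCH (listed in the README)
_ON_VALUES = {"ON", "TRUE", "YES"}
_OFF_VALUES = {"OFF", "FALSE", "NO"}


def parse_dn_match(value: str) -> bool:
    """Normalise an SSL_SERVER_DN_MATCH setting to True (ON) or False (OFF)."""
    v = value.strip().upper()
    if v in _ON_VALUES:
        return True
    if v in _OFF_VALUES:
        return False
    raise ValueError(f"invalid SSL_SERVER_DN_MATCH value: {value!r}")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=Finance,CN=OracleContext,C=US,O=Acme' into ordered (ATTR, value)
    pairs. A comma escaped with a backslash stays inside the value; attribute
    names are upper-cased and values stripped so comparisons ignore formatting."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def leaf_cn(dn: str) -> Optional[str]:
    """Leftmost CN of the DN, i.e. the leaf entry (assumed here to be what the
    service name is compared against). None if the DN carries no CN at all."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def check_server_dn(service_name: str, cert_dn: str, dn_match: bool,
                    sqlnet_log: List[str],
                    expected_dn: Optional[str] = None) -> bool:
    """Return True if the SSL connection may proceed.

    expected_dn stands in for SSL_SERVER_CERT_DN from tnsnames.ora: when given,
    the whole certificate DN must match it; otherwise the leaf CN must equal
    the service name (case-insensitively, an assumption of this example).
    """
    if expected_dn is not None:
        matched = parse_dn(expected_dn) == parse_dn(cert_dn)
    else:
        cn = leaf_cn(cert_dn)
        matched = cn is not None and cn.lower() == service_name.lower()
    if matched:
        return True
    if dn_match:
        return False  # ON: a mismatch fails the connection
    # OFF: connect anyway, but record the mismatch as sqlnet.log would
    sqlnet_log.append(f"server DN {cert_dn!r} does not match {service_name!r}")
    return True
```

Leaving SSL_SERVER_DN_MATCH off turns the check into a log entry only, so a sqlnet.log mismatch line is the signal to watch for when the parameter cannot yet be turned on.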
Oracle Corporation recommends using Oracle Wallet Manager to remove the trusted certificates in your Oracle wallet for all of the certificate authorities that you do not use.
Certificate request creation fails with some multibyte character sets.
Oracle Wallet Manager Online Help becomes unresponsive when modal dialog boxes, such as the one to enter Certificate Request Information, pop up. The Online Help becomes responsive once the modal dialog box is closed.
When trying to copy or paste certificates in Oracle Wallet Manager you need to use Shift+Insert and Ctrl+Insert respectively. The extended Sun keyboard keys ("Cut, Copy, Paste") will not work on Solaris.
If the jsse.jar provided by your platform vendor and jcert.jar are present in the classpath, then javax-ssl-1*.jar should not be present in the classpath. Further, Oracle Corporation recommends that you use jssl-1_1.jar because jssl-1_2.jar may cause problems.
To use Oracle JavaSSL, the following Java security properties must be set:
ssl.SocketFactory.provider=oracle.security.ssl.OracleSSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=oracle.security.ssl.OracleSSLServerSocketFactoryImpl
If jsse.jar and jcert.jar are installed as extensions (located in $JAVA_HOME/jre/lib/ext), then jssl-1_1.jar must be installed in the same directory.
Enterprise Security Manager 9i, Release 2 has the capability of automatically creating a wallet for the database and users. Please note that these wallets are only intended for ease of building a demo or for rapid testing purposes.
Oracle Corporation does not recommend using these wallets for your production operations. We recommend, instead, that you use certificates generated by the certificate authority vendor of your choice and associate that certificate with the database or user wallet.
The administrator for the user search base is not able to create users. For example, cn=admuser cannot create users under cn=users,c=us.
Using the example listed above, add cn=admuser to OracleUserSecurityAdmins.
A user who belongs to both OracleUserSecurityAdmins and OracleDBSecurityAdmins (or indirectly to OraclePasswordAccessibleDomains) is not able to change passwords.
Cannot view the Oracle Context version with Enterprise Security Manager.
You can use Enterprise Security Manager to check whether it is an Oracle8i or 9i context. An ldapsearch allows you to distinguish between an Oracle9i Release 1 and Release 2 context (9iR1 or 9iR2, respectively).
Enterprise Security Manager does not show search bases if the distinguished name (DN) matches beyond two levels.
Do not use multiple Oracle Contexts in a directory tree with DNs that match beyond two levels.
Changing the database password from Enterprise Login Assistant does not generate the correct database password verifier.
Do not use DNs to log onto Enterprise Login Assistant. The user should use their "User ID" to connect to the database using Enterprise Login Assistant.
Enterprise Security Manager creates the role but displays an error "Permission Denied: Your login doesn't have the correct privileges for this operation".
Ignore this error.
Enterprise Security Manager crashes when Oracle Internet Directory is shut down.
Restart Enterprise Security Manager.
In this release, customers are provided the option to use the Enterprise Security Manager command line tool. This tool includes the functionality to create new enterprise users and to provision or enable existing directory user entries to participate in enterprise user security.
To start the tool, type esm -cmd, which displays the full tool syntax (help).
Some of the less frequently used options displayed in the help description that are not supported in this release are: addGlobalRole, addPasswordAccessibleDomains, addDomainDatabase and removeMapping.
These administrative actions can be performed with the Enterprise Security Manager GUI interface.
When DNs are required as input for the various commands, spaces within attribute values in the DNs are not supported. For example, "cn=john doe,c=us" is not supported due to the space between john and doe, but "cn=john,c=us" is supported.
Do not use DNs that include spaces within attribute values.
When creating a new enterprise domain with createDomain, the default domain administrator is set incorrectly to be the DN of the Oracle Context.
Use the Enterprise Security Manager GUI tool to remove the Oracle Context as a domain administrator, and add an appropriate user instead.
When using the Enterprise Security Manager command line tool to modify attributes relevant to an entire Oracle Context, such as User Search Bases and userIDAttribute, values for both attributes need to be included on the command line, even if only one of them is being modified.
There is no input verification when adding a new context administrator. Ensure that the DN being added is a valid user entry in the directory.
For the various role operations (for example, grantRole), the full DN of the enterprise role is required as input. The syntax for enterprise role DNs is:
"cn=<role name>,cn=<enterprise domain name>,cn=OracleDBSecurity,cn=Products, cn=OracleContext,<context location>".
New in 9i Release 2 is the User Migration command line utility. This tool allows administrators to migrate database users to the directory to participate in enterprise user security. Using this tool allows exclusive schema users to be mapped to a shared schema during the migration process. Additionally, the user migration utility provisions/enables existing directory users for use with Oracle Advanced Security's Enterprise User Security feature.
The tool has a JRE 1.3.1 dependency. You should set JAVA_HOME or CLASSPATH to point to the JRE 1.3.1 file.
Copyright © 2002 Oracle Corporation. All Rights Reserved.