Oracle® Database Advanced Security Administrator's Guide 11g Release 1 (11.1) Part Number B28530-01 |
|
|
View PDF |
Welcome to the Oracle Database Advanced Security Administrator's Guide for the 11g Release 1 (11.1) of Oracle Advanced Security.
Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols.
The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including:
Implementation consultants
System administrators
Security administrators
Database administrators (DBAs)
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
TTY Access to Oracle Support Services
Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.
This document contains the following chapters:
Part I, "Getting Started with Oracle Advanced Security"
Chapter 1, "Introduction to Oracle Advanced Security"
This chapter provides an overview of Oracle Advanced Security features provided with this release.
Chapter 2, "Configuration and Administration Tools Overview"
This chapter provides an introduction and overview of Oracle Advanced Security GUI and command-line tools.
Part II, "Data Encryption and Integrity"
Chapter 3, "Transparent Data Encryption"
This chapter provides an overview of the transparent data encryption feature introduced in Oracle Advanced Security 11g Release 1 (11.1). It describes how to configure and use transparent data encryption services.
Chapter 4, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients"
This chapter describes how to configure data encryption and integrity within an existing Oracle Net Services 11g Release 1 (11.1) network.
Chapter 5, "Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients"
This chapter provides an overview of the Java implementation of Oracle Advanced Security, which lets Thin Java Database Connectivity (JDBC) clients securely connect to Oracle Database databases.
Part III, "Oracle Advanced Security Strong Authentication"
Chapter 6, "Configuring RADIUS Authentication"
This chapter describes how to configure Oracle for use with RADIUS (Remote Authentication Dial-In User Service). It provides an overview of how RADIUS works within an Oracle environment, and describes how to enable RADIUS authentication and accounting. It also introduces the challenge-response user interface that third party vendors can customize to integrate with third party authentication devices.
Chapter 7, "Configuring Kerberos Authentication"
This chapter describes how to configure Oracle for use with MIT Kerberos and provides a brief overview of steps to configure Kerberos to authenticate Oracle users. It also includes a brief section that discusses interoperability between the Oracle Advanced Security Kerberos adapter and a Microsoft KDC.
Chapter 8, "Configuring Secure Sockets Layer Authentication"
This chapter describes how Oracle Advanced Security supports a public key infrastructure (PKI). It includes a discussion of configuring and using the Secure Sockets Layer (SSL), certificate validation, and hardware security module support features of Oracle Advanced Security.
Chapter 9, "Using Oracle Wallet Manager"
This chapter describes how to use Oracle Wallet Manager to manage Oracle wallets and PKI credentials.
Chapter 10, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security"
This chapter describes the authentication methods that can be used with Oracle Advanced Security, and how to use conventional user name and password authentication. It also describes how to configure the network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.
Appendix A, "Data Encryption and Integrity Parameters"
This appendix describes Oracle Advanced Security data encryption and integrity configuration parameters.
Appendix B, "Authentication Parameters"
This appendix describes Oracle Advanced Security authentication configuration file parameters.
Appendix C, "Integrating Authentication Devices Using RADIUS"
This appendix explains how third party authentication device vendors can integrate their devices and customize the graphical user interface used in RADIUS challenge-response authentication.
Appendix D, "Oracle Advanced Security FIPS 140-1 Settings"
This appendix describes the sqlnet.ora
configuration parameters required to comply with the FIPS 140-1 Level 2 evaluated configuration.
Appendix E, "Oracle Advanced Security FIPS 140-2 Settings"
This appendix describes the configuration parameters required to comply with the FIPS 140-2 Level 2 evaluated configuration.
This appendix provides the syntax for the orapki
command line utility. This utility must be used to manage certificate revocation lists (CRLs). You can also use this utility to create and manage Oracle wallets; create certificate requests, signed certificates, and user certificates for testing purposes; and to export certificates and certificate requests from Oracle wallets.
Appendix G, "Entrust-Enabled SSL Authentication"
This appendix describes how to configure and use Entrust-enabled Oracle Advanced Security for Secure Sockets Layer (SSL) authentication.
For more information, refer to these Oracle resources:
Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.
Printed documentation is available for sale in the Oracle Store at
http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at
http://www.oracle.com/technology/membership/index.html
If you already have a user name and password for OTN, then you can go directly to the documentation section of the OTN Web site at
http://www.oracle.com/technology/documentation/index.html
For information from third-party vendors, refer to:
ACE/Server Administration Manual, from Security Dynamics
ACE/Server Client for UNIX, from Security Dynamics
ACE/Server Installation Manual, from Security Dynamics
RADIUS Administrator's Guide
Notes about building and installing Kerberos from Kerberos version 5 source distribution
Entrust/PKI for Oracle
Administering Entrust/PKI on UNIX
Application Environment Specification/Distributed Computing
For conceptual information about the network security technologies supported by Oracle Advanced Security, you can refer to the following third-party publications:
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. New York: John Wiley & Sons, 1996.
SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John Wiley & Sons, 2000.
Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D., Mark C. Smith, and Gordon S. Good . Indianapolis: New Riders Publishing, 1999.
Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New Riders Publishing, 1999.
This section describes the conventions used in the text and code examples of this documentation set. It describes:
Conventions in Text
We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.
Convention | Meaning | Example |
---|---|---|
Bold | Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both. | When you specify this clause, you create an index-organized table. |
Italics | Italic typeface indicates book titles or emphasis. | Oracle Database Concepts
Ensure that the recovery catalog and target database do not reside on the same disk. |
UPPERCASE monospace (fixed-width) font |
Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, data types, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, user names, and roles. | You can specify this clause only for a NUMBER column.
You can back up the database by using the Query the Use the |
lowercase monospace (fixed-width) font |
Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, user names and roles, program units, and parameter values.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown. |
Enter sqlplus to open SQL*Plus.
The password is specified in the Back up the data files and control files in the The Set the Connect as The |
lowercase italic monospace (fixed-width) font |
Lowercase italic monospace font represents placeholders or variables. | You can specify the parallel_clause .
Run |
Conventions in Code Examples
Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:
SELECT username FROM dba_users WHERE username = 'MIGRATE';
The following table describes typographic conventions used in code examples and provides examples of their use.
Convention | Meaning | Example |
---|---|---|
[ ] |
Brackets enclose one or more optional items. Do not enter the brackets. |
DECIMAL (digits [ , precision ]) |
{ } |
Braces enclose two or more items, one of which is required. Do not enter the braces. |
{ENABLE | DISABLE} |
| |
A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar. |
{ENABLE | DISABLE} [COMPRESS | NOCOMPRESS] |
... |
Horizontal ellipsis points indicate either:
|
CREATE TABLE ... AS subquery; SELECT col1, col2, ... , coln FROM employees; |
. . . |
Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example. |
SQL> SELECT NAME FROM V$DATAFILE; NAME ------------------------------------ /fsl/dbs/tbs_01.dbf /fs1/dbs/tbs_02.dbf . . . /fsl/dbs/tbs_09.dbf 9 rows selected. |
Other notation | You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown. |
acctbal NUMBER(11,2); acct CONSTANT NUMBER(4) := 3; |
Italics
|
Italicized text indicates placeholders or variables for which you must supply particular values. |
CONNECT SYSTEM/system_password DB_NAME = database_name |
UPPERCASE |
Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase. |
SELECT last_name, employee_id FROM employees; SELECT * FROM USER_TABLES; DROP TABLE hr.employees; |
lowercase |
Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files.
Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown. |
SELECT last_name, employee_id FROM employees; sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9; |
Conventions for Windows Operating Systems
The following table describes conventions for Windows operating systems and provides examples of their use.
Convention | Meaning | Example |
---|---|---|
Select Start | How to start a program. | To start the Database Configuration Assistant, Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, Database Configuration Assistant. |
File and directory names | File and directory names are not case sensitive. The following special characters are not allowed: left angle bracket (<), right angle bracket (>), colon (:), double quotation marks ("), slash (/), pipe (|), and dash (-). The special character backslash (\) is treated as an element separator, even when it appears in quotes. If the file name begins with \\, then Windows assumes it uses the Universal Naming Convention. |
c:\winnt"\"system32 is the same as C:\WINNT\SYSTEM32 |
C:\> |
Represents the Windows command prompt of the current hard disk drive. The escape character in a command prompt is the caret (^). Your prompt reflects the subdirectory in which you are working. Referred to as the command prompt in this manual. |
C:\oracle\oradata> |
Special characters | The backslash (\) special character is sometimes required as an escape character for the double quotation mark (") special character at the Windows command prompt. Parentheses and the single quotation mark (') do not require an escape character. Refer to your Windows operating system documentation for more information on escape and special characters. |
C:\>exp scott/tiger TABLES=emp QUERY=\"WHERE job='SALESMAN' and sal<1600\"
C:\>imp SYSTEM/password FROMUSER=scott TABLES=(emp, dept)
|
HOME_NAME
|
Represents the Oracle home name. The home name can be up to 16 alphanumeric characters. The only special character allowed in the home name is the underscore. |
C:\> net start OracleHOME_NAMETNSListener
|
ORACLE_HOME and ORACLE_BASE |
In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows, the default location was C:\orant .
This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level All directory path examples in this guide follow OFA conventions. Refer to Oracle Database Platform Guide for Windows for additional information about OFA compliances and for information about installing Oracle products in non-OFA compliant directories. |
Go to the ORACLE_BASE \ ORACLE_HOME \rdbms\admin directory. |