Oracle® Database Advanced Security Administrator's Guide 11g Release 1 (11.1) Part Number B28530-01 |
|
|
View PDF |
This appendix illustrates some sample configuration files with the profile file (sqlnet.ora
) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication.
This appendix contains the following topics:
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using RADIUS Authentication
Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.
Table B-1 Kerberos Authentication Parameters
File Name | Configuration Parameters |
---|---|
|
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC SQLNET.KERBEROS5_CLOCKSKEW=1200 SQLNET.KERBEROS5_CONF=/krb5/krb.conf SQLNET.KERBEROS5_CONF_MIT=(FALSE) SQLNET.KERBEROS5_REALMS=/krb5/krb.realms SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab |
|
REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX="" |
The following sections describe the parameters for RADIUS authentication
The following sections describe the sqlnet.ora
parameters that are used to specify RADIUS authentication.
This parameter configures the client or the server to use the RADIUS adapter. Table B-2 describes this parameter's attributes.
This parameter sets the location of the primary RADIUS server, either host name or dotted decimal format. If the RADIUS server is on a different computer from the Oracle server, you must specify either the host name or the IP address of that computer. Table B-3 describes this parameter's attributes.
This parameter sets the listening port of the primary RADIUS server. Table B-4 describes this parameter's attributes.
This parameter sets the time to wait for response. Table B-5 describes this parameter's attributes.
This parameter sets the number of times to resend authentication information. Table B-6 describes this parameter's attributes.
This parameter turns accounting on and off. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. By default, packets are sent to port 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system. Table B-7 describes this parameter's attributes.
This parameter specifies the file name and location of the RADIUS secret key. Table B-8 describes this parameter's attributes.
This parameter sets the location of an alternate RADIUS server to be used in case the primary server becomes unavailable for fault tolerance. Table B-9 describes this parameter's attributes.
This parameter sets the listening port for the alternate RADIUS server. Table B-10 describes this parameter's attributes.
This parameter sets the time to wait for response for the alternate RADIUS server. Table B-11 describes this parameter's attributes.
This parameter sets the number of times that the alternate RADIUS server resends messages. Table B-12 describes this parameter's attributes.
This parameter turns on or turns off the challenge-response or asynchronous mode support. Table B-13 describes this parameter's attributes.
This parameter sets the keyword to request a challenge from the RADIUS server. User types no password on the client. Table B-14 describes this parameter's attributes.
This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B-15 describes this parameter's attributes.
If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH
parameter in the sqlnet.ora
file to set the path for the Java classes for that graphical interface, and to set the path to the JDK Java libraries. Table B-16 describes this parameter's attributes.
sqlnet.authentication_services = (radius) sqlnet.radius.authentication = IP-address-of-RADIUS-server sqlnet.radius_challenge_response = ON
There are two ways to configure a parameter:
Static: The name of the parameter that exists in the sqlnet.ora
file.
Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.
This section describes the static and dynamic parameters for configuring SSL on the server.
Attribute | Description |
---|---|
Parameter Name (static) | SQLNET.AUTHENTICATION_SERVICES |
Parameter Name (dynamic) | AUTHENTICATION |
Parameter Type | String LIST |
Parameter Class | Static |
Permitted Values | Add TCPS to the list of available authentication services. |
Default Value | No default value. |
Description | To control which authentication services a user wants to use.
Note: The dynamic version supports only the setting of one type. |
Existing/New Parameter |
Existing |
Syntax (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2) |
Example (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) |
Syntax (dynamic) | AUTHENTICATION = string |
Example (dynamic) |
AUTHENTICATION = (TCPS) |
This section describes the static and dynamic parameters for configuring cipher suites.
Attribute | Description |
---|---|
Parameter Name (static) | SSL_CIPHER_SUITES |
Parameter Name (dynamic) | SSL_CIPHER_SUITES |
Parameter Type | String LIST |
Parameter Class | Static |
Permitted Values | Any known SSL cipher suite |
Default Value | No default |
Description | Controls the combination of encryption and data integrity used by SSL. |
Existing/New Parameter | Existing |
Syntax (static) | SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN]) |
Example (static) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
Syntax (dynamic) | SSL_CIPHER_SUITES=(SSL_cipher_suite1
[, SSL_cipher_suite2, ...SSL_cipher_suiteN]) |
Example (dynamic) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
Oracle Advanced Security supports the following cipher suites:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
Note that the cipher suites that use Advanced Encryption Standard (AES
) work with Transport Layer Security (TLS 1.0) only.
This section describes the static and dynamic parameters for configuring the version of SSL to be used.
Attribute | Description |
---|---|
Parameter Name (static) | SSL_VERSION |
Parameter Name (dynamic) | SSL_VERSION |
Parameter Type | string |
Parameter Class | Static |
Permitted Values | Any version which is valid to SSL. (0, 3.0) |
Default Value | "0" |
Description | To force the version of the SSL connection. |
Existing/New Parameter | New |
Syntax (static) | SSL_VERSION=version |
Example (static) | SSL_VERSION=3.0 |
Syntax (dynamic) | SSL_VERSION=version |
Example (dynamic) | SSL_VERSION=3.0 |
This section describes the static and dynamic parameters for configuring SSL on the client.
Attribute | Description |
---|---|
Parameter Name (static) | SSL_CLIENT_AUTHENTICATION |
Parameter Name (dynamic) | SSL_CLIENT_AUTHENTICATION |
Parameter Type | Boolean |
Parameter Class | Static |
Permitted Values | TRUE/FALSE |
Default Value | TRUE |
Description | To control whether a client, in addition to the server, is authenticated using SSL. |
Existing/New Parameter | New |
Syntax (static) | SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} |
Example (static) | SSL_CLIENT_AUTHENTICATION=FALSE |
Syntax (dynamic) | SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} |
Example (dynamic) | SSL_CLIENT_AUTHENTICATION=FALSE |
This section describes the parameters that are used to validate the identity of a server that the client connects to.
Attribute | Description |
---|---|
Parameter Name | SSL_SERVER_DN_MATCH |
Where stored | sqlnet.ora |
Purpose | Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verifications, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection, regardless of whether there is a match. Not forcing the match lets the server potentially fake its identity. |
Values | yes|on|true . Specify to enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails.
|
Default | Oracle8i, or later:.FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to sqlnet.log file. |
Usage Notes | Additionally configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching. |
Attribute | Description |
---|---|
Parameter Name | SSL_SERVER_CERT_DN |
Where stored | tnsnames.ora . It can be stored on the client, for every server it connects to, or it can be stored in the LDAP directory, for every server it connects to, updated centrally. |
Purpose | This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers to force the server's DN to match its service name. |
Values | Set equal to distinguished name (DN) of the server. |
Default | n/a |
Usage Notes | Additionally configure the sqlnet.ora parameter SSL_SERVER_DN_MATCH to enable server DN matching. |
Example | dbalias=(description=address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_CERT_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")) |
For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-17 in each of the following configuration files:
sqlnet.ora
listener.ora
Table B-17 Wallet Location Parameters
Static Configuration | Dynamic Configuration |
---|---|
|
|
The default wallet location is the ORACLE_HOME
directory.