Oracle Database Advanced Security Administrator’s Guide Adv Sec 01 PDF 112 E40393 10
User Manual:
Open the PDF directly: View PDF .
Page Count: 366
Download | |
Open PDF In Browser | View PDF |
Oracle® Database Advanced Security Administrator’s Guide 11g Release 2 (11.2) E40393-10 March 2016 Oracle Database Advanced Security Administrator's Guide 11g Release 2 (11.2) E40393-10 Copyright © 1996, 2016, Oracle and/or its affiliates. All rights reserved. Primary Author: Sumit Jeloka Contributors: Min-Hank Ho, Peter Knaggs, Adam Lee, Dah-Yoh Lim, Rahil Mir, Gopal Mulagund, Paul Needham, Vikram Pesati, Paul Youn, Peter Wahl This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. Contents Preface ............................................................................................................................................................... xxi Audience..................................................................................................................................................... xxi Documentation Accessibility ................................................................................................................... xxi Related Documentation ........................................................................................................................... xxii Conventions ............................................................................................................................................. xxiii What's New in Oracle Advanced Security? .............................................................................. xxv Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security................. xxv Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security ................ xxvi Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security...................... xxvii Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security..................... xxviii Part I 1 Getting Started with Oracle Advanced Security Introduction to Oracle Advanced Security Security Challenges in an Enterprise Environment .......................................................................... 1-1 Security in Enterprise Grid Computing Environments................................................................ 1-1 Security in an Intranet or Internet Environment ........................................................................... 1-2 Common Security Threats ................................................................................................................ 1-2 Eavesdropping and Data Theft ................................................................................................. 1-2 Data Tampering .......................................................................................................................... 1-2 Falsifying User Identities ........................................................................................................... 1-3 Password-Related Threats ......................................................................................................... 1-3 Solving Security Challenges with Oracle Advanced Security ........................................................ 1-3 Data Encryption.................................................................................................................................. 1-3 Supported Encryption Algorithms........................................................................................... 1-4 Data Integrity............................................................................................................................... 1-5 Federal Information Processing Standard............................................................................... 1-5 Strong Authentication ....................................................................................................................... 1-5 Centralized Authentication and Single Sign-On .................................................................... 1-6 Supported Authentication Methods ........................................................................................ 1-8 Oracle Advanced Security Architecture............................................................................................... 1-9 System Requirements........................................................................................................................... 1-10 Oracle Advanced Security Restrictions............................................................................................. 1-11 iii 2 Configuration and Administration Tools Overview Network Encryption and Strong Authentication Configuration Tools......................................... Oracle Net Manager........................................................................................................................... Starting Oracle Net Manager..................................................................................................... Navigating to the Oracle Advanced Security Profile ............................................................ Oracle Advanced Security Profile Property Sheets................................................................ Oracle Advanced Security Kerberos Adapter Command-Line Utilities.................................... Public Key Infrastructure Credentials Management Tools ............................................................. Oracle Wallet Manager...................................................................................................................... Starting Oracle Wallet Manager................................................................................................ Navigating the Oracle Wallet Manager User Interface ......................................................... Toolbar.......................................................................................................................................... Menus ........................................................................................................................................... orapki Utility....................................................................................................................................... Duties of a Security Administrator/DBA ............................................................................................ Part II 2-1 2-1 2-2 2-2 2-3 2-4 2-4 2-4 2-5 2-5 2-7 2-7 2-9 2-9 Oracle Data Redaction 3 Introduction to Oracle Data Redaction What Is Oracle Data Redaction? ............................................................................................................ When to Use Oracle Data Redaction .................................................................................................... Benefits of Using Oracle Data Redaction ............................................................................................ Target Use Cases for Oracle Data Redaction ...................................................................................... Using Oracle Data Redaction with Database Applications ......................................................... Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries ............ 3-1 3-2 3-2 3-2 3-2 3-3 4 Oracle Data Redaction Features and Capabilities Using Full Data Redaction to Redact All Data ................................................................................... Using Partial Data Redaction to Redact Sections of Data ................................................................ Using Regular Expressions to Redact Patterns of Data .................................................................... Using Random Data Redaction to Generate Random Values......................................................... Comparison of Full, Partial, and Random Redaction Based on Data Types ................................ Redaction Capabilities for Oracle Built-in Data Types................................................................. Redaction Capabilities for the ANSI Data Types .......................................................................... Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types............... Using No Redaction for Testing Purposes .......................................................................................... 4-1 4-2 4-3 4-4 4-4 4-5 4-5 4-6 4-6 5 Configuring Oracle Data Redaction Policies About Oracle Data Redaction Policies ................................................................................................. Who Can Create Oracle Data Redaction Policies? ............................................................................. Planning the Creation of an Oracle Data Redaction Policy ............................................................. General Syntax of the DBMS_REDACT.ADD_POLICY Procedure.............................................. Using Expressions to Define Conditions for Data Redaction Policies .......................................... About Using Expressions in Data Redaction Policies................................................................... Applying the Redaction Policy Based on User Environment...................................................... Applying the Redaction Policy Based on Database Role ............................................................. iv 5-1 5-2 5-2 5-3 5-5 5-5 5-6 5-6 Applying the Redaction Policy Based on Oracle Application Express Session States............. 5-6 Applying the Redaction Policy with No Filtering......................................................................... 5-7 Creating a Full Redaction Policy and Altering the Default Full Redaction Value ..................... 5-7 Creating a Full Redaction Policy...................................................................................................... 5-7 About Creating Full Data Redaction Policies ......................................................................... 5-7 Syntax for Creating a Full Redaction Policy ........................................................................... 5-8 Examples of Full Data Redaction Policies ............................................................................... 5-8 Altering the Default Full Data Redaction Value............................................................................ 5-9 About Altering the Default Full Data Redaction Value ........................................................ 5-9 Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns..... 5-10 Altering the Default Full Data Redaction Value for LOB Data Type Columns.............. 5-11 Creating a Partial Redaction Policy ................................................................................................... 5-12 About Creating Partial Redaction Policies .................................................................................. 5-12 Syntax for Creating a Partial Redaction Policy........................................................................... 5-12 Creating Partial Redaction Policies Using Fixed Character Shortcuts .................................... 5-13 Settings for Fixed Character Shortcuts.................................................................................. 5-13 Example of a Partial Redaction Policy Using a Fixed Character Shortcut ...................... 5-14 Creating Partial Redaction Policies Using Character Data Types ........................................... 5-15 Settings for Character Data Types ......................................................................................... 5-15 Example of a Partial Redaction Policy Using Character a Data Type.............................. 5-16 Creating Partial Redaction Policies Using Number Data Types.............................................. 5-16 Settings for Number Data Types ........................................................................................... 5-16 Example of a Partial Redaction Policy Using a Number Data Type ................................ 5-17 Creating Partial Redaction Policies Using Date-Time Data Types .......................................... 5-17 Settings for Date-Time Data Types........................................................................................ 5-17 Example of a Partial Redaction Policy Using Date-Time Data Type ............................... 5-18 Creating a Regular Expression-Based Redaction Policy................................................................ 5-18 About Creating Regular Expression-Based Redaction Policies................................................ 5-19 Syntax for Creating a Regular Expression-Based Redaction Policy ........................................ 5-19 Creating Regular Expression-Based Redaction Policies Using Shortcuts............................... 5-20 Regular Expression Shortcuts ................................................................................................ 5-20 Example of a Regular Expression Redaction Policy Using Shortcuts .............................. 5-22 Creating Custom Regular Expression Redaction Policies......................................................... 5-23 Settings for Custom Regular Expressions ............................................................................ 5-23 Example of a Custom Regular Expression Redaction Policy ............................................ 5-24 Creating a Random Redaction Policy................................................................................................ 5-24 About Creating Random Redaction Policies............................................................................... 5-24 Syntax for Creating a Random Redaction Policy ....................................................................... 5-24 Example of a Random Redaction Policy...................................................................................... 5-25 Creating a Policy That Uses No Redaction....................................................................................... 5-25 About Creating Policies That Use No Redaction........................................................................ 5-25 Syntax for Creating a Policy with No Redaction........................................................................ 5-26 Example of Performing No Redaction ......................................................................................... 5-26 Exempting Users from Oracle Data Redaction Policies................................................................. 5-26 Altering an Oracle Data Redaction Policy........................................................................................ 5-27 About Altering an Oracle Data Redaction Policy....................................................................... 5-27 Syntax for the DBMS_REDACT.ALTER_POLICY Procedure.................................................. 5-28 v Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions..................... Example of Altering an Oracle Data Redaction Policy.............................................................. Redacting Multiple Columns.............................................................................................................. Disabling and Enabling an Oracle Data Redaction Policy ........................................................... Disabling an Oracle Data Redaction Policy................................................................................. Enabling an Oracle Data Redaction Policy.................................................................................. Dropping an Oracle Data Redaction Policy ..................................................................................... Example: How Oracle Data Redaction Affects Tables and Views .............................................. Example: Using SQL Expressions to Build Reports with Redacted Values .............................. Finding Information About Oracle Data Redaction Policies ....................................................... 5-28 5-29 5-30 5-31 5-31 5-32 5-32 5-33 5-36 5-37 6 Oracle Data Redaction Use with Oracle Database Features Oracle Data Redaction and DML and DDL Operations................................................................... Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause ............. Oracle Data Redaction and Aggregate Functions .............................................................................. Oracle Data Redaction and Object Types............................................................................................ Oracle Data Redaction and Editions..................................................................................................... Oracle Data Redaction and Oracle Virtual Private Database .......................................................... Oracle Data Redaction and Oracle Database Vault........................................................................... Oracle Data Redaction and the EXPDP Utility access_method Parameter ................................... Oracle Data Redaction and Data Masking and Subsetting Pack.................................................... 6-1 6-2 6-2 6-2 6-2 6-2 6-3 6-3 6-3 7 Security Guidelines for Oracle Data Redaction General Usage Guidelines...................................................................................................................... Restricting Administrative Access to Oracle Data Redaction Policies .......................................... How Oracle Data Redaction Affects the SYS, SYSTEM and Default Schemas........................... Writing Policy Expressions That Depend on SYS_CONTEXT Attributes.................................... Creating Policies on Materialized Views ............................................................................................ Dropping Policies When the Recycle Bin Is Enabled ....................................................................... Part III 8 Data Encryption and Integrity Securing Stored Data Using Transparent Data Encryption About Transparent Data Encryption .................................................................................................... Benefits of Using Transparent Data Encryption............................................................................ Types of Transparent Data Encryption........................................................................................... TDE Column Encryption ........................................................................................................... TDE Tablespace Encryption ...................................................................................................... Using Transparent Data Encryption ..................................................................................................... Enabling Transparent Data Encryption .......................................................................................... Specifying a Wallet Location for Transparent Data Encryption .......................................... Using Wallets with Automatic Login Enabled ....................................................................... Setting and Resetting the Master Encryption Key ........................................................................ Setting the Master Encryption Key........................................................................................... Resetting the Master Encryption Key ...................................................................................... Opening and Closing the Encrypted Wallet .................................................................................. vi 7-1 7-2 7-2 7-2 7-3 7-3 8-1 8-1 8-2 8-2 8-3 8-5 8-5 8-5 8-5 8-6 8-6 8-7 8-7 Encrypting Columns in Tables......................................................................................................... 8-8 Creating Tables with Encrypted Columns .............................................................................. 8-9 Encrypting Columns in Existing Tables ............................................................................... 8-12 Creating an Index on an Encrypted Column ....................................................................... 8-13 Adding or Removing Salt from an Encrypted Column ..................................................... 8-13 Changing the Encryption Key or Algorithm for Tables with Encrypted Columns ....... 8-14 Data Types That Can Be Encrypted with TDE Column Encryption ................................ 8-14 Restrictions on Using TDE Column Encryption ................................................................. 8-15 Encrypting Entire Tablespaces ...................................................................................................... 8-15 Setting the Tablespace Master Encryption Key ................................................................... 8-16 Opening the Oracle Wallet ..................................................................................................... 8-16 Creating an Encrypted Tablespace........................................................................................ 8-17 Restrictions on Using TDE Tablespace Encryption ............................................................ 8-19 Using Hardware Security Modules with TDE............................................................................ 8-19 Set the ENCRYPTION_WALLET_LOCATION Parameter in the sqlnet.ora File .......... 8-19 Copy the PKCS#11 Library to Its Correct Path.................................................................... 8-20 Set Up the HSM........................................................................................................................ 8-20 Generate a Master Encryption Key for HSM-Based Encryption....................................... 8-21 Reconfigure the Software Wallet (Optional)........................................................................ 8-21 Ensure that the HSM Is Accessible ........................................................................................ 8-22 Encrypt and Decrypt Data ...................................................................................................... 8-23 Using Transparent Data Encryption with Oracle RAC ............................................................. 8-23 Using a Non-Shared File System to Store the Wallet ......................................................... 8-23 Managing Transparent Data Encryption .......................................................................................... 8-23 Oracle Wallet Management ........................................................................................................... 8-24 Specifying a Separate Wallet for Transparent Data Encryption ....................................... 8-24 Using an Auto Login Wallet................................................................................................... 8-24 Creating Wallets....................................................................................................................... 8-25 Backup and Recovery of Master Encryption Keys..................................................................... 8-25 Backup and Recovery of Oracle Wallet ................................................................................ 8-25 Backup and Recovery of PKI Key Pair.................................................................................. 8-26 Export and Import of Tables with Encrypted Columns ............................................................ 8-26 Performance and Storage Overheads........................................................................................... 8-28 Performance Overheads.......................................................................................................... 8-28 Storage Overheads................................................................................................................... 8-29 Security Considerations ................................................................................................................. 8-29 Using Transparent Data Encryption in a Multi-Database Environment ................................ 8-30 Replication in Distributed Environments.................................................................................... 8-30 Compression and Data Deduplication of Encrypted Data ....................................................... 8-31 Transparent Data Encryption with OCI ...................................................................................... 8-31 Transparent Data Encryption in a Multi-Database Environment............................................ 8-31 Transparent Data Encryption Data Dictionary Views............................................................... 8-32 Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption . 8-34 Prepare the Database for Transparent Data Encryption ........................................................... 8-35 Specify an Oracle Wallet Location in the sqlnet.ora File.................................................... 8-35 Create the Master Encryption Key ........................................................................................ 8-35 Open the Oracle Wallet ........................................................................................................... 8-35 vii Create a Table with an Encrypted Column ................................................................................. Create an Index on an Encrypted Column .................................................................................. Alter a Table to Encrypt an Existing Column ............................................................................. Create an Encrypted Tablespace................................................................................................... Create a Table in an Encrypted Tablespace................................................................................. Troubleshooting Transparent Data Encryption .............................................................................. Transparent Data Encryption Reference Information ................................................................... Supported Encryption and Integrity Algorithms....................................................................... Quick Reference: Transparent Data Encryption SQL Commands........................................... 8-36 8-36 8-37 8-37 8-37 8-38 8-42 8-43 8-43 9 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients Oracle Advanced Security Encryption ................................................................................................. Advanced Encryption Standard ...................................................................................................... Triple-DES Support ........................................................................................................................... Oracle Advanced Security Data Integrity............................................................................................ Data Integrity Algorithms Supported............................................................................................. Diffie-Hellman Based Key Negotiation .............................................................................................. Authentication Key Fold-in .............................................................................................................. How To Configure Data Encryption and Integrity............................................................................ About Activating Encryption and Integrity ................................................................................... About Negotiating Encryption and Integrity ................................................................................ REJECTED.................................................................................................................................... ACCEPTED.................................................................................................................................. REQUESTED................................................................................................................................ REQUIRED................................................................................................................................... Configuring Encryption and Integrity Parameters Using Oracle Net Manager....................... Configuring Encryption on the Client and the Server........................................................... Configuring Integrity on the Client and the Server............................................................... 9-1 9-1 9-2 9-2 9-2 9-2 9-3 9-3 9-3 9-4 9-4 9-4 9-5 9-5 9-6 9-6 9-7 10 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients About the Java Implementation ......................................................................................................... Java Database Connectivity Support............................................................................................ Securing Thin JDBC ........................................................................................................................ Implementation Overview............................................................................................................. Obfuscation ...................................................................................................................................... Configuration Parameters.................................................................................................................... CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter ................... CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter .................... CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter....................... CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter ....................... CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter .. AnoServices Constants ................................................................................................................... Part IV viii Oracle Advanced Security Strong Authentication 10-1 10-1 10-2 10-3 10-3 10-3 10-3 10-4 10-4 10-5 10-5 10-5 11 Configuring RADIUS Authentication About RADIUS...................................................................................................................................... RADIUS Authentication Modes ........................................................................................................ Synchronous Authentication Mode.............................................................................................. Challenge-Response (Asynchronous) Authentication Mode ................................................... Enabling RADIUS Authentication, Authorization, and Accounting ......................................... Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client ................. Step 2: Configure RADIUS Authentication ................................................................................. Step 2A: Configure RADIUS on the Oracle Client.............................................................. Step 2B: Configure RADIUS on the Oracle Database Server............................................. Step 2C: Configure Additional RADIUS Features ............................................................ Step 3: Create a User and Grant Access ..................................................................................... Step 4: Configure External RADIUS Authorization (optional) .............................................. Step 4A: Configure the Oracle Server (RADIUS Client) .................................................. Step 4B: Configure the Oracle Client Where Users Log In .............................................. Step 4C: Configure the RADIUS Server.............................................................................. Step 5: Configure RADIUS Accounting ..................................................................................... Step 5A: Set RADIUS Accounting on the Oracle Database Server ................................. Step 5B: Configure the RADIUS Accounting Server ........................................................ Step 6: Add the RADIUS Client Name to the RADIUS Server Database ............................. Step 7: Configure the Authentication Server for Use with RADIUS ..................................... Step 8: Configure the RADIUS Server for Use with the Authentication Server .................. Step 9: Configure Mapping Roles ............................................................................................... Using RADIUS to Log In to a Database.......................................................................................... RSA ACE/Server Configuration Checklist..................................................................................... 12 11-1 11-2 11-3 11-4 11-7 11-7 11-7 11-7 11-8 11-10 11-12 11-13 11-13 11-13 11-13 11-14 11-14 11-15 11-15 11-15 11-16 11-16 11-17 11-17 Configuring Kerberos Authentication Enabling Kerberos Authentication ................................................................................................... Step 1: Install Kerberos ................................................................................................................... Step 2: Configure a Service Principal for an Oracle Database Server...................................... Step 3: Extract a Service Key Table from Kerberos .................................................................... Step 4: Install an Oracle Database Server and an Oracle Client ............................................... Step 5: Install Oracle Net Services and Oracle Advanced Security ......................................... Step 6: Configure Oracle Net Services and Oracle Database.................................................... Step 7: Configure Kerberos Authentication ................................................................................ Step 7A: Configure Kerberos on the Client and on the Database Server ........................ Step 7B: Set the Initialization Parameters............................................................................. Step 7C: Set sqlnet.ora Parameters (Optional)..................................................................... Step 8: Create a Kerberos User ...................................................................................................... Step 9: Create an Externally Authenticated Oracle User........................................................... Step 10: Get an Initial Ticket for the Kerberos/Oracle User ..................................................... Utilities for the Kerberos Authentication Adapter......................................................................... Obtaining the Initial Ticket with the okinit Utility .................................................................... Displaying Credentials with the oklist Utility ............................................................................ Removing Credentials from the Cache File with the okdstry Utility ................................... Connecting to an Oracle Database Server Authenticated by Kerberos................................. 12-1 12-1 12-2 12-2 12-3 12-3 12-3 12-4 12-4 12-5 12-6 12-7 12-8 12-8 12-8 12-9 12-9 12-10 12-10 ix Configuring Interoperability with a Windows 2000 Domain Controller KDC ...................... Step 1: Configure Oracle Kerberos Client for a Windows 2000 Domain Controller KDC . Step 1A: Create the Client Kerberos Configuration Files................................................. Step 2A: Specify the Oracle Configuration Parameters in the sqlnet.ora File............... Step 3A: Specify the Listening Port Number ..................................................................... Step 2: Configure a Windows 2000 Domain Controller KDC for the Oracle Client............ Step 2A: Create the User ....................................................................................................... Step 2B: Create the Oracle Database Principal .................................................................. Step 3: Configure Oracle Database for a Windows 2000 Domain Controller KDC............. Step 3A: Set Configuration Parameters in the sqlnet.ora File ......................................... Step 3B: Create an Externally Authenticated Oracle User ............................................... Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User ............................................... Configuring Kerberos Authentication Fallback Behavior .......................................................... Troubleshooting the Oracle Kerberos Authentication Configuration ..................................... 13 Configuring Secure Sockets Layer Authentication Secure Sockets Layer and Transport Layer Security ...................................................................... The Difference Between Secure Sockets Layer and Transport Layer Security ...................... How Oracle Database Uses Secure Sockets Layer for Authentication.................................... How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake............ Public Key Infrastructure in an Oracle Environment .................................................................... About Public Key Infrastructure in an Oracle Environment .................................................... About Public Key Cryptography .................................................................................................. Public Key Infrastructure Components in an Oracle Environment ........................................ Certificate Authority................................................................................................................ Certificates ................................................................................................................................ Certificate Revocation Lists .................................................................................................... Wallets ....................................................................................................................................... Hardware Security Modules .................................................................................................. Secure Sockets Layer Combined with Other Authentication Methods ..................................... Architecture: Oracle Advanced Security and Secure Sockets Layer ....................................... How Secure Sockets Layer Works with Other Authentication Methods ............................... Secure Sockets Layer and Firewalls................................................................................................... Secure Sockets Layer Usage Issues .................................................................................................... Enabling Secure Sockets Layer........................................................................................................... Step 1: Install Oracle Advanced Security and Related Products.............................................. Step 2: Configure Secure Sockets Layer on the Server............................................................... Step 2A: Confirm Wallet Creation on the Server ................................................................ Step 2B: Specify the Database Wallet Location on the Server ........................................... Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional) ............ Step 2D: Set the Required SSL Version on the Server (Optional) ................................... Step 2E: Set SSL Client Authentication on the Server (Optional) ................................... Step 2F: Set SSL as an Authentication Service on the Server (Optional) ....................... Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server........ Step 3: Configure Secure Sockets Layer on the Client ............................................................. Step 3A: Confirm Client Wallet Creation ........................................................................... Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client .............. x 12-10 12-11 12-11 12-11 12-12 12-12 12-12 12-12 12-13 12-13 12-13 12-13 12-13 12-14 13-1 13-1 13-2 13-3 13-3 13-3 13-3 13-4 13-4 13-5 13-5 13-5 13-6 13-6 13-7 13-7 13-7 13-8 13-8 13-9 13-9 13-9 13-9 13-10 13-12 13-13 13-14 13-14 13-14 13-14 13-15 Step 3C: Specify Required Client SSL Configuration (Wallet Location)........................ Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)......................... Step 3E: Set the Required SSL Version on the Client (Optional)..................................... Step 3F: Set SSL as an Authentication Service on the Client (Optional) ........................ Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)... Step 4: Log on to the Database Instance..................................................................................... Troubleshooting Secure Sockets Layer........................................................................................... Certificate Validation with Certificate Revocation Lists............................................................. About Certificate Validation with Certificate Revocation Lists ............................................. What CRLs Should You Use? ...................................................................................................... How CRL Checking Works ......................................................................................................... Configuring Certificate Validation with Certificate Revocation Lists .................................. About Configuring Certificate Validation with Certificate Revocation Lists ............... Enabling Certificate Revocation Status Checking for the Client or Server ................... Disabling Certificate Revocation Status Checking............................................................ Certificate Revocation List Management................................................................................... About Certificate Revocation Management....................................................................... Displaying orapki Help for Commands That Manage CRLs .......................................... Renaming CRLs with a Hash Value for Certificate Validation....................................... Uploading CRLs to Oracle Internet Directory................................................................... Listing CRLs Stored in Oracle Internet Directory ............................................................. Viewing CRLs in Oracle Internet Directory ....................................................................... Deleting CRLs from Oracle Internet Directory.................................................................. Troubleshooting Certificate Validation ..................................................................................... Oracle Net Tracing File Error Messages Associated with Certificate Validation......... Configuring Your System to Use Hardware Security Modules ................................................. About Configuring Your System to Use Hardware Security Modules................................. Guidelines for Using Hardware Security Modules with Oracle Advanced Security ......... Configuring Your System to Use nCipher Hardware Security Modules ............................. About Configuring Your System to Use nCipher Hardware Security Modules.......... Oracle Components Required To Use an nCipher Hardware Security Module .......... About Installing an nCipher Hardware Security Module ............................................... Configuring Your System to Use SafeNET Hardware Security Modules ............................ About Configuring Your System to Use SafeNet Hardware Security Modules .......... Oracle Components for the SafeNET Luna SA Hardware Security Module ................ About Installing a SafeNET Hardware Security Module ................................................ Troubleshooting Using Hardware Security Modules.............................................................. Errors in the Oracle Net Trace Files .................................................................................... Error Messages Associated with Using Hardware Security Modules ........................... Configuring SSL in an Oracle Real Application Clusters Environment.................................. Step 1: Configure the TCPS Protocol Endpoints....................................................................... Step 2: Update the Local Listener Parameter on Each Oracle RAC Node ............................ Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients .................. Creating the SSL Certificate for Each Cluster and for the Test Client............................ Signing Each User Certificate............................................................................................... Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet .............. Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files ............................... 13-16 13-18 13-20 13-20 13-20 13-21 13-21 13-24 13-24 13-25 13-25 13-26 13-26 13-26 13-28 13-28 13-28 13-29 13-29 13-30 13-30 13-31 13-31 13-32 13-32 13-34 13-34 13-34 13-35 13-35 13-35 13-35 13-36 13-36 13-36 13-37 13-37 13-37 13-37 13-38 13-39 13-40 13-42 13-42 13-43 13-44 13-45 xi Step 6: Restart the Database Instances and Listeners............................................................... 13-46 Step 7: Test the Configuration from a Cluster Node................................................................ 13-46 Step 8: Test the Configuration from a Remote Client .............................................................. 13-47 14 Using Oracle Wallet Manager Oracle Wallet Manager Overview...................................................................................................... Wallet Password Management ..................................................................................................... Strong Wallet Encryption............................................................................................................... Microsoft Windows Registry Wallet Storage.............................................................................. Options Supported:.................................................................................................................. Backward Compatibility ................................................................................................................ Public-Key Cryptography Standards (PKCS) Support.............................................................. Multiple Certificate Support.......................................................................................................... LDAP Directory Support ............................................................................................................... Starting Oracle Wallet Manager ......................................................................................................... How to Create a Complete Wallet: Process Overview ................................................................... Managing Wallets ................................................................................................................................. Required Guidelines for Creating Wallet Passwords ................................................................ Creating a New Wallet ................................................................................................................... Creating a Standard Wallet .................................................................................................... Creating a Wallet to Store Hardware Security Module Credentials ................................ Opening an Existing Wallet ........................................................................................................... Closing a Wallet............................................................................................................................. Exporting Oracle Wallets to Third-Party Environments......................................................... Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 ...................................... Uploading a Wallet to an LDAP Directory ............................................................................... Downloading a Wallet from an LDAP Directory..................................................................... Saving Changes ............................................................................................................................. Saving the Open Wallet to a New Location .............................................................................. Saving in System Default ............................................................................................................. Deleting the Wallet ....................................................................................................................... Changing the Password ............................................................................................................... Using Auto Login.......................................................................................................................... Enabling Auto Login ............................................................................................................. Disabling Auto Login ............................................................................................................ Managing Certificates ........................................................................................................................ Managing User Certificates ......................................................................................................... Adding a Certificate Request ............................................................................................... Importing the User Certificate into the Wallet .................................................................. Importing Certificates and Wallets Created by Third Parties ........................................ Removing a User Certificate from a Wallet ....................................................................... Removing a Certificate Request........................................................................................... Exporting a User Certificate ................................................................................................. Exporting a User Certificate Request .................................................................................. Managing Trusted Certificates.................................................................................................... Importing a Trusted Certificate ........................................................................................... Removing a Trusted Certificate ........................................................................................... xii 14-1 14-2 14-2 14-2 14-2 14-3 14-3 14-3 14-5 14-6 14-6 14-7 14-7 14-8 14-8 14-8 14-9 14-10 14-10 14-10 14-11 14-11 14-12 14-12 14-13 14-13 14-13 14-14 14-14 14-14 14-14 14-15 14-15 14-17 14-18 14-19 14-20 14-20 14-20 14-20 14-21 14-21 Exporting a Trusted Certificate............................................................................................ 14-22 Exporting All Trusted Certificates....................................................................................... 14-22 15 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security Connecting with User Name and Password..................................................................................... Disabling Oracle Advanced Security Authentication.................................................................... Configuring Multiple Authentication Methods ............................................................................. Configuring Oracle Database for External Authentication ......................................................... Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora .................. Setting OS_AUTHENT_PREFIX to a Null Value ....................................................................... Part V A Appendixes Data Encryption and Integrity Parameters Sample sqlnet.ora File ............................................................................................................................ Data Encryption and Integrity Parameters......................................................................................... SQLNET.ENCRYPTION_SERVER Parameter.............................................................................. SQLNET.ENCRYPTION_CLIENT Parameter .............................................................................. SQLNET.SSL_EXTENDED_KEY_USAGE Parameter ................................................................. SQLNET.CRYPTO_CHECKSUM_SERVER Parameter............................................................... SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter ............................................................... SQLNET.ENCRYPTION_TYPES_SERVER Parameter................................................................ SQLNET.ENCRYPTION_TYPES_CLIENT Parameter ................................................................ SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter................................................. SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter ................................................. B 15-1 15-1 15-2 15-3 15-3 15-3 A-1 A-2 A-3 A-4 A-4 A-4 A-4 A-5 A-5 A-6 A-6 Authentication Parameters Parameters for Clients and Servers using Kerberos Authentication ........................................... Parameters for Clients and Servers using RADIUS Authentication............................................. sqlnet.ora File Parameters................................................................................................................ SQLNET.AUTHENTICATION_SERVICES Parameter........................................................ SQLNET.RADIUS_AUTHENTICATION Parameter ........................................................... SQLNET.RADIUS_AUTHENTICATION_PORT Parameter .............................................. SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter ...................................... SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter ......................................... SQLNET.RADIUS_SEND_ACCOUNTING Parameter ....................................................... SQLNET.RADIUS_SECRET Parameter .................................................................................. SQLNET.RADIUS_ALTERNATE Parameter ........................................................................ SQLNET.RADIUS_ALTERNATE_PORT Parameter............................................................ SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter.................................................... SQLNET.RADIUS_ALTERNATE_RETRIES Parameter ...................................................... SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter................................................. SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter................................................. SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter .................................. SQLNET.RADIUS_CLASSPATH Parameter ......................................................................... B-1 B-1 B-2 B-2 B-2 B-2 B-2 B-2 B-3 B-3 B-3 B-3 B-4 B-4 B-4 B-4 B-4 B-5 xiii Minimum RADIUS Parameters ...................................................................................................... Initialization File Parameters........................................................................................................... Parameters for Clients and Servers Using Secure Sockets Layer .................................................. Secure Sockets Layer Authentication Parameters ........................................................................ Cipher Suite Parameters................................................................................................................... Supported SSL Cipher Suites ................................................................................................... Secure Sockets Layer Version Parameters ..................................................................................... Secure Sockets Layer Client Authentication Parameters ............................................................ SSL X.509 Server Match Parameters........................................................................................ Wallet Location.................................................................................................................................. C B-5 B-5 B-5 B-5 B-6 B-6 B-7 B-7 B-8 B-9 Integrating Authentication Devices Using RADIUS About the RADIUS Challenge-Response User Interface ................................................................ C-1 Customizing the RADIUS Challenge-Response User Interface .................................................... C-1 D Oracle Advanced Security FIPS 140 Settings About the FIPS 140 Settings .................................................................................................................. Configuring Oracle Database for FIPS 140-2 ..................................................................................... About the FIPS 140-2 Settings ......................................................................................................... Configuring the SSLFIPS_140 Parameter ...................................................................................... Selecting Cipher Suites ..................................................................................................................... Post-Installation Checks ................................................................................................................... Verifying FIPS Connections............................................................................................................. Configuring Oracle Database for FIPS 140-1 ..................................................................................... About the FIPS 140-1 Settings ......................................................................................................... sqlnet.ora FIPS 140-1 Configuration Parameters.......................................................................... Server Encryption Level Setting .............................................................................................. Client Encryption Level Setting ............................................................................................... Server Encryption Selection List .............................................................................................. Client Encryption Selection List............................................................................................... FIPS Parameter ........................................................................................................................... Post Installation Checks ................................................................................................................... Status Information............................................................................................................................. Physical Security ............................................................................................................................... E orapki Utility orapki Utility Overview......................................................................................................................... orapki Utility Syntax......................................................................................................................... Creating Signed Certificates for Testing Purposes........................................................................... Managing Oracle Wallets with orapki Utility ................................................................................... Creating, Viewing, and Modifying Wallets with orapki............................................................. Creating a PKCS#12 Wallet ...................................................................................................... Creating an Auto Login Wallet................................................................................................ Viewing a Wallet ........................................................................................................................ Modifying the Password for a Wallet ..................................................................................... Adding Certificates and Certificate Requests to Oracle Wallets with orapki .......................... xiv D-1 D-1 D-1 D-2 D-2 D-2 D-3 D-3 D-3 D-3 D-4 D-4 D-4 D-4 D-5 D-5 D-5 D-6 E-1 E-1 E-2 E-2 E-2 E-3 E-3 E-4 E-4 E-4 Exporting Certificates and Certificate Requests from Oracle Wallets with orapki ................. Managing Certificate Revocation Lists (CRLs) with orapki Utility .............................................. orapki Usage Examples .......................................................................................................................... orapki Utility Commands Summary ................................................................................................... orapki cert create ............................................................................................................................... Purpose........................................................................................................................................ Syntax .......................................................................................................................................... orapki cert display ............................................................................................................................ Purpose........................................................................................................................................ Syntax .......................................................................................................................................... orapki crl delete ................................................................................................................................. Purpose........................................................................................................................................ Prerequisites ............................................................................................................................... Syntax .......................................................................................................................................... orapki crl display ............................................................................................................................ Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki crl hash ................................................................................................................................. Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki crl list .................................................................................................................................... Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki crl upload ............................................................................................................................. Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki wallet add ............................................................................................................................ Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki wallet create......................................................................................................................... Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki wallet display ...................................................................................................................... Purpose...................................................................................................................................... Syntax ........................................................................................................................................ orapki wallet export........................................................................................................................ Purpose...................................................................................................................................... Syntax ........................................................................................................................................ F E-6 E-6 E-6 E-8 E-8 E-8 E-8 E-9 E-9 E-9 E-9 E-9 E-9 E-9 E-10 E-10 E-10 E-10 E-10 E-10 E-11 E-11 E-11 E-11 E-11 E-11 E-12 E-12 E-12 E-13 E-13 E-13 E-13 E-13 E-13 E-13 E-13 E-13 Entrust-Enabled Secure Sockets Layer Authentication Benefits of Entrust-Enabled Oracle Advanced Security.................................................................. Enhanced X.509-Based Authentication and Single Sign-On....................................................... Integration with Entrust Authority Key Management................................................................ Integration with Entrust Authority Certificate Revocation ........................................................ Required System Components for Entrust-Enabled Oracle Advanced Security ....................... Entrust Authority for Oracle ........................................................................................................... Entrust Authority Security Manager ...................................................................................... F-1 F-1 F-2 F-2 F-2 F-2 F-3 xv Entrust Authority Self-Administration Server ...................................................................... Entrust Entelligence Desktop Manager .................................................................................. Entrust Authority Server Login Feature ........................................................................................ Entrust Authority IPSec Negotiator Toolkit.................................................................................. Entrust Authentication Process ............................................................................................................ Enabling Entrust Authentication ......................................................................................................... Creating Entrust Profiles.................................................................................................................. Administrator-Created Entrust Profiles ................................................................................. User-Created Entrust Profiles .................................................................................................. Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ........... Configuring SSL on the Client and Server for Entrust-Enabled SSL......................................... Configuring Entrust on the Client .................................................................................................. Configuring Entrust on a UNIX Client ................................................................................... Configuring Entrust on a Windows Client ............................................................................ Configuring Entrust on the Server ................................................................................................. Configuring Entrust on a UNIX Server .................................................................................. Configuring Entrust on a Windows Server............................................................................ Creating Entrust-Enabled Database Users .................................................................................... Logging Into the Database Using Entrust-Enabled SSL.............................................................. Issues and Restrictions that Apply to Entrust-Enabled SSL.......................................................... Troubleshooting Entrust In Oracle Advanced Security .................................................................. Error Messages Returned When Running Entrust on Any Platform ........................................ Error Messages Returned When Running Entrust on Windows Platforms........................... General Checklist for Running Entrust on Any Platform ......................................................... Checklist for Entrust Installations on Windows.................................................................. Glossary Index xvi F-3 F-3 F-3 F-3 F-4 F-4 F-4 F-4 F-5 F-5 F-5 F-5 F-6 F-6 F-6 F-6 F-7 F-8 F-8 F-9 F-9 F-9 F-10 F-12 F-12 List of Figures 1–1 1–2 1–3 1–4 1–5 2–1 2–2 2–3 5–1 8–1 8–2 11–1 11–2 11–3 13–1 15–1 F–1 Encryption.................................................................................................................................... 1-4 Strong Authentication with Oracle Authentication Adapters ............................................. 1-6 How a Network Authentication Service Authenticates a User............................................ 1-7 Oracle Advanced Security in an Oracle Networking Environment................................. 1-10 Oracle Net Services with Authentication Adapters............................................................ 1-10 Oracle Advanced Security Profile in Oracle Net Manager ................................................... 2-3 Oracle Wallet Manager User Interface..................................................................................... 2-5 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane.......... 2-7 How Oracle Data Redaction Policies Work in a Chain of Views...................................... 5-36 TDE Column Encryption Overview......................................................................................... 8-3 TDE Tablespace Encryption ...................................................................................................... 8-4 RADIUS in an Oracle Environment ...................................................................................... 11-2 Synchronous Authentication Sequence ................................................................................ 11-3 Asynchronous Authentication Sequence ............................................................................. 11-5 SSL in Relation to Other Authentication Methods.............................................................. 13-7 Oracle Advanced Security Authentication Window .......................................................... 15-2 Entrust Authentication Process................................................................................................ F-4 xvii List of Tables 1–1 2–1 2–2 2–3 2–4 2–5 2–6 4–1 4–2 4–3 5–1 5–2 5–3 5–4 5–5 5–6 8–1 8–2 8–3 8–4 8–5 8–6 8–7 9–1 9–2 9–3 10–1 10–2 10–3 10–4 10–5 11–1 12–1 12–2 13–1 14–1 14–2 14–3 14–4 14–5 14–6 14–7 A–1 A–2 A–3 A–4 A–5 A–6 A–7 A–8 A–9 A–10 xviii Authentication Methods and System Requirements ......................................................... 1-11 Oracle Wallet Manager Navigator Pane Objects................................................................... 2-6 Oracle Wallet Manager Toolbar Buttons ................................................................................ 2-7 Oracle Wallet Manager Wallet Menu Options ...................................................................... 2-8 Oracle Wallet Manager Operations Menu Options .............................................................. 2-8 Oracle Wallet Manager Help Menu Options ......................................................................... 2-9 Common Security Administrator/DBA Configuration and Administrative Tasks ..... 2-10 Redaction Capabilities for Oracle Built-in Data Types......................................................... 4-5 Redaction Capabilities for the ANSI Data Types .................................................................. 4-6 Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types ...... 4-6 DBMS_REDACT Procedures.................................................................................................... 5-2 Partial Fixed Character Redaction Shortcuts ...................................................................... 5-13 Shortcuts for the regexp_pattern Parameter ....................................................................... 5-21 Shortcuts for the regexp_replace_string Parameter........................................................... 5-22 Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions............. 5-29 Data Redaction Views ............................................................................................................ 5-38 Maximum Allowable Size for Data Types .......................................................................... 8-14 Description of the ALL_ENCRYPTED_COLUMNS Data Dictionary View .................. 8-32 Description of the V$ENCRYPTED_TABLESPACES View ............................................. 8-33 Description of the V$WALLET View................................................................................... 8-33 Description of the V$ENCRYPTION_WALLET View ...................................................... 8-34 Supported Encryption Algorithms for Transparent Data Encryption............................ 8-43 Transparent Data Encryption SQL Commands Quick Reference ................................... 8-43 Two Forms of Attack ................................................................................................................. 9-2 Encryption and Data Integrity Negotiations ......................................................................... 9-5 Valid Encryption Algorithms................................................................................................... 9-7 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Attributes ........... 10-3 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Attributes ............ 10-4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Attributes............... 10-4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Attributes ............... 10-5 CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Attributes ..... 10-5 RADIUS Authentication Components................................................................................. 11-2 Options for the okinit Utility................................................................................................. 12-9 Options for the oklist Utility ............................................................................................... 12-10 SSL Cipher Suites .................................................................................................................. 13-11 KeyUsage Values .................................................................................................................... 14-4 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet ....................... 14-4 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet.................. 14-5 PKI Wallet Encoding Standards ......................................................................................... 14-10 Types of Certificates ............................................................................................................. 14-15 Certificate Request: Fields and Descriptions .................................................................... 14-16 Available Key Sizes............................................................................................................... 14-17 Algorithm Type Selection ........................................................................................................ A-3 SQLNET.ENCRYPTION_SERVER Parameter Attributes .................................................. A-3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes................................................... A-4 SQLNET.EXTENDED_KEY_USAGE Parameter Attributes............................................... A-4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes.................................... A-4 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes .................................... A-4 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes .................................... A-5 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes..................................... A-5 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes ..................... A-6 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes...................... A-6 B–1 B–2 B–3 B–4 B–5 B–6 B–7 B–8 B–9 B–10 B–11 B–12 B–13 B–14 B–15 B–16 B–17 C–1 D–1 Kerberos Authentication Parameters .................................................................................... SQLNET.AUTHENTICATION_SERVICES Parameter Attributes.................................... SQLNET.RADIUS_AUTHENTICATION Parameter Attributes ....................................... SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes .......................... SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes .................. SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes ..................... SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes ................................... SQLNET.RADIUS_SECRET Parameter Attributes .............................................................. SQLNET.RADIUS_ALTERNATE Parameter Attributes .................................................... SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes........................................ SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes................................ SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes .................................. SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes............................. SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes............................. SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes .............. SQLNET.RADIUS_CLASSPATH Parameter Attributes ..................................................... Wallet Location Parameters..................................................................................................... Server Encryption Level Setting ............................................................................................. Sample Output from v$session_connect_info ...................................................................... B-1 B-2 B-2 B-2 B-2 B-3 B-3 B-3 B-3 B-3 B-4 B-4 B-4 B-4 B-4 B-5 B-9 C-2 D-5 xix xx Preface Welcome to the Oracle Database Advanced Security Administrator's Guide for the 11g Release 2 (11.2) of Oracle Advanced Security. Oracle Advanced Security contains a comprehensive suite of security features that protect enterprise networks and securely extend them to the Internet. It provides a single source of integration with multiple network encryption and authentication solutions, single sign-on services, and security protocols. The Oracle Database Advanced Security Administrator's Guide describes how to implement, configure and administer Oracle Advanced Security. This preface contains these topics: ■ Audience ■ Documentation Accessibility ■ Related Documentation ■ Conventions Audience The Oracle Database Advanced Security Administrator's Guide is intended for users and systems professionals involved with the implementation, configuration, and administration of Oracle Advanced Security including: ■ Implementation consultants ■ System administrators ■ Security administrators ■ Database administrators (DBAs) Documentation Accessibility For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc. Access to Oracle Support Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired. xxi Related Documentation For more information, refer to these Oracle resources: ■ Oracle Database Net Services Administrator's Guide ■ Oracle Database Heterogeneous Connectivity User's Guide ■ Oracle Database JDBC Developer's Guide and Reference ■ Oracle Internet Directory Administrator's Guide ■ Oracle Database Administrator's Guide ■ Oracle Database Security Guide Many books in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself. To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at http://www.oracle.com/technetwork/index.html If you already have a user name and password for OTN, then you can go directly to the documentation section of the OTN Web site at http://www.oracle.com/technetwork/documentation/index.html For information from third-party vendors, refer to: ■ ACE/Server Administration Manual, from Security Dynamics ■ ACE/Server Client for UNIX, from Security Dynamics ■ ACE/Server Installation Manual, from Security Dynamics ■ RADIUS Administrator's Guide ■ Notes about building and installing Kerberos from Kerberos version 5 source distribution ■ Entrust/PKI for Oracle ■ Administering Entrust/PKI on UNIX ■ Application Environment Specification/Distributed Computing For conceptual information about the network security technologies supported by Oracle Advanced Security, you can refer to the following third-party publications: ■ ■ ■ ■ xxii Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by Bruce Schneier. New York: John Wiley & Sons, 1996. SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John Wiley & Sons, 2000. Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D., Mark C. Smith, and Gordon S. Good . Indianapolis: New Riders Publishing, 1999. Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New Riders Publishing, 1999. Conventions The following text conventions are used in this document: Convention Meaning boldface Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. italic Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. monospace Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. xxiii xxiv What's New in Oracle Advanced Security? This section describes new features of Oracle Advanced Security 11g Release 2 (11.2) and provides pointers to additional information. ■ ■ Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security ■ Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security ■ Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security This release includes the following new features: ■ Oracle Data Redaction for Masking Data ■ Filtering for Secure Sockets Layer Certificates Oracle Data Redaction for Masking Data This release includes Oracle Data Redaction, which gives you the ability to disguise (mask) data from low-privileged users or applications. For example, suppose you have the following credit card numbers: ■ 5105 1051 0510 5100 ■ 5111 1111 1111 1118 ■ 5454 5454 5454 5454 You can use Data Redaction to disguise the last four digits as follows: ■ 5105 1051 0510 **** ■ 5111 1111 1111 **** ■ 5454 5454 5454 **** The data is redacted at run time, that is, it is hidden when the user accesses the page containing the data, but it is not hidden in the database. This enables the sensitive data to be processed normally, and it preserves the back-end referential integrity and constraints for the data. You have the option of redacting the data partially so that some of the original data is preserved (such as the last four digits of a credit card number), entirely by replacing it with a fixed value, or by replacing the data with an xxv encrypted value. You also can easily apply Oracle Data Redaction policies throughout the databases in your enterprise. See Part II, "Oracle Data Redaction" for more information. Filtering for Secure Sockets Layer Certificates Starting with this release, you can use the SQLNET.SSL_EXTENDED_KEY_USAGE parameter in the sqlnet.ora file to select a Secure Sockets Layer certificate to be used automatically to authenticate clients. For example, suppose you have multiple certificates for a smart card but only one of the certificates has an extended key usage field of client authentication. In the application, a certificate chooser dialog box would appear, prompting the user to select the type of authentication. Because the type of authentication would always be for clients, the SQLNET.SSL_EXTENDED_KEY_ USAGE parameter can enable the application to bypass this dialog box and automatically choose client authentication. As a result, the user has fewer steps to perform in a task, thereby making the user’s job easier and more efficient. See "Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)" on page 13-20 for more information. Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security This release includes the following new features: ■ Support for SHA-2 Certificate Signatures ■ Support for PIN and Multiple Certificates on Smart Card ■ TDE Hardware Acceleration for Solaris Support for SHA-2 Certificate Signatures This feature introduces support for SHA-2 (256-bit) signed certificates that are used by the database for network encryption and authentication. These certificates are issued by a separate certificate authority (CA), and are exchanged between the database and a client when a secure database connection is being established. Support for PIN and Multiple Certificates on Smart Card This feature introduces support for authenticating to the database using Common Access Cards (CAC, HSPD-12) that contain multiple certificates. When a database user inserts a card containing one or more digital certificates into a card reader, the database attempts to intelligently select which certificate to read. If the database cannot determine which certificate to read, a selection box is presented on Windows clients. The user also must manually enter the correct PIN. TDE Hardware Acceleration for Solaris Transparent Data Encryption (TDE) can automatically detect whether the database host machine includes specialized cryptographic silicon that accelerates the encryption and decryption processing. When detected, TDE uses the specialized silicon for cryptographic processing, accelerating the overall cryptographic performance significantly. xxvi In prior releases, cryptographic hardware acceleration for TDE was only available on Intel Xeon, and only for Linux. Starting with release 11.2.0.3, it works with the current versions of Solaris 11 running on both SPARC T-Series and Intel Xeon. Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security This release includes the following new features: ■ ■ Enhanced TDE Tablespace Encryption TDE Supports Intel Advanced Encryption Standard New Instructions (Intel AES-NI) ■ Internet Protocol Version 6 (IPv6) Support ■ Kerberos Enhancements Enhanced TDE Tablespace Encryption Oracle Database 11g Release 2 (11.2) implements the following enhancements to TDE Tablespace Encryption: ■ ■ ■ A unified master encryption key is used for both Transparent Data Encryption (TDE) Column Encryption and TDE Tablespace Encryption. The unified master encryption key can optionally be stored in a hardware security module. This enables you to use the TDE Tablespace Encryption feature along with hardware security modules. You can reset (rekey) the unified master encryption key. This provides enhanced security and helps meet security and compliance requirements. See Also: "Encrypting Entire Tablespaces" on page 8-15 TDE Supports Intel Advanced Encryption Standard New Instructions (Intel AES-NI) Transparent Data Encryption (TDE) now supports Intel AES-NI. Oracle Database 11g Release 2 (11.2) running on Intel Xeon 5600 series processor-based servers with Intel AES-NI shows a multifold increase in TDE encryption and decryption speed. According to benchmark results, TDE shows a 10x speedup of AES encryption processing rate and an 8x speedup of decryption processing rate, using 256 bit keys, on Intel Xeon X5680 processor utilizing AES-NI as compared to Intel Xeon X5560 processor without AES-NI. Internet Protocol Version 6 (IPv6) Support Oracle Advanced Security fully supports Internet Protocol Version 6 (IPv6) networks. Kerberos Enhancements The Oracle Kerberos authentication mechanism now supports the Microsoft Windows Server 2003 constrained delegation feature. The middle tier can use the Kerberos adapter to authenticate to the Oracle Database without providing the user's forwarded Kerberos credentials. A user can authenticate to the middle tier using a non-Kerberos authentication mechanism. The middle tier authenticates to the backend Oracle Database using the Kerberos authentication mechanism on behalf of the user. xxvii See Also: Microsoft documentation for more information on the Microsoft Windows Server 2003 constrained delegation feature Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security This release includes the following new features: ■ Enhanced Transparent Data Encryption ■ Kerberos Authentication More Secure and Manageable Enhanced Transparent Data Encryption Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications. Oracle Advanced Security uses industry standard encryption algorithms including AES and 3DES to encrypt columns that have been marked for encryption. Key Management is handled by the database. SQL interfaces to Key Management hide the complexity of encryption. You can now encrypt entire tablespaces using Tablespace Encryption. All objects created in the encrypted tablespace are automatically encrypted. See "TDE Tablespace Encryption" in on page 8-3 for more information. Transparent Data Encryption now enables you to use a hardware security module (HSM) to store the master encryption key. This allows for enhanced security. See "Using Hardware Security Modules with TDE" on page 8-19 for more information. "Supported Encryption Algorithms" on page 1-4 for more information on the encryption algorithms that are supported. See Also: Chapter 8, "Securing Stored Data Using Transparent Data Encryption" for more information on implementing and using Transparent Data Encryption. Kerberos Authentication More Secure and Manageable The Kerberos implementation now makes use of secure encryption algorithms like 3DES and AES in place of DES. This makes using Kerberos more secure. The Kerberos authentication mechanism in Oracle Database now supports the following encryption types: ■ ■ ■ DES3-CBC-SHA (DES3 algorithm in CBC mode with HMAC-SHA1 as checksum) AES128-CTS (AES algorithm with 128-bit key in CTS mode with HMAC-SHA1 as checksum) AES256-CTS (AES algorithm with 256-bit key in CTS mode with HMAC-SHA1 as checksum) The Kerberos implementation has been enhanced to interoperate smoothly with Microsoft and MIT Key Distribution Centers. The Kerberos prinicipal name can now contain more than 30 characters. It is no longer restricted by the number of characters allowed in a database user name. See Also: xxviii Chapter 12, "Configuring Kerberos Authentication" In this release, the features of Multiplexing and Connection Pooling do not work with SSL transport. Refer to Oracle Database JDBC Developer's Guide and Reference for details of encryption support available in JDBC. Note: xxix xxx Part I Getting Started with Oracle Advanced Security Part I This part introduces Oracle Advanced Security, describing security solutions it provides, its features, and its tools. Part I contains the following chapters: ■ Chapter 1, "Introduction to Oracle Advanced Security" ■ Chapter 2, "Configuration and Administration Tools Overview" 1 1 Introduction to Oracle Advanced Security This chapter introduces Oracle Advanced Security, summarizes the security risks it addresses, and describes its features. These features are available to database and related products that interface with Oracle Net Services, including Oracle Database, Oracle Application Server, and Oracle Identity Management infrastructure. This chapter contains the following topics: ■ Security Challenges in an Enterprise Environment ■ Solving Security Challenges with Oracle Advanced Security ■ Oracle Advanced Security Architecture ■ System Requirements ■ Oracle Advanced Security Restrictions Security Challenges in an Enterprise Environment To increase efficiency and lower costs, companies adopt strategies to automate business processes. One such strategy is to conduct more business on the Web, but that requires greater computing power, translating to higher IT costs. In response to rising IT costs, more and more businesses are considering enterprise grid computing architecture where inexpensive computers act as one powerful system. While such strategies improve the bottom line, they introduce risks, which are associated with securing data, in rest and motion, and managing an ever increasing number of user identities. This section examines the security challenges of today's enterprise computing environments in the following topics: ■ Security in Enterprise Grid Computing Environments ■ Security in an Intranet or Internet Environment ■ Common Security Threats Security in Enterprise Grid Computing Environments Grid computing is a computing architecture that coordinates large numbers of servers and storage to act as a single large computer. It provides flexibility, lower costs, and IT investment protection because inexpensive, off-the-shelf components can be added to the grid as business needs change. While providing significant benefits, grid computing environments present unique security requirements because their computing resources are distributed and often heterogeneous. The following sections discuss these requirements: Introduction to Oracle Advanced Security 1-1 Security Challenges in an Enterprise Environment Distributed Environment Security Requirements Enterprise grid computing pools distributed business computing resources to cost effectively harness the power of clustered servers and storage. A distributed environment requires secure network connections. Even more critical in grid environments, it is necessary to have a uniform definition of "who is the user" and "what is the user allowed to do." Without such uniform definitions, administrators frequently must assign, manage, and revoke authorizations for every user on different software applications to protect employee, customer, and partner information. This is expensive because it takes time, which drives up costs. Consequently, the cost savings gained with grid computing are lost. Heterogeneous Environment Security Requirements Because grid computing environments often grow as business needs change, computing resources are added over time, resulting in diverse collections of hardware and software. Such heterogeneous environments require support for different types of authentication mechanisms which adhere to industry standards. Without strict adherence to industry standards, integrating heterogeneous components becomes costly and time consuming. Once again the benefits of grid computing are squandered when the appropriate infrastructure is not present. Security in an Intranet or Internet Environment Oracle databases power the largest and most popular Web sites on the Internet. In record numbers, organizations throughout the world are deploying distributed databases and client/server applications based on Oracle Database and Oracle Net Services. This proliferation of distributed computing is matched by an increase in the amount of information that organizations place on computers. Employee and financial records, customer orders, product information, and other sensitive data have moved from filing cabinets to file structures. The volume of sensitive information on the Web has thus increased the value of data that can be compromised. Common Security Threats The increased volume of data in distributed, heterogeneous environments exposes users to a variety of security threats, including the following: ■ Eavesdropping and Data Theft ■ Data Tampering ■ Falsifying User Identities ■ Password-Related Threats Eavesdropping and Data Theft Over the Internet and in wide area network environments, both public carriers and private networks route portions of their network through insecure land lines, vulnerable microwave and satellite links, or a number of servers— exposing valuable data to interested third parties. In local area network environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them, and network sniffers can be installed to eavesdrop on network traffic. Data Tampering Distributed environments bring with them the possibility that a malicious third party can compromise integrity by tampering with data as it moves between sites. 1-2 Oracle Database Advanced Security Administrator's Guide Solving Security Challenges with Oracle Advanced Security Falsifying User Identities In a distributed environment, it is more feasible for a user to falsify an identity to gain access to sensitive information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat? Moreover, in distributed environments, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and re-routed to a terminal masquerading as Server B. Password-Related Threats In large systems, users typically must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing configurations. Users typically respond to the problem of managing multiple passwords in several ways: ■ ■ ■ They may select easy-to-guess passwords, such as a name, a fictional character, or a word found in a dictionary. All of these passwords are vulnerable to dictionary attacks. They may also choose to standardize passwords so that they are the same on all systems or Web sites. This results in a potentially large exposure in the event of a compromised password. They can also use passwords with slight variations that can be easily derived from known passwords. Users with complex passwords may write them down where an attacker can easily find them, or they may just forget them, requiring costly administration and support efforts. All of these strategies compromise password secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, and expensive. Solving Security Challenges with Oracle Advanced Security To solve enterprise computing security problems, Oracle Advanced Security provides industry standards-based data privacy, integrity, authentication, single sign-on, and access authorization in a variety of ways. For example, you can configure either Oracle Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced Security also provides the choice of several strong authentication methods, including Kerberos, smart cards, and digital certificates. Oracle Advanced Security provides the following security features: ■ Data Encryption ■ Strong Authentication Data Encryption Sensitive information that is stored in your database or that travels over enterprise networks and the Internet can be protected by encryption algorithms. An encryption algorithm transforms information into a form that cannot be deciphered without a decryption key. Introduction to Oracle Advanced Security 1-3 Solving Security Challenges with Oracle Advanced Security Figure 1–1 shows how encryption works to ensure the security of a transaction sent over the network. For example, if a manager approves a bonus, this data should be encrypted when sent over the network to avoid eavesdropping. If all communication between the client, the database, and the application server is encrypted, then when the manager sends the bonus amount to the database, it is protected. Figure 1–1 Encryption This section discusses the following topics: ■ Supported Encryption Algorithms ■ Data Integrity ■ Federal Information Processing Standard Supported Encryption Algorithms Oracle Advanced Security provides the following encryption algorithms to protect the privacy of network data transmissions: ■ Triple-DES Encryption ■ Advanced Encryption Standard Selecting the network encryption algorithm is a user configuration option, providing varying levels of security and performance for different types of data transfers. Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export, each with different key lengths. Oracle Advanced Security 11g Release 2 (11.2) contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release. The U.S. government has relaxed its export guidelines for encryption products. Accordingly, Oracle can ship Oracle Advanced Security with its strongest encryption features to all of its customers. Note: Triple-DES Encryption Oracle Advanced Security also supports Triple-DES encryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty. The magnitude of penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block as compared with the standard DES algorithm. 1-4 Oracle Database Advanced Security Administrator's Guide Solving Security Challenges with Oracle Advanced Security 3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode. Advanced Encryption Standard Approved by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards (FIPS) Publication 197, Advanced Encryption Standard (AES) is a cryptographic algorithm standard developed to replace DES. AES is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate in outer-CBC mode. See Also: ■ ■ Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" Appendix A, "Data Encryption and Integrity Parameters" Data Integrity To ensure the integrity of data packets during transmission, Oracle Advanced Security can generate a cryptographically secure message digest using the SHA-1 hashing algorithm and include it with each message sent across a network. Data integrity algorithms add little overhead and protect against the following attacks: ■ Data modification ■ Deleted packets ■ Replay attacks SHA-1 produces a larger message digest than the previously supported MD5, making it more secure against brute-force collision and inversion attacks. Note: Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients", for information about SHA-1 See Also: Federal Information Processing Standard Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This provides independent confirmation that Oracle Advanced Security conforms to federal government standards. The cryptographic libraries for SSL included in Oracle Database 10g have been validated under FIPS 140-2 at the Level 2 security level. Both FIPS 140-1 and FIPS 140-2 related configuration settings are described in Appendix D, "Oracle Advanced Security FIPS 140 Settings". Strong Authentication Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters Introduction to Oracle Advanced Security 1-5 Solving Security Challenges with Oracle Advanced Security that support various third-party authentication services, including SSL with digital certificates. Figure 1–2 shows user authentication with an Oracle database instance configured to use a third-party authentication server. Having a central facility to authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of network nodes falsifying their identities. Figure 1–2 Strong Authentication with Oracle Authentication Adapters This section contains the following topics: ■ Centralized Authentication and Single Sign-On ■ Supported Authentication Methods Centralized Authentication and Single Sign-On Centralized authentication also provides the benefit of single sign-on (SSO) for users. Single sign-on enables users to access multiple accounts and applications with a single password. A user only needs to login once and can then automatically connect to any other service without having to giving user name and password again. Single sign-on eliminates the need for the user to remember and administer multiple passwords, reducing the time spent logging into multiple services. How Centralized Network Authentication Works Figure 1–3 shows how a centralized network authentication service typically operates. 1-6 Oracle Database Advanced Security Administrator's Guide Solving Security Challenges with Oracle Advanced Security Figure 1–3 How a Network Authentication Service Authenticates a User The following steps describe how centralized Network Authentication Process works. 1. A user (client) requests authentication services and provides identifying information, such as a token or password. 2. The authentication server validates the user's identity and passes a ticket or credentials back to the client, which may include an expiration time. 3. The client passes these credentials to the Oracle server concurrent with a service request, such as connection to a database. 4. The server sends the credentials back to the authentication server for authentication. 5. The authentication server checks the credentials and notifies the Oracle server. 6. If the credentials were accepted by the authentication server, then the Oracle server authenticates the user. If the authentication server rejected the credentials, then authentication fails, and the service request is denied. Introduction to Oracle Advanced Security 1-7 Solving Security Challenges with Oracle Advanced Security Supported Authentication Methods Oracle Advanced Security supports the following industry-standard authentication methods: ■ Kerberos ■ Remote Authentication Dial-In User Service (RADIUS) : ■ Secure Sockets Layer (with digital certificates) ■ Entrust/PKI Kerberos Oracle Advanced Security support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server. Refer to Chapter 12, "Configuring Kerberos Authentication" for information about configuring and using this adapter. Note: Oracle authentication for Kerberos provides database link authentication (also called proxy authentication). Kerberos is also an authentication method that is supported with Enterprise User Security. Remote Authentication Dial-In User Service (RADIUS) : RADIUS is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RADIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. Chapter 11, "Configuring RADIUS Authentication" for information about configuring and using RADIUS See Also: ■ Smart Cards A RADIUS-compliant smart card is a credit card-like hardware device which has memory and a processor. It is read by a smart card reader located at the client workstation. ■ Token Cards Token cards (Secure ID or RADIUS-compliant) can improve ease of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into a token card. The token card provides a response (another number cryptographically derived from the challenge) that the user enters and sends to the server. You can use SecurID tokens through the RADIUS adapter. Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity. 1-8 Oracle Database Advanced Security Administrator's Guide Oracle Advanced Security Architecture The SSL protocol is the foundation of a public key infrastructure (PKI). For authentication, SSL uses digital certificates that comply with the X.509v3 standard and a public and private key pair. Oracle Advanced Security SSL can be used to secure communications between any client and any server. You can configure SSL to provide authentication for the server only, the client only, or both client and server. You can also configure SSL features in combination with other authentication methods supported by Oracle Advanced Security (database user names and passwords, RADIUS, and Kerberos). To support your PKI implementation, Oracle Advanced Security includes the following features in addition to SSL: ■ Oracle wallets, where you can store PKI credentials ■ Oracle Wallet Manager, which you can use to manage your Oracle wallets ■ Certificate validation with certificate revocation lists (CRLs) ■ Hardware security module support See Also: ■ ■ ■ Chapter 13, "Configuring Secure Sockets Layer Authentication" for conceptual, configuration, and usage information about SSL, certificate validation, and hardware security modules Chapter 14, "Using Oracle Wallet Manager" for information about using this tool to manage Oracle wallets Chapter 15, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security" for information about configuring SSL in combination with other authentication methods Entrust/PKI Oracle Advanced Security supports the public key infrastructure provided by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle Advanced Security lets Entrust users incorporate Entrust single sign-on into their Oracle applications, and it lets Oracle users incorporate Entrust-based single sign-on into Oracle applications. Appendix F, "Entrust-Enabled Secure Sockets Layer Authentication" for more information about this feature See Also: Oracle Advanced Security Architecture Oracle Advanced Security complements an Oracle server or client installation with advanced security features. Figure 1–4 shows the Oracle Advanced Security architecture within an Oracle networking environment. Introduction to Oracle Advanced Security 1-9 System Requirements Figure 1–4 Oracle Advanced Security in an Oracle Networking Environment Oracle Advanced Security supports authentication through adapters that are similar to the existing Oracle protocol adapters. As shown in Figure 1–5, authentication adapters integrate the Oracle Net interface, and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application. Figure 1–5 Oracle Net Services with Authentication Adapters See Also: Oracle Database Net Services Administrator's Guide for more information about stack communications in an Oracle networking environment System Requirements Oracle Advanced Security 11g Release 2 (11.2) requires Oracle Net 11g Release 2 (11.2) and supports Oracle Database Enterprise Edition. Table 1–1 lists additional system requirements. Oracle Advanced Security is not available with Oracle Database Standard Edition. Note: 1-10 Oracle Database Advanced Security Administrator's Guide Oracle Advanced Security Restrictions Table 1–1 Authentication Methods and System Requirements Authentication Method System Requirements Kerberos ■ ■ RADIUS ■ ■ MIT Kerberos Version 5, release 1.1 or above. The Kerberos authentication server must be installed on a physically secure system. A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. To enable challenge-response authentication, you must run RADIUS on an operating system that supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft. SSL ■ A wallet that is compatible with the Oracle Wallet Manager 10g release. Wallets created in earlier releases of the Oracle Wallet Manager are not forward compatible. Entrust/PKI ■ Entrust IPSEC Negotiator Toolkit Release 6.0 ■ Entrust/PKI 6.0 Oracle Advanced Security Restrictions Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Oracle Net Services to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on Microsoft Windows. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, because ODM does not use Oracle Net Services. Introduction to Oracle Advanced Security 1-11 Oracle Advanced Security Restrictions 1-12 Oracle Database Advanced Security Administrator's Guide 2 2 Configuration and Administration Tools Overview Configuring advanced security features for an Oracle database instance includes configuring encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services. Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure for using digital certificates with Secure Sockets Layer (SSL). Such diverse advanced security features require a diverse set of tools with which to configure and administer them. This chapter introduces the tools used to configure and administer advanced security features for an Oracle database in the following topics: ■ Network Encryption and Strong Authentication Configuration Tools ■ Public Key Infrastructure Credentials Management Tools ■ Duties of a Security Administrator/DBA Network Encryption and Strong Authentication Configuration Tools Oracle Net Services can be configured to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL. The following sections introduce the Oracle tools you can use to configure these advanced security features for an Oracle Database: ■ Oracle Net Manager ■ Oracle Advanced Security Kerberos Adapter Command-Line Utilities Oracle Net Manager Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host. Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following Oracle Advanced Security features, which use the Oracle Net protocol: ■ Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer) ■ Network encryption (Triple-DES and AES) ■ Checksumming for data integrity (SHA-1) Configuration and Administration Tools Overview 2-1 Network Encryption and Strong Authentication Configuration Tools This section introduces you to the features of Oracle Net Manager that are used to configure Oracle Advanced Security. It contains the following topics: ■ Starting Oracle Net Manager ■ Navigating to the Oracle Advanced Security Profile See Also: ■ ■ "Duties of a Security Administrator/DBA" on page 2-9 for information about the tasks you can perform with this tool that configure advanced security features Oracle Database Net Services Administrator's Guide and Oracle Net Manager online Help for complete documentation of this tool Starting Oracle Net Manager You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a standalone application. However, you must use the standalone application to access the Oracle Advanced Security Profile where you can configure Oracle Advanced Security features. To start Oracle Net Manager as a standalone application: ■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, Net Manager Navigating to the Oracle Advanced Security Profile The Oracle Net Manager interface window contains two panes: the navigator pane and the right pane.The interface displays various property sheets that enable you to configure network components. When you select a network object in the navigator pane, its associated property sheets displays in the right pane. To configure Oracle Advanced Security features, select the Profile object in the navigator pane, and then select Oracle Advanced Security from the list in the right pane, as shown in Figure 2–1. 2-2 Oracle Database Advanced Security Administrator's Guide Network Encryption and Strong Authentication Configuration Tools Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager Oracle Advanced Security Profile Property Sheets The Oracle Advanced Security Profile contains the following property sheets: ■ Authentication Property Sheet ■ Other Params Property Sheet ■ Integrity Property Sheet ■ Encryption Property Sheet ■ SSL Property Sheet Authentication Property Sheet Use this property sheet to select a strong authentication method, such as Kerberos Version 5 (KERBEROS5), Windows native authentication (NTS), or RADIUS. Other Params Property Sheet Use this property sheet to set other parameters for the authentication method you selected on the Authentication property sheet. Integrity Property Sheet Use this property sheet to enable checksumming on the client or the server and to select an encryption algorithm for generating secure message digests. Encryption Property Sheet Use this property sheet to select one or more cipher suites to encrypt client or server connections with native encryption algorithms. SSL Property Sheet Use this property sheet to configure Secure Sockets Layer (SSL), including the wallet location and cipher suite, on a client or server. Configuration and Administration Tools Overview 2-3 Public Key Infrastructure Credentials Management Tools Oracle Advanced Security Kerberos Adapter Command-Line Utilities The Oracle Advanced Security Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials. The following table briefly describes these utilities: Utility Name Description okinit Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache oklist Displays a list of Kerberos tickets in the specified credential cache okdstry Removes Kerberos credentials from the specified credential cache "Utilities for the Kerberos Authentication Adapter" on page 12-8 for complete descriptions of these utilities, their syntax, and available options See Also: Note: The Cybersafe adapter is not supported beginning with this release. You should use Oracle's Kerberos adapter in its place. Kerberos authentication with the Cybersafe KDC (Trust Broker) continues to be supported when using the Kerberos adapter. Public Key Infrastructure Credentials Management Tools The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. The following Oracle tools are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current: ■ Oracle Wallet Manager ■ orapki Utility Oracle Wallet Manager Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks: ■ Create public and private key pairs ■ Store and manage user credentials ■ Generate certificate requests ■ Store and manage certificate authority certificates (root key certificate and certificate chain) ■ Upload and download wallets to and from an LDAP directory ■ Create wallets to store hardware security module credentials The following topics introduce the Oracle Wallet Manager user interface: 2-4 Oracle Database Advanced Security Administrator's Guide Public Key Infrastructure Credentials Management Tools ■ Starting Oracle Wallet Manager ■ Navigating the Oracle Wallet Manager User Interface ■ Toolbar ■ Menus Chapter 14, "Using Oracle Wallet Manager" for detailed information about using this application See Also: Starting Oracle Wallet Manager To start Oracle Wallet Manager: ■ (UNIX) From $ORACLE_HOME/bin, enter the following at the command line: owm ■ (Windows) Select Start, Programs, Oracle HOME_NAME, Integrated Management Tools, Wallet Manager Navigating the Oracle Wallet Manager User Interface The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu items as shown in Figure 2–2. Figure 2–2 Oracle Wallet Manager User Interface Navigator Pane The navigator pane provides a graphical navigation tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Configuration and Administration Tools Overview 2-5 Public Key Infrastructure Credentials Management Tools Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests. The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to ■ ■ Expand and contract wallet objects so that you can manage the user and trusted certificates they contain. Right-click a wallet, certificate, or certificate request to perform operations on it such as add, remove, import, or export. When you expand a wallet, you see a nested list of user and trusted certificates. When you select a wallet or certificate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2–1 lists the main objects that display in the navigator pane. Table 2–1 Oracle Wallet Manager Navigator Pane Objects Object Description Wallet Password-protected container that is used to store authentication and signing credentials Certificate Request1 A PKCS #10-encoded message containing the requester's distinguished name (DN), a public key, the key size, and key type. Certificate1 An X.509 data structure containing the entity's DN, public key, and is signed by a trusted identity (certificate authority). Trusted Certificates1 Sometimes called a root key certificate, is a certificate from a third party identity that is qualified with a level of trust. 1 These objects display only after you create a wallet, generate a certificate request, and import a certificate into the wallet. Right Pane The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only. Figure 2–3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type fields. The PKCS #10-encoded certificate request displays in the Certificate Request text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file. Figure 2–3 shows a certificate request for a user. A certificate can also be requested for a server in which case the CN attribute will contain the name of the server in place of the user name. Note: 2-6 Oracle Database Advanced Security Administrator's Guide Public Key Infrastructure Credentials Management Tools Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane Toolbar The toolbar contains buttons that enable you to manage your wallets. Move the mouse cursor over a toolbar button to display a description of the button's function. The toolbar buttons are listed and described in Table 2–2. Table 2–2 Oracle Wallet Manager Toolbar Buttons Toolbar Button Description New Creates a new wallet Open Wallet Enables you to browse your file system to locate and open an existing wallet Save Wallet Saves the currently open wallet Delete Wallet Deletes the wallet that is currently selected in the navigator pane Help Opens the Oracle Wallet Manager online Help Menus You use Oracle Wallet Manager menus to manage your wallets and the credentials they contain. The following sections describe the options that are available under each menu. Wallet Menu Table 2–3 describes the contents of the Wallet menu. Configuration and Administration Tools Overview 2-7 Public Key Infrastructure Credentials Management Tools Table 2–3 Oracle Wallet Manager Wallet Menu Options Option Description New Creates a new wallet Open Opens an existing wallet Close Closes the currently open wallet Upload Into The Directory Service Uploads a wallet to a specified LDAP directory server. Download From The Directory Service Downloads a wallet from a specified LDAP directory server. You must supply a directory password, host name, and port information. Save Saves the currently open wallet in the current working directory Save As Enables you to browse your file system to choose a directory location in which to save the currently open wallet Save In System Default Saves the currently open wallet in the system default location: You must supply a directory password, host name, and port information. ■ (UNIX) /etc/ORACLE/WALLETS/username ■ (Windows) %USERPROFILE%\ORACLE\WALLETS Deletes the wallet in the current working directory. Delete You must supply the wallet password. Change Password Changes the password for the currently open wallet. You must supply the old password before you can create a new one. Auto Login Sets the auto login feature for the currently open wallet. Exit Exits the Oracle Wallet Manager application Operations Menu Table 2–4 describes the contents of the Operations menu. Table 2–4 Oracle Wallet Manager Operations Menu Options Option Description Add Certificate Request Generates a certificate request for the currently open wallet that you can use to request a certificate from a certificate authority (CA) Import User Certificate Imports the user certificate issued to you from the CA. You must import the issuing CA's certificate as a trusted certificate before you can import the user certificate. Import Trusted Certificate Imports the CA's trusted certificate Remove Certificate Request Deletes the certificate request in the currently open wallet. You must remove the associated user certificate before you can delete a certificate request. Remove User Certificate Deletes the user certificate from the currently open wallet. Remove Trusted Certificate Removes the trusted certificate that is selected in the navigator pane from the currently open wallet. You must remove all user certificates that the trusted certificate signs before you can remove it. Export User Certificate Exports the user certificate in the currently open wallet to save in a file system directory Export Certificate Request Exports the certificate request in the currently open wallet to save in a file 2-8 Oracle Database Advanced Security Administrator's Guide Duties of a Security Administrator/DBA Table 2–4 (Cont.) Oracle Wallet Manager Operations Menu Options Option Description Export Trusted Certificate Exports the trusted certificate that is selected in the navigator pane to save in another location in your file system Export All Trusted Certificates Exports all trusted certificates in the currently open wallet to save in another location in your file system Export Wallet Exports the currently open wallet to save as a text file Help Menu Table 2–5 describes the contents of the Help menu. Table 2–5 Oracle Wallet Manager Help Menu Options Option Description Contents Opens Oracle Wallet Manager online Help Search for Help on Opens Oracle Wallet Manager online Help and displays the Search tab About Oracle Wallet Manager Opens a window that displays the Oracle Wallet Manager version number and copyright information orapki Utility The orapki utility is a command line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes. The basic syntax for this utility is as follows: orapki module command -option_1 argument ... -option_n argument For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.example.com and that uses port 389: orapki crl list -ldap machine1.us.example.com:389 See Also: ■ ■ "Certificate Revocation List Management" on page 13-28 for information about how to use orapki to manage CRLs in the directory Appendix E, "orapki Utility" for reference information on all available orapki commands Duties of a Security Administrator/DBA Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure. Table 2–6 lists the primary tasks of security administrators, the tools used to perform the tasks, and links to where the tasks are documented. Configuration and Administration Tools Overview 2-9 Duties of a Security Administrator/DBA Table 2–6 Common Security Administrator/DBA Configuration and Administrative Tasks Task Tools Used See Also Configure encrypted Oracle Net connections between database servers and clients Oracle Net Manager "Configuring Encryption on the Client and the Server" on page 9-6 Configure checksumming on Oracle Net connections between database servers and clients Oracle Net Manager "Configuring Integrity on the Client and the Server" on page 9-7 Configure database clients to accept RADIUS authentication Oracle Net "Step 2A: Configure RADIUS on the Oracle Client" on page 11-7 Configure a database to accept RADIUS authentication Oracle Net "Step 2B: Configure RADIUS on the Oracle Database Server" on page 11-8 Create a RADIUS user and grant them access to a database session SQL*Plus "Step 3: Create a User and Grant Access" on page 11-12 Configure Kerberos authentication on a database client and server Oracle Net Manager "Step 7: Configure Kerberos Authentication" on page 12-4 Create a Kerberos database user ■ kadmin.local ■ Oracle Net Manager ■ ■ Manage Kerberos credentials in the credential cache ■ okinit ■ oklist ■ okdstry ■ ■ ■ Create a wallet for a database client or server Request a user certificate from a certificate authority (CA) for SSL authentication Configuring SSL connections for a database client Configuring SSL connections for a database server Enabling certificate validation with certificate revocation lists "Step 9: Create an Externally Authenticated Oracle User" on page 12-8 "Obtaining the Initial Ticket with the okinit Utility" on page 12-9 "Displaying Credentials with the oklist Utility" on page 12-9 "Removing Credentials from the Cache File with the okdstry Utility" on page 12-10 ■ Oracle Wallet Manager "Creating a New Wallet" on page 14-8 ■ Oracle Wallet Manager ■ ■ Import a user certificate and its associated trusted certificate (CA certificate) into a wallet "Step 8: Create a Kerberos User" on page 12-7 ■ Oracle Wallet Manager ■ ■ "Adding a Certificate Request" on page 14-15 "Importing the User Certificate into the Wallet" on page 14-17 "Importing a Trusted Certificate" on page 14-21 "Importing the User Certificate into the Wallet" on page 14-17 ■ Oracle Net Manager "Step 3: Configure Secure Sockets Layer on the Client" on page 13-14 ■ Oracle Net Manager "Step 2: Configure Secure Sockets Layer on the Server" on page 13-9 ■ Oracle Net Manager 2-10 Oracle Database Advanced Security Administrator's Guide ■ "Configuring Certificate Validation with Certificate Revocation Lists" on page 13-26 Part II Part II Oracle Data Redaction This part describes how to use Oracle Data Redaction. Part II contains the following chapters: ■ Chapter 3, "Introduction to Oracle Data Redaction" ■ Chapter 4, "Oracle Data Redaction Features and Capabilities" ■ Chapter 5, "Configuring Oracle Data Redaction Policies" ■ Chapter 6, "Oracle Data Redaction Use with Oracle Database Features" ■ Chapter 7, "Security Guidelines for Oracle Data Redaction" 3 Introduction to Oracle Data Redaction 3 Oracle Data Redaction provides the ability to redact data, typically sensitive data in real time. This chapter contains the following topics: ■ What Is Oracle Data Redaction? ■ When to Use Oracle Data Redaction ■ Benefits of Using Oracle Data Redaction ■ Target Use Cases for Oracle Data Redaction What Is Oracle Data Redaction? Oracle Data Redaction enables you to mask (redact) data that is returned from queries issued by applications. You can redact column data by using one of the following methods: ■ ■ ■ ■ ■ Full redaction. You redact all of the contents of the column data. The redacted value returned to the querying application user depends on the data type of the column. For example, columns of the NUMBER data type are redacted with a zero (0), and character data types are redacted with a single space. Partial redaction. You redact a portion of the column data. For example, you can redact a Social Security number with asterisks (*), except for the last 4 digits. Regular expressions. You can use regular expressions to look for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. It is designed for use with character data only. Random redaction. The redacted data presented to the querying application user appears as randomly generated values each time it is displayed, depending on the data type of the column. No redaction. The None redaction type option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment. Oracle Database applies the redaction at runtime, when users access the data (that is, at query-execution time). This solution works well in a production system. During the time that the data is being redacted, all of the data processing is performed normally, and the back-end referential integrity constraints are preserved. Introduction to Oracle Data Redaction 3-1 When to Use Oracle Data Redaction Data redaction can help you to comply with industry regulations such as Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act. When to Use Oracle Data Redaction Use Oracle Data Redaction when you must disguise sensitive data that your applications and application users must access. Data Redaction enables you to easily disguise the data using several different redaction styles. Oracle Data Redaction is ideal for situations in which you must redact specific characters out of the result set of queries of Personally Identifiable Information (PII) returned to certain application users. For example, you may want to present a U.S. Social Security number that ends with the numbers 4320 as ***-**-4320. Oracle Data Redaction is particularly suited for call center applications and other applications that are read-only. Take care when using Oracle Data Redaction with applications that perform updates back to the database, because redacted data can be written back to this database. Benefits of Using Oracle Data Redaction The benefits of using Oracle Data Redaction to protect your data are as follows: ■ ■ ■ ■ You have different styles of redaction from which to choose. Because the data is redacted at runtime, Data Redaction is well suited to environments in which data is constantly changing. You can create the Data Redaction policies in one central location and easily manage them from there. The Data Redaction policies enable you to create a wide variety of function conditions based on SYS_CONTEXT values, which can be used at runtime to decide when the Data Redaction policies will apply to the results of the application user’s query. Target Use Cases for Oracle Data Redaction Oracle Data Redaction fulfils common use case scenarios. This section contains: ■ ■ Using Oracle Data Redaction with Database Applications Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries Using Oracle Data Redaction with Database Applications Oracle Data Redaction protects sensitive data that is displayed in database applications. Data Redaction is transparent to application users because it preserves the original data type and (optionally) the formatting. It is highly transparent to the database because the data remains the same in buffers, caches, and storage—only being changed at the last minute just before SQL query results are returned to the caller. The redaction is enforced consistently across all of the applications that use the same underlying database. You can specify which application users should see only redacted data by checking application user information that is passed into the database through the SYS_CONTEXT function; you can redact data based on attributes of the current database or application user; and you can implement multiple logical 3-2 Oracle Database Advanced Security Administrator's Guide Target Use Cases for Oracle Data Redaction conditions within a given redaction policy. In addition, Data Redaction is implemented in a way that minimizes performance overhead. These characteristics make Oracle Data Redaction particularly well suited for usage by a range of applications, analytics tools, reporting tools, and monitoring tools that share common production databases. Although its primary target is redaction of production data for applications, Oracle Data Redaction also can be used in combination with Oracle Enterprise Manager Data Masking and Subsetting Pack for protecting sensitive data in testing and development environments. See Also: ■ ■ Oracle Database Real Application Testing User's Guide for more information about data masking "Oracle Data Redaction and Data Masking and Subsetting Pack" on page 6-3 Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries You may encounter situations where it is convenient to redact sensitive data for ad hoc queries that are performed by database users. For example, in the course of supporting a production application, a user may need to run ad hoc database queries to troubleshoot and fix an urgent problem with the application. This is different from the application-based scenarios described in "Using Oracle Data Redaction with Database Applications" on page 3-2, which typically generate a bounded set of SQL queries, use defined database accounts, and have fixed privileges. Even though Oracle Data Redaction is not designed to prevent data exposure to database users who run ad hoc queries directly against the database, it can provide an additional layer to reduce the chances of accidental data exposure. Because such users may have rights to change data, alter the database schema, and circumvent the SQL query interface entirely, it is possible for a malicious user to bypass Data Redaction policies in certain circumstances. Remember that the Oracle Database security tools are designed to be used together to improve overall security. By deploying one or more of these tools as a complement to Oracle Data Redaction, you can securely increase your overall security posture. "General Usage Guidelines" on page 7-1 for additional general usage guidelines See Also: Introduction to Oracle Data Redaction 3-3 Target Use Cases for Oracle Data Redaction 3-4 Oracle Database Advanced Security Administrator's Guide 4 Oracle Data Redaction Features and Capabilities 4 Oracle Data Redaction provides a variety of ways to redact different types of data. This chapter contains the following topics: ■ Using Full Data Redaction to Redact All Data ■ Using Partial Data Redaction to Redact Sections of Data ■ Using Regular Expressions to Redact Patterns of Data ■ Using Random Data Redaction to Generate Random Values ■ Comparison of Full, Partial, and Random Redaction Based on Data Types ■ Using No Redaction for Testing Purposes Using Full Data Redaction to Redact All Data When an Oracle Data Redaction policy that specifies full data redaction is applied to a table or view, the entire contents of the column are redacted. By default the output is displayed as follows: ■ Character data types: The output text is a single space. ■ Number data types: The output text is a zero (0). ■ Date-time data types: The output text is set to the first day of January, 2001, which appears as 01-JAN-01. Full redaction is the default and is used whenever a Data Redaction policy specifies the column but omits the function_type parameter setting. When you run the DBMS_ REDACT.ADD_POLICY procedure, to set the function_type parameter setting for full redaction, you enter the following setting: function_type => DBMS_REDACT.FULL You can use the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure to change the full redaction output to different values. See Also: ■ "Syntax for Creating a Full Redaction Policy" on page 5-8 ■ "Altering the Default Full Data Redaction Value" on page 5-9 Oracle Data Redaction Features and Capabilities 4-1 Using Partial Data Redaction to Redact Sections of Data Using Partial Data Redaction to Redact Sections of Data In partial data redaction, you redact portions of the displayed output. You can set the position within the actual data at which to begin the redaction, the number of characters to redact starting from that position, and the redaction character to use. This type of redaction is useful for situations where you want it to be obvious to the person viewing the data that it was redacted in some way. Typically, you use this type of redaction for credit cards or ID numbers. Be aware that partial data redaction requires that your data width remain fixed. If you want to redact columns containing string values of variable length, then you must use regular expressions, as described in "Using Regular Expressions to Redact Patterns of Data" on page 4-3. To specify partial redaction, you must set the DBMS_REDACT.ADD_POLICY procedure function_type parameter to DBMS_REDACT.PARTIAL and use the function_parameters parameter to define the partial redaction behavior. The displayed output for partial data redaction can be as follows: ■ ■ ■ Character data types: When partially redacted, a Social Security number (represented as a hyphenated string within a character data type) with value 987-65-4320 could be redacted so that it is displayed as shown in the following examples. The code on the right specifies how to redact the character data: it specifies the expected input format of the actual data, the format to use for the display of the redacted output, the start position at which to begin the redaction, the character to use for the redaction, and how many characters to redact. The first example uses a predefined shortcut for character data type Social Security numbers, and the second example replaces the first five numbers with an asterisk (*) while preserving the hyphens (-) in between the numbers. XXX-XX-4320 function_parameters => DBMS_REDACT.REDACT_US_SSN_F5, ***-**-4320 function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5', Number data types: The partially redacted NUMBER data type Social Security number 987654328 could appear as follows. Both redact the first five digits. The first example uses a predefined shortcut that is designed for Social Security numbers in the NUMBER data type, and the second replaces the first five numbers with the number 9, starting from the first digit. XXXXX4328 function_parameters => DBMS_REDACT.REDACT_NUM_US_SSN_F5, 999994328 function_parameters => '9,1,5', Date-time data types: Partially redacted datetime values can appear simply as different dates. For example, the date 29-AUG-11 10.20.50.000000 AM could appear as follows. In the first example, the day of the month is redacted to 02 (using the setting d02) and in the second example, the month is redacted to DEC (using m12). The uppercase values show the actual month (M), year (Y), hour (H), minute (M), and second (S). 02-AUG-11 10.20.50.000000 AM function_parameters => 'Md02YHMS', 29-DEC-11 10.20.50.000000 AM function_parameters => 'm12DYHMS', 4-2 Oracle Database Advanced Security Administrator's Guide Using Regular Expressions to Redact Patterns of Data See Also: ■ ■ "Syntax for Creating a Partial Redaction Policy" on page 5-12 "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19 Using Regular Expressions to Redact Patterns of Data You can use regular expressions to redact specific data within a column data value, based on a pattern search. For example, you can redact the user name of email addresses, so that only the domain shows (for example, replacing hpreston in the email address hpreston@example.com with [redacted] so that it appears as [redacted]@example.com). To perform the redaction, set the DBMS_REDACT.ADD_POLICY procedure function_type parameter to DBMS_REDACT.REGEXP, and then use the following parameters to build the regular expression: ■ A string search pattern (that is, the values to search for), such as: regexp_pattern => '(.+)@(.+\.[A-Za-z]{2,4})' This setting looks for a pattern of the following form: one_or_more_characters@one_or_more_characters.2-4_characters_in_range_A-Z_or_ a-z ■ A replacement string, which replaces the value matched by the regexp_pattern setting. The replacement string can include back references to sub-expressions of the main regular expression pattern. The following example replaces the data before the @ symbol (from the regexp_pattern setting) with the text [redacted]. The \2 setting refers to the second match group, which is (.+\.[A-Za-z]{2,4}) from the regexp_pattern setting. regexp_replace_string ■ The starting position for the string search string, such as the first character of the data, such as: regexp_position ■ => DBMS_REDACT.RE_BEGINNING The kind of search and replace operation to perform, such as the first occurrence, every fifth occurrence, or all of the occurrences, such as: regexp_occurrence ■ => '[redacted]@\2' => DBMS_REDACT.RE_ALL The default matching behavior for the search and replace operation, such as whether the search is case-sensitive (i sets it to be not case-sensitive): regexp_match_parameter => 'i In addition to the default parameters, you can use a set of predefined shortcuts that enable you to use commonly used regular expressions for telephone numbers, email addresses, and credit card numbers. "About Creating Regular Expression-Based Redaction Policies" on page 5-19 See Also: Oracle Data Redaction Features and Capabilities 4-3 Using Random Data Redaction to Generate Random Values Using Random Data Redaction to Generate Random Values In random data redaction, the entire value is redacted by replacing it with a random value. The redacted values displayed in the result set of the query change randomly each time application users run the query. This type of redaction is useful in cases where you do not want it to be obvious that the data was redacted. It works especially well for number and datetime data types, where it is difficult to distinguish between random and real data. The displayed output for random values changes based on the data type of the redacted column, as follows: ■ ■ Character data types: The random output is a mixture of characters (for example, HTU[G{\pjkEWcK). It behaves differently for the CHAR and VARCHAR2 data types, as follows: – CHAR data type: The redacted output is always in the same character set as the character set of the column. The byte length of the redacted output is always the same as the column definition length (that is, the column length that was provided at the time of table creation). For example, if the column is CHAR(20), then a string of 20 random characters is provided in the redacted output of the user’s query. – VARCHAR2 data type: For random redaction of a VARCHAR data type, the redacted output is always in the same character set as the character set of the column. The length of the redacted output is limited based on the length of the actual data in the column. No characters in excess of the length of the actual data are displayed. For example, if the column is VARCHAR2(20) and the row being redacted contains actual data with a length of 12, then a string of 12 random characters (not 20) is provided in the redacted output of the user’s query for that row. Number data types: Each actual number value is redacted by replacing it with a random, non-negative number modulo the absolute value of the actual data. This redaction results in random numbers that do not exceed the precision of the actual data. For example, the number 987654321 can be redacted by replacing it with any of the numbers 12345678, 13579, 0, or 987654320, but not by replacing it with any of the numbers 987654321, 99987654321, or -1. The number -123 could be redacted by replacing it with the numbers 122, 0, or 83, but not by replacing it with any of the numbers 123, 1123, or -2. The only exception to the above is when the actual value is an integer between -1 and 9. In this case, the actual data is redacted by replacing it with a random, non-negative integer modulo ten (10). ■ Date-time data types: When values of the date data type are redacted using random Data Redaction, Oracle Database displays them with random dates that are always different from those of the actual data. The setting for using random redaction is as follows: function_type => DBMS_REDACT.RANDOM See Also: "Syntax for Creating a Random Redaction Policy" on page 5-24 Comparison of Full, Partial, and Random Redaction Based on Data Types The full, partial, and random data redaction styles affect the Oracle built-in, ANSI, user-defined, and Oracle supplied types in different ways. 4-4 Oracle Database Advanced Security Administrator's Guide Comparison of Full, Partial, and Random Redaction Based on Data Types This section contains: ■ Redaction Capabilities for Oracle Built-in Data Types ■ Redaction Capabilities for the ANSI Data Types ■ Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types Redaction Capabilities for Oracle Built-in Data Types Table 4–1 compares how the full, partial, and random redaction styles work for Oracle built-in data types. Table 4–1 Redaction Capabilities for Oracle Built-in Data Types Data Type Notes Full Redaction Partial Redaction Random Redaction Character: CHAR, VARCHAR2 (including long VARCHAR2, for example, VARCHAR2(20000)), NCHAR, NVARCHAR2 None Default redacted value is a single blank space Supported data type Supported data type Number: NUMBER, FLOAT, BINARY_FLOAT, BINARY_DOUBLE None Default redacted value is zero (0). Supported data type Supported data type Raw: LONG RAW, RAW None Not a supported data type Not a supported data type Not a supported data type Date-time: DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, TIMESTAMP WITH LOCAL TIME ZONE None Default redacted value is 01-01-01 or 01-01-01 01:00:00. Supported data type Supported data type Interval: INTERVAL YEAR TO MONTH, INTERVAL DAY TO SECOND None Not a supported data type Not a supported data type Not a supported data type Large Object: BFILE None Not a supported data type Not a supported data type Not a supported data type Large Object: BLOB The No Redaction type (DBMS_REDACT.NONE) does not support LOB data types. Oracle's raw representation of [redacted] Not a supported data type Not a supported data type Large Object: CLOB, NCLOB The No Redaction type (DBMS_REDACT.NONE) does not support LOB data types. Default redacted value is [redacted]. Not a supported data type Not a supported data type Rowid: ROWID, UROWID None Not a supported data type Not a supported data type Not a supported data type Redaction Capabilities for the ANSI Data Types Table 4–2 compares how the full, partial, and random redaction styles work for ANSI data types. Oracle Data Redaction Features and Capabilities 4-5 Using No Redaction for Testing Purposes Table 4–2 Redaction Capabilities for the ANSI Data Types Data Type How Converted Full Redaction Partial Redaction Random Redaction Converted to CHAR(n) Default redacted value is a single blank space. Supported data type Supported data type Converted to VARCHAR2(n) Default redacted value is a single blank space. Supported data type Supported data type Converted to NCHAR(n) Default redacted value is a single blank space. Supported data type Supported data type Converted to NVARCHAR2(n) Default redacted value is a single blank space. Supported data type Supported data type Converted to NUMBER(p,s) Default redacted value is zero (0). Supported data type Supported data type Converted to NUMBER(38) Default redacted value is zero (0). Supported data type Supported data type Converted to FLOAT(126) Default redacted value is zero (0) Supported data type Supported data type REAL Converted to FLOAT(63) Default redacted value is zero (0). Supported data type Supported data type GRAPHIC None Not a supported data type Not a supported data type Not a supported data type CHARACTER(n), CHAR(n) CHARACTER VARYING(n), CHAR VARYING(n) NATIONAL CHARACTER(n), NATIONAL CHAR(n), NCHAR(n) NATIONAL CHARACTER VARYING(n), NATIONAL CHAR VARYING(n), NCHAR VARYING(n) NUMERIC[(p,s)] DECIMAL[(p,s)] INTEGER INT SMALLINT FLOAT DOUBLE PRECISION LONG VARGRAPHIC VARGRAPHIC TIME Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types Table 4–3 compares how the full, partial, and random redaction styles work for user defined and Oracle supplied types. Table 4–3 Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types Data Type or Type Full Redaction Partial Redaction Random Redaction User-defined data types Not a supported data type Not a supported data type Not a supported data type Any types, XML types, Oracle Spatial types, Oracle Media types Not a supported data type Not a supported data type Not a supported data type Using No Redaction for Testing Purposes You can create a Data Redaction policy that does not perform redaction. This is useful for cases in which you have a redacted base table, yet you want a specific application user to have a view that always shows the actual data. You can create a new view of 4-6 Oracle Database Advanced Security Administrator's Guide Using No Redaction for Testing Purposes the redacted table and then define a Data Redaction policy for this view. The policy still exists on the base table, but no redaction is performed when the application queries using the view as long as the DBMS_REDACT.NONE function_type setting was used to create a policy on the view. Oracle Data Redaction Features and Capabilities 4-7 Using No Redaction for Testing Purposes 4-8 Oracle Database Advanced Security Administrator's Guide 5 Configuring Oracle Data Redaction Policies 5 An Oracle Data Redaction policy defines how to redact data in a column based on the table column type and the type of redaction you want to use. You can enable and disable policies as necessary. This section contains the following topics: ■ About Oracle Data Redaction Policies ■ Who Can Create Oracle Data Redaction Policies? ■ Planning the Creation of an Oracle Data Redaction Policy ■ General Syntax of the DBMS_REDACT.ADD_POLICY Procedure ■ Using Expressions to Define Conditions for Data Redaction Policies ■ Creating a Full Redaction Policy and Altering the Default Full Redaction Value ■ Creating a Partial Redaction Policy ■ Creating a Regular Expression-Based Redaction Policy ■ Creating a Random Redaction Policy ■ Creating a Policy That Uses No Redaction ■ Exempting Users from Oracle Data Redaction Policies ■ Altering an Oracle Data Redaction Policy ■ Redacting Multiple Columns ■ Disabling and Enabling an Oracle Data Redaction Policy ■ Dropping an Oracle Data Redaction Policy ■ Example: How Oracle Data Redaction Affects Tables and Views ■ Example: Using SQL Expressions to Build Reports with Redacted Values ■ Finding Information About Oracle Data Redaction Policies About Oracle Data Redaction Policies An Oracle Data Redaction policy defines the conditions in which redaction must occur for a table or view. A Data Redaction policy has the following characteristics: ■ The Data Redaction policy defines the following: What kind of redaction to perform, how the redaction should occur, and when the redaction takes place. Configuring Oracle Data Redaction Policies 5-1 Who Can Create Oracle Data Redaction Policies? Oracle Database performs the redaction at execution time, just before the data is returned to the application. ■ ■ A Data Redaction policy can fully redact values, partially redact values, or randomly redact values. In addition, you can define a Data Redaction policy to not redact any data at all, for when you want to test your policies in a test environment. A Data Redaction policy can be defined with a policy expression which allows for different application users to be presented with either redacted data or actual data, based on whether the policy expression returns TRUE or FALSE. Redaction takes place when the boolean result of evaluating the policy expression is TRUE. For security reasons, the functions and operators that can be used in the policy expression are limited to SYS_CONTEXT and a few others. User-created functions are not allowed. Policy expressions can make use of the SYS_SESSION_ROLES namespace with the SYS_CONTEXT function to check for enabled roles. Table 5–1 lists the procedures in the DBMS_REDACT package. Table 5–1 DBMS_REDACT Procedures Procedure Description DBMS_REDACT.ADD_POLICY Adds a Data Redaction policy to a table or view DBMS_REDACT.ALTER_POLICY Modifies a Data Redaction policy DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES Globally updates the full redaction value for a given data type. You must restart the database instance before the updated values can be used. DBMS_REDACT.ENABLE_POLICY Enables a Data Redaction policy DBMS_REDACT.DISABLE_POLICY Disables a Data Redaction policy DBMS_REDACT.DROP_POLICY Drops a Data Redaction policy See Also: Oracle Database PL/SQL Packages and Types Reference for detailed information about the DBMS_REDACT PL/SQL package Who Can Create Oracle Data Redaction Policies? To create redaction policies, you must have the EXECUTE privilege on the DBMS_REDACT PL/SQL package. You do not need any privileges to access the underlying tables or views that will be protected by the policy. Planning the Creation of an Oracle Data Redaction Policy Before you create an Oracle Data Redaction policy, it is important to plan the data redaction process that best suits your data. 1. Ensure that you have been granted the EXECUTE privilege on the DBMS_REDACT PL/SQL package. 2. Determine the data type of the table or view column that you want to redact. 3. Ensure that this column is not used in an Oracle Virtual Private Database (VPD) row filtering condition. That is, it must not be part of the VPD predicate generated by the VPD policy function. 5-2 Oracle Database Advanced Security Administrator's Guide General Syntax of the DBMS_REDACT.ADD_POLICY Procedure 4. Decide on the type of redaction that you want to perform: full, random, partial, regular expressions, or none. 5. Decide which users to apply the Data Redaction policy to. 6. Based on this information, create the Data Redaction policy by using the DBMS_ REDACT.ADD_POLICY procedure. 7. Configure the policy to have additional columns to be redacted, as described in "Redacting Multiple Columns" on page 5-30. After you create the Data Redaction policy, it is automatically enabled and ready to redact data. General Syntax of the DBMS_REDACT.ADD_POLICY Procedure To create a Data Redaction policy, use the DBMS_REDACT.ADD_POLICY procedure. The complete syntax is as follows: DBMS_REDACT.ADD_POLICY ( DBMS_REDACT.ADD_POLICY ( object_schema object_name policy_name policy_description column_name column_description function_type function_parameters expression enable regexp_pattern regexp_replace_string regexp_position regexp_occurrence regexp_match_parameter IN IN IN IN IN IN IN IN IN IN IN IN IN IN IN VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2, VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2 := NULL, BINARY_INTEGER := DBMS_REDACT.FULL, VARCHAR2 := NULL, VARCHAR2, BOOLEAN := TRUE, VARCHAR2 := NULL, VARCHAR2 := NULL, BINARY_INTEGER :=1, BINARY_INTEGER :=0, VARCHAR2 := NULL); In this specification: ■ object_schema: Specifies the schema of the object on which the Data Redaction policy will be applied. If you omit this setting (or enter NULL), then Oracle Database uses the current user’s name. Be aware that the meaning of "current user" here can change, depending on where you invoke the DBMS_REDACT.ADD_ POLICY procedure. For example, suppose user mpike grants user fbrown the EXECUTE privilege on a definer’s rights PL/SQL package called mpike.protect_data in mpike’s schema. From within this package, mpike has coded a procedure called protect_cust_ data, which invokes the DBMS_REDACT.ADD_POLICY procedure. User mpike has set the object_schema parameter to NULL. When fbrown invokes the protect_cust_data procedure in the mpike.protect_ data package, Oracle Database attempts to define the Data Redaction policy around the object cust_data in the mpike schema, not the cust_data object in the schema that belongs to fbrown. ■ ■ object_name: Specifies the name of the table or view to which the Data Redaction policy applies. policy_name: Specifies the name of the policy to be created. Ensure that this name is unique in the database instance. You can find a list of existing Data Redaction Configuring Oracle Data Redaction Policies 5-3 General Syntax of the DBMS_REDACT.ADD_POLICY Procedure policies by querying the POLICY_NAME column of the REDACTION_POLICIES data dictionary view. ■ ■ ■ ■ policy_description: Specifies a brief description of the purpose of the policy. column_name: Specifies the column whose data you want to redact. Note the following: – You can apply the Data Redaction policy to multiple columns. If you want to apply the Data Redaction policy to multiple columns, then after you use DBMS_ REDACT.ADD_POLICY to create the policy, run the DBMS_REDACT.ALTER_POLICY procedure as many times as necessary to add each of the remaining required columns to the policy. See "Altering an Oracle Data Redaction Policy" on page 5-27. – Only one policy can be defined on a table or view. You can, however, create a new view on the table, and by defining a second redaction policy on this new view, you can choose to redact the columns in a different way when a query is issued against this new view. When deciding how to redact a given column, Oracle Database uses the policy of the earliest view in a view chain. See "Example: How Oracle Data Redaction Affects Tables and Views" on page 5-33 for more information about using Data Redaction policies with views. – If you do not specify a column (for example, by entering NULL), then no columns are redacted by the policy. This enables you to create your policies so that they are in place, and then later on, you can add the column specification when you are ready. – Do not use a column that is currently used in an Oracle Virtual Private Database (VPD) row filtering condition. In other words, the column should not be part of the VPD predicate generated by the VPD policy function. See "Oracle Data Redaction and Oracle Virtual Private Database" on page 6-2 for more information about using Data Redaction with VPD.s – You cannot define a Data Redaction policy on a virtual column. In addition, you cannot define a Data Redaction policy on a column that is involved in the SQL expression of any virtual column. column_description: Specifies a brief description of the column that you are redacting. function_type: Specifies a function that sets the type of redaction. See the following sections for more information: – "Syntax for Creating a Full Redaction Policy" on page 5-8 – "Syntax for Creating a Partial Redaction Policy" on page 5-12 – "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19 – "Syntax for Creating a Random Redaction Policy" on page 5-24 – "Syntax for Creating a Policy with No Redaction" on page 5-26 If you omit the function_type parameter, then the default redaction function_ type setting is DBMS_REDACT.FULL. ■ ■ function_parameters: Specifies how the column redaction should appear for partial redaction. See "Syntax for Creating a Partial Redaction Policy" on page 5-12. expression: Specifies a Boolean SQL expression to determine how the policy is applied. Redaction takes place only if this policy expression evaluates to TRUE. See "Using Expressions to Define Conditions for Data Redaction Policies" on page 5-5. 5-4 Oracle Database Advanced Security Administrator's Guide Using Expressions to Define Conditions for Data Redaction Policies ■ ■ enable: When set to TRUE, enables the policy upon creation. When set to FALSE, it creates the policy as a disabled policy. The default is TRUE. After you create the policy, you can disable or enable it. See the following sections: – "Disabling an Oracle Data Redaction Policy" on page 5-31 – "Enabling an Oracle Data Redaction Policy" on page 5-32 regexp_pattern, regexp_replace_string, regexp_position, regexp_position, regexp_occurrence, regexp_match_parameter: Enable you to use regular expressions to redact data, either fully or partially. If the regexp_pattern does not match anything in the actual data, then full redaction will take place, so be careful when specifying the regexp_pattern. Ensure that all of the values in the column conform to the semantics of the regular expression you are using. See "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19 for more information. Using Expressions to Define Conditions for Data Redaction Policies When you create any Oracle Data Redaction policy, you must use the expression parameter in the DBMS_REDACT.ADD_POLICY procedure to specify the conditions in which the policy applies. This section contains: ■ About Using Expressions in Data Redaction Policies ■ Applying the Redaction Policy Based on User Environment ■ Applying the Redaction Policy Based on Database Role ■ Applying the Redaction Policy Based on Oracle Application Express Session States ■ Applying the Redaction Policy with No Filtering About Using Expressions in Data Redaction Policies The expression parameter of the DBMS_REDACT.ADD_POLICY procedure defines a Boolean expression that must evaluate to TRUE before the redaction can table place. This expression must be based on one of the following functions: ■ ■ SYS_CONTEXT, using a specified namespace. The default namespace for SYS_ CONTEXT is USERENV, which includes values such as SESSION_USER and CLIENT_ IDENTIFIER. (See Oracle Database SQL Language Reference for detailed information about this function.) Another namespace that you can use is the SYS_SESSION_ ROLES namespace, which contains attributes for each role. The following Oracle Application Express functions: – V, which is a wrapper for the APEX_UTIL.GET_SESSION_STATE function – NV, which is a wrapper for the APEX_UTIL.GET_NUMERIC_SESSION_STATE function See Oracle Application Express API Reference for more information about these APEX_ UTIL package functions. ■ The OLS_LABEL_DOMINATES function, described in Oracle Label Security Administrator's Guide, which is a wrapper for the LBACSYS.OLS_LABEL_DOMINATES function. Follow these guidelines when you write the expression: Configuring Oracle Data Redaction Policies 5-5 Using Expressions to Define Conditions for Data Redaction Policies ■ ■ ■ Use only the following operators: =, !=, >, <, >=, <= Because the expression must evaluate to TRUE for redaction, be careful when making comparisons with NULL. Remember that in SQL the value NULL is undefined, so comparisons with NULL tend to return FALSE. Do not use user-created functions in the expression parameter; this is not permitted. Remember that for user SYS and users who have the EXEMPT REDACTION POLICY privilege, all of the Data Redaction policies are bypassed, so the results of their queries are not redacted. See for more information about users who are exempted from Data Redaction policies. Remember that for user SYS and users who have the EXEMPT REDACTION POLICY privilege, all of the Data Redaction policies are bypassed, so the results of their queries are not redacted. See "Exempting Users from Oracle Data Redaction Policies" on page 5-26 for more information about users who are exempted from Data Redaction policies. Applying the Redaction Policy Based on User Environment To apply a Data Redaction policy based on the user’s environment (such as the session user name or client identifier), you can use the USERENV namespace of the SYS_CONTEXT function in the DBMS_REDACT.ADD_POLICY expression parameter. Example 5–1 shows how to apply the policy only to the session user name psmith. Example 5–1 Filtering Users by Session User Name expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PSMITH''' See Also: Oracle Database SQL Language Reference for information about more namespaces that you can use with the SYS_CONTEXT function Applying the Redaction Policy Based on Database Role To apply a Data Redaction policy based on database roles, you can use the SYS_ SESSION_ROLES namespace in the SYS_CONTEXT function, which contains attributes for each role. The value of the attribute is TRUE if the specified role is enabled for the querying application user; the value is FALSE if the role is not enabled. For example, suppose you wanted only supervisors to be allowed to see the actual data. Example 5–2 shows how to use the DBMS_REDACT.ADD_POLICY expression parameter to set the policy to show the actual data to any application user who has the supervisor role enabled, but redact the data for all of the other application users. Example 5–2 Applying a Data Redaction Policy by Database Role expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE''' Applying the Redaction Policy Based on Oracle Application Express Session States To apply a Data Redaction policy based on an Oracle Application Express (APEX) session state, you can use either of the following public Application Express APIs in the DBMS_REDACT.ADD_POLICY expression parameter: ■ V, which is a synonym for the APEX_UTIL.GET_SESSION_STATE function ■ NV, which is a synonym for the APEX_UTIL.GET_NUMERIC_SESSION_STATE function 5-6 Oracle Database Advanced Security Administrator's Guide Creating a Full Redaction Policy and Altering the Default Full Redaction Value You can, for example, use these functions to redact data based on a job or a privilege role that is stored in a session state in an APEX application. Example 5–3 shows how to set the DBMS_REDACT.ADD_POLICY expression parameter if you wanted redaction to take place when the application item called G_JOB has the value CLERK. Example 5–3 Filtering Users by Oracle Application Express Session State expression => 'V'(''G_JOB'') = ''CLERK''' If you want redaction to take place when the querying user is not within the context of an APEX application (when the query is issued from outside the APEX framework, for example directly through SQL*Plus), then use an IS NULL clause as follows. This policy expression causes actual data to be shown to user mavis only when her query comes from within an APEX application. Otherwise, the query result is redacted. expression => 'V(''APP_USER'') != ''mavis@example.com'' or V(''APP_USER'') is null' See Also: Oracle Application Express API Reference Applying the Redaction Policy with No Filtering You can apply the policy irrespective of the context to any user, with no filtering. However, be aware that user SYS and users who have the EXEMPT REDACTION POLICY privilege are always except from Oracle Data Redaction policies. To apply the policy to users who are not SYS or have been granted the EXEMPT REDACTION POLICY privilege, write the DBMS_REDACT.ADD_POLICY expression parameter to evaluate to TRUE, as shown Example 5–4. Example 5–4 Applying the Redaction Policy with No Filtering expression => '1=1' See Also: "Exempting Users from Oracle Data Redaction Policies" on page 5-26 Creating a Full Redaction Policy and Altering the Default Full Redaction Value This section contains: ■ Creating a Full Redaction Policy ■ Altering the Default Full Data Redaction Value Creating a Full Redaction Policy This section contains: ■ About Creating Full Data Redaction Policies ■ Syntax for Creating a Full Redaction Policy ■ Examples of Full Data Redaction Policies About Creating Full Data Redaction Policies A full data redaction policy redacts all the contents of a data column. To set the redaction policy to be full, you must set the function_type parameter to DBMS_ Configuring Oracle Data Redaction Policies 5-7 Creating a Full Redaction Policy and Altering the Default Full Redaction Value REDACT.FULL. By default, NUMBER data type columns are replaced with zero (0) and character data type columns are replaced with a single space ( ). You can modify this default by using the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure. "Altering the Default Full Data Redaction Value" on page 5-9 if you want to modify the default full redaction value See Also: Syntax for Creating a Full Redaction Policy The fields used for creating a full data redaction policy are as follows: DBMS_REDACT.ADD_POLICY ( object_schema object_name column_name policy_name function_type expression enable IN IN IN IN IN IN IN VARCHAR2 := NULL, VARCHAR2, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := NULL, VARCHAR2, BOOLEAN := TRUE); In this specification: ■ ■ object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3. function_type: Specifies the function used to set the type of redaction. Enter DBMS_REDACT.FULL. If you omit the function_type parameter, then the default redaction function_ type setting is DBMS_REDACT.FULL. Remember that the data type of the column determines which function_type settings that you are permitted to use. See "Comparison of Full, Partial, and Random Redaction Based on Data Types" on page 4-4. Examples of Full Data Redaction Policies Example 5–5 shows how to use full redaction for all the values in the HR.EMPLOYEES table COMMISSION_PCT column. The expression parameter applies the policy to any user querying the table, except for users who have been granted the EXEMPT REDACTION POLICY system privilege. (See "Exempting Users from Oracle Data Redaction Policies" on page 5-26 for more information about the EXEMPT REDACTION POLICY system privilege.) Example 5–5 Full Data Redaction Policy BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'hr', object_name => 'employees', column_name => 'commission_pct', policy_name => 'redact_com_pct', function_type => DBMS_REDACT.FULL, expression => '1=1'); END; / Query and redacted result: SELECT COMMISSION_PCT FROM HR.EMPLOYEES; COMMISSION_PCT -------------- 5-8 Oracle Database Advanced Security Administrator's Guide Creating a Full Redaction Policy and Altering the Default Full Redaction Value 0 0 0 Example 5–6 shows how to redact fully the user IDs of the user_id column in the mavis.cust_info table. The user_id column is of the VARCHAR2 data type. The output is a blank string. The expression setting enables users who have the MGR role to view the user IDs. Example 5–6 Fully Redacted Data Redaction Character Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'mavis', object_name => 'cust_info', column_name => 'user_id', policy_name => 'redact_cust_user_ids', function_type => DBMS_REDACT.FULL, expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''MGR'') = ''FALSE'''); END; / Query and redacted result: SELECT user_id FROM mavis.cust_info; USER_ID -----------0 0 0 Altering the Default Full Data Redaction Value To alter the default full data redaction value, you use the DBMS_REDACT.UPDATE_FULL_ REDACTION_VALUES procedure to modify this value. This section contains: ■ About Altering the Default Full Data Redaction Value ■ Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns ■ Altering the Default Full Data Redaction Value for LOB Data Type Columns About Altering the Default Full Data Redaction Value You can alter the default displayed values for Data Redaction policies that use full data redaction. If you want to change any of the default full redaction values for any of the data types to another value, then you can use the method that applies to that data type, as shown in the following list: ■ ■ If the data type of the column is a non-LOB data type (BINARY_FLOAT, BINARY_ DOUBLE, CHAR, VARCHAR2, NCHAR, NVARCHAR2, DATE, TIMESTAMP, or TIMESTAMP WITH TIME ZONE), then you must use the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure, as described in "Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns" on page 5-10. If the data type of the column is a LOB data type (BLOB, CLOB, or NCLOB), then you must run the UPDATE statement, as described in "Altering the Default Full Data Redaction Value for LOB Data Type Columns" on page 5-11. Configuring Oracle Data Redaction Policies 5-9 Creating a Full Redaction Policy and Altering the Default Full Redaction Value After you modify a value, you must restart the database for it to take effect. You can find the current values by querying the REDACTION_VALUES_FOR_TYPE_FULL data dictionary view. Be aware that this change affects all Data Redaction policies in the database that use full data redaction. Before you alter the default full data redaction value, examine the affect that this change would have on existing full Data Redaction policies. Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns To alter the default full data redaction value for non-LOB data type columns, use the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure. 1. Log in to the database instance as a user who has been granted the EXECUTE privilege on the DBMS_REDACT PL/SQL package. 2. (Optional) Check the value that you want to change. For example, to check the current value for columns that use the NUMBER data type: SELECT NUMBER_VALUE FROM REDACTION_VALUES_FOR_TYPE_FULL; NUMBER_VALUE -----------0 3. Run the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure to modify the value. Use the following syntax: EXEC DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES (datatype_value => new_value); For example, to modify a NUMBER column to use 7 as the default: EXEC DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES (number_val => 7); For other data types, replace datatype_value with the following settings, and new_value with the value that you want to use: 4. Data Type new_value Setting BINARY_FLOAT binfloat_val BINARY_DOUBLE bindouble_val CHAR char_val VARCHAR2 varchar_val NCHAR nchar_val NVARCHAR2 nvarchar_val DATE date_val TIMESTAMP ts_val TIMESTAMP WITH TIME ZONE tswtz_val Restart the database instance. For example: SHUTDOWN IMMEDIATE STARTUP 5-10 Oracle Database Advanced Security Administrator's Guide Creating a Full Redaction Policy and Altering the Default Full Redaction Value See Also: ■ ■ Oracle Database PL/SQL Packages and Types Reference for more information about the DBMS_REDACT.UPDATE_FULL_REDACTION_ VALUES procedure Oracle Database Reference for more information about the REDACTION_VALUES_FOR_TYPE_FULL view Altering the Default Full Data Redaction Value for LOB Data Type Columns To alter the default full data redaction value for LOB data type columns: 1. Log in to the database instance as a user who has privileges to update the RADM_ FPTM_LOB$ data dictionary table. 2. (Optional) Check the value that you want to change by querying the REDACTION_ VALUES_FOR_TYPE_FULL data dictionary view. 3. Update the LOB value. ■ For the BLOB data type, initialize a variable (for example, blob_val) with the new full Data Redaction value for the BLOB data type. Then run an UPDATE statement on the BLOBVAL column of the RADM_FPTM_LOB$ table to set the new default value for full redaction of columns of the BLOB data type. DECLARE blob_val BLOB; BEGIN DBMS_LOB.CREATETEMPORARY(blob_val, TRUE); DBMS_LOB.WRITE(blob_val, 8, 1, UTL_RAW.CAST_TO_RAW('newvalue')); UPDATE RADM_FPTM_LOB$ SET BLOBCOL = BLOB_VAL WHERE FPVER = 1; DBMS_LOB.FREETEMPORARY(blob_val); END; / ■ For the CLOB data type, initialize a variable (for example, clob_val) with the new full Data Redaction value for the CLOB data type. Then run an UPDATE statement on the CLOBVAL column of the RADM_FPTM_LOB$ table to set the new default value for full redaction of columns of the CLOB data type. DECLARE clob_val CLOB; BEGIN DBMS_LOB.CREATETEMPORARY(clob_val, TRUE); DBMS_LOB.WRITE(clob_val, 8, 1, 'newvalue'); UPDATE RADM_FPTM_LOB$ SET CLOBCOL = CLOB_VAL WHERE FPVER = 1; DBMS_LOB.FREETEMPORARY(clob_val); END; / ■ For the NCLOB data type, initialize a variable (for example, nclob_val) with the new full Data Redaction value for the NCLOB data type. Then run an UPDATE statement on the NCLOBVAL column of the RADM_FPTM_LOB$ table to set the new default value for full redaction of columns of the NCLOB data type. Configuring Oracle Data Redaction Policies 5-11 Creating a Partial Redaction Policy DECLARE nclob_val NCLOB; BEGIN DBMS_LOB.CREATETEMPORARY(nclob_val, TRUE); DBMS_LOB.WRITE(nclob_val, 8, 1, N'newvalue'); UPDATE RADM_FPTM_LOB$ SET NCLOBCOL = NCLOB_VAL WHERE FPVER = 1; DBMS_LOB.FREETEMPORARY(nclob_val); END; / 4. Restart the database instance. For example: SHUTDOWN IMMEDIATE STARTUP Oracle Database Reference for more information about the REDACTION_VALUES_FOR_TYPE_FULL view See Also: Creating a Partial Redaction Policy This section contains: ■ About Creating Partial Redaction Policies ■ Syntax for Creating a Partial Redaction Policy ■ Creating Partial Redaction Policies Using Fixed Character Shortcuts ■ Creating Partial Redaction Policies Using Character Data Types ■ Creating Partial Redaction Policies Using Number Data Types ■ Creating Partial Redaction Policies Using Date-Time Data Types About Creating Partial Redaction Policies In partial data redaction, only a portion of the data, such as the first five digits of an identification number, are redacted. For example, you can redact most of a credit card number with asterisks (*), except for the last 4 digits. You can create policies for columns that use character, number, or date-time data types. For policies that redact character data types, you can use fixed character redaction shortcuts. Syntax for Creating a Partial Redaction Policy The DBMS_REDACT.ADD_POLICY fields for creating a partial redaction policy are as follows: DBMS_REDACT.ADD_POLICY ( object_schema object_name column_name policy_name function_type function_parameters expression enable IN IN IN IN IN IN IN IN VARCHAR2 := NULL, VARCHAR2, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := NULL, VARCHAR2 := NULL, VARCHAR2, BOOLEAN := TRUE); 5-12 Oracle Database Advanced Security Administrator's Guide Creating a Partial Redaction Policy In this specification: ■ ■ ■ object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 function_type: Specifies the function used to set the type of redaction. Enter DBMS_REDACT.PARTIAL. function_parameters: The parameters that you set here depend on the data type of the column specified for the column_name parameter. See the following sections for details: – "Creating Partial Redaction Policies Using Fixed Character Shortcuts" on page 5-13 – "Creating Partial Redaction Policies Using Character Data Types" on page 5-15 – "Creating Partial Redaction Policies Using Number Data Types" on page 5-16 – "Creating Partial Redaction Policies Using Date-Time Data Types" on page 5-17 Creating Partial Redaction Policies Using Fixed Character Shortcuts The DBMS_REDACT.ADD_POLICY function_parameters parameter enables you to use fixed character shortcuts. This section contains: ■ Settings for Fixed Character Shortcuts ■ Example of a Partial Redaction Policy Using a Fixed Character Shortcut Settings for Fixed Character Shortcuts Table 5–2 describes DBMS_REDACT.ADD_POLICY function_parameters parameter shortcuts that you can use for commonly redacted Social Security numbers, postal codes, and credit cards that use either the VARCHAR2 or NUMBER data types for their columns. Table 5–2 Partial Fixed Character Redaction Shortcuts Shortcut Description DBMS_REDACT.REDACT_US_SSN_F5 Redacts the first 5 numbers of Social Security numbers when the column is a VARCHAR2 data type. For example, the number 987-65-4320 becomes XXX-XX-4320. DBMS_REDACT.REDACT_US_SSN_L4 Redacts the last 4 numbers of Social Security numbers when the column is a VARCHAR2 data type. For example, the number 987-65-4320 becomes 987-65-XXXX. DBMS_REDACT.REDACT_US_SSN_ENTIRE Redacts the entire Social Security number when the column is a VARCHAR2 data type. For example, the number 987-65-4320 becomes XXX-XX-XXXX. DBMS_REDACT.REDACT_NUM_US_SSN_F5 Redacts the first 5 numbers of Social Security numbers when the column is a NUMBER data type. For example, the number 987654320 becomes XXXXX4320. Configuring Oracle Data Redaction Policies 5-13 Creating a Partial Redaction Policy Table 5–2 (Cont.) Partial Fixed Character Redaction Shortcuts Shortcut Description DBMS_REDACT.REDACT_NUM_US_SSN_L4 Redacts the last 4 numbers of Social Security numbers when the column is a NUMBER data type. For example, the number 987654320 becomes 98765XXXX. DBMS_REDACT.REDACT_NUM_US_SSN_ENTIRE Redacts the entire Social Security number when the column is a NUMBER data type. For example, the number 987654320 becomes XXXXXXXXX. DBMS_REDACT.REDACT_ZIP_CODE Redacts a 5-digit postal code when the column is a VARCHAR2 data type. For example, 95476 becomes XXXXX. DBMS_REDACT.REDACT_NUM_ZIP_CODE Redacts a 5-digit postal code when the column is a NUMBER data type. For example, 95476 becomes XXXXX. DBMS_REDACT.REDACT_DATE_MILLENNIUM Redacts dates that are in the DD-MON-YY format to 01-JAN-00 (January 1, 2000). DBMS_REDACT.REDACT_DATE_EPOCH Redacts all dates to 01-JAN-70. DBMS_REDACT.REDACT_CCN16_F12 Redacts a 16-digit credit card number, leaving the last 4 digits displayed. For example, 5105 1051 0510 5100 becomes ****-****-****-5100. "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about other DBMS_REDACT.ADD_ POLICY parameters See Also: Example of a Partial Redaction Policy Using a Fixed Character Shortcut Example 5–7 shows how Social Security numbers in a VARCHAR2 data type column and can be redacted using the REDACT_US_SSN_F5 shortcut. Example 5–7 Partially Redacted Character Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => object_name => column_name => policy_name => function_type => function_parameters => expression => policy_description => column_description => END; / 'mavis', 'cust_info', 'ssn', 'redact_cust_ssns3', DBMS_REDACT.PARTIAL, DBMS_REDACT.REDACT_US_SSN_F5, '1=1', 'Partially redacts 1st 5 digits in SS numbers', 'ssn contains Social Security numbers'); Query and redacted result: SELECT ssn FROM mavis.cust_info; SSN ------XXX-XX-4320 XXX-XX-4323 XXX-XX-4325 5-14 Oracle Database Advanced Security Administrator's Guide Creating a Partial Redaction Policy XXX-XX-4329 Creating Partial Redaction Policies Using Character Data Types The DBMS_REDACT.ADD_POLICY function_parameters parameter enables you to redact character data types. This section contains: ■ Settings for Character Data Types ■ Example of a Partial Redaction Policy Using Character a Data Type Settings for Character Data Types When you set the DBMS_REDACT.ADD_POLICY function_parameters parameter to define partial redaction of character data types, enter values for the following settings in the order shown. Separate each value with a comma. Be aware that you must use a fixed width character set for the partial redaction. In other words, each character redacted must be replaced by another of equal byte length. If you want to use a variable-length character set (for example, UTF-8), then you must use a regular expression-based redaction. See "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19 for more information. Note: The settings are as follows: 1. Input format: Defines how the data is currently formatted. Enter V for each character that potentially can be redacted, such as all of the digits in a credit card number. Enter F for each character that you want to format using a formatting character, such as hyphens or blank spaces in the credit card number. Ensure that each character has a corresponding V or F value. (The input format values are not case-sensitive.) 2. Output format: Defines how the displayed data should be formatted. Enter V for each character to be potentially redacted. Replace each F character in the input format with the character that you want to use for the displayed output, such as a hyphen. (The output format values are not case-sensitive.) 3. Mask character: Specifies the character to be used for the redaction. Enter a single character to use for the redaction, such as an asterisk (*). 4. Starting digit position: Specifies the starting V digit position for the redaction. 5. Ending digit position: Specifies the ending V digit position for the redaction. Do not include the F positions when you decide on the ending position value. For example, the following setting redacts the first 12 V digits of the credit card number 5105 1051 0510 5100, and replaces the F positions (which are blank spaces) with hyphens to format it in a style normally used for credit card numbers, resulting in ****-****-****-4320. function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12', "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about other DBMS_REDACT.ADD_ POLICY parameters See Also: Configuring Oracle Data Redaction Policies 5-15 Creating a Partial Redaction Policy Example of a Partial Redaction Policy Using Character a Data Type Example 5–8 shows how to redact Social Security numbers that are in a VARCHAR2 data type column and to preserve the character hyphens in the Social Security number. Example 5–8 Partially Redacted Data Redaction Character Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => object_name => column_name => policy_name => function_type => function_parameters => expression => policy_description => column_description => END; / 'mavis', 'cust_info', 'ssn', 'redact_cust_ssns2', DBMS_REDACT.PARTIAL, 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5', '1=1', 'Partially redacts Social Security numbers', 'ssn contains character Social Security numbers'); Query and redacted result: SELECT ssn FROM mavis.cust_info; SSN ----------***-**-4320 ***-**-4323 ***-**-4325 ***-**-4329 Creating Partial Redaction Policies Using Number Data Types The DBMS_REDACT.ADD_POLICY function_parameters parameter enables you to redact number data types. This section contains: ■ Settings for Number Data Types ■ Example of a Partial Redaction Policy Using a Number Data Type Settings for Number Data Types For partial redaction of number data types, enter values for the following settings for the function_parameters parameter of the DBMS_REDACT.ADD_POLICY procedure, in the order shown. 1. Mask character: Specifies the character to display. Enter a number from 0 to 9. 2. Starting digit position: Specifies the starting digit position for the redaction, such as 1 for the first digit. 3. Ending digit position: Specifies the ending digit position for the redaction. For example, the following setting redacts the first five digits of the Social Security number 987654321, resulting in 999994321. function_parameters => '9,1,5', 5-16 Oracle Database Advanced Security Administrator's Guide Creating a Partial Redaction Policy "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about other DBMS_REDACT.ADD_ POLICY parameters See Also: Example of a Partial Redaction Policy Using a Number Data Type Example 5–9 shows how to partially redact a set of Social Security numbers in the mavis.cust_info table, for any application user who logs in. (Hence, the expression parameter evaluates to TRUE.) In this scenario, the Social Security numbers are in a column of the data type NUMBER. In other words, the ssn column contains numbers only, not other characters such as hyphens or blank spaces. Example 5–9 Partially Redacted Data Redaction Numeric Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => object_name => column_name => policy_name => function_type => function_parameters => expression => policy_description => column_description => END; / 'mavis', 'cust_info', 'ssn', 'redact_cust_ssns1', DBMS_REDACT.PARTIAL, '7,1,5', '1=1', 'Partially redacts Social Security numbers', 'ssn contains numeric Social Security numbers'); Query and redacted result: SELECT ssn FROM mavis.cust_info; SSN --------777774320 777774323 777774325 777774329 Creating Partial Redaction Policies Using Date-Time Data Types The DBMS_REDACT.ADD_POLICY function_parameters parameter enables you to redact date-time data types. This section contains: ■ Settings for Date-Time Data Types ■ Example of a Partial Redaction Policy Using Date-Time Data Type Settings for Date-Time Data Types For partial redaction of date-time data types, enter values for the following DBMS_ REDACT.ADD_POLICY function_parameters parameter settings, in the order shown: 1. m: Redacts the month. To redact with a month name, append 1–12 to lowercase m. For example, m5 displays as MAY. To omit redaction, enter an uppercase M. 2. d: Redacts the day of the month. To redact with a day of the month, append 1–31 to a lowercase d. For example, d7 displays as 07. If you enter a higher number than the days of the month (for example, 31 for the month of February), then the last Configuring Oracle Data Redaction Policies 5-17 Creating a Regular Expression-Based Redaction Policy day of the month is displayed (for example, 28). To omit redaction, enter an uppercase D. 3. y: Redacts the year. To redact with a year, append 1–9999 to a lowercase y. For example, y1984 displays as 84. To omit redaction, enter an uppercase Y. 4. h: Redacts the hour. To redact with an hour, append 0–23 to a lowercase h. For example, h20 displays as 20. To omit redaction, enter an uppercase H. 5. m: Redacts the minute. To redact with a minute, append 0–59 to a lowercase m. For example, m30 displays as 30. To omit redaction, enter an uppercase M. 6. s: Redacts the second. To redact with a second, append 0–59 to a lowercase s. For example, s45 displays as 45. To omit redaction, enter an uppercase S. "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about other DBMS_REDACT.ADD_ POLICY parameters See Also: Example of a Partial Redaction Policy Using Date-Time Data Type Example 5–10 shows how to partially redact a date. This example redacts the birth year of customers; replacing it with 13, but retaining the remaining values. Example 5–10 Partially Redacted Data Redaction Using Date-Time Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => object_name => column_name => policy_name => function_type => function_parameters => expression => policy_description => column_description => END; / 'mavis', 'cust_info', 'birth_date', 'redact_cust_bdate', DBMS_REDACT.PARTIAL, 'mdy2013HMS', '1=1', 'Replaces birth year with 2013', 'birth_date contains customer’s birthdate'); Query and redacted result: SELECT birth_date FROM mavis.cust_info; BIRTH_DATE 07-DEC-13 09.45.40.000000 AM 12-OCT-13 04.23.29.000000 AM Creating a Regular Expression-Based Redaction Policy This section contains: ■ About Creating Regular Expression-Based Redaction Policies ■ Syntax for Creating a Regular Expression-Based Redaction Policy ■ Creating Regular Expression-Based Redaction Policies Using Shortcuts ■ Creating Custom Regular Expression Redaction Policies 5-18 Oracle Database Advanced Security Administrator's Guide Creating a Regular Expression-Based Redaction Policy About Creating Regular Expression-Based Redaction Policies Regular expression-based redaction enables you to search for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. It is designed for use with character data only. You can use shortcuts for the search and replace operation, or you can create custom patterns. You cannot use regular expressions to redact a subset of the values in a column. The REGEXP_PATTERN (regular expression pattern) must match all of the values in order for the REGEXP_REPLACE_STRING setting to take effect, and the REGEXP_REPLACE_STRING must change the value. For rows where the REGEXP_PATTERN fails to match, Data Redaction performs DBMS_ REDACT.FULL redaction. This mitigates the risk of a mistake in the REGEXP_PATTERN which causes the regular expression to fail to match all of the values in the column, from showing the actual data for those rows which it failed to match. In addition, if no change to the value occurs as a result of the REGEXP_REPLACE_STRING setting during regular expression replacement operation, Data Redaction performs DBMS_REDACT.FULL redaction. Syntax for Creating a Regular Expression-Based Redaction Policy The DBMS_REDACT.ADD_POLICY fields for creating a regular expression-based data redaction policy are as follows: DBMS_REDACT.ADD_POLICY ( object_schema object_name column_name policy_name function_type expression enable regexp_pattern regexp_replace_string regexp_position regexp_occurrence regexp_match_parameter IN IN IN IN IN IN IN IN IN IN IN IN VARCHAR2 := NULL, VARCHAR2, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := NULL, VARCHAR2, BOOLEAN := TRUE, VARCHAR2 := NULL, VARCHAR2 := NULL, BINARY_INTEGER := 1, BINARY_INTEGER := 0, VARCHAR2 := NULL); In this specification: ■ ■ object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3. function_type: Specifies the function used to set the type of redaction. Enter DBMS_REDACT.REGEXP. Note the following: – When you set the function_type parameter to DBMS_REDACT.REGEXP, omit the function_parameters parameter. – Specify the regular expressions—regexp_pattern, regexp_replace, regexp_ position, regexp_occurrence, and regexp_match_parameter—in much the same way that you specify the pattern, replace, position, occurrence, and match_parameter arguments to the REGEXP_REPLACE SQL function. See Oracle Database SQL Language Reference for information about the REGEXP_REPLACE SQL function. Configuring Oracle Data Redaction Policies 5-19 Creating a Regular Expression-Based Redaction Policy ■ ■ ■ ■ regexp_pattern: Describes the search pattern for data that must be matched. If it finds a match, then Oracle Database replaces the data as specified by the regexp_ replace_string setting. See the following sections for more information: – "Creating Regular Expression-Based Redaction Policies Using Shortcuts" on page 5-20 – "Creating Custom Regular Expression Redaction Policies" on page 5-23 regexp_replace_string: Specifies how you want to replace the data to be redacted. See the following sections for more information: – "Creating Regular Expression-Based Redaction Policies Using Shortcuts" on page 5-20 – "Creating Custom Regular Expression Redaction Policies" on page 5-23 regexp_position: Specifies the starting position for the string search. The value that you enter must be a positive integer indicating the character of the column_ name data where Oracle Database should begin the search. The default is 1 or the RE_BEGINNING shortcut, meaning that Oracle Database begins the search at the first character of the column_name data. regexp_occurrence: Specifies how to perform the search and replace operation. The value that you enter must be a nonnegative integer indicating the occurrence of the replace operation: – If you specify 0 or the RE_ALL shortcut, then Oracle Database replaces all of the occurrences of the match. – If you specify the RE_FIRST shortcut, then Oracle Database replaces the first occurrence of the match. – If you specify a positive integer n, then Oracle Database replaces the nth occurrence of the first match. If the occurrence is greater than 1, then the database searches for the second occurrence beginning with the first character following the first occurrence of pattern, and so forth. ■ regexp_match_parameter: Specifies a text literal that lets you change the default matching behavior of the function. The behavior of this parameter is the same for this function as for the REGEXP_REPLACE SQL function. See Oracle Database SQL Language Reference for detailed information. To filter the search so that it is not case sensitive, specify the RE_MATCH_CASE_ INSENSITIVE shortcut. Creating Regular Expression-Based Redaction Policies Using Shortcuts You can use shortcuts for both the regexp_pattern and regexp_replace_string parameters in the DBMS_REDACT.ADD_POLICY procedure. This section contains: ■ Regular Expression Shortcuts ■ Example of a Regular Expression Redaction Policy Using Shortcuts Regular Expression Shortcuts Table 5–3 describes the shortcuts that you can use with the regexp_pattern parameter in the DBMS_REDACT.ADD_POLICY procedure. 5-20 Oracle Database Advanced Security Administrator's Guide Creating a Regular Expression-Based Redaction Policy Table 5–3 Shortcuts for the regexp_pattern Parameter Shortcut Description DBMS_REDACT.RE_PATTERN_ANY_DIGIT Matches any digit. The DBMS_REDACT.RE_PATTERN_ ANY_DIGIT is commonly used with the following values of the regexp_replace_string parameter: regexp_replace_string => DBMS_REDACT.RE_ REDACT_WITH_SINGLE_X, This setting replaces any matched digit with the X character. The following setting replaces any matched digit with the 1 character. regexp_replace_string => DBMS_REDACT.RE_ REDACT_WITH_SINGLE_1, DBMS_REDACT.RE_PATTERN_CC_L6_T4 Searches for the middle digits of any credit card that has 6 leading digits and 4 trailing digits with the characters specified by the regexp_replace_string parameter. The appropriate regexp_replace_string setting to use with this shortcut is DBMS_REDACT.RE_REDACT_CC_ MIDDLE_DIGITS, which finds any credit card that could have 6 leading and 4 trailing digits left asactual data. It then redacts the middle digits. DBMS_REDACT.RE_PATTERN_US_PHONE Searches for any U.S. telephone number with the characters specified by the regexp_replace_string parameter. The appropriate regexp_replace_string setting to use with this shortcut is DBMS_REDACT.RE_REDACT_US_ PHONE_L7, which finds United States phone numbers and then redacts the last 7 digits. DBMS_REDACT.RE_PATTERN_EMAIL_ ADDRESS Searches for any email address with the characters specified by the regexp_replace_string parameter. The appropriate regexp_replace_string settings that you can use with this shortcut are as follows: RE_REDACT_EMAIL_NAME, which finds any email address and redacts the email user name RE_REDACT_EMAIL_DOMAIN, which finds any email address and redacts the email domain RE_REDACT_EMAIL_ENTIRE, which finds any email address and redacts the entire email address DBMS_REDACT.RE_PATTERN_IP_ADDRESS Searches for an IP address with the characters specified by the regexp_replace_string parameter. The appropriate regexp_replace_string setting to use with this shortcut is DBMS_REDACT.RE_REDACT_IP_ L3, which replaces the last section of the dotted decimal string representation of an IP address with the characters 999 to indicate that it was redacted. Table 5–4 describes shortcuts that you can use with the regexp_replace_string parameter in the DBMS_REDACT.ADD_POLICY procedure. Configuring Oracle Data Redaction Policies 5-21 Creating a Regular Expression-Based Redaction Policy Table 5–4 Shortcuts for the regexp_replace_string Parameter Shortcut Description DBMS_REDACT.RE_REDACT_WITH_SINGLE_X Replaces the data with a single X character for each of the actual data characters. For example, the credit card number 5105 1051 0510 5100 could be replaced with XXXX XXXX XXXX XXXX. DBMS_REDACT.RE_REDACT_WITH_SINGLE_1 Replaces the data with a single 1 digit for each of the actual data digits. For example, the credit card number 5105 1051 0510 5100 could be replaced with 1111 1111 1111 1111. DBMS_REDACT.RE_REDACT_CC_MIDDLE_ DIGITS Redacts the middle digits in credit card numbers, as specified by setting the regexp_pattern parameter with the RE_PATTERN_CC_L6_T4 shortcut. The redaction replaces each redacted character with an X. For example, the credit card number 5105 1051 0510 5100 could be replaced with 5105 10XX XXXX 5100. DBMS_REDACT.RE_REDACT_PHONE_L7 Redacts the last 7 digits of U.S. telephone numbers, as specified by setting the regexp_pattern parameter with the RE_PATTERN_US_PHONE shortcut. The redaction replaces each redacted character with an X. This setting only applies to hyphenated phone numbers, not phone numbers with spaces. For example, the telephone number 415-555-0100 could be replaced with 415-XXX-XXXX. DBMS_REDACT.RE_REDACT_EMAIL_NAME Redacts the email name as specified by setting the regexp_pattern parameter with the RE_PATTERN_ EMAIL_ADDRESS shortcut. The redaction replaces the email user name with four x characters. For example, the email address psmith@example.com could be replaced with xxxx@example.com. DBMS_REDACT.RE_REDACT_EMAIL_DOMAIN Redacts the email domain name as specified by setting the regexp_pattern parameter with the RE_ PATTERN_EMAIL_ADDRESS shortcut. The redaction replaces the domain with five x characters. For example, the email address psmith@example.com could be replaced with psmith@xxxxx.com. DBMS_REDACT.RE_REDACT_IP_L3 Redacts the last three digits of the IP address as specified by setting the regexp_pattern parameter with the RE_PATTERN_IP_ADDRESS shortcut. For example, the IP address 192.0.2.254 could be replaced with 192.0.2.999, which is an invalid IP address. Example of a Regular Expression Redaction Policy Using Shortcuts Example 5–11 shows how to use regular expression shortcuts to redact credit card numbers. Example 5–11 Regular Expression Data Redaction Character Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema object_name column_name policy_name function_type function_parameters => => => => => => 'mavis', 'cust_info', 'cc_num', 'redact_cust_cc_nums', DBMS_REDACT.REGEXP, NULL, 5-22 Oracle Database Advanced Security Administrator's Guide Creating a Regular Expression-Based Redaction Policy expression regexp_pattern regexp_replace_string regexp_position regexp_occurrence regexp_match_parameter policy_description column_description END; / => => => => => => => => '1=1', DBMS_REDACT.RE_PATTERN_CC_L6_T4, DBMS_REDACT.RE_REDACT_CC_MIDDLE_DIGITS, DBMS_REDACT.RE_BEGINNING, DBMS_REDACT.RE_FIRST, DBMS_REDACT.RE_MATCH_CASE_INSENSITIVE, 'Regular expressions to redact credit card numbers', 'cc_num contains customer credit card numbers'); Query and redacted result: SELECT cc_num FROM mavis.cust_info; CC_NUM ------401288XXXXXX1881 411111XXXXXX1111 555555XXXXXX1111 511111XXXXXX1118 Creating Custom Regular Expression Redaction Policies You can customize regular expressions in Data Redaction policies. This section contains: ■ Settings for Custom Regular Expressions ■ Example of a Custom Regular Expression Redaction Policy Settings for Custom Regular Expressions To create custom regular expression redaction policies, you use the following parameters in the DBMS_REDACT.ADD_POLICY procedure: ■ ■ regexp_pattern: This pattern is usually a text literal and can be of any of the data types CHAR, VARCHAR2, NCHAR, or NVARCHAR2. The pattern can contain up to 512 bytes. For further information about writing the regular expression for the regexp_ pattern parameter, see the description of the pattern argument of the REGEXP_ REPLACE SQL function in Oracle Database SQL Language Reference, because the support that Data Redaction provides for regular expression matching is similar to that of the REGEXP_REPLACE SQL function. regexp_replace_string: This data can be of any of the data types CHAR, VARCHAR2, NCHAR, or NVARCHAR2. The regexp_replace_string can contain up to 500 back references to subexpressions in the form \n, where n is a number from 1 to 9. If you want to include a backslash (\) in the regexp_replace_string setting, then you must precede it with the escape character, which is also a backslash. For example, to literally replace the matched pattern with \2 (rather than replace it with the second matched subexpression of the matched pattern), you enter \\2 in the regexp_replace_string setting. For more information, see Oracle Database SQL Language Reference. "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about other DBMS_REDACT.ADD_ POLICY parameters See Also: Configuring Oracle Data Redaction Policies 5-23 Creating a Random Redaction Policy Example of a Custom Regular Expression Redaction Policy Example 5–12 shows how to use regular expressions to redact the emp_id column data. In this example, taken together, the regexp_pattern and regexp_replace_string parameters do the following: first, find the pattern of 9 digits. For reference, break them into three groups that contain the first 3, the next 2, and then the last 4 digits. Then, replace all 9 digits with XXXXX concatenated with the third group (the last 4 digits) as found in the original pattern. Example 5–12 Partially Redacted Data Redaction Using Regular Expressions BEGIN DBMS_REDACT.ADD_POLICY( object_schema object_name column_name policy_name function_type expression regexp_pattern regexp_replace_string regexp_position regexp_occurrence regexp_match_parameter policy_description column_description END; / => => => => => => => => => => => => => 'mavis', 'cust_info', 'emp_id', 'redact_cust_ids', DBMS_REDACT.REGEXP, '1=1', '(\d\d\d)(\d\d)(\d\d\d\d)', 'XXXXX\3', 1, 0, 'i', 'Redacts customer IDs using regular expression', 'emp_id contains employee ID numbers'); Query and redacted result: SELECT emp_id FROM mavis.cust_info; EMP_ID -----------XXXXX1234 XXXXX5678 Creating a Random Redaction Policy This section contains: ■ About Creating Random Redaction Policies ■ Syntax for Creating a Random Redaction Policy ■ Example of a Random Redaction Policy About Creating Random Redaction Policies A random redaction policy presents the redacted data to the querying application user as randomly generated values each time it is displayed, depending on the data type of the column. Be aware that LOB columns are not supported. Syntax for Creating a Random Redaction Policy The DBMS_REDACT.ADD_POLICY fields for creating a random redaction policy are as follows: DBMS_REDACT.ADD_POLICY ( object_schema IN VARCHAR2 := NULL, 5-24 Oracle Database Advanced Security Administrator's Guide Creating a Policy That Uses No Redaction object_name column_name policy_name function_type expression enable IN IN IN IN IN IN VARCHAR2, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := NULL, VARCHAR2, BOOLEAN := TRUE); In this specification: ■ ■ object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3. function_type: Specifies the function used to set the type of redaction. Enter DBMS_REDACT.RANDOM. If you omit the function_type parameter, then the default redaction function_ type setting is DBMS_REDACT.FULL. Remember that the data type of the column determines which function_type settings that you are permitted to use. See "Comparison of Full, Partial, and Random Redaction Based on Data Types" on page 4-4. Example of a Random Redaction Policy Example 5–13 shows how to generate random values. Each time you run the SELECT statement, the output will be different. Example 5–13 Randomly Redacted Data Redaction Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'mavis', object_name => 'cust_info', column_name => 'login_username', policy_name => 'redact_cust_rand_username', function_type => DBMS_REDACT.RANDOM, expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APP_USER'''); END; / Query and redacted result: SELECT login_username FROM mavis.cust_info; LOGIN_USERNAME ---------N[CG{\pTVcK Creating a Policy That Uses No Redaction This section contains: ■ About Creating Policies That Use No Redaction ■ Syntax for Creating a Policy with No Redaction ■ Example of Performing No Redaction About Creating Policies That Use No Redaction The None redaction type option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies Configuring Oracle Data Redaction Policies 5-25 Exempting Users from Oracle Data Redaction Policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment. Be aware that LOB columns are not supported. Syntax for Creating a Policy with No Redaction The DBMS_REDACT.ADD_POLICY fields for creating a policy with no redaction are as follows: DBMS_REDACT.ADD_POLICY ( object_schema object_name column_name policy_name function_type expression enable IN IN IN IN IN IN IN VARCHAR2 := NULL, VARCHAR2, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := NULL, VARCHAR2, BOOLEAN := TRUE); In this specification: ■ ■ object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3. function_type: Specifies the functions used to set the type of data redaction. Enter DBMS_REDACT.NONE. If you omit the function_type parameter, then the default redaction function_ type setting is DBMS_REDACT.FULL. Example of Performing No Redaction Example 5–14 shows how to create a Data Redaction policy that does not redact any of the displayed values. Example 5–14 No Redacted Data Redaction Values BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'mavis', object_name => 'cust_info', column_name => 'user_name', policy_name => 'redact_cust_no_vals', function_type => DBMS_REDACT.NONE, expression => '1=1'); END; / Query and redacted result: SELECT user_name FROM mavis.cust_info; USER_NAME ---------IDA NEAU Exempting Users from Oracle Data Redaction Policies You can exempt users from having Oracle Data Redaction policies applied to the data they access. To do so, grant the users the EXEMPT REDACTION POLICY system privilege. Grant this privilege to trusted users only. 5-26 Oracle Database Advanced Security Administrator's Guide Altering an Oracle Data Redaction Policy In addition to users who were granted this privilege, user SYS is also exempt from all Data Redaction policies. The person who creates the Data Redaction policy is by default not exempt from it, unless this person is user SYS or has the EXEMPT REDACTION POLICY system privilege. Note the following: ■ ■ ■ Users who have the INSERT privilege on a table can insert values into a redacted column, regardless of whether a Data Redaction policy exists on the table. Data Redaction only affects SQL SELECT statements (that is, queries) issued by a user, and has no effect on any other SQL issued by a user, including INSERT, UPDATE, or DELETE statements. (See the next bullet for exceptions to this rule.) Users cannot perform a CREATE TABLE AS SELECT where any of the columns being selected (source columns) is protected by a Data Redaction policy (and similarly, any DML operation where the source is a redacted column), unless the user was granted the EXEMPT REDACTION POLICY system privilege. The EXEMPT REDACTION POLICY system privilege is included in the DBA role, but this privilege must be granted explicitly to users because it is not included in the WITH ADMIN OPTION for DBA role grants. Users who were granted the DBA role are exempt from redaction policies because the DBA role contains the EXP_FULL_ DATABASE role, which is granted the EXEMPT REDACTION POLICY system privilege. "Restricting Administrative Access to Oracle Data Redaction Policies" on page 7-2 See Also: Altering an Oracle Data Redaction Policy You can use the DBMS_REDACT.ALTER_POLICY procedure to modify Oracle Data Redaction policies. In addition to changing current settings, this procedure enables you to add columns to a policy, if you want to redact more than one column in a database table. This section contains the following topics: ■ About Altering an Oracle Data Redaction Policy ■ Syntax for the DBMS_REDACT.ALTER_POLICY Procedure ■ Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions ■ Example of Altering an Oracle Data Redaction Policy About Altering an Oracle Data Redaction Policy To alter a Data Redaction policy, use the DBMS_REDACT.ALTER_POLICY procedure. If the policy is already enabled, then you do not need to disable it first, and after you alter the policy, it remains enabled. You can find the names of existing Data Redaction policies by querying the POLICY_ NAME column of the REDACTION_POLICIES data dictionary view, and information about the columns, functions, and parameters specified in a policy by querying the REDACTION_COLUMNS view. To find the current value for policies that use full data redaction, you can query the REDACTION_VALUES_FOR_TYPE_FULL data dictionary view. The action parameter specifies the type of modification that you want to perform. At a minimum, you must include the object_name and policy_name parameters when you run this procedure. Configuring Oracle Data Redaction Policies 5-27 Altering an Oracle Data Redaction Policy Syntax for the DBMS_REDACT.ALTER_POLICY Procedure The syntax for the DBMS_REDACT.ALTER_POLICY procedure is as follows: DBMS_REDACT.ALTER_POLICY ( object_schema IN object_name IN policy_name IN action IN column_name IN function_type IN function_parameters IN expression IN regexp_pattern IN regexp_replace_string IN regexp_position IN regexp_occurrence IN regexp_match_parameter IN policy_description IN column_description IN VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2, BINARY_INTEGER := DBMS_REDACT.ADD_COLUMN, VARCHAR2 := NULL, BINARY_INTEGER := DBMS_REDACT.FULL, VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2 := NULL, BINARY_INTEGER := NULL, BINARY_INTEGER := NULL, VARCHAR2 := NULL, VARCHAR2 := NULL, VARCHAR2 := NULL); In this specification: ■ action: Enter one of the following values to define the kind of action to use: – DBMS_REDACT.MODIFY_COLUMN if you plan to change the column_name value. – DBMS_REDACT.ADD_COLUMN if you plan to add a new column (in addition to columns that are already protected by the policy) for redaction. This setting is the default for the action parameter. – DBMS_REDACT.DROP_COLUMN if you want to remove redaction from a column. – DBMS_REDACT.MODIFY_EXPRESSION if you plan to change the expression value. Each policy can have only one policy expression. In other words, when you modify the policy expression, you are replacing the existing policy expression with a new policy expression. – DBMS_REDACT.SET_POLICY_DESCRIPTION if you want to change the description of the policy. – DBMS_REDACT.SET_COLUMN_DESCRIPTION if you want to change the description of the column. See Also: ■ ■ "Parameters Required for Various DBMS_REDACT.ALTER_ POLICY Actions" on page 5-28 "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3 for information about the remaining parameters Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions Table 5–5 shows the combinations of parameters that you must use to perform various DBMS_REDACT.ALTER_POLICY actions. 5-28 Oracle Database Advanced Security Administrator's Guide Altering an Oracle Data Redaction Policy Table 5–5 Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions Desired Alteration Parameters to Set Add or modify a column ■ action (DBMS_REDACT.MODIFY_COLUMN) ■ column_name ■ function_type ■ function_parameters (if necessary) ■ regexp* (if necessary) ■ action (DBMS_REDACT.MODIFY_EXPRESSION) ■ expression ■ action (DBMS_REDACT.SET_POLICY_DESCRIPTION) ■ policy_description ■ action (DBMS_REDACT.SET_COLUMN_DESCRIPTION) ■ column_description ■ action (DBMS_REDACT.DROP_COLUMN) ■ column_name Change the policy expression Change the description of the policy Change the description of the column Drop a column Example of Altering an Oracle Data Redaction Policy The exercise in this section shows how to modify a Data Redaction policy so that multiple columns are redacted. It also shows how to change the expression setting for the policy. To accomplish this, you must run the DBMS_REDACT.ALTER_POLICY procedure in stages. 1. Create the policy. BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'hr', object_name => 'employees', column_name => 'email', policy_name => 'hr_employees_pol', function_type => DBMS_REDACT.FULL, expression => '1=1'); END; / At this point, when application users (including HR) query the email column, the email addresses are redacted to show a single space. CONNECT HR Enter password: password SELECT EMAIL FROM HR.EMPLOYEES; EMAIL ------ 2. Alter this policy to redact the hire_date column to show 01-JAN-70. BEGIN DBMS_REDACT.ALTER_POLICY( object_schema => 'hr', object_name => 'employees', policy_name => 'hr_employees_pol', Configuring Oracle Data Redaction Policies 5-29 Redacting Multiple Columns action column_name function_type function_parameters END; / => => => => DBMS_REDACT.ADD_COLUMN, 'hire_date', DBMS_REDACT.PARTIAL, DBMS_REDACT.REDACT_DATE_EPOCH); To redact the hire_date column, you must change the function_type parameter to use partial redaction, and you must include the function_parameters parameter to specify the DBMS_REDACT.REDACT_DATE_EPOCH shortcut. The expression parameter is omitted because for this particular alteration, it does not need to change. The email column is still redacted, so a query shows the following: SELECT EMAIL, HIRE_DATE FROM HR.EMPLOYEES; EMAIL ------ 3. HIRE_DATE ---------01-JAN-70 Change the expression parameter so that user HR is the only user who can see the actual data for the EMAIL and HIRE_DATE columns. BEGIN DBMS_REDACT.ALTER_POLICY( object_schema => 'hr', object_name => 'employees', policy_name => 'hr_employees_pol', action => DBMS_REDACT.MODIFY_EXPRESSION, expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR'''); END; / To change the expression setting, you set the action parameter to DBMS_ REDACT.MODIFY_EXPRESSION, and then enter the new expression in the expression parameter. At this stage, when user HR queries the EMAIL and HIRE_DATE columns, he or she can see the actual data. SELECT EMAIL, HIRE_DATE FROM HR.EMPLOYEES; EMAIL -----SKING ... 4. HIRE_DATE ---------17-JUN-03 To drop the policy, enter the following procedure. BEGIN DBMS_REDACT.DROP_POLICY ( object_schema => 'hr', object_name => 'employees', policy_name => 'hr_employees_pol'); END; / Redacting Multiple Columns You can redact more than one column in a Data Redaction policy. To do so, create the policy for the first column that you want to redact. Afterward, use the DBMS_ REDACT.ALTER_POLICY procedure to add the next column. As necessary, set the action, 5-30 Oracle Database Advanced Security Administrator's Guide Disabling and Enabling an Oracle Data Redaction Policy column_name, function_type, and function_parameters (or the parameters that begin with regexp_) parameters to define the redaction for the new column, but do not change the object_schema, object_name, policy_name, or expression parameters. Each redacted column continues to have the same redaction parameters that were used to create it. Example 5–15 shows how to add a column to an existing Data Redaction policy. In this example, the action parameter specifies that a new column must be added, using DBMS_REDACT.ADD_COLUMN. The name of the new column, card_num, is set by the column_name parameter. Example 5–15 Adding a Column to a Data Redaction Policy BEGIN DBMS_REDACT.ALTER_POLICY( object_schema => 'mavis', object_name => 'cust_info', policy_name => 'redact_cust_user_ids', action => DBMS_REDACT.ADD_COLUMN, column_name => 'card_num', function_type => DBMS_REDACT.FULL, function_parameters => '', expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''ADM'') = ''TRUE'''); END; / Disabling and Enabling an Oracle Data Redaction Policy After you create a Data Redaction policy, you can disable it and then reenable it as necessary. This section contains: ■ Disabling an Oracle Data Redaction Policy ■ Enabling an Oracle Data Redaction Policy Disabling an Oracle Data Redaction Policy To disable a Data Redaction policy, use the DBMS_REDACT.DISABLE_POLICY procedure. You can find the names of existing Data Redaction policies and whether they are enabled by querying the POLICY_NAME and ENABLE columns of the REDACTION_POLICIES view. However, as long as the policy still exists, you cannot create another policy for that table or view, even if the original policy is disabled. In other words, if you want to create a different policy on the same table column, then you must drop the first policy before you can create and use the new policy. The syntax is as follows: DBMS_REDACT.DISABLE_POLICY ( object_schema IN VARCHAR2 DEFAULT NULL, object_name IN VARCHAR2, policy_name IN VARCHAR2); In this specification: ■ object_schema: Specifies the schema of the object on which the Data Redaction policy will be applied. If you omit this setting (or enter NULL), then Oracle Database uses the name of the current schema. Configuring Oracle Data Redaction Policies 5-31 Dropping an Oracle Data Redaction Policy ■ ■ object_name: Specifies the name of the table or view to be used for the Data Redaction policy. policy_name: Specifies the name of the policy to be disabled. Example 5–16 shows how to disable a Data Redaction policy. Example 5–16 Disabling a Data Redaction Policy BEGIN DBMS_REDACT.DISABLE_POLICY ( object_schema => 'mavis', object_name => 'cust_info', policy_name => 'redact_cust_user_ids'); END; / Enabling an Oracle Data Redaction Policy To enable a Data Redaction policy, use the DBMS_REDACT.ENABLE_POLICY procedure. Remember that immediately after you create a new policy, you do not need to enable it; the creation process handles that for you. To find the names of existing Data Redaction policies and whether they are enabled, query the POLICY_NAME and ENABLE columns of the REDACTION_POLICIES view. After you run the procedure, the enablement takes effect immediately. The syntax is as follows: DBMS_REDACT.ENABLE_POLICY object_schema IN object_name IN policy_name IN ( VARCHAR2 DEFAULT NULL, VARCHAR2, VARCHAR2); In this specification: ■ ■ ■ object_schema: Specifies the schema of the object on which the Data Redaction policy will be applied. If you omit this setting (or enter NULL), then Oracle Database uses the name of the current schema. object_name: Specifies the name of the table or view to be used for the Data Redaction policy. policy_name: Specifies the name of the policy to be enabled. Example 5–17 shows how to enable a Data Redaction policy. Example 5–17 Enabling a Data Redaction Policy BEGIN DBMS_REDACT.ENABLE_POLICY ( object_schema => 'mavis', object_name => 'cust_info', policy_name => 'redact_cust_user_ids'); END; / Dropping an Oracle Data Redaction Policy To drop a Data Redaction policy, use the DBMS_REDACT.DROP_POLICY procedure. To find the names of existing Data Redaction policies, query the POLICY_NAME column of the 5-32 Oracle Database Advanced Security Administrator's Guide Example: How Oracle Data Redaction Affects Tables and Views REDACTION_POLICIES view. The policy can be either enabled or disabled when you drop it. After you run the procedure, the drop takes effect immediately. When you drop a table or view that is associated with an Oracle Data Redaction policy, the policy is automatically dropped. As a best practice, drop the policy first, and then drop the table or view afterward. See "Dropping Policies When the Recycle Bin Is Enabled" on page 7-3 for more information. The syntax for dropping a Data Redaction policy is as follows: DBMS_REDACT.DROP_POLICY ( object_schema IN VARCHAR2 DEFAULT NULL, object_name IN VARCHAR2, policy_name IN VARCHAR2); In this specification: ■ ■ ■ object_schema: Specifies the schema of the object to which the Data Redaction policy applies. If you omit this setting (or enter NULL), then Oracle Database uses the name of the current schema. object_name: Specifies the name of the table or view to be used for the Data Redaction policy. policy_name: Specifies the name of the policy to be dropped. Example 5–18 shows how to drop a Data Redaction policy. Example 5–18 Dropping a Data Redaction Policy BEGIN DBMS_REDACT.DROP_POLICY ( object_schema => 'mavis', object_name => 'cust_info', policy_name => 'redact_cust_user_ids'); END; / Example: How Oracle Data Redaction Affects Tables and Views Oracle Data Redaction policies apply to their target table or view and to any views that are created on this target, including materialized views. (See "Creating Policies on Materialized Views" on page 7-3 for restrictions on creating Data Redaction policies on materialized views.) If you create a view chain (that is, a view based on another view), then the Data Redaction policy also applies throughout this view chain. The policies remain in effect all of the way up through this view chain, but if another policy is created for one of these views, then for the columns affected in the subsequent views, this new policy takes precedence. To understand how this concept works, try the following example: 1. Create and populate the following table: CREATE TABLE TABLE1 (TC1 VARCHAR2(20), TN1 NUMBER(10)); INSERT INTO TABLE1 VALUES ('5111-1111-1111-1118', 987654329); 2. Create the following views, which will constitute the view chain for table table1: CREATE VIEW view1 (vc1, vn1) AS SELECT tc1, tn1 FROM table1; CREATE VIEW view2 (vc2, vn2) AS SELECT vc1, vn1 FROM view1; CREATE VIEW view3 (vc3, vn3) AS SELECT vc2, vn2 FROM view2; Configuring Oracle Data Redaction Policies 5-33 Example: How Oracle Data Redaction Affects Tables and Views 3. Create the following policy on the table1 table, which changes the display of the tc1 column to random values. BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'NULL', object_name => 'table1', column_name => 'tc1', policy_name => 't1pol', function_type => DBMS_REDACT.RANDOM, expression => '1=1'); END; / 4. Query table1.tc1, view1.vc1, view2.vc2, and view3.vc3, and you will see that they all produce random output, based on the t1pol Data Redaction policy. For example: SELECT vc3 FROM view3; VC3 ----------------------M,v]3(z+U4~e;0#3]<' 5. Create the following policy on view2, which changes the output of column vc2 to display no output at all (that is, a blank space). BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'NULL', object_name => 'view2', column_name => 'vc2', policy_name => 'v2pol', function_type => DBMS_REDACT.FULL, expression => '1=1'); END; / 6. Query views view2 and view3. SELECT vc2 FROM view2; SELECT vc3 FROM view3; Both queries produce the same output (a blank space), which illustrates how for these views, policy v2pol overrides the base table policy, t1pol. 7. Query table table1 and view view1. SELECT tc1 FROM table1; SELECT vc1 FROM view1; Because table1 and view1 are lower in the chain, they are not affected by policy v2pol1. The output for both remains as random values. 8. Create the following policy on view1, which redacts the first 5 digits of the numeric values in column vn1 to 9. BEGIN DBMS_REDACT.ADD_POLICY( object_schema => 'NULL', object_name => 'view1', 5-34 Oracle Database Advanced Security Administrator's Guide Example: How Oracle Data Redaction Affects Tables and Views column_name policy_name function_type function_parameters expression END; / 9. => => => => => 'vn1', 'v1pol', DBMS_REDACT.PARTIAL, '9,1,5', '1=1'); Query view view1: SELECT vc1, vn1 FROM view1; VC1 VN1 ------------------------------------- ---------------:'F6`BhJDlJ7V 999994329 Here, view view1 is using two policies. Policy t1pol (on table table1) continues to redact column vc1, and policy v1pol (on view view1) redacts column vn1. 10. Query view view2: SELECT vc2, vn2 FROM view2; VC2 VN2 ------------------------------------- ---------------999994329 View view2 also uses two policies: the blank space for its column vc2 is generated by policy v2pol, and the partial numeric redaction for vn2 comes from policy v1pol for view view1. 11. Query view view3: SELECT vc3, vn3 FROM view3; VC3 VN3 ------------------------------------- ---------------999994329 Because view view3 has no direct policies, it uses the policy settings from both view1 and view2. Hence, the output is the same as the output for view2. 12. Disable the policy. If you disable a policy, then the output for all of the views along the view chain that are affected by the policy is also changed. For example, disable the policy t1pol, which was created for table table1: EXEC DBMS_REDACT.DISABLE_POLICY (NULL, 'TABLE1', 'T1POL'); Now query view1 again: SELECT vc1, vn1 FROM view1; VC1 VN1 ------------------------------------- ---------------5111-1111-1111-1118 999994329 Column vc1 shows the values from the base table table1. Column vn1 still shows the redacted values from policy v2pol. 13. To remove the components of this exercise: Configuring Oracle Data Redaction Policies 5-35 Example: Using SQL Expressions to Build Reports with Redacted Values EXEC EXEC EXEC DROP DROP DROP DROP DBMS_REDACT.DROP_POLICY (NULL, 'table1', 't1pol'); DBMS_REDACT.DROP_POLICY (NULL, 'view1', 'v1pol'); DBMS_REDACT.DROP_POLICY (NULL, 'view2', 'v2pol'); TABLE table1; VIEW view1; VIEW view2; VIEW view3; Figure 5–1 shows how these policies affect the chain of views described in the previous example. Figure 5–1 How Oracle Data Redaction Policies Work in a Chain of Views "Dropping Policies When the Recycle Bin Is Enabled" on page 7-3 for information about how Oracle Data Redaction policies are affected when you drop their associated tables or views when the recycle bin is enabled See Also: Example: Using SQL Expressions to Build Reports with Redacted Values You can use SQL expressions to build reports that are based on columns that have Oracle Data Redaction policies defined on them. The values used in the SQL expression will be redacted. This redaction occurs in such a way that the redaction takes place before the SQL expression is evaluated: the result value that is displayed in the report is the end result of the evaluated SQL expression over the redacted values, rather than the redacted result of the SQL expression as a whole. For example, suppose you create the following Data Redaction policy for the HR.EMPLOYEES table, which will replace the first 4 digits of the value from the SALARY column with the number 9 and the first digit of the value from the COMMISSION_PCT column with a 9. BEGIN DBMS_REDACT.ADD_POLICY( object_schema object_name column_name column_description policy_name policy_description function_type => => => => => => => 'HR', 'EMPLOYEES', 'SALARY', 'emp_sal_comm shows employee salary and commission', 'redact_emp_sal_comm', 'Partially redacts the emp_sal_comm column', DBMS_REDACT.PARTIAL, 5-36 Oracle Database Advanced Security Administrator's Guide Finding Information About Oracle Data Redaction Policies function_parameters => expression => END; / BEGIN DBMS_REDACT.ALTER_POLICY( object_schema => object_name => policy_name => action => column_name => function_type => function_parameters => expression => END; / '9,1,4', '1=1'); 'HR', 'EMPLOYEES', 'redact_emp_sal_comm', DBMS_REDACT.ADD_COLUMN, 'COMMISSION_PCT', DBMS_REDACT.PARTIAL, '9,1,1', '1=1'); Log in to the HR schema and then run the following report, which uses the SQL expression (SALARY + COMMISSION_PCT) to combine the employees’ salaries and commissions: SELECT (SALARY + COMMISSION_PCT) total_emp_compensation FROM EMPLOYEES WHERE DEPARTMENT_ID = 80; TOTAL_EMP_COMPENSATION ---------------------9999.9 9999.95 99990.95 ... You can use a variety of SQL expressions for the report, including concatenation. For example: SELECT 'Employee ID ' || EMPLOYEE_ID || ' has a salary of ' || SALARY || ' and a commission of ' || COMMISSION_PCT || '.' detailed_emp_compensation FROM EMPLOYEES WHERE DEPARTMENT_ID = 80 ORDER BY EMPLOYEE_ID; DETAILED_EMP_COMPENSATION ------------------------------------------------------------Employee ID 150 has a salary of 99990 and a commission of .9. Employee ID 151 has a salary of 9999 and a commission of .95. Employee ID 152 has a salary of 9999 and a commission of .95. ... Finding Information About Oracle Data Redaction Policies Table 5–6 lists data dictionary views that provide information about Data Redaction policies. Before you can query these views, you must be granted the SELECT_CATALOG_ ROLE role. Configuring Oracle Data Redaction Policies 5-37 Finding Information About Oracle Data Redaction Policies Table 5–6 Data Redaction Views View Description REDACTION_COLUMNS Describes all of the redacted columns in the database, giving the owner of the table or view within which the column resides, the object name, the column name, the type of redaction function, the parameters to the redaction function (if any), and a description of the redaction policy REDACTION_POLICIES Describes all of the data redaction policies in the database. It includes information about the object owner, object name, policy name, policy expression, whether the policy is enabled, and a description of the Data Redaction policy. REDACTION_VALUES_FOR_TYPE_FULL Shows the current redaction values for Data Redaction policies that use full redaction 5-38 Oracle Database Advanced Security Administrator's Guide 6 Oracle Data Redaction Use with Oracle Database Features 6 You can use Oracle Data Redaction with other Oracle products, such as Oracle Virtual Private Database or Oracle Enterprise Manager Data Masking and Subsetting Pack. This chapter contains the following topics: ■ ■ Oracle Data Redaction and DML and DDL Operations Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause ■ Oracle Data Redaction and Aggregate Functions ■ Oracle Data Redaction and Object Types ■ Oracle Data Redaction and Editions ■ Oracle Data Redaction and Oracle Virtual Private Database ■ Oracle Data Redaction and Oracle Database Vault ■ Oracle Data Redaction and the EXPDP Utility access_method Parameter ■ Oracle Data Redaction and Data Masking and Subsetting Pack Oracle Data Redaction and DML and DDL Operations Although you will use Oracle Data Redaction primarily for redacting the displayed results of application queries, you should understand of how it affects DML and DDL operations, especially if you have users who issue ad-hoc SQL against tables with redacted columns. Note the following: ■ ■ Oracle Data Redaction treats the RETURNING INTO clause of a DML statement as a query, even though the result is not displayed. The result that is sent to the buffer is what would have been displayed had the RETURNING INTO clause been run as an ordinary SQL query, rather than as part of a DML statement. If your application performs further processing on the buffer that contains the RETURNING INTO value, then consider changing the application because it may not expect to find a redacted value in the buffer. If a redacted column appears as the source in a DML or DDL operation, then Oracle Data Redaction considers this as an attempt to circumvent the policy and prevents it with an ORA-28081: Insufficient privileges - the command references a redacted object error unless you have the EXEMPT REDACTION POLICY system privilege. Internally, Oracle Data Pump issues these kinds of Oracle Data Redaction Use with Oracle Database Features 6-1 Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause operations, so you may also need to grant the EXEMPT REDACTION POLICY system privilege to a user if they need to perform schema-level exports of tables that have redacted columns. Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause Oracle Data Redaction policies work as follows: ■ ■ ■ Nested functions are redacted innermost. For example, in SELECT SUM(AVG(TO_ NUMBER(((X))) FROM HR.EMPLOYEES WHERE ..., the TO_NUMBER function is redacted first, followed by AVG, and then last the SUM function. Inline views are redacted outermost. For example, in SELECT XYZ … AS SELECT A… AS SELECT B… AS SELECT C…, SELECT XYZ is redacted first, followed by AS SELECT A, then AS SELECT B, and so on. AS SELECT C is redacted last. The WHERE clause is never redacted. Data Redaction redacts only data in the column SELECT list. Oracle Data Redaction and Aggregate Functions Because Oracle Data Redaction dynamically modifies the value of each row in a column, certain SQL queries that use aggregate functions cannot take full advantage of database optimizations that presume the row values to be static. In the case of SQL queries that call aggregate functions, it may be possible to notice performance overhead due to redaction. Oracle Data Redaction and Object Types You cannot redact object types. This is because Database Redaction cannot handle all of the possible ways that you can configure object types. Oracle Data Redaction and Editions You cannot redact editioned views. You also cannot use a redacted column in the definition of any editioned view. Oracle Data Redaction and Oracle Virtual Private Database Oracle Virtual Private Database policies are unaffected by Oracle Data Redaction because the Virtual Private Database inline view, which contains the Virtual Private Database predicate, acts on actual values. Oracle Data Redaction differs from Oracle Virtual Private Database in the following ways: ■ ■ ■ Oracle Data Redaction provides more redacting features than Oracle Virtual Private Database, which only supports NULL redacting. Many applications cannot use NULL redacting, so Data Redaction is a good solution for these applications. Oracle Virtual Private Database policies can be static, dynamic, and context sensitive, whereas Data Redaction policies only allow static and context-sensitive policy expressions. Data Redaction permits only one policy to be defined on a table or view, whereas you can define multiple Virtual Private Database policies on an object. 6-2 Oracle Database Advanced Security Administrator's Guide Oracle Data Redaction and Data Masking and Subsetting Pack ■ Data Redaction is when application users try to access an object that is protected by a Data Redaction policy using a synonym, but (unlike Oracle Virtual Private Database) Data Redaction does not support the creation of policies directly on the synonyms themselves. Oracle Data Redaction and Oracle Database Vault You can use Oracle Data Redaction in an Oracle Database Vault environment. For example, if there is an Oracle Database Vault realm around an object, a user who does not belong to the authorized list of realm owners or participants cannot see the object data, regardless of whether the user was granted the EXEMPT REDACTION POLICY privilege. If the user attempts a DML or DDL statement on the data, error messages result. Oracle Data Redaction and the EXPDP Utility access_method Parameter If you are using Oracle Data Pump to perform full database export operations using the new Data Pump default settings (direct_path), and if you receive error messages that you do not understand, then use this section to repeat the operation in such a way as to better understand the error. If you try to use the Oracle Data Pump Export (EXPDP) utility with the access_method parameter set to direct_path to export data from a schema that contains an object that has a Data Redaction policy defined on it, then the following error message may appear and the export operation fails: ORA-31696: unable to export/import TABLE_DATA:"schema.table" using client specified DIRECT_PATH method This problem only occurs when you perform a schema-level export as a user who was not granted the EXP_FULL_DATABASE role. It does not occur during a full database export, which requires the EXP_FULL_DATABASE role. The EXP_FULL_DATABASE role includes the EXEMPT REDACTION POLICY system privilege, which bypasses Data Redaction policies. To find the underlying problem, try the EXPDP invocation again, but do not set the access_method parameter to direct_path. Instead, use either automatic or external_ table. The underlying problem could be a permissions problem, for example: ORA-28081: Insufficient privileges - the command references a redacted object. Oracle Database Utilities for more information about using Data Pump Export. See Also: Oracle Data Redaction and Data Masking and Subsetting Pack Oracle Enterprise Manager Data Masking and Subsetting Pack enables you to create a development or test copy of the production database, by taking the data in the production database, masking this data in bulk, and then putting the resulting masked data in the development or test copy. You can still apply Data Redaction policies to the non-production database, in order to redact columns that contain data that was already masked by Oracle Enterprise Manager Data Masking and Subsetting Pack. Remember that Oracle Enterprise Manager Data Masking and Subsetting Pack is used to mask data sets when you want to move the data to development and test environments. Data Redaction is mainly designed for redacting at runtime for Oracle Data Redaction Use with Oracle Database Features 6-3 Oracle Data Redaction and Data Masking and Subsetting Pack production applications in a consistent fashion across multiple applications, without having to make application code changes. See Also: Oracle Database Real Application Testing User's Guide for more information about data masking 6-4 Oracle Database Advanced Security Administrator's Guide 7 Security Guidelines for Oracle Data Redaction 7 This chapter provides a set of security guidelines for using Oracle Data Redaction. This chapter contains the following topics: ■ General Usage Guidelines ■ Restricting Administrative Access to Oracle Data Redaction Policies ■ How Oracle Data Redaction Affects the SYS, SYSTEM and Default Schemas ■ Writing Policy Expressions That Depend on SYS_CONTEXT Attributes ■ Creating Policies on Materialized Views ■ Dropping Policies When the Recycle Bin Is Enabled General Usage Guidelines ■ ■ ■ ■ ■ ■ ■ Oracle Data Redaction is not intended to protect against attacks by privileged database users who run ad hoc queries directly against the database. Oracle Data Redaction is not intended to protect against users who run exhaustive SQL queries that attempt to determine the actual values by inference. Oracle Data Redaction relies on the database and application context values. For applications, it is the responsibility of the application to properly initialize the context value. Oracle Data Redaction is not enforced for users who are logged in using the SYSDBA administrative privilege. Certain DDL statements that attempt to copy the actual data out from under the control of a data redaction policy (that is, CREATE TABLE AS SELECT, INSERT AS SELECT) are blocked by default, but you can disable this behavior by granting the user the EXEMPT REDACTION POLICY system privilege Oracle Data Redaction does not affect day-to-day database operations, such as backup and recovery, Oracle Data Pump exports and imports, Oracle Data Guard operations, and replication. Do not include any redacted columns in a SQL expression that is used in a GROUP BY clause in a SQL statement. Oracle does not support this behavior, and raises an ORA-00979: not a GROUP BY expression error. This happens because internally the expression in the SELECT list must be modified by Data Redaction, but this causes it to no longer be found when it comes time to process the GROUP BY clause (which is currently not updated by Data Redaction) leading to this unintended error message. Security Guidelines for Oracle Data Redaction 7-1 Restricting Administrative Access to Oracle Data Redaction Policies Restricting Administrative Access to Oracle Data Redaction Policies You can restrict the list of users who can create, view and edit Data Redaction policies by limiting who has the EXECUTE privilege on the DBMS_REDACT package and by limiting who has the SELECT privilege on the REDACTION_POLICIES and REDACTION_COLUMNS views. You also can restrict who is exempted from redaction by limiting the EXEMPT REDACTION POLICY privilege. If you use Oracle Database Vault to restrict privileged user access, then you can use realms to restrict granting of EXEMPT REDACTION POLICY. See Also: ■ ■ ■ "Exempting Users from Oracle Data Redaction Policies" on page 5-26 "Oracle Data Redaction and Oracle Database Vault" on page 6-3 Oracle Database Vault Administrator's Guide for more information about Oracle Database Vault How Oracle Data Redaction Affects the SYS, SYSTEM and Default Schemas Both users SYS and SYSTEM automatically have the EXEMPT REDACTION POLICY system privilege. (SYSTEM has the EXP_FULL_DATABASE role, which includes the EXEMPT REDACTION POLICY system privilege.) This means that the SYS and SYSTEM users can always bypass any existing Oracle Data Redaction policies, and will always be able to view data from tables (or views) that have Data Redaction policies defined on them. Follow these guidelines: ■ ■ ■ Do not create Data Redaction policies on the default Oracle Database schemas, including the SYS and SYSTEM schemas. Be aware that granting the EXEMPT DATA REDACTION system privilege to additional roles may enable users to bypass Oracle Data Redaction, because the grantee role may have been granted to additional roles. Do not revoke the EXEMPT DATA REDACTION system privilege from the roles that it was granted to by default. Writing Policy Expressions That Depend on SYS_CONTEXT Attributes Be careful when writing a policy expression that depends on a SYS_CONTEXT attribute that is populated by an application, because the application might not always populate that attribute. If the user somehow connects directly (rather than through the application), then the SYS_CONTEXT attribute would not have been populated. If you do not handle this NULL scenario in your policy expression, you could unintentionally reveal actual data to the querying user. For example, suppose you wanted to create a policy expression that intends to redact the query results for everyone except users who have the client identifier value of SUPERVISOR. The following expression unintentionally enables querying users who have NULL as the value for their CLIENT_IDENTIFIER to see the real data: SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NOT 'SUPERVISOR' A more rigorous policy expression redacts the result of the query if the client identifier is not set, that is, it has a NULL value. SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NOT 'SUPERVISOR' OR IS NULL 7-2 Oracle Database Advanced Security Administrator's Guide Dropping Policies When the Recycle Bin Is Enabled Remember that in SQL, comparisons with NULL are undefined, and are thus FALSE, but redaction only takes place when the policy expression evaluates to TRUE. Creating Policies on Materialized Views You can create Oracle Data Redaction policies on materialized views and on their base tables. However, ensure that the creator of the materialized view, or the user who performs the refresh of the materialized view, is not blocked by any Data Redaction policies. In other words, the user performing the materialized view creation or refresh operations should be exempt from the Data Redaction policy. As a best practice, when you create a new materalized view, treat it as a copy of the actual table, and then create a separate Data Redaction policy to protect it. Dropping Policies When the Recycle Bin Is Enabled If you drop a table or view that has an Oracle Data Redaction policy defined on it when the recycle bin feature is enabled, and if you query the REDACTION_COLUMNS or REDACTION_POLICIES data dictionary views before you purge the recycle bin, then you will see object names such as BIN$... (for example, BIN$1Xu5PSW5VaPgQxGS5AoAEA==$0). This is normal behavior. These policies are removed when you purge the recycle bin. To find if the recycle bin is enabled, run the SHOW PARAMETER RECYCLEBIN command in SQL*Plus. See Also: Oracle Database Administrator's Guide for information about purging objects from the recycle bin Security Guidelines for Oracle Data Redaction 7-3 Dropping Policies When the Recycle Bin Is Enabled 7-4 Oracle Database Advanced Security Administrator's Guide Part III Part III Data Encryption and Integrity This part describes how to implement and manage transparent data encryption in your Oracle databases. It also describes how to configure Oracle Advanced Security data encryption and integrity for your Oracle network and for thin JDBC connections to the database. Part II contains the following chapters: ■ ■ ■ Chapter 8, "Securing Stored Data Using Transparent Data Encryption" Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" Chapter 10, "Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients" 8 Securing Stored Data Using Transparent Data Encryption 8 Transparent Data Encryption(TDE) enables you to encrypt sensitive data, such as credit card numbers, stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to data. TDE helps protect data stored on media in the event that the storage media or data file gets stolen. This chapter is divided into the following topics: ■ About Transparent Data Encryption ■ Using Transparent Data Encryption ■ Managing Transparent Data Encryption ■ Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption ■ Troubleshooting Transparent Data Encryption ■ Transparent Data Encryption Reference Information About Transparent Data Encryption Oracle Database uses authentication, authorization, and auditing mechanisms to secure data in the database, but not in the operating system data files where data is stored. To protect these data files, Oracle Database provides Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database. Database users and applications do not need to manage key storage or create auxiliary tables, views, and triggers. An application that processes sensitive data can use TDE to provide strong data encryption with little or no change to the application. Use TDE to protect confidential data, such as credit card and social security numbers, stored in table columns. You can also use TDE to encrypt entire tablespaces. This section contains the following topics: ■ Benefits of Using Transparent Data Encryption ■ Types of Transparent Data Encryption Benefits of Using Transparent Data Encryption Transparent Data Encryption (TDE) has the following advantages: Securing Stored Data Using Transparent Data Encryption 8-1 About Transparent Data Encryption ■ ■ ■ ■ ■ ■ As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen. Implementing TDE helps you address security-related regulatory compliance issues. You do not need to create triggers or views to decrypt data for the authorized user or application. Data from tables is transparently decrypted for the database user and application. Database users and applications need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and applications. Applications need not be modified to handle encrypted data. Data encryption and decryption is managed by the database. Key management operations are automated. The user or application does not need to manage encryption keys. Types of Transparent Data Encryption Transparent Data Encryption (TDE) column encryption enables you to encrypt sensitive data stored in select table columns. TDE tablespace encryption enables you to encrypt all data stored in a tablespace. Both TDE column encryption and TDE tablespace encryption use a two-tiered, key-based architecture. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table. The following sections discuss TDE column encryption and TDE tablespace encryption: ■ TDE Column Encryption ■ TDE Tablespace Encryption TDE Column Encryption TDE column encryption is used to protect confidential data, such as credit card and social security numbers, stored in table columns. TDE column encryption uses the two-tiered, key-based architecture to transparently encrypt and decrypt sensitive table columns. The TDE master encryption key is stored in an external security module, which can be an Oracle wallet or Hardware Security Module (HSM). This master encryption key is used to encrypt the table key, which in turn is used to encrypt and decrypt data in the table column. Figure 8–1shows an overview of the TDE column encryption process. 8-2 Oracle Database Advanced Security Administrator's Guide About Transparent Data Encryption Figure 8–1 TDE Column Encryption Overview As shown in Figure 8–1, the master encryption key is stored in an external security module that is outside the database and accessible only to the security administrator. For this external security module, Oracle uses an Oracle wallet or Hardware Security Module (HSM), as described in this chapter. Storing the master encryption key in this way prevents its unauthorized use. Using an external security module (wallet/HSM) separates ordinary program functions from encryption operations, making it possible to divide duties between database administrators and security administrators. Security is enhanced because the wallet password can be unknown to the database administrator, requiring the security administrator to provide the password. When a table contains encrypted columns, a single table key is used regardless of the number of encrypted columns. The table keys for all tables are encrypted with the database server master encryption key and stored in a dictionary table in the database. No keys are stored in the clear. TDE Tablespace Encryption TDE tablespace encryption enables you to encrypt an entire tablespace. All objects created in the encrypted tablespace are automatically encrypted. TDE tablespace encryption is useful if you want to secure sensitive data in tables. You do not need to perform a granular analysis of each table column to determine the columns that need encryption. In addition, TDE tablespace encryption takes advantage of bulk encryption and caching to provide enhanced performance. While the actual performance impact on applications can vary, the performance overhead is roughly estimated to be in between 5% and 8%. TDE tablespace encryption is a good alternative to TDE column encryption if your tables contain sensitive data in multiple columns, or if you want to protect the entire table and not just individual columns. TDE tablespace encryption encrypts all data that is stored in an encrypted tablespace and its corresponding redo data. This includes internal large objects (LOBs) such as Securing Stored Data Using Transparent Data Encryption 8-3 About Transparent Data Encryption BLOBs and CLOBs. TDE tablespace encryption does not encrypt data that is stored outside the tablespace. For example, BFILE data is not encrypted as it is stored outside the database. If you create a table with a BFILE column in an encrypted tablespace, then this particular column will not be encrypted. However, SecureFile LOBs are supported from Oracle Database 11g Release 1 (11.1). All data in an encrypted tablespace is stored in encrypted format on the disk. Data is transparently decrypted for an authorized user having the necessary privileges to view or modify the data. A database user or application does not need to know if the data in a particular table is encrypted on the disk. In the event that the data files on a disk or backup media gets stolen, the data is not compromised. TDE tablespace encryption uses the two-tiered, key-based architecture to transparently encrypt (and decrypt) tablespaces. The TDE master key is stored in an external security module (Oracle Wallet or HSM). This TDE master key is used to encrypt the TDE tablespace encryption key, which in turn is used to encrypt and decrypt data in the tablespace. Figure 8–2 shows an overview of the TDE tablespace encryption process. Figure 8–2 TDE Tablespace Encryption Note: The encrypted data is protected during operations like JOIN and SORT. This means that the data is safe when it is moved to temporary tablespaces. Data in undo and redo logs is also protected. TDE tablespace encryption also allows index range scans on data in encrypted tablespaces. This is not possible with TDE column encryption. Oracle Database 11g Release 2 (11.2) implements the following enhancements to TDE tablespace encryption: ■ ■ A unified master encryption key is used for both TDE column encryption and TDE tablespace encryption. You can reset the unified master encryption key. This provides enhanced security and helps meet security and compliance requirements. 8-4 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption Using Transparent Data Encryption The following sections discuss using Transparent Data Encryption (TDE): ■ Enabling Transparent Data Encryption ■ Setting and Resetting the Master Encryption Key ■ Opening and Closing the Encrypted Wallet ■ Encrypting Columns in Tables ■ Encrypting Entire Tablespaces ■ Using Hardware Security Modules with TDE ■ Using Transparent Data Encryption with Oracle RAC Enabling Transparent Data Encryption TDE column encryption was first introduced in Oracle Database 10g release 2 (10.2). To use this feature, you must be running Oracle Database 10g release 2 (10.2) or higher. TDE tablespace encryption was introduced in Oracle Database 11g release 1 (11.1). To use this feature, you must be running Oracle Database 11g release 1 (11.1) or higher. Note: Oracle Database 11g Release 1 (11.1) and higher versions ensure greater security by protecting data in temporary tablespaces during operations such as JOIN and SORT. The data in temporary tablespaces stays encrypted during these operations. To start using TDE, the security administrator must create a wallet and set a master key. The wallet can be the default database wallet shared with other Oracle Database components, or a separate wallet specifically used by TDE. Oracle strongly recommends that you use a separate wallet to store the master encryption key. Specifying a Wallet Location for Transparent Data Encryption If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter. Oracle recommends that you use the ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE. "Sample sqlnet.ora File" on page A-1for an example of the syntax used to set this parameter See Also: Using Wallets with Automatic Login Enabled The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet. You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created. Securing Stored Data Using Transparent Data Encryption 8-5 Using Transparent Data Encryption See Also: "Using an Auto Login Wallet" on page 8-24 for more information on auto login wallets. Setting and Resetting the Master Encryption Key The master encryption key is stored in an external security module, and it is used to protect the table keys and tablespace encryption keys. By default, the master encryption key is a random key generated by Transparent Data Encryption (TDE). It can also be an existing key pair from a PKI certificate designated for encryption. To use TDE with PKI key pairs, the issuing certificate authority must be able to issue X.509v3 certificates with the key usage field marked for encryption. PKI-based encryption does not work with TDE tablespace encryption or hardware security modules. To know more about hardware security modules, refer to "Using Hardware Security Modules with TDE" on page 8-19. Note: Neither key type is more secure, but if you have already deployed PKI within your organization, then you can leverage such PKI services as key escrow and recovery. However, encryption using current PKI algorithms requires significantly more system resources than symmetric key encryption. Using a PKI key pair as a master encryption key may result in greater performance degradation when accessing encrypted columns in the database. Use the ALTER SYSTEM command to set or reset (rekey) the master encryption key. The following sections discuss setting and resetting the master encryption key. Setting the Master Encryption Key Before you can encrypt or decrypt database columns or tablespaces, you must generate a master encryption key. Oracle Database 11g Release 2 (11.2) uses the same master encryption key for both TDE column encryption and TDE tablespace encryption. To set the master encryption key, use the following command: SQL> ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY "password" where ■ certificate_ID is an optional string containing the unique identifier of a certificate stored in the Oracle wallet. Use this parameter if you intend to use your PKI private key as your master encryption key. This parameter has no default setting. Enclose the certificate_ID in double quotation marks (" "). You can search for a certificate_ID by querying the V$WALLET fixed view when the wallet is open. Only certificates that can be used as master encryption keys by TDE are shown. ■ password is the mandatory wallet password for the security module, with no default setting. It is case sensitive. Enclose the password string in double quotation marks (" "). Oracle Database SQL Reference for the rules related to supplying passwords See Also: 8-6 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption The wallet location specified by the ENCRYPTION_WALLET_LOCATION parameter, in the sqlnet.ora parameter file, is used to create the master encryption key. If the ENCRYPTION_WALLET_LOCATION parameter is not present in the sqlnet.ora file, then the WALLET_LOCATION value is used. A new wallet is created if one does not exist already. If no wallet location is specified in the sqlnet.ora file, then the default database wallet location is used. The default database wallet location is ORACLE_BASE/admin/DB_ UNIQUE_NAME/wallet or ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. Here, DB_ UNIQUE_NAME is the unique name of the database specified in the initialization parameter file. If an existing auto login wallet is present at the expected wallet location, then a new wallet is not created. Resetting the Master Encryption Key Reset/Regenerate the master encryption key only if it has been compromised or as per the security policies of the organization. You should back up the wallet before resetting the master encryption key. Frequent master encryption key regeneration does not necessarily enhance system security. Security modules can store a large number of keys. However, this number is not unlimited. Frequent master encryption key regeneration can exhaust all available storage space. To reset the master encryption key, use the SQL syntax as shown in "Setting the Master Encryption Key" on page 8-6. If you are resetting the master encryption key for a wallet that has auto login enabled, then you must ensure that both the auto login wallet, identified by the .sso file, and the encryption wallet, identified by the .p12 file, are present before issuing the command to reset the master encryption key. Note: The ALTER SYSTEM SET ENCRYPTION KEY command is a data definition language (DDL) command requiring the ALTER SYSTEM privilege, and it automatically commits any pending transactions. Example 8–1 shows a sample usage of this command. Example 8–1 Setting or Resetting the Master Encryption Key To Use a PKI-Based Private Key SQL> ALTER SYSTEM SET ENCRYPTION KEY "j23lm781098dhb345sm" IDENTIFIED BY "password"; Here, j23lm781098dhb345sm is the certificate ID and password is the wallet password. For PKI-based keys, certificate revocation lists are not enforced as enforcing certificate revocation may lead to losing access to all encrypted information in the database. However, you cannot use the same certificate to create the master key again. Opening and Closing the Encrypted Wallet The database must load the master encryption key into memory before it can encrypt or decrypt columns/tablespaces. Opening the wallet allows the database to access the master encryption key. Use the following ALTER SYSTEM command to explicitly open the wallet: SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" Securing Stored Data Using Transparent Data Encryption 8-7 Using Transparent Data Encryption where password is the password to open the wallet. Enclose the password string in double quotation marks (" "). The password to open the wallet is the password that you specify for creating the master encryption key. This is discussed under "Setting the Master Encryption Key" on page 8-6. Note: Once the wallet has been opened, it remains open until you shut down the database instance, or close it explicitly by issuing the following command: SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password" Closing the wallet disables all encryption and decryption operations. Any attempt to encrypt/decrypt data or access encrypted data results in the following error: ORA-28365: wallet is not open Each time you restart a database instance, you must issue the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command to reenable encryption and decryption operations. Auto login wallets are opened automatically and do not need to be opened explicitly. Note: In case an auto login wallet needs to be closed, it can be closed with the following command: SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE No password is required to close an auto login wallet. If the user does not have the ALTER SYSTEM privilege, or the wallet is unavailable, or an incorrect password is given, then the command returns an error and exits. If the wallet is already open, the command returns an error and takes no action. Example 8–2 shows an example of each usage case. Example 8–2 Opening the External Security Module Wallet with ALTER SYSTEM SQL> --Successfully opening the wallet SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "U83j10LLt8v"; Wallet opened. SQL> --Trying to open a wallet that is already open SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "U83j10LLt8v"; ERROR at line 1: ORA-28354: wallet already open SQL> --Trying to open the wallet with an incorrect password SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "U93j10LLt8v"; ERROR at line 1: ORA-28353: failed to open wallet Encrypting Columns in Tables The following sections discuss using TDE column encryption: 8-8 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption ■ Creating Tables with Encrypted Columns ■ Encrypting Columns in Existing Tables ■ Creating an Index on an Encrypted Column ■ Adding or Removing Salt from an Encrypted Column ■ Changing the Encryption Key or Algorithm for Tables with Encrypted Columns ■ Data Types That Can Be Encrypted with TDE Column Encryption ■ Restrictions on Using TDE Column Encryption Creating Tables with Encrypted Columns To create relational tables with encrypted columns, specify the SQL ENCRYPT clause when you define database columns with the CREATE TABLE statement. This section contains the following topics: ■ ■ Creating a Table with an Encrypted Column Creating a Table with an Encrypted Column Using a Nondefault Algorithm and No Salt ■ Using the NOMAC Parameter to Save Disk Space and Improve Performance ■ Creating an Encrypted Column in an External Table Creating a Table with an Encrypted Column By default, TDE uses the AES encryption algorithm with a 192-bit key length (AES192). If you encrypt a table column without specifying an algorithm, the column is encrypted using the AES192 algorithm. TDE adds salt to cleartext before encrypting it. This makes it harder for attackers to steal data through a brute force attack. TDE also adds a Message Authentication Code (MAC) to the data for integrity checking. The SHA-1 integrity algorithm is used by default. If there are multiple encrypted columns in a table, then all of these columns must use the same pair of encryption and integrity algorithms. Note: Salt is specified at the column level. This means that an encrypted column in a table can choose not to use salt irrespective of whether other encrypted columns in the table use salt or not. Example 8–3 creates a new table with an encrypted column. The column is encrypted using the default encryption algorithm (AES192). Salt and MAC are added by default. Example 8–3 Creating a New Table with an Encrypted Column Using the Default Algorithm (AES192) CREATE TABLE employee ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER, salary NUMBER(6) ENCRYPT ); Creating a Table with an Encrypted Column Using a Nondefault Algorithm and No Salt By default, TDE adds salt to cleartext before encrypting it. This makes it harder for Securing Stored Data Using Transparent Data Encryption 8-9 Using Transparent Data Encryption attackers to steal data through a brute force attack. However, if you plan to index the encrypted column, you must use NO SALT. TDE also enables you to specify a nondefault encryption algorithm. You can choose from one of the following algorithms: ■ 3DES168 ■ AES128 ■ AES192 (default) ■ AES256 Example 8–4 shows how to specify the NO SALT parameter with the SQL ENCRYPT clause (empID NUMBER ENCRYPT NO SALT). It also shows the syntax for specifying a different encryption algorithm (salary NUMBER(6) ENCRYPT USING '3DES168'). Note that the string which specifies the algorithm must be enclosed in single quotation marks (' '). The empID and salary columns will both use the 3DES168 encryption algorithm. This is because all encrypted columns in a table must use the same encryption algorithm. The salary column will use salt by default. The empID column will not use salt as the NO SALT option has been specified for it. Example 8–4 Creating a New Table with an Encrypted Column Using 3DES168 and NO SALT CREATE TABLE employee ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168' ); Using the NOMAC Parameter to Save Disk Space and Improve Performance The NOMAC parameter enables you to skip the integrity check performed by TDE. This saves 20 bytes of disk space per encrypted value. If the number of rows and encrypted columns in the table is large, then this adds up to a significant amount of disk space. The NOMAC parameter also reduces the performance overheads associated with TDE. Using the NOMAC parameter causes the integrity check to be skipped during encryption and decryption operations. This saves processing cycles and leads to faster performance. TDE uses the SHA-1 integrity algorithm by default. All encrypted columns in a table must use the same integrity algorithm. If you already have a table column using the SHA-1 algorithm, then you cannot use the NOMAC parameter to encrypt another column in the same table. Note: You can change the integrity algorithm used by all encrypted columns in a table using the ALTER TABLE....REKEY... command. See Example 8–6 for an example. Example 8–5 creates a table with an encrypted column. The empID column is encrypted using the NOMAC parameter. 8-10 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption Example 8–5 Using the NOMAC parameter in a CREATE TABLE statement CREATE TABLE employee ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT 'NOMAC' NO SALT , salary NUMBER(6) ); Example 8–6 shows how to change the integrity algorithm for encrypted columns in a table. The encryption algorithm is set to 3DES168 and the integrity algorithm is set to SHA-1. The second ALTER TABLE statement sets the integrity algorithm to NOMAC. Example 8–6 Changing the Integrity Algorithm for a Table SQL> ALTER TABLE EMPLOYEE REKEY USING '3DES168' 'SHA-1'; Table altered. SQL> ALTER TABLE EMPLOYEE REKEY USING '3DES168' 'NOMAC'; Table altered. Creating an Encrypted Column in an External Table The external table feature enables you to access data in external sources as if the data were in a database table. External tables can be updated using the ORACLE_DATAPUMP access driver. See Also: Oracle Database Concepts for discussions on Schema Objects and Tables. To encrypt specific columns in an external table, use the ENCRYPT clause when defining those columns. A system generated key is used to encrypt the columns. For example, the following definition encrypts the ssn column using the 3DES168 algorithm: CREATE TABLE emp_ext ( first_name, .... ssn ENCRYPT USING '3DES168', .... ... ... If you plan to move your external table to a new location, then you cannot use a randomly generated key to encrypt the columns. This is because the randomly generated key will not be available at the new location. For such scenarios, you should specify a password while encrypting the columns. After you move the data, you can use the same password to regenerate the key required to access encrypted column data at the new location. Table partition exchange also requires a password-based table key. Example 8–7 creates an external table using a password to create the table key. Example 8–7 Creating a New External Table with a Password-Generated Table Key CREATE TABLE emp_ext ( first_name, last_name, empID, salary, ssn ENCRYPT IDENTIFIED BY "xIcf3T9u" Securing Stored Data Using Transparent Data Encryption 8-11 Using Transparent Data Encryption ) ORGANIZATION EXTERNAL ( TYPE ORACLE_DATAPUMP DEFAULT DIRECTORY "D_DIR" LOCATION('emp_ext.dat') ) REJECT LIMIT UNLIMITED AS SELECT * FROM EMPLOYEE; Oracle Database SQL Language Reference about CREATE TABLE, ENCRYPT, and the rules for passwords. See Also: Encrypting Columns in Existing Tables To add an encrypted column to an existing table, or to encrypt or decrypt an existing column, you use the ALTER TABLE SQL command with the ADD or MODIFY clause. This section contains the following topics: ■ Adding an Encrypted Column to an Existing Table ■ Encrypting an Unencrypted Column ■ Disabling Encryption on a Column Adding an Encrypted Column to an Existing Table To add an encrypted column to an existing table, you use the ALTER TABLE ADD command, specifying the new column with the ENCRYPT clause. Example 8–8 adds an encrypted column, ssn, to an existing table, called employee. Example 8–8 Adding an Encrypted Column to an Existing Table SQL> ALTER TABLE employee ADD (ssn VARCHAR2(11) ENCRYPT); The ssn column is encrypted with the default AES192 algorithm. Salt and MAC are added by default. You can choose to encrypt the column using a different algorithm. You can also specify NO SALT, if you wish to index the column. Encrypting an Unencrypted Column To encrypt an unencrypted column, use the ALTER TABLE MODIFY command, specifying the unencrypted column with the ENCRYPT clause. Example 8–9 encrypts the first_name column in the employee table. Example 8–9 Encrypting an Unencrypted Column SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT); The first_name column is encrypted with the default AES192 algorithm. Salt is added to the data, by default. You can choose to encrypt the column using a different algorithm. You can also specify NO SALT, if you wish to index the column. You can also choose to skip integrity checks by using the NOMAC parameter. Example 8–10 encrypts the first_name column in the employee table using the NOMAC parameter. Example 8–10 Using the NOMAC parameter in an ALTER TABLE statement SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT 'NOMAC'); 8-12 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption Disabling Encryption on a Column You may want to disable encryption for reasons of compatibility or performance. To disable column encryption, use the ALTER TABLE MODIFY command with the DECRYPT clause. Example 8–11 decrypts the first_name column in the employee table. Example 8–11 Turning Off Column Encryption SQL> ALTER TABLE employee MODIFY (first_name DECRYPT); Creating an Index on an Encrypted Column To create an index on an encrypted column, you use the standard CREATE INDEX command. The column being indexed must have been encrypted without salt. Example 8–12 shows how to create an index on a column that has been encrypted without salt. Example 8–12 Creating Index on a Column Encrypted Without Salt CREATE TABLE employee ( first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168' ); CREATE INDEX employee_idx on employee (empID); You cannot create an index on a column that has been encrypted with salt. If you try to do this, an error (ORA-28338) is raised. Note: Adding or Removing Salt from an Encrypted Column Salt is a way to strengthen the security of encrypted data. It is a random string added to the data before it is encrypted. This ensures that the same plaintext data does not always translate to the same encrypted text. Salt removes the one common method attackers use to steal data, namely, matching patterns of encrypted text. Adding salt requires an additional 16 bytes of storage, per encrypted data value. To add or remove salt from encrypted columns, use the ALTER TABLE MODIFY command. Example 8–13 encrypts the first_name column using salt. If the first_ name column was encrypted without salt earlier, then this command reencrypts it using salt. Example 8–13 Adding Salt to an Encrypted Column SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT SALT); Example 8–14 removes salt from the first_name column. If you need to index a column that was encrypted using salt, then you can use this command to remove the salt before indexing. Example 8–14 Removing Salt from an Encrypted Column SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT); Securing Stored Data Using Transparent Data Encryption 8-13 Using Transparent Data Encryption Changing the Encryption Key or Algorithm for Tables with Encrypted Columns Each table can have only one table key for its columns. You can regenerate the table key with the ALTER TABLE command. You can also choose to use a different encryption algorithm for the new table key. Example 8–15 regenerates the table key for the employee table. Example 8–15 Changing the Encryption Key on Tables Containing Encrypted Columns SQL> ALTER TABLE employee REKEY; Example 8–16 regenerates the table key for the employee table using the 3DES168 algorithm. Example 8–16 Changing the Encryption Key and Algorithm on Tables Containing Encrypted Columns SQL> ALTER TABLE employee REKEY USING '3DES168'; Data Types That Can Be Encrypted with TDE Column Encryption The following data types can be encrypted using this feature: ■ BINARY_DOUBLE ■ BINARY_FLOAT ■ CHAR ■ DATE ■ INTERVAL DAY TO SECOND ■ INTERVAL YEAR TO MONTH ■ LOBs (Internal LOBs and SECUREFILE LOBs Only) ■ NCHAR ■ NUMBER ■ NVARCHAR2 ■ RAW ■ ■ TIMESTAMP (includes TIMESTAMP WITH TIME ZONE and TIMESTAMP WITH LOCAL TIME ZONE) VARCHAR2 You cannot encrypt a column if the encrypted column size becomes greater than the size allowed by the data type of the column. Table 8–1 shows the maximum allowable sizes for various data types. Table 8–1 Maximum Allowable Size for Data Types Data Type Maximum Size CHAR 1932 bytes VARCHAR2 3932 bytes NVARCHAR2 1966 bytes NCHAR 966 bytes 8-14 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption TDE tablespace encryption does not have these data type restrictions. Note: Restrictions on Using TDE Column Encryption TDE column encryption encrypts and decrypts data at the SQL layer. Oracle Database utilities and features that bypass the SQL layer cannot leverage the services provided by TDE column encryption. Do not use TDE column encryption with the following database features: ■ Index types other than B-tree ■ Range scan search through an index ■ External large objects (BFILE) ■ Synchronous Change Data Capture ■ Transportable Tablespaces ■ Original import/export utilities In addition, you cannot use TDE column encryption to encrypt columns used in foreign key constraints. See Also: ■ ■ "Export and Import of Tables with Encrypted Columns" on page 8-26 "Data Types That Can Be Encrypted with TDE Column Encryption" on page 8-14 Note: Oracle Database 10g release 2 (10.2) TDE did not support large object (LOB) data types such as BLOB and CLOB. Oracle Database 11g TDE supports internal large object data types such as BLOB and CLOB. However, you cannot encrypt external LOBs (BFILE). Applications that need to use these unsupported features can use the DBMS_CRYPTO package for their encryption needs. See Also: "DBMS_CRYPTO" in Oracle Database PL/SQL Packages and Types Reference TDE protects data stored on disk/media. It does not protect data in transit. Use Oracle Advanced Security network encryption solutions discussed in Chapter 2, "Configuration and Administration Tools Overview"to encrypt data over the network. Encrypting Entire Tablespaces In order to use TDE tablespace encryption, you must be running Oracle Database 11g release 1 (11.1) or higher. If you have upgraded from an earlier release, the compatibility for the database must have been set to 11.0.0 or higher. To use the enhanced tablespace encryption features in Oracle Database 11g Release 2 (11.2), the compatibility for the database must be set to 11.2 or higher. Securing Stored Data Using Transparent Data Encryption 8-15 Using Transparent Data Encryption Advancing the database compatibility, using the COMPATIBLE initialization parameter, is an irreversible change. Note: The following steps discuss using TDE tablespace encryption: ■ Setting the Tablespace Master Encryption Key ■ Opening the Oracle Wallet ■ Creating an Encrypted Tablespace ■ Restrictions on Using TDE Tablespace Encryption Setting the Tablespace Master Encryption Key Before you can encrypt or decrypt tablespaces, you must generate or set a master encryption key. The tablespace master encryption key is stored in an external security module and is used to encrypt the TDE tablespace encryption keys. Check to ensure that the ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION) parameter in the sqlnet.ora file points to the correct software wallet location. For example: ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/app/wallet))) Oracle Database 11g Release 2 (11.2) uses the same master encryption key for both TDE column encryption and TDE tablespace encryption. When you issue the ALTER SYSTEM SET ENCRYPTION KEY command, a unified master encryption key is created for both TDE column encryption and TDE tablespace encryption. Creating a master encryption key is discussed under "Setting the Master Encryption Key" on page 8-6. If you were already using TDE in Oracle Database 10g release 2 (10.2), and have upgraded the database to 11g Release 2 (11.2), then you must reissue the ALTER SYSTEM SET ENCRYPTION KEY command to create a unified master encryption key. If you were already using TDE tablespace encryption in Oracle Database 11g release 1 (11.1), and have upgraded the database to 11g release 2 (11.2), then you have separate master encryption keys for TDE column encryption and TDE tablespace encryption. You must create a unified master encryption key by reissuing the ALTER SYSTEM SET ENCRYPTION KEY command. Resetting the Tablespace Master Encryption Key Oracle Database 11g Release 2 (11.2) uses a unified master encryption key for both TDE column encryption and TDE tablespace encryption. When you reset (rekey) the master encryption key for TDE column encryption, the master encryption key for TDE tablespace encryption also gets reset. The ALTER SYSTEM SET ENCRYPTION KEY command resets the tablespace master encryption key. Resetting the master encryption key is discussed under "Setting and Resetting the Master Encryption Key" on page 8-6. Opening the Oracle Wallet Before you can create an encrypted tablespace, the Oracle wallet containing the tablespace master encryption key must be open. The wallet must also be open before you can access data in an encrypted tablespace. Opening the Oracle wallet has been discussed under "Opening and Closing the Encrypted Wallet" on page 8-7. 8-16 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption The security administrator needs to open the Oracle wallet after starting the Oracle instance. A restart of the Oracle instance requires the security administrator to open the wallet again. Note: The security administrator also needs to open the wallet before performing database recovery operations. This is because background processes may require access to encrypted redo and undo logs. When performing database recovery, the wallet must be opened before opening the database. This is illustrated in the following statements: SQL> STARTUP MOUNT; SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"; SQL> ALTER DATABASE OPEN; You can also choose to use auto login wallets, if your environment does not require the extra security provided by a wallet that needs to be explicitly opened. Creating an Encrypted Tablespace The CREATE TABLESPACE command enables you to create an encrypted tablespace. The permanent_tablespace_clause enables you to choose the encryption algorithm and the key length for encryption. The ENCRYPT keyword in the storage_clause encrypts the tablespace. The following syntax illustrates this: CREATE [ BIGFILE | SMALLFILE ] { permanent_tablespace_clause | temporary_tablespace_clause | undo_tablespace_clause } ; Where, permanent_tablespace_clause= TABLESPACE tablespace ......... ENCRYPTION [USING algorithm] ......... storage_clause ......... Where, storage_clause= ......... [ENCRYPT] ......... Here: algorithm can have one of the following values: ■ 3DES168 ■ AES128 ■ AES192 ■ AES256 Securing Stored Data Using Transparent Data Encryption 8-17 Using Transparent Data Encryption The key lengths are included in the names of the algorithms themselves. If no encryption algorithm is specified, the default encryption algorithm is used. The default encryption algorithm is AES128. Note: ■ ■ The ENCRYPTION keyword in the permanent_tablespace_clause is used to specify the encryption algorithm. The ENCRYPT keyword in the storage_clause actually encrypts the tablespace. For security reasons, a tablespace cannot be encrypted with the NO SALT option. Oracle Database SQL Reference Guide for the CREATE TABLESPACE command syntax. See Also: Example 8–17 creates a tablespace called securespace. The tablespace is encrypted using the 3DES algorithm. The key length is 168 bits. Example 8–17 Creating an Encrypted Tablespace CREATE TABLESPACE securespace DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION USING '3DES168' DEFAULT STORAGE(ENCRYPT); Example 8–18 creates a tablespace called securespace2. As no encryption algorithm is specified, the default encryption algorithm (AES128) is used. The key length is 128 bits. Example 8–18 Creating an Encrypted Tablespace CREATE TABLESPACE securespace2 DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION DEFAULT STORAGE(ENCRYPT); The following data dictionary views maintain information about the encryption status of a tablespace. You can query these views to verify that a tablespace has been encrypted: ■ ■ DBA_TABLESPACES: The ENCRYPTED column indicates whether a tablespace is encrypted USER_TABLESPACES: The ENCRYPTED column indicates whether a tablespace is encrypted See Also: Oracle Database Reference for a full description of these data dictionary views. You cannot encrypt an existing tablespace. However, you can import data into an encrypted tablespace using the Oracle Data Pump utility. You can also use SQL commands like CREATE TABLE...AS SELECT...or ALTER TABLE...MOVE... to move data into an encrypted tablespace. The CREATE TABLE...AS SELECT... command enables you to create a table from an existing table. The ALTER TABLE...MOVE... command enables you to move a table into the encrypted tablespace. 8-18 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption See Also: Oracle Database SQL Language Reference for more details on the CREATE TABLE and ALTER TABLE commands. Restrictions on Using TDE Tablespace Encryption TDE tablespace encryption encrypts/decrypts data during read/write operations, as opposed to TDE column encryption, which encrypts/decrypts data at the SQL layer. This means that most restrictions that apply to TDE column encryption, such as data type restrictions and index type restrictions, are not applicable to TDE tablespace encryption. The following list includes the restrictions that apply to TDE tablespace encryption: ■ ■ External Large Objects (BFILEs) cannot be encrypted using TDE tablespace encryption. This is because these files reside outside the database. To perform import and export operations, use Oracle Data Pump. Using Hardware Security Modules with TDE A hardware security module (HSM) is a physical device that provides secure storage for encryption keys. It also provides secure computational space (memory) to perform encryption and decryption operations. HSM is a more secure alternative to the Oracle wallet. TDE can use HSM to provide enhanced security for sensitive data. An HSM is used to store the master encryption key used for TDE. The key is secure from unauthorized access attempts as the HSM is a physical device and not an operating system file. All encryption and decryption operations that use the master encryption key are performed inside the HSM. This means that the master encryption key is never exposed in insecure memory. Using HSM involves an initial setup of the HSM device. You also need to configure TDE to use HSM. Once the initial setup is done, HSM can be used just like an Oracle software wallet. The following steps discuss configuring and using hardware security modules: 1. Set the ENCRYPTION_WALLET_LOCATION Parameter in the sqlnet.ora File 2. Copy the PKCS#11 Library to Its Correct Path 3. Set Up the HSM 4. Generate a Master Encryption Key for HSM-Based Encryption 5. Reconfigure the Software Wallet (Optional) 6. Ensure that the HSM Is Accessible 7. Encrypt and Decrypt Data Set the ENCRYPTION_WALLET_LOCATION Parameter in the sqlnet.ora File The ENCRYPTION_WALLET_LOCATION parameter specifies the location of the Oracle wallet. You need to change this parameter to reflect the fact that an HSM is to be used in place of the software wallet. Use the following steps to set the ENCRYPTION_WALLET_LOCATION parameter: 1. Open the sqlnet.ora file. This file is located in the $ORACLE_HOME/network/admin directory. 2. Add the ENCRYPTION_WALLET_LOCATION parameter to the sqlnet.ora file, as follows: Securing Stored Data Using Transparent Data Encryption 8-19 Using Transparent Data Encryption ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)) If the ENCRYPTION_WALLET_LOCATION parameter is already present in the sqlnet.ora file, then change the METHOD value to HSM: ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=HSM)(METHOD_DATA= (DIRECTORY=/app/wallet))) If a DIRECTORY value is present in the ENCRYPTION_WALLET_ LOCATION parameter, then make sure that you do not delete it. Although HSM does not require a DIRECTORY value, the value is used to locate your old software wallet when migrating to HSM-based transparent data encryption. Also, the DIRECTORY value might be required by tools, such as Recovery Manager (RMAN), to locate the software wallet. Note: 3. Save and close the file. Copy the PKCS#11 Library to Its Correct Path Your HSM vendor supplies you with an associated PKCS#11 library. You should copy this library to the specified directory structure to ensure that the database is able to find this library. Use the following directory structures for UNIX and Windows respectively: /opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/libapiname.ext %SYSTEM_DRIVE%\oracle\extapi\[32,64]\hsm\{VENDOR}\{VERSION}\libapiname.ext Here: [32,64] specifies whether the supplied binary is 32-bits or 64-bits VENDOR stands for the name of the vendor supplying the library VERSION refers to the version of the library. This should preferably be in a format, number.number.number apiname requires no special format. However, the apiname must be prefixed with the word lib, as illustrated in the syntax. .ext needs to be replaced by the extension of the library file. This extension is .so on Unix. Only one PKCS#11 library is supported at a time. If you wish to use an HSM from a new vendor, then you should replace the PKCS#11 library from the earlier vendor with the library from the new vendor. Note: Set Up the HSM Your HSM vendor should have provided you the instructions to set up the HSM interface. Use your HSM management interface and the instructions provided by your vendor to set up the HSM. Create the user account and password that would be used by the database to interact with the HSM. 8-20 Oracle Database Advanced Security Administrator's Guide Using Transparent Data Encryption The HSM is set up by the HSM administrator or the security administrator responsible for managing TDE. Note: Generate a Master Encryption Key for HSM-Based Encryption To start using HSM-based encryption, you need to create a master encryption key that will be stored inside the HSM. The master encryption key is used to encrypt or decrypt table keys inside the HSM. Use the following command to create the master encryption key: SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "user_Id:password" [MIGRATE USING "wallet_password"] Here: user_Id is the user Id created for the database using the HSM management interface password is the password created for the user Id using the HSM management interface. Enclose the user_Id:password string in double quotation marks (" "). wallet_password is the password required to open an existing Oracle wallet on the file system. Enclose the wallet_password string in double quotation marks (" "). The user_Id and password are not created automatically. You must set these up using the HSM management interface before issuing the ALTER SYSTEM SET ENCRYPTION KEY command. This is different from the procedure used for an Oracle wallet. An Oracle wallet requires no prior setup before issuing the ALTER SYSTEM SET ENCRYPTION KEY command. Note: If you are already using transparent data encryption and not using HSM, then you need to use the MIGRATE USING wallet_password clause in the preceding command. This decrypts the existing table keys and reencrypts them with the newly created, HSM-based, master encryption key. If the database contains columns encrypted with a public key, then the columns are decrypted and reencrypted with an AES symmetric key generated by HSM-based transparent data encryption. Note: Reconfigure the Software Wallet (Optional) This step is applicable if you have exported encrypted data or created encrypted backups using the software wallet. Tools like Oracle Data Pump and Recovery Manager require access to the old software wallet to perform decryption and encryption operations on data exported or backed up using the software wallet. You can use either of the following approaches to reconfigure the software wallet: ■ Change the wallet password to the HSM userId:password string. Here: user_Id is the user Id created for the database using the HSM management interface password is the password created for the user Id using the HSM management interface. Enclose the user_Id:password string in double quotation marks (" "). Securing Stored Data Using Transparent Data Encryption 8-21 Using Transparent Data Encryption Use Oracle Wallet Manager or the orapki command-line utility to change the password for the software wallet. SQL*Plus cannot be used to change the wallet password. "Changing the Password" on page 14-13 for more details on changing the wallet password See Also: ■ You can alternatively choose to use an auto login wallet. The auto login wallet is identified by a file with the .sso extension. Use an auto login wallet only if your environment does not require the extra security provided by a wallet that needs to be explicitly opened. You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created. See Also: ■ ■ "Using Auto Login" on page 14-14 for information about enabling auto login using Oracle Wallet Manager "Creating, Viewing, and Modifying Wallets with orapki" on page E-2 for information about enabling auto login and local auto login using the orapki command-line utility Ensure that the HSM Is Accessible The security administrator must make sure that the HSM is accessible to the database before any encryption or decryption can be performed. This is analogous to opening the Oracle wallet. Use the following command to make the HSM accessible: SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "user_Id:password" Here: user_Id is the user Id created for the database using the HSM management interface password is the password created for the user Id using the HSM management interface Enclose the user_Id:password string in double quotation marks (" ") Access to the HSM needs to reenabled every time the database instance is restarted. Note: The security administrator can disable access to the HSM using the ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "user_Id:password" command. This disables all encryption and decryption operations in the HSM. A database user or application cannot perform any operation involving encrypted data until the wallet has been reopened. For example, the following operations will fail if the HSM is not accessible: ■ SELECT data from an encrypted column ■ INSERT data into on an encrypted column ■ CREATE a table with encrypted column(s) ■ ALTER the encryption properties of a column ■ CREATE an encrypted tablespace 8-22 Oracle Database Advanced Security Administrator's Guide Managing Transparent Data Encryption Encrypt and Decrypt Data HSM use is transparent to the end user. The commands to create a table with encrypted columns, access encrypted data, or decrypt data are the same regardless of whether the master encryption key resides in an Oracle wallet or HSM. Using Transparent Data Encryption with Oracle RAC Oracle Database 11g Release 2 (11.2) enables Oracle Real Application Clusters (Oracle RAC) nodes to share the wallet. This eliminates the need to manually copy and synchronize the wallet across all nodes. Oracle recommends that you create the wallet on a shared file system. This allows all instances to access the same shared wallet. Any wallet operation, like opening or closing the wallet, performed on any one Oracle RAC instance is applicable for all other Oracle RAC instances. This means that when you open and close the wallet for one instance, then it opens and closes for all Oracle RAC instances. When using a shared file system, you need to ensure that the ENCRYPTION_WALLET_ LOCATION or WALLET_LOCATION parameter for all Oracle RAC instances point to the same shared wallet location. The security administrator also needs to ensure security of the shared wallet by assigning appropriate directory permissions. A master key rekey performed on one instance is applicable for all instances. When a new Oracle RAC node comes up, it is aware of the current wallet open or close status. Using a Non-Shared File System to Store the Wallet If you are not using a shared file system to store the wallet, then you need to copy the wallet to all nodes after a master key rekey. If you need to reset the master encryption key for the database, then use the following steps: 1. Reset the master encryption key on the first Oracle RAC node. Use the following command: See "Setting and Resetting the Master Encryption Key" on page 8-6 for more information. 2. Copy the wallet with the new master encryption key from the first node to all other nodes. 3. Close and reopen the wallet on any one node. Use the following commands: SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "password"; SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"; Any wallet operation, like opening or closing the wallet, performed on any one Oracle RAC instance is applicable for all other Oracle RAC instances. This is true even if you are not using a shared file system. Note: All Oracle RAC nodes are now configured to use the new master encryption key. Managing Transparent Data Encryption This section contains these topics: ■ Oracle Wallet Management ■ Backup and Recovery of Master Encryption Keys Securing Stored Data Using Transparent Data Encryption 8-23 Managing Transparent Data Encryption ■ Export and Import of Tables with Encrypted Columns ■ Performance and Storage Overheads ■ Security Considerations ■ Using Transparent Data Encryption in a Multi-Database Environment ■ Replication in Distributed Environments ■ Compression and Data Deduplication of Encrypted Data ■ Transparent Data Encryption with OCI ■ Transparent Data Encryption in a Multi-Database Environment ■ Transparent Data Encryption Data Dictionary Views Oracle Wallet Management Transparent Data Encryption (TDE) stores the master encryption key in an Oracle wallet. The wallet can also be an auto login wallet that allows access to encrypted data without requiring a security administrator to explicitly open the wallet. Specifying a Separate Wallet for Transparent Data Encryption When determining which wallet to use, TDE first attempts to use the wallet specified by the parameter ENCRYPTION_WALLET_LOCATION. If the parameter is not set, then it attempts to use the wallet specified by the parameter WALLET_LOCATION. If this fails as well, then TDE looks for a wallet at the default database location. Oracle strongly recommends that you use a separate wallet for storing master encryption keys used by TDE. To designate a separate wallet, set the ENCRYPTION_ WALLET_LOCATION parameter in the sqlnet.ora file to point to the wallet used exclusively by TDE. "Sample sqlnet.ora File" on page A-1for an example of the syntax used to set this parameter See Also: Using an Auto Login Wallet You can create an auto login wallet with Oracle Wallet Manager or the orapki command-line utility. The auto login wallet allows convenient access to encrypted data across database instance restarts. You should not remove the PKCS#12 wallet (ewallet.p12 file) after the auto login wallet (.sso file) has been created. You need the PKCS#12 wallet to regenerate/rekey the master encryption key in future. Note: TDE uses an auto login wallet only if it is available at the correct location (ENCRYPTION_ WALLET_LOCATION, WALLET_LOCATION, or default wallet location), and the SQL command to open an encrypted wallet has not already been executed. If an auto login wallet is being used, you must not use the ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" command. 8-24 Oracle Database Advanced Security Administrator's Guide Managing Transparent Data Encryption See Also: ■ ■ "Using Auto Login" on page 14-14 for information about enabling auto login using Oracle Wallet Manager "Creating, Viewing, and Modifying Wallets with orapki" on page E-2 for information about enabling auto login and local auto login using the orapki command-line utility Creating Wallets When you create the master encryption key using the ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password" command, TDE checks to see if a wallet exists in the default or specified location. If no wallet exists, then a wallet is created automatically. In addition to the SQL command, you can also use Oracle Wallet Manager to create wallets. Oracle Wallet Manager is a full-featured tool that allows you to create wallets and to view and modify their content. You can also use the orapki command like utility to create wallets. See Also: ■ ■ Chapter 14, "Using Oracle Wallet Manager" for more information about Oracle Wallet Manager "Creating, Viewing, and Modifying Wallets with orapki" Backup and Recovery of Master Encryption Keys This section contains the following topics: ■ Backup and Recovery of Oracle Wallet ■ Backup and Recovery of PKI Key Pair Backup and Recovery of Oracle Wallet You cannot access any encrypted data without the master encryption key. As the master encryption key is stored in the Oracle wallet, the wallet should be periodically backed up in a secure location. You must back up a copy of the wallet whenever a new master encryption key is set. The Oracle wallet should not be backed up with the encrypted data. The wallet should be backed up separately. This is especially true when using the auto login wallet, which does not require a password to open. In case the backup tape gets lost, a malicious user should not be able to get both the encrypted data and the wallet. Recovery Manager (RMAN) does not back up the wallet as part of the database backup. When using a media manager like Oracle Secure Backup (OSB) with RMAN, OSB automatically excludes auto-open wallets (the cwallet.sso files). However, encryption wallets (the ewallet.p12 files) are not excluded automatically. It is a good practice to add the following exclude dataset statement to your OSB configuration: exclude name *.p12 This instructs OSB to exclude the encryption wallet from the backup set. If you lose the wallet that stores the master encryption key, you can restore access to encrypted data by copying the backed-up version of the wallet to the appropriate location. If the restored wallet was archived after the last time that the master encryption key was reset, then no additional action needs to be taken. Securing Stored Data Using Transparent Data Encryption 8-25 Managing Transparent Data Encryption If the restored wallet does not contain the most recent master encryption key, then you can recover old data up to the point when the master encryption key was reset by rolling back the state of the database to that point in time. All modifications to encrypted columns after the master encryption key was reset are lost. Backup and Recovery of PKI Key Pair TDE column encryption supports the use of PKI asymmetric key pairs as master encryption keys. This enables it to leverage existing key backup, escrow, and recovery facilities from leading certificate authority vendors. In current key escrow or recovery systems, the certificate authority with key recovery capabilities typically stores a version of the private key, or a piece of information that helps recover the private key. If the private key is lost, the user can recover the original key and certificate by contacting the certificate authority and initiating a key recovery process. Typically, the key recovery process is automated and requires the user to present certain authenticating credentials to the certificate authority. TDE puts no restrictions on the key recovery process other than that the recovered key and its associated certificate be a PKCS#12 file that can be imported into an Oracle wallet. This requirement is consistent with the key recovery mechanisms of leading certificate authorities. After obtaining the PKCS#12 file with the original certificate and private key, you need to create a new empty wallet in the same location as the previous wallet. To do this, you can use Oracle Wallet Manager. You can then import the PKCS#12 file into the wallet by using the same utility. You should choose a strong password to protect the wallet. After the wallet has been created and the correct certificates imported, log onto the database and execute the following command at the SQL prompt to complete the recovery process: SQL> ALTER SYSTEM SET ENCRYPTION KEY "certificate_id" IDENTIFIED BY "wallet_ password" To retrieve the certificate_id of the certificate in the wallet, query the V$WALLET fixed view after the wallet has been opened. Export and Import of Tables with Encrypted Columns The following points are important when exporting tables containing encrypted columns: ■ ■ Sensitive data should remain unintelligible during transport Authorized users should be able to decrypt the data after it is imported at the destination You can use the Oracle Data Pump utility to export and import tables containing encrypted columns. Oracle Data Pump makes use of the ENCRYPTION parameter to enable encryption of data in dump file sets. The ENCRYPTION parameter allows the following values: ■ ENCRYPTED_COLUMNS_ONLY: Encrypted columns are written to the dump file set in encrypted format ■ DATA_ONLY: All data is written to the dump file set in encrypted format ■ METADATA_ONLY: All metadata is written to the dump file set in encrypted format 8-26 Oracle Database Advanced Security Administrator's Guide Managing Transparent Data Encryption ■ ALL: All data and metadata is written to the dump file set in encrypted format ■ NONE: Encryption is not used for dump file sets The following steps discuss exporting and importing tables with encrypted columns using ENCRYPTION=ENCRYPTED_COLUMNS_ONLY: 1. You should ensure that the encryption wallet is open, before attempting to export tables containing encrypted columns. This is because the encrypted columns need to be decrypted using the table keys, which in turn requires access to the master encryption key. The columns are reencrypted using a password, before they are exported. 2. Use the ENCRYPTION_PASSWORD parameter to specify a password that is used to encrypt column data in the export dump file set. The following example exports the employee_data table: expdp hr TABLES=employee_data DIRECTORY=dpump_dir DUMPFILE=dpcd2be1.dmp ENCRYPTION=ENCRYPTED_COLUMNS_ONLY ENCRYPTION_PASSWORD=PWD2encrypt Password: password_for_hr 3. When importing data into the target database, you need to specify the same password. The password is used to decrypt the data. Data is reencrypted with the new table keys generated in the target database. The target database must have the wallet open to access the master encryption key. The following example imports the employee_data table: impdp hr TABLES=employee_data DIRECTORY=dpump_dir DUMPFILE=dpcd2be1.dmp ENCRYPTION_PASSWORD=PWD2encrypt Password: password_for_hr Oracle Data Pump functionality has been enhanced in Oracle Database 11g Release 2 (11.2). You can encrypt entire dump sets, as opposed to encrypting just transparent data encryption columns. The ENCRYPTION_MODE parameter enables you to specify the encryption mode. ENCRYPTION_MODE=DUAL encrypts the dump set using the master key stored in the wallet and the password provided. The following example uses dual encryption mode: expdp hr DIRECTORY=dpump_dir1 DUMPFILE=hr_enc.dmp ENCRYPTION=all ENCRYPTION_PASSWORD=PWD2encrypt ENCRYPTION_ALGORITHM=AES256 ENCRYPTION_MODE=dual Password: password_for_hr While importing, you can use either the password or the wallet master key to decrypt the data. If the password is not supplied, then the master key in the wallet is used to decrypt the data. The wallet must be present, and open, at the target database. The open wallet is also required to reencrypt column encryption data at the target database. You can use ENCRYPTION_MODE=TRANSPARENT to transparently encrypt the dump file set with the master encryption key stored in the wallet. A password is not required in this case. The wallet must be present, and open, at the target database, for successful decryption during import. The open wallet is also required to reencrypt column encryption data at the target database. Securing Stored Data Using Transparent Data Encryption 8-27 Managing Transparent Data Encryption See Also: ■ ■ "Overview of Data Pump", "Data Pump Export", and "Data Pump Import" in the Oracle Database Utilities Guide for details on using Oracle Data Pump and the associated encryption parameters. "Creating an Encrypted Column in an External Table" on page 8-11 Performance and Storage Overheads The overhead associated with Transparent Data Encryption (TDE) can be categorized into the following: ■ Performance Overheads ■ Storage Overheads Performance Overheads TDE tablespace encryption has small associated overheads. While the actual performance impact on applications can vary, it is roughly estimated to be in between 5% and 8%. TDE column encryption affects performance only when data is retrieved from or inserted into an encrypted column. No reduction in performance occurs for operations involving unencrypted columns, even if these columns are in a table containing encrypted columns. Accessing data in encrypted columns involves small overheads. The overhead associated with encrypting or decrypting a common attribute, such as credit card number, is estimated to be around 5%. This means that a SELECT operation (involves decryption) or an INSERT operation (involves encryption) would take roughly 5% more time than what it takes with clear text data. The total performance overhead depends on the number of encrypted columns and their frequency of access. The columns most appropriate for encryption are those containing the most sensitive data. "Using the NOMAC Parameter to Save Disk Space and Improve Performance" on page 8-10 See Also: Enabling encryption on an existing table results in a full table update like any other ALTER TABLE operation that modifies table characteristics. Administrators should keep in mind the potential performance and redo log impact on the database server before enabling encryption on a large existing table. A table can temporarily become inaccessible for write operations while encryption is being enabled, table keys are being rekeyed, or the encryption algorithm is being changed. You can use online table redefinition to ensure that the table is available for write operations during such procedures. "Redefining Tables Online" in Oracle Database Administrator's Guide See Also: If TDE column encryption is being enabled on a very large table, then the redo log size might need to be increased to accommodate the operation. It has also been observed that encrypting an indexed column takes more time than encrypting a column without indexes. If you need to encrypt a column that has an 8-28 Oracle Database Advanced Security Administrator's Guide Managing Transparent Data Encryption index built on it, you can try dropping the index, encrypting the column with NO SALT, and then re-creating the index. If you index an encrypted column, then the index is created on the encrypted values. When you query for a value in the encrypted column, Oracle transparently encrypts the value used in the SQL query. It then performs an index lookup using the encrypted value. If you need to perform range scans over indexed, encrypted, columns, then you should use TDE tablespace encryption in place of TDE column encryption. Note: Storage Overheads TDE tablespace encryption has no storage overheads. However, TDE column encryption has some associated storage overheads. Encrypted column data needs more storage space than clear text data. In addition, TDE pads out encrypted values to multiples of 16 bytes. This means that if a credit card number requires 9 bytes for storage, then an encrypted credit card value will require an additional 7 bytes. Each encrypted value is also associated with a 20-byte integrity check. This is not applicable if you have encrypted columns using the NOMAC parameter. Also, if data has been encrypted with salt, then each encrypted value requires an additional 16 bytes of storage. The maximum storage overhead for each encrypted value is 52 bytes. "Using the NOMAC Parameter to Save Disk Space and Improve Performance" on page 8-10 See Also: Security Considerations Security considerations for Transparent Data Encryption (TDE) operate within the broader arena of total system security. As a security administrator, you must identify the levels of risk to be addressed and the degrees of sensitivity of data maintained by the site. Costs and benefits must be evaluated for the alternative methods of achieving acceptable protections. In many cases, it makes sense to have separate security administrators, a separate wallet for TDE, and protected backup procedures for encrypted data. Having a separate wallet for TDE permits auto-login for other Oracle components but preserves password protection for the TDE wallet. Additional security considerations apply to normal database and network operations when using TDE. Encrypted column data stays encrypted in the data files, undo logs, redo logs, and the buffer cache of the system global area (SGA). However, data is decrypted during expression evaluation, making it possible for decrypted data to appear in the swap file on the disk. Privileged operating system users can potentially view this data. Column values encrypted using TDE are stored in the data files in encrypted form. However, these data files may still contain some clear-text fragments, called ghost copies, left over by past data operations on the table. This is similar to finding data on the disk after a file has been deleted by the operating system. Old clear-text fragments may be present for some time until the database overwrites the blocks containing such values. If privileged operating system users bypass the access controls of the database, they might be able to directly access these values in the data file holding the tablespace. You can use the following procedure to minimize this risk: Securing Stored Data Using Transparent Data Encryption 8-29 Managing Transparent Data Encryption 1. Create a new tablespace in a new data file. You can use the CREATE TABLESPACE statement. 2. Move the table containing encrypted columns to the new tablespace. You can use the ALTER TABLE.....MOVE statement. Repeat this step for all objects in the original tablespace. 3. Drop the original tablespace. You can use the DROP TABLESPACE tablespace INCLUDING CONTENTS KEEP DATAFILES statement. Oracle recommends that you securely delete data files using platform specific utilities. 4. Use platform and file system specific utilities to securely delete the old data file. Examples of such utilities include shred (on Linux) and sdelete (on Windows). Using Transparent Data Encryption in a Multi-Database Environment If there are multiple Oracle databases installed on the same server (for example, databases sharing the same Oracle binary but using different data files), then each database must access its own Transparent Data Encryption wallet. Wallets are not designed to be shared between databases. By design, there must be one wallet per database. You cannot use the same wallet for more than one database. To configure the sqlnet.ora file for a multi-database environment, use one of the following options: 1. If the databases share the same Oracle home, then keep the sqlnet.ora file in the default location, which is in the ORACLE_HOME/network/admin directory. In this case, it is ideal to use the default location. Ensure that the sqlnet.ora file has no WALLET_LOCATION or ENCRYPTION_WALLET_LOCATION entries. Transparent Data Encryption accesses the wallet from the default sqlnet.ora location if these two entries are not in the sqlnet.ora file. 2. If Option 1 is not feasible for your site, then you can specify the wallet location based on an environment variable setting, such as ORACLE_SID. For example: ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /home/oracle/wallet/$ORACLE_SID) 3. If Options 1 and 2 are not feasible, then use separate sqlnet.ora files, one for each database. Ensure that you have correctly set the TNS_ADMIN environment variable to point to the correct database configuration. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN variable. Caution: Using a wallet from another database can cause partial or complete data loss. Replication in Distributed Environments Oracle Data Guard supports Transparent Data Encryption (TDE). If the primary database uses TDE, then each standby database in a Data Guard configuration must have a copy of the encryption wallet from the primary database. If you reset the master encryption key in the primary database, then the wallet containing the master encryption key needs to be copied to each standby database. 8-30 Oracle Database Advanced Security Administrator's Guide Managing Transparent Data Encryption Encrypted data in log files remains encrypted when data is transferred to the standby database. Encrypted data also stays encrypted during transit. See Also: Appendix C in the Oracle Data Guard Concepts and Administration Guide for more information about the use of TDE with logical standby databases TDE works with SQL*Loader direct path loads. The data loaded into encrypted columns is transparently encrypted during the direct path load. Materialized views work with TDE tablespace encryption. You can create both materialized views and materialized view logs in encrypted tablespaces. Materialized views also work with TDE column encryption. However, materialized view logs cannot contain encrypted columns. See Also: "Materialized View Concepts and Architecture" in the Oracle Database Advanced Replication Guide for more information on materialized views Compression and Data Deduplication of Encrypted Data With tablespace encryption, Oracle Database compresses tables and indexes before encrypting the tablespace. This ensures that you receive the maximum space and performance benefits from compression, while also receiving the security of encryption at rest. In the CREATE TABLESPACE SQL statement, include both the COMPRESS and ENCRYPT clauses. With column encryption, Oracle Database compresses the data after it encrypts the column. This means that compression will have minimal effectiveness on encrypted columns. There is one notable exception: if the column is a SecureFiles LOB, and the encryption is implemented with SecureFiles LOB Encryption, and the compression (and possibly deduplication) are implemented with SecureFiles LOB Compression & Deduplication, then compression is performed before encryption. Similar to the CREATE TABLESPACE statement for tablespace encryption, include both the COMPRESS and ENCRYPT clauses. See Also: ■ ■ Oracle Database Backup and Recovery User's Guide for more information about the Advanced Compression Option Oracle Database SecureFiles and Large Objects Developer's Guide for information about SecureFiles LOB storage Transparent Data Encryption with OCI Row shipping cannot be used, because the key to make the row usable is not available at the receipt-point. Transparent Data Encryption in a Multi-Database Environment If there are multiple Oracle databases installed on the same server (for example, databases sharing the same Oracle binary but using different data files), then each database must access its own Transparent Data Encryption keystore. Wallets are not designed to be shared between databases. By design, there must be one wallet per database. You cannot use the same wallet for more than one database. Securing Stored Data Using Transparent Data Encryption 8-31 Managing Transparent Data Encryption To configure the sqlnet.ora file for a multi-database environment, use one of the following options: 1. If the databases share the same Oracle home, then keep the sqlnet.ora file in the default location, which is in the ORACLE_HOME/network/admin directory. In this case, it is ideal to use the default location. Ensure that the sqlnet.ora file has no WALLET_LOCATION or ENCRYPTION_WALLET_LOCATION entries. Transparent Data Encryption accesses the wallet from the default sqlnet.ora location if these two entries are not in the sqlnet.ora file. 2. If Option 1 is not feasible for your site, then you can specify the wallet location based on an environment variable setting, such as ORACLE_SID. For example: ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /home/oracle/wallet/$ORACLE_SID) 3. If Options 1 and 2 are not feasible, then use separate sqlnet.ora files, one for each database. Ensure that the TNS_ADMIN environment variable is correctly set to point to the correct database configuration. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN variable. Caution: Using a keystore from another database can cause partial or complete data loss. Transparent Data Encryption Data Dictionary Views The following data dictionary views maintain information about encryption details, tablespaces, and wallet details: ■ ALL_ENCRYPTED_COLUMNS The ALL_ENCRYPTED_COLUMNS view displays encryption information about encrypted columns in the tables accessible to the current user. Table 8–2 lists the information included in this view: Table 8–2 Description of the ALL_ENCRYPTED_COLUMNS Data Dictionary View Column Datatype NULL Description OWNER VARCHAR2(30) NOT NULL Owner of the table TABLE_NAME VARCHAR2(30) NOT NULL Name of the table COLUMN_NAME VARCHAR2(30) NOT NULL Name of the column ENCRYPTION_ALG VARCHAR2(29) SALT VARCHAR2(3) 8-32 Oracle Database Advanced Security Administrator's Guide Encryption algorithm used to protect secrecy of data in this table: ■ 3 Key Triple DES 168 bits key ■ AES 128 bits key ■ AES 192 bits key ■ AES 256 bits key Indicates whether the column is encrypted with SALT (YES) or not (NO) Managing Transparent Data Encryption Table 8–2 (Cont.) Description of the ALL_ENCRYPTED_COLUMNS Data Dictionary View Column Datatype INTEGRITY_ALG VARCHAR2(12) ■ NULL Description Integrity algorithm used for the table: ■ SHA-1 ■ NOMAC DBA_ENCRYPTED_COLUMNS The DBA_ENCRYPTED_COLUMNS view displays encryption information for all encrypted columns in the database. The view details are the same as the ALL_ ENCRYPTED_COLUMNS view. ■ USER_ENCRYPTED_COLUMNS The USER_ENCRYPTED_COLUMNS view displays encryption information for encrypted table columns in the user’s schema. The view details are the same as the ALL_ ENCRYPTED_COLUMNS view, except for the OWNER column. The OWNER column is not included, as data from only tables owned by the user are displayed. ■ V$ENCRYPTED_TABLESPACES The V$ENCRYPTED_TABLESPACES view displays information about the tablespaces that are encrypted. Table 8–3 lists the information included in this view: Table 8–3 Description of the V$ENCRYPTED_TABLESPACES View Column Datatype Description TS# NUMBER Tablespace number ENCRYPTIONALG VARCHAR2(7) Encryption algorithm: ENCRYPTEDTS ■ VARCHAR2(3) ■ NONE ■ 3DES168 ■ AES128 ■ AES192 ■ AES256 Indicates whether the tablespace is encrypted (YES) or not (NO) V$WALLET The V$WALLET view displays metadata information for a PKI certificate, which may be used as a master key for TDE. Table 8–4 summarizes the information included in this view. Table 8–4 Description of the V$WALLET View Column Datatype Description CERT_ID VARCHAR2(52) A unique certificate identifier value used to specify a particular PKI certificate for use as the master key DN VARCHAR2(255) Distinguished name of a particular PKI certificate SERIAL_NUM VARCHAR2(40) Unique serial number assigned to a certificate by the issuer or signer Securing Stored Data Using Transparent Data Encryption 8-33 Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption Table 8–4 (Cont.) Description of the V$WALLET View Column Datatype Description ISSUER VARCHAR2(255) Distinguished name of the Certificate Authority or issuer that issued and signed the certificate KEYSIZE NUMBER Size of the PKI key associated with the certificate STATUS VARCHAR2(16) Current status of the certificate: ■ UNUSED ■ IN USE ■ USED This column allows the user to identify whether a certificate is currently in use or has already been used for transparent database encryption. ■ V$ENCRYPTION_WALLET V$ENCRYPTION_WALLET displays information on the status of the wallet and the wallet location for TDE. Table 8–5 summarizes the information included in this view. Table 8–5 Description of the V$ENCRYPTION_WALLET View Column Datatype Description WRL_TYPE VARCHAR2(20) Type of the wallet resource locator (for example, FILE) WRL_PARAMETER VARCHAR2(4000) Parameter of the wallet resource locator (for example, absolute filename if WRL_TYPE = FILE) STATUS VARCHAR2(9) Status of the wallet: ■ OPEN ■ CLOSED ■ UNDEFINED ■ OPEN_NO_MASTER_KEY See Also: Oracle Database Reference for a full description of these data dictionary views. Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption This section uses a tutorial approach to help you get started with TDE column encryption and TDE tablespace encryption. We illustrate the following tasks using sample scenarios: ■ Prepare the Database for Transparent Data Encryption ■ Create a Table with an Encrypted Column ■ Create an Index on an Encrypted Column ■ Alter a Table to Encrypt an Existing Column ■ Create an Encrypted Tablespace ■ Create a Table in an Encrypted Tablespace 8-34 Oracle Database Advanced Security Administrator's Guide Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption Prepare the Database for Transparent Data Encryption In order to start using Transparent Data Encryption (TDE), let us first prepare the database by specifying an Oracle wallet location and setting the master encryption key. The following steps prepare the database to use TDE: 1. Specify an Oracle Wallet Location in the sqlnet.ora File 2. Create the Master Encryption Key 3. Open the Oracle Wallet Specify an Oracle Wallet Location in the sqlnet.ora File Open the sqlnet.ora file located in $ORACLE_HOME/network/admin. Enter the following line at the end of the file: ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/app/wallet))) Save the changes and close the file. You can choose any directory for the encrypted wallet, but the path should not point to the standard obfuscated wallet (cwallet.sso) created during the database installation. Note: Create the Master Encryption Key Next, we need to create the master encryption key, which is used to encrypt the table keys. Enter the following commands to create the master encryption key: SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Easy2rem"; The preceding command achieves the following: ■ ■ If no encrypted wallet is present in the directory specified, an encrypted wallet is created (ewallet.p12), the wallet is opened, and the master encryption key for TDE is created/re-created. If an encrypted wallet is present in the directory specified, the wallet is opened, and the master encryption key for TDE is created/re-created. Note: ■ ■ The master encryption key should only be created once, unless you want to reencrypt your data with a new encryption key. Only users with the ALTER SYSTEM privilege can create a master encryption key or open the wallet. Open the Oracle Wallet Every time the database is shut down, the Oracle wallet is closed. You can also explicitly close the wallet. You need to make sure that the Oracle wallet is open before you can perform any encryption or decryption operation. Use the following command to open the wallet containing the master encryption key: SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Easy2rem"; Securing Stored Data Using Transparent Data Encryption 8-35 Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption The password used with the preceding command is the same that you used to create the master encryption key. This becomes the password to open the wallet and make the master encryption key accessible. Note: Create a Table with an Encrypted Column We can now create tables with encrypted columns. Let us create a table called cust_ payment_info. This table contains a column called credit_card_number. The credit_ card_number column contains sensitive data, which we would like to encrypt. Use the following command to create the table: CREATE TABLE cust_payment_info (first_name VARCHAR2(11), last_name VARCHAR2(10), order_number NUMBER(5), credit_card_number VARCHAR2(16) ENCRYPT NO SALT, active_card VARCHAR2(3)); The table is created in the default tablespace of the user that issues this command. The credit_card_number column is encrypted without SALT. All data entered for the credit_card_number column would be encrypted on disk. Any user with access to the credit_card_number data can view the decrypted data. A database user or application need not be aware if the contents of a particular column are encrypted on the disk. You can now enter data into the table. The following example adds some sample data to the cust_payment_info table: INSERT INTO cust_payment_info VALUES ('Jon', 'Oldfield', 10001, '5446959708812985','YES'); INSERT INTO cust_payment_info VALUES ('Chris', 'White', 10002, '5122358046082560','YES'); INSERT INTO cust_payment_info VALUES ('Alan', 'Squire', 10003, '5595968943757920','YES'); INSERT INTO cust_payment_info VALUES ('Mike', 'Anderson', 10004, '4929889576357400','YES'); INSERT INTO cust_payment_info VALUES ('Annie', 'Schmidt', 10005, '4556988708236902','YES'); INSERT INTO cust_payment_info VALUES ('Elliott', 'Meyer', 10006, '374366599711820','YES'); INSERT INTO cust_payment_info VALUES ('Celine', 'Smith', 10007, '4716898533036','YES'); INSERT INTO cust_payment_info VALUES ('Steve', 'Haslam', 10008, '340975900376858','YES'); INSERT INTO cust_payment_info VALUES ('Albert', 'Einstein', 10009, '310654305412389','YES'); All data entered into the credit_card_number column is stored on the disk in encrypted form. Create an Index on an Encrypted Column You can create an index on an encrypted column if it has been encrypted without salt. Let us create an index on the credit_card_number column. The following command creates an index on the credit_card_number column: CREATE INDEX cust_payment_info_idx ON cust_payment_info (credit_card_number); 8-36 Oracle Database Advanced Security Administrator's Guide Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption Alter a Table to Encrypt an Existing Column You can use the ALTER TABLE command to alter an existing table. Let us alter a table called employees with no encrypted columns. The following command describes the employees table: SQL> DESC employees Name Null? ----------------------------------------- -------FIRSTNAME LASTNAME EMP_SSN DEPT Type ---------------------------VARCHAR2(11) VARCHAR2(10) VARCHAR2(9) VARCHAR2(20) The following command encrypts the emp_ssn column in the employees table: SQL> ALTER TABLE employees MODIFY (emp_ssn ENCRYPT); The following command describes the altered employees table: SQL> DESC employees Name Null? ----------------------------------------- -------FIRSTNAME LASTNAME EMP_SSN DEPT Type ---------------------------VARCHAR2(11) VARCHAR2(10) VARCHAR2(9) ENCRYPT VARCHAR2(20) All existing data in the emp_ssn column will now be encrypted on the disk. Data would be transparently decrypted for users, who otherwise have access to the data. Create an Encrypted Tablespace TDE tablespace encryption enables you to encrypt an entire tablespace. All data stored in the tablespace is encrypted by default. Thus, if you create any table in an encrypted tablespace, it is encrypted by default. You do not need to perform a granular analysis of each table column to determine the columns that need encryption. Let us create an encrypted tablespace to store encrypted tables. The following command creates an encrypted tablespace called securespace: SQL> CREATE TABLESPACE securespace 2 DATAFILE '/home/oracle/oracle3/product/11.1.0/db_1/secure01.dbf' 3 SIZE 150M 4 ENCRYPTION 5 DEFAULT STORAGE(ENCRYPT); Tablespace created. Create a Table in an Encrypted Tablespace If we create a table in an encrypted tablespace, then all data in the table is stored in encrypted form on the disk. The following command creates a table called, customer_ info_payment in an encrypted tablespace called, securespace. SQL> 2 3 4 CREATE TABLE customer_payment_info (first_name VARCHAR2(11), last_name VARCHAR2(10), order_number NUMBER(5), Securing Stored Data Using Transparent Data Encryption 8-37 Troubleshooting Transparent Data Encryption 5 credit_card_number VARCHAR2(16), 6 active_card VARCHAR2(3))TABLESPACE securespace; Table created. Troubleshooting Transparent Data Encryption This section lists common error messages that you may encounter while configuring and using Transparent Data Encryption (TDE). It also lists the common causes of these error messages and possible solutions for them. ORA-28330: encryption is not allowed for this data type Cause: Data type was not supported for column encryption. Action: None ORA-28331: encrypted column size too long for its data type Cause: column was encrypted and for VARCHAR2, the length specified was > 3932; for CHAR, the length specified was > 1932; for NVARCHAR2, the length specified was > 1966; for NCHAR, the length specified was > 966; Action: Reduce the column size. ORA-28332: cannot have more than one password for the encryption key Cause: More than one password was specified in the user command. Action: None ORA-28333: column is not encrypted Cause: An attempt was made to rekey or decrypt an unencrypted column. Action: None ORA-28334: column is already encrypted Cause: An attempt was made to encrypt an encrypted column. Action: None ORA-28335: referenced or referencing FK constraint column cannot be encrypted Cause: encrypted columns were involved in the referential constraint Action: None ORA-28336: cannot encrypt SYS owned objects Cause: An attempt was made to encrypt columns in a table owned by SYS. Action: None ORA-28337: the specified index may not be defined on an encrypted column Cause: Index column was either a functional, domain, or join index. Action: None ORA-28338: cannot encrypt indexed column(s) with salt Cause: An attempt was made to encrypt index column with salt. Action: Alter the table and specify column encrypting without salt. ORA-28339: missing or invalid encryption algorithm Cause: Encryption algorithm was missing or invalid in the user command. Action: Must specify a valid algorithm. 8-38 Oracle Database Advanced Security Administrator's Guide Troubleshooting Transparent Data Encryption ORA-28340: a different encryption algorithm has been chosen for the table Cause: Existing encrypted columns were associated with a different algorithm. Action: No need to specify an algorithm, or specify the same one for the existing encrypted columns. ORA-28341: cannot encrypt constraint column(s) with salt Cause: An attempt was made to encrypt constraint columns with salt. Action: Encrypt the constraint columns without salt. ORA-28342: integrity check fails on column key Cause: Encryption metadata may have been improperly altered. Action: None ORA-28343: fails to encrypt data Cause: data or encryption metadata may have been improperly altered or the security module may not have been properly setup Action: None ORA-28344: fails to decrypt data Cause: data or encryption metadata may have been improperly altered or the security module may not have been properly setup Action: None ORA-28345: cannot downgrade because there exists encrypted column Cause: An attempt was made to downgrade when there was an encrypted column in the system. Action: Decrypt these columns before attempting to downgrade. ORA-28346: an encrypted column cannot serve as a partitioning column Cause: An attempt was made to encrypt a partitioning key column or create partitioning index with encrypted columns. Action: The column must be decrypted. ORA-28347: encryption properties mismatch Cause: An attempt was made to issue an ALTER TABLE EXCHANGE PARTITION | SUBPARTITION command, but encryption properties were mismatched. Action: Make sure encryption algorithms and columns keys are identical. The corresponding columns must be encrypted on both tables with the same salt and non-salt flavor. ORA-28348: index defined on the specified column cannot be encrypted Cause: An attempt was made to encrypt a column which is in a functional index, domain index, or join index. Action: drop the index ORA-28349: cannot encrypt the specified column recorded in the materialized view log Cause: An attempt was made to encrypt a column which is already recorded in the materialized view log. Action: drop the materialized view log Securing Stored Data Using Transparent Data Encryption 8-39 Troubleshooting Transparent Data Encryption ORA-28350: cannot encrypt the specified column recorded in CDC synchronized change table Cause: An attempt was made to encrypt a column which is already recorded in CDC synchronized change table. Action: drop the synchronized change table ORA-28351: cannot encrypt the column of a cluster key Cause: An attempt was made to encrypt a column of the cluster key. A column of the cluster key in a clustered table cannot be encrypted. Action: None ORA-28353: failed to open wallet Cause: The database was unable to open the security module wallet due to an incorrect wallet path or password It is also possible that a wallet has not been created. Action: Execute the command again using the correct wallet password or verifying a wallet exists in the specified directory. If necessary, create a new wallet and initialize it. ORA-28354: wallet already open Cause: The security module wallet has already been opened. Action: None ORA-28356: invalid open wallet syntax Cause: The command to open the wallet contained improper spelling or syntax. Action: If attempting to open the wallet, verify the spelling and syntax and execute the command again. ORA-28357: password required to open the wallet Cause: A password was not provided when executing the open wallet command. Action: Retry the command with a valid password. ORA-28358: improper set key syntax Cause: The command to set the master key contained improper spelling or syntax. Action: If attempting to set the master key for Transparent Database Encryption, verify the spelling and syntax and execute the command again. ORA-28359: invalid certificate identifier Cause: The certificate specified did not exist in the wallet. Action: Query the V$WALLET fixed view to find the proper certificate identifier for certificate to be used. ORA-28361: master key not yet set Cause: The master key for the instance was not set. Action: Execute the ALTER SYSTEM SET KEY command to set a master key for the database instance. ORA-28362: master key not found Cause: The required master key required could not be located. This may be caused by the use of an invalid or incorrect wallet. 8-40 Oracle Database Advanced Security Administrator's Guide Troubleshooting Transparent Data Encryption Action: Check wallet location parameters to see if they specify the correct wallet. Also, verify that an SSO wallet is not being used when an encrypted wallet is intended. ORA-28363: buffer provided not large enough for output Cause: A provided output buffer is too small to contain the output. Action: Check the size of the output buffer to make sure it is initialized to the proper size. ORA-28364: invalid wallet operation Cause: The command to operate the wallet contained improper spelling or syntax. Action: Verify the spelling and syntax and execute the command again. ORA-28365: wallet is not open Cause: The security module wallet has not been opened. Action: Open the wallet. ORA-28366: invalid database encryption operation Cause: The command for database encryption contained improper spelling or syntax. Action: Verify the spelling and syntax and execute the command again. ORA-28367: wallet does not exist Cause: The Oracle wallet has not been created or the wallet location parameters in sqlnet.ora specifies an invalid wallet path. Action: Verify that the WALLET_LOCATION or the ENCRYPTION_WALLET_ LOCATION parameter is correct and that a valid wallet exists in the path specified. ORA-28368: cannot auto-create wallet Cause: The database failed to auto create an Oracle wallet. The Oracle process may not have proper file permissions or a wallet may already exist. Action: Confirm that proper directory permissions are granted to the Oracle user and that neither an encrypted or obfuscated wallet exists in the specified wallet location and try again. ORA-28369: cannot add files to encryption-ready tablespace when offline Cause: You attempted to add files to an encryption-ready tablespace when all the files in the tablespace were offline. Action: Bring the tablespace online and try again ORA-28370: ENCRYPT storage option not allowed Cause: You attempted to specify the ENCRYPT storage option. This option may only be specified during CREATE TABLESPACE. Action: Remove this option and retry the statement. ORA-28371: ENCRYPTION clause and/or ENCRYPT storage option not allowed Cause: You attempted to specify the ENCRYPTION clause or ENCRYPT storage option for creating TEMP or UNDO tablespaces. Action: Remove these options and retry the statement. ORA-28372: missing ENCRYPT storage option for encrypted tablespace Securing Stored Data Using Transparent Data Encryption 8-41 Transparent Data Encryption Reference Information Cause: You attempted to specify ENCRYPTION property for CREATE TABLESPACE without specifying ENCRYPT storage option to encrypt the tablespace. Action: Add ENCRYPT storage option and retry the statement. ORA-28373: missing ENCRYPTION clause for encrypted tablespace Cause: You attempted to specify storage option ENCRYPT in CREATE TABLESPACE without specifying ENCRYPTION property to encrypt the tablespace. Action: Add ENCRYPTION clause and retry the statement. ORA-28374: typed master key not found in wallet Cause: You attempted to access encrypted tablespace or redo logs with a typed master key not existing in the wallet. Action: Copy the correct Oracle Wallet from the instance where the tablespace was created. ORA-28375: cannot perform cross-endianism conversion on encrypted tablespace Cause: You attempted to perform cross-endianism conversion on encrypted tablespace. Action: Cross-endianism conversion on encrypted tablespace is not supported. ORA-28376: cannot find PKCS11 library Cause: The HSM vendor's library cannot be found. Action: Place the HSM vendor's library in the following directory structure: For Unix like system: /opt/oracle/extapi/[32,64]/hsm/{VENDOR}/{VERSION}/lib . For Windows systems: %SYSTEM_ DRIVE%\oracle\extapi\[32,64]\hsm\{VENDOR}\{VERSION}\lib . [32, 64] - refers to 32bit or 64bit binary. {VENDOR} - The name of the vendor supplying the library. {VERSION} - Version of the library, preferably in num#.num#.num# for// mat. ORA-28377: No need to migrate from wallet to HSM Cause: There are either no encrypted columns or all column keys are already encrypted with the HSM master key. Action: No action required. ORA-28378: Wallet not open after setting the Master Key Cause: The Master Key has been set or reset. However, wallet could not be reopened successfully. Action: Reopen the wallet. Transparent Data Encryption Reference Information This section includes the following topics: ■ Supported Encryption and Integrity Algorithms ■ Quick Reference: Transparent Data Encryption SQL Commands 8-42 Oracle Database Advanced Security Administrator's Guide Transparent Data Encryption Reference Information Supported Encryption and Integrity Algorithms By default, Transparent Data Encryption (TDE) uses the Advanced Encryption Standard with a 192-bit length cipher key (AES192). In addition, salt is added by default to cleartext before encryption unless specified otherwise. Note that salt cannot be added to indexed columns that you want to encrypt. For indexed columns, choose the NO SALT parameter for the SQL ENCRYPT clause. You can change encryption algorithms and encryption keys on existing encrypted columns by setting a different algorithm with the SQL ENCRYPT clause. See Also: ■ ■ Example 8–4 on page 8-10 for the correct syntax when choosing the NO SALT parameter for the SQL ENCRYPT clause "Changing the Encryption Key or Algorithm for Tables with Encrypted Columns" on page 8-14 for syntax examples when setting a different algorithm with the SQL ENCRYPT clause Table 8–6 lists the supported encryption algorithms. Table 8–6 Supported Encryption Algorithms for Transparent Data Encryption Algorithm Key Size Parameter Name Triple DES (Data Encryption Standard) 168 bits 3DES168 AES (Advanced Encryption Standard) 128 bits AES128 AES 192 bits (default) AES192 AES 256 bits AES256 For integrity protection, the SHA-1 hashing algorithm is used. Quick Reference: Transparent Data Encryption SQL Commands Table 8–7 provides a summary of the SQL commands you can use to implement and manage transparent data encryption. Table 8–7 Transparent Data Encryption SQL Commands Quick Reference Task SQL Command Add encrypted column to existing table ALTER TABLE table_name ADD (column_name datatype ENCRYPT); Create table and encrypt column CREATE TABLE table_name (column_name datatype ENCRYPT); Encrypt unencrypted existing column ALTER TABLE table_name MODIFY (column_name ENCRYPT); Master encryption key: set or reset ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password"; Master encryption key: set or reset to use PKI certificate ALTER SYSTEM SET ENCRYPTION KEY "certificate_ID" IDENTIFIED BY "password"; Wallet: open to access master encryption key ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"; Securing Stored Data Using Transparent Data Encryption 8-43 Transparent Data Encryption Reference Information 8-44 Oracle Database Advanced Security Administrator's Guide 9 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 9 This chapter describes how to configure native Oracle Net Services data encryption and integrity for Oracle Advanced Security. It contains the following topics: ■ Oracle Advanced Security Encryption ■ Oracle Advanced Security Data Integrity ■ Diffie-Hellman Based Key Negotiation ■ How To Configure Data Encryption and Integrity Oracle Advanced Security Encryption The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasible) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key. In a symmetric cryptosystem, the same key is used both for encryption and decryption of the same data. Oracle Advanced Security provides the Advanced Encryption Standard (AES) and 3DES symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic. This section describes data encryption algorithms available in the current release of Oracle Advanced Security: ■ Advanced Encryption Standard ■ Triple-DES Support Prior to Release 8.1.7, Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export each with different key lengths. This release now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition. Users deploying prior versions of the product can obtain the Domestic edition for a specific product release. Note: Advanced Encryption Standard Oracle Advanced Security supports the Federal Information Processing Standard (FIPS) encryption algorithm, Advanced Encryption Standard (AES). AES can be used by all U.S. government organizations and businesses to protect sensitive data over a network. This encryption algorithm defines three standard key lengths, which are Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 9-1 Oracle Advanced Security Data Integrity 128-bit, 192-bit, and 256-bit. All versions operate in outer Cipher Block Chaining (CBC) mode. Triple-DES Support Oracle Advanced Security supports Triple-DES encryption (3DES), which encrypts message data with three passes of the DES algorithm. 3DES provides a high degree of message security, but with a performance penalty. The magnitude of the performance penalty depends on the speed of the processor performing the encryption. 3DES typically takes three times as long to encrypt a data block when compared to the standard DES algorithm. 3DES is available in two-key and three-key versions, with effective key lengths of 112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block Chaining (CBC) mode. 3DES has been replaced by AES as the encryption algorithm of choice for commercial and government uses Note: Oracle Advanced Security Data Integrity Encryption of network data provides data privacy so that unauthorized parties are not able to view plaintext data as it passes over the network. Oracle Advanced Security also provides protection against two forms of active attack. Table 9–1 provides information about these attacks. Table 9–1 Two Forms of Attack Type of Attack Explanation Data modification attack An unauthorized party intercepting data in transit, altering it, and retransmitting it is a data modification attack. For example, intercepting a $100 bank deposit, changing the amount to $10,000, and retransmitting the higher amount is a data modification attack. Replay attack Repetitively retransmitting an entire set of valid data is a replay attack, such as intercepting a $100 bank withdrawal and retransmitting it ten times, thereby receiving $1,000. Data Integrity Algorithms Supported Oracle Advanced Security lets you select a keyed, sequenced implementation of the Secure Hash Algorithm (SHA-1) to protect against both of these forms of attack. Both of these hash algorithms create a checksum that changes if the data is altered in any way. This protection operates independently from the encryption process so you can enable data integrity with or without enabling encryption. See Also: "Configuring Integrity on the Client and the Server" on page 9-7 Diffie-Hellman Based Key Negotiation Secure key distribution is difficult in a multiuser environment. Oracle Advanced Security uses the well known Diffie-Hellman key negotiation algorithm to perform secure key distribution for both encryption and data integrity. 9-2 Oracle Database Advanced Security Administrator's Guide How To Configure Data Encryption and Integrity When encryption is used to protect the security of encrypted data, keys must be changed frequently to minimize the effects of a compromised key. Accordingly, the Oracle Advanced Security key management function changes the session key with every session. Authentication Key Fold-in The purpose of Authentication Key Fold-in is to defeat a possible third-party attack (historically called the man-in-the-middle attack) on the Diffie-Hellman key negotiation. It strengthens the session key significantly by combining a shared secret, known only to the client and the server, with the original session key negotiated by Diffie-Hellman. The client and the server begin communicating using the session key generated by Diffie-Hellman. When the client authenticates to the server, they establish a shared secret that is only known to both parties. Oracle Advanced Security combines the shared secret and the Diffie-Hellman session key to generate a stronger session key designed to defeat a man-in-the-middle attack. The authentication key fold-in function is an imbedded feature of Oracle Advanced Security and requires no configuration by the system or network administrator. Note: How To Configure Data Encryption and Integrity This section describes how to configure Oracle Advanced Security native Oracle Net Services encryption and integrity and presumes the prior installation of Oracle Net Services. The network or security administrator sets up the encryption and integrity configuration parameters. The profile on client and server systems using data encryption and integrity (sqlnet.ora file) must contain some or all of the parameters listed in this section, under the following topics: ■ About Activating Encryption and Integrity ■ About Negotiating Encryption and Integrity ■ Configuring Encryption and Integrity Parameters Using Oracle Net Manager Chapter 13, "Configuring Secure Sockets Layer Authentication", to configure the SSL feature for encryption, integrity, and authentication See Also: About Activating Encryption and Integrity In any network connection, it is possible for both the client and server to support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files. The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed. Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and the servers on the network. Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 9-3 How To Configure Data Encryption and Integrity You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms (Table 9–3), and the available integrity algorithm (SHA-1). Only one encryption algorithm and one integrity algorithm are used for each connect session. Note: Oracle Advanced Security selects the first encryption algorithm and the first integrity algorithm enabled on the client and the server. Oracle recommends that you select algorithms and key lengths in the order in which you prefer negotiation, choosing the strongest key length first. Appendix A, "Data Encryption and Integrity Parameters" See Also: About Negotiating Encryption and Integrity To negotiate whether to turn on encryption or integrity, you can specify four possible values for the Oracle Advanced Security encryption and integrity configuration parameters. The four values are listed in the order of increasing security. The value REJECTED provides the minimum amount of security between client and server communications, and the value REQUIRED provides the maximum amount of network security: ■ REJECTED ■ ACCEPTED ■ REQUESTED ■ REQUIRED The default value for each of the parameters is ACCEPTED. Oracle Database servers and clients are set to ACCEPT encrypted connections out of the box. This means that you can enable the desired encryption and integrity settings for a connection pair by configuring just one side of the connection, server-side or client-side. So, for example, if there are many Oracle clients connecting to an Oracle database, you can configure the required encryption and integrity settings for all these connections by making the appropriate sqlnet.ora changes at the server end. You do not need to implement configuration changes for each client separately. REJECTED Select this value if you do not elect to enable the security service, even if required by the other side. In this scenario, this side of the connection specifies that the security service is not permitted. If the other side is set to REQUIRED, the connection terminates with error message ORA-12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without error and without the security service enabled. ACCEPTED Select this value to enable the security service if required or requested by the other side. 9-4 Oracle Database Advanced Security Administrator's Guide How To Configure Data Encryption and Integrity In this scenario, this side of the connection does not require the security service, but it is enabled if the other side is set to REQUIRED or REQUESTED. If the other side is set to REQUIRED or REQUESTED, and an encryption or integrity algorithm match is found, the connection continues without error and with the security service enabled. If the other side is set to REQUIRED and no algorithm match is found, the connection terminates with error message ORA-12650. If the other side is set to REQUESTED and no algorithm match is found, or if the other side is set to ACCEPTED or REJECTED, the connection continues without error and without the security service enabled. REQUESTED Select this value to enable the security service if the other side permits it. In this scenario, this side of the connection specifies that the security service is desired but not required. The security service is enabled if the other side specifies ACCEPTED, REQUESTED, or REQUIRED. There must be a matching algorithm available on the other side, otherwise the service is not enabled. If the other side specifies REQUIRED and there is no matching algorithm, the connection fails. REQUIRED Select this value to enable the security service or preclude the connection. In this scenario, this side of the connection specifies that the security service must be enabled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on the other side. Table 9–2 shows whether the security service is enabled, based on a combination of client and server configuration parameters. If either the server or client has specified REQUIRED, the lack of a common algorithm causes the connection to fail. Otherwise, if the service is enabled, lack of a common service algorithm results in the service being disabled. Table 9–2 Encryption and Data Integrity Negotiations Client Setting Server Setting Encryption and Data Negotiation REJECTED REJECTED OFF ACCEPTED REJECTED OFF REQUESTED REJECTED OFF REQUIRED REJECTED Connection fails REJECTED ACCEPTED OFF ACCEPTED ACCEPTED OFF1 REQUESTED ACCEPTED ON REQUIRED ACCEPTED ON REJECTED REQUESTED OFF ACCEPTED REQUESTED ON REQUESTED REQUESTED ON REQUIRED REQUESTED ON REJECTED REQUIRED Connection fails Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 9-5 How To Configure Data Encryption and Integrity Table 9–2 (Cont.) Encryption and Data Integrity Negotiations Client Setting Server Setting Encryption and Data Negotiation ACCEPTED REQUIRED ON REQUESTED REQUIRED ON REQUIRED REQUIRED ON 1 This value defaults to OFF. Cryptography and data integrity are not enabled until the user changes this parameter by using Oracle Net Manager or by modifying the sqlnet.ora file. Configuring Encryption and Integrity Parameters Using Oracle Net Manager You can set up or change encryption and integrity parameter settings using Oracle Net Manager. This section describes the following topics: ■ Configuring Encryption on the Client and the Server ■ Configuring Integrity on the Client and the Server See Also: ■ ■ Appendix A, "Data Encryption and Integrity Parameters", for valid encryption algorithms Oracle Net Manager online help, for more detailed configuration information Configuring Encryption on the Client and the Server Use Oracle Net Manager to configure encryption on the client and on the server (See Also "Starting Oracle Net Manager" on page 2-2). The steps to configure Oracle Net Manager are: 1. Navigate to the Oracle Advanced Security profile (For details, refer to "Navigating to the Oracle Advanced Security Profile" on page 2-2). 2. Click the Encryption tab. 3. Select CLIENT or SERVER option from the Integrity box. 4. From the Encryption Type list, select one of the following: ■ REQUESTED ■ REQUIRED ■ ACCEPTED ■ REJECTED 5. (Optional) In the Encryption Seed field, enter between 10 and 70 random characters. The encryption seed for the client should not be the same as that for the server. 6. Select an encryption algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow (>). Repeat for each additional method you want to use. 7. Select File, Save Network Configuration. The sqlnet.ora file is updated. 8. Repeat this procedure to configure encryption on the other system. The sqlnet.ora file on the two systems should contain the following entries: ■ On the server: 9-6 Oracle Database Advanced Security Administrator's Guide How To Configure Data Encryption and Integrity SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required] SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_ encryption_algorithm]) ■ On the client: SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required] SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_ encryption_algorithm]) Valid encryption algorithms and their associated legal values are summarized by Table 9–3: Table 9–3 Valid Encryption Algorithms Algorithm Name Legal Value RC4 256-bit key RC4_256 RC4 128-bit key RC4_128 RC4 56-bit key RC4_56 RC4 40-bit key RC4_40 AES 256-bit key AES256 AES 192-bit key AES192 AES 128-bit key AES128 3-key 3DES 3DES168 2-key 3DES 3DES112 DES 56-bit key DES DES 40-bit key DES40 Configuring Integrity on the Client and the Server Use Oracle Net Manager to configure data integrity on the client and on the server. See Also: "Starting Oracle Net Manager" on page 2-2 1. Navigate to the Oracle Advanced Security profile. (For details, refer to "Navigating to the Oracle Advanced Security Profile" on page 2-2) The Oracle Advanced Security tabbed window is displayed. 2. Click the Integrity tab. 3. Depending upon which system you are configuring, select the Server or Client from the Integrity box. 4. From the Checksum Level list, select one of the following checksum level values: 5. ■ REQUESTED ■ REQUIRED ■ ACCEPTED ■ REJECTED Select an integrity algorithm in the Available Methods list. Move it to the Selected Methods list by choosing the right arrow (>). Repeat for each additional method you want to use. Configuring Network Data Encryption and Integrity for Oracle Servers and Clients 9-7 How To Configure Data Encryption and Integrity 6. Select File, Save Network Configuration. The sqlnet.ora file is updated. 7. Repeat this procedure to configure integrity on the other system. The sqlnet.ora file on the two systems should contain the following entries: ■ On the server: SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted | rejected | requested | required] SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm]) ■ On the client: SQLNET.CRYPTO_CHECKSUM_CLIENT = [accepted | rejected | requested | required] SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm]) The valid integrity algorithm is SHA-1 and its associated legal value is SHA1. 9-8 Oracle Database Advanced Security Administrator's Guide 10 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10 This chapter describes the Java implementation of Oracle Advanced Security, which lets thin Java Database Connectivity (JDBC) clients securely connect to Oracle Databases. This chapter contains the following topics: ■ About the Java Implementation ■ Configuration Parameters See Also: Oracle Database JDBC Developer's Guide and Reference, for information about JDBC, including examples About the Java Implementation The Java implementation of Oracle Advanced Security provides network authentication, encryption and integrity protection for Thin JDBC clients communicating with Oracle Databases that have Oracle Advanced Security enabled. This section contains the following topics: ■ Java Database Connectivity Support ■ Securing Thin JDBC ■ Implementation Overview ■ Obfuscation Java Database Connectivity Support Java Database Connectivity (JDBC), an industry-standard Java interface, is a Java standard for connecting to a relational database from a Java program. Sun Microsystems defined the JDBC standard and Oracle implements and extends the standard with its own JDBC drivers. Oracle JDBC drivers are used to create JDBC applications to communicate with Oracle databases. Oracle implements two types of JDBC drivers: Thick JDBC drivers built on top of the C-based Oracle Net client, as well as a Thin (Pure Java) JDBC driver to support downloadable applets. Oracle extensions to JDBC include the following features: ■ Data access and manipulation ■ LOB access and manipulation ■ Oracle object type mapping Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10-1 About the Java Implementation ■ Object reference access and manipulation ■ Array access and manipulation ■ Application performance enhancement Securing Thin JDBC As the Thin JDBC driver is designed to be used with downloadable applets used over the Internet, Oracle designed a 100% Java implementation of Oracle Advanced Security authentication, encryption, and integrity algorithms, for use with thin clients. Oracle Advanced Security provides the following features for Thin JDBC: ■ Strong Authentication ■ Data encryption ■ Data integrity checking ■ Secure connections from Thin JDBC clients to the Oracle RDBMS ■ ■ ■ Ability for developers to build applets that transmit data over a secure communication channel Secure connections from middle tier servers with Java Server Pages (JSP) to the Oracle RDBMS Secure connections from Oracle Database 11g Release 2 (11.2) to older versions of Oracle databases with Oracle Advanced Security installed The Oracle JDBC Thin driver supports Oracle Advanced Security SSL implementation and third party authentication methods such as RADIUS and Kerberos. Thin JDBC support for authentication methods like RADIUS, Kerberos, and SSL were introduced in Oracle Database 11g Release 1 (11.1). The Oracle Advanced Security Java implementation provides Java versions of the following encryption algorithms: ■ AES256: AES 256-bit key ■ AES192: AES 192-bit key ■ AES128: AES 128-bit key ■ 3DES168: 3-key 3DES ■ 3DES112: 2-key 3DES In the preceding list of algorithms, CBC refers to the Cipher Block Chaining mode. Note: Thin JDBC support for the Advanced Encryption Standard (AES) has been newly introduced in Oracle Database 11g Release 2 (11.2). In addition, this implementation provides data integrity checking for Thin JDBC using Secure Hash Algorithm (SHA1). Thin JDBC support for SHA1 was introduced in Oracle Database 11g Release 1 (11.1). See Also: Oracle Database JDBC Developer's Guide and Reference for details on configuring authentication, encryption, and integrity for thin JDBC clients 10-2 Oracle Database Advanced Security Administrator's Guide Configuration Parameters Implementation Overview On the server side, the negotiation of algorithms and the generation of keys function exactly the same as Oracle Advanced Security native encryption. This enables backward and forward compatibility of clients and servers. On the client side, the algorithm negotiation and key generation occur in exactly the same manner as OCI clients. The client and server negotiate encryption algorithms, generate random numbers, use Diffie-Hellman to exchange session keys, and use the Oracle Password Protocol, in the same manner as the traditional Oracle Net clients. Thin JDBC contains a complete implementation of a Oracle Net client in pure Java. Obfuscation The Java cryptography code is obfuscated. Obfuscation protects Java classes and methods that contain encryption and decryption capabilities with obfuscation software. Java byte code obfuscation is a process frequently used to protect intellectual property written in the form of Java programs. It mixes up Java symbols found in the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls. Configuration Parameters A properties class object containing several configuration parameters is passed to the Oracle Advanced Security interface. All JDBC connection properties including the ones pertaining to Oracle Advanced Security are defined as constants in the oracle.jdbc.OracleConnection interface. The following list enumerates some of these connection properties: ■ CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter ■ CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter ■ CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter ■ CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter ■ CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter See Also: Oracle Database JDBC Developer's Guide and Reference for detailed information on configuration parameters and configuration examples CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter This parameter defines the level of security that the client wants to negotiate with the server. Table 10–1 describes this parameters attributes. Table 10–1 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Attributes Attribute Description Parameter Type String Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10-3 Configuration Parameters Table 10–1 (Cont.) CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Attribute Description Parameter Class Static Permitted Values REJECTED; ACCEPTED; REQUESTED; REQUIRED Default Value ACCEPTED Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_ENCRYPTION_LEVEL,level); where prop is an object of the Properties class Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_ENCRYPTION_LEVEL,"REQUIRED"); where prop is an object of the Properties class CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter This parameter defines the encryption algorithm to be used. Table 10–2 describes this parameter's attributes. Table 10–2 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Attributes Attribute Description Parameter Type String Parameter Class Static Permitted Values AES256,AES192, AES128, 3DES168, 3DES112 Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_ENCRYPTION_TYPES,algorithm); where prop is an object of the Properties class Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_ENCRYPTION_TYPES, "( AES256, AES192 )"); where prop is an object of the Properties class CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter This parameter defines the level of security that it wants to negotiate with the server for data integrity. Table 10–3 describes this parameter's attributes. Table 10–3 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Attributes Attribute Description Parameter Type String Parameter Class Static Permitted Values REJECTED; ACCEPTED; REQUESTED; REQUIRED Default Value ACCEPTED Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_CHECKSUM_LEVEL,level); where prop is an object of the Properties class Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_CHECKSUM_LEVEL,"REQUIRED"); where prop is an object of the Properties class 10-4 Oracle Database Advanced Security Administrator's Guide Configuration Parameters CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter This parameter defines the data integrity algorithm to be used. Table 10–4 describes this parameter's attributes. Table 10–4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Attributes Attribute Description Parameter Type String Parameter Class Static Permitted Values SHA1 Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_CHECKSUM_TYPES, algorithm); where prop is an object of the Properties class Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_CHECKSUM_TYPES,"( SHA1 )"); where prop is an object of the Properties class CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter This parameter determines the authentication service to be used. Table 10–5 describes this parameter’s attributes. Table 10–5 Attributes CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Attribute Description Parameter Type String Parameter Class Static Permitted Values RADIUS, KERBEROS, SSL Syntax prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_AUTHENTICATION_SERVICES,authentication); where prop is an object of the Properties class Example prop.setProperty(OracleConnection.CONNECTION_PROPERTY_ THIN_NET_AUTHENTICATION_SERVICES,"( RADIUS, KERBEROS, SSL)"); where prop is an object of the Properties class AnoServices Constants The oracle.net.ano.AnoServices interface has been updated in this release to include the names of all the encryption, authentication, and checksum algorithms supported by the JDBC Thin driver. The following constants have been added to the oracle.net.ano.AnoServices interface: // ---- SUPPORTED ENCRYPTION ALG ----public static final String ENCRYPTION_3DES112 = "3DES112"; public static final String ENCRYPTION_3DES168 = "3DES168"; public static final String ENCRYPTION_AES128 = "AES128"; public static final String ENCRYPTION_AES192 = "AES192"; public static final String ENCRYPTION_AES256 = "AES256"; // ---- SUPPORTED INTEGRITY ALG ---public static final String CHECKSUM_SHA1 = "SHA1"; // ---- SUPPORTED AUTHENTICATION ADAPTORS ---- Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10-5 Configuration Parameters public static final String AUTHENTICATION_RADIUS = "RADIUS"; public static final String AUTHENTICATION_KERBEROS = "KERBEROS"; You can use these constants to set the encryption, integrity, and authentication parameters. Example 10–1 illustrates one such scenario. Example 10–1 Using AnoServices Constants in JDBC Client Code import java.sql.*; import java.util.Properties; import oracle.jdbc.*; import oracle.net.ano.AnoServices; /** * JDBC thin driver demo: new security features in 11gR1. * * This program attempts to connect to the database using the JDBC thin * driver and requires the connection to be encrypted with either AES256 or AES192 * and the data integrity to be verified with SHA1. * * In order to activate encryption and checksumming in the database you need to * modify the sqlnet.ora file. For example: * * SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,AES192,AES128) * SQLNET.ENCRYPTION_SERVER = accepted * SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1) * SQLNET.CRYPTO_CHECKSUM_SERVER = accepted * * This output of this program is: * Connection created! Encryption algorithm is: AES256, data integrity algorithm * is: SHA1 * */ public class DemoAESAndSHA1 { static final String USERNAME= "hr"; static final String PASSWORD= "hr"; static final String URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=somehost.us.example.c om)(PORT=5561))" +"(CONNECT_DATA=(SERVICE_NAME=itydemo.regress.rdbms.dev.us.example.com)))"; public static final void main(String[] argv) { DemoAESAndSHA1 demo = new DemoAESAndSHA1(); try { demo.run(); }catch(SQLException ex) { ex.printStackTrace(); } } void run() throws SQLException { OracleDriver dr = new OracleDriver(); Properties prop = new Properties(); // We require the connection to be encrypted with either AES256 or AES192. // If the database doesn't accept such a security level, then the connection // attempt will fail. prop.setProperty( 10-6 Oracle Database Advanced Security Administrator's Guide Configuration Parameters OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL,AnoServices.ANO_ REQUIRED); prop.setProperty( OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "( " + AnoServices.ENCRYPTION_AES256 + "," +AnoServices.ENCRYPTION_AES192 + ")"); // We also require the use of the SHA1 algorithm for data integrity checking. prop.setProperty( OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL,AnoServices.ANO_ REQUIRED); prop.setProperty( OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, "( " + AnoServices.CHECKSUM_SHA1 + " )"); prop.setProperty("user",DemoAESAndSHA1.USERNAME); prop.setProperty("password",DemoAESAndSHA1.PASSWORD); OracleConnection oraConn = (OracleConnection)dr.connect(DemoAESAndSHA1.URL,prop); System.out.println("Connection created! Encryption algorithm is: "+oraConn.getEncryptionAlgorithmName() +", data integrity algorithm is: "+oraConn.getDataIntegrityAlgorithmName()); oraConn.close(); } } Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients 10-7 Configuration Parameters 10-8 Oracle Database Advanced Security Administrator's Guide Part IV Part IV Oracle Advanced Security Strong Authentication This part describes how to configure strong authentication methods for the Oracle network. Part III contains the following chapters: ■ Chapter 11, "Configuring RADIUS Authentication" ■ Chapter 12, "Configuring Kerberos Authentication" ■ Chapter 13, "Configuring Secure Sockets Layer Authentication" ■ Chapter 14, "Using Oracle Wallet Manager" ■ Chapter 15, "Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security" 11 1 Configuring RADIUS Authentication This chapter describes how to configure an Oracle Database server for use with RADIUS (Remote Authentication Dial-In User Service). It contains the following topics: ■ About RADIUS ■ RADIUS Authentication Modes ■ Enabling RADIUS Authentication, Authorization, and Accounting ■ Using RADIUS to Log In to a Database ■ RSA ACE/Server Configuration Checklist SecurID, an authentication product of RSA Security, Inc., though not directly supported by Oracle Advanced Security, has been certified as RADIUS-compliant. You can therefore, run SecurID under RADIUS. Note: Refer to the RSA Security SecurID documentation for further information. About RADIUS RADIUS is a client/server security protocol widely used to enable remote authentication and access. Oracle Advanced Security uses this industry standard in a client/server network environment. You can enable the network to use any authentication method that supports the RADIUS standard, including token cards and smart cards, by installing and configuring the RADIUS protocol. Moreover, when you use RADIUS, you can change the authentication method without modifying either the Oracle client or the Oracle database server. From the user's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Oracle database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server: ■ ■ ■ ■ Looks up the user's security information Passes authentication and authorization information between the appropriate authentication server or servers and the Oracle database server Grants the user access to the Oracle database server Logs session information, including when, how often, and for how long the user was connected to the Oracle database server Configuring RADIUS Authentication 11-1 RADIUS Authentication Modes Oracle Advanced Security does not support RADIUS authentication over database links. Note: The Oracle/RADIUS environment is displayed in Figure 11–1: Figure 11–1 RADIUS in an Oracle Environment Oracle Client Oracle Server Radius Client Radius Server or RSA ACE / Server The Oracle database server acts as the RADIUS client, passing information between the Oracle client and the RADIUS server. Similarly, the RADIUS server passes information between the Oracle database server and the appropriate authentication servers. The authentication components are listed in Table 11–1: Table 11–1 RADIUS Authentication Components Component Stored Information Oracle client Configuration setting for communicating through RADIUS. Oracle database server/RADIUS client Configuration settings for passing information between the Oracle client and the RADIUS server. RADIUS server Authentication and authorization information for all users. The secret key file. Each client's name or IP address. Each client's shared secret. Unlimited number of menu files enabling users already authenticated to select different login options without reconnecting. Authentication server or servers User authentication information such as pass codes and PINs, depending on the authentication method in use. Note: The RADIUS server can also be the authentication server. A RADIUS server vendor is often the authentication server vendor as well. In this case authentication can be processed on the RADIUS server. For example, the RSA ACE/Server is both a RADIUS server and an authentication server. It thus authenticates the user's pass code. See Also: Oracle Database Net Services Administrator's Guide, for information about the sqlnet.ora file RADIUS Authentication Modes User authentication can take place in the following ways: ■ Synchronous Authentication Mode 11-2 Oracle Database Advanced Security Administrator's Guide RADIUS Authentication Modes ■ Challenge-Response (Asynchronous) Authentication Mode Synchronous Authentication Mode In the synchronous mode, RADIUS lets you use various authentication methods, including passwords and SecurID token cards. Figure 11–2 shows the sequence in which synchronous authentication occurs: Figure 11–2 Client 1 Synchronous Authentication Sequence Oracle server/ RADIUS client RADIUS Server Authentication Server 2 3 4 5 ... 6 The following steps describe the Synchronous Authentication Sequence: 1. A user logs in by entering a connect string, pass code, or other value. The client system passes this data to the Oracle database server. 2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. 3. The RADIUS server passes the data to the appropriate authentication server, such as Smart Card or SecurID ACE for validation. 4. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server. 5. The RADIUS server passes this response to the Oracle database server/RADIUS client. 6. The Oracle database server/RADIUS client passes the response back to the Oracle client. Example: Synchronous Authentication with SecurID Token Cards With SecurID authentication, each user has a token card that displays a dynamic number that changes every sixty seconds. To gain access to the Oracle database Configuring RADIUS Authentication 11-3 RADIUS Authentication Modes server/RADIUS client, the user enters a valid pass code that includes both a personal identification number (PIN) and the dynamic number currently displayed on the user's SecurID card. The Oracle database server passes this authentication information from the Oracle client to the RADIUS server, which in this case is the authentication server for validation. Once the authentication server (RSA ACE/Server) validates the user, it sends an accept packet to the Oracle database server, which, in turn, passes it to the Oracle client. The user is now authenticated and able to access the appropriate tables and applications. See Also: ■ Chapter 1, "Introduction to Oracle Advanced Security" ■ "Token Cards" on page 1-8 ■ Documentation provided by RSA Security, Inc. Challenge-Response (Asynchronous) Authentication Mode When the system uses the asynchronous mode, the user does not need to enter a user name and password at the SQL*Plus CONNECT string. Instead, a graphical user interface asks the user for this information later in the process. Figure 11–3 shows the sequence in which challenge-response (asynchronous) authentication occurs. If the RADIUS server is the authentication server, Steps 3, 4, and 5, and Steps 9, 10, and 11 in Figure 11–3 are combined. Note: 11-4 Oracle Database Advanced Security Administrator's Guide RADIUS Authentication Modes Figure 11–3 Client 1 Asynchronous Authentication Sequence Oracle server/ RADIUS client RADIUS Server Authentication Server 2 3 4 5 6 7 8 9 10 11 ... 12 The following steps describe the Asynchronous Authentication Sequence: 1. A user initiates a connection to an Oracle database server. The client system passes the data to the Oracle database server. 2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. 3. The RADIUS server passes the data to the appropriate authentication server, such as a Smart Card, SecurID ACE, or token card server. 4. The authentication server sends a challenge, such as a random number, to the RADIUS server. 5. The RADIUS server passes the challenge to the Oracle database server/RADIUS client. 6. The Oracle database server/RADIUS client, in turn, passes it to the Oracle client. A graphical user interface presents the challenge to the user. Configuring RADIUS Authentication 11-5 RADIUS Authentication Modes 7. The user provides a response to the challenge. To formulate a response, the user can, for example, enter the received challenge into the token card. The token card provides a dynamic password that is entered into the graphical user interface. The Oracle client passes the user's response to the Oracle database server/RADIUS client. 8. The Oracle database server/RADIUS client sends the user's response to the RADIUS server. 9. The RADIUS server passes the user's response to the appropriate authentication server for validation. 10. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server. 11. The RADIUS server passes the response to the Oracle database server/RADIUS client. 12. The Oracle database server/RADIUS client passes the response to the Oracle client. Example: Asynchronous Authentication with Smart Cards With smart card authentication, the user logs in by inserting the smart card into a smart card reader that reads the smart card. The smart card is a plastic card, like a credit card, with an embedded integrated circuit for storing information. The Oracle client sends the login information contained in the smart card to the authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the Oracle client, by way of the RADIUS server and the Oracle database server, prompting the user for authentication information. The information could be, for example, a PIN as well as additional authentication information contained on the smart card. The Oracle client sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has entered a valid number, the authentication server sends an accept packet back to the Oracle client by way of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered incorrect information, the authentication server sends back a message rejecting user's access. Example: Asynchronous Authentication with ActivCard Tokens One particular ActivCard token is a hand-held device with a keypad and which displays a dynamic password. When the user seeks access to an Oracle database server by entering a password, the information is passed to the appropriate authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the client, by way of the RADIUS server and the Oracle database server. The user types that challenge into the token, and the token displays a number for the user to send in response. The Oracle client then sends the user's response to the authentication server by way of the Oracle database server and the RADIUS server. If the user has typed a valid number, the authentication server sends an accept packet back to the Oracle client by way of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered an incorrect response, the authentication server sends back a message rejecting the user's access. 11-6 Oracle Database Advanced Security Administrator's Guide Enabling RADIUS Authentication, Authorization, and Accounting Enabling RADIUS Authentication, Authorization, and Accounting This section contains: ■ Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client ■ Step 2: Configure RADIUS Authentication ■ Step 3: Create a User and Grant Access ■ Step 4: Configure External RADIUS Authorization (optional) ■ Step 5: Configure RADIUS Accounting ■ Step 6: Add the RADIUS Client Name to the RADIUS Server Database ■ Step 7: Configure the Authentication Server for Use with RADIUS. ■ Step 8: Configure the RADIUS Server for Use with the Authentication Server ■ Step 9: Configure Mapping Roles Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client RADIUS is installed with Oracle Advanced Security during a typical installation of Oracle Database. See Also: Oracle Database operating system-specific installation documentation, for information about installing Oracle Advanced Security and the RADIUS adapter Step 2: Configure RADIUS Authentication This section contains: ■ Step 2A: Configure RADIUS on the Oracle Client ■ Step 2B: Configure RADIUS on the Oracle Database Server ■ Step 2C: Configure Additional RADIUS Features Step 2A: Configure RADIUS on the Oracle Client 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the Authentication tab. (It should be selected by default.) Configuring RADIUS Authentication 11-7 Enabling RADIUS Authentication, Authorization, and Accounting 5. From the Available Methods list, select RADIUS. 6. Select the right-arrow (>) to move RADIUS to the Selected Methods list. Move any other methods you want to use in the same way. 7. Arrange the selected methods in order of required usage by selecting a method in the Selected Methods list, and clicking Promote or Demote to position it in the list. For example, put RADIUS at the top of the list for it to be the first service used. 8. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entry: SQLNET.AUTHENTICATION_SERVICES=(RADIUS) Step 2B: Configure RADIUS on the Oracle Database Server This section contains: ■ Step 2B(1): Create the RADIUS Secret Key File on the Oracle Database Server ■ Step 2B(2): Configure RADIUS Parameters on the Server (sqlnet.ora File) ■ Step 2B(3): Set Oracle Database Server Initialization Parameters Step 2B(1): Create the RADIUS Secret Key File on the Oracle Database Server 1. Obtain the RADIUS secret key from the RADIUS server. For each RADIUS client, the administrator of the RADIUS server creates a shared secret key, which must be less than or equal to 16 characters. 2. On the Oracle database server, create a directory: ■ (UNIX) $ORACLE_HOME/network/security ■ (Windows) ORACLE_BASE\ORACLE_HOME\network\security 3. Create the file radius.key to hold the shared secret copied from the RADIUS server. Place the file in the directory you created in Step 2. 4. Copy the shared secret key and paste it (and nothing else) into the radius.key file created on the Oracle database server. 5. For security purposes, change the file permission of radius.key to read only, accessible only by the Oracle owner. 11-8 Oracle Database Advanced Security Administrator's Guide Enabling RADIUS Authentication, Authorization, and Accounting Oracle relies on the file system to keep this file secret. See Also: The RADIUS server administration documentation, for information about obtaining the secret key Step 2B(2): Configure RADIUS Parameters on the Server (sqlnet.ora File) 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the Authentication tab. 5. From the Available Methods list, select RADIUS. 6. Move RADIUS to the Selected Methods list by choosing the right-arrow (>). 7. To arrange the selected methods in order of desired use, select a method in the Selected Methods list, and select Promote or Demote to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of the list. 8. Select the Other Params tab. 9. From the Authentication Service list, select RADIUS. 10. In the Host Name field, accept the localhost as the default primary RADIUS server, or enter another host name. 11. Ensure that the default value of the Secret File field is valid. 12. From the File menu, select Save Network Configuration. Configuring RADIUS Authentication 11-9 Enabling RADIUS Authentication, Authorization, and Accounting The sqlnet.ora file is updated with the following entries: SQLNET.AUTHENTICATION_SERVICES=RADIUS SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_{hostname|IP_address} Step 2B(3): Set Oracle Database Server Initialization Parameters 1. Add the following setting to the init.ora initialization file. OS_AUTHENT_PREFIX="" By default, the init.ora file is located in the ORACLE_HOME/dbs directory (or the same location of the data files) on Linux and UNIX systems, and in the ORACLE_ HOME\database directory on Windows. 2. Restart the database. For example: SQL> SHUTDOWN SQL> STARTUP Oracle Database Reference and the Oracle Database Administrator's Guide for information about setting initialization parameters on an Oracle Database server See Also: Step 2C: Configure Additional RADIUS Features This section contains: ■ Step 2C(1): Change Default Settings ■ Step 2C(2): Configure Challenge-Response ■ Step 2C(3): Set Parameters for an Alternate RADIUS Server Step 2C(1): Change Default Settings 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Click the Other Params tab. 5. From the Authentication Service list, select RADIUS. 6. Change the default setting for any of the following fields: ■ ■ Port Number: Specifies the listening port of the primary RADIUS server. The default value is 1645. Timeout (seconds): Specifies the time the Oracle database server waits for a response from the primary RADIUS server. The default is 15 seconds. 11-10 Oracle Database Advanced Security Administrator's Guide Enabling RADIUS Authentication, Authorization, and Accounting ■ ■ 7. Number of Retries: Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries. For instructions on configuring RADIUS accounting, see Step 5: Configure RADIUS Accounting on page 11-14. Secret File: Specifies the location of the secret key on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself. For information about specifying the secret key, see Step 2B(1): Create the RADIUS Secret Key File on the Oracle Database Server on page 11-8. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entries: SQLNET.RADIUS_AUTHENTICATION_PORT=(PORT) SQLNET.RADIUS_AUTHENTICATION_TIMEOUT= (NUMBER OF SECONDS TO WAIT FOR response) SQLNET.RADIUS_AUTHENTICATION_RETRIES= (NUMBER OF TIMES TO RE-SEND TO RADIUS server) SQLNET.RADIUS_SECRET=(path/radius.key) Step 2C(2): Configure Challenge-Response The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information (for example, a dynamic password that the user obtains from a token card). With the RADIUS adapter, this interface is Java-based to provide optimal platform independence. Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smart card. When the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN. Note: Appendix C, "Integrating Authentication Devices Using RADIUS", for information about how to customize the challenge-response user interface See Also: To configure challenge-response: 1. If you are using JDK 1.1.7 or JRE 1.1.7, then set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run: ■ On UNIX, enter this command at the prompt: % setenv JAVA_HOME /usr/local/packages/jre1.1.7B ■ On Windows, select Start, Settings, Control Panel, System, Environment, and set the JAVA_HOME variable as follows: c:\java\jre1.1.7B This step is not required for any other JDK/JRE version. 2. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: Configuring RADIUS Authentication 11-11 Enabling RADIUS Authentication, Authorization, and Accounting netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 3. Expand Oracle Net Configuration, and from Local, select Profile. 4. From the Naming list, select Network Security. The Network Security tabbed window appears. 5. From the Authentication Service list, select RADIUS. 6. In the Challenge Response field, enter ON to enable challenge-response. 7. In the Default Keyword field, accept the default value of the challenge or enter a keyword for requesting a challenge from the RADIUS server. The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it. By setting a keyword, you let the user avoid using a password to verify identity. If the user does not enter a password, the keyword you set here is passed to the RADIUS server which responds with a challenge requesting, for example, a driver's license number or birth date. If the user does enter a password, the RADIUS server may or may not respond with a challenge, depending upon the configuration of the RADIUS server. 8. In the Interface Class Name field, accept the default value of DefaultRadiusInterface or enter the name of the class you have created to handle the challenge-response conversation. If other than the default RADIUS interface is used, then you also must edit the sqlnet.ora file to enter SQLNET.RADIUS_CLASSPATH=(location), where location is the complete path name of the jar file. It defaults to $ORACLE_HOME/network/jlib/netradius.jar: $ORACLE_HOME/JRE/lib/vt.jar 9. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entries: SQLNET.RADIUS_CHALLENGE_RESPONSE=([ON | OFF]) SQLNET.RADIUS_CHALLENGE_KEYWORD=(KEYWORD) SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(name of interface including the package name delimited by "/" for ".") Step 2C(3): Set Parameters for an Alternate RADIUS Server If you are using an alternate RADIUS server, set these parameters in the sqlnet.ora file using any text editor. SQLNET.RADIUS_ALTERNATE=(hostname or ip address of alternate radius server) SQLNET.RADIUS_ALTERNATE_PORT=(1812) SQLNET.RADIUS_ALTERNATE_TIMEOUT=(number of seconds to wait for response) SQLNET.RADIUS_ALTERNATE_RETRIES=(number of times to re-send to radius server) Step 3: Create a User and Grant Access 1. Start SQL*Plus and execute these commands to create and grant access to a user identified externally on the Oracle database server. SQL> SQL> SQL> SQL> CONNECT system@database_name; Enter password: CREATE USER username IDENTIFIED EXTERNALLY; GRANT CREATE SESSION TO USER username; 11-12 Oracle Database Advanced Security Administrator's Guide Enabling RADIUS Authentication, Authorization, and Accounting SQL> EXIT If you are using Windows, then you can use the Security Manager tool in Oracle Enterprise Manager. 2. Enter the same username in the RADIUS server's users file. See Also: ■ Oracle Database Administrator's Guide ■ Oracle Database Heterogeneous Connectivity User's Guide ■ Administration documentation for the RADIUS server Step 4: Configure External RADIUS Authorization (optional) If you require external RADIUS authorization for RADIUS users who connect to an Oracle database, then you must perform the following steps to configure the Oracle server, the Oracle client, and the RADIUS server: ■ Step 4A: Configure the Oracle Server (RADIUS Client) ■ Step 4B: Configure the Oracle Client Where Users Log In ■ Step 4C: Configure the RADIUS Server Step 4A: Configure the Oracle Server (RADIUS Client) 1. Add the OS_ROLE parameter to the init.ora file and set this parameter to TRUE as follows: OS_ROLE=TRUE 2. Restart the database so that the system can read the change to the init.ora file. For example: SQL> SHUTDOWN SQL> STARTUP 3. Set the RADIUS challenge-response mode to ON for the server if you have not already done so by following the steps listed in "Step 2C(2): Configure Challenge-Response" on page 11-11. 4. Add externally identified users and roles. Step 4B: Configure the Oracle Client Where Users Log In Set the RADIUS challenge-response mode to ON for the client if you have not already done so by following the steps listed in "Step 2C(2): Configure Challenge-Response" on page 11-11. Step 4C: Configure the RADIUS Server 1. Add the following attributes to the RADIUS server attribute configuration file: ATTRIBUTE NAME CODE TYPE VENDOR_SPECIFIC 26 Integer ORACLE_ROLE 1 String Configuring RADIUS Authentication 11-13 Enabling RADIUS Authentication, Authorization, and Accounting 2. Assign a Vendor ID for Oracle in the RADIUS server attribute configuration file that includes the SMI Network Management Private Enterprise Code of 111. For example, enter the following in the RADIUS server attribute configuration file: VALUE 3. VENDOR_SPECIFIC ORACLE 111 Using the following syntax, add the ORACLE_ROLE attribute to the user profile of the users who will use external RADIUS authorization: ORA_databaseSID_rolename[_[A]|[D]] where: ■ ■ ■ ■ ■ ORA designates that this role is used for Oracle purposes databaseSID is the Oracle system identifier that is configured in the database server's init.ora file rolename is the name of role as it is defined in the data dictionary. A is an optional character that indicates the user has administrator's privileges for this role D is an optional character that indicates this role is to be enabled by default Ensure that RADIUS groups which map to Oracle roles adhere to the ORACLE_ROLE syntax. For example: USERNAME USERPASSWD="user_password", SERVICE_TYPE=login_user, VENDOR_SPECIFIC=ORACLE, ORACLE_ROLE=ORA_ora920_sysdba See Also: The RADIUS server administration documentation for information about configuring the server. Step 5: Configure RADIUS Accounting RADIUS accounting logs information about access to the Oracle database server and stores it in a file on the RADIUS accounting server. Use this feature only if both the RADIUS server and authentication server support it. This section contains: ■ Step 5A: Set RADIUS Accounting on the Oracle Database Server ■ Step 5B: Configure the RADIUS Accounting Server Step 5A: Set RADIUS Accounting on the Oracle Database Server 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. 11-14 Oracle Database Advanced Security Administrator's Guide Enabling RADIUS Authentication, Authorization, and Accounting The Network Security tabbed window appears. 4. Select the Other Params tab. 5. From the Authentication Service list, select RADIUS. 6. In the Send Accounting field, enter ON to enable accounting or OFF to disable accounting. 7. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entry: SQLNET.RADIUS_SEND_ACCOUNTING= ON Step 5B: Configure the RADIUS Accounting Server RADIUS Accounting Server consists of an accounting server residing on either the same host as the RADIUS authentication server or on a separate host. See Also: Administration documentation for the RADIUS server, for information about configuring RADIUS accounting Step 6: Add the RADIUS Client Name to the RADIUS Server Database You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. Because RADIUS servers vary, consult the documentation for your particular RADIUS server for any unique interoperability requirements. To add the RADIUS client name to a Livingston RADIUS server: 1. Open the clients file, which can be found at /etc/raddb/clients. The following text and table appear: @ (#) clients 1.1 2/21/96 Copyright 1991 Livingston Enterprises Inc This file contains a list of clients which are allowed to make authentication requests and their encryption key. The first field is a valid hostname. The second field (separated by blanks or tabs) is the encryption key. Client Name Key 2. In the CLIENT NAME column, enter the host name or IP address of the host on which the Oracle database server is running. In the KEY column, type the shared secret. The value you enter in the CLIENT NAME column, whether it is the client's name or IP address, depends on the RADIUS server. 3. Save and close the clients file. See Also: Administration documentation for the RADIUS server Step 7: Configure the Authentication Server for Use with RADIUS Refer to the authentication server documentation for instructions about configuring the authentication servers. "Related Documentation" on page 2-xxii, which contains a list of possible resources. See Also: Configuring RADIUS Authentication 11-15 Enabling RADIUS Authentication, Authorization, and Accounting Step 8: Configure the RADIUS Server for Use with the Authentication Server Refer to the RADIUS server documentation for instructions about configuring the RADIUS server for use with the authentication server. Step 9: Configure Mapping Roles If the RADIUS server supports vendor type attributes, you can manage roles by storing them in the RADIUS server. The Oracle database server downloads the roles when there is a CONNECT request using RADIUS. To use this feature, configure roles on both the Oracle database server and the RADIUS server. To configure roles on the Oracle database server: 1. Use a text editor to set the OS_ROLES parameter in the initialization parameters file on the Oracle database server. By default, the init.ora file is located in the ORACLE_HOME/dbs directory (or the same location of the data files) on Linux and UNIX systems, and in the ORACLE_ HOME\database directory on Windows. 2. Stop and restart the Oracle database server. For example: SQL> SHUTDOWN SQL> STARTUP 3. Create each role that the RADIUS server will manage on the Oracle database server with the value IDENTIFIED EXTERNALLY. To configure roles on the RADIUS server, use the following syntax: ORA_DatabaseName.DatabaseDomainName_RoleName In this specification: ■ ■ ■ DatabaseName is the name of the Oracle database server for which the role is being created. This is the same as the value of the DB_NAME initialization parameter. DatabaseDomainName is the name of the domain to which the Oracle database server belongs. The value is the same as the value of the DB_DOMAIN initialization parameter. RoleName is name of the role created in the Oracle database server. For example: ORA_USERDB.US.EXAMPLE.COM_MANAGER 4. Configure RADIUS challenge-response mode. See Also: ■ ■ Challenge-Response (Asynchronous) Authentication Mode on page 11-4 Step 2C(2): Configure Challenge-Response on page 11-11 11-16 Oracle Database Advanced Security Administrator's Guide RSA ACE/Server Configuration Checklist Using RADIUS to Log In to a Database If you are using the synchronous authentication mode, launch SQL*Plus and enter the following command at the prompt: CONNECT username@database_alias Enter password: password You can log in with this command only when challenge-response is not turned to ON. Note: If you are using the challenge-response mode, launch SQL*Plus and, at the prompt, enter the command that follows: CONNECT /@database_alias Note: ■ ■ You can log in with this command only when challenge-response is turned to ON. The challenge-response mode can be configured for all login cases. RSA ACE/Server Configuration Checklist If you are using an RSA ACE/Server as a RADIUS server, check the following items before making your initial connection: ■ ■ Ensure that the host agent in the RSA ACE/Server is set up to send a node secret. In version 5.0, this is done by leaving the SENT Node secret box unchecked. If the RSA ACE/Server fails to send a node secret to the agent, then a node verification failure message will be written to the RSA ACE/Server log. If you are using RSA SecurID tokens, then ensure that the token is synchronized with the RSA ACE/Server. See Also: RSA ACE/Server documentation for specific information about troubleshooting. Configuring RADIUS Authentication 11-17 RSA ACE/Server Configuration Checklist 11-18 Oracle Database Advanced Security Administrator's Guide 12 12 Configuring Kerberos Authentication This chapter describes how to configure Oracle Advanced Security for Oracle Database for use with Kerberos authentication, and how to configure Kerberos to authenticate Oracle database users. This chapter contains the following sections: ■ Enabling Kerberos Authentication ■ Utilities for the Kerberos Authentication Adapter ■ Configuring Interoperability with a Windows 2000 Domain Controller KDC ■ Configuring Kerberos Authentication Fallback Behavior ■ Troubleshooting the Oracle Kerberos Authentication Configuration See Also: Oracle Database Enterprise User Security Administrator's Guide for information on migrating Kerberos users to Kerberos-authenticated enterprise users Enabling Kerberos Authentication This section contains: ■ Step 1: Install Kerberos ■ Step 2: Configure a Service Principal for an Oracle Database Server ■ Step 3: Extract a Service Key Table from Kerberos ■ Step 4: Install an Oracle Database Server and an Oracle Client ■ Step 5: Install Oracle Net Services and Oracle Advanced Security ■ Step 6: Configure Oracle Net Services and Oracle Database ■ Step 7: Configure Kerberos Authentication ■ Step 8: Create a Kerberos User ■ Step 9: Create an Externally Authenticated Oracle User ■ Step 10: Get an Initial Ticket for the Kerberos/Oracle User Step 1: Install Kerberos Install Kerberos on the system that functions as the authentication server. See Also: Your Kerberos version 5 source distribution for notes about building and installing Kerberos Configuring Kerberos Authentication 12-1 Enabling Kerberos Authentication After upgrading from a 32-bit version of Oracle Database, the first use of the Kerberos authentication adapter causes an error message: ORA-01637: Packet receive failed. Note: Workaround: After upgrading to the 64-bit version of the database and before using Kerberos external authentication method, check for a file named /usr/tmp/oracle_service_name.RC on your computer, and remove it. Step 2: Configure a Service Principal for an Oracle Database Server To enable the Oracle database server to validate the identity of clients that authenticate themselves using Kerberos, you must create a service principal for Oracle Database. The name of the principal should have the following format: kservice/kinstance@REALM Each of the fields in the service principal specify the following values: Service Principal Field Description kservice A case-sensitive string that represents the Oracle service. This can be the same as the database service name. kinstance Typically the fully qualified DNS name of the system on which Oracle Database is running. REALM The name of the Kerberos realm with which the service principal is registered. REALM must always be uppercase and is typically the DNS domain name. The utility names in this section are executable programs. However, the Kerberos user name krbuser and the realm EXAMPLE.COM are examples only. Note: For example, suppose kservice is oracle, the fully qualified name of the system on which Oracle Database is running is dbserver.example.com and the realm is EXAMPLE.COM. The principal name then is: oracle/dbserver.example.com@EXAMPLE.COM It is a convention to use the DNS domain name as the name of the realm. To create the service principal, run kadmin.local. On UNIX, run this command as the root user, by using the following syntax: # cd /kerberos-install-directory/sbin # ./kadmin.local To add a principal named oracle/dbserver.example.com@EXAMPLE.COM to the list of server principals known by Kerberos, enter the following: kadmin.local:addprinc -randkey oracle/dbserver.example.com@EXAMPLE.COM Step 3: Extract a Service Key Table from Kerberos Extract the service key table from Kerberos and copy it to the Oracle database server/Kerberos client system. 12-2 Oracle Database Advanced Security Administrator's Guide Enabling Kerberos Authentication For example, use the following steps to extract a service key table for dbserver.example.com: 1. Enter the following to extract the service key table: kadmin.local: ktadd -k /tmp/keytab oracle/dbserver.example.com Entry for principal oracle/dbserver.example.com with kvno 2, encryption DES-CBC-CRC added to the keytab WRFILE: 'WRFILE:/tmp/keytab kadmin.local: exit oklist -k -t /tmp/keytab 2. After the service key table has been extracted, verify that the new entries are in the table in addition to the old ones. If they are not, or you need to add more, use kadmin.local to append to them. If you do not enter a realm when using ktadd, it uses the default realm of the Kerberos server. kadmin.local is connected to the Kerberos server running on the localhost. 3. If the Kerberos service key table is on the same system as the Kerberos client, you can move it. If the service key table is on a different system from the Kerberos client, you must transfer the file with a program such as FTP. If using FTP, transfer the file in binary mode. The following example shows how to move the service key table on a UNIX platform: # mv /tmp/keytab /etc/v5srvtab The default name of the service file is /etc/v5srvtab. 4. Verify that the owner of the Oracle database server executable can read the service key table (/etc/v5srvtab in the previous example). To do so, set the file owner to the Oracle user, or make the file readable by the group to which Oracle belongs. Caution: Do not make the file readable to all users. This can cause a security breach. Step 4: Install an Oracle Database Server and an Oracle Client Install the Oracle database server and client software. See Also: Oracle Database operating system-specific installation documentation Step 5: Install Oracle Net Services and Oracle Advanced Security Install Oracle Net Services and Oracle Advanced Security on the Oracle database server and Oracle client systems. See Also: Oracle Database operating system-specific installation documentation Step 6: Configure Oracle Net Services and Oracle Database Configure Oracle Net Services on the Oracle database server and client. Configuring Kerberos Authentication 12-3 Enabling Kerberos Authentication See Also: ■ ■ Oracle Database operating system-specific installation documentation Oracle Database Net Services Administrator's Guide. Step 7: Configure Kerberos Authentication Perform these tasks to set required parameters in the Oracle database server and client sqlnet.ora files. This section contains: ■ Step 7A: Configure Kerberos on the Client and on the Database Server ■ Step 7B: Set the Initialization Parameters ■ Step 7C: Set sqlnet.ora Parameters (Optional) Step 7A: Configure Kerberos on the Client and on the Database Server To configure Kerberos authentication service parameters on the client and on the database server: 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the Authentication tab. 5. From the Available Methods list, select KERBEROS5. 6. Move KERBEROS5 to the Selected Methods list by clicking the right arrow (>). 12-4 Oracle Database Advanced Security Administrator's Guide Enabling Kerberos Authentication 7. Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. For example, if you want KERBEROS5 to be the first service used, move it to the top of the list. 8. Select the Other Params tab. 9. From the Authentication Service list, select KERBEROS(V5). The Service field defines the name of the service Oracle Database uses to obtain a Kerberos service ticket. When you provide the value for this field, the other fields are enabled. 10. Optionally enter values for the following fields: ■ Credential Cache File ■ Configuration File ■ Realm Translation File ■ Key Table ■ Clock Skew See the Oracle Net Manager online Help, and "Step 7C: Set sqlnet.ora Parameters (Optional)" on page 12-6, for more information about the fields and the parameters they configure. 11. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entries: SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice Step 7B: Set the Initialization Parameters As Kerberos user names can be long, and Oracle user names are limited to 30 characters, Oracle recommends that you set the value of OS_AUTHENT_PREFIX to null in the initialization parameter file. OS_AUTHENT_PREFIX="" Setting this parameter to null overrides the default value of OPS$. Configuring Kerberos Authentication 12-5 Enabling Kerberos Authentication Note: Oracle Database 11g Release 2 (11.2) enables you to create external database users that have Kerberos user names of more than 30 characters. See "Step 9: Create an Externally Authenticated Oracle User" on page 12-8 for more information. Step 7C: Set sqlnet.ora Parameters (Optional) In addition to the required parameters, you can optionally set the following parameters in the sqlnet.ora file on the client and the Oracle database server: Attribute Description Parameter: SQLNET.KERBEROS5_CC_NAME=pathname_to_credentials_cache_file Description: Specifies the complete path name to the Kerberos credentials cache (CC) file. The default value is operating system-dependent. For UNIX, it is /tmp/krb5cc_userid. You can use the following formats to specify a value for SQLNET.KERBEROS5_CC_NAME: ■ SQLNET.KERBEROS5_CC_NAME=complete_path_to_cc_file For example: SQLNET.KERBEROS5_CC_NAME=/tmp/kcache SQLNET.KERBEROS5_CC_NAME=D:\tmp\kcache ■ SQLNET.KERBEROS5_CC_NAME=FILE:complete_path_to_cc_file For example: SQLNET.KERBEROS5_CC_NAME=FILE:/tmp/kcache ■ SQLNET.KERBEROS5_CC_NAME=OSMSFT: Use this value if you are running Windows and using a Microsoft KDC. You can also set this parameter by using the KRB5CCNAME environment variable, but the value set in the sqlnet.ora file takes precedence over the value set in KRB5CCNAME. Example: SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache Parameter: SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds_accepted_as_ network_delay Description: This parameter specifies how many seconds can pass before a Kerberos credential is considered out-of-date. It is used when a credential is actually received by either a client or a database server. An Oracle database server also uses it to decide if a credential needs to be stored to protect against a replay attack. The default is 300 seconds. Example: SQLNET.KERBEROS5_CLOCKSKEW=1200 Parameter: SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_ configuration_file Description: This parameter specifies the complete path name to the Kerberos configuration file. The configuration file contains the realm for the default KDC (key distribution center) and maps realms to KDC hosts. The default is operating system-dependent. For UNIX, it is /krb5/krb.conf. Example: SQLNET.KERBEROS5_CONF=/krb/krb.conf Parameter: SQLNET.KERBEROS5_CONF_MIT=[TRUE|FALSE] 12-6 Oracle Database Advanced Security Administrator's Guide Enabling Kerberos Authentication Attribute Description Description: This parameter specifies whether the new MIT Kerberos configuration format is used. If the value is set to TRUE, it will parse the file according to the new configuration format rules. When the value is set to FALSE, the default (non-MIT) configuration is used. The default is FALSE. Example: SQLNET.KERBEROS5_CONF_MIT=False Parameter: SQLNET.KERBEROS5_KEYTAB= pathname_to_Kerberos_principal/key_table Description: This parameter specifies the complete path name to the Kerberos principal/secret key mapping file. It is used by the Oracle database server to extract its key and decrypt the incoming authentication information from the client. The default is operating system-dependent. For UNIX, it is /etc/v5srvtab. Example: SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab Parameter: SQLNET.KERBEROS5_REALMS= pathname_to_Kerberos_realm_translation_file Description: This parameter specifies the complete path name to the Kerberos realm translation file. The translation file provides a mapping from a host name or domain name to a realm. The default is operating system-dependent. For UNIX, it is /etc/krb.realms. Example: SQLNET.KERBEROS5_REALMS=/krb5/krb.realms Support for Credential Cache Type 4 Format Oracle Database now supports and recognizes the credential cache type 4 format. This feature is useful for those environments that use newer versions of MIT Kerberos 5 (1.3.x and above) utilities. To use this feature, you need to set the following parameter in the sqlnet.ora file: SQLNET.KERBEROS5_CONF_MIT = TRUE Your Kerberos configuration file (krb5.conf) should have the following settings: ... [libdefaults] ... kdc_timesync = 1 ccache_type = 4 Step 8: Create a Kerberos User To create Oracle users that Kerberos can authenticate, perform this task on the Kerberos authentication server where the administration tools are installed. The realm must already exist. The utility names in this section are executable programs. However, the Kerberos user name krbuser and realm EXAMPLE.COM are examples only. They can vary among systems. Note: Run /krb5/admin/kadmin.local as root to create a new Kerberos user, such as krbuser. The following example is UNIX-specific: Configuring Kerberos Authentication 12-7 Utilities for the Kerberos Authentication Adapter # ./kadmin.local kadmin.local: addprinc krbuser Enter password for principal: "krbuser@EXAMPLE.COM": (password does not display) Re-enter password for principal: "krbuser@EXAMPLE.COM": (password does not display) kadmin.local: exit Step 9: Create an Externally Authenticated Oracle User Run SQL*Plus on the Oracle database server to create the Oracle user that corresponds to the Kerberos user. In the following example, OS_AUTHENT_PREFIX is set to null (""). The Oracle user name is in uppercase enclosed in double quotation marks as shown in the following example: SQL> CONNECT / AS SYSDBA; SQL> CREATE USER "KRBUSER@EXAMPLE.COM" IDENTIFIED EXTERNALLY; SQL> GRANT CREATE SESSION TO "KRBUSER@EXAMPLE.COM"; If the user’s Kerberos principal name is longer than 30 characters, and up to 1024 characters, then create the user as follows: SQL> CREATE USER db_user_name IDENTIFIED EXTERNALLY AS 'kerberos_principal_name' For example: SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@EXAMPLE.COM'; The database administrator should ensure that two database users are not identified externally by the same Kerberos principal name. Note: Step 10: Get an Initial Ticket for the Kerberos/Oracle User Before you can connect to the database, you must ask the Key Distribution Center (KDC) for an initial ticket. To do so, run the following on the client: % okinit username If, when making a database connection, a reference such as the following follows a database link, you must use the forwardable flag (-f) option: sqlplus /@oracle Executing okinit -f enables credentials that can be used across database links. Run the following commands on the Oracle client: % okinit -f Password for krbuser@EXAMPLE.COM:password Utilities for the Kerberos Authentication Adapter Three utilities are shipped with the Oracle Kerberos authentication adapter. These utilities are intended for use on an Oracle client with Oracle Kerberos authentication support installed. Use the following utilities for these specified tasks: ■ Obtaining the Initial Ticket with the okinit Utility ■ Displaying Credentials with the oklist Utility ■ Removing Credentials from the Cache File with the okdstry Utility 12-8 Oracle Database Advanced Security Administrator's Guide Utilities for the Kerberos Authentication Adapter Obtaining the Initial Ticket with the okinit Utility The okinit utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache. The options available with okinit are listed in Table 12–1: Table 12–1 Options for the okinit Utility Option Description -f Ask for a forwardable ticket-granting ticket. This option is necessary to follow database links. -l Specify the lifetime of the ticket-granting ticket and all subsequent tickets. By default, the ticket-granting ticket is good for eight (8) hours, but shorter or longer-lived credentials may be desired. Note that the KDC can ignore this option or put site-configured limits on what can be specified. The lifetime value is a string that consists of a number qualified by w (weeks), d (days), h (hours), m (minutes), or s (seconds), as in the following example: okinit -l 2wld6h20m30s The example requests a ticket-granting ticket that has a life time of 2 weeks, 1 day, 6 hours, 20 minutes, and 30 seconds. -c Specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file. -e Specifies a number representing the Kerberos encryption type to use. This option can be used to request a particular Kerberos encryption type key for the session. If you specify more than one encryption type, then the KDC chooses the common and strongest encryption type from the list. The following values are allowed: ■ 16 for DES3-CBC-SHA1 ■ 18 for AES256-CTS The following example requests for the DES-CBC-CRC and DES3-CBC-SHA1 encryption types: okinit -e 1 -e 16 krbuser@REALM Note that you can repeat the option to request multiple encryption types. -? List command line options. Displaying Credentials with the oklist Utility Run the oklist utility to display the list of tickets held. Available oklist options are listed in Table 12–2: Configuring Kerberos Authentication 12-9 Configuring Interoperability with a Windows 2000 Domain Controller KDC Table 12–2 Options for the oklist Utility Option Description -f Show flags with credentials. Relevant flags are: ■ I, credential is a ticket-granting ticket ■ F, credential is forwardable ■ f, credential is forwarded. -c Specify an alternative credential cache. In UNIX, the default is /tmp/krb5cc_uid. The alternate credential cache can also be specified by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file. -k List the entries in the service table (default /etc/v5srvtab) on UNIX. The alternate service table can also be specified by using the SQLNET.KERBEROS5_KEYTAB parameter in the sqlnet.ora file. The show flag option (-f) displays additional information, as shown in the following example: % oklist -f 27-Jul-1999 21:57:51 28-Jul-1999 05:58:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM Flags: FI Removing Credentials from the Cache File with the okdstry Utility Use the okdstry utility to remove credentials from the credentials cache file: $ okdstry -f where the -f command option lets you specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KRB5_CC_NAME parameter in the sqlnet.ora file. Connecting to an Oracle Database Server Authenticated by Kerberos You can now connect to an Oracle database server without using a user name or password. Enter a command similar to the following: $ sqlplus /@net_service_name where net_service_name is an Oracle Net Services service name. For example: $ sqlplus /@oracle_dbname Chapter 1, "Introduction to Oracle Advanced Security" and Oracle Database Heterogeneous Connectivity User's Guide for information about external authentication See Also: Configuring Interoperability with a Windows 2000 Domain Controller KDC Oracle Advanced Security, which complies with MIT Kerberos, can interoperate with tickets that are issued by a Kerberos Key Distribution Center (KDC) on a Windows 2000 domain controller to enable Kerberos authentication with an Oracle database. To configure Kerberos authentication that uses a Windows 2000 domain controller KDC, perform the following tasks: 12-10 Oracle Database Advanced Security Administrator's Guide Configuring Interoperability with a Windows 2000 Domain Controller KDC ■ Step 1: Configure Oracle Kerberos Client for a Windows 2000 Domain Controller KDC ■ Step 2: Configure a Windows 2000 Domain Controller KDC for the Oracle Client ■ Step 3: Configure Oracle Database for a Windows 2000 Domain Controller KDC ■ Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User Step 1: Configure Oracle Kerberos Client for a Windows 2000 Domain Controller KDC You must perform the following steps must on the Oracle Kerberos client. Step 1A: Create the Client Kerberos Configuration Files Create the following Kerberos client configuration files that refer to the Windows 2000 domain controller as the Kerberos KDC. In the examples that follow, the Windows 2000 domain controller is running on a node named sales3854.us.example.com. ■ krb.conf file For example: SALES3854.US.EXAMPLE.COM SALES3854.US.EXAMPLE.COM sales3854.us.example.com admin server ■ krb5.conf file For example: [libdefaults] default_realm=SALES.US.EXAMPLE.COM [realms] SALES.US.EXAMPLE.COM= { kdc=sales3854.us.example.com:88 } [domain_realm] .us.example.com=SALES.US.EXAMPLE.COM ■ krb5.realms file For example: us.example.com SALES.US.EXAMPLE.COM Step 2A: Specify the Oracle Configuration Parameters in the sqlnet.ora File Configuring an Oracle client to interoperate with a Windows 2000 domain controller KDC uses the same sqlnet.ora file parameters that are listed in "Step 7A: Configure Kerberos on the Client and on the Database Server" on page 12-4. Set the following parameters in the sqlnet.ora file on the client: SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file SQLNET.KERBEROS5_CONF_MIT=TRUE SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5) Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5. Configuring Kerberos Authentication 12-11 Configuring Interoperability with a Windows 2000 Domain Controller KDC Step 3A: Specify the Listening Port Number The Windows 2000 domain controller KDC listens on UDP/TCP port 88. Ensure that the system file entry for kerberos5 is set to UDP/TCP port 88 as follows: For the UNIX environment, ensure that the first kerberos5 entry in the /etc/services file is set to 88. Step 2: Configure a Windows 2000 Domain Controller KDC for the Oracle Client The following steps must be performed on the Windows 2000 domain controller. See Also: Microsoft documentation for information about how to create users in Active Directory. Step 2A: Create the User Create a new user for the Oracle client in Microsoft Active Directory. Step 2B: Create the Oracle Database Principal 1. Create a new user for the Oracle database in Microsoft Active Directory. For example, if the Oracle database runs on the host sales3854.us.example.com, then use Active Directory to create a user with the user name sales3854.us.example.com and the password oracle. Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.example.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as user names. However, Microsoft's KDC does not. 2. Use the Ktpass command line utility to extract the keytab file with the following syntax: Ktpass -princ service/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out keytab.file Using the database user created in the previous step, the following is an example of Ktpass usage: C:> Ktpass -princ oracle/sales3854.us.example.com@SALES.US.COM -mapuser sales3854 -pass oracle -out C:\temp\v5srvtab This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder. 3. Copy the extracted keytab file to the host computer where the Oracle database is installed. For example, the keytab that was created in the previous step can be copied to /krb5/v5svrtab. See Also: Detailed information about Windows 2000 interoperability with Kerberos 5 that is available at the following URL: http://technet.microsoft.com/hi-in/windowsserver/2000/bb735396(e n-us).aspx 12-12 Oracle Database Advanced Security Administrator's Guide Configuring Kerberos Authentication Fallback Behavior Step 3: Configure Oracle Database for a Windows 2000 Domain Controller KDC The following steps must be performed on the host computer where the Oracle database is installed. Step 3A: Set Configuration Parameters in the sqlnet.ora File Specify values for the following parameters in the sqlnet.ora file for the database server: SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table SQLNET.KERBEROS5_CONF_MIT=TRUE SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=Kerberos_service_name SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5) Note: Ensure that the SQLNET.KERBEROS5_CONF_MIT parameter is set to TRUE because the Windows 2000 operating system is designed to interoperate only with security services that are based on MIT Kerberos version 5. Step 3B: Create an Externally Authenticated Oracle User Follow the task information for "Step 9: Create an Externally Authenticated Oracle User" on page 12-8 to create an externally authenticated Oracle user. Ensure that the username is created in all uppercase characters. For example, ORAKRB@SALES.US.EXAMPLE.COM. "Step 7: Configure Kerberos Authentication" on page 12-4 for information about using Oracle Net Manager to set the sqlnet.ora file parameters. See Also: Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User Before a client can connect to the database, the client must request an initial ticket. To request an initial ticket, follow the task information for "Step 10: Get an Initial Ticket for the Kerberos/Oracle User" on page 12-8. The user does not need to explicitly request for an initial ticket, using the okinit command, when using the Windows native cache. Note: If the Oracle client is running on Windows 2000 or later, the Kerberos ticket is automatically retrieved when the user logs in to Windows. Microsoft documentation for details on the Kerbtray.exe utility, which can be used to display Kerberos ticket information for a system See Also: Configuring Kerberos Authentication Fallback Behavior After you have configured Kerberos authentication for Oracle clients to use Kerberos authentication to authenticate to an Oracle database, there are cases where you may want to fall back to password-based authentication. An example would be if you have fixed user database links in the Oracle database. Configuring Kerberos Authentication 12-13 Troubleshooting the Oracle Kerberos Authentication Configuration To enable Kerberos authentication to fall back to password-based authentication, set the SQLNET.FALLBACK_AUTHENTICATION parameter to TRUE in the sqlnet.ora files on both the client and the server. The default of this parameter is FALSE and this means that by default, the connection fails when Kerberos authentication fails. See Also: Oracle Database Net Services Reference Troubleshooting the Oracle Kerberos Authentication Configuration This section lists some common configuration problems and explains how to resolve them. ■ ■ ■ ■ If you cannot get your ticket-granting ticket using okinit: – Ensure that the default realm is correct by examining the krb.conf file. – Ensure that the KDC is running on the host specified for the realm. – Ensure that the KDC has an entry for the user principal and that the passwords match. – Ensure that the krb.conf and krb.realms files are readable by Oracle. – Ensure that the TNS_ADMIN environment variable is pointing to the directory containing the sqlnet.ora configuration file. If you have an initial ticket but still cannot connect: – After trying to connect, check for a service ticket. – Check that the sqlnet.ora file on the database server side has a service name that corresponds to a service known by Kerberos. – Check that the clocks on all systems involved are set to times that are within a few minutes of each other or change the SQLNET.KERBEROS5_CLOCKSKEW parameter in the sqlnet.ora file. If you have a service ticket and you still cannot connect: – Check the clocks on the client and database server. – Check that the v5srvtab file exists in the correct location and is readable by Oracle. Remember to set the sqlnet.ora parameters. – Check that the v5srvtab file has been generated for the service named in the sqlnet.ora file on the database server side. If everything seems to work fine, but then you issue another query and it fails: – Check that the initial ticket is forwardable. You must have obtained the initial ticket by running the okinit utility. – Check the expiration date on the credentials. If the credentials have expired, then close the connection and run okinit to get a new initial ticket. 12-14 Oracle Database Advanced Security Administrator's Guide 13 13 Configuring Secure Sockets Layer Authentication This chapter describes how to configure and use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which are supported by Oracle Advanced Security. It contains the following topics: ■ Secure Sockets Layer and Transport Layer Security ■ Public Key Infrastructure in an Oracle Environment ■ Secure Sockets Layer Combined with Other Authentication Methods ■ Secure Sockets Layer and Firewalls ■ Secure Sockets Layer Usage Issues ■ Enabling Secure Sockets Layer ■ Troubleshooting Secure Sockets Layer ■ Certificate Validation with Certificate Revocation Lists ■ Configuring Your System to Use Hardware Security Modules ■ Configuring SSL in an Oracle Real Application Clusters Environment Secure Sockets Layer and Transport Layer Security Secure Sockets Layer (SSL) is an industry standard protocol originally designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity. This section contains: ■ The Difference Between Secure Sockets Layer and Transport Layer Security ■ How Oracle Database Uses Secure Sockets Layer for Authentication ■ How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake The Difference Between Secure Sockets Layer and Transport Layer Security Although SSL was primarily developed by Netscape Communications Corporation, the Internet Engineering Task Force (IETF) took over development of it, and renamed it Transport Layer Security (TLS). Essentially, TLS is an incremental improvement to SSL version 3.0. Configuring Secure Sockets Layer Authentication 13-1 Secure Sockets Layer and Transport Layer Security If you want to use TLS Version 1.1 or 1.2, then you can download one of the following patches from My Oracle Support: ■ ■ Linux systems: Patch 19207156: MES BUNDLE ON TOP OF RDBMS 11.2.0.4.2 DBPSU (requires April 2014 PSU Microsoft Windows systems: Patch 19651773: WINDOWS DB BUNDLE PATCH 11.2.0.4.10 See Also: ■ ■ https://support.oracle.com The TLS Protocol Version 1.0 [RFC 2246] at the IETF Web site, which can be found at: http://www.ietf.org To simplify discussion, this chapter uses the term SSL where either SSL or TLS may be appropriate because SSL is the most widely recognized term. However, where distinctions occur between how you use or configure these protocols, this chapter specifies what is appropriate for either SSL or TLS. Note: How Oracle Database Uses Secure Sockets Layer for Authentication Oracle Advanced Security supports authentication by using digital certificates over SSL in addition to the native encryption and data integrity capabilities of these protocols. By using Oracle Advanced Security SSL functionality to secure communications between clients and servers, you can ■ ■ Use SSL to encrypt the connection between clients and servers Authenticate any client or server, such as Oracle Application Server 10g, to any Oracle database server that is configured to communicate over SSL You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes: ■ Only the server authenticates itself to the client ■ Both client and server authenticate themselves to each other ■ Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself See Also: ■ ■ The SSL Protocol, version 3.0, published by the Internet Engineering Task Force, for a more detailed discussion of SSL Chapter 1, "Introduction to Oracle Advanced Security", for more information about authentication methods 13-2 Oracle Database Advanced Security Administrator's Guide Public Key Infrastructure in an Oracle Environment How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps: ■ ■ ■ ■ The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers. The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server. Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA. The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this session key and the negotiated cipher suite. The authentication process consists of the following steps: 1. On a client, the user initiates an Oracle Net connection to the server by using SSL. 2. SSL performs the handshake between the client and the server. 3. If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database. Public Key Infrastructure in an Oracle Environment This section contains: ■ About Public Key Infrastructure in an Oracle Environment ■ About Public Key Cryptography ■ Public Key Infrastructure Components in an Oracle Environment About Public Key Infrastructure in an Oracle Environment A public key infrastructure (PKI) is a substrate of network components that provide a security underpinning, based on trust assertions, for an entire organization. A PKI exists so that disparate network entities can access its security services, which use public-key cryptography on an as-needed basis. Oracle provides a complete PKI that is based on RSA Security, Inc., Public-Key Cryptography Standards, and which interoperates with Oracle servers and clients. About Public Key Cryptography Traditional private-key or symmetric-key cryptography requires a single, secret key that is shared by two or more parties to a secure communication. This key is used to both encrypt and decrypt secure messages sent between the parties, requiring prior, secure distribution of the key to each party. The problem with this method is that it is difficult to securely transmit and store the key. Public-key cryptography provides a solution to this problem, by employing public and private key pairs and a secure method for key distribution. The freely available public key is used to encrypt messages that can only be decrypted by the holder of the associated private key. The private key is securely stored, together with other security credentials, in an encrypted container called a wallet. Configuring Secure Sockets Layer Authentication 13-3 Public Key Infrastructure in an Oracle Environment Public-key algorithms can guarantee the secrecy of a message, but they do not necessarily guarantee secure communications because they do not verify the identities of the communicating parties. To establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its own public key for a legitimate key (the man-in-the-middle attack). In order to avoid such an attack, it is necessary to verify the owner of the public key, a process called authentication. Authentication can be accomplished through a certificate authority (CA), which is a third party that is trusted by both of the communicating parties. The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date). The CA uses its private key to encrypt a message, while the public key is used to decrypt it, thus verifying that the message was encrypted by the CA. The CA public key is well known and does not have to be authenticated each time it is accessed. Such CA public keys are stored in wallets. Public Key Infrastructure Components in an Oracle Environment Public key infrastructure (PKI) components in an Oracle environment include the following: ■ Certificate Authority ■ Certificates ■ Certificate Revocation Lists ■ Wallets ■ Hardware Security Modules Certificate Authority A certificate authority (CA) is a trusted third party that certifies the identity of entities, such as users, databases, administrators, clients, and servers. When an entity requests certification, the CA verifies its identity and grants a certificate, which is signed with the CA's private key. Different CAs may have different identification requirements when issuing certificates. Some CAs may verify a requester's identity with a driver's license, some may verify identity with the requester's fingerprints, while others may require that requesters have their certificate request form notarized. The CA publishes its own certificate, which includes its public key. Each network entity has a list of trusted CA certificates. Before communicating, network entities exchange certificates and check that each other's certificate is signed by one of the CAs on their respective trusted CA certificate lists. Network entities can obtain their certificates from the same or different CAs. By default, Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet. Oracle Application Server Certificate Authority, part of Oracle Identity Management Infrastructure, is a new Oracle PKI component available in Oracle Application Server 10g (9.0.4). 13-4 Oracle Database Advanced Security Administrator's Guide Public Key Infrastructure in an Oracle Environment See Also: "Wallets" on page 13-5 Certificates A certificate is created when an entity's public key is signed by a trusted certificate authority (CA). A certificate ensures that an entity's identification information is correct and that the public key actually belongs to that entity. A certificate contains the entity's name, public key, and an expiration date, as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate. When a network entity receives a certificate, it verifies that it is a trusted certificate, that is, one that has been issued and signed by a trusted certificate authority. A certificate remains valid until it expires or until it is revoked. Certificate Revocation Lists Typically, when a CA signs a certificate binding a public key pair to a user identity, the certificate is valid for a specified period of time. However, certain events, such as user name changes or compromised private keys, can render a certificate invalid before the validity period expires. When this happens, the CA revokes the certificate and adds its serial number to a Certificate Revocation List (CRL). The CA periodically publishes CRLs to alert the user population when it is no longer acceptable to use a particular public key to verify its associated user identity. When servers or clients receive user certificates in an Oracle environment, they can validate the certificate by checking its expiration date, signature, and revocation status. Certificate revocation status is checked by validating it against published CRLs. If certificate revocation status checking is turned on, then the server searches for the appropriate CRL depending on how this feature has been configured. The server searches for CRLs in the following locations: 1. Oracle Internet Directory 2. CRL Distribution Point, a location specified in the CRL Distribution Point (CRL DP) X.509, version 3, certificate extension when the certificate is issued. "Certificate Validation with Certificate Revocation Lists" on page 13-24 for information about configuring and managing this PKI component See Also: To use CRLs with other Oracle products, refer to the specific product documentation. This implementation of certificate validation with CRLs is only available in the Oracle Database 11g Release 2 (11.2) SSL adapter. Note: Wallets A wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates, with the exception of Diffie-Hellman. Security administrators use Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, you use Oracle Wallet Manager to do the following: Configuring Secure Sockets Layer Authentication 13-5 Secure Sockets Layer Combined with Other Authentication Methods ■ Generate a public-private key pair and create a certificate request ■ Store a user certificate that matches with the private key ■ Configure trusted certificates Installation of Oracle Advanced Security 11g Release 2 (11.2) also installs Oracle Wallet Manager release 10.1. Note: See Also: ■ Chapter 14, "Using Oracle Wallet Manager" ■ "Creating a New Wallet" on page 14-8 ■ "Managing Trusted Certificates" on page 14-20 Hardware Security Modules Oracle Advanced Security uses these devices for the following functions: ■ ■ Store cryptographic information, such as private keys Perform cryptographic operations to off load RSA operations from the server, freeing the CPU to respond to other transactions Cryptographic information can be stored on two types of hardware devices: ■ ■ (Server-side) Hardware boxes where keys are stored in the box, but managed by using tokens. (Client-side) Smart card readers, which support storing private keys on tokens. An Oracle environment supports hardware devices using APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11 specification. Note: Currently, SafeNET and nCipher devices are certified with Oracle Advanced Security "Configuring Your System to Use Hardware Security Modules" on page 13-34 for details configuration details. See Also: Secure Sockets Layer Combined with Other Authentication Methods You can configure Oracle Advanced Security to use SSL concurrently with database user names and passwords, RADIUS, and Kerberos, which are discussed in the following sections: ■ Architecture: Oracle Advanced Security and Secure Sockets Layer ■ How Secure Sockets Layer Works with Other Authentication Methods Appendix A, "Data Encryption and Integrity Parameters" for information about how to configure SSL with other supported authentication methods, including an example of a sqlnet.ora file with multiple authentication methods specified. See Also: 13-6 Oracle Database Advanced Security Administrator's Guide Secure Sockets Layer and Firewalls Architecture: Oracle Advanced Security and Secure Sockets Layer Figure 1–4 on page 1-10, which displays the Oracle Advanced Security implementation architecture, shows that Oracle Advanced Security operates at the session layer on top of SSL and uses TCP/IP at the transport layer. This separation of functionality lets you employ SSL concurrently with other supported protocols. See Also: Oracle Database Net Services Administrator's Guide for information about stack communications in an Oracle networking environment How Secure Sockets Layer Works with Other Authentication Methods Figure 13–1 illustrates a configuration in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. Figure 13–1 SSL in Relation to Other Authentication Methods Wallet 1 4 2 3 Oracle Client 5 Oracle Server Authentication Server In this example, SSL is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client 1. The client seeks to connect to the Oracle database server. 2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use. 3. Once the SSL handshake is successfully completed, the user seeks access to the database. 4. The Oracle database server authenticates the user with the authentication server using a non-SSL authentication method such as Kerberos or RADIUS. 5. Upon validation by the authentication server, the Oracle database server grants access and authorization to the user, and then the user can access the database securely by using SSL. "How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake" on page 13-3 See Also: Secure Sockets Layer and Firewalls Oracle Advanced Security supports two types of firewalls: ■ ■ Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor. Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall. Configuring Secure Sockets Layer Authentication 13-7 Secure Sockets Layer Usage Issues When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets. Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it checks the target IP address against its access rules and lets the SSL packet pass through to permitted SSL ports, rejecting all others. With the Oracle Net Firewall Proxy kit, a product offered by some firewall vendors, firewall applications can provide specific support for database network traffic. If the proxy kit is implemented in the firewall, then the following processing takes place: ■ ■ ■ The Net Proxy (a component of the Oracle Net Firewall Proxy kit) determines where to route its traffic. The database listener requires access to a certificate in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning the port on which the target database listens to the client. This port must be designated as an SSL port. The client communicates on this server-designated port in all subsequent connections. Secure Sockets Layer Usage Issues Consider the following issues when using SSL: ■ ■ SSL use enables secure communication with other Oracle products, such as Oracle Internet Directory. Because SSL supports both authentication and encryption, the client/server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption). ■ Each SSL authentication mode requires configuration settings. ■ Multi-threaded clients currently cannot use SSL. If you configure SSL encryption, you must disable non-SSL encryption. To disable such encryption, refer to "Disabling Oracle Advanced Security Authentication" on page 15-1. Note: See Also: ■ ■ "Configuring Your System to Use Hardware Security Modules" on page 13-34 for information about improving SSL performance with hardware accelerators "Enabling Secure Sockets Layer" on page 13-8 Enabling Secure Sockets Layer This section contains: ■ Step 1: Install Oracle Advanced Security and Related Products ■ Step 2: Configure Secure Sockets Layer on the Server ■ Step 3: Configure Secure Sockets Layer on the Client ■ Step 4: Log on to the Database Instance 13-8 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer Step 1: Install Oracle Advanced Security and Related Products Install Oracle Advanced Security on both the client and server. When you do this, the Oracle Universal Installer automatically installs SSL libraries and Oracle Wallet Manager on your computer. Oracle Database platform-specific installation documentation See Also: Step 2: Configure Secure Sockets Layer on the Server During installation, Oracle sets defaults on both the Oracle database server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform these steps: ■ Step 2A: Confirm Wallet Creation on the Server ■ Step 2B: Specify the Database Wallet Location on the Server ■ Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional) ■ Step 2D: Set the Required SSL Version on the Server (Optional) ■ Step 2E: Set SSL Client Authentication on the Server (Optional) ■ Step 2F: Set SSL as an Authentication Service on the Server (Optional) ■ Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server Appendix B, "Authentication Parameters" for the dynamic parameter names See Also: Step 2A: Confirm Wallet Creation on the Server Before proceeding to the next step, you must confirm that a wallet has been created. To confirm that your wallet is ready, open it by using Oracle Wallet Manager. The wallet should contain a certificate with a status of Ready and auto login turned on. If auto login is not on, then select it from the Wallet menu and save the wallet again. This turns auto login on. See Also: ■ "Opening an Existing Wallet" on page 14-9 ■ "Creating a New Wallet" on page 14-8 ■ "Using Auto Login" on page 14-14 Step 2B: Specify the Database Wallet Location on the Server 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. Configuring Secure Sockets Layer Authentication 13-9 Enabling Secure Sockets Layer 4. Click the SSL tab and select Configure SSL for: Server. 5. In the Wallet Directory box, enter the directory in which the Oracle wallet is located or click Browse to find it by searching the file system. Note that if you are configuring the database-to-directory SSL connection for Enterprise User Security, then Database Configuration Assistant automatically creates a database wallet while registering the database with the directory. You must use that wallet to store the database PKI credentials for SSL-authenticated Enterprise User Security. Important: ■ ■ Use Oracle Wallet Manager to create the wallet. Refer to "Creating a New Wallet" on page 14-8. Use Oracle Net Manager to set the wallet location in the sqlnet.ora file. Ensure that you enter the same wallet location when you create it and when you set the location in the sqlnet.ora file. 6. From the File menu, select Save Network Configuration. The sqlnet.ora and listener.ora files are updated with the following entries: wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location))) Note: The listener uses the wallet defined in the listener.ora file. It can use any database wallet. When SSL is configured for a server using Net Manager, the wallet location is entered into the listener.ora and the sqlnet.ora files. The listener.ora file is not relevant to the Oracle client. To change the listener wallet location so that the listener has its own wallet, you can edit listener.ora to enter the new location. Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional) This section contains: ■ About the Secure Sockets Layer Cipher Suites ■ Supported Secure Sockets Layer Cipher Suites ■ Specifying Secure Sockets Cipher Suites for the Database Server About the Secure Sockets Layer Cipher Suites A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth. When you install Oracle Advanced Security, the SSL cipher suites listed in Table 13–1 are set for you by default and negotiated in the order they are listed. You can override the default order by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_3DES_EDE_CBC_SHA, all other cipher suites in the default setting are ignored. 13-10 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following: ■ ■ ■ ■ Compatibility. Server and client must be configured to use compatible cipher suites for a successful connection. Cipher priority and strength. Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible. The level of security you want to use. For example, triple-DES encryption is stronger than DES The impact on performance. For example, triple-DES encryption is slower than DES. Notes: Regarding Diffie-Hellman anonymous authentication: 1. If you set the server to employ this cipher suite, then you must also set the same cipher suite on the client. Otherwise, the connection fails. 2. If you use a cipher suite employing Diffie-Hellman anonymous, then you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. For more information, refer to "Step 2E: Set SSL Client Authentication on the Server (Optional)" on page 13-13. Supported Secure Sockets Layer Cipher Suites Table 13–1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. The following table also lists the authentication, encryption, and data integrity types each cipher suite uses. Table 13–1 SSL Cipher Suites Cipher Suites Authentication Encryption Data Integrity SSL_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES EDE CBC SHA-1 SSL_RSA_WITH_AES_128_CBC_SHA1 RSA AES 128 CBC SHA-1 SSL_RSA_WITH_AES_256_CBC_SHA1 RSA AES 256 CBC SHA-1 1 AES ciphers work with Transport Layer Security (TLS 1.0) only Specifying Secure Sockets Cipher Suites for the Database Server 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the SSL tab and then select Configure SSL for: Server. 5. In the Cipher Suite Configuration area, click Add. Configuring Secure Sockets Layer Authentication 13-11 Enabling Secure Sockets Layer A dialog box displays available cipher suites. To see the US domestic cipher suites, click the Show US Domestic Cipher Suits check box. 6. Select a suite and click OK. The Cipher Suite Configuration list is updated: 7. Use the up and down arrows to prioritize the cipher suites. 8. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 2D: Set the Required SSL Version on the Server (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora or the listener.ora file. This parameter defines the version of SSL that must run on the systems with which the server communicates. You can require these systems to use any valid version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window. To set the SSL version for the server: 1. In the Require SSL Version list, the default is Any. Accept this default or select the SSL version you want to use. 2. Select File, Save Network Configuration. If you chose Any, then the sqlnet.ora file is updated with the following entry: SSL_VERSION=UNDETERMINED Note: SSL 2.0 is not supported on the server side. 13-12 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer Oracle Database Net Services Reference for a full list of SSL_ VERSION values See Also: Step 2E: Set SSL Client Authentication on the Server (Optional) The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE. You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or RADIUS. There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client. Note: To set SSL_CLIENT_AUTHENTICATION to FALSE on the server: 1. In the SSL page Oracle Net Manager, deselect Require Client Authentication. 2. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CLIENT_AUTHENTICATION=FALSE Oracle Database Net Services Reference for a full list of SSL_ CLIENT_AUTHENTICATION values See Also: Configuring Secure Sockets Layer Authentication 13-13 Enabling Secure Sockets Layer Step 2F: Set SSL as an Authentication Service on the Server (Optional) The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service. Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos. To set the SQLNET.AUTHENTICATION_SERVICES parameter on the server, add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows: SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter. See Also: Oracle Database Net Services Reference for a full list of AUTHENTICATION_SERVICES values Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora file. Oracle recommends using port number 2484 for typical Oracle Net clients. See Also: ■ ■ Oracle Database Net Services Administrator's Guide for detailed information about configuring the listener.ora file "Certificate Validation with Certificate Revocation Lists" on page 13-24 for information about configuring your system to validate certificates with certificate revocation lists Step 3: Configure Secure Sockets Layer on the Client To configure SSL on the client: ■ Step 3A: Confirm Client Wallet Creation ■ Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client ■ Step 3C: Specify Required Client SSL Configuration (Wallet Location) ■ Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional) ■ Step 3E: Set the Required SSL Version on the Client (Optional) ■ Step 3F: Set SSL as an Authentication Service on the Client (Optional) Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional) Appendix B, "Authentication Parameters" for the dynamic parameter names See Also: Step 3A: Confirm Client Wallet Creation Before proceeding to the next step, you must confirm that a wallet has been created on the client and that the client has a valid certificate. 13-14 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer Oracle recommends that you use Oracle Wallet Manager to remove the trusted certificate in your Oracle wallet associated with each certificate authority that you do not use. Note: See Also: ■ ■ ■ Chapter 14, "Using Oracle Wallet Manager", for general information about wallets "Opening an Existing Wallet" on page 14-9, for information about opening an existing wallet "Creating a New Wallet" on page 14-8, for information about creating a new wallet Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client This section contains: ■ About Configuring the Server DNS and Using TCP/IP with SSL on the Client ■ Configuring the Server DNS and Using TCP/IP with SSL on the Client About Configuring the Server DNS and Using TCP/IP with SSL on the Client Next, you are ready to configure the Oracle Net Service name to include the server DNs and to use TCP/IP with SSL on the client. You must specify the server's distinguished name (DN) and TCPS as the protocol in the client network configuration files to enable server DN matching and TCP/IP with SSL connections. Server DN matching prevents the database server from faking its identity to the client during connections by matching the server's global database name against the DN from the server certificate. You must manually edit the client network configuration files, tnsnames.ora and listener.ora, to specify the server's DN and the TCP/IP with SSL protocol. The tnsnames.ora file can be located on the client or in the LDAP directory. If it is located on the client, then it typically resides in the same directory as the listener.ora file. Depending on the operating system, these files reside in the following directory locations: ■ (UNIX) $ORACLE_HOME/network/admin/ ■ (Windows) ORACLE_BASE\ORACLE_HOME\network\admin\ Configuring the Server DNS and Using TCP/IP with SSL on the Client 1. In the client tnsnames.ora file, add the SSL_SERVER_CERT_DN parameter and specify the database server's DN as follows: (SECURITY= (SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme")) The client uses this information to obtain the list of DNs it expects for each of the servers, enforcing the server's DN to match its service name. Example 13–1 shows an entry for the Finance database in the tnsnames.ora file. Alternatively, the administrator can ensure that the common name (CN) portion of the server's DN matches the service name. 2. In the client tnsnames.ora file, enter tcps as the PROTOCOL in the ADDRESS parameter. This specifies that the client will use TCP/IP with SSL to connect to the Configuring Secure Sockets Layer Authentication 13-15 Enabling Secure Sockets Layer database that is identified in the SERVICE_NAME parameter. Example 13–1 also shows an entry that specifies TCP/IP with SSL as the connecting protocol in the tnsnames.ora file. 3. In the listener.ora file, enter tcps as the PROTOCOL in the ADDRESS parameter. Example 13–2 shows an entry that specifies TCP/IP with SSL as the protocol. Example 13–1 Sample tnsnames.ora File with Server Certificate DN and TCP/IP with SSL Specified finance= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS= (PROTOCOL = tcps) (HOST = finance_server) (PORT = 1575))) (CONNECT_DATA= (SERVICE_NAME= Finance.us.example.com)) (SECURITY= (SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme")) Example 13–2 Sample listener.ora File with TCP/IP with SSL Specified as the Protocol LISTENER= (DESCRIPTION_LIST= (DESCRIPTION= (ADDRESS= (PROTOCOL = tcps) (HOST = finance_server) (PORT = 1575)))) Step 3C: Specify Required Client SSL Configuration (Wallet Location) 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the SSL tab. 5. Select Configure SSL for: Client. 13-16 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer 6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click Browse to find it by searching the file system. 7. From the Match server X.509 name list, select one of the following options: ■ Yes: Requires that the server's distinguished name (DN) match its service name. SSL ensures that the certificate is from the server and connections succeed only if there is a match. This check can be made only when RSA ciphers are selected, which is the default setting. ■ ■ No (default): SSL checks for a match between the DN and the service name, but does not enforce it. Connections succeed regardless of the outcome but an error is logged if the match fails. Let Client Decide: Enables the default. The following alert is displayed when you select No: Security Alert Not enforcing the server X.509 name match allows a server to potentially fake its identity. Oracle recommends selecting YES for this option so that connections are refused when there is a mismatch. 8. From the File menu, select Save Network Configuration. The sqlnet.ora file on the client is updated with the following entries: SSL_CLIENT_AUTHENTICATION =TRUE wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location))) SSL_SERVER_DN_MATCH=(ON/OFF) Configuring Secure Sockets Layer Authentication 13-17 Enabling Secure Sockets Layer See Also: For information about the server match parameters: ■ "SSL X.509 Server Match Parameters" on page B-8 For information about using Oracle Net Manager to configure TCP/IP with SSL: ■ Oracle Database Net Services Administrator's Guide ■ Oracle Database Net Services Reference Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional) This section contains: ■ About Setting the Client Secure Sockets Layer Cipher Suites ■ Setting the Client Secure Sockets Layer Cipher Suites About Setting the Client Secure Sockets Layer Cipher Suites A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth. When you install Oracle Advanced Security, the SSL cipher suites listed in Table 13–1 are set for you by default. This table lists them in the order they are tried when two entities are negotiating a connection. You can override the default by setting the SSL_ CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_3DES_EDE_CBC_SHA, all other cipher suites in the default setting are ignored. You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following: ■ ■ ■ The level of security you want to use. For example, triple-DES encryption is stronger than DES. The impact on performance. For example, triple-DES encryption is slower than DES. Refer to "Configuring Your System to Use Hardware Security Modules" on page 13-34 for information about using SSL hardware accelerators with Oracle Advanced Security. Administrative requirements. The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication, which disallows the exchange of certificates. You typically prioritize cipher suites starting with the strongest and moving to the weakest. Table 13–1 on page 13-11 lists the SSL cipher suites that are supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. The table also lists the authentication, encryption, and data integrity types each cipher suite uses. 13-18 Oracle Database Advanced Security Administrator's Guide Enabling Secure Sockets Layer Note: If the SSL_CLIENT_AUTHENTICATION parameter is set to true in the sqlnet.ora file, then disable all cipher suites that use Diffie-Hellman anonymous authentication. Otherwise, the connection fails. Setting the Client Secure Sockets Layer Cipher Suites 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the SSL tab. 5. In the Cipher Suite Configuration region, click Add. A dialog box displays available cipher suites. 6. Select a suite and click OK. The Cipher Suite Configuration list is updated as follows: 7. Use the up and down arrows to prioritize the cipher suites. 8. Select File, Save Network Configuration. The sqlnet.ora file is updated with the following entry: Configuring Secure Sockets Layer Authentication 13-19 Enabling Secure Sockets Layer SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2]) Step 3E: Set the Required SSL Version on the Client (Optional) You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use any valid version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window. When Any is selected, TLS 1.0 is tried first, then SSL 3.0, and SSL 2.0 are tried in that order. Ensure that the client SSL version is compatible with the version the server uses. To set the required SSL version for the client: 1. In the Require SSL Version list, the default setting is Any. Accept this default or select the SSL version you want to configure. 2. Select File, Save Network Configuration. The sqlnet.ora file is updated. If you selected Any, then it is updated with the following entry: SSL_VERSION=UNDETERMINED Oracle Database Net Services Reference for a full list of SSL_ VERSION values See Also: Step 3F: Set SSL as an Authentication Service on the Client (Optional) The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service. Typically, the sqlnet.ora file is located in the same directory as the other network configuration files. Depending on the platform, the sqlnet.ora file is in the following directory location: ■ (UNIX) $ORACLE_HOME/network/admin ■ (Windows) ORACLE_BASE\ORACLE_HOME\network\admin\ Set the SQLNET.AUTHENTICATION_SERVICES parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Database. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using RADIUS. To set the client SQLNET.AUTHENTICATION_SERVICES parameter, add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, then set this parameter as follows: SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter. Oracle Database Net Services Reference for a full list of AUTHENTICATION_SERVICES values See Also: Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional) The SQLNET.SSL_EXTENDED_KEY_USAGE parameter in the sqlnet.ora file specifies which certificate to use in authenticating to the database server. Typically, the 13-20 Oracle Database Advanced Security Administrator's Guide Troubleshooting Secure Sockets Layer sqlnet.ora file is located in the same directory as the other network configuration files. Depending on the platform, the sqlnet.ora file is in one of the following directory locations: ■ (UNIX) $ORACLE_HOME/network/admin ■ (Windows) ORACLE_BASE\ORACLE_HOME\network\admin\ Set the SQLNET.SSL_EXTENDED_KEY_USAGE parameter if you have multiple certificates in the security module, but there is only one certificate with extended key usage field of client authentication, and this certificate is exactly the one you want to use to authenticate to the database. For example, use this parameter if you have multiple certificates in a smart card, only one of which has an extended key usage field of client authentication, and you want to use this certificate C to authenticate to the database. By setting this parameter on a Windows client to client authentication, the MSCAPI certificate selection box will not appear, and the certificate C is automatically used for the SSL authentication of the client to the server. To set the client SQLNET.SSL_EXTENDED_KEY_USAGE parameter, edit the sqlnet.ora file to have the following line: SQLNET.SSL_EXTENDED_KEY_USAGE = "client authentication" If you do not want to use the certificate filtering, then remove the SQLNET.SSL_ EXTENDED_KEY_USAGE parameter setting from the sqlnet.ora file. Oracle Database Net Services Reference for a full list of SSL_ EXTENDED_KEY_USAGE values See Also: Step 4: Log on to the Database Instance If you are using SSL authentication for the client (SSL_CLIENT_AUTHENTICATION=true in the sqlnet.ora file), then launch SQL*Plus and enter the following: CONNECT/@net_service_name If you are not using SSL authentication (SSL_CLIENT_AUTHENTICATION=false in the sqlnet.ora file), then launch SQL*Plus and enter the following: CONNECT username@net_service_name Enter password: password "Certificate Validation with Certificate Revocation Lists" on page 13-24 for information about configuring the client for certificate validation with certificate revocation lists See Also: Troubleshooting Secure Sockets Layer The following section lists the most common errors you may receive while using the Oracle Advanced Security SSL adapter. It may be necessary to enable Oracle Net tracing to determine the cause of an error. For information about setting tracing parameters to enable Oracle Net tracing, refer to Oracle Database Net Services Administrator's Guide. ORA-28759: Failure to Open File Cause: The system could not open the specified file. Typically, this error occurs because the wallet cannot be found. Action: Check the following: Configuring Secure Sockets Layer Authentication 13-21 Troubleshooting Secure Sockets Layer ■ ■ ■ Ensure that the correct wallet location is specified in the sqlnet.ora file. This should be the same directory location where you saved the wallet. Enable Oracle Net tracing to determine the name of the file that cannot be opened and the reason. Ensure that auto login was enabled when you saved the wallet. Refer to "Using Auto Login" on page 14-14 ORA-28786: Decryption of Encrypted Private Key Failure Cause: An incorrect password was used to decrypt an encrypted private key. Frequently, this happens because an auto login wallet is not being used. Action: Use Oracle Wallet Manager to turn the auto login feature on for the wallet. Then save the wallet again. Refer to, "Using Auto Login" on page 14-14. If the auto login feature is not being used, then enter the correct password. ORA-28858: SSL Protocol Error Cause: This is a generic error that can occur during SSL handshake negotiation between two processes. Action: Enable Oracle Net tracing and attempt the connection again to produce trace output. Then contact Oracle customer support with the trace output. ORA-28859 SSL Negotiation Failure Cause: An error occurred during the negotiation between two processes as part of the SSL protocol. This error can occur when two sides of the connection do not support a common cipher suite. Action: Check the following: ■ ■ Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match, or are compatible. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail. Use Oracle Net Manager to check what cipher suites are configured on the client and the server, and ensure that compatible cipher suites are set on both. If the error still persists, then enable Oracle Net tracing and attempt the connection again. Contact Oracle customer support with the trace output. "Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)" on page 13-18 for details about setting compatible cipher suites on the client and the server See Also: If you do not configure any cipher suites, then all available cipher suites are enabled. Note: ORA-28862: SSL Connection Failed Cause: This error occurred because the peer closed the connection. Action: Check the following: ■ ■ Ensure that the correct wallet location is specified in the sqlnet.ora file so the system can find the wallet. Use Oracle Net Manager to ensure that cipher suites are set correctly in the sqlnet.ora file. Sometimes this error occurs because the sqlnet.ora has been 13-22 Oracle Database Advanced Security Administrator's Guide Troubleshooting Secure Sockets Layer manually edited and the cipher suite names are misspelled. Ensure that case sensitive string matching is used with cipher suite names. ■ ■ Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match or are compatible. Sometimes this error occurs because the SSL version specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail. For more diagnostic information, enable Oracle Net tracing on the peer. ORA-28865: SSL Connection Closed Cause: The SSL connection closed because of an error in the underlying transport layer, or because the peer process quit unexpectedly. Action: Check the following: ■ ■ ■ ■ Use Oracle Net Manager to ensure that the SSL versions on both the client and the server match, or are compatible. Sometimes this error occurs because the SSL version specified on the server and client do not match. For example, if the server accepts only SSL 3.0 and the client accepts only TLS 1.0, then the SSL connection will fail. If you are using a Diffie-Hellman anonymous cipher suite and the SSL_ CLIENT_AUTHENTICATION parameter is set to true in the server's listener.ora file, then the client does not pass its certificate to the server. When the server does not receive the client's certificate, it (the server) cannot authenticate the client so the connection is closed. To resolve this use another cipher suite, or set this listener.ora parameter to false. Enable Oracle Net tracing and check the trace output for network errors. For details, refer to Actions listed for "ORA-28862: SSL Connection Failed" on page 13-22 ORA-28868: Peer Certificate Chain Check Failed Cause: When the peer presented the certificate chain, it was checked and that check failed. This failure can be caused by a number of problems, including: ■ ■ ■ One of the certificates in the chain has expired. A certificate authority for one of the certificates in the chain is not recognized as a trust point. The signature in one of the certificates cannot be verified. Action: Refer to, "Opening an Existing Wallet" on page 14-9 to use Oracle Wallet Manager to open your wallet and check the following: ■ ■ Ensure that all of the certificates installed in your wallet are current (not expired). Ensure that a certificate authority's certificate from your peer's certificate chain is added as a trusted certificate in your wallet. Refer to, "Importing a Trusted Certificate" on page 14-21 to use Oracle Wallet Manager to import a trusted certificate. ORA-28885: No certificate with the required key usage found. Cause: Your certificate was not created with the appropriate X.509 version 3 key usage extension. Action: Use Oracle Wallet Manager to check the certificate's key usage. Refer to, Table 14–1, " KeyUsage Values" on page 14-4. Configuring Secure Sockets Layer Authentication 13-23 Certificate Validation with Certificate Revocation Lists ORA-29024: Certificate Validation Failure Cause: The certificate sent by the other side could not be validated. This may occur if the certificate has expired, has been revoked, or is invalid for any other reason. Action: Check the following: ■ ■ ■ Check the certificate to determine whether it is valid. If necessary, get a new certificate, inform the sender that her certificate has failed, or resend. Check to ensure that the server's wallet has the appropriate trust points to validate the client's certificate. If it does not, then use Oracle Wallet Manager to import the appropriate trust point into the wallet. Refer to, "Importing a Trusted Certificate" on page 14-21 for details. Ensure that the certificate has not been revoked and that certificate revocation list (CRL) checking is turned on. For details, refer to "Configuring Certificate Validation with Certificate Revocation Lists" on page 13-26 ORA-29223: Cannot Create Certificate Chain Cause: A certificate chain cannot be created with the existing trust points for the certificate being installed. Typically, this error is returned when the peer does not give the complete chain and you do not have the appropriate trust points to complete it. Action: Use Oracle Wallet Manager to install the trust points that are required to complete the chain. Refer to,"Importing a Trusted Certificate" on page 14-21 Certificate Validation with Certificate Revocation Lists This section contains: ■ About Certificate Validation with Certificate Revocation Lists ■ What CRLs Should You Use? ■ How CRL Checking Works ■ Configuring Certificate Validation with Certificate Revocation Lists ■ Certificate Revocation List Management ■ Troubleshooting Certificate Validation About Certificate Validation with Certificate Revocation Lists The process of determining whether a given certificate can be used in a given context is referred to as certificate validation. Certificate validation includes determining that ■ ■ A trusted certificate authority (CA) has digitally signed the certificate The certificate's digital signature corresponds to the independently-calculated hash value of the certificate itself and the certificate signer's (CA's) public key ■ The certificate has not expired ■ The certificate has not been revoked The SSL network layer automatically performs the first three validation checks, but you must configure certificate revocation list (CRL) checking to ensure that certificates have not been revoked. CRLs are signed data structures that contain a list of revoked certificates. They are usually issued and signed by the same entity who issued the original certificate. (See certificate revocation lists.) 13-24 Oracle Database Advanced Security Administrator's Guide Certificate Validation with Certificate Revocation Lists What CRLs Should You Use? You should have CRLs for all of the trust points that you honor. The trust points are the trusted certificates from a third party identity that is qualified with a level of trust. Typically, the certificate authorities you trust are called trust points. How CRL Checking Works Certificate revocation status is checked against CRLs, which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. Typically, CRL definitions are valid for a few days. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use CRL DPs then CRLs are downloaded each time a certificate is used, so there is no need to regularly refresh the CRLs. The server searches for CRLs in the following locations in the order listed. When the system finds a CRL that matches the certificate CA's DN, it stops searching. 1. Local file system The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first, followed by the SSL_CRL_PATH parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs. Note: Note: if you store CRLs on your local file system, then you must use the orapki utility to periodically update them. Fro more information, refer to "Renaming CRLs with a Hash Value for Certificate Validation" on page 13-29 2. Oracle Internet Directory If the server cannot locate the CRL on the local file system and directory connection information has been configured in an ldap.ora file, then the server searches in the directory. It searches the CRL subtree by using the CA's distinguished name (DN) and the DN of the CRL subtree. The server must have a properly configured ldap.ora file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. Also note that if you store CRLs in the directory, then you must use the orapki utility to periodically update them. For details, refer to "Uploading CRLs to Oracle Internet Directory" on page 13-30 3. CRL DP If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the appropriate CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Advanced Security supports downloading CRLs over HTTP and LDAP. Note: ■ ■ For performance reasons, only user certificates are checked. Oracle recommends that you store CRLs in the directory rather than the local file system. Configuring Secure Sockets Layer Authentication 13-25 Certificate Validation with Certificate Revocation Lists Configuring Certificate Validation with Certificate Revocation Lists This section contains: ■ About Configuring Certificate Validation with Certificate Revocation Lists ■ Enabling Certificate Revocation Status Checking for the Client or Server ■ Disabling Certificate Revocation Status Checking "Troubleshooting Certificate Validation" on page 13-32 for information about resolving certificate validation errors. See Also: About Configuring Certificate Validation with Certificate Revocation Lists The SSL_CERT_REVOCATION parameter must be set to REQUIRED or REQUESTED in the sqlnet.ora file to enable certificate revocation status checking. By default this parameter is set to NONE indicating that certificate revocation status checking is turned off. If you want to store CRLs on your local file system or in Oracle Internet Directory, then you must use the command line utility, orapki, to rename CRLs in your file system or upload them to the directory. Refer to, "Certificate Revocation List Management" on page 13-28 for information about using orapki. Note: Enabling Certificate Revocation Status Checking for the Client or Server 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the SSL tab. 5. Select one of the following options from the Revocation Check list: 13-26 Oracle Database Advanced Security Administrator's Guide Certificate Validation with Certificate Revocation Lists ■ REQUIRED Requires certificate revocation status checking. The SSL connection is rejected if a certificate is revoked or no CRL is found. SSL connections are accepted only if it can be verified that the certificate has not been revoked. ■ REQUESTED Performs certificate revocation status checking if a CRL is available. The SSL connection is rejected if a certificate is revoked. SSL connections are accepted if no CRL is found or if the certificate has not been revoked. For performance reasons, only user certificates are checked for revocation. 6. (Optional) If CRLs are stored on your local file system, then set one or both of the following fields that specify where they are stored. These fields are available only when Revocation Check is set to REQUIRED or REQUESTED. – Certificate Revocation Lists Path: Enter the path to the directory where CRLs are stored or click Browse to find it by searching the file system. Specifying this path sets the SSL_CRL_PATH parameter in the sqlnet.ora file. If a path is not specified for this parameter, then the default is the wallet directory. Both DER-encoded (binary format) and PEM-encoded (BASE64) CRLs are supported. – Certificate Revocation Lists File: Enter the path to a comprehensive CRL file (where PEM-encoded (BASE64) CRLs are concatenated in order of preference in one file) or click Browse to find it by searching the file system. Specifying this file sets the SSL_CRL_FILE parameter in the sqlnet.ora file. If this parameter is set, then the file must be present in the specified location, or else the application will error out during startup. If you want to store CRLs in a local file system directory by setting the Certificate Revocation Lists Path, then you must use the orapki utility to Configuring Secure Sockets Layer Authentication 13-27 Certificate Validation with Certificate Revocation Lists rename them so the system can locate them. See "Renaming CRLs with a Hash Value for Certificate Validation" on page 13-29 for more information. 7. (Optional) If CRLs are fetched from Oracle Internet Directory, then directory server and port information must be specified in an ldap.ora file. When configuring your ldap.ora file, you should specify only a non-SSL port for the directory. CRL download is done as part of the SSL protocol, and making an SSL connection within an SSL connection is not supported. Oracle Advanced Security CRL functionality will not work if the Oracle Internet Directory non-SSL port is disabled. 8. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated. Disabling Certificate Revocation Status Checking 1. Start Oracle Net Manager. ■ (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line: netmgr ■ (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager. 2. Expand Oracle Net Configuration, and from Local, select Profile. 3. From the Naming list, select Network Security. The Network Security tabbed window appears. 4. Select the SSL tab. 5. Select NONE from the Revocation Check list. 6. From the File menu, select Save Network Configuration. The sqlnet.ora file is updated with the following entry: SSL_CERT_REVOCATION=NONE Certificate Revocation List Management This section contains: ■ About Certificate Revocation Management ■ Displaying orapki Help for Commands That Manage CRLs ■ Renaming CRLs with a Hash Value for Certificate Validation ■ Uploading CRLs to Oracle Internet Directory ■ Listing CRLs Stored in Oracle Internet Directory ■ Viewing CRLs in Oracle Internet Directory ■ Deleting CRLs from Oracle Internet Directory About Certificate Revocation Management Before you can enable certificate revocation status checking, you must ensure that the CRLs you receive from the CAs you use are in a form (renamed with a hash value) or 13-28 Oracle Database Advanced Security Administrator's Guide Certificate Validation with Certificate Revocation Lists in a location (uploaded to the directory) where your computer can use them. Oracle Advanced Security provides a command-line utility, orapki, that you can use to perform the tasks described in this section. You can also use LDAP command-line tools to manage CRLs in Oracle Internet Directory. CRLs must be updated at regular intervals (before they expire) for successful validation. You can automate this task by using orapki commands in a script. Note: Displaying orapki Help for Commands That Manage CRLs You can display all the orapki commands that are available for managing CRLs by entering the following at the command line: orapki crl help This command displays all available CRL management commands and their options. Note: Using the -summary, -complete, or -wallet command options is always optional. A command will still run if these command options are not specified. Renaming CRLs with a Hash Value for Certificate Validation When the system validates a certificate, it must locate the CRL issued by the CA who created the certificate. The system locates the appropriate CRL by matching the issuer name in the certificate with the issuer name in the CRL. When you specify a CRL storage location for the Certificate Revocation Lists Path field in Oracle Net Manager, which sets the SSL_CRL_PATH parameter in the sqlnet.ora file, use the orapki utility to rename CRLs with a hash value that represents the issuer's name. Creating the hash value enables the server to load the CRLs. On UNIX operating systems, orapki creates a symbolic link to the CRL. On Windows operating systems, it creates a copy of the CRL file. In either case, the symbolic link or the copy created by orapki are named with a hash value of the issuer's name. Then when the system validates a certificate, the same hash function is used to calculate the link (or copy) name so the appropriate CRL can be loaded. Depending on the operating system, enter one of the following commands to rename CRLs stored in the file system. To rename CRLs stored in UNIX file systems: orapki crl hash -crl crl_filename [-wallet wallet_location] -symlink crl_directory [-summary] To rename CRLs stored in Windows file systems: orapki crl hash -crl crl_filename [-wallet wallet_location] -copy crl_directory [-summary] In this specification, crl_filename is the name of the CRL file, wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL, and crl_directory is the directory where the CRL is located. Configuring Secure Sockets Layer Authentication 13-29 Certificate Validation with Certificate Revocation Lists Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to renaming the CRL. Specifying the -summary option causes the tool to display the CRL issuer's name. Uploading CRLs to Oracle Internet Directory Publishing CRLs in the directory enables CRL validation throughout your enterprise, eliminating the need for individual applications to configure their own CRLs. All applications can use the CRLs stored in the directory where they can be centrally managed, greatly reducing the administrative overhead of CRL management and use. The user who uploads CRLs to the directory by using orapki must be a member of the directory group CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%). This is a privileged operation because these CRLs are accessible to the entire enterprise. Contact your directory administrator to get added to this administrative directory group. To upload CRLs to the directory, enter the following at the command line: orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary] In this specification, crl_location is the file name or URL where the CRL is located, hostname and ssl_port (SSL port with no authentication) are for the system on which your directory is installed, username is the directory user who has permission to add CRLs to the CRL subtree, and wallet_location is the location of a wallet that contains the certificate of the CA that issued the CRL. Using -wallet and -summary are optional. Specifying -wallet causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. Specifying the -summary option causes the tool to print the CRL issuer's name and the LDAP entry where the CRL is stored in the directory. The following example illustrates uploading a CRL with the orapki utility: orapki crl upload -crl /home/user1/wallet/crldir/crl.txt -ldap host1.example.com:3533 -user cn=orcladmin Note: ■ ■ The orapki utility will prompt you for the directory password when you perform this operation. Ensure that you specify the directory SSL port on which the Diffie-Hellman-based SSL server is running. This is the SSL port that does not perform authentication. Neither the server authentication nor the mutual authentication SSL ports are supported by the orapki utility. Listing CRLs Stored in Oracle Internet Directory You can display a list of all CRLs stored in the directory with orapki, which is useful for browsing to locate a particular CRL to view or download to your local computer. This command displays the CA who issued the CRL (Issuer) and its location (DN) in the CRL subtree of your directory. To list CRLs in Oracle Internet Directory, enter the following at the command line: orapki crl list -ldap hostname:ssl_port 13-30 Oracle Database Advanced Security Administrator's Guide Certificate Validation with Certificate Revocation Lists where the hostname and ssl_port are for the system on which your directory is installed. Note that this is the directory SSL port with no authentication as described in the preceding section. Viewing CRLs in Oracle Internet Directory You can view specific CRLs that are stored in Oracle Internet Directory in a summarized format or you can request a complete listing of revoked certificates for the specified CRL. A summary listing provides the CRL issuer's name and its validity period. A complete listing provides a list of all revoked certificates contained in the CRL. To view a summary listing of a CRL in Oracle Internet Directory, enter the following at the command line: orapki crl display -crl crl_location [-wallet wallet_location] -summary where crl_location is the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. Refer to, "Listing CRLs Stored in Oracle Internet Directory" on page 13-30. To view a list of all revoked certificates contained in a specified CRL, which is stored in Oracle Internet Directory, enter the following at the command line: orapki crl display -crl crl_location [-wallet wallet_location] -complete For example, the following orapki command: orapki crl display -crl $T_WORK/pki/wlt_crl/nzcrl.txt -wallet $T_WORK/pki/wlt_crl -complete produces the following output, which lists the CRL issuer's DN, its publication date, date of its next update, and the revoked certificates it contains: issuer = CN=root,C=us, thisUpdate = Sun Nov 16 10:56:58 PST 2003, nextUpdate = Mon Sep 30 11:56:58 PDT 2013, revokedCertificates = {(serialNo = 153328337133459399575438325845117876415, revocationDate - Sun Nov 16 10:56:58 PST 2003)} CRL is valid Using the -wallet option causes the orapki crl display command to validate the CRL against the CA's certificate. Depending on the size of your CRL, choosing the -complete option may take a long time to display. You can also use Oracle Directory Manager, a graphical user interface tool that is provided with Oracle Internet Directory, to view CRLs in the directory. CRLs are stored in the following directory location: cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext Deleting CRLs from Oracle Internet Directory The user who deletes CRLs from the directory by using orapki must be a member of the directory group CRLAdmins. Refer to "Uploading CRLs to Oracle Internet Directory" on page 13-30 for information about this directory administrative group. To delete CRLs from the directory, enter the following at the command line: orapki crl delete -issuer issuer_name -ldap host:ssl_port -user username [-summary] Configuring Secure Sockets Layer Authentication 13-31 Certificate Validation with Certificate Revocation Lists where issuer_name is the name of the CA who issued the CRL, the hostname and ssl_ port are for the system on which your directory is installed, and username is the directory user who has permission to delete CRLs from the CRL subtree. Ensure that this must be a directory SSL port with no authentication. Refer to, "Uploading CRLs to Oracle Internet Directory" on page 13-30 for more information about this port. Using the -summary option causes the tool to print the CRL LDAP entry that was deleted. For example, the following orapki command: orapki crl delete -issuer "CN=root,C=us" -ldap machine1:3500 -user cn=orcladmin -summary produces the following output, which lists the location of the deleted CRL in the directory: Deleted CRL at cn=root cd45860c.rN,cn=CRLValidation,cn=Validation,cn=PKI,cn=Products,cn=OracleContext Troubleshooting Certificate Validation To determine whether certificates are being validated against CRLs, you can enable Oracle Net tracing. When a revoked certificate is validated by using CRLs, then you will see the following entries in the Oracle Net tracing file without error messages logged between entry and exit: nzcrlVCS_VerifyCRLSignature: entry nzcrlVCS_VerifyCRLSignature: exit nzcrlVCD_VerifyCRLDate: entry nzcrlVCD_VerifyCRLDate: exit nzcrlCCS_CheckCertStatus: entry nzcrlCCS_CheckCertStatus: Certificate is listed in CRL nzcrlCCS_CheckCertStatus: exit Note that when certificate validation fails, the peer in the SSL handshake sees an ORA-29024: Certificate Validation Failure. If this message displays, refer to "ORA-29024: Certificate Validation Failure" on page 13-24 for information about how to resolve the error. Note: See Also: Oracle Database Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing Oracle Net Tracing File Error Messages Associated with Certificate Validation The following trace messages, relevant to certificate validation, may be logged between the entry and exit entries in the Oracle Net tracing file. Oracle SSL looks for CRLs in multiple locations, so there may be multiple errors in the trace. Check the following list of possible error messages for information about how to resolve them. CRL signature verification failed with RSA status Cause: The CRL signature cannot be verified. 13-32 Oracle Database Advanced Security Administrator's Guide Certificate Validation with Certificate Revocation Lists Action: Ensure that the downloaded CRL is issued by the peer's CA and that the CRL was not corrupted when it was downloaded. Note that the orapki utility verifies the CRL before renaming it with a hash value or before uploading it to the directory. "Certificate Revocation List Management" on page 13-28 for information about using orapki for CRL management See Also: CRL date verification failed with RSA status Cause: The current time is later than the time listed in the next update field. You should not see this error if CRL DP is used. The systems searches for the CRL in the following order: 1. File system 2. Oracle Internet Directory 3. CRL DP The first CRL found in this search may not be the latest. Action: Update the CRL with the most recent copy. CRL could not be found Cause: The CRL could not be found at the configured locations. This will return error ORA-29024 if the configuration specifies that certificate validation is require. Action: Ensure that the CRL locations specified in the configuration are correct by performing the following steps: 1. Use Oracle Net Manager to check if the correct CRL location is configured. Refer to "Configuring Certificate Validation with Certificate Revocation Lists" on page 13-26 2. If necessary, use the orapki utility to configure CRLs for system use as follows: – For CRLs stored on your local file system, refer to "Renaming CRLs with a Hash Value for Certificate Validation" on page 13-29 – CRLs stored in the directory, refer to "Uploading CRLs to Oracle Internet Directory" on page 13-30 Oracle Internet Directory host name or port number not set Cause: Oracle Internet Directory connection information is not set. Note that this is not a fatal error. The search continues with CRL DP. Action: If you want to store the CRLs in Oracle Internet Directory, then use Oracle Net Configuration Assistant to create and configure an ldap.ora file for your Oracle home. Fetch CRL from CRL DP: No CRLs found Cause: The CRL could not be fetched by using the CRL Distribution Point (CRL DP). This happens if the certificate does not have a location specified in its CRL DP extension, or if the URL specified in the CRL DP extension is incorrect. Action: Ensure that your certificate authority publishes the CRL to the URL that is specified in the certificate's CRL DP extension. Manually download the CRL. Then depending on whether you want to store it on your local file system or in Oracle Internet Directory, perform the following steps: Configuring Secure Sockets Layer Authentication 13-33 Configuring Your System to Use Hardware Security Modules If you want to store the CRL on your local file system: 1. Use Oracle Net Manager to specify the path to the CRL directory or file. Refer to "Configuring Certificate Validation with Certificate Revocation Lists" on page 13-26 2. Use the orapki utility to configure the CRL for system use. Refer to "Renaming CRLs with a Hash Value for Certificate Validation" on page 13-29 If you want to store the CRL in Oracle Internet Directory: 1. Use Oracle Net Configuration Assistant to create and configure an ldap.ora file with directory connection information. 2. Use the orapki utility to upload the CRL to the directory. Refer to "Uploading CRLs to Oracle Internet Directory" on page 13-30 Configuring Your System to Use Hardware Security Modules This section contains: ■ About Configuring Your System to Use Hardware Security Modules ■ Guidelines for Using Hardware Security Modules with Oracle Advanced Security ■ Configuring Your System to Use nCipher Hardware Security Modules ■ Configuring Your System to Use SafeNET Hardware Security Modules ■ Troubleshooting Using Hardware Security Modules About Configuring Your System to Use Hardware Security Modules Oracle Advanced Security supports hardware security modules that use APIs which conform to the RSA Security, Inc., PKCS #11 specification. Typically, these hardware devices are used to securely store and manage private keys in tokens or smart cards, or to accelerate cryptographic processing. Guidelines for Using Hardware Security Modules with Oracle Advanced Security The following general guidelines apply if you are using a hardware security module with Oracle Advanced Security: 1. Contact your hardware device vendor to obtain the necessary hardware, software, and PKCS #11 libraries. 2. Install the hardware, software, and libraries where appropriate for the hardware security module you are using. 3. Test your hardware security module installation to ensure that it is operating correctly. Refer to your device documentation for instructions. 4. Create a wallet of the type PKCS11 by using Oracle Wallet Manager and specify the absolute path to the PKCS #11 library (including the library name) if you wish to store the private key in the token. Oracle PKCS11 wallets contain information that points to the token for private key access. You can use the wallet containing PKCS #11 information just as you would use any Oracle wallet, except the private keys are stored on the hardware device and the cryptographic operations are performed on the device as well. 13-34 Oracle Database Advanced Security Administrator's Guide Configuring Your System to Use Hardware Security Modules "Creating a Wallet to Store Hardware Security Module Credentials" on page 14-8 See Also: Configuring Your System to Use nCipher Hardware Security Modules This section contains: ■ About Configuring Your System to Use nCipher Hardware Security Modules ■ Oracle Components Required To Use an nCipher Hardware Security Module ■ About Installing an nCipher Hardware Security Module About Configuring Your System to Use nCipher Hardware Security Modules Hardware security modules made by nCipher Corporation are certified to operate with Oracle Advanced Security. These modules provide a secure way to store keys and off-load cryptographic processing. Primarily, these devices provide the following benefits: ■ Off-load cryptographic processing that frees your server to respond to other requests ■ Secure private key storage on the device ■ Allow key administration through the use of smart cards You must contact your nCipher representative to obtain certified hardware and software to use with Oracle Advanced Security. Note: Oracle Components Required To Use an nCipher Hardware Security Module To use an nCipher hardware security module, you need the following components: ■ nCipher Hardware Security Module ■ Supporting nCipher PKCS #11 library The following platform-specific PKCS#11 library is required: – libcknfast.so library for UNIX 32-Bit – libcknfast-64.so library for UNIX 64-Bit – cknfast.dll library for Windows You must contact your nCipher representative to have the hardware security module or the secure accelerator installed, and to acquire the necessary library. Note: These tasks must be performed before you can use an nCipher hardware security module with Oracle Advanced Security. About Installing an nCipher Hardware Security Module To use the secure accelerator, you must provide the absolute path to the directory that contains the nCipher PKCS #11 library (including the library name) when you create the wallet by using Oracle Wallet Manager. This enables the library to be loaded at runtime. Typically, the nCipher card is installed at the following locations: ■ /opt/nfast for UNIX Configuring Secure Sockets Layer Authentication 13-35 Configuring Your System to Use Hardware Security Modules ■ C:\nfast for Windows The nCipher PKCS #11 library is located at the following location for typical installations: ■ /opt/nfast/toolkits/pkcs11/libcknfast.so for UNIX 32-Bit ■ /opt/nfast/toolkits/pkcs11/libcknfast-64.so for UNIX 64-Bit ■ C:\nfast\toolkits\pkcs11\cknfast.dll for Windows Use the 32-bit library version when using the 32-bit release of Oracle Database and use the 64-bit library version when using the 64-bit release of Oracle Database. For example, use the 64-bit nCipher PKCS #11 library for the Oracle Database for Solaris Operating System (SPARC 64-bit). Note: Configuring Your System to Use SafeNET Hardware Security Modules This section contains: ■ About Configuring Your System to Use SafeNet Hardware Security Modules ■ Oracle Components for the SafeNET Luna SA Hardware Security Module ■ About Installing a SafeNET Hardware Security Module About Configuring Your System to Use SafeNet Hardware Security Modules Hardware security modules made by SafeNET Incorporated are certified to operate with Oracle Advanced Security. These modules provide a secure way to store keys and off-load cryptographic processing. Primarily, these devices provide the following benefits: ■ ■ Off-load of cryptographic processing to free your server to respond to more requests Secure private key storage on the device You must contact your SafeNET representative to obtain certified hardware and software to use with Oracle Advanced Security. Note: Oracle Components for the SafeNET Luna SA Hardware Security Module To use a SafeNET Luna SA hardware security module, you must have the following components ■ SafeNET Luna SA Hardware Security Module ■ Supporting SafeNET Luna SA PKCS #11 library The following platform-specific PKCS#11 library is required: – libCryptoki2.so library for UNIX – cryptoki.dll library for Windows 13-36 Oracle Database Advanced Security Administrator's Guide Configuring Your System to Use Hardware Security Modules You must contact your SafeNET representative to have the hardware security module or the secure accelerator installed, and to acquire the necessary library. Note: These tasks must be performed before you can use a SafeNET hardware security module with Oracle Advanced Security. About Installing a SafeNET Hardware Security Module To use the secure accelerator, you must provide the absolute path to the directory that contains the SafeNET PKCS #11 library (including the library name) when you create the wallet using Oracle Wallet Manager. This enables the library to be loaded at runtime. Typically, the SafeNET Luna SA client is installed at the following location: ■ /usr/lunasa for UNIX ■ C:\Program Files\LunaSA for Windows The SafeNET Luna SA PKCS #11 library is located at the following location for typical installations: ■ /usr/lunasa/lib/libCryptoki2.so for UNIX ■ C:\Program Files\LunaSA\cryptoki2.dll for Windows Troubleshooting Using Hardware Security Modules This section contains: ■ Errors in the Oracle Net Trace Files ■ Error Messages Associated with Using Hardware Security Modules Errors in the Oracle Net Trace Files To detect whether the module is being used, you can turn on Oracle Net tracing. If the wallet contains PKCS #11 information and the private key on the module is being used, then you will see the following entries in the Oracle Net tracing file without error messages logged between entry and exit: nzpkcs11_Init: entry nzpkcs11CP_ChangeProviders: entry nzpkcs11CP_ChangeProviders: exit nzpkcs11GPK_GetPrivateKey: entry nzpkcs11GPK_GetPrivateKey: exit nzpkcs11_Init: exit ... nzpkcs11_Decrypt: entry nzpkcs11_Decrypt: exit nzpkcs11_Sign: entry nzpkcs11_Sign: exit See Also: Oracle Database Net Services Administrator's Guide for information about setting tracing parameters to enable Oracle Net tracing Error Messages Associated with Using Hardware Security Modules The following errors are associated with using PKCS #11 hardware security modules: ORA-43000: PKCS11: library not found Configuring Secure Sockets Layer Authentication 13-37 Configuring SSL in an Oracle Real Application Clusters Environment Cause: The system cannot locate the PKCS #11 library at the location specified when the wallet was created. This happens only when the library is moved after the wallet is created. Action: Copy the PKCS #11 library back to its original location where it was when the wallet was created. ORA-43001: PKCS11: token not found Cause: The smart card that was used to create the wallet is not present in the hardware security module slot. Action: Ensure that the smart card that was used when the wallet was created is present in the hardware security module slot. ORA-43002: PKCS11: passphrase is wrong Cause: This can occur when an incorrect password is specified at wallet creation, or the PKCS #11 device password is changed after the wallet is created and not updated in the wallet by using Oracle Wallet Manager. Action: Depending on the cause, take one of the following actions: If you see this error during wallet creation, then check to ensure that you have the correct password and reenter it. If the password changed after wallet creation, then use Oracle Wallet Manager to open the wallet and enter a new password. "Creating a Wallet to Store Hardware Security Module Credentials" on page 14-8 See Also: The nCipher log file is in the directory where the module is installed at the following location: Note: /log/logfile See Also: nCipher and SafeNET documentation for more information about troubleshooting nCipher and SafeNET devices Configuring SSL in an Oracle Real Application Clusters Environment You can configure Secure Sockets Layer for use with an Oracle Real Application Clusters (Oracle RAC) environment. This section contains: ■ Step 1: Configure the TCPS Protocol Endpoints ■ Step 2: Update the Local Listener Parameter on Each Oracle RAC Node ■ Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients ■ Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet ■ Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files ■ Step 6: Restart the Database Instances and Listeners ■ Step 7: Test the Configuration from a Cluster Node ■ Step 8: Test the Configuration from a Remote Client 13-38 Oracle Database Advanced Security Administrator's Guide Configuring SSL in an Oracle Real Application Clusters Environment Step 1: Configure the TCPS Protocol Endpoints In an Oracle RAC environment, clients access one of three scan listeners and are then routed to database listeners. To support Secure Sockets Layer, all the listeners must have TCPS protocol endpoints. The following procedure adds the TCPS endpoints to the database node listeners and scan listeners. 1. Check the listener resources to ensure that there is support for the TCP endpoints. For example: crsctl stat res -p |grep ENDPOINTS Output similar to the following appears: ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 2. <= <= <= <= database listener listener_scan1 listener_scan2 listener_scan3 Add the TCPS endpoints to the database listeners. Specify a port number that is different from the TCP port number, and is not currently used, for the TCPS value. For example: srvctl modify listener -p "TCP:1521/TCPS:1523"; 3. Restart the listener. srvctl stop listener srvctl start listener 4. Check the listener configuration. srvctl config listener Output similar to the following appears: Name: LISTENER Network: 1, Owner: oracle Home: CRS_home End points: TCP:1521/TCPS:1523 5. Check the listener status. lsnrctl status Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.188)(PORT=1523))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.183)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.188)(PORT=1521))) 6. Check the listener resources again. crsctl stat res -p |grep ENDPOINTS ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 TCPS:1523 <= database listener <= listener_scan1 <= listener_scan2 <= listener_scan3 Configuring Secure Sockets Layer Authentication 13-39 Configuring SSL in an Oracle Real Application Clusters Environment The first ENDPOINTS line, which contains the TCPS flag, shows that the configuration has been successful. In the next step, you add this TCPS to the scan listener. 7. Add the TCPS endpoints for the scan listeners. srvctl stop scan_listener srvctl stop scan srvctl modify scan_listener -p TCP:1521/TCPS:1523 Alternatively, you can use commands similar to the following: srvctl srvctl srvctl srvctl 8. remove scan_listener -f add scan_listener -l LISTENER -p TCP:1521/TCPS:1523 start scan start scan_listener Check the scan listener configuration. First, find all the listeners that have been configured so far. srvctl config scan_listener SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523 SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521/TCPS:1523 SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521/TCPS:1523 Then check each individual listener. The following command checks scan listener 3. lsnrctl status listener_scan3 Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN3))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.186)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.186)(PORT=1523))) 9. Check the listener resources to ensure that you have configured them all. crsctl stat res -p |grep ENDPOINTS The following output shows that they have all been configured, because each line has the TCPS flag. ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 ENDPOINTS=TCP:1521 TCPS:1523 TCPS:1523 TCPS:1523 TCPS:1523 <= <= <= <= database listener listener_scan1 listener_scan2 listener_scan3 Step 2: Update the Local Listener Parameter on Each Oracle RAC Node PMON must send the endpoint values that are stored in the local listener to the scan listeners so that they can create the approprirate service handlers. In this next procedure, you will add the TCPS endpoints for the database node listeners that you had created in Step 1: Configure the TCPS Protocol Endpoints to the local listener startup parameter on each Oracle RAC node. The local listener IP address is unique to each node. When you issue the ALTER SYSTEM statement, you must state the local instance SID value (for example, sid = 'instance'). 1. Select a node and identify the local listener endpoints. lsnrctl status |grep PORT 13-40 Oracle Database Advanced Security Administrator's Guide Configuring SSL in an Oracle Real Application Clusters Environment Output similar to the following appears. You can identify the TCPS protocol endpoint by the PROTOCOL value. Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.141.155.188)(PORT=1523))) <= new TCPS endpoint (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.183)(PORT=1521))) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.141.155.188)(PORT=1521))) 2. Log into the database instance with the SYSDBA administrative privilege. sqlplus / as sysdba 3. Check the value of the local listener. SHOW PARAMETER LOCAL_LISTENER Output similar to the following appears: NAME TYPE VALUE ------------------------------------ ----------- -----------------------------local_listener string (DESCRIPTION=(ADDRESS_ LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521)))) 4. Add the TCPS endpoint that you identified in Step 1 to the local_listener value. Ensure that you also set the SID to the local nodes instance name. Set the scope to memory so that changes can be verified before updating the spfile. For example: ALTER SYSTEM SET local_listener='(DESCRIPTION=(ADDRESS_ LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))(ADDRESS=(PROTOCOL =TCPS)(HOST=10.141.155.188)(PORT=1523))))' scope=memory sid='NETRAC1'; 5. Check the value of the local listener again. SHOW PARAMETER LOCAL_LISTENER Output similar to the following should appear: NAME TYPE VALUE ------------------------------------ ----------- -----------------------------local_listener string (DESCRIPTION=(ADDRESS_ LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))(ADDRESS=(PROTOCOL =TCPS)(HOST=10.141.155.188)(PORT=1523)))) If the Oracle RAC cluster uses COST to restrict instance registration, then all local and node listener COST value lists must include TCPS. Without a TCPS rule, the scan listener TCPS handlers go into a blocked state. For more information, see Doc ID: 1537743.1 "Scan Listener TCPS Service Handlers are Blocked after Implementing COST on an SSL Cluster" on My Oracle Support (formerly OracleMetaLink) at https://support.oracle.com 6. Write the changes to the spfile by running an ALTER SYSTEM statement similar to the following: ALTER SYSTEM SET LOCAL_LISTENER='(DESCRIPTION=(ADDRESS_ LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.141.155.188)(PORT=1521))(ADDRESS=(PROTOCOL =TCPS)(HOST=10.141.155.188)(PORT=1523))))' scope=both sid='NETRAC1'; Configuring Secure Sockets Layer Authentication 13-41 Configuring SSL in an Oracle Real Application Clusters Environment 7. Repeat these steps to update the remaining nodes until all nodes are properly registering their TCPS endpoints with the scan listeners. Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients The choice and usage of a Certificate Authority (CA) for certificate signing depends on your site’s policies. To make a successful SSL connection, the server and connecting clients must have unique SSL certifcates that are signed by the same trusted Certificate Authority. You should create the certificate requests for the cluster and for a test client that will connect to the database over SSL. Have these requests signed by the CA, and then build wallets using the signed user certificates and trusted root certificate. Note that the cluster and client wallets have unique identities but share the same trusted certificate. This is the proper wallet setup for an SSL connection. This section contains: ■ Creating the SSL Certificate for Each Cluster and for the Test Client ■ Signing Each User Certificate Creating the SSL Certificate for Each Cluster and for the Test Client 1. Create a directory to be used as the CA home. Restrict access of the CA home to the user or group of users that can authorize and sign digital certificates. For example: cd $ORACLE_BASE mkdir CA; chmod 700 CA; cd CA; pwd /home/app/oracle/CA export CA_HOME=/home/app/oracle/CA 2. In the CA home, use orapki to create the Certificate Authority wallet. orapki wallet create -wallet $CA_HOME Enter password: CA_password Enter password again: CA_password The orapki utility creates a default wallet that is populated with several well known trusted certificates. You do not need these certificates for this procedure, so you can remove them as follows: orapki wallet remove -trusted_cert_all -wallet $CA_HOME -pwd [CA_password] 3. Create a self signed (root) certificate for the CA wallet. For example: orapki wallet add -wallet $CA_HOME -self_signed -dn "CN=Oracle test CA,O=Oracle,C=US" -keysize 1024 -validity 3650 -pwd [CA_password] In this specification: ■ ■ dn refers to the distinguished name, which can be any valid x509 formated name (for example, -dn CN=Widget Corp.,C=US). keysize sets the bit size of the key. The following values are valid: 512, 1024, or 2048. 13-42 Oracle Database Advanced Security Administrator's Guide Configuring SSL in an Oracle Real Application Clusters Environment ■ 4. validity, which is mandatory, specifies the number of days, starting from the current date, that this certificate will be valid. Extract the root CA certificate from the wallet. This root certificate will be used as the trusted CA certificate in user or application wallets and can be distributed or published for users that are building PKCS12 wallets. For example: orapki wallet export -wallet $CA_HOME -dn "CN=Oracle test CA,O=Oracle,C=US" -cert testCAroot.cer -pwd [CA_password] At this stage, the $CA_HOME now contains an ewallet.p12 (the PKCS12 wallet) and a testCAroot.cer base64 certificate. ls -al total 16 drwx------ 2 psmith psmith 4096 Aug 23 15:15 drwxrwxr-x 11 psmith psmith 4096 Aug 23 13:54 -rw------- 1 psmith psmith 2560 Aug 23 15:13 -rw------- 1 psmith psmith 706 Aug 23 15:15 5. . .. ewallet.p12 testCAroot.cer Ensure that the wallet was successfully created. For example: orapki wallet display -wallet $CA_HOME -summary Enter wallet password: CA_password Requested Certificates: User Certificates: Subject: CN=Oracle test CA,O=Oracle,C=US Trusted Certificates: Subject: CN=Oracle test CA,O=Oracle,C=US 6. Back up the wallet and password. Signing Each User Certificate Using the CA wallet, the orapki utility can be used to sign digital certificate requests and provide authorized digital user certificates for different entities and processes in test environments. Repeat this process for each entity in the test environment that participates in PKI functionality. A valid wallet consists of a root CA certificate and the signed user certificate. 1. Create a user wallet in a directory or location outside of the CA home. For example: cd ~ mkdir user_wallet; cd user_wallet pwd /home/user_wallet export MY_WALLET=/home/user_wallet orapki wallet create -wallet $MY_WALLET Enter password: user_password Enter password again: user_password Configuring Secure Sockets Layer Authentication 13-43 Configuring SSL in an Oracle Real Application Clusters Environment The orapki utility creates a wallet with several well known trusted certificates already installed. You do not need these certificates for this procedure, so you can remove them as follows: orapki wallet remove -trusted_cert_all -wallet $MY_WALLET -pwd [user_password] 2. Create a user identity (user DN) and then a certificate request. For example: orapki wallet add -wallet $USER_WALLET -dn "CN=testuser" -keysize 1024 -pwd [user_password] orapki wallet export -wallet $USER_WALLET -dn "CN=testuser" -request $USER_ WALLET/testuser.req -pwd [user_password] ls ewallet.p12 testuser.req At this stage, the testuser request can now be signed by the CA. Access to the CA home wallet and CA wallet password are needed for this step. After testuser.req is signed, then the output file testuser.cer is created. 3. Create the signed certificate. For example: orapki cert create -wallet $CA_HOME -request $MY_WALLET/testuser.req -cert $USER_WALLET/testuser.cer -validity 3650 -pwd [CA_password] ls ewallet.p12 4. testuser.cer testuser.req Import the root certificate (testCAroot.cer) and the signed user certificate (testuser.cer) into the user wallet. The following example retrieves the root certificate from the $CA_HOME. Alternative, you can copy the certificate to the user’s wallet directory and then import it locally. orapki wallet add -wallet $USER_WALLET -trusted_cert -cert $CA_ HOME/testCAroot.cer -pwd [user_password] orapki wallet add -wallet $USER_WALLET -user_cert -cert $USER_ WALLET/testuser.cer -pwd [user_password] 5. Check the completed wallet. For example: orapki wallet display -wallet $MY_WALLET -summary -pwd [user_password] Requested Certificates: User Certificates: Subject: CN=testuser Trusted Certificates: Subject: CN=Oracle test CA,O=Oracle,C=US Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet 1. After you create the cluster wallet in Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients, copy the wallet to each node of the cluster. 13-44 Oracle Database Advanced Security Administrator's Guide Configuring SSL in an Oracle Real Application Clusters Environment There is no specific rule to wallet placement except that the wallet location should be accessable by both the database (PMON) and by the scan and local listeners which are normally running out of the Grid Infrastructure home. This procedure assumes that you have copied the wallet to the following directory: /u01/app/oracle/product/11.2.0.4/db_1/network/admin/wallet 2. Create the cwallet.sso file. For example: orapki wallet create -wallet /u01/app/oracle/product/11.2.0.4/db_ 1/network/admin/wallet -auto_login Enter password: password The cwallet.sso is an obfuscated mirror copy of the ewallet.p12 and is the file that is accessed by PMON and listeners. If you create the cwallet.sso on the cluster, then you can copy it along with the ewallet.p12 file to the wallet directory on each node. You can also create the cwallet.sso wallet in each node separately if ewallet.p12 is already in place. 3. Ensure that the two wallets are in place. For example: ls -al drwxr-xr-x. drwxr-xr-x. -rw-------. -rw-------. 2 5 1 1 oracle oracle oracle oracle oracle oracle oracle oracle 4096 4096 2549 2472 Feb Feb Feb Feb 7 11:12 . 15 11:00 .. 15 16:13 cwallet.sso 7 11:11 ewallet.p12 Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files Both PMON and the listener processes of each node must be able to access the wallets. Each node’s sqlnet.ora and listener.ora files must have the wallet locations defined. 1. Edit the $GRID_HOME/network/admin/listener.ora file and add the following settings: SSL_CLIENT_AUTHENTICATION = FALSE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/product/11.2.0.4/db_1/network/admin/wallet) ) ) This example uses the wallet directory described in "Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet" on page 13-44. Listeners in a cluster normally run out of the Grid Infrastructure home directory. 2. Edit the database $ORACLE_HOME/network/admin/sqlnet.ora file and add the following settings: SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS) SSL_VERSION = 0 Configuring Secure Sockets Layer Authentication 13-45 Configuring SSL in an Oracle Real Application Clusters Environment SSL_CLIENT_AUTHENTICATION = FALSE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/product/11.2.0.4/db_1/network/admin/wallet) ) ) This example uses the wallet directory described in "Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet" on page 13-44. Instances in a cluster normally run out of the database home directory. 3. Repeat this procedure for each node. Step 6: Restart the Database Instances and Listeners With the wallets in place and .ora files edited, you must restart the PMON and listener processes so that they can recognize the new wallet settings. With the restart the instances will also use the local_listener values that you added in "Step 2: Update the Local Listener Parameter on Each Oracle RAC Node" on page 13-40. Ensure that the scan listeners have the proper TCPS handlers, and if necessary, correct any discrepancies. Restart commands are as follows: srvctl stop listener srvctl start listener srvctl stop scan_listener srvctl start scan_listener srvctl stop database -d netrac srvctl start database -d netrac Step 7: Test the Configuration from a Cluster Node With the cluster environment configured for SSL the simplest way to quickly test it is to make an SSL connection on one of the cluster nodes. 1. Log in to the computer that has one of the cluster nodes. 2. In the tnsnames.ora file for this node, create a connect descriptor that uses the scan listener TCPS endpoint. For example: NETRACSSL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = net-scan)(PORT = 1523)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = NETRAC.us.example.com) ) ) 3. Use SQL*Plus to connect to this database instance using the TCPS connect descriptor. For example: sqlplus psmith@netracssl 13-46 Oracle Database Advanced Security Administrator's Guide Configuring SSL in an Oracle Real Application Clusters Environment Enter password: password Step 8: Test the Configuration from a Remote Client 1. On the computer that is used for the remote client, create a wallet directory location. 2. Add this location information to the sqlnet.ora file for the remote client. For example: WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = C:\app\oracle\product\11.2.0.4\dbhome_1\NETWORK\ADMIN\wallet) ) ) 3. Move the wallet that you created in "Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients" on page 13-42 to the remote client wallet directory. 4. On the remote client, create the cwallet.sso. For example: orapki wallet create -wallet . -auto_login Enter wallet password: password 5. Check the wallet directory to ensure that the two files are there. For example: cd $ORACLE_HOME/network/admin/wallet ls cwallet.sso ewallet.p12 6. In the listener.ora file, create a connect descriptor that uses the scan listener TCPS endpoint. For example: NETRACSSL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = net-scan)(PORT = 1523)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = NETRAC.us.example.com) ) ) 7. Use SQL*Plus to connect to this database instance using the TCPS connect descriptor. For example: sqlplus psmith@netracssl Enter password: password Configuring Secure Sockets Layer Authentication 13-47 Configuring SSL in an Oracle Real Application Clusters Environment 13-48 Oracle Database Advanced Security Administrator's Guide 14 14 Using Oracle Wallet Manager Security administrators use Oracle Wallet Manager to manage public key security credentials on Oracle clients and servers. The wallets it creates can be read by Oracle Database, Oracle Application Server 10g, and the Oracle Identity Management infrastructure. This chapter describes Oracle Wallet Manager using the following topics: ■ Oracle Wallet Manager Overview ■ Starting Oracle Wallet Manager ■ How to Create a Complete Wallet: Process Overview ■ Managing Wallets ■ Managing Certificates See Also: ■ ■ "Public Key Infrastructure in an Oracle Environment" on page 13-3, which discusses all of the Oracle PKI components Appendix E, "orapki Utility" for information about the orapki command line utility you can use to create wallets and issue certificates for testing purposes Oracle Wallet Manager Overview Oracle Wallet Manager is an application that wallet owners use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks: ■ Creating wallets ■ Generating certificate requests ■ Opening wallets to access PKI-based services ■ Saving credentials to hardware security modules, by using APIs that comply with the Public-Key Cryptography Standards #11 (PKCS #11) specification ■ Uploading wallets to (and downloading them from) an LDAP directory ■ Importing third-party PKCS #12-format wallets ■ Exporting Oracle wallets to a third-party environment Using Oracle Wallet Manager 14-1 Oracle Wallet Manager Overview Oracle Wallet Manager provides the following features: ■ Wallet Password Management ■ Strong Wallet Encryption ■ Microsoft Windows Registry Wallet Storage ■ Backward Compatibility ■ Public-Key Cryptography Standards (PKCS) Support ■ Multiple Certificate Support ■ LDAP Directory Support "Public Key Infrastructure in an Oracle Environment" on page 13-3 See Also: Wallet Password Management Oracle wallets are password protected. Oracle Wallet Manager includes an enhanced wallet password management module that enforces Password Management Policy guidelines, including the following: ■ Minimum password length (8 characters) ■ Maximum password length unlimited ■ Alphanumeric character mix required Strong Wallet Encryption Oracle Wallet Manager stores private keys associated with X.509 certificates and uses Triple-DES encryption. Microsoft Windows Registry Wallet Storage Oracle Wallet Manager lets you store multiple Oracle wallets in a Windows file management system or in the user profile area of the Microsoft Windows system registry. Storing your wallets in the registry provides the following benefits: ■ ■ Better Access Control: Wallets stored in the user profile area of the registry are only accessible by the associated user. User access controls for the system thus become, by extension, access controls for the wallets. In addition, when a user logs out of a system, access to that user's wallets is effectively precluded. Easier Administration: Wallets are associated with specific user profiles, so no file permissions need to be managed, and the wallets stored in the profile are automatically deleted when the user profile is deleted. You can use Oracle Wallet Manager to create and manage the wallets in the registry. Options Supported: ■ Open a wallet from the registry ■ Save a wallet to the registry ■ Save As to a different registry location ■ Delete a wallet from the registry ■ Open a wallet from the file system and save it to the registry ■ Open a wallet from the registry and save it to the file system 14-2 Oracle Database Advanced Security Administrator's Guide Oracle Wallet Manager Overview See Also: Oracle Database Platform Guide for Windows Backward Compatibility Oracle Wallet Manager is backward-compatible to Release 8.1.7. Public-Key Cryptography Standards (PKCS) Support RSA Laboratories, a division of RSA Security, Inc., has developed, in cooperation with representatives from industry, academia, and government, a family of basic cryptography standards called Public-Key Cryptography Standards, or PKCS for short. These standards establish interoperability between computer systems that use public-key technology to secure data across intranets and the Internet. Oracle Wallet Manager stores X.509 certificates and private keys in PKCS #12 format, and generates certificate requests according to the PKCS #10 specification. These capabilities make the Oracle wallet structure interoperable with supported third-party PKI applications and provide wallet portability across operating systems. Oracle Wallet Manager wallets can store credentials on hardware security modules that use APIs conforming to the PKCS #11 specification. When a wallet is created with PKCS11 chosen as the wallet type, then all keys stored in that wallet are saved to a hardware security module or token. Examples of such hardware devices include smart cards, PCMCIA cards, smart diskettes, or other portable hardware devices that store private keys or perform cryptographic operations (or both). To use Oracle Wallet Manager with PKCS #11 integration on the 64-bit Solaris Operating System, enter the following at the command line: owm -pkcs11 Note: See Also: ■ ■ ■ ■ "Importing User Certificates Created with a Third-Party Tool" on page 14-19 "Exporting Oracle Wallets to Third-Party Environments" on page 14-10 "Creating a Wallet to Store Hardware Security Module Credentials" on page 14-8 To view PKCS standards documents, navigate to the following URL: http://www.rsasecurity.com/rsalabs/ Multiple Certificate Support Oracle Wallet Manager enables you to store multiple certificates in each wallet, supporting any of the following Oracle PKI certificate usages: ■ SSL authentication ■ S/MIME signature ■ S/MIME encryption ■ Code-Signing ■ CA Certificate Signing Using Oracle Wallet Manager 14-3 Oracle Wallet Manager Overview Each certificate request you create generates a unique private/public key pair. The private key stays in the wallet and the public key is sent with the request to a certificate authority. When that certificate authority generates your certificate and signs it, you can import it only into the wallet that has the corresponding private key. If the wallet also contains a separate certificate request, the private/public key pair corresponding to that request is of course different from the pair for the first certificate request. Sending this separate certificate request to a certificate authority can get you a separate signed certificate, which you can import into this same wallet A single certificate request can be sent to a certificate authority multiple times to obtain multiple certificates. However, only one certificate corresponding to that certificate request can be installed in the wallet. Oracle Wallet Manager uses the X.509 Version 3 KeyUsage extension to define Oracle PKI certificate usages (Table 14–1). A single certificate cannot be applied to all possible certificate usages. Table 14–2 and Table 14–3 show legal usage combinations. Table 14–1 KeyUsage Values Value Usage 0 digitalSignature 1 nonRepudiation 2 keyEncipherment 3 dataEncipherment 4 keyAgreement 5 keyCertSign 6 cRLSign 7 encipherOnly 8 decipherOnly When installing a certificate, Oracle Wallet Manager maps the KeyUsage extension values to Oracle PKI certificate usages as specified in Table 14–2 and Table 14–3. Table 14–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet KeyUsage Value Critical?1 Usage none NA Certificate is importable for SSL or S/MIME encryption use. 0 alone or along with any values excluding 5 and 2 NA Accept certificate for S/MIME signature or code-signing use. 1 alone Yes Not importable 1 alone No Accept certificate for S/MIME signature or code-signing use. 2 alone or along with any combination excluding 5 NA Accept certificate for SSL or S/MIME encryption use. 5 alone or along with any other values NA Accept certificate for CA certificate signing use. Any settings not listed previously Yes Not importable. 14-4 Oracle Database Advanced Security Administrator's Guide Oracle Wallet Manager Overview Table 14–2 (Cont.) Oracle Wallet Manager Import of User Certificates to an Oracle Wallet 1 KeyUsage Value Critical?1 Usage Any settings not listed previously No If the KeyUsage extension is critical, the certificate cannot be used for other purposes. Table 14–3 1 Certificate is importable for SSL or S/MIME encryption use. Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet KeyUsage Value Critical?1 Usage none NA Importable. Any combination excluding 5 Yes Not importable. Any combination excluding 5 No Importable 5 alone or along with any other values NA Importable. If the KeyUsage extension is marked critical, the certificate cannot be used for other purposes. You should obtain, from the certificate authority, certificates with the correct KeyUsage value matching your required Oracle PKI certificate usage. A single wallet can contain multiple key pairs for the same usage. Each certificate can support multiple Oracle PKI certificate usages, as indicated by Table 14–2 and Table 14–3. Oracle PKI applications use the first certificate containing the required PKI certificate usage. For example, for SSL usage, the first certificate containing the SSL Oracle PKI certificate usage is used. If you do not have a certificate with SSL usage, then an ORA-28885 error (No certificate with required key usage found) is returned. LDAP Directory Support Oracle Wallet Manager can upload wallets to and retrieve them from an LDAP-compliant directory. Storing wallets in a centralized LDAP-compliant directory lets users access them from multiple locations or devices, ensuring consistent and reliable user authentication while providing centralized wallet management throughout the wallet life cycle. To prevent a user from accidentally overwriting functional wallets, only wallets containing an installed certificate can be uploaded. Directory user entries must be defined and configured in the LDAP directory before Oracle Wallet Manager can be used to upload or download wallets for a user. If a directory contains Oracle8i (or prior) users, then they are automatically upgraded to use the wallet upload and download feature on first use. Oracle Wallet Manager downloads a user wallet by using a simple password-based connection to the LDAP directory. However, for uploads it uses an SSL connection if the open wallet contains a certificate with SSL Oracle PKI certificate usage. If an SSL certificate is not present in the wallet, password-based authentication is used. The directory password and the wallet password are independent and can be different. Oracle recommends that these passwords be maintained to be consistently different, where neither one can logically be derived from the other. Note: Using Oracle Wallet Manager 14-5 Starting Oracle Wallet Manager See Also: ■ Uploading a Wallet to an LDAP Directory on page 14-11. ■ Downloading a Wallet from an LDAP Directory on page 14-11 ■ Multiple Certificate Support on page 14-3, for more information about Oracle PKI certificate usage. Starting Oracle Wallet Manager To start Oracle Wallet Manager: ■ ■ (Windows) Select Start, Programs, Oracle-HOME_NAME, Integrated Management Tools, Wallet Manager (UNIX) At the command line, enter owm. How to Create a Complete Wallet: Process Overview Wallets provide a necessary repository in which you can securely store your user certificates and the trust point you need to validate the certificates of your peers. The following steps provide an overview of the complete wallet creation process: 1. Use Oracle Wallet Manager to create a new wallet: 2. Generate a certificate request. Note that when you create a new wallet with Oracle Wallet Manager, the tool automatically prompts you to create a certificate request. 3. Send the certificate request to the CA you want to use. You can copy and paste the certificate request text into an e-mail message, or you can export the certificate request to a file. The certificate request becomes part of your wallet. It must remain there until you remove its associated certificate. 4. When the CA sends your signed user certificate and its associated trusted certificate, then you can import these certificates in the following order. The user certificates and trusted certificates in the PKCS #7 format can be imported at the same time. ■ ■ 5. First import the CA's trusted certificate into your wallet. This step may be optional if the new user certificate has been issued by one of the CAs whose trusted certificate is already present in Oracle Wallet Manager by default. After you have successfully imported the trusted certificate, then import the user certificate that the CA sent to you into your wallet. (Optional) Set the auto login feature for your wallet. Typically, this feature, which enables PKI-based access to services without a password, is required for most wallets. It is required for database server and client wallets. It is only optional for products that take the wallet password at the time of startup. After completing the preceding process, you have a wallet that contains a user certificate and its associated trust points. For more information about these steps, refer to Managing Certificates on page 14-14 See Also: 14-6 Oracle Database Advanced Security Administrator's Guide Managing Wallets Managing Wallets This section describes how to create a new wallet and perform associated wallet management tasks, such as generating certificate requests, exporting certificate requests, and importing certificates into wallets, in the following subsections: ■ Required Guidelines for Creating Wallet Passwords ■ Creating a New Wallet ■ Opening an Existing Wallet ■ Closing a Wallet ■ Exporting Oracle Wallets to Third-Party Environments ■ Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 ■ Uploading a Wallet to an LDAP Directory ■ Downloading a Wallet from an LDAP Directory ■ Saving Changes ■ Saving the Open Wallet to a New Location ■ Saving in System Default ■ Deleting the Wallet ■ Changing the Password ■ Using Auto Login Required Guidelines for Creating Wallet Passwords Because an Oracle wallet contains user credentials that can be used to authenticate the user to multiple databases, it is especially important to choose a strong wallet password. A malicious user who guesses the wallet password can access all the databases to which the wallet owner has access. Passwords must contain at least eight characters that consist of alphabetic characters combined with numbers or special characters. Caution: It is strongly recommended that users avoid choosing easily guessed passwords based on user names, phone numbers, or government identification numbers, such as "admin0," "oracle1," or "2135551212A." This prevents a potential attacker from using personal information to deduce the users' passwords. It is also a prudent security practice for users to change their passwords periodically, such as once in each month or once in each quarter. When you change passwords, you must regenerate auto-login wallets. See Also: ■ Wallet Password Management on page 14-2. ■ "Using Auto Login" on page 14-14 Using Oracle Wallet Manager 14-7 Managing Wallets Creating a New Wallet You can use Oracle Wallet Manager to create PKCS #12 wallets (the standard default wallet type) that store credentials in a directory on your file system. It can also be used to create PKCS #11 wallets that store credentials on a hardware security module for servers, or private keys on tokens for clients. The following sections explain how to create both types of wallets by using Oracle Wallet Manager. Creating a Standard Wallet Unless you have a hardware security module (a PKCS #11 device), then you should use a standard wallet that stores credentials in a directory on your file system. To create a standard wallet, perform the following tasks: 1. Select Wallet, then New from the menu bar. The New Wallet dialog box is displayed. 2. Follow the "Required Guidelines for Creating Wallet Passwords" on page 14-7 and enter a password in the Wallet Password field. This password protects unauthorized use of your credentials. 3. Reenter that password in the Confirm Password field. 4. Select Standard from the Wallet Type list. 5. Click OK to continue. If the entered password does not conform to the required guidelines, then the following message is displayed: Password must have a minimum length of eight characters, and contain alphabetic characters combined with numbers or special characters. Do you want to try again? 6. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. Refer to "Adding a Certificate Request" on page 14-15. If you select No, then you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates. 7. Select Wallet, then Save In System Default to save the new wallet. If you do not have permission to save the wallet in the system default, you can save it to another location. This location must be used in the SSL configuration for clients and servers. A message at the bottom of the window confirms that the wallet was successfully saved. Creating a Wallet to Store Hardware Security Module Credentials To create a wallet to store credentials on a hardware security module that complies with PKCS #11, perform the following tasks: 1. Select Wallet, then New from the menu bar. The New Wallet dialog box is displayed. 2. Follow the "Required Guidelines for Creating Wallet Passwords" on page 14-7 and enter a password in the Wallet Password field. 3. Reenter that password in the Confirm Password field. 14-8 Oracle Database Advanced Security Administrator's Guide Managing Wallets 4. Select PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet window is displayed. 5. Select a vendor name from the Select Hardware Vendor list. In the current release of Oracle Wallet Manager, SafeNET and nCipher hardware have been certified to interoperate with Oracle wallets. Note: 6. In the PKCS11 library filename field, enter the path to the directory where the PKCS11 library is stored, or click Browse to find it by searching the file system. 7. Enter the SmartCard password, and click OK. The smart card password, which is different from the wallet password, is stored in the wallet. 8. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide whether you want to add a certificate request. For more information, refer to "Adding a Certificate Request" on page 14-15. If you select No, you are returned to the Oracle Wallet Manager main window. The new wallet you just created is displayed in the left window pane. The certificate has a status of [Empty], and the wallet displays its default trusted certificates. 9. Select Wallet, then Save In System Default to save the new wallet. If you do not have permission to save the wallet in the system default, you can save it to another location. A message at the bottom of the window confirms that the wallet was successfully saved. Note: If you change the smart card password or move the PKCS #11 library, an error message displays when you try to open the wallet. Then you are prompted to enter the new smart card password or the new path to the library. Opening an Existing Wallet Open a wallet that already exists in the file system directory as follows: 1. Select Wallet, Open from the menu bar. The Select Directory dialog box is displayed. 2. Navigate to the directory location in which the wallet is located, and select the directory. 3. Click OK. The Open Wallet dialog box is displayed. 4. Enter the wallet password in the Wallet Password field. 5. Click OK. You are returned to the main window and a message is displayed at the bottom of the window indicating the wallet was opened successfully. The wallet's certificate and its trusted certificates are displayed in the left window pane. Using Oracle Wallet Manager 14-9 Managing Wallets Closing a Wallet To close an open wallet in the currently selected directory: Select Wallet, then Close. A message is displayed at the bottom of the window to confirm that the wallet is closed. Exporting Oracle Wallets to Third-Party Environments Oracle Wallet Manager can export its own wallets to third-party environments. To export a wallet to third-party environments: 1. Use Oracle Wallet Manager to save the wallet file. 2. Follow the procedure specific to your third-party product to import an operating system PKCS #12 wallet file created by Oracle Wallet Manager (called ewallet.p12 on UNIX and Windows platforms). Note: ■ ■ Oracle Wallet Manager supports multiple certificates for each wallet, yet current browsers typically support import of single-certificate wallets only. For these browsers, you must export an Oracle wallet containing a single key-pair. Oracle Wallet Manager supports wallet export to only Netscape Communicator 4.7.2 and later, OpenSSL, and Microsoft Internet Explorer 5.0 and later. Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 You can export a wallet to a text-based PKI format if you want to put a wallet into a tool that does not support PKCS #12. Individual components are formatted according to the standards listed in Table 14–4. Within the wallet, only those certificates with SSL key usage are exported with the wallet. To export a wallet to text-based PKI format: 1. Select Operations, Export Wallet. The Export Wallet dialog box is displayed. 2. Enter the destination file system directory for the wallet, or navigate to the directory structure under Folders. 3. Enter the destination file name for the wallet. 4. Click OK to return to the main window. Table 14–4 PKI Wallet Encoding Standards Component Encoding Standard Certificate chains X509v3 Trusted certificates X509v3 Private keys PKCS #8 14-10 Oracle Database Advanced Security Administrator's Guide Managing Wallets Uploading a Wallet to an LDAP Directory To upload a wallet to an LDAP directory, Oracle Wallet Manager uses SSL if the specified wallet contains an SSL certificate. Otherwise, it lets you enter the directory password. To prevent accidental destruction of your wallet, Oracle Wallet Manager will not permit you to execute the upload option unless the target wallet is currently open and contains at least one user certificate. To upload a wallet: 1. Select Wallet, Upload Into The Directory Service. If the currently open wallet has not been saved, a dialog box is displayed with the following message: The wallet needs to be saved before uploading Click Yes to proceed. 2. Wallet certificates are checked for SSL key usage. Depending on whether a certificate with SSL key usage is found in the wallet, one of the following results occur: ■ ■ If at least one certificate has SSL key usage: When prompted, enter the LDAP directory server host name and port information, then click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using SSL. A message is displayed indicating whether the wallet was uploaded successfully or it failed. If no certificates have SSL key usage: When prompted, enter the user's distinguished name (DN), the LDAP server host name and port information, and click OK. Oracle Wallet Manager attempts connection to the LDAP directory server using simple password authentication mode, assuming that the wallet password is the same as the directory password. If the connection fails, a dialog box prompts for the directory password of the specified DN. Oracle Wallet Manager attempts connection to the LDAP directory server using this password and displays a warning message if the attempt fails. Otherwise, Oracle Wallet Manager displays a status message at the bottom of the window indicating that the upload was successful. Note: ■ ■ You should ensure that the distinguished name used matches a corresponding user entry of object class inetOrgPerson in the LDAP directory. When uploading a wallet with an SSL certificate, use the SSL port. When uploading a wallet that does not contain an SSL certificate, use the non-SSL port. Downloading a Wallet from an LDAP Directory When a wallet is downloaded from an LDAP directory, it is resident in working memory. It is not saved to the file system unless you explicitly save it using any of the save options described in the following sections. Using Oracle Wallet Manager 14-11 Managing Wallets See Also: ■ "Saving Changes" on page 14-12 ■ "Saving the Open Wallet to a New Location" on page 14-12 ■ "Saving in System Default" on page 14-13 To download a wallet from an LDAP directory: 1. Select Wallet, Download From The Directory Service.... 2. A dialog box prompts for the user's distinguished name (DN), and the LDAP directory password, host name, and port information. Oracle Wallet Manager uses simple password authentication to connect to the LDAP directory. Depending on whether the downloading operation succeeds or not, one of the following results occurs: ■ ■ If the download operation fails: Check to make sure that you have correctly entered the user's DN, and the LDAP server host name and port information. The port used must be the non-SSL port. If the download is successful: Click OK to open the downloaded wallet. Oracle Wallet Manager attempts to open that wallet using the directory password. If the operation fails after using the directory password, then a dialog box prompts for the wallet password. If Oracle Wallet Manager cannot open the target wallet using the wallet password, then check to make sure you entered the correct password. Otherwise a message displays at the bottom of the window, indicating that the wallet was downloaded successfully. Saving Changes To save your changes to the current open wallet: Select Wallet, then Save. A message at the bottom of the window confirms that the wallet changes were successfully saved to the wallet in the selected directory location. Saving the Open Wallet to a New Location To save open wallets to a new location, use the Save As menu option: 1. Select Wallet, then Save As. The Select Directory dialog box is displayed. 2. Select a directory location in which to save the wallet. 3. Click OK. The following message is displayed if a wallet already exists in the selected location: A wallet already exists in the selected path. Do you want to overwrite it? Select Yes to overwrite the existing wallet or No to save the wallet to another location. A message at the bottom of the window confirms that the wallet was successfully saved to the selected directory location. 14-12 Oracle Database Advanced Security Administrator's Guide Managing Wallets Saving in System Default To save wallets in the default directory location, use the Save In System Default menu option: Select Wallet, Save In System Default. A message at the bottom of the window confirms that the wallet was successfully saved in the system default wallet location as follows for UNIX and Windows platforms: ■ (UNIX) $ORACLE_HOME/owm/wallets/username if the ORACLE_HOME environment variable has been set. ./owm/wallets/username if the ORACLE_HOME environment variable is not set. ■ (WINDOWS) ORACLE_HOME\owm\wallets\username if the ORACLE_HOME environment variable has been set. .\owm\wallets\username if the ORACLE_HOME environment variable is not set. Note: ■ ■ SSL uses the wallet that is saved in the system default directory location. Some Oracle applications are not able to use the wallet if it is not in the system default location. Check the Oracle documentation for your specific application to determine whether wallets must be placed in the default wallet directory location. Deleting the Wallet To delete the current open wallet: 1. Select Wallet, Delete. The Delete Wallet dialog box is displayed. 2. Review the displayed wallet location to verify you are deleting the correct wallet. 3. Enter the wallet password. 4. Click OK. A dialog panel is displayed to inform you that the wallet was successfully deleted. Any open wallet in application memory will remain in memory until the application exits. Therefore, deleting a wallet that is currently in use does not immediately affect system operation. Note: Changing the Password A password change is effective immediately. The wallet is saved to the currently selected directory, encrypted with the password. If you are using a wallet with auto login enabled, you must regenerate the auto login wallet after changing the password. Refer to "Using Auto Login" on page 14-14 Note: To change the password for the current open wallet: Using Oracle Wallet Manager 14-13 Managing Certificates 1. Select Wallet, then Change Password. The Change Wallet Password dialog box is displayed. 2. Enter the existing wallet password. 3. Enter the new password. 4. Reenter the new password. 5. Click OK. A message at the bottom of the window confirms that the password was successfully changed. See Also: ■ ■ "Required Guidelines for Creating Wallet Passwords" on page 14-7 "Wallet Password Management" on page 14-2, for password policy restrictions Using Auto Login PKI-based access to services can be enabled without requiring human interventions to supply the necessary passwords: this feature is called auto login. Enabling auto login creates an obfuscated copy of the wallet, which is then used automatically until the auto login feature is disabled for that wallet. Auto login wallets are protected by file system permissions. When auto login is enabled for a wallet, only the operating system user who created it can manage it, through the Oracle Wallet Manager. You must enable auto login if you want single sign-on access to multiple Oracle databases: such access is normally disabled, by default. Sometimes the obfuscated auto login wallets are called "SSO wallets" because they support single sign-on capability. Enabling Auto Login To enable auto login: 1. Select Wallet from the menu bar. 2. Select Auto Login. A message at the bottom of the window indicates that auto login is enabled. Disabling Auto Login To disable auto login: 1. Select Wallet from the menu bar. 2. Deselect Auto Login. A message at the bottom of the window indicates that auto login is disabled. Managing Certificates All certificates are signed data structures that bind a network identity with a corresponding public key. Table 14–5 describes the two types of certificates distinguished in this chapter. 14-14 Oracle Database Advanced Security Administrator's Guide Managing Certificates Table 14–5 Types of Certificates Certificate Type Examples User certificates Certificates issued to servers or users to prove an end entity's identity in a public key/private key exchange Trusted certificates Certificates representing entities whom you trust, such as certificate authorities who sign the user certificates they issue The following subsections describe how to manage both types of certificates: ■ Managing User Certificates ■ Managing Trusted Certificates Before a user certificate can be installed, the wallet must contain the trusted certificate representing the certificate authority who issued that user certificate. However, whenever you create a new wallet, several publicly trusted certificates are automatically installed, since they are so widely used. If the necessary certificate authority is not represented, then you must install its certificate first. Note: Also, you can import using the PKCS#7 certificate chain format, which gives you the user certificate and the CA certificate at the same time. Managing User Certificates User certificates, including server certificates, are used by end users, smart cards, or applications, such as Web servers. For example, if a CA issues a certificate for a Web server, placing its distinguished name (DN) in the Subject field, then the Web server is the certificate owner, thus the "user" for this user certificate. Managing user certificates involves the following tasks: ■ Adding a Certificate Request ■ Importing the User Certificate into the Wallet ■ Importing Certificates and Wallets Created by Third Parties ■ Removing a User Certificate from a Wallet ■ Removing a Certificate Request ■ Exporting a User Certificate ■ Exporting a User Certificate Request Adding a Certificate Request You can add multiple certificate requests with Oracle Wallet Manager. When adding multiple requests, Oracle Wallet Manager automatically populates each subsequent request dialog box with the content of the initial request that you can then edit. The actual certificate request becomes part of the wallet. You can reuse any certificate request to obtain a new certificate. However, you cannot edit an existing certificate request. Store only a correctly filled out certificate request in a wallet. To create a PKCS #10 certificate request: Using Oracle Wallet Manager 14-15 Managing Certificates 1. Select Operations, then Add Certificate Request. The Add Certificate Request dialog box is displayed. The online Help for Oracle Wallet Manager becomes unresponsive when modal dialog boxes appear, such as the one for entering certificate request information. The online Help becomes responsive once the modal dialog box is closed. Note: 2. Enter the information specified in Table 14–6. 3. Click OK. A message informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file. At this point, Oracle Wallet Manager has created your private/public key pair and stored it in the wallet. When the certificate authority issues your certificate, it will also be stored in the wallet and associate it with its corresponding private key. 4. Click OK to return to the Oracle Wallet Manager main window. The status of the certificate changes to [Requested]. See Also: Table 14–6 "Exporting a User Certificate Request" on page 14-20 Certificate Request: Fields and Descriptions Field Name Description Common Name Mandatory. Enter the name of the user's or service's identity. Enter a user's name in first name /last name format. Example: Eileen.Sanger Organizational Unit Optional. Enter the name of the identity's organizational unit. Example: Finance. Organization Optional. Enter the name of the identity's organization. Example: XYZ Corp. Locality/City Optional. Enter the name of the locality or city in which the identity resides. State/Province Optional. Enter the full name of the state or province in which the identity resides. Enter the full state name, because some certificate authorities do not accept two–letter abbreviations. Country Mandatory. Select Country to view a list of country abbreviations. Select the country in which the organization is located. Key Size Mandatory. Select Key Size to view a list of key sizes to use when creating the public/private key pair. Refer to Table 14–7 to evaluate key size. Advanced Optional. Select Advanced to view the Advanced Certificate Request dialog panel. Use this field to edit or customize the identity's distinguished name (DN). For example, you can edit the full state name and locality. Table 14–7 lists the available key sizes and the relative security each size provides. Typically, CAs use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys. 14-16 Oracle Database Advanced Security Administrator's Guide Managing Certificates Table 14–7 Available Key Sizes Key Size Relative Security Level 512 or 768 Not regarded as secure. 1024 or 2048 Secure. 3072 or 4096 Very secure. Importing the User Certificate into the Wallet When the Certificate Authority grants you a certificate, it may send you an e-mail that has your certificate in text (BASE64) form or attached as a binary file. Certificate authorities may send your certificate in a PKCS #7 certificate chain or as an individual X.509 certificate. Oracle Wallet Manager can import both types. Note: PKCS #7 certificate chains are a collection of certificates, including the user's certificate and all of the supporting trusted CA and subCA certificates. In contrast, an X.509 certificate file contains an individual certificate without the supporting certificate chain. However, before you can import any such individual certificate, the signer’s certificate must be a Trusted Certificate in the wallet. To import the user certificate from the text of the Certificate Authority's e-mail Copy the certificate, represented as text (BASE64), from the e-mail message. Include the lines Begin Certificate and End Certificate. 1. Select Operations, Import User Certificate. The Import Certificate dialog box is displayed. 2. Select Paste the certificate, and then click OK. Another Import Certificate dialog box is displayed with the following message: Please provide a base64 format certificate and paste it below. 3. Paste the certificate into the dialog box, and click OK. a. If the certificate received is in PKCS#7 format, it is installed, and all the other certificates included with the PKCS#7 data are placed in the Trusted Certificate list. b. If the certificate received is not in PKCS#7 format, and the certificate of its CA is not already in the Trusted Certificates list, then more must be done. Oracle Wallet Manager will ask you to import the certificate of the CA that issued your certificate. This CA certificate will be placed in the Trusted Certificates list. (If the CA certificate was already in the Trusted Certificates list, your certificate is imported without additional steps.) After either (a) or (b) succeeds, a message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready]. Using Oracle Wallet Manager 14-17 Managing Certificates The standard X.509 certificate includes the following start and end text: Note: -----BEGIN CERTIFICATE---------END CERTIFICATE----- A typical PKCS#7 certificate includes more, as described earlier, and includes the following start and end text: -----BEGIN PKCS7---------END PKCS7----- You can use the standard Ctrl+c to copy, including all dashes, and Ctrl+v to paste. To import the certificate from a file The user certificate in the file can be in either text (BASE64) or binary (der) format. 1. Select Operations, Import User Certificate. The Import Certificate dialog box is displayed. 2. Select Select a file that contains the certificate, and click OK. Another Import Certificate dialog box is displayed. 3. Enter the path or folder name of the certificate file location. 4. Select the name of the certificate file (for example, cert.txt, cert.der). 5. Click OK. a. If the certificate received is in PKCS#7 format, it is installed, and all the other certificates included with the PKCS#7 data are placed in the Trusted Certificate list. b. If the certificate received is not in PKCS#7 format, and the certificate of its CA is not already in the Trusted Certificates list, then more must be done. Oracle Wallet Manager will ask you to import the certificate of the CA that issued your certificate. This CA certificate will be placed in the Trusted Certificates list. (If the CA certificate was already in the Trusted Certificates list, your certificate is imported without additional steps.) After either (a) or (b) succeeds, a message at the bottom of the window confirms that the certificate was successfully installed. You are returned to the Oracle Wallet Manager main panel, and the status of the corresponding entry in the left panel subtree changes to [Ready]. Importing Certificates and Wallets Created by Third Parties Third-party certificates are those created from certificate requests that were not generated using Oracle Wallet Manager. These third-party certificates are actually wallets, in the Oracle sense, because they contain more than just the user certificate; they also contain the private key for that certificate. Furthermore, they include the chain of trusted certificates validating that the certificate was created by a trustworthy entity. Oracle Wallet Manager makes these wallets available in a single step by importing them in PKCS#12 format, which includes all three elements described earlier: the user certificate, the private key, and the trusted certificates. It supports the following PKCS #12-format certificates: ■ Netscape Communicator 4.x and later 14-18 Oracle Database Advanced Security Administrator's Guide Managing Certificates ■ Microsoft Internet Explorer 5.x and later Oracle Wallet Manager adheres to the PKCS#12 standard, so certificates exported by any PKCS#12-compliant tool should be usable with Oracle Wallet Manager. Such third-party certificates cannot be stored into existing Oracle wallets because they would lack the private key and chain of trusted authorities. Therefore, each such certificate is exported and retrieved instead as an independent PKCS#12 file, that is, as its own wallet. Importing User Certificates Created with a Third-Party Tool Once a third party generates the wallet, you need to import it to make use of it, as described in this section. To import a certificate created with a third-party tool, perform the following tasks: 1. Follow the procedures for your particular product to export the certificate. Take the actions indicated in the exporting product to include the private key in the export, and specify the new password to protect the exported certificate. Also include all associated trust points. (Under PKCS #12, browsers do not necessarily export trusted certificates, other than the signer's own certificate. You may need to add additional certificates to authenticate to your peers. You can use Oracle Wallet Manager to import trusted certificates.) The resulting file, containing the certificate, the private key, and the trust points, is the new wallet that enables the third-party certificate to be used. 2. To be used by particular applications or servers, such as a web server or an LDAP server, wallets need to be located precisely. Each application has its own expectations as to which directory it will search to find the needed wallet. You must put the wallet where it will be sought, by copying it to the correct system and directory. 3. For use with UNIX or Windows applications or servers, the wallet must be named ewallet.p12. For other operating systems, refer to the Oracle documentation for that specific operating system. Once a third-party certificate is stored as ewallet.p12, you can open and manage it using Oracle Wallet Manager. You will have to supply the password you created when exporting this wallet. The password will be required whenever the associated application starts up or otherwise needs the certificate. To make such access automatic, refer to "Using Auto Login" on page 14-14. Note: However, if the private key for the desired certificate is held in a separate hardware security module, you will not be able to import that certificate. Removing a User Certificate from a Wallet To remove a user certificate from a wallet: 1. In the left panel subtree, select the certificate that you want to remove. 2. Select Operations, then Remove User Certificate. A dialog panel is displayed which prompts you to verify that you want to remove the user certificate from the wallet. Using Oracle Wallet Manager 14-19 Managing Certificates 3. Select Yes to return to the Oracle Wallet Manager main panel. The certificate displays a status of [Requested]. Removing a Certificate Request You must remove a certificate before removing its associated request. To remove a certificate request: 1. In the left panel subtree, select the certificate request that you want to remove. 2. Select Operations, then Remove Certificate Request. 3. Click Yes. The certificate displays a status of [Empty]. Exporting a User Certificate To save the certificate in a file system directory, export the certificate by using the following steps: 1. In the left panel subtree, select the certificate that you want to export. 2. Select Operations, then Export User Certificate from the menu bar. The Export Certificate dialog box is displayed. 3. Enter the file system directory location where you want to save your certificate, or navigate to the directory structure under Folders. 4. Enter a file name for your certificate in the Enter File Name field. 5. Click OK. A message at the bottom of the window confirms that the certificate was successfully exported to the file. You are returned to the Oracle Wallet Manager main window. "Exporting Oracle Wallets to Third-Party Environments" on page 14-10 for information about exporting wallets. Note that Oracle Wallet Manager supports storing multiple certificates in a single wallet, yet current browsers typically support only single-certificate wallets. For these browsers, you must export an Oracle wallet that contains a single key-pair. See Also: Exporting a User Certificate Request To save the certificate request in a file system directory, export the certificate request by using the following steps: 1. In the left panel subtree, select the certificate request that you want to export. 2. Select Operations, then Export Certificate Request. The Export Certificate Request dialog box is displayed. 3. Enter the file system directory location where you want to save your certificate request, or navigate to the directory structure under Folders. 4. Enter a file name for your certificate request, in the Enter File Name field. 5. Select OK. A message at the bottom of the window confirms that the certificate request was successfully exported to the file. You are returned to the Oracle Wallet Manager main window. Managing Trusted Certificates Managing trusted certificates includes the following tasks: 14-20 Oracle Database Advanced Security Administrator's Guide Managing Certificates ■ Importing a Trusted Certificate ■ Removing a Trusted Certificate ■ Exporting a Trusted Certificate ■ Exporting All Trusted Certificates Importing a Trusted Certificate You can import a trusted certificate into a wallet in either of two ways: paste the trusted certificate from an e-mail that you receive from the certificate authority, or import the trusted certificate from a file. Oracle Wallet Manager automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you create a new wallet. To copy and paste the text only (BASE64) trusted certificate Copy the trusted certificate from the body of the e-mail message you received that contained the user certificate. Include the lines Begin Certificate and End Certificate. 1. Select Operations, then Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel is displayed. 2. Select Paste the Certificate and click OK. Another Import Trusted Certificate dialog panel is displayed with the following message: Please provide a base64 format certificate and paste it below. 3. Paste the certificate into the window, and click OK. A message at the bottom of the window informs you that the trusted certificate was successfully installed. 4. Click OK. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree. Keyboard shortcuts for copying and pasting certificates: Use Ctrl+c to copy, and use Ctrl+v to paste. To import a file that contains the trusted certificate The file containing the trusted certificate should have been saved in either text (BASE64) or binary (der) format. 1. Select Operations, then Import Trusted Certificate. The Import Trusted Certificate dialog panel is displayed. 2. Enter the path or folder name of the trusted certificate location. 3. Select the name of the trusted certificate file (for example, cert.txt). 4. Click OK. A message at the bottom of the window informs you that the trusted certificate was successfully imported into the wallet. 5. Click OK to exit the dialog panel. You are returned to the Oracle Wallet Manager main panel, and the trusted certificate is displayed at the bottom of the Trusted Certificates tree. Removing a Trusted Certificate You cannot remove a trusted certificate if it has been used to sign a user certificate still present in the wallet. To remove such trusted certificates, you must first remove the Using Oracle Wallet Manager 14-21 Managing Certificates certificates it has signed. Also, you cannot verify a certificate after its trusted certificate has been removed from your wallet. To remove a trusted certificate from a wallet: 1. Select the trusted certificate listed in the Trusted Certificates tree. 2. Select Operations, then Remove Trusted Certificate... from the menu bar. A dialog panel warns you that your user certificate will no longer be verifiable by its recipients if you remove the trusted certificate that was used to sign it. 3. Select Yes. The selected trusted certificate is removed from the Trusted Certificates tree. Exporting a Trusted Certificate To export a trusted certificate to another file system location: 1. In the left panel subtree, select the trusted certificate that you want to export. 2. Select Operations, thenExport Trusted Certificate. The Export Trusted Certificate dialog box is displayed. 3. Enter a file system directory in which you want to save your trusted certificate, or navigate to the directory structure under Folders. 4. Enter a file name to save your trusted certificate. 5. Click OK. You are returned to the Oracle Wallet Manager main window. Exporting All Trusted Certificates To export all of your trusted certificates to another file system location: 1. Select Operations, then Export All Trusted Certificates.... The Export Trusted Certificate dialog box is displayed. 2. Enter a file system directory location where you want to save your trusted certificates, or navigate to the directory structure under Folders. 3. Enter a file name to save your trusted certificates. 4. Click OK. You are returned to the Oracle Wallet Manager main window. 14-22 Oracle Database Advanced Security Administrator's Guide 15 15 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security This chapter describes how to configure multiple authentication methods under Oracle Advanced Security, and how to use conventional user name and password authentication, even if you have configured another authentication method. This also chapter describes how to configure your network so that Oracle clients can use a specific authentication method and Oracle servers can accept any method specified. This chapter contains the following topics: ■ Connecting with User Name and Password ■ Disabling Oracle Advanced Security Authentication ■ Configuring Multiple Authentication Methods ■ Configuring Oracle Database for External Authentication Connecting with User Name and Password To connect to an Oracle database server using a user name and password when an Oracle Advanced Security authentication method has been configured, disable the external authentication (Refer to "Disabling Oracle Advanced Security Authentication" on page 15-1). With the external authentication disabled, a user can connect to a database using the following format: % sqlplus username@net_service_name Enter password: password For example: % sqlplus hr@emp Enter password: password You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database. Note: Disabling Oracle Advanced Security Authentication Use Oracle Net Manager to disable authentication methods (Refer to "Starting Oracle Net Manager" on page 2-2): Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security 15-1 Configuring Multiple Authentication Methods 1. Navigate to the Oracle Advanced Security profile. Refer to "Navigating to the Oracle Advanced Security Profile" on page 2-2. The Oracle Advanced Security tabbed window is displayed as shown in Figure 15–1. Figure 15–1 Oracle Advanced Security Authentication Window 1. Click the Authentication tab. 2. Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<]. 3. Select File, then Save Network Configuration. The sqlnet.ora file is updated with the following entry: SQLNET.AUTHENTICATION_SERVICES = (NONE) Configuring Multiple Authentication Methods Many networks use more than one authentication method on a single security server. Accordingly, Oracle Advanced Security lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified. You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the sqlnet.ora file. Use Oracle Net Manager to add authentication methods to both clients and servers (Refer to "Starting Oracle Net Manager" on page 2-2) Following steps describe how to configure Multiple authentication Methods. 1. Navigate to the Oracle Advanced Security profile. Refer to "Navigating to the Oracle Advanced Security Profile" on page 2-2. The Oracle Advanced Security 15-2 Oracle Database Advanced Security Administrator's Guide Configuring Oracle Database for External Authentication tabbed window is displayed as shown in Figure 15–1. 2. Click the Authentication tab. 3. Select a method listed in the Available Methods list. 4. Sequentially move selected methods to the Selected Methods list by clicking the right arrow (>). 5. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, and select Promote or Demote to position it in the list. 6. Select File, then Save Network Configuration. The sqlnet.ora file is updated with the following entry, listing the selected authentication methods: SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5, RADIUS) SecurID functionality is available through RADIUS; RADIUS support is built into the RSA ACE/Server. Note: Chapter 11, "Configuring RADIUS Authentication" for more information See Also: Configuring Oracle Database for External Authentication This section describes the parameters you must set to configure Oracle Database for network authentication, using the following tasks: ■ Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora ■ Setting OS_AUTHENT_PREFIX to a Null Value See Also: ■ ■ The corresponding chapter in this guide for information about configuring a particular authentication method Appendix B, "Authentication Parameters" Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora The following parameter must be set in the sqlnet.ora file for all clients and servers to enable each to use a supported authentication method: SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method) For example, for all clients and servers using Kerberos authentication, the sqlnet.ora parameter must be set as follows: SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) Setting OS_AUTHENT_PREFIX to a Null Value Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows: OS_AUTHENT_PREFIX="" Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security 15-3 Configuring Oracle Database for External Authentication The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string. Note: Attention: If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL (" "), do not change it, because it can inhibit previously created, externally identified users from connecting to the Oracle server. To create a user, launch SQL*Plus and enter the following: SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY; When OS_AUTHENT_PREFIX is set to a null value (" "), enter the following to create the user king: SQL> CREATE USER king IDENTIFIED EXTERNALLY; The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally identified users. This is true for all supported authentication methods. See Also: ■ ■ Oracle Database Administrator's Guide Oracle Database Heterogeneous Connectivity User's Guide 15-4 Oracle Database Advanced Security Administrator's Guide Part V Part V Appendixes Part IV contains the following reference appendixes: ■ Appendix A, "Data Encryption and Integrity Parameters" ■ Appendix B, "Authentication Parameters" ■ Appendix C, "Integrating Authentication Devices Using RADIUS" ■ Appendix D, "Oracle Advanced Security FIPS 140 Settings" ■ Appendix E, "orapki Utility" ■ Appendix F, "Entrust-Enabled Secure Sockets Layer Authentication" A A Data Encryption and Integrity Parameters This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" and Chapter 13, "Configuring Secure Sockets Layer Authentication". This appendix contains the following topics: ■ Sample sqlnet.ora File ■ Data Encryption and Integrity Parameters Sample sqlnet.ora File This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters. Trace File Settings #Trace file setup trace_level_server=16 trace_level_client=16 trace_directory_server=/orant/network/trace trace_directory_client=/orant/network/trace trace_file_client=cli trace_file_server=srv trace_unique_client=true Oracle Advanced Security Transparent Data Encryption Settings ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/oracle))) Oracle Advanced Security Network Encryption Settings #ASO Encryption sqlnet.encryption_server=accepted sqlnet.encryption_client=requested sqlnet.encryption_types_server=(AES_256) sqlnet.encryption_types_client=(AES_256) Data Encryption and Integrity Parameters A-1 Data Encryption and Integrity Parameters Oracle Advanced Security Network Data Integrity Settings #ASO Checksum sqlnet.crypto_checksum_server=requested sqlnet.crypto_checksum_client=requested sqlnet.crypto_checksum_types_server = (SHA1) sqlnet.crypto_checksum_types_client = (SHA1) Secure Sockets Layer Settings #SSL WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = DIRECTORY=/wallet) SSL_CIPHER_SUITES=(SSL_RSA_WITH_3DES_EDE_CBC_SHA) SSL_VERSION= 3 SSL_CLIENT_AUTHENTICATION=FALSE Common Settings #Common automatic_ipc = off sqlnet.authentication_services = (beq) names.directory_path = (TNSNAMES) Kerberos Settings #Kerberos sqlnet.authentication_services = (beq, kerberos5) sqlnet.authentication_kerberos5_service = oracle sqlnet.kerberos5_conf= /krb5/krb.conf sqlnet.kerberos5_keytab= /krb5/v5srvtab sqlnet.kerberos5_realms= /krb5/krb.realm sqlnet.kerberos5_cc_name = /krb5/krb5.cc sqlnet.kerberos5_clockskew=900 sqlnet.kerberos5_conf_mit=false RADIUS Settings #Radius sqlnet.authentication_services = (beq, RADIUS ) sqlnet.radius_authentication_timeout = (10) sqlnet.radius_authentication_retries = (2) sqlnet.radius_authentication_port = (1645) sqlnet.radius_send_accounting = OFF sqlnet.radius_secret = /orant/network/admin/radius.key sqlnet.radius_authentication = radius.us.example.com sqlnet.radius_challenge_response = OFF sqlnet.radius_challenge_keyword = challenge sqlnet.radius_challenge_interface = oracle/net/radius/DefaultRadiusInterface sqlnet.radius_classpath = /jre1.1/ Data Encryption and Integrity Parameters If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora file. However, Oracle Advanced Security defaults to ACCEPTED. A-2 Oracle Database Advanced Security Administrator's Guide Data Encryption and Integrity Parameters For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora file that matches an algorithm listed in the client sqlnet.ora file, or in the client installed list if the client lists no algorithms in its sqlnet.ora file. If there are no entries in the server sqlnet.ora file, the server sequentially searches its installed list to match an item on the client side—either in the client sqlnet.ora file or in the client installed list. If no match can be made and one side of the connection REQUIRED the algorithm type (data encryption or integrity), the connection fails. Otherwise, the connection succeeds with the algorithm type inactive. Data encryption and integrity algorithms are selected independently of each other. Encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A–1: Table A–1 Algorithm Type Selection Encryption Selected? Integrity Selected? Yes No Yes Yes No Yes No No See Also: ■ ■ Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" "About Activating Encryption and Integrity" on page 9-3 The following sections describe data encryption and integrity parameters: ■ SQLNET.ENCRYPTION_SERVER Parameter ■ SQLNET.ENCRYPTION_CLIENT Parameter ■ SQLNET.SSL_EXTENDED_KEY_USAGE Parameter ■ SQLNET.CRYPTO_CHECKSUM_SERVER Parameter ■ SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter ■ SQLNET.ENCRYPTION_TYPES_SERVER Parameter ■ SQLNET.ENCRYPTION_TYPES_CLIENT Parameter ■ SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter ■ SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter SQLNET.ENCRYPTION_SERVER Parameter This parameter specifies the desired encryption behavior when a client or a server acting as a client connects to this server. The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT setting at the other end of the connection. Table A–2 SQLNET.ENCRYPTION_SERVER Parameter Attributes Attribute Description Syntax SQLNET.ENCRYPTION_SERVER = valid_value Valid Values ACCEPTED, REJECTED, REQUESTED, REQUIRED Data Encryption and Integrity Parameters A-3 Data Encryption and Integrity Parameters Table A–2 (Cont.) SQLNET.ENCRYPTION_SERVER Parameter Attributes Attribute Description Default Setting ACCEPTED SQLNET.ENCRYPTION_CLIENT Parameter This parameter specifies the desired encryption behavior when this client or server acting as a client connects to a server. The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection. Table A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes Attribute Description Syntax SQLNET.ENCRYPTION_CLIENT = valid_value Valid Values ACCEPTED, REJECTED, REQUESTED, REQUIRED Default Setting ACCEPTED SQLNET.SSL_EXTENDED_KEY_USAGE Parameter This parameter sets a Secure Sockets Layer certificate that uses extended key usage to always use client authentication. Table A–4 SQLNET.EXTENDED_KEY_USAGE Parameter Attributes Attribute Description Syntax SQLNET.SSL_EXTENDED_KEY_USAGE = valid_value Valid Values client authentication Default Setting client authentication SQLNET.CRYPTO_CHECKSUM_SERVER Parameter This parameter specifies the desired data integrity behavior when a client or another server acting as a client connects to this server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end of the connection. Table A–5 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes Attribute Description Syntax SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value Valid Values ACCEPTED, REJECTED, REQUESTED, REQUIRED Default Setting ACCEPTED SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter This parameter specifies the desired data integrity behavior when this client or server acting as a client connects to a server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection. Table A–6 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes Attribute Description Syntax SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value A-4 Oracle Database Advanced Security Administrator's Guide Data Encryption and Integrity Parameters Table A–6 (Cont.) SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes Attribute Description Valid Values ACCEPTED, REJECTED, REQUESTED, REQUIRED Default Setting ACCEPTED SQLNET.ENCRYPTION_TYPES_SERVER Parameter This parameter specifies a list of encryption algorithms used by this server in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with the error message ORA-12650. Table A–7 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes Attribute Description Syntax SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_ algorithm [,valid_encryption_algorithm]) Valid Values ■ AES256: AES (256-bit key size) ■ AES192: AES (192-bit key size) ■ 3DES168: 3-key Triple-DES (168-bit effective key size) ■ AES128: AES (128-bit key size) ■ 3DES112: 2-key Triple-DES (112-bit effective key size) Default Setting If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence. Usage Notes You can specify multiple encryption algorithms. It can be either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable: SQLNET.ENCRYPTION_TYPES_SERVER=(AES_256) SQLNET.ENCRYPTION_TYPES_SERVER=(3DES112,3DES168) SQLNET.ENCRYPTION_TYPES_CLIENT Parameter This parameter specifies a list of encryption algorithms used by this client or server acting as a client. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with the ORA-12650 error message. Table A–8 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes Attribute Description Syntax SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_ algorithm [,valid_encryption_algorithm]) Valid Values Default Setting ■ AES256: AES (256-bit key size). ■ AES192: AES (192-bit key size). ■ 3DES168: 3-key Triple-DES (168-bit effective key size). ■ AES128: AES (128-bit key size). ■ 3DES112: 2-key Triple-DES (112-bit effective key size). If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation. Data Encryption and Integrity Parameters A-5 Data Encryption and Integrity Parameters Table A–8 (Cont.) SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes Attribute Description Usage Notes You can specify multiple encryption algorithms. SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter This parameter specifies a list of data integrity algorithms that this server or client to another server uses, in order of intended use. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm is specified that is not installed on this side, the connection terminates with the ORA-12650 error message Table A–9 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes Attribute Description Syntax SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_ checksum_algorithm [,valid_crypto_checksum_algorithm]) Valid Values SHA1: Secure Hash Algorithm Default Setting If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence. SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter This parameter specifies a list of data integrity algorithms that this client or server acting as a client uses. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed on this side is specified, the connection terminates with the ORA-12650 error message. Table A–10 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes Attribute Description Syntax SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (valid_crypto_ checksum_algorithm [,valid_crypto_checksum_algorithm]) Valid Values SHA1: Secure Hash Algorithm Default Setting If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation. A-6 Oracle Database Advanced Security Administrator's Guide B B Authentication Parameters This appendix illustrates some sample configuration files with the profile file (sqlnet.ora) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication. This appendix contains the following topics: ■ Parameters for Clients and Servers using Kerberos Authentication ■ Parameters for Clients and Servers using RADIUS Authentication ■ Parameters for Clients and Servers Using Secure Sockets Layer Parameters for Clients and Servers using Kerberos Authentication Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos. Table B–1 Kerberos Authentication Parameters File Name Configuration Parameters sqlnet.ora SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC SQLNET.KERBEROS5_CLOCKSKEW=1200 SQLNET.KERBEROS5_CONF=/krb5/krb.conf SQLNET.KERBEROS5_CONF_MIT=(FALSE) SQLNET.KERBEROS5_REALMS=/krb5/krb.realms SQLNET.KERBEROS5_KEYTAB=/krb5/v5sLrvtab SQLNET.FALLBACK_AUTHENTICATION=FALSE initialization parameter file OS_AUTHENT_PREFIX="" Parameters for Clients and Servers using RADIUS Authentication The following sections describe the parameters for RADIUS authentication ■ sqlnet.ora File Parameters ■ Minimum RADIUS Parameters ■ Initialization File Parameters Authentication Parameters B-1 Parameters for Clients and Servers using RADIUS Authentication sqlnet.ora File Parameters The following sections describe the sqlnet.ora parameters that are used to specify RADIUS authentication. SQLNET.AUTHENTICATION_SERVICES Parameter This parameter configures the client or the server to use the RADIUS adapter. Table B–2 describes this parameter's attributes. Table B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes Attribute Description Syntax SQLNET.AUTHENTICATION_SERVICES=(radius) Default setting None SQLNET.RADIUS_AUTHENTICATION Parameter This parameter sets the location of the primary RADIUS server, either host name or dotted decimal format. If the RADIUS server is on a different computer from the Oracle server, you must specify either the host name or the IP address of that computer. Table B–3 describes this parameter's attributes. Table B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_IP_address Default setting localhost SQLNET.RADIUS_AUTHENTICATION_PORT Parameter This parameter sets the listening port of the primary RADIUS server. Table B–4 describes this parameter's attributes. Table B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION_PORT=port_number Default setting 1645 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter This parameter sets the time to wait for response. Table B–5 describes this parameter's attributes. Table B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=time_in_seconds Default setting 5 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter This parameter sets the number of times to resend authentication information. Table B–6 describes this parameter's attributes. B-2 Oracle Database Advanced Security Administrator's Guide Parameters for Clients and Servers using RADIUS Authentication Table B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION_RETRIES=n_times_to_resend Default setting 3 SQLNET.RADIUS_SEND_ACCOUNTING Parameter This parameter turns accounting on and off. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. By default, packets are sent to port 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system. Table B–7 describes this parameter's attributes. Table B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_SEND_ACCOUNTING=on Default setting off SQLNET.RADIUS_SECRET Parameter This parameter specifies the file name and location of the RADIUS secret key. Table B–8 describes this parameter's attributes. Table B–8 SQLNET.RADIUS_SECRET Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_SECRET=path_to_RADIUS_secret_key Default setting $ORACLE_HOME/network/security/radius.key SQLNET.RADIUS_ALTERNATE Parameter This parameter sets the location of an alternate RADIUS server to be used in case the primary server becomes unavailable for fault tolerance. Table B–9 describes this parameter's attributes. Table B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_ALTERNATE=alternate_RADIUS_server_hostname_ or_IP_address Default setting off SQLNET.RADIUS_ALTERNATE_PORT Parameter This parameter sets the listening port for the alternate RADIUS server. Table B–10 describes this parameter's attributes. Table B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_ALTERNATE_PORT=alternate_RADIUS_server_ listening_port_number Default setting 1645 Authentication Parameters B-3 Parameters for Clients and Servers using RADIUS Authentication SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter This parameter sets the time to wait for response for the alternate RADIUS server. Table B–11 describes this parameter's attributes. Table B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_ALTERNATE_TIMEOUT=time_in_seconds Default setting 5 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter This parameter sets the number of times that the alternate RADIUS server resends messages. Table B–12 describes this parameter's attributes. Table B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_ALTERNATE_RETRIES=n_times_to_resend Default setting 3 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter This parameter turns on or turns off the challenge-response or asynchronous mode support. Table B–13 describes this parameter's attributes. Table B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_CHALLENGE_RESPONSE=on Default setting off SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter This parameter sets the keyword to request a challenge from the RADIUS server. User types no password on the client. Table B–14 describes this parameter's attributes. Table B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_CHALLENGE_KEYWORD=keyword Default setting challenge SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B–15 describes this parameter's attributes. Table B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_AUTHENTICATION_INTERFACE=Java_class_name Default setting DefaultRadiusInterface (oracle/net/radius/DefaultRadiusInterface) B-4 Oracle Database Advanced Security Administrator's Guide Parameters for Clients and Servers Using Secure Sockets Layer SQLNET.RADIUS_CLASSPATH Parameter If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for that graphical interface, and to set the path to the JDK Java libraries. Table B–16 describes this parameter's attributes. Table B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes Attribute Description Syntax SQLNET.RADIUS_CLASSPATH=path_to_GUI_Java_classes Default setting $ORACLE_HOME/jlib/netradius.jar:$ORACLE_ HOME/JRE/lib/sparc/native_threads Minimum RADIUS Parameters sqlnet.authentication_services = (radius) sqlnet.radius.authentication = IP-address-of-RADIUS-server Initialization File Parameters OS_AUTHENT_PREFIX="" Parameters for Clients and Servers Using Secure Sockets Layer There are two ways to configure a parameter: ■ ■ Static: The name of the parameter that exists in the sqlnet.ora file. Parameters like SSL_CIPHER_SUITES and SSL_VERSION can also be configured using the listener.ora file. Dynamic: The name of the parameter used in the security subsection of the Oracle Net address. Secure Sockets Layer Authentication Parameters This section describes the static and dynamic parameters for configuring SSL on the server. Attribute Description Parameter Name (static) SQLNET.AUTHENTICATION_SERVICES Parameter Name (dynamic) AUTHENTICATION Parameter Type String LIST Parameter Class Static Permitted Values Add TCPS to the list of available authentication services. Default Value No default value. Description To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type. Authentication Parameters B-5 Parameters for Clients and Servers Using Secure Sockets Layer Attribute Existing/New Parameter Description Existing Syntax (static) SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_ 1, selected_method_2) Example (static) SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) Syntax (dynamic) AUTHENTICATION = string Example (dynamic) AUTHENTICATION = (TCPS) Cipher Suite Parameters This section describes the static and dynamic parameters for configuring cipher suites. Attribute Description Parameter Name (static) SSL_CIPHER_SUITES Parameter Name (dynamic) SSL_CIPHER_SUITES Parameter Type String LIST Parameter Class Static Permitted Values Any known SSL cipher suite Default Value No default Description Controls the combination of encryption and data integrity used by SSL. Existing/New Parameter Existing Syntax (static) SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_ cipher_suiteN]) Example (static) SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) Syntax (dynamic) SSL_CIPHER_SUITES=(SSL_cipher_suite1 [, SSL_cipher_suite2, ...SSL_cipher_suiteN]) Example (dynamic) SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) Supported SSL Cipher Suites Oracle Advanced Security supports the following cipher suites: ■ SSL_RSA_WITH_3DES_EDE_CBC_SHA ■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ■ SSL_RSA_WITH_AES_128_CBC_SHA ■ SSL_RSA_WITH_AES_256_CBC_SHA Note that the cipher suites that use Advanced Encryption Standard (AES) work with Transport Layer Security (TLS 1.0) only. B-6 Oracle Database Advanced Security Administrator's Guide Parameters for Clients and Servers Using Secure Sockets Layer Secure Sockets Layer Version Parameters This section describes the static and dynamic parameters for configuring the version of SSL to be used. Attribute Description Parameter Name (static) SSL_VERSION Parameter Name (dynamic) SSL_VERSION Parameter Type string Parameter Class Static Permitted Values Any version that is valid to SSL. Values are as follows: undetermined | 3.0 | 1.0 | 1.1 | 1.2 If you want to specify one version or another version, then use "or". The following values are permitted: 1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 | 1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 | 1.2 or 1.1 or 1.0 or 3.0 Default Value "0" Description To force the version of the SSL connection. Existing/New Parameter New Syntax (static) SSL_VERSION=version Example (static) SSL_VERSION=1.0 or 3.0 Syntax (dynamic) SSL_VERSION=version Example (dynamic) SSL_VERSION=3.0 Secure Sockets Layer Client Authentication Parameters This section describes the static and dynamic parameters for configuring SSL on the client. Attribute Description Parameter Name (static) SSL_CLIENT_AUTHENTICATION Parameter Name (dynamic) SSL_CLIENT_AUTHENTICATION Parameter Type Boolean Parameter Class Static Permitted Values TRUE/FALSE Default Value TRUE Description To control whether a client, in addition to the server, is authenticated using SSL. Existing/New Parameter New Authentication Parameters B-7 Parameters for Clients and Servers Using Secure Sockets Layer Attribute Description Syntax (static) SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} Example (static) SSL_CLIENT_AUTHENTICATION=FALSE Syntax (dynamic) SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} Example (dynamic) SSL_CLIENT_AUTHENTICATION=FALSE SSL X.509 Server Match Parameters This section describes the parameters that are used to validate the identity of a server that the client connects to. SSL_SERVER_DN_MATCH Attribute Description Parameter Name SSL_SERVER_DN_MATCH Where stored sqlnet.ora Purpose Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verifications, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection, regardless of whether there is a match. Not forcing the match lets the server potentially fake its identity. Values yes|on|true. Specify to enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails. no|off|false. Specify to not enforce a match. If the DN does not match the service name, the connection is successful, but an error is logged to the sqlnet.log file. Default Oracle8i, or later:.FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to sqlnet.log file. Usage Notes Additionally configure the tnsnames.ora parameter SSL_SERVER_ CERT_DN to enable server DN matching. SSL_SERVER_CERT_DN Attribute Description Parameter Name SSL_SERVER_CERT_DN Where stored tnsnames.ora. It can be stored on the client, for every server it connects to, or it can be stored in the LDAP directory, for every server it connects to, updated centrally. Purpose This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers to force the server's DN to match its service name. Values Set equal to distinguished name (DN) of the server. Default n/a Usage Notes Additionally configure the sqlnet.ora parameter SSL_SERVER_DN_ MATCH to enable server DN matching. B-8 Oracle Database Advanced Security Administrator's Guide Parameters for Clients and Servers Using Secure Sockets Layer Attribute Description Example dbalias=(description=address_ list=(address=(protocol=tcps)(host=hostname)(port=portnum)) )(connect_data=(sid=Finance))(security=(SSL_SERVER_CERT_ DN="CN=Finance,CN=OracleContext,C=US,O=Acme")) Wallet Location For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B–17 in each of the following configuration files: ■ sqlnet.ora ■ listener.ora Table B–17 Wallet Location Parameters Static Configuration Dynamic Configuration WALLET_LOCATION = MY_WALLET_DIRECTORY (SOURCE= = your_wallet_dir (METHOD=File) (METHOD_DATA= (DIRECTORY=your wallet location) ) ) The default wallet location is the ORACLE_HOME directory. Authentication Parameters B-9 Parameters for Clients and Servers Using Secure Sockets Layer B-10 Oracle Database Advanced Security Administrator's Guide C C Integrating Authentication Devices Using RADIUS This appendix describes how third-party authentication vendors customize the RADIUS challenge-response user interface to fit their particular device. This appendix contains the following topics: ■ About the RADIUS Challenge-Response User Interface ■ Customizing the RADIUS Challenge-Response User Interface See Also: Chapter 11, "Configuring RADIUS Authentication" About the RADIUS Challenge-Response User Interface You can set up any authentication device that supports the RADIUS standard to authenticate Oracle users. When your authentication device uses the challenge-response mode, a graphical interface prompts the user first for a password and then for additional information. For example, a dynamic password that the user obtains from a token card. This interface is Java-based to provide optimal platform independence. Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor customizes the Oracle client to issue the challenge to the smart card reader. Then, when the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN. Customizing the RADIUS Challenge-Response User Interface You can customize this interface by creating your own class to support the functionality described in Table C–1. You can then open the sqlnet.ora file, look up the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, and replace the name of the class listed there (DefaultRadiusInterface), with the name of the new class you have just created. When you make this change in the sqlnet.ora file, the class is loaded on the Oracle client in order to handle the authentication process. The third party must implement the Oracle RADIUS Interface, which is located in the ORACLE.NET.RADIUS package. public interface OracleRadiusInterface { public void radiusRequest(); public void radiusChallenge(String challenge); public String getUserName(); public String getPassword(); Integrating Authentication Devices Using RADIUS C-1 Customizing the RADIUS Challenge-Response User Interface } Table C–1 Server Encryption Level Setting Parameter Description radiusRequest Generally, this prompts the user for a user name and password, which will later be retrieved through getUserName and getPassword. getUserName Extracts the user name the user enters. If this method returns an empty string, it is assumed that the user wants to cancel the operation. The user then receives a message indicating that the authentication attempt failed. getPassword Extracts the password the user enters. If getUserName returns a valid string, but getPassword returns an empty string, the challenge keyword is replaced as the password by the database. If the user enters a valid password, a challenge may or may not be returned by the RADIUS server. radiusChallenge Presents a request sent from the RADIUS server for the user to respond to the server's challenge. getResponse Extracts the response the user enters. If this method returns a valid response, that information then populates the User-Password attribute in the new Access-Request packet. If an empty string is returned, the operation is aborted from both sides by returning the corresponding value. C-2 Oracle Database Advanced Security Administrator's Guide D D Oracle Advanced Security FIPS 140 Settings This appendix contains: ■ About the FIPS 140 Settings ■ Configuring Oracle Database for FIPS 140-2 ■ Configuring Oracle Database for FIPS 140-1 About the FIPS 140 Settings This appendix describes how to configure Oracle Database for the Federal Information Processing Standard (FIPS), for the current standard, 140-2, and for 140-1. To verify the current status of the certification, you can find information at the Computer Security Resource Center (CSRC) Web site address from the National Institute of Standards and Technology: http://csrc.nist.gov/ To find information specific to FIPS, you can search for Validated FIPS 140 Cryptographic Modules. The security policy, which is available on this site upon successful certification, includes requirements for secure configuration of the host operating system. Configuring Oracle Database for FIPS 140-2 This section contains: ■ About the FIPS 140-2 Settings ■ Configuring the SSLFIPS_140 Parameter ■ Selecting Cipher Suites ■ Post-Installation Checks ■ Verifying FIPS Connections About the FIPS 140-2 Settings The cryptographic libraries for SSL included in Oracle Database 10g are designed to meet FIPS 140-2 Level 2 certification. Oracle Advanced Security makes use of these cryptographic libraries for SSL authentication. The instructions in this appendix apply to Oracle Database Release 11.2.0.4 and later. For more information about upgrading to Release 11.2.0.4, visit the following Oracle Technology Network site: Oracle Advanced Security FIPS 140 Settings D-1 Configuring Oracle Database for FIPS 140-2 http://www.oracle.com/technetwork/database/enterprise-edition/downloads/in dex-092322.html Configuring the SSLFIPS_140 Parameter Oracle Advanced Security SSL adapter can be configured to run in FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file. SSLFIPS_140=TRUE This parameter is set to FALSE by default. It must be set to TRUE on both the client and the server for FIPS mode operation. Make sure that the fips.ora file is either located in the $ORACLE_HOME/ldap/admin directory, or is pointed to by the FIPS_HOME environment variable. This procedure can be repeated in any Oracle home for any database server or client. The SSLFIPS_140 parameter replaces the SQLNET.SSLFIPS_140 parameter used in Oracle Database 10g Release 2 (10.2). The parameter needs to be set in the fips.ora file, and not the sqlnet.ora file. Note: Selecting Cipher Suites A cipher suite is a set of authentication, encryption and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see as to which cipher suite they will use when transmitting messages back and forth. Only the following cipher suites are approved for FIPS validation: ■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ■ SSL_RSA_WITH_AES_256_CBC_SHA ■ SSL_RSA_WITH_AES_128_CBC_SHA ■ SSL_RSA_WITH_3DES_EDE_CBC_SHA Oracle Advanced Security SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the SSL_CIPHER_SUITES parameter in the sqlnet.ora or the listener.ora file. SSL_CIPHER_SUITES=(SSL_cipher_suite1[,SSL_cipher_suite2[,..]]) You can also use Oracle Net Manager to set this parameter on the server and the client. "Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)" on page 13-10 and "Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)" on page 13-18 for more information on setting cipher suites. See Also: Post-Installation Checks After installation, the following permissions must be verified in the operating system: ■ Execute permissions must be set on all Oracle executable files so as to prevent execution of Oracle Cryptographic Libraries by users who are unauthorized to do so in accordance with the system security policy. D-2 Oracle Database Advanced Security Administrator's Guide Configuring Oracle Database for FIPS 140-1 ■ Read and write permissions must be set on all Oracle executable files so as to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user. To comply with FIPS 140-2 Level 2 requirements, the security policy must include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system. Verifying FIPS Connections To check if FIPS mode is enabled, tracing can be added to the sqlnet.ora file. FIPS self-test messages can be found in the trace file. Add the following lines to sqlnet.ora to enable tracing: trace_directory_server=trace_dir trace_file_server=trace_file trace_level_server=trace_level For example: trace_directory=/private/oracle/owm trace_file_server=fips_trace.trc trace_level_server=6 Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests. Configuring Oracle Database for FIPS 140-1 This section contains: ■ About the FIPS 140-1 Settings ■ sqlnet.ora FIPS 140-1 Configuration Parameters ■ Post Installation Checks ■ Status InformationPhysical Security The information contained in this section should be used with the information provided in Appendix A, "Data Encryption and Integrity Parameters". Note: About the FIPS 140-1 Settings The Oracle Database FIP 140-1 implementation has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level. This appendix describes the formal configuration required to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address: http://csrc.nist.gov/cryptval/140-1/1401val.htm sqlnet.ora FIPS 140-1 Configuration Parameters This appendix contains information on the Oracle Advanced Security parameters required in the sqlnet.ora files to ensure that any connections created between a client and server are encrypted under the control of the server. Oracle Advanced Security FIPS 140 Settings D-3 Configuring Oracle Database for FIPS 140-1 Configuration parameters are contained in the sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a DBA. The following configuration parameters are described in this appendix: ■ ENCRYPTION_SERVER ■ ENCRYPTION_CLIENT ■ ENCRYPTION_TYPES_SERVER ■ ENCRYPTION_TYPES_CLIENT ■ FIPS_140 Server Encryption Level Setting The server side of the negotiation notionally controls the connection settings. The following parameter in the server file is mandatory: SQLNET.ENCRYPTION_SERVER=REQUIRED Setting the encryption as REQUIRED on the server side of the connection ensures that a connection is only permitted if encryption is used, irrespective of the parameter value on the client. Client Encryption Level Setting The ENCRYPTION_CLIENT parameter specifies the connection behavior for the client. One of the following parameter settings in the client file is mandatory: SQLNET.ENCRYPTION_CLIENT=(ACCEPTED|REQUESTED|REQUIRED) A connection to the server is only possible if there is agreement between client and server for the connection encryption. The server has this set to REQUIRED, therefore the client must not reject encryption for a valid connection to be the result. Failure to specify one of these values results in error when attempting to connect to a FIPS 140-1 compliant server. Server Encryption Selection List The ENCRYPTION_TYPES_SERVER parameter specifies a list of encryption algorithms that the server is permitted to use when acting as a server in the order of required usage. The specified algorithm must be installed or the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory: SQLNET.ENCRYPTION_TYPES_SERVER=(DES,DES40) Client Encryption Selection List The ENCRYPTION_TYPES_CLIENT parameter specifies the list of encryption algorithms which the client is prepared to use for the connection with the server. In order for a connection to be successful, the algorithm must first be installed and the encryption type must be mutually acceptable to the server. To create a connection with a server that is configured for FIPS 140-1, the following parameter setting is mandatory: SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40) D-4 Oracle Database Advanced Security Administrator's Guide Configuring Oracle Database for FIPS 140-1 FIPS Parameter The default setting of the FIPS_140 parameter is FALSE. Setting the parameter to TRUE is mandatory for both client and server to ensure Oracle Advanced Security complies with the standards defined in FIPS 140-1 as follows: SQLNET.FIPS_140=TRUE Use a text editor to set the FIPS_140 parameter in the sqlnet.ora file. You cannot use Oracle Net Manager to set this parameter. Note: Post Installation Checks After the installation, the following permissions must be verified in the operating system: ■ ■ Execute permissions must be set on all Oracle Advanced Security executable files so as to prevent execution of Oracle Advanced Security by users who are unauthorized to do so in accordance with the system security policy. Read and write permissions must be set on all executable files so as to prevent accidental or deliberate reading or modification of Oracle Advanced Security files by any user. To comply with FIPS 140-1 Level 2 requirements, the security policy must include procedures to prevent unauthorized users from reading or modifying Oracle Advanced Security processes and the memory they are using in the operating system. Status Information Status information for Oracle Advanced Security is available after the connection has been established. The information is contained in the RDBMS virtual table v$session_ connect_info. Running the query SELECT * from V$SESSION_CONNECT_INFO displays all of the product banner information for the active connection. Table D–1 shows an example of a connection configuration where the DES encryption data integrity is defined: Table D–1 Sample Output from v$session_connect_info SID AUTHENTICATION OSUSER NETWORK_SERVICE_BANNER 7 DATABASE oracle Oracle Bequeath operating system adapter for Solaris, v8.1.6.0.0 7 DATABASE oracle Oracle Advanced Security: encryption service for Solaris 7 DATABASE oracle Oracle Advanced Security: DES encryption service adapter 7 DATABASE oracle Oracle Advanced Security: crypto-checksumming service 7 DATABASE oracle Oracle Advanced Security: SHA-1 crypto-checksumming service adapter. Oracle Advanced Security FIPS 140 Settings D-5 Configuring Oracle Database for FIPS 140-1 Physical Security To comply with FIPS 140-1 Level 2 requirements, tamper-evident seals must be applied to the cover of each computer to ensure that removal of the cover is detectable. D-6 Oracle Database Advanced Security Administrator's Guide E E orapki Utility The orapki utility is provided to manage public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, from the command line. This enables you to automate these tasks using scripts. Providing a way to incorporate the management of PKI elements into scripts makes it possible to automate many of the routine tasks of maintaining a PKI. The following topics are included in this appendix: ■ orapki Utility Overview ■ Creating Signed Certificates for Testing Purposes ■ Managing Oracle Wallets with orapki Utility ■ Managing Certificate Revocation Lists (CRLs) with orapki Utility ■ orapki Usage Examples ■ orapki Utility Commands Summary orapki Utility Overview This command-line utility can be used to perform the following tasks: ■ Creating and viewing signed certificates for testing purposes ■ Manage Oracle wallets: ■ – Create and display Oracle wallets – Add and remove certificate requests – Add and remove certificates – Add and remove trusted certificates Manage certificate revocation lists (CRLs): – Renaming CRLs with a hash value for certificate validation – Uploading, listing, viewing, and deleting CRLs in Oracle Internet Directory orapki Utility Syntax The basic syntax of the orapki command-line utility is as follows: orapki module command -parameter value where module can be wallet (Oracle wallet), crl (certificate revocation list), or cert (PKI digital certificate). The available commands depend on the module you are using. orapki Utility E-1 Creating Signed Certificates for Testing Purposes For example, if you are working with a wallet, then you can add a certificate or a key to the wallet with the add command. The following example adds the user certificate located at /private/lhale/cert.txt to the wallet located at $ORACLE_ HOME/wallet/ewallet.p12: orapki wallet add -wallet $ORACLE_HOME/wallet/ewallet.p12 -user_cert -cert /private/lhale/cert.txt Creating Signed Certificates for Testing Purposes The orapki utility provides a convenient, lightweight way to create signed certificates for testing purposes. To create a signed certificate for testing purposes, use the following command: orapki cert create [-wallet wallet_location] -request certificate_request_location -cert certificate_location -validity number_of_days [-summary] This command creates a signed certificate from the certificate request. The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. The -validity parameter specifies the number of days, starting from the current date, that this certificate will be valid. Specifying a certificate and certificate request is mandatory for this command. To view a certificate, use the following command: orapki cert display -cert certificate_location [-summary | -complete] This command enables you to view a test certificate that you have created with orapki. You can choose either -summary or -complete, which determines how much detail the command will display. If you choose -summary, the command will display the certificate and its expiration date. If you choose -complete, it will display additional certificate information, including the serial number and public key. Managing Oracle Wallets with orapki Utility The following sections describe the syntax used to create and manage Oracle wallets with the orapki command-line utility. You can use these orapki utility wallet module commands in scripts to automate the wallet creation process. ■ Creating, Viewing, and Modifying Wallets with orapki ■ Adding Certificates and Certificate Requests to Oracle Wallets with orapki ■ Exporting Certificates and Certificate Requests from Oracle Wallets with orapki Note: The -wallet parameter is mandatory for all wallet module commands. Creating, Viewing, and Modifying Wallets with orapki This section contains the following topics: ■ Creating a PKCS#12 Wallet ■ Creating an Auto Login Wallet ■ Viewing a Wallet E-2 Oracle Database Advanced Security Administrator's Guide Managing Oracle Wallets with orapki Utility ■ Modifying the Password for a Wallet Creating a PKCS#12 Wallet To create an Oracle PKCS#12 wallet (ewallet.p12), use the following command: orapki wallet create -wallet wallet_location [-pwd password] This command prompts you to enter and reenter a wallet password, if no password has been specified on the command line. It creates a wallet in the location specified for -wallet. For security reasons, Oracle recommends that you do not specify the password at the command line. You should supply the password when prompted to do so. Note: Creating an Auto Login Wallet To create an auto login wallet (cwallet.sso) that does not need a password, use the following command: orapki wallet create -wallet wallet_location -auto_login_only This command creates an auto login wallet (cwallet.sso) that does not need a password to open. You can also modify or delete the wallet without using a password. File system permissions provide the necessary security for such auto login wallets. You can also create an auto login wallet that is associated with a PKCS#12 wallet. The auto login wallet does not need a password to open. However, you must supply the password for the associated PKCS#12 wallet in order to modify or delete the wallet. Any update to the PKCS#12 wallet also updates the associated auto login wallet. To create an auto login wallet (cwallet.sso) that is associated with a PKCS#12 wallet (ewallet.p12), use the following command: orapki wallet create -wallet wallet_location -auto_login [-pwd password] This command creates a wallet with auto login enabled (cwallet.sso) and associates it with a PKCS#12 wallet (ewallet.p12). The command prompts you to enter the password for the PKCS#12 wallet, if no password has been specified at the command line. For security reasons, Oracle recommends that you do not specify the password at the command line. You should supply the password when prompted to do so. Note: If the wallet_location already contains a PKCS#12 wallet, then auto login is enabled for it. You must supply the password for the existing PKCS#12 wallet in order to enable auto login for it. If the wallet_location does not contain a PKCS#12 wallet, then a new PKCS#12 wallet is created. You must specify a password for the new PKCS#12 wallet. If you wish to turn the auto login feature off for a PKCS#12 wallet, then use Oracle Wallet Manager. See Also: "Using Auto Login" on page 14-14 for more information orapki Utility E-3 Managing Oracle Wallets with orapki Utility You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created. A local auto login wallet does not need a password to open. However, you must supply the password for the associated PKCS#12 wallet in order to modify or delete the wallet. Any update to the PKCS#12 wallet also updates the associated auto login wallet. To create a local auto login wallet, use the following command: orapki wallet create -wallet wallet_location -auto_login_local [-pwd password] This command creates an auto login wallet (cwallet.sso) that is local to both the computer on which it is created and the user who created it. It associates it with a PKCS#12 wallet (ewallet.p12). The command prompts you to enter the password for the PKCS#12 wallet, if no password has been specified at the command line. For security reasons, Oracle recommends that you do not specify the password at the command line. You should supply the password when prompted to do so. Note: Viewing a Wallet To view an Oracle wallet, use the following command: orapki wallet display -wallet wallet_location This command displays the certificate requests, user certificates, and trusted certificates contained in the wallet, which must be a binary PKCS12 file, with extension .p12. Other files will fail. Modifying the Password for a Wallet To change the wallet password, use the following command: orapki wallet change_pwd -wallet wallet_location [-oldpwd password ] [-newpwd password] This command changes the current wallet password to the new password. The command prompts you for the old and new passwords if no password is supplied at the command line. For security reasons, Oracle recommends that you do not specify the password options at the command line. You should supply the password when prompted to do so. Note: Adding Certificates and Certificate Requests to Oracle Wallets with orapki To add a certificate request to an Oracle wallet, use the following command: orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048 This command adds a certificate request to a wallet for the user with the specified distinguished name (user_dn). The request also specifies the requested certificate's key size (512, 1024, or 2048 bits). To sign the request, export it with the export option. E-4 Oracle Database Advanced Security Administrator's Guide Managing Oracle Wallets with orapki Utility "Exporting Certificates and Certificate Requests from Oracle Wallets with orapki" on page E-6 for more information See Also: To add a trusted certificate to an Oracle wallet, use the following command: orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location This command adds a trusted certificate, at the specified location (-cert certificate_location), to a wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding a user certificate, or the command to add the user certificate will fail. To add a root certificate to an Oracle wallet, use the following command: orapki wallet add -wallet wallet_location -dn certificate_dn -keySize 512|1024|2048 -self_signed -validity number_of_days This command creates a new self-signed (root) certificate and adds it to the wallet. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. You can specify a key size for this root certificate (-keySize) of 512, 1024, or 2048 bits. To add a user certificate to an Oracle wallet, use the following command: orapki wallet add -wallet wallet_location -user_cert -cert certificate_location This command adds the user certificate at the location specified with the -cert parameter to the Oracle wallet at the wallet_location. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail. To add PKCS#11 information to a wallet You can use a wallet containing PKCS#11 information like any Oracle wallet. The private keys are stored on a hardware device. The cryptographic operations are also performed on the device. Use the following command to add PKCS#11 information to a wallet: orapki wallet p11_add -wallet wallet_location -p11_lib pkcs11Lib [-p11_tokenlabel tokenLabel] [-p11_tokenpw tokenPassphrase] [-p11_certlabel certLabel] [-pwd password] The parameters have the following meaning: ■ ■ ■ ■ ■ ■ -wallet specifies the wallet location. -p11_lib specifies the path to the PKCS#11 library. This includes the library filename. -p11_tokenlabel specifies the token or smart card used on the device. Use this when there are multiple tokens on the device. Token labels are set using vendor tools. -p11_tokenpw specifies the password that is used to access the token. Token passwords are set using vendor tools. -p11_certlabel is used to specify a certificate label on the token. Use this when a token contains multiple certificates. Certificate labels are set using vendor tools. -pwd is used to specify the wallet password. orapki Utility E-5 Managing Certificate Revocation Lists (CRLs) with orapki Utility For security reasons, Oracle recommends that you do not specify the password at the command line. You should supply the password when prompted to do so. Note: You can verify credentials on the hardware device using the PKCS#11 wallet. Use the following command for this purpose: orapki wallet p11_verify -wallet wallet_location [-pwd password] For security reasons, Oracle recommends that you do not specify the password at the command line. You should supply the password when prompted to do so. Note: Exporting Certificates and Certificate Requests from Oracle Wallets with orapki To export a certificate from an Oracle wallet, use the following command: orapki wallet export -wallet wallet_location -dn certificate_dn -cert certificate_ filename This command exports a certificate with the subject's distinguished name (-dn) from a wallet to a file that is specified by -cert. To export a certificate request from an Oracle wallet, use the following command: orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename This command exports a certificate request with the subject's distinguished name (-dn) from a wallet to a file that is specified by -request. Managing Certificate Revocation Lists (CRLs) with orapki Utility CRLs must be managed with orapki. This utility creates a hashed value of the CRL issuer's name to identify the CRLs location in your system. If you do not use orapki, your Oracle server cannot locate CRLs to validate PKI digital certificates. For detailed information about using orapki to manage CRLs refer to "Certificate Revocation List Management" on page 13-28. orapki Usage Examples This section includes examples of some of the orapki commands discussed in the preceding sections. Example E–1 illustrates the steps to create a wallet with a self-signed certificate and export the certificate to a file. Example E–1 Create a Wallet with a Self-Signed Certificate and Export the Certificate The following steps illustrate creating a wallet, adding a self-signed certificate to it, viewing the wallet and exporting the certificate: 1. Create a wallet orapki wallet create -wallet /private/user/orapki_use/root The wallet is created at the location, /private/user/orapki_use/root. E-6 Oracle Database Advanced Security Administrator's Guide orapki Usage Examples 2. Add a self-signed certificate to the wallet orapki wallet add -wallet /private/user/orapki_use/root -dn ’CN=root_test,C=US’ -keysize 2048 -self_signed -validity 3650 This creates a self-signed certificate with a validity of 3650 days. The distinguished name of the subject is CN=root_test,C=US. The key size for the certificate is 2048 bits. 3. View the wallet orapki wallet display -wallet /private/user/orapki_use/root This is used to view the certificate contained in the wallet. 4. Export the certificate orapki wallet export -wallet /private/user/orapki_use/root -dn ’CN=root_test,C=US’ -cert /private/user/orapki_use/root/b64certificate.txt This exports the self-signed certificate to the file, b64certificate.txt. Note that the distinguished name used is the same as in step 2. Example E–2 illustrates miscellaneous tasks related to creating user certificates. Example E–2 Create a Wallet and a User Certificate The following steps illustrate creating a wallet, creating a certificate request, exporting the certificate request, creating a signed certificate from the request for testing, viewing the certificate, adding a trusted certificate to the wallet and adding a user certificate to the wallet. 1. Create a wallet with auto login enabled orapki wallet create -wallet /private/user/orapki_use/server -auto_login This creates a wallet at /private/user/orapki_use/server with auto login enabled. 2. Add a certificate request to the wallet orapki wallet add -wallet /private/user/orapki_use/server -dn ’CN=server_ test,C=US’ -keysize 2048 This adds a certificate request to the wallet that was created. The distinguished name of the subject is CN=server_test,C=US. The key size specified is 2048 bits. 3. Export the certificate request to a file orapki wallet export -wallet /private/user/orapki_use/server -dn ’CN=server_ test,C=US’ -request /private/user/orapki_use/server/creq.txt This exports the certificate request to the specified file, which is creq.txt in this case. 4. Create a signed certificate from the request for test purposes orapki cert create -wallet /private/user/orapki_use/root -request /private/user/orapki_use/server/creq.txt -cert /private/user/orapki_ use/server/cert.txt -validity 3650 This creates a certificate, cert.txt with a validity of 3650 days. The certificate is created from the certificate request generated in the preceding step. 5. View the certificate orapki Utility E-7 orapki Utility Commands Summary orapki cert display -cert /private/user/orapki_use/server/cert.txt -complete This displays the certificate generated in the preceding step. The -complete option enables you to display additional certificate information, including the serial number and public key. 6. Add a trusted certificate to the wallet orapki wallet add -wallet /private/user/orapki_use/server -trusted_cert -cert /private/user/orapki_use/root/b64certificate.txt This adds a trusted certificate, b64certificate.txt to the wallet. You must add all trusted certificates in the certificate chain of a user certificate before adding a user certificate. 7. Add a user certificate to the wallet orapki wallet add -wallet /private/user/orapki_use/server -user_cert -cert /private/user/orapki_use/server/cert.txt This adds the user certificate, cert.txt to the wallet. orapki Utility Commands Summary This section lists and describes the following orapki commands: ■ orapki cert create ■ orapki cert display ■ orapki crl delete ■ orapki crl display ■ orapki crl hash ■ orapki crl list ■ orapki crl upload ■ orapki wallet add ■ orapki wallet create ■ orapki wallet display ■ orapki wallet export orapki cert create The following sections describe this command. Purpose Use the orapki cert create command to create a signed certificate for testing purposes. Syntax orapki cert create [-wallet wallet_location] -request certificate_request_location -cert certificate_location -validity number_of_days [-summary] ■ The -wallet parameter specifies the wallet containing the user certificate and private key that will be used to sign the certificate request. E-8 Oracle Database Advanced Security Administrator's Guide orapki Utility Commands Summary ■ ■ ■ The -request parameter (mandatory) specifies the location of the certificate request for the certificate you are creating. The -cert parameter (mandatory) specifies the directory location where the tool places the new signed certificate. The -validity parameter (mandatory) specifies the number of days, starting from the current date, that this certificate will be valid. orapki cert display The following sections describe this command. Purpose Use the orapki cert display command to display details of a specific certificate. Syntax orapki cert display -cert certificate_location [-summary|-complete] ■ ■ The -cert parameter specifies the location of the certificate you want to display. You can use either the -summary or the -complete parameter to display the following information: – -summary displays the certificate and its expiration date – -complete displays additional certificate information, including the serial number and public key orapki crl delete The following sections describe this command. Purpose Use the orapki crl delete command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group. Prerequisites None Syntax orapki crl delete -issuer issuer_name -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary] ■ ■ The -issuer parameter specifies the name of the certificate authority (CA) who issued the CRL. The -ldap parameter specifies the host name and SSL port for the directory where the CRLs are to be deleted. Note that this must be a directory SSL port with no authentication. Refer to "Uploading CRLs to Oracle Internet Directory" on page 13-30 for more information about this port. See Also: orapki Utility E-9 orapki Utility Commands Summary ■ ■ ■ The -user parameter specifies the user name of the directory user who has permission to delete CRLs from the CRL subtree in the directory. The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to deleting it from the directory. The -summary parameter is optional. Using it causes the tool to print the CRL LDAP entry that was deleted. orapki crl display The following sections describe this command. Purpose Use the orapki crl display command to display specific CRLs that are stored in Oracle Internet Directory. Syntax orapki crl display -crl crl_location [-wallet wallet_location] [-summary|-complete] ■ ■ ■ The -crl parameter specifies the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. Refer to "orapki crl list" on page E-11 The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to displaying it. Choosing either the -summary or the -complete parameters displays the following information: – -summary provides a listing that contains the CRL issuer's name and the CRL's validity period – -complete provides a list of all revoked certificates that the CRL contains. Note that this option may take a long time to display, depending on the size of the CRL. orapki crl hash The following sections describe this command. Purpose Use the orapki crl hash command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in the file system for certificate validation. Syntax orapki crl hash -crl crl_filename|URL [-wallet wallet_location] [-symlink|-copy] crl_directory [-summary] ■ The -crl parameter specifies the filename that contains the CRL or the URL where it can be found. E-10 Oracle Database Advanced Security Administrator's Guide orapki Utility Commands Summary ■ ■ ■ The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. Depending on the operating system, use either the -symlink or the -copy parameter: – (UNIX) use -symlink to create a symbolic link to the CRL at the crl_ directory location – (Windows) use -copy to create a copy of the CRL at the crl_directory location The -summary parameter (optional) causes the tool to display the CRL issuer's name. orapki crl list The following sections describe this command. Purpose Use the orapki crl list command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system. Syntax orapki crl list -ldap hostname:ssl_port The -ldap parameter specifies the host name and SSL port for the directory server from where you want to list CRLs. Note that this must be a directory SSL port with no authentication. "Uploading CRLs to Oracle Internet Directory" on page 13-30 for more information about this port Tip: orapki crl upload The following sections describe this command. Purpose Use the orapki crl upload command to upload certificate revocation lists (CRLs) to the CRL subtree in Oracle Internet Directory. Note that you must be a member of the directory administrative group CRLAdmins (cn=CRLAdmins,cn=groups,%s_ OracleContextDN%) to upload CRLs to the directory. Syntax orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary] ■ ■ The -crl parameter specifies the directory location or the URL where the CRL is located that you are uploading to the directory. The -ldap parameter specifies the host name and SSL port for the directory where you are uploading the CRLs. Note that this must be a directory SSL port with no authentication. orapki Utility E-11 orapki Utility Commands Summary "Uploading CRLs to Oracle Internet Directory" on page 13-30 for more information about this port See Also: ■ ■ ■ The -user parameter specifies the user name of the directory user who has permission to add CRLs to the CRL subtree in the directory. The -wallet parameter specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. This is an optional parameter. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory. The -summary parameter is also optional. Using it causes the tool to display the CRL issuer's name and the LDAP entry where the CRL is stored in the directory. orapki wallet add The following sections describe this command. Purpose Use the orapki wallet add command to add certificate requests and certificates to an Oracle wallet. Syntax To add certificate requests, use the following command: orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048 ■ The -wallet parameter specifies the location of the wallet to which you want to add a certificate request. ■ The -dn parameter specifies the distinguished name of the certificate owner. ■ The -keySize parameter specifies the key size for the certificate. ■ To sign the request, export it with the export option. Refer to "orapki wallet export" on page E-13 To add trusted certificates, use the following command: orapki wallet add -wallet wallet_location -trusted_cert -cert certificate_location ■ The -trusted_cert parameter causes the tool to add the trusted certificate, at the location specified with -cert, to the wallet. To add root certificates, use the following command: orapki wallet add -wallet wallet_location -dn certificate_dn -keySize 512|1024|2048 -self_signed -validity number_of_days ■ ■ The -self_signed parameter causes the tool to create a root certificate. The -validity parameter is mandatory. Use it to specify the number of days, starting from the current date, that this root certificate will be valid. To add user certificates, use the following command: orapki wallet add -wallet wallet_location -user_cert -cert certificate_location ■ The -user_cert parameter causes the tool to add the user certificate at the location specified with the -cert parameter to the wallet. Before you add a user certificate to a wallet, you must add all the trusted certificates that make up the certificate E-12 Oracle Database Advanced Security Administrator's Guide orapki Utility Commands Summary chain. If all trusted certificates are not installed in the wallet before you add the user certificate, then adding the user certificate will fail. orapki wallet create The following sections describe this command. Purpose Use the orapki wallet create command to create an Oracle wallet or to set auto login on for an Oracle wallet. Syntax orapki wallet create -wallet wallet_location [-auto_login|-auto_login_local] ■ ■ The -wallet parameter specifies a location for the new wallet or the location of the wallet for which you want to turn on auto login. The -auto_login parameter creates an auto login wallet, or it turns on automatic login for the wallet specified with the -wallet option. "Using Auto Login" on page 14-14 for details about auto login wallets See Also: ■ The -auto_login_local parameter creates a local auto login wallet, or it turns on local automatic login for the wallet specified with the -wallet option. orapki wallet display The following sections describe this command. Purpose Use the orapki wallet display command to view the certificate requests, user certificates, and trusted certificates in an Oracle wallet. Syntax orapki wallet display -wallet wallet_location ■ The -wallet parameter specifies a location for the wallet you want to open if it is not located in the current working directory. orapki wallet export The following sections describe this command. Purpose Use the orapki wallet export command to export certificate requests and certificates from an Oracle wallet. Syntax To export a certificate from an Oracle wallet, use the following command: orapki wallet export -wallet wallet_location -dn certificate_dn -cert certificate_ filename orapki Utility E-13 orapki Utility Commands Summary ■ ■ ■ The -wallet parameter specifies the location of the wallet from which you want to export the certificate. The -dn parameter specifies the distinguished name of the certificate. The -cert parameter specifies the name of the file that contains the exported certificate. To export a certificate request from an Oracle wallet, use the following command: orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename ■ The -request parameter specifies the name of the file that contains the exported certificate request. E-14 Oracle Database Advanced Security Administrator's Guide F F Entrust-Enabled Secure Sockets Layer Authentication Entrust Authority (formerly known as Entrust/PKI) is a suite of PKI products provided by Entrust, Inc., that provides certificate generation, certificate revocation, and key and certificate management. Oracle Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle environment security. This appendix contains the following topics: ■ Benefits of Entrust-Enabled Oracle Advanced Security ■ Required System Components for Entrust-Enabled Oracle Advanced Security ■ Entrust Authentication Process ■ Enabling Entrust Authentication ■ Issues and Restrictions that Apply to Entrust-Enabled SSL ■ Troubleshooting Entrust In Oracle Advanced Security Benefits of Entrust-Enabled Oracle Advanced Security Entrust-enabled Oracle Advanced Security provides: ■ Enhanced X.509-Based Authentication and Single Sign-On ■ Integration with Entrust Authority Key Management ■ Integration with Entrust Authority Certificate Revocation Oracle Advanced Security has been certified as Entrust-Ready by Entrust, Inc., as of Release 8.1.7. Note: See Also: http://www.entrust.com for more information Enhanced X.509-Based Authentication and Single Sign-On Entrust-enabled Oracle Advanced Security supports the use of Entrust credentials for X.509-based authentication and single sign-on. Instead of using an Oracle wallet to hold user PKI credentials, Oracle Advanced Security can access PKI credentials that are created by Entrust Authority and held in an Entrust profile (a.epf file). Users who have deployed Entrust software within their enterprise are able to use it for authentication and single sign-on to Oracle Database. Entrust-Enabled Secure Sockets Layer Authentication F-1 Required System Components for Entrust-Enabled Oracle Advanced Security Integration with Entrust Authority Key Management Entrust-enabled Oracle Advanced Security uses the extensive key management and rollover functionality provided by Entrust Authority, which shields users from the complexity of a PKI deployment. For example, users are automatically notified when their certificates are expiring, and certificates are reissued according to preferences that administrators can configure. Integration with Entrust Authority Certificate Revocation Entrust provides a certificate authority component, which natively checks certificate revocation status and enables the revocation of certificates. Users using Entrust credentials for authentication to Oracle are assured that the revocation status of the certificate is checked, and connections are prevented if the certificate is revoked. Required System Components for Entrust-Enabled Oracle Advanced Security To implement Entrust-enabled Oracle Advanced Security, the following system components are required: ■ Entrust Authority for Oracle ■ Entrust Authority Server Login Feature ■ Entrust Authority IPSec Negotiator Toolkit In the following sections, the term client refers to a client connecting to an Oracle database, and the term server refers to the host on which the Oracle database resides. Note: Contact your Entrust representative to get these components. Oracle Advanced Security supports Entrust Authority Security Manager, Entrust Authority Server Login Feature, and Entrust Authority IPSec Negotiator Toolkit versions 6.0 and later. Note: Contact your Entrust representative for the latest product classification and naming details. Entrust Authority for Oracle Entrust Authority for Oracle requires a database for storing information about Entrust users and the infrastructure, and a Lightweight Directory Access Protocol (LDAP)-compliant directory for information such as user names, public certificates, and certificate revocation lists. Entrust Authority for Oracle comprises the following software components: ■ Entrust Authority Security Manager ■ Entrust Authority Self-Administration Server ■ Entrust Entelligence Desktop Manager F-2 Oracle Database Advanced Security Administrator's Guide Required System Components for Entrust-Enabled Oracle Advanced Security Entrust Authority Security Manager Entrust Authority Security Manager is the centerpiece of Entrust's PKI technology. It performs core certificate authority, certificate, and user management functions, such as creating users and user profiles containing the user's credentials. Oracle only supports the use of Entrust-enabled Oracle Advanced Security with versions of Entrust Authority Security Manager that run on Oracle Database. Note: Chapter 13, "Configuring Secure Sockets Layer Authentication", for information about certificate authorities. See Also: Entrust Authority Security Manager supports unattended login, also called Server Login, which eliminates the need for a Database Administrator (DBA) to repeatedly enter a password for the Entrust profile on the server. With unattended login, the DBA need only enter a password once to open the Entrust profile for the server to authenticate itself to multiple incoming connections. Entrust Authority Self-Administration Server Entrust Authority Self-Administration Server is the administrator's secure interface to Entrust Authority Security Manager. Entrust Entelligence Desktop Manager Entrust Entelligence Desktop Manager provides support for user key management and single sign-on functionality on both clients and server by enabling Oracle Database server process access to incoming SSL connections. Do not install Entrust Entelligence Desktop Manager on the server computer because it uses unattended login credentials files with.ual extensions. Note: Refer to "Configuring Entrust on the Server" on page F-6 for information about creating.ual files. Entrust Authority Server Login Feature Entrust Authority Server Login Feature is required for single sign-on functionality on servers operating on UNIX platforms. Entrust Authority Server Login Feature provides single sign-on by enabling Oracle Database server process access to incoming SSL connections. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust profile on the server for every incoming connection. Contact your Entrust representative to get Entrust Authority Server Login Feature. Entrust Authority IPSec Negotiator Toolkit The Entrust Authority IPSec Negotiator Toolkit is required on both clients and servers for integrating the Oracle Advanced Security SSL stack with Entrust Authority, enabling SSL authentication to use Entrust profiles. Contact your Entrust representative to get Entrust Authority IPSec Negotiator Toolkit. Entrust-Enabled Secure Sockets Layer Authentication F-3 Entrust Authentication Process Entrust Authentication Process Figure F–1 illustrates the following Entrust authentication process: 1. The Entrust user on the Oracle client establishes a secure connection with the server using SSL and Entrust credentials. 2. The Oracle SSL adapter on the server communicates with the Entrust Authority to check the certificate revocation status of the Entrust user. Figure F–1 does not include client and server profiles creation, which is presumed. Note: Figure F–1 Entrust Authentication Process Entrust Authority and Administration User's Entrust Profile (Entrust Entelligence) Server's Entrust Profile (unattended login) 2 Oracle Client 1 SSL Oracle Oracle Recovery Server Catalog "How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake" on page 13-3 See Also: Enabling Entrust Authentication This section describes the following tasks, which are required to configure Entrust-enabled Oracle Advanced Security SSL authentication: ■ ■ Creating Entrust Profiles Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL ■ Configuring SSL on the Client and Server for Entrust-Enabled SSL ■ Configuring Entrust on the Client ■ Configuring Entrust on the Server ■ Creating Entrust-Enabled Database Users ■ Logging Into the Database Using Entrust-Enabled SSL Creating Entrust Profiles This section describes how to create Entrust profiles, which can be created by either administrators or users. On UNIX platforms, administrators create the Entrust profiles for all clients. On Windows platforms, users can create their own Entrust profiles. Administrator-Created Entrust Profiles Administrators create Entrust profiles as follows: F-4 Oracle Database Advanced Security Administrator's Guide Enabling Entrust Authentication 1. The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. See Also: The Entrust administration documentation for information about creating Entrust Users 2. The administrator enters the user's name and password. 3. The Entrust Authority creates the profile, or.epf file. 4. The administrator securely sends all profile-related files to the user. The preset password can be changed by the user. User-Created Entrust Profiles Entrust users create their own Entrust profiles as follows: 1. The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. In the New User dialog box, the Create Profile option should be deselected. See also The Entrust administration documentation for information about creating Entrust profiles. 2. The user receives a secure e-mail notification from the administrator that contains a reference number, authorization code, and expiration date. 3. The user navigates to the Create Entrust Profiles screen in Entrust Entelligence Desktop Manager as follows: Start, Programs, Entrust, Entrust Profiles, Create Entrust Profiles 4. The user enters the reference number, authorization code, and expiration date provided in the e-mail notification, creating a profile, or.epf file, and the Entrust initialization file. Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL For Oracle Advanced Security 11g Release 2 (11.2), Entrust support installs in Typical mode. A single Oracle installation supports the use of both Oracle Wallets and Entrust profiles. See Also: Oracle Database operating system-specific installation documentation Configuring SSL on the Client and Server for Entrust-Enabled SSL Configure SSL on the client and server. Chapter 13, "Configuring Secure Sockets Layer Authentication", for information about configuring SSL on the client and server and skip the section that describes the Oracle wallet location. See Also: Configuring Entrust on the Client The steps for configuring Entrust on the client vary according to the type of platform: ■ Configuring Entrust on a UNIX Client ■ Configuring Entrust on a Windows Client Entrust-Enabled Secure Sockets Layer Authentication F-5 Enabling Entrust Authentication Configuring Entrust on a UNIX Client If the client resides on a non-Windows platform, perform the following steps: 1. Set the JAVA_HOME variable to the JDK or JRE location. For example: >setenv JAVA_HOME $ORACLE_HOME/JRE 2. Set WALLET_LOCATION in the sqlnet.ora file. For example: WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA = (PROFILE=profile_location) (INIFILE=initialization_file_location) ) ) Configuring Entrust on a Windows Client If the client resides on a Windows platform, ensure that the Entrust Entelligence Desktop Manager component is installed on the client and perform the following steps to set up the Entrust credentials. 1. Set the WALLET_LOCATION parameter in the sqlnet.ora file. For example: WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA= (INIFILE=initialization_file_location) ) ) where initialization_file_location is the path to the.ini file. 2. Select the Entrust icon on the system tray to open the Entrust_Login dialog box. 3. Log on to Entrust by entering the profile name and password. Configuring Entrust on the Server The steps for configuring Entrust on the server vary according to the type of platform: ■ Configuring Entrust on a UNIX Server ■ Configuring Entrust on a Windows Server Configuring Entrust on a UNIX Server If the server is a UNIX platform, ensure that the Entrust/Server Login Toolkit component is installed on the server and perform the following steps: "Required System Components for Entrust-Enabled Oracle Advanced Security" on page F-2 for information about downloading the Entrust Server Login toolkit. See Also: 1. Stop the Oracle database instance. F-6 Oracle Database Advanced Security Administrator's Guide Enabling Entrust Authentication 2. Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file: WALLET_LOCATION = (SOURCE = (METHOD = ENTR) (METHOD_DATA = (PROFILE = profile_location) (INIFILE = initialization_file_location) ) ) 3. Set the CLASSPATH environment variable to include the following paths: $ORACLE_HOME/JRE/lib/rt.jar $ORACLE_HOME/JRE/lib/i18n.jar $ORACLE_HOME/jlib/ewt*.jar $ORACLE_HOME/jlib/help*.jar $ORACLE_HOME/jlib/share*.jar $ORACLE_HOME/jlib/swingall*.jar $ORACLE_HOME/network/jlib/netentrust.jar 4. Enter the etbinder command to create unattended login credentials, or.ual files by using the following steps: a. Set the PATH environment variable to include the path to the etbinder command, which is located in the /bin directory where the Server Login Toolkit is installed. b. Set the LD_LIBRARY_PATH to include the path to the Entrust libraries. c. Set the SSL_ENTRUST_INI environment variable to include the full path to the Entrust initialization file. d. Enter the command as follows: etbinder e. When prompted to enter the location of the profile file, enter the full path name, including the name of the file. Then, when prompted, type in the password. A message displays indicating that the credentials file (filename.ual) has been created. Ensure that the listener has a TCPS listening endpoint, then start the listener. Note: 5. Start the Oracle database instance. Configuring Entrust on a Windows Server If the server is on a Windows platform, perform the following steps: "Required System Components for Entrust-Enabled Oracle Advanced Security" for information about downloading Entrust Entelligence Desktop Manager. See Also: 1. Stop the Oracle database instance. Entrust-Enabled Secure Sockets Layer Authentication F-7 Enabling Entrust Authentication 2. Set the WALLET_LOCATION parameter in the sqlnet.ora and listener.ora files to specify the paths to the server's profile and the Entrust initialization file: WALLET_LOCATION = (SOURCE = (METHOD = ENTR) (METHOD_DATA = (PROFILE = profile_location) (INIFILE = initialization_file_location) ) ) 3. Run the Entrust binder command to create unattended login credentials, which are files with a.ual extension. Ensure that the owner of the.ual file is the same as the owner of the Oracle service. To run the binder command Select Start, Programs, Entrust Toolkit, Server Login, Entrust Binder Enter the path to the profile, the password, and the path to the Entrust initialization file. A message informs you that you have successfully created a credential file. 4. Start the Oracle database instance. For all Windows environments, Oracle recommends that you do not install Entrust Entelligence Desktop Manager on the server computer. Note: Creating Entrust-Enabled Database Users Create global users in the database based on the distinguished name (DN) of each Entrust user. For example: SQL> create user jdoe identified globally as 'cn=jdoe,o=oracle,c=us'; where "cn=jdoe, o=oracle, c=us" is the Entrust distinguished name of the user. Logging Into the Database Using Entrust-Enabled SSL 1. Use SQL*Plus to connect to the Oracle instance as follows: sqlplus /@net_service_name where net_service_name is the service name of the Oracle instance. The Entrust_Login dialog box is displayed. 2. Enter the path to the profile and the password. 3. If you did not specify a value for the WALLET_LOCATION parameter, you are prompted to enter the path to the Entrust initialization file. Oracle recommends that the initialization file be specified in the WALLET_LOCATION parameter file. Note: F-8 Oracle Database Advanced Security Administrator's Guide Troubleshooting Entrust In Oracle Advanced Security Issues and Restrictions that Apply to Entrust-Enabled SSL An application must be specifically modified to work with Entrust. If a product is designated as Entrust-ready, then it has been integrated with Entrust by using an Entrust toolkit. For example, Oracle has modified its SSL libraries to access an Entrust profile instead of an Oracle wallet. In addition, the following restrictions apply: ■ ■ ■ ■ ■ The use of Entrust components for digital signatures in applications based on Oracle is not supported. The Entrust-enabled Oracle Advanced Security integration is only supported with versions of Entrust Authority Release 6.0 and later running on Oracle Database. The use of earlier releases of Entrust Authority with Entrust-enabled Oracle Advanced Security is not supported. Interoperability between Entrust and non-Entrust PKIs is not supported. Entrust has certified Oracle Internet Directory version 2.1.1 for Release 8.1.7 and subsequent releases. Troubleshooting Entrust In Oracle Advanced Security This section describes how to diagnose errors returned from Entrust to Oracle Advanced Security users. Entrust returns the following generic error message to Oracle Advanced Security users: Note: ORA-28890 "Entrust Login Failed" This troubleshooting section describes how to get more details about the underlying error, and how to diagnose the problem. Error Messages Returned When Running Entrust on Any Platform You may encounter the following error messages regardless of what platform you are running Entrust on. ORA-28890 Entrust Login Failed Cause: SQL*Plus login on an Entrust-enabled Oracle client errors out with this generic error message. This error can be caused by a number of problems, including the following causes: ■ Entrust /Authority is not online ■ Invalid Entrust profile password specified ■ Invalid path to the Entrust profile specified ■ Invalid Entrust initialization file specified ■ Entrust Server Login program has not executed on the server Action: To get more detail on the Entrust error, turn on tracing for SQL*Plus and the trace output should indicate the Entrust failure code. Enable tracing by specifying the following parameters in the sqlnet.ora file: On the client: Entrust-Enabled Secure Sockets Layer Authentication F-9 Troubleshooting Entrust In Oracle Advanced Security ■ TRACE_LEVEL_CLIENT=16 ■ TRACE_DIRECTORY_CLIENT=valid_client_directory_name ■ TRACE_FILE_CLIENT=client ■ TRACE_UNIQUE_CLIENT=ON On the server: ■ TRACE_LEVEL_SERVER=16 ■ TRACE_DIRECTORY_SERVER=valid_server_directory name ■ TRACE_FILE_SERVER=server ■ TRACE_UNIQUE_SERVER=ON Search for and locate the string IKMP in the generated trace file. Adjacent to this string, error messages are listed that provide details about the problem you are encountering. This detailed error code information is returned by the Entrust API. The following are examples of valid client directory names for setting the TRACE_DIRECTORY_CLIENT or TRACE_DIRECTORY_ SERVER parameters in the sqlnet.ora file: Note: ■ (UNIX) /tmp ■ (Windows) C:\TEMP ORA-28890 Entrust Login Failed (GUI does not display on the client) Cause: The WALLET_LOCATION parameter does not specify the Entrust initialization file location in the client side sqlnet.ora file. Action: Ensure that the location of the Entrust initialization file is specified in the WALLET_LOCATION parameter in the sqlnet.ora file on the client. See Also: ■ "Configuring Entrust on a UNIX Client" on page F-6 ■ "Configuring Entrust on a Windows Client" on page F-6 Error Messages Returned When Running Entrust on Windows Platforms You may encounter the following error messages if you are running Entrust on a Windows platform. The software authentication failed. (error code - 162). Cause: Due to a known FIPS mode incompatibility, Entrust logins may fail and return this error message. Action: Contact Entrust support to resolve this issue. Algorithm self-test failed. (error code - 176). Cause: Due to a known symbol conflict between Entrust and Oracle libraries, Entrust login may fail and return this error message. Action: Contact Entrust support to resolve this issue. TNS-12560: TNS protocol adapter error TNS-00558> Entrust Login Failed ORACLE SERVER (host_name) F-10 Oracle Database Advanced Security Administrator's Guide Troubleshooting Entrust In Oracle Advanced Security This error may occur in the listener.log file on the server when you attempt to log in to Entrust. Cause: If you configure the client by making the following recommended changes: ■ Remove the.ual file ■ De-install the Server Login ■ Specify the Entrust initialization file location in the SSL_ENTRUST_INI_FILE parameter in the client sqlnet.ora file then the server may not be able to authenticate the client when you enter the following command: sqlplus/@net_service_name Action: Perform the following tasks to enable tracing on the server: 1. Select Control Panel, then Services. 2. In the Services dialog box, double click OracleTNSListener and change the Log On As from the System Account to the account that is currently logged in. This enables the server process to read the.ual file. Click OK to make the change and you are returned to the Services dialog box. In the Services dialog box, make the same changes for OracleService. 3. Make the following changes to the listener.ora file: – Specify only TCPS as the PROTOCOL in the listener ADDRESS. For example, change all of the PROTOCOL definitions to TCPS as follows: listener_name= (DESCRIPTION= (ADDRESS=(PROTOCOL=TCPS) (KEY=extproc0)) (ADDRESS=(PROTOCOL=TCPS) (HOST=sales-pc) (PORT=1521))) Bringing up the listener only using TCPS will show whether there is a problem accessing the Entrust profile when you turn on tracing. – Set the SSL_CLIENT_AUTHENTICATION parameter to FALSE as follows: SSL_CLIENT_AUTHENTICATION=FALSE – Turn on tracing by setting the following parameters: TRACE_LEVEL_LISTENER=16 TRACE_DIRECTORY_LISTENER=C:\temp The trace file is created in the C:\temp directory. 4. Make the following changes to the sqlnet.ora file to turn on tracing: TRACE_LEVEL_SERVER=16 TRACE_DIRECTORY_SERVER=C:\temp The trace file is created in the C:\temp directory. 5. Ensure that Entrust Entelligence Desktop Manager is not installed on the server. Search for and locate the string fail or ntz* function calls. Adjacent to these, error messages are listed that provide details about the problem you are encountering. Entrust-Enabled Secure Sockets Layer Authentication F-11 Troubleshooting Entrust In Oracle Advanced Security General Checklist for Running Entrust on Any Platform The following items apply to all platforms: 1. Confirm that the Entrust Authority is online. 2. Confirm that the.ual file is generated. These files are created for unattended login credentials. Oracle recommends that you generate an unattended login credential file (.ual file) for the server only. If you generate a.ual file for the server only, then when users attempt to log in, they are presented a GUI that prompts them for their password and their Entrust profile name. After users supply this information, the connection request is forwarded to the Entrust server, which looks up the revocation file and the.ual file to determine the permissions for granting the request. Note: 3. Confirm that the Entrust initialization file contains the following entry in the first section that specifies the Entrust Settings: IdentityLibrary=location The full path to the location of the libidapi.so file should be specified in the IdentityLibrary parameter. This parameter setting enables generating a.ual file on the server. 4. Ensure that all Entrust toolkits, including the Entrust IPSEC Negotiator toolkit and the Server Login toolkit, are the same version so they are compatible. 5. Ensure that you have specified TCP/IP with SSL in the SQLNET.AUTHENTICATION_ SERVICES parameter in the sqlnet.ora file as shown in the following example: SQLNET.AUTHENTICATION_SERVICES=(tcps, authentication_type1, authentication_ type2) Checklist for Entrust Installations on Windows The following checklist items apply only to Entrust installations on the Windows platform. 1. Ensure that you are logged into Entrust Entelligence Desktop Manager and retry. 2. Select Windows, then Control Panel, and click Services to confirm that the Entrust Login Interface service has started and is running. 3. Confirm that the Entrust initialization file location is specified in the SSL_ENTRUST_ INI_FILE parameter of the sqlnet.ora file. However, if you select not to specify the location there, then the Entrust initialization file must reside in c:\WINNT. 4. Ensure that you are not running Entrust Entelligence Desktop Manager if your database is running on a Microsoft platform. If this is the case, then only the.ual file, which enables unattended login, is required. Step 4 of "Configuring Entrust on a Windows Server" on page F-7 for information about creating a.ual file with the Entrust binder command. See Also: 5. F-12 Confirm that Entrust Authority, as specified in the Entrust Initialization file, is accessible and running. Oracle Database Advanced Security Administrator's Guide Troubleshooting Entrust In Oracle Advanced Security 6. Confirm that the profile password is correctly entered. 7. If an Oracle database server fails to log in to Entrust, confirm that the unattended login credential file (.ual) is generated using a valid password. Also, confirm that the versions for Entrust Server Login toolkit and Entrust IPSEC Negotiator toolkit match (that is, that the IPSec Toolkit 6.0 works with Server Login Toolkit 6.0). 8. Ensure that the Entrust initialization file has the following entry in the first section, Entrust Settings: IdentityLibrary = location where location is the location of libidapi.so, including the file name. Entrust-Enabled Secure Sockets Layer Authentication F-13 Troubleshooting Entrust In Oracle Advanced Security F-14 Oracle Database Advanced Security Administrator's Guide Glossary actual data In Oracle Data Redaction, the data in a protected table or view. An example of actual data could be the number 123456789, and the redacted data version of this number could appear to the user, depending on the Data Redaction policy, as 999996789. access control The ability of a system to grant or limit access to specific data for specific clients or groups of clients. Access Control Lists (ACLs) The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both. Advanced Encryption Standard Advanced Encryption Standard (AES) is a new cryptographic algorithm that has been approved by the National Institute of Standards and Technology as a replacement for DES. The AES standard is available in Federal Information Processing Standards Publication 197. The AES algorithm is a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. AES See Advanced Encryption Standard attribute An item of information that describes some aspect of an entry in an LDAP directory. An entry comprises a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data. authentication The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender. authentication method A security method that verifies a user's, client's, or server's identity in distributed environments. Network authentication methods can also provide the benefit of single sign-on (SSO) for users. The following authentication methods are supported in Glossary-1 authorization Oracle Database when Oracle Advanced Security is installed: ■ Kerberos ■ RADIUS ■ Secure Sockets Layer (SSL) ■ Windows native authentication authorization Permission given to a user, program, or process to access an object or set of objects. In Oracle, authorization is done through the role mechanism. A single person or a group of people can be granted a role or a group of roles. A role, in turn, can be granted other roles. The set of privileges available to an authenticated entity. auto login wallet An Oracle Wallet Manager feature that enables PKI- or password-based access to services without providing credentials at the time of access. This auto login access stays in effect until the auto login feature is disabled for that wallet. File system permissions provide the necessary security for auto login wallets. When auto login is enabled for a wallet, it is only available to the operating system user who created that wallet. Sometimes these are called "SSO wallets" because they provide single sign-on capability. base The root of a subtree search in an LDAP-compliant directory. CA See certificate authority certificate An ITU x.509 v3 standard data structure that securely binds an identify to a public key. A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity. A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it. certificate authority A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department. certificate chain An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates. Glossary-2 confidentiality certificate request A certificate request, which consists of three parts: certification request information, a signature algorithm identifier, and a digital signature on the certification request information. The certification request information consists of the subject's distinguished name, public key, and an optional set of attributes. The attributes may provide additional information about the subject identity, such as postal address, or a challenge password by which the subject entity may later request certificate revocation. See PKCS #10 certificate revocation lists (CRLs) Signed data structures that contain a list of revoked certificates. The authenticity and integrity of the CRL is provided by a digital signature appended to it. Usually, the CRL signer is the same entity that signed the issued certificate. checksumming A mechanism that computes a value for a message packet, based on the data it contains, and passes it along with the data to authenticate that the data has not been tampered with. The recipient of the data recomputes the cryptographic checksum and compares it with the cryptographic checksum passed with the data; if they match, it is "probabilistic" proof the data was not tampered with during transmission. Cipher Block Chaining (CBC) An encryption method that protects against block replay attacks by making the encryption of a cipher block dependent on all blocks that precede it; it is designed to make unauthorized decryption incrementally more difficult. Oracle Advanced Security employs outer cipher block chaining because it is more secure than inner cipher block chaining, with no material performance penalty. cipher suite A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth. cipher suite name Cipher suites describe the kind of cryptographics protection that is used by connections in a particular session. ciphertext Message text that has been encrypted. cleartext Unencrypted plain text. client A client relies on a service. A client can sometimes be a user, sometimes a process acting on behalf of the user during a database link (sometimes called a proxy). confidentiality A function of cryptography. Confidentiality guarantees that only the intended recipient(s) of a message can view the message (decrypt the ciphertext). Glossary-3 connect descriptor connect descriptor A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information. The destination service is indicated by using its service name for Oracle9i or Oracle8i databases or its Oracle system identifier (SID) for Oracle databases version 8.0. The network route provides, at a minimum, the location of the listener through use of a network address. See connect identifier connect identifier A name, net service name, or service name that resolves to a connect descriptor. Users initiate a connect request by passing a user name and password along with a connect identifier in a connect string for the service to which they want to connect. For example: CONNECT username@connect_identifier Enter password: password connect string Information the user passes to a service to connect, such as user name, password and net service name. For example: CONNECT username@net_service_name Enter password: password credentials A user name, password, or certificate used to gain access to the database. CRL See certificate revocation lists CRL Distribution Point (CRL DP) An optional extension specified by the X.509 version 3 certificate standard, which indicates the location of the Partitioned CRL where revocation information for a certificate is stored. Typically, the value in this extension is in the form of a URL. CRL DPs allow revocation information within a single certificate authority domain to be posted in multiple CRLs. CRL DPs subdivide revocation information into more manageable pieces to avoid proliferating voluminous CRLs, thereby providing performance benefits. For example, a CRL DP is specified in the certificate and can point to a file on a Web server from which that certificate's revocation information can be downloaded. CRL DP See CRL Distribution Point cryptography The practice of encoding and decoding data, resulting in secure messages. data dictionary A set of read-only tables that provide information about a database. data redaction The ability to mask data with different values. Oracle Data Redaction enables you to mask data in real time, that is, at the moment a user tries to access the data. You can Glossary-4 decryption mask all the data, a partial subset of the data, or display random values in place of the data. See also redaction. Data Encryption Standard (DES) An older Federal Information Processing Standards encryption algorithm superseded by the Advanced Encryption Standard (AES). Database Administrator (1) A person responsible for operating and maintaining an Oracle Server or a database application. (2) An Oracle user name that has been given DBA privileges and can perform database administration functions. Usually the two meanings coincide. Many sites have multiple DBAs. database alias See net service name Database Installation Administrator Also called a database creator. This administrator is in charge of creating new databases. This includes registering each database in the directory using the Database Configuration Assistant. This administrator has create and modify access to database service objects and attributes. This administrator can also modify the Default domain. database link A network object stored in the local database or in the network definition that identifies a remote database, a communication path to that database, and optionally, a user name and password. Once defined, the database link is used to access the remote database. A public or private database link from one database to another is created on the local database by a DBA or user. A global database link is created automatically from each database to every other database in a network with Oracle Names. Global database links are stored in the network definition. database password verifier A database password verifier is an irreversible value that is derived from the user's database password. This value is used during password authentication to the database to prove the identity of the connecting user. Database Security Administrator The highest level administrator for database enterprise user security. This administrator has permissions on all of the enterprise domains and is responsible for: ■ Administering the Oracle DBSecurityAdmins and OracleDBCreators groups. Creating new enterprise domains. ■ Moving databases from one domain to another within the enterprise. decryption The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext). Glossary-5 DES DES See Data Encryption Standard (DES) dictionary attack A common attack on passwords. The attacker creates a list of many common passwords and encrypts them. Then the attacker steals a file containing encrypted passwords and compares it to his list of encrypted common passwords. If any of the encrypted password values (called verifiers) match, then the attacker can steal the corresponding password. Dictionary attacks can be avoided by using salt on the password before encryption. Diffie-Hellman key negotiation algorithm This is a method that lets two parties communicating over an insecure channel to agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to generate session keys. digital signature A digital signature is created when a public key algorithm is used to sign the sender's message with the sender's private key. The digital signature assures that the document is authentic, has not been forged by another entity, has not been altered, and cannot be repudiated by the sender. directory information tree (DIT) A hierarchical tree-like structure consisting of the DNs of the entries in an LDAP directory. See distinguished name (DN) directory naming A naming method that resolves a database service, net service name, or net service alias to a connect descriptor stored in a central directory server. A directory naming context A subtree which is of significance within a directory server. It is usually the top of some organizational subtree. Some directories only permit one such context which is fixed; others permit none to many to be configured by the directory administrator. distinguished name (DN) The unique name of a directory entry. It is comprised of all of the individual names of the parent entries back to the root entry of the directory information tree. See directory information tree (DIT) domain Any tree or subtree within the Domain Name System (DNS) namespace. Domain most commonly refers to a group of computers whose host names share a common suffix, the domain name. Domain Name System (DNS) A system for naming computers and network services that is organized into a hierarchy of domains. DNS is used in TCP/IP networks to locate computers through Glossary-6 FIPS user-friendly names. DNS resolves a friendly name into an IP address, which is understood by computers. In Oracle Net Services, DNS translates the host name in a TCP/IP address into an IP address. encrypted text Text that has been encrypted, using an encryption algorithm; the output stream of an encryption process. The text is not readable or decipherable, without first being subject to decryption. Also called ciphertext. Encrypted text ultimately originates as plaintext. encryption The process of disguising a message rendering it unreadable to any except for the intended recipient. enterprise domain A directory construct that consists of a group of databases and enterprise roles. A database should only exist in one enterprise domain at any time. Enterprise domains are different from Windows 2000 domains, which are collections of computers that share a common directory database. Enterprise Domain Administrator User authorized to manage a specific enterprise domain, including the authority to add new enterprise domain administrators. enterprise role Access privileges assigned to enterprise users. A set of Oracle role-based authorizations across one or more databases in an enterprise domain. Enterprise roles are stored in the directory and contain one or more global roles. enterprise user A user defined and managed in a directory. Each enterprise user has a unique identify across an enterprise. entry The building block of a directory, it contains information about an object of interest to directory users. external authentication Verification of a user identity by a third party authentication service, such as Kerberos or RADIUS. Federal Information Processing Standard (FIPS) A U.S. government standard that defines security requirements for cryptographic modules—employed within a security system protecting unclassified information within computer and telecommunication systems. Published by the National Institute of Standards and Technology (NIST). FIPS See Federal Information Processing Standard (FIPS) Glossary-7 forest forest A group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships. forwardable ticket-granting ticket In Kerberos. A service ticket with the FORWARDABLE flag set. This flag enables authentication forwarding without requiring the user to enter a password again. global role A role managed in a directory, but its privileges are contained within a single database. A global role is created in a database by using the following syntax: CREATE ROLE role_name IDENTIFIED GLOBALLY; grid computing A computing architecture that coordinates large numbers of servers and storage to act as a single large computer. Oracle Grid Computing creates a flexible, on-demand computing resource for all enterprise computing needs. Applications running on the Oracle 10g grid computing infrastructure can take advantage of common infrastructure services for failover, software provisioning, and management. Oracle Grid Computing analyzes demand for resources and adjusts supply accordingly. HTTP Hypertext Transfer Protocol: The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol. HTTPS The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer. identity The combination of the public key and any other public information for an entity. The public information may include user identification data such as, for example, an e-mail address. A user certified as being the entity it claims to be. identity management The creation, management, and use of online, or digital, entities. Identity management involves securely managing the full life cycle of a digital identity from creation (provisioning of digital identities) to maintenance (enforcing organizational policies regarding access to electronic resources), and, finally, to termination. identity management realm A subtree in Oracle Internet Directory, including not only an Oracle Context, but also additional subtrees for users and groups, each of which are protected with access control lists. inference A query that is designed to find data by repeatedly trying queries. For example, to find the users who earn the highest salaries, an intruder could use the following query: SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE SALARY > 16000 ORDER Glossary-8 KDC BY SALARY DESC; FIRST_NAME -------------------Steven Neena Lex LAST_NAME SALARY ------------------------- ---------King 24000 Kochhar 17000 De Haan 17000 initial ticket In Kerberos authentication, an initial ticket or ticket granting ticket (TGT) identifies the user as having the right to ask for additional service tickets. No tickets can be obtained without an initial ticket. An initial ticket is retrieved by running the okinit program and providing a password. instance Every running Oracle database is associated with an Oracle instance. When a database is started on a database server (regardless of the type of computer), Oracle allocates a memory area called the System Global Area (SGA) and starts an Oracle process. This combination of the SGA and an Oracle process is called an instance. The memory and the process of an instance manage the associated database's data efficiently and serve the one or more users of the database. integrity The guarantee that the contents of the message received were not altered from the contents of the original message sent. java code obfuscation Java code obfuscation is used to protect Java programs from reverse engineering. A special program (an obfuscator) is used to scramble Java symbols found in the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, the obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls. Java Database Connectivity (JDBC) An industry-standard Java interface for connecting to a relational database from a Java program, defined by Sun Microsystems. JDBC See Java Database Connectivity (JDBC) KDC Key Distribution Center. In Kerberos authentication, the KDC maintains a list of user principals and is contacted through the kinit (okinit is the Oracle version) program for the user's initial ticket. Frequently, the KDC and the Ticket Granting Service are combined into the same entity and are simply referred to as the KDC. The Ticket Granting Service maintains a list of service principals and is contacted when a user wants to authenticate to a server providing such a service. The KDC is a trusted third party that must run on a secure host. It creates ticket-granting tickets and service tickets. Glossary-9 Kerberos Kerberos A network authentication service developed under Massachusetts Institute of Technology's Project Athena that strengthens security in distributed environments. Kerberos is a trusted third-party authentication system that relies on shared secrets and assumes that the third party is secure. It provides single sign-on capabilities and database link authentication (MIT Kerberos only) for users, provides centralized password storage, and enhances PC security. key When encrypting data, a key is a value which determines the ciphertext that a given algorithm will produce from given plaintext. When decrypting data, a key is a value required to correctly decrypt a ciphertext. A ciphertext is decrypted correctly only if the correct key is supplied. With a symmetric encryption algorithm, the same key is used for both encryption and decryption of the same data. With an asymmetric encryption algorithm (also called a public-key encryption algorithm or public-key cryptosystem), different keys are used for encryption and decryption of the same data. key pair A public key and its associated private key. See public and private key pair keytab file A Kerberos key table file containing one or more service keys. Hosts or services use keytab files in the same way as users use their passwords. kinstance An instantiation or location of a Kerberos authenticated service. This is an arbitrary string, but the host Computer name for a service is typically specified. kservice An arbitrary name of a Kerberos service object. LDAP See Lightweight Directory Access Protocol (LDAP) ldap.ora file A file created by Oracle Net Configuration Assistant that contains the following directory server access information: ■ Type of directory server ■ Location of the directory server ■ Default identity management realm or Oracle Context (including ports) that the client or server will use Lightweight Directory Access Protocol (LDAP) A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory. Glossary-10 net service alias listener A process that resides on the server whose responsibility is to listen for incoming client connection requests and manage the traffic to the server. Every time a client requests a network session with a server, a listener receives the actual request. If the client information matches the listener information, then the listener grants a connection to the server. listener.ora file A configuration file for the listener that identifies the: ■ Listener name ■ Protocol addresses that it is accepting connection requests on ■ Services it is listening for The listener.ora file typically resides in $ORACLE_HOME/network/admin on UNIX platforms and ORACLE_BASE\ORACLE_HOME\network\admin on Windows. man-in-the-middle A security attack characterized by the third-party, surreptitious interception of a message, wherein the third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and re-transmits it to the originally-intended recipient—all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication. message authentication code Also known as data authentication code (DAC). A checksumming with the addition of a secret key. Only someone with the key can verify the cryptographic checksum. message digest See checksumming naming method The resolution method used by a client application to resolve a connect identifier to a connect descriptor when attempting to connect to a database service. National Institute of Standards and Technology (NIST) An agency within the U.S. Department of Commerce responsible for the development of security standards related to the design, acquisition, and implementation of cryptographic-based security systems within computer and telecommunication systems, operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf of the Federal Government to accomplish a Federal function. net service alias An alternative name for a directory naming object in a directory server. A directory server stores net service aliases for any defined net service name or database service. A net service alias entry does not have connect descriptor information. Instead, it only references the location of the object for which it is an alias. When a client requests a directory lookup of a net service alias, the directory determines that the entry is a net service alias and completes the lookup as if it was actually the entry it is referencing. Glossary-11 net service name net service name A simple name for a service that resolves to a connect descriptor. Users initiate a connect request by passing a user name and password along with a net service name in a connect string for the service to which they want to connect: CONNECT username@net_service_name Enter password: password Depending on your needs, net service names can be stored in a variety of places, including: ■ Local configuration file, tnsnames.ora, on each client ■ Directory server ■ External naming service, such as NIS network authentication service A means for authenticating clients to servers, servers to servers, and users to both clients and servers in distributed environments. A network authentication service is a repository for storing information about users and the services on different servers to which they have access, as well as information about clients and servers on the network. An authentication server can be a physically separate computer, or it can be a facility co-located on another server within the system. To ensure availability, some authentication services may be replicated to avoid a single point of failure. network listener A listener on a server that listens for connection requests for one or more databases on one or more protocols. See listener NIST See National Institute of Standards and Technology (NIST) non-repudiation Incontestable proof of the origin, delivery, submission, or transmission of a message. obfuscation A process by which information is scrambled into a non-readable form, such that it is extremely difficult to de-scramble if the algorithm used for scrambling is not known. obfuscator A special program used to obfuscate Java source code. See obfuscation object class A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes. All objects associated with the same object class share the same attributes. Oracle Context 1. An entry in an LDAP-compliant internet directory called cn=OracleContext, under which all Oracle software relevant information is kept, including entries for Oracle Net Services directory naming and checksumming security. There can be one or more Oracle Contexts in a directory. An Oracle Context is usually located in an identity management realm. Glossary-12 PKCS #11 Oracle Data Redaction A set of features that enables you to mask data in realtime, using either full masking, partial masking, random masking, or no masking. See also actual data, redacted data, and redaction. Oracle Net Services An Oracle product that enables two or more computers that run the Oracle server or Oracle tools such as Designer/2000 to exchange data through a third-party network. Oracle Net Services support distributed processing and distributed database capability. Oracle Net Services is an open system because it is independent of the communication protocol, and users can interface Oracle Net to many network environments. Oracle PKI certificate usages Defines Oracle application types that a certificate supports. Password-Accessible Domains List A group of enterprise domains configured to accept connections from password-authenticated users. PCMCIA cards Small credit card-sized computing devices that comply with the Personal Computer Memory Card International Association (PCMCIA) standard. These devices, also called PC cards, are used for adding memory, modems, or as hardware security modules. PCMCIA cards that are used as hardware security modules securely store the private key component of a public and private key pair and some also perform the cryptographic operations as well. peer identity SSL connect sessions are between a particular client and a particular server. The identity of the peer may have been established as part of session setup. Peers are identified by X.509 certificate chains. PEM The Internet Privacy-Enhanced Mail protocols standard, adopted by the Internet Architecture Board to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management. PEM is an inclusive standard, intended to be compatible with a wide range of key-management approaches, including both symmetric and public-key schemes to encrypt data-encrypting keys. The specifications for PEM come from four Internet Engineering Task Force (IETF) documents: RFCs 1421, 1422, 1423, and 1424. PKCS #10 An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification. Certification requests are referred to as certificate requests in this manual. See certificate request PKCS #11 An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that defines an application programming interface (API), called Cryptoki, to devices which hold cryptographic information and perform cryptographic operations. See PCMCIA Glossary-13 PKCS #12 cards PKCS #12 An RSA Security, Inc., Public-Key Cryptography Standards (PKCS) specification that describes a transfer syntax for storing and transferring personal authentication credentials—typically in a format called a wallet. PKI See public key infrastructure (PKI) plaintext Message text that has not been encrypted. principal A string that uniquely identifies a client or server to which a set of Kerberos credentials is assigned. It generally has three parts: kservice/kinstance@REALM. In the case of a user, kservice is the user name. See also kservice, kinstance, and realm. private key In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures. See public and private key pair. proxy authentication A process typically employed in an environment with a middle tier such as a firewall, wherein the end user authenticates to the middle tier, which thence authenticates to the directory on the user's behalf—as its proxy. The middle tier logs into the directory as a proxy user. A proxy user can switch identities and, once logged into the directory, switch to the end user's identity. It can perform operations on the end user's behalf, using the authorization appropriate to that particular end user. public key One of two keys that are used in public key cryptography, the other key being the private key. In typical public key cryptography usage, the public key is used to encrypt data or verify digital signatures. The the private key is used to decrypt data or generate digital signatures. The public key, unlike the private key, can be made available to anyone whereas the private key must remain secret. See public and private key pair. public key encryption The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key. public key infrastructure (PKI) Information security technology utilizing the principles of public key cryptography. Public key cryptography involves encrypting and decrypting information using a shared public and private key pair. Provides for secure, private communications within a public network. Glossary-14 salt public and private key pair A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data enwrapped with a private key cannot be decrypted with the same private key. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. redacted data In an Oracle Data Redaction policy, masked data that is displayed to the querying user. For example, if the actual data is 3714-4963-5398-431, then the redacted data could appear, depending on the Data Redaction policy, as XXXX-XXXX-XXXX-431. redaction In an Oracle Data Redaction policy, the action the server performs on the actual data, in order to present redacted data to the querying user. See also redaction. realm 1. Short for identity management realm. 2. A Kerberos object. A set of clients and servers operating under a single key distribution center/ticket-granting service (KDC/TGS). Services (see kservice) in different realms that share the same name are unique. realm Oracle Context An Oracle Context that is part of an identity management realm in Oracle Internet Directory. registry A Windows repository that stores configuration information for a computer. remote computer A computer on a network other than the local computer. root key certificate See trusted certificate salt 1. In cryptography, generally speaking, "salt" is a way to strengthen the security of encrypted data. Salt is a random string that is added to the data before it is encrypted. Then, it is more difficult for attackers to steal the data by matching patterns of ciphertext to known ciphertext samples. 2. Salt is also used to avoid dictionary attacks, a method that unethical hackers (attackers) use to steal passwords. It is added to passwords before the passwords are encrypted. Then it is difficult for attackers to Glossary-15 schema match the hash value of encrypted passwords (sometimes called verifiers) with their dictionary lists of common password hash values. See dictionary attack schema 1. Database schema: A named collection of objects, such as tables, views, clusters, procedures, packages, attributes, object classes, and their corresponding matching rules, which are associated with a particular user. 2. LDAP directory schema: The collection of attributes, object classes, and their corresponding matching rules. schema mapping See user-schema mapping Secure Hash Algorithm (SHA) An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible. An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than the previously supported MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks. Secure Sockets Layer (SSL) An industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using public key infrastructure (PKI). The Transport Layer Security (TLS) protocol is the successor to the SSL protocol. server A provider of a service. service 1. A network resource used by clients; for example, an Oracle database server. 2. An executable process installed in the Windows registry and administered by Windows. Once a service is created and started, it can run even when no user is logged on to the computer. service name For Kerberos-based authentication, the kservice portion of a service principal. service principal See principal service key table In Kerberos authentication, a service key table is a list of service principals that exist on a kinstance. This information must be extracted from Kerberos and copied to the Oracle server computer before Kerberos can be used by Oracle. service ticket A service ticket is trusted information used to authenticate the client, to a specific service or server, for a predetermined period of time. It is obtained from the KDC Glossary-16 smart card using the initial ticket. session key A key shared by at least two parties (usually a client and a server) that is used for data encryption for the duration of a single communication session. Session keys are typically used to encrypt network traffic; a client and a server can negotiate a session key at the beginning of a session, and that key is used to encrypt all network traffic between the parties for that session. If the client and server communicate again in a new session, they negotiate a new session key. session layer A network layer that provides the services needed by the presentation layer entities that enable them to organize and synchronize their dialogue and manage their data exchange. This layer establishes, manages, and terminates network sessions between the client and server. An example of a session layer is Network Session. SHA See Secure Hash Algorithm (SHA) shared schema A database or application schema that can be used by multiple enterprise users. Oracle Advanced Security supports the mapping of multiple enterprise users to the same shared schema on a database, which lets an administrator avoid creating an account for each user in every database. Instead, the administrator can create a user in one location, the enterprise directory, and map the user to a shared schema that other enterprise users can also map to. Sometimes called user/schema separation. single key-pair wallet A PKCS #12-format wallet that contains a single user certificate and its associated private key. The public key is imbedded in the certificate. single password authentication The ability of a user to authenticate with multiple databases by using a single password. In the Oracle Advanced Security implementation, the password is stored in an LDAP-compliant directory and protected with encryption and Access Control Lists. single sign-on (SSO) The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication. Oracle Advanced Security supports Kerberos and SSL-based single sign-on. smart card A plastic card (like a credit card) with an embedded integrated circuit for storing information, including such information as user names and passwords, and also for performing computations associated with authentication exchanges. A smart card is read by a hardware device at any client or server. A smartcard can generate random numbers which can be used as one-time use passwords. In this case, smartcards are synchronized with a service on the server so that the server expects the same password generated by the smart card. Glossary-17 sniffer sniffer Device used to surreptitiously listen to or capture private data traffic from a network. sqlnet.ora file A configuration file for the client or server that specifies: ■ Client domain to append to unqualified service names or net service names ■ Order of naming methods the client should use when resolving a name ■ Logging and tracing features to use ■ Route of connections ■ Preferred Oracle Names servers ■ External naming parameters ■ Oracle Advanced Security parameters The sqlnet.ora file typically resides in $ORACLE_HOME/network/admin on UNIX platforms and in ORACLE_BASE\ORACLE_HOME\network\admin on Windows platforms. SSO See single sign-on (SSO) System Global Area (SGA) A group of shared memory structures that contain data and control information for an Oracle instance. system identifier (SID) A unique name for an Oracle instance. To switch between Oracle databases, users must specify the desired SID. The SID is included in the CONNECT DATA parts of the connect descriptor in a tnsnames.ora file, and in the definition of the network listener in a listener.ora file. ticket A piece of information that helps identify who the owner is. See initial ticket and service ticket. tnsnames.ora A file that contains connect descriptors; each connect descriptor is mapped to a net service name. The file may be maintained centrally or locally, for use by all or individual clients. This file typically resides in the following locations depending on your platform: ■ (UNIX) ORACLE_HOME/network/admin ■ (Windows) ORACLE_BASE\ORACLE_HOME\network\admin token card A device for providing improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user types into the token card. The token card then provides another number (cryptographically-derived from the challenge), which the user then offers to the server. Glossary-18 wallet obfuscation transport layer A networking layer that maintains end-to-end reliability through data flow control and error recovery methods. Oracle Net Services uses Oracle protocol supports for the transport layer. Transport Layer Security (TLS) An industry standard protocol for securing network connections. The TLS protocol is a successor to the SSL protocol. It provides authentication, encryption, and data integrity using public key infrastructure (PKI). The TLS protocol is developed by the Internet Engineering Task Force (IETF). trusted certificate A trusted certificate, sometimes called a root key certificate, is a third party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all its higher level certificates reverified. trusted certificate authority See certificate authority trust point See trusted certificate user name A name that can connect to and access objects in a database. user-schema mapping An LDAP directory entry that contains a pair of values: the base in the directory at which users exist, and the name of the database schema to which they are mapped. The users referenced in the mapping are connected to the specified schema when they connect to the database. User-schema mapping entries can apply only to one database or they can apply to all databases in a domain. See shared schema user/schema separation See shared schema user search base The node in the LDAP directory under which the user resides. views Selective presentations of one or more tables (or other views), showing both their structure and their data. wallet A wallet is a data structure used to store and manage security credentials for an individual entity. A Wallet Resource Locator (WRL) provides all the necessary information to locate the wallet. wallet obfuscation Wallet obfuscation is used to store and access an Oracle wallet without querying the user for a password before access (supports single sign-on (SSO)). Glossary-19 Wallet Resource Locator Wallet Resource Locator A wallet resource locator (WRL) provides all of the necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet. Windows native authentication An authentication method that enables a client single login access to a Windows server and a database running on that server. WRL See Wallet Resource Locator X.509 An industry-standard specification for digital certificates. Glossary-20 Index A accounting, RADIUS, 11-14 activating checksumming and encryption, 9-3 ad hoc tools Oracle Data Redaction, 3-3 adapters, 1-10 administrative access to policies, restricting, 7-2 aggregate functions affect on Data Redaction policy optimization, 6-2 ALTER SYSTEM SET command closing encryption wallets, 8-23 opening encryption wallets, 8-7, 8-23, 8-35 opening HSM wallets, 8-22 setting master encryption key, 8-6, 8-21, 8-35 anonymous, 13-11 APEX_UTIL.GET_NUMERIC_SESSION_STATE function Oracle Data Redaction policies (NV public function), 5-6 APEX_UTIL.GET_SESSION_STATE function Oracle Data Redaction policies (V public function), 5-6 applications database applications and Oracle Data Redaction, 3-2 asynchronous authentication mode in RADIUS, 11-4 authentication, 1-10 configuring multiple methods, 15-2 methods, 1-8 modes in RADIUS, 11-2 auto login wallets and Transparent Data Encryption (TDE), 8-5, 8-7 B benefits of Oracle Advanced Security, 1-3 BFILE, 8-15 browser certificates, using with Oracle Wallet Manager, 14-19 C certificate, 13-5 browser, using with Oracle Wallet Manager, 14-19 certificate authority, 13-4 certificate revocation lists, 13-5 manipulating with orapki tool, 13-29 uploading to LDAP directory, 13-29 where to store them, 13-25 certificate revocation status checking disabling on server, 13-26, 13-28 certificate validation error message CRL could not be found, 13-33 CRL date verification failed with RSA status, 13-33 CRL signature verification failed with RSA status, 13-32 Fetch CRL from CRL DP No CRLs found, 13-33 OID hostname or port number not set, 13-33 challenge-response authentication in RADIUS, 11-4 change data capture, synchronous, 8-15 cipher block chaining mode, 1-5 cipher suites procedure for specifying for server, 13-11 Secure Sockets Layer (SSL), B-6 client authentication in SSL, 13-13 compression of Transparent Data Encryption data, 8-31 configuration files Kerberos, B-1 configuring Entrust-enabled Secure Sockets Layer (SSL) on the client, F-5 Kerberos authentication service parameters, 12-4 Oracle server with Kerberos, 12-2 RADIUS authentication, 11-7 SSL, 13-8 on the client, 13-14 on the server, 13-9 thin JDBC support, 10-1 connecting with username and password, 15-1 CRL, 13-5 CRLAdmins directory administrative group, E-11 CRLs disabling on server, 13-26, 13-28 where to store them, 13-25 cryptographic hardware devices, 13-6 Index-1 D F data deduplication of Transparent Data Encryption data, 8-31 Data Encryption Standard (DES) Triple-DES encryption algorithm, 1-4, 9-2 data integrity, 1-5 data redaction See Oracle Data Redaction database links RADIUS not supported, 11-2 database roles Data Redaction policies, 5-6 DDL statements Oracle Data Redaction policies, 6-1 Diffie-Hellman, 13-11 Diffie-Hellman key negotiation algorithm, 9-2 DML statements Oracle Data Redaction policies, 6-1 Federal Information Processing Standard (FIPS), 1-5, D-3 sqlnet.ora parameters, D-3 FIPS 140-2 Level 2 certification, D-1 FIPS Parameter Configuring, D-2 FIPS. See Federal Information Processing Standard (FIPS) E encryption and checksumming activating, 9-3 negotiating, 9-4 parameter settings, 9-6 ENCRYPTION_WALLET_LOCATION parameter, 8-5, 8-16, 8-19, 8-24, 8-35 Entrust Authority creating database users, F-8 Entrust Authority for Oracle, F-2 Entrust Authority Software authentication, F-4 certificate revocation, F-2 components, F-2, F-3 configuring client, F-5 server, F-6 Entelligence, F-3 etbinder command, F-7 issues and restrictions, F-9 key management, F-2 profiles, F-4 administrator-created, F-4 user-created, F-5 Self-Administration Server, F-3 versions supported, F-2 Entrust, Inc., F-1 Entrust-enabled SSL troubleshooting, F-9 Entrust/PKI Software, 1-9 error messages ORA-12650, 9-3, 9-4, 9-5, A-5, A-6 ORA-28890, F-9 etbinder command, F-7 EXEMPT REDACTION POLICY privilege using with Database Vault, 7-2 external large objects (BFILE), 8-15 Index-2 G grid computing benefits, 1-1 defined, 1-1 guidelines ad hoc query attacks and Data Redaction, 7-1 application context value handling by Data Redaction policies, 7-1 day-to-day operations and Data Redaction, 7-1 DDL statements and Data Redaction policies, 7-1 exhaustive SQL queries and inference and Data Redaction, 7-1 materialized views and Data Redaction, 7-3 recycle bin and Data Redaction, 7-3 SYS_CONTEXT values and Data Redaction, 7-2 H handshake SSL, 13-3 HSMs (hardware security modules) PKCS#11 library, 8-20 sqlnet.ora file, 8-19 user_Id:password string, 8-21 I import/export utilities, original, 8-15 index range scans, 8-4 initialization parameter file parameters for clients and servers using Kerberos, B-1 parameters for clients and servers using RADIUS, B-1 parameters for clients and servers using SSL, B-5 inline views Data Redaction policies order of redaction, 6-2 Data Redaction redaction, 6-2 Internet Explorer certificates using with Oracle Wallet Manager, 14-19 intruders ad hoc query attacks, 7-1 J Java Byte Code Obfuscation, 10-3 Java Database Connectivity (JDBC) configuration parameters, 10-3 Oracle extensions, 10-1 thin driver features, 10-2 Java Database connectivity (JDBC) implementation of Oracle Advanced Security, 10-1 JDBC. See Java Database Connectivity K Kerberos, 1-8 authentication adapter utilities, 12-8 configuring authentication, 12-1, 12-4 fallback behavior, setting, 12-13 kinstance, 12-2 kservice, 12-2 realm, 12-2 SQLNET.FALLBACK_AUTHENTICATION parameter, 12-13 sqlnet.ora file sample, A-2 system requirements, 1-11 kinstance (Kerberos), 12-2 kservice (Kerberos), 12-2 L LAN environments vulnerabilities of, 1-2 large objects BFILE, 8-15 BLOB, 8-15 CLOB, 8-15 external, 8-15 LOB, 8-15 ldap.ora which directory SSL port to use for no authentication, 13-30 listener endpoint SSL configuration, 13-14 M managing roles with RADIUS server, 11-16 masking See Oracle Data Redaction materialized views Data Redaction guideline, 7-3 Microsoft Internet Explorer certificates using with Oracle Wallet Manager, 14-19 N nCipher hardware security module using Oracle Net tracing to troubleshoot, 13-37 nested functions Data Redaction policies order of redaction, 6-2 Netscape certificates using with Oracle Wallet Manager, 14-18 Netscape Communications Corporation, 13-1 NOMAC parameter (TDE), 8-10 NV public function (APEX_UTIL.GET_NUMERIC_ SESSION_STATE function), Data Redaction policies, 5-6 O obfuscation, 10-3 okdstry Kerberos adapter utility, 12-8 okinit Kerberos adapter utility, 12-8 oklist Kerberos adapter utility, 12-8 ORA-00979 not a GROUP BY expression error, 7-1 ORA-12650 error message, A-5 ORA-28081 Insufficient privileges - the command references a redacted object error, 6-1 ORA-28330, 8-38 ORA-28331, 8-38 ORA-28332, 8-38 ORA-28333, 8-38 ORA-28334, 8-38 ORA-28335, 8-38 ORA-28336, 8-38 ORA-28337, 8-38 ORA-28338, 8-38 ORA-28339, 8-38 ORA-28340, 8-39 ORA-28341, 8-39 ORA-28342, 8-39 ORA-28343, 8-39 ORA-28344, 8-39 ORA-28345, 8-39 ORA-28346, 8-39 ORA-28347, 8-39 ORA-28348, 8-39 ORA-28349, 8-39 ORA-28350, 8-40 ORA-28351, 8-40 ORA-28353, 8-40 ORA-28354, 8-40 ORA-28356, 8-40 ORA-28357, 8-40 ORA-28358, 8-40 ORA-28359, 8-40 ORA-28361, 8-40 ORA-28362, 8-40 ORA-28363, 8-41 ORA-28364, 8-41 ORA-28365, 8-41 ORA-28366, 8-41 ORA-28367, 8-41 ORA-28368, 8-41 ORA-28369, 8-41 ORA-28370, 8-41 ORA-28371, 8-41 ORA-28372, 8-41 ORA-28373, 8-42 ORA-28374, 8-42 ORA-28375, 8-42 Index-3 ORA-28376, 8-42 ORA-28377, 8-42 ORA-28378, 8-42 ORA-28885 error, 14-5 ORA-40300 error message, 13-37 ORA-40301 error message, 13-38 ORA-40302 error message, 13-38 Oracle Advanced Security checksum sample for sqlnet.ora file, A-2 configuration parameters, 10-3 disabling authentication, 15-1 encryption sample for sqlnet.ora file, A-1 Java implementation, 10-1, 10-3 SSL features, 13-2 Oracle Application Express filtering using by session state in Data Redaction policies, 5-6 Oracle Applications wallet location, 14-13 Oracle Data Pump exported data from Data Redaction policies, 6-3 Oracle Data Redaction about, 3-1 ad hoc tools, 3-3 aggregate functions, 6-2 benefits, 3-2 database applications, 3-2 DBMS_REDACT.ADD_POLICY procedure using, 5-2 DBMS_REDACT.ALTER_POLICY procedure about, 5-27 example, 5-29 parameters required for various actions, 5-28 syntax, 5-28 DBMS_REDACT.DISABLE_POLICY about, 5-31 example, 5-32 syntax, 5-31 DBMS_REDACT.DROP_POLICY about, 5-32 examples, 5-33 syntax, 5-33 DBMS_REDACT.ENABLE_POLICY about, 5-32 example, 5-32 syntax, 5-32 DBMS_REDACT.UPDATE_FULL_REDACTION_ VALUES procedure about, 5-9 editions, 6-2 exporting data using Data Pump Export, 6-3 full Data Redaction modifying LOB data type column default, 5-11 modifying non-LOB data type column default, 5-10 full data redaction about, 4-1 creating policy for, 5-7 examples, 5-8 modifying default value, 5-9 Index-4 syntax, 5-8 how differs from Oracle Virtual Private Database masking, 6-2 inline views order of redaction, 6-2 nested functions order of redaction, 6-2 no data redaction about, 4-6, 5-25 creating policies for, 5-25 example, 5-26 syntax, 5-26 Oracle Enterprise Manager Data Masking and Subsetting Pack, 6-3 partial data redaction about, 4-2 character types, policies for, 5-15 data-time data types, 5-17 example using character data type, 5-16 example using data-time data type, 5-18 example using fixed character shortcut, 5-14 example using number data type, 5-17 number data types, 5-16 shortcuts, fixed character, 5-13 syntax, 5-12 privileges for creating policies, 5-2 random data redaction about, 5-24 creating policies for, 5-24 example, 5-25 syntax, 5-24 randomized data redaction about, 4-4 regular expression data redaction creating policies for, 5-19 custom, creating policies for, 5-23 example, 5-22 example of custom, 5-24 settings for, 5-23 shortcuts, 5-20 shortcuts, creating policies for, 5-20 syntax, 5-19 regular expression redaction about, 4-3 SYS schema objects, 7-2 SYSTEM schema objects, 7-2 use cases, 3-2 when to use, 3-2 WHERE clause redaction, 6-2 Oracle Data Redaction partial redaction creating policies for, 5-12 Oracle Data Redaction policies, 5-6 about, 5-1 altering, 5-27 building reports, 5-36 creating examples, 5-9 general syntax, 5-3 procedure, 5-2 disabling, 5-31 dropping, 5-32 effect on view chain, 5-33 enabling, 5-32 exempting users from, 5-26 expressions by Application Express session state, 5-6 by database role, 5-6 by user environment, 5-6 filtering users about, 5-5 no filtering, 5-7 finding information about, 5-37 redacting multiple columns in one policy, 5-30 Oracle Database Vault using with Data Redaction, 7-2 Oracle Enterprise Manager Data Masking and Subsetting Pack Oracle Data Redaction impact, 6-3 Oracle Internet Directory Diffie-Hellman SSL port, 13-30 Oracle parameters authentication, 15-3 Oracle Password Protocol, 10-3 Oracle Virtual Private Database (VPD) Data Redaction, 6-2 Oracle Wallet Manager importing PKCS #7 certificate chains, 14-17 orapki adding a root certificate to a wallet with, E-5 adding a trusted certificate to a wallet with, E-5 adding user certificates to a wallet with, E-5 changing the wallet password with, E-4 creating a local auto login wallet with, E-4 creating a signed certificate for testing, E-2 creating a wallet with, E-3 creating an auto login wallet with, E-3 exporting a certificate from a wallet with, E-6 exporting a certificate request from a wallet with, E-6 viewing a test certificate with, E-2 viewing a wallet with, E-4 orapki tool, 13-29 original import/export utilities, 8-15 OS_AUTHENT_PREFIX parameter, 15-3 OSS.SOURCE.MY_WALLET parameter, 13-10, 13-17 P parameters authentication Kerberos, B-1 RADIUS, B-1 Secure Sockets Layer (SSL), B-5 configuration for JDBC, 10-3 encryption and checksumming, 9-6 PKCS #11 devices, 13-6 PKCS #11 error messages ORA-40300, 13-37 ORA-40301, 13-38 ORA-40302, 13-38 PKCS #7 certificate chain, 14-17 difference from X.509 certificate, 14-17 Public Key Infrastructure (PKI) certificate, 13-5 certificate authority, 13-4 certificate revocation lists, 13-5 PKCS #11 hardware devices, 13-6 wallet, 13-5 public key infrastructure (PKI), 1-9 R RAC (Real Application Clusters) and TDE (transparent data encryption), 8-23 RADIUS, 1-8 accounting, 11-14 asynchronous authentication mode, 11-4 authentication modes, 11-2 authentication parameters, B-1 challenge-response authentication, 11-4 user interface, C-1 configuring, 11-7 database links not supported, 11-2 location of secret key, 11-11 smartcards and, 1-8, 11-6, 11-11, C-1 sqlnet.ora file sample, A-2 synchronous authentication mode, 11-3 system requirements, 1-11 realm (Kerberos), 12-2 recycle bin Data Redaction policies and, 7-3 reports based Data Redaction policies, 5-36 restrictions, 1-11 revocation, F-2 roles managing with RADIUS server, 11-16 S salt (TDE) adding, 8-13 removing, 8-13 See also TDE (transparent data encryption) secret key location in RADIUS, 11-11 Secure Sockets Layer (SSL), 1-8 architecture, 13-7 authentication parameters, B-5 authentication process in an Oracle environment, 13-3 cipher suites, B-6 client authentication parameter, B-7 client configuration, 13-14 combining with other authentication methods, 13-6 configuring, 13-8 configuring Entrust-enabled SSL on the client, F-5 enabling, 13-8 enabling Entrust-enabled SSL, F-4 Index-5 filtering certificates, 13-20 handshake, 13-3 industry standard protocol, 13-1 multiple certificates, filtering, 13-20 requiring client authentication, 13-13 server configuration, 13-9 sqlnet.ora file sample, A-2 system requirements, 1-11 version parameter, B-7 wallet location, parameter, B-9 SecurID, 11-3 token cards, 11-3 security Internet, 1-2 Intranet, 1-2 threats, 1-2 data tampering, 1-2 dictionary attacks, 1-3 eavesdropping, 1-2 falsifying identities, 1-3 password-related, 1-3 Security Sockets Layer (SSL) use of term includes TLS, 13-2 single sign-on (SSO), 1-9, F-1 smartcards, 1-8 and RADIUS, 1-8, 11-6, 11-11, C-1 SQLNET.AUTHENTICATION_KERBEROS5_ SERVICE parameter, 12-5 SQLNET.AUTHENTICATION_SERVICES parameter, 11-8, 12-5, 13-14, 13-20, 15-2, 15-3 SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 9-8 SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 9-8 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 9-8, A-6 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 9-8, A-6 SQLNET.ENCRYPTION_CLIENT parameter, 9-7, A-4 SQLNET.ENCRYPTION_SERVER parameter, 9-7, A-3 SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 9-7, A-5 SQLNET.ENCRYPTION_TYPES_SERVER parameter, 9-7, A-5 SQLNET.FALLBACK_AUTHENTICATION parameter, 12-13 SQLNET.FIPS_140 parameter, D-5 SQLNET.KERBEROS5_CC_NAME parameter, 12-6 SQLNET.KERBEROS5_CLOCKSKEW parameter, 12-6 SQLNET.KERBEROS5_CONF parameter, 12-6 SQLNET.KERBEROS5_CONF_MIT parameter, 12-6 SQLNET.KERBEROS5_KEYTAB parameter, 12-7 SQLNET.KERBEROS5_REALMS parameter, 12-7 sqlnet.ora file Common sample, A-2 FIPS 140-1 parameters, D-3 Kerberos sample, A-2 Index-6 Oracle Advanced Security checksum sample, A-2 Oracle Advanced Security encryption sample, A-1 OSS.SOURCE.MY_WALLET parameter, 13-10, 13-17 parameters for clients and servers using Kerberos, B-1 parameters for clients and servers using RADIUS, B-1 parameters for clients and servers using SSL, B-5 RADIUS sample, A-2 sample, A-1 SQLNET.AUTHENTICATION_KERBEROS5_ SERVICE parameter, 12-5 SQLNET.AUTHENTICATION_SERVICES parameter, 12-5, 13-14, 13-20, 15-2, 15-3 SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 9-8 SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 9-8 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 9-8, A-6 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 9-8, A-6 SQLNET.ENCRYPTION_CLIENT parameter, A-4 SQLNET.ENCRYPTION_SERVER parameter, 9-7, A-3 SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 9-7, A-5 SQLNET.ENCRYPTION_TYPES_SERVER parameter, 9-7, A-5 SQLNET.FIPS_140 parameter, D-5 SQLNET.KERBEROS5_CC_NAME parameter, 12-6 SQLNET.KERBEROS5_CLOCKSKEW parameter, 12-6 SQLNET.KERBEROS5_CONF parameter, 12-6 SQLNET.KERBEROS5_CONF_MIT parameter, 12-6 SQLNET.KERBEROS5_KEYTAB parameter, 12-7 SQLNET.KERBEROS5_REALMS parameter, 12-7 SQLNET.SSL_EXTENDED_KEY_USAGE, 13-20 SSL sample, A-2 SSL_CLIENT_AUTHENTICATION parameter, 13-13 SSL_CLIENT_AUTHETNICATION parameter, 13-17 SSL_VERSION parameter, 13-12, 13-20 Trace File Set Up sample, A-1 sqlnet.ora file, TDE (transparent data encryption), 8-7, 8-16, 8-19, 8-35, 8-41 SQLNET.RADIUS_ALTERNATE parameter, 11-12 SQLNET.RADIUS_ALTERNATE_PORT parameter, 11-12 SQLNET.RADIUS_ALTERNATE_RETRIES parameter, 11-12 SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, 11-12 SQLNET.RADIUS_SEND_ACCOUNTING parameter, 11-15 SQLNET.SSL_EXTENDED_KEY_USAGE, A-4 SQLNET.SSL_EXTENDED_KEY_USAGE parameter, 13-20 SSL. See Secure Sockets Layer (SSL) SSL wallet location, 14-8, 14-13 SSL_CLIENT_AUTHENTICATION parameter, 13-13, 13-17 SSL_VERSION parameter, 13-12, 13-20 SSO. See single sign-on (SSO) SSO wallets, 14-14 synchronous authentication mode, RADIUS, 11-3 synchronous change data capture, 8-15 SYS user Data Redaction policies, 7-2 SYS_CONTEXT function Data Redaction policies, 7-2 SYS_SESSION_ROLES namespace used in Data Redaction, 5-6 SYS_SESSION_ROLES SYS_CONTEXT namespace Data Redaction, 5-6 system requirements, 1-10 Kerberos, 1-11 RADIUS, 1-11 SSL, 1-11 SYSTEM user Data Redaction policies, 7-2 T tablespace encryption creating encrypted tablespaces, 8-17 editing the sqlnet.ora file, 8-16 opening wallet, 8-16 setting tablespace key, 8-16 tablespace master encryption key, 8-16 TDE (transparent data encryption) and Oracle RAC (Real Application Clusters), 8-23 concepts, 8-1 figure, 8-4 HSMs (hardware security modules) PKCS#11 library, 8-20 user_Id:password string, 8-21 managing, 8-23 to 8-33 backing up and recovering keys, 8-25 managing wallets, 8-24 reference, 8-42 to 8-43 restrictions, 8-15 tablespace encryption creating encrypted tablespaces, 8-17 opening wallet, 8-16 setting tablespace key, 8-16 troubleshooting, 8-38 to 8-42 using, 8-5 to 8-14 creating tables, 8-9 editing the sqlnet.ora file, 8-35 encrypting columns, 8-12 opening wallet, 8-7 setting master encryption key, 8-6 thin JDBC support, 10-1 TLS See Secure Sockets Layer (SSL) token cards, 1-8 trace file set up sample for sqlnet.ora file, A-1 transparent data encryption See TDE Transparent Data Encryption (TDE) compression of encrypted data, 8-31 data deduplication of encrypted data, 8-31 multi-database environments, 8-30, 8-31 transportable tablespaces, 8-15 Triple-DES encryption algorithm, 1-4 troubleshooting, 12-14 Entrust-enabled SSL, F-9 U utilities, import/export, 8-15 V V public function (APEX_UTIL.GET_SESSION_ STATE function), Data Redaction policies, 5-6 views Data Redaction, 5-37 W wallet, 13-5 wallets auto login, 8-5, 8-7, 14-14 changing a password, 14-13 closing, 8-22, 8-23, 14-10 creating, 14-8 deleting, 14-13 managing, 14-7 managing certificates, 14-14 managing trusted certificates, 14-20 opening, 8-7, 8-22, 8-23, 8-35, 8-43, 14-9 Oracle Applications wallet location, 14-13 saving, 14-12 setting location, 13-10 SSL wallet location, 14-8, 14-13 SSO wallets, 14-14 X X.509 certificate difference from PKCS #7 certificate chain, 14-17 X.509 PKI certificate standard, F-1 Index-7 Index-8
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Tagged PDF : Yes XMP Toolkit : Adobe XMP Core 5.2-c001 63.139439, 2010/10/03-12:08:50 Format : application/pdf Creator : Oracle Corporation Description : Oracle Database Advanced Security Title : Oracle Database Advanced Security Administrator’s Guide Create Date : 2016:03:03 15:46:47Z Creator Tool : FrameMaker 10.0.2 Modify Date : 2016:03:03 15:53:30-08:00 Metadata Date : 2016:03:03 15:53:30-08:00 Producer : Acrobat Elements 9.0.0 (Windows) Marked : True Document ID : uuid:6619a563-590e-47a8-a779-5977a30e2f4b Instance ID : uuid:850934b7-2f16-4f0b-8c25-1ed7663e8e43 Page Mode : UseOutlines Page Count : 366 Author : Oracle Corporation Subject : Oracle Database Advanced SecurityEXIF Metadata provided by EXIF.tools