Enterprise User Security supports the following authentication methods:
Password-based authentication
SSL-based authentication
Kerberos-based authentication
Each authentication method has advantages and disadvantages. Table 1-1 summarizes the criteria for selecting which authentication method is best for your Enterprise User Security implementation.
Table 1-1 Enterprise User Security Authentication: Selection Criteria

Password Authentication | SSL Authentication | Kerberos Authentication
---|---|---
Password-based authentication | Provides strong authentication over SSL | Provides strong authentication by using Kerberos version 5 tickets
Provides centralized user and password management | Provides centralized user and PKI credential/wallet management | Provides centralized user and Kerberos credential management
Separate authentication required for each database connection | Supports single sign-on (SSO) using SSL | Supports SSO using Kerberos version 5 encrypted tickets and authenticators, and authentication forwarding
Retains users' current authentication methods | Initial configuration may be more difficult because PKI credentials must be generated for all users (dependent on administrators' PKI knowledge) | Initial configuration may be more difficult because Kerberos must be installed and configured to authenticate database users
User identity can be used in two-tier or multitier applications; OracleAS Single Sign-On users and enterprise users use the same stored password | Compatible with either a two-tier or multitier environment | Compatible with either a two-tier or multitier environment
Supports Oracle Release 7.3 and later clients with Oracle Database 10g and later | Supports Oracle8i and later clients with Oracle Database 10g and later | Supports Oracle Database 10g and later clients with Oracle Database 10g and later
Supports current user database links only if the connection between databases is over SSL | Supports current user database links | Supports current user database links only if the connection between databases is over SSL
Can use third-party directories to store users if synchronized with Oracle Internet Directory [1] | Can use third-party directories to store users if synchronized with Oracle Internet Directory [2] | Can use third-party directories to store users if synchronized with Oracle Internet Directory [3]
Note:
Enterprise User Security supports three-tier environments. Oracle Database proxy authentication features enable
(i) proxy of user names and passwords through multiple tiers, and
(ii) proxy of X.509 certificates and distinguished names through multiple tiers.
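The following is an added example and is not taken from this guide. It shows the database side of the proxy authentication the Note refers to: a middle-tier account authenticates with its own credentials and then acts as a target user without ever presenting that user's password, and the proxied session can be told apart from a direct login. The user, role and service names (app_server, hr_user, hr_clerk, orcl) are hypothetical; the statements and USERENV attributes are standard Oracle Database syntax.

```sql
-- Added example (not from the Oracle guide). Names are hypothetical.

-- 1. As a DBA: allow the middle-tier account APP_SERVER to connect as HR_USER,
--    and limit the proxied session to the HR_CLERK role. Without WITH ROLE the
--    proxied session would receive all of HR_USER's default roles.
ALTER USER hr_user GRANT CONNECT THROUGH app_server WITH ROLE hr_clerk;

-- 2. Variant for enterprise users: allow any enterprise user (authorized in
--    Oracle Internet Directory) to connect through to the HR_USER schema.
ALTER USER hr_user GRANT CONNECT THROUGH ENTERPRISE USERS;

-- 3. Review which proxy relationships exist before going live.
SELECT * FROM proxy_users WHERE client = 'HR_USER';

-- 4. From the middle tier (SQL*Plus syntax): authenticate as APP_SERVER with
--    APP_SERVER's password, but run the session as HR_USER.
--      CONNECT app_server[hr_user]/app_server_password@orcl

-- 5. Inside the proxied session, record both identities. Auditing, VPD and
--    application-context policies should key on both, not on SESSION_USER alone.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')            AS authenticated_as,
       SYS_CONTEXT('USERENV', 'SESSION_USER')          AS acting_as,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS enterprise_dn
  FROM DUAL;

-- 6. Remove the relationship when the middle tier is decommissioned.
ALTER USER hr_user REVOKE CONNECT THROUGH app_server;
```

In a proxied session PROXY_USER returns the account that actually authenticated (APP_SERVER) and SESSION_USER the account the session acts as (HR_USER); in a direct login PROXY_USER is null. Keeping the proxy grant as narrow as possible (WITH ROLE, or WITH ROLE ALL EXCEPT) is what keeps a compromised middle tier from inheriting every privilege of the users it proxies.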
See Also:
Enterprise User Security Configuration Tasks and Troubleshooting for information about configuring the various authentication types for enterprise user security
Oracle Database Security Guide, for information about using proxy authentication
Footnotes for Table 1-1:

[1] If the third-party directory is Microsoft Active Directory, then when user passwords change, they must be changed in both Active Directory and in Oracle Internet Directory.

[2] You must modify the Directory Integration Services agent to synchronize user PKCS #12 attributes.

[3] If the third-party directory is Microsoft Active Directory, then logging in to Windows gives you single sign-on to databases. For other third-party directories, you must modify the Directory Integration Services agent to synchronize the KrbPrincipalName attribute; this synchronization is automatic for Microsoft Active Directory.