You can use a set of strong authentication administration tools for network encryption and public key infrastructure credentials. Administrators responsible for strong authentication have a special set of duties that they must follow.
Topics:
Tools that you must use enable you to configure and administer the encryption, integrity (checksumming), and strong authentication methods for Oracle Net Services.
Strong authentication method configuration can include third-party software, as is the case for Kerberos or RADIUS, or it may entail configuring and managing a public key infrastructure for using digital certificates with Secure Sockets Layer (SSL).
You can configure Oracle Net Services to encrypt data using standard encryption algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and SSL.
Topics:
Oracle Net Manager is a graphical user interface tool, primarily used to configure Oracle Net Services for an Oracle home on a local client or server host.
Although you can use Oracle Net Manager to configure Oracle Net Services, such as naming, listeners, and general network settings, it also enables you to configure the following features, which use the Oracle Net protocol:
Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
Network encryption (RC4, DES, Triple-DES, and AES)
Checksumming for data integrity (MD5, SHA-1, SHA-2)
The Kerberos adapter provides three command-line utilities that enable you to obtain, cache, display, and remove Kerberos credentials.
Table 16-1 briefly describes these utilities.
Table 16-1 Kerberos Adapter Command-Line Utilities
| Utility Name | Description |
|---|---|
|
|
Obtains Kerberos tickets from the Key Distribution Center (KDC) and caches them in the user's credential cache |
|
|
Displays a list of Kerberos tickets in the specified credential cache |
|
|
Removes Kerberos credentials from the specified credential cache |
See Also:
"Utilities for the Kerberos Authentication Adapter" for complete descriptions of these utilities, their syntax, and available optionsNote:
The Cybersafe adapter is not supported beginning with this release. You should use Oracle's Kerberos adapter in its place. Kerberos authentication with the Cybersafe KDC (Trust Broker) continues to be supported when using the Kerberos adapter.The security provided by a public key infrastructure (PKI) depends on how effectively you store, manage, and validate your PKI credentials. Oracle Wallet Manager and orapki are used to manage certificates, wallets, and certificate revocation lists so your PKI credentials can be stored securely and your certificate validation mechanisms kept current.
Topics:
Oracle Wallet Manager is an application that wallet owners and security administrators use to manage and edit the security credentials in their Oracle wallets. A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. You can use Oracle Wallet Manager to perform the following tasks:
Create public and private key pairs
Store and manage user credentials
Generate certificate requests
Store and manage certificate authority certificates (root key certificate and certificate chain)
Upload and download wallets to and from an LDAP directory
Create wallets to store hardware security module credentials
Note:
In previous releases of Oracle Database, you could use Oracle Wallet Manager to configure wallets for Transparent Data Encryption. In this release, you can use theADMINISTER KEY MANAGEMENT SQL statement instead. For more information, see Oracle Database Advanced Security Guide.The orapki utility is a command-line tool that you can use to manage certificate revocation lists (CRLs), create and manage Oracle wallets, and to create signed certificates for testing purposes.
The basic syntax for this utility is as follows:
orapki module command -option_1 argument ... -option_n argument
For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.example.com and that uses port 389:
orapki crl list -ldap machine1.us.example.com:389
Note:
The use oforapki to configure Transparent Data Encryption has been deprecated. Instead, use the ADMINISTER KEY MANAGEMENT SQL statement. For more information, see Oracle Database Advanced Security Guide.See Also:
"Certificate Revocation List Management" for information about how to use orapki to manage CRLs in the directory
Appendix F, "Using the orapki Utility to Manage PKI Elements" for reference information on all available orapki commands
Most of the tasks of a security administrator involve ensuring that the connections to and from Oracle databases are secure.
Table 16-2 describes the primary tasks of security administrators who are responsible for strong authentication, the tools used to perform the tasks, and links to where the tasks are documented.
Table 16-2 Common Security Administrator/DBA Configuration and Administrative Tasks
| Task | Tools Used | See Also |
|---|---|---|
|
Configure encrypted Oracle Net connections between database servers and clients |
Oracle Net Manager |
|
|
Configure checksumming on Oracle Net connections between database servers and clients |
Oracle Net Manager |
|
|
Configure database clients to accept RADIUS authentication |
Oracle Net Manager |
|
|
Configure a database to accept RADIUS authentication |
Oracle Net Manager |
|
|
Create a RADIUS user and grant them access to a database session |
SQL*Plus |
|
|
Configure Kerberos authentication on a database client and server |
Oracle Net Manager |
|
|
Create a Kerberos database user |
|
|
|
Manage Kerberos credentials in the credential cache |
|
|
|
Create a wallet for a database client or server |
Oracle Wallet Manager |
Oracle Database Enterprise User Security Administrator's Guide |
|
Request a user certificate from a certificate authority (CA) for SSL authentication |
|
|
|
Import a user certificate and its associated trusted certificate (CA certificate) into a wallet |
|
|
|
Configuring SSL connections for a database client |
|
|
|
Configuring SSL connections for a database server |
Oracle Net Manager |
|
|
Enabling certificate validation with a certificate revocation list (CRL) |
Oracle Net Manager |
"Configuring Certificate Validation with Certificate Revocation Lists" |