Using Strong Authentication

Copyright © 2009, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to do the following:
• Describe strong authentication that uses:
  – Certificates
  – Kerberos
  – Remote Authentication Dial-In User Service (RADIUS)
• Describe a setup for strong authentication that uses:
  – Certificates
  – Kerberos
  – Key Distribution Center (KDC)
• Implement the secure external password store

User Authentication

Identify the user in the following ways:
• Basic authentication
  – Database user identified by a password
  – Database user identified by the operating system
• Strong authentication
• Enterprise User Security
• Proxy authentication

Strong User Authentication

Strong authentication:
• Is stronger than password authentication
• Often includes the single sign-on functionality
• Is supported by the following authentication technologies:
  – Certificates, public key infrastructure (PKI)
  – RADIUS, token, and smart cards
  – Kerberos
• Integrates with Oracle Net Services
• Requires Oracle Advanced Security (ASO)

Single Sign-On

• Single sign-on is a centralized authentication service.
• The user has a single username and password.
• Servers authenticate users through the central service.

Diagram: Client, Authentication server, Server

Public Key Infrastructure (PKI) Tools

The Oracle database PKI implementation includes:
• Components:
  – Oracle Wallet
  – Oracle Advanced Security
  – Oracle Identity Management infrastructure
• Management tools:
  – Oracle Wallet Manager

Certificates

• Certificates:
  – Are digital documents
  – Provide proof of identity
  – Are stored in Oracle Wallets
• Certificate authority:
  – Is a trusted organization (trust point)
  – Attests the identity of the certificate
  – Issues trusted certificates (X.509 v3)
• Certificate use:
  – Requires a secure sockets layer (SSL)
  – Requires a level of trust in the signing authority

How to Use Certificates for Authentication

1. Install the required components.
2. Configure the server for SSL.
3. Configure the server-side Oracle Net files:
   – listener.ora
   – tnsnames.ora
   – sqlnet.ora
4. Configure the client for SSL.
5. Configure the client-side Oracle Net files:
   – sqlnet.ora
6. Create a user that is authenticated with a certificate.
7. Connect to the database.

Configuring SSL on the Server

Configuring Oracle Net Files on the Server

Configuring SSL on the Client

Configuring Oracle Net Files on the Client

On the client, specify:
• The server’s distinguished name
• The TCPS protocol listener port
• The client wallet location

Creating a User Identified by Certificate

• When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:
  CREATE USER global_user1 IDENTIFIED GLOBALLY AS 'CN=analyst, OU=division1, O=oracle, C=US';
• You can create a shared schema that allows any user identified to the directory and mapped to the schema:
  CREATE USER global_user2 IDENTIFIED GLOBALLY AS '';

Connecting to the Database

The user that owns the client wallet may connect to the database by using:
  CONNECT /@SSL_ORCL

orapki Utility

orapki is a command-line utility for scripting common PKI management tasks. It can be used for:
• Creating and viewing signed certificates for testing purposes
• Managing Oracle wallets
• Creating and displaying Oracle wallets
• Renaming CRLs with a hash value for certificate validation

How to Use Kerberos for Authentication

1. Install Kerberos.
2. Configure a service principal for the database server.
3. Extract a service table from Kerberos.
4. Install an Oracle database server and a client.
5. Install Oracle components.
6. Configure Oracle Net Services and the Oracle database.
7. Configure Kerberos authentication.
8. Create a Kerberos user.
9. Create an externally authenticated Oracle user.
10. Get an initial ticket for the Kerberos and Oracle user.

How to Use KDC with Windows 2000 for Authentication

1. Configure an Oracle Kerberos client to interoperate with a Windows 2000 domain controller KDC.
2. Configure a Windows 2000 domain controller KDC to interoperate with an Oracle client.
3. Configure an Oracle database to interoperate with a Windows 2000 domain controller KDC.
4. Get an initial ticket for the Kerberos and Oracle user.

RADIUS Authentication: Overview

• RADIUS is a protocol for remote authentication and access.
• You may use any authentication method that supports the RADIUS standard.
• You may change authentication methods without changing the database or client configuration.
• The user is defined in the database as IDENTIFIED EXTERNALLY.

External Secure Password Store

Diagram: the user RAMA connects with CONNECT /@DEV and types no password; the client wallet holds one credential per connect alias, shown as vkrama/?????@DEV for DEV and ramav/????@prod_db.acme.com for PROD.

Configuring the Wallet

Use the mkstore command:
• Create the wallet:
  mkstore -wrl $HOME/admin/orcl/wallets -create
• Add credentials to the wallet:
  mkstore -wrl $HOME/admin/orcl/wallets -createCredential dev hr [hr]

Note: The user password is not required on the command line; if it is omitted, mkstore prompts for it. The command-line input must be on one line.

Configuring sqlnet.ora

Set the following in sqlnet.ora:
• WALLET_LOCATION
• SQLNET.WALLET_OVERRIDE

  WALLET_LOCATION =
    (SOURCE = (METHOD = FILE)
      (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))
  SQLNET.WALLET_OVERRIDE = TRUE
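The client-side settings for certificate authentication (server DN, TCPS port, client wallet) and for the external password store (WALLET_LOCATION, SQLNET.WALLET_OVERRIDE) are easy to get subtly wrong, and a wrong value usually shows up only as a password prompt or an ORA- error at connect time. The following is an added example, not Oracle's own code or tooling: a small parser for the KEY = (GROUP = ...) syntax that sqlnet.ora and tnsnames.ora share, plus checks over the parsed files. It assumes the Oracle Net parameter names SSL_SERVER_DN_MATCH (sqlnet.ora) and SSL_SERVER_CERT_DN (tnsnames.ora SECURITY clause), which the slides do not show by name, and that values containing '=' such as a DN are quoted. The sample files are constructed: the sqlnet.ora fragment follows the slide, while the host, port, service name and server DN in the tnsnames.ora entry for SSL_ORCL are placeholders.

```python
# Added example, not Oracle's code: static checks for the Oracle Net client
# files these slides configure.  parse_ora() reads the KEY = (GROUP = ...)
# syntax shared by sqlnet.ora and tnsnames.ora; the check_* functions flag
# settings that make certificate authentication or the password store fail.
import re

TOKEN = re.compile(r'[()=]|"[^"]*"|[^\s()=]+')   # parens, '=', "quoted", word
TRUE_VALUES = {"TRUE", "ON", "YES"}


def parse_ora(text):
    """Parse sqlnet.ora / tnsnames.ora text into nested dicts.  Keys are
    upper-cased, '#' starts a comment, a repeated key (e.g. several ADDRESS
    entries) becomes a list, and values containing '=' must be quoted."""
    toks = TOKEN.findall("\n".join(line.split("#", 1)[0] for line in text.splitlines()))

    def add(container, key, value):  # keep every occurrence of a repeated key
        old = container.get(key)
        container[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]

    def value(i):
        """Parse the value that starts at toks[i]; return (value, next index)."""
        if i < len(toks) and toks[i] == "(":          # one or more (KEY = value)
            group = {}
            while i < len(toks) and toks[i] == "(":
                if i + 2 >= len(toks) or toks[i + 2] != "=":
                    raise ValueError("expected 'KEY =' after '(' at token %d" % i)
                key = toks[i + 1].upper()
                val, i = value(i + 3)
                if i >= len(toks) or toks[i] != ")":
                    raise ValueError("expected ')' at token %d" % i)
                add(group, key, val)
                i += 1
            return group, i
        words = []                                    # scalar: words up to ')' or the next KEY =
        while i < len(toks) and toks[i] not in ("(", ")", "=") \
                and not (i + 1 < len(toks) and toks[i + 1] == "="):
            words.append(toks[i].strip('"'))
            i += 1
        return " ".join(words), i

    tree, i = {}, 0
    while i < len(toks):
        if i + 1 >= len(toks) or toks[i + 1] != "=":
            raise ValueError("expected 'KEY =' at token %d" % i)
        key = toks[i].upper()
        val, i = value(i + 2)
        add(tree, key, val)
    return tree


def get(tree, path):
    """Follow keys case-insensitively; None if absent; first of a repeated key."""
    for key in path:
        tree = tree[0] if isinstance(tree, list) else tree
        tree = tree.get(key.upper()) if isinstance(tree, dict) else None
    return tree


def check_password_store(sqlnet):
    """What CONNECT /@alias needs in sqlnet.ora to use the wallet credential."""
    issues = []
    if get(sqlnet, ["WALLET_LOCATION", "SOURCE", "METHOD"]) != "FILE":
        issues.append("WALLET_LOCATION METHOD is not FILE")
    if not get(sqlnet, ["WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY"]):
        issues.append("WALLET_LOCATION has no DIRECTORY")
    if str(get(sqlnet, ["SQLNET.WALLET_OVERRIDE"])).upper() != "TRUE":
        issues.append("SQLNET.WALLET_OVERRIDE is not TRUE: stored credential not used")
    return issues


def check_tcps_client(sqlnet, tnsnames, alias):
    """Server DN, TCPS listener port and client wallet, as the slides list them."""
    desc = get(tnsnames, [alias, "DESCRIPTION"]) or {}
    checks = [
        (str(get(desc, ["ADDRESS", "PROTOCOL"])).upper() == "TCPS", "ADDRESS PROTOCOL is not TCPS"),
        (bool(get(desc, ["ADDRESS", "PORT"])), "ADDRESS has no PORT"),
        (bool(get(desc, ["SECURITY", "SSL_SERVER_CERT_DN"])), "no SSL_SERVER_CERT_DN: server DN not pinned"),
        (str(get(sqlnet, ["SSL_SERVER_DN_MATCH"])).upper() in TRUE_VALUES, "SSL_SERVER_DN_MATCH not enabled"),
        (bool(get(sqlnet, ["WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY"])), "no client WALLET_LOCATION"),
    ]
    return [msg for ok, msg in checks if not ok]


# Constructed samples (not Oracle's): sqlnet.ora follows the slide; the host,
# port, service name and server DN in tnsnames.ora are placeholders.
SAMPLE_SQLNET = """WALLET_LOCATION = (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
SSL_SERVER_DN_MATCH = TRUE"""
SAMPLE_TNSNAMES = """SSL_ORCL = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=dbhost, OU=division1, O=oracle, C=US")))"""
WEAK_SQLNET = SAMPLE_SQLNET.replace("OVERRIDE = TRUE", "OVERRIDE = FALSE")

if __name__ == "__main__":
    print(check_password_store(parse_ora(SAMPLE_SQLNET)), check_password_store(parse_ora(WEAK_SQLNET)))
    print(check_tcps_client(parse_ora(SAMPLE_SQLNET), parse_ora(SAMPLE_TNSNAMES), "SSL_ORCL"))
```

Run it against the real files with parse_ora(open(path).read()); an empty list from each check means the settings the slides call for are all present. The WALLET_OVERRIDE check is the one that bites most often: without it, CONNECT /@DEV ignores the wallet and falls back to prompting for a password.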

Managing the External Password Store

For the external password store:
• List contents
• Add credentials
• Modify credentials
• Delete credentials

Practice 7 Overview: Configuring the External Secure Password Store

This practice covers the following topics:
• Configuring the external secure password store
• Implementing a user connecting remotely without a password
• Viewing the contents of the wallet

Summary

In this lesson, you should have learned how to:
• Describe strong authentication that uses:
  – Certificates
  – Kerberos
  – RADIUS
• Describe a setup for strong authentication that uses:
  – Certificates
  – Kerberos
  – Key Distribution Center (KDC)
• Implement an external secure password store