08 les 07 strong auth

Upload: ashok-thiyagarajan

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 08 Les 07 Strong Auth

    1/24

    Copyright 2009, Oracle. All rights reserved.

    Using Strong Authentication

  • Objectives

    After completing this lesson, you should be able to do the following:

      • Describe strong authentication that uses:
          • Certificates
          • Kerberos
          • Remote Authentication Dial-In User Service (RADIUS)

      • Describe a setup for strong authentication that uses:
          • Certificates
          • Kerberos
          • Key Distribution Center (KDC)

      • Implement the secure external password store

  • User Authentication

    Identify the user in the following ways:

      • Basic authentication
          • Database user identified by a password
          • Database user identified by the operating system
      • Strong authentication
      • Enterprise User Security
      • Proxy authentication

  • Strong User Authentication

    Strong authentication:

      • Is stronger than password authentication
      • Often includes single sign-on functionality
      • Is supported by the following authentication technologies:
          • Certificates, public key infrastructure (PKI)
          • RADIUS, token, and smart cards
          • Kerberos
      • Integrates with Oracle Net Services
      • Requires Oracle Advanced Security (ASO)

  • Single Sign-On

    Single sign-on is a centralized authentication service. The user has a single username and password.

    Servers authenticate users through the central service.

    [Diagram: Client, Server, and Authentication server]

  • Public Key Infrastructure (PKI) Tools

    The Oracle database PKI implementation includes:

      • Components:
          • Oracle Wallet
          • Oracle Advanced Security
          • Oracle Identity Management infrastructure
      • Management tools:
          • Oracle Wallet Manager

  • How to Use Certificates for Authentication

    1. Install the required components.
    2. Configure the server for SSL.
    3. Configure the server-side Oracle Net files:
         • listener.ora
         • sqlnet.ora
    4. Configure the client for SSL.
    5. Configure the client-side Oracle Net files:
         • sqlnet.ora
         • tnsnames.ora
    6. Create a user that is authenticated with a certificate.
    7. Connect to the database.

  • Configuring SSL on the Server

  • Configuring SSL on the Client

  • Configuring Oracle Net Files on the Client

    On the client, specify:

      • The server's distinguished name
      • The TCPS protocol listener port
      • The client wallet location

  • Creating a User Identified by Certificate

    When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:

    CREATE USER global_user1 IDENTIFIED GLOBALLY AS
      'CN=analyst,OU=division1, O=oracle, C=US';

    You can create a shared schema that allows any user identified to the directory and mapped to the schema:

    CREATE USER global_user2 IDENTIFIED GLOBALLY AS '';

  • Connecting to the Database

    The user that owns the client wallet may connect to the database by using:

    CONNECT /@SSL_ORCL;

  • orapki Utility

    orapki is a command-line utility for scripting common PKI management tasks. It can be used for:

      • Creating and viewing signed certificates for testing purposes
      • Managing Oracle wallets:
          • Creating and displaying Oracle wallets
      • Renaming CRLs with a hash value for certificate validation

  • How to Use Kerberos for Authentication

    1. Install Kerberos.
    2. Configure a service principal for the database server.
    3. Extract a service table from Kerberos.
    4. Install an Oracle database server and a client.
    5. Install Oracle components.
    6. Configure Oracle Net Services and the Oracle database.
    7. Configure Kerberos authentication.
    8. Create a Kerberos user.
    9. Create an externally authenticated Oracle user.
    10. Get an initial ticket for the Kerberos and Oracle user.

  • How to Use KDC with Windows 2000 for Authentication

    1. Configure an Oracle Kerberos client to interoperate with a Windows 2000 domain controller KDC.
    2. Configure a Windows 2000 domain controller KDC to interoperate with an Oracle client.
    3. Configure an Oracle database to interoperate with a Windows 2000 domain controller KDC.
    4. Get an initial ticket for the Kerberos and Oracle user.

  • RADIUS Authentication: Overview

      • RADIUS is a protocol for remote authentication and access.
      • You may use any authentication method that supports the RADIUS standard.
      • You may change authentication methods without changing the database or client configuration.
      • The user is defined in the database as IDENTIFIED EXTERNALLY.

  • External Secure Password Store

    [Diagram: user RAMA's client wallet holds the credentials vkrama/?????@DEV and ramav/????@prod_db.acme.com for the DEV and PROD databases; the user connects without typing a password: CONNECT /@DEV]

  • Configuring the Wallet

    Use the mkstore command:

      • Create the wallet:

        mkstore -wrl $HOME/admin/orcl/wallets -create

      • Add credentials to the wallet:

        mkstore -wrl $HOME/admin/orcl/wallets -createCredential dev hr [hr]

    Note: User password is not required on the command line; the command-line input must be on one line.

  • Configuring sqlnet.ora

    Set the following in sqlnet.ora:

      • WALLET_LOCATION
      • SQLNET.WALLET_OVERRIDE

    WALLET_LOCATION =
      (SOURCE = (METHOD = FILE)
        (METHOD_DATA = (DIRECTORY = /home/rama/admin/orcl/wallet)))

    SQLNET.WALLET_OVERRIDE = TRUE

  • Managing the External Password Store

    For the external password store:

      • List contents
      • Add credentials
      • Modify credentials
      • Delete credentials
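    The three slides above (wallet creation with mkstore, the sqlnet.ora settings, and ongoing management) leave implicit what a working store looks like on disk and what to verify before relying on CONNECT /@alias. The following POSIX shell script is an added example, not part of the Oracle course: it writes the lesson's sqlnet.ora fragment for a given wallet directory and then checks that WALLET_OVERRIDE is TRUE, that the auto-login wallet file exists, and that the wallet directory is readable by its owner only. It does not invoke mkstore; the function names are mine, while cwallet.sso and ewallet.p12 are the standard Oracle wallet file names.

```shell
#!/bin/sh
# Added example (not Oracle's code): preflight check for a secure external
# password store laid out as in the lesson. Assumes sqlnet.ora names the wallet
# directory under WALLET_LOCATION (METHOD = FILE) and that the wallet was made
# with "mkstore -wrl <dir> -create" plus "-createCredential <alias> <user>".
# Paths containing whitespace are not handled (Oracle Net syntax is collapsed).

# Write the lesson's sqlnet.ora fragment for wallet directory $2 into file $1.
write_sqlnet_ora() {
    cat > "$1" <<EOF
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = $2)))
SQLNET.WALLET_OVERRIDE = TRUE
EOF
}

# Print the DIRECTORY named in WALLET_LOCATION, or nothing if there is none.
# Oracle Net parameters may span several lines, so whitespace is stripped first.
wallet_dir_from_sqlnet() {
    { tr -d ' \t\r\n' < "$1"; echo; } |
      sed -n 's/.*WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=\([^)]*\)))).*/\1/p'
}

# Return 0 when sqlnet.ora $1 points at a usable, owner-only wallet; otherwise
# print the reason on stderr and return 1.
check_password_store() {
    dir=$(wallet_dir_from_sqlnet "$1")
    [ -n "$dir" ] || { echo "no WALLET_LOCATION with METHOD = FILE in $1" >&2; return 1; }
    # Without WALLET_OVERRIDE = TRUE the wallet is used for SSL only and
    # CONNECT /@alias will still prompt for a password.
    grep -Eq '^[[:space:]]*SQLNET\.WALLET_OVERRIDE[[:space:]]*=[[:space:]]*TRUE' "$1" ||
      { echo "SQLNET.WALLET_OVERRIDE is not TRUE in $1" >&2; return 1; }
    # mkstore -create writes ewallet.p12 (password protected) and cwallet.sso
    # (auto-login); the auto-login file is what lets CONNECT /@alias work.
    [ -f "$dir/cwallet.sso" ] || { echo "no auto-login wallet $dir/cwallet.sso" >&2; return 1; }
    # Anyone able to read cwallet.sso can use every stored credential, so the
    # directory must carry no group or other permission bits (ls mode chars 5-10).
    mode=$(ls -ld "$dir" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$dir is group/world accessible (mode $mode)" >&2; return 1; }
    return 0
}
```

Run check_password_store against $ORACLE_HOME/network/admin/sqlnet.ora (or the TNS_ADMIN copy) on each client host before the practice; a store that passes still needs mkstore -listCredential to confirm the alias names match tnsnames.ora.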

  • Practice 7 Overview: Configuring the External Secure Password Store

    This practice covers the following topics:

      • Configuring the external secure password store
      • Implementing a user connecting remotely without a password
      • Viewing the contents of the wallet
