Oracle Advanced Security Administrator's Guide
Release 8.1.5






Prev Next

Introduction to Oracle Advanced Security

This chapter introduces the Oracle Advanced Security option encryption, checksumming, and authentication features. These features are available to network products using Net8, including Oracle8i, Designer 2000, Developer 2000, and any other Oracle or third-party products that support Net8.

Topics covered in this chapter:

About the Oracle Advanced Security Option

The Oracle Advanced Security option (formerly Secure Network Services and Oracle Advanced Networking Option) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. The Oracle Advanced Security option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.

Network Security in a Distributed Environment

Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on Net8 and Oracle8i. This proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised.

The increased distribution of data in these environments brings with it some serious security threats:

Features of the Oracle Advanced Security Option

The Oracle Advanced Security option protects against these threats to the security of distributed environments. Specifically, the Oracle Advanced Security option provides the following features, each of which is described in the next few pages.

Data Integrity

To ensure that data has not been modified, deleted, or replayed during transmission, the Oracle Advanced Security option optionally generates a cryptographically secure message digest--through cryptographic checksums using the MD5 algorithm--and includes it with each packet sent across the network.

Moreover, the SSL feature of the Oracle Advanced Security option allows the use of the Secure Hash Algorithm (SHA). SHA is slightly slower than MD5, but produces a larger message digest to make it more secure against brute-force collision and inversion attacks.

Data Privacy

The Oracle Advanced Security option ensures data privacy through both RSA and DES encryption.


Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. The Oracle Advanced Security option release 8.1.5 provides authentication through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSafe TrustBroker (a Kerberos-based authentication server), SecurID, Identix TouchNet II, and RADIUS. These adapters are described later in this chapter.

Centralized Authentication

Many of the Oracle Advanced Security option authentication methods use centralized authentication. This can give you high confidence in the identity of users, clients, and servers in distributed environments. Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network faking their identities.

Centralized authentication can also provide the benefit of single sign-on for users. Single sign-on allows users to access multiple accounts and applications with a single password, eliminates the need for multiple passwords, and simplifies management of user accounts and passwords for system administrators.


Oracle Corporation does not provide centralized authentication servers. Rather, it supports only the authentication services provided through other vendors' security services or third-party Kerberos-based servers such as CyberSafe. For a list and brief description of authentication methods supported by the Oracle Advanced Security option, see "Authentication Methods Supported".  

How Centralized Authentication Works

Figure 1-1 illustrates how a centralized network authentication service typically operates.

Figure 1-1 How a Network Authentication Service Authenticates a User

Authentication Methods Supported

The Oracle Advanced Security option supports the following authentication methods:

SSL--SSL (Secure Sockets Layer) is an industry standard protocol for securing network connections. SSL provides for authentication, encryption, and data integrity.

You can use the SSL feature of the Oracle Advanced Security option to secure communications between any client and any server. Specifically, you can use SSL to authenticate:

You can use SSL features by themselves or in combination with other authentication methods supported by the Oracle Advanced Security option. For example, you can use SSL along with Kerberos, using the encryption provided by SSL in combination with the Kerberos authentication method.

You can configure SSL to require server authentication only, or both client and server authentication.

RADIUS--RADIUS (Remote Authentication Dial-In User Service), a client-server security protocol, is most widely known for enabling remote authentication and access. The Oracle Advanced Security option uses this emerging standard in a client-server network environment to enable use of any authentication method that supports the RADIUS protocol. You can use RADIUS with a variety of authentication methods, including token cards and smartcards.

Kerberos and CyberSafe--The Oracle Advanced Security option support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication in an Oracle environment. Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through Kerberos authentication and through the CyberSafe TrustBroker, a Kerberos-based authentication server.


Oracle authentication for Kerberos provides database link authentication (also called "proxy authentication"). CyberSafe and SecurID do not provide support for proxy authentication.  

Smartcards (RADIUS-Compliant)--This authentication method uses a hardware device that looks much like a credit card. It has memory and a processor and is read by a smartcard reader located at the client workstation.

Smartcards offer the following benefits:

Token Cards (SecurID and RADIUS-Compliant)--Token cards can provide improved ease-of-use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) which the user then types into a token card. The token card provides a response, namely, another number cryptographically-derived from the challenge, which the user then offers to the server.

Token cards provide the following benefits:

You can use SecurID tokens through either SecurID or through RADIUS.

Bull ISM--ISM (Integrated System Management) is an offering of Bull Worldwide Information Systems that provides system administrators with a variety of management tools. This authentication method is available on the AIX platform only. See your AIX-specific documentation for more information.

Biometric Authentication (Identix)--Identix Biometric Authentication is used on both the clients and Oracle servers to communicate biometric authentication data between the authentication server and the clients.


User authorization, already a standard features of Oracle8i, is significantly enhanced by using the authentication methods supported by the Oracle Advanced Security option. For example, on certain platforms such as Solaris, the Oracle Advanced Security option supports authorization with DCE.

Architecture of the Oracle Advanced Security Option

The Oracle Advanced Security option is an add-on product to a standard Net8 Server or Net8 Client. Figure 1-2 shows the location of the Oracle Advanced Security option within a typical stack in an Oracle networking environment.

More Information:

For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide.  

Figure 1-2 Oracle Advanced Security in an Oracle Networking Environment

The Oracle Advanced Security option supports authentication through adapters that are very much like the existing Oracle protocol adapters. As Figure 1-3 shows, authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.

Figure 1-3 Net8 with Authentication Adapters

Secure Data Transfer Across Network Protocol Boundaries

The Oracle Advanced Security option is fully supported by the Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

System Requirements

The Oracle Advanced Security option is an add-on product to standard Net8 Server or Net8 Client. It is an extra cost item, and, to be functional, must be purchased on both the client and the server.

The Oracle Advanced Security option release 8.1.5 requires Net8 release 8.1.5.

The Oracle Advanced Security option release 8.1.5 supports Oracle 8i Enterprise Edition.

TrustBrokerInstall the Oracle Advanced Security option on all clients and servers where the Oracle Advanced Security option is required.


The Oracle Advanced Security option release 8.1.5 provides secure communication when used with earlier releases (such as 1.0 and 1.1); however, the security functionality defaults to that provided by the earlier release.  

Authentication Method   System Requirements  


A wallet that is compatible with the Oracle Wallet Manager, release 1.3-beta. Wallets created on earlier releases of the Oracle Wallet Manager are not forward compatible.  

CyberSafe TrustBroker  

CyberSafe GSS Runtime Library, version 1.1 or later, installed on both the machine that runs the Oracle client and on the machine that runs the Oracle server.

CyberSafe TrustBroker, release 1.2 or later installed on a physically secure machine that will run the authentication server.

CyberSafe TrustBroker Client, release 1.2 or later installed on the machine that runs the Oracle client.  


MIT Kerberos Version 5, release 1.0

The Kerberos authentication server must be installed on a physically secure machine.  


ACE/Server 1.2.4 or higher running on the authentication server.  

Identix Biometric  

Identix hardware and driver installed on each Biometric Manager station and client.  


A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting.

If you want to enable challenge-response authentication, you must run RADIUS on a platform which supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.  

Oracle Configuration for Network Authentication

This section discusses parameters you set when configuring Oracle for network authentication. Specifically, it discusses the following tasks:


For clients and servers to be able to use an Oracle authentication method, the following parameter must be in the sqlnet.ora file:


For example, the following parameter must be set in the sqlnet.ora files on all clients and servers that use the Kerberos Authentication:


Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE


Setting REMOTE_OS_AUTHENT to TRUE may create a security hole, because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).  

It is strongly recommended that, when configuring the Oracle authentication methods, you add the following parameter to the initialization file used for the database instance:


If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation will fail, and the connection will be terminated.

If the following parameter is set in the sqlnet.ora file on either the client or server side:


the database will attempt to use the provided user name and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE, the connection will fail.

Setting OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the init.ora file used for the database instance:



The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.  


If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL ("") do not change it, since it could result in previously created externally-identified users not being able to connect to the Oracle server.  

To create a user, launch SQL*Plus and type:

SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;

When OS_AUTHENT_PREFIX is set to a null value (""), you would create the user "king" with the following command:


The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally-identified users.


This applies to creating Oracle users for use with all Oracle authentication methods.  

More Information:

See Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems.  

Oracle Products Not Yet Supported

The Oracle Advanced Security option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Security option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) cannot yet take advantage of the Oracle Advanced Security option, since ODM does not currently use Net8.


Copyright © 1999 Oracle Corporation.

All Rights Reserved.