Oracle Advanced Security Administrator's Guide
Release 8.1.5

A67766-01


4 Configuring CyberSafe Authentication

This chapter contains information on how to configure Oracle for use with CyberSafe, as well as a brief overview of the steps to configure CyberSafe to authenticate Oracle users.

This chapter covers the following topics: Enabling CyberSafe Authentication, and Troubleshooting the Configuration of the CyberSafe Authentication Adapter.

Enabling CyberSafe Authentication

You enable CyberSafe authentication by performing the following tasks, each of which is fully described in the next few pages:


Note:

Perform these tasks in the order in which they are listed.  


Step 1: Install the CyberSafe server

Step 2: Install the CyberSafe TrustBroker client

Step 3: Install the CyberSafe Application Security Toolkit

Step 4: Configure a service principal for an Oracle server

Step 5: Extract the service table from CyberSafe

Step 6: Install an Oracle server

Step 7: Install the Oracle Advanced Security and the CyberSafe adapter

Step 8: Configure Net8 and Oracle on your server and client

Step 9: Configure CyberSafe authentication

Step 10: Create a CyberSafe User on the authentication server

Step 11: Create an externally authenticated Oracle user on the Oracle server

Step 12: Get the initial ticket for the Kerberos/Oracle user

Step 13: Connect to an Oracle server authenticated by CyberSafe

Step 1: Install the CyberSafe server

Do this on the machine that will act as the authentication server.

More Information:

See the CyberSafe documentation listed in the "Related Publications" in the Preface of this guide.  

Step 2: Install the CyberSafe TrustBroker client

Do this on the machine that runs the Oracle server and the client.

More Information:

See the CyberSafe documentation listed in "Related Publications" in the Preface of this guide.  

Step 3: Install the CyberSafe Application Security Toolkit

Do this on the client and on the server.

More Information:

See the CyberSafe documentation listed in "Related Publications" in the Preface of this guide.  

Step 4: Configure a service principal for an Oracle server

For the Oracle server to validate the identity of clients, you need to configure a service principal for an Oracle server on the machine running the CyberSafe TrustBroker Master Server. If necessary, you must also configure a realm.

The name of the principal should have the following format:

kservice/kinstance@REALM

kservice  

a string that represents the Oracle service. This may or may not be the same as the database service name  

kinstance  

typically the fully-qualified name of the machine on which Oracle is running  

REALM  

the domain of the server  


Note:

kservice is case-sensitive, and REALM must always be upper-case.  



Note:

The utility names in this section are actual programs that you run. However, the CyberSafe user name "cyberuser" and realm "SOMECO.COM" are examples only--the actual names will vary.  


For example, if kservice is "oracle", and the fully-qualified name of the machine on which Oracle is running is "dbserver.someco.com", and the realm is "SOMECO.COM", the principal name would be:

oracle/dbserver.someco.com@SOMECO.COM


Note:

It is a common convention to use the DNS domain name as the name of the realm.  


Run kdb5_edit as root to create the service principal.

# cd /krb5/admin
# ./kdb5_edit

To add a principal called "oracle/dbserver.someco.com@SOMECO.COM" to the list of server principals known by CyberSafe, from kdb5_edit type the following:

kdb5_edit:  ark oracle/dbserver.someco.com@SOMECO.COM
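The principal format above (kservice/kinstance@REALM, with kservice case-sensitive, kinstance a fully-qualified host name and REALM in upper case) is easy to get subtly wrong, and a mistyped principal only shows up later as a failed connection. The following checker is an added example, not code from the Oracle guide or from CyberSafe; the function names and the rule that kinstance must contain at least one dot are assumptions made here. It also composes a principal from a host name using the DNS-domain-as-realm convention the guide mentions.

```python
import re

# Added example (not from the Oracle guide): validate a CyberSafe/Kerberos
# service principal against the kservice/kinstance@REALM format from Step 4.
# Rules applied: exactly one "/" and one "@", kservice left exactly as written
# (it is case-sensitive), REALM must be upper-case, and kinstance should be a
# fully-qualified host name (assumption: at least one dot).

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def parse_principal(name):
    """Split 'kservice/kinstance@REALM' into (kservice, kinstance, realm).

    Raises ValueError describing the first structural problem found.
    """
    if name.count("@") != 1:
        raise ValueError("principal must contain exactly one '@'")
    service_part, realm = name.split("@")
    if service_part.count("/") != 1:
        raise ValueError("principal must contain exactly one '/' before '@'")
    kservice, kinstance = service_part.split("/")
    if not kservice or not kinstance or not realm:
        raise ValueError("kservice, kinstance and REALM must all be non-empty")
    return kservice, kinstance, realm


def principal_problems(name):
    """Return a list of human-readable problems; an empty list means OK."""
    try:
        kservice, kinstance, realm = parse_principal(name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if realm != realm.upper():
        problems.append("REALM must be upper-case: %r" % realm)
    labels = kinstance.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        problems.append("kinstance should be a fully-qualified host name: %r" % kinstance)
    if not all(_LABEL.match(l) for l in realm.split(".")):
        problems.append("REALM contains characters not valid in a DNS name: %r" % realm)
    return problems


def build_principal(kservice, host, realm=None):
    """Compose a principal as Step 4 describes.

    When realm is omitted, follow the guide's convention and derive it from
    the host's DNS domain, upper-cased.
    """
    if realm is None:
        domain = host.split(".", 1)[1] if "." in host else ""
        realm = domain.upper()
    return "%s/%s@%s" % (kservice, host, realm)


if __name__ == "__main__":
    # Constructed candidates: the guide's example, then three common mistakes.
    for candidate in ("oracle/dbserver.someco.com@SOMECO.COM",
                      "oracle/dbserver.someco.com@someco.com",
                      "oracle/dbserver@SOMECO.COM",
                      "oracledbserver.someco.com@SOMECO.COM"):
        print(candidate, "->", principal_problems(candidate) or "OK")
```

Run it against the principal you intend to pass to kdb5_edit ark and to SQLNET.AUTHENTICATION_GSSAPI_SERVICE before committing either; both sides must carry the identical string.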

Step 5: Extract the service table from CyberSafe

You need to extract a service table from CyberSafe and copy it to both the Oracle server and CyberSafe TrustBroker client machines. For example, to extract a service table for dbserver.someco.com, type the following from kdb5_edit:

kdb5_edit:  xst dbserver.someco.com oracle 
'oracle/dbserver.someco.com@SOMECO.COM' added to keytab 
'WRFILE:dbserver.someco.com-new-srvtab' 
kdb5_edit:  exit
# /krb5/bin/klist -k -t dbserver.someco.com-new-srvtab


Note:

If you do not enter a REALM (in the example, SOMECO.COM) when using xst, kdb5_edit uses the realm of the current host and displays it in the command output, as shown above.  


After the service table has been extracted, verify that the new entries are in the table in addition to the old entries. If the new entries are not in the service table, or if you need to add additional new entries, use kdb5_edit to append the additional entries.

At this point, you need to move the CyberSafe service table to the CyberSafe TrustBroker client machine. If the service table is on the same machine as the CyberSafe client, you can simply move it (using a command such as that shown below). If the service table is on a different machine from the CyberSafe TrustBroker client, you must transfer the file with a program like FTP. For example, to move it, type the following:

# mv dbserver.someco.com-new-srvtab /krb5/v5srvtab

Remember to transfer the file in binary mode when you use FTP.

Ensure that the Oracle Server Can Read the Service Table

Make sure that the owner of the Oracle Server executable can read the service table (in the previous example, /krb5/v5srvtab). Set the file owner to the Oracle user or make the file readable by the group to which Oracle belongs. Do not make the file readable to all users, since this would allow a security breach.
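A service table is key material: anyone who can read it can impersonate the Oracle service to clients. The check below is an added example, not code from the Oracle guide or from CyberSafe; it takes the uid and gid of the Oracle software owner as parameters and reports whether the file is readable by that account and by nobody else. The demo creates a constructed stand-in file in a temporary directory rather than touching /krb5/v5srvtab.

```python
import os
import stat
import tempfile

# Added example (not from the Oracle guide): verify that a CyberSafe service
# table (e.g. /krb5/v5srvtab) is readable by the Oracle software owner, via
# owner or group, and is not accessible to all users, as Step 5 requires.


def srvtab_permission_problems(path, oracle_uid, oracle_gid):
    """Return a list of problems with the file's mode/ownership; [] means OK."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("service table is accessible to all users (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("service table is group-writable (mode %o)" % mode)
    owner_can_read = st.st_uid == oracle_uid and bool(mode & stat.S_IRUSR)
    group_can_read = st.st_gid == oracle_gid and bool(mode & stat.S_IRGRP)
    if not (owner_can_read or group_can_read):
        problems.append("Oracle account (uid %d, gid %d) cannot read the service table"
                        % (oracle_uid, oracle_gid))
    return problems


def demo():
    """Check a constructed stand-in file under three permission settings."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "v5srvtab")
    with open(path, "wb") as f:
        f.write(b"constructed placeholder, not a real service table")
    me, my_group = os.getuid(), os.getgid()
    results = {}
    os.chmod(path, 0o644)  # a typical default after FTP/mv: world-readable
    results["0644"] = srvtab_permission_problems(path, me, my_group)
    os.chmod(path, 0o640)  # owner and group may read, nobody else
    results["0640"] = srvtab_permission_problems(path, me, my_group)
    os.chmod(path, 0o600)  # owner-only, but checked against a different account
    results["0600_other_owner"] = srvtab_permission_problems(path, me + 1, my_group + 1)
    os.remove(path)
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

On a real server, call srvtab_permission_problems("/krb5/v5srvtab", uid, gid) with the Oracle owner's ids (for example from pwd.getpwnam); the 0644 case in the demo is exactly the state the guide warns against.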

Step 6: Install an Oracle server

Do this on the same machine that is running the CyberSafe TrustBroker client.

More Information:

See the Oracle8i installation documentation for your platform.  

Step 7: Install the Oracle Advanced Security and the CyberSafe adapter

You install the CyberSafe adapter--along with the Oracle Advanced Security option--during a typical installation of Oracle8i. Oracle Universal Installer guides you through the entire installation process.

More Information:

See the Oracle installation documentation for your platform.  

Step 8: Configure Net8 and Oracle on your server and client

More Information:

See your operating system-specific documentation.  

Step 9: Configure CyberSafe authentication

You must set certain parameters in the Oracle server and client sqlnet.ora files. The next few pages explain the following tasks.

You can modify the sqlnet.ora file either by using the Net8 Assistant or by using any text editor. The following pages explain both methods. You modify the init.ora file by using a text editor.

More Information:

See the Net8 Assistant on-line HELP system.  

Using Net8 Assistant

This graphical interface tool makes it easy to set parameters in the sqlnet.ora file and other Oracle8i configuration files.

To launch Net8 Assistant:
To begin configuring the Oracle Advanced Security option using Net8 Assistant:

In the Net8 Assistant's left pane, click the Profile folder. Then go to the drop down list box at the top of the right pane, and select Advanced Security Option. The tabbed pages for the Oracle Advanced Security option appear.

To save changes with Net8 Assistant:

Go to the menu bar and click File > Save Network Configuration.

Configure the authentication service on the client and the server

Do this by setting the SQLNET.AUTHENTICATION_SERVICES parameter.

Figure 4-1 Using Net8 Assistant to Configure Authentication

Use the Net8 Assistant (refer to Figure 4-1):

  1. Select the Authentication tab.

  2. In the Available Methods list, select CyberSafe.

  3. Click the [>] button to move the service over to the Selected Methods list. Move any other methods you want to use in the same way.

  4. Arrange the selected methods in order of desired use. Select a method, then click [Promote] or [Demote] to position it in the list. For example, put CyberSafe at the top of the list if you want that service to be the first one used.

...or modify SQLNET.ORA by setting the following parameter:

SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)

Configure CyberSafe authentication service parameters on the client and the server

Do this by setting the SQLNET.AUTHENTICATION_GSSAPI_SERVICE parameter.

Figure 4-2 Using Net8 Assistant to Configure Authentication Service Parameters

Use the Net8 Assistant (refer to Figure 4-2):

  1. Select the Other Params tab.

  2. In the Authentication Service list box, select CYBERSAFE.

  3. Type the name of the GSSAPI Service in the following format:

    oracle/dbserver.someco.com@SOMECO.COM

...or modify SQLNET.ORA by setting the following parameter:

SQLNET.AUTHENTICATION_GSSAPI_SERVICE=kservice/kinstance@REALM


Note:

You must insert the principal name, using the format described in "Step 4: Configure a service principal for an Oracle server".  

Set INIT.ORA Parameter

Oracle strongly recommends that you add the following parameter to the init<sid>.ora file used for the database instance:

REMOTE_OS_AUTHENT=FALSE

where sid is the database system identifier.


Note:

Setting REMOTE_OS_AUTHENT to TRUE may create a security hole because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).  


Because CyberSafe user names can be long, and Oracle user names are limited to 30 characters, Oracle recommends using the following null value for the value of OS_AUTHENT_PREFIX:

OS_AUTHENT_PREFIX=""

Restart the Oracle server after modifying the configuration files, so the changes will take effect.

More Information:

For information on how to restart the Oracle server, see your operating system-specific documentation and Oracle8i Administrator's Guide.  
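The three settings in Step 9 (SQLNET.AUTHENTICATION_SERVICES, SQLNET.AUTHENTICATION_GSSAPI_SERVICE, and the REMOTE_OS_AUTHENT / OS_AUTHENT_PREFIX pair in init<sid>.ora) are the ones that decide whether a connection is really authenticated by CyberSafe. The checker below is an added example, not code from the Oracle guide; it parses the KEY=value syntax of both files, including the parenthesised list form, and reports a weak configuration beside a correct one. The sample configuration text is constructed for the example; the defaults it assumes when a parameter is absent are Oracle's documented defaults (REMOTE_OS_AUTHENT=FALSE, OS_AUTHENT_PREFIX=OPS$).

```python
import re

# Added example (not from the Oracle guide): check the sqlnet.ora and
# init<sid>.ora settings that Step 9 asks for. Parses "KEY=value" lines,
# understands the parenthesised list form used by
# SQLNET.AUTHENTICATION_SERVICES, and reports deviations from the guide.

# A principal of the form kservice/kinstance@REALM with an upper-case realm.
_PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@[A-Z0-9.\-]+$")


def parse_ora(text):
    """Parse KEY=value lines ('#' starts a comment) into a dict.

    Values in parentheses such as (CYBERSAFE, BEQ) become lists of strings;
    other values lose surrounding double quotes. Keys are upper-cased.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[key.upper()] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key.upper()] = value.strip('"')
    return params


def check_cybersafe_config(sqlnet_text, init_text):
    """Return a list of problems; an empty list means the files match Step 9."""
    problems = []
    sqlnet = parse_ora(sqlnet_text)
    init = parse_ora(init_text)

    services = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if isinstance(services, str):
        services = [services]
    if "CYBERSAFE" not in [s.upper() for s in services]:
        problems.append("SQLNET.AUTHENTICATION_SERVICES does not include CYBERSAFE")

    gss = sqlnet.get("SQLNET.AUTHENTICATION_GSSAPI_SERVICE")
    if not gss:
        problems.append("SQLNET.AUTHENTICATION_GSSAPI_SERVICE is not set")
    elif not isinstance(gss, str) or not _PRINCIPAL.match(gss):
        problems.append("SQLNET.AUTHENTICATION_GSSAPI_SERVICE is not kservice/kinstance@REALM "
                        "with an upper-case realm: %r" % (gss,))

    # Assumed Oracle defaults when the parameter is absent from init<sid>.ora.
    if str(init.get("REMOTE_OS_AUTHENT", "FALSE")).upper() != "FALSE":
        problems.append("REMOTE_OS_AUTHENT should be FALSE; TRUE allows OS-authenticated "
                        "logins over non-secure protocols")
    if init.get("OS_AUTHENT_PREFIX", "OPS$") != "":
        problems.append('OS_AUTHENT_PREFIX should be "" so external names fit in 30 characters')
    return problems


# Constructed sample files: a weak pair and a pair that follows the guide.
WEAK_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES=(BEQ)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@someco.com
"""
WEAK_INIT = """
REMOTE_OS_AUTHENT=TRUE   # OS_AUTHENT_PREFIX left at its default
"""
GOOD_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM
"""
GOOD_INIT = """
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
"""

if __name__ == "__main__":
    print("weak:", check_cybersafe_config(WEAK_SQLNET, WEAK_INIT))
    print("good:", check_cybersafe_config(GOOD_SQLNET, GOOD_INIT))
```

Feed it the real files with open(...).read() on both the client and the server; the client's sqlnet.ora must name the same GSSAPI service principal as the server's.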

Step 10: Create a CyberSafe User on the authentication server

In order for CyberSafe to authenticate Oracle users, you must create them on the CyberSafe authentication server where the administration tools are installed. The following steps assume that the realm already exists.

More Information:

For information on creating the realm, see "Related Publications" in the Preface of this guide.  


Note:

The utility names in this section are actual programs that you run. However, the CyberSafe user name "cyberuser" and realm "SOMECO.COM" are examples only; these may vary among systems.  


Run /krb5/admin/kdb5_edit as root on the authentication server to create the new CyberSafe user, that is, "cyberuser". Type the following:

# kdb5_edit
kdb5_edit: ank cyberuser
Enter password: <password not echoed to screen>
Re-enter password for verification: <password...>
kdb5_edit: quit

Step 11: Create an externally authenticated Oracle user on the Oracle server

Run SQL*Plus to create the Oracle user and perform the following commands on the Oracle server machine:

SQL> CONNECT INTERNAL;
SQL> CREATE USER "USERNAME" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "USERNAME";

In this example, OS_AUTHENT_PREFIX is set to "".


Note:

When you create the Oracle user, the name must be in upper case and double-quoted.  


In the following example, OS_AUTHENT_PREFIX is set to "".

SQL> CREATE USER "JDOE" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "JDOE";

More Information:

See Oracle8i Administrator's Guide.  

Step 12: Get the initial ticket for the Kerberos/Oracle user

Before users can connect to the database, they need to run kinit on the clients for an initial ticket.

% kinit (user name)
Password for CYBERUSER@US.ORACLE.COM:
<password not echoed to screen>

Use klist on the Client to Display Credentials

Users should run klist on the clients to list the tickets currently owned.

% klist
Creation Date       Expiration Date     Service
11-Aug-95 16:29:51  12-Aug-95 00:29:21  krbtgt/SOMECO.COM@SOMECO.COM
11-Aug-95 16:29:51  12-Aug-95 00:29:21  oracle/dbserver.someco.com@SOMECO.COM

Step 13: Connect to an Oracle server authenticated by CyberSafe

After running kinit to get an initial ticket, users can connect to an Oracle server without using a user name or password. Enter a command like the following:

%  sqlplus /@net_service_name

where net_service_name is a Net8 service name.

For example:

% sqlplus /@npddoc_db

More Information:

See Chapter 1, "Introduction to Oracle Advanced Security" and Oracle8i Distributed Database Systems.  

Troubleshooting the Configuration of the CyberSafe Authentication Adapter

Following are some common configuration problems and tips to help resolve them:

If you cannot get your ticket-granting ticket using kinit:
If you have an initial ticket, but still cannot connect:
If you have a service ticket and you still cannot connect:
If everything seems to work fine, but then you issue another query and it fails:

Copyright © 1999 Oracle Corporation.

All Rights Reserved.
