
Using Strong Authentication

Copyright 2009, Oracle. All rights reserved.

Objectives
After completing this lesson, you should be able to do the following:
- Describe strong authentication that uses:
  - Certificates
  - Kerberos
  - Remote Authentication Dial-In User Service (RADIUS)

- Describe a setup for strong authentication that uses:
  - Certificates
  - Kerberos
  - Key Distribution Center (KDC)
- Implement the secure external password store

7-2


User Authentication
Identify the user in the following ways:
- Basic authentication
  - Database user identified by a password
  - Database user identified by the operating system
- Strong authentication
- Enterprise User Security
- Proxy authentication

7-3


Strong User Authentication


Strong authentication:
- Is stronger than password authentication
- Often includes single sign-on functionality
- Is supported by the following authentication technologies:
  - Certificates, public key infrastructure (PKI)
  - RADIUS, token, and smart cards
  - Kerberos
- Integrates with Oracle Net Services
- Requires Oracle Advanced Security (ASO)

7-4


Single Sign-On
Single sign-on is a centralized authentication service. The user has a single username and password. Servers authenticate users through the central service.

[Figure: Client, Authentication server, Server]

7-6


Public Key Infrastructure (PKI) Tools


The Oracle database PKI implementation includes:
- Components:
  - Oracle Wallet
  - Oracle Advanced Security
  - Oracle Identity Management infrastructure
- Management tools:
  - Oracle Wallet Manager

7-7


Certificates
Certificates:
- Are digital documents
- Provide proof of identity
- Are stored in Oracle Wallets

Certificate authority:
- Is a trusted organization (trust point)
- Attests the identity of the certificate
- Issues trusted X.509 v3 certificates

Certificate use:
- Requires Secure Sockets Layer (SSL)
- Requires a level of trust in the signing authority

7-8


How to Use Certificates for Authentication


1. Install the required components.
2. Configure the server for SSL.
3. Configure the server-side Oracle Net files:
   - listener.ora
   - sqlnet.ora
4. Configure the client for SSL.
5. Configure the client-side Oracle Net files:
   - sqlnet.ora
   - tnsnames.ora
6. Create a user that is authenticated with a certificate.
7. Connect to the database.

7-9


Configuring SSL on the Server

7 - 10


Configuring Oracle Net Files on the Server

7 - 11


Configuring SSL on the Client

7 - 12


Configuring Oracle Net Files on the Client


On the client, specify:
- The server's distinguished name
- The TCPS protocol listener port
- The client wallet location

7 - 13


Creating a User Identified by Certificate


When you create a global user, you can specify the X.509 name that identifies this user at the enterprise directory server:

CREATE USER global_user1 IDENTIFIED GLOBALLY AS 'CN=analyst,OU=division1, O=oracle, C=US';

You can also create a shared schema that any user who is authenticated to the directory and mapped to the schema can use:

CREATE USER global_user2 IDENTIFIED GLOBALLY AS '';

7 - 15


Connecting to the Database


The user that owns the client wallet may connect to the database by using:
CONNECT /@SSL_ORCL;

7 - 16


orapki Utility
orapki is a command-line utility for scripting common PKI management tasks. It can be used for:
- Creating and viewing signed certificates for testing purposes
- Managing Oracle wallets:
  - Creating and displaying Oracle wallets
- Renaming CRLs with a hash value for certificate validation

7 - 17


How to Use Kerberos for Authentication


1. Install Kerberos.
2. Configure a service principal for the database server.
3. Extract a service table from Kerberos.
4. Install an Oracle database server and a client.
5. Install Oracle components.
6. Configure Oracle Net Services and the Oracle database.
7. Configure Kerberos authentication.
8. Create a Kerberos user.
9. Create an externally authenticated Oracle user.
10. Get an initial ticket for the Kerberos and Oracle user.

7 - 18


How to Use KDC with Windows 2000 for Authentication


1. Configure an Oracle Kerberos client to interoperate with a Windows 2000 domain controller KDC.
2. Configure a Windows 2000 domain controller KDC to interoperate with an Oracle client.
3. Configure an Oracle database to interoperate with a Windows 2000 domain controller KDC.
4. Get an initial ticket for the Kerberos and Oracle user.

7 - 20


RADIUS Authentication: Overview


RADIUS is a protocol for remote authentication and access. You may use any authentication method that supports the RADIUS standard. You may change authentication methods without changing the database or client configuration. The user is defined in the database as IDENTIFIED EXTERNALLY.

7 - 22


External Secure Password Store

[Figure: the client wallet holds credentials for the aliases DEV (vkrama/?????@DEV) and PROD (ramav/????@prod_db.acme.com); the user connects with CONNECT /@DEV]

7 - 23


Configuring the Wallet


Use the mkstore command.

Create the wallet:

mkstore -wrl $HOME/admin/orcl/wallets -create

Add credentials to the wallet:

mkstore -wrl $HOME/admin/orcl/wallets -createCredential dev hr [hr]

Note: User password is not required on the command line; the command-line input must be on one line.

7 - 24


Configuring sqlnet.ora
Set the following in sqlnet.ora:
- WALLET_LOCATION
- SQLNET.WALLET_OVERRIDE

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/rama/admin/orcl/wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
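As an added example (not part of the course material), a small Python parser for the Oracle Net parameter syntax that reads a sqlnet.ora and verifies the two settings above: a FILE wallet with a DIRECTORY and SQLNET.WALLET_OVERRIDE = TRUE, reporting whatever is missing so that a client audit can catch a wallet that exists but is never consulted. The function names, the _dig helper and the embedded sample text are assumptions of this example; the sample reproduces the slide's values.

```python
import re
# Tokens of an Oracle Net parameter file: parentheses, '=' and bare words.
_TOKEN = re.compile(r"\(|\)|=|[^\s()=]+")

def _parse_value(tokens, i):
    """Value at tokens[i]: a bare word, or '(' KEY = value ')' groups -> dict."""
    if tokens[i] != "(":
        return tokens[i], i + 1
    group = {}
    while i < len(tokens) and tokens[i] == "(":
        key = tokens[i + 1]
        if tokens[i + 2] != "=":
            raise ValueError("expected '=' after %s" % key)
        group[key.upper()], i = _parse_value(tokens, i + 3)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parenthesis after %s" % key)
        i += 1
    return group, i

def parse_sqlnet(text):
    """Top-level NAME = value entries of a sqlnet.ora as a nested dict."""
    tokens = _TOKEN.findall(re.sub(r"#.*", "", text))  # comments dropped
    params, i = {}, 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError("expected '=' after %s" % tokens[i])
        key = tokens[i].upper()
        params[key], i = _parse_value(tokens, i + 2)
    return params

def _dig(d, *keys):  # walk nested dicts; None if a key is missing or a level is scalar
    for k in keys:
        d = d.get(k) if isinstance(d, dict) else None
    return d

def check_password_store(text):
    """Return (wallet_dir, problems): FILE wallet DIRECTORY and WALLET_OVERRIDE = TRUE."""
    params = parse_sqlnet(text)
    wallet_dir = _dig(params, "WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY")
    problems = []
    if str(_dig(params, "WALLET_LOCATION", "SOURCE", "METHOD")).upper() != "FILE":
        problems.append("WALLET_LOCATION METHOD is not FILE")
    if not wallet_dir:
        problems.append("WALLET_LOCATION has no METHOD_DATA DIRECTORY")
    if str(params.get("SQLNET.WALLET_OVERRIDE")).upper() != "TRUE":
        problems.append("SQLNET.WALLET_OVERRIDE is not TRUE")
    return wallet_dir, problems

SAMPLE_OK = ("WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = "
             "/home/rama/admin/orcl/wallet)))\nSQLNET.WALLET_OVERRIDE = TRUE")  # constructed
```

Quoted values containing spaces or parentheses are not handled by this small tokenizer.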

7 - 25


Managing the External Password Store


For the external password store:
- List contents
- Add credentials
- Modify credentials
- Delete credentials

7 - 26


Practice 7 Overview: Configuring the External Secure Password Store


This practice covers the following topics:
- Configuring the external secure password store
- Implementing a user connecting remotely without a password
- Viewing the contents of the wallet

7 - 27


Summary
In this lesson, you should have learned how to:
- Describe strong authentication that uses:
  - Certificates
  - Kerberos
  - RADIUS
- Describe a setup for strong authentication that uses:
  - Certificates
  - Kerberos
  - Key Distribution Center (KDC)
- Implement an external secure password store

7 - 28

