7
Using the Advanced Networking Option

This chapter describes configuration for ANO:

• Introducing ANO
• Installing Net8 After Installing ANO
• Setting Up Network Security and Single Sign-On
• Identix Adapter Notes
• DCE Integration
• Using the NDS Native Naming Adapter

  Note: All ANO features are discussed in the Oracle Advanced Networking Option Administrator's Guide.

Introducing ANO

ANO consists of three components:

• Network Security
• Single Sign-On
• DCE Integration

Network Security

Network Security is an Oracle network data encryption and checksumming service to ensure secure transmission of data over networks. Network Security uses encryption and authentication engines from RSA Data Security, Incorporated.

These concepts are explained in the following sections:

• Encryption
• Public Key Cryptography
• Digital Signatures
• Digital Certificates
• Certificate Revocation Lists

Encryption

Encryption provides a way to ensure confidentiality of information. Encryption is the transformation of data so that it is unreadable by anyone without a (secret) decryption key. Encryption provides a means to ensure confidentiality of information by keeping its content hidden from anyone for whom it is not intended, even those who can see the encrypted data. For example, one may want to encrypt sensitive information stored on a laptop so that if the laptop is stolen, the data cannot be recovered by the thief.

In symmetric-key encryption, the sender of a message uses a secret key to encrypt the message, and the receiver uses the same secret key to decrypt the message. If Alice and Bob want to communicate, they must each know what the secret key is (and the key must be exchanged in a way that the secrecy of the key is preserved). If Bob and Steve want to communicate, they must also have a separate key (so that, for example, Alice cannot read their messages).

The main drawback of symmetric-key encryption is that, in a system with many users wanting to communicate, the management and distribution of keys becomes overwhelming.

Public Key Cryptography

Public key cryptography solves the key management problem of symmetric-key cryptography. In the public key scheme, each person receives a pair of keys:

• a public key
• a private key

Each person's public key is published, while the private key is confidential. Messages encrypted with a public key can only be decrypted with the corresponding private key. Messages encrypted with a private key can only be decrypted with the corresponding public key. Keys may not be deduced from each other. The sender and receiver of an encrypted message do not share confidential information, since all communications involve only public keys. Private keys are neither transmitted nor shared.

For example, Alice sends a message to Bob so that only Bob can read it. She encrypts the message with Bob's public key, which is public knowledge. Bob decrypts the message with his private key to read it. Only Bob owns the private key that is able to decrypt the message, and only Bob can read the message.

Digital Signatures

Public key cryptography can be used for authentication (digital signatures) as well as for privacy (encryption). A digital signature is a non-forgeable way of authenticating the sender of a message and supports non-repudiation of messages. Only the purported sender of a message could actually have sent the message. The sender cannot later claim that someone impersonated her or him.

For example, Alice orders equipment, and the purchasing department (where Bob works) requires a digital signature on the purchase order. To sign the purchase order, Alice performs a computation (hash) of the message, encrypts the hash with her private key, and attaches the encrypted hash (digital signature) to the order before sending it. To verify the signature, Bob decrypts the hash with the public key belonging to Alice, performs the same computation on the order, and compares the results with the decrypted hash that Alice sent to him. If the results are the same, then only Alice could have sent the message.

Digital Certificates

To establish confidence in the identity associated with a public key, public keys are incorporated into digital certificates. A digital certificate is a binding of a public key to a user by a trusted third party known as a Certificate Authority (CA). The public key and user identity, together with other information such as the certificate expiration date, are digitally signed by the CA. CAs serve as electronic notaries, attesting to the identity of users and the validity of their public keys.

Certificates may be issued in several ways. For instance, Alice may generate her own key pair and send the public key to an appropriate CA with some proof of her identification. The CA verifies the identification and takes other steps to ensure that Alice is really Alice. Next, the CA sends Alice a certificate attesting to the binding between Alice and her public key, along with a hierarchy of certificates verifying the CA's public key. Alice can present this certificate chain whenever necessary to demonstrate the legitimacy of her public key.

Alternatively, the key pair may be generated by an administrator in a way that the person generating the keys does not know the private key of Alice. The private key may be given to her on a diskette or embedded within a token. The public key belonging to Alice is bound to a certificate by the CA, a copy given to Alice and a copy stored in a public database for ready access.

Certificate Revocation Lists

Public keys are sometimes revoked before their expiration date. Such instances include compromised keys or employment termination. A Certificate Revocation List (CRL) lists such revoked public keys. CAs maintain CRLs and provide information about revoked keys originally certified by the CA. CRLs list only current keys, since expired keys are not valid. A revoked key past the expiration date is removed from the list. Although CRLs are maintained in a distributed manner, networked sites may provide a centralized location for the latest CRLs.

Note: See the RSA Data Security website at http://www.rsa.com for more information about public key cryptography and digital signatures.

Supported Algorithms

These algorithms are supported:

Encryption

• RC4_40 (US, Export & Upgrade versions of ANO)
• RC4_56 (US only)
• RC4_128 (US only)
• DES_56 (US & Upgrade)
• DES_40 (US, Export & Upgrade)

Checksumming

• MD5 (US, Export & Upgrade)

Single Sign-On

The single sign-on feature allows users to access multiple accounts and applications with a single password. This feature eliminates the need for multiple passwords for users and simplifies management of user accounts and passwords for system administrators.

Authentication Adapters

Centralized, secure authentication services increase your confidence in the identity of users, clients, and servers in distributed environments. Network authentication services also can provide the benefit of single sign-on for users.

ANO supports these authentication adapters:

• Kerberos
• CyberSAFE
• SecurID
• Biometric (Identix)

DCE Integration

Distributed Computing Environment (DCE) Integration enables users to transparently use Oracle tools and applications to access Oracle7 servers in a DCE environment. The Oracle DCE Integration product consists of two major components:

• DCE Communications/Security Adapter
• DCE CDS (Cell Directory Service) Naming Adapter

DCE Communication/Security Adapter

The DCE Communication/Security Adapter provides:

• authenticated Remote Procedure Call (RPC)

  RPC is the transport mechanism that enables multi-vendor interoperability for DCE Integration. RPC also uses additional DCE services, including directory and security services, to provide location transparency and secure distributed computing.

• integrated security

  DCE Integration works with the DCE Security Service to provide security within DCE cells. It enables a user logged onto DCE to securely access any Oracle application without specifying a username or password. This function is referred to as external authentication to the database. In addition, clients and servers not running DCE authentication services can interoperate with systems that have DCE security by specifying an Oracle password.

• data privacy and integrity

  DCE Integration uses multiple levels of security to ensure data authenticity, privacy, and integrity. For example, users have a range of choices, from no protection to full encryption for each connection, with a guarantee that no data has been modified in transit. For parts of your network that do not use DCE, you may want to use ANO-Network Security and Single Sign-On.

DCE CDS Naming Adapter

DCE Integration registers Oracle7 connect descriptors in the DCE CDS Naming Adapter, allowing them to be transparently accessed across the entire DCE environment. Users can connect to Oracle database servers in a DCE environment using familiar Oracle service names.

The DCE CDS Naming Adapter offers a distributed, replicated repository service for name, address, and attributes of objects across the network. Because servers register their name and address information in the DCE CDS Naming Adapter, Oracle clients can make location-independent connections to Oracle servers. Services can be relocated without any changes to the client configuration. An Oracle utility is provided to load the Oracle service names (with corresponding connect descriptors) into the DCE CDS Naming Adapter. After the names are loaded, Oracle connect descriptors can be viewed from a central location with standard DCE tools.

Installing Net8 After Installing ANO

Net8 and ANO have some DLLs that share the same name but not the same functionality. Therefore, do not install Net8 after installing ANO. If you do, ANO will not work because some DLLs will be overwritten.

Setting Up Network Security and Single Sign-On

This section describes specific platform-specific configuration steps to perform for Network Security and Single Sign-On.

Additional Information: General configuration instructions are described in detail in the Oracle Advanced Networking Option Administrator's Guide.

Configuring the Kerberos Authentication Adapter

To use the Kerberos Authentication Adapter, you need to have the root drive :\USR\TMP subdirectory present.

Note: You may experience difficulty executing SQL scripts from SQL*Plus if you use the Kerberos Authentication Adapter. Re-installing SQL*Plus for Windows NT and Windows 95 solves this problem.

Configuring the SecurID Authentication Adapter

To use the SecurID Authentication Adapter, you need the following from your SecurID administrator:

• SDCONF.REC file present in the root drive :\VAR\ACE
• port numbers and service names present in the Windows NT services file

Configuring the CyberSAFE Authentication Adapter

Before using the CyberSAFE Authentication Adapter:

• install the CyberSAFE Application Security Toolkit
• run the CyberSAFE Challenger Client to get your ticket-granting ticket

  Additional Information: See the CyberSAFE Application Security Toolkit documentation.

Identix Adapter Notes

This section describes the following:

• General Configuration Instructions
• Configuring the TouchSafe II Device Driver
• Non-NT Authentication Servers

General Configuration Instructions

See Oracle Advanced Networking Option Administrator's Guide.

Configuring the TouchSafe II Device Driver

If during the installation of Oracle Enterprise Manager Biometrics Manager, you chose not to allow the installer to set up your Identix TouchSafe II Device Driver, then you can configure it manually as follows.

Note: You need to know the IO Port that your Identix TouchSafe II is using before doing this. Please refer to the Identix TouchSafe II Hardware documentation.

To install the TouchSAFE II Encrypt device driver for Intel Windows NT:

1. Change directory to ORACLE_HOME\IDENTIX
2. Modify the IoPortAddress parameter in ETSIINT.INI to the current TouchSafe II Encrypt I/O port setting. For example:

   IoPortAddress = REG_DWORD 0x00000360  for I/O port 0x360 
   

3. Modify the Windows NT directory setting in ETSIINT.BAT.

   For example:

   copy etsiint.sys c:\winnt35\system32\drivers   
   -> copy etsiint.sys c:\winnt351\system32\drivers 
   

4. Run batch file ETSIINT.BAT.
5. Use the SetKey utility in the Identix demo program to set a hash key in Hex. Set the key to C001BABY for example (do not use this value!). Make sure the hash key matches exactly the one set in the DEFAULT Security policy.
6. Re-boot the system, and the device driver will start to work.
7. To make sure the device driver is running, check the Device Control Panel after re-boot. The device ETSIINT should be started already.

Non-NT Authentication Servers

Oracle Corporation does not support any native authentication when connecting from an Oracle Server on Windows NT to a UNIX authentication server. On the NT machine where the Oracle Server is located, modify the TNSNAMES.ORA file to include the following:

. . .

    (CONNECT_DATA =    
      (SID = <SID>))
                     (SECURITY=(AUTHENTICATION_SERVICES=NONE))

. . .

Note: If you want a secure connection, you can still use Kerberos, CyberSAFE, or SecurID. If you use one of these adapters, do not add this line.

DCE Integration

When using Digital DCE, do not start the listener with the LSNRCTL80 utility. Instead, use the Windows NT Services Control Panel to start the listener.

1. To start the listener with the Control Panel:
2. From the Start menu, select Settings > Control Panel.
3. Double-click Services.
4. Scroll to find the OracleTNSListener entry, and select by clicking the entry.
5. Click Start.
6. Click Close to dismiss the Control Panel.

Using the NDS Native Naming Adapter

Note: The NDS Native Naming Adapter is shipped as a part of Net8. To use the NDS Authentication Adapter, you must run NetWare 4.1 or above with NDS.

The NDS Native Naming Adapter for Windows NT clients uses the NDS naming environment to store service names and addresses of Oracle databases. This lets an NDS user view the entire network under a single NDS directory tree. You can use native name services in addition to or instead of Oracle Names or the TNSNAMES.ORA file.

If the NDS Authentication Adapter is also used, a single login can access a multi-server and multi-database network.

Additional Information: See: Oracle Advanced Networking Option Administrator's Guide for more information about the Native Naming Adapter Novell NetWare documentation for further information about NDS Oracle7 Getting Started for NetWare

To connect with the NDS Native Naming Adapter:

1. Install and configure the NDS Native Naming Adapter and Net8 on your client, using Oracle Net8 Assistant.

   Additional Information: See: Oracle Advanced Networking Option Administrator's Guide for other optional parameters Chapter 4, "Configuring the Network"

2. Install and configure Net8 for NetWare on your server.
3. Log into the NDS tree.
4. Open SQL*Plus on your client.
5. Enter the following command to access an Oracle7 Server for NetWare database:

   	CONNECT username/password@database_object_name
   

   where database_object_name identifies the Oracle7 Server in NDS.

Configuring ANO Using Oracle Net8 Assistant

1. Start Oracle Net8 Assistant.

   From the taskbar, select Start > Programs > Oracle for Windows NT or Windows 95 > Oracle Net8 Assistant.

2. Double-click Profiles.

   The profile details appear on the right side of the screen.

3. Choose Advanced Networking Option from the drop-down list.

4. Click the Authentication tab.
5. Select the authentication adapter you want to use from the Available Services list. Click < to add the adapter to the selected services list. Select only one authentication adapter to use.
6. Order the Selected Services items by using the Promote or Demote button to move the services up or down.
7. Click the Parameter tab.

   The default values appear in the fields. Modify the values as necessary.

8. Click the Encryption tab.

   

9. Enter:

   Field	Description
   Encryption	Select from the drop-down list: Server, Client
   Encryption Type	Select from the drop-down list: Requested, Required, Rejected
   Encryption Seed	Enter any character string, except the double quote character " ". This string will be used to encrypt your data. The encryption seed on the server must match the seed on the client.

   The available algorithms appear in the list box on the right side of the window.

10. Select as many algorithms as you want to use.

    The server and client negotiate to determine which algorithm was used to encrypt your data.

11. Click the Integrity tab.

    

12. Enter:

    Field	Description
    Server	Select Requested, Rejected, Required
    Client	Select Requested, Rejected, Required

---