7
Configuring Secure Sockets Layer Authentication

This chapter describes how to use the Secure Sockets Layer (SSL) protocol in Oracle Advanced Security. It contains the following topics:

• SSL in an Oracle Environment
• SSL between Non-Oracle Clients and Oracle Database Servers
• SSL Combined with Other Authentication Methods
• SSL and Firewalls
• SSL Usage Issues
• Enabling SSL
• Using an nCipher Secure Accelerator

SSL in an Oracle Environment

Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL uses RSA public key cryptography to provide authentication, encryption, and data integrity in a public key infrastructure (PKI).

This section discusses the following topics:

• What You Can Do with SSL
• Components of SSL in an Oracle Environment
• How SSL Works in an Oracle Environment: The SSL Handshake

What You Can Do with SSL

Oracle Advanced Security supports authentication by using digital certificates over SSL in addition to the native encryption and data integrity capabilities of the SSL protocol.

By using Oracle Advanced Security SSL functionality to secure communications between clients and servers, you can

• Use SSL to encrypt the connection between clients and servers
• Authenticate any client or server to one or more Oracle database servers
• Authenticate an Oracle database server to any client

You can use SSL features by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos. SSL supports any of the following authentication modes:

• Only the server authenticates itself to the client
• Both client and server authenticate themselves to each other
• Neither the client nor the server authenticates itself to the other, thus using the SSL encryption feature by itself

  See Also: The SSL Protocol, Version 3.0, published by the Internet engineering Task Force, for a more detailed discussion of SSL Chapter 1, Introduction to Oracle Advanced Security, for more information about authentication methods

Components of SSL in an Oracle Environment

The components of SSL in an Oracle environment include the following:

• Certificate Authority
• Certificate
• Wallet

Certificate Authority

A certificate authority (CA) is a trusted third party that certifies the identity of third parties and other entities, such as users, databases, administrators, clients, and servers. The certificate authority verifies the party identity and grants a certificate, signing it with its private key.

Different CAs may have different identification requirements when issuing certificates. One may require the presentation of a user's driver's license, while others may require notarization of the certificate request form, or fingerprints of the requesting party.

The CA publishes its own certificate, which includes its public key. Each network entity has a list of certificates of the CAs it trusts. Before communicating with another entity, a given entity uses this list to verify that the signature on the other entity's certificate is from a known, trusted CA.

Network entities can obtain their certificates from the same or different CAs. By default, Oracle Advanced Security automatically installs trusted certificates from VeriSign, RSA, Entrust, and GTE CyberTrust when you install a new wallet.

Certificate

A certificate is created when a party's public key is signed by a trusted certificate authority (CA). A certificate ensures that a party's identification information is correct, and that the public key actually belongs to that party.

A certificate contains the party's name, public key, and an expiration date--as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate.

When a network entity receives a certificate, it verifies that it is a trusted certificate--one issued and signed by a trusted certificate authority. A certificate remains valid until it expires or until it is terminated.

Wallet

A wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, every entity that communicates over SSL must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates.

Security administrators use the Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients. Specifically, you use Oracle Wallet Manager to do the following:

• Generate a public-private key pair and create a certificate request for an identity to submit to a certificate authority
• Store a certificate for an entity in the wallet
• Configure trusted certificates for an entity

  Note: Installation of Oracle Advanced Security Release 2 (9.2) also installs Oracle Wallet Manager release 3.0 and Oracle Enterprise Login Assistant release 9.2.

  See Also: Chapter 17, Using Oracle Wallet Manager Creating a New Wallet . Managing Trusted Certificates .

How SSL Works in an Oracle Environment: The SSL Handshake

When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps:

• The client and server establish which cipher suites to use. This includes which encryption algorithms are used for data transfers.
• The server sends its certificate to the client, and the client verifies that the server's certificate was signed by a trusted CA. This step verifies the identity of the server.
• Similarly, if client authentication is required, the client sends its own certificate to the server, and the server verifies that the client's certificate was signed by a trusted CA.
• The client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communications between the client and the server is encrypted and decrypted by using this set of session keys and the negotiated cipher suite.

In an Oracle environment, the authentication process consists of the following steps:

1. On a client, the user initiates an Oracle Net connection to the server by using SSL.
2. SSL performs the handshake between the client and the server.
3. If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database.

SSL between Non-Oracle Clients and Oracle Database Servers

You can use the Oracle Advanced Security SSL feature to secure connections between non-Oracle clients and Oracle database servers. For example, SSL can grant secure access to a browser client outside an Oracle network to authorized data within the Oracle network.

Figure 7-1 shows how SSL is used to secure connections between Oracle and non-Oracle entities over the Internet. In this example, a Web server runs as an Oracle9i Java client. It receives messages over HTTPS (HTTP secured by SSL), and sends CORBA requests to the Oracle database server over IIOP/SSL (IIOP secured by SSL). In this example, the Web server passes its own certificate to the Oracle server, rather than the certificate of the Web client.

Figure 7-1 Connecting to an Oracle Server over the Internet

Text description of the illustration ano81017.gif

SSL Combined with Other Authentication Methods

You can configure Oracle Advanced Security to use SSL concurrently with other supported authentication methods, such as Kerberos, RADIUS, or CyberSafe, which are discussed in the following sections:

• Architecture: Oracle Advanced Security and SSL
• Using SSL with Other Authentication Methods

  See Also: Appendix A"Data Encryption and Integrity Parameters" for information about how to configure SSL with other supported authentication methods, including an example of a sqlnet.ora file with multiple authentication methods specified.

Architecture: Oracle Advanced Security and SSL

Figure 7-2, which displays the Oracle Advanced Security implementation architecture, shows that Oracle Advanced Security operates at the session layer on top of SSL and uses TCP/IP at the transport layer. This separation of functionality lets you employ SSL concurrently with other supported protocols.

Figure 7-2 SSL in Relation to Oracle Advanced Security

Text description of the illustration ano81015.gif

Using SSL with Other Authentication Methods

Figure 7-3 illustrates a configuration in which SSL is used in combination with another authentication method supported by Oracle Advanced Security. In this example, SSL is used to establish the initial handshake (server authentication), and an alternative authentication method is used to authenticate the client.

Figure 7-3 SSL in Relation to Other Authentication Methods

Text description of the illustration ano81018.gif

1. The client seeks to connect to the Oracle database server.
2. SSL performs a handshake during which the server authenticates itself to the client and both the client and server establish which cipher suite to use.
3. Once the SSL handshake is successfully completed, the user seeks access to the database.
4. The Oracle database server authenticates the user with the authentication server using a non-SSL authentication method such as Kerberos, CyberSafe, or RADIUS.
5. Upon validation by the authentication server, the Oracle database server grants access and authorization to the user.
6. The user accesses the Oracle database securely using SSL.

   See Also: "How SSL Works in an Oracle Environment: The SSL Handshake"

SSL and Firewalls

Oracle Advanced Security supports two types of firewalls:

• Application proxy-based firewalls, such as Network Associates Gauntlet, or Axent Raptor.
• Stateful packet inspection firewalls, such as Check Point Firewall-1, or Cisco PIX Firewall.

When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets.

Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it checks the target IP address against its access rules and lets the SSL packet pass through to permitted SSL ports, rejecting all others.

With the Oracle Net Firewall Proxy kit, firewall applications can provide specific support for database network traffic. If the proxy kit is implemented in the firewall, the following processing takes place:

• The Net Proxy (a component of the Oracle Net Firewall Proxy kit) must know where to route its traffic.
• The database listener requires access to a certificate in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning the port on which the target database listens to the client. This port must be designated as an SSL port.
• The client communicates on this server-designated port in all subsequent connections.
• The number of ports that are open in the firewall increase as a function of the number of database connections requested. This approach prohibits the database server from using randomly chosen SSL ports, because the SSL ports on the firewall must match those chosen by the database. You can avoid this condition by deploying Oracle Connection Manager, an application included with Oracle Advanced Security Enterprise Edition.

Oracle Connection Manager lets you route client connections over multiple Net Manager protocols. Each client connection request establishes an SSL connection between the client and Oracle Connection Manager, which in turn establishes a TCP/IP connection with the target database. Multiple clients can thus connect to multiple databases behind the firewall, using a single SSL port through the firewall.

SSL Usage Issues

Consider the following issues when using SSL:

• SSL use enables authorization retrieval from an LDAP-based directory service. Client-side SSL authentication is required in order to manage enterprise users and their privileges in a directory.
• Because SSL supports both authentication and encryption, the client database server connection is somewhat slower than the standard Oracle Net TCP/IP transport (using native encryption).
• Each SSL authentication mode requires configuration settings.

  Note: U.S. government regulations prohibit double encryption. Accordingly, if you configure Oracle Advanced Security to use SSL encryption and another encryption method concurrently, the connection fails (you also cannot configure SSL authentication concurrently with non-SSL authentication). If you configure SSL encryption, you must disable non-SSL encryption. To disable such encryption, see: Disabling Oracle Advanced Security Authentication.

  See Also: "Using an nCipher Secure Accelerator" for information about improving SSL performance with hardware accelerators "Enabling SSL"

Enabling SSL

To enable SSL:

• Task 1: Install Oracle Advanced Security and Related Products
• Task 2: Configure SSL on the Client
• Task 3: Configure SSL on the Server
• Task 4: Log on to the Database

Task 1: Install Oracle Advanced Security and Related Products

Install Oracle Advanced Security on both the client and server. When you do this, the Oracle Universal Installer automatically installs SSL libraries, Oracle Wallet Manager, and Oracle Enterprise Login Assistant on your system.

Task 2: Configure SSL on the Client

To configure SSL on the client:

• Step 1: Confirm Wallet Creation on the Client
• Step 2: Configure Service Name to Include Server DNs and Use TCP/IP with SSL
• Step 3: Specify Required Client Configuration (Wallet Location)
• Step 4: Set the SSL Cipher Suites on the Client (Optional)
• Step 5: Set the Required SSL Version (Optional)
• Step 6: Set SSL as an Authentication Service (Optional)

  See Also: Appendix B, "Authentication Parameters", for the dynamic parameter names.

Step 1: Confirm Wallet Creation on the Client

Before proceeding with the next step, you must confirm that a wallet has been created.

Step 2: Configure Service Name to Include Server DNs and Use TCP/IP with SSL

This step contains the following two parts:

• Step 2a. To configure the service name to include server DNs
• Step 2b. To configure the service name to use TCP/IP with SSL

Step 2a. To configure the service name to include server DNs

Oracle Advanced Security Release 2 (9.2) matches the server's global database name against the distinguished name (DN) from the server certificate. This protects against the threat of connections to a server potentially faking its identity, where the server has a valid X.509 v3 certificate, but not the proper certificate for the respective database.

To enable DN matching against server certificates, you must manually edit the tnsnames.ora file to specify the server's DN by defining the SSL_SERVER_CERT_DN parameter. The client uses this information to obtain the list of DNs it expects for each of the servers, enforcing the server's DN to match its service name. Example 7-1 shows an entry for the Finance database in the tnsnames.ora file.

Example 7-1 Sample tnsnames.ora File with Server Certificate DN and TCP/IP with SSL Specified

finance=
(DESCRIPTION=


(ADDRESS_LIST=

(ADDRESS= (PROTOCOL = tcps) (HOST = finance_server) (PORT = 1575)))

(CONNECT_DATA=

(SERVICE_NAME= Finance.us.acme.com))

(SECURITY=

(SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme"))

The tnsnames.ora file can be located on the client or in the LDAP directory.

Alternatively, the administrator can ensure that DNs in the certificates from a trusted certificate authority have a common name (CN) that matches the service name.

Step 2b. To configure the service name to use TCP/IP with SSL

Example 7-1 also shows an entry that specifies TCP/IP with SSL as the connecting protocol in the tnsnames.ora file. To specify TCP/IP with SSL, you must enter tcps as the PROTOCOL in the ADDRESS parameter of the tnsnames.ora file. In addition, you must enter the same information in the ADDRESS parameter of the listener.ora file. Example 7-2 shows an entry that specifies TCP/IP with SSL as the protocol.

Example 7-2 Sample listener.ora File with TCP/IP with SSL Specified as the Protocol

LISTENER=


(DESCRIPTION_LIST=

(DESCRIPTION=

(ADDRESS= (PROTOCOL = tcps) (HOST = finance_server) (PORT = 1575))))

Alternatively, the administrator can use Oracle Net Manager to configure TCP/IP with SSL.

Step 3: Specify Required Client Configuration (Wallet Location)

To specify required configuration parameters for the client:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4):

Figure 7-4 Oracle Advanced Security SSL Window (Client)

Text description of the illustration ssl0001.gif

• Choose the SSL tab.
• Select Configure SSL for Client.
• In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click Browse to find it by searching the file system.

  Important: Use Oracle Wallet Manager to create the wallet. See "Step 1: Create a Database Wallet". Use Oracle Net Manager to set the wallet location in the sqlnet.ora file. Be sure to enter the same wallet location when you create it and when you set the location in the sqlnet.ora file.

• From the Match server X.509 name drop-down list, choose one of the following options:
  • Yes: Requires that the server's distinguished name (DN) match its service name. SSL ensures that the certificate is from the server and connections succeed only if there is a match.

    Note: This check can be made only when RSA ciphers are selected, which is the default setting.

  • No (default): SSL checks for a match between the DN and the service name, but does not enforce it. Connections succeed regardless of the outcome, but an error is logged if the match fails.
  • Let Client Decide: Enables the default.

    Note: The following alert appears when you select No: Security Alert Not enforcing the server X.509 name match allows a server to potentially fake its identity. Oracle Corporation recommends selecting YES for this option so that connections are refused when there is a mismatch.

• Choose File > Save Network Configuration.

  The sqlnet.ora file on the client is updated with the following entries:

  SSL_CLIENT_AUTHENTICATION =TRUE
  wallet_location = 
   (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
     (DIRECTORY=wallet_location)))
  
  SSL_SERVER_DN_MATCH=(ON/OFF)
  
  

  Step 4: Set the SSL Cipher Suites on the Client (Optional)

  A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.

  When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

  You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

  • The level of security you want to use. For example, triple-DES encryption is stronger than DES.
  • The impact on performance. For example, triple-DES encryption is slower than DES.
  • Administrative requirements:

    The cipher suites selected for a client must be compatible with those required by the server. For example, in the case of an Oracle Call Interface (OCI) user, the server requires the client to authenticate itself. You cannot, in this case, use a cipher suite employing Diffie-Hellman anonymous authentication which disallows the exchange of certificates. By contrast, in the case of an Enterprise JavaBeans (EJB) user, the server does not require the client to authenticate itself. In this case, you can use Diffie-Hellman anonymous authentication.

  You typically prioritize cipher suites starting with the strongest and moving to the weakest.

  Table 7-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.

  Table 7-1 Oracle Advanced Security Cipher Suites

  Cipher Suite	Authentication	Encryption	Data Integrity
  SSL_RSA_WITH_3DES_EDE_CBC_SHA	RSA	3DES EDE CBC	SHA
  SSL_RSA_WITH_RC4_128_SHA	RSA	RC4 128	SHA
  SSL_RSA_WITH_RC4_128_MD5	RSA	RC4 128	MD5
  SSL_RSA_WITH_DES_CBC_SHA	RSA	DES CBC	SHA
  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA	DH anon	3DES EDE CBC	SHA
  SSL_DH_anon_WITH_RC4_128_MD5	DH anon	RC4 128	MD5
  SSL_DH_anon_WITH_DES_CBC_SHA	DH anon	DES CBC	SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5	RSA	RC4 40	MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	RSA	DES40 CBC	SHA
  SSL_DH_anon_EXPORT_WITH_RC4_40_MD5	DH anon	RC4 40	MD5
  SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA	DH anon	DES40 CBC	SHA

  Note: If the SSL_CLIENT_AUTHENTICATION parameter is set to true in the sqlnet.ora file, then disable all cipher suites that use Diffie-Hellman anonymous authentication. Otherwise, the connection fails.

  To specify cipher suites for the client:

  1. Start Oracle Net Manager:
     • On UNIX, run netmgr from $ORACLE_HOME/bin.
     • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
  2. In the Navigator window, expand Local > Profile.
  3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4).
  4. Choose the SSL tab.
  5. Select Configure SSL for Client.
  6. Choose the Add button; a dialog box displays available cipher suites (Figure 7-5):

  Figure 7-5 SSL Cipher Suites Window

  

  Text description of the illustration ssl0002.gif

• Select a suite and choose OK; the Cipher Suite Configuration list is updated (Figure 7-6):

  Figure 7-6 Oracle Advanced Security SSL Window (Client)

  

  Text description of the illustration ssl0003.gif

• Use the up and down arrows to prioritize the cipher suites.
• Choose File > Save Network Configuration.

  The sqlnet.ora file is updated with the following entry:

  SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
  
  

Step 5: Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window.

To set the SSL version for the client:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4).
4. Choose the SSL tab.
5. Select Configure SSL for Client.
6. In the Require SSL Version scroll box the default is Any; accept this default or select the SSL version you want to configure.
7. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_VERSION=UNDETERMINED
   

Step 6: Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.

Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.

To set the SQLNET.AUTHENTICATION_SERVICES parameter:

Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows:

 SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)

If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.

Task 3: Configure SSL on the Server

During installation, Oracle sets defaults on both the Oracle database server and on the Oracle client for all SSL parameters except the location of the Oracle wallet. To configure SSL on the server, perform these steps:

• Step 1: Confirm Wallet Creation
• Step 2: Specify Required Server Configuration (Wallet Location)
• Step 3: Set the SSL Cipher Suites on the Server (Optional)
• Step 4: Set the Required SSL Version (Optional)
• Step 5: Set SSL Client Authentication (Optional)
• Step 6: Set SSL as an Authentication Service (Optional)
• Step 7: Create Listening Endpoint that Uses TCP/IP with SSL

  See Also: Appendix B, "Authentication Parameters" for the dynamic parameter names

Step 1: Confirm Wallet Creation

Before proceeding with the next step, you must confirm that a wallet has been created.

Step 2: Specify Required Server Configuration (Wallet Location)

To specify required configuration parameters for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4).
4. Choose the SSL tab.
5. Select Configure SSL for Server.
6. In the Wallet Directory box, enter the directory in which the Oracle wallet is located, or click the Browse button to find it by searching the file system.

   Important: Use Oracle Wallet Manager to create the wallet. See "Step 1: Create a Database Wallet". Use Oracle Net Manager to set the wallet location in the sqlnet.ora file. Be sure to enter the same wallet location when you create it and when you set the location in the sqlnet.ora file.

7. Choose File > Save Network Configuration.

   The sqlnet.ora and listener.ora files are updated with the following entries:

   wallet_location = 
    (SOURCE=
     (METHOD=File)
     (METHOD_DATA=
      (DIRECTORY=wallet_location)))
   

Step 3: Set the SSL Cipher Suites on the Server (Optional)

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.

When you install Oracle Advanced Security, several SSL cipher suites are set for you by default. You can override the default by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.

You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:

• The level of security you want to use. For example, triple-DES encryption is stronger than DES.
• The impact on performance. For example, triple-DES encryption is slower than DES.
• Administrative requirements:

  The cipher suites selected for a server must be compatible with those required by the client.

  You typically prioritize cipher suites starting with the strongest and moving to the weakest.

  Note: In Oracle Advanced Security Release 2 (9.2), if you set a cipher suite employing Diffie-Hellman anonymous authentication on the server, you must also set the same cipher suite on the client. Otherwise, the connection fails. If you use a cipher suite employing Diffie-Hellman anonymous, you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. See: Step 5: Set SSL Client Authentication (Optional).

Table 7-1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. This table also lists the authentication, encryption, and data integrity types each cipher suite uses.

To specify cipher suites for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4).
4. Choose the SSL tab.
5. Select Configure SSL for Server.
6. Choose the Add button; a dialog box displays available cipher suites (Figure 7-5).
7. Select a suite and choose OK; the Cipher Suite Configuration list is updated (Figure 7-7):

Figure 7-7 Oracle Advanced Security SSL Window (Server)

Text description of the illustration ssl0004.gif

• Use the up and down arrows to prioritize the cipher suites.
• Choose File > Save Network Configuration.

  The sqlnet.ora file is updated with the following entry:

  SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])
  
  

Step 4: Set the Required SSL Version (Optional)

You can set the SSL_VERSION parameter in the sqlnet.ora file. This parameter defines the version of SSL that must run on the systems with which the client communicates. You can require these systems to use SSL 3.0, or any valid, future version. The default setting for this parameter in sqlnet.ora is undetermined, which is set by selecting Any from the list in the SSL tab of the Oracle Advanced Security window.

To set the SSL version for the server:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-4).
4. Choose the SSL tab.
5. Select Configure SSL for Server.
6. In the Require SSL Version scroll box the default is Any; accept this default or select the SSL version you want to configure.
7. Choose File > Save Network Configuration.

   The sqlnet.ora file is updated with the following entry:

   SSL_VERSION=UNDETERMINED
   

Step 5: Set SSL Client Authentication (Optional)

The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE.

You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or CyberSafe.

To set this parameter to FALSE:

1. Start Oracle Net Manager:
   • On UNIX, run netmgr from $ORACLE_HOME/bin.
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Oracle Net Manager.
2. In the Navigator window, expand Local > Profile.
3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security SSL window appears (Figure 7-8):

Figure 7-8 Oracle Advanced Security SSL Window (Server)

Text description of the illustration ssl0005.gif

• Choose the SSL tab.
• Select Configure SSL for Server.
• Deselect Require Client Authentication.
• Choose File > Save Network Configuration.

  The sqlnet.ora file is updated with the following entry:

  SSL_CLIENT_AUTHENTICATION=FALSE
  

Step 6: Set SSL as an Authentication Service (Optional)

The SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file sets the SSL authentication service.

Set this parameter if you want to use SSL authentication in conjunction with another authentication method supported by Oracle Advanced Security. For example, use this parameter if you want the server to authenticate itself to the client by using SSL and the client to authenticate itself to the server by using Kerberos.

To set the SQLNET.AUTHENTICATION_SERVICES parameter:

Add TCP/IP with SSL (TCPS) to this parameter in the sqlnet.ora file by using a text editor. For example, if you want to use SSL authentication in conjunction with RADIUS authentication, set this parameter as follows:

 SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)

If you do not want to use SSL authentication in conjunction with another authentication method, then do not set this parameter.

Step 7: Create Listening Endpoint that Uses TCP/IP with SSL

Configure the listener with a TCP/IP with SSL listening endpoint in the listener.ora file. Oracle Corporation recommends a port number 2484 for typical Oracle Net clients and 2482 for client connections to Oracle9i JServer.

Task 4: Log on to the Database

If you are using SSL authentication, launch SQL*Plus and enter the following:

CONNECT/@dnet_service_name

If you are not using SSL authentication, launch SQL*Plus and enter the following:

CONNECT username/password@net_service_name

Using an nCipher Secure Accelerator

SSL handshake operations make heavy processing demands on a system, which may result in slower server and transaction performance. SSL hardware accelerators offload SSL processing from the server, freeing the CPU to respond to other transactions. Oracle Advanced Security uses nCipher BSAFE Hardware APIs (BHAPI), to support SSL hardware acceleration. Using this interface, Oracle integrates with nCipher secure accelerators.

Required Oracle Components To Use an nCipher Secure Accelerator

To use an nCipher Secure Accelerator, you need the following components:

• nCipher Secure Accelerator
• Supporting nCipher BHAPI library for your platform as follows:
  • (Unix) libnfbhapi.so library
  • (Windows NT) nfbhapi.dll library

    Note: You must contact your nCipher representative to have the secure accelerator installed and to acquire the necessary library. These tasks must be performed before you can use an nCipher Secure Accelerator with Oracle Advanced Security.

Configuring Oracle Advanced Security To Use an nCipher Secure Accelerator

To use the secure accelerator, you must place the path to the directory that contains the nCipher BHAPI library in the following locations:

• (UNIX) user's LD_LIBRARY_PATH
• (Windows) user's PATH

This enables the library to be loaded at runtime. Typically, the nCipher card is installed at the following locations:

• (UNIX) /opt/nfast
• (Windows) C:\nfast

The nCipher BHAPI library is in the directory where the secure accelerator is installed at the following location:

/toolkits/nfbhapi/

Troubleshooting Using nCipher Secure Accelerator

To detect whether the nCipher accelerator is being used, you can turn on SQL*Net tracing. If nCipher software is being used, then you will see the following entries in the SQL*Net tracing file without error messages logged between entry and exit:

nzos_initbhapi: entry
nzos_initbhapi: exit

SQL*Net Tracing File Error Messages Associated with Using nCipher Secure Accelerator

If error messages are logged between the entry and exit entries in the SQL*Net tracing file, then check the following list of possible error messages for information about how to resolve them.

nzos_initbhapi: Failed to load libnfbhapi.so. BHAPI will not be used

Cause: The system cannot locate the nCipher BHAPI library.

Action: Ensure that the directory which contains the nCipher BHAPI library is present in the user's system path.

See Also: "Configuring Oracle Advanced Security To Use an nCipher Secure Accelerator" for information about where to include the path to the nCipher BHAPI library in the user's system path.

nzos_initbhapi: Error in B_CreateSessionChooser. Returned <err #>

Cause: The nCipher secure accelerator may not be running.

Action: Ensure that the secure accelerator is up by running the /bin/enquiry utility from the directory where the nCipher card is installed.

Note: The nCipher log file is in the directory where the secure accelerator is installed at the following location: /log/logfile

See Also: nCipher documentation for further information about troubleshooting.