Oracle Advanced Security Frequently Asked Questions

Posted by 湖湘文化 on 2014-01-03
 

Oracle Advanced Security Frequently Asked Questions [ID 165465.1]


Modified: 2013-6-6  Type: FAQ  Status: PUBLISHED  Priority: 3


Applies to:

Advanced Networking Option - Version 9.0.1.0 to 11.2.0.3 [Release 9.0.1 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 06-JUN-2013

Purpose

This document groups some of the ASO Frequently Asked Questions.

Questions and Answers

1. What is the Advanced Security Option ?

The Oracle Advanced Security option (formerly Secure Network Services and Oracle Advanced Networking Option) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. The Oracle Advanced Security option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.

2. What features does the Advanced Security Option have ?


The Oracle Advanced Security option protects against threats to the security of distributed environments. Specifically, it provides the following features:

  • Data Integrity to ensure that data is not modified during transmission
  • Data Privacy to ensure that data is not disclosed during transmission
  • Authentication to ensure that user, host, and client identities are correctly known, and to provide for single sign-on capability in place of using multiple passwords
  • Authorization to ensure that a user, program, or process receives the appropriate privileges to access an object or set of objects

3. What Authentication methods are supported ?


SSL
RADIUS
Kerberos
Entrust
CyberSafe
SmartCards
TokenCards
Bull ISM
Biometric (Identix)

Note: Biometric authentication is not available from 9i


4. What products are not supported by the Advanced Security Option ?


The Oracle Advanced Security option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Security option’s authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) cannot yet take advantage of the Oracle Advanced Security option, since ODM does not currently use Net8.

5. What is the compatibility of different versions of ASO?


A mixture of Advanced Security versions is a supported configuration. However, certain features may not be available between different versions. Advanced Security clients and servers negotiate the first common encryption algorithm available to both machines. These algorithms are predefined as defaults, but the defaults may not provide the best encryption. For example, if the default list of algorithms on a client is RC4_40, RC4_56 and the default list on a server is RC4_40, RC4_56, RC4_128, then the client and server will negotiate RC4_40. To negotiate the highest available algorithm, explicitly define a list of algorithms using the sqlnet.encryption_types_[server | client] parameter. A client with sqlnet.encryption_types_client=(RC4_56, RC4_40) and a server with sqlnet.encryption_types_server=(RC4_128, RC4_56, RC4_40) will negotiate RC4_56.



* Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. Release 8.1.7 now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition.



Oracle 9.1
==========

* Oracle Advanced Security is not available with Oracle9i Standard Edition.
* Prior to Release 8.1.7, Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. This release now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition.

6. What are the system requirements and other certifications of this product?


See NOTE 112241.1 - "Oracle Authentication Matrices"

7. How can I tell if ASO is installed ?


On a UNIX platform, run the 'adapters' command at the shell. If you have ASO installed, you will see something like:

Installed Oracle Advanced Security option/Security products are:

RC4 40-bit encryption algorithm
RC4 56-bit encryption algorithm
DES40 40-bit encryption algorithm
DES 56-bit encryption algorithm
MD5 crypto-checksumming algorithm

On Windows you will need to run the Oracle Universal Installer and click on installed products.

8. How can I check if encryption is enabled and working?


To confirm that the network traffic is being encrypted, enable either client-side or server-side sqlnet tracing. On the client, edit the sqlnet.ora and add the line:

trace_level_client=16



Then make a sqlplus connection to the database and perform a simple select such as:

select * from v$option


If the client trace file is then examined the clear-text select and results will not be visible. If you disable encryption in the sqlnet.ora and rerun the select you will be able to see the clear-text select and results.

Do not forget to remove trace_level_client when finished.
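
The comparison described above can be automated. The following is an added example, not part of the original note: it rejoins the packet-dump bytes of a trace file and searches them for the statement, because a 22-byte statement spans several 8-byte dump lines and a line-by-line search of the file would miss it. The dump line layout, the header bytes and both sample traces are constructed assumptions; adjust the pattern to the lines your trace actually contains.

```python
import hashlib
import re

# Assumed dump layout: "<prefix> nspsend: 73 65 6C 65 63 74 20 2A  |select *|"
DUMP_LINE = re.compile(r"nsp(?:send|recv): ((?:[0-9A-Fa-f]{2} ){1,8})\s*\|")

def payload_bytes(trace_text):
    """Rejoin the hex column of every packet-dump line into one byte string."""
    out = bytearray()
    for line in trace_text.splitlines():
        m = DUMP_LINE.search(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def cleartext_visible(trace_text, sql):
    """True if the statement appears unencrypted in the dumped packets."""
    return sql.lower().encode("ascii") in payload_bytes(trace_text).lower()

def make_dump(data, func="nspsend"):
    """Render bytes as constructed trace lines, 8 bytes per line."""
    lines = []
    for i in range(0, len(data), 8):
        chunk = data[i:i + 8]
        hexcol = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{func}: {hexcol}  |{asc}|")
    return "\n".join(lines)

SQL = "select * from v$option"
HEADER = bytes([0x00, 0x2C, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00])  # constructed
# Constructed samples: the same packet without and with encryption. The hash
# output is only a stand-in for ciphertext, not what Oracle would send.
PLAIN_TRACE = make_dump(HEADER + SQL.encode("ascii"))
CIPHER_TRACE = make_dump(HEADER + hashlib.sha256(SQL.encode()).digest()[:22])

if __name__ == "__main__":
    for name, trace in (("plain", PLAIN_TRACE), ("encrypted", CIPHER_TRACE)):
        print(name, "- cleartext visible:", cleartext_visible(trace, SQL))
```
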



9. How do I add another authentication adapter?


To add an additional authentication adapter, you need to rerun the Oracle Universal Installer and deinstall Oracle Advanced Security. Next, reinstall it and you will be prompted for which adapters to install.


10. What version of Oracle does ASO come with?


Oracle Advanced Security comes on the Oracle Enterprise Edition CD from 8.1.7. It is not on the Standard Edition CD. As a result of the change to the US export regulations, strong encryption is now available outside the US.

Note 115384.1 - Changes to Strong Encryption Export Regulations for Non US Customers

11. Why isn't ASO installed?


The most common cause is that ASO is not installed as part of a default install of Oracle Enterprise Edition. You need to either do a custom install or add it after a default install.

12. Can I plug-in my own encryption algorithms into ASO?


There is no way, supported or unsupported, to do this. Oracle, like all US-based corporations, cannot ship pluggable crypto. This is an export compliance issue.


13. Are 3rd party adapters required to encrypt Net traffic?


No. Oracle Advanced Security has native encryption that can be used such as RC4.


14. Which encryption algorithms does Oracle Advanced Security support?


The following native encryption algorithms are supported from 11g:

RC4 Encryption
DES Encryption
Triple-DES Encryption
Advanced Encryption Standard

15. Is the latest release of ASO compatible with older versions?


ASO is backwards compatible with older versions of Oracle. The main issue is that algorithms introduced in 8.1.7, such as DES3, cannot be used on a connection to a 7.3.4 database. In cases such as this, you should either adopt the 'lowest common denominator' approach and pick an algorithm common to all versions of your clients and servers, or specify multiple encryption types in your sqlnet.ora and allow Oracle to pick the common type.

16. How can you enable encryption on some connections but not others?


This can be managed to a degree by how SQLNET.ENCRYPTION_CLIENT is set in the sqlnet.ora on the client and how SQLNET.ENCRYPTION_SERVER is set in the sqlnet.ora on the server.

This is detailed further in section 2-8 & 2-9 of the Oracle Advanced Security Administrator's Guide 8.1.7 & 9.0.1.
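
The negotiation described in questions 5 and 16, as an added example that is not part of the original note: it reads the client and server sqlnet.ora text and reports the algorithm chosen, an unencrypted session, or a refused connection. It goes beyond the note by modelling the four documented values of SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_SERVER (REJECTED, ACCEPTED, REQUESTED, REQUIRED). It assumes that the server takes the first entry of its own list that the client also offers and that both files list their algorithms explicitly; the file contents are constructed.

```python
import re

class NegotiationError(Exception):
    """The connection is refused rather than left in cleartext."""

def parse_sqlnet(text, side):
    """Return (mode, algorithm list) for side 'client' or 'server'."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([\w.]+)\s*=\s*\(?([^)]*)\)?\s*$", line.split("#")[0].strip())
        if m:
            params[m.group(1).lower()] = m.group(2)
    # ACCEPTED is the documented default when the mode parameter is absent.
    mode = params.get(f"sqlnet.encryption_{side}", "ACCEPTED").strip().upper()
    types = params.get(f"sqlnet.encryption_types_{side}", "")
    return mode, [a.strip().upper() for a in types.split(",") if a.strip()]

def negotiate(client_ora, server_ora):
    """Return the chosen algorithm, or None when the session stays unencrypted."""
    c_mode, c_algs = parse_sqlnet(client_ora, "client")
    s_mode, s_algs = parse_sqlnet(server_ora, "server")
    modes = {c_mode, s_mode}
    if "REJECTED" in modes:
        if "REQUIRED" in modes:
            raise NegotiationError("REQUIRED on one side, REJECTED on the other")
        return None
    if modes == {"ACCEPTED"}:
        return None  # neither side asked for encryption
    # Assumed rule: the server's ordering decides, first common entry wins.
    for alg in s_algs:
        if alg in c_algs:
            return alg
    if "REQUIRED" in modes:
        raise NegotiationError("no common algorithm")
    return None  # REQUESTED/ACCEPTED with no match: silent cleartext

# Constructed files reproducing the two cases from question 5.
CLIENT_Q5A = "sqlnet.encryption_client=REQUESTED\nsqlnet.encryption_types_client=(RC4_40, RC4_56)"
SERVER_Q5A = "sqlnet.encryption_types_server=(RC4_40, RC4_56, RC4_128)"
CLIENT_Q5B = "sqlnet.encryption_client=REQUESTED\nsqlnet.encryption_types_client=(RC4_56, RC4_40)"
SERVER_Q5B = "sqlnet.encryption_types_server=(RC4_128, RC4_56,RC4_40)"

if __name__ == "__main__":
    print(negotiate(CLIENT_Q5A, SERVER_Q5A))
    print(negotiate(CLIENT_Q5B, SERVER_Q5B))
```

In this model a side set to REQUESTED falls back to an unencrypted session without any error when the lists share no algorithm; only REQUIRED turns that case into a refused connection.
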

17. Are passwords encrypted?


Yes. Even if ASO native encryption is not used, passwords are still encrypted, but other network traffic is not.

18. Is data encrypted over database links?


If ASO native encryption is enabled then data will be encrypted over database links.

19. Is ASO a licensable cost option?


Yes.

20. Can ASO authentication such as Kerberos or Radius be used for database links?


No, database links do not currently support the use of ASO authentication methods such as Kerberos or Radius.

21. Is it possible to uninstall ASO?


ASO can be uninstalled in all versions prior to 11.2. Starting with Oracle RDBMS 11.2, ASO is installed by default and there is no way to uninstall it. See Note 888934.1.



References

NOTE:112241.1 - Oracle Authentication Matrices
NOTE:115384.1 - Changes to Strong Encryption Export Regulations for Non US Customers

From "ITPUB Blog", link: http://blog.itpub.net/21256317/viewspace-1066874/. If you repost this, please credit the source; otherwise legal liability will be pursued.
