Oracle Security Server Release 2.0.5 Release Notes
**************************************************

Copyright (C) 1997 Oracle Corporation

This software/documentation contains proprietary information of Oracle
Corporation; it is provided under a license agreement containing
restrictions on use and disclosure and is also protected by copyright law.
Reverse engineering of the software is prohibited.

If this software/documentation is delivered to a U.S. Government Agency of
the Department of Defense, then it is delivered with Restricted Rights and
the following legend is applicable:

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government
is subject to restrictions as set forth in subparagraph (c) (1) (ii) of
DFARS 252.227-7013, Rights in Technical Data and Computer Software
(October 1988).

If this software/documentation is delivered to a U.S. Government Agency not
within the Department of Defense, then it is delivered with "Restricted
Rights," as defined in FAR 52.227-14, Rights in Data - General, including
Alternate III (June 1987).

Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

This version supports International Security with RSA Public Key
Cryptography, MD2, MD5, and RC4. This product contains encryption and/or
authentication engines from RSA Data Security, Inc. Copyright 1996 RSA Data
Security, Inc. All rights reserved.

Oracle and SQL*Net are registered trademarks of Oracle Corporation, Redwood
City, California. Oracle Security Server, Oracle Enterprise Manager, Net8,
and Oracle8 are trademarks of Oracle Corporation, Redwood City, California.
All other products or company names are used for identification purposes
only, and may be trademarks of their respective owners.

*********************************************

Overview
========

Oracle Security Server provides a global, centralized authentication
framework based on public key cryptography.
Oracle Security Server uses certificates instead of passwords for user
authentication, significantly raising the level of assurance that users are
who they claim to be. Oracle Security Server works with Oracle8 clients and
servers, connecting with Net8. It requires Net8 between its component parts.

For further information about the Oracle Security Server, see the Oracle
Security Server Guide.

Contents of This Read Me File
=============================

- Installing the Oracle Security Server Repository
- Oracle Security Server Manager Tool
- Additional Information
- Global User and Global Role Administration

Installing the Oracle Security Server Repository
================================================

This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01):

. Oracle Security Server Repository Dependencies
. Configuring the Oracle Security Server Repository

Oracle Security Server Repository Dependencies
----------------------------------------------

To use a given database as an Oracle Security Server Repository, that
database must be running an Oracle 8.0.4 Server or later. Before proceeding
with this installation, you must also make sure that Net8 release 8.0.4 or
higher is running on that database.

Configuring the Oracle Security Server Repository
-------------------------------------------------

In order for Oracle clients and servers to access information in the Oracle
Security Server Repository, the Repository must also be enabled for secure
connections. Follow the same steps as for any Oracle Server, as outlined in
the section "Configuring Oracle Security Adapters on Clients and Servers".
This includes setting up the Repository's sqlnet.ora file correctly and
installing the Repository's wallet via the osslogin tool. The Repository is
authenticated by clients and servers exactly as any other database is, so it
needs its own Identity, certificate and wallet; see "Creating an Identity
for the Oracle Security Server Repository" below.

Oracle Security Server Manager, an Enterprise Manager Tool
==========================================================

Oracle Security Server Manager 2.0.5 for Oracle Enterprise Manager 1.6.0
Production.
This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01):

. Known problem with Oracle Security Server Manager 2.0.4 for Enterprise
  Manager 1.5.0
. Logging in to Oracle Security Server Manager
. Creating and Deleting your Security Server Repository
. Creating an Identity for the Oracle Security Server Repository
. Enterprise Authorizations

Known problem with Oracle Security Server Manager 2.0.4 for Enterprise Manager 1.5.0
------------------------------------------------------------------------------------

If you are using Enterprise Manager 1.5.0 (inclusive of Oracle Security
Server Manager 2.0.4) you must always connect to your Oracle Security Server
Repository using a Net8 Service Name configured as "oss" from your
Enterprise Manager 1.5.0 client site. Net8 Client Service Names may be
configured at your Enterprise Manager 1.5.0 site using the Net8 Assistant.
Even if you are using a local database on your Windows NT PC, you must still
connect to it from Oracle Security Server Manager under an "oss" Net8 Client
Service Name. If you do not use "oss" as the Net8 Client Service Name then
Oracle Security Server Manager may fail to generate certificates in your
Repository Database.

Note: As an alternative to using "oss" as your Net8 Client Service Name you
may configure the oss.source.location parameter in your Net8 Client
sqlnet.ora file to reference the Net8 Client Service Name that you wish to
use for your Oracle Security Server Repository. For more information on the
oss.source.location parameter please refer to the Oracle Security Server
Administrators Guide.

This problem has been fixed in Oracle Security Server Manager 2.0.5 for
Enterprise Manager 1.6.0.

Logging in to Oracle Security Server Manager
--------------------------------------------

You must log into Oracle Security Server Manager as user
"oracle_security_service_admin". This user is created when you run the
Create Oracle Security Server utility and its password is defined when you
install the product.
Oracle Security Server Manager cannot operate under any other Oracle user.
Therefore usernames like SYSTEM and INTERNAL are invalid.

Note: If you try to run Oracle Security Server Manager as any other user,
you will not be able to access the data in your Security Server Repository.
Do not try to create a new Security Server Repository while logged in as any
other user.

Creating and Deleting your Security Server Repository
-----------------------------------------------------

There is a utility named "Create Oracle Security Server" in the Oracle
Security Server Program Group. This utility allows you to prepare a database
for use as an Oracle Security Server Repository.

Note: The Create utility adds two users, "oracle_security_service" and
"oracle_security_service_admin", to your database. It also adds a tablespace
and datafiles to your Oracle Server to support these users. You may inspect
the file nzdocrt.sql in your OSS directory under the Oracle Home directory
for the exact SQL used in these operations.

There is also a utility named "Delete Oracle Security Server" in the Oracle
Security Server Program Group. This utility allows you to undo the changes
made to your database by the Create utility.

WARNING: This utility will completely erase the contents of your Oracle
Security Server Repository and should only be used if you are absolutely
sure that you wish to destroy all the Identities and Authorizations held in
it.

Note: Do not use these utilities against an Oracle Server that has an
existing oracle_security_service_admin user currently logged on.

Both utilities ask you to provide log-on details for the database you wish
to configure. You should supply the SYSTEM username, password and Net8
service name details. If you are not using a remote database then you need
only supply the SYSTEM username and password.
Known Problem: If you use the "Create Oracle Security Server" utility
against a database where this operation has already been performed, or you
run the utility against a database where you have already used the "Delete
Oracle Security Server" utility, you may see the following error:

  XP-07016: A database error has occurred:
  create tablespace oss datafile 'oss.dbf' SIZE 10M
  ORA-01119: error in creating database file 'oss.dbf'
  ORA-27038: skgfrcre: file exists
  XP-07031: An error occurred while processing file C:\ORANT/OSS/nzdocrt.sql

This error occurs because a datafile is still present on your Oracle Server
from the last time Oracle Security Server was installed. To remedy this
problem, the Oracle DBA must delete the file "oss.dbf" from the DBS
directory under the Oracle Server's Oracle Home directory.

Note: As a precaution, the DBA should issue the command "drop tablespace
oss;" on the Oracle Server before deleting this file, so that the data
dictionary no longer references a file that is about to disappear. (Oracle
refuses to drop a tablespace that still contains objects unless INCLUDING
CONTENTS is added to the command.)

Creating an Identity for the Oracle Security Server Repository
--------------------------------------------------------------

When a Net8 client and an Oracle8 Server authenticate to each other using
Oracle Security Server, they do so by verifying each other's credentials.
These credentials are hosted in the Repository component of the Oracle
Security Server Certificate Authority.

Since the database server used by the Oracle Security Server CA as a
Repository may be separate from the Enterprise Manager Console on which the
Certificate Authority is controlled, Net8 clients and Oracle8 servers must
authenticate this particular database to the same extent that they
authenticate each other. Therefore, the Oracle Security Server Repository
database must itself be given an Identity by the Certificate Authority.

Oracle Security Server Manager version 2.0.5 requires you to define an
Identity for your Security Server Repository immediately after you have
defined the Identity for the Certificate Authority itself.
Before Oracle Net8 clients and Oracle8 Servers can use your Oracle Security
Server, you must ensure that you have:

1. Created an Identity for your Oracle Security Server Repository with
   Oracle Security Server Manager.
2. Created a certificate for this Identity with Oracle Security Server
   Manager.
3. Downloaded an Oracle Security Server Wallet at your Security Server
   Repository database. This wallet must use the Identity given to the
   Security Server Repository by the Certificate Authority at step 1.

Enterprise Authorizations
-------------------------

Security Server Enterprise Authorizations may only be granted and revoked
from an Approved Identity in the Approved Identity Property Page (on the
right hand side of the screen) if the "Advanced Mode" toggle button is
selected in the toolbar.

*************************************************************

Oracle Security Server 2.0.5 Production for Oracle Server 8.0.5 Production

Global User and Global Role administration
==========================================

This section contains information on the following topics to supplement the
Oracle Security Server Guide (Part #A54088-01). It does not relate to the
Oracle Security Server Manager tool but rather to the operations required by
an Oracle8 DBA to make use of the Security Server.

. Creating Global Users in the Oracle 8.0.5 Server
. Rules for defining distinguished names
. Example correct and incorrect distinguished names
. Securing a database where a Security Server is already running
. Ending a single sign-on session

Creating Global Users in the Oracle 8.0.5 Server
------------------------------------------------

Create Global Users in your database using the Oracle Security Manager, part
of Enterprise Manager 1.6.0. You are advised to use this tool in preference
to creating Global Users manually with Server Manager.
If you do choose to use Server Manager to add Global Users to your Oracle
8.0.5 Server you must be careful when specifying the Distinguished Name that
the Global User will use on your database. The syntax for Global User
creation is:

  create user <username> identified globally as '<distinguished name>';

For example,

  create user LISTER identified globally as 'C=US,O=ORACLE,CN=LISTER';

The distinguished name used in this example would exist in your Oracle
Security Server as an Oracle Security Server Approved Identity with exactly
the same name. Furthermore, the distinguished name must be specified between
two single quotes, as in the above example.

Rules for defining distinguished names
--------------------------------------

When specifying the distinguished name in the above syntax, there are six
possible components: Country name, Organization name, Organizational Unit
name, State, Locality, and Common Name. Each of these categories uses the
following notation in the distinguished name respectively: C=, O=, OU=, ST=,
L=, and CN=. This notation is the X.509 version 1 naming form. These
categories are known as "attributes" within a distinguished name.

1. Attribute Order

   A distinguished name must have at least the Common Name, and any or all
   of the other attributes, specified in the following order:

     C=,O=,OU=,ST=,L=,CN=

2. Case Sensitivity

   The distinguished name used in a Global User definition must use upper
   case for each of the attribute names: C=, O=, OU=, ST=, L=, CN=. The
   values given to these attributes are case sensitive and must match,
   character for character, the values used in an Oracle Security Server
   Identity.

3. Separators

   The attributes in a distinguished name are separated only by a ','. You
   must not use spaces between the attributes.
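The three rules above, applied by a checker. This is an added Python example
written for these notes; it is not Oracle's code and no such tool ships with
Oracle Security Server. check_global_user_dn reports which rule a
distinguished name breaks, and can also compare the name character for
character against the Approved Identity it is meant to match (a string you
supply; nothing is read from the Repository). create_global_user_sql then
builds the CREATE USER ... IDENTIFIED GLOBALLY statement with Oracle
string-literal quoting once the name passes. The identity and candidate
names in the __main__ block are constructed test values.

```python
# Added example (not Oracle's code): checks a distinguished name against the
# three Global User rules and builds the CREATE USER statement.
import re

# Attribute names in the only order rule 1 allows; CN is mandatory.
ATTRIBUTE_ORDER = ("C", "O", "OU", "ST", "L", "CN")

# Unquoted Oracle identifier: a letter followed by up to 29 letters, digits,
# '_', '$' or '#'.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_$#]{0,29}")


def check_global_user_dn(dn, approved_identity=None):
    """Return the list of rule violations in dn (an empty list means valid).

    rule 1: attributes appear at most once, in the order C,O,OU,ST,L,CN,
            and CN is present
    rule 2: attribute names are upper case; when approved_identity is
            given, the whole string must match it character for character
    rule 3: attributes are separated by ',' alone, with no spaces around
            the separator or the '='
    """
    problems = []
    if dn.strip() == "":
        return ["empty distinguished name"]

    names = []
    for part in dn.split(","):
        name, sep, value = part.partition("=")
        if not sep:
            problems.append("rule 3: %r is not of the form NAME=value" % part)
            continue
        if name != name.strip() or value != value.strip():
            problems.append("rule 3: space next to ',' or '=' in %r" % part)
            name, value = name.strip(), value.strip()
        if name.upper() not in ATTRIBUTE_ORDER:
            problems.append("unknown attribute %r" % name)
            continue
        if name != name.upper():
            problems.append("rule 2: attribute name %r must be upper case" % name)
        if value == "":
            problems.append("empty value for %s" % name.upper())
        names.append(name.upper())

    if "CN" not in names:
        problems.append("rule 1: CN is mandatory")
    positions = [ATTRIBUTE_ORDER.index(n) for n in names]
    if positions != sorted(positions) or len(set(names)) != len(names):
        problems.append("rule 1: attributes must appear once each, in the "
                        "order C=,O=,OU=,ST=,L=,CN=")

    # Rule 2 also covers the values: Oracle matches them verbatim against the
    # Approved Identity, so 'CN=HOLLY' does not match 'CN=Holly'.
    if approved_identity is not None and dn != approved_identity:
        problems.append("rule 2: %r does not match the Approved Identity %r "
                        "character for character" % (dn, approved_identity))
    return problems


def create_global_user_sql(username, dn, approved_identity=None):
    """Build the CREATE USER ... IDENTIFIED GLOBALLY statement, or raise
    ValueError if the username or distinguished name is unusable."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid Oracle username %r" % username)
    problems = check_global_user_dn(dn, approved_identity)
    if problems:
        raise ValueError("; ".join(problems))
    # Oracle string literal: an embedded single quote is written as ''.
    # The text between the quotes is still the DN, character for character.
    return "create user %s identified globally as '%s';" % (
        username, dn.replace("'", "''"))


if __name__ == "__main__":
    identity = "C=UK,CN=Chrissy Kochansky"          # constructed Approved Identity
    for candidate in ("CN=Chrissy Kochansky,C=UK",   # breaks rule 1
                      "cn=Chrissy Kochansky,c=UK",   # breaks rule 2
                      "C=UK, CN=Chrissy Kochansky",  # breaks rule 3
                      "C=UK,CN=CHRISSY KOCHANSKY",   # breaks rule 2
                      identity):                     # valid
        print("%-30s -> %s" % (candidate,
              check_global_user_dn(candidate, identity) or "OK"))
    print(create_global_user_sql("LISTER", "C=US,O=ORACLE,CN=LISTER"))
```

Run it over a name before pasting the statement into Server Manager: a name
that fails a rule is rejected with the rule number, and a single quote inside
a value is doubled so the literal cannot end early and turn the rest of the
name into SQL.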
Example correct and incorrect distinguished names
-------------------------------------------------

Assume there exists an Approved Identity in the Oracle Security Server
named:

  'C=UK,CN=Chrissy Kochansky'

The following are examples of INCORRECTLY specified distinguished names for
this identity:

  'CN=Chrissy Kochansky,C=UK'     rule 1. Order
  'cn=Chrissy Kochansky,c=UK'     rule 2. Case Sensitivity
  'C=UK, CN=Chrissy Kochansky'    rule 3. Separators
  'C=UK,CN=CHRISSY KOCHANSKY'     rule 2. Case Sensitivity

The following are all valid Distinguished Names:

  'C=US,ST=CA,L=Belmont,CN=Arnold Johnson'
  'O=Obsidian Corporation,ST=CA,CN=Laurence Liverpool'
  'ST=AZ,CN=Paul Lee'
  'C=UK,CN=Holly'

Ending a single sign-on session
-------------------------------

The "osslogin" utility supplied with the Oracle Net8 client allows you to
download your wallet from the Oracle Security Server and decrypt your
private credentials in order to access multiple databases as the same Global
User. There is no accompanying "logout" utility with this release of Net8.

When you are finished using your credentials, you are advised to delete the
file "clearkey.oss". This file is located in your Oracle Security Server
Wallet directory; it contains your private key in the clear, and anyone who
can read it while it exists can authenticate as you. Deleting the file only
removes it from the directory listing; its contents may remain recoverable
from the disk until those blocks are overwritten. You can recreate the file
when needed by re-running the "osslogin" utility.