Oracle9i Security Overview Release 2 (9.2) Part Number A96582-01
This chapter introduces the Oracle products and special features which can protect your data using the latest security technology.
Database security entails permitting or denying user actions on the database and the objects within it. Oracle uses schemas and security domains to control access to data and to restrict the use of various database resources. This section describes the many intrinsic security mechanisms of the Oracle9i database.
For a thorough discussion of these features, see the Oracle9i documentation set.
Oracle9i contains many mechanisms to ensure the integrity of the database, and to provide concurrency, serializability of transactions, and to prevent data corruption. The access control mechanisms that enforce mandatory access control are also used to prevent unauthorized modification and deletion of data by users.
Oracle9i provides data integrity through the use of declarative entity and referential integrity constraints as defined in the ISO/ANSI SQL standards. Integrity rules are specified declaratively as part of the table definition, and are checked by the database server whenever transactions update, insert, or delete rows in the table. Defining and enforcing these rules in the server ensures that all applications consistently and reliably apply the same rules, which can be maintained centrally. Enforcement in the server also provides performance benefits over programmatic enforcement in the application.
More complex business rules can be enforced through the use of stored procedures and triggers. However, these mechanisms are not normally used to enforce entity, referential, or transaction integrity.
Database integrity mechanisms also guarantee that all steps in a transaction are committed as a complete unit, so that either all parts are committed or all parts are rolled back (transaction integrity).
Entity integrity enforcement guarantees that each row in a table is uniquely identified by non-null values contained in its primary key columns. An example of entity integrity would be ensuring that every employee number in the EMP table is unique.
Referential integrity constraints are used to enforce dependencies and relationships between rows in tables. An example of this occurs when an employee's department number in the EMP table (foreign key) must be a valid department as specified in the DEPT table (primary key). Primary key/foreign key relationships are defined as part of table creation.
Oracle9i provides user authentication to ensure that the identity of a user, host or client is correctly known. To access a database, a user must supply a valid username and the associated password for the database. These prevent unauthorized use. Oracle9i also provides authorization, to ensure that a user, program, or process receives the appropriate privileges to access an object or set of objects.
To prevent unauthorized use of a database username, Oracle provides user validation by several different methods for normal database users. You can perform authentication by:
Further, Oracle Enterprise Edition supports additional modes of authentication:
For simplicity, one method is usually used to authenticate all users of a database. However, Oracle permits use of all methods within the same database instance.
Oracle9i regulates all user access to data through privileges. It supports the concept of least privilege, which states that users should be granted the least number of privileges necessary to perform their jobs. Oracle9i enforces this concept by not automatically granting users any direct privileges when they are created. It supports both column-level and row-level privileges. Column-level privileges can be granted directly, and row-level privileges can be granted programmatically or through Oracle Label Security. The highly granular system and object privileges of Oracle9i enable you to grant users only the specific privileges they need, rather than having to grant them more encompassing privileges.
Oracle9i has extensive support of roles, to enable administrators to optimally manage users' privileges. Oracle9i Standard Edition supports
Note that Oracle Enterprise Edition supports additional roles:
Oracle9i permits selective auditing of user actions to provide accountability. Audit records can also be a useful tool in identification of suspicious user activity. Auditing can be performed at different levels: by user, by statement, by privilege (such as SELECT), and by schema object (such as SELECT FROM EMP).
Oracle9i views and stored program units can add an additional level of security to your system. Views can restrict user access to a predetermined set of rows and columns of a table. Stored program units (such as stored procedures, packages, and triggers) can be used for such purposes as performing a set of related tasks, enforcing complex security authorizations, or restricting certain DML operations.
Among other security technologies, Oracle protects data in eBusiness systems through strong, standards-based encryption. Oracle has supported encryption of network data through Oracle Advanced Security (formerly known as "Secure Network Services", and then "Advanced Networking Option") since Oracle7. Oracle9i also supports protection of selected data by means of encryption within the database.
To address the need for selective data encryption, Oracle9i provides a PL/SQL package to encrypt and decrypt stored data. The package, DBMS_OBFUSCATION_TOOLKIT, supports bulk data encryption using the Data Encryption Standard (DES) algorithm, and includes procedures to encrypt and decrypt using DES. In addition to single DES, Oracle's DBMS_OBFUSCATION_TOOLKIT supports triple DES (3DES) encryption, in both two- and three-key modes, for those who demand the strongest commercially available level of encryption. The toolkit also supports the MD5 secure cryptographic hash to ensure data integrity, and a random number generator for generating secure encryption keys.
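The round trip described above, as an added example that is not from the Oracle documentation: one column value encrypted with DBMS_OBFUSCATION_TOOLKIT in two-key 3DES mode and hashed with MD5. The sample value, the zero-byte padding scheme and the use of DBMS_RANDOM for the key seed are constructed for the example; the toolkit itself does no padding, so the caller must round the input up to a multiple of 8 bytes and keep the original length.

```sql
-- Added example, not Oracle's own code.  Card number, padding scheme and seed
-- source are constructed.  The toolkit does no padding: input must be a
-- multiple of 8 bytes, so we pad here and remember the original length.
DECLARE
   l_key     RAW(16);                               -- 16 bytes: two-key 3DES
   l_plain   RAW(64) := UTL_RAW.CAST_TO_RAW('4111-1111-1111-1111');
   l_padded  RAW(64);
   l_cipher  RAW(64);
   l_decrypt RAW(64);
   l_digest  RAW(16);
   l_padlen  PLS_INTEGER;
BEGIN
   -- Key from the toolkit's generator.  DBMS_RANDOM only builds the 80-byte
   -- seed for illustration; a real seed must be unpredictable, and the key
   -- must be held outside the database, never in a table beside the ciphertext.
   l_key := DBMS_OBFUSCATION_TOOLKIT.DES3GetKey(
               which => DBMS_OBFUSCATION_TOOLKIT.TwoKeyMode,
               seed  => UTL_RAW.CAST_TO_RAW(DBMS_RANDOM.STRING('P', 80)));

   -- Pad with zero bytes to an 8-byte boundary (always at least one byte)
   l_padlen := 8 - MOD(UTL_RAW.LENGTH(l_plain), 8);
   l_padded := UTL_RAW.CONCAT(l_plain, UTL_RAW.COPIES(HEXTORAW('00'), l_padlen));

   l_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                  input => l_padded,
                  key   => l_key,
                  which => DBMS_OBFUSCATION_TOOLKIT.TwoKeyMode);

   -- Integrity value stored with the ciphertext.  MD5 alone detects accidental
   -- corruption; it is not a keyed MAC, so a writer who can change the
   -- ciphertext can recompute it.
   l_digest := DBMS_OBFUSCATION_TOOLKIT.MD5(input => l_cipher);

   -- Read path: check the digest first, then decrypt and strip the padding
   IF UTL_RAW.COMPARE(DBMS_OBFUSCATION_TOOLKIT.MD5(input => l_cipher), l_digest) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'ciphertext integrity check failed');
   END IF;
   l_decrypt := DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
                   input => l_cipher,
                   key   => l_key,
                   which => DBMS_OBFUSCATION_TOOLKIT.TwoKeyMode);
   l_decrypt := UTL_RAW.SUBSTR(l_decrypt, 1, UTL_RAW.LENGTH(l_plain));

   DBMS_OUTPUT.PUT_LINE('round trip ok: ' ||
      CASE WHEN UTL_RAW.COMPARE(l_decrypt, l_plain) = 0 THEN 'yes' ELSE 'no' END);
END;
/
```

Later releases replace this package with DBMS_CRYPTO, which pads for the caller and offers AES and keyed hashes; the padding and key-handling points above still apply there.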
Multiple Oracle9i mechanisms - including resource limits and user profiles, online backup and recovery, and advanced replication - help provide uninterrupted database processing and minimize denial of service in order to support today's on-line transaction processing and decision support environments.
Resource limitation and user profile mechanisms prevent "run-away" queries, or more deliberate and malicious manipulation of system resources by a particular user. A user profile is a set of administrator-defined resource limits assigned to a username; through the use of user profiles, Oracle9i enables the database administrator to define and limit the amount of certain system resources available to a user. System resources that can be limited include:
Through user profiles, Oracle9i prevents resource hogs from denying service to other users, either inadvertently or maliciously.
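A profile of the kind described above, as an added example that is not from the Oracle documentation. The profile name, username and limit values are constructed; the resource and password parameter names are those of the CREATE PROFILE statement. Resource limits in a profile take effect only when the instance runs with RESOURCE_LIMIT set to TRUE; password limits are always enforced.

```sql
-- Added example, not Oracle's own code.  Profile, user and values constructed.
-- Kernel resource limits are ignored unless RESOURCE_LIMIT = TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE app_user_profile LIMIT
   -- resource limits: stop run-away queries and session hogging
   SESSIONS_PER_USER          3            -- concurrent sessions per username
   CPU_PER_SESSION            UNLIMITED
   CPU_PER_CALL               30000        -- hundredths of a second per SQL call
   LOGICAL_READS_PER_CALL     100000       -- blocks read per call
   CONNECT_TIME               480          -- minutes per session
   IDLE_TIME                  30           -- minutes before an idle session is ended
   -- password limits: slow down online guessing and bound credential lifetime
   FAILED_LOGIN_ATTEMPTS      5
   PASSWORD_LOCK_TIME         1/24         -- days; 1/24 is one hour
   PASSWORD_LIFE_TIME         90           -- days
   PASSWORD_GRACE_TIME        7            -- days of warning before expiry
   PASSWORD_REUSE_MAX         5            -- both reuse limits must be set together
   PASSWORD_REUSE_TIME        365;

-- Assign the profile; the user keeps DEFAULT otherwise, which has no limits
ALTER USER jdoe PROFILE app_user_profile;

-- Verify what is actually in force for the username
SELECT u.username, p.resource_type, p.resource_name, p.limit
  FROM dba_users u JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.username = 'JDOE'
 ORDER BY p.resource_type, p.resource_name;
```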
Oracle9i also ensures high availability by providing robust online backup and recovery, so that mission-critical applications are not inhibited by these necessary activities. Oracle9i provides an integrated method for creating, managing, and restoring backups of a database, providing greater ease of management and administration of the backup and recovery operations, while maintaining superior performance and increased availability of the database. Oracle9i databases can be backed up on-line, even during periods of peak transaction processing activity. Server-managed backup and recovery improves database administrator productivity as well as simplifying the backup and recovery process. Oracle9i backup and recovery permits backing up of the entire database, or a subset of the database, in one operation, and minimizes time needed for backup and restore operations by performing automatic parallelization of backups and restores. Oracle9i backup and recovery also supports sequential I/O devices for output during backup and for input during restore operations. Tape backups are supported in conjunction with vendor-provided tape management systems.
The advanced replication facilities of Oracle9i can be used to increase the availability of systems by off-loading large scale queries from transaction processing databases. For example, large tables of customer purchasing data may be replicated to customer service databases, so that data-intensive queries do not contend with transactions against the same tables. Advanced replication facilities can also be useful in protecting the availability of a mission-critical database. For example, symmetric replication can replicate an entire database to a failover site should the primary site be unavailable due to a system or network outage. Advanced replication for both read and write access ensures data consistency; refresh groups preserve referential integrity and transaction consistency across the table snapshots of related master tables. For example, customers, orders, and order lines are all related, so they could be refreshed as a group.
Data partitioning in Oracle9i is a powerful tool for dramatic improvements in the manageability, performance, and scale of applications deployed using the Oracle9i data server. Oracle9i permits range partitioning of tables and multiple partitioning strategies for indexes, providing very large database support, and improves administrative operations. In the real world, media failure, access balancing for performance, and table de-fragmentation are just a few of the areas where partitioning can reduce the impact of an outage or increase availability under high loads.
Oracle9i with the Partitioning option supports all DML operations in parallel today. In addition, scans of indexes, export and import of table data, and estimating and calculating statistics can also be performed in parallel on individual partitions. Partitions can be loaded individually and in parallel, with or without index pre-creation. Loading, backup, recovery, computing statistics, and import and export are all supported for each partition. These can be performed individually without interfering with operations underway on other partitions. With every operation available on a partition basis, it is possible to have truly dramatic performance improvements.
Real Application Clusters provide very high levels of availability for mission critical applications. In a Real Application Clusters environment, Oracle runs on two or more systems in a cluster, while concurrently accessing a single shared database. In the event of a failure of one of the systems, the surviving systems perform recovery of the failed Oracle instance. This provides some tremendous availability and scalability benefits over simple cold cluster failover.
This section describes Oracle9i support for proxy authentication.
The OCI proxy authentication feature was initially released in Oracle8i, and enabled a database client to set up, within a single database connection, a number of "lightweight" user sessions, each of which is associated with a different database user.
In Oracle9i proxy authentication, authentication of the client is supported in the following ways:
In Oracle9i this feature is designed so that a specific middle tier can be restricted to acting on behalf of a specified set of users. Once the middle tier has authenticated itself to the database, it can establish a lightweight session on behalf of those users without submitting user-specific authentication information such as passwords. Moreover, Oracle9i can be configured so that a specific middle tier can assume a specific set of database roles when acting at the database on behalf of a specific user. In other words, the database uses both middle tier identity and client user identity when determining what privileges to grant a middle tier acting for a user through a lightweight session.
In Oracle8i the proxy authentication feature was limited to communications to the database which used the Oracle Call Interface (OCI), but in Oracle9i the feature has been extended to Java Database Connectivity (JDBC) access to the database. A middle tier server can now access the Oracle9i database on behalf of a client user by establishing a lightweight session for that user through JDBC-OCI.
Oracle8i supported proxy authentication for database users authenticated by password only; the password could be passed as an attribute to be verified by the database, or not, depending on an organization's security preferences.
Oracle9i extends proxy authentication to include additional credential proxy of either the Distinguished Name (DN) or full X.509 certificate to the database. This provides strong, three-tier security by enabling an SSL credential--an X.509 certificate or DN--to be passed to the database for the purpose of identifying (but not authenticating) the user. (SSL cannot be used to authenticate a user through multiple tiers, since it is a point-to-point protocol rather than an end-to-end protocol.) For example, a user can authenticate to a middle tier using SSL, and the middle tier can extract the DN from the certificate and pass it (or the full certificate) to the database. As an additional benefit, the DN or certificate is available in the lightweight session and the elements contained therein can be used with Virtual Private Database to limit access. For example, an organization could restrict data access based on the Organizational Unit (OU) element in a user certificate presented to the database.
The database can use the DN or certificate to look up a user in Oracle Internet Directory or other LDAP-based directory certified for enterprise user security (an Oracle Advanced Security feature). Integration of proxy authentication with enterprise user security enables the user identity to be maintained throughout all tiers of an application, yet the user need only be created once, in the directory. This also enables enterprise user security to be used in three-tier applications, instead of merely client/server, as was the case with Oracle8i.
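The authorization side of the proxy model described above, as an added example that is not from the Oracle documentation: the statements a DBA runs so that one middle tier may open lightweight sessions for a named user, with the role set and credential type fixed per user, plus the audit and review queries that go with it. The user JANE, the middle-tier account APPSRV and CLERK_ROLE are constructed names.

```sql
-- Added example, not Oracle's own code.  JANE, APPSRV and CLERK_ROLE constructed.
-- APPSRV authenticates to the database with its own credentials; it may then
-- proxy only for users authorized here, and only with the roles named, so a
-- compromised middle tier cannot act as arbitrary users with all their roles.

-- Oracle8i-style: the middle tier still passes the user's password
ALTER USER jane GRANT CONNECT THROUGH appsrv
      WITH ROLE clerk_role
      AUTHENTICATED USING PASSWORD;

-- Oracle9i credential proxy (alternative to the above): the middle tier
-- authenticated JANE with SSL and forwards only her DN, or the certificate
-- itself (AUTHENTICATED USING CERTIFICATE), for identification.
ALTER USER jane GRANT CONNECT THROUGH appsrv
      WITH ROLE clerk_role
      AUTHENTICATED USING DISTINGUISHED NAME;

-- Audit the middle tier's actions per proxied user rather than as APPSRV only
AUDIT SELECT TABLE, UPDATE TABLE BY appsrv ON BEHALF OF jane;

-- Withdraw the authorization when the middle tier is retired
-- ALTER USER jane REVOKE CONNECT THROUGH appsrv;

-- Review which middle tiers may act for which users, and how
SELECT * FROM proxy_users;

-- Inside a proxied session both identities are visible, so a VPD policy can
-- use the real user and a secure application role can check the middle tier.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user
  FROM dual;
```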
Many applications use session pooling to set up a number of sessions which are reused by multiple users. In this context, "application users" are users who are authenticated to the middle tier of an application, but are not known to the database. Oracle9i introduces application user proxy authentication for these types of applications.
In this model, the middle tier passes a client identifier to the database upon session establishment. (The client identifier could be anything that represents the client connecting to the middle tier; a cookie, for example, or an IP address.) The client identifier, representing the application user, is available in user session information and can also be accessed within an application context (using the USERENV naming context), thus enabling applications to use Virtual Private Database to limit user access, even if the application users are not known to the database. Applications can set up and reuse sessions, while still being able to keep track of the "application user" in the session.
Application user proxy authentication, available in JDBC-OCI, provides the benefits of connection pooling without the overhead of setting up and managing separate user sessions (even "lightweight" ones), and enables even those applications whose users are unknown to the database to utilize Virtual Private Database. Application user proxy authentication is thus particularly valuable in eBusiness applications with thousands of users, as it supports data access control by user while meeting user scalability requirements.
By providing deep data protection, Internet-scale security, and security mechanisms specifically targeted for hosting applications and exchanges, Oracle9i Enterprise Edition is an ideal platform on which to build and deploy eBusiness applications. It contains all of the powerful features of Oracle9i Standard Edition, and more. This section includes:
For a thorough discussion of these features, see the Oracle9i documentation set.
eBusiness depends on providing customers, partners, and employees with access to information, in a way that is controlled and secure. Oracle9i addresses eBusiness security challenges through deep data protection, internet-scale security, and secure hosting and data exchange.
Deep data protection, ensuring well-formed, comprehensive security from client to application server to data server, as well as throughout the layers of an application.
Deploying eBusiness systems on the Internet increases risk. Among the best ways to mitigate security risk is to provide multiple layers of security mechanisms, so that failure of a single mechanism does not result in compromise of critical information. We refer to this concept as deep data protection; Oracle9i provides it through Virtual Private Database (VPD), Oracle Label Security, selective data encryption, and extensive auditing.
Internet-scale security enables user and privilege management to scale to hundreds of thousands of users accessing data. Oracle9i Enterprise Edition is the foundation for the Oracle Advanced Security features of user management, PKI integration, and directory-based privilege management.
Security mechanisms must scale to Internet size--support many thousands or millions of users--and still be practical to administer. Oracle9i provides a number of security features tailored to building Internet-scale applications, including proxy authentication, support for Internet standards such as Secure Sockets Layer (SSL) and relevant public key infrastructure (PKI) standards, Java security, and enterprise user security.
Secure hosting and data exchange enable economical, secure partitioning of data access by customer or by user, while supporting secure data sharing among communities of interest. Oracle9i Enterprise Edition is the foundation for Virtual Private Database technology, for the Oracle Advanced Security features of public key infrastructure (PKI) and enterprise user security, and for Oracle Label Security.
Each database application can have its own security policies. It can have its own privileges, and one or more database roles that provide different levels of security when executing the application. The database roles can be granted to user roles, or directly to specific usernames.
Applications that potentially permit unrestricted SQL statement execution (through tools such as SQL*Plus) also can have security policies that prevent malicious access to confidential or important schema objects. In this way you can ensure that users do not misuse their roles and privileges when they are not actually using the application.
Oracle9i Enterprise Edition provides row-level access control through its Virtual Private Database (VPD) technology, which is available only from Oracle Corporation. In addition, it supports the Oracle Label Security product, built on the Virtual Private Database toolkit, which adds label based access control.
This section describes:
See Also: For a complete discussion of application context, fine-grained access control, and VPD, see Oracle9i Application Developer's Guide - Fundamentals.
Oracle8i set a new standard in database security with the introduction of Virtual Private Database (VPD): server-enforced, fine-grained access control, together with secure application context, enabling multiple customers and partners to have secure direct access to mission-critical data. Within a single database, the Virtual Private Database enables data access control by user or by customer with the assurance of physical data separation. For Internet access, the Virtual Private Database can ensure that online banking customers see only their own orders. Web hosting companies can maintain multiple companies' data in the same Oracle9i database, while permitting each company to see only its own data.
Within the enterprise, the Virtual Private Database results in lower cost of ownership in deploying applications. Security can be built once, in the data server, rather than in each application that accesses data. Security is stronger, because it is enforced by the database, no matter how a user accesses data. Security is no longer bypassed when a user accesses an ad hoc query tool or new report writer. Virtual Private Database is key enabling technology for organizations building hosted, web-based applications, as well as for Oracle itself. Multiple Oracle applications, including Oracle SalesOnline.com and Oracle Portal, use VPD to enforce data separation for hosting.
In Oracle8i the Virtual Private Database feature provided fine-grained access control and application context. It secured data in the database by providing security at the row level, across all applications, by attaching a security policy directly to a table or view.
Oracle9i expands the Virtual Private Database by adding several new enhancements:
The Virtual Private Database is enabled by associating one or more security policies with tables or views. A security policy is a restriction on the type of access or view that a user can acquire. Direct or indirect access to a table with an attached security policy causes the database to consult a function implementing the policy. The policy function returns an access condition known as a predicate (a WHERE clause) which the database appends to the user's SQL statement, thus dynamically modifying the user's data access.
You can implement VPD by writing a stored procedure to append a SQL predicate to each SQL statement to control row level access for that statement. Your security policy then links the function to the desired schema and table. For example, if John Doe (who belongs to Department 10) inputs the statement SELECT * FROM emp, you can use VPD to tack on the clause WHERE DEPT = 10. In this way query modification is used to restrict data access to certain rows.
A secure application context enables access conditions to be based on virtually any attributes an application deems significant, such as organization, cost center, account number, or position. For example, a Web order entry system can enforce access based on customer number, and whether the user is a customer or a sales representative. In this way, customers can view their order status online (but only for their own orders), while sales representatives can view multiple orders, but only for their own customers.

The Virtual Private Database ensures that, no matter how a user gets to the data (through an application, a report writing tool, or SQL*Plus) the same strong access control policy is enforced. In this way, VPD can help banks ensure that customers see their own accounts (and nobody else's), that telecommunications firms can keep customer records safely segregated, and that human resources applications can support their complex rules of data access to employee records.
These fine-grained access control capabilities also apply when a synonym is used for the database name. Policy functions applied to a synonym can create the same constraints formerly imposed by creating views, without the costs in resources and processing that otherwise grow proportionately with the number of users.
Application context facilitates the implementation of fine-grained access control. It enables you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not permitted to arbitrarily change their context (for example, through SQL*Plus).
Application contexts permit flexible, parameter-based access control, based on attributes of interest to an application. For example, context attributes for a human resources application could include "position", "organizational unit", and "country" while attributes for an order-entry control might be "customer number" and "sales region".
Note that enterprise user security requires Oracle Advanced Security. This feature also supports Oracle Label Security labels and privileges.
Most applications contain information about the basis on which access is to be limited. In an order entry application, for example, customers should be limited to accessing their own orders (ORDER_NUMBER) and customer number (CUSTOMER_NUMBER). Application context is an underlying database feature that enables you to define, set, and access attributes that an application can use to enforce access control. You can securely store such user attributes as a user name, employee number, the set of books she is authorized to access, and her position in the management hierarchy. You can then retrieve that information later in the session and use it for fine-grained access control.
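The Department 10 case from the VPD description above, and the secure application context that feeds it, as one added example that is not from the Oracle documentation. Everything named here is constructed: the HR.EMP table with a DEPT column, the HR_SEC schema, the HR_CTX context, its trusted package, the USER_DEPT mapping table and the policy function. DBMS_SESSION.SET_CONTEXT and DBMS_RLS.ADD_POLICY are the Oracle interfaces used.

```sql
-- Added example, not Oracle's own code.  Schema, table, context, package and
-- function names are constructed.

-- Trusted source for the attribute: which department each database user is in
CREATE TABLE hr_sec.user_dept (
   username  VARCHAR2(30) PRIMARY KEY,
   dept      NUMBER(2)    NOT NULL);

-- 1. A context can be set only by the package named in CREATE CONTEXT, so a
--    user in SQL*Plus cannot change DEPT_NO to another department.
CREATE OR REPLACE CONTEXT hr_ctx USING hr_sec.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_sec.hr_ctx_pkg AS
   PROCEDURE set_dept;
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_sec.hr_ctx_pkg AS
   PROCEDURE set_dept IS
      l_dept hr_sec.user_dept.dept%TYPE;
   BEGIN
      -- Derive the attribute from trusted session data, never from user input
      SELECT dept INTO l_dept
        FROM hr_sec.user_dept
       WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
      DBMS_SESSION.SET_CONTEXT('hr_ctx', 'dept_no', TO_CHAR(l_dept));
   EXCEPTION
      WHEN NO_DATA_FOUND THEN
         NULL;   -- unknown user: attribute stays unset and the policy fails closed
   END set_dept;
END hr_ctx_pkg;
/

-- 2. Initialize the context from session information at logon
CREATE OR REPLACE TRIGGER hr_sec.set_hr_ctx AFTER LOGON ON DATABASE
BEGIN
   hr_sec.hr_ctx_pkg.set_dept;
END;
/

-- 3. The policy function returns the predicate the server appends.  It is a
--    constant string; the value is read from the context when the statement
--    runs, so no SQL text is ever built from user-controlled data.
CREATE OR REPLACE FUNCTION hr_sec.emp_dept_policy
      (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
   IF SYS_CONTEXT('hr_ctx', 'dept_no') IS NULL THEN
      RETURN '1 = 0';                               -- fail closed: no rows at all
   END IF;
   RETURN 'dept = SYS_CONTEXT(''hr_ctx'', ''dept_no'')';
END emp_dept_policy;
/

-- 4. Attach the policy to HR.EMP for all DML.  UPDATE_CHECK also stops a user
--    from inserting or moving a row into a department she cannot see.
BEGIN
   DBMS_RLS.ADD_POLICY(
      object_schema   => 'HR',
      object_name     => 'EMP',
      policy_name     => 'EMP_BY_DEPT',
      function_schema => 'HR_SEC',
      policy_function => 'EMP_DEPT_POLICY',
      statement_types => 'SELECT, INSERT, UPDATE, DELETE',
      update_check    => TRUE);
END;
/

-- John Doe (USER_DEPT says 10) types:   SELECT * FROM hr.emp
-- The server executes, whatever tool he uses:
--                                        SELECT * FROM hr.emp WHERE dept = 10
```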
Application contexts can be initialized in four different ways:
The application context feature was introduced in Oracle8i. Within a local database environment, attribute values can be initialized from a user's session information. Each application can have its own context with its own attributes.
This feature lets you specify a special type of namespace that accepts initialization of attribute values from external resources. This enhances performance and enables the automatic propagation of attributes from one session to the other. Many applications store attributes used for fine-grained access control within a database metadata table that they use for access control. For example, an EMPLOYEES table could include cost center, title, signing authority, and other information useful for fine-grained access control. However, many organizations centralize user information and user management in an LDAP-based directory such as Oracle Internet Directory. These organizations also wish to centralize the information about users that is used for access control. Application context attributes can be stored in the directory and assigned to one or more enterprise users. They can be retrieved automatically upon login for an enterprise user, and used to initialize an application context.
This feature provides a centralized location to store the user's application context, enabling applications to set up the user's contexts during initialization based upon the user's identity. In particular, it supports Oracle Label Security labels and privileges. This feature makes it much easier for the administrator to manage contexts for large numbers of users and databases.
Application context initialized globally utilizes the Lightweight Directory Access Protocol (LDAP), which stores a list of users to which this application is assigned. Oracle9i can use Oracle Internet Directory as the directory service for authentication and authorization of enterprise users.
Global application context can be shared among trusted sessions. In addition to driving the enforcement of the fine-grained access control policies, applications (especially middle-tier products) can use this support to manage application attributes securely and globally.
Many web-based applications use connection pooling to achieve high scalability and thereby support hundreds of thousands of users. These applications set up and reuse connections instead of having different sessions for each user. For example, web users Jane and Ajit connect to a middle tier application, which establishes a session in the database used by the application on behalf of both users. The application is responsible for switching the username on the connection, so that, at any given time, it is either Jane or Ajit using the session.
Oracle9i VPD capabilities facilitate connection pooling by enabling multiple connections to access one or more global application contexts, instead of setting up an application context for each user session. Global application contexts provide additional flexibility for web-based applications to use Virtual Private Database, as well as enhanced performance through reuse of common application contexts among multiple sessions instead of setting up application contexts for each session.
Application user proxy authentication can be used with global application context for additional flexibility and high performance in building eBusiness applications. For example, suppose a web-based application that provides information to business partners has three types of users: Gold, Silver, and Bronze, representing different levels of information available. Instead of each user having his own session--with individual application contexts--set up, the application could set up global application contexts for Gold, Silver or Bronze and use the client identifier to point the session at the correct context, in order to retrieve the appropriate type of data. The application need only initialize the three global contexts once, and use the client identifier to access the correct application context to limit data access.
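The Gold/Silver/Bronze arrangement above, as an added example that is not from the Oracle documentation: a globally accessed context initialized once with one value per tier, and the client identifier of a pooled session used to select the tier. The PARTNER_CTX context, the PARTNER_SEC package, the APPSRV pool account, the MIN_TIER column and the tier names are constructed; the session-switching calls are DBMS_SESSION.SET_IDENTIFIER and CLEAR_IDENTIFIER.

```sql
-- Added example, not Oracle's own code.  Context, package, pool account and
-- column names are constructed.

-- A global context is held in the SGA and shared by sessions; it can still be
-- set only through the trusted package named here.
CREATE OR REPLACE CONTEXT partner_ctx USING partner_sec.partner_ctx_pkg
       ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE partner_sec.partner_ctx_pkg AS
   PROCEDURE init_tiers;
   PROCEDURE attach_client(p_client_id IN VARCHAR2);
   PROCEDURE detach_client;
END partner_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY partner_sec.partner_ctx_pkg AS
   -- Run once by the middle tier after it connects as APPSRV: one context
   -- value per tier, keyed on the client identifier the application will set.
   PROCEDURE init_tiers IS
   BEGIN
      DBMS_SESSION.SET_CONTEXT('partner_ctx', 'tier', 'GOLD',
                               username => 'APPSRV', client_id => 'GOLD');
      DBMS_SESSION.SET_CONTEXT('partner_ctx', 'tier', 'SILVER',
                               username => 'APPSRV', client_id => 'SILVER');
      DBMS_SESSION.SET_CONTEXT('partner_ctx', 'tier', 'BRONZE',
                               username => 'APPSRV', client_id => 'BRONZE');
   END init_tiers;

   -- Before a pooled session is handed to a web user, point it at that user's
   -- tier.  The value must come from the middle tier's own authentication of
   -- the user, never from something the browser supplies.
   PROCEDURE attach_client(p_client_id IN VARCHAR2) IS
   BEGIN
      DBMS_SESSION.SET_IDENTIFIER(p_client_id);
   END attach_client;

   -- When the session returns to the pool, detach it so the next user does
   -- not inherit the previous user's tier.
   PROCEDURE detach_client IS
   BEGIN
      DBMS_SESSION.CLEAR_IDENTIFIER;
   END detach_client;
END partner_ctx_pkg;
/

-- Policy function for the partner data table (rows carry a MIN_TIER column):
-- the predicate is chosen by the tier that the shared context returns for the
-- session's current client identifier.  Attached with DBMS_RLS.ADD_POLICY as
-- for any other policy.
CREATE OR REPLACE FUNCTION partner_sec.tier_policy
      (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
   RETURN CASE SYS_CONTEXT('partner_ctx', 'tier')
             WHEN 'GOLD'   THEN 'min_tier IN (''GOLD'', ''SILVER'', ''BRONZE'')'
             WHEN 'SILVER' THEN 'min_tier IN (''SILVER'', ''BRONZE'')'
             WHEN 'BRONZE' THEN 'min_tier = ''BRONZE'''
             ELSE '1 = 0'                       -- no tier attached: no rows
          END;
END tier_policy;
/
```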
Fine-grained access control enables you to build applications that enforce security policies at a low level of granularity. You can use it, for example, to restrict a customer who is accessing an Oracle server to see only his own account, a physician to see only the records of her own patients, or a manager to see only the records of employees who work for him.
The ability to partition security policy enforcement by application facilitates VPD deployment. For example, suppose both an Order Entry and Inventory application access the Orders table. The Order Entry application limits access based on customer number, while the Inventory application limits access based on part number. It is very useful to be able to partition fine-grained access control so that different security policies apply, depending upon which application is accessing the data. Otherwise, application developers of the respective Order Entry and Inventory applications have to agree upon a mutual policy, which may not be feasible or possible. Applications can thus have different security policies based upon their individual application needs.
Oracle9i enables partitioning of Virtual Private Database through policy groups and a driving application context. A driving application context securely determines which application is accessing data, and policy groups facilitate managing the policies which apply by application. Oracle9i also supports default policy groups, which always apply to data access. For example, an application "striped" for application hosting using a subscriber ID could have a default policy, "Subscriber," that always enforces data separation by subscriber, and additional policy groups for Inventory and Order Entry-based access, which apply depending on the particular application accessing data.
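The Orders table case above, as an added example that is not from the Oracle documentation: a driving context that names the calling application, a hosting policy in the default group that always applies, and separate Order Entry and Inventory groups. The SALES.ORDERS table, the APP_CTX context and the three policy functions in SALES_SEC (returning predicates on subscriber, customer number and part number) are constructed; the DBMS_RLS calls are the Oracle interface.

```sql
-- Added example, not Oracle's own code.  Table, context and function names are
-- constructed; the policy functions themselves are assumed to exist.
BEGIN
   -- Driving context: APP_CTX.APP, set by the trusted package behind the
   -- context, names the application and therefore selects the policy group.
   DBMS_RLS.ADD_POLICY_CONTEXT(
      object_schema => 'SALES', object_name => 'ORDERS',
      namespace     => 'app_ctx', attribute  => 'app');

   -- Hosting separation in SYS_DEFAULT: applied on every access, whatever
   -- value APP carries.
   DBMS_RLS.ADD_GROUPED_POLICY(
      object_schema   => 'SALES',      object_name     => 'ORDERS',
      policy_group    => 'SYS_DEFAULT', policy_name    => 'BY_SUBSCRIBER',
      function_schema => 'SALES_SEC',  policy_function => 'subscriber_policy',
      statement_types => 'SELECT, INSERT, UPDATE, DELETE',
      update_check    => TRUE);

   -- Order Entry works by customer number ...
   DBMS_RLS.CREATE_POLICY_GROUP('SALES', 'ORDERS', 'ORDER_ENTRY');
   DBMS_RLS.ADD_GROUPED_POLICY(
      object_schema   => 'SALES',      object_name     => 'ORDERS',
      policy_group    => 'ORDER_ENTRY', policy_name    => 'BY_CUSTOMER',
      function_schema => 'SALES_SEC',  policy_function => 'customer_policy',
      statement_types => 'SELECT, INSERT, UPDATE, DELETE',
      update_check    => TRUE);

   -- ... while Inventory works by part number and only reads
   DBMS_RLS.CREATE_POLICY_GROUP('SALES', 'ORDERS', 'INVENTORY');
   DBMS_RLS.ADD_GROUPED_POLICY(
      object_schema   => 'SALES',      object_name     => 'ORDERS',
      policy_group    => 'INVENTORY',  policy_name     => 'BY_PART',
      function_schema => 'SALES_SEC',  policy_function => 'part_policy',
      statement_types => 'SELECT');
END;
/

-- With APP = 'ORDER_ENTRY' a statement gets the SYS_DEFAULT and ORDER_ENTRY
-- predicates ANDed together.  If the driving context is null, policies from
-- all groups are applied, so an application that never identifies itself gets
-- the most restrictive result rather than bypassing a group.

-- Review what is attached
SELECT policy_group, policy_name, pf_owner, function, enable
  FROM dba_policies
 WHERE object_owner = 'SALES' AND object_name = 'ORDERS'
 ORDER BY policy_group, policy_name;
```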
Applications may have differing user models, but still want to use VPD to limit access by user. Oracle9i provides a number of ways in which applications can enforce fine-grained access control by user, regardless of whether the user is a database user, or an application user unknown to the database.
For applications in which the application users are also database users, VPD enforcement is relatively simple; users connect to the database, and the application can set up application contexts for each session. Each session is initiated under a different username, so that it is simple to enforce different fine-grained access control conditions for "Jane" and "John". This is also possible with use of proxy authentication, since each "lightweight" session in JDBC-OCI is still a distinct database session, and can have its own application context. Since proxy authentication can be integrated with Enterprise User Security, user roles can be retrieved from Oracle Internet Directory, as well as other attributes that can be used for VPD enforcement.
For applications in which a single user (such as OneBigApplicationUser) connects to the database on behalf of all users, fine-grained access control by user is still possible. An application developer can create a context attribute to represent the application user (such as "realuser"). While all database sessions (and thus all audit records) are initiated as OneBigApplicationUser, each session can nonetheless have attributes that vary, depending on who the "real user" is. This model works best for applications with a limited number of users where there is no requirement for session reuse. Of course, each session--from the database standpoint--is created as the same database user, so that the ability to use roles, database auditing, and so on, is greatly diminished for reasons previously enumerated.
Oracle9i offers improved management of VPD policies through Oracle Policy Manager, an easy-to-use graphical user interface (GUI) accessed through Oracle Enterprise Manager. Developers can use Oracle Policy Manager to apply security policies to schema objects, such as tables and views, as well as to create application contexts, thus making VPD much easier to develop and manage. Oracle Policy Manager is also the administration tool for Oracle Label Security, a VPD-based product that provides label-based access to data. VPD is thus the generic mechanism for fine-grained data access control, and Oracle Label Security is one product built on it.
Secure application roles, a feature unique to Oracle9i, enable you to base use of a role on user-defined criteria. A secure application role is a role which is implemented by a package. For example, you could write a package permitting use of a role only by a user connecting from a particular IP address, or only by a user accessing the database through a particular middle tier.
In three-tier systems using proxy authentication, the package can validate that the user session was created by a middle tier, and thus that the user is accessing the database through the correct application. The secure application role can also ensure that a user connecting directly to the database is not able to access any data. A secure application role can enforce other security conditions, as well; for example, the user may not be permitted to access especially sensitive human resources data from the Internet.
A secure application role builds on the native strong authentication and fine-grained access control of the database: the role's privileges cannot be assumed unless the conditions coded in its package are met, so a user who bypasses the application and connects directly gains nothing from the role. This addresses a difficult security problem for web-based application data access, where the application's privileges would otherwise be usable by anyone able to connect to the database.
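The following is an added example, not code from the Oracle documentation, of a secure application role that enforces the two conditions described above: the session must have been created by the middle tier through proxy authentication, and it must arrive from the middle tier's address. The names APPSEC, HR_APP_ROLE, MIDTIER_USER, JANE and the 10.0.5.* address range are assumptions; the syntax and the USERENV attributes are the Oracle9i ones.

```sql
-- Added example (not from the Oracle documentation). Assumed names: schema
-- APPSEC, role HR_APP_ROLE, middle-tier account MIDTIER_USER, end user JANE,
-- middle-tier address range 10.0.5.*.

-- 1. The role is "identified using" the package: no password, and a plain
--    SET ROLE from a client fails.
CREATE ROLE hr_app_role IDENTIFIED USING appsec.hr_app_role_pkg;
GRANT SELECT ON hr.employees TO hr_app_role;   -- whatever the application needs

-- 2. Invoker's rights (AUTHID CURRENT_USER) are required: the package must
--    enable the role in the caller's session, not in the definer's.
CREATE OR REPLACE PACKAGE appsec.hr_app_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_app_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY appsec.hr_app_role_pkg AS
  PROCEDURE enable_role IS
    v_proxy VARCHAR2(30) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_ip    VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- A user who connects directly has no proxy user: refuse, so the role's
    -- privileges are reachable only through the application.
    IF v_proxy IS NULL OR v_proxy <> 'MIDTIER_USER' THEN
      RAISE_APPLICATION_ERROR(-20010,
        'HR_APP_ROLE can be enabled only through the application middle tier');
    END IF;
    -- For a proxied session IP_ADDRESS is the middle tier's address; pin it.
    -- Test NULL explicitly: "NULL NOT LIKE ..." is not TRUE, so without the
    -- IS NULL test a local (bequeath) connection would slip past this check.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.0.5.%' THEN
      RAISE_APPLICATION_ERROR(-20011,
        'unexpected middle-tier address: ' || NVL(v_ip, '<none>'));
    END IF;
    -- SET_ROLE replaces the session's enabled roles with the ones listed, so
    -- list every role the application session needs from here on.
    DBMS_SESSION.SET_ROLE('HR_APP_ROLE');
  END enable_role;
END hr_app_role_pkg;
/

-- 3. Wire up the user: the middle tier may proxy for her, she may call the
--    package, and the role must not be a default role (a default role is
--    enabled at logon without the package ever running).
ALTER USER jane GRANT CONNECT THROUGH midtier_user;
GRANT hr_app_role TO jane;
ALTER USER jane DEFAULT ROLE ALL EXCEPT hr_app_role;
GRANT EXECUTE ON appsec.hr_app_role_pkg TO jane;

-- In the proxied session the middle tier opened for JANE:
--   EXEC appsec.hr_app_role_pkg.enable_role;
--   SELECT * FROM hr.employees;      -- now permitted
-- Connected directly as JANE: enable_role raises ORA-20010, and
-- SET ROLE hr_app_role fails because the role is identified using a package.
```

Two details are easy to get wrong: the package must be invoker's rights, or the role is enabled for the package owner's session context rather than the caller's; and the role must be removed from the user's default roles, or it is active from logon and the package's checks are never consulted.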
Oracle9i expands upon the existing robust, granular auditing capabilities of the database by introducing extensible, fine-grained auditing. Fine-grained auditing lets organizations focus auditing on the specific data accesses that concern them. Besides providing more targeted audit information, such as evidence of misuse of legitimate access, fine-grained auditing can also serve as an intrusion detection system for the Oracle9i database itself.
Fine-grained auditing enables organizations to define audit policies, which specify the data access conditions that trigger the audit event, and use a flexible event handler to notify administrators that the triggering event has occurred. For example, an organization may permit HR clerks to access employee salary information, but audits access when salaries greater than $500K are accessed. The audit policy "where SALARY > 500000" is applied to the EMPLOYEES table through an audit policy interface (a PL/SQL package named DBMS_FGA).
For additional flexibility in implementation, organizations can employ a user-defined function to determine the policy condition, and identify a relevant column for auditing. For example, the function could permit unaudited access to any salary as long as the user is accessing data within the intranet, but audit access to executive-level salaries when they are accessed from the Internet. An audit column helps reduce the instances of false or unnecessary audit records, because the audit need only be triggered when a particular column is referenced in the query. For example, an organization may only wish to audit executive salary access when an employee name is accessed, because accessing salary information alone is not meaningful unless an HR clerk also selects the corresponding employee name.
Upon a triggering audit event, Oracle9i captures the exact SQL text of the statement the user executed in audit tables, along with additional information such as the user executing the query, a timestamp, and so on. In conjunction with other database features such as LogMiner, fine-grained auditing can be used to re-create the exact records returned to a user. This may be especially important to organizations which have especially sensitive information they wish to share, for which they require strict accountability. For example, many law enforcement organizations at the international, federal, state and local level are increasingly becoming "eBusinesses" by sharing information among themselves, yet it is more important than ever that they audit access to sensitive information, such as informant data, to know who accessed what exact data.
The event handler provides organizations with flexibility in determining how to handle a triggering audit event. A triggering audit event could be written into a special audit table for further analysis, or could activate a pager for the security administrator. The event handler enables organizations to fine-tune their audit response to appropriate levels of escalation.
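The following is an added example, not code from the Oracle documentation, that implements the salary policy, the audit column and the event handler described above with DBMS_FGA. The APPSEC schema, the FGA_ALERTS table and the handler body are assumptions; the DBMS_FGA.ADD_POLICY parameters and the handler signature are the Oracle9i ones.

```sql
-- Added example (not from the Oracle documentation). Assumed objects: schema
-- APPSEC, alert table APPSEC.FGA_ALERTS; HR.EMPLOYEES with SALARY and LAST_NAME
-- columns as in the text's example.

-- Table the handler writes to (the built-in trail is DBA_FGA_AUDIT_TRAIL).
CREATE TABLE appsec.fga_alerts (
  alert_time  DATE DEFAULT SYSDATE,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(64),
  ip_address  VARCHAR2(64),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000));

-- The handler runs in the audited user's session, once per triggering
-- statement. The autonomous transaction keeps the alert even if the user's own
-- transaction is rolled back. If the handler raises an error the user's
-- statement fails (ORA-28144), so keep it small and robust.
CREATE OR REPLACE PROCEDURE appsec.salary_alert(
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO appsec.fga_alerts
    (db_user, os_user, ip_address, policy_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     policy_name,
     SYS_CONTEXT('USERENV', 'CURRENT_SQL'));  -- text of the audited statement
  COMMIT;
END salary_alert;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EXEC_SALARY_BY_NAME',
    -- Evaluated against the rows the query returns. It may also reference
    -- SYS_CONTEXT, e.g. to audit only access that does not come from the intranet.
    audit_condition => 'SALARY > 500000',
    -- Audit only when the statement references this column: a salary without
    -- the corresponding name is not meaningful, so it need not be audited.
    audit_column    => 'LAST_NAME',
    handler_schema  => 'APPSEC',
    handler_module  => 'SALARY_ALERT',
    enable          => TRUE);
END;
/

-- Effect (Oracle9i fine-grained auditing applies to SELECT statements):
--   SELECT salary FROM hr.employees;
--     never audited: LAST_NAME is not referenced
--   SELECT last_name FROM hr.employees WHERE salary > 600000;
--     audited: LAST_NAME referenced and the returned rows satisfy the condition
--   SELECT last_name, salary FROM hr.employees WHERE salary < 100000;
--     not audited: no returned row has SALARY > 500000
```

The audit condition is evaluated against returned rows, not against the WHERE clause text, so a query that filters out every executive salary produces no record even though it names both columns; this is what keeps the policy from generating noise for routine HR work.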
With Oracle9i, Oracle customers are not only able to preserve the identity of the real client over the middle tier and enforce "least privilege" through a middle tier, but can also audit actions taken on behalf of the user by the middle tier. Oracle9i audit records capture both the logged-in user (that is, the middle tier) who initiated the connection, and the user on whose behalf an action is taken.
Oracle9i contains a Java security implementation in the server. The Java virtual machine (JVM) is the Java interpreter that converts compiled Java bytecode into the machine language of the platform and runs it. JVMs can run on a client, in a browser, in a middle tier, on a Web server, on an application server such as Oracle9i Application Server, or in a database server such as Oracle9i.
In the Oracle9i JVM implementation, the right to execute code in classes is controlled by execute privileges on the classes themselves. This is the same database privilege as execute privilege on a PL/SQL package, and is managed in the same way.
The Oracle9i JVM starts with the class java.lang.SecurityManager installed. The Oracle9i database is based on the Java Developer's Kit 1.2 release from Sun Microsystems, and implements the security features of that release. In this implementation, permissions are controlled by the contents of a database table. The table is normally managed by PL/SQL procedures (and Java methods). The table can be used to grant permissions to either users or roles, and the "code source" of a class is identified with the user in whose schema the class has been loaded. Specific Oracle permissions control the right to update the table and perform other security sensitive operations.
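The following is an added example, not code from the Oracle documentation, showing how the permission table described above is managed through the DBMS_JAVA interface: a least-privilege grant to one schema, a restriction that overrides a broader grant, and the data dictionary query that shows the result. The schema APPSCHEMA, the paths and the host name are assumptions.

```sql
-- Added example (not from the Oracle documentation). Assumed: schema
-- APPSCHEMA holds the application's Java classes; the paths and host are
-- illustrative. DBMS_JAVA.GRANT_PERMISSION / RESTRICT_PERMISSION and the
-- DBA_JAVA_POLICY view are the Oracle9i interfaces to the policy table.

-- Least privilege: classes loaded into APPSCHEMA may read one directory tree
-- and connect to one LDAP host, rather than <<ALL FILES>> or any socket.
CALL dbms_java.grant_permission('APPSCHEMA', 'SYS:java.io.FilePermission',
                                '/var/app/config/-', 'read');
CALL dbms_java.grant_permission('APPSCHEMA', 'SYS:java.net.SocketPermission',
                                'ldap.example.com:389', 'connect,resolve');

-- A restriction is consulted before grants, so the key subtree stays closed
-- even though the broader read grant above covers it.
CALL dbms_java.restrict_permission('APPSCHEMA', 'SYS:java.io.FilePermission',
                                   '/var/app/config/keys/-', 'read');

-- Verify: one row per grant or restriction, with its status.
SELECT kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'APPSCHEMA'
 ORDER BY kind, seq;
```

The grantee can be a user or a role; granting to a role is what makes the table manageable once several schemas load code. Because the code source of a class is the schema it was loaded into, a grant to APPSCHEMA applies to every class in that schema, so code that needs different permissions belongs in a different schema.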
Oracle Advanced Security is the value-added Internet security bundle for Oracle9i. Its functionality falls into three categories: network security services, enterprise user security, and public key infrastructure (PKI). The features of this product are described in the following sections:
Oracle Advanced Security bundles security services for Oracle9i. It is provided as a separately priced option which may be purchased along with Oracle9i Enterprise Edition.
Although installed by default, Oracle Advanced Security is a separately priced option to Oracle9i Enterprise Edition, and must be purchased when used. This licensing requirement also affects customers wishing to use security features in combination with Java Beans (EJB over IIOP/SSL) or database enterprise users with Oracle Net/SSL. The exclusive exception is an HTTPS (HTTP/SSL) connection to the RDBMS, which does not require an Oracle Advanced Security license.
Figure 9-2 shows the Oracle Advanced Security architecture within an Oracle networking environment.

Oracle Advanced Security supports authentication through adapters that are very much like the existing Oracle protocol adapters.
See Also: For more information about stack communications in an Oracle networking environment, see Oracle9i Net Services Administrator's Guide.
Oracle Advanced Security provides several methods of protecting the privacy of data transmissions.
Oracle Advanced Security ensures data privacy by encrypting network traffic in order to prevent anyone from reading the data during transmission.
Oracle Advanced Security provides several industry-standard encryption and checksumming algorithms which can be selected based on the particular requirements of your system. Selection of the network encryption method offers varying levels of security and performance for different types of data transfers.
Note that the strength of a cryptosystem depends on its key management. Oracle Advanced Security uses the public-key based Diffie-Hellman key negotiation algorithm to establish the session keys used for both encryption and data integrity. When encryption protects data in transit, keys should be changed frequently to limit the damage a compromised key can do; for this reason, the Oracle Advanced Security key management facility negotiates a fresh session key for every session. With Oracle Advanced Security, the Diffie-Hellman key exchange is automatic, eliminating the key distribution administration associated with other encryption systems.
Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export--each with different encryption key lengths. Release 9.0.1 now contains a full complement of the available encryption algorithms and key lengths for Oracle customers worldwide, previously only available in the U.S. Domestic edition. Users deploying prior versions of the product can obtain the U.S. Domestic edition for a specific product release.
Oracle Advanced Security comes out of the box with industry-standard algorithms and a FIPS-compliant implementation of cryptography, which help to simplify the often difficult task of implementing encryption. The following industry-standard encryption algorithms are supported:
Oracle Advanced Security hides the complexity of key management and encryption from the administrator and the users. Users need only perform a few simple steps to configure Oracle Advanced Security encryption. You can either use the Oracle Net Manager graphical user interface tool to select encryption algorithms, or else manually set six sqlnet.ora parameters. Once configured, the encryption is transparent to users.
Very little overhead is associated with Oracle Advanced Security encryption. Performance varies (depending on the operating system, the encryption algorithm chosen, and other factors); however, performance tests show a degradation of approximately one-tenth of a second.
Oracle Advanced Security ensures data integrity with sequenced, cryptographic checksums. To ensure that data has not been modified, deleted, or replayed during transmission, Oracle Advanced Security optionally generates a cryptographically secure message digest--through cryptographic checksums using the MD5 algorithm--and includes it with each packet sent across the network. Alternatively, Oracle Advanced Security can use SHA-1 (with SSL). Data integrity algorithms add little overhead, and protect against data modification attacks, deleted packets, and replay attacks.
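The following is an added configuration example, not from the Oracle documentation, showing the sqlnet.ora parameters referred to above for native Oracle Net encryption and integrity. The parameter names are the documented SQLNET.* ones; the algorithm choice, the seed string and the split into a "server" and a "client" file are assumptions for illustration.

```ini
# Added example (not from the Oracle documentation). Parameter names are the
# documented ones; the values are illustrative.

# ---- sqlnet.ora on the database server ----
# The default for both ENCRYPTION_SERVER and ENCRYPTION_CLIENT is ACCEPTED,
# which only negotiates encryption if the other side asks for it: two ACCEPTED
# endpoints silently talk in cleartext. REQUIRED refuses any client that will
# not (or cannot) encrypt, which is the setting a server protecting sensitive
# data should use; REQUESTED asks but falls back to cleartext.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (3DES168)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
# 10 to 70 random characters that feed the random-number generation behind the
# Diffie-Hellman session key exchange. Sample value only: use your own.
SQLNET.CRYPTO_SEED = "p3qxv7ZmL0wkT9ydR2cH6nB4sG8jF1aE"

# ---- sqlnet.ora on each client ----
# ACCEPTED would also work against a REQUIRED server, but REQUIRED on the
# client guarantees the client never connects in the clear to a
# misconfigured server.
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (3DES168)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (MD5)
SQLNET.CRYPTO_SEED = "Vk2mQ8rZt4xL7wNc1bH5yJ9dS3gP6fA0"
```

Setting both sides to REQUIRED turns a misconfiguration into a connection failure (ORA-12650 when the two sides have no algorithm in common) instead of an unnoticed cleartext session, which is the behaviour a practitioner wants from an encryption control.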
Oracle Advanced Security provides SSL encryption capabilities, as described in this section.
The Oracle Advanced Security SSL feature can be used to secure communications between any client and any server. This includes data in Oracle Net Services, LDAP, JDBC-OCI, and IIOP format. SSL encryption provides users with an alternative to the native Oracle Net Services encryption protocol which is supported in Oracle Advanced Security. A benefit of SSL is that it is a de facto Internet standard, and can be used with clients which use protocols other than Oracle Net Services.
SSL support in Oracle Advanced Security encrypts network traffic and provides integrity checking, authenticates Oracle clients and servers, and brings public key-based single sign-on to the Oracle environment. SSL provides encryption and data integrity through the use of cipher suites, which are sets of authentication, encryption, and data integrity types. The client and server each have a list of cipher suites they support (such as RSA for authentication, with 3DES for encryption and SHA-1 for data integrity). They negotiate which one is to be used during connection.
The SSL feature of Oracle Advanced Security permits the use of the Secure Hash Algorithm (SHA) as well as MD5. SHA is slightly slower than MD5, but produces a larger message digest to make it more secure against brute-force collision and inversion attacks.
Oracle9i Application Server supports SSL encryption between thin clients and the Oracle9i Application Server, as well as between Oracle9i Application Server and Oracle9i Data Server.

See Also: "Secure Sockets Layer (SSL) Protocol" and "Secure Sockets Layer Authentication and X.509v3 Digital Certificates".
Sun Microsystems defined the Java Database Connectivity (JDBC) standard, and Oracle Corporation, as an individual provider, implements and extends the standard with its own JDBC drivers. Oracle offers 4 kinds of JDBC driver:
Since the JDBC-OCI driver uses the full Oracle Net Services communications stack on both client and server, it can take advantage of existing Oracle Advanced Security encryption and authentication mechanisms. In Oracle9i, proxy authentication has been extended to Java Database Connectivity (JDBC-OCI), which enables a middle tier server to access the Oracle9i database on behalf of a client user by establishing a lightweight session for the user.
Because the thin JDBC driver is designed to be used with downloadable applets used over the Internet, Oracle9i includes a 100% Java implementation of Oracle Advanced Security encryption and integrity algorithms for use with thin clients. Several benefits enable eBusinesses deploying Oracle and other components to securely transmit a variety of information over a variety of channels:
The Oracle JDBC Thin driver implements the Oracle password protocol for authentication. It does not support Oracle Advanced Security SSL implementation, nor does it support third party authentication features such as RADIUS or Kerberos. The Oracle JDBC-OCI driver supports all Oracle Advanced Security features.
Oracle Advanced Security continues to encrypt and provide integrity checking of Oracle Net Services traffic between Oracle Net Services clients and Oracle servers using algorithms written in C. The Oracle Advanced Security Java implementation for Thin JDBC provides Java versions of the following encryption algorithms:
On the server, the negotiation of algorithms and the generation of keys function exactly as they do for Oracle Advanced Security Oracle Net Services encryption, thus enabling backward and forward compatibility of clients and servers. On the client, the algorithm negotiation and key generation occur in exactly the same manner as in C-based Oracle Advanced Security encryption. The client and server negotiate encryption algorithms, generate random numbers, use Diffie-Hellman to exchange session keys, and use the Oracle Password Protocol, in the same manner as traditional Oracle Net Services clients. Thin JDBC contains a complete implementation of an Oracle Net Services client in pure Java. Consistent with other encryption implementations, the Java implementation of Oracle Advanced Security prevents access to the cryptographic algorithms, makes it impossible to double encrypt data, and encrypts data as it passes through the network. Users cannot alter the keyspace nor alter the encryption algorithms themselves.
Oracle Java SSL is a commercial-grade implementation of Java Secure Socket Extension (JSSE). In order to create a secure, fast implementation of SSL, Oracle Java SSL uses native code to improve the performance of critical components. In addition to the functionality included in the JSSE specifications, Oracle Java SSL supports the following:
Oracle Advanced Security provides enhanced user authentication through several third-party authentication services, and through the use of SSL with digital certificates. Many of these options use centralized authentication, which can give you high confidence in the identity of users, clients, and servers in distributed environments. It also provides for enhanced authentication by integrating technologies such as token cards to prove users' identities. User authentication, a function of Oracle9i, is significantly enhanced by using the authentication methods supported by Oracle Advanced Security.
Supported authentication methods include:
Figure 9-4 shows some of the strong authentication components of Oracle Advanced Security. The authentication adapters integrate below the Oracle Net Services interface and permit existing applications to take advantage of new authentication systems transparently, without any changes to the application.

Oracle provides a public key infrastructure (PKI) for using public keys and certificates. This section summarizes the Oracle PKI authentication capabilities.
Standard PKI Support in Oracle Advanced Security
Oracle9i supports standard X.509 version 3 certificates and relevant Public Key Certificate Standards (PKCS) for certificate request and installation. This enables users to request certificates from any certificate authority (CA) which also supports these standards. It also enables users to install trusted root certificates from their choice of CAs, enabling the server to recognize and validate certificates issued by those CAs. Oracle works with leading PKI service and product vendors, including VeriSign and Baltimore Technologies, to ensure that their CA trusted roots are pre-installed in Oracle9i, enabling customers to use certificates from those vendors to authenticate to Oracle9i out-of-the-box.
Secure Sockets Layer (SSL) Authentication in Oracle Advanced Security
Oracle Advanced Security SSL can be used to authenticate:
Anonymous, server-only, and mutual (client and server) authentication by X.509 certificates are all supported.
SSL features can be used by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, SSL can be used with Kerberos, using the encryption provided by SSL in combination with the Kerberos authentication method.
Users and administrators use Oracle Wallet Manager to manage digital certificates for use with SSL. Oracle Wallet Manager gives users and database administrators control over the contents of their wallets. The administrator can centrally manage wallets on an LDAP-compliant directory. Oracle Enterprise Login Assistant, an easy-to-use tool, is provided for end users to open the wallet and perform the login over SSL. This tool enables users to achieve single sign-on, simply and transparently, using certificates for authentication. The wallet and management tools are used together to securely store and manage certificates, private keys, and requests to certificate server.
Entrust/PKI Support in Oracle Advanced Security
Oracle Advanced Security enables customers of both Oracle Corporation and Entrust Technologies, Inc. to incorporate Entrust-based single sign-on into their Oracle applications. By integrating with Entrust/PKI, Oracle enhances its ability to provide X.509-based single sign-on to large customers who require the extensive key management, certificate revocation, and other features that Entrust provides.
Oracle Advanced Security supports Entrust Profile, which is the Entrust mechanism for storage of certificates and private keys and for secure credential management. Instead of accessing user credentials (private key and certificate) from an Oracle wallet, Oracle Advanced Security can access a user's Entrust Profile for authentication and single sign-on. Entrust integration requires Entrust Authority 5.
Oracle Advanced Security support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication of Oracle users.
Note: Oracle authentication for Kerberos provides database link authentication (also called proxy authentication). CyberSafe does not support proxy authentication.
RADIUS (the Remote Authentication Dial-In User Service) support provides two major benefits for Oracle customers. First, it enables support for authentication technologies including token cards, smart cards, and challenge-response. Second, it readily integrates into existing systems by making the Oracle9i data server a RADIUS client, thus capitalizing on the infrastructure and investment that organizations have already made.
With RADIUS you can choose virtually any mechanism available to authenticate network users. Many token and smart card manufacturers support RADIUS, and any RADIUS-compliant device can integrate with Oracle Advanced Security to authenticate Oracle users with little modification required by the authentication provider. Since many organizations have implemented RADIUS for remote access to their networks, Oracle easily integrates into existing systems and takes advantage of the investments that an organization has already made.
Any third party authentication vendor can implement the client graphical user interface by customizing the Java interface class that ships with Oracle Advanced Security. Products from the following vendors integrate with Oracle Advanced Security by means of the RADIUS interface:
Token card technologies enhance user authentication. Oracle Advanced Security supports SecurID tokens from RSA, which strengthen security through two-factor authentication: the user must know the PIN and have the SecurID electronic token card. In addition, RADIUS support in Oracle Advanced Security permits integration with a variety of token cards. Organizations can choose which token(s) they would like to use to protect networks from unauthorized use.
Oracle Advanced Security integrates with RADIUS-compliant smart cards, in order to authenticate Oracle users. Smart cards are becoming popular as strong security devices. Since they contain a processor, they can generate dynamic passwords. Because they have memory, they are useful for storing data such as a username, a certificate, or a medical record. Smart cards are being widely deployed, and organizations relying on them for proof of user identities can do so when users connect to Oracle.
A biometric device vendor who supports RADIUS can integrate with Oracle Advanced Security. The biometric device, deployed on clients and/or servers requiring strong authentication, provides user authentication based on a physical characteristic of an individual.
Distributed Computing Environment (DCE) integration enables users to transparently use Oracle tools and applications to access Oracle9i databases in a DCE environment. Oracle Advanced Security supports DCE 1.0 from OSF, on certain platforms, such as Solaris, Windows, HP, AIX.
You can integrate your Oracle network with any or all of the DCE services, which include security services, authentication and single sign-on, and mapping of Oracle roles to DCE groups for central authorization management.
Oracle Advanced Security minimizes maintenance of multiple passwords by supporting secure, single sign-on capabilities in a distributed environment. A user only needs to log on once a day, and can automatically connect to other services without having to give a user name and password again. This eliminates both the need for the user to remember and administer multiple passwords, and the time spent logging into multiple services. Single sign-on also simplifies management of user accounts and passwords for system administrators.
Centralized authentication makes single sign-on possible. Different configurations are supported:
Oracle Advanced Security is integrated with several different technologies to support single sign-on functionality. These include Kerberos, CyberSafe, and DCE.
Oracle Advanced Security provides SSL-based single sign-on and Entrust-based single sign-on for Oracle users by integrating with LDAP v3-compliant directory services. The combination of integrated directory services and the Oracle PKI implementation enable SSL-based single sign-on to Oracle9i databases. Single sign-on lets users be authenticated once, with subsequent connections relying on the user's digital certificate.
Enterprise User Security addresses user, administrative, and security challenges by centralizing storage and management of user-related information in an LDAP-compliant directory service. When an employee changes jobs in such an environment, the administrator need only modify information in one location--the directory--to make effective changes in multiple databases and systems. This centralization can substantially lower administrative costs while materially improving enterprise security.
This release extends Enterprise User Security support into three-tier environments. Oracle9i proxy authentication features enable:
Note that this combination applies to both SSL-authenticated and password-authenticated enterprise users.
This section describes:
Oracle Advanced Security enables two types of enterprise users: those authenticated by SSL, and those authenticated with passwords.
SSL-authenticated users benefit from single sign-on to Oracle9i using industry-standard, interoperable X.509 v3 certificates over Secure Sockets Layer v3.
Oracle Advanced Security also implements password-based authentication for enterprise users, eliminating the requirement for client-side wallets and most Secure Socket Layer (SSL) processing. (SSL is still required to secure connections between the database and Oracle Internet Directory.) Password-authenticated enterprise users can use the same password, securely stored in the LDAP-compliant directory, to authenticate to multiple databases. Administrators can manage both types of user within one directory.
With its reduced processing overhead, improved ease-of-use, and simplified setup and administration, password-authenticated enterprise users are particularly useful for large user communities accessing multiple applications. Oracle Advanced Security supports enterprise user logins with password-based authentication for all prior Oracle client versions. Furthermore, enterprise users can use a single enterprise username and password to connect to multiple