F Entrust-Enabled SSL Authentication</ title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta http-equiv="Content-Language" content="EN"> <me ta http-equiv="Content-Style-Type" content="text/css"> <meta http-equiv="Content-Script-Type" content="text/javascript"> <meta name=" robots" content="all" scheme="http://www.robotstxt.org/"> <meta name="doctitle" content="Oracle® Database Advanced Security Admin istrator's Guide 10g Release 1 (10.1)"> <meta name="partno" content="B10772-01"> <meta name="docid" content="ASOAG"> <link rel="Start " href="../../index.htm" title="Home" type="text/html"> <link rel="Copyright" href="../../dcommon/html/cpyr.htm" title="Copyright" ty pe="text/html"> <link rel="Stylesheet" href="../../dcommon/css/doccd.css" title="Default" type="text/css"> <link rel="Contents" href= "toc.htm" title="Contents" type="text/html"> <link rel="Index" href="index.htm" title="Index" type="text/html"> <link rel="Prev" href ="asoappe.htm" title="Previous" type="text/html"> <link rel="Next" href="asoappg.htm" title="Next" type="text/html"> <link rel="alter nate" href="../b10772.pdf" title="PDF version" type="application/pdf"> </head> <body> <div class="header"> <p><a name="top" id="top" href="#BEGIN">Skip Headers</a></p> <table summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top" ><font color="#330099" face="Helvetica, Arial, sans-serif"><strong>Oracle® Database Advanced Security Administrator's Guide<br> 1 0<i>g</i> Release 1 (10.1)</strong><br> Part Number B10772-01</font></td> <td valign="bottom" align="right"> <table summary="" cells pacing="0" cellpadding="0" width="270"> <tr> <td align="center" valign="top"><a href="../../index.htm"><img src="../../dcommon/gifs/p rodicon.gif" alt="Go to Documentation Home" border="0"><br> <font size="-2">Home</font></a></td> <td align="center" valign="top"><a h ref="../../nav/portal_3.htm"><img src="../../dcommon/gifs/bookicon.gif" alt="Go to Book List" border="0"><br> <font size="-2">Book Li st</font></a></td> <td align="center" valign="top"><a href="toc.htm"><img src="../../dcommon/gifs/conticon.gif" alt="Go to Table of C ontents" border="0"><br> <font size="-2">Contents</font></a></td> <td align="center" valign="top"><a href="index.htm"><img src="../.. /dcommon/gifs/indxicon.gif" alt="Go to Index" border="0"><br> <font size="-2">Index</font></a></td> <td align="center" valign="top">< a href="../../mix$101/b12039/toc.htm"><img src="../../dcommon/gifs/mix.gif" alt="Go to Master Index" border="0"><br> <font size="-2"> Master Index</font></a></td> <td align="center" valign="top"><a href="../../dcommon/html/feedback.htm"><img src="../../dcommon/g ifs/feedback.gif" alt="Go to Feedback page" border="0"><br> <font size="-2">Feedback</font></a></td></tr></table></td></tr></table> < hr> <table summary="layout table" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top"> <table summary="l ayout table" cellspacing="0" cellpadding="0" align="left" width="90"> <tr> <td align="center" valign="top"><a href="asoappe.htm"><img src="../../dcommon/gifs/larrow.gif" alt="Go to previous page" border="0"><br> <font size="-2">Previous</font></a></td> <td align="ce nter" valign="top"><a href="asoappg.htm"><img src="../../dcommon/gifs/rarrow.gif" alt="Go to next page" border="0"><br> <font size="- 2">Next</font></a></td></tr></table></td> <td align="right" valign="top"><a href="../b10772.pdf"><font size="-2">View PDF</font></a>< /td></tr></table> <a name="BEGIN"></a></div> <div class="IND"> <a name="620714"></a>  <h1 class="Title"><font face="Arial, Helvetica, sans-serif" color="#330099">F<br> <a name="ASOAG080">Entrust-Enabled SSL Authentication </a></font></h1>  <a name="635458"></a> <p class="BP">Entrust Authority (formerly known as Entrust/PKI) is a suite of PKI products provided by Entrust, Inc., that provides certificate generation, certificate revocation, and key and certificate mana gement. Oracle Advanced Security is integrated with Entrust Authority so both Entrust and Oracle users can enhance their Oracle envir onment security.</p> <a name="635208"></a> <p class="BP">This appendix contains the following topics:</p> <ul class="LB1"> <li class ="LB1" type="disc"><a name="635209"></a><a href="asoappf.htm#635282">Benefits of Entrust-Enabled Oracle Advanced Security</a></li> <l i class="LB1" type="disc"><a name="635216"></a><a href="asoappf.htm#634521">Required System Components for Entrust-Enabled Oracle Adv anced Security</a></li> <li class="LB1" type="disc"><a name="635220"></a><a href="asoappf.htm#634643">Entrust Authentication Process< /a></li> <li class="LB1" type="disc"><a name="635224"></a><a href="asoappf.htm#634676">Enabling Entrust Authentication</a></li> <li c lass="LB1" type="disc"><a name="635229"></a><a href="asoappf.htm#634953">Issues and Restrictions that Apply to Entrust-Enabled SSL</a ></li> <li class="LB1" type="disc"><a name="635233"></a><a href="asoappf.htm#634974">Troubleshooting Entrust In Oracle Advanced Secur ity</a></li></ul> <a name="635282"></a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#33009 9">Benefits of Entrust-Enabled Oracle Advanced Security</font></h2>  <a name="634461"></a> <p class="BP">Entrust-enabl ed Oracle Advanced Security provides:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="634465"></a><a href="asoappf.htm#6344 89">Enhanced X.509-Based Authentication and Single Sign-On</a></li> <li class="LB1" type="disc"><a name="634469"></a><a href="asoappf .htm#634505">Integration with Entrust Authority Key Management</a></li> <li class="LB1" type="disc"><a name="634473"></a><a href="aso appf.htm#634513">Integration with Entrust Authority Certificate Revocation</a> <p><a name="634485"></a></p> <div align="center"> <ta ble class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" t itle="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634476"></a><font face="Arial, Helv etica, sans-serif"><strong class="NH"><strong class="Bold">Note</strong>:</strong></font> <a name="634477"></a> <ul class="NL"> <li class="NL" type="disc"><a name="634481"></a>Oracle Advanced Security has been certified as <em class="Italic">Entrust-Ready</em> by E ntrust, Inc., as of Release 8.1.7.</li> <li class="NL" type="disc"><a name="634484"></a>See Also: <a href="http://www.entrust.com"><c ode>http://www.entrust.com</code></a></li></ul> <hr></td></tr></table></div></li></ul> <a name="634489"></a>  < h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Enhanced X.509-Based Authentication and Single Sign-On</font> </h3>  <a name="634493"></a> <p class="BP">Entrust-enabled Oracle Advanced Security supports the use of Entrust creden tials for <a href="asogls.htm#997543"><strong class="Bold">X.509</strong></a>-based authentication and single sign-on. Instead of usi ng an Oracle wallet to hold user PKI credentials, Oracle Advanced Security can access PKI credentials that are created by Entrust Aut hority and held in an Entrust profile (a<code>.epf</code> file). Users who have deployed Entrust software within their enterprise are thus able to use it for authentication and single sign-on to Oracle Database.</p> <a name="634505"></a>  <h3 c lass="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Integration with Entrust Authority Key Management</font></h3> <!- -/TOC=h2--> <a name="634509"></a> <p class="BP">Entrust-enabled Oracle Advanced Security uses the extensive key management and rollo ver functionality provided by Entrust Authority, which shields users from the complexity of a PKI deployment. For example, users are automatically notified when their certificates are expiring, and certificates are reissued according to preferences that administrato rs can configure.</p> <a name="634513"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#3 30099">Integration with Entrust Authority Certificate Revocation</font></h3>  <a name="634514"></a> <p class="BP">Entr ust provides a certificate authority component, which natively checks certificate revocation status and enables the revocation of cer tificates.</p> <a name="634515"></a> <p class="BP">Users using Entrust credentials for authentication to Oracle are assured that the revocation status of the certificate is checked, and connections are prevented if the certificate is revoked.</p> <a name="634521">< /a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">Required System Components for En trust-Enabled Oracle Advanced Security</font></h2>  <a name="634525"></a> <p class="BP">To implement Entrust-enabled O racle Advanced Security, the following system components are required:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="6345 29"></a><a href="asoappf.htm#634565">Entrust Authority for Oracle</a></li> <li class="LB1" type="disc"><a name="634533"></a><a href=" asoappf.htm#634626">Entrust Authority Server Login Feature</a></li> <li class="LB1" type="disc"><a name="634537"></a><a href="asoappf .htm#634634">Entrust Authority IPSec Negotiator Toolkit</a> <p><a name="634548"></a></p> <div align="center"> <table class="Note" bo rder="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a lay out table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634540"></a><font face="Arial, Helvetica, sans-serif"> <strong class="NH">Note:</strong></font> <a name="634544"></a> <p class="NB">In the following sections, the term <a href="asogls.htm #996811"><strong class="Bold">client</strong></a> refers to a client connecting to an Oracle database, and the term <a href="asogls.h tm#997339"><strong class="Bold">server</strong></a> refers to the host on which the Oracle database resides.</p> <hr></td></tr></tabl e></div></li></ul> <a name="634549"></a> <p class="BP">Contact your Entrust representative to get these components.</p> <a name="635 673"></a> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name=" 634556"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="634561"></a> <p class="NB">O racle Advanced Security supports Entrust Authority Security Manager, Entrust Authority Server Login Feature, and Entrust Authority IP Sec Negotiator Toolkit versions 6.0 and later. <a name="635729"></a></p> <p class="NB">Contact your Entrust representative for the la test product classification and naming details.</p> <hr></td></tr></table></div> <a name="634565"></a>  <h3 cla ss="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Entrust Authority for Oracle</font></h3>  <a name="63 4567"></a> <p class="BP">Entrust Authority for Oracle requires a database for storing information about Entrust users and the infras tructure, and a Lightweight Directory Access Protocol (LDAP)-compliant directory for information such as user names, public certifica tes, and certificate revocation lists.</p> <a name="634568"></a> <p class="BP">Entrust Authority for Oracle is comprised of the foll owing software components:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="634572"></a><a href="asoappf.htm#634583">Entrust Authority Security Manager</a></li> <li class="LB1" type="disc"><a name="634576"></a><a href="asoappf.htm#634610">Entrust Authority Self-Administration Server</a></li> <li class="LB1" type="disc"><a name="634580"></a><a href="asoappf.htm#634614">Entrust Entelligenc e Desktop Manager</a></li></ul> <a name="634583"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Entrust Authority Security Manager</font></h4>  <a name="634584"></a> <p class="BP">Entrust Authority Security Manager is the centerpiece of Entrust's PKI technology. It performs core certificate authority, certificate, and user manag ement functions, such as creating users and user profiles containing the user's credentials.</p> <a name="634595"></a> <div align="c enter"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to forma t a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634587"></a><font face=" Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="634588"></a> <p class="NB">Oracle only supports the use of Entrust-enabled Oracle Advanced Security with versions of Entrust Authority Security Manager that run on Oracle Database.</p> <hr></td></tr></table></div> <a name="634603"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding=" 0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr c lass="NoteAlso"> <td class="NoteAlso"><a name="634598"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</st rong></font> <a name="634601"></a> <p class="NB"><a href="asossl.htm#1006083">Chapter 7, "Configuring Secure Sockets Layer Auth entication"</a>, for information about certificate authorities.</p></td></tr></table></div> <a name="634604"></a> <p class="BP">Entr ust Authority Security Manager supports unattended login, also called Server Login, which eliminates the need for a <a href="asogls.h tm#996858"><strong class="Bold">Database Administrator</strong></a> (DBA) to repeatedly enter a password for the Entrust profile on t he server. With unattended login, the DBA need only enter a password once to open the Entrust profile for the server to authenticate itself to multiple incoming connections.</p> <a name="634610"></a>  <h4 class="H3"><font face="Arial, Helvetica , sans-serif" color="#330099">Entrust Authority Self-Administration Server</font></h4>  <a name="634611"></a> <p class ="BP">Entrust Authority Self-Administration Server is the administrator's secure interface to Entrust Authority Security Manager.</p> <a name="634614"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Entrust Entell igence Desktop Manager</font></h4>  <a name="634615"></a> <p class="BP">Entrust Entelligence Desktop Manager provides support for user key management and single sign-on functionality on both clients and server by enabling Oracle Database server proces s access to incoming SSL connections.</p> <a name="634623"></a> <div align="center"> <table class="Note" border="0" width="80%" cell padding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a not e"> <tr class="Note"> <td class="Note"> <hr> <a name="634621"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:< /strong></font> <a name="634622"></a> <p class="NB">Do not install Entrust Entelligence Desktop Manager on the server computer becau se it uses unattended login credentials files with <code>.ual</code> extensions. See <a href="asoappf.htm#634832">"Configuring Entrus t on the Server"</a><a href="asoappf.htm#634832"></a> for information about creating <code>.ual</code> files.</p> <hr></td></tr></tab le></div> <a name="634626"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Entru st Authority Server Login Feature</font></h3>  <a name="634627"></a> <p class="BP">Entrust Authority Server Login Feat ure is required for single sign-on functionality on servers operating on UNIX platforms.</p> <a name="634628"></a> <p class="BP">Ent rust Authority Server Login Feature provides single sign-on by enabling Oracle Database server process access to incoming SSL connect ions. Without this capability, a database administrator or other privileged user would have to enter the password for the Entrust pro file on the server for every incoming connection.</p> <a name="634632"></a> <p class="BP">Contact your Entrust representative to get Entrust Authority Server Login Feature.</p> <a name="634634"></a>  <h3 class="H2"><font face="Arial, Helvetica , sans-serif" color="#330099">Entrust Authority IPSec Negotiator Toolkit</font></h3>  <a name="634635"></a> <p class=" BP">The Entrust Authority IPSec Negotiator Toolkit is required on both clients and servers for integrating the Oracle Advanced Securi ty SSL stack with Entrust Authority, enabling SSL authentication to use Entrust profiles.</p> <a name="634639"></a> <p class="BP">Co ntact your Entrust representative to get Entrust Authority IPSec Negotiator Toolkit.</p> <a name="634643"></a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">Entrust Authentication Process</font></h2>  < a name="634647"></a> <p class="BP"><a href="asoappf.htm#634659">Figure F-1</a> illustrates the following Entrust authentication process:</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634648"></a>The Entrust user on the Oracle client establishes <strong class="Bold">a secure connection with the server using SSL and Entrust credentials.</strong></li> <li class="LN1 " type="1" value="2"><a name="634649"></a>The Oracle SSL adapter on the server communicates with the Entrust Authority to check the c ertificate revocation status of the Entrust user. <p><a name="634657"></a></p> <div align="center"> <table class="Note" border="0" w idth="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634652"></a><font face="Arial, Helvetica, sans-serif"><strong cl ass="NH">Note:</strong></font> <a name="634656"></a> <p class="NB"><a href="asoappf.htm#634659">Figure F-1</a> does not include client and server profiles creation, which is presumed.</p> <hr></td></tr></table></div></li></ol> <a name="634659"></a> <h4 class= "FT"><font face="Arial, Helvetica, sans-serif"><em>Figure F-1 Entrust Authentication Process</em></font></h4> <a name="634663"><img s rc="asoag025.gif" alt="Text description of asoag025.gif follows"></a> <p><a href="img_text/asoag025.htm">Text description of the ill ustration asoag025.gif</a></p> <a name="634674"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding ="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="634666"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</ strong></font> <a name="634669"></a> <p class="NB"><a href="asossl.htm#1009602">"How SSL Works in an Oracle Environment: The SSL Han dshake"</a><a href="asossl.htm#1009602"></a></p></td></tr></table></div> <a name="634676"></a>  <h2 class="H1"> <font face="Arial, Helvetica, sans-serif" color="#330099">Enabling Entrust Authentication</font></h2>  <a name="634677" ></a> <p class="BP">This section describes the following tasks, which are required to configure Entrust-enabled Oracle Advanced Secu rity SSL authentication:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="634685"></a><a href="asoappf.htm#634714">Creating Entrust Profiles</a></li> <li class="LB1" type="disc"><a name="634688"></a><a href="asoappf.htm#634743">Installing Oracle Advanced Se curity and Related Products for Entrust-Enabled SSL</a></li> <li class="LB1" type="disc"><a name="634693"></a><a href="asoappf.htm#63 4774">Configuring SSL on the Client and Server for Entrust-Enabled SSL</a></li> <li class="LB1" type="disc"><a name="634697"></a><a h ref="asoappf.htm#634788">Configuring Entrust on the Client</a></li> <li class="LB1" type="disc"><a name="634701"></a><a href="asoappf .htm#634832">Configuring Entrust on the Server</a></li> <li class="LB1" type="disc"><a name="634705"></a><a href="asoappf.htm#634928" >Creating Entrust-Enabled Database Users</a></li> <li class="LB1" type="disc"><a name="634709"></a><a href="asoappf.htm#634938">Loggi ng Into the Database Using Entrust-Enabled SSL</a></li></ul> <a name="634714"></a>  <h3 class="H2"><font face=" Arial, Helvetica, sans-serif" color="#330099">Creating Entrust Profiles</font></h3>  <a name="634715"></a> <p class="B P">This section describes how to create Entrust profiles, which can be created by either administrators or users. On UNIX platforms, administrators create the Entrust profiles for all clients. On Windows platforms, users can create their own Entrust profiles.</p> <a name="634716"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Administrator-Cre ated Entrust Profiles</font></h4>  <a name="634717"></a> <p class="BP">Administrators create Entrust profiles as follo ws:</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634718"></a>The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. <p><a name="634723"></a></p> <div align="center"> <table class="NoteAls o" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="634721"></a><font face="Arial, Helvetica, sans- serif"><strong class="NH">See Also:</strong></font> <a name="634722"></a> <p class="NB">The Entrust administration documentation for information about creating Entrust Users</p></td></tr></table></div></li></ol> <a name="635798"></a> <ol class="LN1" type="1"> <li class="LN1" type="1" value="2"><a name="634724"></a>The administrator enters the user's name and password.</li> <li class="LN1" type= "1" value="3"><a name="634725"></a>The Entrust Authority creates the profile, or<code>.epf</code> file.</li> <li class="LN1" type="1" value="4"><a name="634726"></a>The administrator securely sends all profile-related files to the user. The preset password can be ch anged by the user.</li></ol> <a name="634728"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" co lor="#330099">User-Created Entrust Profiles</font></h4>  <a name="634729"></a> <p class="BP">Entrust users create thei r own Entrust profiles as follows:</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634730"></a>The Entrust administrator adds the Entrust user using the Entrust Authority Self-Administration Server. In the New User dialog box, the Create Pr ofile option should be deselected. <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing=" 0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="634733"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="634734"></a> <p class="NB">The Entrust administration documentation for information about creating Entrust profiles</p></td></ tr></table></div></li> <li class="LN1" type="1" value="2"><a name="634735"></a>The user receives a secure e-mail notification from th e administrator that contains a reference number, authorization code, and expiration date.</li> <li class="LN1" type="1" value="3"><a name="634736"></a>The user navigates to the Create Entrust Profiles screen in Entrust Entelligence Desktop Manager as follows: <p>< a name="634737"></a></p> <p class="BP1"><strong class="Bold">Start</strong> <code>></code> <strong class="Bold">Programs</strong> <code>></code> <strong class="Bold">Entrust</strong> <code>></code> <strong class="Bold">Entrust Profiles</strong> <code>></ code> <strong class="Bold">Create Entrust Profiles</strong></p></li> <li class="LN1" type="1" value="4"><a name="634738"></a>The user enters the reference number, authorization code, and expiration date provided in the e-mail notification, creating a profile, or<cod e>.epf</code> file, and the Entrust initialization file.</li></ol> <a name="634743"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL< /font></h3>  <a name="634750"></a> <p class="BP">For Oracle Advanced Security 10<em class="Italic">g</em> Release 1 (1 0.1), Entrust support installs in Typical mode. A single Oracle installation supports the use of both Oracle Wallets and Entrust prof iles.</p> <a name="634758"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <t d class="NoteAlso"><a name="635497"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a nam e="634753"></a> <p class="NB">Oracle Database operating system-specific installation documentation</p></td></tr></table></div> <a na me="634774"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Configuring SSL on t he Client and Server for Entrust-Enabled SSL</font></h3>  <a name="634776"></a> <p class="BP">Configure SSL on the cli ent and server.</p> <a name="634785"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellsp acing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Not eAlso"> <td class="NoteAlso"><a name="634779"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></fo nt> <a name="634782"></a> <p class="NB"><a href="asossl.htm#1006083">Chapter 7, "Configuring Secure Sockets Layer Authenticatio n"</a>, for information about configuring SSL on the client and server; skip the section that describes the Oracle wallet location.</ p></td></tr></table></div> <a name="634788"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" colo r="#330099">Configuring Entrust on the Client</font></h3>  <a name="634789"></a> <p class="BP">The steps for configuri ng Entrust on the client vary according to the type of platform:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="634793"></ a><a href="asoappf.htm#634799">Configuring Entrust on a UNIX Client</a></li> <li class="LB1" type="disc"><a name="634797"></a><a href ="asoappf.htm#634816">Configuring Entrust on a Windows Client</a></li></ul> <a name="634799"></a>  <h4 class="H 3"><font face="Arial, Helvetica, sans-serif" color="#330099">Configuring Entrust on a UNIX Client</font></h4>  <a name= "634800"></a> <p class="BP">If the client resides on a non-Windows platform, perform the following steps:</p> <ol class="LN1" type=" 1"> <li class="LN1" type="1" value="1"><a name="634801"></a>Set the <code>JAVA_HOME</code> variable to the JDK or JRE location. <p>< a name="634802"></a></p> <p class="BP1"><strong class="Bold">For example:</strong></p> <pre class="CE1"><a name="634803"></a>>sete nv JAVA_HOME $ORACLE_HOME/JRE <a name="634804"></a> </pre> </li> <li class="LN1" type="1" value="2"><a name="634805"></a>Set <code>WA LLET_LOCATION</code> in the <code>sqlnet.ora</code> file. <p><a name="634806"></a></p> <p class="BP1"><strong class="Bold">For examp le:</strong></p> <pre class="CE1"><a name="634807"></a>WALLET_LOCATION= </pre> <pre class="CE2"><a name="634808"></a>(SOURCE= </pr e> <pre class="CE3"><a name="634809"></a>(METHOD=entr) <a name="634810"></a>(METHOD_DATA = <a name="634811"></a> (PROFILE=<em class ="Italic">profile_location</em>) <a name="634812"></a> (INIFILE=<em class="Italic">initialization_file_location</em>) <a name="634813 "></a>) </pre> <pre class="CE2"><a name="634814"></a>) </pre> </li></ol> <a name="634816"></a> <h4 class="H3 "><font face="Arial, Helvetica, sans-serif" color="#330099">Configuring Entrust on a Windows Client</font></h4>  <a nam e="634817"></a> <p class="BP">If the client resides on a Windows platform, ensure that the Entrust Entelligence Desktop Manager comp onent is installed on the client and perform the following steps to set up the Entrust credentials.</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634818"></a>Set the <code>WALLET_LOCATION</code> parameter in the <code>sqlnet.ora</code> fi le. <p><a name="634819"></a></p> <p class="BP1"><strong class="Bold">For example:</strong></p> <pre class="CE1"><a name="634820"></a >WALLET_LOCATION= </pre> <pre class="CE2"><a name="634821"></a>(SOURCE= </pre> <pre class="CE3"><a name="634822"></a>(METHOD=entr ) <a name="634823"></a>(METHOD_DATA= <a name="634824"></a> (INIFILE=<em class="Italic">initialization_file_location</em>) <a name="6 34825"></a>) </pre> <pre class="CE2"><a name="634826"></a>) </pre> </li></ol> <a name="634827"></a> <p class="BP">where <em class= "Italic">initialization_file_location</em> is the path to the <code>.ini</code> file.</p> <ol class="LN1" type="1"> <li class="LN1" t ype="1" value="2"><a name="634828"></a>Choose the Entrust icon on the system tray to open the Entrust_Login dialog box.</li> <li clas s="LN1" type="1" value="3"><a name="634829"></a>Log on to Entrust by entering the profile name and password.</li></ol> <a name="63483 2"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Configuring Entrust on the Se rver</font></h3>  <a name="634833"></a> <p class="BP">The steps for configuring Entrust on the server vary according t o the type of platform:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="634837"></a><a href="asoappf.htm#634843">Configurin g Entrust on a UNIX Server</a></li> <li class="LB1" type="disc"><a name="634841"></a><a href="asoappf.htm#634892">Configuring Entrust on a Windows Server</a></li></ul> <a name="634843"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-ser if" color="#330099">Configuring Entrust on a UNIX Server</font></h4>  <a name="634844"></a> <p class="BP">If the serve r is a UNIX platform, ensure that the Entrust/Server Login Toolkit component is installed on the server and perform the following ste ps:</p> <a name="634855"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" di r="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="634847"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name= "634850"></a> <p class="NB"><a href="asoappf.htm#634521">"Required System Components for Entrust-Enabled Oracle Advanced Security"</ a> <a href="asoappf.htm#634521"></a> for information about downloading the Entrust Server Login toolkit.</p></td></tr></table></div> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634856"></a>Stop the Oracle database instance.</li> <li class=" LN1" type="1" value="2"><a name="634857"></a>Set the <code>WALLET_LOCATION</code> parameter in the <code>sqlnet.ora</code> and <code> listener.ora</code> files to specify the paths to the server's profile and the Entrust initialization file: <pre class="CE1"><a name ="634858"></a>WALLET_LOCATION = <a name="634859"></a>(SOURCE = <a name="634860"></a> (METHOD = ENTR) <a name="634861"></a> (METHO D_DATA = <a name="634862"></a> (PROFILE = <em class="Italic">profile_location</em>) <a name="634863"></a> (INIFILE = <em class="Italic">initialization_file_location</em>) <a name="634864"></a> ) <a name="634865"></a>) </pre> </li> <li class="LN1" typ e="1" value="3"><a name="634866"></a>Set the <code>CLASSPATH</code> environment variable to include the following paths: <pre class= "CE2"><a name="634867"></a>$ORACLE_HOME/JRE/lib/rt.jar <a name="634868"></a>$ORACLE_HOME/JRE/lib/i18n.jar <a name="634869"></a>$ORACL E_HOME/jlib/ewt*.jar <a name="634870"></a>$ORACLE_HOME/jlib/help*.jar <a name="634871"></a>$ORACLE_HOME/jlib/share*.jar <a name="6348 72"></a>$ORACLE_HOME/jlib/swingall*.jar <a name="634873"></a>$ORACLE_HOME/network/jlib/netentrust.jar <a name="634874"></a> </pre> </ li> <li class="LN1" type="1" value="4"><a name="634876"></a>Enter the <code>etbinder</code> command to create unattended login creden tials, or<code>.ual</code> files by using the following steps: <ol class="LA2" type="a"> <li class="LA2" type="a" value="1"><a name= "634877"></a>Set the <code>PATH</code> environment variable to include the path to the <code>etbinder</code> command, which is locate d in the <code>/bin</code> directory where the Server Login Toolkit is installed.</li> <li class="LA2" type="a"><a name="634878"></a> Set the <code>LD_LIBRARY_PATH</code> to include the path to the Entrust libraries.</li> <li class="LA2" type="a"><a name="634879"></a >Set the <code>SSL_ENTRUST_INI</code> environment variable to include the full path to the Entrust initialization file.</li> <li clas s="LA2" type="a"><a name="634880"></a>Enter the command as follows: <pre class="CE2"><a name="634881"></a>etbinder <a name="634882"> </a> </pre> </li> <li class="LA2" type="a"><a name="634883"></a>When prompted to enter the location of the profile file, enter the fu ll path name, including the name of the file. Then, when prompted, type in the password. <p><a name="634884"></a></p> <p class="BP2" >A message displays indicating that the credentials file (<em><code>filename</code></em><code>.ual</code>) has been created.</p> <a n ame="634889"></a> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary= "This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> < a name="634887"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="634888"></a> <p clas s="NB">Ensure that the listener has a TCPS listening endpoint, then start the listener.</p> <hr></td></tr></table></div></li></ol></l i> <li class="LN1" type="1" value="5"><a name="634890"></a>Start the Oracle database instance.</li></ol> <a name="634892"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Configuring Entrust on a Windows Server</fo nt></h4>  <a name="634893"></a> <p class="BP">If the server is on a Windows platform, perform the following steps:</p> <a name="634901"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class=" NoteAlso"><a name="634896"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="634899 "></a> <p class="NB"><a href="asoappf.htm#634521">"Required System Components for Entrust-Enabled Oracle Advanced Security"</a> for information about downloading Entrust Entelligence Desktop Manager.</p></td></tr></table></div> <ol class="LN1" type="1"> <li class=" LN1" type="1" value="1"><a name="634902"></a>Stop the Oracle database instance.</li> <li class="LN1" type="1" value="2"><a name="6349 03"></a>Set the <code>WALLET_LOCATION</code> parameter in the <code>sqlnet.ora</code> and <code>listener.ora</code> files to specify the paths to the server's profile and the Entrust initialization file: <pre class="CE1"><a name="634904"></a>WALLET_LOCATION = </pr e> <pre class="CE2"><a name="634905"></a>(SOURCE = </pre> <pre class="CE3"><a name="634906"></a>(METHOD = ENTR) <a name="634907">< /a>(METHOD_DATA = <a name="634908"></a> (PROFILE = <em class="Italic">profile_location</em>) <a name="634909"></a> (INIFILE = <em cl ass="Italic">initialization_file_location</em>) <a name="634910"></a>) </pre> <pre class="CE2"><a name="634911"></a>) </pre> <pre class="CE1"><a name="634912"></a> </pre> </li> <li class="LN1" type="1" value="3"><a name="634913"></a>Run the Entrust binder comman d to create unattended login credentials, which are files with a<code>.ual</code> extension. Ensure that the owner of the <code>.ual< /code> file is the same as the owner of the Oracle service. <p><a name="634914"></a></p> <p class="BP1">To run the binder command ch oose</p> <a name="634915"></a> <p class="BP1"><strong class="Bold">Start</strong> <code>></code> <strong class="Bold">Programs</s trong> <code>></code> <strong class="Bold">Entrust Toolkit</strong> <code>></code> <strong class="Bold">Server Login</strong> < code>></code> <strong class="Bold">Entrust Binder</strong></p> <a name="634916"></a> <p class="BP1">Enter the path to the profile , the password, and the path to the Entrust initialization file. A message informs you that you have successfully created a credentia l file.</p></li> <li class="LN1" type="1" value="4"><a name="634917"></a>Start the Oracle database instance. <p><a name="634925"></a ></p> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a la yout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="63492 0"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="634921"></a> <p class="NB">For al l Windows environments, Oracle Corporation recommends that you do not install Entrust Entelligence Desktop Manager on the server comp uter.</p> <hr></td></tr></table></div></li></ol> <a name="634928"></a>  <h3 class="H2"><font face="Arial, Helve tica, sans-serif" color="#330099">Creating Entrust-Enabled Database Users</font></h3>  <a name="634932"></a> <p class= "BP">Create global users in the database based on the <strong class="Bold"><a href="asogls.htm#996930">distinguished name (DN)</a></s trong> of each Entrust user.</p> <a name="634933"></a> <p class="BP"><strong class="Bold">For example:</strong></p> <pre class="CE"> <a name="634934"></a>SQL> create user jdoe identified globally as 'cn=jdoe,o=oracle,c=us'; <a name="634935"></a> </pre> <a name=" 634936"></a> <p class="BP">where <code>"cn=jdoe, o=oracle, c=us"</code> is the Entrust distinguished name of the user.</p> <a name="6 34938"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Logging Into the Database Using Entrust-Enabled SSL</font></h3>  <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="634939">< /a>Use SQL*Plus to connect to the Oracle instance as follows: <pre class="CE1"><a name="634940"></a>sqlplus /@net_service_name <a na me="634941"></a> </pre> <a name="634942"></a> <p class="BP1">where <code>net_service_name</code> is the service name of the Oracle i nstance.</p> <a name="634943"></a> <p class="BP1">The Entrust_Login dialog box appears.</p></li> <li class="LN1" type="1" value="2"> <a name="634944"></a>Enter the path to the profile and the password.</li> <li class="LN1" type="1" value="3"><a name="634945"></a>If you did not specify a value for the <code>WALLET_LOCATION</code> parameter, you are prompted to enter the path to the Entrust initial ization file. <p><a name="634950"></a></p> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspaci ng="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634948"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a na me="634949"></a> <p class="NB">Oracle Corporation recommends that the initialization file be specified in the <code>WALLET_LOCATION< /code> parameter file.</p> <hr></td></tr></table></div></li></ol> <a name="634953"></a>  <h2 class="H1"><font f ace="Arial, Helvetica, sans-serif" color="#330099">Issues and Restrictions that Apply to Entrust-Enabled SSL</font></h2>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">Troubleshoo ting Entrust In Oracle Advanced Security</font></h2>  <a name="634977"></a> <p class="BP">This section describes how t o diagnose errors returned from Entrust to Oracle Advanced Security users.</p> <a name="634989"></a> <div align="center"> <table cla ss="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="T his is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="634981"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="634982"></a> <p class="NB">Entrust returns the following generic error message to Oracle Advanced Security users: <a name="634987"></a></p> <p class="NB"><code>ORA-28890 "Entrust Login Failed"</code> <a name="634988"></a></p> <p class="NB">This troubleshooting section describes how to get more details about the underlying error, and h ow to diagnose the problem.</p> <hr></td></tr></table></div> <a name="634990"></a>  <h3 class="H2"><font face=" Arial, Helvetica, sans-serif" color="#330099">Error Messages Returned When Running Entrust on Any Platform</font></h3>  <a name="634991"></a> <p class="BP">You may encounter the following error messages regardless of what platform you are running Entr ust on.</p> <dl class="M"> <dt class="M"><a name="634992"></a><br> <strong>ORA-28890 Entrust Login Failed</strong><br></dt> <dd class ="MH1"><a name="634993"></a> <p><strong>Cause:</strong> SQL*Plus login on an Entrust-enabled Oracle client errors out with this gene ric error message. This error can be caused by a number of problems, including the following causes:</p> <ul class="LB2"> <li class=" LB2" type="disc"><a name="634994"></a>Entrust /Authority is not online</li> <li class="LB2" type="disc"><a name="634995"></a>Invalid Entrust profile password specified</li> <li class="LB2" type="disc"><a name="634996"></a>Invalid path to the Entrust profile specifie d</li> <li class="LB2" type="disc"><a name="634997"></a>Invalid Entrust initialization file specified</li> <li class="LB2" type="disc "><a name="634998"></a>Entrust Server Login program has not executed on the server</li></ul></dd> <dd class="MH2"><a name="634999"></ a> <p><strong>Action:</strong> To get more detail on the Entrust error, turn on tracing for SQL*Plus and the trace output should ind icate the Entrust failure code. Enable tracing by specifying the following parameters in the <code>sqlnet.ora</code> file:</p> <a nam e="635000"></a> <p class="BP1"><strong class="Bold">On the client:</strong></p> <ul class="LB2"> <li class="LB2" type="disc"><a name ="635001"></a><code>TRACE_LEVEL_CLIENT=16</code></li> <li class="LB2" type="disc"><a name="635002"></a><code>TRACE_DIRECTORY_CLIENT=& lt;</code>valid_client_directory_name<code>></code></li> <li class="LB2" type="disc"><a name="635003"></a><code>TRACE_FILE_CLIENT= client</code></li> <li class="LB2" type="disc"><a name="635004"></a><code>TRACE_UNIQUE_CLIENT=ON</code></li></ul> <a name="635005"></ a> <p class="BP1"><strong class="Bold">On the server:</strong></p> <ul class="LB2"> <li class="LB2" type="disc"><a name="635006"></a ><code>TRACE_LEVEL_SERVER=16</code></li> <li class="LB2" type="disc"><a name="635007"></a><code>TRACE_DIRECTORY_SERVER=<</code>val id_server_directory name<code>></code></li> <li class="LB2" type="disc"><a name="635008"></a><code>TRACE_FILE_SERVER=server</code> </li> <li class="LB2" type="disc"><a name="635009"></a><code>TRACE_UNIQUE_SERVER=ON</code></li></ul> <a name="635010"></a> <p class= "BP1">Search for and locate the string <code>IKMP</code> in the generated trace file. Adjacent to this string, error messages are lis ted that provide details about the problem you are encountering. This detailed error code information is returned by the Entrust API. </p> <a name="635017"></a> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note "> <hr> <a name="635013"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="635014"></a> <p class="NB">The following are examples of valid client directory names for setting the <code>TRACE_DIRECTORY_CLIENT</code> or <co de>TRACE_DIRECTORY_SERVER</code> parameters in the <code>sqlnet.ora</code> file:</p> <ul class="NL"> <li class="NL" type="disc"><a na me="635015"></a>(UNIX) <code>/tmp</code></li> <li class="NL" type="disc"><a name="635016"></a>(Windows) <code>C:\TEMP</code></li></ul > <hr></td></tr></table></div></dd> <dt class="M"><a name="635018"></a><br> <strong>ORA-28890 Entrust Login Failed</strong><br></dt> <dt class="M"><a name="635019"></a><br> <strong>(GUI does not display on the client)</strong><br></dt> <dd class="MH1"><a name="63502 0"></a> <p><strong>Cause:</strong> The <code>WALLET_LOCATION</code> parameter does not specify the Entrust initialization file locat ion in the client side <code>sqlnet.ora</code> file.</p></dd> <dd class="MH2"><a name="635021"></a> <p><strong>Action:</strong> Ensu re that the location of the Entrust initialization file is specified in the <code>WALLET_LOCATION</code> parameter in the <code>sqlne t.ora</code> file on the client.</p> <a name="635040"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellp adding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note "> <tr class="NoteAlso"> <td class="NoteAlso"><a name="635024"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See A lso:</strong></font> <a name="635025"></a> <ul class="NL"> <li class="NL" type="disc"><a name="635032"></a><a href="asoappf.htm#6347 99">"Configuring Entrust on a UNIX Client"</a><a href="asoappf.htm#634799"></a></li> <li class="NL" type="disc"><a name="635039"></a> <a href="asoappf.htm#634816">"Configuring Entrust on a Windows Client"</a><a href="asoappf.htm#634816"></a></li></ul></td></tr></tabl e></div></dd></dl> <a name="635041"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#3300 99">Error Messages Returned When Running Entrust on Windows Platforms</font></h3>  <a name="635042"></a> <p class="BP" >You may encounter the following error messages if you are running Entrust on a Windows platform.</p> <dl class="M"> <dt class="M"><a name="635043"></a><br> <strong>The software authentication failed. (error code - 162).</strong><br></dt> <dd class="MH1"><a name="63 5044"></a> <p><strong>Cause:</strong> Due to a known FIPS mode incompatibility, Entrust logins may fail and return this error messag e.</p></dd> <dd class="MH2"><a name="635045"></a> <p><strong>Action:</strong> Contact Entrust support to resolve this issue.</p></dd > <dt class="M"><a name="635046"></a><br> <strong>Algorithm self-test failed. (error code - 176).</strong><br></dt> <dd class="MH1">< a name="635047"></a> <p><strong>Cause:</strong> Due to a known symbol conflict between Entrust and Oracle libraries, Entrust login m ay fail and return this error message.</p></dd> <dd class="MH2"><a name="635048"></a> <p><strong>Action:</strong> Contact Entrust su pport to resolve this issue.</p></dd> <dt class="M"><a name="635049"></a><br> <strong>TNS-12560: TNS protocol adapter error</strong>< br></dt> <dt class="M"><a name="635050"></a><br> <strong>TNS-00558> Entrust Login Failed</strong><br></dt> <dt class="M"><a name=" 635051"></a><br> <strong>ORACLE SERVER (<em class="Italic">host_name</em>)</strong><br></dt> <dd class="ML"><a name="635052"></a> <p ><em class="ML">This error may occur in the <code>listener.log</code> file on the server when you attempt to log in to Entrust.</em>< /p></dd> <dd class="MH1"><a name="635053"></a> <p><strong>Cause:</strong> If you configure the client by making the following recomm ended changes:</p> <ul class="LB2"> <li class="LB2" type="disc"><a name="635054"></a>Remove the <code>.ual</code> file</li> <li class ="LB2" type="disc"><a name="635055"></a>De-install the Server Login</li> <li class="LB2" type="disc"><a name="635056"></a>Specify the Entrust initialization file location in the <code>SSL_ENTRUST_INI_FILE</code> parameter in the client <code>sqlnet.ora</code> file</ li></ul> <a name="635057"></a> <p class="BP1">then the server may not be able to authenticate the client when you enter the followin g command:</p> <pre class="CE1"><a name="635058"></a>sqlplus/@<em>net_service_name </em><a name="635059"></a> </pre> </dd> <dd class= "MH2"><a name="635060"></a> <p><strong>Action:</strong> Perform the following tasks to enable tracing on the server:</p> <ol class="L N2" type="1"> <li class="LN2" type="1" value="1"><a name="635061"></a>Choose Control Panel <code>></code> Services.</li> <li class ="LN2" type="1" value="2"><a name="635062"></a>In the Services dialog box, double click OracleTNSListener and change the Log On As fr om the System Account to the account that is currently logged in. This enables the server process to read the <code>.ual</code> file. Click OK to make the change and you are returned to the Services dialog box. <p><a name="635063"></a></p> <p class="BP2">In the Ser vices dialog box, make the same changes for OracleService.</p></li> <li class="LN2" type="1" value="3"><a name="635064"></a>Make the following changes to the <code>listener.ora</code> file: <ul class="LD3"> <li class="LD3" type="CIRCLE"><a name="635065"></a> Specif y only <code>TCPS</code> as the <code>PROTOCOL</code> in the listener <code>ADDRESS</code>. For example, change all of the <code>PROT OCOL</code> definitions to <code>TCPS</code> as follows: <pre class="CE3"><a name="635066"></a><em>listener_name</em>= <a name="6350 67"></a> (DESCRIPTION= <a name="635068"></a> (ADDRESS=(<strong>PROTOCOL=TCPS</strong>) (KEY=extproc0)) <a name="635069"></a> (ADDRESS=(<strong>PROTOCOL=TCPS</strong>) (HOST=<em>sales-pc</em>) (PORT=<em>1521</em>))) <a name="635070"></a> </pre> <a name=" 635071"></a> <p class="BP3">Bringing up the listener only using <code>TCPS</code> will show whether there is a problem accessing the Entrust profile when you turn on tracing.</p></li> <li class="LD3" type="CIRCLE"><a name="635072"></a>Set the <code>SSL_CLIENT_AUTHEN TICATION</code> parameter to <code>FALSE</code> as follows: <pre class="CE3"><a name="635073"></a>SSL_CLIENT_AUTHENTICATION=FALSE <a name="635074"></a> </pre> </li> <li class="LD3" type="CIRCLE"><a name="635075"></a>Turn on tracing by setting the following paramete rs: <pre class="CE3"><a name="635076"></a>TRACE_LEVEL_LISTENER=16 <a name="635077"></a>TRACE_DIRECTORY_LISTENER=C:\temp <a name="635 078"></a> </pre> <a name="635079"></a> <p class="BP3">The trace file is created in the <code>C:\temp</code> directory.</p></li></ul> </li> <li class="LN2" type="1" value="4"><a name="635080"></a>Make the following changes to the sqlnet.ora file to turn on tracing: <pre class="CE2"><a name="635081"></a>TRACE_LEVEL_SERVER=16 <a name="635082"></a>TRACE_DIRECTORY_SERVER=C:\temp <a name="635083"></a> </pre> <a name="635084"></a> <p class="BP2">The trace file is created in the <code>C:\temp</code> directory.</p></li> <li class="LN 2" type="1" value="5"><a name="635085"></a>Ensure that Entrust Entelligence Desktop Manager is not installed on the server.</li></ol> </dd></dl> <a name="635086"></a> <p class="BP">Search for and locate the string "<code>fail</code>" or "<code>ntz*</code>" function calls. Adjacent to these, error messages are listed that provide details about the problem you are encountering.</p> <a name="635087" ></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">General Checklist for Running E ntrust on Any Platform</font></h3>  <a name="635088"></a> <p class="BP">The following items apply to all platforms:</p > <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="635089"></a>Confirm that the Entrust Authority is online.</li > <li class="LN1" type="1" value="2"><a name="635090"></a>Confirm that the <code>.ual</code> file is generated. These files are creat ed for unattended login credentials. <p><a name="635095"></a></p> <div align="center"> <table class="Note" border="0" width="80%" ce llpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a n ote"> <tr class="Note"> <td class="Note"> <hr> <a name="635093"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note :</strong></font> <a name="635094"></a> <p class="NB">Oracle recommends that you generate an unattended login credential file (<code >.ual</code> file) for the server only. If you generate a <code>.ual</code> file for the server only, then when users attempt to log in, they are presented a GUI that prompts them for their password and their Entrust profile name. After users supply this information , the connection request is forwarded to the Entrust server, which looks up the revocation file and the <code>.ual</code> file to det ermine the permissions for granting the request.</p> <hr></td></tr></table></div></li> <li class="LN1" type="1" value="3"><a name="63 5096"></a>Confirm that the Entrust initialization file contains the following entry in the first section that specifies the Entrust S ettings: <pre class="CE1"><a name="635097"></a>IdentityLibrary=<em class="Variable">location </em><a name="635098"></a> </pre> <a n ame="635099"></a> <p class="BP1">The full path to the location of the <code>libidapi.so</code> file should be specified in the <code> IdentityLibrary</code> parameter. This parameter setting enables generating a <code>.ual</code> file on the server.</p></li> <li clas s="LN1" type="1" value="4"><a name="635100"></a>Ensure that all Entrust toolkits, including the Entrust IPSEC Negotiator toolkit and the Server Login toolkit, are the same version so they are compatible.</li> <li class="LN1" type="1" value="5"><a name="635101"></a>E nsure that you have specified TCP/IP with SSL in the <code>SQLNET.AUTHENTICATION_SERVICES</code> parameter in the <code>sqlnet.ora</c ode> file as shown in the following example: <pre class="CE1"><a name="635102"></a>SQLNET.AUTHENTICATION_SERVICES=(<strong>tcps</str ong>, <em>authentication_type1</em>, <em>authentication_ type2</em>) </pre> </li></ol> <a name="635103"></a> <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Checklist for Entrust Installations on Windows</font></h4>  <a name="635104"></a> <p class="BP">The following checklist items apply only to Entrust installations on the Windows platform.</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="635105"></a>Ensure that you are logged into Entru st Entelligence Desktop Manager and retry.</li> <li class="LN1" type="1" value="2"><a name="635106"></a>Choose Windows <code>></co de> Control Panel <code>></code> Services to confirm that the Entrust Login Interface service has started and is running.</li> <li class="LN1" type="1" value="3"><a name="635107"></a>Confirm that the Entrust initialization file location is specified in the <code> SSL_ENTRUST_INI_FILE</code> parameter of the <code>sqlnet.ora</code> file. However, if you choose not to specify the location there, then the Entrust initialization file must reside in <code>c:\WINNT</code>.</li> <li class="LN1" type="1" value="4"><a name="635108">< /a>Ensure that you are not running Entrust Entelligence Desktop Manager if your database is running on a Microsoft platform. If this is the case, then only the <code>.ual</code> file, which enables unattended login, is required. <p><a name="635119"></a></p> <div al ign="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout tabl e to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="635111"></a> <font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="635117"></a> <p class="NB">Step 4 of <a href="asoappf.htm#634892">"Configuring Entrust on a Windows Server"</a><a href="asoappf.htm#634892"></a> for information about cr eating a <code>.ual</code> file with the Entrust binder command.</p></td></tr></table></div></li> <li class="LN1" type="1" value="5"> <a name="635120"></a>Confirm that Entrust Authority, as specified in the Entrust Initialization file, is accessible and running.</li> <li class="LN1" type="1" value="6"><a name="635121"></a>Confirm that the profile password is correctly entered.</li> <li class="LN1" type="1" value="7"><a name="635122"></a>If an Oracle database server fails to log in to Entrust, confirm that the unattended login c redential file (<code>.ual</code>) is generated using a valid password. Also, confirm that the versions for Entrust Server Login tool kit and Entrust IPSEC Negotiator toolkit match (that is, that the IPSec Toolkit 6.0 works with Server Login Toolkit 6.0).</li> <li cl ass="LN1" type="1" value="8"><a name="635123"></a>Ensure that the Entrust initialization file has the following entry in the first se ction, Entrust Settings: <pre class="CE1"><a name="635124"></a>IdentityLibrary = <em class="Italic">location </em><a name="635125">< /a> </pre> <a name="635126"></a> <p class="BP1">where <em><code>location</code></em> is the location of <code>libidapi.so</code>, in cluding the file name.</p></li></ol> <a name="634387"></a></div> <div class="footer"> <hr> <table summary="" cellspacing="0" cellpadd ing="0" width="100%"> <tr> <td style="width: 33%;" align="left"> <table summary="layout table" cellspacing="0" cellpadding="0" align= "left" width="90"> <tr> <td align="center" valign="top"><a href="asoappe.htm"><img src="../../dcommon/gifs/larrow.gif" alt="Go to pre vious page" border="0"><br> <font size="-2">Previous</font></a></td> <td align="center" valign="top"><a href="asoappg.htm"><img src=" ../../dcommon/gifs/rarrow.gif" alt="Go to next page" border="0"><br> <font size="-2">Next</font></a></td></tr></table></td> <td style ="width: 34%;" align="center"><img src="../../dcommon/gifs/oracle.gif" alt="Oracle"><br> <a href="../../dcommon/html/cpyr.htm"><font size="-2">Copyright © 1996, 2003 Oracle Corporation</font></a><br> <font size="-2">All Rights Reserved.</font></td> <td style="w idth: 33%;" align="right"> <table summary="" cellspacing="0" cellpadding="0" width="270"> <tr> <td align="center" valign="top"><a hre f="../../index.htm"><img src="../../dcommon/gifs/prodicon.gif" alt="Go to Documentation Home" border="0"><br> <font size="-2">Home</f ont></a></td> <td align="center" valign="top"><a href="../../nav/portal_3.htm"><img src="../../dcommon/gifs/bookicon.gif" alt="Go to Book List" border="0"><br> <font size="-2">Book List</font></a></td> <td align="center" valign="top"><a href="toc.htm"><img src="../. ./dcommon/gifs/conticon.gif" alt="Go to Table of Contents" border="0"><br> <font size="-2">Contents</font></a></td> <td align="center " valign="top"><a href="index.htm"><img src="../../dcommon/gifs/indxicon.gif" alt="Go to Index" border="0"><br> <font size="-2">Index </font></a></td> <td align="center" valign="top"><a href="../../mix$101/b12039/toc.htm"><img src="../../dcommon/gifs/mix.gif" alt="Go to Master Index" border="0"><br> <font size="-2">Master Index</font></a></td> <td align="center" valign="top"><a href="../../dc ommon/html/feedback.htm"><img src="../../dcommon/gifs/feedback.gif" alt="Go to Feedback page" border="0"><br> <font size="-2">Feedbac k</font></a></td></tr></table></td></tr></table></div> </body> </html>