5 C onfiguring RADIUS Authentication</ title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta http-equiv="Content-Language" content="EN"> <meta http-equiv="Content-Style-Type" content="text/css"> <meta http-equiv="Content-Script-Type" content="text/javascript"> <meta name="ro bots" content="all" scheme="http://www.robotstxt.org/"> <meta name="doctitle" content="Oracle® Database Advanced Security Adminis trator's Guide 10g Release 1 (10.1)"> <meta name="partno" content="B10772-01"> <meta name="docid" content="ASOAG"> <link rel="Start" href="../../index.htm" title="Home" type="text/html"> <link rel="Copyright" href="../../dcommon/html/cpyr.htm" title="Copyright" type ="text/html"> <link rel="Stylesheet" href="../../dcommon/css/doccd.css" title="Default" type="text/css"> <link rel="Contents" href="t oc.htm" title="Contents" type="text/html"> <link rel="Index" href="index.htm" title="Index" type="text/html"> <link rel="Prev" href=" asopart3.htm" title="Previous" type="text/html"> <link rel="Next" href="asokerb.htm" title="Next" type="text/html"> <link rel="altern ate" href="../b10772.pdf" title="PDF version" type="application/pdf"> </head> <body> <div class="header"> <p><a name="top" id="top" h ref="#BEGIN">Skip Headers</a></p> <table summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top"> <font color="#330099" face="Helvetica, Arial, sans-serif"><strong>Oracle® Database Advanced Security Administrator's Guide<br> 10 <i>g</i> Release 1 (10.1)</strong><br> Part Number B10772-01</font></td> <td valign="bottom" align="right"> <table summary="" cellspa cing="0" cellpadding="0" width="270"> <tr> <td align="center" valign="top"><a href="../../index.htm"><img src="../../dcommon/gifs/pro dicon.gif" alt="Go to Documentation Home" border="0"><br> <font size="-2">Home</font></a></td> <td align="center" valign="top"><a hre f="../../nav/portal_3.htm"><img src="../../dcommon/gifs/bookicon.gif" alt="Go to Book List" border="0"><br> <font size="-2">Book List </font></a></td> <td align="center" valign="top"><a href="toc.htm"><img src="../../dcommon/gifs/conticon.gif" alt="Go to Table of Con tents" border="0"><br> <font size="-2">Contents</font></a></td> <td align="center" valign="top"><a href="index.htm"><img src="../../d common/gifs/indxicon.gif" alt="Go to Index" border="0"><br> <font size="-2">Index</font></a></td> <td align="center" valign="top"><a href="../../mix$101/b12039/toc.htm"><img src="../../dcommon/gifs/mix.gif" alt="Go to Master Index" border="0"><br> <font size="-2">Ma ster Index</font></a></td> <td align="center" valign="top"><a href="../../dcommon/html/feedback.htm"><img src="../../dcommon/gif s/feedback.gif" alt="Go to Feedback page" border="0"><br> <font size="-2">Feedback</font></a></td> </tr> </table> </td> </tr> </table > <hr> <table summary="layout table" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top"> <table summary ="layout table" cellspacing="0" cellpadding="0" align="left" width="90"> <tr> <td align="center" valign="top"><a href="asopart3.htm"> <img src="../../dcommon/gifs/larrow.gif" alt="Go to previous page" border="0"><br> <font size="-2">Previous</font></a></td> <td align ="center" valign="top"><a href="asokerb.htm"><img src="../../dcommon/gifs/rarrow.gif" alt="Go to next page" border="0"><br> <font siz e="-2">Next</font></a></td> </tr> </table> </td> <td align="right" valign="top"><a href="../b10772.pdf"><font size="-2">View PDF</fon t></a></td> </tr> </table> <a name="BEGIN"></a></div> <div class="IND"> <a name="1006084"></a>  <h1 class="Title"><font face="Arial, Helvetica, sans-serif" color="#330099">5<br> C<a name="ASOAG040">onfiguring RADIUS Authe ntication</a></font></h1>  <a name="1007227"></a> <p class="BP">This chapter describes how to configure an Oracle Da tabase server for use with RADIUS (Remote Authentication Dial-In User Service). This chapter contains the following topics:</p> <ul c lass="LB1"> <li class="LB1" type="disc"><a name="1006095"></a><a href="asoradus.htm#1006123">RADIUS Overview</a></li> <li class="LB1" type="disc"><a name="1006099"></a><a href="asoradus.htm#1006195">RADIUS Authentication Modes</a></li> <li class="LB1" type="disc"><a name="1006103"></a><a href="asoradus.htm#1006290">Enabling RADIUS Authentication, Authorization, and Accounting</a></li> <li class=" LB1" type="disc"><a name="1006107"></a><a href="asoradus.htm#1006862">Using RADIUS to Log In to a Database</a></li> <li class="LB1" t ype="disc"><a name="1006111"></a><a href="asoradus.htm#1006877">RSA ACE/Server Configuration Checklist</a> <p><a name="1006121"></a>< /p> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layo ut table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="1006115 "></a><font face="Arial, Helvetica, sans-serif"><strong class="NH"><strong class="Bold">Note</strong>:</strong></font> <a name="10061 16"></a> <p class="NB">SecurID, an authentication product of RSA Security, Inc., though not directly supported by Oracle Advanced Sec urity, has been certified as RADIUS-compliant. You can therefore run SecurID under RADIUS. <a name="1006120"></a></p> <p class="NB">S ee the RSA Security SecurID documentation for further information.</p> <hr></td> </tr> </table> </div> </li> </ul> <a name="1006123"> </a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">RADIUS Overview</font></h2> <!- -/TOC=h1--> <a name="1006124"></a> <p class="BP">RADIUS is a client/server security protocol widely used to enable remote authenticat ion and access. Oracle Advanced Security uses this industry standard in a client/server network environment.</p> <a name="1006128"></ a> <p class="BP">You can enable the network to use any authentication method that supports the RADIUS standard, including token cards and smart cards, by installing and configuring the RADIUS protocol. Moreover, when you use RADIUS, you can change the authentication method without modifying either the Oracle client or the Oracle database server.</p> <a name="1006129"></a> <p class="BP">From the u ser's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Ora cle database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="1006130"></a>Looks up the user's security information.</li> <li class="LB1" type="disc"><a name="1006131"></a>P asses authentication and authorization information between the appropriate authentication server or servers and the Oracle database s erver.</li> <li class="LB1" type="disc"><a name="1006132"></a>Grants the user access to the Oracle database server.</li> <li class="L B1" type="disc"><a name="1006133"></a>Logs session information, including when, how often, and for how long the user was connected to the Oracle database server. <p><a name="1007286"></a></p> <div align="center"> <table class="Note" border="0" width="80%" cellpaddin g="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <t r class="Note"> <td class="Note"> <hr> <a name="1007289"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</stro ng></font> <a name="1007290"></a> <p class="NB">Oracle Advanced Security does not support RADIUS authentication over database links.< /p> <hr></td> </tr> </table> </div> </li> </ul> <a name="1006138"></a> <p class="BP">The Oracle/RADIUS environment is displayed in <a href="asoradus.htm#1006140">Figure 5-1</a>:</p> <a name="1006140"></a> <h4 class="FT"><font face="Arial, Helvetica, sans-serif" ><em>Figure 5-1 RADIUS in an Oracle Environment</em></font></h4> <a name="1006144"><img src="asoag003.gif" alt="Text description of a soag003.gif follows"></a> <p><a href="img_text/asoag003.htm">Text description of the illustration asoag003.gif</a></p> <a name="10061 45"></a> <p class="BP">The Oracle database server acts as the RADIUS client, passing information between the Oracle client and the RA DIUS server. Similarly, the RADIUS server passes information between the Oracle database server and the appropriate authentication se rvers. The authentication components are listed in <a href="asoradus.htm#1006153">Table 5-1</a>:</p> <a name="1006181"></a> <h5 class="TT"><a name="1006181"></a><a name="1006153"></a> <strong><font face="Arial, Helvetica, sans-serif"><em>Table 5-1 RADIUS Authentication Components</em></font></strong></h5> <table summary="" class="RuleFormal" border="1" width="100%" cellpadding="3" cell spacing="0" dir="ltr" title=""> <thead> <tr class="Formal"> <th class="Formal" align="left" valign="bottom" scope="col"><a name="1006 157"></a> <font face="Arial, Helvetica, sans-serif"><strong>Component</strong></font></th> <th class="Formal" align="left" valign="bo ttom" scope="col"><a name="1006159"></a> <font face="Arial, Helvetica, sans-serif"><strong>Stored Information</strong></font></th> </ tr> </thead> <tbody> <tr class="Formal" align="left" valign="top"> <td class="Formal"><a name="1006161"></a> <p class="TB">Oracle cli ent</p> </td> <td class="Formal"><a name="1006163"></a> <p class="TB">Configuration setting for communicating through RADIUS.</p> </t d> </tr> <tr class="Formal" align="left" valign="top"> <td class="Formal"><a name="1006165"></a> <p class="TB">Oracle database server /RADIUS client</p> </td> <td class="Formal"><a name="1006167"></a> <p class="TB">Configuration settings for passing information betwe en the Oracle client and the RADIUS server. <a name="1006168"></a></p> <p class="TB">The secret key file.</p> </td> </tr> <tr cl ass="Formal" align="left" valign="top"> <td class="Formal"><a name="1006170"></a> <p class="TB">RADIUS server</p> </td> <td class="Fo rmal"><a name="1006172"></a> <p class="TB">Authentication and authorization information for all users. <a name="1006173"></a></p> <p class="TB">Each client's name or IP address. <a name="1006174"></a></p> <p class="TB">Each client's shared secret. <a name="1006175"> </a></p> <p class="TB">Unlimited number of menu files enabling users already authenticated to select different login options without reconnecting.</p> </td> </tr> <tr class="Formal" align="left" valign="top"> <td class="Formal"><a name="1006177"></a> <p class="TB">A uthentication server or servers</p> </td> <td class="Formal"><a name="1006179"></a> <p class="TB">User authentication information suc h as pass codes and PINs, depending on the authentication method in use. <a name="1006180"></a></p> <p class="TB"><strong class= "Bold">Note</strong>: The RADIUS server can also be the authentication server.</p> </td> </tr> </tbody> </table> <a name="1006182"></ a> <p class="BP">A RADIUS server vendor is often the authentication server vendor as well, in which case authentication can be proces sed on the RADIUS server. For example, the RSA ACE/Server is both a RADIUS server and an authentication server. It thus authenticates the user's pass code.</p> <a name="1006192"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr cla ss="NoteAlso"> <td class="NoteAlso"><a name="1006185"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</str ong></font> <a name="1006191"></a> <p class="NB"><em class="Italic"><a class="olinkSRC NETAG" href="../../network$101/b10775/toc.htm" >Oracle Net Services Administrator's Guide,</a></em> for information about the <code>sqlnet.ora</code> file</p> </td> </tr> </table> </div> <a name="1006195"></a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">RADIUS Authentication Modes</font></h2>  <a name="1006196"></a> <p class="BP">User authentication can take place in either of two ways:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="1006200"></a><a href="asoradus.htm#1006207">Synchronous Authenti cation Mode</a></li> <li class="LB1" type="disc"><a name="1006204"></a><a href="asoradus.htm#1006250">Challenge-Response (Asynchronou s) Authentication Mode</a></li> </ul> <a name="1006207"></a>  <h3 class="H2"><font face="Arial, Helvetica, san s-serif" color="#330099">Synchronous Authentication Mode</font></h3>  <a name="1006208"></a> <p class="BP">In the synch ronous mode, RADIUS lets you use various authentication methods, including passwords and SecurID token cards. <a href="asoradus.htm#1 006213">Figure 5-2</a> shows the sequence in which synchronous authentication occurs:</p> <a name="1006213"></a> <h4 class="FT"> <font face="Arial, Helvetica, sans-serif"><em>Figure 5-2 Synchronous Authentication Sequence</em></font></h4> <a name="1006217"><img src="asoag010.gif" alt="Text description of asoag010.gif follows"></a> <p><a href="img_text/asoag010.htm">Text description of the ill ustration asoag010.gif</a></p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006218"></a>A user logs in by e ntering a connect string, pass code, or other value. The client system passes this data to the Oracle database server.</li> <li class ="LN1" type="1" value="2"><a name="1006219"></a>The Oracle database server, acting as the RADIUS client, passes the data from the Ora cle client to the RADIUS server.</li> <li class="LN1" type="1" value="3"><a name="1006220"></a>The RADIUS server passes the data to t he appropriate authentication server, such as Smart Card or SecurID ACE for validation.</li> <li class="LN1" type="1" value="4"><a na me="1006221"></a>The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.</li> <li class="LN1" type="1" value="5"><a name="1006222"></a>The RADIUS server passes this response to the Oracle database server / RADIU S client.</li> <li class="LN1" type="1" value="6"><a name="1006223"></a>The Oracle database server / RADIUS client passes the respons e back to the Oracle client.</li> </ol> <a name="1006226"></a> <h4 class="SH1"><font face="Arial, Helvetica, sans-serif">Example: Syn chronous Authentication with SecurID Token Cards</font></h4> <a name="1006227"></a> <p class="BP">With SecurID authentication, each u ser has a token card that displays a dynamic number that changes every sixty seconds. To gain access to the Oracle database server/RA DIUS client, the user enters a valid pass code that includes both a personal identification number (PIN) and the dynamic number curre ntly displayed on the user's SecurID card. The Oracle database server passes this authentication information from the Oracle client t o the RADIUS server, which in this case is the authentication server for validation. Once the authentication server (RSA ACE/Server) validates the user, it sends an "accept" packet to the Oracle database server, which, in turn, passes it to the Oracle client. The us er is now authenticated and able to access the appropriate tables and applications.</p> <a name="1006247"></a> <div align="center"> < table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a n ote" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006230"></a><font face="Ar ial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="1006231"></a> <ul class="NL"> <li class="NL" type=" disc"><a name="1006238"></a><a href="asointro.htm#1008721">Chapter 1, "Introduction to Oracle Advanced Security"</a></li> <li cl ass="NL" type="disc"><a name="1006245"></a><a href="asointro.htm#1007996">"Token Cards"</a><a href="asointro.htm#1007996"></a></li> < li class="NL" type="disc"><a name="1006246"></a>Documentation provided by RSA Security, Inc.</li> </ul> </td> </tr> </table> </div> < a name="1006250"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Challenge-Resp onse (Asynchronous) Authentication Mode</font></h3>  <a name="1006251"></a> <p class="BP">When the system uses the asyn chronous mode, the user does not need to enter a user name and password at the SQL*Plus CONNECT string. Instead, a graphical user int erface asks the user for this information later in the process.</p> <a name="1006255"></a> <p class="BP"><a href="asoradus.htm#100626 5">Figure 5-3</a> shows the sequence in which challenge-response (asynchronous) authentication occurs.</p> <a name="1006263"></a > <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="1006258"> </a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></font> <a name="1006259"></a> <p class="NB">If the RA DIUS server is the authentication server, Steps 3, 4, and 5, and Steps 9, 10, and 11 in <a href="asoradus.htm#1006265">Figure 5- 3</a> are combined.</p> <hr></td> </tr> </table> </div> <a name="1006265"></a> <h4 class="FT"><font face="Arial, Helvetica, sans-seri f"><em>Figure 5-3 Asynchronous Authentication Sequence</em></font></h4> <a name="1006269"><img src="asoag011.gif" alt="Text descripti on of asoag011.gif follows"></a> <p><a href="img_text/asoag011.htm">Text description of the illustration asoag011.gif</a></p> <ol cla ss="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006270"></a>A user seeks a connection to an Oracle database server. T he client system passes the data to the Oracle database server.</li> <li class="LN1" type="1" value="2"><a name="1006271"></a>The Ora cle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.</li> <li class="LN1" t ype="1" value="3"><a name="1006272"></a>The RADIUS server passes the data to the appropriate authentication server, such as a Smart C ard, SecurID ACE, or token card server.</li> <li class="LN1" type="1" value="4"><a name="1006273"></a>The authentication server sends a challenge, such as a random number, to the RADIUS server.</li> <li class="LN1" type="1" value="5"><a name="1006274"></a>The RADIUS server passes the challenge to the Oracle database server / RADIUS client.</li> <li class="LN1" type="1" value="6"><a name="1006275" ></a>The Oracle database server / RADIUS client, in turn, passes it to the Oracle client. A graphical user interface presents the cha llenge to the user.</li> <li class="LN1" type="1" value="7"><a name="1006276"></a>The user provides a response to the challenge. To f ormulate a response, the user can, for example, enter the received challenge into the token card. The token card provides a dynamic p assword to be entered into the graphical user interface. The Oracle client passes the user's response to the Oracle database server / RADIUS client.</li> <li class="LN1" type="1" value="8"><a name="1006277"></a>The Oracle database server / RADIUS client sends the us er's response to the RADIUS server.</li> <li class="LN1" type="1" value="9"><a name="1006278"></a>The RADIUS server passes the user's response to the appropriate authentication server for validation.</li> <li class="LN1" type="1" value="10"><a name="1006279"></a>The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.</li> <li class="LN1" type ="1" value="11"><a name="1006280"></a>The RADIUS server passes the response to the Oracle database server / RADIUS client.</li> <li c lass="LN1" type="1" value="12"><a name="1006281"></a>The Oracle database server / RADIUS client passes the response to the Oracle cli ent.</li> </ol> <a name="1006283"></a> <h4 class="SH1"><font face="Arial, Helvetica, sans-serif">Example: Asynchronous Authentication with Smart Cards</font></h4> <a name="1006284"></a> <p class="BP">With smart card authentication, the user logs in by inserting the smart card--a plastic card (like a credit card) with an embedded integrated circuit for storing information--into a hardware device w hich reads the card. The Oracle client sends the login information contained in the smart card to the authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the Oracle clien t, by way of the RADIUS server and the Oracle database server, prompting the user for authentication information. The information cou ld be, for example, a PIN as well as additional authentication information contained on the smart card.</p> <a name="1006285"></a> <p class="BP">The Oracle client sends the user's response to the authentication server by way of the Oracle database server and the RAD IUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by w ay of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered incorrect information, the authentication server sends back a message rejecting the user's access.</p> <a name="1006286"></a> <h4 class="SH1"><font face="Arial, Helvetica, sans-serif">Example: Asynchronous Authentication wi th ActivCard Tokens</font></h4> <a name="1006287"></a> <p class="BP">One particular ActivCard token is a hand-held device with a keyp ad and which displays a dynamic password. When the user seeks access to an Oracle database server by entering a password, the informa tion is passed to the appropriate authentication server by way of the Oracle database server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the client--by way of the RADIUS server and the Oracle database server. The user typ es that challenge into the token, and the token displays a number for the user to send in response.</p> <a name="1006288"></a> <p cla ss="BP">The Oracle client then sends the user's response to the authentication server by way of the Oracle database server and the RA DIUS server. If the user has typed a valid number, the authentication server sends an "accept" packet back to the Oracle client by wa y of the RADIUS server and the Oracle database server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered an incorrect response, the authentication server sends back a message rejecting the user's access.</p> <a name="1006290"></a>  <h2 class="H1"><font face="Arial, Helvetica, sans-serif" color="#330099">E nabling RADIUS Authentication, Authorization, and Accounting</font></h2>  <a name="1006291"></a> <p class="BP">To enabl e RADIUS authentication and accounting, perform the following tasks:</p> <ul class="LB1"> <li class="LB1" type="disc"><a name="100629 5"></a><a href="asoradus.htm#1006329">Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client</a></li> <li clas s="LB1" type="disc"><a name="1006299"></a><a href="asoradus.htm#1006347">Task 2: Configure RADIUS Authentication</a></li> <li class=" LB1" type="disc"><a name="1006303"></a><a href="asoradus.htm#1006638">Task 3: Create a User and Grant Access</a></li> <li class="LB1" type="disc"><a name="1006307"></a><a href="asoradus.htm#1006670">Task 4: Configure External RADIUS Authorization (optional)</a></li> <li class="LB1" type="disc"><a name="1006311"></a><a href="asoradus.htm#1006741">Task 5: Configure RADIUS Accounting</a></li> <li cl ass="LB1" type="disc"><a name="1006315"></a><a href="asoradus.htm#1006775">Task 6: Add the RADIUS Client Name to the RADIUS Server Da tabase</a></li> <li class="LB1" type="disc"><a name="1006319"></a><a href="asoradus.htm#1006791">Task 7: Configure the Authentication Server for Use with RADIUS</a>.</li> <li class="LB1" type="disc"><a name="1006323"></a><a href="asoradus.htm#1006805">Task 8: Config ure the RADIUS Server for Use with the Authentication Server</a></li> <li class="LB1" type="disc"><a name="1006327"></a><a href="asor adus.htm#1006809">Task 9: Configure Mapping Roles</a></li> </ul> <a name="1006329"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 1: Install RADIUS on the Oracle Database Server and on the Oracle Client</fo nt></h3>  <a name="1006333"></a> <p class="BP">RADIUS is installed with Oracle Advanced Security during a typical insta llation of Oracle Database.</p> <a name="1006344"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpaddin g="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <t r class="NoteAlso"> <td class="NoteAlso"><a name="1006339"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also: </strong></font> <a name="1006343"></a> <p class="NB">Oracle Database operating system-specific installation documentation, for infor mation about installing Oracle Advanced Security and the RADIUS adapter</p> </td> </tr> </table> </div> <a name="1006347"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 2: Configure RADIUS Authentication</f ont></h3>  <a name="1006348"></a> <p class="BP">This task includes the following steps:</p> <ul class="LB1"> <li class= "LB1" type="disc"><a name="1006352"></a><a href="asoradus.htm#1006363">Step 1: Configure RADIUS on the Oracle Client</a></li> <li cla ss="LB1" type="disc"><a name="1006356"></a><a href="asoradus.htm#1006393">Step 2: Configure RADIUS on the Oracle Database Server</a>< /li> <li class="LB1" type="disc"><a name="1006360"></a><a href="asoradus.htm#1006487">Step 3: Configure Additional RADIUS Features</a ></li> </ul> <a name="1006361"></a> <p class="BP">Unless otherwise indicated, perform these configuration tasks by using Oracle Net M anager or by using any text editor to modify the <code>sqlnet.ora</code> file.</p> <a name="1006363"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Step 1: Configure RADIUS on the Oracle Client</font></h4>  <a name="1007421"></a> <p class="BP">Use Oracle Net Manager to configure RADIUS on the Oracle client (See <a href="asotools .htm#1006955">"Starting Oracle Net Manager"</a><a href="asotools.htm#1006955"></a>):</p> <ol class="LN1" type="1"> <li class="LN1" ty pe="1" value="1"><a name="1006364"></a>Navigate to the Oracle Advanced Security profile (See <a href="asotools.htm#1006960">"Navigati ng to the Oracle Advanced Security Profile"</a><a href="asotools.htm#1006960"></a>) The Oracle Advanced Security tabbed window appear s (<a href="asoradus.htm#1007717">Figure 5-4</a>):</li> </ol> <a name="1007717"></a> <h4 class="FT"><font face="Arial, Helvetica , sans-serif"><em>Figure 5-4 Oracle Advanced Security Authentication Window</em></font></h4> <a name="1007718"><img src="radu0001.gif " alt="Text description of radu0001.gif follows."></a> <p><a href="img_text/radu0001.htm">Text description of the illustration radu00 01.gif</a></p> <a name="1007823"></a> <ol class="LN1" type="1"> <li class="LN1" type="1" value="2"><a name="1007719"></a>Choose the A uthentication tab.</li> <li class="LN1" type="1" value="3"><a name="1006385"></a>From the <strong class="Bold">Available Methods</str ong> list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" value="4"><a name="1006386"></a>Choose the righ t-arrow [<strong class="Bold">></strong>] to move RADIUS to the <strong class="Bold">Selected Methods</strong> list. Move any othe r methods you want to use in the same way.</li> <li class="LN1" type="1" value="5"><a name="1006387"></a>Arrange the selected methods in order of required usage by selecting a method in the Selected Methods list, and clicking <strong class="Bold">Promote</strong> or <strong class="Bold">Demote</strong> to position it in the list. For example, put RADIUS at the top of the list for it to be the fir st service used.</li> <li class="LN1" type="1" value="6"><a name="1006388"></a>Choose <strong class="Bold">File</strong> > <strong class="Bold">Save Network Configuration</strong>. <p><a name="1006389"></a></p> <p class="BP1">The <code>sqlnet.ora</code> file is u pdated with the following entry:</p> <pre class="CE1"> <a name="1006391"></a>SQLNET.AUTHENTICATION_SERVICES=(RADIUS) </pre></li> </o l> <a name="1006393"></a> <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Step 2: Con figure RADIUS on the Oracle Database Server</font></h4>  <ul class="LB1"> <li class="LB1" type="disc"><a name="1006397" ></a><a href="asoradus.htm#1006407">Create the RADIUS Secret Key File on the Oracle Database Server</a></li> <li class="LB1" type="di sc"><a name="1006401"></a><a href="asoradus.htm#1006419">Configure RADIUS Parameters on the Server (sqlnet.ora file)</a></li> <li cla ss="LB1" type="disc"><a name="1006405"></a><a href="asoradus.htm#1006454">Set Oracle Database Server Initialization Parameters</a></l i> </ul> <a name="1006407"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif">Create the RADIUS Secret Key File on the Or acle Database Server</font></h5> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006408"></a>Obtain the RADIUS secret key from the RADIUS server. For each RADIUS client, the administrator of the RADIUS server creates a shared secret key, which must be longer than 16-characters.</li> <li class="LN1" type="1" value="2"><a name="1006409"></a>On the Oracle database server, crea te a directory: <ul class="LB2"> <li class="LB2" type="disc"><a name="1007734"></a>(UNIX) <code>$ORACLE_HOME/network/security</code>< /li> <li class="LB2" type="disc"><a name="1007735"></a>(Windows) <em><code>ORACLE_HOME</code></em><code>\network\security</code></li> </ul> </li> <li class="LN1" type="1" value="3"><a name="1006410"></a>Create the file <code>radius.key</code> to hold the shared secr et copied from the RADIUS server. Place the file in the directory you just created in Step 2.</li> <li class="LN1" type="1" value="4" ><a name="1006411"></a>Copy the shared secret key and paste it (and nothing else) into the radius.key file created on the Oracle data base server.</li> <li class="LN1" type="1" value="5"><a name="1006412"></a>For security purposes, change the file permission of <code >radius.key</code> to read only, accessible only by the Oracle owner (Oracle relies on the file system to keep this file secret). <p> <a name="1006417"></a></p> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="l tr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td clas s="NoteAlso"><a name="1006415"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="10 06416"></a> <p class="NB">The RADIUS server administration documentation, for information about obtaining the secret key</p> </td> </ tr> </table> </div> </li> </ol> <a name="1006419"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif">Configure RADIUS Par ameters on the Server (sqlnet.ora file)</font></h5> <a name="1007467"></a> <p class="BP">Use Oracle Net Manager to configure RADIUS p arameters on the server (See <a href="asotools.htm#1006955">"Starting Oracle Net Manager"</a><a href="asotools.htm#1006955"></a>):</p > <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006420"></a>Navigate to the Oracle Advanced Security profile . (See <a href="asotools.htm#1006960">"Navigating to the Oracle Advanced Security Profile"</a><a href="asotools.htm#1006960"></a>) Th e Oracle Advanced Security tabbed window appears (<a href="asoradus.htm#1007717">Figure 5-4</a>).</li> <li class="LN1" type="1" value="2"><a name="1006431"></a>Choose the Authentication tab.</li> <li class="LN1" type="1" value="3"><a name="1006432"></a>From the <strong class="Bold">Available Methods</strong> list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" val ue="4"><a name="1006433"></a>Move RADIUS to the <strong class="Bold">Selected Methods</strong> list by choosing the right-arrow [<str ong class="Bold">></strong>].</li> <li class="LN1" type="1" value="5"><a name="1006434"></a>To arrange the selected methods in ord er of desired use, select a method in the Selected Methods list, and choose <strong class="Bold">Promote</strong> or <strong class="B old">Demote</strong> to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of t he list.</li> <li class="LN1" type="1" value="6"><a name="1006438"></a>Choose the Other Params tab. The Other Params window appears ( <a href="asoradus.htm#1006440">Figure 5-5</a>):</li> </ol> <a name="1006440"></a> <h4 class="FT"><font face="Arial, Helvetica, s ans-serif"><em>Figure 5-5 Oracle Advanced Security Other Params Window</em></font></h4> <a name="1006444"><img src="radu0002.gif" alt ="Text description of radu0002.gif follows."></a> <p><a href="img_text/radu0002.htm">Text description of the illustration radu0002.gi f</a></p> <a name="1007824"></a> <ol class="LN1" type="1"> <li class="LN1" type="1" value="7"><a name="1006445"></a>From the Authenti cation Service list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" value="8"><a name="1006446"></a>In th e <strong class="Bold">Host Name</strong> field, accept the <strong class="Bold">localhost</strong> as the default primary RADIUS ser ver, or enter another host name.</li> <li class="LN1" type="1" value="9"><a name="1006447"></a>Ensure that the default value of the < strong class="Bold">Secret File</strong> field is valid.</li> <li class="LN1" type="1" value="10"><a name="1006448"></a>Choose <stron g class="Bold">File</strong> > <strong class="Bold">Save Network Configuration</strong>. <p><a name="1006449"></a></p> <p class="B P1">The <code>sqlnet.ora</code> file is updated with the following entries:</p> <pre class="CE1"> <a name="1006450"></a>SQLNET.AUTHEN TICATION_SERVICES=RADIUS <a name="1006451"></a>SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_{hostname|IP_address} </pre> <a name="1006 454"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif">Set Oracle Database Server Initialization Parameters</font></h5> <a name="1006455"></a> <p class="BP">Configure the initialization parameter file, located in</p> <ul class="LB1"> <li class="LB1" typ e="disc"><a name="1006456"></a>(UNIX) <code>$ORACLE_BASE/admin/</code><em><code>db_name</code></em><code>/pfile</code></li> <li class ="LB1" type="disc"><a name="1006457"></a>(Windows) <em><code>ORACLE_BASE</code></em><code>\admin\</code><em><code>db_name</code></em> <code>\pfile</code></li> </ul> <a name="1006458"></a> <p class="BP">with the following values:</p> <pre class="CE"> <a name="1006460" ></a>REMOTE_OS_AUTHENT=FALSE <a name="1006461"></a>OS_AUTHENT_PREFIX="" </pre> <a name="1006462"></a><a name="1006467"></a> <div ali gn="center"> <table class="NoteWarn" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a warning" title="This is a layout table to format a warning"> <tr class="NoteWarn"> <td class="NoteWarn"> <hr> <a name="1 006465"></a><font face="Arial, Helvetica, sans-serif"><strong class="NHW">Caution:</strong></font> <a name="1006466"></a> <p class="N B">Setting <code>REMOTE_OS_AUTHENT</code> to TRUE can enable a security breach because it lets someone using a non-secure protocol, s uch as TCP, perform an operating system-authorized login (formerly called an <code>OPS$</code> login).</p> <hr></td> </tr> </table> < /div> <a name="1006485"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir= "ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td cl ass="NoteAlso"><a name="1006470"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name=" 1006479"></a> <p class="NB"><em class="Italic"><a class="olinkSRC REFRN" href="../../server$101/b10755/toc.htm">Oracle Database Refer ence</a></em> and the <em class="Italic"><a class="olinkSRC ADMIN" href="../../server$101/b10739/toc.htm">Oracle Database Administrat or's Guide</a>,</em> for information about setting initialization parameters on an Oracle Database server</p> </td> </tr> </table> </ div> <a name="1006487"></a> </li> </ol> <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#33009 9">Step 3: Configure Additional RADIUS Features</font></h4>  <ul class="LB1"> <li class="LB1" type="disc"><a name="1006 491"></a><a href="asoradus.htm#1006501">Change Default Settings</a></li> <li class="LB1" type="disc"><a name="1006495"></a><a href="a soradus.htm#1006563">Configure Challenge-Response</a></li> <li class="LB1" type="disc"><a name="1006499"></a><a href="asoradus.htm#10 06627">Set Parameters for an Alternate RADIUS Server</a></li> </ul> <a name="1006501"></a> <h5 class="SH2"><font face="Arial, Helveti ca, sans-serif">Change Default Settings</font></h5> <a name="1007492"></a> <p class="BP">Use Oracle Net Manager to change default set tings (See <a href="asotools.htm#1006955">"Starting Oracle Net Manager"</a><a href="asotools.htm#1006955"></a>):</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006502"></a>Navigate to the Oracle Advanced Security profile (See <a href="aso tools.htm#1006960">"Navigating to the Oracle Advanced Security Profile"</a><a href="asotools.htm#1006960"></a>) The Oracle Advanced S ecurity tabbed window appears (<a href="asoradus.htm#1006440">Figure 5-5</a>).</li> <li class="LN1" type="1" value="2"><a name=" 1006516"></a>Choose the Other Params tab.</li> <li class="LN1" type="1" value="3"><a name="1006517"></a>From the <strong class="Bold" >Authentication Service</strong> list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" value="4"><a name=" 1006518"></a>Change the default setting for any of the following fields: <p><a name="1006554"></a></p> <table summary="" class="RuleI nformal" border="1" width="100%" cellpadding="3" cellspacing="0" dir="ltr" title=""> <thead> <tr class="Informal"> <th class="Informa l" align="left" valign="bottom" scope="col"><a name="1006521"></a> <font face="Arial, Helvetica, sans-serif"><strong>Field</strong></ font></th> <th class="Informal" align="left" valign="bottom" scope="col"><a name="1006523"></a> <font face="Arial, Helvetica, sans-se rif"><strong>Description</strong></font></th> </tr> </thead> <tbody> <tr class="Informal" align="left" valign="top"> <td class="Infor mal"><a name="1006525"></a> <p class="TB">Port Number</p> </td> <td class="Informal"><a name="1006527"></a> <p class="TB">Specifies t he listening port of the primary RADIUS server. The default value is 1645.</p> </td> </tr> <tr class="Informal" align="left" valign=" top"> <td class="Informal"><a name="1006529"></a> <p class="TB">Timeout (seconds)</p> </td> <td class="Informal"><a name="1006531"></ a> <p class="TB">Specifies the time the Oracle database server waits for a response from the primary RADIUS server. The default is 15 seconds.</p> </td> </tr> <tr class="Informal" align="left" valign="top"> <td class="Informal"><a name="1006533"></a> <p class="TB">N umber of Retries</p> </td> <td class="Informal"><a name="1006535"></a> <p class="TB">Specifies the number of times the Oracle databas e server resends messages to the primary RADIUS server. The default is three retries. <a name="1006538"></a></p> <p class="TB">For in structions on configuring RADIUS accounting, see: <a href="asoradus.htm#1006741">Task 5: Configure RADIUS Accounting</a><a href="asor adus.htm#1006741"></a>.</p> </td> </tr> <tr class="Informal" align="left" valign="top"> <td class="Informal"><a name="1006544"></a> < p class="TB">Secret File</p> </td> <td class="Informal"><a name="1006546"></a> <p class="TB">Specifies the location of the secret key on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself. <a name="1006549" ></a></p> <p class="TB">For information about specifying the secret key, see: <a href="asoradus.htm#1006407">Create the RADIUS Secret Key File on the Oracle Database Server</a><a href="asoradus.htm#1006407"></a>.</p> </td> </tr> </tbody> </table> </li> <li class="LN 1" type="1" value="5"><a name="1006556"></a>Choose <strong class="Bold">File</strong> > <strong class="Bold">Save Network Configur ation</strong>. <p><a name="1006557"></a></p> <p class="BP1">The <code>sqlnet.ora</code> file is updated with the following entries:< /p> <pre class="CE1"> <a name="1006558"></a>SQLNET.RADIUS_AUTHENTICATION_PORT=(PORT) <a name="1006559"></a>SQLNET.RADIUS_AUTHENTICATI ON_TIMEOUT= (NUMBER OF SECONDS TO WAIT FOR response) <a name="1006560"></a>SQLNET.RADIUS_AUTHENTICATION_RETRIES= (NUMBER OF TIMES TO RE-SEND TO RADIUS server) <a name="1006561"></a>SQLNET.RADIUS_SECRET=(path/radius.key) </pre></li> </ol> <a name="1006563"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif">Configure Challenge-Response</font></h5> <a name="1006565"></a> <p class="BP">T he challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional i nformation--for example, a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interface is Java- based to provide optimal platform independence.</p> <a name="1006571"></a> <div align="center"> <table class="Note" border="0" width= "80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to fo rmat a note"> <tr class="Note"> <td class="Note"> <hr> <a name="1006568"></a><font face="Arial, Helvetica, sans-serif"><strong class= "NH">Note:</strong></font> <a name="1006569"></a> <p class="NB">Third party vendors of authentication devices must customize this gra phical user interface to fit their particular device. For example, a smart card vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smart card. When the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN.</p> <hr></td> </tr> </table> </div> <a name="1006582"></a> <div align="center "> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006574"></a><font face ="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="1006580"></a> <p class="NB"><a href="asoappc.ht m#634412">Appendix C, "Integrating Authentication Devices Using RADIUS"</a>, for information about how to customize the challeng e-response user interface</p> </td> </tr> </table> </div> <a name="1006583"></a> <p class="BP">To configure challenge-response:</p> < ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006584"></a>If you are using JDK 1.1.7 or JRE 1.1.7, set the JA VA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run: <ul class="LB2"> <li class="LB2 " type="disc"><a name="1006585"></a>On UNIX, enter this command at the prompt: <pre class="CE2"> <a name="1006586"></a>% setenv JAVA_ HOME /usr/local/packages/jre1.1.7B <a name="1006587"></a> </pre></li> <li class="LB2" type="disc"><a name="1006588"></a>On Windows, c hoose <strong class="Bold">Start</strong>> <strong class="Bold">Settings</strong> > <strong class="Bold">Control Panel</strong> > <strong class="Bold">System</strong> > <strong class="Bold">Environment</strong>, and set the JAVA_HOME variable as follows: <pre class="CE2"> <a name="1007540"></a>c:\java\jre1.1.7B </pre> <a name="1007548"></a> <div align="center"> <table class="Note" bo rder="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a lay out table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="1007543"></a><font face="Arial, Helvetica, sans-serif" ><strong class="NH">Note:</strong></font> <a name="1007544"></a> <p class="NB">This step is not required for any other JDK / JRE vers ion.</p> <hr></td> </tr> </table> </div> </li> </ul> </li> </ol> <a name="1007829"></a> <ol class="LN1" type="1"> <li class="LN1" typ e="1" value="2"><a name="1007552"></a>Navigate to the Oracle Advanced Security profile in Oracle Net Manager (See <a href="asotools.h tm#1006960">"Navigating to the Oracle Advanced Security Profile"</a><a href="asotools.htm#1006960"></a>) The Oracle Advanced Security Other Params window appears (<a href="asoradus.htm#1006440">Figure 5-5</a>).</li> <li class="LN1" type="1" value="3"><a name="1 006611"></a>From the <strong class="Bold">Authentication Service</strong> list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" value="4"><a name="1006612"></a>In the <strong class="Bold">Challenge Response</strong> field, enter <strong cl ass="Bold">ON</strong> to enable challenge-response.</li> <li class="LN1" type="1" value="5"><a name="1006613"></a>In the <strong cla ss="Bold">Default Keyword</strong> field, accept the default value of the challenge or enter a keyword for requesting a challenge fro m the RADIUS server. <p><a name="1006619"></a></p> <div align="center"> <table class="Note" border="0" width="80%" cellpadding="0" ce llspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class= "Note"> <td class="Note"> <hr> <a name="1006616"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Note:</strong></fon t> <a name="1006617"></a> <p class="NB">The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it. <a name="1006618"></a></p> <p class="NB">By setting a keyword, you let the user avoid using a password to verify identity. If the user does <em class="Italic">not</em> enter a password, the keyword yo u set here is passed to the RADIUS server which responds with a challenge requesting, for example, a driver's license number or birth date. If the user <em class="Italic">does</em> enter a password, the RADIUS server may or may not respond with a challenge, dependin g upon the configuration of the RADIUS server.</p> <hr></td> </tr> </table> </div> </li> </ol> <a name="1007830"></a> <ol class="LN1" type="1"> <li class="LN1" type="1" value="6"><a name="1006620"></a>In the <strong class="Bold">Interface Class Name</strong> field, accept the default value of <strong class="Bold">DefaultRadiusInterface</strong> or enter the name of the class you have created to h andle the challenge-response conversation. If other than the default RADIUS interface is used, you also must edit the <code>sqlnet.or a</code> file to enter <code>SQLNET.RADIUS_CLASSPATH=(location)</code>, where <code>location</code> is the complete path name of the jar file. It defaults to<br> <em><code>$ORACLE_HOME</code></em><code>/network/jlib/netradius.jar:</code> <em><code>$ORACLE_HOME</code ></em><code>/JRE/lib/vt.jar</code></li> <li class="LN1" type="1" value="7"><a name="1006621"></a>Choose <strong class="Bold">File</st rong> > <strong class="Bold">Save Network Configuration</strong>. <p><a name="1006622"></a></p> <p class="BP1">The <code>sqlnet.or a</code> file is updated with the following entries:</p> <pre class="CE1"> <a name="1006623"></a>SQLNET.RADIUS_CHALLENGE_RESPONSE=([O N | OFF]) <a name="1006624"></a>SQLNET.RADIUS_CHALLENGE_KEYWORD=(KEYWORD) <a name="1006625"></a>SQLNET.RADIUS_AUTHENTICATION_INTERFAC E=(<em class="Italic">name of interface including the package name delimited by "/" for "."</em>) </pre> <a name="1006627"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif">Set Parameters for an Alternate RADIUS Server</font></h5> <a name="1006628"></a > <p class="BP">If you are using an alternate RADIUS server, set these parameters in the <code>sqlnet.ora</code> file using any text editor.</p> <pre class="CE"> <a name="1006630"></a>SQLNET.RADIUS_ALTERNATE=(<em class="Italic">hostname or ip address of alternate ra dius server) </em><a name="1006632"></a>SQLNET.RADIUS_ALTERNATE_PORT=(<em class="Italic">1812</em>) <a name="1006634"></a>SQLNET.RADI US_ALTERNATE_TIMEOUT=(<em class="Italic">number of seconds to wait for response) </em><a name="1006636"></a>SQLNET.RADIUS_ALTERNATE_R ETRIES=(<em class="Italic">number of times to re-send to radius server) </em> </pre></li> </ol> <a name="1006638"></a> <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 3: Create a User and Grant Access</font></h3>  <a name="1006639"></a> <p class="BP">To grant user access:</p> <ol class="LN1" type="1"> <li class="LN1" type="1" valu e="1"><a name="1006640"></a>Launch SQL*Plus and execute these commands to create and grant access to a user identified externally on the Oracle database server. <pre class="CE1"> <a name="1006641"></a>SQL> CONNECT system/manager@database_name; <a name="1006642">< /a>SQL> CREATE USER username IDENTIFIED EXTERNALLY; <a name="1006643"></a>SQL> GRANT CREATE SESSION TO USER username; <a name=" 1006644"></a>SQL> EXIT </pre> <a name="1006645"></a> <p class="BP1">If you are using Windows, you can use the Security Manager to ol in the Oracle Enterprise Manager.</p> <a name="1006662"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" c ellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006648"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH"> See Also:</strong></font> <a name="1006649"></a> <ul class="NL"> <li class="NL" type="disc"><a name="1006655"></a><a class="olinkSRC ADMIN" href="../../server$101/b10739/toc.htm"><em class="Italic">Oracle Database Administrator's Guide</em></a></li> <li class="NL" t ype="disc"><a name="1006661"></a><a class="olinkSRC HETER" href="../../server$101/b10764/toc.htm"><em class="Italic">Oracle Database Heterogeneous Connectivity Administrator's Guide</em></a></li> </ul> </td> </tr> </table> </div> </li> </ol> <a name="1007831"></a> < ol class="LN1" type="1"> <li class="LN1" type="1" value="2"><a name="1006663"></a>Enter the same user in the RADIUS server's users fi le. <p><a name="1006668"></a></p> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> < td class="NoteAlso"><a name="1006666"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a n ame="1006667"></a> <p class="NB">Administration documentation for the RADIUS server</p> </td> </tr> </table> </div> </li> </ol> <a na me="1006670"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 4: Configure External RADIUS Authorization (optional)</font></h3>  <a name="1006671"></a> <p class="BP">If you require external RADI US authorization for RADIUS users who connect to an Oracle database, then you must perform the following steps to configure the Oracl e server, the Oracle client, and the RADIUS server:</p> <a name="1006672"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-ser if"><strong class="Bold">To configure the Oracle server (RADIUS client):</strong></font></h5> <ol class="LN1" type="1"> <li class="LN 1" type="1" value="1"><a name="1006673"></a>Add the <code>OS_ROLE</code> parameter to the <code>init.ora</code> file and set this par ameter to <code>TRUE</code> as follows: <pre class="CE1"> <a name="1006674"></a>OS_ROLE=TRUE <a name="1006675"></a> </pre> <a name="1 006676"></a> <p class="BP1">Then restart the database so the system can read the change to the <code>init.ora</code> file.</p> </li> <li class="LN1" type="1" value="2"><a name="1006677"></a>Set the RADIUS challenge-response mode to <code>ON</code> for the server if you have not already done so by following the steps listed in <a href="asoradus.htm#1006563">"Configure Challenge-Response"</a><a hre f="asoradus.htm#1006563"></a>.</li> <li class="LN1" type="1" value="3"><a name="1006684"></a>Add externally identified users and role s.</li> </ol> <a name="1006685"></a> <h5 class="SH2"><font face="Arial, Helvetica, sans-serif"><strong class="Bold">To configure the Oracle client (where users log in):</strong></font></h5> <a name="1006686"></a> <p class="BP">Set the RADIUS challenge-response mode to <code>ON</code> for the client if you have not already done so by following the steps listed in <a href="asoradus.htm#1006563">"Co nfigure Challenge-Response"</a><a href="asoradus.htm#1006563"></a>.</p> <a name="1006693"></a> <h5 class="SH2"><font face="Arial, Hel vetica, sans-serif">To configure the RADIUS server:</font></h5> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name= "1006694"></a>Add the following attributes to the RADIUS server attribute configuration file: <p><a name="1006714"></a></p> <table su mmary="" class="Informal" border="1" frame="HSIDES" rules="GROUPS" width="100%" cellpadding="3" cellspacing="0" dir="ltr" title=""> < thead> <tr class="Informal"> <th class="Informal" align="left" valign="bottom" scope="col"><a name="1006697"></a> <font face="Arial, Helvetica, sans-serif"><strong>ATTRIBUTE NAME</strong></font></th> <th class="Informal" align="left" valign="bottom" scope="col"><a n ame="1006699"></a> <font face="Arial, Helvetica, sans-serif"><strong>CODE</strong></font></th> <th class="Informal" align="left" vali gn="bottom" scope="col"><a name="1006701"></a> <font face="Arial, Helvetica, sans-serif"><strong>TYPE</strong></font></th> </tr> </th ead> <tbody> <tr class="Informal" align="left" valign="top"> <td class="Informal"><a name="1006703"></a> <p class="TB"><code>VENDOR_S PECIFIC</code></p> </td> <td class="Informal"><a name="1006705"></a> <p class="TB">26</p> </td> <td class="Informal"><a name="1006707 "></a> <p class="TB">Integer</p> </td> </tr> <tr class="Informal" align="left" valign="top"> <td class="Informal"><a name="1006709">< /a> <p class="TB"><code>ORACLE_ROLE</code></p> </td> <td class="Informal"><a name="1006711"></a> <p class="TB">1</p> </td> <td class= "Informal"><a name="1006713"></a> <p class="TB">String</p> </td> </tr> </tbody> </table> </li> </ol> <a name="1007836"></a> <ol class ="LN1" type="1"> <li class="LN1" type="1" value="2"><a name="1006715"></a>Assign a Vendor ID for Oracle in the RADIUS server attribut e configuration file that includes the SMI Network Management Private Enterprise Code of 111. <p><a name="1006716"></a></p> <p class= "BP1">For example, enter the following in the RADIUS server attribute configuration file:</p> <a name="1006717"></a> <p class="BP1">< code>VALUE VENDOR_SPECIFIC ORACLE 111</code></ p> </li> <li class="LN1" type="1" value="3"><a name="1006719"></a>Using the following syntax, add the <code>ORACLE_ROLE</code> attrib ute to the user profile of the users who will use external RADIUS authorization: <p><a name="1006720"></a></p> <p class="BP1"><code>O RA_</code><em><code>databaseSID</code></em><code>_</code><em><code>rolename</code></em><code>[_[A]|[D]]</code></p> <a name="1006722"> </a> <p class="BP1">where:</p> <ul class="LB2"> <li class="LB2" type="disc"><a name="1006723"></a><code>ORA</code> designates that th is role is used for Oracle purposes</li> <li class="LB2" type="disc"><a name="1006724"></a><code>databaseSID</code> is the Oracle sys tem identifier that is configured in the database server's <code>init.ora</code> file</li> <li class="LB2" type="disc"><a name="10067 25"></a><code>rolename</code> is the name of role as it is defined in the data dictionary. For example, <code>SYSDBA</code></li> <li class="LB2" type="disc"><a name="1006726"></a><code>A</code> is an optional character that indicates the user has administrator's pri vileges for this role</li> <li class="LB2" type="disc"><a name="1006727"></a><code>D</code> is an optional character that indicates t his role is to be enabled by default</li> </ul> <a name="1006728"></a> <p class="BP1">Ensure that RADIUS groups which map to Oracle r oles adhere to the <code>ORACLE_ROLE</code> syntax.</p> <a name="1006729"></a> <p class="BP1">For example:</p> <pre class="CE1"> <a n ame="1006730"></a><em>USERNAME</em> USERPASSWD="<em>user_password</em>", <a name="1006731"></a> SERVICE_TYPE=login_us er, <a name="1006732"></a> VENDOR_SPECIFIC=ORACLE, <a name="1006733"></a> ORACLE_ROLE=ORA_<em>ora920</em>_<em >sysdba </em> </pre> <a name="1006738"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cells pacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="No teAlso"> <td class="NoteAlso"><a name="1006736"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></ font> <a name="1006737"></a> <p class="NB">The RADIUS server administration documentation for information about configuring the serve r.</p> </td> </tr> </table> </div> <a name="1006741"></a> </li> </ol> <h3 class="H2"><font face="Arial, Helvet ica, sans-serif" color="#330099">Task 5: Configure RADIUS Accounting</font></h3>  <a name="1006742"></a> <p class="BP"> RADIUS accounting logs information about access to the Oracle database server and stores it in a file on the RADIUS accounting server . Use this feature only if both the RADIUS server and authentication server support it.</p> <a name="1006743"></a>  <h4 class="H3"><font face="Arial, Helvetica, sans-serif" color="#330099">Set RADIUS Accounting on the Oracle Database Server</f ont></h4>  <a name="1006744"></a> <p class="BP">Use Oracle Net Manager to enable or disable RADIUS accounting (See <a h ref="asotools.htm#1006955">"Starting Oracle Net Manager"</a><a href="asotools.htm#1006955"></a>):</p> <ol class="LN1" type="1"> <li c lass="LN1" type="1" value="1"><a name="1006745"></a>Navigate to the Oracle Advanced Security profile. (See <a href="asotools.htm#1006 960">"Navigating to the Oracle Advanced Security Profile"</a><a href="asotools.htm#1006960"></a>) The Other Params window appears (<a href="asoradus.htm#1006440">Figure 5-5</a>).</li> <li class="LN1" type="1" value="2"><a name="1006760"></a>From the <strong cla ss="Bold">Authentication Service</strong> list, select <strong class="Bold">RADIUS</strong>.</li> <li class="LN1" type="1" value="3"> <a name="1006761"></a>In the <strong class="Bold">Send Accounting</strong> field, enter <strong class="Bold">ON</strong> to enable ac counting or <strong class="Bold">OFF</strong> to disable accounting.</li> <li class="LN1" type="1" value="4"><a name="1006762"></a>Ch oose <strong class="Bold">File</strong> > <strong class="Bold">Save Network Configuration</strong>. <p><a name="1006763"></a></p> <p class="BP1">The <code>sqlnet.ora</code> file is updated with the following entry:</p> <pre class="CE1"> <a name="1006765"></a>SQLN ET.RADIUS_SEND_ACCOUNTING= ON </pre></li> </ol> <a name="1006767"></a> <h4 class="H3"><font face="Arial, Helv etica, sans-serif" color="#330099">Configure the RADIUS Accounting Server</font></h4>  <a name="1006768"></a> <p class= "BP">RADIUS Accounting consists of an accounting server residing on either the same host as the RADIUS authentication server or on a separate host.</p> <a name="1006773"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspa cing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="Note Also"> <td class="NoteAlso"><a name="1006771"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></fo nt> <a name="1006772"></a> <p class="NB">Administration documentation for the RADIUS server, for information about configuring RADIUS accounting</p> </td> </tr> </table> </div> <a name="1006775"></a>  <h3 class="H2"><font face="Arial, Helvetic a, sans-serif" color="#330099">Task 6: Add the RADIUS Client Name to the RADIUS Server Database</font></h3>  <a name="1 006776"></a> <p class="BP">You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC #2138, <em class="Italic">Remote Authentication Dial In User Service (RADIUS)</em> and RFC #2139 <em class="Italic"> RADIUS Accounting</em>. Because RADIUS servers vary, consult the documentation for your particular RADIUS server for any unique inter operability requirements.</p> <a name="1006777"></a> <p class="BP">Perform the following steps to add the RADIUS client name to a Liv ingston RADIUS server:</p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006778"></a>Open the clients file, which can be found at /etc/raddb/clients. The following text and table appear: <pre class="CE1"> <a name="1006779"></a>@ (#) clients 1.1 2/21/96 Copyright 1991 Livingston Enterprises Inc <a name="1006780"></a>This file contains a list of clients which are allowed to make authentication requests and their encryption key. The first field is a valid hostname. The second field (separated by blanks or tabs) is the encryption key. <a name="1006781"></a>Client Name Key </pre></li> <li class="LN1" type="1" valu e="2"><a name="1006782"></a>In the <code>CLIENT NAME</code> column, enter the host name or IP address of the host on which the Oracle database server is running. In the <code>KEY</code> column, type the shared secret. <p><a name="1006783"></a></p> <p class="BP1">The value you enter in the CLIENT NAME column, whether it is the client's name or IP address, depends on the RADIUS server.</p> </li> <l i class="LN1" type="1" value="3"><a name="1006784"></a>Save and close the clients file. <p><a name="1006789"></a></p> <div align="cen ter"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to for mat a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006787"></a><font f ace="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="1006788"></a> <p class="NB">Administration d ocumentation for the RADIUS server</p> </td> </tr> </table> </div> </li> </ol> <a name="1006791"></a>  <h3 cla ss="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 7: Configure the Authentication Server for Use with RADIUS</fo nt></h3>  <a name="1006792"></a> <p class="BP">See the authentication server documentation for instructions about confi guring the authentication servers.</p> <a name="1006803"></a> <div align="center"> <table class="NoteAlso" border="0" width="80%" cel lpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a no te"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006795"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">Se e Also:</strong></font> <a name="1006802"></a> <p class="NB"><a href="preface.htm#970178">"Related Documentation"</a><a href="preface .htm#970178"></a>, which contains a list of possible resources.</p> </td> </tr> </table> </div> <a name="1006805"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 8: Configure the RADIUS Server for Use with t he Authentication Server</font></h3>  <a name="1006806"></a> <p class="BP">See the RADIUS server documentation.</p> <a name="1006809"></a>  <h3 class="H2"><font face="Arial, Helvetica, sans-serif" color="#330099">Task 9: Configur e Mapping Roles</font></h3>  <a name="1006810"></a> <p class="BP">If the RADIUS server supports vendor type attributes, you can manage roles by storing them in the RADIUS server. The Oracle database server downloads the roles when there is a CONNECT re quest using RADIUS.</p> <a name="1006811"></a> <p class="BP">To use this feature, configure roles on both the Oracle database server and the RADIUS server.</p> <a name="1006812"></a> <p class="BP">Perform these steps to configure roles on the Oracle database server: </p> <ol class="LN1" type="1"> <li class="LN1" type="1" value="1"><a name="1006813"></a>Use a text editor to set the <code>OS_ROLES</ code> parameter in the initialization parameters file on the Oracle database server.</li> <li class="LN1" type="1" value="2"><a name= "1006814"></a>Stop and restart the Oracle database server.</li> <li class="LN1" type="1" value="3"><a name="1006815"></a>Create each role the RADIUS server is to manage on the Oracle database server with IDENTIFIED EXTERNALLY. <p><a name="1006819"></a></p> <p class= "BP1">To configure roles on the RADIUS server, refer to <a href="asoradus.htm#1006153">Table 5-1</a> and use the following synta x:</p> <pre class="CE1"> <a name="1006820"></a>ORA_DatabaseName.DatabaseDomainName_RoleName <a name="1007030"></a> </pre> <a name="10 06821"></a> <p class="BP1"><strong class="Bold">Example:</strong></p> <pre class="CE1"> <a name="1006822"></a>ORA_USERDB.US.ORACLE.CO M_MANAGER </pre> <a name="1007034"></a> <h5 class="TT"><a name="1007034"></a><a name="1007037"></a> <strong><font face="Arial, Helve tica, sans-serif"><em>Table 5-2 RADIUS Configuration Parameters</em></font></strong></h5> <table summary="" class="RuleFormal" border ="1" width="100%" cellpadding="3" cellspacing="0" dir="ltr" title=""> <thead> <tr class="Formal"> <th class="Formal" align="left" val ign="bottom" scope="col"><a name="1007041"></a> <font face="Arial, Helvetica, sans-serif"><strong>Parameter</strong></font></th> <th class="Formal" align="left" valign="bottom" scope="col"><a name="1007043"></a> <font face="Arial, Helvetica, sans-serif"><strong>Desc ription</strong></font></th> </tr> </thead> <tbody> <tr class="Formal" align="left" valign="top"> <td class="Formal"><a name="1007068 "></a> <p class="TB">DatabaseName</p> </td> <td class="Formal"><a name="1007070"></a> <p class="TB">The name of the Oracle database s erver for which the role is being created. This is the same as the value of the DB_NAME initialization parameter.</p> </td> </tr> <tr class="Formal" align="left" valign="top"> <td class="Formal"><a name="1007072"></a> <p class="TB">DatabaseDomainName</p> </td> <td c lass="Formal"><a name="1007074"></a> <p class="TB">The name of the domain to which the Oracle database server belongs. The value is t he same as the value of the DB_DOMAIN initialization parameter.</p> </td> </tr> <tr class="Formal" align="left" valign="top"> <td cla ss="Formal"><a name="1007076"></a> <p class="TB">RoleName</p> </td> <td class="Formal"><a name="1007078"></a> <p class="TB">The name of the role created in the Oracle database server.</p> </td> </tr> </tbody> </table> </li> <li class="LN1" type="1" value="4"><a name ="1006845"></a>Configure RADIUS challenge-response mode. <p><a name="1007085"></a></p> <div align="center"> <table class="NoteAlso" b order="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This is a la yout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1007088"></a><font face="Arial, Helvetica, sans-ser if"><strong class="NH">See Also:</strong></font> <a name="1007089"></a> <ul class="NL"> <li class="NL" type="disc"><a name="1007090"> </a><a href="asoradus.htm#1006250">Challenge-Response (Asynchronous) Authentication Mode</a><a href="asoradus.htm#1006250"></a></li> <li class="NL" type="disc"><a name="1007103"></a><a href="asoradus.htm#1006563">Configure Challenge-Response</a><a href="asoradus.htm #1006563"></a></li> </ul> <a name="1007116"></a> <p class="NB">These sections describe how to configure challenge-response mode.</p> </td> </tr> </table> </div> </li> </ol> <a name="1006862"></a>  <h2 class="H1"><font face="Arial, Helvetica, s ans-serif" color="#330099">Using RADIUS to Log In to a Database</font></h2>  <a name="1006863"></a> <p class="BP">If yo u are using the synchronous authentication mode, launch SQL*Plus and enter the following command at the prompt:</p> <pre class="CE"> <a name="1006864"></a>CONNECT username/password@database_alias <a name="1006865"></a> </pre> <a name="1006866"></a> <p class="BP">Not e that you can log in with this command only when challenge-response is not turned to ON.</p> <a name="1006867"></a> <p class="BP">If you are using the challenge-response mode, launch SQL*Plus and, at the prompt, enter the command that follows:</p> <pre class="CE"> <a name="1006868"></a>CONNECT /@database_alias <a name="1006869"></a> </pre> <a name="1006870"></a> <p class="BP">Note that you can l og in with this command only when challenge-response is turned to ON.</p> <a name="1006875"></a> <div align="center"> <table class="N ote" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a note" title="This i s a layout table to format a note"> <tr class="Note"> <td class="Note"> <hr> <a name="1006873"></a><font face="Arial, Helvetica, sans -serif"><strong class="NH">Note:</strong></font> <a name="1006874"></a> <p class="NB">The challenge-response mode can be configured f or all login cases.</p> <hr></td> </tr> </table> </div> <a name="1006877"></a>  <h2 class="H1"><font face="Ari al, Helvetica, sans-serif" color="#330099">RSA ACE/Server Configuration Checklist</font></h2>  <a name="1006878"></a> < p class="BP">If you are using an RSA ACE/Server as a RADIUS server, check the following items before making your initial connection:< /p> <ul class="LB1"> <li class="LB1" type="disc"><a name="1006879"></a>Ensure that the host agent in the RSA ACE/Server is set up to send a node secret. In version 5.0, this is done by leaving the SENT Node secret box unchecked. If the RSA ACE/Server fails to send a node secret to the agent, then a node verification failure message will be written to the RSA ACE/Server log.</li> <li class="LB1" t ype="disc"><a name="1006880"></a>If you are using RSA SecurID tokens, then ensure that the token is synchronized with the RSA ACE/Ser ver. <p><a name="1006885"></a></p> <div align="center"> <table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0 " dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note"> <tr class="NoteAlso"> <td class="NoteAlso"><a name="1006883"></a><font face="Arial, Helvetica, sans-serif"><strong class="NH">See Also:</strong></font> <a name="1006884"></a> <p class="NB">RSA ACE/Server documentation for specific information about troubleshooting.</p> </td> </tr> </tabl e> </div> </li> </ul> </div> <div class="footer"> <hr> <table summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td style ="width: 33%;" align="left"> <table summary="layout table" cellspacing="0" cellpadding="0" align="left" width="90"> <tr> <td align="c enter" valign="top"><a href="asopart3.htm"><img src="../../dcommon/gifs/larrow.gif" alt="Go to previous page" border="0"><br> <font s ize="-2">Previous</font></a></td> <td align="center" valign="top"><a href="asokerb.htm"><img src="../../dcommon/gifs/rarrow.gif" alt= "Go to next page" border="0"><br> <font size="-2">Next</font></a></td> </tr> </table> </td> <td style="width: 34%;" align="center"><i mg src="../../dcommon/gifs/oracle.gif" alt="Oracle"><br> <a href="../../dcommon/html/cpyr.htm"><font size="-2">Copyright © 1996, 2003 Oracle Corporation</font></a><br> <font size="-2">All Rights Reserved.</font></td> <td style="width: 33%;" align="right"> <tabl e summary="" cellspacing="0" cellpadding="0" width="270"> <tr> <td align="center" valign="top"><a href="../../index.htm"><img src=".. /../dcommon/gifs/prodicon.gif" alt="Go to Documentation Home" border="0"><br> <font size="-2">Home</font></a></td> <td align="center" valign="top"><a href="../../nav/portal_3.htm"><img src="../../dcommon/gifs/bookicon.gif" alt="Go to Book List" border="0"><br> <font size="-2">Book List</font></a></td> <td align="center" valign="top"><a href="toc.htm"><img src="../../dcommon/gifs/conticon.gif" alt ="Go to Table of Contents" border="0"><br> <font size="-2">Contents</font></a></td> <td align="center" valign="top"><a href="index.ht m"><img src="../../dcommon/gifs/indxicon.gif" alt="Go to Index" border="0"><br> <font size="-2">Index</font></a></td> <td align="cent er" valign="top"><a href="../../mix$101/b12039/toc.htm"><img src="../../dcommon/gifs/mix.gif" alt="Go to Master Index" border="0"><br > <font size="-2">Master Index</font></a></td> <td align="center" valign="top"><a href="../../dcommon/html/feedback.htm"><img sr c="../../dcommon/gifs/feedback.gif" alt="Go to Feedback page" border="0"><br> <font size="-2">Feedback</font></a></td> </tr> </table> </td> </tr> </table> </div> </body> </html>