What's New in Oracle Advanced Security ?

This section describes new features of Oracle Advance d Security 10g Release 1 (10.1) and provides pointers to additional information. New features information fro m the previous release is also retained to help those users migrating to the current release.

The following sections describe the new features in Oracle Advanced Security:

Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Oracle A dvanced Security 10g Release 1 (10.1) includes new features in the following areas:

New Features in Strong Authentication

Oracle Advanced Security provides several strong authentication options, including support for RADIUS, Kerbe ros, and PKI (public key infrastructure). This release provides the following new features for strong authentication:

Support for TLS (Transport Layer Security), version 1.0
< /a>

TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable opt ion provided in Oracle Net Manager.

Se e Also:
Chapter 7, "Configuring Secure Sockets Layer Authentication" for configuration details
Support for Hardware Security Modules, including Oracle Wallet Manager Integration

In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Publ ic-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a ha rdware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.

Hardware security modules can be used for the following functions:
- Store cryptographic information, such as private keys, which provides stronger security
- Perform cryptographic operations to off load RSA operations from the server, f reeing the CPU to respond to other transactions
  See Also:
  
  "Configuring Your System to Use Hardware Security Modules" for configurati on details
  
  "Creating a Wallet to Store Hardware S ecurity Module Credentials"
CRL (Certificate Revocation Lists) and CRLDP (CRL Distribution Point) Support for Certificate Validat ion

In the current release, you now have the option to configure certificate revocation status checking for both the client and the server. Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Direct ory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. The orapki utility has also been added for CRL management and for managing Oracle wallets and certificates.
See A lso:

"Certificate Validation with Certificate Revocation Lists" for details

Appendix E, "orapki Utility" for details about orapki command line utility

New Features in Enterprise User Security

< /a>Kerberos Authenticated Enterprise Users

Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directo ry users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPri ncipalName attribute).

See Also :
"Configuring Enterprise User Security for Kerbe ros Authentication" for configuration details
Public Key Infrastructure (PKI) Credentials No Longer Required for Database-to-Oracle Internet Dire ctory Connections

In this release, a database can bind to Oracle Internet Directory by u sing password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and multiple databa ses. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a m ethod for adding authentication support to connection-based protocols such as LDAP.

< table class="NoteAlso" border="0" width="80%" cellpadding="0" cellspacing="0" dir="ltr" summary="This is a layout table to format a n ote" title="This is a layout table to format a note"> See Also:
"Configuring Enterprise User Security for Password Authentication" for configuration de tails
Support for User Management in Third-Party LD AP Directories

In the current release of Enterprise User Security, you can store and man age your users and their passwords in third-party LDAP directories. This feature is made possible with
- Directory Integration Platform, which automatically synchronizes third-party directories wi th Oracle Internet Directory, and
- Oracle Database recognition of standard pas sword verifiers, which is also new in this release.

Tool Changes

New Tool: Enterprise Security Manager Console
< /a>

The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administrat ion Service (DAS), is new in this release. Administrators can use this tool to create enterprise users, enterprise user security grou ps, and to configure identity management realm attributes in the directory that relate to Enterprise User Security.

In this release, Oracle Enterprise Login Assistant functionality has been migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:

If you used Oracle Enterpris e Login Assistant to...	Then now you should use...
Change the directory-to-database password	Enterprise Security Manager Console
Change an Oracle wallet password	Oracle Wallet Manager
Enable auto login for an Oracle wallet	< a name="971049"> Oracle Wallet Manager

See Also:
The following sections for information about Enterprise Security Manager Console and how to use it:

"Enterprise Securit y Manager Console Overview", which provides a brief introduction to the tool.

Chapter 13, "Administering Enterprise User Security", wh ich provides procedural information for using the tool to manage enterprise users.

Oracle9i Release 2 (9.2) New Features in Orac le Advanced Security

The new features for Oracle Advanced Security in release 2 (9.2 ) include the following:

Support for Advanced Encryption Standa rd (AES)

AES is a new cryptographic algorithm standard developed to replace Data Encrypt ion Standard (DES).

See Also:

"Advanc ed Encryption Standard" for a brief overview of this encryption algorithm
Chapter 3, "Configuring Network Data Encryption and Integrity fo r Oracle Servers and Clients" for configuration details

SSL Hardware Accelerator Support

In release 2 (9.2), complex public key c ryptographic operations can be off loaded to hardware accelerators to improve the performance of SSL transactions.

See Also:
"Configuring Your System to Use Hardware Security Modules" f or configuration details
New Enterprise User Securi ty Tool: User Migration Utility

This utility enables administrators to perform bulk migr ations of database users to Oracle Internet Directory for centralized user storage and management.

See Also:
Appendix G, "Using the User Migration Utility" for information about this tool and how to use it.