SQL*Net Configuration and User's Guide
Release 3 (8.1.7) for Alpha OpenVMS

Part Number A86710-01

6
Advanced Security Option

This chapter provides Alpha OpenVMS-specific installation information for the current release of Advanced Security Option (ASO) for Security and Single Sign-On.


Note:

A separate license is required to use ASO. 


The topics covered are as follows:

Documentation Set

Use this section to install ASO, then see the Administrator's Guide for operating instructions. For further information about installing Oracle SQL*Net products, see the Oracle8 for Alpha OpenVMS Installation Guide.

Requirements

This section details installation requirements for ASO on Alpha OpenVMS.

The topics covered in this section are:

What's in this Release?

The Advanced Security Option for Security and Single Sign-On (ASO) is the new name for the product previously released as Secure Network Services. This release of ASO for Alpha OpenVMS supports the following features:

Installation Requirements

This section summarizes all the requirements necessary before installing ASO Alpha OpenVMS.

System Requirements

This section summarizes the hardware and software requirements for installing ASO Alpha OpenVMS.

For complete information on hardware and software requirements for Oracle8, see the Oracle8 for Alpha OpenVMS Installation Guide.

Hardware:

See Chapter 1 of the Oracle8 for Alpha OpenVMS Installation Guide.

Software:

OpenVMS Version 7.2 (minimum)

Oracle Software Requirements

The table below specifies the software requirements for ASO:

Table 6-1 ASO Software Requirements

 Software Requirements         Version   State During Installation
 Oracle8i Enterprise Edition   8.1.7     Installed
 SQL*Net                       8.1.7     Installed (see Note below)

Note: At least one network protocol adapter must be installed.

Server Authentication Adapter Requirements

The table below specifies the software requirements for Authentication Adapters:

Table 6-2 Adapter Requirements for ASO

 Adapter         Version
 MIT Kerberos5   Kerberos v5.4.2 or higher. The Kerberos authentication server must be installed on a physically secure machine.
 SecurID         ACE/Server v1.2.4 or higher

Note: No additional authentication adapter software is required to relink Oracle products. However, Oracle does not provide an authentication server for Kerberos5 or SecurID. You must separately install and configure the appropriate authentication server.

Installation

This section describes the steps necessary to install ASO Alpha OpenVMS.

The topics covered in this section are:

For more information about installing Oracle products using the Installer, see also the Oracle8 for Alpha OpenVMS Installation Guide.

Any reference to ASO in the following pages signifies one or more of the following options while choosing to build NETCONFIG using the Oracle Installer:

Installation Warning

When you install ASO, the Installer automatically relinks all Oracle products.

If you do not wish to relink these executables, do not choose the options to install ASO.

Installation Tasks

Task 1: Responding to Installer Prompts

  1. At the command prompt, type:

    $ ORACLEINS
    

  2. Choose option 3 to go to the Main Menu.

  3. Log in as the 'oracle' software owner, for example:

    Username: ORACLE8
    Password: <password>
    

  4. Run ORAUSER.COM in your UTIL directory under ORA_ROOT. This will define the symbols and logicals for your Oracle installation environment.

The following build option screen is displayed:

 NETCONFIG.DEF Configuration Options
 Option                                         Current Value

 1. System or Group Installation? [S/G]              S
 2. Install TCP/IP adapter? [Y/N]                    Y
 3. Build Oracle Names Server? [Y/N]                 N
 4. Install ASO encryption? [Y/N]                    N
 5. Install SecurID Authentication Adapter? [Y/N]    N
 6. Install Kerberos5 Authentication Adapter? [Y/N]  N
 
 Enter (A)LL to select all options.
 Enter (E)XIT to exit this menu with selected options.
 Enter (Q)UIT to quit this menu with no action.

 Enter the number of the option that you want to change:

Options 4, 5, and 6 are related to ASO.

If you are using OUI, SSL and Oracle Wallet Manager are installed with a Typical Server Installation. These and other security/encryption options may be specifically selected or excluded for installation by using the Custom Install option.

Task 2: Using with Oracle Names

The Oracle Names executables are automatically relinked during the ASO build. To use ASO with Oracle Names, modify the file TNS_ADMIN:NAMES.ORA by adding an entry for the NET8.CRYPTO_SEED parameter. You can do this by copying the line that begins with "NET8.CRYPTO_SEED=" from your TNS_ADMIN:NET8.ORA file into your TNS_ADMIN:NAMES.ORA file.


Note:

The complete line must be copied exactly or you will not be able to start the Oracle Names Server using ASO. 


Task 3: Manual Steps for the Authentication Adapters

In the database server's local INIT.ORA file, set the following parameters:

remote_os_authent = false
os_authent_prefix = ""

For SecurID Adapter

The logical ORA_VAR_ACE should point to the directory where the configuration file SDCONF.REC is available. By default, this logical will point to the [NETWORK.ACE] directory under ORA_ROOT. If your configuration file is located somewhere else, modify the logical definition in ORA_ROOT:[NETCONFIG]SECURID_USER.COM to point to the correct directory.

Make sure that the directory is readable by all Oracle Server processes.

For Kerberos5 Adapter

The following file is required on the client side:

The following files are required on the server side:

The location of all of the above files must be specified using corresponding parameters in NET8.ORA.

Additionally, the SQL*Net client also creates a credential cache file whose location needs to be specified in NET8.ORA on the client side.

The following is an example of the parameters in NET8.ORA for an installation that can act as both client and server:

NET8.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
NET8.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5)
NET8.KERBEROS5_KEYTAB = DISK:[TST816.NETWORK.ETC]V5SRVTAB.
NET8.KERBEROS5_CONF = DISK:[TST816.NETWORK.KRB5]KRB.CONF
NET8.KERBEROS5_REALMS = DISK:[TST816.NETWORK.KRB5]KRB.REALMS
NET8.KERBEROS5_CC_NAME = DISK:[TST816.NETWORK.CCACHE]CCFILE.DAT

De-Installation

This section describes the steps necessary to de-install ASO from your system.

The topics covered in this section are:


Note:

The de-install process will not modify any of the .ORA files under the TNS_ADMIN directory. This means that if your NET8.ORA file contained parameters to enable authentication or encryption, they may no longer work after the de-install. Remember to make the same changes on any client installations, if necessary, to retain compatibility.


De-Installation Warning


Warning:

The de-install script does not automatically relink any of the executables linked during ASO install. You need to use ORACLEINS to relink all of these executables. 


De-Installation Tasks

Task 1: Preparing Your System

To prepare your system to de-install ASO, do the following:

  1. Shut down all running database instances normally.

  2. Shut down all SQL*Net listener processes.

  3. Log in as the 'oracle' software owner, for example:

    Username: ORACLE8
    Password: <password>
    
  4. Run ORAUSER.COM in your UTIL directory under ORA_ROOT. This will define the symbols and logicals for your Oracle installation environment.

Task 2: De-install

De-installing ASO does NOT result in automatic relinking of the executables that were linked during ASO install. You need to relink these using ORACLEINS.

  1. At the command prompt, type:

    $ ORACLEINS
    
    
  2. Choose option 3 to go to the Main Menu.

  3. Choose option 1 to go to the "Software Installation and Upgrade Menu".

  4. Choose option 2 "Select Build Configuration Options". Then select product "NetConfig". Your previous install options are remembered by ORACLEINS.

    The following build option screen is displayed:

     NETCONFIG.DEF Configuration Options
     Option                                         Current Value
    
     1. System or Group Installation? [S/G]             S
     2. Install TCP/IP adapter? [Y/N]                   Y
     3. Build Oracle Names Server? [Y/N]                N
     4. Install ASO encryption? [Y/N]                   N
     5. Install SecurID Authentication Adapter? [Y/N]   N
     6. Install Kerberos5 Authentication Adapter? [Y/N] N
    
     Enter (A)LL to select all options.
     Enter (E)XIT to exit this menu with selected options.
     Enter (Q)UIT to quit this menu with no action.
    
     Enter the number of the option that you want to change:
    
    

    Options 4, 5, and 6 are related to ASO. Choose N for the options that you want to de-install.

  5. Exit back to the "Software Installation and Upgrade Menu" and choose option 4 to build the selected products. This causes the following products to be relinked:

    • NetConfig (lsnrctl, tnslsnr, names, namesctl, ...)

    • RDBMS (srv, imp, exp, sqlldr, ...)

    • SVRMGR

    • UTIL

    • PROGINT

    • SQLPLUS

    • OEMAgent (if installed)

    • and the rest.

If you are using OUI, use the Custom Install option to de-install the specific products desired.

Usage Notes for the Authentication Adapters

The usage notes are categorized into the following areas:

General Information

Include the following line in your LISTENER.ORA file:

NET8.AUTHENTICATION_SERVICES=(NONE)

The listener should not participate in the authentication service.

It is recommended that you always include BEQ as one of the authentication services in your NET8.ORA file. Here is an example:

NET8.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)

In this way, connections within the server machine through the default bequeath adapter do not have to go through the authentication. This is especially important during database startups and shutdowns.
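The settings prescribed in Task 2, Task 3 and the paragraphs above can be checked together before the instance and listener are started. The following Python script is an added example, not part of the Oracle documentation; the function names and the sample file contents (including the seed value) are constructed, and it assumes one parameter per line.

```python
# Added example: all sample file contents below are constructed.

def parse_params(text):
    """Parse single-line NAME = VALUE entries; lines starting with '#' are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params

def services(value):
    """Turn '(BEQ,KERBEROS5)' into ['BEQ', 'KERBEROS5']."""
    return [s.strip().upper() for s in value.strip("() ").split(",") if s.strip()]

def seed_line(text):
    """Return the raw NET8.CRYPTO_SEED line, untouched, or None if absent."""
    for line in text.splitlines():
        if line.startswith("NET8.CRYPTO_SEED="):
            return line
    return None

def audit(init_ora, net8_ora, listener_ora, names_ora=None):
    """Return a list of deviations from the settings this chapter prescribes."""
    init, net8, lsnr = (parse_params(t) for t in (init_ora, net8_ora, listener_ora))
    findings = []
    if init.get("REMOTE_OS_AUTHENT", "").lower() != "false":
        findings.append("INIT.ORA: remote_os_authent is not false")
    if init.get("OS_AUTHENT_PREFIX") != '""':
        findings.append('INIT.ORA: os_authent_prefix is not ""')
    if services(lsnr.get("NET8.AUTHENTICATION_SERVICES", "")) != ["NONE"]:
        findings.append("LISTENER.ORA: NET8.AUTHENTICATION_SERVICES is not (NONE)")
    if "BEQ" not in services(net8.get("NET8.AUTHENTICATION_SERVICES", "")):
        findings.append("NET8.ORA: BEQ missing from NET8.AUTHENTICATION_SERVICES")
    # The seed line must be an exact copy, so compare the raw lines.
    if names_ora is not None and seed_line(names_ora) != seed_line(net8_ora):
        findings.append("NAMES.ORA: NET8.CRYPTO_SEED line differs from NET8.ORA")
    return findings

# Constructed samples; the seed value is a placeholder.
INIT_ORA = 'remote_os_authent = false\nos_authent_prefix = ""\n'
NET8_ORA = ("NET8.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5)\n"
            "NET8.CRYPTO_SEED=constructed-placeholder-seed\n")
LISTENER_ORA = "NET8.AUTHENTICATION_SERVICES=(NONE)\n"
NAMES_ORA_BAD = "NET8.CRYPTO_SEED=constructed-placeholder-see\n"  # truncated copy

if __name__ == "__main__":
    for finding in audit(INIT_ORA, NET8_ORA, LISTENER_ORA, NAMES_ORA_BAD):
        print(finding)
```

Pass `names_ora` only when Oracle Names is used with ASO; the seed comparison is skipped otherwise.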

SecurID

If you expect excessive delays in your relink to access the ACE server from your client machine, use the following syntax to connect to the database, for example:

$ SQLPLUS USERNAME/"<nnnn><pppppp>+<qqqqqq>"@DATABASE

where:

<nnnn> is the PIN number of your SecurID card.

<pppppp> and <qqqqqq> are two successive codes displayed on the card.

Kerberos5

  1. Make sure that the clock skew between the client machine and the machine running the KDC is less than one minute.

  2. Oracle client and server processes use the Coordinated Universal Time (UTC) format (time elapsed since 00:00:00 Jan. 1, 1970 in seconds). Make sure that your system is set to the correct time zone in terms of deviation from Greenwich Mean Time (GMT). Otherwise you will get the error "Clock skew too great" in your SQL*Net trace file.

  3. Make sure that the value of the parameter NET8.AUTHENTICATION_KERBEROS5_SERVICE that you specify in NET8.ORA matches exactly, including case, with the value specified in the KDC.
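Items 1 and 2 interact: a host whose wall clock is right but whose time zone offset is wrong reports a UTC time that is hours off. The following Python script is an added example, not part of the Oracle documentation; the function names, the sample hosts and the 15-minute heuristic for telling a time zone error from clock drift are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = 60  # seconds; the text above requires a skew of less than one minute

def utc_epoch(wall_clock, utc_offset_hours):
    """Epoch seconds a host derives from its wall clock and configured UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(wall_clock.replace(tzinfo=tz).timestamp())

def diagnose(client, kdc):
    """client and kdc are (naive wall-clock datetime, configured UTC offset in hours).

    Returns (skew in seconds, verdict)."""
    skew = abs(utc_epoch(*client) - utc_epoch(*kdc))
    if skew < MAX_SKEW:
        return skew, "ok"
    # Assumption (heuristic added here): a skew within one minute of a whole
    # multiple of 15 minutes points at a wrong time zone offset, not clock drift.
    remainder = skew % 900
    if min(remainder, 900 - remainder) < MAX_SKEW:
        return skew, "time zone offset"
    return skew, "clock drift"

# Constructed sample hosts. The KDC runs on UTC; the client sits at UTC-5 and
# its wall clock is 20 seconds fast.
KDC = (datetime(2000, 6, 1, 12, 0, 0), 0)
CLIENT_OK = (datetime(2000, 6, 1, 7, 0, 20), -5)      # offset configured correctly
CLIENT_BAD_TZ = (datetime(2000, 6, 1, 7, 0, 20), 0)   # same wall clock, offset left at 0
CLIENT_DRIFT = (datetime(2000, 6, 1, 12, 7, 0), 0)    # clock seven minutes fast

if __name__ == "__main__":
    for name, host in (("ok", CLIENT_OK), ("bad tz", CLIENT_BAD_TZ), ("drift", CLIENT_DRIFT)):
        print(name, diagnose(host, KDC))
```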


Copyright © 2000 Oracle Corporation.

All Rights Reserved.