Oracle Advanced Security Administrator's Guide
Release 8.1.7

Part Number A85430-01


7
Configuring SecurID Authentication

This chapter describes how to configure Oracle Advanced Security for Oracle8i, or for the Oracle8i server, for use with SecurID authentication. It assumes that you are familiar with the RSA Data Security, Inc. ACE/Server, and that the ACE/Server is installed and running. This chapter contains the following sections:

Prerequisites

The following are prerequisites for configuring and using SecurID authentication:

Known Limitations

Because SecurID card codes can be used only once, SecurID authentication does not support database links, also known as proxy authentication.

When using SecurID authentication, password encryption is disabled. This means that the SecurID card code and, if you use standard cards, the PIN are sent to the Oracle database server in plain text. This can be a security problem. Consequently, Oracle Corporation recommends that you enable Oracle Advanced Security encryption, which ensures that the PIN is encrypted when it is sent to the Oracle database server.

See Also:

Chapter 2, Configuring Data Encryption and Integrity 

Enabling SecurID Authentication

Enable SecurID authentication by performing these tasks:

Task 1: Register Oracle as a SecurID Client

Register the system on which the Oracle server resides as a SecurID client with the ACE server. You can do this with the RSA Data Security tool sdadmin. To create a client:

  1. Navigate to the client menu.

  2. On ACE/Server 1.2.4: select Create Client.

  3. On ACE/Server 2.0: select Add Client.

    See Also:

    RSA Data Security ACE/Server Instruction manual, version 1.2.4, or the ACE/Server version 2.0 Administration manual 

Task 2: Install Oracle Advanced Security

Install Oracle Advanced Security on the Oracle database server and Oracle client when you install Oracle8i using the Oracle Installer.

See Also:

Oracle8i operating system specific installation instructions 

Task 3: Ensure that Oracle Can Find the Correct UDP Port

  1. Verify that the ACE/Server, the Oracle database server, and Oracle Advanced Security are installed.

  2. Ensure that the Oracle database server can discover the correct UDP port for contacting the ACE/Server.

    Port numbers are typically stored in a file called services. On UNIX-based operating systems, the file is typically located in the /etc directory. If you are using Network Information Services (NIS) as a naming service, ensure that the services map contains the correct entries for SecurID.


    Note:

    You can verify which port the ACE server is using by running the RSA Data Security tool kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0). 


Task 4: Configure Oracle as a SecurID Client

This section provides separate instructions for:

Windows NT and Windows 95/98 Platforms

Ask the SecurID administrator to ensure that:

UNIX-based Platforms and ACE/Server Release 1.2.4

  1. Install the SecurID configuration files on the Oracle8i database server system.

    You can obtain the files from any other SecurID client or from the system that runs the ACE/Server.

  2. Create a directory (typically /var/ace) on the Oracle8i database server system and copy the configuration files to it; the sdconf.rec file must be present.

  3. Ensure that the owner of the oracle executable, such as the user oracle8, is able to read all the files in /var/ace and can create new files in this directory.

    The configuration files are used by both Oracle and the standard SecurID tools. Because the SecurID tools run setuid root, there can be a problem with the access permissions on the directory /var/ace and the files in this directory.


    Caution:

    Do not attempt to overcome access problems by running the Oracle executable setuid root. It is not necessary, and it is dangerous to do so. 


    There are two methods (Method 1 and Method 2) for configuring Oracle8i as a SecurID client without compromising security. Both methods work and allow you to use Oracle8i with SecurID authentication, but Method 1 is preferred.

Method 1

The owner of the oracle executable should also own the /var/ace directory and the files in /var/ace. For example, if the owner of the oracle executable is the user oracle8, execute these commands as root:

# chown oracle8 /var/ace

# chmod 0770 /var/ace

# chown oracle8 /var/ace/*

# chmod 0660 /var/ace/*

Method 2

The other option is to have root own the /var/ace directory and the files in /var/ace, but give the Oracle group read and write access. If the Oracle group is dba, execute the following commands as root:

# chown root /var/ace

# chmod 0770 /var/ace

# chgrp dba /var/ace

# chown root /var/ace/*

# chmod 0660 /var/ace/*

# chgrp dba /var/ace/*

UNIX-based Platforms and ACE/Server Release 2.0

The VAR_ACE environment variable is not supported. You must store the configuration data in the /var/ace directory. If you currently have the ACE configuration data in a different location, create a symbolic link using the following command:

# ln -s $VAR_ACE /var/ace


Oracle8i must be able to read and write the ACE configuration data. This data is stored in the directory /var/ace, or $VAR_ACE if you use the preceding symbolic link.

Whether Oracle can read the configuration data depends on how the ACE client software is installed on the Oracle database server. During the installation of the ACE client software, specify which administrator should own the configuration files.


Attention:

Whether you use Method 1 or Method 2, described next, ensure that you do not install Oracle8i as root. 


Method 1

If root is the owner of the ACE server configuration data files, change the UNIX file permissions so that the owner of the oracle executable can read and write these files. For example, the following commands give Oracle access to the files while the RSA Data Security tools, which run setuid root, can still access them.

# chown oracle8 /var/ace

# chown oracle8 /var/ace/*

# chmod 0770 /var/ace

# chmod 0660 /var/ace/*


If the environment variable VAR_ACE is set to a different location than /var/ace, you should instead execute the following commands:

# ln -s $VAR_ACE /var/ace

# chown oracle8 $VAR_ACE

# chown oracle8 $VAR_ACE/*

# chmod 0770 $VAR_ACE

# chmod 0660 $VAR_ACE/*

Method 2

If the ACE files are not owned by root, you have the following options:

For the change to take effect (Method 1 or Method 2), do the following:

  1. Log out and log in again as the Oracle owner.

  2. Restart the listener.

  3. Restart the Oracle database server.

Task 5: Configure SecurID Authentication

To configure the SecurID authentication service:

  1. Start Net8 Assistant:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the Navigator window, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security; the Oracle Advanced Security tabbed window appears.


  4. Choose the Authentication tab.

  5. From the Available Methods list, select SECURID.

  6. Move SECURID to the Selected Methods list by choosing the right-arrow [>].

  7. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, then choose Promote or Demote to position it in the list. For example, for SECURID to be the first service used, move it to the top of the list.

  8. Choose File > Save Network Configuration.

    The sqlnet.ora file is updated with the following entries:

    SQLNET.AUTHENTICATION_SERVICES=(SECURID)

Creating Users for SecurID Authentication

You create users for SecurID authentication by performing the following steps:

Task 1: Assign a Card Using RSA Data Security sdadmin Program

  1. When you create a new user and the sdadmin tool asks for a login name, enter the same name you will use later to create the Oracle user.

    See Also:

    RSA Data Security documentation listed under Related Documents  

  2. If the user should have authority to specify a new PIN to the card using the Oracle tools, choose the option that lets the user define a PIN. If you do not do this, the user will have to use the RSA Data Security tools to generate a PIN if the card is in new-PIN mode.

  3. Activate the user on the Oracle8i database server; the server should already be registered as a SecurID client.

Task 2: Create an Oracle Server Account for the User

You can create an Oracle database server account using SQL*Plus connected as a user with the CREATE USER database privilege. Enter the following to create an account:

SQL> CONNECT system/manager

SQL> CREATE USER os_authent_prefix_username IDENTIFIED EXTERNALLY;


The OS_AUTHENT_PREFIX Oracle initialization parameter has a default value of OPS$. The user name should be the same as the name you assigned to the card in Task 1: Assign a Card Using RSA Data Security sdadmin Program.


Note:

Because user names can be long and Oracle user names are limited to 30 characters, Oracle Corporation strongly recommends that OS_AUTHENT_PREFIX be set to a null value as follows:

OS_AUTHENT_PREFIX=""

At this point, an Oracle user with this username should not yet exist. 


For example, if you have assigned a card to the user king, and
OS_AUTHENT_PREFIX has been set to a null value (""), create an Oracle user account using the following script:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;

Task 3: Grant the User Database Privileges

Grant the user the required database privileges. At a minimum, the user should be granted the CREATE SESSION privilege, as in the following example:

SQL> GRANT CREATE SESSION TO king;


The user king can now connect to Oracle8i using the appropriate SecurID card.

See Also:

"Logging On to the Oracle Server", for information about how to log on to an Oracle8i database server after SecurID authentication has been installed and configured 

Using SecurID Authentication

This section describes how to use SecurID authentication with the Oracle client tools. It assumes that you are already familiar with SecurID concepts, and that you have configured Oracle for use with the SecurID authentication.

This section contains the following topics:

Preparing to Use SecurID Authentication

Before using SecurID authentication to verify passwords, ensure that the following tasks have been completed:

Logging On to the Oracle Server

SecurID authentication allows users to log on to the Oracle database server with the passcode that is generated by the SecurID card. The passcode replaces the password in the Oracle connect statement.

There are two types of SecurID cards:

Standard (model SD200) 

Enter the PIN as part of the Oracle connect statement. 

PINPAD (model SD520) 

Enter the PIN directly onto the card. 

Using Standard Cards

The standard cards generate and display a passcode. When logging in to Oracle, specify the user name, PIN, and current passcode as follows:

sqlplus username/<pin><passcode>@net_service_name


For example, if the card is assigned to user king, the PIN is 3511, and the card shows the number 698244, log into Oracle using SQL*Plus as follows:

% sqlplus king/3511698244@oracle_database


or

% sqlplus king@oracle_database

% enter password: 3511698244


Note:

The RSA Data Security tools support the following characters as delimiters between the PIN and the passcode:

" " <tab> \ / ; :

Do not use these characters, because Oracle interprets these characters differently. 


Using PINPAD Cards

If you have a PINPAD card, you must enter the PIN on the card and generate a new passcode. Use the passcode to connect to Oracle as follows:

sqlplus username/passcode@net_service_name


For example, if the card is assigned to user king, first generate a passcode by entering the PIN on the PINPAD card as described in the RSA Data Security documentation.

For example, if the generated passcode is 698244, connect to Oracle using SQL*Plus as follows:

% sqlplus king/698244@oracle_dbname

Assigning a New PIN to a SecurID Card

If you are logging in for the first time or the administrator has put the card in the new-PIN mode, you must assign a PIN to the card. You can tell that this is the case if, while trying to connect to Oracle8i, you receive the following error message:

ORA-12681 "Login failed: the SecurID card does not have a pincode yet"

Select a PIN

To assign a PIN to a card you must connect to the Oracle Server using a special syntax. First select a PIN, which is typically four to eight digits long. Depending on the type of SecurID card you have, you may be able to use letters as well.

Old PIN Cleared

If you have cleared the old PIN, use the following syntax while connecting to the Oracle database:

sqlplus username/"+new_pin+tokencode"@oracle_dbname


Note:

You must add the two plus (+) characters in the connect string, because they tell Oracle8i that this is an attempt to assign a PIN to the card. Also, they separate the new PIN from the passcode.

You must also enclose the PIN+passcode combination in double quotes. Some Oracle tools such as SQL*Plus truncate the password string (PIN+passcode) just before the + character. Surrounding the password string (PIN+passcode) in double quotes (" ") prevents the password string from being truncated. 


For the tokencode, enter the card code that is currently displayed on the SecurID card's LCD. If you have a PINPAD card, do not enter the PIN on the card.

For example, if the card is assigned to user king, the new PIN is 45618, and the SecurID card currently displays number 564728, enter the following:

% sqlplus king/"+45618+564728"@oracle_dbname

Old PIN Not Cleared

If the old PIN was not cleared, use the following syntax while connecting to the database. Otherwise, the administrator must select the new PIN for you.

sqlplus username/"+new_pin+old_pintokencode"@oracle_dbname


For the tokencode, enter the card code that is currently displayed on the SecurID card; old_pintokencode is the old PIN immediately followed by that card code, with no delimiter between them. If you have a PINPAD card, do not enter the PIN on the card.

If the new PIN is accepted, you are connected to Oracle8i. The next time you want to connect to Oracle, use the procedure described in Logging On to the Oracle Server. If the new PIN is rejected, you receive the following error:

ORA-12688 "Login failed: the SecurID server rejected the new pincode"

Possible Reasons for PIN Rejection

The PIN may be rejected for the following reasons:

  • The new PIN is less than 4 or more than 8 characters long.

  • The PIN contains invalid characters. Valid characters are numeric digits, and for some SecurID cards, the letters a through z.

  • You are not allowed to make up your own PIN. The RSA Data Security ACE/Server can be configured in such a way that you cannot make up your own PIN. If this is the case, you will have to use one of the RSA Data Security tools to generate a new PIN for your card.

Logging on When the SecurID Card is in Next Code Mode

As an additional safety step, the ACE/Server sometimes asks for the next card code, to ensure that the person who is trying to log on actually has possession of the card. This is the case if you get the following error message when you try to log into Oracle:

ORA-12682 "Login failed: the SecurID card is in next PRN mode"

The next time you want to log on to Oracle8i, you must specify the next two card codes. The syntax you use to log on depends on the kind of SecurID card you have.

Logging on with a Standard Card

If you have a standard card, specify the following:

  1. The PIN

  2. The current card code

  3. A plus (+) character and the next card code

Steps 1, 2, and 3 replace the password. The + character is important, because it separates the first card code (passcode) from the second one. Use the following syntax:

sqlplus username/"pincodepasscode+next_passcode"@net_service_name


Note:

You must enclose the PIN+passcode+next passcode combination in double quotes. Some Oracle tools such as SQL*Plus truncate the password combination just before the plus (+) character. Surrounding the PIN and passcode in double quotes ("") prevents the password combination from being truncated. 


For example, if the card is assigned to user king, the PIN is 3511, the card first shows the number 698244, and the next number is 563866, enter the following:

% sqlplus king/"3511698244+563866"@oracle_dbname


This connects you to the Oracle8i database server and puts the card back into normal mode. The next time you want to log on to the Oracle server, use the procedure described in Logging On to the Oracle Server .

Logging on with a PINPAD Card

If you have a PINPAD card, perform the following steps to log on to the Oracle database server:

  1. Enter the PIN on the card to generate the first passcode.

  2. Clear the card's memory by pressing P and wait for the next passcode.

  3. Log on to the Oracle database server with the two passcodes, separated by a plus (+) character as follows:

sqlplus username/"first_passcode+second_passcode"@net_service_name


For example, if the card is assigned to user king, perform the following steps:

  1. Enter the PIN on the PINPAD card to generate a passcode, such as 231003.

  2. Clear the card's memory. The next displayed number might be 831234.

  3. To log in, use the following syntax, entering the two passcodes generated in steps 1 and 2:

% sqlplus king/"231003+831234"@oracle_dbname


This connects you to Oracle8i and puts the card back into normal mode. The next time you want to log in to Oracle, use the procedure described in Logging On to the Oracle Server.
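The following shell function is an added example, not part of the Oracle documentation. It builds the password field of the sqlplus connect string for each logon case described above (standard and PINPAD cards, assigning a new PIN, and next code mode), applies the PIN rules from "Possible Reasons for PIN Rejection", and rejects the delimiter characters that the RSA tools accept but Oracle does not. It only produces the string; it does not contact the ACE/Server.

```shell
#!/bin/sh
# Added example: construct the SecurID password field for sqlplus.
LC_ALL=C; export LC_ALL   # keep the a-z range literal in every locale

# PIN rules from the chapter: 4 to 8 characters, digits or letters a-z.
valid_pin() {
    case "$1" in
        "" | *[!0-9a-z]*) return 1 ;;
    esac
    n=${#1}
    [ "$n" -ge 4 ] && [ "$n" -le 8 ]
}

# Card codes are digits only. This also rejects the RSA delimiters
# (space, tab, \ / ; :), which Oracle would treat as part of the password.
valid_code() {
    case "$1" in
        "" | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# securid_password MODE ARGS...
#   normal   PIN PASSCODE        -> PINPASSCODE           (standard card)
#   pinpad   PASSCODE            -> PASSCODE              (PINPAD card)
#   newpin   NEW_PIN TOKENCODE   -> "+NEW_PIN+TOKENCODE"  (old PIN cleared)
#   nextcode PIN PASSCODE NEXT   -> "PINPASSCODE+NEXT"    (standard card)
#   nextpad  PASSCODE NEXT       -> "PASSCODE+NEXT"       (PINPAD card)
# Strings containing + are wrapped in double quotes so that SQL*Plus does
# not truncate the password at the first + character (see the Notes above).
securid_password() {
    mode=$1; shift
    case "$mode" in
        normal)
            valid_pin "$1" && valid_code "$2" || return 1
            printf '%s%s\n' "$1" "$2" ;;
        pinpad)
            valid_code "$1" || return 1
            printf '%s\n' "$1" ;;
        newpin)
            valid_pin "$1" && valid_code "$2" || return 1
            printf '"+%s+%s"\n' "$1" "$2" ;;
        nextcode)
            valid_pin "$1" && valid_code "$2" && valid_code "$3" || return 1
            printf '"%s%s+%s"\n' "$1" "$2" "$3" ;;
        nextpad)
            valid_code "$1" && valid_code "$2" || return 1
            printf '"%s+%s"\n' "$1" "$2" ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Chapter example: user king, PIN 3511, card shows 698244 -> 3511698244
# securid_password normal 3511 698244
```

A rejected call returns 1 so a wrapper script can stop before invoking sqlplus with a PIN that the ACE/Server would refuse anyway.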

Troubleshooting

If you experience problems while configuring SecurID authentication, verify the following:

  • The services map should have an entry for the RSA Data Security ACE server. The service name is typically securid, but the SecurID administrator can choose any name.

    Use the SecurID tool kitconts (for ACE/Server 1.2.4) or sdinfo (for ACE/Server 2.0) to verify the name of the authentication service and the port numbers that SecurID is expecting to use. Verify that these port numbers match those in /etc/services, or the services map if you are using NIS.

    ACE/Server release 1.2.4 only: Verify that the /var/ace/sdconf.rec file is present on the system running the Oracle database server. Also verify that the permissions on the /var/ace/sdconf.rec file and the directory /var/ace are set so that the Oracle process can read and write in the directory.

    ACE/Server release 2.0 only: Make sure the ACE configuration data is in the /var/ace directory. Use of the VAR_ACE environment variable is not supported. Also make sure that the owner of the oracle executable can read and write the files in this directory.

  • Check to see if the Oracle database server system is registered as a SecurID client. You can do this by using the RSA Data Security tool sdadmin.

  • The user who is trying to connect to Oracle should be activated on the Oracle database server, either as a direct user or as part of a group of users. Verify this using the SecurID tool sdadmin.

  • RSA Data Security, Inc. has developed a few logging facilities that can help you find problems. By using sdadmin, you can see a log of the recent system activities, including failed authentication with the reason for the failure. You can also use sdlogmon to get a similar log listing.

  • Turn on tracing by adding the following line to the sqlnet.ora file on the Oracle side:

    trace_level_server = admin

    Turning tracing on at the client side is less informative, because all interaction between the Oracle database server and the ACE server happens at the Oracle database server side of the Net8 connection. Be sure to turn off tracing when you have completed your check.

  • Ensure that the user has been created in the Oracle database as an externally-identified user with the correct prefix (which defaults to OPS$). When connected as system, enter the following:

    SQL> SELECT * FROM all_users;

    to get a list of all database users.
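The following shell script is an added example, not part of the Oracle documentation. It turns the ownership and permission rules from Task 4 (Method 1 and Method 2) and the checks in this troubleshooting list into a single function that can be run on the database server host. It assumes that ls -ld prints mode, owner and group as the first, third and fourth columns, that getent(1) is available for the optional services-map check, and takes the path of the oracle executable as a parameter.

```shell
#!/bin/sh
# Added example: verify the ACE client setup for Oracle SecurID authentication.
LC_ALL=C; export LC_ALL

# Print "mode owner group" for a path, e.g. "drwxrwx--- oracle8 dba".
perm_triplet() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# entry_ok PATH ORACLE_OWNER ORACLE_GROUP
# Passes if others have no access (0770/0660) and either Method 1 (owned by
# the oracle owner) or Method 2 (root-owned, oracle group has rw) holds.
entry_ok() {
    set -- $(perm_triplet "$1") "$2" "$3"
    mode=$1; owner=$2; group=$3; oown=$4; ogrp=$5
    case "$mode" in ???????---) ;; *) return 1 ;; esac
    [ "$owner" = "$oown" ] && return 0
    if [ "$owner" = root ] && [ "$group" = "$ogrp" ]; then
        case "$mode" in ????rw????) return 0 ;; esac
    fi
    return 1
}

# check_ace_client ACE_DIR ORACLE_BIN [SERVICE_NAME [EXPECTED_PORT]]
# Returns 0 when every check passes; each failure is printed.
check_ace_client() {
    dir=$1; bin=$2; svc=${3:-securid}; want=$4; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    # Caution in Task 4: never run the oracle executable setuid.
    [ -u "$bin" ] && { echo "FAIL: $bin is setuid"; rc=1; }
    set -- $(perm_triplet "$bin")
    oown=$2; ogrp=$3
    # ACE/Server 1.2.4 needs sdconf.rec; both releases keep the data in ACE_DIR.
    [ -f "$dir/sdconf.rec" ] || { echo "FAIL: $dir/sdconf.rec missing"; rc=1; }
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        entry_ok "$p" "$oown" "$ogrp" || { echo "FAIL: owner/mode on $p"; rc=1; }
    done
    # Services map: the ACE service port must match what kitconts/sdinfo reports.
    if [ -n "$want" ]; then
        port=$(getent services "$svc" | awk 'NR == 1 { split($2, a, "/"); print a[1] }')
        [ "$port" = "$want" ] || { echo "FAIL: $svc is port '${port:-none}', expected $want"; rc=1; }
    fi
    return $rc
}

# Typical call on the server, with the port taken from kitconts/sdinfo output:
# check_ace_client /var/ace "$ORACLE_HOME/bin/oracle" securid 5500
```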


Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.
