Applies to
- Windows 10
- Windows Server 2019
- Windows Server 2016
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012.
Encrypted Hard Drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always 'on' and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using the on-board encryption key; there is no need to re-encrypt data on the drive.
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:

- Identification: The operating system can identify that the drive is an Encrypted Hard Drive device type.
- Activation: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate.
- Configuration: The operating system can create and map volumes to ranges/bands as appropriate.
- API: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
- BitLocker support: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
Warning
Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the Encrypted Hard Drive Device Guide.
System Requirements
To use Encrypted Hard Drives, the following system requirements apply:
For an Encrypted Hard Drive used as a data drive:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
For an Encrypted Hard Drive used as a startup drive:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
- The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
- The computer must always boot natively from UEFI.
Warning
All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
Technical overview
Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
Configuring Encrypted Hard Drives as Startup drives
Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include:
- Deploy from media: Configuration of Encrypted Hard Drives happens automatically through the installation process.
- Deploy from network: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work.
- Deploy from server: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the TCGSecurityActivationDisabled setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
- Disk Duplication: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work.
Configuring hardware-based encryption with Group Policy
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
Encrypted Hard Drive Architecture
Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It is stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on the drive and requires confirmation to decrypt the DEK.
When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data Encryption Key, read-write operations can take place on the device.
When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
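The DEK/AK relationship described above can be followed in a small software model. This is an added example, not drive firmware or Microsoft code: the `ModelDrive` class and its method names are hypothetical, and a SHAKE-256 keystream stands in for the drive's hardware encryption engine.

```python
import hashlib
import hmac
import os


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (assumption): XOR with SHAKE-256(key || nonce).
    It only stands in for the hardware engine; do not use it to protect data."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive(ak: bytes, salt: bytes, purpose: bytes) -> bytes:
    """Derive separate values from the AK for verification and for wrapping."""
    return hashlib.pbkdf2_hmac("sha256", ak, salt + purpose, 10_000)


class ModelDrive:
    """Hypothetical model: the DEK is generated inside the drive, stored only
    in wrapped form, and held in volatile state while the drive is unlocked."""

    def __init__(self, ak: bytes):
        self._sectors = {}   # persistent media: ciphertext only
        self._dek = None     # volatile: present only while unlocked
        self._wrap(ak, os.urandom(32))

    def _wrap(self, ak: bytes, dek: bytes) -> None:
        self._salt = os.urandom(16)
        self._ak_hash = _derive(ak, self._salt, b"verify")   # hash of the AK kept on the drive
        kek = _derive(ak, self._salt, b"wrap")
        self._wrapped_dek = _xor_stream(kek, b"dek", dek)     # DEK stored encrypted

    def _unwrap(self, ak: bytes):
        candidate = _derive(ak, self._salt, b"verify")
        if not hmac.compare_digest(candidate, self._ak_hash):
            return None
        return _xor_stream(_derive(ak, self._salt, b"wrap"), b"dek", self._wrapped_dek)

    def unlock(self, ak: bytes) -> bool:
        self._dek = self._unwrap(ak)
        return self._dek is not None

    def power_off(self) -> None:
        self._dek = None     # the drive locks automatically

    def _engine(self, lba: int, data: bytes) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), data)

    def write(self, lba: int, data: bytes) -> None:
        self._sectors[lba] = self._engine(lba, data)

    def read(self, lba: int) -> bytes:
        return self._engine(lba, self._sectors[lba])

    def raw_sector(self, lba: int) -> bytes:
        """What is physically on the media, bypassing the engine."""
        return self._sectors[lba]

    def change_ak(self, old_ak: bytes, new_ak: bytes) -> None:
        dek = self._unwrap(old_ak)
        if dek is None:
            raise PermissionError("authentication failed")
        self._wrap(new_ak, dek)   # only the wrapped DEK is rewritten, not the data

    def crypto_erase(self, ak: bytes) -> None:
        if self._unwrap(ak) is None:
            raise PermissionError("authentication failed")
        self._wrap(ak, os.urandom(32))   # new DEK: old ciphertext becomes unreadable
        self._dek = self._unwrap(ak)


if __name__ == "__main__":
    drive = ModelDrive(b"constructed-ak-1")
    drive.unlock(b"constructed-ak-1")
    drive.write(0, b"payroll")
    on_media = drive.raw_sector(0)
    drive.change_ak(b"constructed-ak-1", b"constructed-ak-2")
    print("media unchanged after AK change:", drive.raw_sector(0) == on_media)
    drive.crypto_erase(b"constructed-ak-2")
    print("readable after DEK change:", drive.read(0) == b"payroll")
```
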
Re-configuring Encrypted Hard Drives
Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
- Open Disk Management (diskmgmt.msc)
- Initialize the disk and select the appropriate partition style (MBR or GPT)
- Create one or more volumes on the disk.
- Use the BitLocker setup wizard to enable BitLocker on the volume.
This chapter discusses support in the Oracle Java Database Connectivity (JDBC) Oracle Call Interface (OCI) and JDBC Thin drivers for login authentication, data encryption, and data integrity, particularly, with respect to features of the Oracle Advanced Security option.
Oracle Advanced Security, previously known as the Advanced Networking Option (ANO) or Advanced Security Option (ASO), provides industry standards-based data encryption, data integrity, third-party authentication, single sign-on, and access authorization. From 11g release 1 (11.1), both the JDBC OCI and Thin drivers support all the Oracle Advanced Security features. Earlier releases of the JDBC drivers did not support some of the ASO features.
Note:
This discussion is not relevant to the server-side internal driver, given that all communication through that driver is completely internal to the server.
This chapter contains the following sections:
Support for Oracle Advanced Security
Oracle Advanced Security provides the following security features:
Data Encryption
Sensitive information communicated over enterprise networks and the Internet can be protected by using encryption algorithms, which transform information into a form that can be deciphered only with a decryption key. Some of the supported encryption algorithms are RC4, DES, 3DES, and AES.
To ensure data integrity during transmission, Oracle Advanced Security generates a cryptographically secure message digest, using MD5 or SHA-1 hashing algorithms, and includes it with each message sent across a network. This protects the communicated data from attacks, such as data modification, deleted packets, and replay attacks.
Strong Authentication
To ensure network security in distributed environments, it is necessary to authenticate the user and check his credentials. Password authentication is the most common means of authentication. Oracle Advanced Security enables strong authentication with Oracle authentication adapters, which support various third-party authentication services, including SSL with digital certificates. Oracle Advanced Security supports the following industry-standard authentication methods:
Kerberos
Remote Authentication Dial-In User Service (RADIUS)
Distributed Computing Environment (DCE)
Secure Sockets Layer (SSL)
Tip:
Oracle Database Advanced Security Administrator's Guide
JDBC OCI Driver Support for Oracle Advanced Security
If you are using the JDBC OCI driver, which presumes you are running from a computer with an Oracle client installation, then support for Oracle Advanced Security and incorporated third-party features is fairly similar to the support provided in any Oracle client situation. Your use of Advanced Security features is determined by related settings in the sqlnet.ora file on the client computer.
Starting from Oracle Database 11g Release 1 (11.1), the JDBC OCI driver attempts to use external authentication if you try connecting to a database without providing a password. The following are some examples using the JDBC OCI driver to connect to a database without providing a password:
SSL Authentication
Example 9-1 uses SSL authentication to connect to the database.
Using Data Source
Example 9-2 uses a data source to connect to the database.
Example 9-2
Note:
The key exception to the preceding, with respect to Java, is that the Secure Sockets Layer (SSL) protocol is supported by the Oracle JDBC OCI drivers only if you use native threads in your application. This requires special attention, because green threads are generally the default.
JDBC Thin Driver Support for Oracle Advanced Security
The JDBC Thin driver cannot assume the existence of an Oracle client installation or the presence of the sqlnet.ora file. Therefore, it uses a Java approach to support Oracle Advanced Security. Java classes that implement Oracle Advanced Security are included in the ojdbc5.jar and ojdbc6.jar files. Security parameters for encryption and integrity, usually set in sqlnet.ora, are set using a Java Properties object or through system properties.
Support for Login Authentication
Basic login authentication through JDBC consists of user names and passwords, as with any other means of logging in to an Oracle server. Specify the user name and password through a Java properties object or directly through the getConnection method call. This applies regardless of which client-side Oracle JDBC driver you are using, but is irrelevant if you are using the server-side internal driver, which uses a special direct connection and does not require a user name or password.
Starting with 11g release 1 (11.1), the Oracle JDBC Thin driver implements a challenge-response protocol to authenticate the user.
Support for Strong Authentication
Oracle Advanced Security enables Oracle Database users to authenticate externally. External authentication can be with RADIUS, KERBEROS, Certificate-Based Authentication, Token Cards, Smart Cards, and DCE. This is called strong authentication. Oracle JDBC drivers provide support for the following strong authentication methods:
Kerberos
RADIUS
SSL (certificate-based authentication)
Support for OS Authentication
Operating System (OS) authentication allows Oracle to pass control of user authentication to the operating system. It allows the users to connect to the database by authenticating their OS username in the database. No password is associated with the account since it is assumed that OS authentication is sufficient. In other words, the server delegates the authentication to the client OS. You need to perform the following steps to achieve this:
Use the following command to check the value of the Oracle OS_AUTHENT_PREFIX initialization parameter:
Note:
Remember the OS authentication prefix. You need to create a database user to allow an OS authenticated connection, where the username must be the prefix value concatenated to the OS username.
Add the following line in the t_init1.ora file:
When a connection is attempted from the local database server, the OS username is passed to the Oracle server. If the username is recognized, the connection is accepted; otherwise the connection is rejected.
Configuration Steps for Linux
The configuration steps necessary to set up OS authentication on Linux are the following:
Use the following commands to create an OS user w_rose:
Use the following command to create a database user to allow an OS authenticated connection:
Use the following commands to test the OS authentication connection:
Configuration Steps for Windows
The configuration steps necessary to set up OS authentication on Windows are the following:
Create a local user, say, w_rose, using the Computer Management dialog box. For this you have to do the following:
Click Start.
From the Start menu, select Programs, then select Administrative Tools and then select Computer Management.
Expand Local Users and Groups by clicking on the Plus ('+') sign.
Click Users.
Select New User from the Action menu.
Enter details of the user in the New User dialog box and click Create.
Note:
The preceding steps are only for creating a local user. Domain users can be created in Active Directory.
Use the following command to create a database user to allow an OS authenticated connection:
Note:
When you create the database user in a Windows environment, the user name should be in the following format:
When using a Windows server, there is an additional consideration. The following option must be set in the %ORACLE_HOME%\network\admin\sqlnet.ora file:
Use the following commands to test the OS authentication connection:
JDBC Code Using OS Authentication
Now that you have set up OS authentication to connect to the database, you can use the following JDBC code for connecting to the database:
The preceding code assumes that it is executed by p_floyd on the client machine. The JDBC drivers retrieve the OS username from the user.name system property that is set by the JVM. As a result, the following thin driver-specific error no longer exists:
Note:
By default, the JDBC driver retrieves the OS username from the user.name system property, which is set by the JVM. If the JDBC driver is unable to retrieve this system property or if you want to override the value of this system property, then you can use the OracleConnection.CONNECTION_PROPERTY_THIN_VSESSION_OSUSER connection property. For more information, see Oracle Javadoc.
Support for Data Encryption and Integrity
You can use Oracle Advanced Security data encryption and integrity features in your Java database applications, depending on related settings in the server. When using the JDBC OCI driver, set parameters as you would in any Oracle client situation. When using the Thin driver, set parameters through a Java properties object.
Encryption is enabled or disabled based on a combination of the client-side encryption-level setting and the server-side encryption-level setting. Similarly, integrity is enabled or disabled based on a combination of the client-side integrity-level setting and the server-side integrity-level setting.
Encryption and integrity support the same setting levels, REJECTED, ACCEPTED, REQUESTED, and REQUIRED. Table 9-1 shows how these possible settings on the client-side and server-side combine to either enable or disable the feature. By default, remote OS authentication (through TCP) is disabled in the database for obvious security reasons.
Table 9-1 Client/Server Negotiations for Encryption or Integrity
 | Client Rejected | Client Accepted (default) | Client Requested | Client Required |
---|---|---|---|---|
Server Rejected | OFF | OFF | OFF | connection fails |
Server Accepted (default) | OFF | OFF | ON | ON |
Server Requested | OFF | ON | ON | ON |
Server Required | connection fails | ON | ON | ON |
Table 9-1 shows, for example, that if encryption is requested by the client, but rejected by the server, it is disabled. The same is true for integrity. As another example, if encryption is accepted by the client and requested by the server, it is enabled. And, again, the same is true for integrity.
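The negotiation in Table 9-1 can be checked against real configuration files before a deployment. The following is an added example, not Oracle code: it derives the table's outcomes from a rule rather than a lookup, then audits a client and a server sqlnet.ora fragment. The sample file contents are constructed, the function names are hypothetical, and the `SQLNET.*` parameter names are the standard Oracle Net names for these levels, which this page's Table 9-2 no longer shows.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"  # default on both sides, per Table 9-1

# (client parameter, server parameter) for each negotiated feature
FEATURES = {
    "encryption": ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.ENCRYPTION_SERVER"),
    "integrity": ("SQLNET.CRYPTO_CHECKSUM_CLIENT", "SQLNET.CRYPTO_CHECKSUM_SERVER"),
}


def negotiate(client: str, server: str) -> str:
    """Return 'ON', 'OFF' or 'FAIL' for one feature, reproducing Table 9-1."""
    pair = {client.upper(), server.upper()}
    unknown = pair - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown level(s): {sorted(unknown)}")
    if "REJECTED" in pair:
        # One side refuses: the connection fails only if the other insists.
        return "FAIL" if "REQUIRED" in pair else "OFF"
    if pair == {"ACCEPTED"}:
        # Both sides are merely willing, so nobody turns the feature on.
        return "OFF"
    return "ON"


def possible_outcomes(own_level: str) -> set:
    """Outcomes one side can end up with, over every level the peer may use."""
    return {negotiate(own_level, peer) for peer in LEVELS}


def parse_sqlnet(text: str) -> dict:
    """Parse 'NAME = value' lines; '#' starts a comment; list parentheses are dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if match:
            params[match.group(1).upper()] = match.group(2).strip().strip("()").strip()
    return params


def audit(client_text: str, server_text: str) -> dict:
    """Effective encryption and integrity state for one client/server pair."""
    client, server = parse_sqlnet(client_text), parse_sqlnet(server_text)
    report = {}
    for feature, (client_key, server_key) in FEATURES.items():
        c = client.get(client_key, DEFAULT_LEVEL).upper()
        s = server.get(server_key, DEFAULT_LEVEL).upper()
        report[feature] = {"client": c, "server": s, "result": negotiate(c, s)}
    return report


# Constructed sample files (not taken from the page).
CLIENT_SQLNET = """
# client side
SQLNET.ENCRYPTION_CLIENT = accepted
"""
SERVER_SQLNET = """
# server side
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
"""

if __name__ == "__main__":
    for feature, row in audit(CLIENT_SQLNET, SERVER_SQLNET).items():
        print(f"{feature}: client={row['client']} server={row['server']} -> {row['result']}")
    for level in LEVELS:
        print(f"{level}: possible outcomes {sorted(possible_outcomes(level))}")
```

With the sample files, encryption is negotiated ON but integrity stays OFF because neither side sets a checksum level and both fall back to ACCEPTED. `possible_outcomes` shows that REQUIRED is the only level that can never silently end up OFF.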
See Also:
Oracle Database Advanced Security Administrator's Guide
Note:
The term checksum still appears in integrity parameter names, but is no longer used otherwise. For all intents and purposes, checksum and integrity are synonymous.
This section covers the following topics:
JDBC OCI Driver Support for Encryption and Integrity
If you are using the JDBC OCI driver, which presumes an Oracle-client setting with an Oracle client installation, then you can enable or disable data encryption or integrity and set related parameters as you would in any Oracle client situation, through settings in the SQLNET.ORA file on the client.
To summarize, the client parameters are shown in Table 9-2:
Table 9-2 OCI Driver Client Parameters for Encryption and Integrity
Parameter Description | Parameter Name | Possible Settings |
---|---|---|
Client encryption level | | |
Client encryption selected list | | (see Note) |
Client integrity level | | |
Client integrity selected list | | |
Note:
For the Oracle Advanced Security domestic edition only, settings of RC4_128 and RC4_256 are also possible.

JDBC Thin Driver Support for Encryption and Integrity
The JDBC Thin driver support for data encryption and integrity parameter settings parallels the JDBC OCI driver support discussed in the preceding section. Corresponding parameters can be set through a Java properties object that you would then use when opening a database connection.
Table 9-3 lists the parameter information for the JDBC Thin driver. These parameters are defined in the oracle.jdbc.OracleConnection interface.
Table 9-3 Thin Driver Client Parameters for Encryption and Integrity
Parameter Name | Parameter Type | Possible Settings |
---|---|---|
 | | |
 | | |
 | | |
 | | |

Note:
Because Oracle Advanced Security support for the Thin driver is incorporated directly into the JDBC classes JAR file, there is only one version, not separate domestic and export editions. Only parameter settings that would be suitable for an export edition are possible.
The letter C in DES40C and DES56C refers to Cipher Block Chaining (CBC) mode.
Setting Encryption and Integrity Parameters in Java
Use a Java properties object, that is, an instance of java.util.Properties, to set the data encryption and integrity parameters supported by the JDBC Thin driver.
The following example instantiates a Java properties object, uses it to set each of the parameters in Table 9-3, and then uses the properties object in opening a connection to the database:
The parentheses around the values encryption type and checksum type allow for lists of values. When multiple values are supplied, the server and the client negotiate to determine which value is to be actually used.
Example
Example 9-3 is a complete class that sets data encryption and integrity parameters before connecting to a database to perform a query.
Note:
In the example, the string 'REQUIRED' is retrieved dynamically through functionality of the AnoServices and Service classes. You have the option of retrieving the strings in this manner or hardcoding them as in the previous examples.
Before running this example, you must turn on encryption in the sqlnet.ora file. For example, the following lines will turn on AES256, AES192, and AES128 for the encryption and MD5 and SHA1 for the checksum:
Example 9-3 Setting Data Encryption and Integrity Parameters
Support for SSL
Oracle Database 11g provides support for the Secure Sockets Layer (SSL) protocol. SSL is a widely used industry standard protocol that provides secure communication over a network. SSL provides authentication, data encryption, and data integrity. It provides a secure enhancement to the standard TCP/IP protocol, which is used for Internet communication.
SSL uses digital certificates that comply with the X.509v3 standard for authentication and a public and private key pair for encryption. SSL also uses secret key cryptography and digital signatures to ensure privacy and integrity of data. When a network connection over SSL is initiated, the client and server perform an SSL handshake that includes the following steps:
Client and server negotiate about the cipher suites to use. This includes deciding on the encryption algorithms to be used for data transfer.
Server sends its certificate to the client, and the client verifies that the certificate was signed by a trusted certification authority (CA). This step verifies the identity of the server.
If client authentication is required, the client sends its own certificate to the server, and the server verifies that the certificate was signed by a trusted CA.
Client and server exchange key information using public key cryptography. Based on this information, each generates a session key. All subsequent communication between the client and the server is encrypted and decrypted by using this set of session keys and the negotiated cipher suite.
Note:
In Oracle Database 11g Release 1 (11.1), SSL authentication is supported in the thin driver. So, you do not need to provide a username/password pair if you are using SSL authentication.
SSL Terminology
The following terms are commonly used in the SSL context:
certificate: A certificate is a digitally signed document that binds a public key with an entity. The certificate can be used to verify that the public key belongs to that individual.
certification authority: A certification authority (CA), also known as certificate authority, is an entity which issues digitally signed certificates for use by other parties.
cipher suite: A cipher suite is a set of cryptographic algorithms and key sizes used to encrypt data sent over an SSL-enabled network.
private key: A private key is a secret key, which is never transmitted over a network. The private key is used to decrypt a message that has been encrypted using the corresponding public key. It is also used to sign certificates. The certificate is verified using the corresponding public key.
public key: A public key is an encryption key that can be made public or sent by ordinary means such as an e-mail message. The public key is used for encrypting the message sent over SSL. It is also used to verify a certificate signed by the corresponding private key.
wallet: A wallet is a password-protected container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates required by SSL.
Java Version of SSL
The Java Secure Socket Extension (JSSE) provides a framework and an implementation for a Java version of the SSL and TLS protocols. JSSE provides support for data encryption, server and client authentication, and message integrity. It abstracts the complex security algorithms and handshaking mechanisms and simplifies application development by providing a building block for application developers, which they can directly integrate into their applications. JSSE is integrated into Java Development Kit (JDK) 1.4 and later, and supports SSL version 2.0 and 3.0.
Oracle strongly recommends that you have a clear understanding of the Java™ Secure Socket Extension (JSSE) framework by Sun Microsystems before using SSL in the Oracle JDBC drivers.
The JSSE standard application programming interface (API) is available in the javax.net, javax.net.ssl, and javax.security.cert packages. These packages provide classes for creating and configuring sockets, server sockets, SSL sockets, and SSL server sockets. The packages also provide a class for secure HTTP connections, a public key certificate API compatible with JDK1.1-based platforms, and interfaces for key and trust managers.

SSL works the same way, as in any networking environment, in Oracle Database 11g. This section covers the following:
Managing Certificates and Wallets
To establish an SSL connection with a JDBC client, Thin or OCI, Oracle database server sends its certificate, which is stored in its wallet. The client may or may not need a certificate or wallet depending on the server configuration.
The Oracle JDBC Thin driver uses the JSSE framework to create an SSL connection. It uses the default provider (SunJSSE) to create an SSL context. However, you can supply your own provider.
You do not need a certificate for the client, unless the SSL_CLIENT_AUTHENTICATION parameter is set on the server.
Keys and certificates containers
Java clients can use multiple types of containers such as Oracle wallets, JKS, PKCS12, and so on, as long as a provider is available. For Oracle wallets, OraclePKI provider must be used because the PKCS12 support provided by SunJSSE provider does not support all the features of PKCS12. In order to use OraclePKI provider, the following JARs are required:
oraclepki.jar
osdt_cert.jar
osdt_core.jar
All these JAR files should be under the $ORACLE_HOME/jlib directory.
Support for Kerberos
Oracle Database 11g Release 1 (11.1) introduces support for Kerberos. Kerberos is a network authentication protocol that provides the tools of authentication and strong cryptography over the network. Kerberos helps you secure your information systems across your entire enterprise by using secret-key cryptography. The Kerberos protocol uses strong cryptography so that a client or a server can prove its identity to its server or client across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
The Kerberos architecture is centered around a trusted authentication service called the key distribution center, or KDC. Users and services in a Kerberos environment are referred to as principals; each principal shares a secret, such as a password, with the KDC. A principal can be a user such as scott or a database server instance.
Configuring Oracle Database to Use Kerberos
Perform the following steps to configure Oracle Database to use Kerberos:

Use the following command to connect to the database:
Use the following commands to create a user CLIENT@US.ORACLE.COM that is identified externally:
Use the following commands to connect to the database as sysdba and dismount it:
Add the following line to $T_WORK/t_init1.ora file:
Use the following command to restart the database:
Modify the sqlnet.ora file to include the following lines:
Use the following commands to verify that you can connect through SQL*Plus:
Code Example
The following example demonstrates the new Kerberos authentication feature that is part of Oracle Database 11g Release 1 (11.1) JDBC thin driver. This demo covers two scenarios:
In the first scenario, the OS maintains the user name and credentials. The credentials are stored in the cache and the driver retrieves the credentials before trying to authenticate to the server. This scenario is in the module connectWithDefaultUser().
Note:
Before you run this part of the demo, use the following command to verify that you have valid credentials:
Use the following command to list your tickets:
The second scenario covers the case where the application wants to control the user credentials. This is the case of the application server where multiple web users have their own credentials. This scenario is in the module connectWithSpecificUser().
Note:
To run this demo, you need to have a working setup, that is, a Kerberos server up and running, and an Oracle database server that is configured to use Kerberos authentication. You then need to change the URLs used in the example to compile and run it.
Support for RADIUS
Oracle Database 11g Release 1 (11.1) introduces support for Remote Authentication Dial-In User Service (RADIUS). RADIUS is a client/server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client/server network environment to enable use of any authentication method that supports the RADIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards and smart cards. This section contains the following sections:
Configuring Oracle Database to Use RADIUS
Perform the following steps to configure Oracle Database to use RADIUS:
Use the following command to connect to the database:
Use the following commands to create a new user aso from within a database:
Use the following commands to connect to the database as sysdba and dismount it:
Add the following lines to the t_init1.ora file:
Note:
Once the test is over, you need to revert the preceding changes made to the t_init1.ora file.
Use the following command to restart the database:
Modify the sqlnet.ora file so that it contains only these lines:
Use the following command to verify that you can connect through SQL*Plus:
Code Example
This example demonstrates the new RADIUS authentication feature that is a part of Oracle Database 11g Release 1 (11.1) JDBC thin driver. You need to have a working setup, that is, a RADIUS server up and running, and an Oracle database server that is configured to use RADIUS authentication. You then need to change the URLs given in the example to compile and run it.
Secure External Password Store
As an alternative for large-scale deployments where applications use password credentials to connect to databases, it is possible to store such credentials in a client-side Oracle wallet. An Oracle wallet is a secure software container that is used to store authentication and signing credentials.
Storing database password credentials in a client-side Oracle wallet eliminates the need to embed user names and passwords in application code, batch jobs, or scripts. This reduces the risk of exposing passwords in the clear in scripts and application code, and simplifies maintenance because you need not change your code each time user names and passwords change. In addition, not having to change application code also makes it easier to enforce password management policies for these user accounts.
When you configure a client to use the external password store, applications can use the following syntax to connect to databases that use password authentication:
Note that you need not specify database login credentials in this CONNECT statement. Instead your system looks for database login credentials in the client wallet.
See Also:
Oracle Database Advanced Security Administrator's Guide for information about configuring your client to use secure external password store and for information about managing credentials in it.