Understanding SQL*Net
Support for Network Authentication Adapters in Release 2.2
With SQL*Net release 2.2 and Oracle7 Server release 7.2, network authentication services can be used for single sign-on and smart card authentication. Use Oracle Network Manager to configure these authentication adapters; each site chooses which adapters to link into its SQL*Net configuration. The Secure Network Services version 2 product is required to enable the authentication adapters. For information on configuring them, see the Secure Network Services Administrator's Guide.
A discussion of security issues in networked systems is in Chapter 6 of Oracle7 Server Distributed Systems, Volume I.
Authentication Services
Authentication services for single sign-on servers or smart cards are usually part of a Network Operating System (NOS) that spans several machines. Administration of a network with many machines can be centralized by creating "network users" who have the same identity and privileges whichever machine they are actually using.
Network Identity
All authentication services provide the concept of a network identity: whichever machine a user logs into, he or she logs onto the network and is identified as the same person. With this method the database relies on the authentication service, rather than on the client machine, to establish that a user is who he or she claims to be.
Network Roles
Because most operating systems support some concept of roles, groups, or identifiers, many authentication services, such as single sign-on servers based on Kerberos, can support network roles. An administrator creates a role and assigns it to selected network users, and the role definition is the same on every machine linked by the authentication service.
Secure External Authentication Logins
Using the network identity provided by the authentication service, the database can provide secure external authentication even over a protocol that is not itself secure, such as TCP/IP.
Note: External authentication refers to authentication by either a network service or the operating system. OS authentication refers only to the operating system case.
Users request external authentication in the same way as before release 7.2: a '/' in place of the username and password indicates that neither is being supplied.
SVRMGR> CONNECT /@ny
Connected.
If an authentication adapter is available, the server uses it to obtain the user's network identity. If no adapter is available, operating system authentication is performed. For an OS-authenticated login that arrives over a network connection rather than a secure (local) one, the value of REMOTE_OS_AUTHENT determines whether the login may proceed: TRUE accepts it, FALSE rejects it.
Note: It is highly recommended that REMOTE_OS_AUTHENT be set to FALSE. Over most protocols the operating system username is simply reported by the client and cannot be verified by the server, so anyone who controls a client machine can claim any OS user.
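The REMOTE_OS_AUTHENT setting described above is easy to audit from the parameter file. The following is an added example, not Oracle code: it parses two constructed init.ora fragments, one with the weak setting and one corrected, and reports the effective value. It assumes Oracle's NAME = VALUE parameter syntax with '#' comments outside quoted values, and treats an absent REMOTE_OS_AUTHENT as its default of FALSE; the sample files and parameter values are constructed for the example.

```python
"""Audit an Oracle7-style init.ora for REMOTE_OS_AUTHENT.

Added example, not Oracle code.  Assumptions: parameters are case-insensitive
NAME = VALUE lines, '#' outside quotes starts a comment, and an absent
REMOTE_OS_AUTHENT is treated as its default of FALSE.
"""
import re

# Constructed sample parameter files (not taken from any real system).
WEAK_INIT_ORA = """\
# init.ora for instance NY
db_name = ny
os_authent_prefix = "OPS$"      # the '$' is not a comment marker
remote_os_authent = TRUE        # accepts OS logins from remote clients
"""

HARDENED_INIT_ORA = """\
db_name = ny
os_authent_prefix = "OPS$"
remote_os_authent = FALSE       # OS logins only over secure (local) connections
"""

_PARAM_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$')


def _strip_comment(line):
    """Drop a '#' comment, but not a '#' that sits inside a quoted value."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == '#':
            return line[:i]
    return line


def parse_init_ora(text):
    """Return {UPPER_NAME: value} for every NAME = VALUE line.  Surrounding
    quotes are removed; a later duplicate overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        m = _PARAM_RE.match(_strip_comment(raw))
        if m:
            params[m.group(1).upper()] = m.group(2).strip('"\'')
    return params


def audit_remote_os_authent(text):
    """Return {'remote_os_authent': effective value, 'findings': [...]}.
    An empty findings list means the parameter file passes this check."""
    params = parse_init_ora(text)
    effective = params.get('REMOTE_OS_AUTHENT', 'FALSE').upper()
    findings = []
    if effective == 'TRUE':
        findings.append(
            'REMOTE_OS_AUTHENT=TRUE: OS-authenticated logins are accepted over '
            'network connections, where the client supplies the OS username '
            'and the server cannot verify it')
    elif effective != 'FALSE':
        findings.append('REMOTE_OS_AUTHENT has unexpected value %r' % effective)
    return {'remote_os_authent': effective, 'findings': findings}


if __name__ == '__main__':
    for label, text in (('weak', WEAK_INIT_ORA), ('hardened', HARDENED_INIT_ORA)):
        result = audit_remote_os_authent(text)
        print(label, result['remote_os_authent'], result['findings'] or 'OK')
```

Run it against a real init.ora by reading the file into a string and passing it to audit_remote_os_authent; the parser deliberately does not follow IFILE includes, so check each included file separately.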
Secure Database Links
Proxy authentication (secure database links, that is, secure server-to-server connections) is used when a user who has been externally authenticated by a network service uses an anonymous database link, one created without a username and password (no CONNECT TO clause). The network service must support a credential that can be used for a proxy login. When a connection is requested, the credentials are passed from the local database server to the remote server, which uses them to obtain the network identity of the originating client process.
Network Roles and Privileges
The same precedence applies to roles. If an authentication adapter is available (installed and linked into the SQL*Net configuration), it is used to authenticate the user and any external roles are retrieved from the network rather than from the operating system; if no adapter is available, the operating system is used for both. Network roles are used only if the authentication service supports them.
How external roles are configured depends on the authentication service. Network roles are named using the global database name rather than the SID (which OS roles use). For example, with DCE authentication the naming convention would be similar to:
ORA_<global_database_name>_<role_name>[_[A][D]]
Note: Exact syntax to define network roles and privileges may vary depending on the authentication adapter in use.
Remote authentication also provides a network version of the OSDBA and OSOPER privileges. SYSDBA and SYSOPER denote the privileges needed for an internal connection, whether they are verified by the operating system, by the password file, or by the network. A format similar to the following would be used to define them as network privileges:
ORA_<global_database_name>_[DBA|OPER]_SYS
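The server applies the naming conventions above when it retrieves roles from the network, but an administrator reviewing what an authentication service hands out may want to do the same mapping offline. The following is an added example, not Oracle code: it builds and parses names in the ORA_<global_database_name>_<role_name>[_[A][D]] and ORA_<global_database_name>_[DBA|OPER]_SYS forms for a constructed list of group names. The meanings assumed for the A and D suffixes (WITH ADMIN OPTION and default role, as for OS roles), the case-insensitive matching, and the sample database and group names are assumptions for the example, not taken from the page.

```python
"""Resolve network role and privilege names for one database.

Added example, not Oracle code.  It implements the naming conventions shown
above, ORA_<global_database_name>_<role_name>[_[A][D]] and
ORA_<global_database_name>_[DBA|OPER]_SYS, for a DCE-style adapter.
Assumptions: the trailing A means the role is granted WITH ADMIN OPTION and D
means it is a default role (the meaning the flags carry for OS roles);
matching is case-insensitive because NOS group names are often lower case;
names for other databases or without the ORA_ prefix are reported, not used.
"""
import re
from collections import namedtuple

GrantedRole = namedtuple('GrantedRole', 'role admin_option default_role')


def network_role_name(global_db_name, role, admin=False, default=False):
    """Build the role name an administrator would create on the network."""
    suffix = ('A' if admin else '') + ('D' if default else '')
    name = 'ORA_%s_%s' % (global_db_name.upper(), role.upper())
    return name + '_' + suffix if suffix else name


def _patterns(global_db_name):
    # The global database name may contain dots (sales.us.acme.com),
    # so it is regex-escaped rather than interpolated raw.
    gdb = re.escape(global_db_name)
    sys_re = re.compile(r'^ORA_' + gdb + r'_(?P<priv>DBA|OPER)_SYS$', re.I)
    # The role part is non-greedy so that a trailing _A, _D, _AD or _DA is
    # read as flags.  Consequence: a role whose own name ends in _A or _D
    # cannot be expressed in this convention; choose other role names.
    role_re = re.compile(r'^ORA_' + gdb +
                         r'_(?P<role>[A-Z0-9_$#]+?)(?:_(?P<flags>A|D|AD|DA))?$',
                         re.I)
    return sys_re, role_re


def resolve_network_roles(global_db_name, names):
    """Map names from the authentication service to (roles, sys_privs, ignored).

    roles:     list of GrantedRole in input order
    sys_privs: set containing 'SYSDBA' and/or 'SYSOPER'
    ignored:   names that are not for this database (keep them for audit)
    """
    sys_re, role_re = _patterns(global_db_name)
    roles, sys_privs, ignored = [], set(), []
    for name in names:
        m = sys_re.match(name)          # check the privilege form first:
        if m:                           # ORA_x_DBA_SYS also matches role_re
            sys_privs.add('SYS' + m.group('priv').upper())
            continue
        m = role_re.match(name)
        if m:
            flags = (m.group('flags') or '').upper()
            roles.append(GrantedRole(m.group('role').upper(),
                                     'A' in flags, 'D' in flags))
            continue
        ignored.append(name)
    return roles, sys_privs, ignored


# Constructed sample of group names returned by an authentication service.
SAMPLE_GROUPS = [
    'ora_sales.us.acme.com_clerk_d',      # CLERK as a default role
    'ora_sales.us.acme.com_manager_ad',   # MANAGER, admin option, default
    'ora_sales.us.acme.com_dba_sys',      # SYSDBA
    'ora_hr.us.acme.com_clerk',           # belongs to another database
    'staff',                              # ordinary NOS group
]

if __name__ == '__main__':
    roles, privs, ignored = resolve_network_roles('sales.us.acme.com', SAMPLE_GROUPS)
    print(roles, privs, ignored)
```

The ignored list is worth keeping: a name such as ora_hr.us.acme.com_clerk appearing in a user's groups for the sales database tells the administrator that the user has been granted roles elsewhere, which is the kind of cross-database grant worth reviewing.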
See Secure Network Services Administrator's Guide for information on configuring network roles and privileges for specific authentication adapters.