Oracle7 Server Distributed Systems Volume I: Distributed Data
Authentication Services Provide Enhanced Security
In Secure Network Services version 2.0, it will be possible to use network authentication services to authenticate connections to the database. An authentication service is usually part of a network operating system (NOS) that overlays several machines. The purpose of authentication services is to provide enhanced security in a distributed environment with network authentication.
Network administration of machines can be centralized by creating a group of network users that have the same identity and privileges, verified by authentication services.
Secure External Authentication
Users need to use a slash (/) to indicate the lack of a username when requesting external authentication. If an authentication adapter is available (installed and linked into the SQL*Net configuration), then the server will use it to find the user's network identity. Alternatively, leave the username and password fields in the pop-up login box of an application (such as SQL*Plus) empty.
SVRMGR> CONNECT /@ny
Connected.
Following are some important points related to secure external authentication:
- The connection fails and an error is returned if the user does not have a valid externally-authenticated database account.
- It is recommended that you do not set the REMOTE_OS_AUTHENT initialization parameter to TRUE, because this exposes the database to certain security risks.
- Set REMOTE_OS_AUTHENT to TRUE only when migrating from a non-secure connection to an authentication service (that is, where some users still need to connect to this database based on the operating system authentication of their host client system).
Note: The REMOTE_OS_AUTHENT parameter only applies to operating system authentication, not to NOS authentication.
Using the network identity from the authentication service, the Oracle7 Server can provide secure external authentication over a non-secure protocol such as TCP/IP.
There is no change in connection syntax from Oracle7 Release 7.1.
Whether or not an authentication adapter is available in Network Manager, the operating system username is retrieved and the OS_AUTHENT_PREFIX is prepended to form the Oracle7 account name. If that account exists, then login succeeds. If the connection is not secure, then the value of REMOTE_OS_AUTHENT determines whether access should be granted.
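The login decision described in the points above, written out as a function a DBA can use to reason about a configuration. This is an added example, not Oracle code: the account-naming rule, the constructed account list and the function names are assumptions; "OPS$" is Oracle's documented default for OS_AUTHENT_PREFIX.

```python
# Added example (not Oracle code): the external-login decision described in
# this section.  The account-naming rule, the constructed account list and
# the function names are assumptions; "OPS$" is Oracle's documented default
# for OS_AUTHENT_PREFIX.
from dataclasses import dataclass


@dataclass
class ServerConfig:
    os_authent_prefix: str = "OPS$"   # documented default
    remote_os_authent: bool = False   # recommended value (see above)


# Constructed list of externally authenticated accounts in the database.
ACCOUNTS = {"OPS$JSMITH", "OPS$DBA1"}


def external_login(identity: str, from_adapter: bool, connection_secure: bool,
                   cfg: ServerConfig, accounts=ACCOUNTS):
    """Decide whether a 'CONNECT /' request succeeds.

    identity           username supplied by the network authentication
                       adapter (from_adapter=True) or asserted by the client
                       operating system (from_adapter=False)
    connection_secure  whether the transport itself is trusted
    Returns (granted, reason).
    """
    # The server builds the account name by prepending OS_AUTHENT_PREFIX.
    # Case-folding to upper case is an assumption of this example.
    account = (cfg.os_authent_prefix + identity).upper()
    if account not in accounts:
        return False, f"no externally authenticated account {account}"
    if from_adapter:
        # The NOS identity was verified by the authentication service, so it
        # is trustworthy even over TCP/IP; REMOTE_OS_AUTHENT does not apply.
        return True, "network identity verified by authentication adapter"
    if connection_secure:
        return True, "operating system identity over a secure connection"
    # Non-secure OS authentication: the username is merely asserted by the
    # remote client, so it is accepted only if REMOTE_OS_AUTHENT=TRUE.
    if cfg.remote_os_authent:
        return True, "REMOTE_OS_AUTHENT=TRUE trusts the client-asserted OS username"
    return False, "non-secure connection and REMOTE_OS_AUTHENT=FALSE"


if __name__ == "__main__":
    for args in [("jsmith", True, False), ("jsmith", False, False),
                 ("jsmith", False, True), ("nobody", True, True)]:
        print(args, external_login(*args, ServerConfig()))
```

The second case is the one the recommendation above is about: with REMOTE_OS_AUTHENT left at FALSE, an OS username asserted over a non-secure link is refused even though the account exists, whereas the adapter-verified identity in the first case is accepted over the same link.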
Proxy Authentication for Remote Login
Proxy authentication provides the client with a credential or token that identifies the user as having valid network access. See Figure 6 - 1 for an illustration of proxy authentication.
Proxy authentication enables a database link to inherit the security credentials established in the initial login.
Following are some important points related to proxy authentication:
- Proxy authentication is not supported by all network authentication services.
- Proxy authentication is used when an externally authenticated user attempts to use an anonymous database link.
- Secure database links also do not require any change in syntax from Oracle7 Server Release 7.1. Proxy authentication offers a secure and authenticated login, whereas operating system authentication will fail if no authentication service is available and REMOTE_OS_AUTHENT is not set to TRUE.
Figure 6 - 1. Proxy Authentication for Remote Login
Authorization Using Network Roles
Network roles, verified by the authentication service, allow users valid network-wide access to database objects.
Use the global database name to specify roles that are valid on the various databases in the network, instead of using the SID as operating system roles do.
Defining Oracle Network Roles
Some authentication services, such as DCE, use the following syntax to define Oracle Network roles (the example uses DCE syntax):
ORA_<global_db_name>_<rolename>[_[A][D]]
or
ORA_global_<rolename>[_[A][D]]
"ORA_" indicates that this token applies to Oracle products.
<global_db_name>: specifies the database on which the token is valid.
The example shows how the literal constant "global" can be used as a valid token on all databases served by this authentication service.
[A]: represents the administrative capability for this role.
[D]: indicates this role is active by default.
Notes:
- Network roles are obtained from the network and not the operating system.
- The global database name consists of the local database name and the domain name.
For example, the global database name HR.US.ACME.COM consists of the database name HR and the domain name US.ACME.COM. It must be unique within the enterprise.
The consequence of having two databases with the same global database name is that the same network role could be accessed on two different databases.
- The database reads all the user's network roles at connection time. Therefore, if the network administrator revokes a role from a user then this is not reflected until the user reconnects to the database.
Authentication Through Network Privileges
Authentication through network privileges alleviates the need to maintain a password file by providing network privileges that map to the operating system privileges (SYSDBA and SYSOPER). The DBA or network administrator can make remote administration over a non-secure connection possible by using network privileges. See Figure 6 - 2 for an illustration of authentication through network privileges.
How a Remote User is Authenticated through Network Privileges
The benefit of authentication through network privileges is that it removes the need to maintain a password file by providing network privileges that map to the operating system privileges (SYSDBA and SYSOPER). This makes secure remote administration possible over a non-secure network connection.
Figure 6 - 2. Authentication Through Network Privileges
If a remote user tries to connect to a local database through a non-secure connection, the local database checks whether it should use network authentication (by checking the appropriate parameters). If the parameters indicate that network authentication should be used, then the database attempts to authenticate the user by looking for SYSDBA/SYSOPER authentication.
If a remote user tries to connect over a secure connection by using a password, the password is verified using the authentication service first. If that fails, the database performs the verification.
Following are some points related to authentication through network privileges:
- Some authentication adapters implement network privileges in the same manner that operating systems implement the SYSOPER and SYSDBA roles.
ORA_<global db name>_[DBA|OPER]_SYS
This naming convention eases administration of multi-instance configurations.
Note: The method of naming network privileges can vary, depending on the authentication adapter. The previous example is the naming method for DCE authentication.
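Parsing the DCE-style token formats given above for network roles (ORA_<global_db_name>_<rolename>[_[A][D]]) and network privileges (ORA_<global db name>_[DBA|OPER]_SYS), and deciding which of a user's tokens apply to one database. This is an added example, not Oracle or DCE code; it assumes role names contain no underscore, that the flags appear in the order A then D, that the "global" literal and database names compare case-insensitively, and the token list is constructed.

```python
# Added example (not Oracle or DCE code): parsing DCE-style network role and
# network privilege tokens and selecting those valid on one database.
# Assumptions: role names contain no underscore, flags appear in the order
# A then D, names compare case-insensitively, and the token list below is
# constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Set

TOKEN_RE = re.compile(
    r"^ORA_(?P<db>[^_]+)_"                        # ORA_<global_db_name>_ or ORA_global_
    r"(?:(?P<priv>DBA|OPER)_SYS"                   # ..._[DBA|OPER]_SYS   (network privilege)
    r"|(?P<role>[^_]+)(?:_(?P<flags>AD|A|D))?)$"   # ..._<rolename>[_[A][D]] (network role)
)


class RoleGrant(NamedTuple):
    admin: bool     # [A]: administrative capability for this role
    default: bool   # [D]: role is active by default


@dataclass
class Grants:
    roles: Dict[str, RoleGrant] = field(default_factory=dict)
    sys_privileges: Set[str] = field(default_factory=set)   # "SYSDBA" / "SYSOPER"
    malformed: List[str] = field(default_factory=list)      # tokens that fit neither form


def token_applies(db_token: str, global_db_name: str) -> bool:
    """A token is valid on this database if it names it or uses the
    literal 'global', which covers every database the service serves."""
    return db_token.lower() in ("global", global_db_name.lower())


def effective_grants(global_db_name: str, tokens: List[str]) -> Grants:
    """Collect the roles and privileges a user's network tokens confer on the
    database with the given global name.  The database reads these once, at
    connection time, so a token revoked later is not seen until reconnect."""
    out = Grants()
    for token in tokens:
        m = TOKEN_RE.match(token)
        if m is None:
            out.malformed.append(token)
            continue
        if not token_applies(m["db"], global_db_name):
            continue            # well-formed, but for another database
        if m["priv"]:
            out.sys_privileges.add("SYS" + m["priv"])
        else:
            flags = m["flags"] or ""
            out.roles[m["role"]] = RoleGrant("A" in flags, "D" in flags)
    return out


# Constructed tokens for a single user, as a directory service might return them.
SAMPLE_TOKENS = [
    "ORA_HR.US.ACME.COM_CLERK_AD",        # CLERK on HR, administrative, default
    "ORA_HR.US.ACME.COM_PAYROLL",         # PAYROLL on HR, no flags
    "ORA_global_HELPDESK_D",              # HELPDESK on every database, default
    "ORA_SALES.US.ACME.COM_CLERK_A",      # CLERK on SALES only
    "ORA_HR.US.ACME.COM_OPER_SYS",        # SYSOPER network privilege on HR
    "ORA_HR.US.ACME.COM_BAD_TOKEN_X",     # malformed: underscore inside the role part
]

if __name__ == "__main__":
    for db in ("HR.US.ACME.COM", "SALES.US.ACME.COM"):
        print(db, effective_grants(db, SAMPLE_TOKENS))
```

Run against the constructed tokens, the HR database sees CLERK (admin, default), PAYROLL, the global HELPDESK role and SYSOPER, while the SALES token is ignored and the malformed token is reported rather than silently granted; reporting malformed tokens is worth keeping in any such check, since a mistyped token is easier to find that way than by a user's missing role.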
- Use the global database name to request internal connections.
For successful internal connections, the database instance should be up and running. Otherwise, the database name cannot be read from the control file.
The following points relate to authentication through network privileges:
- To verify the initial connection when the instance is down, the name defined in the CONNECT_DATA string is used to fetch the proper privileges.
- Because the connect descriptor is clear text and can be changed, the Oracle startup code performs a consistency check and does not allow the connection to pass through if a match is not found.