Oracle7 Server Distributed Systems Volume I: Distributed Data


Authentication Services Provide Enhanced Security

In Secure Network Services version 2.0, it will be possible to use network authentication services to authenticate connections to the database. An authentication service is usually part of a network operating system (NOS) that overlays several machines. Authentication services provide enhanced security in a distributed environment through network authentication: users are verified by the network rather than by each machine separately.

Network administration of machines can be centralized by creating a group of network users that have the same identity and privileges, verified by authentication services.

Secure External Authentication

Users request external authentication by giving a slash (/) in place of a username. If an authentication adapter is available (installed and linked into the SQL*Net configuration), the server uses it to find the user's network identity. Alternatively, leave the username and password fields in the pop-up login box of an application (such as SQL*Plus) empty.

SVRMGR> CONNECT /@ny
Connected. 

Following are some important points related to secure external authentication:

Note: The REMOTE_OS_AUTHENT parameter only applies to operating system authentication, not to NOS authentication.

Using the network identity from the authentication service, the Oracle7 Server can provide secure external authentication over a non-secure protocol such as TCP/IP.

There is no change in connection syntax from Oracle7 Release 7.1.

Whether or not an authentication adapter is available in Network Manager, the operating system username is retrieved and OS_AUTHENT_PREFIX is prepended to it to form the Oracle7 username. If that account exists, the login succeeds. If the connection is not secure, the value of REMOTE_OS_AUTHENT determines whether access should be granted.
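The decision described above, written out as a small model (added here as an example, not code from the Oracle7 product): the identity comes from the authentication adapter when one is installed, otherwise from the operating system, and REMOTE_OS_AUTHENT is consulted only for operating system authentication over a non-secure connection. The OPS$ prefix, the account names and the configuration values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerConfig:
    """init.ora settings that govern external authentication (constructed values)."""
    os_authent_prefix: str = "OPS$"       # assumed site value of OS_AUTHENT_PREFIX
    remote_os_authent: bool = False       # REMOTE_OS_AUTHENT
    nos_adapter_installed: bool = False   # an authentication adapter is linked into SQL*Net


def external_login(cfg, os_username, nos_identity, secure_connection, accounts):
    """Model of CONNECT / handling. Returns (granted, account_or_reason)."""
    if cfg.nos_adapter_installed and nos_identity:
        # NOS authentication: the adapter supplies the network identity and
        # REMOTE_OS_AUTHENT does not apply (see the note in this section).
        identity = nos_identity
    else:
        # Operating system authentication: the OS username is trusted only on a
        # secure connection, or when REMOTE_OS_AUTHENT explicitly allows remote use.
        identity = os_username
        if not secure_connection and not cfg.remote_os_authent:
            return False, "non-secure connection and REMOTE_OS_AUTHENT=FALSE"
    account = cfg.os_authent_prefix + identity
    if account not in accounts:
        return False, "no account " + account
    return True, account


# Constructed sample data: one existing externally identified account.
ACCOUNTS = {"OPS$SCOTT"}

if __name__ == "__main__":
    cfg = ServerConfig()
    print(external_login(cfg, "SCOTT", None, False, ACCOUNTS))  # denied: remote OS auth off
    print(external_login(cfg, "SCOTT", None, True, ACCOUNTS))   # granted over secure link
```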

Proxy Authentication for Remote Login

Proxy authentication provides the client with a credential or token that identifies the user as having valid network access, so that the identity can be presented on the user's behalf to other databases. See Figure 6 - 1 for an illustration of proxy authentication.

Proxy authentication enables a database link to inherit the security credentials established in the initial login.

Following are some important points related to proxy authentication:

Figure 6 - 1. Proxy Authentication for Remote Login

Authorization Using Network Roles

Network roles, verified by the authentication service, allow users valid network-wide access to database objects.

Use the global database name to specify roles that are valid on the various databases in the network, instead of using the SID as operating system roles do.

Defining Oracle Network Roles

Some authentication services, such as DCE, define Oracle Network roles with a naming syntax. In DCE syntax the token has the form:

ORA_<global_db_name>_<rolename>[_[A][D]]

or

ORA_global_<rolename>[_[A][D]]

"ORA_" indicates that this token applies to Oracle products.

<global_db_name>: specifies the database on which the token is valid.

In the second form, the literal constant "global" in place of the database name makes the token valid on all databases served by this authentication service.

[A]: represents the administrative capability for this role.

[D]: indicates this role is active by default.
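A parser for the DCE-style token syntax given above, added here as an example (not part of the Oracle7 manual or product), together with a lookup of the roles that apply to one database by its global name. It assumes that a global database name contains no underscores and that a trailing _A, _D or _AD is always read as the flag suffix rather than as part of the role name; the sample tokens are constructed.

```python
import re
from dataclasses import dataclass

# ORA_ prefix, then the global database name (no underscores assumed), the role
# name, and an optional flag suffix _A, _D or _AD. The role name is matched
# non-greedily so that a trailing _A/_D/_AD always binds as flags.
TOKEN_RE = re.compile(r"^ORA_([^_]+)_(.+?)(?:_(AD|A|D))?$")


@dataclass(frozen=True)
class NetworkRole:
    database: str   # global database name, or the literal "global"
    role: str
    admin: bool     # A flag: administrative capability for the role
    default: bool   # D flag: role is active by default


def parse_token(token):
    """Parse one network role token into its parts; raises ValueError on bad syntax."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("not an Oracle network role token: %r" % token)
    db, role, flags = m.group(1), m.group(2), m.group(3) or ""
    return NetworkRole(db, role, admin="A" in flags, default="D" in flags)


def roles_for_database(tokens, global_db_name):
    """Roles a user holds on one database: tokens scoped to that global name plus 'global' ones."""
    roles = [parse_token(t) for t in tokens]
    return [r for r in roles if r.database in (global_db_name, "global")]


# Constructed sample tokens as an authentication service might hold them for one user.
SAMPLE_TOKENS = [
    "ORA_sales.us.acme.com_CLERK_AD",
    "ORA_global_CONNECT_D",
    "ORA_hr.us.acme.com_MANAGER",
]

if __name__ == "__main__":
    for r in roles_for_database(SAMPLE_TOKENS, "sales.us.acme.com"):
        print(r)
```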

Notes:

Authentication Through Network Privileges

Authentication through network privileges alleviates the need to maintain a password file by providing network privileges that map to the operating system privileges (SYSDBA and SYSOPER). The DBA or network administrator can make remote administration over a non-secure connection possible by using network privileges. See Figure 6 - 2 for an illustration of authentication through network privileges.

How a Remote User is Authenticated through Network Privileges

The benefit of authentication through network privileges is that it removes the need to maintain a password file by providing network privileges that map to the operating system privileges (SYSDBA and SYSOPER). This makes secure remote administration possible over a non-secure network connection.

Figure 6 - 2. Authentication Through Network Privileges

If a remote user tries to connect to a local database through a non-secure connection, the local database checks whether it should use network authentication (by checking the appropriate parameters). If the parameters indicate that network authentication should be used, then the database attempts to authenticate the user by looking for SYSDBA/SYSOPER authentication.

If a remote user tries to connect over a secure connection by using a password, the password is verified using the authentication service first. If that fails, the database performs the verification.

Following are some points related to authentication through network privileges:

Note: The method of naming network privileges can vary, depending on the authentication adapter. The previous example is the naming method for DCE authentication.

For successful internal connections, the database instance should be up and running. Otherwise, the database name cannot be read from the control file.

The following points relate to authentication through network privileges:

