Oracle Advanced Security Frequently Asked Questions


Upload: kimskius

Post on 04-Apr-2015


Doc ID: Note:165465.1
Content Type: TEXT/X-HTML
Subject: Oracle Advanced Security Frequently Asked Questions
Creation Date: 21-NOV-2001
Type: FAQ
Last Revision Date: 24-MAY-2004
Status: PUBLISHED

Oracle Advanced Security Frequently Asked Questions

1. What is the Advanced Security Option ?
2. What features does the Advanced Security Option have ?
3. What Authentication methods are supported ?
4. What products are not supported by the Advanced Security Option ?
5. What is the compatibility of different versions of ASO ?
6. What are the system requirements and other certifications of this product ?
7. How can I tell if ASO is installed ?
8. How can I check if encryption is enabled and working ?
9. How do I add another authentication adapter ?
10. What version of Oracle does ASO come with ?
11. Why isn't ASO installed ?
12. Can I plug-in my own encryption algorithms into ASO ?
13. Are 3rd party adapters required to encrypt Net traffic ?
14. Which encryption algorithms does ASO support ?
15. Is the latest release of ASO compatible with older versions ?
16. How can you enable encryption on some connections but not others ?
17. Are passwords encrypted ?
18. Is data encrypted over database links ?
19. Is ASO a licensable cost option ?

1. What is the Advanced Security Option ?
The Oracle Advanced Security option (formerly Secure Network Services and Oracle Advanced Networking Option) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. The Oracle Advanced Security option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.

2. What features does the Advanced Security Option have ?
The Oracle Advanced Security option protects against these threats to the security of distributed environments. Specifically, the Oracle Advanced Security option provides the following features.
* Data Integrity to ensure that data is not modified during transmission
* Data Privacy to ensure that data is not disclosed during transmission
* Authentication to ensure that users', hosts', and clients' identities are correctly known, and to provide for single sign-on capability in place of using multiple passwords
* Authorization to ensure that a user, program, or process receives the appropriate privileges to access an object or set of objects

3. What Authentication methods are supported ?
* SSL
* RADIUS
* Kerberos
* Entrust
* CyberSafe
* SmartCards
* TokenCards
* Bull ISM
* Biometric (Identix)

4. What products are not supported by the Advanced Security Option ?
The Oracle Advanced Security option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Security option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) cannot yet take advantage of the Oracle Advanced Security option, since ODM does not currently use Net8.

5. What is the compatibility of different versions of ASO ?
A mixture of Advanced Security versions is a supported configuration. However, certain features may not be available between different versions. Advanced Security clients and servers will negotiate to the first common encryption algorithm available to both machines. These algorithms are predefined as defaults, but may not provide the best encryption.

For example, if a default list of algorithms is defined on a client as RC4_40, RC4_56 and a default list of algorithms is defined on a server as RC4_40, RC4_56, RC4_128, then the client and server will negotiate to use RC4_40. To negotiate to the highest algorithm, explicitly define a list of algorithms using the sqlnet.encryption_types_[server | client] parameter. A client with sqlnet.encryption_types_client=(RC4_56, RC4_40) and a server with sqlnet.encryption_types_server=(RC4_128, RC4_56, RC4_40) will negotiate to use RC4_56.

Oracle 8.1.7
============
* Oracle Advanced Security is not available with Oracle 8i Standard Edition.
* Prior versions of Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. Release 8.1.7 now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition.

Oracle 9.1
==========
* Oracle Advanced Security is not available with Oracle9i Standard Edition.
* Prior to Release 8.1.7, Oracle Advanced Security provided three editions: Domestic, Upgrade, and Export—each with different key lengths. This release now contains a complete complement of the available encryption algorithms and key lengths, previously only available in the Domestic edition.

6. What are the system requirements and other certifications of this product ?
See <NOTE:112241.1> "Oracle Authentication Matrices"

7. How can I tell if ASO is installed ?
On a UNIX platform run the 'adapters' command at the shell. If you have ASO installed you will see something like,

    Installed Oracle Advanced Security option/Security products are:
        RC4 40-bit encryption algorithm
        RC4 56-bit encryption algorithm
        DES40 40-bit encryption algorithm
        DES 56-bit encryption algorithm
        MD5 crypto-checksumming algorithm

On Windows you will need to run the Oracle Universal Installer and click on installed products.

8. How can I check if encryption is enabled and working ?
To confirm the network traffic is being encrypted, enable either client or server side sqlnet tracing. From the client, edit the sqlnet.ora and add a line,

    trace_level_client=16

Then make a sqlplus connection to the database and perform a simple select such as,

    select * from v$option

If the client trace file is then examined, the clear-text select and results will not be visible. If you disable encryption in the sqlnet.ora and rerun the select you will be able to see the clear-text select and results. Do not forget to remove trace_level_client when finished.


9. How do I add another authentication adapter ?
To add an additional authentication adapter you need to rerun the Oracle Universal Installer and deinstall Oracle Advanced Security. Next reinstall it and you will be prompted for which adapters to install.

10. What version of Oracle does ASO come with ?
Oracle Advanced Security comes on the Oracle Enterprise Edition CD for 8.1.7 and 9.0.1. It is not on the Standard Edition CD. As a result of the change to the US export regulations, strong encryption is now available outside the US.
Note: 115384.1 Changes to Strong Encryption Export Regulations for Non US Customers

11. Why isn't ASO installed ?
The most common cause for this is that ASO is not installed as part of a default install of Oracle Enterprise Edition. You need to either do a custom install or add it after a default install.

12. Can I plug-in my own encryption algorithms into ASO ?
There is no way, supported or unsupported, to do this. Oracle, as all US-based corporations, cannot ship pluggable crypto. This is an export compliance issue.

13. Are 3rd party adapters required to encrypt Net traffic ?
No. Oracle Advanced Security has native encryption that can be used, such as RC4.

14. Which encryption algorithms does Oracle Advanced Security support ?
The following native encryption algorithms are supported in 9i,
* RC4 256-bit key
* RC4 128-bit key
* RC4 56-bit key
* RC4 40-bit key
* 3-key 3DES
* 2-key 3DES
* DES 56-bit key
* DES 40-bit key

15. Is the latest release of ASO compatible with older versions ?
ASO is backwards compatible with older versions of Oracle. The main issue is that algorithms introduced in 8.1.7 such as DES3 cannot be used on a connection to a 7.3.4 database. In cases such as this you should either adopt the 'lowest common denominator' approach and pick an algorithm common to all versions of your clients and servers, or specify multiple encryption types in your sqlnet.ora and allow Oracle to pick the common type.

16. How can you enable encryption on some connections but not others ?
This can be managed to a degree by how SQLNET.ENCRYPTION_CLIENT is set in the sqlnet.ora on the client and SQLNET.ENCRYPTION_SERVER in the sqlnet.ora on the server. This is detailed further in section 2-8 & 2-9 of the Oracle Advanced Security Administrator's Guide 8.1.7 & 9.0.1.
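
The outcomes described in questions 5 and 16 can be predicted from a client/server pair of sqlnet.ora files. The following is an added example, not part of the Oracle note: it assumes single-line parameters, takes the four ENCRYPTION_CLIENT/SERVER values and the rule that the server's list order decides from Oracle's Net Services documentation rather than from this FAQ (both cases in question 5 come out the same under either ordering), and uses constructed sample files; `predict` and its state names are hypothetical.

```python
import re

# Values accepted by SQLNET.ENCRYPTION_CLIENT / SQLNET.ENCRYPTION_SERVER.
# Taken from Oracle's documentation, not this FAQ; ACCEPTED applies when unset.
LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}
KEY_40_BIT = {"RC4_40", "DES40"}  # the 40-bit options this FAQ lists

def parse_sqlnet(text, side):
    """Return (level, [algorithms]) for side 'CLIENT' or 'SERVER'."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([\w.]+)\s*=\s*\(?([^)]*)\)?\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    level = params.get(f"SQLNET.ENCRYPTION_{side}", "ACCEPTED").strip()
    if level not in LEVELS:
        raise ValueError(f"unknown encryption level {level!r}")
    raw = params.get(f"SQLNET.ENCRYPTION_TYPES_{side}", "")
    return level, [a.strip() for a in raw.split(",") if a.strip()]

def predict(client_ora, server_ora):
    """Predict (state, algorithm) for one client/server pair."""
    c_level, c_algs = parse_sqlnet(client_ora, "CLIENT")
    s_level, s_algs = parse_sqlnet(server_ora, "SERVER")
    levels = {c_level, s_level}
    if levels == {"REJECTED", "REQUIRED"}:
        return ("CONNECTION-FAILS", None)
    if "REJECTED" in levels or levels == {"ACCEPTED"}:
        return ("OFF", None)
    if not c_algs or not s_algs:
        return ("ON-INSTALLED-DEFAULTS", None)  # list is not in the file
    for alg in s_algs:  # server's order decides (assumption, see lead-in)
        if alg in c_algs:
            return ("ON-40-BIT" if alg in KEY_40_BIT else "ON", alg)
    return ("NO-COMMON-ALGORITHM", None)

# Constructed sample files modelled on the two cases in question 5.
SERVER_DEFAULT = ("SQLNET.ENCRYPTION_SERVER = REQUIRED\n"
                  "SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, RC4_56, RC4_128)")
CLIENT_DEFAULT = "SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_40, RC4_56)"
SERVER_ORDERED = ("SQLNET.ENCRYPTION_SERVER = REQUIRED\n"
                  "sqlnet.encryption_types_server=(RC4_128, RC4_56, RC4_40)")
CLIENT_ORDERED = "sqlnet.encryption_types_client=(RC4_56, RC4_40)"

if __name__ == "__main__":
    print(predict(CLIENT_DEFAULT, SERVER_DEFAULT))
    print(predict(CLIENT_ORDERED, SERVER_ORDERED))
    print(predict("SQLNET.ENCRYPTION_CLIENT = REJECTED", SERVER_ORDERED))
```

Running it against every client profile that connects to a given server shows which pairs would settle on a 40-bit key before any trace is taken.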

17. Are passwords encrypted ?
Yes. If ASO native encryption is not used then passwords are still encrypted, but other network traffic is not.

18. Is data encrypted over database links ?
If ASO native encryption is enabled then data will be encrypted over database links.

19. Is ASO a licensable cost option ?
Yes.