datasheet Oracle 9i Advanced Security Release 2

Enterprise User Security
Password Based Enterprise User Security
Administering user accounts is a very time-consuming and costly activity in many organizations. For example, users may lose their passwords, change roles or leave the company. Without timely user administration, the field is open for data misuse and data loss. By introducing password-based authentication, Oracle 9i Advanced Security has improved ease of use and simplified enterprise user setup and administration. Password-based enterprise user security reduces the huge overhead of managing users and also eliminates certificate administration overhead, thereby reducing the time and costs involved in user administration. This release is particularly useful for large user communities accessing multiple applications in a heterogeneous environment using password-based authentication. Furthermore, applications using prior versions of the Oracle Database client can take advantage of this feature without code modification or any upgrade activities on the client. As the users and their credentials are stored in the Oracle Internet Directory, a lightweight directory server, they enjoy the same level of protection and security as when they were stored in the database. The communication between the Oracle Internet Directory and the database(s) continues to be rigorously secured by SSL so that the users experience end-to-end security.

User Migration Utility
In Oracle 9i Advanced Security Release 2, user administration is further simplified with the user migration utility tool. It allows administrators to migrate users defined in the database to Oracle Internet Directory. These migrated users are now referred to as "password authenticated enterprise users". The administrators and the end users enjoy the benefits of centralized user management and single password login to the database respectively.

Three-Tier Enterprise User Security
Oracle 9i Advanced Security Release 2 continues its support for Enterprise User Security in three-tier environments. User identity can now be proxied through a middle tier by means of an X.509 certificate, a Distinguished Name (DN), or a user name and password. Authorizations and access control features are implemented in a single repository, allowing applications to leverage the benefits of a single user identity. Maintaining user identity throughout all the tiers of an application allows enterprises to write scalable applications while providing the benefits of fine-grained auditing and simplified access control policies.

Advanced Encryption Standard
Advanced Encryption Standard is a new Federal Information Processing Standard (FIPS) publication that all US Government organizations can use to protect sensitive information. Oracle 9i Advanced Security Release 2 provides Government agencies and businesses the opportunity to leverage the strength of this cryptographic algorithm to protect sensitive information on the wire.

Strong Authentication with Flexibility
Oracle 9i Advanced Security's authentication adapters such as RADIUS, Entrust, Cybersafe and Kerberos are dynamically loaded. Administrators need no longer make the authentication services decision at the time of installation. Instead, an administrator can select the desired authentication service such as RADIUS, Entrust, Cybersafe or Kerberos at any time. Oracle Advanced Security loads the appropriate authentication adapter dynamically, thereby eliminating the need for performing complex recompilation or relinking of the libraries.

Kerberos
Kerberos is currently enjoying another surge in popularity as many operating systems now include a Kerberos Security Server. Oracle 9i Advanced Security continues to provide an Oracle Kerberos client that can use a Kerberos V5 ticket to be authenticated to the database. Oracle 9i Advanced Security Release 2's Kerberos adapter can be used between a middle-tier server and the database in order to provide end-to-end security with the Kerberos security service in a 3-tier environment. As Kerberos credentials can be leveraged for enabling single sign-on capabilities, this release continues to assist in single sign-on in 2-tier and 3-tier environments.

Support for RADIUS Authorizations
New in Oracle 9i Advanced Security Release 2 is the support for external RADIUS authorizations in addition to the database roles for a RADIUS user connecting to the Oracle database.

SecurID support using RADIUS
Oracle Advanced Security 9i supports SecurID using the two-factor authentication mode of RADIUS. 

Public Key Infrastructure (PKI)
Oracle 9i Advanced Security Release 2 can be used to authenticate users with digital certificates in a PKI environment. It continues to allow clients and servers to authenticate over SSL using X.509v3 certificates. The private keys and the certificates are stored in an Oracle Wallet, a secure container to safeguard the identity of the client and/or the server.

SSL Hardware Acceleration
Oracle 9i Advanced Security Release 2 allows enterprises to delegate complex public key cryptographic operations to hardware accelerator devices to speed up SSL transactions.

Oracle Wallet Manager
Oracle Wallet Manager is a GUI tool that allows the administrator to create wallets for users in their enterprise. Using this tool, the administrator and/or user can optionally store and retrieve their wallets from Oracle Internet Directory. Users have the ability to store multiple certificates in a wallet as well. The wallet management tools are enhanced to provide stronger encryption using the Triple-DES (3DES) algorithm for securing the wallets.

PKCS #12 Support 
Oracle Advanced Security supports X.509 certificates in PKCS #12 format to be stored in an Oracle Wallet. This allows the user's PKI credential to be shared between the Oracle Wallet and third-party applications like Netscape Communicator 4.x and Microsoft Internet Explorer 5.x. By allowing the ability to share credentials stored in the browser, enterprises benefit from tremendous cost savings as well as improved ease of use and administration. Storing certificates in P12 format makes the Oracle Wallet interoperable across operating systems as well.

Roaming Support 
PKCS #12 support provides machine and location independence. Oracle Advanced Security release 9i supports storage and retrieval of user wallets in Oracle Internet Directory. Thus, users can access their applications from multiple locations ensuring consistent and reliable user authentication, while providing centralized wallet management throughout the wallet life cycle.

Multiple Certificate Support
In this release, Oracle Wallet Manager and Oracle Enterprise Login Assistant support multiple certificates for each wallet, including:
   S/MIME signing certificate
   S/MIME encryption certificate
   code-signing certificate
This allows other applications shipped by Oracle Corporation such as Oracle9iAS Email and Oracle 9iAS Unified Messaging to differentiate certificate usages such as code-signing or encryption certificates. This differentiation is critical for these applications to comply with their industry standards.

Strong Wallet Encryption
The wallet, and therefore the private keys associated with X.509 certificates, is encrypted with 3-key Triple-DES (3DES), a strong industry-standard encryption algorithm, thereby providing even better security for Oracle wallets.

Wallet Password Management
The wallet password management module in Oracle Wallet Manager enforces Password Policy Guidelines to improve the security of the wallet password.

Support for Multiple Wallet Formats in the SSL stack
Oracle 9i Advanced Security can store multiple wallet formats including X509v3 certificate, Entrust Profiles and Microsoft Certificate Store in Oracle Wallets. This enables organizations to leverage their existing PKI infrastructure while incorporating the latest standards.

Summary
Oracle 9i Advanced Security Release 2 enables enterprises to implement sound security practices at a lower total cost of ownership while adhering to industry standards. By implementing the newly approved FIPS Publication for encryption, Oracle 9i Advanced Security provides assurance to businesses about its ability to keep their network data private and confidential. Support for standards such as PKCS #12 wallets provides users interoperability of PKI credentials with non-Oracle applications and third-party implementations. Enterprise User Security using digital certificates or password-based authentication reduces the total cost of deploying security throughout the organization. Oracle 9i Advanced Security Release 2 builds upon a popular and widely used security product to bring to users an industry-leading, scalable and interoperable security solution.

 
KEY FEATURES
ENTERPRISE USER SECURITY

Oracle 9i Advanced Security Release 2 allows you to manage enterprise users in a robust manner using 

  • NEW! User Migration Utility
  • NEW! simplified user set-up and administration
  • password-based authentication reducing processing overhead
  • client-side wallets (using SSL end-to-end)
  • Oracle Internet Directory to store users, roles and credentials 
  • backward compatibility for non-SSL clients. Prior Oracle clients such as 8i can transparently use the password-based single login feature without any changes.
  • three-tier proxy authentication support

INDUSTRY STANDARD ENCRYPTION ALGORITHMS

Oracle 9i Advanced Security is known for its encryption capabilities. This release

  • NEW! provides Advanced Encryption Standard support
  • continues to implement highly optimized industry-standard strong data encryption algorithms to protect all communications with the Oracle9i database. The encryption algorithms supported are RC4_40, RC4_56, RC4_128, RC4_256, DES_40, 2-Key 3DES and 3-Key 3DES.
  • continues to support encryption of communication over Oracle Net, Net/SSL, IIOP/SSL and thin JDBC clients to the database. All communications to the database server, including client-server, middle-tier-server and between servers can be encrypted.
  • secures communication packets by protecting against data modification, transaction replay and transaction removal using industry standard algorithms MD5 and SHA-1. Violations are recorded in log files and therefore available for analysis.

STRONG AUTHENTICATION

Oracle 9i Advanced Security Release 2 improves upon the strong password management feature in the Oracle9i Enterprise Edition Release 2 (9.2) by integrating with several external authentication services. This release provides

  • NEW! RADIUS AUTHORIZATIONS support in addition to database roles for RADIUS users 
  • support for the external authentication services is achieved by using shared libraries. The benefit is that there is no need to re-compile or re-link in order to use a different authentication method than what was decided at the time of install.
  • support for authentication using SecurID token cards is via RADIUS
  • support for third party authentication services including Kerberos, Cybersafe, RADIUS and DCE
  • support for third party authentication devices such as smart cards, token cards and any other authentication devices that are RADIUS compliant.
  • support for PKI authentication using X.509v3 digital certificates and Entrust Profiles stored in Oracle Wallets. Oracle Advanced Security 9i supports authentication using Entrust/PKI, Verisign and Baltimore certificates.

PUBLIC KEY INFRASTRUCTURE

Oracle 9i Advanced Security allows you to manage public-key security credentials using the Oracle Wallet Manager and LDAP compliant directory.

  • NEW! SSL Hardware acceleration
  • PKCS#12 support
  • wallets can be stored in an LDAP compliant directory, Microsoft Windows Registry or in the filesystem
  • Strong Wallet Encryption using 3DES encryption 
  • Wallet Password Management Module enforcing Password Management Policies 
  • support for storing multiple wallet formats such as X.509V3 certificates, Entrust Profiles and Microsoft Certificate Store in the wallet

RELATED PRODUCTS AND SERVICES

Oracle 9i Advanced Security Release 2 leverages Oracle Internet Directory (3.0 and higher) features to enable Enterprise User Security

  • Oracle Internet Directory (version 3.0 and higher) is an LDAP v3 server that combines the mission-critical strength of Oracle's database technology with the flexibility and compatibility of the LDAP v3 directory standard.
  • With the purchase of Oracle Advanced Security, you have limited use of Oracle Internet Directory for facilitating Enterprise User Security management. For more details, please contact your Oracle Representative.

GETTING STARTED

Oracle 9i Advanced Security Release 2 is available as an option to license with the Oracle 9i Enterprise Edition Release 2 (9.2) of the database.

  • Oracle 9i Advanced Security Release 2 is available on all platforms that the Enterprise Edition is available on. Not all third party authentication services are available on all platforms. Check with your Oracle Representative for detailed availability information.
  • With recent changes in Export Regulations, there is only one version of Oracle 9i Advanced Security available worldwide.
  • Oracle 9i Advanced Security Release 2 installs with a typical or custom install of the Oracle 9i Enterprise Edition Release 2 (9.2),