Oracle9i

In addition to the security features available in
Oracle8i, Oracle9i provides and supports scalable
and flexible strong user authentication, audit, encryption, highly
granular discretionary access control and a host of even more cutting-edge
security features geared toward robust Internet computing in a variety
of environments.

Authentication

Oracle9i supports strong user identification and authorization and offers a variety of choices for user authentication.

Server Password-based Authentication
Password-based schemes, to be secure, must ensure that passwords can be changed regularly, are of sufficient complexity, and cannot easily be guessed. Oracle9i provides built-in, robust password management facilities to enable administrators to:

- Enforce minimal password length.
- Ensure password complexity (i.e., that passwords contain symbols or numbers as well as alphabetic characters) and restrict password reuse.
- Disallow passwords that are easily guessed words, such as a user's last name or company name.
- Lock accounts automatically after a certain number of incorrect password entries, or "on the fly" if a security breach is detected.
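The four controls listed above map onto an Oracle profile and a password verification function. The following is an added example, not code from the original page or from Oracle; the profile name SECURE_USERS, the function name APP_PW_VERIFY, the user ALICE and the specific limits are assumptions chosen for illustration.

```sql
-- Added example (not from the original page). Names SECURE_USERS,
-- APP_PW_VERIFY and ALICE are assumptions for illustration.

-- The verification function must be owned by SYS; this three-argument
-- signature is the one the server calls when a password is set or changed.
CREATE OR REPLACE FUNCTION app_pw_verify (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN
IS
    has_digit BOOLEAN := FALSE;
    has_alpha BOOLEAN := FALSE;
    has_punct BOOLEAN := FALSE;
    c         CHAR(1);
BEGIN
    -- Minimal length
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;

    -- Easily guessed: same as the user name, or a well-known weak word
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not match the user name');
    END IF;
    IF LOWER(password) IN ('welcome', 'password', 'oracle', 'database') THEN
        raise_application_error(-20003, 'Password is too easily guessed');
    END IF;

    -- Complexity: at least one letter, one digit and one other symbol
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
            has_alpha := TRUE;
        ELSE
            has_punct := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_alpha AND has_punct) THEN
        raise_application_error(-20004,
            'Password needs letters, digits and at least one symbol');
    END IF;

    -- Reuse: the new password must differ from the one being replaced
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20005, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END app_pw_verify;
/

-- The profile ties the function to lockout, ageing and reuse limits.
-- PASSWORD_LOCK_TIME is in days, so 1/24 is one hour.
CREATE PROFILE secure_users LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    PASSWORD_VERIFY_FUNCTION app_pw_verify;

ALTER USER alice PROFILE secure_users;

-- "On the fly" lock when a breach is suspected, and the later unlock
ALTER USER alice ACCOUNT LOCK;
ALTER USER alice ACCOUNT UNLOCK;

-- Confirm the account state and which profile applies
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE username = 'ALICE';
```

Password limits in a profile are always enforced, unlike resource limits, which also need RESOURCE_LIMIT set. PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are set together here because reuse is only restricted when both are given a value.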

Certificate-based Authentication
Oracle Advanced Security, an option to Oracle9i, offers enhanced PKI-based
single sign-on to Oracle9i through the use of interoperable X.509
(version 3) certificates for authentication over Secure Sockets Layer
(SSL), the standard for Internet authentication.
In addition to strong user authentication, SSL also provides network data
confidentiality and data integrity for multiple types of connections:
LDAP (Lightweight Directory Access Protocol), IIOP (Internet Intra-ORB
Protocol), and Net (formerly known as Net8).
The primary component of the PKI infrastructure offered by Oracle is the
Oracle Wallet Manager which provides secure management of PKI-based user
credentials. Once users have securely opened their wallets, they can then
connect to multiple Oracle9i servers over SSL, without providing
additional passwords. Such a technology provides the benefit of strong
authentication as well as single sign-on.

Host-based Authentication
Oracle9i also allows users to be authenticated by the underlying
host, or operating system mechanisms, thereby consolidating username and
password information. During this process, Oracle9i identifies
a user, whereas the host, or the underlying operating system, authenticates
that user by supplying Oracle9i the password that the user provided
during initial login to the operating system.
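Host-based authentication in Oracle is configured with an externally identified user and two initialization parameters. The following is an added example, not code from the original page or from Oracle; the OS user name "webops" and the resulting database user OPS$WEBOPS are assumptions for illustration.

```sql
-- Added example (not from the original page). OS user "webops" and
-- database user OPS$WEBOPS are assumptions for illustration.

-- init.ora: OS_AUTHENT_PREFIX is prepended to the OS user name to form
-- the database user name (default "OPS$"). REMOTE_OS_AUTHENT must stay
-- FALSE: with TRUE the server trusts an OS identity asserted by any
-- remote client, which is the weak setting to avoid.
--   os_authent_prefix = "OPS$"
--   remote_os_authent = FALSE

-- Check the values in effect before relying on host authentication
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- The database identifies the user; the host already authenticated
-- "webops" at OS login, so no database password is stored for it.
CREATE USER ops$webops IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$webops;

-- From a shell on the database host, logged in as OS user "webops",
-- the connection needs no database password:
--   sqlplus /
```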

Third Party Authentication
Oracle Advanced Security, an option to Oracle9i, supports multiple third-party
authentication technologies, such as Kerberos, DCE, smart cards, biometric
authentication (Identix) and RADIUS. These hardware and software technologies
verify a user's identity more strongly than conventional passwords.

N-tier Authentication
For applications and systems that rely on a middle tier, Oracle9i
offers n-tier authentication, that is, "lightweight session" creation
via the Oracle Call Interface (OCI), so that applications can have multiple
user sessions within a single database server session. These "lightweight
sessions" allow each user to be authenticated by a database password
without the overhead of a separate database connection, while preserving
the identity of the real user through the middle tier.

Audit

A critical aspect of any system security policy is the monitoring and
recording of activities within that system, a concept better known as
"auditing". To address this requirement, Oracle9i provides a number of
features and functions to enable accountability for actions taken by users
of the database. Oracle9i does this by providing accounting and auditing
features which are designed to be as granular and flexible as possible, to
ensure that exactly what needs to be accounted and audited, as dictated by
the application or system security policy, is recorded, but nothing more.
This helps to ensure that the size of audit trails remains manageable and
the important records easily accessible. Oracle9i also provides capabilities
that permit accounting and auditing plans to be enabled quickly to implement
crisis plans.

By default, Oracle9i records no accounting or auditing information, except
for a few privileged operations by administrators. However, Oracle9i can be
configured to write accounting and auditing information to its own database
audit trail or to the underlying operating system's audit trail (or to a
specified operating system file if no official operating system audit trail
exists). If configured to write information to its own database audit trail,
the powerful SQL data manipulation facilities of the database can be used by
appropriately privileged users to perform selective accounting and audit
analysis quickly and efficiently. Alternatively, if configured to write to
the audit trail (or specified file) in the underlying operating system,
platform services may be used to consolidate and analyse the audit trail
from the database with audit trails from other system components, to provide
a comprehensive accounting and auditing portrait of the system as a whole.
In a system with two or more physical databases, whether standalone or
distributed, Oracle undertakes accounting and auditing of actions performed
in each database in accordance with the accounting and auditing instructions
specified in that database.
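The selective, quickly enabled auditing and the SQL-based analysis described above look like this in practice. The following is an added example, not code from the original page or from Oracle; the schema HR, its EMPLOYEES table and the user ALICE are assumptions for illustration.

```sql
-- Added example (not from the original page). Schema HR, table
-- EMPLOYEES and user ALICE are assumptions for illustration.

-- init.ora (static parameter, takes effect after a restart):
--   audit_trail = DB   -- write to the database audit trail (SYS.AUD$)
--   audit_trail = OS   -- or to the OS audit trail / audit_file_dest
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest');

-- Record every logon and logoff (OS user, host, connect and logoff time)
AUDIT SESSION;

-- Record each statement that reads or changes employee data: one audit
-- record per statement (BY ACCESS), whether it succeeds or fails
AUDIT SELECT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Record failed attempts to use administrative privileges
AUDIT ALTER USER, GRANT ANY PRIVILEGE BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Crisis plan: record everything one suspect account does, in one step
AUDIT ALL BY alice BY ACCESS;

-- What is currently being audited?
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;
SELECT owner, object_name, sel, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- Analysis with ordinary SQL on the database audit trail:
-- failed logons per OS user and host in the last 24 hours
SELECT os_username, userhost, COUNT(*) AS failures
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY os_username, userhost
 ORDER BY failures DESC;

-- Who touched HR.EMPLOYEES, and with what result (returncode 0 = success)
SELECT timestamp, username, os_username, action_name, returncode
  FROM dba_audit_object
 WHERE owner = 'HR'
   AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;

-- Keeping the trail manageable: the trail is a SYS table, so archive old
-- records first, then purge them under change control
DELETE FROM sys.aud$
 WHERE timestamp# < ADD_MONTHS(SYSDATE, -12);
```

The combination of BY ACCESS and WHENEVER NOT SUCCESSFUL is what keeps the trail small: only the events the policy cares about produce rows, and each row still carries the OS user, host and return code needed for analysis.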

Encryption

The ability to natively encrypt data in the server enables
applications to guard their sensitive data. Oracle9i offers server-based
encryption (and decryption) via PL/SQL packages using industry-standard
Data Encryption Standard (DES) in exportable keylengths and Triple-DES
(3DES).
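The PL/SQL package that ships this capability in Oracle9i is DBMS_OBFUSCATION_TOOLKIT. The following wrapper is an added example, not code from the original page or from Oracle; the package name APP_CRYPTO, its padding scheme and the demo key are assumptions for illustration. It uses three-key 3DES rather than single DES, since a 56-bit DES key no longer resists brute force.

```sql
-- Added example (not from the original page). Package APP_CRYPTO and
-- the demo key are assumptions for illustration.

CREATE OR REPLACE PACKAGE app_crypto AS
    FUNCTION encrypt_3des(p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW;
    FUNCTION decrypt_3des(p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2;
END app_crypto;
/

CREATE OR REPLACE PACKAGE BODY app_crypto AS

    -- DES works on 8-byte blocks: pad to a multiple of 8 and store the
    -- pad length in every pad byte (PKCS#5 style) so it can be removed.
    FUNCTION pad8(p_in IN RAW) RETURN RAW IS
        l_pad PLS_INTEGER := 8 - MOD(UTL_RAW.LENGTH(p_in), 8);
    BEGIN
        RETURN UTL_RAW.CONCAT(p_in,
            UTL_RAW.COPIES(HEXTORAW(TO_CHAR(l_pad, 'FM0X')), l_pad));
    END pad8;

    FUNCTION unpad8(p_in IN RAW) RETURN RAW IS
        l_len PLS_INTEGER := UTL_RAW.LENGTH(p_in);
        l_pad PLS_INTEGER :=
            TO_NUMBER(RAWTOHEX(UTL_RAW.SUBSTR(p_in, l_len, 1)), 'XX');
    BEGIN
        -- Bad padding means a wrong key or tampered ciphertext: fail closed
        IF l_pad < 1 OR l_pad > 8 OR l_pad > l_len THEN
            raise_application_error(-20010, 'Bad padding: wrong key or corrupted data');
        END IF;
        IF l_len = l_pad THEN
            RETURN NULL;
        END IF;
        RETURN UTL_RAW.SUBSTR(p_in, 1, l_len - l_pad);
    END unpad8;

    FUNCTION encrypt_3des(p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW IS
        l_out RAW(2000);
    BEGIN
        -- Three-key 3DES needs a 24-byte key (two-key mode would need 16)
        IF UTL_RAW.LENGTH(p_key) <> 24 THEN
            raise_application_error(-20011, 'Key must be 24 bytes for three-key 3DES');
        END IF;
        DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
            input          => pad8(UTL_RAW.CAST_TO_RAW(p_clear)),
            key            => p_key,
            encrypted_data => l_out,
            which          => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode);
        RETURN l_out;
    END encrypt_3des;

    FUNCTION decrypt_3des(p_cipher IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
        l_out RAW(2000);
    BEGIN
        DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
            input          => p_cipher,
            key            => p_key,
            decrypted_data => l_out,
            which          => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode);
        RETURN UTL_RAW.CAST_TO_VARCHAR2(unpad8(l_out));
    END decrypt_3des;

END app_crypto;
/

-- Round trip. The key below is a constructed demo value; a real key must
-- be supplied from outside the database and never stored beside the data.
DECLARE
    l_key    RAW(24) := HEXTORAW('0F1E2D3C4B5A69788796A5B4C3D2E1F01122334455667788');
    l_cipher RAW(2000);
BEGIN
    l_cipher := app_crypto.encrypt_3des('4111 1111 1111 1111', l_key);
    DBMS_OUTPUT.PUT_LINE('cipher: ' || RAWTOHEX(l_cipher));
    DBMS_OUTPUT.PUT_LINE('clear : ' || app_crypto.decrypt_3des(l_cipher, l_key));
END;
/
```

Without an iv argument the toolkit encrypts each 8-byte block independently (ECB), so identical plaintext blocks produce identical ciphertext blocks; the padding check in unpad8 is also the only integrity signal this API gives, which is why it raises rather than returning garbage.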

Access Control

Access control deals with who has access to what information and what
types of operations they may perform on it. Oracle9i provides a strong set
of access control security mechanisms through privileges. Oracle9i enforces
the Principle of Least Privilege, that is, granting a user only those
privileges that allow him to perform his job functions, but no more.

As one of its most cutting-edge security options, Oracle9i extends the
product known as Oracle Label Security (introduced in Oracle8i, Release
8.1.7) to the concept of the Virtual Private Database: server-enforced,
flexible, configurable and highly granular discretionary access control
together with a secure application context, to enforce fine-grained data
security in the database server.
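The pairing of a secure application context with a server-enforced row-level policy is what makes the Virtual Private Database work. The following is an added example, not code from the original page or from Oracle; the schema HR, an EMPLOYEES table with EMAIL and DEPARTMENT_ID columns, the context HR_CTX, the package HR_CTX_PKG, the policy DEPT_POLICY and the user ALICE are assumptions for illustration.

```sql
-- Added example (not from the original page). HR, EMPLOYEES, HR_CTX,
-- HR_CTX_PKG, DEPT_POLICY and ALICE are assumptions for illustration.

-- 1. A secure application context can only be set by its trusted
--    package, so a session cannot simply claim another department.
CREATE CONTEXT hr_ctx USING hr.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
    PROCEDURE set_dept;
END hr_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
    PROCEDURE set_dept IS
        l_dept hr.employees.department_id%TYPE;
    BEGIN
        -- Derive the department from trusted data keyed on the
        -- authenticated session user, never from caller-supplied input
        SELECT department_id
          INTO l_dept
          FROM hr.employees
         WHERE UPPER(email) = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('hr_ctx', 'dept_id', TO_CHAR(l_dept));
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            -- Unknown user: leave dept_id unset; the policy then fails closed
            NULL;
    END set_dept;
END hr_ctx_pkg;
/

-- 2. Populate the context once, at logon
CREATE OR REPLACE TRIGGER hr.set_hr_ctx_on_logon
    AFTER LOGON ON DATABASE
BEGIN
    hr.hr_ctx_pkg.set_dept;
END;
/

-- 3. The policy function returns a predicate that the server appends to
--    every statement against the table. Its signature is fixed by DBMS_RLS.
CREATE OR REPLACE FUNCTION hr.dept_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
    IF SYS_CONTEXT('hr_ctx', 'dept_id') IS NULL THEN
        RETURN '1 = 0';   -- no context: return no rows rather than all rows
    END IF;
    RETURN 'department_id = SYS_CONTEXT(''hr_ctx'', ''dept_id'')';
END dept_policy;
/

-- 4. Attach the policy. update_check => TRUE also stops a user from
--    inserting or updating a row into a department they could not read.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_DEPT_ONLY',
        function_schema => 'HR',
        policy_function => 'DEPT_POLICY',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE,
        enable          => TRUE);
END;
/

-- 5. Least privilege: the object grant gives only what the job needs;
--    the policy then narrows it further to the user's own department.
GRANT SELECT ON hr.employees TO alice;
```

Because the predicate is generated on the server and references the context rather than a literal, the same policy serves every session, and a user who bypasses the application and connects with SQL*Plus still sees only their own department's rows.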