Oracle Advanced Security Release 9i - Data Sheet
Oracle Advanced Security Release 9i provides scalable, interoperable security for large businesses demanding comprehensive, industry-leading secure solutions. With this release, administrators can manage all users, including password-authenticated users, in Oracle Internet Directory (a Lightweight Directory Access Protocol (LDAP) v3 compliant directory server). Enterprise User Security is therefore easier to deploy and manage, improves the user experience with password-based single login and, most importantly, extends to a three-tier environment. Oracle Advanced Security Release 9i strengthens compliance with Public Key Infrastructure (PKI) standards for improved interoperability, including the ability to use credentials from widely-used browsers. This release also supports industry-standard wallets which are securely stored, managed, and accessible from Oracle Internet Directory (OID), enabling user access to multiple applications from numerous locations with consistent credentials. The comprehensive network encryption and security functionality provided by Oracle Advanced Security, available worldwide, is thus enhanced to improve interoperability and ease of use. These Oracle Advanced Security features make Oracle9i interoperable and scalable in a secure Internet or Intranet deployment.

Enterprise User Security
Password Based Enterprise User Security
Organizations often spend an immense amount of time and effort administering user accounts. For example, users may lose their passwords, change roles or leave the company. Without timely user administration, the field is open for data misuse or data loss. By introducing password-based authentication, Oracle Advanced Security has improved ease of use and simplified enterprise setup and administration. By extending enterprise user security to password-authenticated users as well as SSL-authenticated users, Oracle Advanced Security enables simple, rapid integration with existing password-based applications. It is no longer necessary to request and renew digital certificates for every enterprise user. This reduces the huge overhead of managing not only the users but also their certificates, thereby reducing the time to roll out a new application. This release is particularly useful for large user communities accessing multiple applications in a heterogeneous environment using password-based authentication. Furthermore, applications using prior versions of Oracle Client can take advantage of this feature without modification, thus integrating centralized user management with password-based single login into their applications. Since the users and their credentials are stored in the Oracle Internet Directory, a lightweight database server, they have the same level of protection and security as if they were stored in the database. The communication between the Oracle Internet Directory and the database(s) continues to be rigorously secured by SSL so that users experience end-to-end security.

Three-Tier Enterprise User Security
Oracle Advanced Security 9i enhances Enterprise User Security with support for three-tier environments. User identity can now be proxied through a middle tier by means of an X.509 certificate, a Distinguished Name (DN), or a user name and password. The database validates the user identity and password or defers the validation to the Oracle Internet Directory if defined there. Thus, authorizations and access control features can now be implemented in a single repository since applications can take advantage of the distinct user identity. User identity is maintained throughout all the tiers of an application with centralized user, role and credential management resident in Oracle Internet Directory.

Oracle Wallet Manager

Oracle Advanced Security supports industry standard Public Key Certificate Standard (PKCS) #12 wallet formats and provides the ability to store and retrieve wallets from Oracle Internet Directory. In this release users have the ability to store multiple certificates in a wallet as well. The wallet management tools are enhanced to provide stronger encryption using the Triple-DES (3DES) algorithm for securing the wallets. 

PKCS #12 Support 
Oracle Advanced Security now supports X.509 certificates stored in PKCS #12 format which enables PKI credential sharing between the Oracle Wallet and third party applications like Netscape Communicator 4.x and Microsoft Internet Explorer 5.x. Organizations can use the same PKI credentials to access both web-based and database applications, which translates to tremendous cost savings as well as improved ease of use and administration. This also allows the wallets to be interoperable across different platforms.

Roaming Support 
PKCS #12 support provides machine and location independence. Oracle Advanced Security release 9i supports storage and retrieval of user wallets in Oracle Internet Directory. Thus, users can access their applications from multiple locations ensuring consistent and reliable user authentication, while providing centralized wallet management throughout the wallet life cycle.

Multiple Certificate Support
In this release, Oracle Wallet Manager and Oracle Enterprise Login Assistant support multiple certificates for each wallet, including:
  • S/MIME signing certificate
  • S/MIME encryption certificate
  • code-signing certificate
This allows other applications shipped by Oracle Corporation, such as Oracle9iAS Email and Oracle 9iAS Unified Messaging, to differentiate certificate usages such as code-signing or encryption certificates. This differentiation is critical for these applications to comply with their industry standards.

Strong Wallet Encryption
The wallet, and therefore the private keys associated with X.509 certificates, is encrypted with 3-key Triple-DES (3DES), a strong industry-standard encryption algorithm, thereby providing even better security for Oracle wallets.

Wallet Password Management
The wallet password management module in Oracle Wallet Manager enforces Password Policy Guidelines to improve the security of the wallet password.

Strong Authentication with Flexibility
Oracle Advanced Security 9i authentication adapters such as RADIUS, Entrust, Cybersafe and Kerberos are now dynamically loaded. Administrators need no longer make the authentication services decision at the time of installation. Instead, an administrator can select the desired authentication service such as RADIUS, Entrust, Cybersafe or Kerberos at any time. Oracle Advanced Security loads the appropriate authentication adapter dynamically, thereby eliminating the need for performing complex recompilation or relinking of the libraries. 

SecurID support using RADIUS
Oracle Advanced Security 9i supports SecurID using the two-factor authentication mode of RADIUS. 

Support for Multiple Wallet Formats in the SSL stack
Oracle Advanced Security 9i can store multiple wallet formats, including X.509v3 certificates, Entrust Profiles and Microsoft Certificate Store, in Oracle Wallets. This enables organizations to leverage their existing PKI infrastructure while incorporating the latest standards.

Summary
Oracle Advanced Security Release 9i provides improved interoperability, performance, ease of use and security. Support for standards such as PKCS #12 wallets gives users interoperability of PKI credentials with non-Oracle applications and third-party implementations. Enterprise User Security using digital certificates or password-based authentication reduces the total cost of deploying security throughout the organization. Release 9i builds upon a popular and widely-used security product to bring to users an industry-leading, scalable and interoperable security bundle.

 
KEY FEATURES
ENTERPRISE USER SECURITY

Oracle Advanced Security 9i allows you to manage enterprise users in a robust manner using 

  • NEW! simplified user set-up and administration
  • NEW! password-based authentication reducing processing overhead
  • client-side wallets (using SSL end-to-end)
  • Oracle Internet Directory to store users, roles and credentials 
  • NEW! backward compatibility for non-SSL clients.  Prior Oracle clients such as 7.3, 8, 8i can transparently use the password-based single login feature without any changes.
  • NEW! three-tier proxy authentication support
WALLET MANAGER

Oracle Advanced Security 9i allows you to manage public-key security credentials using the Oracle Wallet Manager and LDAP compliant directory.

  • NEW! PKCS#12 support
  • wallets can be stored in an LDAP compliant directory, Microsoft Windows Registry or in the filesystem
  • Strong Wallet Encryption using 3DES encryption 
  • Wallet Password Management Module enforcing Password Management Policies 
  • NEW! support for storing multiple wallet formats such as X.509v3 certificates, Entrust Profiles and Microsoft Certificate Store in the wallet
STRONG AUTHENTICATION
Oracle Advanced Security 9i improves upon the strong password management feature in the Oracle9i database by integrating with several external authentication services.
  • NEW! support for the external authentication services is achieved by using shared libraries. The benefit is that there is no need to re-compile or re-link in order to use a different authentication method from the one chosen at install time.
  • support for authentication using SecurID token cards is via RADIUS
  • support for third party authentication services including Kerberos, Cybersafe, RADIUS and DCE
  • support for third-party authentication devices such as smart cards, token cards and any other authentication devices that are RADIUS compliant.
  • support for PKI authentication using X.509v3 digital certificates and Entrust Profiles stored in Oracle Wallets. Oracle Advanced Security 9i supports authentication using Entrust/PKI, Verisign and Baltimore certificates.
ENCRYPTION
Oracle Advanced Security is known for its encryption capabilities. This release:
  • continues to implement highly optimized industry-standard strong data encryption algorithms to protect all communications with the Oracle9i database. The encryption algorithms supported are RC4_40, RC4_56, RC4_128, RC4_256, DES, DES_40, 2-Key 3DES and 3-Key 3DES.
  • continues to support encryption of communication over Oracle Net, Net/SSL, IIOP/SSL and thin JDBC clients to the database. All communications to the database server, including client-server, middle-tier-server and between servers, can be encrypted.
  • secures communication packets by protecting against data modification, transaction replay and transaction removal using the industry-standard algorithms MD5 and SHA. Violations are recorded in log files and are therefore available for analysis.
RELATED PRODUCTS AND SERVICES

Oracle Advanced Security 9i leverages Oracle Internet Directory (3.0) features to enable Enterprise User Security

  • Oracle Internet Directory (version 3.0) is an LDAP v3 server that combines the mission-critical strength of Oracle's database technology with the flexibility and compatibility of the LDAP v3 directory standard.
  • With the purchase of Oracle Advanced Security, you have limited use of Oracle Internet Directory for facilitating Enterprise User Security management. You can use it as a store of Distinguished Names of the database, enterprise users roles and credentials.
GETTING STARTED

Oracle Advanced Security 9i is available as an option to license with the Oracle 9i Enterprise Edition of the database.

  • Oracle Advanced Security release 9i is available on all platforms on which the Enterprise Edition is available. Not all third-party authentication services are available on all platforms. Check with your Oracle Representative for detailed availability information.
  • With recent changes in Export Regulations, there is only one version of Oracle Advanced Security 9i available worldwide. 
  • Oracle Advanced Security 9i installs with a typical or custom install of the 9i Enterprise Edition of the database.