The (OAS) Oracle Advanced Security option provides a framework of security features to protect Oracle networks.
This option provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols.
The Advanced Security option is an additional product available from Oracle. Oracle now provides interfaces for popular third-party authentication products, most notably SSL and Kerberos. These authentication servers can be linked into the Oracle framework to guarantee external authentication. The second course in this series Features for Database Administration contains details on setting up these kinds of authentications.
Within the area of improved connection security, we see efforts to integrate Oracle with several important third-party authentication products.
These third-party products were rolled into the new Oracle RADIUS[1] product.
The Oracle Advanced Security option, a vast improvement over security in Oracle8, uses this emerging standard in a client-server network environment.
Authentication with RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a standard lightweight protocol used for user authentication, authorization, and accounting.
RADIUS also enables users to use the RSA One-Time Password Specifications (OTPS) to authenticate to the Oracle database.
Authentication with Directory-Based Services
Using a central directory can make authentication and its administration efficient. Directory-based services include the following:
Oracle Internet Directory, which uses the Lightweight Directory Access Protocol (LDAP), uses a central repository to store and manage information about users (called enterprise users) whose accounts were created in a distributed environment. Although database users must be created (with passwords) in each database that they need to access, enterprise user information is accessible centrally in the Oracle Internet Directory.
You can also integrate this directory with Microsoft Active Directory and SunOne.
Oracle Enterprise Security Manager lets you store and retrieve roles from Oracle Internet Directory, which provides centralized privilege management to make administration easier and increase security levels.
Radius Overview
RADIUS is a client/server security protocol widely used to enable remote authentication and access. Oracle Advanced Security uses this industry standard in a client/server network environment. You can enable the network to use any authentication method that supports the RADIUS standard, including token cards and smart cards, by installing and configuring the RADIUS protocol. Moreover, when you use RADIUS, you can change the authentication method without modifying either the Oracle client or the Oracle database server.
From the user's perspective, the entire authentication process is transparent. When the user seeks access to an Oracle database server, the Oracle database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server:
Looks up the user's security information
Passes authentication and authorization information between the appropriate authentication server or servers and the Oracle database server
Grants the user access to the Oracle database server
Logs session information, including when, how often, and for how long the user was connected to the Oracle database server
[1]RADIUS: Acronym for Remote Authentication Dial-In User Service, a client-server security protocol that is used primarily with the Internet.