
Doc ID: Note:165465.1
Content Type: TEXT/X-HTML
Subject: Oracle Advanced Security Frequently Asked Questions
Creation Date: 21-NOV-2001
Type: FAQ
Last Revision Date: 24-MAY-2004
Status: PUBLISHED

Oracle Advanced Security Frequently Asked Questions


1. What is the Advanced Security Option ?
2. What features does the Advanced Security Option have ?
3. What Authentication methods are supported ?
4. What products are not supported by the Advanced Security Option ?
5. What is the compatibility of different versions of ASO ?
6. What are the system requirements and other certifications of this product ?
7. How can I tell if ASO is installed ?
8. How can I check if encryption is enabled and working ?
9. How do I add another authentication adapter ?
10. What version of Oracle does ASO come with ?
11. Why isn't ASO installed ?
12. Can I plug-in my own encryption algorithms into ASO ?
13. Are 3rd party adapters required to encrypt Net traffic ?
14. Which encryption algorithms does ASO support ?
15. Is the latest release of ASO compatible with older versions ?
16. How can you enable encryption on some connections but not others ?
17. Are passwords encrypted ?
18. Is data encrypted over database links ?
19. Is ASO a licensable cost option ?

1. What is the Advanced Security Option ?


The Oracle Advanced Security option (formerly Secure Network Services and
Oracle Advanced Networking Option) provides a comprehensive suite of security
features to protect enterprise networks and securely extend corporate networks to
the Internet. The Oracle Advanced Security option provides a single source of
integration with network encryption and authentication solutions, single sign-on
services, and security protocols. By integrating industry standards, it delivers
unparalleled security to the Oracle network and beyond.

2. What features does the Advanced Security Option have ?


The Oracle Advanced Security option protects against these threats to the security
of distributed environments. Specifically, the Oracle Advanced Security option
provides the following features.
* Data Integrity: to ensure that data is not modified during transmission
* Data Privacy: to ensure that data is not disclosed during transmission
* Authentication: to ensure that users’, hosts’, and clients’ identities are
  correctly known, and to provide for single sign-on capability in place of
  using multiple passwords
* Authorization: to ensure that a user, program, or process receives the
  appropriate privileges to access an object or set of objects

3. What Authentication methods are supported ?


SSL
RADIUS
Kerberos
Entrust
CyberSafe
SmartCards
TokenCards
Bull ISM
Biometric (Identix)

4. What products are not supported by the Advanced Security Option ?


The Oracle Advanced Security option requires Net8 to transmit data securely.
Accordingly, the Oracle Advanced Security option’s authentication features are not
currently supported by some parts of Oracle Financial, Human Resource, and
Manufacturing Applications when they are running on the Windows platform. The
portions of these products that use Oracle Display Manager (ODM) cannot yet take
advantage of the Oracle Advanced Security option, since ODM does not currently
use Net8.

5. What is the compatibility of different versions of ASO ?


A mixture of Advanced Security versions is a supported configuration.
However, certain features may not be available between different versions.
Advanced Security clients and servers will negotiate to the first common
encryption algorithm available to both machines. These algorithms are
predefined as defaults, but may not provide the best encryption. For
example, if a default list of algorithms is defined on a client as
RC4_40, RC4_56 and a default list of algorithms is defined on a server as
RC4_40, RC4_56, RC4_128, then the client and server will negotiate to
use RC4_40. To negotiate to the highest algorithm, explicitly define
a list of algorithms using the sqlnet.encryption_types_[server | client]
parameter. A client with sqlnet.encryption_types_client=(RC4_56, RC4_40)
and a server with sqlnet.encryption_types_server=(RC4_128, RC4_56, RC4_40)
will negotiate to use RC4_56.

Oracle 8.1.7
============
* Oracle Advanced Security is not available with Oracle 8i
Standard Edition.
* Prior versions of Oracle Advanced Security provided three
editions: Domestic, Upgrade, and Export—each with different key
lengths. Release 8.1.7 now contains a complete complement of the
available encryption algorithms and key lengths, previously only
available in the Domestic edition.

Oracle 9.1
==========
* Oracle Advanced Security is not available with Oracle9i
Standard Edition.
* Prior to Release 8.1.7, Oracle Advanced Security provided
three editions: Domestic, Upgrade, and Export—each with different
key lengths. This release now contains a complete complement of
the available encryption algorithms and key lengths, previously
only available in the Domestic edition.

6. What are the system requirements and other certifications of this product?
See <NOTE:112241.1> "Oracle Authentication Matrices"

7. How can I tell if ASO is installed ?


On a UNIX platform, run the 'adapters' command at the shell. If you have ASO installed,
you will see something like:

    Installed Oracle Advanced Security option/Security products are:
    RC4 40-bit encryption algorithm
    RC4 56-bit encryption algorithm
    DES40 40-bit encryption algorithm
    DES 56-bit encryption algorithm
    MD5 crypto-checksumming algorithm

On Windows you will need to run the Oracle Universal Installer and click on installed products.

8. How can I check if encryption is enabled and working?


To confirm that network traffic is being encrypted, enable either client-side or server-side
sqlnet tracing. On the client, edit the sqlnet.ora and add the line:

    trace_level_client=16

Then make a sqlplus connection to the database and perform a simple select such as:

    select * from v$option

If the client trace file is then examined, the clear-text select and results will not be
visible. If you disable encryption in the sqlnet.ora and rerun the select, you will be
able to see the clear-text select and results.

Do not forget to remove trace_level_client when finished.

9. How do I add another authentication adapter?

To add an additional authentication adapter, you need to rerun the Oracle Universal Installer and deinstall
Oracle Advanced Security. Next, reinstall it and you will be prompted for which adapters to install.

10. What version of Oracle does ASO come with?


Oracle Advanced Security comes on the Oracle Enterprise Edition CD for 8.1.7 and 9.0.1. It is not on the
Standard Edition CD. As a result of the change to the US export regulations strong encryption is now
available outside the US.
Note: 115384.1 Changes to Strong Encryption Export Regulations for Non US
Customers

11. Why isn't ASO installed?


The most common cause is that ASO is not installed as part of a default install of Oracle
Enterprise Edition. You need to either do a custom install or add it after a default install.

12. Can I plug-in my own encryption algorithms into ASO?


There is no way, supported or unsupported, to do this. Oracle, like all US-based corporations, cannot ship
pluggable crypto. This is an export compliance issue.

13. Are 3rd party adapters required to encrypt Net traffic?


No. Oracle Advanced Security has native encryption that can be used such as RC4.

14. Which encryption algorithms does Oracle Advanced Security support?


The following native encryption algorithms are supported in 9i,
RC4 256-bit key
RC4 128-bit key
RC4 56-bit key
RC4 40-bit key
3-key 3DES
2-key 3DES
DES 56-bit key
DES 40-bit key

15. Is the latest release of ASO compatible with older versions?


ASO is backwards compatible with older versions of Oracle. The main issue is that algorithms introduced in
8.1.7 such as DES3 cannot be used on a connection to a 7.3.4 database. In cases such as this you
should either adopt the 'lowest common denominator' approach and pick an algorithm common to all
versions of your clients and servers, or specify multiple encryption types in your sqlnet.ora and allow Oracle
to pick the common type.

16. How can you enable encryption on some connections but not others?
This can be managed to a degree by how SQLNET.ENCRYPTION_CLIENT is set in the sqlnet.ora on
the client and SQLNET.ENCRYPTION_SERVER in the sqlnet.ora on the server.
This is detailed further in section 2-8 & 2-9 of the Oracle Advanced Security Administrator's Guide 8.1.7 &
9.0.1.
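
The negotiation described in questions 5 and 16, as an added example that is not Oracle's code or part of the original note: a small Python model that reads client and server sqlnet.ora settings and reports whether a connection ends up encrypted and with which algorithm. It assumes the documented levels REJECTED, ACCEPTED, REQUESTED and REQUIRED with ACCEPTED as the default, assumes the server's list order decides the algorithm (consistent with both examples in question 5), and needs explicit algorithm lists; the sample fragments are constructed.

```python
import re

def parse_sqlnet(text):
    """Read 'name = value' lines of a sqlnet.ora fragment into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip().upper()
    return params

def alg_list(value):
    """'(RC4_56, RC4_40)' -> ['RC4_56', 'RC4_40'], order preserved."""
    return [a for a in re.split(r"[\s,()]+", value) if a]

def negotiate(client_ora, server_ora):
    """Return (outcome, algorithm) for one client/server pair."""
    c, s = parse_sqlnet(client_ora), parse_sqlnet(server_ora)
    # ACCEPTED is the default level when the parameter is not set.
    levels = {c.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED"),
              s.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")}
    # Without agreement, the connection fails only if a side insists on encryption.
    no_deal = ("FAIL", None) if "REQUIRED" in levels else ("CLEARTEXT", None)
    if "REJECTED" in levels or levels == {"ACCEPTED"}:
        return no_deal
    client_algs = alg_list(c.get("SQLNET.ENCRYPTION_TYPES_CLIENT", ""))
    server_algs = alg_list(s.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""))
    # Assumption: the first entry in the server's list that the client also
    # offers wins. Oracle's built-in default order is not modelled here.
    for alg in server_algs:
        if alg in client_algs:
            return ("ENCRYPTED", alg)
    return no_deal

# Constructed sample fragments using the algorithm lists from question 5.
CLIENT_WEAK_FIRST = ("sqlnet.encryption_client = requested\n"
                     "sqlnet.encryption_types_client = (RC4_40, RC4_56)")
SERVER_WEAK_FIRST = ("sqlnet.encryption_server = required\n"
                     "sqlnet.encryption_types_server = (RC4_40, RC4_56, RC4_128)")
CLIENT_STRONG_FIRST = ("sqlnet.encryption_client = requested\n"
                       "sqlnet.encryption_types_client = (RC4_56, RC4_40)")
SERVER_STRONG_FIRST = ("sqlnet.encryption_server = required\n"
                       "sqlnet.encryption_types_server = (RC4_128, RC4_56, RC4_40)")

if __name__ == "__main__":
    print(negotiate(CLIENT_WEAK_FIRST, SERVER_WEAK_FIRST))
    print(negotiate(CLIENT_STRONG_FIRST, SERVER_STRONG_FIRST))
```

In this model, two sides that both stay at the default level end up in clear text even when algorithm lists are configured, so at least one side has to be set to REQUESTED or REQUIRED for the lists to matter.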

17. Are passwords encrypted?


Yes. Even if ASO native encryption is not used, passwords are still encrypted, but other network traffic is
not.

18. Is data encrypted over database links?


If ASO native encryption is enabled then data will be encrypted over database links.

19. Is ASO a licensable cost option?


Yes.