Oracle® Database Enterprise User Administrator's Guide 10g Release 2 (10.2) Part Number B14269-01
This section describes new features of Enterprise User Security 10g Release 2 (10.2) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.
The following sections describe the new features in Enterprise User Security:
- Oracle Database 10g Release 2 (10.2) New Features in Enterprise User Security
- Oracle Database 10g Release 1 (10.1) New Features in Enterprise User Security
- Oracle9i Release 2 (9.2) New Feature in Enterprise User Security
Enterprise User Security 10g Release 2 (10.2) includes the following new features:
Enterprise User Security 10g Release 2 (10.2) includes new functionality for sharing sqlnet.ora files among multiple databases. Databases can share a single sqlnet.ora file while maintaining separate wallets. This makes Enterprise User Security configuration easier and improves Secure Sockets Layer (SSL) usability. See "Sharing Wallets and sqlnet.ora Files Among Multiple Databases" for more information.
Password policies are created for every identity management realm in Oracle Internet Directory. These policies apply to all enterprise users who reside in the realm. Password policies include settings for password complexity, minimum password length, and the like. They also include account lockout and password expiration settings. Enterprise User Security honors the realm-wide password policies that are set in Oracle Internet Directory.
The database communicates with Oracle Internet Directory when authenticating an enterprise user. It checks to see whether the user's account is locked, disabled, expired, or about to expire. It displays appropriate warnings or error messages in these cases.
See Also:
"Password Policies" for more information on password policies and their management

The Distinguished Name (DN) in the user certificate no longer needs to match the DN in Oracle Internet Directory. This feature is useful if your Public Key Infrastructure (PKI) certificate authority does not support the use of two common names (cn) in the DN. This also enables you to restructure your Directory without requiring new certificates for users or databases. See "Configuring Enterprise User Security for SSL Authentication" for more information.
Enterprise User Security 10g Release 2 (10.2) also introduces several new proxying features that enhance both security and ease of use:
- Proxy permissions for specific enterprise users (or lists of enterprise users) can now be created and stored in Oracle Internet Directory. Formerly, proxy permissions could be granted only to a shared schema, necessarily enabling any enterprise user in that shared schema to proxy as the target user.
- Establishing a proxy session results in a single-user session. Formerly, switching from the original connected session to proxy as the target user created a second, independent session, with the first one also remaining active.
- Proxy access is now possible through SQL*Plus as well as Oracle Call Interface (OCI). Formerly, proxy access could be established only through OCI.
New proxying features are described in "Enterprise User Proxy".
Enterprise User Security 10g Release 1 (10.1) included the following new features:
Kerberos Authenticated Enterprise Users
Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directory users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPrincipalName attribute).
See Also:
"Configuring Enterprise User Security for Kerberos Authentication" for configuration details

Public Key Infrastructure (PKI) Credentials No Longer Required for Database-to-Oracle Internet Directory Connections
In this release, a database can bind to Oracle Internet Directory by using password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and multiple databases. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.
See Also:
"Configuring Enterprise User Security for Password Authentication" for configuration details

Support for User Management in Third-Party LDAP Directories
In the current release of Enterprise User Security, you can store and manage your users and their passwords in third-party LDAP directories. This feature is made possible with:
- Directory Integration Platform, which automatically synchronizes third-party directories with Oracle Internet Directory, and
- Oracle Database recognition of standard password verifiers, which is also new in this release.
Tool Changes
New Tool: Enterprise Security Manager Console
The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release. Administrators can use this tool to create enterprise users and enterprise user security groups, and to configure identity management realm attributes in the directory that relate to Enterprise User Security.
In this release, Oracle Enterprise Login Assistant functionality has been migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:
If you used Oracle Enterprise Login Assistant to... | Then now you should use... |
---|---|
Change the directory password | Enterprise Security Manager Console |
Change an Oracle wallet password | Oracle Wallet Manager |
Enable auto login for an Oracle wallet | Oracle Wallet Manager |
See Also:
The following sections for information about Enterprise Security Manager Console and how to use it:
- "Enterprise Security Manager Console Overview", which provides a brief introduction to the tool
- Chapter 4, "Administering Enterprise User Security", which provides procedural information for using the tool to manage enterprise users
Enterprise User Security was a feature of Oracle Advanced Security in Oracle9i Release 2 (9.2), and it contained the following new feature for that release:
New Tool: User Migration Utility
This utility enables administrators to perform bulk migrations of database users to Oracle Internet Directory for centralized user storage and management.
See Also:
Appendix A, "Using the User Migration Utility" for information about this tool and how to use it