What's New in Oracle Advanced Security?

This section describes new features of Oracle Advanced Security 10g Release 1 (10.1) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.

The following sections describe the new features in Oracle Advanced Security:

Oracle Database 10g Release 1 (10.1) New Features in Oracle Advanced Security

Oracle Advanced Security 10g Release 1 (10.1) includes new features in the following areas:

New Features in Strong Authentication

Oracle Advanced Security provides several strong authentication options, including support for RADIUS, Kerberos, and PKI (public key infrastructure). This release provides the following new features for strong authentication:

Support for TLS (Transport Layer Security), version 1.0

TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager.

See Also:
Chapter 7, "Configuring Secure Sockets Layer Authentication" for configuration details
Support for Hardware Security Modules, including Oracle Wallet Manager Integration

In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a hardware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.

Hardware security modules can be used for the following functions:
- Store cryptographic information, such as private keys, which provides stronger security
- Perform cryptographic operations to off load RSA operations from the server, freeing the CPU to respond to other transactions
  See Also:
  
  "Configuring Your System to Use Hardware Security Modules" for configuration details
  
  "Creating a Wallet to Store Hardware Security Module Credentials"
CRL (Certificate Revocation Lists) and CRLDP (CRL Distribution Point) Support for Certificate Validation

In the current release, you now have the option to configure certificate revocation status checking for both the client and the server. Certificate revocation status is checked against CRLs which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. The orapki utility has also been added for CRL management and for managing Oracle wallets and certificates.
See Also:

"Certificate Validation with Certificate Revocation Lists" for details

Appendix E, "orapki Utility" for details about orapki command line utility

New Features in Enterprise User Security

Kerberos Authenticated Enterprise Users

Kerberos-based authentication to the database is available for users managed in an LDAP directory. This includes Oracle Internet Directory or any other third-party directory that is synchronized to work with Oracle Internet Directory by using the Directory Integration Platform. To use this feature, all directory users, including those synchronized from third-party directories, must include the Kerberos principal name attribute (krbPrincipalName attribute).

See Also:
"Configuring Enterprise User Security for Kerberos Authentication" for configuration details
Public Key Infrastructure (PKI) Credentials No Longer Required for Database-to-Oracle Internet Directory Connections

In this release, a database can bind to Oracle Internet Directory by using password/SASL-based authentication, eliminating the overhead of setting up PKI credentials for the directory and multiple databases. SASL (Simple Authentication and Security Layer) is a standard defined in the Internet Engineering Task Force RFC 2222. It is a method for adding authentication support to connection-based protocols such as LDAP.

See Also:
"Configuring Enterprise User Security for Password Authentication" for configuration details
Support for User Management in Third-Party LDAP Directories

In the current release of Enterprise User Security, you can store and manage your users and their passwords in third-party LDAP directories. This feature is made possible with
- Directory Integration Platform, which automatically synchronizes third-party directories with Oracle Internet Directory, and
- Oracle Database recognition of standard password verifiers, which is also new in this release.

Tool Changes

New Tool: Enterprise Security Manager Console

The Enterprise Security Manager Console, which is based on the Oracle Internet Directory Delegated Administration Service (DAS), is new in this release. Administrators can use this tool to create enterprise users, enterprise user security groups, and to configure identity management realm attributes in the directory that relate to Enterprise User Security.

In this release, Oracle Enterprise Login Assistant functionality has been migrated to the new Enterprise Security Manager Console and Oracle Wallet Manager. The following table lists which tool you should now use to perform tasks that you previously performed by using Oracle Enterprise Login Assistant:

If you used Oracle Enterprise Login Assistant to...	Then now you should use...
Change the directory-to-database password	Enterprise Security Manager Console
Change an Oracle wallet password	Oracle Wallet Manager
Enable auto login for an Oracle wallet	Oracle Wallet Manager

See Also:

The following sections for information about Enterprise Security Manager Console and how to use it:

"Enterprise Security Manager Console Overview", which provides a brief introduction to the tool.
Chapter 13, "Administering Enterprise User Security", which provides procedural information for using the tool to manage enterprise users.

Oracle9i Release 2 (9.2) New Features in Oracle Advanced Security

The new features for Oracle Advanced Security in release 2 (9.2) include the following:

Support for Advanced Encryption Standard (AES)

AES is a new cryptographic algorithm standard developed to replace Data Encryption Standard (DES).

See Also:

"Advanced Encryption Standard" for a brief overview of this encryption algorithm
Chapter 3, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" for configuration details

SSL Hardware Accelerator Support

In release 2 (9.2), complex public key cryptographic operations can be off loaded to hardware accelerators to improve the performance of SSL transactions.

See Also:
"Configuring Your System to Use Hardware Security Modules" for configuration details
New Enterprise User Security Tool: User Migration Utility

This utility enables administrators to perform bulk migrations of database users to Oracle Internet Directory for centralized user storage and management.

See Also:
Appendix G, "Using the User Migration Utility" for information about this tool and how to use it.