Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

Intended Audience
Documentation Accessibility
Related Documents
Conventions

What's New in Enterprise User Security?

Oracle Database 10g Release 2 (10.2) New Features in Enterprise User Security
Oracle Database 10g Release 1 (10.1) New Features in Enterprise User Security
Oracle9i Release 2 (9.2) New Feature in Enterprise User Security

1 Getting Started with Oracle Database Enterprise User Security

1.1 Introduction to Enterprise User Security
1.1.1 The Challenges of User Management
1.1.2 Enterprise User Security: The Big Picture
1.1.2.1 How Oracle Internet Directory Implements Identity Management
1.1.2.2 Enterprise Users Compared to Database Users
1.1.2.3 About Enterprise User Schemas
1.1.2.4 How Enterprise Users Access Database Resources with Database Links
1.1.2.5 How Enterprise Users Are Authenticated
1.1.3 About Enterprise User Security Directory Entries
1.1.3.1 Enterprise Users
1.1.3.2 Password Policies
1.1.3.3 Enterprise Roles
1.1.3.4 Enterprise Domains
1.1.3.5 Database Server Entries
1.1.3.6 User-Schema Mappings
1.1.3.7 Administrative Groups
1.2 About Using Shared Schemas for Enterprise User Security
1.2.1 Overview of Shared Schemas Used in Enterprise User Security
1.2.2 How Shared Schemas Are Configured for Enterprise Users
1.2.3 How Enterprise Users Are Mapped to Schemas
1.3 Enterprise User Proxy
1.4 About Using Current User Database Links for Enterprise User Security
1.5 Enterprise User Security Deployment Considerations
1.5.1 Security Aspects of Centralizing Security Credentials
1.5.1.1 Security Benefits Associated with Centralized Security Credential Management
1.5.1.2 Security Risks Associated with Centralized Security Credential Management
1.5.2 Security of Password-Authenticated Enterprise User Database Login Information
1.5.2.1 What Is Meant by Trusted Databases
1.5.2.2 Protecting Database Password Verifiers
1.5.3 Considerations for Defining Database Membership in Enterprise Domains
1.5.4 Choosing Authentication Types between Clients, Databases, and Directories for Enterprise User Security
1.5.4.1 Typical Configurations

2 Configuration and Administration Tools Overview

2.1 Enterprise User Security Tools Overview
2.2 Database Configuration Assistant
2.2.1 Starting Database Configuration Assistant
2.3 Oracle Wallet Manager
2.3.1 Starting Oracle Wallet Manager
2.3.2 The orapki Command-Line Utility
2.4 Enterprise Security Manager and Enterprise Security Manager Console
2.4.1 Enterprise Security Manager Initial Installation and Configuration Overview
2.4.2 Starting Enterprise Security Manager
2.4.3 Navigating the Enterprise Security Manager User Interface
2.4.3.1 Navigator Pane
2.4.3.2 Right Pane
2.4.3.3 Toolbar
2.4.3.4 Menus
2.4.3.5 File Menu
2.4.3.6 Operations Menu
2.4.3.7 Help Menu
2.4.4 Enterprise Security Manager Console Overview
2.4.5 Logging In to Enterprise Security Manager Console
2.4.5.1 Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users
2.4.6 Navigating Enterprise Security Manager Console User Interface
2.4.6.1 Home Tabbed Window
2.4.6.2 Users and Groups Tabbed Window
2.4.6.3 Realm Configuration Tabbed Window
2.4.7 Enterprise Security Manager Command-Line Utility
2.4.7.1 Accessing Enterprise Security Manager Command-Line Utility Help
2.5 Oracle Net Configuration Assistant
2.5.1 Starting Oracle Net Configuration Assistant
2.6 User Migration Utility
2.7 Duties of an Enterprise User Security Administrator/DBA

3 Enterprise User Security Configuration Tasks and Troubleshooting

3.1 Enterprise User Security Configuration Overview
3.2 Enterprise User Security Configuration Roadmap
3.3 Preparing the Directory for Enterprise User Security (Phase One)
3.3.1 About the Database Wallet and Password
3.3.1.1 Sharing Wallets and sqlnet.ora Files Among Multiple Databases
3.4 Configuring Enterprise User Security Objects in the Database and the Directory (Phase Two)
3.5 Configure Enterprise User Security for the Authentication Method You Require (Phase Three)
3.5.1 Configuring Enterprise User Security for Password Authentication
3.5.2 Configuring Enterprise User Security for Kerberos Authentication
3.5.3 Configuring Enterprise User Security for SSL Authentication
3.5.3.1 Viewing the Database DN in the Wallet and in the Directory
3.6 Enabling Current User Database Links
3.7 Troubleshooting Enterprise User Security
3.7.1 ORA-# Errors for Password-Authenticated Enterprise Users
3.7.2 ORA-# Errors for Kerberos-Authenticated Enterprise Users
3.7.3 ORA-# Errors for SSL-Authenticated Enterprise Users
3.7.4 NO-GLOBAL-ROLES Checklist
3.7.5 USER-SCHEMA ERROR Checklist
3.7.6 DOMAIN-READ-ERROR Checklist

4 Administering Enterprise User Security

4.1 Enterprise User Security Administration Tools Overview
4.2 Realms: Administering Realms in Identity Management
4.2.1 Identity Management Realm Versions
4.2.2 Setting Properties of an Identity Management Realm
4.2.2.1 Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes
4.2.2.2 Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
4.2.3 Managing Identity Management Realm Administrators
4.3 Users: Administering Enterprise Users
4.3.1 Creating New Enterprise Users
4.3.2 Setting Enterprise User Passwords
4.3.3 Defining an Initial Enterprise Role Assignment
4.3.4 Browsing Users in the Directory
4.4 Domains: Administering Enterprise Domains
4.4.1 Creating a New Enterprise Domain
4.4.2 Defining Database Membership of an Enterprise Domain
4.4.3 Managing Database Security Options for an Enterprise Domain
4.4.4 Managing Enterprise Domain Administrators
4.4.5 Managing Enterprise Domain Database Schema Mappings
4.4.6 Managing Password-Accessible Domains
4.4.7 Managing Database Administrators
4.4.8 Managing Proxy Permissions in Enterprise Domains
4.4.8.1 Granting Enterprise Users Access to Local Database Schemas
4.4.8.2 Listing Specific Enterprise Users Who Will Proxy
4.4.8.3 Linking Those Enterprise Users to the Target Database Schemas
4.5 Roles: Administering Enterprise Roles
4.5.1 Creating a New Enterprise Role
4.5.2 Assigning Database Global Role Membership to an Enterprise Role
4.5.3 Granting Enterprise Roles to Users

A Using the User Migration Utility

A.1 Benefits of Migrating Local or External Users to Enterprise Users
A.2 Introduction to the User Migration Utility
A.2.1 Bulk User Migration Process Overview
A.2.1.1 Step 1: (Phase One) Preparing for the Migration
A.2.1.2 Step 2: Verify User Information
A.2.1.3 Step 3: (Phase Two) Completing the Migration
A.2.2 About the ORCL_GLOBAL_USR_MIGRATION_DATA Table
A.2.2.1 Which Interface Table Column Values Can Be Modified Between Phase One and Phase Two?
A.2.3 Migration Effects on Users' Old Database Schemas
A.2.4 Migration Process
A.3 Prerequisites for Performing Migration
A.3.1 Required Database Privileges
A.3.2 Required Directory Privileges
A.3.3 Required Setup to Run the User Migration Utility
A.4 User Migration Utility Command-Line Syntax
A.5 Accessing Help for the User Migration Utility
A.6 User Migration Utility Parameters
A.6.1 Keyword: HELP
A.6.2 Keyword: PHASE
A.6.3 Keyword: DBLOCATION
A.6.4 Keyword: DIRLOCATION
A.6.5 Keyword: DBADMIN
A.6.6 Keyword: ENTADMIN
A.6.7 Keyword: USERS
A.6.8 Keyword: USERSLIST
A.6.9 Keyword: USERSFILE
A.6.10 Keyword: KREALM
A.6.11 Keyword: MAPSCHEMA
A.6.12 Keyword: MAPTYPE
A.6.13 Keyword: CASCADE
A.6.14 Keyword: CONTEXT
A.6.15 Keyword: LOGFILE
A.6.16 Keyword: PARFILE
A.7 User Migration Utility Usage Examples
A.7.1 Migrating Users While Retaining Their Own Schemas
A.7.2 Migrating Users and Mapping to a Shared Schema
A.7.2.1 Mapping Users to a Shared Schema Using Different CASCADE Options
A.7.2.2 Mapping Users to a Shared Schema Using Different MAPTYPE Options
A.7.3 Migrating Users Using the PARFILE, USERSFILE, and LOGFILE Parameters
A.8 Troubleshooting Using the User Migration Utility
A.8.1 Common User Migration Utility Error Messages
A.8.1.1 Resolving Error Messages Displayed for Both Phases
A.8.1.2 Resolving Error Messages Displayed for Phase One
A.8.1.3 Resolving Error Messages Displayed for Phase Two
A.8.2 Common User Migration Utility Log Messages
A.8.2.1 Common Log Messages for Phase One
A.8.2.2 Common Log Messages for Phase Two
A.8.3 Summary of User Migration Utility Error and Log Messages

B SSL External Users Conversion Script

B.1 Using the SSL External Users Conversion Script
B.2 Converting Global Users into External Users

C Integrating Enterprise User Security with Microsoft Active Directory

C.1 Set Up Synchronization Between Active Directory and Oracle Internet Directory
C.2 Set Up a Windows 2000 Domain Controller to Interoperate with Oracle Client
C.3 Set Up Oracle Database to Interoperate with a Windows 2000 Domain Controller
C.4 Set Up Oracle Database Client to Interoperate with a Windows 2000 KDC
C.5 Obtain an Initial Ticket for the Client
C.6 Configure Enterprise User Security for Kerberos Authentication

D Upgrading from Oracle9i to Oracle Database 10g Release 2 (10.2)

D.1 Upgrading Oracle Internet Directory from Release 9.2 to Release 9.0.4
D.2 Upgrading Oracle Database from Release 9.2 to Release 10.2

Glossary

Index