Oracle Advanced Security Option and Kerberos
Douglas E. Engert
deengert at anl.gov
Fri Feb 24 11:15:32 EST 2006
Oracle has had Kerberos support for about 10 years via the Oracle Advanced
Security Option (ASO), formerly known as the Oracle Advanced Networking Option.
There are a lot of articles from 1998-2003 on using the ASO but very
little after.
A few simple changes could vastly improve the usability of the ASO.
The code appears not to have been kept up to date, as it only does single DES
and uses a type 2 ticket cache. But some select features have been added,
including TCP support for the KDC, and on a Windows box the client can use
the Microsoft ticket cache (and maybe SSPI) to authenticate to the server on Unix using GSSAPI.
It can delegate credentials to the server so one database server can
authenticate to another as the user. Yet it has a simple bug with parsing
of the KRB5CCNAME variable.
It is not clear what Kerberos code base is used, as the libs don't match
the MIT or Heimdal ones. Articles refer to CyberSafe TrustBroker interoperability,
so it may be CyberSafe.
The ASO uses the full principal name with realm as the Oracle username without
any mapping from principal to Oracle username. The name is also limited to 30
characters. The lack of a mapping makes it very difficult to add Kerberos support
to an existing database.
I am looking for other Kerberos sites that use Oracle, with or without the ASO,
who would like to see the ASO improved. I would also be interested to know if
you have approached Oracle on improvements, and what their response was.
Personally I believe there has been a lot of customer interest in improvements,
especially from the security people, but this may not have been communicated
to Oracle by the DBAs that deal with Oracle. Or if it has, Oracle has not been
able to see the big picture, and thus not much has changed in the last few years.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444