Oracle Advanced Security Option and Kerberos

Tim Alsop Tim.Alsop at CyberSafe.Com
Fri Feb 24 11:48:06 EST 2006 

Douglas,

Some more info for you :

In Oracle 7,8 and 9 there are 2 ASO adapters, one called "KERBEROS5" and
the other called "CYBERSAFE". You can determine which adapter is used
when you configure sqlnet.

The CyberSafe ASO Kerberos adapter uses GSSAPI. This is because we don't
expose our native K5 protocol API to partners, or to any customers, and
also (perhaps more importantly) it allows the CyberSafe Kerberos product
installed to be changed/updated without having to install a new Oracle
database/client. In this case, the GSSAPI library takes care of
interfaces with the cred cache, additional protocols, KDC differences
etc. 

The other ASO adapter called KERBEROS5 is implemented by Oracle, using
an old version of MIT Kerberos code which is embedded inside the Oracle
product, so you don't have to install any Kerberos libraries yourself.
This has many disadvantages because you cannot update the MIT code to
the latest version, and have to rely on Oracle updating their code,
which they did when they moved to Oracle 10.

I hope you will agree, that the more appropriate architecture moving
forwards would be to use GSSAPI, and have some sort of configuration
parameter in sqlnet, so that the GSS library name can be specified. This
will mean customers can use any GSSAPI library with Oracle software,
apply their own mods, updates etc. without (a) waiting for Oracle to
make same changes, and (b) installing a new version of Oracle just so
they can improve security. Of course, it will also mean that Oracle
won't need to 'embed' any Kerberos libraries in their product, and this
will make supporting new customer requirements much easier than it is
today. This is the approach used by Sybase and IBM with database
products - both of them support Kerberos using a configurable GSS-API
library. I talked to Oracle about 3 years ago, suggesting that they made
these changes, but the product manager at that time was not able to
convince others in Oracle development team that this was the 'way to
go'. Maybe you will have more luck if you try again ?

I agree that the mapping needs to be improved. Our experience is that
customers have difficultly with the way it works today because they
cannot use existing database users, instead they have to create new
users using the realm name as part of the username, and it has to be
uppercase. This means, that a Kerberos principal user1 at DOMAIN and a
principal User1 at DOMAIN would have their own unique passwords, but Oracle
would authenticate them both as USER1 at DOMAIN (the Oracle username) even
though they are different principals with different passwords :-)

I hope this helps ?

Thanks, 
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Douglas E. Engert
Sent: 24 February 2006 16:16
To: kerberos at mit.edu
Subject: Oracle Advanced Security Option and Kerberos


Oracle has had Kerberos support for about 10 years via the Oracle
Advanced
Security Option (ASO) formally know as Oracle Advanced Networking
Option.
There are a lot of articles from 1998-2003 on using the ASO but very
little after.

A few simple changes could vastly improve the usability of the ASO.

The code appears to not have been kept up to date, as it only does
single DES,
and uses a type 2 ticket cache. But some selective features have been
made,
including TCP support for the KDC, and on a Windows box, the client can
use
the Microsoft ticket cache (and maybe SSPI) to the server on Unix using
GSSAPI.
It can delegate credentials to the server so one database server can
authenticate to another as the user. Yet it has a simple bug with
parsing
of the KRB5CCNAME variable.

It is not clear what Kerberos code base is used, as the libs don't match
the MIT or Heimdal.  Articles refer to CyberSafe Trust Broker
interoperability
so it may be CyberSafe.

The ASO uses the full principal name with realm as the Oracle username
without
any mapping from principal to Oracle username. The name is also limited
to 30
characters. The lack of a mapping makes it very difficult to add
Kerberos support
to an existing database.




I am looking for other Kerberos sites that use Oracle with or without
the ASO
who would like to see the ASO improved. I would also be interested to
know if
you have approached Oracle on improvements, and what was their response.

Personally I believe there has been a lot of customer interest in
improvements
especially from the security people, but this may not have been
communicated
to Oracle by the DBAs that deal with Oracle. Or if it has, Oracle has
not been
able to see the big picture, and thus not much has changed in the last
few years.


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list