Oracle Advanced Security Option and Kerberos

Tim Alsop Tim.Alsop at CyberSafe.Com
Fri Feb 24 16:05:35 EST 2006 

Douglas,

In Oracle 10, Oracle decided to remove the GSS functionality (i.e. The
CyberSafe adapter), and just maintain 1 adapter - namely the MIT
Kerberos adapter, which they took time to make some improvements to at
the same time, based on what they previously had in Oracle 9. Clearly it
has a long way to go still, and it would be worth them removing it,
going back to the GSS adapter, thus providing the capabililies that
customers are asking for without them having to support (or not ?) their
own Kerberos implementation.

We have customers using our products with Oracle 9, and these customers
cannot upgrade to Oracle 10 due to the fact that the GSS adapter has
been removed, so I have a desire to help you with this, hoping that our
customers will then be able to continue to enjoy the benefits of our
commercially supported product and also be able to upgrade to a new
Oracle version.

I doubt that threatening to use Sybase or IBM's database will help,
unless you are Oracle's biggest customer :-)

Please feel free to pass on my email to Oracle.

The product manager I talked with previously was Sudha Iyer. I prepared
a presentation for here, trying to explain why they should not 'take a
step backwards' with Oracle 10, but it didn't work :-( I believe Sudha
is still with Oracle, but is not involved with ASO anymore.

Thanks, Tim

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: 24 February 2006 20:50
To: Tim Alsop
Cc: kerberos at mit.edu
Subject: Re: Oracle Advanced Security Option and Kerberos

Thanks, Tim, this does explain a lot, and I like the gssapi plugin
approach. We need to try and get Oracle to do this.

Tim Alsop wrote:

> Douglas,
> 
> Some more info for you :
> 
> In Oracle 7,8 and 9 there are 2 ASO adapters, one called "KERBEROS5"
and
> the other called "CYBERSAFE". You can determine which adapter is used
> when you configure sqlnet.

What about 10? In the Netmanager? On windows, I only see KERBEROS5, NTS
and RADIUS as choices. Does it have to have CyberSafe installed before
it will show it?

> 
> The CyberSafe ASO Kerberos adapter uses GSSAPI. This is because we
don't
> expose our native K5 protocol API to partners, or to any customers,
and
> also (perhaps more importantly) it allows the CyberSafe Kerberos
product
> installed to be changed/updated without having to install a new Oracle
> database/client. In this case, the GSSAPI library takes care of
> interfaces with the cred cache, additional protocols, KDC differences
> etc. 

Yes, that would solve many of the the problems, like more DES only,
the KRB5CCNAME parsing, and ticket cache type.

> 
> The other ASO adapter called KERBEROS5 is implemented by Oracle, using
> an old version of MIT Kerberos code which is embedded inside the
Oracle
> product, so you don't have to install any Kerberos libraries yourself.

Doing an nm on the library, and looking at routine names. it does not
look like any MIT release I have even seen. That was why I was
speculating
that it was from your product.

> This has many disadvantages because you cannot update the MIT code to
> the latest version, and have to rely on Oracle updating their code,
> which they did when they moved to Oracle 10.
> 

Yes, the DES only, cache type = 2  and KRB5CCNAME parsing are good
examples
of where this had an effect.


> I hope you will agree, that the more appropriate architecture moving
> forwards would be to use GSSAPI, and have some sort of configuration
> parameter in sqlnet, so that the GSS library name can be specified.
This
> will mean customers can use any GSSAPI library with Oracle software,
> apply their own mods, updates etc. without (a) waiting for Oracle to
> make same changes, and (b) installing a new version of Oracle just so
> they can improve security. Of course, it will also mean that Oracle
> won't need to 'embed' any Kerberos libraries in their product, and
this
> will make supporting new customer requirements much easier than it is
> today. This is the approach used by Sybase and IBM with database
> products - both of them support Kerberos using a configurable GSS-API
> library.

I full agree! You say Sybase and IBM do this... That might be an option
if Oracle does not make some improvements.


> I talked to Oracle about 3 years ago, suggesting that they made
> these changes, but the product manager at that time was not able to
> convince others in Oracle development team that this was the 'way to
> go'.

I think a lot of people have talked to Oracle, over the years, and get
the same response...

> Maybe you will have more luck if you try again ?

Thats what this threadis all about.

> 
> I agree that the mapping needs to be improved. Our experience is that
> customers have difficultly with the way it works today because they
> cannot use existing database users, instead they have to create new
> users using the realm name as part of the username, and it has to be
> uppercase. 

Yes this is a show stopper. There is no way that we could transition
from one to another.


> This means, that a Kerberos principal user1 at DOMAIN and a
> principal User1 at DOMAIN would have their own unique passwords, but
Oracle
> would authenticate them both as USER1 at DOMAIN (the Oracle username)
even
> though they are different principals with different passwords :-)

That is sort of the the way Windows AD treats Kerberos, as case
insensitive,
and we are learning to live with it.

> 
> I hope this helps ?

Sure does, OK, if we forward your note ot Oracle?

> 
> Thanks, 
> Tim
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Douglas E. Engert
> Sent: 24 February 2006 16:16
> To: kerberos at mit.edu
> Subject: Oracle Advanced Security Option and Kerberos
> 
> 
> Oracle has had Kerberos support for about 10 years via the Oracle
> Advanced
> Security Option (ASO) formally know as Oracle Advanced Networking
> Option.
> There are a lot of articles from 1998-2003 on using the ASO but very
> little after.
> 
> A few simple changes could vastly improve the usability of the ASO.
> 
> The code appears to not have been kept up to date, as it only does
> single DES,
> and uses a type 2 ticket cache. But some selective features have been
> made,
> including TCP support for the KDC, and on a Windows box, the client
can
> use
> the Microsoft ticket cache (and maybe SSPI) to the server on Unix
using
> GSSAPI.
> It can delegate credentials to the server so one database server can
> authenticate to another as the user. Yet it has a simple bug with
> parsing
> of the KRB5CCNAME variable.
> 
> It is not clear what Kerberos code base is used, as the libs don't
match
> the MIT or Heimdal.  Articles refer to CyberSafe Trust Broker
> interoperability
> so it may be CyberSafe.
> 
> The ASO uses the full principal name with realm as the Oracle username
> without
> any mapping from principal to Oracle username. The name is also
limited
> to 30
> characters. The lack of a mapping makes it very difficult to add
> Kerberos support
> to an existing database.
> 
> 
> 
> 
> I am looking for other Kerberos sites that use Oracle with or without
> the ASO
> who would like to see the ASO improved. I would also be interested to
> know if
> you have approached Oracle on improvements, and what was their
response.
> 
> Personally I believe there has been a lot of customer interest in
> improvements
> especially from the security people, but this may not have been
> communicated
> to Oracle by the DBAs that deal with Oracle. Or if it has, Oracle has
> not been
> able to see the big picture, and thus not much has changed in the last
> few years.
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list