03-13-2001 09:36 AM
03-14-2001 12:29 AM
You can go for external authentication of users in the database. If you do a create user identified externally, your user will be able to connect directly to the database. Please check this possibility in the Oracle documentation. Then the user administration will be on the NT side. But you have to be sure that there are no violations like handing user IDs and passwords to other users.
Alexander M. Ermes
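Added example (not from this thread or from Oracle's documentation) of what the "create user identified externally" setup looks like on the Oracle side; the OS user name jsmith and the prefix OPS$ are assumptions, and the two init.ora parameters shown are Oracle's standard ones for OS authentication:

```sql
-- Added example, not from the original post.
-- init.ora parameters relevant to externally authenticated accounts:
--   os_authent_prefix = "OPS$"  -- default; Oracle account name = prefix + OS user name
--   remote_os_authent = FALSE   -- do not trust an OS user name claimed by a remote client
--   (assumed site values; check them with SHOW PARAMETER os_authent / remote_os_authent)

-- Create an account that has no database password and is authenticated by the OS.
-- "jsmith" is an assumed OS user name on the database host.
CREATE USER OPS$JSMITH IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO OPS$JSMITH;

-- From a shell on the server, logged in as OS user jsmith, the user connects
-- without supplying a database password:
--   $ sqlplus /

-- Audit check: list every account that relies on external authentication,
-- so the DBA can review which ones exist (8i/9i-era dictionary column).
SELECT username, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;
```

The point of the remote_os_authent line is the caveat in the post above: with OS authentication the database trusts whoever the operating system says is logged in, so the account list should be reviewed regularly and that trust should not be extended to user names asserted over the network.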
03-14-2001 12:55 AM
Kerberos Products on HP-UX
HP-UX supports Kerberos clients with a set of three software packages for HP-UX
11.0 and 11i. These products are: PAM Kerberos, KRB5 Client Software, and the
Generic Security Service Application Programming Interface (GSS-API).
All HP-UX Kerberos products conform to the IETF specification for Kerberos Version
5 and are compliant with IETF RFC 1510.
Application programmers can create "Kerberized" applications using either the
GSS-APIs or Kerberos APIs. However, HP recommends that GSS-APIs be used for
application development. HP provides the following Kerberized applications through
Secure Internet Services (SIS): ftp, rcp, remsh, rlogin, and telnet.
PAM Kerberos Product availability:
- GSS-API and Kerberos Client are in the 11i core. PAM Kerberos is at 11i
- GSS-API, Kerberos Client and PAM Kerberos are on the AP1200 Dart CD for 11.0
- PAM Kerberos is on the AP0300 Dart CD for
03-14-2001 03:56 AM
Remember that this will affect Oracle performance greatly, and may not work at all.
Why will it affect performance? The Oracle server will have to move data from the local host to a remote host for AUTH. Kerberos is very secure, but not the fastest AUTH there is. Kerberos requires key exchange and token exchange prior to performing ANY task.
As it is set up now, Oracle AUTH happens locally, so there is absolutely no wait for AUTH (well, a couple of system calls wait, as opposed to lots of network traffic and system calls).
The other logistics problem that I see is that Oracle will now rely on an external machine as opposed to being self-sufficient. Pretty scary!
There are a few web server utilities that can authenticate clients off of NT, and using a bit of CGI this could get your users AUTH'ed before hitting your web front ends to Oracle.
NOTE: HP says it uses NT for its global auth, but they're the only one I have ever heard of. NT is pretty slow even for AUTH, and not very secure at all. Go to http://packetstorm.securify.com and look at all the nice publicly available security hacks for NT as opposed to HP and SunOS.
Look also at how MS implemented Sun's Kerberos. It is not very different from NT4's mechs...
03-14-2001 08:44 AM
Thanks Alex, but I currently have HP-UX 10.20. I must first set it up on that, then after we upgrade in a few months set it up on HP-UX 11.0. I've heard Kerberos v5 is for HP-UX 11.0, not for HP-UX 10.20.
Shannon, thanks for your input on the Oracle side. I had not realized that external authentication would affect performance that much.
Let me try to add to what I need to know now. I am looking into setting up external authentication, using NT authentication. Oracle documentation is vague on what needs to be done on the Unix side. It mentions briefly that Kerberos or other security services like it must be installed and configured. I have HP-UX 10.20 at the moment. There is no Kerberos installed on our box. What security services would be installed that Oracle would use? Is PAM the same thing as Kerberos, just an earlier version? The reason why I was asking about Kerberos was because the document I downloaded from Oracle said to install Kerberos, but never said where to get it from or what it is. If there is something else that I could use instead that is already on the box, I would prefer to do that. So please help with the following questions:
1. What security services would be installed that Oracle would use other than Kerberos?
2. Is PAM the same thing as Kerberos, just an earlier version?
3. Has anyone else set up external authentication using NT authentication on HP-UX 10.20? If so, what should I be concerned with and what documentation did you use?