readme_aso.htm

Debian中文参考手册,系统介绍了Debian系统

</TD>
</TR>

</TABLE>


</DIV>

</A>
<P>  
<LI CLASS="LB1" TYPE="DISC"><A NAME="563087"></A>Interoperability with Windows 2000 Domain Controller KDC
<P>
  
<A NAME="563118">
<DIV ALIGN="CENTER">
<P>
<TABLE CLASS="NoteAlso" BORDER="0" WIDTH="80%" CELLPADDING="0" CELLSPACING="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note">
<TR CLASS="NoteAlso"><TD CLASS="NoteAlso">
<A NAME="563121"></A><FONT FACE="Arial, Helvetica, sans-serif"><STRONG CLASS="NH">See Also:</STRONG></FONT>

<A NAME="563122"></A>
<P CLASS="NB">
"Configuring Interoperability with a Windows 2000 Domain Controller KDC," <EM CLASS="Italic">Oracle Advanced Security Administrator's Guide</EM>, Chapter 6
</TD>
</TR>

</TABLE>


</DIV>

</A>

<A NAME="563114">
</A>
<P>  
<LI CLASS="LB1" TYPE="DISC"><A NAME="563090"></A>Command line tool for Enterprise Security Manager
<P>
  
<A NAME="563065">
<DIV ALIGN="CENTER">
<P>
<TABLE CLASS="NoteAlso" BORDER="0" WIDTH="80%" CELLPADDING="0" CELLSPACING="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note">
<TR CLASS="NoteAlso"><TD CLASS="NoteAlso">
<A NAME="563689"></A><FONT FACE="Arial, Helvetica, sans-serif"><STRONG CLASS="NH">See Also:</STRONG></FONT>

<A NAME="563690"></A>
<P CLASS="NB">
<A HREF="README_ASO.htm#563452">"Command Line Tool for Enterprise Security Manager 9.2"</a><A HREF="README_ASO.htm#563452"></a>
</TD>
</TR>

</TABLE>


</DIV>

</A>
  </UL>

<A NAME="563631"></A>
<!--TOC=h1-"563631"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">3&#32; INSTALLATION</FONT></H2>


<!--/TOC=h1-->
<A NAME="563638"></A>
<P CLASS="BP">
During Oracle Advanced Security installation, three <CODE>.bak</CODE> files are created: <CODE>naeet.o.bak</CODE>, <CODE>naect.o.bak</CODE>, and <CODE>naedhs.o.bak</CODE>. They are located in <CODE>$ORACLE_HOME/lib</CODE>. Do not delete these files because they are required when executables are relinked during the de-installation of Oracle Advanced Security.
</P>
<A NAME="563639"></A>
<P CLASS="BP">
If using Oracle Advanced Security on a "client only" machine (that is, with no database present), then it is mandatory to set the <CODE>TWO_TASK</CODE> environment variable before starting the installation. The <CODE>TWO_TASK</CODE> variable points to an alias representing the database on a server machine. Setting the <CODE>TWO_TASK</CODE> environment variable enables Oracle Advanced Security to be installed in "Client Only" mode.
</P>
   
<A NAME="563679">
<DIV ALIGN="CENTER">
<P>
<TABLE CLASS="NoteAlso" BORDER="0" WIDTH="80%" CELLPADDING="0" CELLSPACING="0" dir="ltr" summary="This is a layout table to format a note" title="This is a layout table to format a note">
<TR CLASS="NoteAlso"><TD CLASS="NoteAlso">
<A NAME="563683"></A><FONT FACE="Arial, Helvetica, sans-serif"><STRONG CLASS="NH">See Also:</STRONG></FONT>

<A NAME="563684"></A>
<P CLASS="NB">
<EM CLASS="Italic">Oracle9i Administrator's Guide</EM> for more information about the <CODE>TWO_TASK</CODE> environment variable.
</TD>
</TR>

</TABLE>


</DIV>

</A>
   
<A NAME="561813"></A>
<!--TOC=h1-"561813"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4&#32; DATA ENCRYPTION AND INTEGRITY</FONT></H2>


<!--/TOC=h1-->
<A NAME="563141"></A>
<P CLASS="BP">
In this release, the configuration tool, Oracle Net Manager, does not provide a default seed for generating cryptographic keys. You must manually enter an arbitrary string between 10 and 70 characters in length. Enter different seeds on every client and every server. The seed is one of the elements used to generate random numbers used in the Diffie-Hellman key exchange.
</P>
<A NAME="563142"></A>
<P CLASS="BP">
In this release, the NS features of Multiplexing and Connection Pooling do not work if SSL transport is being used.
</P>

<A NAME="563712"></A>
<!--TOC=h2-"563712"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">4.1&#32; Known Bugs and Workarounds</FONT></H3>
<!--/TOC=h2-->

<DL CLASS="A1">

<DT CLASS="A1"><FONT SIZE="-1" FACE="Arial, Helvetica, sans-serif"><A NAME="563713"></A><STRONG>Bug 2285343</STRONG></FONT>
</DL>
<A NAME="563143"></A>
<P CLASS="BP">
There is a known problem in which Oracle clients (<CODE>sqlplus</CODE> or <CODE>svrmgrl</CODE>) fail when the RADIUS adapter is configured for <CODE>CHAP</CODE> (challenge-response) mode.
</P>

<A NAME="563714"></A>
<H5 CLASS="SH3"><FONT FACE="Arial, Helvetica, sans-serif">Workaround</FONT></H5>
<A NAME="563715"></A>
<P CLASS="BP">
To workaround this problem, set the <CODE>LD_LIBRARY_PATH</CODE> environment variable to include <CODE>$ORACLE_HOME/JRE/lib/sparc/native_threads</CODE>.
</P>

<A NAME="562235"></A>
<!--TOC=h1-"562235"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">5&#32; EXTERNAL AUTHENTICATION AND SINGLE SIGN-ON</FONT></H2>


<!--/TOC=h1-->
<A NAME="563161"></A>
<P CLASS="BP">
In order to require external authentication and disable username/ password authentication, set the <CODE>sqlnet.ora</CODE> parameter to <CODE>SQLNET.AUTHENTICATION_REQUIRED=TRUE</CODE>. The default is false.
</P>
<A NAME="563162"></A>
<P CLASS="BP">
The Identix adapter is desupported as of Oracle Advanced Security 9.0.1.
</P>
<A NAME="563163"></A>
<P CLASS="BP">
Since the previous release of Oracle Advanced Security 9.0.1, the RSA ACE/Server and tokens can authenticate Oracle users only through the RADIUS adapter. Using the RADIUS plug-in to the ACE/Server, the ACE/Server acts as the RADIUS server and authentication server. Functionality remains the same as in previous releases.
</P>
<A NAME="563164"></A>
<P CLASS="BP">
Oracle Advanced Security supports RADIUS-compliant servers and authentication devices. To use the Java-based client interface for RADIUS, you must include <CODE>$ORACLE_HOME/JRE/lib/sparc/native_threads</CODE> in <CODE>LD_LIBRARY_PATH</CODE>. To use RADIUS, you must use native threads. Set the variable <CODE>THREADS_FLAG</CODE> to "<CODE>native</CODE>" within the Java runtime environment (JRE).
</P>
<A NAME="563165"></A>
<P CLASS="BP">
During installation on a Windows platform, if you configured the RADIUS adapter, then please reboot the machine to get the JRE location. [Reference Bug 2212844]
</P>
<A NAME="563166"></A>
<P CLASS="BP">
In this release, Oracle extends support for RADIUS authorizations in Challenge-Response mode for servers brought up in either Dedicated or MTS mode.
</P>

<A NAME="563167"></A>
<!--TOC=h2-"563167"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">5.1&#32; Changes to the Startup Command</FONT></H3>
<!--/TOC=h2-->
<A NAME="563172"></A>
<P CLASS="BP">
In this release, if external authentication (using Kerberos, Cybersafe, or RADIUS) is not enabled, then please verify that you have issued the startup command with a <CODE>PFILE</CODE> option so that the parameters from your <CODE>init&lt;</CODE><EM><CODE>SID</CODE></EM><CODE>&gt;.ora</CODE> are picked up.
</P>
<A NAME="563168"></A>
<P CLASS="BP">
With Oracle 9.0.1, we introduced the server managed parameter file (<CODE>SPFILE</CODE>). The <CODE>SPFILE</CODE> can be used to store parameters that are automatically tuned by the server. When a startup command is issued without a <CODE>PFILE</CODE> option, the client requests that the server starts up using an <CODE>SPFILE</CODE>. The server looks for the <CODE>SPFILE</CODE> (<CODE>?/dbs/spfile.ora</CODE>) and reads parameters from it. If the <CODE>SPFILE</CODE> is not found, the server tries to use a default <CODE>PFILE</CODE> (<CODE>?/dbs/init@.ora</CODE>) on the server side.
</P>
<A NAME="563169"></A>
<P CLASS="BP">
If the startup command is issued with a <CODE>PFILE</CODE> option, then the existing behavior is retained.
</P>

<A NAME="561192"></A>
<!--TOC=h1-"561192"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">6&#32; ENTRUST SUPPORT</FONT></H2>


<!--/TOC=h1-->
<A NAME="563212"></A>
<P CLASS="BP">
This release supports Entrust version 5.0.2, 5.1, and 6.0 components including IPSEC Negotiator Toolkit, Entrust/Authority, and Server Login. On HP-UX 64-bit, Solaris 64-bit, and Compaq Tru 64 platforms, Oracle Advanced Security supports Entrust 6.0 PKI.
</P>
<A NAME="563213"></A>
<P CLASS="BP">
On Windows, you must install Entrust Entelligence on the client.
</P>
<A NAME="563214"></A>
<P CLASS="BP">
You must have the same version of Entrust tool kits and the Entrust Authority if you are using 5.x versions of Entrust. For example, you can use 5.1 version everywhere or 5.0.2 version for the tool kits and the Entrust/Authority. 
</P>
<A NAME="563215"></A>
<P CLASS="BP">
However, you can have Entrust 6.0 IPSEC Negotiator and Server Login tool kit with 5.1 Entrust/Authority.
</P>
<A NAME="563216"></A>
<P CLASS="BP">
In this release (just as in 9.0.1), you do not have to choose between Entrust or SSL upon installation. You can use both together since this release allows SSL and Entrust on the same machine without relinking.
</P>
<A NAME="563217"></A>
<P CLASS="BP">
You must set the <CODE>CLASSPATH</CODE> environment variable on the client (Windows or UNIX) to include the following jar files in the order they are listed:
</P>
<A NAME="563218"></A>
<P CLASS="BP">
<CODE>$ORACLE_HOME/JRE/lib/i18n.jar $ORACLE_HOME/JRE/lib/rt.jar $ORACLE_HOME/network/jlib/netentrust.jar $ORACLE_HOME/jlib/swingall-1_1_1.jar $ORACLE_HOME/jlib/ewt-3_3_18.jar $ORACLE_HOME/jlib/share-1_1_9.jar</CODE>
</P>
<A NAME="563225"></A>
<P CLASS="BP">
[Reference Bug 1794800]
</P>

<A NAME="563230"></A>
<!--TOC=h2-"563230"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">6.1&#32; Enterprise User Security Support for Entrust Users</FONT></H3>
<!--/TOC=h2-->
<A NAME="563233"></A>
<P CLASS="BP">
 Entrust users can now be managed centrally in Oracle Internet Directory. The database and Oracle Internet Directory must have Entrust <CODE>UAL</CODE> files to permit unattended login when configuring for enterprise user security. You cannot have a mixed environment such as X.509v3 certificates for some clients/servers and entrust profiles for the others. The configuration set used to set up LDAP for SSL should specify a WRL to locate the entrust <CODE>UAL</CODE> file. The WRL should have the following format:
</P>
    
<PRE CLASS="CE">
<A NAME="563234"></A>entr:&lt;UAL directory path&gt;/*.ual::&lt;ini file directory path&gt;/*.ini::1
<A NAME="563244"></A>
</PRE>    <A NAME="563235"></A>
<P CLASS="BP">
Because the Oracle Internet Directory server and the database communicate on the SSL port, the specific SSL configuration set has to be configured to use client and server authentication for <CODE>orclauthentication</CODE>. If you do not do this, then the database distinguished name (DN) will bind as <CODE>NULL</CODE>.
</P>

<A NAME="520998"></A>
<!--TOC=h1-"520998"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">7&#32; SECURE SOCKETS LAYER</FONT></H2>


<!--/TOC=h1-->
<A NAME="563261"></A>
<P CLASS="BP">
For the SSL adapter, dynamic specification of <CODE>sqlnet.ora</CODE> parameters such as <CODE>SSL_VERSION</CODE>, <CODE>SSL_CIPHER_SUITES</CODE>, and <CODE>SSL_CLIENT_AUTHENTICATION</CODE>, as part of <CODE>TNS</CODE> aliases, do not have any effect on the redirected connections made to the database server.
</P>

<A NAME="563724"></A>
<!--TOC=h2-"563724"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">7.1&#32; Known Bugs</FONT></H3>
<!--/TOC=h2-->

<DL CLASS="A1">

<DT CLASS="A1"><FONT SIZE="-1" FACE="Arial, Helvetica, sans-serif"><A NAME="563725"></A><STRONG>Bug 1661031</STRONG></FONT>
</DL>
<A NAME="563262"></A>
<P CLASS="BP">
An OCI client requires a wallet even when using a cipher suite with <CODE>DH_anon</CODE>, which does not authenticate the client. Such cipher suites are known to be vulnerable to person-in-the-middle attacks. If you use a cipher suite with <CODE>DH_anon</CODE>, then you should use Oracle Advanced Security native encryption and checksumming to protect against the attack.
</P>

<DL CLASS="A1">

<DT CLASS="A1"><FONT SIZE="-1" FACE="Arial, Helvetica, sans-serif"><A NAME="563732"></A><STRONG>Bug 2267857</STRONG></FONT>
</DL>
<A NAME="563263"></A>
<P CLASS="BP">
Certificate size limits.
</P>

<A NAME="563284"></A>
<!--TOC=h2-"563284"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">7.2&#32; Secure Sockets Layer Distinguished Name Match</FONT></H3>
<!--/TOC=h2-->
<A NAME="563287"></A>
<P CLASS="BP">
In this release (as in the previous release 9.0.1), the SSL client matches the server's global database name against the distinguished name (DN) from the server certificate. This check protects against the threat of connections to a server potentially faking its identity, in which the server has a valid X.509 v3 certificate, but not the proper certificate for this database.
</P>
<A NAME="563288"></A>
<P CLASS="BP">
Setting the <CODE>sqlnet.ora</CODE> parameter <CODE>SSL_SERVER_DN_MATCH</CODE> to <CODE>ON</CODE> or <CODE>OFF</CODE> controls the system's behavior when there is a mismatch between the service name and the DN. When set to <CODE>OFF</CODE>, if the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection succeeds but an error is written to <CODE>sqlnet.log</CODE>. When the parameter is set to <CODE>ON</CODE>, if the DN matches the service name, the connection succeeds. If it does not match, then the connection fails. <CODE>ON</CODE>, <CODE>OFF</CODE>, <CODE>TRUE</CODE>, <CODE>FALSE</CODE>, <CODE>YES</CODE>, <CODE>NO</CODE> are all acceptable values.
</P>
<A NAME="563289"></A>
<P CLASS="BP">
The corresponding Oracle Net Manager parameter "Match server X.509 name" can be set to Yes, No, or Let the Client Decide. Yes and No correspond to the <CODE>sqlnet.ora</CODE> parameter described above, while Let the Client Decide bases the behavior on the version of the client.
</P>
<A NAME="563290"></A>
<P CLASS="BP">
The following describes the two ways to properly set up the system. Oracle Corporation recommends the first.
</P>

<UL CLASS="LB1">

<LI CLASS="LB1" TYPE="DISC"><A NAME="563291"></A>The client can obtain the expected DNs for the servers it expects to connect to from tnsnames.ora. Tnsnames.ora can be on the client or in the LDAP directory. The parameter is <CODE>SSL_SERVER_CERT_DN</CODE>. A sample <CODE>tnsnames.ora</CODE> for this check is as follows:
<P>
    
<PRE CLASS="CE1">
<A NAME="563292"></A>dbalias = (description = address_list = (address = (protocol = tcps) (host = hostname) (port 
= portnum))) (connect_data = (service_name = Finance)) (security=(SSL_SERVER_
DN="CN=Finance,CN=OracleContext,C=US,O=Acme"))
<A NAME="563330"></A>
</PRE>
    
<LI CLASS="LB1" TYPE="DISC"><A NAME="563294"></A> Alternatively, the administrator can ensure that DNs in the certificates from a trusted certificate authority have a common name (CN) that matches the service name.
<P>
</UL>
<A NAME="563295"></A>
<P CLASS="BP">
Oracle Corporation recommends using Oracle Wallet Manager to remove the trusted certificates in your Oracle wallet for all of the certificate authorities that you do not use.
</P>

<A NAME="478226"></A>
<!--TOC=h1-"478226"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">8&#32; ORACLE WALLET MANAGER 3.0</FONT></H2>


<!--/TOC=h1-->

<A NAME="563349"></A>
<!--TOC=h2-"563349"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">8.1&#32; Known Bugs</FONT></H3>
<!--/TOC=h2-->

<DL CLASS="A1">

<DT CLASS="A1"><FONT SIZE="-1" FACE="Arial, Helvetica, sans-serif"><A NAME="563739"></A><STRONG>Bug 1077099</STRONG></FONT>
</DL>
<A NAME="563353"></A>
<P CLASS="BP">
Certificate request creation fails with some multibyte character sets.
</P>

<DL CLASS="A1">

<DT CLASS="A1"><FONT SIZE="-1" FACE="Arial, Helvetica, sans-serif"><A NAME="563354"></A><STRONG>Bug 1114710</STRONG></FONT>
</DL>
<A NAME="563742"></A>
<P CLASS="BP">
Oracle Wallet Manager Online Help becomes unresponsive when modal dialog boxes, such as the one to enter Certificate Request Information, pop up. The Online Help becomes responsive once the modal dialog box is closed.
</P>

<A NAME="563384"></A>
<!--TOC=h2-"563384"-->
<H3 CLASS="H2"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">8.2&#32; Oracle Wallet Manager on Solaris</FONT></H3>
<!--/TOC=h2-->
<A NAME="563391"></A>
<P CLASS="BP">
When trying to copy or paste certificates in Oracle Wallet Manager you need to use Shift+Insert and Ctrl+Insert respectively. The extended Sun keyboard keys ("Cut, Copy, Paste") will not work on Solaris.
</P>

<A NAME="521179"></A>
<!--TOC=h1-"521179"-->
<H2 CLASS="H1"><FONT FACE="Arial, Helvetica, sans-serif" COLOR="#330099">9&#32; ORACLE JAVASSL AND JSSE</FONT></H2>


<!--/TOC=h1-->
<A NAME="563408"></A>
<P CLASS="BP">