Monday, March 28, 2005
Use a RADIUS server for biometric authentication
Biometric technology is now cost-effective and functional enough for developers to use it in many application environments.
The Oracle database supports some of the protocols that are commonly used for biometric authentication. This e-newsletter will teach you how to configure biometric authentication without customization.
When researching biometric devices, you need to know that Oracle's SQL*Net authentication layer mainly uses Remote Authentication Dial-In User Service (RADIUS), a client/server protocol defined in RFC 2138 (authentication) and RFC 2139 (accounting). (Oracle 8 did support Identix and SecurID authentication, but Oracle now recommends upgrading to CyberSafe, RADIUS, Kerberos, or SSL.) Many RADIUS servers use LDAP directories to store related biometric data, but there are also many that can store data in a SQL RDBMS.
First, install RADIUS-compliant client software on the same machine as the Oracle database server and each client that will be using this kind of authentication. Both the database client and database server must be able to access the RADIUS authentication server and any client utility windows (prompting for a PIN number or password confirmation) when activated.
On the database client side, you install Oracle Advanced Security and select the RADIUS method. You can do this with the UNIX utility netmgr, or by choosing Oracle | Network Administration | Net Manager from Windows' Start | Programs menu.
Once you install it, you can also manually configure the SQL*Net client to use RADIUS authentication by adding the following line to the local sqlnet.ora file:
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
On the database server side, you must generate a radius.key file from the RADIUS server. You should copy this file to the $ORACLE_HOME/network/security directory. Then, you need to use the netmgr program on the database server machine to configure the RADIUS server's host name, port number, timeout, number of retries, and location of radius.key file options. You can do this manually by adding the following lines to the database sqlnet.ora file:
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=localhost
SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(15)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(3)
SQLNET.RADIUS_SECRET=(?/network/security/radius.key)
SQLNET.RADIUS_CHALLENGE_RESPONSE=(OFF)
SQLNET.RADIUS_CHALLENGE_KEYWORD=(challenge)
SQLNET.RADIUS_CLASSPATH=($ORACLE_HOME/network/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/vt.jar)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE="DefaultRadiusInterface"
SQLNET.RADIUS_SEND_ACCOUNT=OFF
You can replace the string localhost in the example above with the hostname or IP address of the machine running the RADIUS server. Unless specified, the rest of the values are the default settings. If you use PIN or password "challenges" with RADIUS, a small window should pop up asking a user for the information. This is typically in Java; you can customize it for your applications using the SQLNET.RADIUS_CLASSPATH and SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameters.
Next, you need to create or alter database user accounts to use external authentication:
SQL> CREATE USER username IDENTIFIED EXTERNALLY;
SQL> ALTER USER username IDENTIFIED EXTERNALLY;
You also need to modify the database startup parameters (init.ora) to use external/OS authentication with:
OS_ROLES=TRUE
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
The last two parameters ensure that users cannot connect to the database using OS-authenticated accounts (those starting with the "OPS$" prefix by default).
When using biometrics (with optional challenge-response), instead of a username/password to connect to a database, you should always connect to the database using connect /@database or connect / if you configure the database as the default database connect string. Since RADIUS authentication is in the SQL*Net layer, all application programs (even Oracle Forms, Reports, and OCI or PL/SQL programs) will automatically start using RADIUS and biometric authentication.
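The steps above touch two parameter files and a secret file, and a mistake in any of them (a leftover localhost placeholder, a world-readable radius.key, REMOTE_OS_AUTHENT left TRUE) silently weakens the setup. The script below is an added example, not Oracle's code and not from the original article: it parses sqlnet.ora and init.ora in the NAME=VALUE form shown above (including a parameter whose "=(...)" value continues on the next line), then checks the values against the configuration this article describes. The sample file contents are constructed from the article's fragments; the init.ora sample spells the roles parameter OS_ROLES, which is the name Oracle uses. The hostname radius.example.internal, the temporary ORACLE_HOME and the secret string are assumptions for the demo. The note about port 1812 reflects RFC 2865, which superseded RFC 2138; 1645 is the older port Oracle still uses as its default.

```python
"""Audit sqlnet.ora / init.ora for the RADIUS settings described in the article.

Added example, not Oracle's code. Sample file contents are constructed.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sqlnet.ora, mirroring the article's server-side fragment.
SAMPLE_SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=localhost
SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(15)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(3)
SQLNET.RADIUS_SECRET=(?/network/security/radius.key)
SQLNET.RADIUS_CHALLENGE_RESPONSE=(OFF)
SQLNET.RADIUS_CHALLENGE_KEYWORD=(challenge)
SQLNET.RADIUS_CLASSPATH
=($ORACLE_HOME/network/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/vt.jar)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE="DefaultRadiusInterface"
SQLNET.RADIUS_SEND_ACCOUNT=OFF
"""

# Constructed init.ora fragment (OS_ROLES is Oracle's spelling of the parameter).
SAMPLE_INIT_ORA = """\
OS_ROLES=TRUE
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
"""


def parse_ora(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines, stripping one layer of (...) or "..." around the value.

    A line without '=' is held as a parameter name; a following line that starts
    with '=' is its continuation (the RADIUS_CLASSPATH case above).
    '#' starts a comment, as in Oracle parameter files.
    """
    params: Dict[str, str] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("=") and pending:
            line, pending = pending + line, None
        if "=" not in line:
            pending = line
            continue
        name, value = line.split("=", 1)
        value = value.strip()
        if (value.startswith("(") and value.endswith(")")) or \
           (len(value) >= 2 and value[0] == value[-1] == '"'):
            value = value[1:-1]
        params[name.strip().upper()] = value
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def audit_radius_config(sqlnet: Dict[str, str], init: Dict[str, str],
                        oracle_home: str) -> List[str]:
    """Return findings for the settings the article asks for; [] means all checks passed."""
    findings: List[str] = []
    services = {s.strip().upper() for s in sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", "").split(",")}
    if "RADIUS" not in services:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include RADIUS")
    host = sqlnet.get("SQLNET.RADIUS_AUTHENTICATION", "").lower()
    if host in ("", "localhost", "127.0.0.1"):
        findings.append("SQLNET.RADIUS_AUTHENTICATION is unset or still 'localhost'; "
                        "confirm the RADIUS server really runs on the database host")
    port = _as_int(sqlnet.get("SQLNET.RADIUS_AUTHENTICATION_PORT", "1645"))
    if port is None or not 1 <= port <= 65535:
        findings.append("SQLNET.RADIUS_AUTHENTICATION_PORT is not a valid port")
    elif port == 1645:
        findings.append("info: 1645 is the legacy RADIUS port; RFC 2865 servers listen on 1812")
    for name, default in (("SQLNET.RADIUS_AUTHENTICATION_TIMEOUT", "15"),
                          ("SQLNET.RADIUS_AUTHENTICATION_RETRIES", "3")):
        n = _as_int(sqlnet.get(name, default))
        if n is None or n <= 0:
            findings.append(f"{name} must be a positive integer")
    # In Oracle parameter files a leading '?' stands for ORACLE_HOME.
    secret = sqlnet.get("SQLNET.RADIUS_SECRET", "?/network/security/radius.key")
    secret_path = oracle_home + secret[1:] if secret.startswith("?") else secret
    if not os.path.isfile(secret_path):
        findings.append(f"radius.key not found at {secret_path}")
    elif os.name == "posix" and stat.S_IMODE(os.stat(secret_path).st_mode) & 0o077:
        findings.append(f"{secret_path} is readable by group/other; restrict it to the oracle owner")
    if sqlnet.get("SQLNET.RADIUS_CHALLENGE_RESPONSE", "OFF").upper() == "ON" \
            and not sqlnet.get("SQLNET.RADIUS_CHALLENGE_KEYWORD"):
        findings.append("challenge-response is ON but SQLNET.RADIUS_CHALLENGE_KEYWORD is empty")
    if init.get("REMOTE_OS_AUTHENT", "FALSE").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT must be FALSE so remote clients cannot assert an OS identity")
    if init.get("OS_AUTHENT_PREFIX", "OPS$") != "":
        findings.append('OS_AUTHENT_PREFIX should be "" for externally identified RADIUS users')
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Audit the samples as written, then after the deployment steps the article describes."""
    sqlnet, init = parse_ora(SAMPLE_SQLNET_ORA), parse_ora(SAMPLE_INIT_ORA)
    home = tempfile.mkdtemp(prefix="oracle_home_")  # stand-in for $ORACLE_HOME
    before = audit_radius_config(sqlnet, init, home)
    # Copy radius.key into place with owner-only permissions and point the
    # configuration at the real RADIUS host and port (assumed values).
    key_dir = os.path.join(home, "network", "security")
    os.makedirs(key_dir)
    key = os.path.join(key_dir, "radius.key")
    with open(key, "w") as fh:
        fh.write("constructed-shared-secret\n")
    os.chmod(key, 0o600)
    fixed = dict(sqlnet, **{"SQLNET.RADIUS_AUTHENTICATION": "radius.example.internal",
                            "SQLNET.RADIUS_AUTHENTICATION_PORT": "1812"})
    return before, audit_radius_config(fixed, init, home)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Run it as-is to see the three findings the article's fragment produces (placeholder host, legacy port, missing key file) and the empty list once the key is in place with owner-only permissions; on a real server, point parse_ora at the files under $ORACLE_HOME/network/admin and $ORACLE_HOME/dbs.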
Scott Stephens worked for Oracle for more than 13 years in technical support, e-commerce, marketing, and software development.