de Años Mesoz
II.4. La Familia Hadrosauridae en México
Use Oracle Net Manager to specify required configuration parameters for the server (Refer to "Starting Oracle Net Manager" on page 2-2):
1. Navigate to the Oracle Advanced Security profile. (Refer to "Navigating to the Oracle Advanced Security Profile" on page 2-2) The Oracle Advanced Security SSL window is displayed. (Figure 8–5).
2. Click the SSL tab and select Configure SSL for: Server.
3. In the Wallet Directory box, enter the directory in which the Oracle wallet is located or click Browse to find it by searching the file system.
Note that if you are configuring the database-to-directory SSL connection for Enterprise User Security, then Database Configuration Assistant automatically creates a database wallet while registering the database with the directory. You must use that wallet to store the database PKI credentials for SSL-authenticated Enterprise User Security.
1. Select File, Save Network Configuration.
The sqlnet.ora and listener.ora files are updated with the following entries: wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location))) See Also:
■ "Opening an Existing Wallet" on page 9-9 ■ "Creating a New Wallet" on page 9-8 ■ "Using Auto Login" on page 9-14
Important:
■ Use Oracle Wallet Manager to create the wallet. Refer to "Creating a New Wallet" on page 9-8.
■ Use Oracle Net Manager to set the wallet location in the sqlnet.ora file.
Ensure that you enter the same wallet location when you create it and when you set the location in the sqlnet.ora file.
Note: The listener uses the wallet defined in the listener.ora file. It can use any database wallet. When SSL is configured for a server using Net Manager, the wallet location is entered into the listener.ora and the sqlnet.ora files. The listener.ora file is not relevant to the Oracle client.
To change the listener wallet location so that the listener has its own wallet, you can edit listener.ora to enter the new location.
Enabling SSL
Configuring Secure Sockets Layer Authentication 8-11
Step 3: Set the SSL Cipher Suites on the Server (Optional)
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network entities. During an SSL handshake, two entities negotiate to see which cipher suite they will use when transmitting messages back and forth.
When you install Oracle Advanced Security, the SSL cipher suites listed in Table 8–1 are set for you by default and negotiated in the order they are listed. You can override the default order by setting the SSL_CIPHER_SUITES parameter. For example, if you use Oracle Net Manager to add the cipher suite SSL_RSA_WITH_RC4_128_SHA, all other cipher suites in the default setting are ignored.
You can prioritize the cipher suites. When the client negotiates with servers regarding which cipher suite to use, it follows the prioritization you set. When you prioritize the cipher suites, consider the following:
■ Compatibility. Server and client must be configured to use compatible cipher suites for a successful connection.
■ Cipher priority and strength. Prioritize cipher suites starting with the strongest and moving to the weakest to ensure the highest level of security possible. ■ The level of security you want to use. For example, triple-DES encryption is
stronger than DES
■ The impact on performance. For example, triple-DES encryption is slower than DES.
Table 8–1 lists the SSL cipher suites supported in the current release of Oracle Advanced Security. These cipher suites are set by default when you install Oracle Advanced Security. The following table also lists the authentication, encryption, and data integrity types each cipher suite uses.
Notes: Regarding Diffie-Hellman anonymous authentication: 1. If you set the server to employ this cipher suite, then you must also set
the same cipher suite on the client. Otherwise, the connection fails.
2. If you use a cipher suite employing Diffie-Hellman anonymous, then you must set the SSL_CLIENT_AUTHENTICATION parameter to FALSE. For more information, refer to "Step 5: Set SSL Client Authentication on the Server (Optional)" on page 8-13.
3. There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client.
Table 8–1 SSL Cipher Suites
Cipher Suites Authentication Encryption Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES EDE CBC SHA-1
SSL_RSA_WITH_RC4_128_SHA RSA RC4 128 SHA-1
SSL_RSA_WITH_RC4_128_MD5 RSA RC4 128 MD5
SSL_RSA_WITH_DES_CBC_SHA RSA DES CBC SHA-1
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA DH anon 3DES EDE CBC SHA-1
SSL_DH_anon_WITH_RC4_128_MD5 DH anon RC4 128 MD5
Enabling SSL
To specify cipher suites for the server:
1. Click Add. A dialog box displays available cipher suites (Figure 8–2).
Figure 8–2 SSL Cipher Suites Window
2. Select a suite and click OK. The Cipher Suite Configuration list is updated (Figure 8–3):
SSL_RSA_EXPORT_WITH_RC4_40_MD5 RSA RC4 40 MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA RSA DES40 CBC SHA-1
SSL_RSA_WITH_AES_128_CBC_SHA1 RSA AES 128 CBC SHA-1
SSL_RSA_WITH_AES_256_CBC_SHA1 RSA AES 256 CBC SHA-1
1 AES ciphers work with Transport Layer Security (TLS 1.0) only
Table 8–1 (Cont.) SSL Cipher Suites
Enabling SSL
Configuring Secure Sockets Layer Authentication 8-13 Figure 8–3 Oracle Advanced Security SSL Window (Server)
3. Use the up and down arrows to prioritize the cipher suites. 4. Select File, Save Network Configuration.
The sqlnet.ora file is updated with the following entry: SSL_CIPHER_SUITES= (SSL_cipher_suite1 [,SSL_cipher_suite2])