What is the process of determining the identity of a client usually by a login process?
Authentication means verifying the identity of someone (a user, device, or an entity) who wants to access data, resources, or applications. Validating that identity establishes a trust relationship for further interactions. Authentication also enables accountability by making it possible to link access and actions to specific identities. After authentication, authorization processes can allow or limit the levels of access and action permitted to that entity as described in Chapter 5, "Authorization: Privileges, Roles, Profiles, and Resource Limitations".
To validate the identity of database users and prevent unauthorized use of a database user name, you can authenticate users by using any combination of the methods described in the following sections. Oracle allows a single database instance to use any or all methods. Oracle requires special authentication procedures for database administrators, because they perform special database operations. Oracle also encrypts passwords during transmission to ensure the security of network authentication.
Authentication by the Operating System
Some operating systems permit Oracle to use information they maintain to authenticate users. This has the following benefits:
When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care.
Authentication by the Network
Authentication over a network is handled by the SSL protocol or by third-party services as described in the following subsections:
Authentication Using SSL
The Secure Sockets Layer (SSL) protocol is an application layer protocol. It can be used for user authentication to a database, and it is independent of global user management in Oracle Internet Directory. That is, users can use SSL to authenticate to the database even without a directory server in place.
Authentication Using Third-Party Services
Authentication over a network makes use of third-party network authentication services. Prominent examples include Kerberos, Public Key Infrastructure (PKI), the Remote Authentication Dial-In User Service (RADIUS), and directory-based services, as described in the following subsections. If network authentication services are available to you, then Oracle can accept authentication from the network service. If you use a network authentication service, then some special considerations arise for network roles and database links. Note: To use a network authentication service with Oracle, you need Oracle Enterprise Edition with the Oracle Advanced Security option.
Kerberos Authentication
Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server, or through Cybersafe Active Trust, a commercial Kerberos-based authentication server.
PKI-Based Authentication
Authentication systems based on PKI issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without directly involving an authentication server. Oracle provides a PKI for using public keys and certificates, consisting of the following components:
Oracle public key infrastructure is illustrated in Figure 4-1.
Authentication with RADIUS
Oracle supports remote authentication of users through the Remote Authentication Dial-In User Service (RADIUS), a standard lightweight protocol used for user authentication, authorization, and accounting.
Directory-Based Services
Using a central directory can make authentication and its administration extremely efficient. Directory-based services include the following:
Authentication by Oracle Database
Oracle Database can authenticate users attempting to connect to a database, by using information stored in that database itself. To set up Oracle Database to use database authentication, you must create each user with an associated password. The user must provide this user name and password when attempting to establish a connection. This process prevents unauthorized use of the database, because the connection will be denied if the user provides an incorrect password. Oracle Database stores user passwords in the data dictionary in an encrypted format to prevent unauthorized alteration. Users can change their passwords at any time. To identify the authentication protocols that are allowed by a client or a database, a DBA can explicitly set the
Database authentication includes the following features:
Password Encryption While Connecting
Passwords are always automatically and transparently encrypted during network (client/server and server/server) connections, using AES (Advanced Encryption Standard) before sending them across the network.
Account Locking
Oracle can lock a user's account after a specified number of consecutive failed login attempts. You can configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked. Use the
The database administrator can also lock accounts manually, so that they cannot unlock automatically but must be unlocked explicitly by the database administrator. Note: Failed login attempts will be limited by default in future Oracle Database releases.
Password Lifetime and Expiration
The database administrator can specify a lifetime for passwords, after which they expire and must be changed before account login is again permitted. A grace period can be established, during which each attempt to log in to the database account receives a warning message to change the password. If it is not changed by the end of that period, then the account is locked. No further logins to that account are allowed without assistance by the database administrator. The database administrator can also set the password state to expired, causing the user account status to change to expired. The user or the database administrator must then change the password before the user can log in to the database.
Password History
The password history option checks each newly specified password to ensure that a password is not reused for a specified amount of time or for a specified number of password changes. The database administrator can configure the rules for password reuse with
Password Complexity Verification
Complexity verification checks that each password is complex enough to provide reasonable protection against intruders who try to break into the system by guessing passwords. The sample Oracle password complexity verification routine (the PL/SQL script
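The account locking, password lifetime, password history and complexity features described above are all applied through a user profile. The following is an added example, not code from the Oracle guide: a verification function in the (username, password, old_password) -> BOOLEAN shape Oracle requires, and a profile that wires the lockout, expiration and reuse limits to it. The names secure_pw_verify, app_users_profile and jsmith are assumptions.

```sql
-- Added example (not from the Oracle guide). Names secure_pw_verify,
-- app_users_profile and jsmith are assumptions for this illustration.
CREATE OR REPLACE FUNCTION secure_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    diffs PLS_INTEGER := 0;
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the user name');
    END IF;
    -- at least one letter, one digit and one non-alphanumeric character
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        raise_application_error(-20003, 'Password needs a letter, a digit and a symbol');
    END IF;
    -- a same-length new password must differ from the old one in >= 3 positions
    IF old_password IS NOT NULL AND LENGTH(password) = LENGTH(old_password) THEN
        FOR i IN 1 .. LENGTH(password) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                diffs := diffs + 1;
            END IF;
        END LOOP;
        IF diffs < 3 THEN
            raise_application_error(-20004, 'New password is too similar to the old one');
        END IF;
    END IF;
    RETURN TRUE;
END;
/

-- Profile: lock after 5 consecutive failures with automatic unlock after 1 hour,
-- 90-day lifetime with a 7-day grace period, and no reuse within 365 days or
-- the last 10 changes (both REUSE limits must be set for history to apply).
CREATE PROFILE app_users_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    PASSWORD_VERIFY_FUNCTION secure_pw_verify;
ALTER USER jsmith PROFILE app_users_profile;
ALTER USER jsmith PASSWORD EXPIRE;   -- force a change at the next login
```

Oracle requires the verification function to be owned by SYS, and setting PASSWORD_LOCK_TIME to UNLIMITED makes a locked account require explicit administrator unlocking instead of unlocking on its own.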
Multitier Authentication and Authorization
In a multitier environment, Oracle controls the security of middle-tier applications by limiting their privileges, preserving client identities through all tiers, and auditing actions taken on behalf of clients. In applications that use a heavy middle tier, such as a transaction processing monitor, the identity of the clients connecting to the middle tier must be preserved. One advantage of using a middle tier is connection pooling, which allows multiple users to access a data server without each of them needing a separate connection. In such environments, you need to be able to set up and break down connections very quickly. For these environments, Oracle database administrators can use the Oracle Call Interface to create lightweight sessions, which allow database password authentication for each user. This method preserves the identity of the real user through the middle tier without the overhead of a separate database connection for each user. You can create lightweight sessions with or without passwords. However, if a middle tier is outside or on a firewall, then security is better when each lightweight session has its own password. For an internal application server, lightweight sessions without passwords might be appropriate. Issues of administration and security in multitier environments are discussed in the following sections:
Clients, Application Servers, and Database Servers
In a multitier environment, an application server provides data for clients and serves as an interface from them to one or more database servers. The application server can validate the credentials of a client, such as a web browser, and the database server can audit operations performed by the application server. These auditable operations include actions performed by the application server on behalf of clients, such as requests that information be displayed on the client. A request to connect to the database server is an example of an application server operation not related to a specific client. Note: While client-side authentication is possible, Oracle strongly recommends disabling it by setting the
Authentication in a multitier environment is based on trust regions. Client authentication is the domain of the application server. The application server itself is authenticated by the database server. The following operations are performed:
Application servers can also enable roles for a client on whose behalf they connect. The application server can obtain these roles from a directory, which thus serves as an authorization repository. The application server can only request that these roles be enabled. The database verifies the following requirements:
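Proxy authentication is one way to realize the trust regions just described: the database authenticates the application server, the application server opens sessions on behalf of a client, and the database enforces which clients and roles the server may act for. This is an added example, not from the Oracle guide; the names appserver, jsmith and clerk_role are assumptions.

```sql
-- Added example (not from the Oracle guide). Names appserver, jsmith and
-- clerk_role are assumptions for this illustration.

-- The application server's own account, authenticated by the database server.
-- It holds only the privilege it needs for itself: opening a session.
CREATE USER appserver IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION TO appserver;

-- Let appserver open sessions as jsmith, limited to clerk_role. The database
-- enforces that (1) appserver has been authorized to connect through jsmith
-- and (2) clerk_role is among the roles actually granted to jsmith.
ALTER USER jsmith GRANT CONNECT THROUGH appserver WITH ROLE clerk_role;

-- From the middle tier the session is then opened as appserver[jsmith].
-- Inside that session both identities remain visible: SESSION_USER is the
-- client (jsmith) and PROXY_USER is the middle tier (appserver).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS client_identity,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier_identity
FROM dual;

-- Audit what the middle tier does on the client's behalf, so its own actions
-- stay distinguishable from actions performed for jsmith.
AUDIT SELECT TABLE BY appserver ON BEHALF OF jsmith;

-- Retire the proxy path when it is no longer needed.
ALTER USER jsmith REVOKE CONNECT THROUGH appserver;
```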
Figure 4-2 shows an example of multitier authentication.
Security Issues for Middle-Tier Applications
Security for middle-tier applications must address the following key issues:
Identity Issues in a Multitier Environment
Multitier authentication maintains the identity of the client through all tiers of the connection in order to maintain useful audit records. If the identity of the originating client is lost, then specific accountability of that client is lost. It becomes impossible to distinguish operations performed by the application server on behalf of the client from those done by the application server by itself.
Restricted Privileges in a Multitier Environment
Privileges in a multitier environment must be limited to those necessary to perform the requested operation.
Client Privileges
Client privileges must be as limited as possible in a multitier environment. Operations are performed on behalf of the client by the application server.
Application Server Privileges
Application server privileges in a multitier environment must also be limited, so that the application server cannot perform unwanted or unneeded operations while performing a client operation.
Authentication of Database Administrators
Database administrators perform special operations (such as shutting down or starting up a database) that should not be performed by normal database users. Oracle provides for secure authentication of database administrator user names, for which you can choose either operating system authentication or password files. Figure 4-3 illustrates the choices you have for database administrator authentication schemes. Different choices apply to administering your database locally (on the machine where the database resides) and to administering many different database machines from a single remote client. Operating system authentication for a database administrator typically involves establishing a group on the operating system, assigning DBA privileges to that group, and then adding the names of persons who should have those privileges to that group. On UNIX systems, the special group is called the dba group.
On Microsoft Windows systems, users who connect with the
The database uses password files to keep track of those database user names that have been granted the
Oracle Database 10g Release 2 (10.2) enhances password file based authentication by making it easier to use. The following enhancements have been made:
What is the process that determines the identity of a user?
Definition: Authentication is the process of recognizing a user's identity. It is the mechanism of associating an incoming request with a set of identifying credentials.
What is the process of authentication?
Authentication is a term that refers to the process of proving that some fact or some document is genuine. In computer science, this term is typically associated with proving a user's identity.
What is a user login procedure?
The process is fairly simple: users enter their credentials on the website's login form. That information is then sent to the authentication server, where it is compared against the user credentials on file. When a match is found, the system authenticates the user and grants access to their account.
Which are the 3 ways of authenticating user identity?
Five common authentication types:
- Password-based authentication. Passwords are the most common method of authentication.
- Multi-factor authentication.
- Certificate-based authentication.
- Biometric authentication.
- Token-based authentication.