Oracle® Database Advanced Security Administrator's Guide 11g Release 2 (11.2) Part Number E10746-01 |
|
|
View PDF |
The cryptographic libraries for SSL included in Oracle Database 10g are designed to meet FIPS 140-2 Level 2 certification. Oracle Advanced Security makes use of these cryptographic libraries for SSL authentication. Please verify the current status of the certification at the Cryptographic Modules Validation Program Web site address:
http://csrc.nist.gov/cryptval/
The security policy, which would be available at the NIST site upon successful certification, includes requirements for secure configuration of the host operating system.
The following topics are covered in this appendix:
Oracle Advanced Security SSL adapter can be configured to run in FIPS mode by setting the SSLFIPS_140
parameter to TRUE
in the fips.ora
file.
SSLFIPS_140=TRUE
This parameter is set to FALSE
by default. It must be set to TRUE
on both the client and the server for FIPS mode operation.
Make sure that the fips.ora
file is either located in the $ORACLE_HOME
/ldap/admin
directory, or is pointed to by the FIPS_HOME
environment variable. This procedure can be repeated in any Oracle home for any database server or client.
Note:
TheSSLFIPS_140
parameter replaces the SQLNET.SSLFIPS_140
parameter used in Oracle Database 10g Release 2 (10.2). The parameter needs to be set in the fips.ora
file, and not the sqlnet.ora
file.A cipher suite is a set of authentication, encryption and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see as to which cipher suite they will use when transmitting messages back and forth.
Only the following cipher suites are approved for FIPS validation:
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Oracle Advanced Security SSL cipher suites are automatically set to FIPS approved cipher suites. If you wish to configure specific cipher suites, you can do so by editing the SSL_CIPHER_SUITES
parameter in the sqlnet.ora
or the listener.ora
file.
SSL_CIPHER_SUITES=(SSL_cipher_suite1[,SSL_cipher_suite2[,..]])
You can also use Oracle Net Manager to set this parameter on the server and the client.
See Also:
"Step 3: Set the SSL Cipher Suites on the Server (Optional)" and "Step 4: Set the Client SSL Cipher Suites (Optional)" for more information on setting cipher suites.After installation, the following permissions must be verified in the operating system:
Execute permissions must be set on all Oracle executable files so as to prevent execution of Oracle Cryptographic Libraries by users who are unauthorized to do so in accordance with the system security policy.
Read and write permissions must be set on all Oracle executable files so as to prevent accidental or deliberate reading or modification of Oracle Cryptographic Libraries by any user.
To comply with FIPS 140-2 Level 2 requirements, the security policy must include procedures to prevent unauthorized users from reading, modifying or executing Oracle Cryptographic Libraries processes and the memory they are using in the operating system.
To check if FIPS mode is enabled, tracing can be added to the sqlnet.ora
file. FIPS self-test messages can be found in the trace file. Add the following lines to sqlnet.ora
to enable tracing:
trace_directory_server=trace_dir trace_file_server=trace_file trace_level_server=trace_level
For example:
trace_directory=/private/oracle/owm trace_file_server=fips_trace.trc trace_level_server=6
Trace level 6 is the minimum trace level required to check the results of the FIPS self-tests.