The Secure Sockets Layer, commonly referred to as SSL, is another method of authentication based on externally stored credentials. The mechanism is very similar to that used in authentication based on external stores. The major difference is that in authentication based on external stores, we are still using passwords, and the normal user authentication is unaltered. In SSL-based authentication, users are defined externally or globally, and authorization is based on certificates.
In this recipe we will re-use the SSL-based connection setup that was described in Chapter 2, Securing the Network and Data in Transit. Additionally we will create a user named ssluser defined with an external identification. Before starting with the steps, set up the SSL communication as instructed in Chapter 2, Securing the Network and Data in Transit.
- Edit
$ORACLE_HOME/network/admin/sqlnet.oraand setSSL_CLIENT_AUTHENTICATIONtoTRUE, as follows:SSL_CLIENT_AUTHENTICATION = TRUE - Include TCPS if it is used as the authentication method in
SQLNET.AUTHENTICATION_SERVICES, as follows:SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS) - Repeat steps 2 and 3 on the client host.
- On the server host, bounce the listener.
- Connect as the user
systemand create the userssluserthat is identified externally, as follows:SQL> create user ssluser identified externally as 'CN=PacktPub_C,C=GB'; User created.
- Grant the
create sessionprivilege to the userssluser, as follows:SQL> grant create session to ssluser; Grant succeeded.
- From the client side, authenticate the user without the password, as follows:
SQL> conn /@hackdb_ssl Connected