This article originally appeared in the Oracle e-newsletter. Click here to subscribe automatically.

Biometric technology is now cost-effective
and functional enough for developers to use it in many application
environments. The Oracle database supports some of the protocols
that are commonly used for biometric authentication. This
e-newsletter will teach you how to configure biometric
authentication without customization.

When researching biometric devices, you need to
know that Oracle’s SQL*Net authentication layer mainly uses Remote
Authentication Dial-In User Service (RADIUS) and client/server
protocol (RFC 2138 and RFC 2139). (Oracle 8 did support Identix and
SecurID authentication, but Oracle now recommends upgrading to
CyberSafe, RADIUS, Kerberos, or SSL.) Many RADIUS servers use LDAP
directories to store related biometric data, but there are also
many that can store data in a SQL RDBMS.

First, install RADIUS-compliant client software
on the same machine as the Oracle database server and each client
that will be using this kind of authentication. Both the database
client and database server must be able to access the RADIUS
authentication server and any client utility windows (prompting for
a PIN number or password confirmation) when activated.

On the database client side, you install Oracle
Advanced Security and select the RADIUS method. You can do this
with the UNIX utility netmgr, or by choosing Oracle | Network
Administration | Net Manager from Windows’ Start | Programs menu.
Once you install it, you can also manually configure the SQL*Net
client to use RADIUS authentication by adding the following line to
the local sqlnet.ora file:

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)

On the database server side, you must generate
a radius.key file from the RADIUS server. You should copy this file
to the $ORACLE_HOME/network/security directory. Then, you need to
use the netmgr program on the database server machine to configure
the RADIUS server’s host name, port number, timeout, number of
retries, and location of radius.key file options. You can do this
manually by adding the following lines to the database sqlnet.ora
file:

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=localhost
SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(15)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(3)
SQLNET.RADIUS_SECRET=(?/network/security/radius.key)
SQLNET.RADIUS_CHALLENGE_RESPONSE=(OFF)
SQLNET.RADIUS_CHALLENGE_KEYWORD=(challenge)
SQLNET.RADIUS_CLASSPATH
 = $ORACLE_HOME/network/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/vt.jar)

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=”DefaultRadiusInterface

SQLNET.RADIUS_SEND_ACCOUNT=OFF

You can replace the string localhost in
the example above with the hostname or IP address of the machine
running the RADIUS server. Unless specified, the rest of the values
are the default settings. If you use PIN or password “challenges”
with RADIUS, a small window should pop up asking a user for the
information. This is typically in Java; you can customize it for
your applications using the SQLNET.RADIUS_CLASSPATH and
SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameters.

Next, you need to create or alter database user
accounts to use external authentication:

SQL> CREATE USER username IDENTIFIED
EXTERNALLY;
SQL> ALTER USER username IDENTIFIED EXTERNALLY;

You also need to modify the database startup
parameters (init.ora) to use external/OS authentication with:

OS_ROLE=TRUE
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=””

The last two parameters ensure that users
cannot connect to the database using OS-authenticated accounts
(those starting an “OPS$” prefix by default).

When using biometrics (with optional
challenge-response), instead of a username/password to connect to a
database, you should always connect to the database using connect /@database or connect / if you configure
the database as the default database connect string. Since RADIUS
authentication is in the SQL*Net layer, all application programs
(even Oracle Forms, Reports, and OCI or PL/SQL programs) will
automatically start using RADIUS and biometric authentication.

Scott Stephens worked for Oracle for more than 13 years in technical support, e-commerce, marketing, and software development. For more of his Oracle tips, visit our Oracle Dev Tips Library.