DO0360-ORACLE11 - Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.

Information

Multi-tier systems may be configured in two ways: either with the database and the connecting middle-tier system both located on an internal network, or with the database on an internal network behind a firewall and the middle-tier system located in a DMZ. Where the middle-tier system is located in the DMZ, network communications between the two systems must be encrypted. In all cases, the application account requires PKI authentication. IP address restriction on connections to the backend database system, covered under a separate requirement, provides an additional layer of protection.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure PKI authentication to help protect access to the shared account.

PKI authentication may be accomplished using Oracle Advanced Security on most platforms.

On a Windows host, PKI user authentication may be performed through Active Directory or NTS authentication using the DoD CAC.

On UNIX and other hosts, Oracle Advanced Security may be used to authenticate via LDAP or SSL.

The application may need its authentication certificate stored in an Oracle Wallet or on a hardware security module (HSM) in order to authenticate.

Please see the Oracle Security Guides and the Oracle Advanced Security Guides for instructions on configuring PKI authentication.
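As an added illustration (not part of the STIG text or of Oracle's own documentation), the sqlnet.ora and listener.ora fragments below show the Oracle Advanced Security settings that enforce the encrypted TCPS (SSL/TLS) transport and certificate-based authentication of the application account described above. The wallet directory, host name, port and cipher suite are assumed placeholder values, and SSL_VERSION 1.2 assumes a database release that supports it.

```ini
# sqlnet.ora on the database host (added example; directory is a placeholder)
# Wallet holding the server certificate, its private key and the trusted DoD CA chain
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)))

# Accept only TCPS sessions that present a valid client certificate
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)

# listener.ora: expose only the TLS endpoint toward the DMZ middle tier
# (host and port are placeholders; the same WALLET_LOCATION entry is also required here)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db.internal.example)(PORT = 2484))))
SSL_CLIENT_AUTHENTICATION = TRUE
```

The application account is then bound to the middle tier's certificate with CREATE USER app_svc IDENTIFIED EXTERNALLY AS '<certificate DN>' (app_svc and the DN are placeholders), so no password is shared between the systems. From a session opened by the middle tier, SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL'), SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM dual should report the tcps protocol and SSL authentication, which is the evidence a reviewer can record for this manual check.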

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-24537r3_rule, STIG-ID|DO0360-ORACLE11, Vuln-ID|V-3440

Plugin: Unix

Control ID: 32e14518653887305b39b60a56800d03d8469a59e944053cea7c7300fa2196aa