B Authentication Parameters
This appendix shows sample configuration files with the profile (sqlnet.ora) and database initialization file (init.ora) authentication parameters required when using CyberSafe, Kerberos, SecurID, RADIUS, or SSL authentication. It contains one section for each of these methods, followed by the wallet location parameters.
Parameters for Clients and Servers using CyberSafe Authentication
Following is a list of parameters to insert into your configuration files for clients and servers using CyberSafe.
SQLNET.ORA Parameters
SQLNET.AUTHENTICATION_SERVICES=(cybersafe)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM
INIT.ORA Parameters
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
Parameters for Clients and Servers using Kerberos Authentication
Following is a list of parameters to insert into your configuration files for clients and servers using Kerberos.
SQLNET.ORA Parameters
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
INIT.ORA Parameters
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
Parameters for Clients and Servers using SecurID Authentication
Following is a list of parameters to insert into your configuration files for clients and servers using SecurID.
SQLNET.ORA Parameters
SQLNET.AUTHENTICATION_SERVICES=(securid)
INIT.ORA Parameters
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
Parameters for Clients and Servers using RADIUS Authentication
The following table provides a list of parameters to insert into your configuration files for clients and servers using RADIUS.
SQLNET.ORA Parameters
| Parameter | Description | Default |
| --- | --- | --- |
| SQLNET.RADIUS_AUTHENTICATION | To set the location of the primary RADIUS server, either as a host name or in dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine. | localhost |
| SQLNET.RADIUS_AUTHENTICATION_PORT | To set the listening port of the primary RADIUS server. | 1645 |
| SQLNET.RADIUS_AUTHENTICATION_TIMEOUT | To set the time to wait for a response. | 5 |
| SQLNET.RADIUS_AUTHENTICATION_RETRIES | To set the number of times to re-send. | 3 |
| SQLNET.RADIUS_SEND_ACCOUNTING | To turn accounting ON or OFF. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one; the default accounting port is therefore 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user logs on to the system. | OFF |
| SQLNET.RADIUS_ALTERNATE | To set the location of the alternate RADIUS server to be used in case the primary server is unavailable. This feature is set to OFF by default. If you want to set up a second RADIUS server for fault tolerance, you need to specify the host name or the IP address of the host where the second RADIUS server is located. | NONE |
| SQLNET.RADIUS_ALTERNATE_PORT | To set the listening port for the alternate RADIUS server. | 1645 |
| SQLNET.RADIUS_ALTERNATE_TIMEOUT | To set the time to wait for a response. | 5 |
| SQLNET.RADIUS_ALTERNATE_RETRIES | To set the number of times to re-send messages. | 3 |
| SQLNET.RADIUS_CHALLENGE_RESPONSE | To turn challenge/response support ON or OFF. | OFF |
| SQLNET.RADIUS_CHALLENGE_KEYWORD | To set the keyword to request a challenge from the RADIUS server. The user types no password on the client. | challenge |
| SQLNET.RADIUS_AUTHENTICATION_INTERFACE | To set the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. | DefaultRadiusInterface |
| SQLNET.RADIUS_CLASSPATH | If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for that graphical interface. | There is no default. You must add this parameter to the sqlnet.ora file. |
INIT.ORA Parameters
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
Parameters for Clients and Servers using SSL
There are two ways to configure a parameter:
- Static--the name of the parameter in sqlnet.ora
- Dynamic--the name of the parameter used in the security subsection of the Net8 address.
Authentication
| Attribute | Value |
| --- | --- |
| Parameter Name (static) | SQLNET.AUTHENTICATION_SERVICES |
| Parameter Name (dynamic) | AUTHENTICATION |
| Parameter Type | String LIST |
| Parameter Class | Static |
| Allowable Values | Add TCPS to the list of available authentication services. |
| Default Value | No default value. |
| Description | To control which authentication services a user wants to use. Note: the dynamic version supports the setting of only one type. |
| Existing/New Parameter | Existing |
| Syntax (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2) |
| Example (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe, securid) |
| Syntax (dynamic) | AUTHENTICATION = string |
| Example (dynamic) | AUTHENTICATION = (TCPS) |
Cipher Suites
| Attribute | Value |
| --- | --- |
| Parameter Name (static) | SSL_CIPHER_SUITES |
| Parameter Name (dynamic) | SSL_CIPHER_SUITES |
| Parameter Type | String LIST |
| Parameter Class | Static |
| Allowable Values | Any known SSL cipher suite |
| Default Value | No default |
| Description | To control which combination of encryption and data integrity is used by SSL. |
| Existing/New Parameter | New |
| Syntax (static) | SSL_CIPHER_SUITES=(SSL cipher suite1 [, SSL cipher suite2, ... SSL cipher suiteN]) |
| Example (static) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
| Syntax (dynamic) | SSL_CIPHER_SUITES=(SSL cipher suite1 [, SSL cipher suite2, ... SSL cipher suiteN]) |
| Example (dynamic) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
Supported SSL Cipher Suites
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA
- SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL Version
| Attribute | Value |
| --- | --- |
| Parameter Name (static) | SSL_VERSION |
| Parameter Name (dynamic) | SSL_VERSION |
| Parameter Type | string |
| Parameter Class | Static |
| Allowable Values | Any version that is valid for SSL (0, 3.0). |
| Default Value | "0" |
| Description | To force the version of the SSL connection. |
| Existing/New Parameter | New |
| Syntax (static) | SSL_VERSION=version |
| Example (static) | SSL_VERSION=3.0 |
| Syntax (dynamic) | SSL_VERSION=version |
| Example (dynamic) | SSL_VERSION=3.0 |
SSL Client Authentication
| Attribute | Value |
| --- | --- |
| Parameter Name (static) | SSL_CLIENT_AUTHENTICATION |
| Parameter Name (dynamic) | SSL_CLIENT_AUTHENTICATION |
| Parameter Type | Boolean |
| Parameter Class | Static |
| Allowable Values | TRUE/FALSE |
| Default Value | TRUE |
| Description | To control whether a client--in addition to the server--is authenticated using SSL. |
| Existing/New Parameter | New |
| Syntax (static) | SSL_CLIENT_AUTHENTICATION={TRUE \| FALSE} |
| Example (static) | SSL_CLIENT_AUTHENTICATION=FALSE |
| Syntax (dynamic) | SSL_CLIENT_AUTHENTICATION={TRUE \| FALSE} |
| Example (dynamic) | SSL_CLIENT_AUTHENTICATION=FALSE |
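As an added illustration (not code from the Oracle appendix), the following Python reads a sqlnet.ora fragment and checks the RADIUS and SSL settings documented above: the accounting port derived as listening port plus one, anonymous and export cipher suites from the supported list, an unforced SSL_VERSION, disabled client authentication, and a missing alternate RADIUS server. The sample file, host name, and port number are constructed.

```python
# Constructed sample sqlnet.ora fragment (not from the appendix); it mixes the
# RADIUS and SSL parameters so the audit below has something to flag.
SAMPLE_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES=(TCPS, radius)
SQLNET.RADIUS_AUTHENTICATION=radius1.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT=1812
SQLNET.RADIUS_SEND_ACCOUNTING=ON
SSL_CIPHER_SUITES=(SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5)
SSL_VERSION=0
SSL_CLIENT_AUTHENTICATION=FALSE
"""

def parse_sqlnet(text):
    """Parse KEY=value lines into a dict; a parenthesised value becomes a list.
    Assumes one parameter per line (the appendix also shows wrapped lists)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.strip().upper()] = value
    return params

def as_list(value):
    return value if isinstance(value, list) else [value]

def radius_accounting_port(params):
    """Accounting packets go to the listening port plus one (page: 1645 -> 1646)."""
    return int(params.get("SQLNET.RADIUS_AUTHENTICATION_PORT", 1645)) + 1

def audit(params):
    """Return the findings a reviewer would raise about these settings."""
    findings = []
    for suite in as_list(params.get("SSL_CIPHER_SUITES", [])):
        if "_anon_" in suite:  # DH_anon: no server certificate, no server authentication
            findings.append(f"{suite}: anonymous DH, server is not authenticated")
        if "_EXPORT_" in suite:  # export-grade suites use 40-bit keys
            findings.append(f"{suite}: export-grade 40-bit key")
    if str(params.get("SSL_VERSION", "0")) == "0":
        findings.append("SSL_VERSION is 0: no SSL version is forced; set 3.0 explicitly")
    if str(params.get("SSL_CLIENT_AUTHENTICATION", "TRUE")).upper() == "FALSE":
        findings.append("SSL_CLIENT_AUTHENTICATION=FALSE: only the server is authenticated")
    services = [s.lower() for s in as_list(params.get("SQLNET.AUTHENTICATION_SERVICES", []))]
    if "radius" in services and params.get("SQLNET.RADIUS_ALTERNATE", "NONE") == "NONE":
        findings.append("no SQLNET.RADIUS_ALTERNATE: single RADIUS server, no fault tolerance")
    return findings
```

Running audit(parse_sqlnet(SAMPLE_SQLNET_ORA)) on the constructed fragment yields five findings, and radius_accounting_port gives 1813 for the configured port 1812.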
Wallet Location
For any application that needs to access a wallet for loading the security credentials into the process space, you must specify the wallet location in the parameter file it reads. The syntax of the parameter for static configuration is as follows:
oss.source.my_wallet =
  (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
      (DIRECTORY=your wallet location)
    )
  )
The dynamic way of specifying this parameter is:
MY_WALLET_DIRECTORY = your wallet dir
The default wallet location is the $HOME/oracle directory.