Oracle Advanced Security Administrator's Guide
Release 8.1.5

A67766-01


B
Authentication Parameters

This appendix shows some sample configuration files with the necessary profile (sqlnet.ora) and database initialization file (init.ora) authentication parameters when using CyberSafe, Kerberos, SecurID, RADIUS, or SSL authentication. It includes a section for each of these methods.

Parameters for Clients and Servers using CyberSafe Authentication

Following is a list of parameters to insert into your configuration files for clients and servers using CyberSafe.

SQLNET.ORA Parameters

SQLNET.AUTHENTICATION_SERVICES=(cybersafe)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM

INIT.ORA Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Kerberos Authentication

Following is a list of parameters to insert into your configuration files for clients and servers using Kerberos.

SQLNET.ORA Parameters

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

INIT.ORA Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SecurID Authentication

Following is a list of parameters to insert into your configuration files for clients and servers using SecurID.

SQLNET.ORA Parameters

SQLNET.AUTHENTICATION_SERVICES=(securid)

INIT.ORA Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using RADIUS Authentication

The following table provides a list of parameters to insert into your configuration files for clients and servers using RADIUS.

SQLNET.ORA Parameters

SQLNET.RADIUS_AUTHENTICATION

Description: To set the location of the primary RADIUS server, either as a host name or in dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine.

Default: localhost

SQLNET.RADIUS_AUTHENTICATION_PORT

Description: To set the listening port of the primary RADIUS server.

Default: 1645

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

Description: To set the time to wait for response.

Default: 5

SQLNET.RADIUS_AUTHENTICATION_RETRIES

Description: To set the number of times to re-send.

Default: 3

SQLNET.RADIUS_SEND_ACCOUNTING

Description: To turn accounting ON/OFF. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. Default port is 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system.

Default: OFF

SQLNET.RADIUS_ALTERNATE

Description: To set the location of the alternate RADIUS server to be used in case the primary server is unavailable. This feature is set to OFF by default. If you want to set up a second RADIUS server for fault tolerance, you need to specify the host name or the IP address of the host where the second RADIUS server is located.

Default: NONE

SQLNET.RADIUS_ALTERNATE_PORT

Description: To set the listening port for the alternate RADIUS server.

Default: 1645

SQLNET.RADIUS_ALTERNATE_TIMEOUT

Description: To set the time to wait for response.

Default: 5

SQLNET.RADIUS_ALTERNATE_RETRIES

Description: To set the number of times to re-send messages.

Default: 3

SQLNET.RADIUS_CHALLENGE_RESPONSE

Description: To turn challenge/response support ON/OFF.

Default: OFF

SQLNET.RADIUS_CHALLENGE_KEYWORD

Description: To set the keyword to request a challenge from the RADIUS server. The user types no password on the client.

Default: challenge

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

Description: To set the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode.

Default: DefaultRadiusInterface

SQLNET.RADIUS_CLASSPATH

Description: If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for that graphical interface.

Default: There is no default. You must add this parameter to the sqlnet.ora file.

INIT.ORA Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SSL

There are two ways to configure a parameter, static and dynamic; each entry below gives both forms.

Authentication

Parameter Name (static): SQLNET.AUTHENTICATION_SERVICES

Parameter Name (dynamic): AUTHENTICATION

Parameter Type: String LIST

Parameter Class: Static

Allowable Values: Add TCPS to the list of available authentication services.

Default Value: No default value.

Description: To control which authentication services a user wants to use. Note: the dynamic version supports only the setting of one type.

Existing/New Parameter: Existing

Syntax (static):

SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)

Example (static):

SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe, securid)

Syntax (dynamic):

AUTHENTICATION = string

Example (dynamic):

AUTHENTICATION = (TCPS)

Cipher Suites

Parameter Name (static): SSL_CIPHER_SUITES

Parameter Name (dynamic): SSL_CIPHER_SUITES

Parameter Type: String LIST

Parameter Class: Static

Allowable Values: Any known SSL cipher suite

Default Value: No default

Description: To control what combination of encryption and data integrity is used by SSL.

Existing/New Parameter: New

Syntax (static):

SSL_CIPHER_SUITES=(SSL cipher suite1 [, SSL cipher suite2, ... SSL cipher suiteN])

Example (static):

SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Syntax (dynamic):

SSL_CIPHER_SUITES=(SSL cipher suite1 [, SSL cipher suite2, ... SSL cipher suiteN])

Example (dynamic):

SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Supported SSL Cipher Suites

SSL Version

Parameter Name (static): SSL_VERSION

Parameter Name (dynamic): SSL_VERSION

Parameter Type: string

Parameter Class: Static

Allowable Values: Any version which is valid to SSL. (0, 3.0)

Default Value: "0"

Description: To force the version of the SSL connection.

Existing/New Parameter: New

Syntax (static):

SSL_VERSION=version

Example (static):

SSL_VERSION=3.0

Syntax (dynamic):

SSL_VERSION=version

Example (dynamic):

SSL_VERSION=3.0

SSL Client Authentication

Parameter Name (static): SSL_CLIENT_AUTHENTICATION

Parameter Name (dynamic): SSL_CLIENT_AUTHENTICATION

Parameter Type: Boolean

Parameter Class: Static

Allowable Values: TRUE/FALSE

Default Value: TRUE

Description: To control whether a client, in addition to the server, is authenticated using SSL.

Existing/New Parameter: New

Syntax (static):

SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}

Example (static):

SSL_CLIENT_AUTHENTICATION=FALSE

Syntax (dynamic):

SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}

Example (dynamic):

SSL_CLIENT_AUTHENTICATION=FALSE

Wallet Location

For any application that needs to access a wallet for loading the security credentials into the process space, you must specify the wallet location in the parameter file it reads. The syntax of the parameter for static configuration is as follows:

oss.source.my_wallet =
  (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
      (DIRECTORY=your wallet location)
    )
  )

The dynamic way of specifying this parameter is:

MY_WALLET_DIRECTORY = your wallet dir

The default wallet location is the $HOME/oracle directory.
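
The following is an added example, not part of Oracle's guide and not Oracle code: a small Python check that parses sqlnet.ora and init.ora text (including list values that span several lines) and reports where a file departs from the samples in this appendix. The COMPANIONS table, the function names and the sample input are constructed for illustration; a "not set" finding means the entry differs from the appendix's sample, since some parameters have defaults.

```python
# Added example, not Oracle code: parameters the appendix's samples list per service.
COMPANIONS = {
    "cybersafe": ["SQLNET.AUTHENTICATION_GSSAPI_SERVICE"],
    "kerberos5": ["SQLNET.AUTHENTICATION_KERBEROS5_SERVICE"] + [
        "SQLNET.KERBEROS5_" + s for s in ("CC_NAME", "CLOCKSKEW", "CONF", "REALMS", "KEYTAB")],
}

def parse_ora(text):
    """Parse NAME=value entries; a parenthesised value may span several lines."""
    params, buf = {}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        buf += line
        if buf.count("(") > buf.count(")") or buf.endswith("="):
            continue                           # value still open, keep reading
        name, _, value = buf.partition("=")
        params[name.strip().upper()] = value.strip()
        buf = ""
    if buf:                                    # for example a list missing its ")"
        raise ValueError(f"unterminated entry: {buf}")
    return params

def audit(sqlnet_text, init_text):
    """Return findings; an empty list means the files agree with the samples."""
    net, init = parse_ora(sqlnet_text), parse_ora(init_text)
    services = net.get("SQLNET.AUTHENTICATION_SERVICES", "").strip("()").lower()
    findings = []
    for svc in (s.strip() for s in services.split(",")):
        findings += [f"{svc}: {p} not set" for p in COMPANIONS.get(svc, []) if p not in net]
    if (net.get("SQLNET.RADIUS_CHALLENGE_RESPONSE", "OFF").upper() == "ON"
            and "SQLNET.RADIUS_CLASSPATH" not in net):
        findings.append("radius: challenge/response ON but SQLNET.RADIUS_CLASSPATH not set")
    if init.get("REMOTE_OS_AUTHENT", "").upper() != "FALSE":
        findings.append("init.ora: REMOTE_OS_AUTHENT is not FALSE")
    if init.get("OS_AUTHENT_PREFIX") != '""':
        findings.append('init.ora: OS_AUTHENT_PREFIX is not ""')
    return findings

# Constructed sample input, not taken from the guide or from a real system.
SAMPLE_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS,
  cybersafe, radius)
SQLNET.RADIUS_CHALLENGE_RESPONSE = ON
"""
SAMPLE_INIT = 'REMOTE_OS_AUTHENT=TRUE\nOS_AUTHENT_PREFIX=""\n'
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SQLNET, SAMPLE_INIT)))
```

Run against the constructed sample, it reports the missing CyberSafe service name, the missing RADIUS class path, and the REMOTE_OS_AUTHENT setting.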




Copyright © 1999 Oracle Corporation.

All Rights Reserved.
