Oracle provides sample configuration files for the profile file (sqlnet.ora) and for the database initialization file authentication parameters used with Kerberos, RADIUS, or SSL authentication.
Topics:
Parameters for Clients and Servers Using Kerberos Authentication
Parameters for Clients and Servers Using Secure Sockets Layer
Parameters for Clients and Servers Using RADIUS Authentication
Table C-1 lists the parameters to insert into the configuration files for clients and servers using Kerberos.
Table C-1 Kerberos Authentication Parameters
File Name | Configuration Parameters |
---|---|
sqlnet.ora | SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5) SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC SQLNET.KERBEROS5_CLOCKSKEW=1200 SQLNET.KERBEROS5_CONF=/krb5/krb.conf SQLNET.KERBEROS5_CONF_MIT=(FALSE) SQLNET.KERBEROS5_REALMS=/krb5/krb.realms SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab |
Database initialization parameter file | OS_AUTHENT_PREFIX="" |
In sqlnet.ora each of these parameters goes on its own line. The keytab named by SQLNET.KERBEROS5_KEYTAB holds the service's long-term key and the credential cache named by SQLNET.KERBEROS5_CC_NAME holds the tickets, so both files must be readable only by the Oracle software owner. SQLNET.KERBEROS5_CLOCKSKEW is in seconds (1200 is 20 minutes); a larger value widens the window in which a captured ticket remains usable. OS_AUTHENT_PREFIX="" removes the default OPS$ prefix so that externally identified users are looked up by their Kerberos principal name unchanged.
There are two ways to configure a parameter for Secure Sockets Layer (SSL).
Static: The name of the parameter as it appears in the sqlnet.ora file. Parameters such as SSL_CIPHER_SUITES and SSL_VERSION can also be configured in the listener.ora file.
Dynamic: The name of the parameter as used in the SECURITY subsection of the Oracle Net address (the connect descriptor).
Table C-2 describes the static and dynamic parameters for configuring SSL on the server.
Table C-2 SSL Authentication Parameters for Clients and Servers
Attribute | Description |
---|---|
Parameter Name (static) | SQLNET.AUTHENTICATION_SERVICES |
Parameter Name (dynamic) | |
Parameter Type | String |
Parameter Class | Static |
Permitted Values | Add TCPS to the list of available authentication services. |
Default Value | No default value. |
Description | Controls which authentication services a user wants to use. Note: the dynamic version supports setting only one type. |
Existing/New Parameter | Existing |
Syntax (static) | SQLNET.AUTHENTICATION_SERVICES = (service, ...) |
Example (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS) |
Syntax (dynamic) | |
Example (dynamic) | |
Table C-3 describes the static and dynamic parameters for configuring cipher suites.
Table C-3 Cipher Suite Parameters for Secure Sockets Layer
Attribute | Description |
---|---|
Parameter Name (static) | SSL_CIPHER_SUITES |
Parameter Name (dynamic) | SSL_CIPHER_SUITES |
Parameter Type | String |
Parameter Class | Static |
Permitted Values | Any known SSL cipher suite (see the list following this table) |
Default Value | No default |
Description | Controls the combination of encryption and data integrity algorithms used by SSL. |
Existing/New Parameter | Existing |
Syntax (static) | SSL_CIPHER_SUITES = (suite, ...) |
Example (static) | SSL_CIPHER_SUITES = (SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) |
Syntax (dynamic) | |
Example (dynamic) | |
Oracle Database supports the following cipher suites:
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
Note that the cipher suites that use Advanced Encryption Standard (AES) work with Transport Layer Security (TLS 1.0) only.
Of the suites listed, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_3DES_EDE_CBC_SHA rely on algorithms (RC4, MD5, 3DES) that are cryptographically weak and should not be enabled. Prefer the SSL_ECDHE_ECDSA_WITH_AES_*_GCM_* suites, which provide forward secrecy and authenticated encryption; the SSL_RSA_* suites use static RSA key exchange, so a compromised server key decrypts recorded sessions.
Table C-4 describes the static and dynamic parameters for configuring the version of SSL to be used.
Table C-4 Secure Sockets Layer Version Parameters
Attribute | Description |
---|---|
Parameter Name (static) | SSL_VERSION |
Parameter Name (dynamic) | SSL_VERSION |
Parameter Type | String |
Parameter Class | Static |
Permitted Values | Any version that is valid for SSL: 0 (any version), 1.0 (TLS 1.0), 2.0 (SSL 2.0), or 3.0 (SSL 3.0) |
Default Value | "0" |
Description | Forces the version of the SSL connection. SSL 2.0 and SSL 3.0 are obsolete and should not be pinned; use the newest TLS value the release accepts. |
Existing/New Parameter | New |
Syntax (static) | SSL_VERSION = version |
Example (static) | SSL_VERSION = 1.0 |
Syntax (dynamic) | |
Example (dynamic) | |
Table C-5 describes the static and dynamic parameters for configuring SSL on the client.
Table C-5 Secure Sockets Layer Client Authentication Parameters
Attribute | Description |
---|---|
Parameter Name (static) | SSL_CLIENT_AUTHENTICATION |
Parameter Name (dynamic) | SSL_CLIENT_AUTHENTICATION |
Parameter Type | Boolean |
Parameter Class | Static |
Permitted Values | TRUE or FALSE |
Default Value | TRUE |
Description | Controls whether the client, in addition to the server, is authenticated using SSL (mutual authentication). Set it on the server side to require a client certificate. |
Existing/New Parameter | New |
Syntax (static) | SSL_CLIENT_AUTHENTICATION = {TRUE | FALSE} |
Example (static) | SSL_CLIENT_AUTHENTICATION = TRUE |
Syntax (dynamic) | |
Example (dynamic) | |
Several parameters are used to validate the identity of the server that the client connects to.
Table C-6 describes the SSL_SERVER_DN_MATCH parameter.
Table C-6 SSL_SERVER_DN_MATCH Parameter
Attribute | Description |
---|---|
Parameter Name | SSL_SERVER_DN_MATCH |
Where stored | sqlnet.ora |
Purpose | Use this parameter to force the server's distinguished name (DN) to match its service name. When the match is enforced, SSL accepts the connection only if the certificate the server presents belongs to the server the client intended to reach. When the match is not enforced, SSL still performs the comparison but permits the connection whether or not the DN matches, so any host holding a certificate from a trusted CA could impersonate the server. |
Values | ON, YES or TRUE to enforce the match; OFF, NO or FALSE to check without enforcing |
Default | Oracle8i or later: FALSE. The SSL client always checks the server DN; if it does not match the service name, the connection succeeds but an error is logged. |
Usage Notes | Additionally configure the SSL_SERVER_CERT_DN parameter (Table C-7) so that the client knows which DN to expect from the server. |
Table C-7 describes the SSL_SERVER_CERT_DN parameter.
Table C-7 SSL_SERVER_CERT_DN Parameter
Attribute | Description |
---|---|
Parameter Name | SSL_SERVER_CERT_DN |
Where stored | tnsnames.ora (the SECURITY subsection of the connect descriptor) |
Purpose | This parameter specifies the distinguished name (DN) of the server. From it the client obtains the DN it expects from each server, which is what SSL_SERVER_DN_MATCH compares against the certificate the server presents. |
Values | Set to the distinguished name (DN) of the server. |
Default | N/A |
Usage Notes | Additionally configure the SSL_SERVER_DN_MATCH parameter (Table C-6); without it a DN mismatch is logged but does not reject the connection. |
Example | |
For any application that must access an Oracle wallet to load security credentials into its process space, you must specify the wallet location parameters.
Table C-8 lists the wallet location parameters. Specify them in the following configuration files:
sqlnet.ora
listener.ora
Table C-8 Wallet Location Parameters
Static Configuration | Dynamic Configuration |
---|---|
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=your_wallet_dir) ) ) | MY_WALLET_DIRECTORY = your_wallet_dir |
The default wallet location is the ORACLE_HOME directory. Whatever location you choose, the wallet directory and the files in it must be readable only by the Oracle software owner, because they contain the private key that authenticates the client or server.
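The static and dynamic forms from Tables C-2 through C-8 side by side, as an added example that is not part of the Oracle documentation: a POSIX shell script that writes a weak client sqlnet.ora next to a hardened one and a tnsnames.ora entry carrying the dynamic SSL_SERVER_CERT_DN and MY_WALLET_DIRECTORY settings, then audits both profiles for an obsolete SSL_VERSION, RC4/MD5/3DES cipher suites and a disabled SSL_SERVER_DN_MATCH. The host name, DN, service name and wallet directory are invented for the example; SSL_CLIENT_AUTHENTICATION is the parameter Table C-5 describes.

```shell
#!/bin/sh
# Added example (not Oracle's code): write a weak and a hardened client
# sqlnet.ora plus a tnsnames.ora entry, then audit the TLS settings.
# Host names, DNs and wallet paths are made up for illustration.
set -u

WORK="${TMPDIR:-/tmp}/sqlnet-audit.$$"
mkdir -p "$WORK"

# Static form (sqlnet.ora). This profile is what a reviewer would flag:
# obsolete SSL 3.0, RC4/3DES suites, no server DN check.
cat > "$WORK/sqlnet.ora.weak" <<'EOF'
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 3.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = OFF
WALLET_LOCATION = (SOURCE = (METHOD = File) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/client)))
EOF

# The same profile hardened: newest TLS value listed in Table C-4,
# ECDHE/AES-GCM suites only, mutual authentication, DN matching enforced.
cat > "$WORK/sqlnet.ora.hardened" <<'EOF'
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 1.0
SSL_CIPHER_SUITES = (SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_SERVER_DN_MATCH = ON
WALLET_LOCATION = (SOURCE = (METHOD = File) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/client)))
EOF

# Dynamic form: the SECURITY subsection of a connect descriptor. With
# SSL_SERVER_DN_MATCH = ON the client rejects a server certificate whose
# DN differs from SSL_SERVER_CERT_DN (Tables C-6 and C-7).
cat > "$WORK/tnsnames.ora" <<'EOF'
finance_tls =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = tcps)(HOST = db1.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = finance.example.com))
    (SECURITY =
      (SSL_SERVER_CERT_DN = "cn=db1.example.com,ou=dba,o=Example,c=US")
      (MY_WALLET_DIRECTORY = /etc/ORACLE/WALLETS/client)))
EOF

# param FILE NAME: value of a single-line parameter, stripped of whitespace
# and parentheses (not suitable for the nested WALLET_LOCATION value).
param() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    head -n 1 | tr -d ' ()'
}

# Configured suites that use RC4, MD5 or 3DES, one per line; empty if none.
weak_suites() {
  param "$1" SSL_CIPHER_SUITES | tr ',' '\n' | grep -E 'RC4|MD5|3DES' || true
}

# Succeeds only when server DN matching is enforced (ON, YES or TRUE).
dn_match_enforced() {
  case "$(param "$1" SSL_SERVER_DN_MATCH | tr '[:lower:]' '[:upper:]')" in
    ON|YES|TRUE) return 0 ;;
    *)           return 1 ;;
  esac
}

# Fails when SSL_VERSION is pinned to obsolete SSL 2.0 or 3.0.
version_acceptable() {
  case "$(param "$1" SSL_VERSION)" in
    2.0|3.0) return 1 ;;
    *)       return 0 ;;
  esac
}

# audit FILE: print one line per finding; return the number of failed checks.
audit() {
  f=$1
  fails=0
  version_acceptable "$f" ||
    { echo "FAIL $f: SSL_VERSION pins obsolete SSL 2.0/3.0"; fails=$((fails + 1)); }
  dn_match_enforced "$f" ||
    { echo "FAIL $f: SSL_SERVER_DN_MATCH is not ON"; fails=$((fails + 1)); }
  ws=$(weak_suites "$f")
  [ -z "$ws" ] ||
    { echo "FAIL $f: weak suites: $(printf '%s' "$ws" | tr '\n' ' ')"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ] && echo "PASS $f"
  return "$fails"
}

audit "$WORK/sqlnet.ora.weak" || true   # three FAIL lines
audit "$WORK/sqlnet.ora.hardened"       # PASS
```

SSL_VERSION = 1.0 is the newest value Table C-4 lists; on a release that accepts it, pin a newer TLS version instead. The script creates its files under $TMPDIR (or /tmp) and leaves them there for inspection; point audit at a real sqlnet.ora to use it outside the example.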
Oracle provides parameters for RADIUS authentication.
The sqlnet.ora file enables you to include the parameters that specify RADIUS authentication.
The SQLNET.AUTHENTICATION_SERVICES parameter configures the client or the server to use the RADIUS adapter. Table C-9 describes the SQLNET.AUTHENTICATION_SERVICES parameter attributes.
The SQLNET.RADIUS_AUTHENTICATION parameter sets the location of the primary RADIUS server, as either a host name or an IP address in dotted-decimal format. If the RADIUS server is on a different computer from the Oracle server, you must specify the host name or the IP address of that computer. Table C-10 describes the SQLNET.RADIUS_AUTHENTICATION parameter attributes.
The SQLNET.RADIUS_AUTHENTICATION_PORT parameter sets the listening port of the primary RADIUS server. Table C-11 describes the SQLNET.RADIUS_AUTHENTICATION_PORT parameter attributes.
The SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter sets the time to wait for a response. Table C-12 describes the SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter attributes.
The SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter sets the number of times to resend authentication information. Table C-13 describes the SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter attributes.
The SQLNET.RADIUS_SEND_ACCOUNTING parameter turns accounting on and off. If you enable accounting, accounting packets are sent to the active RADIUS server at its listening port plus one; with the default authentication port this is port 1646. Turn this feature on only when your RADIUS server supports accounting and you want to record how many times a user logs on to the system. Table C-14 describes the SQLNET.RADIUS_SEND_ACCOUNTING parameter attributes.
The SQLNET.RADIUS_SECRET parameter specifies the file name and location of the file holding the RADIUS shared secret. The shared secret is what authenticates the exchange between the Oracle client or server and the RADIUS server, so the file must be readable only by the Oracle software owner. Table C-15 describes the SQLNET.RADIUS_SECRET parameter attributes.
The SQLNET.RADIUS_ALTERNATE parameter sets the location of an alternate RADIUS server to use, for fault tolerance, if the primary server becomes unavailable. Table C-16 describes the SQLNET.RADIUS_ALTERNATE parameter attributes.
The SQLNET.RADIUS_ALTERNATE_PORT parameter sets the listening port of the alternate RADIUS server. Table C-17 describes the SQLNET.RADIUS_ALTERNATE_PORT parameter attributes.
The SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter sets the time to wait for a response from the alternate RADIUS server. Table C-18 describes the SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter attributes.
The SQLNET.RADIUS_ALTERNATE_RETRIES parameter sets the number of times to resend authentication information to the alternate RADIUS server. Table C-19 describes the SQLNET.RADIUS_ALTERNATE_RETRIES parameter attributes.
The SQLNET.RADIUS_CHALLENGE_RESPONSE parameter turns challenge-response (asynchronous) mode support on or off. Table C-20 describes the SQLNET.RADIUS_CHALLENGE_RESPONSE parameter attributes.
The SQLNET.RADIUS_CHALLENGE_KEYWORD parameter sets the keyword that requests a challenge from the RADIUS server; the user types no password on the client. Table C-21 describes the SQLNET.RADIUS_CHALLENGE_KEYWORD parameter attributes.
The SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter sets the name of the Java class that contains the graphical user interface used when RADIUS is in challenge-response (asynchronous) mode. Table C-22 describes the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter attributes.
If you decide to use the challenge-response authentication mode, then RADIUS presents the user with a Java-based graphical interface requesting first a password and then additional information, for example a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter to the sqlnet.ora file to set the path to the Java classes for that graphical interface and the path to the JDK Java libraries. Table C-23 describes the SQLNET.RADIUS_CLASSPATH parameter attributes.
At minimum, you must set the SQLNET.AUTHENTICATION_SERVICES and SQLNET.RADIUS_AUTHENTICATION parameters (the latter is sometimes written sqlnet.radius.authentication, but the parameter name uses an underscore):
SQLNET.AUTHENTICATION_SERVICES = (RADIUS)
SQLNET.RADIUS_AUTHENTICATION = IP-address-of-RADIUS-server
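A minimal RADIUS client profile and the checks a reviewer would run on it, as an added example that is not part of the Oracle documentation. The server addresses, ports, timeout and secret-file path are invented. Beyond what the text states for the default port, the script derives the accounting port from whatever SQLNET.RADIUS_AUTHENTICATION_PORT is set to (the port plus one: 1646 for the default, 1813 for a server on the RFC 2865 port 1812), lists the primary and alternate servers in fail-over order, and verifies that the SQLNET.RADIUS_SECRET file is a regular file with no group or other permission bits.

```shell
#!/bin/sh
# Added example (not Oracle's code): a constructed RADIUS client profile
# and the checks a reviewer would run on it. Addresses, ports and the
# secret path are made up for illustration.
set -u

WORK="${TMPDIR:-/tmp}/radius-audit.$$"
mkdir -p "$WORK"

# Shared secret file named by SQLNET.RADIUS_SECRET (constructed value).
printf '%s' 'constructed-shared-secret' > "$WORK/radius.key"
chmod 600 "$WORK/radius.key"

cat > "$WORK/sqlnet.ora" <<EOF
SQLNET.AUTHENTICATION_SERVICES = (RADIUS)
SQLNET.RADIUS_AUTHENTICATION = 192.0.2.10
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT = 5
SQLNET.RADIUS_AUTHENTICATION_RETRIES = 3
SQLNET.RADIUS_ALTERNATE = 192.0.2.11
SQLNET.RADIUS_ALTERNATE_PORT = 1812
SQLNET.RADIUS_SEND_ACCOUNTING = ON
SQLNET.RADIUS_SECRET = $WORK/radius.key
EOF

# param FILE NAME: value of one parameter, whitespace and parentheses removed.
# The name must be followed by '=' so RADIUS_AUTHENTICATION does not also
# match RADIUS_AUTHENTICATION_PORT.
param() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    head -n 1 | tr -d ' ()'
}

# Port the authentication requests go to; 1645 when unset, which is the
# default the text's "accounting on port 1646" corresponds to.
auth_port() {
  p=$(param "$1" SQLNET.RADIUS_AUTHENTICATION_PORT)
  echo "${p:-1645}"
}

# Accounting packets go to the authentication port plus one.
accounting_port() {
  echo $(( $(auth_port "$1") + 1 ))
}

# Succeeds when the secret file exists, is a regular file and grants no
# group/other permission bits (read from the portable 'ls -l' mode field).
secret_file_private() {
  sf=$(param "$1" SQLNET.RADIUS_SECRET)
  [ -f "$sf" ] || return 1
  [ "$(ls -ld "$sf" | cut -c5-10)" = "------" ]
}

# Servers the client will try, in order: primary, then alternate if set.
server_list() {
  param "$1" SQLNET.RADIUS_AUTHENTICATION
  alt=$(param "$1" SQLNET.RADIUS_ALTERNATE)
  [ -z "$alt" ] || echo "$alt"
}

echo "auth port:       $(auth_port "$WORK/sqlnet.ora")"
echo "accounting port: $(accounting_port "$WORK/sqlnet.ora")"
echo "servers:         $(server_list "$WORK/sqlnet.ora" | tr '\n' ' ')"
if secret_file_private "$WORK/sqlnet.ora"; then
  echo "secret file: private"
else
  echo "secret file: FAIL (readable by group or others, or missing)"
fi
```

The permission check reads the mode string from ls -l rather than stat, because the stat option syntax differs between GNU and BSD systems; a `+` or `@` after the mode (ACLs, extended attributes) does not affect the six characters examined.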