20 Customizing the Use of Strong Authentication

You can configure multiple authentication methods under Oracle Database network encryption and strong authentication, and use conventional user name and password authentication, even if you have configured another authentication method. You also can configure your network so that Oracle clients can use a specific authentication method and Oracle servers can accept any method specified.

Topics:

Connecting with User Name and Password

To connect to an Oracle database server using a user name and password when an Oracle network and strong authentication method has been configured, then you must disable the external authentication.

With the external authentication disabled, a user can connect to a database using the following format:

% sqlplus username@net_service_name
Enter password: password

For example:

% sqlplus hr@emp
Enter password: password

Note:

You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database.

Disabling Network Encryption and Strong Authentication

You can use Oracle Net Manager to disable network encryption and strong authentication.

  1. Start Oracle Net Manager.

    • (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line:

      netmgr
      
    • (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.

  2. Expand Oracle Net Configuration, and from Local, select Profile.

  3. From the Naming list, select Network Security.

    The Network Security tabbed window appears.

  4. Select the Authentication tab (which is selected by default).

  5. Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<].

    Description of auth0001.gif follows
    Description of the illustration auth0001.gif

  6. From the File menu, select Save Network Configuration.

    The sqlnet.ora file is updated with the following entry:

    SQLNET.AUTHENTICATION_SERVICES = (NONE)
    

    Be aware that in a multitenant environment, the settings in the sqlnet.ora file apply to all pluggable databases (PDBs).

Configuring Multiple Authentication Methods

Many networks use more than one authentication method on a single security server. Accordingly, Oracle Database lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.

You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the sqlnet.ora file. Use Oracle Net Manager to add authentication methods to both clients and servers.

  1. Start Oracle Net Manager.

    • (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line:

      netmgr
      
    • (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.

  2. Expand Oracle Net Configuration, and from Local, select Profile.

  3. From the Naming list, select Network Security.

    The Network Security tabbed window appears.

  4. Select the Authentication tab.

  5. Select a method listed in the Available Methods list.

  6. Sequentially move selected methods to the Selected Methods list by clicking the right arrow (>).

  7. Arrange the selected methods in order of desired use.

    To do this, select a method in the Selected Methods list, and select Promote or Demote to position it in the list.

  8. From the File menu, select Save Network Configuration.

    The sqlnet.ora file is updated with the following entry, listing the selected authentication methods:

    SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5, RADIUS)
    

Note:

SecurID functionality is available through RADIUS; RADIUS support is built into the RSA ACE/Server.

See Also:

Chapter 19, "Configuring RADIUS Authentication" for more information

Configuring Oracle Database for External Authentication

You can use parameters to configure Oracle Database for network authentication.

Topics:

See Also:

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in the sqlnet.ora File

You must set the SQLNET.AUTHENTICATION_SERVICES parameter in the sqlnet.ora file for all clients and servers to enable each to use a supported authentication method.

  • Set the SQLNET.AUTHENTICATION_SERVICES parameter using the following syntax:

    SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)
    

    For example, for all clients and servers using Kerberos authentication:

    SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
    

By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN variable to point to the correct sqlnet.ora file. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN variable.

Setting OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you set the OS_AUTHENT_PREFIX parameter to a null value.

  • In the initialization file for the database instance, set OS_AUTHENT_PREFIX as follows:

    OS_AUTHENT_PREFIX=""
    

Note:

The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.

Caution:

If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL (" "), then do not change it, because it can inhibit previously created, externally identified users from connecting to the Oracle server.

After you have set OS_AUTHENT_PREFIX to null, then you can create external users by using the following syntax:

CREATE USER os_authent_prefix_username IDENTIFIED EXTERNALLY;

For example, to create the user king:

CREATE USER king IDENTIFIED EXTERNALLY;

The advantage of creating a user in this way is that you no longer need to maintain different user names for externally identified users. This is true for all supported authentication methods.