You can configure multiple authentication methods under Oracle Database network encryption and strong authentication, and use conventional user name and password authentication, even if you have configured another authentication method. You also can configure your network so that Oracle clients can use a specific authentication method and Oracle servers can accept any method specified.
Topics:
To connect to an Oracle database server using a user name and password when an Oracle network and strong authentication method has been configured, then you must disable the external authentication.
To disable external authentication, see "Disabling Network Encryption and Strong Authentication" .
With the external authentication disabled, a user can connect to a database using the following format:
% sqlplus username@net_service_name Enter password: password
For example:
% sqlplus hr@emp
Enter password: password
Note:
You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database.You can use Oracle Net Manager to disable network encryption and strong authentication.
Start Oracle Net Manager.
(UNIX) From $ORACLE_HOME
/bin
, enter the following command at the command line:
netmgr
(Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.
Expand Oracle Net Configuration, and from Local, select Profile.
From the Naming list, select Network Security.
The Network Security tabbed window appears.
Select the Authentication tab (which is selected by default).
Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<].
From the File menu, select Save Network Configuration.
The sqlnet.ora
file is updated with the following entry:
SQLNET.AUTHENTICATION_SERVICES = (NONE)
Be aware that in a multitenant environment, the settings in the sqlnet.ora
file apply to all pluggable databases (PDBs).
Many networks use more than one authentication method on a single security server. Accordingly, Oracle Database lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.
You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the sqlnet.ora
file. Use Oracle Net Manager to add authentication methods to both clients and servers.
Start Oracle Net Manager.
(UNIX) From $ORACLE_HOME
/bin
, enter the following command at the command line:
netmgr
(Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.
Expand Oracle Net Configuration, and from Local, select Profile.
From the Naming list, select Network Security.
The Network Security tabbed window appears.
Select the Authentication tab.
Select a method listed in the Available Methods list.
Sequentially move selected methods to the Selected Methods list by clicking the right arrow (>).
Arrange the selected methods in order of desired use.
To do this, select a method in the Selected Methods list, and select Promote or Demote to position it in the list.
From the File menu, select Save Network Configuration.
The sqlnet.ora
file is updated with the following entry, listing the selected authentication methods:
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5, RADIUS)
Note:
SecurID functionality is available through RADIUS; RADIUS support is built into the RSA ACE/Server.See Also:
Chapter 19, "Configuring RADIUS Authentication" for more informationYou can use parameters to configure Oracle Database for network authentication.
Topics:
See Also:
The corresponding chapter in this guide for information about configuring a particular authentication method
Appendix C, "Kerberos, SSL, and RADIUS Authentication Parameters"
You must set the SQLNET.AUTHENTICATION_SERVICES
parameter in the sqlnet.ora
file for all clients and servers to enable each to use a supported authentication method.
Set the SQLNET.AUTHENTICATION_SERVICES
parameter using the following syntax:
SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)
For example, for all clients and servers using Kerberos authentication:
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
By default, the sqlnet.ora
file is located in the ORACLE_HOME
/network/admin
directory or in the location set by the TNS_ADMIN
environment variable. Ensure that you have properly set the TNS_ADMIN
variable to point to the correct sqlnet.ora
file. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN
variable.
Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you set the OS_AUTHENT_PREFIX
parameter to a null value.
In the initialization file for the database instance, set OS_AUTHENT_PREFIX
as follows:
OS_AUTHENT_PREFIX=""
Note:
The default value forOS_AUTHENT_PREFIX
is OPS$
; however, you can set it to any string.Caution:
If a database already has theOS_AUTHENT_PREFIX
set to a value other than NULL
(" "), then do not change it, because it can inhibit previously created, externally identified users from connecting to the Oracle server.After you have set OS_AUTHENT_PREFIX
to null, then you can create external users by using the following syntax:
CREATE USER os_authent_prefix_username IDENTIFIED EXTERNALLY;
For example, to create the user king
:
CREATE USER king IDENTIFIED EXTERNALLY;
The advantage of creating a user in this way is that you no longer need to maintain different user names for externally identified users. This is true for all supported authentication methods.