This appendix describes Oracle Net Services configuration for Windows. For more generic information about Oracle Net Services configuration, see Oracle Database Net Services Administrator's Guide.
This appendix contains these topics:
About Configuring Oracle Database to Communicate with Oracle ASM
About Modifying Oracle Net Services Registry Parameters and Subkeys
Oracle Databases that use Oracle Automatic Storage Management (Oracle ASM) and the databases that are managed by Oracle Grid infrastructure must use Windows native authentication, which is enabled by default. To ensure that it is, check that the sqlnet.ora file, by default located in ORACLE_HOME\network\admin, has NTS enabled. For example:
sqlnet.authentication_services=(NTS)
See Also:
"About Windows Authentication Protocols"
The registry contains entries for Oracle Net Services parameters and subkeys. To successfully add or modify Oracle Net Services configuration parameters, you must understand where they are located and the rules that apply to them.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services contains subkeys that correspond to services. Depending on what is installed, your Oracle Net Services consist of all or a subset of the following:
Each service subkey contains the parameters shown in Table B-1.
In Oracle Database, the listener is set to start automatically at system restart. You can verify the listener status by choosing the Windows Control Panel, then Administrative Tools, and then viewing the status of Services.
Oracle usually recommends that you only have a single net listener service running on a Windows computer at any one time. This single listener can support multiple databases. If you must have two different net listener services running on a Windows computer at the same time, ensure that they are configured to listen on different TCP/IP port numbers.
If the same IP address and port are used for different listeners, you might expect that the second and subsequent listeners would fail to bind. Instead, Windows allows them all to listen on the same IP address and port, resulting in unexpected behavior of the listeners. This is a suspected Windows operating system problem with TCP/IP and has been reported to Microsoft.
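Because the second listener does not fail to bind, the overlap has to be detected by inspection. The following PowerShell is an added example, not part of the Oracle documentation: it reports every TCP listen endpoint owned by more than one process and maps each process back to the Windows services it hosts. The function name Find-SharedListenEndpoint is hypothetical.

```powershell
# Added example: report TCP listen endpoints that are owned by more than one process.
# Run from an elevated prompt so that every owning process can be resolved.
function Find-SharedListenEndpoint {
    Get-NetTCPConnection -State Listen |
        Group-Object -Property LocalAddress, LocalPort |
        ForEach-Object {
            # Distinct owning process IDs for this address/port pair.
            $procIds = @($_.Group.OwningProcess | Sort-Object -Unique)
            if ($procIds.Count -gt 1) {
                $first = $_.Group[0]
                [pscustomobject]@{
                    LocalAddress = $first.LocalAddress
                    LocalPort    = $first.LocalPort
                    Owners       = foreach ($id in $procIds) {
                        # Map each process back to the Windows service(s) it hosts, if any.
                        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$id"
                        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
                        '{0} (PID {1}) services: {2}' -f $proc.ProcessName, $id, ($svc.Name -join ', ')
                    }
                }
            }
        }
}

# No output means no address/port pair is shared between processes.
Find-SharedListenEndpoint | Format-List
```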
Starting with Oracle Database 12c Release 1 (12.1), Oracle Net Services such as Oracle Listener, CMADMIN, and CMAN Proxy Listener run under the Oracle Home User account (Windows User Account) specified during the installation. Oracle recommends that you specify a standard Windows User Account (not an Administrator) as the Oracle Home User. Oracle Universal Installer also has an option to create a new Windows User Account with limited privileges. When the Windows built-in account is used as the Oracle Home User, the Oracle Listener service runs under the high-privileged Local System Account (LSA) for a database installation. For a CMAN installation, if the Windows built-in account is used as the Oracle Home User, CMADMIN and CMAN Proxy Listener run under the low-privileged LocalService Account.
Note:
Starting with Oracle Database 12c Release 1 (12.1), the lsnrctl start command or the CMAN proxy start command may prompt for a password when the relevant service does not exist. This happens the first time for a given alias. Once the service is created, subsequent start commands do not prompt for a password. However, there is no password prompt if you select Use Built-in Account as the Oracle Home User.
See Also:
"User Accounts and Security" in Oracle Database Net Services Administrator's Guide for more information
"START" in Oracle Database Net Services Reference for more information
You can use the following parameters on Windows:
Oracle Net Service first checks for the parameters as environment variables, and uses the values defined. If environment variables are not defined, it searches for these parameters in the registry.
You can use parameter LOCAL to connect to Oracle Database without specifying a connect identifier in the connect string. The value of parameter LOCAL is any connect identifier, such as a net service name. For example, if parameter LOCAL is specified as finance, you can connect to a database from SQL*Plus with:
SQL> CONNECT SMITH
Enter password: password
rather than
SQL> CONNECT SMITH@finance
Enter password: password
Oracle Net checks if LOCAL is defined as an environment variable or as a parameter in the registry, and uses finance as the service name. If it exists, then Oracle Net connects.
You can add parameter TNS_ADMIN to change the directory path of Oracle Net Services configuration files from the default location of ORACLE_HOME\network\admin. For example, if you set TNS_ADMIN to ORACLE_HOME\test\admin, then the configuration files are used from ORACLE_HOME\test\admin.
You can set parameter USE_SHARED_SOCKET to true to enable use of shared sockets. If this parameter is set to true, the network listener passes the socket descriptor for client connections to the database thread. As a result, the client does not establish a new connection to the database thread and database connection time improves. Also, all database connections share the port number used by the network listener, which can be useful if you are setting up third-party proxy servers.
This parameter only works in dedicated server mode in a TCP/IP environment. If this parameter is set, you cannot use the Oracle database listener to spawn Oracle Database. To spawn a dedicated server for an instance of Oracle Database not associated with the same Oracle home as the listener and have shared socket enabled, you must also set parameter USE_SHARED_SOCKET for both Oracle homes.
The following sections describe advanced configuration procedures specifically for Oracle Net Services on Windows operating systems:
Oracle Net Services provides authentication methods for Windows operating systems using Windows Native Authentication.
The network listener service may be unable to open the Named Pipes created by Oracle Names unless service OracleHOMENAMETNSListener has a valid user name and password associated with it.
See Also:
Your operating system documentation for instructions on setting up network listener permissions
This section supplements generic information provided in Oracle Database Net Services Administrator's Guide to configure a listener on Windows operating systems to exclusively handle external procedures. For a higher level of security, you are instructed to start the listener for external procedures from a user account with lower privileges than the oracle user. For Windows operating systems, this requires that you change the user account from LocalSystem to a local, unprivileged user for the OracleHOMENAMETNSListenerextproc_listener_name service.
Note:
The following instructions assume that you have performed steps 1 through 5 in the section "Modifying Configuration of External Procedures for Higher Security" and the procedure described in "Default Configuration for External Procedures" section in Oracle Database Net Services Administrator's Guide.
To change the listener account:
Create a new user account and grant it Log on as a Service privilege.
Note:
Ensure that this user account does not have general access to files owned by oracle. Specifically, this user should not have permission to read or write to database files or to the Oracle Database server address space. In addition, this user should have read access to the listener.ora file, but must not have write access to it.
Stop service OracleHOMENAMETNSListenerextproc_listener_name.
See Also:
Your operating system documentation for instructions on accessing the Services dialog and stopping services
Note:
If the OracleHOMENAMETNSListenerextproc_listener_name service does not exist, issue the following command from the command prompt:
lsnrctl start extproc_listener_name
This creates the OracleHOMENAMETNSListenerextproc_listener_name service. When you return to the list of services, stop this service before proceeding to the next step of this procedure.
Select the OracleHOMENAMETNSListenerextproc_listener_name service in the Services dialog and then display the properties of the service.
Select This Account and enter the user name and password.
Start the listener by clicking Start. You must start the listener in this way because you cannot use the Listener Control utility to start the listener running as an unprivileged local user.
Note:
You can also use NET START OracleHOMENAMETNSListenerextproc_listener_name to start the listener from the command prompt. Running the listener with lower privileges prevents you from using Listener Control utility SET commands to alter the configuration of this listener in file listener.ora. You can perform other administrative tasks on this listener with the Listener Control utility, including stopping the listener. Oracle recommends that you complete listener.ora file configuration before running the listener.
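After completing the procedure, the result can be checked from PowerShell. This is an added example, not part of the Oracle documentation: it confirms that the listener service no longer runs as LocalSystem or as a local administrator, and that the service account cannot write to listener.ora. The function name Test-ListenerAccount is hypothetical, and the service name and file path are values you supply.

```powershell
# Added example: audit the account behind a listener service and its rights on listener.ora.
function Test-ListenerAccount {
    param(
        [Parameter(Mandatory)] [string]$ServiceName,   # the extproc listener service name
        [Parameter(Mandatory)] [string]$ListenerOra    # full path to listener.ora
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    $findings = @()
    # Services configured with a local account report it as ".\user"; expand the dot.
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    if ($account -eq 'LocalSystem') {
        $findings += 'Service runs as LocalSystem; change it to a local, unprivileged user.'
        return [pscustomobject]@{ Service = $ServiceName; Account = $account; Findings = $findings }
    }
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Is the account in the local Administrators group (well-known SID S-1-5-32-544)?
    if (Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object { $_.SID.Value -eq $sid.Value }) {
        $findings += "$account is a member of the local Administrators group."
    }

    # Heuristic: check Allow entries for the account itself and for groups a local user
    # normally belongs to (Everyone, Authenticated Users, BUILTIN\Users).
    # Other group memberships and Deny entries are not evaluated.
    $principals = @($sid.Value, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -LiteralPath $ListenerOra).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $principals -contains $r.IdentityReference.Value -and
            (([int]$r.FileSystemRights -band [int]$write) -ne 0)) {
            $findings += "listener.ora is writable via $($r.IdentityReference.Value) ($($r.FileSystemRights))."
        }
    }
    [pscustomobject]@{ Service = $ServiceName; Account = $account; Findings = $findings }
}

# Usage (placeholders; substitute your own service name and path):
# Test-ListenerAccount -ServiceName '<listener service name>' -ListenerOra '<path>\listener.ora'
```

An empty Findings list means none of the checked conditions were met; it does not prove the account lacks access through other group memberships.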