B
Authentication Parameters

This appendix illustrates some sample configuration files with the necessary profile file (sqlnet.ora) and database initialization file (init.ora) authentication parameters, when using CyberSafe, Kerberos, RADIUS, or SSL authentication.

This appendix contains the following topics:

Parameters for Clients and Servers using CyberSafe Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using CyberSafe.

Table B-1 CyberSafe Configuration Parameters

File Name Configuration Parameters

File Name	Configuration Parameters
`sqlnet.ora`	SQLNET.AUTHENTICATION_SERVICES=(cybersafe) SQLNET.AUTHENTICATION_GSSAPI_SERVICE= oracle/dbserver.someco.com@SOMECO.COM SQLNET.AUTHENTICATION_KERBEROS5_SERVICES=oracle SQLNET.KERBEROS5_CONF=/krb5/krb.conf SQLNET.KERBEROS5_REALMS=/krb5/krb.realms SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
initialization parameter file (`init.ora`)	REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX=""

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(cybersafe) 
SQLNET.AUTHENTICATION_GSSAPI_SERVICE= 
oracle/dbserver.someco.com@SOMECO.COM
SQLNET.AUTHENTICATION_KERBEROS5_SERVICES=oracle
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

initialization parameter file (init.ora)

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Kerberos Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.

Table B-2 Kerberos Authentication Parameters

File Name Configuration Parameters

File Name	Configuration Parameters
`sqlnet.ora`	`SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracleSQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CCSQLNET.KERBEROS5_CLOCKSKEW=1200SQLNET.KERBEROS5_CONF=/krb5/krb.confSQLNET.KERBEROS5_CONF_MIT=(FALSE)SQLNET.KERBEROS5_REALMS=/krb5/krb.realmsSQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab`
`initialization parameter file (init.ora)`	`REMOTE_OS_AUTHENT=FALSEOS_AUTHENT_PREFIX=""`

sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)   
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle    
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC  
SQLNET.KERBEROS5_CLOCKSKEW=1200   
SQLNET.KERBEROS5_CONF=/krb5/krb.conf  
SQLNET.KERBEROS5_CONF_MIT=(FALSE)
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms  
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

initialization parameter file (init.ora)

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using RADIUS Authentication

The following sections describe the parameters for RADIUS authentication

sqlnet.ora File Parameters

SQLNET.AUTHENTICATION_SERVICES

This parameter configures the client or the server to use the RADIUS adapter. Table B-3 describes this parameter's attributes.

Table B-3 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes

Attribute	Description
Syntax	`SQLNET.AUTHENTICATION_SERVICES=radius`
Default setting	None

SQLNET.RADIUS_AUTHENTICATION

This parameter sets the location of the primary RADIUS server, either host name or dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine. Table B-4 describes this parameter's attributes.

Table B-4 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_AUTHENTICATION=``RADIUS_server_IP_address`
Default setting	`localhost`

SQLNET.RADIUS_AUTHENTICATION_PORT

This parameter sets the listening port of the primary RADIUS server. Table B-5 describes this parameter's attributes.

Table B-5 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_AUTHENTICATION_PORT=``port_number`
Default setting	`1645`

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

This parameter sets the time to wait for response. Table B-6 describes this parameter's attributes.

Table B-6 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=``time_in_seconds`
Default setting	`5`

SQLNET.RADIUS_AUTHENTICATION_RETRIES

This parameter sets the number of times to re-send. Table B-7 describes this parameter's attributes.

Table B-7 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_AUTHENTICATION_RETRIES=``n_times_to_resend`
Default setting	`3`

SQLNET.RADIUS_SEND_ACCOUNTING

This parameter turns accounting on and off. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. By default, packets are sent to port 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system. Table B-8 describes this parameter's attributes.

Table B-8 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_SEND_ACCOUNTING=``on`
Default setting	`off`

SQLNET.RADIUS_SECRET

This parameter specifies the file name and location of the RADIUS secret key. Table B-9 describes this parameter's attributes.

Table B-9 SQLNET.RADIUS_SECRET Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_SECRET=``path_to_RADIUS_secret_key`
Default setting	`$ORACLE_HOME/network/security/radius.key`

SQLNET.RADIUS_ALTERNATE

This parameter sets the location of an alternate RADIUS server to be used in case the primary server becomes unavailable for fault tolerance. Table B-10 describes this parameter's attributes.

Table B-10 SQLNET.RADIUS_ALTERNATE Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_ALTERNATE=``alternate_RADIUS_server_hostname_or_IP_address`
Default setting	`off`

SQLNET.RADIUS_ALTERNATE_PORT

This parameter sets the listening port for the alternate RADIUS server. Table B-11 describes this parameter's attributes.

Table B-11 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_ALTERNATE_PORT=``alternate_RADIUS_server_listening_port_number`
Default setting	`1645`

SQLNET.RADIUS_ALTERNATE_TIMEOUT

This parameter sets the time to wait for response for the alternate RADIUS server. Table B-12 describes this parameter's attributes.

Table B-12 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_ALTERNATE_TIMEOUT=``time_in_seconds`
Default setting	`5`

SQLNET.RADIUS_ALTERNATE_RETRIES

This parameter sets the number of times that the alternate RADIUS server re-sends messages. Table B-13 describes this parameter's attributes.

Table B-13 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_ALTERNATE_RETRIES=``n_times_to_resend`
Default setting	`3`

SQLNET.RADIUS_CHALLENGE_RESPONSE

This parameter turns on or turns off the challenge-response, or asynchronous, mode support. Table B-14 describes this parameter's attributes.

Table B-14 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_CHALLENGE_RESPONSE=``on`
Default setting	`off`

SQLNET.RADIUS_CHALLENGE_KEYWORD

This parameter sets the keyword to request a challenge from the RADIUS server. User types no password on the client. Table B-15 describes this parameter's attributes.

Table B-15 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_CHALLENGE_KEYWORD=``keyword`
Default setting	`challenge`

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B-16 describes this parameter's attributes.

Table B-16 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_AUTHENTICATION_INTERFACE=``Java_class_name`
Default setting	`DefaultRadiusInterface (oracle/net/radius/DefaultRadiusInterface)`

SQLNET.RADIUS_CLASSPATH

If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for that graphical interface, and to set the path to the JDK Java libraries. Table B-17 describes this parameter's attributes.

Table B-17 SQLNET.RADIUS_CLASSPATH Parameter Attributes

Attribute	Description
Syntax	`SQLNET.RADIUS_CLASSPATH=``path_to_GUI_Java_classes`
Default setting	`$ORACLE_HOME/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/sparc/native_threads`

Minimum RADIUS Parameters

sqlnet.authentication_services = (radius)
sqlnet.authentication = IP-address-of-RADIUS-server
sqlnet.radius_challenge_response = ON

Initialization File (init.ora) Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SSL

There are two ways to configure a parameter:

Static: The name of the parameter that exists in the sqlnet.ora file.
Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.

SSL Authentication Parameters

This section describes the static and dynamic parameters for configuring SSL on the server.

Parameter Name (static):	SQLNET.AUTHENTICATION_SERVICES
Parameter Name (dynamic):	AUTHENTICATION
Parameter Type:	String LIST
Parameter Class:	Static
Permitted Values:	Add TCPS to the list of available authentication services.
Default Value:	No default value.
Description:	To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type.
Existing/New Parameter	Existing
Syntax (static):	SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)
Example (static):	SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe)
Syntax (dynamic):	AUTHENTICATION = string
Example (dynamic):	AUTHENTICATION = (TCPS)

Cipher Suite Parameters

This section describes the static and dynamic parameters for configuring cipher suites.

Parameter Name (static):	SSL_CIPHER_SUITES
Parameter Name (dynamic):	SSL_CIPHER_SUITES
Parameter Type:	String LIST
Parameter Class:	Static
Permitted Values:	Any known SSL cipher suite
Default Value:	No default
Description:	Controls the combination of encryption and data integrity used by SSL.
Existing/New Parameter	Existing
Syntax (static):	SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (static):	SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
Syntax (dynamic):	SSL_CIPHER_SUITES=(SSL_cipher_suite1 [, SSL_cipher_suite2, ...SSL_cipher_suiteN])
Example (dynamic):	SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Supported SSL Cipher Suites

Oracle Advanced Security supports the following cipher suites:

SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

SSL Version Parameters

This section describes the static and dynamic parameters for configuring the version of SSL to be used.

Parameter Name (static):	SSL_VERSION
Parameter Name (dynamic):	SSL_VERSION
Parameter Type:	string
Parameter Class:	Static
Permitted Values:	Any version which is valid to SSL. (0, 3.0)
Default Value:	"0"
Description:	To force the version of the SSL connection.
Existing/New Parameter	New
Syntax (static):	SSL_VERSION=version
Example (static):	SSL_VERSION=3.0
Syntax (dynamic):	SSL_VERSION=version
Example (dynamic):	SSL_VERSION=3.0

SSL Client Authentication Parameters

This section describes the static and dynamic parameters for configuring SSL on the client.

Parameter Name (static):	SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic):	SSL_CLIENT_AUTHENTICATION
Parameter Type:	Boolean
Parameter Class:	Static
Permitted Values:	TRUE/FALSE
Default Value:	TRUE
Description:	To control whether a client, in addition to the server, is authenticated using SSL.
Existing/New Parameter	New
Syntax (static):	SSL_CLIENT_AUTHENTICATION={TRUE \| FALSE}
Example (static):	SSL_CLIENT_AUTHENTICATION=FALSE
Syntax (dynamic):	SSL_CLIENT_AUTHENTICATION={TRUE \| FALSE}
Example (dynamic):	SSL_CLIENT_AUTHENTICATION=FALSE

SSL X.509 Server Match Parameters

This section describes the parameters that are used to validate the identity of a server that the client connects to.

SSL_SERVER_DN_MATCH

Parameter Name	SSL_SERVER_DN_MATCH
Where stored	`sqlnet.ora`
Purpose	Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verifications, SSL ensures that the certificate is from the server. If you choose to not enforce the match verification, SSL performs the check but permits the connection, regardless if there is a match. Not forcing the match lets the server potentially fake its identity.
Values	`yes\|on\|true`--Specify to enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails.
Values	`no\|off\|false`--Specify to not enforce a match. If the DN does not match the service name, the connection is successful, but an error is logged to the `sqlnet.log` file.
Default	Oracle8i and Oracle9i:.FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to `sqlnet.log` file.
Usage Notes	Additionally configure the tnsnames.ora parameter `SSL_SERVER_CERT_DN` to enable server DN matching.

SSL_SERVER_CERT_DN

Parameter Name	SSL_SERVER_CERT_DN
Where stored	t`nsnames.ora`--Can be stored on the client, for every server it connects to, OR it can be stored in the LDAP directory, for every server it connects to, updated centrally.
Purpose	This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers--to force the server's DN to match its service name.
Values	Set equal to distinguished name (DN) of the server.
Default	n/a
Usage Notes	Additionally configure the sqlnet.ora parameter `SSL_SERVER_DN_MATCH` to enable server DN matching.
Example	`dbalias=(description=address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_DN="CN=Finance,CN=OracleContext,C=US,O=Acme"))`

Wallet Location

For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-18 in each of the following configuration files:

sqlnet.ora
listener.ora

Table B-18 Wallet Location Parameters

Static Configuration Dynamic Configuration

Static Configuration	Dynamic Configuration
`WALLET_LOCATION =` `(SOURCE=` `(METHOD=File)` `(METHOD_DATA=` `(DIRECTORY=your wallet location)` `)` `)`	`MY_WALLET_DIRECTORY` `= your_wallet_dir`

WALLET_LOCATION =

(SOURCE=

(METHOD=File)

(METHOD_DATA=

(DIRECTORY=your wallet location)

)

MY_WALLET_DIRECTORY

= your_wallet_dir

The default wallet location is the $ORACLE_HOME directory.

B Authentication Parameters