Oracle® Database Advanced Security Administrator's Guide 10g Release 1 (10.1) Part Number B10772-01 |
|
|
View PDF |
This appendix illustrates some sample configuration files with the profile file (sqlnet.ora
) and the database initialization file authentication parameters, when using Kerberos, RADIUS, or SSL authentication.
This appendix contains the following topics:
Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.
The following sections describe the parameters for RADIUS authentication
This parameter configures the client or the server to use the RADIUS adapter. Table B-2 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
None |
This parameter sets the location of the primary RADIUS server, either host name or dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine. Table B-3 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the listening port of the primary RADIUS server. Table B-4 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the time to wait for response. Table B-5 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the number of times to re-send. Table B-6 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter turns accounting on and off. If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. By default, packets are sent to port 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system. Table B-7 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter specifies the file name and location of the RADIUS secret key. Table B-8 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the location of an alternate RADIUS server to be used in case the primary server becomes unavailable for fault tolerance. Table B-9 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the listening port for the alternate RADIUS server. Table B-10 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the time to wait for response for the alternate RADIUS server. Table B-11 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the number of times that the alternate RADIUS server re-sends messages. Table B-12 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter turns on or turns off the challenge-response, or asynchronous, mode support. Table B-13 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the keyword to request a challenge from the RADIUS server. User types no password on the client. Table B-14 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
This parameter sets the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. Table B-15 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH
parameter in the sqlnet.ora
file to set the path for the Java classes for that graphical interface, and to set the path to the JDK Java libraries. Table B-16 describes this parameter's attributes.
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
sqlnet.authentication_services = (radius) sqlnet.authentication = IP-address-of-RADIUS-server sqlnet.radius_challenge_response = ON
REMOTE_OS_AUTHENT=FALSE OS_AUTHENT_PREFIX=""
There are two ways to configure a parameter:
sqlnet.ora
file.This section describes the static and dynamic parameters for configuring SSL on the server.
This section describes the static and dynamic parameters for configuring cipher suites.
Oracle Advanced Security supports the following cipher suites:
Note that the cipher suites that use Advanced Encryption Standard (AES
) work with Transport Layer Security (TLS 1.0) only.
This section describes the static and dynamic parameters for configuring the version of SSL to be used.
This section describes the static and dynamic parameters for configuring SSL on the client.
This section describes the parameters that are used to validate the identity of a server that the client connects to.
Parameter Name |
SSL_SERVER_DN_MATCH |
Where stored |
|
Purpose |
Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verifications, SSL ensures that the certificate is from the server. If you choose to not enforce the match verification, SSL performs the check but permits the connection, regardless if there is a match. Not forcing the match lets the server potentially fake its identity. |
Values |
|
| |
Default |
Oracle8i, or later:.FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to |
Usage Notes |
Additionally configure the tnsnames.ora parameter |
Parameter Name |
SSL_SERVER_CERT_DN |
Where stored |
t |
Purpose |
This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers--to force the server's DN to match its service name. |
Values |
Set equal to distinguished name (DN) of the server. |
Default |
n/a |
Usage Notes |
Additionally configure the sqlnet.ora parameter |
Example |
|
For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-17 in each of the following configuration files:
sqlnet.ora
listener.ora
Static Configuration | Dynamic Configuration |
---|---|
|
|
The default wallet location is the $ORACLE_HOME
directory.