Skip Headers
Oracle® Database Net Services Reference
10g Release 2 (10.2)

Part Number B14213-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

5 Profile Parameters (sqlnet.ora)

This chapter provides complete listing of the sqlnet.ora file configuration parameters.

This chapter contains these topics:

Overview of Profile Configuration File

The sqlnet.ora file enables you to:

By default, sqlnet.ora is located in the $ORACLE_HOME/network/admin directory on UNIX operating systems and the ORACLE_HOME\network\admin directory on Windows operating systems. sqlnet.ora can also be stored in the directory specified by the TNS_ADMIN environment variable.

Profile Parameters

This section lists and describes the sqlnet.ora file parameters.

BEQUEATH_DETACH

Purpose

Use the parameter BEQUEATH_DETACH to turn signal handling on or off for UNIX systems.

Default

no

Values

  • yes to turn signal handling off

  • no to leave signal handling on

Example

BEQUEATH_DETACH=yes

DEFAULT_SDU_SIZE

Purpose

Use the parameter DEFAULT_SDU_SIZE to specify the session data unit (SDU) size, in bytes to connections.

Usage

Oracle Corporation recommends setting this parameter in both the clientside and serverside sqlnet.ora file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.

You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.


See Also:

Oracle Database Net Services Administrator's Guide for complete SDU usage and configuration information

Default

2048 bytes (2 KB)

Values

512 to 32768 bytes (32 KB)

Example

DEFAULT_SDU_SIZE=4096

DISABLE_OOB

Purpose

If turned off, the parameter DISABLE_OOB enables Oracle Net to send and receive "break" messages using urgent data provided by the underlying protocol.

If turned on, disables the ability to send and receive "break" messages using urgent data provided by the underlying protocol. Once enabled, this feature applies to all protocols used by this client.


See Also:

Operating system-specific documentation to determine if the protocols you are using support urgent data requests. TCP/IP is an example of a protocol that supports this feature.

Default

off

Example

DISABLE_OOB=on

LOG_DIRECTORY_CLIENT

Purpose

Use the parameter LOG_DIRECTORY_CLIENT to specify the destination directory for the client log file.

Default

Current directory from which the executable is started

Example

LOG_DIRECTORY_CLIENT=/oracle/network/log

LOG_DIRECTORY_SERVER

Purpose

Use the parameter LOG_DIRECTORY_SERVER to specify the destination directory for the database server log file.

Default

Current directory from which the executable is started

Example

LOG_DIRECTORY_SERVER=/oracle/network/log

LOG_FILE_CLIENT

Purpose

Use the parameter LOG_FILE_CLIENT to specify the name of the log file for the client.

Default

sqlnet.log

Example

LOG_FILE_CLIENT=client

LOG_FILE_SERVER

Purpose

Use the parameter LOG_FILE_SERVER to specify the name of the log file for the database server.

Default

sqlnet.log

Example

LOG_FILE_SERVER=svr.log

NAMES.DCE.PREFIX

Purpose

Use the parameter NAMES.DCE.PREFIX to specify the Distributed Computing Environment (DCE) cell name (prefix) to use for name lookups.

Default

/.:/subsys/oracle/names

Example

NAMES.DCE.PREFIX=/.:/subsys/oracle/names

NAMES.DEFAULT_DOMAIN

Purpose

Use the parameter NAMES.DEFAULT_DOMAIN to set the domain from which the client most often looks up names resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.

For example, if the default domain is set to us.acme.com, the connect string CONNECT scott/tiger@sales gets searched as sales.us.acme.com. If the connect string includes the domain extension, such as CONNECT scott/tiger@sales.acme.com, the domain is not appended.

Default

None

Example

NAMES.DEFAULT_DOMAIN=acme.com

NAMES.DIRECTORY_PATH

Purpose

Use the parameter NAMES.DIRECTORY_PATH to specify the order of the naming methods used for client name resolution lookups.

Default

NAMES.DIRECTORY_PATH=(tnsnames, onames, hostname)

Values

Table 5-1 NAMES.DIRECTORY_PATH Values

Naming Method Value Description
tnsnames (local naming naming method) Set to resolve a net service name through the tnsnames.ora file on the client.

See Also: Oracle Database Net Services Administrator's Guide

ldap (directory naming naming method) Set to resolve a database service name, net service name, or net service alias through a directory server.

See Also: Oracle Database Net Services Administrator's Guide

ezconnect or hostname (easy connect naming or host naming method) Select to enable clients to use a TCP/IP connect identifier, consisting of a host name and optional port and service name.

See Also: Oracle Database Net Services Administrator's Guide

cds (CDS external naming method) Set to resolve an Oracle database name in a Distributed Computing Environment (DCE) environment.

See Also: Oracle Database Advanced Security Administrator's Guide

nis (Network Information Service (NIS) external naming method) Set to resolve service information through an existing NIS.

See Also: Oracle Database Net Services Administrator's Guide


Example

NAMES.DIRECTORY_PATH=(tnsnames, onames)

NAMES.NIS.META_MAP

Purpose

Use the parameter NAMES.NIS.META_MAP to specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname

Default

sqlnet.maps

Example

NAMES.NIS.META_MAP=sqlnet.maps

RECV_BUF_SIZE

Purpose

Use the parameter RECV_BUF_SIZE to specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.


Note:

Additional protocols might support this parameter on certain operating systems. Refer to operating-system specific documentation for information about additional protocols that support this parameter.


See Also:

Oracle Net Services Administrator's Guide for information about configuring this parameter

Default

The default value for this parameter is operating-system specific. The default for the Solaris 2.6 Operating System is 32768 bytes (32 KB).

Usage

You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.

Example

RECV_BUF_SIZE=11784

SEND_BUF_SIZE

Purpose

Use the parameter SEND_BUF_SIZE to specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.


Note:

Additional protocols might support this parameter on certain operating systems. Refer to operating-system specific documentation for information about additional protocols that support this parameter.


See Also:

Oracle Database Net Services Administrator's Guide for information about configuring this parameter

Default

The default value for this parameter is operating-system specific. The default for the Solaris 2.6 Operating System is 8192 bytes (8 KB).

Usage

You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.

Example

SEND_BUF_SIZE=11784

SQLNET_ALLOWED_LOGON_VERSIONS

Purpose

Use the parameter SQLNET_ALLOWED_LOGON_VERSIONS to specify which authentication protocols are allowed by the client or database. If the client and database server do not have at least one matching version, then authentication fails with an error.

Allowed Values

  • 10 for Oracle Database 10g authentication protocols

  • 9 for Oracle9i authentication protocols

  • 8 for Oracle8 authentication protocols

  • 7.3 for Oracle 7.3 authentication protocols

Any value other than 10 could expose vulnerabilities that may have existed in previous version of the authentication protocols. For complete compatibility, set the list of allowable versions for logon to include all versions of database in the system.

Default

10, 9, 8

Example

If both Oracle 8.1.7 and Oracle9i databases are present, then set the parameter as follows:

SQLNET_ALLOWED_LOGON_VERSIONS=(10,9,8)

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE

Purpose

Use the parameter SQLNET.AUTHENTICATION_KERBEROS5_SERVICE to define the name of the service used to obtain a Kerberos service ticket.

Default

None

Example

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle

SQLNET.AUTHENTICATION_SERVICES

Purpose

Use the parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services. If authentication has been installed, it is recommended that this parameter be set to either none or to one of the authentication methods.

Default

None

Values

Authentication Methods Available with Oracle Net Services: 

  • none for no authentication methods. A valid username and password can be used to access the database.

  • all for all authentication methods

  • nts for Windows NT native authentication

Authentication Methods Available with Oracle Advanced Security:  

Example

SQLNET.AUTHENTICATION_SERVICES=(kerberos5)

SQLNET.CLIENT_REGISTRATION

Purpose

Use the parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for this client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.

Default

None

Example

SQLNET.CLIENT_REGISTRATION=1432

SQLNET.CRYPTO_CHECKSUM_CLIENT

Purpose

Use the parameter SQLNET.CRYPTO_CHECKSUM_CLIENT to specify the checksum behavior for the client.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if the required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted

SQLNET.CRYPTO_CHECKSUM_SERVER

Purpose

Use the parameter SQLNET.CRYPTO_CHECKSUM_SERVER to specify the checksum behavior for the database server.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if the required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.CRYPTO_CHECKSUM_SERVER=accepted

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

Purpose

Use the parameter SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT to specify a list of crypto-checksum algorithms for the client to use.

Default

all available algorithms

Values

  • md5 for the RSA Data Security's MD5 algorithm

  • sha1 for the Secure Hash algorithm

Example

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

Purpose

Use the parameter SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER to specify a list of crypto-checksum algorithms for the database server to use.

Default

all available algorithms

Values

  • md5 for the RSA Data Security's MD5 algorithm

  • sha1 for the Secure Hash algorithm

Example

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)

SQLNET.CRYPTO_SEED

Purpose

Use the parameter SQLNET.CRYPTO_SEED to specify the characters used when generating cryptographic keys. The more random the characters are, the stronger the keys are. The string should be 10-70 random characters. This optional parameter is required for when encryption or checksumming are turned on. Encryption is turned on if the SQLNET.ENCRYPTION_CLIENT parameter is specified for the client and the SQLNET.ENCRYPTION_SERVER parameter is specified for the database server; checksumming is turned on if the SQLNET.CRYPTO_CHECKSUM_CLIENT parameter is specified for the client and the SQLNET.CRYPTO_CHECKSUM_SERVER parameter is specified for the database server.

Default

qwertyuiopasdfghjkl;zxcvbnm,.s1

Example

SQLNET.CRYPTO_SEED="qwertyuiopasdfghjkl;zxcvbnm,.s1"

SQLNET.ENCRYPTION_CLIENT

Purpose

Use the parameter SQLNET.ENCRYPTION_CLIENT to turn encryption on for the client.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if the required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.ENCRYPTION_CLIENT=accepted

SQLNET.ENCRYPTION_SERVER

Purpose

Use the parameter SQLNET.ENCRYPTION_SERVER to turn encryption on for the database server.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if the required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.ENCRYPTION_SERVER=accepted

SQLNET.ENCRYPTION_TYPES_CLIENT

Purpose

Use the parameter SQLNET.ENCRYPTION_TYPES_CLIENT to specify a list of encryption algorithms for the client to use.

Default

All available algorithms.

Values

One or more of the following:

  • 3des112 for triple DES with a two-key (112 bit) option

  • 3des168 for triple DES with a three-key (168 bit) option

  • des for standard 56 bit key size

  • des40 for 40 bit key size

  • rc4_40 for 40 bit key size

  • rc4_56 for 56 bit key size

  • rc4_128 for 128 bit key size

  • rc4_256 for 256 bit key size

Example

SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)

SQLNET.ENCRYPTION_TYPES_SERVER

Purpose

Use the parameter SQLNET.ENCRYPTION_TYPES_SERVER to specify a list of encryption algorithms for the database server to use.

Default

All available algorithms

Values

One or more of the following:

  • 3des112 for triple DES with a two-key (112 bit) option

  • 3des168 for triple DES with a three-key (168 bit) option

  • des for standard 56 bit key size

  • des40 for 40 bit key size

  • rc4_40 for 40 bit key size

  • rc4_56 for 56 bit key size

  • rc4_128 for 128 bit key size

  • rc4_256 for 256 bit key size

Example

SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)

SQLNET.EXPIRE_TIME

Purpose

Use parameter SQLNET.EXPIRE_TIME to specify a the time interval, in minutes, to send a probe to verify that client/server connections are active. Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination. If the probe finds a terminated connection, or a connection that is no longer in use, it returns an error, causing the server process to exit. This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.

Limitations on using this terminated connection detection feature are:

  • It is not allowed on bequeathed connections.

  • Though very small, a probe packet generates additional traffic that may downgrade network performance.

  • Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.

Default

0

Minimum Value

0

Recommended Value

10

Example

SQLNET.EXPIRE_TIME=10

SQLNET.INBOUND_CONNECT_TIMEOUT

Purpose

Use the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

Without this parameter, a client connection to the database server can stay open indefinitely without authentication. Connections without authentication can introduce possible denial-of-service attacks, whereby malicious clients attempt to flood database servers with connect requests that consume resources.

To protect both the database server and the listener, Oracle Corporation recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying values for these parameters, consider the following recommendations:

  • Set both parameters to an initial low value.

  • Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.


See Also:

Oracle Net Services Administrator's Guide for information about configuring these parameters

Default

60 seconds

Example

SQLNET.INBOUND_CONNECT_TIMEOUT=3

SQLNET.KERBEROS5_CC_NAME

Purpose

Use the parameter SQLNET.KERBEROS5_CC_NAME to specify the complete path name to the Kerberos credentials cache file.

Default

/usr/tmp/krbcache on UNIX operating systems and c:\tmp\krbcache on Windows operating systems

Example

SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache

SQLNET.KERBEROS5_CLOCKSKEW

Purpose

Use the parameter SQLNET.KERBEROS5_CLOCKSKEW to specify how many seconds can pass before a Kerberos credential is considered out of date.

Default

300

Example

SQLNET.KERBEROS5_CLOCKSKEW=1200

SQLNET.KERBEROS5_CONF

Purpose

Use the parameter SQLNET.KERBEROS5_CONF to specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.

Default

/krb5/krb.conf on UNIX operating systems and c:\krb5\krb.conf on Windows operating systems

Example

SQLNET.KERBEROS5_CONF=/krb5/krb.conf

SQLNET.KERBEROS5_KEYTAB

Purpose

Use the parameter SQLNET.KERBEROS5_KEYTAB to specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.

Default

/etc/v5srvtab on UNIX operating systems and c:\krb5\v5srvtab on Windows operating systems

Example

SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

SQLNET.KERBEROS5_REALMS

Purpose

Use the parameter SQLNET.KERBEROS5_REALMS to specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.

Default

/krb5/krb.realms on UNIX operating systems and c:\krb5\krb.realms on Windows operating systems

Example

SQLNET.KERBEROS5_REALMS=/krb5/krb.realms

SQLNET.RADIUS_ALTERNATE

Purpose

Use the parameter SQLNET.RADIUS_ALTERNATE to specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.

Default

None

Example

SQLNET.RADIUS_ALTERNATE=radius2

SQLNET.RADIUS_ALTERNATE_PORT

Purpose

Use the parameter SQLNET.RADIUS_ALTERNATE_PORT to specify the listening port of the alternate RADIUS server.

Default

1645

Example

SQLNET.RADIUS_ALTERNATE_PORT=1667

SQLNET.RADIUS_ALTERNATE_RETRIES

Purpose

Use the parameter SQLNET.RADIUS_ALTERNATE_RETRIES to specify the number of times the database server should resend messages to the alternate RADIUS server.

Default

3

Example

SQLNET.RADIUS_ALTERNATE_RETRIES=4

SQLNET.RADIUS_AUTHENTICATION

Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION to specify the location of the primary RADIUS server, either by its host name or IP address.

Default

Local host

Example

SQLNET.RADIUS_AUTHENETICATION=officeacct

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION_INTERFACE to specify the class containing the user interface used to interact with the user.

Default

DefaultRadiusInterface

Example

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

SQLNET.RADIUS_AUTHENTICATION_PORT

Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of the primary RADIUS server.

Default

1645

Example

SQLNET.RADIUS_AUTHENTICATION_PORT= 1667

SQLNET.RADIUS_AUTHENTICATION_RETRIES

Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION_RETRIES to specify the number of times the database server should resend messages to the primary RADIUS server.

Default

3

Example

SQLNET.RADIUS_AUTHENTICATION_RETRIES=4

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION_TIMEOUT to specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.

Default

5

Example

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10

SQLNET.RADIUS_CHALLENGE_RESPONSE

Purpose

Use the parameter SQLNET.RADIUS_CHALLENGE_RESPONSE to turn challenge response on or off.

Default

off

Values

on | off

Example

SQLNET.RADIUS_CHALLENGE_RESPONSE=on

SQLNET.RADIUS_SECRET

Purpose:

Use the parameter SQLNET.RADIUS_SECRET to specify the location of the RADIUS secret key.

Default

The $ORACLE_HOME/network/security/radius.key file on UNIX operating systems and the ORACLE_HOME\network\security\radius.key file on Windows

Example

SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey

SQLNET.RADIUS_SEND_ACCOUNTING

Purpose

Use the parameter SQLNET.RADIUS_SEND_ACCOUNTING to turn accounting on and off. If enabled, packets are sent to the active RADIUS server at listening port plus one. The default port is 1646.

Default

off

Values

on | off

Example

SQLNET.RADIUS_SEND_ACCOUNTING=on

SQLNET.RECV_TIMEOUT

Purpose

Use the parameter SQLNET.RECV_TIMEOUT to specify the time, in seconds, for a database server to wait for client data after connection establishment. A client must send some data within the time interval.

For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If a client does not send any data in time specified, then the database server logs an ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred to the sqlnet.log file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties.

You can also set this parameter on the clientside to specify the time, in seconds, for a client to wait for response data from the database server after connection establishment. Without this parameter, the client may wait for a long period of time for a response from a database server saturated with requests.

Set the value for this parameter to an initial low value and adjust according to system and network capacity. If necessary, use this parameter in conjunction with the SQLNET.SEND_TIMEOUT parameter.


See Also:

Oracle Database Net Services Administrator's Guide for information about configuring these parameters

Default

None

Example

SQLNET.RECV_TIMEOUT=3

SQLNET.SEND_TIMEOUT

Purpose

Use to specify the time, in seconds, for a database server to complete a send operation to clients after connection establishment.

For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If the database server is unable to complete a send operation in the time specified, then it logs an ORA-12535: TNS:operation timed out and ORA-12608: TNS: Send timeout occurred to the sqlnet.log file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.

You can also set this parameter on the clientside to specify the time, in seconds, for a client to complete send operations to the database server after connection establishment. Without this parameter, the client may continue to send requests to a database server already saturated with requests.

Set the value for this parameter to an initial low value and adjust according to system and network capacity. If necessary, use this parameter in conjunction with the SQLNET.RECV_TIMEOUT parameter.


See Also:

Oracle Database Net Services Administrator's Guide for information about configuring these parameters

Default

None

Example

SQLNET.SEND_TIMEOUT=3

SSL_CERT_REVOCATION

Purpose

Use the SSL_CRT_REVOCATION parameter to configure a revocation check for a certificate.

Default

none

Values

  • none to turn off certificate revocation checking

  • requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection

  • required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked. then accept the SSL connection.

Example

SSL_CERT_REVOCATION=required

SSL_CERT_FILE

Purpose

Use the parameter SSL_CRL_FILE to specify the name of the file where you can assemble the CRL of CAs for client authentication.

This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in additional to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

Default

None

SSL_CERT_PATH

Purpose

Use the parameter SSL_CRL_PATH to specify the destination directory of the CRL of CA. The files in this directory are hashed symbolic links created by Oracle Wallet Manager. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

Default

None

Default

None

SSL_CIPHER_SUITES

Purpose

Use the parameter SSL_CIPHER_SUITES to control what combination of encryption and data integrity is used by the Secure Sockets Layer (SSL).

Default

None

Values


See Also:

Oracle Advanced Security Administrator's Guide for further information about cipher suite values

Example

SSL_CIPHER_SUITE=(ssl_rsa_with_rc4_138_md5)

SSL_CLIENT_AUTHENTICATION

Purpose

Use the parameter SSL_CLIENT_AUTHENTICATION to specify whether or not a client—in addition to the database server—is authenticated using SSL.

Default

true

Values

true | false

Example

SSL_CLIENT_AUTHENTICATION=true

SSL_SERVER_DN_MATCH

Purpose

Use the parameter SSL_SERVER_DN_MATCH to enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verifications, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless if there is a match. Not enforcing the match allows the server to potentially fake its identify.

Default

no

Values

  • yes | on | true to specify to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.

  • no | off | false to specify to not enforce a match. If does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.

Usage Notes

In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.

Example

SSL_SERVER_DN_MATCH=yes

SSL_VERSION

Purpose

Use the parameter SSL_VERSION to force the version of the SSL connection.

Clients and database servers must use a compatible version.

Default

undetermined

Values

undetermined | 2.0 | 3.0

Example

SSL_VERSION=2.0

TCP.EXCLUDED_NODES

Purpose

Use the parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database.

Syntax

TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)

Example

TCP.EXCLUDED_NODES=(finance.us.acme.com, mktg.us.acme.com, 144.25.5.25)

TCP.INVITED_NODES

Purpose

Use the parameter TCP.INVITED_NODES to specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.

Syntax

TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)

Example

TCP.INVITED_NODES=(sales.us.acme.com, hr.us.acme.com, 144.185.5.73)

TCP.VALIDNODE_CHECKING

Purpose

Use the parameter TCP.VALIDNODE_CHECKING to check for the TCP.INVITED_NODES and TCP.EXCLUDED_NODES to determine which clients to allow or deny access.

Default

no

Values

yes | no

Example

TCP.VALIDNODE_CHECKING=yes

TCP.NODELAY

Purpose

Use the parameter TCP.NODELAY to preempt delays in buffer flushing within the TCP/IP protocol stack.

Default

yes

Values

yes | no

Example

TCP.NODELAY=yes

TNSPING.TRACE_DIRECTORY

Purpose

Use the parameter TNSPING.TRACE_DIRECTORY to specify the destination directory for the TNSPING utility trace file, tnsping.trc.

Default

The $ORACLE_HOME/network/trace directory on UNIX operating systems and the %ORACLE_HOME%\network\trace directory on Windows operating systems

Example

TNSPING.TRACE_DIRECTORY=/oracle/traces

TNSPING.TRACE_LEVEL

Purpose

Use the parameter TNSPING.TRACE_LEVEL to turn TNSPING utility tracing on, at a specific level, or off.

Default

off

Values

  • off for no trace output

  • user for user trace information

  • admin for administration trace information

  • support for Oracle Support Services trace information

Example

TNSPING.TRACE_LEVEL=admin

TRACE_DIRECTORY_CLIENT

Purpose

Use the parameter TRACE_DIRECTORY_CLIENT to specify the destination directory for the client trace file.

Default

The $ORACLE_HOME/network/trace directory on UNIX operating systems and the ORACLE_HOME\network\trace directory on Windows operating systems

Example

TRACE_DIRECTORY_CLIENT=/oracle/traces

TRACE_DIRECTORY_SERVER

Purpose

Use the parameter TRACE_DIRECTORY_SERVER to specify the destination directory for the database server trace file.

Default

The $ORACLE_HOME/network/trace directory on UNIX operating systems and the %ORACLE_HOME%\network\trace directory on Windows

Example

TRACE_DIRECTORY_SERVER=/oracle/traces

TRACE_FILE_CLIENT

Purpose

Use the parameter TRACE_FILE_CLIENT to specify the name of the client trace file.

Default

sqlnet.trc

Example

TRACE_FILE_CLIENT=clientsqlnet.trc

TRACE_FILE_SERVER

Purpose

Use the parameter TRACE_FILE_SERVER to specify the name of the database server trace file

Default

svr_pid.trc

Example

TRACE_FILE_SERVER=svrsqlnet.trc

TRACE_FILELEN_CLIENT

Purpose

Use the parameter TRACE_FILELEN_CLIENT to specify the size of the client trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter.

Example

TRACE_FILELEN_CLIENT=100

TRACE_FILELEN_SERVER

Purpose

Use the parameter TRACE_FILELEN_SERVER to specify the size of the database server trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter.

Example

TRACE_FILELEN_SERVER=100

TRACE_FILENO_CLIENT

Purpose

Use the parameter TRACE_FILENO_CLIENT to specify the number of trace files for client tracing. When this parameter is set along with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file.

Default

None

Example

TRACE_FILENO_CLIENT=3

TRACE_FILENO_SERVER

Purpose

Use the parameter TRACE_FILENO_SERVER to specify the number of trace files for database server tracing. When this parameter is set along with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file.

Default

None

Example

TRACE_FILENO_SERVER=3

TRACE_LEVEL_CLIENT

Purpose

Use the parameter TRACE_LEVEL_CLIENT to turn client tracing on, at a specific level, or off.

Default

off

Values

  • off for no trace output

  • user for user trace information

  • admin for administration trace information

  • support for Oracle Support Services trace information

Example

TRACE_LEVEL_CLIENT=user

TRACE_LEVEL_SERVER

Purpose

Use the parameter TRACE_LEVEL_SERVER to turn server tracing on, at a specific level, or off.

Default

off

Values

  • off for no trace output

  • user for user trace information

  • admin for administration trace information

  • support for Oracle Support Services trace information

Example

TRACE_LEVEL_SERVER=admin

TRACE_TIMESTAMP_CLIENT

Purpose

Use the parameter TRACE_TIMESTAMP_CLIENT to add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc.

Default

on

Values

on or true | off or false

Example

TRACE_TIMESTAMP_SERVER=true

TRACE_TIMESTAMP_SERVER

Purpose

Use the parameter TRACE_TIMESTAMP_SERVER to add a time stamp in form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc.

Default

off

Values

on or true | off or false

Example

TRACE_TIMESTAMP_SERVER=true

TRACE_UNIQUE_CLIENT

Purpose

Use the parameter TRACE_UNIQUE_CLIENT to specify whether or not a unique trace file is created for each client trace session. When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file.

Default

on

Values

on or off

Example

TRACE_UNIQUE_CLIENT=on

USE_CMAN

Purpose

If set to true, the parameter USE_CMAN routes the client to a protocol address for an Oracle Connection Manager.

The following example shows two address lists. While the first address list routes the client to an Oracle Connection Manager, the second address list routes the client directly to a listener.

sales=
 (DESCRIPTION= 
   (LOAD_BALANCE=on) 
   (FAILOVER=on)
   (ADDRESS_LIST= 
     (SOURCE_ROUTE=yes) 
     (ADDRESS=(PROTOCOL=tcp)(HOST=host1)(PORT=1630)) 
     (ADDRESS=(PROTOCOL=tcp)(HOST=host2)(PORT=1521)))
   (ADDRESS_LIST= 
     (ADDRESS=(PROTOCOL=tcp)(HOST=host3)(PORT=1521)))
   (CONNECT_DATA=(SERVICE_NAME=sales.us.acme.com)))

Without USE_CMAN=true, the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.

If no Oracle Connection Manager addresses are available, connections are routed through any available listener address.

Default

false

Values

true | false

Example

USE_CMAN=true

USE_DEDICATED_SERVER

Purpose

If set to on, the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.

This parameter adds (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. It overrides the current value of the SERVER parameter in the tnsnames.ora file.


See Also:

Oracle Database Net Services Administrator's Guide for complete configuration information

Default

off

Values

  • on to append (SERVER=dedicated)

  • off to hand off requests to existing server processes

Example

USE_DEDICATED_SERVER=on

WALLET_LOCATION

Purpose

Use the parameter WALLET_LOCATION to specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.

Syntax

Oracle wallets on the file system:

WALLET_LOCATION=
  (SOURCE=
    (METHOD=file)
    (METHOD_DATA=
       (DIRECTORY=directory)
       [(PKCS11=TRUE/FALSE)]))

Microsoft certificate store:

WALLET_LOCATION=
  (SOURCE=
     (METHOD=mcs))

Oracle wallets in the Windows registry:

WALLET_LOCATION=
   (SOURCE=
      (METHOD=reg)
      (METHOD_DATA=
         (KEY=registry_key)))

Entrust wallets:

WALLET_LOCATION=
   (SOURCE=
      (METHOD=entr)
      (METHOD_DATA=
         (PROFILE=file.epf)
         (INIFILE=file.ini)))

Subparameters

WALLET_LOCATION supports the following subparameters:

SOURCE: Specify the type of storage for wallets and storage location.

METHOD: Specify the type of storage.

METHOD_DATA: Specify the storage location.

DIRECTORY: Specify the location of Oracle wallets on file system.

KEY: Specify the wallet type and location in the Windows registry.

PROFILE: Specify the Entrust profile file (.epf).

INIFILE: Specify the Entrust initialization file (.ini).

Default

None

Usage Notes

  • The key/value pair for Microsoft's certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.

  • If an Oracle wallet is stored in the Windows registry and the wallet's key (KEY) is SALESAPP, the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.

Values

true | false

Examples

Oracle wallets on file system:

WALLET_LOCATION=  
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=  
         (DIRECTORY=/etc/oracle/wallets/databases)))

Microsoft certificate store:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=mcs))
   

Oracle Wallets in the Windows registry:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=REG)
     (METHOD_DATA=
        (KEY=SALESAPP)))

Entrust Wallets:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=entr)
     (METHOD_DATA=
       (PROFILE=/etc/oracle/wallets/test.epf)
       (INIFILE=/etc/oracle/wallets/test.ini)))

WALLET_OVERRIDE

Purpose

This parameter determines whether the client should override the strong authentication credential with the password credential in the secret store to log into the database.

Syntax

None.

Subparameters

None.

Usage Notes

  • Users may have batch jobs that require logging into the database. There may be scripts that access databases and are shared by administrators. This project provides a way for them to use connect / instead of specifying username/password explicitly. It simplifies the maintenance of the scripts and secures the password management for the applications.

  • Middle-tier applications create an Oracle Applications wallet at install time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.

Examples

New commands will be implemented for mkstore to manage the entries in the secret store.

To create a wallet:

mkstore -wrl <wallet location> –create

To create an entry:

mkstore –wrl <wallet location> –createCredential <alias> <username> <password>

To modify an entry:

mkstore -wrl <wallet location> –modifyCredential <alias> <username> <password> 

To delete an entry:

mkstore -wrl <wallet location> –deleteCredential <alias>

To list all entries:

mkstore -wrl <wallet location> –listCredential