7
Choosing and Combining Authentication Services

This chapter describes how to use conventional username/password authentication even if you have configured another authentication service. It also discusses how to configure your network to use one or more authentication services in your network using the Oracle Advanced Networking Option and how to set up more than one authentication service on a client or on a server.

Authentication adapters available with this release include the following:

• CyberSAFE
  Refer to Chapter 3, "Configuring the CyberSAFE Authentication Adapter".
• Kerberos
  Refer to Chapter 4, "Configuring the Kerberos Authentication Adapter".
• SecurID
  Refer to Chapter 5, "Configuring Oracle for Use with the SecurID Adapter".
• Biometric (Identix)
  Refer to Chapter 6, "Configuring and Using the Identix Biometric Authentication Adapter".
• DCE GSSAPI
  Refer to Chapter 8, "Configuring the DCE GSSAPI Authentication Adapter".

Refer to the individual chapters and the platform-specific documentation listed above for details of configuring these adapters.

Note: Use the Oracle Net8 Assistant to edit client and server SQLNET.ORA files for CyberSAFE, Kerberos, SecurID, Biometric, and DCE GSSAPI adapters.

7.1 Connect with a Username/Password When Authentication Has Been Configured

To connect to an Oracle server using a username and password when an Oracle authentication adapter has been configured, you need to configure No Authentication in your profile (SQLNET.ORA). Use the Oracle Net8 Assistant to configure the profile (SQLNET.ORA).

7.1.1 Configure No Authentication

Configure the profile for no authentication when you want to disable authentication. For example, for users to be able to log into an Oracle database server using username/password, you must disable authentication by defining this value. If you do, the profile appears as follows:

SQLNET.AUTHENTICATION_SERVICES = (NONE)

A user can now connect to a database using the following username/password format:

% sqlplus username/password@service_name

For example:

% sqlplus scott/tiger@emp

Refer to Figure 7-1, "Select No Authentication", for an example of how you use the Oracle Net8 Assistant to configure No Authentication. To configure No Authentication:

1. Click the Profile folder on the Oracle Net8 Assistant Object Tree.
2. Click the Authentication tab in the right Properties window.
3. Click a service listed in the Selected Services area.
4. Click [>] to transfer the selected service to the Available Services area.
5. Repeat steps 3 and 4 above until all services are removed from the Selected Services area.

   Figure 7-1 Select No Authentication

   

7.2 Set Up an Oracle Server With Multiple Authentication Services

Many networks use more than one authentication service on a single security server. For this reason, the Oracle Advanced Networking Option allows you to configure your network so that Oracle clients can use a specific authentication service and Oracle Servers can accept any service specified.

This section describes how to set up an Oracle server that uses multiple authentication adapters. Depending on which authentication adapter the client is using, the server will pick one from the list of configured adapters. Following are examples of profiles (SQLNET.ORA) using multiple authentication adapters.

Server Side

The profile for the Oracle server that uses either SecurID or CyberSAFE for authentication must contain the line:

	SQLNET.AUTHENTICATION_SERVICES=(SECURID,CYBERSAFE)

Client Side Using SecurID

The profile for the Oracle client that uses SecurID must contain the line:

		SQLNET.AUTHENTICATION_SERVICES=(SECURID)

Using this configuration, the Oracle server will accept connections from clients using SecurID for the authentication service. This gives you flexibility in your network configuration.

Client Side Using CyberSAFE

The profile for the Oracle client that uses CyberSAFE must contain the line:

		SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)

Using this configuration, the Oracle server will accept connections from clients using CyberSAFE for the authentication service. This gives you flexibility in your network configuration.

7.3 Set Up an Oracle Client to Use Multiple Authentication Services

This section describes how to set up clients to use multiple authentication adapters. Depending on which authentication adapter the server is configured to use, the client will pick one from the list of configured adapters. The following is an example of a profile using multiple authentication adapters.

Attention: Use the Oracle Net8 Assistant to modify your profile.

Client Side

The profile for the Oracle client that uses either SecurID or CyberSAFE for authentication must contain the line:

	SQLNET.AUTHENTICATION_SERVICES=(SECURID,CYBERSAFE)

Server Side Using SecurID

The profile for the Oracle server that uses SecurID to authenticate users must contain the line:

		SQLNET.AUTHENTICATION_SERVICES=(SECURID)

Server Side Using CyberSAFE

The profile for the Oracle server that uses CyberSAFE to authenticate users must contain the line:

		SQLNET.AUTHENTICATION_SERVICES=(CYBERSAFE)

Using this configuration, the Oracle client can connect to multiple Oracle servers using different authentication services.

7.4 Use the Oracle Net8 Assistant to Set Up Multiple Authentication Services

You can use the Oracle Net8 Assistant to set up multiple authentication services on both client and server machines. Refer to Figure 7-2, "Set Up Multiple Authentication Services Using Oracle Net8 Assistant", for a sample Oracle Net8 Assistant window you use to set up multiple authentication services on clients and servers. The following instructions apply to both clients and servers.

1. Click the Profile folder on the Oracle Net8 Assistant Object Tree.
2. Click the Authentication tab in the right Properties window.
3. Click a service listed in the Available Services area.
4. Click [<] to transfer the selected service to the Selected Services area.
5. Repeat steps 3 and 4 above until you have added all your required services to the Selected Services area.
6. Arrange the authentication services in the order of desired use by clicking a service and clicking either [Promote] or [Demote].
7. Authentication will occur starting with the first service listed at the top of the Selected Services list.

   Figure 7-2 Set Up Multiple Authentication Services Using Oracle Net8 Assistant

   

---