|Oracle Advanced Security Administrator's Guide
Release 2 (9.2)
Part Number A96573-01
This chapter describes how to configure multiple authentication methods under Oracle Advanced Security, and how to use conventional user name and password authentication, even if you have configured another authentication method. This also chapter describes how to configure your network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.
This chapter contains the following topics:
To connect to an Oracle database server using a user name and password when an Oracle Advanced Security authentication method has been configured, disable the external authentication (See: Disabling Oracle Advanced Security Authentication ).
With the external authentication disabled, a user can connect to a database using the following format:
You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database.
To disable authentication methods:
sqlnet.ora file is updated with the following entry:
Many networks use more than one authentication method on a single security server. Accordingly, Oracle Advanced Security lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.
You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the
To add authentication methods to both clients and servers:
The Oracle Advanced Security tabbed window appears (Figure 9-1).
sqlnet.ora file is updated with the following entry, listing the selected authentication methods:
SQLNET.AUTHENTICATION_SERVICES = (RADIUS|CYBERSAFE|KERBEROS5)
This section describes the parameters you must set to configure Oracle9i for network authentication, using the following tasks:
The following parameter must be set in the sqlnet.ora file for all clients and servers to enable each to use a supported authentication method:
For example, for all clients and servers using Kerberos authentication, the sqlnet.ora parameter must be set as follows:
To verify that REMOVE_OS_AUTHENT is not set to TRUE, add the following parameter to the initialization file--in each database instance--when you configure the authentication method:
Setting REMOTE_OS_AUTHENT to TRUE can cause a security exposure, because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly referred to as an OPS$ login).
If REMOTE_OS_AUTHENT is set to
FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation fails and the connection terminates.
If the parameter is set as follows in the sqlnet.ora file on either the client or server, the database attempts to use the supplied user name and password to login the user:
If REMOTE_OS_AUTHENT is set to
FALSE, however, the connection fails.
Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle Corporation strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows:
If a database already has the
To create a user, launch SQL*Plus and enter the following:
OS_AUTHENT_PREFIX is set to a null value (" "), enter the following to create the user king:
The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally identified users. This is true for all supported authentication methods.