Oracle® Database Security Guide
12c Release 1 (12.1)

E17607-26

20 Customizing the Use of Strong Authentication

This chapter contains:

About Configuring Multiple Authentication Methods

This chapter describes how to configure multiple authentication methods under Oracle Database network encryption and strong authentication, and how to use conventional user name and password authentication, even if you have configured another authentication method. This chapter also describes how to configure your network so that Oracle clients can use a specific authentication method and Oracle servers can accept any method specified.

Connecting with User Name and Password

To connect to an Oracle database server using a user name and password when Oracle network encryption and a strong authentication method have been configured, disable the external authentication (refer to "Disabling Network Encryption and Strong Authentication").

With the external authentication disabled, a user can connect to a database using the following format:

% sqlplus username@net_service_name
Enter password: password

For example:

% sqlplus hr@emp
Enter password: password

Note:

You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database.

Disabling Network Encryption and Strong Authentication

To disable authentication methods:

  1. Start Oracle Net Manager.

    • (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line:

      netmgr
      
    • (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.

  2. Expand Oracle Net Configuration, and from Local, select Profile.

  3. From the Naming list, select Network Security.

    The Network Security tabbed window appears.

  4. Select the Authentication tab (which is selected by default).

  5. Sequentially move all authentication methods from the Selected Methods list to the Available Methods list by selecting a method and choosing the left arrow [<].


  6. From the File menu, select Save Network Configuration.

    The sqlnet.ora file is updated with the following entry:

    SQLNET.AUTHENTICATION_SERVICES = (NONE)
    

    Be aware that in a multitenant environment, the settings in the sqlnet.ora file apply to all pluggable databases (PDBs).

Configuring Multiple Authentication Methods

Many networks use more than one authentication method on a single security server. Accordingly, Oracle Database lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.

You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the sqlnet.ora file.

Use Oracle Net Manager to add authentication methods to both clients and servers.

To configure multiple authentication methods:

  1. Start Oracle Net Manager.

    • (UNIX) From $ORACLE_HOME/bin, enter the following command at the command line:

      netmgr
      
    • (Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and Migration Tools, then Net Manager.

  2. Expand Oracle Net Configuration, and from Local, select Profile.

  3. From the Naming list, select Network Security.

    The Network Security tabbed window appears.

  4. Select the Authentication tab.

  5. Select a method listed in the Available Methods list.

  6. Sequentially move selected methods to the Selected Methods list by clicking the right arrow (>).

  7. Arrange the selected methods in order of desired use.

    To do this, select a method in the Selected Methods list, and select Promote or Demote to position it in the list.

  8. From the File menu, select Save Network Configuration.

    The sqlnet.ora file is updated with the following entry, listing the selected authentication methods:

    SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5, RADIUS)
    

Note:

SecurID functionality is available through RADIUS; RADIUS support is built into the RSA ACE/Server.

See Also:

Chapter 19, "Configuring RADIUS Authentication" for more information

Configuring Oracle Database for External Authentication

This section describes the parameters you must set to configure Oracle Database for network authentication, using the following tasks:

See Also:

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in the sqlnet.ora File

You must set the following parameter in the sqlnet.ora file for all clients and servers to enable each to use a supported authentication method:

SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)

For example, for all clients and servers using Kerberos authentication, the sqlnet.ora parameter must be set as follows:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)

By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory or in the location set by the TNS_ADMIN environment variable. Ensure that you have properly set the TNS_ADMIN variable to point to the correct sqlnet.ora file. See SQL*Plus User's Guide and Reference for more information and examples of setting the TNS_ADMIN variable.
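As an added example (not code from the Oracle documentation), the following Python resolves which sqlnet.ora an Oracle client reads, using the TNS_ADMIN precedence described above, and parses SQLNET.AUTHENTICATION_SERVICES from it, so the configured methods, or the (NONE) value left by the disabling procedure, can be checked without opening Net Manager. The sample file content and paths are constructed, and the lookup assumes UNIX-style paths.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Constructed sqlnet.ora content resembling what Net Manager writes after the
# procedures above (not a file shipped with Oracle Database).
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora Network Configuration File
SQLNET.EXPIRE_TIME = 10
sqlnet.authentication_services = (KERBEROS5, RADIUS)   # tried in this order
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""

# Parameter name and values are case-insensitive; the value list is normally
# parenthesised, but a single bare value is accepted as well.
_AUTH_SERVICES_RE = re.compile(
    r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^()]*)\)?\s*$", re.IGNORECASE
)

def resolve_sqlnet_ora(env: Dict[str, str]) -> Optional[str]:
    """Path of the sqlnet.ora the client reads: TNS_ADMIN wins when set,
    otherwise ORACLE_HOME/network/admin (the default location named above)."""
    if env.get("TNS_ADMIN"):
        return posixpath.join(env["TNS_ADMIN"], "sqlnet.ora")
    if env.get("ORACLE_HOME"):
        return posixpath.join(env["ORACLE_HOME"], "network", "admin", "sqlnet.ora")
    return None  # neither variable set: no location can be derived

def authentication_services(sqlnet_text: str) -> List[str]:
    """SQLNET.AUTHENTICATION_SERVICES methods in configured order, upper-cased;
    [] when the parameter is absent from the file."""
    for raw in sqlnet_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        match = _AUTH_SERVICES_RE.match(line)
        if match:
            return [v.strip().upper() for v in match.group(1).split(",") if v.strip()]
    return []

def external_auth_enabled(methods: List[str]) -> bool:
    """False for the (NONE) value written by the disabling procedure above,
    after which only user name and password authentication remains."""
    return bool(methods) and methods != ["NONE"]

if __name__ == "__main__":
    print("sqlnet.ora in effect:", resolve_sqlnet_ora({"ORACLE_HOME": "/u01/app/oracle"}))
    methods = authentication_services(SAMPLE_SQLNET_ORA)
    print("methods:", methods, "external auth enabled:", external_auth_enabled(methods))
```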

Setting OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows:

OS_AUTHENT_PREFIX=""

Note:

The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.

Caution:

If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL (" "), then do not change it, because it can inhibit previously created, externally identified users from connecting to the Oracle server.

To create a user, start SQL*Plus as a user who has been granted the CREATE USER system privilege and enter the following:

SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;

When OS_AUTHENT_PREFIX is set to a null value (" "), enter the following to create the user king:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;

The advantage of creating a user in this way is that you no longer need to maintain different user names for externally identified users. This is true for all supported authentication methods.
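As an added example (not Oracle's code or documentation), the following Python makes the trade-off in this section concrete: it derives the Oracle user name that OS_AUTHENT_PREFIX and the externally supplied name combine to, checks it against the 30-character limit, and builds the corresponding CREATE USER ... IDENTIFIED EXTERNALLY statement. The external names are constructed; the unquoted-identifier rule and the quoting of other names are standard Oracle SQL behaviour rather than something this page states.

```python
import re

# Limit stated in the section above for Oracle user names in this release;
# counting characters assumes single-byte names.
ORACLE_USER_NAME_MAX = 30

# Identifiers Oracle accepts unquoted: a letter, then letters, digits, '_', '$'
# or '#'. Anything else (a name containing '@', say) needs a quoted identifier.
_PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")

def effective_db_user(os_authent_prefix: str, external_name: str) -> str:
    """Oracle user name an externally identified user maps to: the
    OS_AUTHENT_PREFIX value followed by the authentication service's name."""
    return os_authent_prefix + external_name

def fits_name_limit(db_user: str) -> bool:
    """True when the combined name stays within the 30-character limit."""
    return len(db_user) <= ORACLE_USER_NAME_MAX

def create_user_statement(os_authent_prefix: str, external_name: str) -> str:
    """Build the CREATE USER ... IDENTIFIED EXTERNALLY statement for the given
    prefix and external name, quoting the identifier when needed and refusing
    a combined name over the limit rather than emitting a failing statement."""
    db_user = effective_db_user(os_authent_prefix, external_name)
    if not fits_name_limit(db_user):
        raise ValueError(f"{db_user!r} is {len(db_user)} characters; "
                         f"the limit is {ORACLE_USER_NAME_MAX}")
    if _PLAIN_IDENTIFIER.match(db_user):
        identifier = db_user
    else:
        identifier = '"' + db_user.replace('"', '""') + '"'
    return f"CREATE USER {identifier} IDENTIFIED EXTERNALLY;"

if __name__ == "__main__":
    # Null prefix, as the section recommends: reproduces the 'king' example.
    print(create_user_statement("", "king"))
    # Default prefix OPS$ plus a constructed 27-character service name gives
    # 31 characters, so the statement is refused.
    try:
        create_user_statement("OPS$", "svc_reporting_batch_user_01")
    except ValueError as err:
        print("rejected:", err)
```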