Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


B Authentication Parameters

This appendix shows sample configuration files with the profile (sqlnet.ora) and database initialization file authentication parameters required when using CyberSafe, Kerberos, SecurID, RADIUS, or SSL authentication. It includes the following sections:

Parameters for Clients and Servers using CyberSafe Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using CyberSafe.

Table B-1 CyberSafe Configuration Parameters

File Name: sqlnet.ora

Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(cybersafe)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM

File Name: initialization parameter file

Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Identix Authentication

The following sections describe the parameters for Identix authentication.

sqlnet.ora File Parameters

SQLNET.IDENTIX_USE_MD5HASH
Table B-2 SQLNET.IDENTIX_USE_MD5HASH

Description 

The server uses MD5 hashing to validate the authentication decision made on the client PC: values are YES and NO. 

Default 

YES 

SQLNET.IDENTIX_KEY_INDEX
Table B-3 SQLNET.IDENTIX_KEY_INDEX

Description 

The Identix key index the client uses when it generates its MD5 checksum: 0 <= value <= 256. 

Default 

SQLNET.IDENTIX_VERIFICATION_THRESHOLD
Table B-4 SQLNET.IDENTIX_VERIFICATION_THRESHOLD

Description 

This parameter specifies the verification threshold the server expects its Identix clients to use during fingerprint verification: 0 <= value <= 256. 

Default 

SQLNET.IDENTIX_FINGERPRINT_METHOD
Table B-5 SQLNET.IDENTIX_FINGERPRINT_METHOD

Description 

This parameter specifies the storage method used for storing fingerprint template files: format = [file/oracle] 

Default 

None 

SQLNET.IDENTIX_DATABASE_DIRECTORY
Table B-6 SQLNET.IDENTIX_DATABASE_DIRECTORY

Description 

This parameter specifies the directory in which the fingerprint templates are stored when the file storage method is used: format = <path-to-file>.

Default 

None 

SQLNET.IDENTIX_FINGERPRINT_DATABASE
Table B-7 SQLNET.IDENTIX_FINGERPRINT_DATABASE

Description 

This parameter specifies the SQL*Net database alias used by the Oracle fingerprint storage method: format = <db-alias>.

Default 

None 

SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER
Table B-8 SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER

Description 

This parameter specifies the database user when using the Oracle fingerprint storage method: format = <username>. 

Default 

None 

SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD
Table B-9 SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD

Description 

This parameter specifies the database password when using the Oracle fingerprint storage method: format = <password>. 

Default 

None 

Recommended Minimum Sets of Identix Parameters

Following are two sets of parameters, one for the Oracle database method and one for the file system method. Each is the minimum set of Identix parameters you need to define for that method.

Oracle Database Method

sqlnet.authentication_services = (beq, identix)
sqlnet.identix_fingerprint_method = oracle
sqlnet.identix_database_directory = identix_scanner
sqlnet.identix_fingerprint_database_user
sqlnet.identix_fingerprint_database_password

File System Method

sqlnet.authentication_services = (beq, identix)
sqlnet.identix_fingerprint_method = file
sqlnet.identix_database_directory = /etc/ofm_storage

Parameters for Clients and Servers using Kerberos Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.

Table B-10 Kerberos Authentication Parameters

File Name: sqlnet.ora

Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

File Name: initialization parameter file

Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SecurID Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using SecurID.

Table B-11 SecurID Authentication Parameters

File Name: sqlnet.ora

Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(securid)

File Name: initialization parameter file

Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using RADIUS Authentication

The following sections describe the parameters for RADIUS authentication.

sqlnet.ora File Parameters

SQLNET.AUTHENTICATION_SERVICES
Table B-12 SQLNET.AUTHENTICATION_SERVICES

Description 

Configure the client or the server to use the RADIUS adapter: value = radius. 

Default 

None 

SQLNET.RADIUS_AUTHENTICATION
Table B-13 SQLNET.RADIUS_AUTHENTICATION

Description 

Sets the location of the primary RADIUS server, as either a host name or an IP address in dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine: format = IP_address_of_RADIUS_server.

Default 

localhost 

SQLNET.RADIUS_AUTHENTICATION_PORT
Table B-14 SQLNET.RADIUS_AUTHENTICATION_PORT

Description 

To set the listening port of the primary RADIUS server.  

Default 

1645 

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Table B-15 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

Description 

To set the time to wait for response. 

Default 

SQLNET.RADIUS_AUTHENTICATION_RETRIES
Table B-16 SQLNET.RADIUS_AUTHENTICATION_RETRIES

Description 

To set the number of times to re-send. 

Default 

SQLNET.RADIUS_SEND_ACCOUNTING
Table B-17 SQLNET.RADIUS_SEND_ACCOUNTING

Description 

Turns accounting ON or OFF. If you enable accounting, packets are sent to the active RADIUS server at the listening port plus one; the default port is 1646. Turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user logs on to the system.

Default 

OFF 

SQLNET.RADIUS_SECRET
Table B-18 SQLNET.RADIUS_SECRET

Description 

The file name and location of the RADIUS secret key. 

Default 

$ORACLE_HOME/network/security/radius.key 

SQLNET.RADIUS_ALTERNATE
Table B-19 SQLNET.RADIUS_ALTERNATE

Description 

Sets the location of the alternate RADIUS server, which is used if the primary server becomes unavailable. This feature is OFF by default. To set up a second RADIUS server for fault tolerance, specify the host name or the IP address of the host on which the second RADIUS server is located.

Default 

NONE 

SQLNET.RADIUS_ALTERNATE_PORT
Table B-20 SQLNET.RADIUS_ALTERNATE_PORT

Description 

To set the listening port for the alternate RADIUS server. 

Default 

1645 

SQLNET.RADIUS_ALTERNATE_TIMEOUT
Table B-21 SQLNET.RADIUS_ALTERNATE_TIMEOUT

Description 

To set the time to wait for response. 

Default 

5 

SQLNET.RADIUS_ALTERNATE_RETRIES
Table B-22 SQLNET.RADIUS_ALTERNATE_RETRIES

Description 

To set the number of times to re-send messages. 

Default 

3 

SQLNET.RADIUS_CHALLENGE_RESPONSE
Table B-23 SQLNET.RADIUS_CHALLENGE_RESPONSE

Description 

To turn challenge/response support ON/OFF. 

Default 

OFF 

SQLNET.RADIUS_CHALLENGE_KEYWORD
Table B-24 SQLNET.RADIUS_CHALLENGE_KEYWORD

Description 

Sets the keyword used to request a challenge from the RADIUS server; the user types no password on the client.

Default 

challenge 

SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Table B-25 SQLNET.RADIUS_AUTHENTICATION_INTERFACE

Description 

To set the name of the Java class that contains the graphical user interface when RADIUS is in the challenge-response (asynchronous) mode. 

Default 

DefaultRadiusInterface 

SQLNET.RADIUS_CLASSPATH
Table B-26 SQLNET.RADIUS_CLASSPATH

Description 

If you use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface that requests first a password and then additional information, for example a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter to the sqlnet.ora file to set the path to the Java classes for that graphical interface.

Default 

There is no default. You must add this parameter to the sqlnet.ora file. 

Recommended Minimum Sets of RADIUS Parameters

Following are two sets of sample sqlnet.ora file RADIUS authentication parameters: one for "Static User Name and Password" and the other for "Challenge Response Mode".

Static User Name and Password

The following sample sqlnet.ora file shows the minimum set of RADIUS authentication parameters you need to configure for static user name and password PAP mode authentication with no accounting.

sqlnet.authentication_services = (radius)
sqlnet.radius_authentication = IP-address-of-RADIUS-server
sqlnet.radius_secret = $ORACLE_HOME/network/security/radius.key (default value)

Challenge Response Mode

The following sample sqlnet.ora file shows the minimum set of RADIUS authentication parameters you need to configure for challenge response mode authentication using token cards or biometric authentication methods.

sqlnet.authentication_services = (radius)
sqlnet.radius_authentication = IP-address-of-RADIUS-server
sqlnet.radius_challenge_response = ON
sqlnet.radius_secret = $ORACLE_HOME/network/security/radius.key (default value)
sqlnet.radius_authentication_interface = oracle/net/radius/DefaultRadiusInterface (default value)
sqlnet.radius_classpath = $ORACLE_HOME/jlib/netradius.jar (default value)

Initialization File Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SSL

There are two ways to configure a parameter:

Authentication Parameters

Table B-27 SSL Authentication Parameters

Parameter Name (static): SQLNET.AUTHENTICATION_SERVICES
Parameter Name (dynamic): AUTHENTICATION
Parameter Type: String LIST
Parameter Class: Static
Allowable Values: Add TCPS to the list of available authentication services.
Default Value: No default value.
Description: To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type.
Existing/New Parameter: Existing
Syntax (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)
Example (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe, securid)
Syntax (dynamic): AUTHENTICATION = string
Example (dynamic): AUTHENTICATION = (TCPS)

Cipher Suites

Table B-28 Cipher Suite Parameters

Parameter Name (static): SSL_CIPHER_SUITES
Parameter Name (dynamic): SSL_CIPHER_SUITES
Parameter Type: String LIST
Parameter Class: Static
Allowable Values: Any known SSL cipher suite
Default Value: No default
Description: Controls the combination of encryption and data integrity used by SSL.
Existing/New Parameter: New
Syntax (static): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (static): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
Syntax (dynamic): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (dynamic): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Supported SSL Cipher Suites

Oracle Advanced Security supports the following cipher suites:

SSL Version

Table B-29 SSL Version Parameters

Parameter Name (static): SSL_VERSION
Parameter Name (dynamic): SSL_VERSION
Parameter Type: string
Parameter Class: Static
Allowable Values: Any version valid for SSL (0, 3.0)
Default Value: "0"
Description: To force the version of the SSL connection.
Existing/New Parameter: New
Syntax (static): SSL_VERSION=version
Example (static): SSL_VERSION=3.0
Syntax (dynamic): SSL_VERSION=version
Example (dynamic): SSL_VERSION=3.0

SSL Client Authentication

Table B-30 SSL Client Authentication Parameters

Parameter Name (static): SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic): SSL_CLIENT_AUTHENTICATION
Parameter Type: Boolean
Parameter Class: Static
Allowable Values: TRUE/FALSE
Default Value: TRUE
Description: To control whether a client, in addition to the server, is authenticated using SSL.
Existing/New Parameter: New
Syntax (static): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (static): SSL_CLIENT_AUTHENTICATION=FALSE
Syntax (dynamic): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (dynamic): SSL_CLIENT_AUTHENTICATION=FALSE

Wallet Location

For any application that needs to access a wallet for loading the security credentials into the process space, you must specify the wallet location in the parameter file it reads. The syntax of the parameter for static configuration is as follows:

oss.source.my_wallet =
  (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
      (DIRECTORY=your wallet location)
    )
  )

The dynamic way of specifying this parameter is:

MY_WALLET_DIRECTORY = your_wallet_dir

The default wallet location is the $ORACLE_HOME directory.
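As an added example (not code from the Oracle guide), the following Python audit parses a sqlnet.ora/init.ora fragment and checks the SSL and OS-authentication settings documented in this appendix: REMOTE_OS_AUTHENT=FALSE, OS_AUTHENT_PREFIX="", SSL_CLIENT_AUTHENTICATION, SSL_VERSION and SSL_CIPHER_SUITES. Both sample fragments are constructed, and the 3DES cipher suite name is a standard SSL 3.0 identifier used only as an illustrative value, not one this guide lists.

```python
# Constructed sample, not from the Oracle guide: settings left at permissive values.
WEAK_CONFIG = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_DH_DSS_WITH_DES_CBC_SHA)
REMOTE_OS_AUTHENT = TRUE
OS_AUTHENT_PREFIX = "OPS$"
"""
# Constructed hardened counterpart (the 3DES suite name is a standard SSL 3.0 id).
HARDENED_CONFIG = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA)
REMOTE_OS_AUTHENT = FALSE
OS_AUTHENT_PREFIX = ""
"""

def parse_sqlnet(text):
    """Parse single-line KEY = value / KEY = (a, b) entries; the multi-line wallet block is skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):  # list value, items upper-cased
            params[key.strip().upper()] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:  # scalar value; a quoted value such as "" loses its quotes
            params[key.strip().upper()] = value.strip('"')
    return params

def audit(params):
    # Findings follow the recommended values given in the tables of this appendix.
    findings = []
    if params.get("REMOTE_OS_AUTHENT", "").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT is not FALSE")
    if params.get("OS_AUTHENT_PREFIX") != "":
        findings.append('OS_AUTHENT_PREFIX is not ""')
    if "TCPS" in params.get("SQLNET.AUTHENTICATION_SERVICES", []):
        if params.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() != "TRUE":
            findings.append("SSL_CLIENT_AUTHENTICATION=FALSE: only the server is authenticated")
        if params.get("SSL_VERSION", "0") == "0":
            findings.append("SSL_VERSION=0: no SSL version is forced")
        for suite in params.get("SSL_CIPHER_SUITES", []):
            if "_DES_" in suite:  # single DES, 56-bit key
                findings.append("single-DES cipher suite: " + suite)
    return findings
```

Running audit(parse_sqlnet(WEAK_CONFIG)) reports five findings, while the hardened fragment reports none.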


Copyright © 1999 Oracle Corporation. All Rights Reserved.