Oracle Advanced Security Administrator's Guide Release 8.1.6 A76932-01
DCE Generic Security Services Application Programming Interface (GSSAPI) authentication enables you to use DCE authentication even if you do not use other components of the Oracle DCE Integration product in your environment.
This chapter describes how to configure and use DCE GSSAPI authentication.
Note: If you are already using Oracle DCE Integration, you do not also have to use the DCE GSSAPI authentication adapter. The Oracle DCE Integration product, described in Part II, "Oracle DCE Integration", includes DCE authentication.
Note: The instructions in this chapter assume that you are familiar with DCE terminology. For more information about DCE, see:
To configure DCE GSSAPI authentication you follow these four general steps, each of which is explained below:
Task 1: Create the DCE Principal
Task 2: Configure the New DCE Principal and Enable DCE GSSAPI Authentication
Task 3: Set up the Account for Authenticating to the Database
Task 4: Connect to an Oracle Server using DCE GSSAPI Authentication
To create the DCE principal used by the Oracle server to validate authentication, enter the commands shown below. These instructions assume the Oracle server principal is named oracle_server.
Enter the following commands on the database server.
% su
password: (root password is not echoed)
# dce_login cell_admin cell_admin_password
# rgy_edit
Current site is: registry server at /.../cellname/subsys/dce/sec/master
rgy_edit=> do p
Domain changed to: principal
rgy_edit=> add oracle_server
rgy_edit=> do a
Domain changed to: account
rgy_edit=> add oracle_server -g none -o none -pw oracle_server_password -mp cell_admin_password
rgy_edit=> ktadd -p oracle_server -pw oracle_server_password
rgy_edit=> quit
bye
The following instructions assume that the Oracle server principal is named oracle_server. This must be a fully qualified name, including the cell name.
Add the following lines to the sqlnet.ora file.
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=/.../cellname/oracle_server
SQLNET.AUTHENTICATION_SERVICES=(DCEGSSAPI)
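A quick check for the two settings above, as an added example that is not part of the Oracle guide: it reads a sqlnet.ora and confirms that SQLNET.AUTHENTICATION_GSSAPI_SERVICE has the fully qualified /.../cellname/principal form and that DCEGSSAPI is listed in SQLNET.AUTHENTICATION_SERVICES. The function names and the sample files are constructed for illustration, and the script assumes one parameter per line, # comments, and case-insensitive parameter names.

```shell
#!/bin/sh
# Added example: verify the two sqlnet.ora settings for DCE GSSAPI.
# Assumptions: one parameter per line, '#' starts a comment, names are
# case-insensitive. Function names are hypothetical.

# Print the value of parameter $2 in file $1, whitespace removed.
sqlnet_param() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/[ \t\r]/, "", val)
            if (toupper(name) == toupper(want)) found = val
        }
        END { print found }' "$1"
}

# Return 0 only if file $1 enables DCEGSSAPI with a fully qualified service.
check_dcegssapi() {
    rc=0
    svc=$(sqlnet_param "$1" SQLNET.AUTHENTICATION_GSSAPI_SERVICE)
    auth=$(sqlnet_param "$1" SQLNET.AUTHENTICATION_SERVICES)
    # Fully qualified means /.../<cellname>/<principal>, both non-empty.
    case "$svc" in
        /.../?*/?*) ;;
        "") echo "FAIL: SQLNET.AUTHENTICATION_GSSAPI_SERVICE is not set"; rc=1 ;;
        *)  echo "FAIL: '$svc' is not of the form /.../cellname/principal"; rc=1 ;;
    esac
    # DCEGSSAPI must appear as a whole element of the adapter list.
    list=$(printf '%s' "$auth" | tr 'a-z' 'A-Z' | tr -d '()')
    case ",$list," in
        *,DCEGSSAPI,*) ;;
        *) echo "FAIL: DCEGSSAPI not in SQLNET.AUTHENTICATION_SERVICES"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed sample files; cellname and oracle_server are the page's placeholders.
tmp=$(mktemp -d)
printf '%s\n' 'SQLNET.AUTHENTICATION_GSSAPI_SERVICE=/.../cellname/oracle_server' \
    'SQLNET.AUTHENTICATION_SERVICES=(DCEGSSAPI)' > "$tmp/good.ora"
printf '%s\n' 'sqlnet.authentication_gssapi_service = oracle_server' \
    '# SQLNET.AUTHENTICATION_SERVICES=(DCEGSSAPI)' > "$tmp/bad.ora"
check_dcegssapi "$tmp/good.ora"
check_dcegssapi "$tmp/bad.ora" || true
```

The second sample fails both checks: its service principal lacks the cell name, and the adapter line is commented out.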
Create the DCE principal used by the Oracle client to connect to the database. The following instructions assume the Oracle client principal is named oracle.
Enter the following:
% dce_login cell_admin cell_admin_password
% rgy_edit
Current site is : registry server at /.../cellname/subsys/dce/sec/master
rgy_edit=> do p
Domain changed to: principal
rgy_edit=> add oracle
rgy_edit=> do a
Domain changed to: account
rgy_edit=> add oracle -g none -o none -pw oracle_client_password -mp cell_admin_password
rgy_edit=> quit
bye
Create the Oracle database user account. The following instructions show how to use SQL*Plus to do this.
Enter the following:
sqlplus
SQL> connect internal
Connected
SQL> create user "/.../CELLNAME/ORACLE" identified externally;
Statement processed.
SQL> grant connect to "/.../CELLNAME/ORACLE";
Statement processed.
SQL> exit
The following instructions assume the Oracle server principal is oracle_server, the Oracle client principal is oracle, and the database service name is sales.
% dce_login oracle_client_principal oracle_client_password
For example:
% dce_login oracle oraclnt
% sqlplus /@<database_service_name>
For example:
% sqlplus /@sales
Copyright © 1999 Oracle Corporation. All Rights Reserved.