Oracle Advanced Security Administrator's Guide Release 8.1.6 A76932-01
This chapter discusses how to configure Oracle and Net8 to use Oracle DCE Integration after it has been successfully installed. The following sections describe the tasks you must perform for servers and clients.
DCE addresses in the listener.ora and tnsnames.ora configuration files are defined by DCE parameters. The parameters consist of both mandatory and optional fields, which are described below:

```
(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=server_name)(CELL_NAME=cell_name)(SERVICE=dce_service_name))
```
DCE address parameters and definitions are listed in Table 14-1.
You can specify a service as follows:

```
SERVICE=/.../cell_name/subsys/oracle/service_registry/dce_service_name
```

or

```
SERVICE=dce_service_name
```

provided that CELL_NAME=cell_name is also specified.

You can also specify the following:

```
SERVICE=dce_service_name
```

in which case the cell name defaults to the local cell. However, this way of specifying service names only works well if you are working within a single cell.
To configure a server for DCE Integration, you need to configure the following Net8 files with DCE address and parameter information:
A profile (sqlnet.ora) and protocol.ora must be configured for servers in distributed systems that need to make database link connections to other servers.
Use the Net8 Assistant to create the necessary configuration files. For explanations of the configuration files, see the Net8 Administrator's Guide.
Note: For a database server to receive connections from Net8 clients in a DCE environment, there must be a Net8 listener active on the server platform. A listener listens for connections on a network address that is defined in the listener configuration file, listener.ora.
The SERVER_PRINCIPAL parameter designates what DCE principal the listener should be running under. In the sample below, the listener is running under principal oracle.
The following is a sample DCE address as it would appear in the listener.ora file.

```
LSNR_DCE=
  (ADDRESS=
    (PROTOCOL=DCE)
    (SERVER_PRINCIPAL=oracle)
    (CELL_NAME=cell1)
    (SERVICE=dce_svc))

SID_LIST_LSNR_DCE=
  (SID_DESC=
    (SID_NAME=ORASID)
    (ORACLE_HOME=/private/oracle8))
```
To use DCE authentication for logging onto the Oracle database, you must create database accounts that are authenticated externally.
To enable secure external authentication, set the following parameters:

```
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
mts_dispatchers="dce, 3"
```
If users are connecting within a local cell, use the following format.

```
SQL> CREATE USER server_principal IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO server_principal;
```

For example:

```
SQL> CREATE USER oracle IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO oracle;
```

If connecting to the database across multiple cells, specify both the cell_name and the server_principal.

```
SQL> CREATE USER "CELL_NAME/SERVER_PRINCIPAL" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CELL_NAME/SERVER_PRINCIPAL";
```

For example:

```
SQL> CREATE USER "CELL1/ORACLE" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CELL1/ORACLE";
```
More Information: For more information on external authentication, see Oracle8i Distributed Database Systems.
This section explains the steps you follow to set up external roles for DCE integration, and how to connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials.
Perform the following steps to set up external roles for DCE Integration:

```
OS_ROLES=TRUE
```

```
ORA_global_name_role[_[a][d]]
```

Table 14-2 provides a list of the syntax components.
The following is sample output from the dce_login and klist commands:

```
% dce_login oracle
Enter Password:
% klist
DCE Identity Information:
    Warning: Identity information is not certified
    Global Principal: /.../ilab1/oracle
    Cell:      001c3f90-01f5-1f72-ba65-02608c2c84f3 /.../ilab1
    Principal: 00000068-0568-2f72-bd00-02608c2c84f3 oracle
    Group:     0000000c-01f5-2f72-ba01-02608c2c84f3 none
Local Groups:
    0000000c-01f5-2f72-ba01-02608c2c84f3 none
    0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server
    00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
    00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d
    00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
    00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
    . . .
```
The following is sample output showing a listing of external roles (DBA, CONNECT, RESOURCE, and ROLE1) that have been mapped to DCE groups.

```
SQL> SELECT * FROM session_roles;

ROLE
------------------------------
CONNECT
RESOURCE
ROLE1

SQL> SET ROLE all;

Role set.

SQL> SELECT * FROM session_roles;

ROLE
------------------------------
DBA
EXP_FULL_DATABASE
IMP_FULL_DATABASE
CONNECT
RESOURCE
ROLE1

6 rows selected.

SQL> EXIT
```
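As an added illustration that is not part of this guide, the following Python script maps DCE group names of the ORA_global_name_role[_[a][d]] form, as they appear in the Local Groups part of the klist listing above, to the Oracle external roles they confer and to their default (_d) and admin (_a) flags. It also builds the group name for a given role, which is the name you would create with rgy_edit. The input is a constructed copy of the group lines shown above; the parser assumes that the global name contains no underscore (the role name may).

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample: the Local Groups lines of a klist listing (UUID, then
# group name), copied from the example in this chapter.
SAMPLE_KLIST_GROUPS = """\
0000000c-01f5-2f72-ba01-02608c2c84f3 none
0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server
00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d
00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
"""


class ExternalRole(NamedTuple):
    global_name: str  # database global name, e.g. dce222
    role: str         # Oracle role name, upper-cased
    admin: bool       # "a" suffix: role held WITH ADMIN OPTION
    default: bool     # "d" suffix: role enabled at logon without SET ROLE


# ORA_<global_name>_<role>[_[a][d]], case-insensitive. Assumption of this
# parser: <global_name> contains no underscore, so the first "_" ends it.
_GROUP_RE = re.compile(r"^ora_([^_]+)_(.+?)(?:_(a?d?))?$", re.IGNORECASE)


def parse_group(name: str) -> Optional[ExternalRole]:
    """Return the external role encoded in one DCE group name, or None."""
    m = _GROUP_RE.match(name)
    if not m:
        return None
    suffix = (m.group(3) or "").lower()
    return ExternalRole(m.group(1).lower(), m.group(2).upper(),
                        "a" in suffix, "d" in suffix)


def parse_external_roles(klist_groups: str, global_name: str) -> List[ExternalRole]:
    """Collect the roles granted for one database from klist group lines.
    Lines that are not "<uuid> <group>" or whose group does not match the
    ORA_... pattern for this global name are ignored."""
    roles = []
    for line in klist_groups.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        role = parse_group(parts[1])
        if role and role.global_name == global_name.lower():
            roles.append(role)
    return roles


def default_roles(roles: List[ExternalRole]) -> Set[str]:
    """Roles SELECT * FROM session_roles shows at logon (before SET ROLE)."""
    return {r.role for r in roles if r.default}


def all_roles(roles: List[ExternalRole]) -> Set[str]:
    """Directly mapped roles available after SET ROLE all."""
    return {r.role for r in roles}


def admin_roles(roles: List[ExternalRole]) -> Set[str]:
    """Roles the principal may grant to others."""
    return {r.role for r in roles if r.admin}


def group_name(global_name: str, role: str, admin: bool = False,
               default: bool = False) -> str:
    """Inverse of parse_group: the DCE group to create for a role."""
    suffix = ("a" if admin else "") + ("d" if default else "")
    base = f"ora_{global_name.lower()}_{role.lower()}"
    return f"{base}_{suffix}" if suffix else base


if __name__ == "__main__":
    granted = parse_external_roles(SAMPLE_KLIST_GROUPS, "dce222")
    print("at logon:      ", sorted(default_roles(granted)))
    print("after SET ROLE:", sorted(all_roles(granted)))
    print("admin option:  ", sorted(admin_roles(granted)))
```

Run against the sample, the logon set is CONNECT, RESOURCE and ROLE1, which matches the first session_roles listing above; DBA joins after SET ROLE all. EXP_FULL_DATABASE and IMP_FULL_DATABASE appear in the guide's second listing because they are granted to the DBA role inside the database, not because they are mapped to DCE groups, so a mapping of group names alone does not show them.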
To connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials, perform the following steps:
```
$ dce_login cell_admin cell_admin password
$ rgy_edit
rgy_edit=> domain group
Domain changed to: group
rgy_edit=> add ora_dce222_dba_ad
rgy_edit=> add ora_dce222_operator_ad
rgy_edit=> member ora_dce222_dba_ad -a oracle
rgy_edit=> member ora_dce222_operator_ad -a oracle
```

The connect descriptor used in the remaining steps is defined in tnsnames.ora.

```
ORADCE=
  (DESCRIPTION=
    (ADDRESS=
      (PROTOCOL=DCE)
      (SERVER_PRINCIPAL=oracle)
      (CELL_NAME=cell1)
      (SERVICE=dce_svc))
    (CONNECT_DATA=
      (SID=ORASID)
      (GLOBAL_NAME=dce222)))
```

```
$ dce_login oracle oracle_password
$ klist
DCE Identity Information:
    Warning: Identity information is not certified
    Global Principal: /.../dce.dlsun685.us.oracle.com/oracle
    Cell:      00af8052-7e94-11d2-b261-9019b88baa77 /.../dce.dlsun685.us.oracle.com
    Principal: 0000006d-88b9-21d2-9300-9019b88baa77 oracle
    Group:     0000000c-7e94-21d2-b201-9019b88baa77 none
Local Groups:
    0000000c-7e94-21d2-b201-9019b88baa77 none
    0000006a-7e94-21d2-ad01-9019b88baa77 subsys/dce/cds-server
    00000076-8b53-21d2-9301-9019b88baa77 ora_dce222_dba_ad
    00000077-8b53-21d2-9301-9019b88baa77 ora_dce222_operator_ad
Identity Info Expires: 1998-12-04-10:28:22
Account Expires: never
Passwd Expires: never
Kerberos Ticket Information:
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_43ae2600
Default principal: oracle@dce.dlsun685.us.oracle.com
Server: krbtgt/dce.dlsun685.us.oracle.com@dce.dlsun685.us.oracle.com
    valid 1998-12-04-00:28:22 to 1998-12-04-10:28:22
Server: dce-rgy@dce.dlsun685.us.oracle.com
    valid 1998-12-04-00:28:22 to 1998-12-04-10:28:22
Server: dce-ptgt@dce.dlsun685.us.oracle.com
    valid 1998-12-04-00:28:26 to 1998-12-04-02:28:26
Client: dce-ptgt@dce.dlsun685.us.oracle.com
Server: krbtgt/dce.dlsun685.us.oracle.com@dce.dlsun685.us.oracle.com
    valid 1998-12-04-00:28:26 to 1998-12-04-02:28:26
Client: dce-ptgt@dce.dlsun685.us.oracle.com
Server: dce-rgy@dce.dlsun685.us.oracle.com
    valid 1998-12-04-00:28:27 to 1998-12-04-02:28:26
```

```
SQL> connect /@oradce as SYSDBA
```
To configure a client for DCE Integration, you need to configure the following Net8 files with DCE address and parameter information, as described in this section:
Typically, CDS is used for name resolution. Thus, a local naming configuration file (tnsnames.ora) is not used, except when loading names and addresses into CDS.
There are four DCE parameters located in the protocol.ora file. Each parameter begins with the prefix "DCE." to distinguish it from parameters relevant to other protocols. If default values are used for these four parameters, DCE Integration does not require a protocol.ora file. The parameters and their current defaults are as follows:
Configuration parameters are not case-sensitive: you can enter them in either uppercase or lowercase.
The DCE.AUTHENTICATION parameter is optional. It indicates the authentication value to be used for each DCE RPC. The client's DCE_AUTHENTICATION value must be the same as the server's DCE_AUTHENTICATION value. The options are as follows:

Option | Description |
---|---|
NONE | No authentication |
DCE_SECRET | DCE shared-secret key authentication (Kerberos); the default authentication level and recommended value |
DEFAULT | Cell default |
DCE.PROTECTION is an optional field that specifies the data integrity protection levels for data transmission. The client's DCE_PROTECTION level must be equal to or greater than the server's DCE_PROTECTION level. The options are as follows:
DCE.TNS_ADDRESS_OID is an optional parameter that enables you to specify an alternative to the default DCE.TNS_ADDRESS_OID as follows:

```
DCE.TNS_ADDRESS_OID=1.3.22.1.x.x
```

More Information: For information on how to determine if you must include this parameter and how to specify it, see "Modify the CDS Attributes File and Restart the CDS" in this chapter.
DCE.LOCAL_CELL_USERNAMES is an optional parameter that defines the format used to specify the principal name (username) either with or without the cell name.
The options are as follows:
Clients typically use CDS to resolve Oracle service names to addresses. Follow the instructions in this section to configure CDS.
To use CDS for name resolution, the DCE Integration CDS Naming Adapter must be installed on all clients and servers that use CDS. Also, the CDS namespace must have been configured for use by DCE Integration.
More Information: For instructions on how to install and configure the CDS Naming Adapter, see the DCE Integration installation instructions and "Task 3: Configure DCE CDS for Use by Oracle DCE Integration" in Chapter 13, "Configuring DCE for Oracle DCE Integration".
For example, a service name such as ORADCE and its network address can be stored in DCE CDS.
Users can typically connect to Oracle services using the familiar Oracle service name if there are no domains or the database is in the user's default domain, as in the following example:
sqlplus /@ORADCE
This example assumes that DCE externally-authenticated accounts are in use.
As an alternative name resolution service, use a local naming configuration file, tnsnames.ora, when CDS is inaccessible. To do so, locate names and addresses of all Oracle servers in the local tnsnames.ora file.
On all DCE machines where CDS naming will be used, add the object ID (OID) for the CDS attribute TNS_Address to the CDS attributes file. (The object ID must be the same across all machines.)
Add the object ID to the /opt/dcelocal/etc/cds_attributes file. The default entry is:

```
1.3.22.1.5.1 TNS_Address char
```
If the default TNS_Address object ID value 1.3.22.1.5.1 already exists in the cds_attributes file, you must specify a value for the object ID that is not already in use.
If you are unable to use the default value for the object ID, you must specify the object ID in the protocol.ora file on the client. If you had to specify a value other than the default value 1.3.22.1.5.1, you must add the following parameter to the protocol.ora file:

```
DCE.TNS_ADDRESS_OID=1.3.22.1.x.y
```
The command to restart CDS can vary from platform to platform. For example, on IBM AIX, you can use smit to restart the CDS as follows.
To load the Oracle service names and addresses into CDS, create or modify a local naming configuration file, tnsnames.ora, containing service names or aliases and addresses. A sample file is shown below. The local tnsnames.ora file is used to map service names to addresses for use by Net8.
This section describes the parameters that must be included in the tnsnames.ora file. The file contains a list of Oracle service names mapped to connect descriptors of destinations or endpoints in the network. The sample DCE address below shows a network address for an Oracle server with the Oracle service name ORADCE. It is used to connect to the service registered as DCE_SVC in the CDS directory /.../cell_name/subsys/oracle/names.

```
ORADCE=(DESCRIPTION=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)(CELL_NAME=cell1)(SERVICE=DCE_SVC))(CONNECT_DATA=(SID=ORASID)))
```
The keyword value pair PROTOCOL=DCE is mandatory. It appears in the address section of a listener configuration file, listener.ora, and in the address section of a local naming configuration file, tnsnames.ora. It must be the same in both places.
The DCE parameter SERVER_PRINCIPAL is optional in a local naming configuration file, tnsnames.ora.
The DCE parameter SERVICE is mandatory. The value given for the DCE parameter (SERVICE=dce_service_name) must be the same in the listener configuration file, listener.ora, and the local naming configuration file, tnsnames.ora.
The Oracle parameter SID is mandatory. It identifies the Oracle system ID; each SID value must be unique on a node. This parameter is strictly local and is not used in DCE CDS.
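The following Python script is an added example, not part of this guide or of the Oracle DCE Integration software. It parses the parenthesized keyword-value syntax of a tnsnames.ora entry and a listener.ora address and applies the rules stated in this section: PROTOCOL=DCE is mandatory in both files, SERVICE is mandatory in both and must be the same, SID is mandatory in CONNECT_DATA, and an unqualified SERVICE without CELL_NAME resolves only in the local cell. The two sample entries are constructed copies of the ones shown in this chapter. Assumptions of this example: whitespace between keywords is not significant, keys are compared upper-cased, and SERVICE values are compared case-insensitively (the chapter itself writes the same service as dce_svc and DCE_SVC).

```python
import re
from typing import Any, List, Tuple

Pairs = List[Tuple[str, Any]]  # value is a str or a nested Pairs list

# Constructed samples based on the entries shown in this chapter.
TNSNAMES_ENTRY = """
ORADCE=(DESCRIPTION=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)
  (CELL_NAME=cell1)(SERVICE=DCE_SVC))(CONNECT_DATA=(SID=ORASID)))
"""
LISTENER_ENTRY = """
LSNR_DCE=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)
  (CELL_NAME=cell1)(SERVICE=dce_svc))
"""


def parse_net8(text: str) -> Tuple[str, Pairs]:
    """Parse NAME=(K=V)(K=(...)) into (NAME, pairs). Whitespace is dropped and
    keys are upper-cased (assumptions of this parser); repeated keys are kept
    in order, so SID_LIST-style entries survive."""
    s = re.sub(r"\s+", "", text)
    pos = 0

    def pairs() -> Pairs:
        nonlocal pos
        out: Pairs = []
        while pos < len(s) and s[pos] == "(":
            eq = s.index("=", pos)
            key = s[pos + 1:eq].upper()
            pos = eq + 1
            if pos < len(s) and s[pos] == "(":
                value: Any = pairs()            # nested keyword list
            else:
                end = s.index(")", pos)
                value = s[pos:end]              # plain value
                pos = end
            if pos >= len(s) or s[pos] != ")":
                raise ValueError(f"unbalanced parentheses after {key}")
            pos += 1
            out.append((key, value))
        return out

    eq = s.index("=")
    name = s[:eq].upper()
    pos = eq + 1
    body = pairs()
    if pos != len(s):
        raise ValueError(f"trailing text at offset {pos}")
    return name, body


def lookup(p: Pairs, key: str) -> Any:
    """First value for key in a keyword list, or None."""
    for k, v in p:
        if k == key:
            return v
    return None


def check_dce_descriptors(tns_text: str, listener_text: str) -> List[str]:
    """Apply this section's DCE rules; returns findings (empty list = OK)."""
    findings: List[str] = []
    alias, entry = parse_net8(tns_text)
    desc = lookup(entry, "DESCRIPTION") or entry      # DESCRIPTION wrapper optional
    addr = lookup(desc, "ADDRESS") or []
    cdata = lookup(desc, "CONNECT_DATA") or []
    lname, lentry = parse_net8(listener_text)
    laddr = lookup(lentry, "ADDRESS") or []

    for where, a in ((alias, addr), (lname, laddr)):
        if str(lookup(a, "PROTOCOL") or "").upper() != "DCE":
            findings.append(f"{where}: PROTOCOL=DCE is mandatory")
        if not lookup(a, "SERVICE"):
            findings.append(f"{where}: SERVICE is mandatory")
    svc, lsvc = lookup(addr, "SERVICE"), lookup(laddr, "SERVICE")
    if svc and lsvc and str(svc).upper() != str(lsvc).upper():
        findings.append(f"SERVICE differs: {alias} has {svc}, {lname} has {lsvc}")
    if not lookup(cdata, "SID"):
        findings.append(f"{alias}: CONNECT_DATA must contain SID")
    if svc and not str(svc).startswith("/.../") and not lookup(addr, "CELL_NAME"):
        findings.append(f"{alias}: unqualified SERVICE without CELL_NAME "
                        "resolves in the local cell only")
    return findings


if __name__ == "__main__":
    for f in check_dce_descriptors(TNSNAMES_ENTRY, LISTENER_ENTRY) or ["OK"]:
        print(f)
```

The checker deliberately does not require SERVER_PRINCIPAL in the tnsnames.ora entry, since this section states it is optional there, and it reports the unqualified-SERVICE case as a finding rather than an error because the chapter describes that form as working within a single cell.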
More Information: For information on the local naming configuration file, tnsnames.ora, see the Net8 Administrator's Guide.
A separate utility called tnnfg is provided with Oracle DCE Integration to load connect descriptors into CDS.
To load the Oracle service names or aliases into CDS, enter the following at the system prompt:
```
% dce_login cell_admin
% tnnfg dceload full_pathname_to_tnsnames.ora
% Enter Password: (password will not display)
```
This procedure loads the service names in tnsnames.ora into DCE CDS.
If you are using SQL*Net 2.2 or earlier, after having loaded the tnsnames.ora file into DCE's CDS, Oracle Corporation recommends that you rename the file to tnsnames.bak, for example, or delete it. Otherwise, tnsnames.ora might be searched instead of CDS to resolve the service name to an address.
If you are using SQL*Net 2.3 or Net8, you can keep tnsnames.ora available as a backup in case CDS becomes unavailable. To assure that CDS is routinely searched instead of tnsnames.ora, configure the NAMES.DIRECTORY_PATH parameter in a profile (sqlnet.ora), as described in "Modify the sqlnet.ora File to Resolve Names in CDS" in this chapter.
The parameters required in a profile (sqlnet.ora) depend upon the version of SQL*Net or Net8 you are using.
For a client or server to use the DCE CDS Naming, the administrator needs to add the following parameter to the sqlnet.ora file:

```
NAMES.DIRECTORY_PATH=(dce, tnsnames, onames)
```
The first name resolution service listed as a value for this parameter is used. If it is unavailable for some reason, the next name resolution service is used, and so forth.
More Information: For information on how to connect to Oracle databases in a DCE environment, see Chapter 15, "Connecting to an Oracle Database in DCE".

Copyright © 1999 Oracle Corporation. All Rights Reserved.