Oracle Advanced Security Administrator's Guide Release 9.0.1 Part Number A90150-01
This appendix illustrates some sample configuration files with the necessary profile file (sqlnet.ora) and database initialization file (init.ora) authentication parameters, when using CyberSafe, Kerberos, RADIUS, or SSL authentication.
Following is a list of parameters to insert into the configuration files for clients and servers using CyberSafe.
Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.
The following sections describe the parameters for RADIUS authentication.
Description | Default |
---|---|
Configure the client or the server to use the RADIUS adapter: value = radius. | None |
To set the listening port of the primary RADIUS server. | 1645 |
To set the time to wait for response. | 5 |
To set the number of times to re-send. | 3 |
The file name and location of the RADIUS secret key. | |
To set the listening port for the alternate RADIUS server. | 1645 |
To set the time to wait for response. | |
To set the number of times to re-send messages. | |
To turn challenge/response support ON/OFF. | |
To set the keyword to request a challenge from the RADIUS server. User types no password on client. | |
sqlnet.authentication_services = (radius)
sqlnet.authentication = IP-address-of-RADIUS-server
sqlnet.radius_challenge_response = ON

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
There are two ways to configure a parameter:
sqlnet.ora
file.
Oracle Advanced Security supports the following cipher suites:
Parameter Name | SSL_SERVER_DN_MATCH |
---|---|
Where stored | |
Purpose | Use this parameter to force the server's distinguished name (DN) to match its service name. If you enforce the match verification, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection regardless of whether there is a match. Not enforcing the match lets the server potentially fake its identity. |
Values | |
Default | Oracle8i and Oracle9i: .FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to |
Usage Notes | Additionally configure the tnsnames.ora parameter |
Example | |
Parameter Name | SSL_SERVER_CERT_DN |
---|---|
Where stored | t |
Purpose | This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers, so that it can force the server's DN to match its service name. |
Values | Set equal to distinguished name (DN) of the server. |
Default | n/a |
Usage Notes | Additionally configure the sqlnet.ora parameter |
Example | |
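
Because the server DN check depends on both SSL_SERVER_DN_MATCH and SSL_SERVER_CERT_DN, a client configuration can be audited for entries where a mismatched server DN would only be logged. The script below is an added example, not part of the Oracle guide. It assumes that yes/on/true enable the match and that SSL connections use PROTOCOL=tcps; the function names, net service names, hosts and DNs are constructed for illustration.

```python
import re

def _uncommented(text):
    # sqlnet.ora and tnsnames.ora use '#' for comment lines
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def dn_match_enforced(sqlnet_text):
    """True only if sqlnet.ora sets SSL_SERVER_DN_MATCH to an enforcing value."""
    m = re.search(r"(?im)^\s*SSL_SERVER_DN_MATCH\s*=\s*(\w+)", _uncommented(sqlnet_text))
    # Assumption: yes/on/true enable the match; unset means the default (not enforced).
    return bool(m) and m.group(1).lower() in {"yes", "on", "true"}

def net_service_entries(tns_text):
    """Split tnsnames.ora into {alias: body} by tracking parenthesis depth."""
    text = _uncommented(tns_text)
    entries, depth, start, body_start = {}, 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            body_start = i if depth == 0 else body_start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:  # entry closed: the text before its first "(" is "alias ="
                alias = text[start:body_start].strip().rstrip("=").strip()
                entries[alias] = text[body_start:i + 1]
                start = i + 1
    return entries

def audit(sqlnet_text, tns_text):
    """Classify every TCPS (SSL) net service name by how the server DN is checked."""
    enforced = dn_match_enforced(sqlnet_text)
    findings = {}
    for alias, body in net_service_entries(tns_text).items():
        if not re.search(r"(?i)PROTOCOL\s*=\s*TCPS", body):
            continue  # not an SSL connection, out of scope for this check
        has_dn = re.search(r'(?i)SSL_SERVER_CERT_DN\s*=\s*"[^"]+"', body)
        if not enforced:
            findings[alias] = "not-enforced"  # mismatch is logged, connection still permitted
        else:
            findings[alias] = "enforced" if has_dn else "no-expected-dn"
    return findings

# Constructed sample files (aliases, hosts and DNs are made up for this example).
SQLNET_WEAK = "SSL_SERVER_DN_MATCH = no\n"
SQLNET_STRICT = "# client profile\nSSL_SERVER_DN_MATCH = yes\n"
TNSNAMES = """finance = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db1.example.com)(PORT=2484))
  (CONNECT_DATA=(SERVICE_NAME=finance))(SECURITY=(SSL_SERVER_CERT_DN="cn=finance,o=example,c=us")))
hr = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db2.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=hr)))
legacy = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db3.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=legacy)))"""
```

Calling `audit(SQLNET_STRICT, TNSNAMES)` reports `hr` as `no-expected-dn`, which is the case the usage notes above address: the match is forced, but no DN is named for that server.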
For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-23 in each of the following configuration files:
Static Configuration | Dynamic Configuration |
---|---|
|
|
The default wallet location is the $ORACLE_HOME directory.
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved.