Oracle Advanced Security Administrator's Guide
Release 9.0.1

Part Number A90150-01
B Authentication Parameters

This appendix illustrates some sample configuration files with the necessary profile file (sqlnet.ora) and database initialization file (init.ora) authentication parameters, when using CyberSafe, Kerberos, RADIUS, or SSL authentication.

This appendix contains the following topics:

Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using RADIUS Authentication
Parameters for Clients and Servers using SSL

Parameters for Clients and Servers using CyberSafe Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using CyberSafe.

Table B-1 CyberSafe Configuration Parameters

File Name: sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(cybersafe)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

File Name: initialization parameter file (init.ora)

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Kerberos Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.

Table B-2 Kerberos Authentication Parameters

File Name: sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_CONF_MIT=(FALSE)
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

File Name: initialization parameter file (init.ora)

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using RADIUS Authentication

The following sections describe the parameters for RADIUS authentication.

sqlnet.ora File Parameters

Table B-3 SQLNET.AUTHENTICATION_SERVICES
Description: Configure the client or the server to use the RADIUS adapter: value = radius.
Default: None

Table B-4 SQLNET.RADIUS_AUTHENTICATION
Description: To set the location of the primary RADIUS server, as either a host name or an IP address in dotted-decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine: format = IP_address_of_RADIUS_server
Default: localhost

Table B-5 SQLNET.RADIUS_AUTHENTICATION_PORT
Description: To set the listening port of the primary RADIUS server.
Default: 1645

Table B-6 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Description: To set the time, in seconds, to wait for a response from the primary RADIUS server.
Default: 5

Table B-7 SQLNET.RADIUS_AUTHENTICATION_RETRIES
Description: To set the number of times to re-send a request to the primary RADIUS server.
Default: 3

Table B-8 SQLNET.RADIUS_SEND_ACCOUNTING
Description: To turn accounting ON or OFF. If you enable accounting, packets are sent to the active RADIUS server at its listening port plus one (default port 1646). You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user logs on to the system.
Default: OFF

Table B-9 SQLNET.RADIUS_SECRET
Description: The file name and location of the RADIUS shared secret. Anyone who can read this file can forge responses from the RADIUS server, so restrict its permissions to the Oracle software owner.
Default: $ORACLE_HOME/network/security/radius.key

Table B-10 SQLNET.RADIUS_ALTERNATE
Description: To set the location of an alternate RADIUS server to be used if the primary server becomes unavailable. This feature is off by default. If you want to set up a second RADIUS server for fault tolerance, specify the host name or the IP address of the host where the second RADIUS server is located.
Default: NONE

Table B-11 SQLNET.RADIUS_ALTERNATE_PORT
Description: To set the listening port of the alternate RADIUS server.
Default: 1645

Table B-12 SQLNET.RADIUS_ALTERNATE_TIMEOUT
Description: To set the time, in seconds, to wait for a response from the alternate RADIUS server.
Default: 5

Table B-13 SQLNET.RADIUS_ALTERNATE_RETRIES
Description: To set the number of times to re-send messages to the alternate RADIUS server.
Default: 3

Table B-14 SQLNET.RADIUS_CHALLENGE_RESPONSE
Description: To turn challenge/response support ON or OFF.
Default: OFF

Table B-15 SQLNET.RADIUS_CHALLENGE_KEYWORD
Description: To set the keyword used to request a challenge from the RADIUS server. The user types no password on the client.
Default: challenge

Table B-16 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Description: To set the name of the Java class that contains the graphical user interface used when RADIUS is in challenge-response (asynchronous) mode.
Default: DefaultRadiusInterface (oracle/net/radius/DefaultRadiusInterface)

Table B-17 SQLNET.RADIUS_CLASSPATH
Description: If you decide to use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information, for example a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter to the sqlnet.ora file to set the path to the Java classes for that graphical interface and the path to the JDK libjava.
Default: $ORACLE_HOME/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/sparc/native_threads

Minimum RADIUS Parameters

sqlnet.authentication_services = (radius)
sqlnet.radius_authentication = IP-address-of-RADIUS-server
sqlnet.radius_challenge_response = ON

Initialization File (init.ora) Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
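The CyberSafe and Kerberos tables and the RADIUS parameters above only take effect if every name is spelled exactly as listed and the adapter is paired with REMOTE_OS_AUTHENT=FALSE in init.ora; a misspelled SQLNET.* name is simply an unknown parameter, and the control it was meant to set never takes effect. The following Python script, added here as an example and not part of the Oracle documentation or of Oracle's tooling, parses a sqlnet.ora and init.ora pair and reports such problems. The parameter names are those in Tables B-1 through B-17; the two sample configurations, the OPS$ default assumed for an absent OS_AUTHENT_PREFIX, and the per-adapter REQUIRED list are the example's own assumptions.

```python
"""Audit the sqlnet.ora / init.ora authentication settings from this appendix.

Added example, not part of the Oracle documentation and not Oracle tooling.
The parameter names are the ones listed in Tables B-1 through B-17; the
sample configurations below are constructed for this example.
"""

# Parameter names from Tables B-1, B-2 and B-3 through B-17 of this appendix.
KNOWN_SQLNET_PARAMS = {
    "SQLNET.AUTHENTICATION_SERVICES",
    "SQLNET.AUTHENTICATION_GSSAPI_SERVICE",
    "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE",
    "SQLNET.KERBEROS5_CC_NAME", "SQLNET.KERBEROS5_CLOCKSKEW",
    "SQLNET.KERBEROS5_CONF", "SQLNET.KERBEROS5_CONF_MIT",
    "SQLNET.KERBEROS5_REALMS", "SQLNET.KERBEROS5_KEYTAB",
    "SQLNET.RADIUS_AUTHENTICATION", "SQLNET.RADIUS_AUTHENTICATION_PORT",
    "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT", "SQLNET.RADIUS_AUTHENTICATION_RETRIES",
    "SQLNET.RADIUS_SEND_ACCOUNTING", "SQLNET.RADIUS_SECRET",
    "SQLNET.RADIUS_ALTERNATE", "SQLNET.RADIUS_ALTERNATE_PORT",
    "SQLNET.RADIUS_ALTERNATE_TIMEOUT", "SQLNET.RADIUS_ALTERNATE_RETRIES",
    "SQLNET.RADIUS_CHALLENGE_RESPONSE", "SQLNET.RADIUS_CHALLENGE_KEYWORD",
    "SQLNET.RADIUS_AUTHENTICATION_INTERFACE", "SQLNET.RADIUS_CLASSPATH",
}

# Parameters each adapter needs beyond SQLNET.AUTHENTICATION_SERVICES
# (example's reading of Table B-1, Table B-2 and "Minimum RADIUS Parameters").
REQUIRED = {
    "CYBERSAFE": ["SQLNET.AUTHENTICATION_GSSAPI_SERVICE"],
    "KERBEROS5": ["SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", "SQLNET.KERBEROS5_CONF"],
    "RADIUS": ["SQLNET.RADIUS_AUTHENTICATION"],
}


def parse_ora(text):
    """Parse flat KEY=VALUE lines of a sqlnet.ora or init.ora file.

    Keys are upper-cased. A value written as (a, b) becomes a list of
    upper-cased tokens; any other value is a string with surrounding double
    quotes removed, so OS_AUTHENT_PREFIX="" parses to the empty string.
    Text after '#' is a comment. Nested descriptors are out of scope here.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [t.strip().upper() for t in value[1:-1].split(",") if t.strip()]
        else:
            value = value.strip('"')
        params[key.upper()] = value
    return params


def audit(sqlnet_text, init_text, adapter):
    """Return a list of findings for one external-authentication adapter.

    adapter is "CYBERSAFE", "KERBEROS5" or "RADIUS", i.e. the value the
    appendix puts in SQLNET.AUTHENTICATION_SERVICES.
    """
    sqlnet, init = parse_ora(sqlnet_text), parse_ora(init_text)
    findings = []

    # A misspelled SQLNET.* name is not the parameter it was meant to be,
    # so the setting it was supposed to make never takes effect.
    for key in sqlnet:
        if key.startswith("SQLNET.") and key not in KNOWN_SQLNET_PARAMS:
            findings.append(f"unknown parameter {key}: check the spelling")

    services = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if isinstance(services, str):
        services = [services.upper()]
    if adapter not in services:
        findings.append(f"SQLNET.AUTHENTICATION_SERVICES does not list {adapter}")

    for key in REQUIRED[adapter]:
        if key not in sqlnet:
            findings.append(f"missing {key}")

    # init.ora: both tables in this appendix set these two values so that the
    # server never trusts an identity asserted by a remote client's OS.
    if init.get("REMOTE_OS_AUTHENT", "FALSE").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT must be FALSE")
    # OPS$ is the value assumed here when OS_AUTHENT_PREFIX is absent.
    if init.get("OS_AUTHENT_PREFIX", "OPS$") != "":
        findings.append('OS_AUTHENT_PREFIX should be ""')
    return findings


# Constructed sample: a Kerberos pair with two defects, one of them silent.
BAD_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENITCATION_KERBEROS5_SERVICE=oracle   # misspelled name
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
"""
BAD_INIT = """
REMOTE_OS_AUTHENT=TRUE
OS_AUTHENT_PREFIX=""
"""

# Constructed sample: the same pair with the settings from Table B-2.
GOOD_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_CONF_MIT=(FALSE)
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab
"""
GOOD_INIT = """
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
"""

if __name__ == "__main__":
    for label, cfg in (("bad", (BAD_SQLNET, BAD_INIT)), ("good", (GOOD_SQLNET, GOOD_INIT))):
        print(label, audit(*cfg, "KERBEROS5") or ["no findings"])
```

Run it against the real files with `audit(open("sqlnet.ora").read(), open("init.ora").read(), "RADIUS")` and treat any finding as a blocker: the misspelled line in the bad sample is exactly the kind of defect that produces no error at startup.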

Parameters for Clients and Servers using SSL

There are two ways to configure a parameter:

Static: the parameter is set by name in the sqlnet.ora file (the "Parameter Name (static)" entries in the tables that follow).

Dynamic: the parameter is set in the security section of a connect descriptor, for example in tnsnames.ora, and applies to that connection only (the "Parameter Name (dynamic)" entries).

Authentication Parameters

Table B-18 SSL Authentication Parameters

Parameter Name (static): SQLNET.AUTHENTICATION_SERVICES
Parameter Name (dynamic): AUTHENTICATION
Parameter Type: String LIST
Parameter Class: Static
Permitted Values: Add TCPS to the list of available authentication services.
Default Value: No default value.
Description: To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type.
Existing/New Parameter: Existing
Syntax (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)
Example (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe)
Syntax (dynamic): AUTHENTICATION = string
Example (dynamic): AUTHENTICATION = (TCPS)

Cipher Suites

Table B-19 Cipher Suite Parameters

Parameter Name (static): SSL_CIPHER_SUITES
Parameter Name (dynamic): SSL_CIPHER_SUITES
Parameter Type: String LIST
Parameter Class: Static
Permitted Values: Any known SSL cipher suite
Default Value: No default
Description: Controls the combination of encryption and data integrity used by SSL.
Existing/New Parameter: Existing
Syntax (static): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (static): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
Syntax (dynamic): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (dynamic): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
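A cipher suite name announces its key exchange, bulk cipher and MAC, so weak choices can be screened before they are written into SSL_CIPHER_SUITES. The suite in the Table B-19 example, SSL_DH_DSS_WITH_DES_CBC_SHA, illustrates the syntax only: single DES has a 56-bit key. The following Python script, added as an example and not part of the Oracle documentation, classifies suite names by those components and renders an SSL_CIPHER_SUITES line from the ones that pass. The rules encode general properties of the named algorithms (anonymous key exchange, export-grade keys, NULL, single DES, RC4, MD5), not an Oracle policy; the candidate list is constructed. 3DES passes this screen; its 64-bit block size is a later concern this screen does not cover.

```python
"""Classify SSL cipher suites by name and build a hardened SSL_CIPHER_SUITES line.

Added example, not part of the Oracle documentation. The rules below encode
well-known properties of the algorithms a suite name announces; they are not
an Oracle policy, and the candidate list is constructed for this example.
"""
import re

# SSL_<key exchange>_WITH_<cipher>_<mac>, as in SSL_DH_DSS_WITH_DES_CBC_SHA.
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def classify(suite):
    """Return the reasons a suite should not be used (empty list = acceptable)."""
    m = SUITE_RE.match(suite.strip().upper())
    if not m:
        return ["name not of the form SSL_<kx>_WITH_<cipher>_<mac>"]
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    reasons = []
    if "ANON" in kx:
        reasons.append("anonymous key exchange: the server is never authenticated")
    if "EXPORT" in kx or "40" in cipher:
        reasons.append("export-grade key length")
    if cipher == "NULL":
        reasons.append("no encryption at all")
    elif cipher.startswith("DES"):       # DES_CBC, DES40_CBC; 3DES starts with "3"
        reasons.append("single DES: 56-bit key")
    elif "RC4" in cipher:
        reasons.append("RC4: biased keystream")
    if mac == "MD5":
        reasons.append("MD5-based MAC")
    return reasons


def harden(candidates):
    """Split candidates into (accepted, rejected); rejected maps suite -> reasons."""
    accepted, rejected = [], {}
    for suite in candidates:
        reasons = classify(suite)
        if reasons:
            rejected[suite] = reasons
        else:
            accepted.append(suite)
    return accepted, rejected


def cipher_suites_line(accepted):
    """Render the sqlnet.ora parameter in the syntax shown in Table B-19."""
    return f"SSL_CIPHER_SUITES=({', '.join(accepted)})"


# Constructed candidate list; the first entry is the example from Table B-19.
CANDIDATES = [
    "SSL_DH_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
]

if __name__ == "__main__":
    accepted, rejected = harden(CANDIDATES)
    for suite, reasons in rejected.items():
        print(f"reject {suite}: {'; '.join(reasons)}")
    print(cipher_suites_line(accepted))
```

Because the suite is named on both sides, run the same screen over the client's and the server's SSL_CIPHER_SUITES: the negotiated suite can only be one both lists still contain.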
 

Supported SSL Cipher Suites

Oracle Advanced Security supports the following cipher suites:

SSL Version

Table B-20 SSL Version Parameters

Parameter Name (static): SSL_VERSION
Parameter Name (dynamic): SSL_VERSION
Parameter Type: string
Parameter Class: Static
Permitted Values: Any version valid for SSL: 0 or 3.0.
Default Value: "0"
Description: To force the version of the SSL connection. With the default of 0 no particular version is forced; set 3.0 to require SSL 3.0.
Existing/New Parameter: New
Syntax (static): SSL_VERSION=version
Example (static): SSL_VERSION=3.0
Syntax (dynamic): SSL_VERSION=version
Example (dynamic): SSL_VERSION=3.0

SSL Client Authentication

Table B-21 SSL Client Authentication Parameters

Parameter Name (static): SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic): SSL_CLIENT_AUTHENTICATION
Parameter Type: Boolean
Parameter Class: Static
Permitted Values: TRUE/FALSE
Default Value: TRUE
Description: To control whether a client, in addition to the server, is authenticated using SSL.
Existing/New Parameter: New
Syntax (static): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (static): SSL_CLIENT_AUTHENTICATION=FALSE
Syntax (dynamic): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (dynamic): SSL_CLIENT_AUTHENTICATION=FALSE
 
Table B-22 SSL X.509 Server Match Parameters

Parameter Name: SSL_SERVER_DN_MATCH
Where stored: sqlnet.ora
Purpose: Use this parameter to force the server's distinguished name (DN) to match its service name. If you enforce the match, SSL ensures that the certificate presented belongs to the server you intended to reach. If you do not enforce the match, SSL still performs the check but permits the connection whether or not the DN matches, which lets a server potentially fake its identity.
Values:
yes|on|true: enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails.
no|off|false: do not enforce a match. If the DN does not match the service name, the connection succeeds, but an error is logged to the sqlnet.log file.
Default: Oracle8i and Oracle9i: FALSE. The SSL client always checks the server DN; if it does not match the service name, the connection succeeds but an error is logged to the sqlnet.log file.
Usage Notes: Additionally configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.
Example: SSL_SERVER_DN_MATCH=yes

Parameter Name: SSL_SERVER_CERT_DN
Where stored: tnsnames.ora. It can be stored on the client, for every server it connects to, or in the LDAP directory, for every server it connects to, where it is updated centrally.
Purpose: This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers, to force the server's DN to match its service name.
Values: Set equal to the distinguished name (DN) of the server.
Default: n/a
Usage Notes: Additionally configure the sqlnet.ora parameter SSL_SERVER_DN_MATCH to enable server DN matching.
Example:

dbalias=
  (description=
    (address_list=
      (address=(protocol=tcps)(host=hostname)(port=portnum)))
    (connect_data=(sid=Finance))
    (security=(SSL_SERVER_CERT_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")))
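Table B-22 describes the decision the SSL client makes: compare the DN in the server's certificate with the DN expected for that service and then either fail the connection (SSL_SERVER_DN_MATCH enforced) or continue with only a log entry. The following Python script, added as an example and not Oracle's code, parses the nested-parenthesis connect descriptor syntax (the same syntax WALLET_LOCATION uses), extracts SSL_SERVER_CERT_DN and reproduces that decision for a given certificate subject. Assumptions: the descriptor, host name and certificate subjects are constructed; DN comparison is simplified (attribute types case-insensitive, whitespace around separators ignored, RDN order significant, values compared exactly, no escaped commas); and comparing the certificate's first CN with the service name when no SSL_SERVER_CERT_DN is configured is the example's own reading of the "service name" check, not Oracle's documented algorithm.

```python
"""Parse an Oracle Net connect descriptor and reproduce the SSL_SERVER_DN_MATCH
decision against a server certificate's subject DN.

Added example, not Oracle's code. The descriptor and certificate subjects
below are constructed. DN comparison is simplified (see normalize_dn), and
the CN-versus-service-name fall-back is an assumption of this example.
"""


def parse_descriptor(text):
    """Parse ALIAS=(KEY=VALUE)(KEY=(...)) into (alias, nested dict).

    The same nested-parenthesis syntax is used by WALLET_LOCATION in
    sqlnet.ora. Repeated keys (several ADDRESS entries) become a list.
    Quoted values may contain parentheses and commas.
    """
    alias, _, body = text.partition("=")
    pos, n = 0, len(body)

    def skip_ws():
        nonlocal pos
        while pos < n and body[pos].isspace():
            pos += 1

    def value():
        nonlocal pos
        skip_ws()
        if pos < n and body[pos] == "(":
            node = {}
            while pos < n and body[pos] == "(":
                pos += 1
                eq = body.index("=", pos)
                key = body[pos:eq].strip().lower()
                pos = eq + 1
                val = value()
                skip_ws()
                if pos >= n or body[pos] != ")":
                    raise ValueError(f"expected ')' at offset {pos}")
                pos += 1
                skip_ws()
                if key in node:
                    prev = node[key]
                    node[key] = (prev if isinstance(prev, list) else [prev]) + [val]
                else:
                    node[key] = val
            return node
        if pos < n and body[pos] == '"':
            end = body.index('"', pos + 1)
            val, pos = body[pos + 1:end], end + 1
            return val
        end = body.find(")", pos)
        if end < 0:
            raise ValueError("unterminated value")
        val, pos = body[pos:end].strip(), end
        return val

    tree = value()
    skip_ws()
    if pos != n:
        raise ValueError(f"trailing text at offset {pos}")
    return alias.strip().lower(), tree


def normalize_dn(dn):
    """Split 'cn=Finance, o=Acme' into [('CN', 'Finance'), ('O', 'Acme')].

    Attribute types are upper-cased, whitespace is trimmed, RDN order is kept
    and values are left exact. Escaped commas are not handled (simplification).
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append((attr.strip().upper(), val.strip()))
    return rdns


def check_server_dn(descriptor, presented_dn, dn_match):
    """Decide whether a connection proceeds, the way Table B-22 describes.

    descriptor: a tnsnames.ora entry; presented_dn: subject DN of the server's
    certificate; dn_match: the sqlnet.ora SSL_SERVER_DN_MATCH value as a bool.
    Returns (connection_allowed, log_lines).
    """
    alias, tree = parse_descriptor(descriptor)
    desc = tree.get("description", tree)
    expected = desc.get("security", {}).get("ssl_server_cert_dn")
    if expected is not None:
        matched = normalize_dn(expected) == normalize_dn(presented_dn)
        reference = f"SSL_SERVER_CERT_DN {expected!r}"
    else:
        # Assumption: with no configured DN, compare the certificate's first CN
        # with the service name (SERVICE_NAME or SID) from CONNECT_DATA.
        cd = desc.get("connect_data", {})
        service = cd.get("service_name") or cd.get("sid") or ""
        cn = next((v for t, v in normalize_dn(presented_dn) if t == "CN"), "")
        matched = cn.lower() == service.lower()
        reference = f"service name {service!r}"
    if matched:
        return True, []
    log = [f"{alias}: server certificate DN {presented_dn!r} does not match {reference}"]
    # Enforced: the connection fails. Not enforced: it succeeds with only a log
    # entry, so any server holding a certificate the wallet trusts is accepted.
    return (not dn_match), log


# Constructed descriptor: the Table B-22 example with a concrete host and port.
DESCRIPTOR = (
    "finance=(description="
    "(address_list=(address=(protocol=tcps)(host=dbserver.someco.com)(port=2484)))"
    "(connect_data=(sid=Finance))"
    '(security=(ssl_server_cert_dn="CN=Finance,CN=OracleContext,C=US,O=Acme")))'
)

if __name__ == "__main__":
    for subject in ("cn=Finance, cn=OracleContext, c=US, o=Acme",
                    "CN=Payroll,CN=OracleContext,C=US,O=Acme"):
        for enforce in (True, False):
            print(enforce, subject, check_server_dn(DESCRIPTOR, subject, enforce))
```

The two calls with the Payroll subject show the whole difference between the settings: with SSL_SERVER_DN_MATCH enforced the mismatch closes the connection, without it the same mismatch produces only the log line.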

Wallet Location

For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-23 in each of the following configuration files: sqlnet.ora and listener.ora.

Table B-23 Wallet Location Parameters

Static Configuration (sqlnet.ora, listener.ora):

WALLET_LOCATION=
  (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
      (DIRECTORY=your_wallet_location)))

Dynamic Configuration (security section of the connect descriptor):

MY_WALLET_DIRECTORY=your_wallet_dir

The default wallet location is the $ORACLE_HOME directory.


Oracle
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved.