This chapter provides a complete listing of the sqlnet.ora file configuration parameters.
This chapter includes the following topics:
The sqlnet.ora
file enables you to:
Specify the client domain to append to unqualified names
Prioritize naming methods
Enable logging and tracing features
Route connections through specific processes
Configure parameters for external naming
Configure Oracle Advanced Security
Use protocol-specific parameters to restrict access to the database
By default, sqlnet.ora is located in the $ORACLE_HOME/network/admin directory on UNIX operating systems and the %ORACLE_HOME%\network\admin directory on Windows operating systems. sqlnet.ora can also be stored in the directory specified by the TNS_ADMIN environment variable.
This section lists and describes the following sqlnet.ora
file parameters:
Use the parameter BEQUEATH_DETACH
to turn signal handling on or off for UNIX systems.
no
yes
to turn signal handling off
no
to leave signal handling on
BEQUEATH_DETACH=yes
Use the parameter DEFAULT_SDU_SIZE to specify the session data unit (SDU) size, in bytes, for connections.
Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora
file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.
You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.
See Also:
Oracle Database Net Services Administrator's Guide for complete SDU usage and configuration information
8192 bytes (8 KB)
512 to 32767 bytes
DEFAULT_SDU_SIZE=4096
If turned off, the parameter DISABLE_OOB enables Oracle Net to send and receive "break" messages using urgent data provided by the underlying protocol.
If turned on, the parameter disables the ability to send and receive "break" messages using urgent data provided by the underlying protocol. Once enabled, this feature applies to all protocols used by this client.
See Also:
Operating system-specific documentation to determine if the protocols you are using support urgent data requests. TCP/IP is an example of a protocol that supports this feature.
off
DISABLE_OOB=on
Use the parameter NAMES.DCE.PREFIX
to specify the Distributed Computing Environment (DCE) cell name (prefix) to use for name lookups.
/.:/subsys/oracle/names
NAMES.DCE.PREFIX=/.:/subsys/oracle/names
Use the parameter NAMES.DEFAULT_DOMAIN to set the domain from which the client most often looks up name resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.
For example, if the default domain is set to us.example.com, then the connect string CONNECT hr@sales gets searched as sales.us.example.com. If the connect string includes the domain extension, such as CONNECT hr@sales.example.com, the domain is not appended.
None
NAMES.DEFAULT_DOMAIN=example.com
Use the parameter NAMES.DIRECTORY_PATH
to specify the order of the naming methods used for client name resolution lookups.
NAMES.DIRECTORY_PATH=(tnsnames, ezconnect, ldap)
Table 5-1 NAMES.DIRECTORY_PATH Values
| Naming Method Value | Description |
|---|---|
| | Set to resolve a net service name through the See Also: Oracle Database Net Services Administrator's Guide |
| | Set to resolve a database service name, net service name, or net service alias through a directory server. See Also: Oracle Database Net Services Administrator's Guide |
| | Select to enable clients to use a TCP/IP connect identifier, consisting of a host name and optional port and service name. See Also: Oracle Database Net Services Administrator's Guide |
| | Set to resolve an Oracle database name in a Distributed Computing Environment (DCE) environment. See Also: Oracle Database Advanced Security Administrator's Guide |
| | Set to resolve service information through an existing NIS. See Also: Oracle Database Net Services Administrator's Guide |
NAMES.DIRECTORY_PATH=(tnsnames)
Use the NAMES.LDAP_AUTHENTICATE_BIND parameter to specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.
The parameter value is boolean. If set to TRUE
, the LDAP connection will be authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.
If the parameter is set to FALSE
, the LDAP connection will be established using an anonymous bind.
FALSE
NAMES.LDAP_AUTHENTICATE_BIND=TRUE
Use the NAMES.LDAP_PERSISTENT_SESSION
parameter to specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.
The parameter value is boolean. If set to TRUE
, the connection to the LDAP server will be left open after the name lookup is complete; the connection will effectively stay open for the duration of the process. If the connection is lost, it will be reestablished as needed.
If FALSE
, the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection.
FALSE
NAMES.LDAP_PERSISTENT_SESSION=TRUE
Use the NAMES.NIS.META_MAP
parameter to specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.
sqlnet.maps
NAMES.NIS.META_MAP=sqlnet.maps
Use the RECV_BUF_SIZE
parameter to specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to operating-system specific documentation for information about additional protocols that support this parameter.
See Also:
Oracle Net Services Administrator's Guide for information about configuring this parameter
The default value for this parameter is operating-system specific. The default for the Solaris 2.6 Operating System is 32768 bytes (32 KB).
You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.
RECV_BUF_SIZE=11784
Use the SDP.PF_INET_SDP
parameter to specify the protocol family or address family constant for the SDP protocol on your system.
27
Any positive integer
SDP.PF_INET_SDP=30
Use the SEC_USER_AUDIT_ACTION_BANNER
parameter to specify a text file containing the banner contents that warn the user about possible user action auditing. The complete path of the text file must be specified in the sqlnet.ora
file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user.
None
Name of the file for which the database owner has read permissions
SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt
Use the SEC_USER_UNAUTHORIZED_ACCESS_BANNER
parameter to specify a text file containing the banner contents that warn the user about unauthorized access to the database. The complete path of the text file must be specified in the sqlnet.ora
file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user.
None
Name of the file for which the database owner has read permissions
SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt
Use the SEND_BUF_SIZE
parameter to specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to operating-system specific documentation for information about additional protocols that support this parameter.
See Also:
Oracle Database Net Services Administrator's Guide for information about configuring this parameter
The default value for this parameter is operating-system specific. The default for the Solaris 2.6 Operating System is 8192 bytes (8 KB).
You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.
SEND_BUF_SIZE=11784
Use the parameter SQLNET.ALLOWED_LOGON_VERSION to set the minimum authentication protocol allowed when connecting to Oracle Database instances. The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the client release does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol
error or an ORA-03134: Connections to this server version are no longer supported
error.
A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G and 11G.
A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS
value on the server for that account.
Note the following implications of setting the value to 12
:
To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G
case-insensitive password version is automatically removed.
Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
If the client uses Oracle9i Database, then the client will receive an ORA-03134
error message. To allow the connection, remove the SQLNET.ALLOWED_LOGON_VERSION
setting to return to the default. Ensure the DBA_USERS.PASSWORD_VERSIONS
value for the account contains the value 10G
. It may be necessary to reset the password for that account.
The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol
error message.
The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have fewer abilities than more recent clients.
O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.
O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.
O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.
O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.
A higher ability value is more recent and secure than a lower ability value. Clients that are more recent have all the capabilities of the older clients.
The following table describes the allowed values, password versions, and descriptions:
Value of the ALLOWED_LOGON_VERSION Parameter | Generated Password Version | Ability Required of the Client | Meaning for Clients |
---|---|---|---|
12 (Footnote 1) | 11G | O5L_NP | Only clients which have applied critical patch update CPUOct2012 or later can connect to the server. |
11 | 10G, 11G | O5L | Clients using Oracle Database 10g and later can connect to the server. Clients that have not applied critical patch update CPUOct2012 or later patches must use the |
10 | 10G, 11G | O5L | Clients using Oracle Database 10g and later can connect to the server. Clients that have not applied critical patch update CPUOct2012 or later patches must use the |
9 | 10G, 11G | O4L | Oracle9i Database or later clients can connect to the server. |
8 | 10G, 11G | O3L | Oracle8i Database and later clients can connect to the server. |
Footnote 1 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
11 for Oracle Database 11g authentication protocols
10 for Oracle Database 10g authentication protocols
9 for Oracle9i Database authentication protocols
8 for Oracle8i Database authentication protocols (default)
8
If both Oracle Database 11g and Oracle Database 10g are present, then set the parameter as follows:
SQLNET.ALLOWED_LOGON_VERSION=10
Use the parameter SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
to define the name of the service used to obtain a Kerberos service ticket.
None
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
Use the parameter SQLNET.AUTHENTICATION_SERVICES
to enable one or more authentication services. If authentication has been installed, it is recommended that this parameter be set to either none
or to one of the authentication methods.
None
Note:
When installing the database with Database Configuration Assistant (DBCA), this parameter may be set to nts in the sqlnet.ora file.
Authentication Methods Available with Oracle Net Services:
none for no authentication methods, including Windows native operating system authentication (to use Windows native operating system authentication, set this parameter to nts). When SQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.
all for all authentication methods
nts for Windows native operating system authentication
Authentication Methods Available with Oracle Advanced Security:
kerberos5 for Kerberos authentication
radius for RADIUS authentication
dcegssapi for DCE GSSAPI authentication
SQLNET.AUTHENTICATION_SERVICES=(kerberos5)
Use the parameter SQLNET.CLIENT_REGISTRATION
to set a unique identifier for this client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.
None
SQLNET.CLIENT_REGISTRATION=1432
Use the parameter SQLNET.CRYPTO_CHECKSUM_CLIENT
to specify the checksum behavior for the client.
accepted
accepted to enable the security service if required or requested by the other side
rejected to disable the security service, even if required by the other side
requested to enable the security service if the other side allows it
required to enable the security service and disallow the connection if the other side is not enabled for the security service
SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted
Use the parameter SQLNET.CRYPTO_CHECKSUM_SERVER
to specify the checksum behavior for the database server.
accepted
accepted to enable the security service if required or requested by the other side
rejected to disable the security service, even if required by the other side
requested to enable the security service if the other side allows it
required to enable the security service and disallow the connection if the other side is not enabled for the security service
SQLNET.CRYPTO_CHECKSUM_SERVER=accepted
Use the parameter SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
to specify a list of crypto-checksum algorithms for the client to use.
all available algorithms
md5
for the RSA Data Security's MD5 algorithm
sha1
for the Secure Hash algorithm
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)
Use the parameter SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
to specify a list of crypto-checksum algorithms for the database server to use.
all available algorithms
md5
for the RSA Data Security's MD5 algorithm
sha1
for the Secure Hash algorithm
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)
Use the parameter SQLNET.CRYPTO_SEED to specify the characters used when generating cryptographic keys. The more random the characters are, the stronger the keys are. The string should be 10-70 random characters. This optional parameter is required when encryption or checksumming are turned on. Encryption is turned on if the SQLNET.ENCRYPTION_CLIENT parameter is specified for the client and the SQLNET.ENCRYPTION_SERVER parameter is specified for the database server; checksumming is turned on if the SQLNET.CRYPTO_CHECKSUM_CLIENT parameter is specified for the client and the SQLNET.CRYPTO_CHECKSUM_SERVER parameter is specified for the database server.
qwertyuiopasdfghjkl;zxcvbnm,.s1
SQLNET.CRYPTO_SEED="qwertyuiopasdfghjkl;zxcvbnm,.s1"
Use the parameter SQLNET.ENCRYPTION_CLIENT
to turn encryption on for the client.
accepted
accepted to enable the security service if required or requested by the other side
rejected to disable the security service, even if required by the other side
requested to enable the security service if the other side allows it
required to enable the security service and disallow the connection if the other side is not enabled for the security service
SQLNET.ENCRYPTION_CLIENT=accepted
Use the parameter SQLNET.ENCRYPTION_SERVER
to turn encryption on for the database server.
accepted
accepted to enable the security service if required or requested by the other side
rejected to disable the security service, even if required by the other side
requested to enable the security service if the other side allows it
required to enable the security service and disallow the connection if the other side is not enabled for the security service
SQLNET.ENCRYPTION_SERVER=accepted
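The four values shared by SQLNET.ENCRYPTION_CLIENT, SQLNET.ENCRYPTION_SERVER and the two SQLNET.CRYPTO_CHECKSUM_* parameters combine into one outcome per connection. The following is an added example, not Oracle code, that derives that outcome from the value descriptions above; the function names are this example's own.

```python
# Added example: outcome of the accepted / rejected / requested / required
# negotiation for one security service (encryption or checksumming).
LEVELS = ("rejected", "accepted", "requested", "required")


def negotiate(client="accepted", server="accepted"):
    """Return 'on', 'off' or 'fail' for one client/server pair.

    Both arguments default to 'accepted', the default listed for the
    four parameters in this reference.
    """
    client, server = client.lower(), server.lower()
    for level in (client, server):
        if level not in LEVELS:
            raise ValueError("unknown level: %r" % level)
    pair = {client, server}
    # 'required' disallows the connection when the other side has the
    # service disabled.
    if pair == {"required", "rejected"}:
        return "fail"
    # 'rejected' disables the service whatever the other side asks for.
    if "rejected" in pair:
        return "off"
    # Nobody rejects: the service is on as soon as one side asks for it.
    if "requested" in pair or "required" in pair:
        return "on"
    # accepted + accepted: each side waits for the other to ask.
    return "off"


def outcome_matrix():
    """All 16 (client, server) combinations and their outcome."""
    return {(c, s): negotiate(c, s) for c in LEVELS for s in LEVELS}


def unprotected_pairs():
    """Combinations that connect with the service switched off."""
    return sorted(p for p, r in outcome_matrix().items() if r == "off")


def server_guarantees_service(server):
    """True if no client setting can yield a connection without the service."""
    return all(negotiate(c, server) != "off" for c in LEVELS)


if __name__ == "__main__":
    for (c, s), result in sorted(outcome_matrix().items()):
        print("client=%-9s server=%-9s -> %s" % (c, s, result))
    print("server levels that guarantee the service:",
          [s for s in LEVELS if server_guarantees_service(s)])
```

With the default of accepted on both sides the service stays off, and required is the only server-side value under which every successful connection has it on.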
Use the parameter SQLNET.ENCRYPTION_TYPES_CLIENT
to specify a list of encryption algorithms for the client to use.
All available algorithms.
One or more of the following:
3des112 for triple DES with a two-key (112 bit) option
3des168 for triple DES with a three-key (168 bit) option
des for standard 56 bit key size
des40 for 40 bit key size
rc4_40 for 40 bit key size
rc4_56 for 56 bit key size
rc4_128 for 128 bit key size
rc4_256 for 256 bit key size
SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)
Use the parameter SQLNET.ENCRYPTION_TYPES_SERVER
to specify a list of encryption algorithms for the database server to use.
All available algorithms
One or more of the following:
3des112 for triple DES with a two-key (112 bit) option
3des168 for triple DES with a three-key (168 bit) option
des for standard 56 bit key size
des40 for 40 bit key size
rc4_40 for 40 bit key size
rc4_56 for 56 bit key size
rc4_128 for 128 bit key size
rc4_256 for 256 bit key size
SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)
Use the parameter SQLNET.EXPIRE_TIME
to specify a time interval, in minutes, to send a probe to verify that client/server connections are active. Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination. If the probe finds a terminated connection, or a connection that is no longer in use, it returns an error, causing the server process to exit. This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.
Limitations on using this terminated connection detection feature are:
It is not allowed on bequeathed connections.
Though very small, a probe packet generates additional traffic that may downgrade network performance.
Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.
0
0
10
SQLNET.EXPIRE_TIME=10
Use the SQLNET.INBOUND_CONNECT_TIMEOUT
parameter to specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.
If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred
error message to the sqlnet.log
file. The client receives either an ORA-12547: TNS:lost contact
or an ORA-12637: Packet receive failed
error message.
The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora
file. When specifying the values for these parameters, note the following recommendations:
Set both parameters to an initial low value.
Set the value of the INBOUND_CONNECT_TIMEOUT_
listener_name
parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT
parameter.
For example, you can set INBOUND_CONNECT_TIMEOUT_
listener_name
to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT
parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.
See Also:
"Control Parameters" for more information about INBOUND_CONNECT_TIMEOUT_
listener_name
Oracle Net Services Administrator's Guide for information about configuring these parameters
60 seconds
SQLNET.INBOUND_CONNECT_TIMEOUT=3
Use the parameter SQLNET.KERBEROS5_CC_NAME
to specify the complete path name to the Kerberos credentials cache file.
/usr/tmp/krbcache
on UNIX operating systems and c:\tmp\krbcache
on Windows operating systems
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache
Use the parameter SQLNET.KERBEROS5_CLOCKSKEW
to specify how many seconds can pass before a Kerberos credential is considered out of date.
300
SQLNET.KERBEROS5_CLOCKSKEW=1200
Use the parameter SQLNET.KERBEROS5_CONF
to specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit
program for the user's initial ticket.
/krb5/krb.conf
on UNIX operating systems and c:\krb5\krb.conf
on Windows operating systems
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
Use the parameter SQLNET.KERBEROS5_KEYTAB
to specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.
/etc/v5srvtab
on UNIX operating systems and c:\krb5\v5srvtab
on Windows operating systems
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
Use the parameter SQLNET.KERBEROS5_REALMS
to specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.
/krb5/krb.realms
on UNIX operating systems and c:\krb5\krb.realms
on Windows operating systems
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
Use the SQLNET.OUTBOUND_CONNECT_TIMEOUT
parameter to specify the time, in seconds, for a client to establish an Oracle Net connection to the database instance.
If an Oracle Net connection is not established in the time specified, the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred
error.
The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service.
Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (approximately 8 minutes on Linux) when the database server host system is unreachable.
The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.
None
SQLNET.OUTBOUND_CONNECT_TIMEOUT=10
Use the SQLNET.RADIUS_ALTERNATE
parameter to specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.
None
SQLNET.RADIUS_ALTERNATE=radius2
Use the parameter SQLNET.RADIUS_ALTERNATE_PORT
to specify the listening port of the alternate RADIUS server.
1645
SQLNET.RADIUS_ALTERNATE_PORT=1667
Use the parameter SQLNET.RADIUS_ALTERNATE_RETRIES
to specify the number of times the database server should resend messages to the alternate RADIUS server.
3
SQLNET.RADIUS_ALTERNATE_RETRIES=4
Use the parameter SQLNET.RADIUS_AUTHENTICATION
to specify the location of the primary RADIUS server, either by its host name or IP address.
Local host
SQLNET.RADIUS_AUTHENTICATION=officeacct
Use the parameter SQLNET.RADIUS_AUTHENTICATION_INTERFACE
to specify the class containing the user interface used to interact with the user.
DefaultRadiusInterface
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT
to specify the listening port of the primary RADIUS server.
1645
SQLNET.RADIUS_AUTHENTICATION_PORT=1667
Use the parameter SQLNET.RADIUS_AUTHENTICATION_RETRIES
to specify the number of times the database server should resend messages to the primary RADIUS server.
3
SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
Use the parameter SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
to specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.
5
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10
Use the parameter SQLNET.RADIUS_CHALLENGE_RESPONSE
to turn challenge response on or off.
off
on | off
SQLNET.RADIUS_CHALLENGE_RESPONSE=on
Use the parameter SQLNET.RADIUS_SECRET
to specify the location of the RADIUS secret key.
The $ORACLE_HOME/network/security/radius.key
file on UNIX operating systems and the %ORACLE_HOME%\network\security\radius.key
file on Windows.
SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey
Use the parameter SQLNET.RADIUS_SEND_ACCOUNTING
to turn accounting on
and off
. If enabled, packets are sent to the active RADIUS server at listening port plus one. The default port is 1646.
off
on | off
SQLNET.RADIUS_SEND_ACCOUNTING=on
Use the parameter SQLNET.RECV_TIMEOUT
to specify the time, in seconds, for a database server to wait for client data after connection establishment. A client must send some data within the time interval.
For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If a client does not send any data in the time specified, then the database server logs an ORA-12535: TNS:operation timed out
and ORA-12609: TNS: Receive timeout occurred
to the sqlnet.log
file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to wait for response data from the database server after connection establishment. Without this parameter, the client may wait for a long period of time for a response from a database server saturated with requests.
Set the value for this parameter to an initial low value and adjust according to system and network capacity. If necessary, use this parameter in conjunction with the SQLNET.SEND_TIMEOUT parameter.
See Also:
Oracle Database Net Services Administrator's Guide for information about configuring these parameters
None
SQLNET.RECV_TIMEOUT=3
Use the parameter SQLNET.SEND_TIMEOUT to specify the time, in seconds, for a database server to complete a send operation to clients after connection establishment.
For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If the database server is unable to complete a send operation in the time specified, then it logs an ORA-12535: TNS:operation timed out
and ORA-12608: TNS: Send timeout occurred
to the sqlnet.log
file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to complete send operations to the database server after connection establishment. Without this parameter, the client may continue to send requests to a database server already saturated with requests.
Set the value for this parameter to an initial low value and adjust according to system and network capacity. If necessary, use this parameter in conjunction with the SQLNET.RECV_TIMEOUT parameter.
See Also:
Oracle Database Net Services Administrator's Guide for information about configuring these parameters
None
SQLNET.SEND_TIMEOUT=3
Use the SSL_CERT_REVOCATION parameter to configure a revocation check for a certificate.
none
none to turn off certificate revocation checking
requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject the SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
SSL_CERT_REVOCATION=required
Use the parameter SSL_CRL_FILE
to specify the name of the file where you can assemble the CRL of CAs for client authentication.
This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.
None
Use the parameter SSL_CRL_PATH
to specify the destination directory of the CRL of CA. The files in this directory are hashed symbolic links created by Oracle Wallet Manager. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested
or required
.
None
Use the parameter SSL_CIPHER_SUITES
to control what combination of encryption and data integrity is used by the Secure Sockets Layer (SSL).
None
See Also:
Oracle Database Advanced Security Administrator's Guide for further information about cipher suite values
SSL_CIPHER_SUITES=(ssl_rsa_with_rc4_128_md5)
Use the parameter SSL_CLIENT_AUTHENTICATION
to specify whether or not a client—in addition to the database server—is authenticated using SSL.
true
true | false
SSL_CLIENT_AUTHENTICATION=true
Use the parameter SSL_SERVER_DN_MATCH
to enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verification, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.
no
yes | on | true to specify to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.
no | off | false to specify to not enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.
In addition to the sqlnet.ora
file, configure the tnsnames.ora
parameter SSL_SERVER_CERT_DN to enable server DN matching.
SSL_SERVER_DN_MATCH=yes
Use the parameter SSL_VERSION
to force the version of the SSL connection.
Clients and database servers must use a compatible version.
undetermined
undetermined | 2.0 | 3.0
SSL_VERSION=2.0
Use the TCP.CONNECT_TIMEOUT parameter to specify the time, in seconds, for a client to establish a TCP connection to the database server.
If a TCP connection to the database host is not established in the time specified, the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.
Without this parameter, a client connection request to the database server can block for the default duration of the TCP connect timeout (approximately 8 minutes on Linux) when the database server host system is unreachable.
This parameter only applies to TCP connections (PROTOCOL=tcp in the TNS connect address).
None
TCP.CONNECT_TIMEOUT=10
Use the parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database.
TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)
TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.0.2.25)
Use the parameter TCP.INVITED_NODES to specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.
TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)
TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.0.2.73)
The TCP.VALIDNODE_CHECKING parameter creates a hard failure when any of the host names in the invited/excluded list fails to resolve to an IP address. This is to ensure that a customer's desired configuration is enforced, meaning that valid node checking cannot take place unless the host names are resolvable to IP addresses.
This is important especially in the context of the TCP.INVITED_NODES parameter, because it requires that every one of the client nodes be listed in the server's sqlnet.invited_nodes list. When one of the clients is decommissioned, and thus removed from the host name database, it becomes unresolvable, and will cause the listener to fail to start.
Note:
In order to utilize the TCP.VALIDNODE_CHECKING parameter's invited nodes, the host name database must be kept in sync with the sqlnet.invited_node list.
no
yes | no
TCP.VALIDNODE_CHECKING=yes
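The following pre-flight check is an added example, not part of the Oracle documentation. It finds list entries that no longer resolve, which is the condition described above as preventing the listener from starting, and models the stated precedence of the invited list over the excluded list. The name table, the function names and the simplified allow/deny model are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed name table standing in for the host name database, so the
# example runs offline. mktg.us.example.com is deliberately missing.
HOSTS = {
    "sales.us.example.com": "192.0.2.10",
    "hr.us.example.com": "192.0.2.11",
    "finance.us.example.com": "192.0.2.20",
}
INVITED = ["sales.us.example.com", "hr.us.example.com", "192.0.2.73"]
EXCLUDED = ["finance.us.example.com", "mktg.us.example.com", "192.0.2.25"]

def table_resolver(name):
    """Hypothetical stand-in for socket.gethostbyname."""
    try:
        return HOSTS[name]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {name}") from None

def resolve(entry, resolver=socket.gethostbyname):
    """Return the IP address for a list entry, or None if unresolvable."""
    try:
        return str(ipaddress.ip_address(entry))  # entry is already an IP literal
    except ValueError:
        pass
    try:
        return resolver(entry)
    except OSError:  # socket.gaierror and socket.herror are subclasses
        return None

def unresolvable(invited, excluded, resolver=socket.gethostbyname):
    """Entries that would trigger the hard failure described above."""
    return [e for e in [*invited, *excluded] if resolve(e, resolver) is None]

def is_allowed(client_ip, invited, excluded, resolver=socket.gethostbyname):
    """Simplified model: a non-empty invited list takes precedence."""
    if invited:
        return client_ip in {resolve(e, resolver) for e in invited}
    return client_ip not in {resolve(e, resolver) for e in excluded}

if __name__ == "__main__":
    print("fix before restart:", unresolvable(INVITED, EXCLUDED, table_resolver))
    print("192.0.2.73 allowed:", is_allowed("192.0.2.73", INVITED, EXCLUDED, table_resolver))
```

Running `unresolvable` against the real resolver before each listener restart catches decommissioned hosts while the old listener is still serving connections.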
Use the parameter TCP.NODELAY to preempt delays in buffer flushing within the TCP/IP protocol stack.
yes
yes | no
TCP.NODELAY=yes
Use the parameter TNSPING.TRACE_DIRECTORY to specify the destination directory for the TNSPING utility trace file, tnsping.trc.
The $ORACLE_HOME/network/trace directory on UNIX operating systems and the %ORACLE_HOME%\network\trace directory on Windows operating systems
TNSPING.TRACE_DIRECTORY=/oracle/traces
Use the parameter TNSPING.TRACE_LEVEL to turn TNSPING utility tracing on, at a specific level, or off.
off
off for no trace output
user for user trace information
admin for administration trace information
support for Oracle Support Services trace information
TNSPING.TRACE_LEVEL=admin
If set to true, the parameter USE_CMAN routes the client to a protocol address for an Oracle Connection Manager.
The following example shows two address lists. While the first address list routes the client to an Oracle Connection Manager, the second address list routes the client directly to a listener.
sales=
 (DESCRIPTION=
  (LOAD_BALANCE=on)
  (FAILOVER=on)
  (ADDRESS_LIST=
   (SOURCE_ROUTE=yes)
   (ADDRESS=(PROTOCOL=tcp)(HOST=host1)(PORT=1630))
   (ADDRESS=(PROTOCOL=tcp)(HOST=host2)(PORT=1521)))
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=tcp)(HOST=host3)(PORT=1521)))
  (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com)))
Without USE_CMAN=true, the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.
If no Oracle Connection Manager addresses are available, connections are routed through any available listener address.
false
true | false
USE_CMAN=true
If set to on, the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.
This parameter adds (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. It overrides the current value of the SERVER parameter in the tnsnames.ora file.
See Also:
Oracle Database Net Services Administrator's Guide for complete configuration information
off
on to append (SERVER=dedicated)
off to hand off requests to existing server processes
USE_DEDICATED_SERVER=on
Use the parameter WALLET_LOCATION to specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.
Oracle wallets on the file system:
WALLET_LOCATION=
  (SOURCE=
    (METHOD=file)
    (METHOD_DATA=
      (DIRECTORY=directory)
      [(PKCS11=TRUE/FALSE)]))
Microsoft certificate store:
WALLET_LOCATION=
  (SOURCE=
    (METHOD=mcs))
Oracle wallets in the Windows registry:
WALLET_LOCATION=
  (SOURCE=
    (METHOD=reg)
    (METHOD_DATA=
      (KEY=registry_key)))
Entrust wallets:
WALLET_LOCATION=
  (SOURCE=
    (METHOD=entr)
    (METHOD_DATA=
      (PROFILE=file.epf)
      (INIFILE=file.ini)))
WALLET_LOCATION supports the following subparameters:
SOURCE: Specify the type of storage for wallets and storage location.
METHOD: Specify the type of storage.
METHOD_DATA: Specify the storage location.
DIRECTORY: Specify the location of Oracle wallets on file system.
KEY: Specify the wallet type and location in the Windows registry.
PROFILE: Specify the Entrust profile file (.epf).
INIFILE: Specify the Entrust initialization file (.ini).
None
The key/value pair for Microsoft's certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.
If an Oracle wallet is stored in the Windows registry and the wallet's key (KEY) is SALESAPP, the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
true | false
Oracle wallets on file system:
WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=/etc/oracle/wallets/databases)))
Microsoft certificate store:
WALLET_LOCATION= (SOURCE= (METHOD=mcs))
Oracle Wallets in the Windows registry:
WALLET_LOCATION= (SOURCE= (METHOD=REG) (METHOD_DATA= (KEY=SALESAPP)))
Entrust Wallets:
WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA= (PROFILE=/etc/oracle/wallets/test.epf) (INIFILE=/etc/oracle/wallets/test.ini)))
This parameter determines whether the client should override the strong authentication credential with the password credential in the secret store to log in to the database.
None.
None.
Users may have batch jobs that require logging into the database. There may be scripts that access databases and are shared by administrators. This project provides a way for them to use CONNECT / instead of specifying the user name and password explicitly. It simplifies the maintenance of the scripts and secures the password management for the applications.
Middle-tier applications create an Oracle Applications wallet at install time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.
New commands will be implemented for mkstore to manage the entries in the secret store.
To create a wallet:
mkstore -wrl wallet_location -create
To create an entry:
mkstore -wrl wallet_location -createCredential alias user_name password
To modify an entry:
mkstore -wrl wallet_location -modifyCredential alias user_name password
To delete an entry:
mkstore -wrl wallet_location -deleteCredential alias
To list all entries:
mkstore -wrl wallet_location -listCredential
Beginning with Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems that are targeted in particular are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.
When a critical error occurs, it is assigned an incident number, and diagnostic data for the error (traces, dumps, and more) are immediately captured and tagged with this number. The data is then stored in the automatic diagnostic repository (ADR)—a file based repository outside the database—where it can later be retrieved by incident number and analyzed.
ADR is enabled by default. The use of the following parameters depends on whether ADR is enabled.
This section is divided into those parameters used when ADR is enabled (when DIAG_ADR_ENABLED is set to on) and those used when ADR is disabled (when DIAG_ADR_ENABLED is set to off). Non-ADR parameters listed in the sqlnet.ora file are ignored when ADR is enabled.
This section includes the following topics:
This section lists the parameters used when ADR is enabled (when DIAG_ADR_ENABLED is set to on):
Use the ADR_BASE parameter to specify the base directory into which tracing and logging incidents are stored when ADR is enabled.
The default is $ORACLE_BASE, or $ORACLE_HOME/log on the server side, if $ORACLE_BASE is not defined.
See Also:
Oracle Call Interface Programmer's Guide for the default on the client side
Any valid directory path to a directory with write permission.
ADR_BASE=/oracle/network/trace
The DIAG_ADR_ENABLED parameter indicates whether ADR tracing is enabled.
When the DIAG_ADR_ENABLED parameter is set to OFF, non-ADR file tracing is used.
on
on or off
DIAG_ADR_ENABLED=on
Use the parameter TRACE_LEVEL_CLIENT to turn client tracing on, at a specific level, or off. This parameter is also applicable when non-ADR tracing is used.
off or 0
off or 0 for no trace output
user or 4 for user trace information
admin or 10 for administration trace information
support or 16 for Oracle Support Services trace information
TRACE_LEVEL_CLIENT=user
Use the TRACE_LEVEL_SERVER parameter to turn server tracing on, at a specific level, or off. This parameter is also applicable when non-ADR tracing is used.
off or 0
off or 0 for no trace output
user or 4 for user trace information
admin or 10 for administration trace information
support or 16 for Oracle Support Services trace information
TRACE_LEVEL_SERVER=admin
Use the TRACE_TIMESTAMP_CLIENT parameter to add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc. This parameter is also applicable when non-ADR tracing is used.
on
on or true | off or false
TRACE_TIMESTAMP_CLIENT=true
Use the TRACE_TIMESTAMP_SERVER parameter to add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc. This parameter is also applicable when non-ADR tracing is used.
on
on or true | off or false
TRACE_TIMESTAMP_SERVER=true
This section lists the parameters used when ADR is disabled (when DIAG_ADR_ENABLED is set to off):
Notes:
The following parameters are used whether ADR is enabled or not:
The default value of DIAG_ADR_ENABLED is on. Therefore, the DIAG_ADR_ENABLED parameter must explicitly be set to off in order for non-ADR tracing to be used.
Use the LOG_DIRECTORY_CLIENT parameter to specify the destination directory for the client log file. Use this parameter when ADR is not enabled.
$ORACLE_HOME/network/log
Any valid directory path.
LOG_DIRECTORY_CLIENT=/oracle/network/log
Use the LOG_DIRECTORY_SERVER parameter to specify the destination directory for the database server log file. Use this parameter when ADR is not enabled.
$ORACLE_HOME/network/trace
Any valid directory path to a directory with write permission.
LOG_DIRECTORY_SERVER=/oracle/network/trace
The LOG_FILE_CLIENT parameter specifies the name of the log file for the client. Use this parameter when ADR is not enabled.
$ORACLE_HOME/network/log/sqlnet.log
The default value cannot be changed.
Use the LOG_FILE_SERVER parameter to specify the name of the log file for the database server. Use this parameter when ADR is not enabled.
sqlnet.log
LOG_FILE_SERVER=svr.log
Use the parameter TRACE_DIRECTORY_CLIENT to specify the destination directory for the client trace file. Use this parameter when ADR is not enabled.
The current working directory
Any valid directory path to a directory with write permission.
TRACE_DIRECTORY_CLIENT=/oracle/traces
Use the TRACE_DIRECTORY_SERVER parameter to specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.
The $ORACLE_HOME/network/trace directory on UNIX operating systems and the %ORACLE_HOME%\network\trace directory on Windows
Any valid directory path to a directory with write permission.
TRACE_DIRECTORY_SERVER=/oracle/traces
Use the TRACE_FILE_CLIENT parameter to specify the name of the client trace file. Use this parameter when ADR is not enabled.
Any valid file name.
$ORACLE_HOME/network/trace/cli.trc
TRACE_FILE_CLIENT=clientsqlnet.trc
Use the TRACE_FILE_SERVER parameter to specify the name of the file to which the execution trace of the server program is written. Use this parameter when ADR is not enabled.
$ORACLE_HOME/network/trace/svr_pid.trc
Any valid file name.
TRACE_FILE_SERVER=svrsqlnet.trc
Use the TRACE_FILELEN_CLIENT parameter to specify the size of the client trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
TRACE_FILELEN_CLIENT=100
Use the TRACE_FILELEN_SERVER parameter to specify the size of the database server trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
TRACE_FILELEN_SERVER=100
Use the TRACE_FILENO_CLIENT parameter to specify the number of trace files for client tracing. When this parameter is set along with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
None
TRACE_FILENO_CLIENT=3
Use the TRACE_FILENO_SERVER parameter to specify the number of trace files for database server tracing. When this parameter is set along with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
None
TRACE_FILENO_SERVER=3
Use the TRACE_UNIQUE_CLIENT parameter to specify whether or not a unique trace file is created for each client trace session. When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.
on
on or off
TRACE_UNIQUE_CLIENT=on