5 Parameters for sqlnet.ora Files

This chapter describes the sqlnet.ora file parameters.

5.1 Overview of Profile Configuration Files

Learn about profile configuration files.

The sqlnet.ora file is the Net Services profile configuration file. The sqlnet.ora file resides on clients and databases. You store and implement profiles using this file. You can also configure the database with access control parameters in the sqlnet.ora file. These parameters specify whether clients are allowed or denied access to a database based on the parameter settings.

The sqlnet.ora file enables you to:

  • Specify the client domain to append to unqualified names
  • Prioritize naming methods
  • Enable logging and tracing features
  • Route connections through specific processes
  • Configure parameters for external naming
  • Configure Oracle Advanced Security
  • Use protocol-specific parameters to restrict access to the database
Oracle Net searches for the sqlnet.ora file in the following locations and in the following order:
  • In the directory specified in the TNS_ADMIN environment variable, if it is set.
  • In the ORACLE_BASE_HOME/network/admin directory.
  • In the ORACLE_HOME/network/admin directory.

Note:

  • The settings in the sqlnet.ora file apply to all pluggable databases (PDBs) in multitenant container database environments.

  • Oracle Net Services supports the IFILE parameter in the sqlnet.ora file, with up to three levels of nesting. The parameter is added manually to the file. The following is an example of the syntax:

    IFILE=/tmp/listener_em.ora
    IFILE=/tmp/listener_cust1.ora
    IFILE=/tmp/listener_cust2.ora 
    

    Refer to Oracle Database Reference for additional information.

  • With Oracle Instant Client, the sqlnet.ora file is located in the subdirectory of the Oracle Instant Client software. For example, in the /opt/oracle/instantclient_release_number/network/admin directory.

  • In the read-only Oracle home mode, the sqlnet.ora file default location is ORACLE_BASE_HOME/network/admin.

  • In the read-only Oracle home mode, the parameters are stored in the ORACLE_BASE_HOME location by default.

5.2 Profile Parameters in sqlnet.ora Files

This section describes sqlnet.ora file parameters that you use to administer listeners.

This section describes the following sqlnet.ora file parameters:

5.2.1 ACCEPT_MD5_CERTS

The sqlnet.ora profile parameter ACCEPT_MD5_CERTS accepts MD5 signed certificates.

Purpose

To enable sqlnet to accept MD5 signed certificates. In addition to sqlnet.ora, you must also set this parameter must in listener.ora.

Default

FALSE

Values

  • TRUE to accept MD5 signed certificates

  • FALSE to not accept MD5 signed certficates

5.2.2 ACCEPT_SHA1_CERTS

Use the sqlnet.ora profile parameter ACCEPT_SHA1_CERTS to determine whether SQL Net accepts SHA1 signed certificates.

Purpose

To determine whether sqlnet accepts SHA1 signed certificates. In addition to setting this parameter in sqlnet.ora, you must also set this parameter in listener.ora.

The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.

Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Instead of using SHA1, Oracle recommends that you start using a stronger SHA-2 cipher in place of the SHA-1 cipher.

Default

TRUE

Values

  • TRUE to accept SHA1 signed certificates

  • FALSE to not accept SHA1 signed certificates

5.2.3 ADD_SSLV3_TO_DEFAULT

The sqlnet.ora profile parameter ADD_SSLV3_TO_DEFAULT sets the secure sockets layer versions that your server accepts.

Purpose

To set the secure sockets layer versions that your server accepts.

To use SSL_VERSION=3.0 in your SSL_VERSION default list, set the value to TRUE. In addition to setting this parameter in sqlnet.ora, you must also set this parameter in listener.ora.

Default

FALSE

Values

  • If set to TRUE and if SSL_VERSION is not specified or is set to "undetermined", then SSL_VERSION includes versions 3.0, 1.2, 1.1, and 1.0.

  • If set to FALSE and if SSL_VERSION is not specified or is set to "undetermined", then SSL_VERSION includes versions 1.2, 1.1, and 1.0

5.2.4 EXADIRECT_FLOW_CONTROL

The sqlnet.ora profile parameter EXADIRECT_FLOW_CONTROL enables or disables Exadirect flow control.

Purpose

To enable or disable Exadirect flow control.

Usage Notes

Set to on, the parameter enables Oracle Net to broadcast the available receive window to the sender. The sender limits the sends based on the receiver broadcast window.

Default

off

Example

EXADIRECT_FLOW_CONTROL=on

5.2.5 EXADIRECT_RECVPOLL

Use the sqlnet.ora parameter EXADIRECT_RECVPOLL to specify the amount of time that a receiver polls for incoming data.

Purpose

To specify the amount of time that a receiver polls for incoming data.

Usage Notes

You can set the parameter to a fixed value or set the parameter to AUTO to automatically tune the polling value.

Default

0

Example

EXADIRECT_RECVPOLL = 10

EXADIRECT_RECVPOLL = AUTO

5.2.6 DEFAULT_SDU_SIZE

Use the sqlnet.ora profile parameter to specify the session data unit size (SDU) for connections.

Purpose

To specify the session data unit (SDU) size, in bytes, for connections.

Usage Notes

Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora files to ensure that the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.

You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.

Default

8192 bytes (8 KB)

Values

512 to 2097152 bytes

Example 5-1 Example

DEFAULT_SDU_SIZE=4096

5.2.7 DISABLE_OOB

Use the sqlnet.ora profile parameter DISABLE_OOB to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data from the underlying protocol.

Purpose

To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.

Usage Notes

Set to off, the parameter enables Oracle Net to send and receive break messages. Set to on, the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols that the client uses.

Default

off

Example 5-2 Example

DISABLE_OOB=on

5.2.8 DISABLE_OOB_AUTO

Use the sqlnet.ora profile parameter DISABLE_OOB_AUTO to disable server path checks for out-of-band break messages at the time of the connection.

Purpose

To disable sqlnet.ora from checking for out-of-band (OOB) break messages in the server path at connection time.

Usage Notes

By default, the client determines if the server path supports out-of-band break messages at the time of establishing the connection. If DISABLE_OOB_AUTO is set to TRUE, then the client does not perform this check at connection time.

Default

FALSE

Example 5-3 Example

DISABLE_OOB_AUTO = TRUE

5.2.9 HTTPS_SSL_VERSION

Use the sqlnet.ora profile parameter HTTPS_SSL_VERSION to control the Secure Sockters Later (SSL) that XDB HTTPS connections use.

Purpose

Use HTTPS_SSL_VERSION to control the Secure Sockets Layer (SSL) version that XDB HTTPS connections use.

Usage Notes

Note that the SSL_VERSION parameter no longer controls the SSL version that HTTPS uses. You can set this parameter to any valid HTTPS_SSL_VERSION values.

Default

1.1 or 1.2, meaning TLSv1.1 or TLSv1.2.

Values

Any valid HTTPS_SSL_VERSION value.

5.2.10 IPC.KEYPATH

Use the sqlnet.ora profile parameter IPC.KEYPATH to specify the destination directory where the internal file is created for UNIX domain sockets.

Purpose

To specify the destination directory where the internal file is created for UNIX domain sockets.

Usage Notes

This parameter applies only to Oracle Net usage of UNIX domain sockets and does not apply to other uses of UNIX domain sockets in Oracle Database, such as in Oracle Clusterware. If you use the IPC.KEYPATH parameter, then you should use the same value for IPC_KEYPATH on both the client and the listener on Oracle Database versions that are greater than Oracle Database 18c.

Default

The directory path is either /var/tmp/.oracle for Oracle Linux, Oracle Solaris or /tmp/.oracle for other UNIX variants.

Example

ipc.keypath=/home/oracleuser.

5.2.11 NAMES.DEFAULT_DOMAIN

Use the sqlnet.ora profile parameter NAMES.DEFAULT_DOMAIN to set the name of the domain in which clients most often look up names resolution requests.

Purpose

To set the domain from which the client most often looks up names resolution requests.

Usage Notes

When you set NAMES.DEFAULT_DOMAIN, the default domain name is automatically appended to any unqualified net service name or service name.

For example, if you set the default domain to www.example.com, then Oracle searches the connect string CONNECT scott@sales as www.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.www.example.com, then the domain is not appended to the string.

Default

None

Example

NAMES.DEFAULT_DOMAIN=example.com

5.2.12 NAMES.DIRECTORY_PATH

Use the sqlnet parameter NAMES.DIRECTORY_PATH to specify the order of the naming methods for client name resolution lookups.

Purpose

To specify the order of the naming methods for client name resolution lookups.

Default

NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)

Values

The following table shows the NAMES.DIRECTORY_PATH values for the naming methods.

Naming Method Value Description

tnsnames (local naming method)

Set to resolve a network service name through the tnsnames.ora file on the client.

ldap (directory naming method)

Set to resolve a database service name, net service name, or network service alias through a directory server.

ezconnect or hostname (Easy Connect naming method)

Select to enable clients to use a TCP/IP connect identifier that consists of a host name and optional port and service name.

nis (external naming method)

Set to resolve service information through an existing Network Information Service (NIS).

Example

NAMES.DIRECTORY_PATH=(tnsnames)

5.2.13 NAMES.LDAP_AUTHENTICATE_BIND

Use the sqlnet parameter NAMES.LDAP_AUTHENTICATE_BIND to specify whether the LDAP naming adapter should authenticate using a specified wallet when it connects to the LDAP directory to resolve connect string names.

Purpose

To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.

Usage Notes

The parameter value is Boolean.

If you set the parameter to TRUE, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.

If you set the parameter to FALSE, then the LDAP connection is established using an anonymous bind.

Default

false

Example

NAMES.LDAP_AUTHENTICATE_BIND=true

5.2.14 NAMES.LDAP_CONN_TIMEOUT

Use the sqlnet parameter NAMES.LDAP_CONN_TIMEOUT to specify the number of seconds that indicates that a non-blocking connect timeout to the LDAP server occurred.

Purpose

The parameter value -1 is for infinite timeout.

Default

15 seconds

Values

Values are in seconds. The range is -1 to the number of seconds that is acceptable for your environment. There is no upper limit.

To specify the number of seconds for a non-blocking connect timeout to the LDAP server.

Usage Notes

Example

names.ldap_conn_timeout = -1

5.2.15 NAMES.LDAP_PERSISTENT_SESSION

Use the sqlnet parameter NAMES.LDAP_PERSISTENT_SESSION to specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookups are complete.

Purpose

To specify whether the LDAP naming adapter should leave the session with the LDAP server open after a name lookup is complete.

Usage Notes

The parameter value is Boolean.

If you set the parameter to TRUE, then the connection to the LDAP server is left open after the name lookup is complete. The connection remains open for the duration of the process. If the connection is lost, then it is re-established as needed.

If you set the parameter to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent look-up opens the connection, performs the look-up, and closes the connection. This option prevents LDAP from having a large number of clients connected to it at any one time.

Default

false

Example

NAMES.LDAP_PERSISTENT_SESSION=true

5.2.16 NAMES.NIS.META_MAP

Use the sqlnet parameter NAMES.NIS.META_MAP to specify the map file to use to map Network Information Service (NIS) attributes to an NIS mapname.

Purpose

To specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.

Default

sqlnet.maps

Example

NAMES.NIS.META_MAP=sqlnet.maps

5.2.17 RECV_BUF_SIZE

Use the sqlnet parameter RECV_BUF_SIZE to specify the buffer space limit for session receive operations.

Purpose

To specify the buffer space limit for receive operations of sessions.

Usage Notes

You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.

This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

Note:

Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.

See Also:

Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter

Default

The default value for this parameter is operating system specific. The default for Linux 2.6 operating system is 87380 bytes.

Example

RECV_BUF_SIZE=11784

5.2.18 SDP.PF_INET_SDP

Use the sqlnet parameter SDP.PF_INET_SDP to specify the protocol family or address family constant for the SDP protocol on your system.

Purpose

To specify the protocol family or address family constant for the SDP protocol on your system.

Default

27

Values

Any positive integer

Example

SDP.PF_INET_SDP=30

5.2.19 SEC_USER_AUDIT_ACTION_BANNER

Use the sqlnet parameter SEC_USER_AUDIT_ACTION_BANNER to specify a text file that contains the banner contents that warn users about user action auditing.

Purpose

To specify a text file containing the banner contents that warn users about possible user action auditing.

Usage Notes

You must specify the complete path of the text file in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can use OCI features to retrieve this banner and display it to users.

Default

None

Values

Name of the file for which the database owner has read permissions.

Example

SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt

5.2.20 SEC_USER_UNAUTHORIZED_ACCESS_BANNER

Use the sqlnet parameter SEC_USER_UNAUTHORIZED_ACCESS_BANNER to specify the file that contains the banner contents that warn users about unauthorized database access.

Purpose

To specify the name of a text file containing the banner contents that warn users about unauthorized access to the database.

Usage Notes

You must specify the complete path of the text file in the sqlnet.ora file on the server. OCI applications can use OCI features to retrieve this banner and display it to users.

Default

None

Values

Name of the banner file for which the database owner has read permissions.

Example

SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

5.2.21 SEND_BUF_SIZE

Use the sqlnet parameter SEND_BUF_SIZE to specify the buffer space limit for session send operations.

Purpose

To specify the buffer space limit for send operations of sessions.

Usage Notes

You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.

This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

Note:

Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.

See Also:

Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter

Default

The default value for this parameter is operating system specific. The default for Linux 2.6 operating systems is 16 KB.

Example

SEND_BUF_SIZE=11784

5.2.22 SQLNET.ALLOWED_LOGON_VERSION_CLIENT

Use the sqlnet parameter SQLNET.ALLOWED_LOGON_VERSION_CLIENT to define minimum authentication protocols that servers acting as clients to other servers can use to connect to Oracle Database instances.

Purpose

To set the minimum authentication protocol allowed for clients when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the verison of the Oracle Database release.

If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.

Values

  • 12a for Oracle Database 12c Release 1 (12.1.0.2) or later (strongest protection)

    Note:

    Using this setting, the clients can only authenticate using a de-optimized password version. For example, the 12C password version.
  • 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (stronger protection)

    Note:

    Using this setting, the clients can only authenticate using a password hash value that uses salt. For example, the 11G or 12C password versions.
  • 11 for Oracle Database 11g authentication protocols (default)

  • 10 for Oracle Database 10g authentication protocols

Default

11

Example

If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then set the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter as follows for the database link connection to proceed:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

5.2.23 SQLNET.ALLOWED_LOGON_VERSION_SERVER

Use the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to set the minimum authentication protocol that is permitted when connecting to Oracle Database instances.

Purpose

To set the minimum authentication protocol for connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

The authentication fails with the error ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported. This error appears if the client does not have the ability listed in the "Ability Required of the Client" column that corresponds to the row that matches the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter in Table 1.

A setting of 8 enables all password versions, and enables any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.

A setting of 12a enables only the 12C password version.

A greater value means that the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. Whether a client can authenticate to a specific account depends on both the server's setting of its SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter, as well as on the password versions that exist for the specified account. You can see the list of password versions in file DBA_USERS.PASSWORD_VERSIONS.

Note the following implications of setting the value to 12 or 12a:

  • Releases of OCI clients earlier than Oracle Database 10g cannot authenticate to the Oracle database using password-based authentication.

  • If the client uses Oracle Database 10g, then the client will receive an ORA-03134: Connections to this server version are no longer supported error message. To enable the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. You may need to reset the password for that account.

Note the following implication of setting the value to 12a:

  • To take advantage of the new 12C password version introduced in Oracle Database release 12.2, user passwords should be expired to encourage users to change their passwords and cause the new 12C password version to be generated for their account. By default in this release, new passwords are treated in a case-sensitive fashion. When an account password is changed, the earlier 10g case-insensitive password version is automatically removed, and the new 12c password version is generated.

  • When an account password is changed, the earlier 10g case-insensitive password version and the 11g password version are both automatically removed.

  • JDBC Thin Client Support:

    In Oracle Database release 12.1.0.2 and later, if you set the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12a and you create a new account or change the password of an existing account, then only the new 12c password version is generated. The 12c password version is based on a SHA-2 (Secure Hash Algorithm) SHA-512 salted cryptographic hash deoptimized using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm. When the database server is running with ALLOWED_LOGON_VERSION_SERVER set to 12a, it is running in exclusive mode. In this mode, to log in using a JDBC client, the JRE version must be at least version 8. The JDBC client enables its O7L_MR capability flag only when it is running with at least version 8 of the JRE.

    Note:

    Check the PASSWORD_VERSIONS column of the DBA_USERS catalog view to see the list of password versions for any given account.

    If you set the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12, then the server runs in exclusive mode and only the 11G and 12C password versions (the SHA-1 and PBKDF2 SHA-2 based hashes of the password, respectively) are generated and allowed to be used. In such cases, fully-patched JDBC clients having the CPUOct2012 patch can connect because these JDBC clients provide the O5L_NP client ability.

    Older JDBC clients that do not have the CPUOct2012 containing the fix for the stealth password cracking vulnerability CVE-2012-3132, do not provide the O5L_NP client ability. Therefore, ensure that all of the JDBC clients are patched properly.

The client must support certain abilities of the authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all of the capabilities of the older clients, but older clients tend to have fewer abilities than more recent clients.

  • O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12c password version. For JDBC clients, only those running on at least JRE version 8 offer the O7L_MR capability.

  • O5L_NP: The ability to perform Oracle Database 10g authentication protocols using the 11g password version, and generating a session key encrypted for critical patch update CPUOct2012.

  • O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.

  • O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.

  • O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

An ability that appears at the top in the above list is more recent and secure than an ability that appears lower toward the bottom in the list. Clients that are more recent have all of the capabilities of the older clients.

The following table describes:
  • The allowed settings of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter

  • Its effect on the generated password versions when an account is created or a password is changed

  • The ability flag required of the client to authenticate while the server has this setting

  • Also indicates whether the setting is considered to be an exclusive mode.

Table 5-1 SQLNET.ALLOWED_LOGON_VERSION_SERVER Settings

Value of the ALLOWED_LOGON_VERSION_SERVER Parameter Generated Password Version Ability Required of the Client Meaning for Clients Server Runs in Exclusive Mode

12a

12C

O7L_MR

Only Oracle Database 12c release 1 (12.1.0.2 or later) clients can connect to the server.

Yes because it excludes the use of both 10g and 11g password versions.

12

11g, 12c

O5L_NP

Oracle Database 11g release 2 (11.2.0.3 or later) clients can connect to the server.

Older clients need the critical patch update CPUOct2012 or later, to gain the O5L_NP ability.

Only older clients that have applied critical patch update CPUOct2012 or later can connect to the server.

Yes because it excludes the use of the 10g password version.

11

10g, 11g, 12c

O5L

Clients using Oracle Database 10g and later can connect to the server.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10g password version.

No

10

10g, 11g, 12c

O5L

It has the same meaning as the earlier row.

No

9

10g, 11g, 12c

O4L

It has the same meaning as the earlier row.

No

8

10g, 11g, 12c

O3L

It has the same meaning as the earlier row.

No

Values

  • 12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)

  • 12 for Oracle Database 12c release 12.1 authentication protocols (default and recommended value)

  • 11 for Oracle Database 11g authentication protocols

  • 10 for Oracle Database 10g authentication protocols

  • 9 for Oracle9i Database authentication protocol

  • 8 for Oracle8i Database authentication protocol

Note:

  • Starting with Oracle Database 12c Release 2 (12.2), the default value is 12.

  • For earlier releases, the value 12 can be used after the critical patch updates CPUOct2012 and later are applied.

Default

12

Example

SQLNET.ALLOWED_LOGON_VERSION_SERVER=12

5.2.24 SQLNET.AUTHENTICATION_SERVICES

Use the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services.

Purpose

To enable one or more authentication services. If you installed authentication, then it is recommended that you set SQLNET.AUTHENTICATION_SERVICES to either none or to one of the listed authentication methods.

Usage Notes

When using the SQLNET.AUTHENTICATION_SERVICES value all, the server attempts to authenticate using each of the following methods. The server falls back to the authentication methods that appear futher down on the list if attempts to use the authentication methods appearing higher on the list were unsuccessful.

  • Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.

  • Authentication based on the operating system user's membership in an administrative operating system group. Group names are platform-specific. This authentication applies to administrative connections only.

  • Authentication performed by the database.

  • Authentication based on credentials stored in a directory server.

Operating system authentication enables access to the database using any user name and any password when an administrative connection is attempted, such as using the AS SYSDBA clause when connecting using SQL*Plus. An example of a connection is as follows.

sqlplus ignored_username/ignored_password AS SYSDBA

When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because the user name and password are ignored by the server because Oracle checks the group membership first.

See Also:

Oracle Database Security Guide for additional information about authentication methods

Default

all

Note:

When installing Oracle Database with Database Configuration Assistant (DBCA), this parameter may be set to nts in the sqlnet.ora file.

Values

Authentication methods that are available with Oracle Net Services:

  • none for no authentication methods, including Microsoft Windows native operating system authentication. When you set SQLNET.AUTHENTICATION_SERVICES to none, then you can use a valid user name and password to access the database.

  • all for all authentication methods

  • beq for native operating system authentication for operating systems other than Microsoft Windows

  • kerberos5 for Kerberos authentication

  • nts for Microsoft Windows native operating system authentication

  • radius for Remote Authentication Dial-In User Service (RADIUS) authentication

  • tcps for SSL authentication

Example

SQLNET.AUTHENTICATION_SERVICES=(kerberos5)

5.2.25 SQLNET.CLIENT_REGISTRATION

Use the sqlnet.ora parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for the client computer.

Purpose

To set a unique identifier for the client computer.

Usage Notes

This identifier is passed to the listener with any connection request and is included in the audit trail. The identifier can be any alphanumeric string up to 128 characters long.

Default

None

Example

SQLNET.CLIENT_REGISTRATION=1432

5.2.26 SQLNET.CLOUD_USER

Use the sqlnet.ora parameter SQLNET.CLOUD_USER to specify a user name for web server HTTP basic authentication.

Purpose

To specify a user name for web server HTTP basic authentication.

Usage Notes

When you use a secure websocket protocol, the client uses this user as the user name for authentication. The password for this user should be stored in a wallet using mkstore commands.

Perform the following configuration steps to use HTTP basic authentication with secure websockets:

  1. Create a wallet using the orapki utility.

    orapki wallet create -wallet wallet_directory

    Example

    orapki wallet create -wallet /app/wallet
  2. Add a web server public certificate.

    orapki wallet -wallet  wallet_directory  -trusted_cert -cert  web_server_public_certificate_in_pem_format

    Example

    orapki wallet -wallet  /app/wallet  -trusted_cert -cert  server_cert.txt
  3. Add the web server user name to sqlnet.ora. This user name is only used for authenticating the web server. This is not a database user name. After web server authentication, the web server connects to the back-end database server and database authentication is completed.

    Example

    sqlnet.cloud_user = dbuser1
  4. Add a web server user password to the wallet.

    mkstore -wrl wallet_location  -createEntry username password

    Example

    mkstore -wrl  /app/wallet  -createEntry  dbuser1  Secretdb#
  5. Make the wallet automatically log in and protect this wallet directory using operating system file permissions or any other means. Do this so that only the database client can have read access to it. Refer to the operating system utilities for information about changing the file permissions.

    orapki wallet create -wallet wallet_directory -auto_login

    Example

    orapki wallet create -wallet /app/wallet -auto_login
  6. Update the sqlnet.ora file with the wallet entry.

    Example

    wallet_location=(SOURCE=  (METHOD=file)  (METHOD_DATA=    (DIRECTORY=/app/wallet)))

Default

None

5.2.27 SQLNET.COMPRESSION

Use the sqlnet.ora parameter SQLNET.COMPRESSION to enable or disable data compression.

Purpose

To enable or disable data compression. If both the server and client have this parameter set to ON, then compression is used for the connection.

Note:

The SQLNET.COMPRESSION parameter applies to all database connections, except for Oracle Data Guard streaming redo and SecureFiles LOBs (Large Objects).

Default

off

Values

  • on to enable data compression.

  • off to disable data compression.

Example

SQLNET.COMPRESSION=on

5.2.28 SQLNET.COMPRESSION_ACCELERATION

Use the sqlnet.ora parameter SQLNET.COMPRESSION_ACCELERATION to specify the use of hardware accelerated version of compression using this parameter if it is available for that platform.

Purpose

To specify the use of hardware accelerated version of compression using this parameter if it is available for that platform.

Usage Notes

You can set this parameter in the Oracle Connection Manager alias description.

Default

on

Values

  • on

  • off

  • 0

  • 1

Example 5-4 Example

compression_acceleration = on

5.2.29 SQLNET.COMPRESSION_LEVELS

Use the sqlnet.ora parameter SQLNET.COMPRESSION_LEVELS to specify the compression level.

Purpose

To specify the compression level.

Usage Notes

The compression levels are used at the time of negotiation to verify which levels are used at both ends, and to select one level.

For Database Resident Connection Pooling (DRCP), only the compression level low is supported.

Default

low

Values

  • low to use low CPU usage and low compression ratio

  • high to use high CPU usage and high compression ratio

Example

SQLNET.COMPRESSION_LEVELS=(high)

5.2.30 SQLNET.COMPRESSION_THRESHOLD

Use the sqlnet.ora parameter SQLNET.COMPRESSION_THRESHOLD to specify the minimum data size for which compression is needed.

Purpose

To specify the minimum data size, in bytes, for which compression is needed.

Usage Notes

Compression is not to be performed if the size of the data you are sending is less than this value.

Default

1024 bytes

Example

SQLNET.COMPRESSION_THRESHOLD=1024

5.2.31 SQLNET.CRYPTO_CHECKSUM_CLIENT

Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_CLIENT to specify the checksum behavior for clients.

Purpose

To specify the checksum behavior for the client.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted

5.2.32 SQLNET.CRYPTO_CHECKSUM_SERVER

Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_SERVER to specify the checksum behavior for the database.

Purpose

To specify the checksum behavior for the database.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.CRYPTO_CHECKSUM_SERVER=accepted

5.2.33 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT to specify a list of crypto-checksum algorithms for the client to use.

Purpose

To specify a list of crypto-checksum algorithms for the client to use.

Default

All available algorithms

Values

  • MD5 for the RSA Data Security MD5 algorithm

  • SHA1 for the Secure Hash Algorithm

    The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.

    Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Instead of using SHA1, Oracle recommends that you start using a stronger SHA-2 cipher in place of the SHA-1 cipher.

  • SHA256 for SHA-2 uses 256 bits with the hashing algorithm

  • SHA384 for SHA-2 uses 384 bits with the hashing algorithm

  • SHA512 for SHA-2 uses 512 bits with the hashing algorithm

Example

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256, MD5)

5.2.34 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER to specify a list of crypto-checksum algorithms for the database to use.

Purpose

To specify a list of crypto-checksum algorithms for the database to use.

Default

All available algorithms

Values

  • MD5 for the RSA Data Security's MD5 algorithm

  • SHA1 for the Secure Hash algorithm

    The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.

    Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Instead of using SHA1, Oracle recommends that you start using a stronger SHA-2 cipher in place of the SHA-1 cipher.

  • SHA256 for SHA-2 uses 256 bits with the hashing algorithm

  • SHA384 for SHA-2 uses 384 bits with the hashing algorithm

  • SHA512 for SHA-2 uses 512 bits with the hashing algorithm

Example

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256, MD5)

5.2.35 SQLNET.DBFW_PUBLIC_KEY

Use the sqlnet.ora parameter SQLNET.DBFW_PUBLIC_KEY to provide Oracle Database Firewall public keys to the Advanced Security Option (ASO) by specifying the file that stores the public keys.

Purpose

To provide Oracle Database Firewall public keys to Advanced Security Option (ASO) by specifying the name of the file that stores the Oracle Database Firewall public keys.

Default

None

Values

Full path name of the operating system file that has the public keys

Example

SQLNET.DBFW_PUBLIC_KEY="/path_to_file/dbfw_public_key_file.txt"

5.2.36 SQLNET.DOWN_HOSTS_TIMEOUT

Use the sqlnet.ora parameter SQLNET.DOWN_HOSTS_TIMEOUT to specify the amount of time in seconds that server hosts down state information remains in the client cache.

Purpose

To specify the amount of time in seconds that information about the down state of server hosts is kept in the client process cache.

Usage Notes

Clients discover the down state of server hosts when attempting connections. When a connection attempt fails, the information about the down state of the server host is added to the client process cache. Subsequent connection attempts by the same client process move the addresses of the down hosts to the end of the address list, thereby reducing the priority of down hosts. When the duration of time that is specified by the SQLNET.DOWN_HOSTS_TIMEOUT parameter has elapsed, the host is purged from the process cache and its priority in the address list is restored.

Default

600 seconds (10 minutes)

Values

Any positive integer

Example

SQLNET.DOWN_HOSTS_TIMEOUT=60

5.2.37 SQLNET.ENCRYPTION_CLIENT

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_CLIENT to enable encryption for clients.

Purpose

To enable encryption for clients. Setting the tnsnames.ora parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS to TRUE disables SQLNET.ENCRYPTION_CLIENT.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.ENCRYPTION_CLIENT=accepted

5.2.38 SQLNET.ENCRYPTION_SERVER

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_SERVER to enable database encryption.

Purpose

To enable encryption for the database. Setting SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to FALSE disables SQLNET.ENCRYPTION_SERVER.

Default

accepted

Values

  • accepted to enable the security service if required or requested by the other side

  • rejected to disable the security service, even if required by the other side

  • requested to enable the security service if the other side allows it

  • required to enable the security service and disallow the connection if the other side is not enabled for the security service

Example

SQLNET.ENCRYPTION_SERVER=accepted

5.2.39 SQLNET.ENCRYPTION_TYPES_CLIENT

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_CLIENT to list encryption algorithms for clients to use.

Purpose

To specify a list of encryption algorithms for clients to use. .

Default

All available algorithms.

Values

One or more of the following:

  • 3des112 for triple DES with a two-key (112-bit) option

  • 3des168 for triple DES with a three-key (168-bit) option

  • aes128 for AES (128-bit key size)

  • aes192 for AES (192-bit key size)

  • aes256 for AES (256-bit key size)

  • des for standard DES (56-bit key size)

  • des40 for DES (40-bit key size)

  • rc4_40 for RSA RC4 (40-bit key size)

  • rc4_56 for RSA RC4 (56-bit key size)

  • rc4_128 for RSA RC4 (128-bit key size)

  • rc4_256 for RSA RC4 (256-bit key size)

    Starting with Oracle Database 21c, older encryption and hashing algorithms are deprecated.

    Deprecated algorithms include MD4, MD5, DES, and RC4-related algorithms. Removing older, less secure cryptography algorithms prevents accidental use of these APIs. To meet your security requirements, Oracle recommends that you use more modern cryptography algorithms such as AES. While 3DES is not deprecated at this time, AES provides stronger protection.

    As a consequence of this deprecation, Oracle recommends that you review your network encryption configuration to see if you have specified use of any of the deprecated algorithms. If any are found, then switch to using a more modern cipher, such as AES.

Example

SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)

5.2.40 SQLNET.ENCRYPTION_TYPES_SERVER

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_SERVER to list the encryption algorithms for the database to use

Purpose

To specify a list of encryption algorithms for the database to use.

Default

All available algorithms

Values

One or more of the following:

  • 3des112 for triple DES with a two-key (112-bit) option

  • 3des168 for triple DES with a three-key (168-bit) option

  • aes128 for AES (128-bit key size)

  • aes192 for AES (192-bit key size)

  • aes256 for AES (256-bit key size)

  • des for standard DES (56-bit key size)

  • des40 for DES40 (40-bit key size)

  • rc4_40 for RSA RC4 (40-bit key size)

  • rc4_56 for RSA RC4 (56-bit key size)

  • rc4_128 for RSA RC4 (128-bit key size)

  • rc4_256 for RSA RC4 (256-bit key size)

    Starting with Oracle Database 21c, older encryption and hashing algorithms are deprecated.

    Deprecated algorithms include MD4, MD5, DES, and RC4-related algorithms. Removing older, less secure cryptography algorithms prevents accidental use of these APIs. To meet your security requirements, Oracle recommends that you use more modern cryptography algorithms such as AES. While 3DES is not deprecated at this time, AES provides stronger protection.

    As a consequence of this deprecation, Oracle recommends that you review your network encryption configuration to see if you have specified use of any of the deprecated algorithms. If any are found, then switch to using a more modern cipher, such as AES.

Example

SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)

5.2.41 SQLNET.EXPIRE_TIME

Use the sqlnet.ora parameter SQLNET.EXPIRE_TIME to specify how often, in minutes, to verify that client and server connections are active.

Purpose

To specify time intervals, in minutes, for how often to verify that client and server connections are active.

Usage Notes

Setting a value greater than 0 ensures that connections are not left open indefinitely due to an abnormal client termination. If your environment supports TCP keepalive tuning, then Oracle Net Services automatically uses the enhanced detection model and tunes the TCP keepalive parameters.

If the verification check identifies a terminated connection or a connection that is no longer in use, then the check returns an error, causing the server process to exit.

The sqlnet.ora parameter SQLNET.EXPIRE_TIME is primarily intended for the database server, which typically handles multiple connections simultaneously.

You can also use this parameter for database clients to verify if the server connection is active.

Limitations on using the terminated connection detection feature are:

  • You cannot use it on bequeathed connections.

  • Though very small, a probe packet generates additional traffic that may degrade your network performance.

  • Depending on your operating system, the server may need to perform additional processing to distinguish the connection probing event from other events. This can also result in degraded network performance.

Default

0

Minimum Value

0

Recommended Value

10

Example

SQLNET.EXPIRE_TIME=10

5.2.42 SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS

Use the sqlnet.ora parameter SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to ignore the value that is set for the parameter SQLNET.ENCRYPTION_SERVER for TCPS connections. This disables ANO encryption on the TCPS listener.

Purpose

Use SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS on your server to ignore the value that is set for SQLNET.ENCRYPTION_SERVER for TCPS connections. Doing this disables ANO encryption on the TCPS listener.

Default

FALSE

Example 5-5 Example

SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE

5.2.43 SQLNET.INBOUND_CONNECT_TIMEOUT

Use the sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT to specify the amount of time that clients have to connect with the database and authenticate.

Purpose

Use the parameter SQLNET.INBOUND_CONNECT_TIMEOUT to specify the time limit in ms, sec, or min, within which a client must connect with the database and provide authentication information.

Usage Notes

If the client fails to connect and complete the authentication within the specified timeframe, then the database terminates the connection. In addition, the database logs the IP address of the client and writes an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

The default value of SQLNET.INBOUND_CONNECT_TIMEOUT is appropriate for typical scenarios. However, if you need to set a different value, then Oracle recommends setting this parameter in combination with theINBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:

  • Set both parameters to a low value initially.

  • Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the value that you have set for the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

It accepts different timeouts with or without space between the value and the unit. If you do not set a unit of measurement for SQLNET.INBOUND_CONNECT_TIMEOUT, then the default unit is sec. For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and set the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete the connections within the specified time due to system or network delays that are normal for the particular environment, then increase the value for SQLNET.INBOUND_CONNECT_TIMEOUT as needed.

Default

60 seconds

Example

SQLNET.INBOUND_CONNECT_TIMEOUT=3ms

5.2.44 SQLNET.FALLBACK_AUTHENTICATION

Use the sqlnet.ora parameter SQLNET.FALLBACK_AUTHENTICATION to specify whether to attempt password-based authentication if Kerberos authentication fails.

Purpose

To specify whether to attempt to use password-based authentication if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.

Default

FALSE

Example

SQLNET.FALLBACK_AUTHENTICATION=TRUE

5.2.45 SQLNET.KERBEROS5_CC_NAME

Use the sqlnet.ora parameter SQLNET.KERBEROS5_CC_NAME to specify the complete path name to the Kerberos credentials cache file.

Purpose

To specify the complete path name to the Kerberos credentials cache file.

Usage Notes

The MSLSA option specifies that the file is on Microsoft Windows and is running Microsoft KDC.

The OS_MEMORY option specifies that an operating system-managed memory credential is used for the credential cache file. This option is supported for all operating systems with such a feature.

Default

/usr/tmp/krbcache on Linux and UNIX operating systems

c:\tmp\krbcache on Microsoft Windows operating systems

Examples

SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache

SQLNET.KERBEROS5_CC_NAME=MSLSA

SQLNET.KERBEROS5_CC_NAME=OS_MEMORY

Note:

If you want to authenticate multiple Kerberos principals, then you can specify additional Kerberos principals either through the connect string directly or in the tnsnames.ora file.

5.2.46 SQLNET.KERBEROS5_CLOCKSKEW

Use the sqlnet.ora parameter SQLNET.KERBEROS5_CLOCKSKEW to specify how much time elapses before a Kerberos credential is considered out-of-date.

Purpose

To specify how many seconds elapse before a Kerberos credential is considered out-of-date.

Default

300

Example

SQLNET.KERBEROS5_CLOCKSKEW=1200

5.2.47 SQLNET.KERBEROS5_CONF

Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF to specify the path name to the Kerberos configuration file that contains the realm for the default Key Distribution Center (KDC) and that maps realms to KDC hosts.

Purpose

To specify the complete path name to the Kerberos configuration file that contains the realm for the default Key Distribution Center (KDC) and that also maps realms to KDC hosts.

Usage Notes

KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.

The AUTO_DISCOVER option enables the automatic discovery of KDC and its realms. It is the default configuration for Kerberos clients. If there are multiple realms to specify, then Oracle recommends creating configuration files instead of using the AUTO_DISCOVER option. This option is supported for all operating systems with such a feature.

Default

/krb5/krb.conf on Linux and UNIX operating systems

c:\krb5\krb.conf on Microsoft Windows operating systems

Values

  • Directory path to krb.conf file

  • AUTO_DISCOVER

Example

SQLNET.KERBEROS5_CONF=/krb5/krb.conf

5.2.48 SQLNET.KERBEROS5_CONF_LOCATION

Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF_LOCATION to specify the directory for the Kerberos configuration file. The SQLNET.KERBEROS5_CONF_LOCATION parameter also specifies that the file is created by the system and not by the client.

Purpose

To specify the directory for the Kerberos configuration file. The parameter also specifies that the file is created by the system, and not by the client.

Usage Notes

The configuration file uses DNS look-up to obtain the realm for the default KDC, and it maps realms to the KDC hosts. This option is supported for all operating systems that support this feature.

Default

/krb5 on Linux and UNIX operating systems

c:\krb5 on Microsoft Windows operating systems

Example

SQLNET.KERBEROS5_CONF_LOCATION=/krb5

5.2.49 SQLNET.KERBEROS5_KEYTAB

Use the sqlnet.ora parameter SQLNET.KERBEROS5_KEYTAB to specify the path name to the Kerberos principal or, secret, key mapping file that extracts keys and decrypts incoming authentication information.

Purpose

To specify the complete path name to the Kerberos principal or, secret, key mapping file that extracts keys and decrypts incoming authentication information.

Default

/etc/v5srvtab on Linux and UNIX operating systems

c:\krb5\v5srvtab on Microsoft Windows operating systems

Example

SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

5.2.50 SQLNET.KERBEROS5_REALMS

Use the sqlnet.ora parameter SQLNET.KERBEROS5_REALMS to specify the complete path name to the Kerberos realm translation file that maps a host name or domain name to a realm.

Purpose

To specify the complete path name to the Kerberos realm translation file that maps a host name or domain name to a realm.

Default

/krb5/krb.realms on Linux and UNIX operating systems

c:\krb5\krb.realms on Microsoft Windows operating systems

Example

SQLNET.KERBEROS5_REALMS=/krb5/krb.realms

5.2.51 SQLNET.KERBEROS5_REPLAY_CACHE

Use the sqlnet.ora parameter SQLNET.KERBEROS5_REPLAY_CACHE to specify that the replay cache is stored in operating system-managed memory on the server, and that file-based replay cache is not used.

Purpose

To specify that replay cache is stored in operating system-managed memory on the server and that file-based replay cache is not used.

Usage Notes

The OS_MEMORY option specifies that the replay cache is stored in operating system-managed memory on the server, and file-based replay cache is not used.

Example

SQLNET_KERBEROS5_REPLAY_CACHE=OS_MEMORY

5.2.52 SQLNET.OUTBOUND_CONNECT_TIMEOUT

Use the sqlnet.ora parameter SQLNET.OUTBOUND_CONNECT_TIMEOUT to specify the amount of time, in miliseconds, seconds, or minutes, in which clients must establish Oracle Net connections to database instances.

Purpose

To specify the time in ms, sec, or min for clients to establish an Oracle Net connection to the database instance.

Usage Notes

If an Oracle Net connection is not established in the time specified, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The outbound connect timeout interval is a superset of the TCP connect timeout interval that specifies a limit on the time needed to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance that is providing the service. It accepts different timeouts with or without space between the value and the unit.

Without this parameter, a client connection request to the database server may be blocked for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable. In this case, no unit is mentioned and the default unit is sec.

The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.

This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.

If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time that is needed to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance that is providing the requested service. It accepts different timeouts with or without space between the value and the unit.

Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable. In this case, no unit is mentioned and the default unit is sec.

The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.

This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.

Default

None

Example

SQLNET.OUTBOUND_CONNECT_TIMEOUT=10 ms

5.2.53 SQLNET.RADIUS_ALTERNATE

Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE to specify an alternate RADIUS server if the primary server is unavailable.

Purpose

To specify an alternate RADIUS server to use in case the primary server is unavailable.

Usage Notes

The value can be either the IP address or the host name of the server.

Default

None

Example

SQLNET.RADIUS_ALTERNATE=radius2

5.2.54 SQLNET.RADIUS_ALTERNATE_PORT

Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_PORT to specify the listening port of the alternate RADIUS server.

Purpose

To specify the listening port of the alternate RADIUS server.

Default

1645

Example

SQLNET.RADIUS_ALTERNATE_PORT=1667

5.2.55 SQLNET.RADIUS_ALTERNATE_RETRIES

Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_RETRIES to specify the number of times that the database resends messages to alternate RADIUS servers.

Purpose

To specify the number of times that the database server should resend messages to an alternate RADIUS server.

Default

3

Example

SQLNET.RADIUS_ALTERNATE_RETRIES=4

5.2.56 SQLNET.RADIUS_AUTHENTICATION

Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION to specify a primary RADIUS server location, either by its host name or its IP address.

Purpose

To specify the location of a primary RADIUS server, either by its host name or IP address.

Default

Local host

Example

SQLNET.RADIUS_AUTHENETICATION=officeacct

5.2.57 SQLNET.RADIUS_AUTHENTICATION_INTERFACE

Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_INTERFACE to specify the class that contains the user interface for interacting with users.

Purpose

To specify the class containing the user interface that is used to interact with the user.

Default

DefaultRadiusInterface

Example

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

5.2.58 SQLNET.RADIUS_AUTHENTICATION_PORT

Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of a primary RADIUS server.

Purpose

To specify the listening port of a primary RADIUS server.

Default

1645

Example

SQLNET.RADIUS_AUTHENTICATION_PORT=1667

5.2.59 SQLNET.RADIUS_AUTHENTICATION_RETRIES

Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_RETRIES to specify the number of times the database should resend messages to a primary RADIUS server.

Purpose

To specify the number of times the database should resend messages to a primary RADIUS server.

Default

3

Example

SQLNET.RADIUS_AUTHENTICATION_RETRIES=4

5.2.60 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TIMEOUT to specify the amount of time that the database should wait for a response from a primary RADIUS server.

Purpose

To specify the amount of time, in seconds, that the database should wait for a response from a primary RADIUS server.

Default

5

Example

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10

5.2.61 SQLNET.RADIUS_CHALLENGE_RESPONSE

Use the sqlnet.ora parameter SQLNET.RADIUS_CHALLENGE_RESPONSE to enable or disable challenge responses.

Purpose

To turn the challenge responses on or off.

Default

off

Values

on | off

Example

SQLNET.RADIUS_CHALLENGE_RESPONSE=on

5.2.62 SQLNET.RADIUS_SECRET

Use the sqlnet.ora parameter SQLNET.RADIUS_SECRET to specify the location of a RADIUS secret key.

Purpose:

To specify the location of a RADIUS secret key.

Default

The ORACLE_HOME/network/security/radius.key file.

Example

SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey

5.2.63 SQLNET.RADIUS_SEND_ACCOUNTING

Use the sqlnet.ora parameter SQLNET.RADIUS_SEND_ACCOUNTING to enable and disable accounting.

Purpose

To turn accounting on and off. When you enable accounting, packets are sent to the active RADIUS server at the listening port number's value plus one.

Usage Notes

The default port is 1646.

Default

off

Values

on | off

Example

SQLNET.RADIUS_SEND_ACCOUNTING=on

5.2.64 SQLNET.RECV_TIMEOUT

Use the sqlnet.ora parameter SQLNET.RECV_TIMEOUT to specify the duration of time that a database client or server should wait for data from a peer after establishing a connection.

Purpose

To specify the time, in ms, sec, or min, for a database client or server to wait for data from the peer after establishing a connection. The peer must send data within the time interval that you specify.

Usage Notes

Setting this parameter for clients ensures that receive operations are not left in a wait state indefinitely or for a long period due to an abnormal termination of the server process or server busy state. If a client does not receive response data in the time specified, then the client logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. If you set the value, then set the value initially to a low value and adjust the value according to the system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT parameter.

You can also set this parameter on the server-side to specify the time, in ms, sec, or min, for a server to wait for client data after a connection is established. If a client does not send data in time specified, then the database server logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. Without this parameter, the database server might continue to wait for data from clients that may be down or are experiencing problems. The server usually blocks input from the client and gets these timeouts frequently if you set it to a low value. If you do not specify a unit of measurement, then the default unit is sec.

Default

None

Example

SQLNET.RECV_TIMEOUT=10ms

See Also:

Oracle Database Net Services Administrator's Guide for additional information about configuring these parameters

or

SQLNET.RECV_TIMEOUT=10 ms

5.2.65 SQLNET.SEND_TIMEOUT

Use the sqlnet.ora parameter SQLNET.SEND_TIMEOUT to specify the duration of time in which a database must complete send operations to clients after establishing connections.

Purpose

To specify the time in ms, sec, or min, for a database to complete send operations to clients after establishing connections.

Usage Notes

Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.

If the database server cannot complete a send operation in the time specified, then it logsORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server might continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.

You can also set this parameter on the client-side to specify the duration of time in ms, sec, or min, in which client must complete send operations to the database server after connections are established. It accepts different timeouts with or without space between the value and the unit. If you do not specify a unit of measure, then the default unit is sec.Without this parameter, the client might continue to send requests to a database server that is saturated with requests. If you choose to set the value, then set the value initially to a low value and adjust the value according to system and network capacity. If necessary, then use this parameter with the SQLNET.RECV_TIMEOUT parameter.

Default

None

Example

SQLNET.SEND_TIMEOUT=3 ms

See Also:

Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter

5.2.66 SQLNET.URI

Use the sqlnet.ora parameter SQLNET.URI to specify a database client URI mapping on a web server.

Purpose

To specify a database client URI mapping on a web server.

Usage Notes

Use this parameter to customize a URI for mapping the database websocket requests that come into a web server to the back-end database server. Secure websocket handshaking requests are sent with this URI.

Default

/sqlnet

Example 5-6 Example

sqlnet.uri="/my_uri_prefix/database/"

5.2.67 SQLNET.USE_HTTPS_PROXY

Use the sqlnet.ora parameter SQLNET.USE_HTTPS_PROXY to enable forward HTTP proxy tunneling for client connections.

Purpose

To enable forward HTTP proxy tunneling for client connections.

Usage Notes

If set to on, then clients can tunnel secure connections over forward HTTP proxy using the HTTP CONNECT method. This helps access the public cloud database service because it eliminates the requirement to open an outbound port on a client-side firewall. 

This parameter is applicable with Oracle Connection Manager on the server side.

Default

on

Example

SQLNET.USE_HTTPS_PROXY=on

5.2.68 SQLNET.WALLET_OVERRIDE

Use the sqlnet.ora parameter SQLNET.WALLET_OVERRIDE to determine whether a client should override strong authentication credentials with the password credential from the stored wallet.

OracleMetaLink note 340559.1.

Purpose

To determine whether a client should override strong authentication credentials with the password credential from the stored wallet to log in to a database.

Usage Notes

When you use wallets for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is enabled so that the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.

Wallet use can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.

Middle-tier applications create an Oracle Applications wallet during installation to store an application's identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log in to the database.

Values

true | false

Examples

SQLNET.WALLET_OVERRIDE=true

See Also:

In order to use wallets, a wallet must be configured on the client. Refer to Oracle Database Security Guide for additional information about configuring the clients.

5.2.69 SSL_CERT_REVOCATION

Use the sqlnet.ora parameter SSL_CERT_REVOCATION to configure revocation checks for certificates.

Purpose

To configure a revocation check for a certificate.

Default

none

Values

  • none disables certificate revocation checking; this is the default setting.

  • requested to perform certificate revocation if a Certificate Revocation List (CRL) is available. Reject an SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

  • required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

Example

SSL_CERT_REVOCATION=required

5.2.70 SSL_CRL_FILE

Use the sqlnet.ora parameter SSL_CRL_FILE to specify the name of the file in which you assemble the CRL for client authentication.

Purpose

To specify the name of the file where you can assemble the CRL for client authentication.

Usage Notes

This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

Default

None

Example

SSL_CRL_FILE=

5.2.71 SSL_CRL_PATH

Use the sqlnet.ora parameter SSL_CRL_PATH to

Purpose

To specify the destination directory of the CRL of CA.

Usage Notes

The files in this directory are hashed symbolic links that Oracle Wallet Manager creates.

Oracle Wallet Manager (OWM) is deprecated with Oracle Database 21c.

Instead of using Oracle Wallet Manager, Oracle recommends that you use the command line tools orapki and mkstore.

This parameter is only valid if you set SSL_CERT_REVOCATION to either requested or required.

Default

None

Example

SSL_CRL_PATH=

5.2.72 SSL_CIPHER_SUITES

Use the sqlnet.ora parameter SSL_CIPHER_SUITES to control which combination of encryption and data integrity that the Secure Sockets Layer (SSL) uses.

Purpose

To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.2).

Starting with Oracle Database 21c, Transport Layer Security protocol version 1.0 (TLS 1.0) and 1.1 (TLS 1.1) are deprecated.

In accordance with security best practices, Oracle has deprecated the use of TLS 1.0 and TLS 1.1. To meet your security requirements, Oracle strongly recommends that you use TLS 1.2 instead.

Default

None

Values

  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • SSL_RSA_WITH_AES_128_CBC_SHA256

  • SSL_RSA_WITH_AES_128_GCM_SHA256

  • SSL_RSA_WITH_AES_128_CBC_SHA

  • SSL_RSA_WITH_AES_256_CBC_SHA

  • SSL_RSA_WITH_AES_256_CBC_SHA256

  • SSL_RSA_WITH_AES_256_GCM_SHA384

  • SSL_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

  • SSL_DH_anon_WITH_RC4_128_MD5

Note:

The SSL_DH_anon_WITH_3DES_EDE_CBC_SHA and SSL_DH_anon_WITH_RC4_128_MD5 parameters do not the provide authentication of the communicating parties, and can be vulnerable to man-in-the-middle attacks. Oracle recommends that you do not use these cipher suites to protect sensitive data. However, they are useful if the communicating parties want to remain anonymous or simply do not want the overhead caused by mutual authentication.

Example

SSL_CIPHER_SUITES=(ssl_rsa_with_aes_128_cbc_sha256)

See Also:

Oracle Database Security Guide for additional information about cipher suite values

5.2.73 SSL_EXTENDED_KEY_USAGE

Use the sqlnet.ora parameter SSL_EXTENDED_KEY_USAGE to specify the purpose certificate keys.

Purpose

To specify the purpose of the key in a certificate.

Usage Notes

When you specify this parameter, Oracle uses the certificate with the matching extended key.

Values

client authentication

Example

SSL_EXTENDED_KEY_USAGE="client authentication"

5.2.74 SSL_SERVER_DN_MATCH

Use the sqlnet.ora parameterSSL_SERVER_DN_MATCHto enforce server-side certification validation through distinguished name (DN) matching.

Purpose

To enforce server-side certification validation through distinguished name (DN) matching.

Usage Notes

If you enforce the DN matching, then in addition to verifying the server's certificate chain, the client performs another check through DN matching. There are two types of DN matching. Partial DN matching occurs if the server's DN contains its host name. Complete DN matching happens against the server's complete DN. Not enforcing the match enables the server to potentially fake its identity. You must set this parameter to TRUE to do both full or partial DN matching

In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable full DN matching.

Default

no

Values

  • yes | on | true to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.

  • no | off | false to not enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.

Example

SSL_SERVER_DN_MATCH=yes

5.2.75 SSL_VERSION

Use the sqlnet.ora parameter SSL_VERSION to limit the valid SSL or TLS versions that Oracle uses for connections.

Purpose

To limit the valid SSL or TLS versions that are used for connections.

Usage Notes

Clients and database servers must use compatible versions. You should only use this parameter when necessary for backward compatibility. The current default uses TLS version 1.2, which is the version required for multiple security compliance requirements.

If you set SSL_VERSION to undetermined, then by default it uses 3.0.

Default

1.2

Values

Note:

The sqlnet.ora parameter ADD_SSLV3_TO_DEFAULT has no impact on this parameter.
undetermined | 3.0 | 1.0| 1.1 | 1.2

To specify one version or another version, then use the or operator. The following values are permitted:

1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 |
1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 |1.2 or 1.1 or 1.0 or 3.0

Example

SSL_VERSION=1.2

The remaining version numbers correspond to the TLS versions, such as, TLSv1.0, TLSv1.1, and TLSv1.2.

5.2.76 TCP.CONNECT_TIMEOUT

Use the sqlnet.ora parameter TCP.CONNECT_TIMEOUT to specify the amount of time in which a client must establish TCP connections to database servers.

Purpose

To specify the time in ms, sec, or min, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server.

Usage Notes

If a TCP connection to the database is not established in the specified amount of time, then the connection attempt ends. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The timeout applies to each IP address that resolves to a host name. It accepts different timeouts with or without space between the value and the unit. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice because there are two IP addresses. In this example, the default timeout setting of 60 causes a timeout in 120 seconds. If you do not specify a unit of measure, then the default unit is sec.

Default

60

Example

TCP.CONNECT_TIMEOUT=10 ms

5.2.77 TCP.EXCLUDED_NODES

Use the sqlnet.ora parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database.

Purpose

To specify which clients are denied access to the database.

Usage Notes

This parameter is only valid when you set the TCP.VALIDNODE_CHECKING parameter to yes.

You can use wildcards in this parameter for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.

Syntax

TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)

Example

TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.0.2.25,
 172.30.*, 2001:DB8:200C:417A/32)

5.2.78 TCP.INVITED_NODES

Use the sqlnet.ora parameter TCP.INVITED_NODES to specify which clients are allowed access to the database.

Purpose

To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.

Syntax

TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)

Usage Notes

  • This parameter is only valid when you set the TCP.VALIDNODE_CHECKING parameter to yes.

  • This parameter accepts wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.

Example

TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.0.*,
 2001:DB8:200C:433B/32)

5.2.79 TCP.NODELAY

Use the sqlnet.ora parameter TCP.NODELAY to preempt delays in buffer flushing within the TCP/IP protocol stack.

Purpose

To preempt delays in buffer flushing within the TCP/IP protocol stack.

Default

yes

Values

yes | no

Example

TCP.NODELAY=yes

5.2.80 TCP.QUEUESIZE

Use the sqlnet.ora parameter TCP.QUEUESIZE to configure the maximum length of queues for pending connections on TCP listening sockets.

Purpose

To configure the maximum length of the queue for pending connections on a TCP listening socket.

Default

System-defined maximum value. The defined maximum value for Linux is 128.

Values

Any integer value up to the system-defined maximum.

Examples

TCP.QUEUESIZE=100

5.2.81 TCP.VALIDNODE_CHECKING

Use the sqlnet.ora parameter TCP.VALIDNODE_CHECKING to enable and disable valid node checking for incoming connections.

Purpose

To enable and disable valid node checking for incoming connections.

Usage Notes

If you set this parameter to yes, then incoming connections are allowed only if the connections originate from a node that conforms to a list that you specified in the TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.

The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when you set the TCP.VALIDNODE_CHECKING parameter to yes.

You must set this parameter and the dependent parameters, TCP.INVITED_NODES and TCP.EXCLUDED_NODES, in the sqlnet.ora file of the listener. This is important in Oracle RAC environments where listeners run from the Oracle Grid Infrastructure home. Setting the parameter in the database home does not have an effect in Oracle RAC environments. In such environments, you must include the address of all Single Client Access Name (SCANs), Virtual IPs (VIPs), local IP in the TCP.INVITED_NODES list.

In VLAN environments, the sqlnet.ora file present in the Oracle Grid Infrastructure homes should include all of the addresses of all of the VLANs. The VLANs perform the network segregation, whereas the values that are set for INVITED_NODES enables or restricts access to databases within the VLANs.

If multiple databases within the same VLAN require different INVITED_NODE lists, then you must configure separate listeners.

Default

no

Values

yes | no

Example

TCP.VALIDNODE_CHECKING=yes

5.2.82 TNSPING.TRACE_DIRECTORY

Use the sqlnet.ora parameter TNSPING.TRACE_DIRECTORY to specify the destination directory for the TNSPING utility trace file, tnsping.trc.

Purpose

To specify the destination directory for the TNSPING utility trace file, tnsping.trc.

Default

The ORACLE_HOME/network/trace directory.

Example

TNSPING.TRACE_DIRECTORY=/oracle/traces

5.2.83 TNSPING.TRACE_LEVEL

Use the sqlnet.ora parameter TNSPING.TRACE_LEVEL to enable or disable TNSPING utility tracing at a specified level.

Purpose

To enable or diable TNSPING utility tracing at a specified level.

Default

off

Values

  • off for no trace output

  • user for user trace information

  • admin for administration trace information

  • support for Oracle Support Services trace information

Example

TNSPING.TRACE_LEVEL=admin

5.2.84 USE_CMAN

Use the sqlnet.ora parameter USE_CMAN to specify client routing to Oracle Connection Manager.

Purpose

To specify client routing to Oracle Connection Manager.

Usage Notes

When set to true, the parameter routes the client to a protocol address for Oracle Connection Manager.

When set to false, the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.

If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.

Default

false

Values

true | false

Example

USE_CMAN=true

5.2.85 USE_DEDICATED_SERVER

Use the sqlnet.ora parameter USE_DEDICATED_SERVER to append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor that the client uses.

Purpose

To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client.

Usage Notes

The value for this parameter overrides the current value of the SERVER parameter in the tnsnames.ora file.

When set to on, the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This enables connections from this client use a dedicated server process, even if shared server is configured.

Default

off

Values

  • on to append (SERVER=dedicated)

  • off to send requests to existing server processes

Example

USE_DEDICATED_SERVER=on

5.2.86 WALLET_LOCATION

Use the sqlnet.ora parameter WALLET_LOCATION to specify the location of wallets.

Purpose

To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.

Usage Notes

The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from a user's profile.

If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.

Syntax

The syntax depends on the wallet, as follows:

  • Oracle wallets on the file system:

    WALLET_LOCATION=
      (SOURCE=
        (METHOD=file)
        (METHOD_DATA=
           (DIRECTORY=directory)
           [(PKCS11=TRUE/FALSE)]))
    
  • Microsoft certificate store:

    WALLET_LOCATION=
      (SOURCE=
         (METHOD=mcs))
    
  • Oracle wallets in the Microsoft Windows registry:

    WALLET_LOCATION=
       (SOURCE=
          (METHOD=reg)
          (METHOD_DATA=
             (KEY=registry_key)))
    
  • Entrust wallets:

    WALLET_LOCATION=
       (SOURCE=
          (METHOD=entr)
          (METHOD_DATA=
             (PROFILE=file.epf)
             (INIFILE=file.ini)))

Additional Parameters

WALLET_LOCATION supports the following parameters:

  • SOURCE: The type of storage for wallets, and storage location.

  • METHOD: The type of storage.

  • METHOD_DATA: The storage location.

  • DIRECTORY: The location of Oracle wallets on file system.

  • KEY: The wallet type and location in the Microsoft Windows registry.

  • PROFILE: The Entrust profile file (.epf).

  • INIFILE: The Entrust initialization file (.ini).

Default

None

Values

true | false

Examples

Oracle wallets on file system:

WALLET_LOCATION=  
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=  
         (DIRECTORY=/etc/oracle/wallets/databases)))

Microsoft certificate store:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=mcs))
   

Oracle Wallets in the Microsoft Windows registry:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=REG)
     (METHOD_DATA=
        (KEY=SALESAPP)))

Entrust Wallets:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=entr)
     (METHOD_DATA=
       (PROFILE=/etc/oracle/wallets/test.epf)
       (INIFILE=/etc/oracle/wallets/test.ini)))

5.2.87 BEQUEATH_DETACH

Use the sqlnet.ora parameter to enable and disable handling signals on Linux and UNIX systems.

Purpose

To enable or disable signal handling on Linux and UNIX systems

Default

no

Values

  • yes to turn signal handling off

  • no to leave signal handling on

Example

BEQUEATH_DETACH=yes

5.3 ADR Diagnostic Parameters in sqlnet.ora

Diagnostic data for critical errors is stored in the sqlnet.ora Automatic Diagnostic Repository (ADR).

5.3.1 About ADR Diagnostic Parameters

You can use Automatic Diagnostic Repository (ADR) diagnostic parameters when ADR is enabled, which is the default. Oracle ignores non-ADR parameters in the sqlnet.ora file when you enable ADR.

Since Oracle Database 11g, Oracle Database includes an advanced fault diagnostic infrastructure to prevent, detect, diagnose, and resolve problems. The problems might be critical errors such as those that are caused by database code bugs, metadata corruption, or customer data corruption.

When critical errors occur, they are assigned incident numbers. Diagnostic data for the errors, such as traces and dumps, are captured and tagged with the incident number. The data is then stored in ADR, which is a file-based repository outside the database.

The following sqlnet.ora parameters are used when you enable ADR (when DIAG_ADR_ENABLED is set to on):

5.3.2 ADR_BASE

Use the sqlnet.ora parameter ADR_BASE to specify the base location of the ADR files.

Purpose

To specify the base directory in which Oracle stores tracing and logging incidents when ADR is enabled.

Default

The default on the server side is ORACLE_BASE, or ORACLE_HOME/log, if ORACLE_BASE is not defined.

Values

Any valid directory path to a directory with write permission.

Example

ADR_BASE=/oracle/network/trace

5.3.3 DIAG_ADR_ENABLED

Use the sqlnet.ora parameter DIAG_ADR_ENABLED to enable and disable ADR tracing.

Purpose

To specify whether ADR tracing is enabled.

Usage Notes

If you set the DIAG_ADR_ENABLED parameter to OFF, then non-ADR file tracing is used.

Default

on

Values

on | off

Example 5-7 Example

DIAG_ADR_ENABLED=on

5.3.4 TRACE_LEVEL_CLIENT

Use the sqlnet.ora parameter TRACE_LEVEL_CLIENT to enable and disable client tracing at a specific level.

Purpose

To enable client tracing at a specified level or to disable it.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

off or 0

Values

  • off or 0 for no trace output

  • user or 4 for user trace information

  • admin or 10 for administration trace information

  • support or 16 for Oracle Support Services trace information

Example

TRACE_LEVEL_CLIENT=user

5.3.5 TRACE_LEVEL_SERVER

Use the sqlnet.ora parameter TRACE_LEVEL_SERVER to enable and disable server tracing at a specific level.

Purpose

To turn server tracing on at a specified level or to turn it off.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

off or 0

Values

  • off or 0 for no trace output

  • user or 4 for user trace information

  • admin or 10 for administration trace information

  • support or 16 for Oracle Support Services trace information

Example

TRACE_LEVEL_SERVER=admin

5.3.6 TRACE_TIMESTAMP_CLIENT

Use the sqlnet.ora parameter TRACE_TIMESTAMP_CLIENT to add time stamps to trace events in client trace files.

Purpose

To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

on

Values

on or true | off or false

Example

TRACE_TIMESTAMP_CLIENT=true

5.3.7 TRACE_TIMESTAMP_SERVER

Use the sqlnet.ora parameter TRACE_TIMESTAMP_CLIENT to add time stamps to trace events in database trace files.

Purpose

To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc.

Usage Notes

This parameter is also applicable when non-ADR tracing is used.

Default

on

Values

on or true | off or false

Example

TRACE_TIMESTAMP_SERVER=true

5.4 Non-ADR Diagnostic Parameters in sqlnet.ora Files

Learn about sqlnet.ora parameters that you use when you disable ADR.

This section lists the sqlnet.ora parameters that are used when you disable ADR.

Note:

The default value of DIAG_ADR_ENABLED is on. Therefore, the DIAG_ADR_ENABLED parameter must explicitly be set to off to use non-ADR tracing.

5.4.1 LOG_DIRECTORY_CLIENT

Use the sqlnet.ora non-ADR diagnostic parameter LOG_DIRECTORY_CLIENT to specify the destination directory for client log files.

Purpose

To specify the destination directory for the client log file.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/log

Values

Any valid directory path.

Example

LOG_DIRECTORY_CLIENT=/oracle/network/log

5.4.2 LOG_DIRECTORY_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter LOG_DIRECTORY_SERVER to specify the destination directory for database log files.

Purpose

To specify the destination directory for database log files.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/trace

Values

Any valid directory path to a directory with write permission.

Example

LOG_DIRECTORY_SERVER=/oracle/network/trace

5.4.3 LOG_FILE_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter LOG_FILE_CLIENT to specify the name of log files for clients.

Purpose

To specify the name of the log file for the client.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/log/sqlnet.log

Values

The default value cannot be changed.

5.4.4 LOG_FILE_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter LOG_FILE_SERVER to specify log file names for the database.

Purpose

To specify the name of the log file for the database.

Usage Notes

Use this parameter when ADR is not enabled.

Default

sqlnet.log

Values

Example

LOG_FILE_SERVER=svr.log

5.4.5 TRACE_DIRECTORY_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_CLIENT to specify the destination directory for client trace files.

Purpose

To specify the destination directory for the client trace file.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/trace

Values

Any valid directory path to a directory with write permission.

Example

TRACE_DIRECTORY_CLIENT=/oracle/traces

5.4.6 TRACE_DIRECTORY_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_SERVER to specify the destination directory for database trace files.

Purpose

To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.

Default

 ORACLE_HOME/network/trace

Values

Any valid directory path to a directory with write permission.

Example

TRACE_DIRECTORY_SERVER=/oracle/traces

5.4.7 TRACE_FILE_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_CLIENT to specify the names of client trace files.

Purpose

To specify the name of a client trace file.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/trace/cli.trc

Values

Any valid file name.

Example

TRACE_FILE_CLIENT=clientsqlnet.trc

5.4.8 TRACE_FILE_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_SERVER to specify the destination directory for database trace output.

Purpose

To specify the destination directory for the database server trace output.

Usage Notes

Use this parameter when ADR is not enabled.

Default

ORACLE_HOME/network/trace/svr_pid.trc

Values

Any valid file name. The process identifier (pid) is appended to the name automatically.

Example

TRACE_FILE_SERVER=svrsqlnet.trc

5.4.9 TRACE_FILEAGE_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILEAGE_CLIENT to specify the maximum age of client trace files in minutes.

Purpose

To specify the maximum age of client trace files in minutes.

Usage Notes

When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.

Default

Unlimited

This is the same as setting the parameter to 0.

Example 5-8 Example

TRACE_FILEAGE_CLIENT=60

5.4.10 TRACE_FILEAGE_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILEAGE_SERVER to specify the maximum age of database trace files in minutes.

Purpose

To specify the maximum age of database server trace files in minutes.

Usage Notes

When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.

Default

Unlimited

This is the same as setting the parameter to0.

Example 5-9 Example

TRACE_FILEAGE_SERVER=60

5.4.11 TRACE_FILELEN_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_CLIENT to specify the size of client trace files in kilobytes.

Purpose

When the file grows to the specified size, Oracle writes the trace information to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.

To specify the size of the client trace files in kilobytes (KB).

Usage Notes

Example

TRACE_FILELEN_CLIENT=100

5.4.12 TRACE_FILELEN_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_SERVER to specify the size of database trace files in kilobytes.

Purpose

To specify the size of the database server trace files in kilobytes (KB).

Usage Notes

When the file grows to the specified size, Oracle writes the trace information to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.

Example

TRACE_FILELEN_SERVER=100

5.4.13 TRACE_FILENO_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_CLIENT to specify the number of trace files for client tracing.

Purpose

To specify the number of trace files for client tracing.

Usage Notes

When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.

When this parameter is set with theTRACE_FILEAGE_CLIENT parameter, trace files are cycled based on their age. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used.

When you set this parameter with both the TRACE_FILELEN_CLIENT and TRACE_FILEAGE_CLIENT parameters, trace files are replaced when either the size limit or the age limit is reached.

The trace file names are distinguished from one another by their sequence numbers. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

Default

None

Example

TRACE_FILENO_CLIENT=3

5.4.14 TRACE_FILENO_SERVER

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_SERVER to specify the number of trace files for database tracing.

Purpose

To specify the number of trace files for database server tracing.

Usage Notes

When you set this parameter with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used.

When you set this parameter with theTRACE_FILEAGE_SERVER parameter, trace files are cycled based on the age of the trace file. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used.

When this parameter is set with both the TRACE_FILELEN_SERVER and TRACE_FILEAGE_SERVER parameters, trace files are cycled when either the size limit or the age limit is reached.

The trace file names are distinguished from one another by their sequence numbers. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

Default

None

Example

TRACE_FILENO_SERVER=3

5.4.15 TRACE_UNIQUE_CLIENT

Use the non-ADR diagnostic sqlnet.ora parameter TRACE_UNIQUE_CLIENT to specify whether Oracle creates a unique trace file for each client trace session.

Purpose

To specify whether a unique trace file is created for each client trace session.

Usage Notes

When you set the value to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When you set the value to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.

Default

on

Values

on or off

Example

TRACE_UNIQUE_CLIENT=on