1. Administering Oracle Radius Agent
  2. Appendices
  3. Custom Database Provider

A Custom Database Provider

This section provides information on how to install and configure a custom database provider (ora-custom-db-provider) for SQL*Plus Clients to support Yubikey OTPs.

Currently, Oracle DB does not allow Yubikey OTPs (44chars) from SQL*Plus Clients to enable multi-factor authentication with the RADIUS Server. To overcome this limitation, a custom UI implementation is provided which you can install on SQLPlus Clients. The custom UI implementation supports multi-factor authentication including Yubikey OTPs.

The custom database provider UI jar file, ora-custom-db-provider-1.0.0.jar is packaged in the idm-radius docker image and can be copied from the docker container at the following location: 
/u01/oracle/ora-custom-db-provider

To begin using the custom UI implementation, perform the following tasks for SQL *Plus clients:

  1. You must update the sqlnet.ora file with the following settings. The sqlnet.ora file exist in the location, ORACLE_HOME/network/admin/sqlnet.ora. It is recommended to use Oracle Net Manager. For more information, see Configure RADIUS on the Oracle Client 
    SQLNET.RADIUS_AUTHENTICATION_INTERFACE = oracle/idm/radius/dbprovider/CustomRadiusInterface
    SQLNET.RADIUS_CLASSPATH = <LIB_FOLDER>/ora-custom-db-provider-1.0.0.jar:<ORACLE_HOME>/network/jlib/netradius8.jar:<LIB_FOLDER>/aopalliance-repackaged-2.6.1.jar:<LIB_FOLDER>/hk2-api-2.6.1.jar:<LIB_FOLDER>/hk2-locator-2.6.1.jar:<LIB_FOLDER>/hk2-utils-2.6.1.jar:<LIB_FOLDER>/jackson-annotations-2.10.1.jar:<LIB_FOLDER>/jackson-core-2.10.1.jar:<LIB_FOLDER>/jackson-databind-2.10.1.jar:<LIB_FOLDER>/jackson-module-jaxb-annotations-2.10.1.jar:<LIB_FOLDER>/jakarta.activation-1.2.2.jar:<LIB_FOLDER>/jakarta.activation-api-1.2.1.jar:<LIB_FOLDER>/jakarta.annotation-api-1.3.5.jar:<LIB_FOLDER>/jakarta.inject-2.6.1.jar:<LIB_FOLDER>/jakarta.ws.rs-api-2.1.6.jar:<LIB_FOLDER>/jakarta.xml.bind-api-2.3.2.jar:<LIB_FOLDER>/javassist-3.25.0-GA.jar:<LIB_FOLDER>/jersey-client-2.32.jar:<LIB_FOLDER>/jersey-common-2.32.jar:<LIB_FOLDER>/jersey-entity-filtering-2.32.jar:<LIB_FOLDER>/jersey-hk2-2.32.jar:<LIB_FOLDER>/jersey-media-json-jackson-2.32.jar:<LIB_FOLDER>/osgi-resource-locator-1.0.3.jar:<ORACLE_HOME>/network/jlib:<ORACLE_HOME>/jdk/jre/lib:<ORACLE_HOME>/lib:<ORACLE_HOME>/jdk/jre/lib/amd64:<ORACLE_HOME>/jdk/jre/lib/amd64/server/

    All the required jars mentioned above can be copied into a folder on the file system (LIB_FOLDER). You must provide the Absolute Path in the above setting.

  2. For the custom UI to connect and validate the passwords and OTPs, you need to configure the mandatory parameters such as RADIUS Server Host, RADIUS Server HTTPS Port, and DB Server Host. You can configure the mandatory parameters by using the config.properties file. By default the config.properties file is looked for in USER.HOME (user.home system property).
    You can override this location by defining an ENV Variable: IRA_CONFIG_PATH. For example, 
    export IRA_CONFIG_PATH=/home/opc/uiconfig
    Here, the config.properties file would be searched for in the above path.

    Note:

    If you have defined the hostname aliases for the RADIUS Server and Database Server and the default HTTPS port used by RADIUS Server is 8080, then you need not use the config.properties file.

Parameters of config.properties File

The parameters in the config.properties file is as follows:

  • RADIUS_HOST

    Represents the IP address of the RADIUS Server to connect to. If a hostname alias by name, ora-radius-server is defined, then by default, it is considered as the RADIUS_HOST. Otherwise, the value for RADIUS_HOST in the config.properties file is considered.

  • RADIUS_HTTPS_PORT

    Represents the HTTPS port of the RADIUS Server to connect to. By default, 8080 is used. If the RADIUS Server uses a different HTTPS port, then this parameter needs to be defined in the config.properties file.

  • DB_SERVER_HOST

    Represents the IP address of the DB Server. If a hostname alias by name, db-server is defined, then by default, it is considered as the DB_SERVER_HOST. Otherwise, the value for DB_SERVER_HOST in the config.properties file is considered.

Sample Value of config.properties file Parameters

The sample value of the parameters in the config.properties file is as follows:

If db-server hostname alias is defined, then DB_SERVER_HOST need not be configured. 
DB_SERVER_HOST=1.1.1.1
If ora-radius-server hostname alias is defined, then RADIUS_HOST need not be configured. 
RADIUS_HOST=2.2.2.2
If the default HTTPS port used by RADIUS Server is 8080, then RADIUS_HTTPS_PORT need not be configured. 
RADIUS_HTTPS_PORT=8090

Troubleshooting

A basic logging feature is provided with the capability to only turn on/off logging in case of any issues seen while connecting from the SQL*Plus clients. You can configure the following properties in the config.properties file, if required.

To enable logging, set the following property:

ENABLE_LOG=true
By default, ora-custom-mfa.log is created under the system property, user.dir. This location can be customized by defining the following property: 
LOG_FILE_LOCATION=path_where_logfile_should_be_created
If the custom-db-provider is not able to connect to RADIUS Server and timing out, configure the following two properties:

  • CONNECT_TIMEOUT: Represents the time in milliseconds that the client waits to connect to RADIUS Server before a timeout. Default value is 60000ms (1 min).

  • READ_TIMEOUT: Represents the time in milliseconds that the client waits for the server to respond back before a timeout. Default value is 60000ms (1 min).