A Custom Database Provider
This section provides information on how to install and configure a custom database
provider (ora-custom-db-provider
) for SQL*Plus Clients to support
Yubikey OTPs.
Currently, Oracle DB does not allow Yubikey OTPs (44chars) from SQL*Plus Clients to enable multi-factor authentication with the RADIUS Server. To overcome this limitation, a custom UI implementation is provided which you can install on SQLPlus Clients. The custom UI implementation supports multi-factor authentication including Yubikey OTPs.
ora-custom-db-provider-1.0.0.jar
is packaged in the
idm-radius
docker image and can be copied from the docker container
at the following location:
/u01/oracle/ora-custom-db-provider
To begin using the custom UI implementation, perform the following tasks for SQL *Plus clients:
- You must update the
sqlnet.ora
file with the following settings. Thesqlnet.ora
file exist in the location,ORACLE_HOME/network/admin/sqlnet.ora
. It is recommended to use Oracle Net Manager. For more information, see Configure RADIUS on the Oracle ClientSQLNET.RADIUS_AUTHENTICATION_INTERFACE = oracle/idm/radius/dbprovider/CustomRadiusInterface
SQLNET.RADIUS_CLASSPATH = <LIB_FOLDER>/ora-custom-db-provider-1.0.0.jar:<ORACLE_HOME>/network/jlib/netradius8.jar:<LIB_FOLDER>/aopalliance-repackaged-2.6.1.jar:<LIB_FOLDER>/hk2-api-2.6.1.jar:<LIB_FOLDER>/hk2-locator-2.6.1.jar:<LIB_FOLDER>/hk2-utils-2.6.1.jar:<LIB_FOLDER>/jackson-annotations-2.10.1.jar:<LIB_FOLDER>/jackson-core-2.10.1.jar:<LIB_FOLDER>/jackson-databind-2.10.1.jar:<LIB_FOLDER>/jackson-module-jaxb-annotations-2.10.1.jar:<LIB_FOLDER>/jakarta.activation-1.2.2.jar:<LIB_FOLDER>/jakarta.activation-api-1.2.1.jar:<LIB_FOLDER>/jakarta.annotation-api-1.3.5.jar:<LIB_FOLDER>/jakarta.inject-2.6.1.jar:<LIB_FOLDER>/jakarta.ws.rs-api-2.1.6.jar:<LIB_FOLDER>/jakarta.xml.bind-api-2.3.2.jar:<LIB_FOLDER>/javassist-3.25.0-GA.jar:<LIB_FOLDER>/jersey-client-2.32.jar:<LIB_FOLDER>/jersey-common-2.32.jar:<LIB_FOLDER>/jersey-entity-filtering-2.32.jar:<LIB_FOLDER>/jersey-hk2-2.32.jar:<LIB_FOLDER>/jersey-media-json-jackson-2.32.jar:<LIB_FOLDER>/osgi-resource-locator-1.0.3.jar:<ORACLE_HOME>/network/jlib:<ORACLE_HOME>/jdk/jre/lib:<ORACLE_HOME>/lib:<ORACLE_HOME>/jdk/jre/lib/amd64:<ORACLE_HOME>/jdk/jre/lib/amd64/server/
All the required jars mentioned above can be copied into a folder on the file system (LIB_FOLDER). You must provide the Absolute Path in the above setting.
- For the custom UI to connect and validate the passwords and OTPs, you
need to configure the mandatory parameters such as RADIUS Server Host,
RADIUS Server HTTPS Port, and DB Server Host. You can configure
the mandatory parameters by using the
config.properties
file. By default theconfig.properties
file is looked for inUSER.HOME
(user.home
system property).You can override this location by defining an ENV Variable: IRA_CONFIG_PATH. For example,
Here, theexport IRA_CONFIG_PATH=/home/opc/uiconfig
config.properties
file would be searched for in the above path.Note:
If you have defined the hostname aliases for the RADIUS Server and Database Server and the default HTTPS port used by RADIUS Server is 8080, then you need not use theconfig.properties
file.
Parameters of config.properties
File
The parameters in the config.properties
file is as follows:
- RADIUS_HOST
Represents the IP address of the RADIUS Server to connect to. If a hostname alias by name,
ora-radius-server
is defined, then by default, it is considered as the RADIUS_HOST. Otherwise, the value for RADIUS_HOST in theconfig.properties
file is considered. - RADIUS_HTTPS_PORT
Represents the HTTPS port of the RADIUS Server to connect to. By default, 8080 is used. If the RADIUS Server uses a different HTTPS port, then this parameter needs to be defined in the
config.properties
file. - DB_SERVER_HOST
Represents the IP address of the DB Server. If a hostname alias by name,
db-server
is defined, then by default, it is considered as the DB_SERVER_HOST. Otherwise, the value for DB_SERVER_HOST in theconfig.properties
file is considered.
Sample Value of config.properties
file Parameters
The sample value of the parameters in the config.properties
file is as
follows:
db-server
hostname alias is defined, then DB_SERVER_HOST
need not be configured. DB_SERVER_HOST=1.1.1.1
ora-radius-server
hostname alias is defined, then
RADIUS_HOST need not be configured.
RADIUS_HOST=2.2.2.2
RADIUS_HTTPS_PORT=8090
Troubleshooting
A basic logging feature is provided with the capability to only turn on/off logging in case of any issues seen while connecting from the SQL*Plus clients. You can configure the following properties in the config.properties file, if required.
To enable logging, set the following property:
ENABLE_LOG=true
ora-custom-mfa.log
is created under the system
property, user.dir
. This location can be customized by defining the
following property:
LOG_FILE_LOCATION=path_where_logfile_should_be_created
If the custom-db-provider
is not able to connect to RADIUS Server and
timing out, configure the following two properties:
-
CONNECT_TIMEOUT: Represents the time in milliseconds that the client waits to connect to RADIUS Server before a timeout. Default value is 60000ms (1 min).
-
READ_TIMEOUT: Represents the time in milliseconds that the client waits for the server to respond back before a timeout. Default value is 60000ms (1 min).