Oracle Advanced Security Administrator's Guide
Release 8.1.7

Part Number A85430-01


B Authentication Parameters

This appendix shows sample configuration files with the profile file (sqlnet.ora) and database initialization file (init.ora) authentication parameters required when using CyberSafe, Identix, Kerberos, SecurID, RADIUS, or SSL authentication. It contains the following sections:

Parameters for Clients and Servers using CyberSafe Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using CyberSafe.

Table B-1 CyberSafe Configuration Parameters

File Name: sqlnet.ora
Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(cybersafe)
SQLNET.AUTHENTICATION_GSSAPI_SERVICE=oracle/dbserver.someco.com@SOMECO.COM

File Name: initialization parameter file (init.ora)
Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Identix Authentication

The following sections describe the parameters for Identix authentication.

sqlnet.ora File Parameters

SQLNET.IDENTIX_USE_MD5HASH

Table B-2 SQLNET.IDENTIX_USE_MD5HASH
Description: The server uses MD5 hashing to validate the authentication decision made on the client PC: values are YES and NO.
Default: YES

SQLNET.IDENTIX_KEY_INDEX

Table B-3 SQLNET.IDENTIX_KEY_INDEX
Description: The Identix key index the client uses when it generates its MD5 checksum: 0 <= value <= 256.
Default:

SQLNET.IDENTIX_VERIFICATION_THRESHOLD

Table B-4 SQLNET.IDENTIX_VERIFICATION_THRESHOLD
Description: The verification threshold the server expects its Identix clients to use during fingerprint verification: 0 <= value <= 256.
Default:

SQLNET.IDENTIX_FINGERPRINT_METHOD

Table B-5 SQLNET.IDENTIX_FINGERPRINT_METHOD
Description: The storage method used for fingerprint template files: format = [file/oracle]
Default: None

SQLNET.IDENTIX_DATABASE_DIRECTORY

Table B-6 SQLNET.IDENTIX_DATABASE_DIRECTORY
Description: For the file storage method, the file system location in which the fingerprint templates are stored: format = <path-to-file>.
Default: None

SQLNET.IDENTIX_FINGERPRINT_DATABASE

Table B-7 SQLNET.IDENTIX_FINGERPRINT_DATABASE
Description: The SQL*Net alias of the database used by the Oracle fingerprint storage method: format = <db-alias>.
Default: None

SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER

Table B-8 SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER
Description: The database user used by the Oracle fingerprint storage method: format = <username>.
Default: None

SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD

Table B-9 SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD
Description: The database password used by the Oracle fingerprint storage method: format = <password>.
Default: None

Recommended Minimum Sets of Identix Biometric Parameters

Two fingerprint storage methods are available: the Oracle database method and the file system method. The minimum set of parameters required for each method is listed below:

Oracle Database Method

sqlnet.authentication_services = (beq, identix)
sqlnet.identix_fingerprint_method = oracle
sqlnet.identix_database_directory = <identix_scanner>
sqlnet.identix_fingerprint_database_user = <usrname>
sqlnet.identix_fingerprint_database_password = <pwd>

File System Method

sqlnet.authentication_services = (beq, identix)
sqlnet.identix_fingerprint_method = file
sqlnet.identix_database_directory = /etc/ofm_storage

Initialization File Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using Kerberos Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using Kerberos.

Table B-10 Kerberos Authentication Parameters

File Name: sqlnet.ora
Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/DCE-CC
SQLNET.KERBEROS5_CLOCKSKEW=1200
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
SQLNET.KERBEROS5_CONF_MIT=(FALSE)
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
SQLNET.KERBEROS5_KEYTAB=/krb5/v5srvtab

File Name: initialization parameter file (init.ora)
Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SecurID Authentication

Following is a list of parameters to insert into the configuration files for clients and servers using SecurID.

Table B-11 SecurID Authentication Parameters

File Name: sqlnet.ora
Configuration Parameters:

SQLNET.AUTHENTICATION_SERVICES=(securid)

File Name: initialization parameter file (init.ora)
Configuration Parameters:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using RADIUS Authentication

The following sections describe the parameters for RADIUS authentication.

sqlnet.ora File Parameters

SQLNET.AUTHENTICATION_SERVICES

Table B-12 SQLNET.AUTHENTICATION_SERVICES
Description: Configures the client or the server to use the RADIUS adapter: value = radius.
Default: None

SQLNET.RADIUS_AUTHENTICATION

Table B-13 SQLNET.RADIUS_AUTHENTICATION
Description: Sets the location of the primary RADIUS server, as either a host name or an IP address in dotted decimal format. If the RADIUS server is on a different machine from the Oracle server, you must specify either the host name or the IP address of that machine: format = IP_address_of_RADIUS_Server
Default: localhost

SQLNET.RADIUS_AUTHENTICATION_PORT

Table B-14 SQLNET.RADIUS_AUTHENTICATION_PORT
Description: Sets the listening port of the primary RADIUS server.
Default: 1645

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

Table B-15 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Description: Sets the time to wait for a response from the primary RADIUS server.
Default:

SQLNET.RADIUS_AUTHENTICATION_RETRIES

Table B-16 SQLNET.RADIUS_AUTHENTICATION_RETRIES
Description: Sets the number of times to re-send messages to the primary RADIUS server.
Default:

SQLNET.RADIUS_SEND_ACCOUNTING

Table B-17 SQLNET.RADIUS_SEND_ACCOUNTING
Description: Turns accounting ON or OFF. If you enable accounting, accounting packets are sent to the active RADIUS server at its listening port plus one; with the default listening port this is port 1646. Turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times a user logs on to the system.
Default: OFF

SQLNET.RADIUS_SECRET

Table B-18 SQLNET.RADIUS_SECRET
Description: The file name and location of the RADIUS secret key.
Default: $ORACLE_HOME/network/security/radius.key

SQLNET.RADIUS_ALTERNATE

Table B-19 SQLNET.RADIUS_ALTERNATE
Description: Sets the location of an alternate RADIUS server to be used if the primary server becomes unavailable. This feature is OFF by default. To set up a second RADIUS server for fault tolerance, specify the host name or the IP address of the host where the second RADIUS server is located.
Default: NONE

SQLNET.RADIUS_ALTERNATE_PORT

Table B-20 SQLNET.RADIUS_ALTERNATE_PORT
Description: Sets the listening port of the alternate RADIUS server.
Default: 1645

SQLNET.RADIUS_ALTERNATE_TIMEOUT

Table B-21 SQLNET.RADIUS_ALTERNATE_TIMEOUT
Description: Sets the time to wait for a response from the alternate RADIUS server.
Default: 5

SQLNET.RADIUS_ALTERNATE_RETRIES

Table B-22 SQLNET.RADIUS_ALTERNATE_RETRIES
Description: Sets the number of times to re-send messages to the alternate RADIUS server.
Default: 3

SQLNET.RADIUS_CHALLENGE_RESPONSE

Table B-23 SQLNET.RADIUS_CHALLENGE_RESPONSE
Description: Turns challenge/response support ON or OFF.
Default: OFF

SQLNET.RADIUS_CHALLENGE_KEYWORD

Table B-24 SQLNET.RADIUS_CHALLENGE_KEYWORD
Description: Sets the keyword used to request a challenge from the RADIUS server; the user types no password on the client.
Default: challenge

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

Table B-25 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Description: Sets the name of the Java class that contains the graphical user interface used when RADIUS is in challenge-response (asynchronous) mode.
Default: DefaultRadiusInterface (oracle/net/radius/DefaultRadiusInterface)

SQLNET.RADIUS_CLASSPATH

Table B-26 SQLNET.RADIUS_CLASSPATH
Description: If you use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface that requests first a password and then additional information, for example a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter to the sqlnet.ora file to set the path to the Java classes for that graphical interface and the path to the JDK Libjava.
Default: $ORACLE_HOME/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/sparc/native_threads

Recommended Minimum Sets of RADIUS Parameters

Following are two sets of sample sqlnet.ora file RADIUS authentication parameters:

Static User Name and Password

The following sample sqlnet.ora file shows the minimum set of RADIUS authentication parameters you need to configure for static user name and password (PAP mode) authentication with no accounting.

sqlnet.authentication_services = (radius)
sqlnet.radius_authentication = IP-address-of-RADIUS-server

Note: If you are using the default value of SQLNET.RADIUS_SECRET, confirm that the following file exists:

$ORACLE_HOME/network/security/radius.key

Challenge Response Mode

The following sample sqlnet.ora file shows the minimum set of RADIUS authentication parameters you need to configure for challenge-response mode authentication using token cards or biometric authentication methods.

sqlnet.authentication_services = (radius)
sqlnet.radius_authentication = IP-address-of-RADIUS-server
sqlnet.radius_challenge_response = ON

Initialization File (init.ora) Parameters

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

Parameters for Clients and Servers using SSL

There are two ways to configure a parameter:

Authentication Parameters

Table B-27 SSL Authentication Parameters

Parameter Name (static): SQLNET.AUTHENTICATION_SERVICES
Parameter Name (dynamic): AUTHENTICATION
Parameter Type: String LIST
Parameter Class: Static
Allowable Values: Add TCPS to the list of available authentication services.
Default Value: No default value.
Description: To control which authentication services a user wants to use.
Note: The dynamic version supports only the setting of one type.
Existing/New Parameter: Existing
Syntax (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)
Example (static): SQLNET.AUTHENTICATION_SERVICES = (TCPS, cybersafe, securid)
Syntax (dynamic): AUTHENTICATION = string
Example (dynamic): AUTHENTICATION = (TCPS)

Cipher Suites

Table B-28 Cipher Suite Parameters

Parameter Name (static): SSL_CIPHER_SUITES
Parameter Name (dynamic): SSL_CIPHER_SUITES
Parameter Type: String LIST
Parameter Class: Static
Allowable Values: Any known SSL cipher suite
Default Value: No default
Description: Controls the combination of encryption and data integrity used by SSL.
Existing/New Parameter: New
Syntax (static): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (static): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
Syntax (dynamic): SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ... SSL_cipher_suiteN])
Example (dynamic): SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Supported SSL Cipher Suites

Oracle Advanced Security supports the following cipher suites:

SSL Version

Table B-29 SSL Version Parameters

Parameter Name (static): SSL_VERSION
Parameter Name (dynamic): SSL_VERSION
Parameter Type: string
Parameter Class: Static
Allowable Values: Any version that is valid for SSL (0, 3.0)
Default Value: "0"
Description: To force the version of the SSL connection.
Existing/New Parameter: New
Syntax (static): SSL_VERSION=version
Example (static): SSL_VERSION=3.0
Syntax (dynamic): SSL_VERSION=version
Example (dynamic): SSL_VERSION=3.0

SSL Client Authentication

Table B-30 SSL Client Authentication Parameters

Parameter Name (static): SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic): SSL_CLIENT_AUTHENTICATION
Parameter Type: Boolean
Parameter Class: Static
Allowable Values: TRUE/FALSE
Default Value: TRUE
Description: To control whether a client, in addition to the server, is authenticated using SSL.
Existing/New Parameter: New
Syntax (static): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (static): SSL_CLIENT_AUTHENTICATION=FALSE
Syntax (dynamic): SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (dynamic): SSL_CLIENT_AUTHENTICATION=FALSE

Wallet Location

For any application that must access a wallet for loading the security credentials into the process space, you must specify the wallet location parameters defined by Table B-31 in each of the following configuration files:

The default wallet location is the $ORACLE_HOME directory.
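The following configuration audit is an added example, not code from the Oracle documentation. It parses sqlnet.ora and init.ora in the KEY = VALUE form used throughout this appendix and checks the recommended minimum RADIUS set, the SSL parameters from Tables B-27 to B-30, and the init.ora settings repeated for every adapter; the two sample files and their values (server address, flags) are constructed.

```python
# Constructed sample sqlnet.ora: the appendix's minimum RADIUS challenge-response
# set plus the SSL parameters from Tables B-27 to B-30 (all values constructed).
SAMPLE_SQLNET_ORA = """
sqlnet.authentication_services = (TCPS, radius)
sqlnet.radius_authentication = 10.0.0.5
sqlnet.radius_challenge_response = ON
SSL_VERSION = 0
SSL_CLIENT_AUTHENTICATION = FALSE
"""
# Constructed sample init.ora that violates the setting repeated for every adapter.
SAMPLE_INIT_ORA = 'REMOTE_OS_AUTHENT=TRUE\nOS_AUTHENT_PREFIX=""\n'


def parse_ora(text):
    """Parse KEY = VALUE lines (keys case-insensitive); a parenthesised,
    comma-separated value such as (TCPS, radius) becomes a list."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')                  # OS_AUTHENT_PREFIX="" -> ""
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.upper()] = value
    return params


def audit(sqlnet, init):
    """Return findings where the files depart from the appendix's recommended
    settings; an empty list means nothing was flagged."""
    findings = []
    services = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    services = [s.lower() for s in (services if isinstance(services, list) else [services])]
    if "radius" in services and "SQLNET.RADIUS_AUTHENTICATION" not in sqlnet:
        findings.append("radius: SQLNET.RADIUS_AUTHENTICATION (server location) is not set")
    if "tcps" in services:
        if sqlnet.get("SSL_VERSION", "0") == "0":
            findings.append("ssl: SSL_VERSION is the default 0; set 3.0 to force the version")
        if sqlnet.get("SSL_CLIENT_AUTHENTICATION", "TRUE").upper() != "TRUE":
            findings.append("ssl: SSL_CLIENT_AUTHENTICATION is FALSE; only the server is authenticated")
        if "SSL_CIPHER_SUITES" not in sqlnet:
            findings.append("ssl: SSL_CIPHER_SUITES not set; no explicit cipher suite restriction")
    if init.get("REMOTE_OS_AUTHENT", "").upper() != "FALSE":
        findings.append("init.ora: REMOTE_OS_AUTHENT must be FALSE")
    if init.get("OS_AUTHENT_PREFIX") != "":
        findings.append('init.ora: OS_AUTHENT_PREFIX should be ""')
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ora(SAMPLE_SQLNET_ORA), parse_ora(SAMPLE_INIT_ORA)):
        print(finding)
```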


Copyright © 1996-2000, Oracle Corporation. All Rights Reserved.
