5 Parameters for sqlnet.ora Files
This chapter describes the sqlnet.ora file parameters.
               
- Overview of Profile Configuration Files
  Learn about profile configuration files.
- Profile Parameters in sqlnet.ora Files
  These are the sqlnet.ora profile configuration parameters that you use to administer database clients and servers.
- ADR Diagnostic Parameters in sqlnet.ora
  Diagnostic data for critical errors is stored in the sqlnet.ora Automatic Diagnostic Repository (ADR).
- Non-ADR Diagnostic Parameters in sqlnet.ora Files
  Learn about sqlnet.ora parameters that you use when you disable ADR.
5.1 Overview of Profile Configuration Files
Learn about profile configuration files.
The sqlnet.ora file is the Net Services profile configuration file. The sqlnet.ora file resides on clients and databases. You store and implement profiles using this file. You can also configure the database with access control parameters in the sqlnet.ora file. These parameters specify whether clients are allowed or denied access to a database based on the parameter settings.
                  
The sqlnet.ora file enables you to:
                  
- Specify the client domain to append to unqualified names
- Prioritize naming methods
- Enable logging and tracing features
- Route connections through specific processes
- Configure parameters for external naming
- Configure Oracle Advanced Security
- Use protocol-specific parameters to restrict access to the database
 
The sqlnet.ora file is looked up in the following locations and in the following order:
- In the directory specified in the TNS_ADMIN environment variable, if it is set.
- In the ORACLE_BASE_HOME/network/admin directory.
- In the ORACLE_HOME/network/admin directory.

Note:
- The settings in the sqlnet.ora file apply to all pluggable databases (PDBs) in multitenant container database environments.
- Oracle Net Services supports the IFILE parameter in the sqlnet.ora file, with up to three levels of nesting. The parameter is added manually to the file. The following is an example of the syntax:
    IFILE=/tmp/listener_em.ora
    IFILE=/tmp/listener_cust1.ora
    IFILE=/tmp/listener_cust2.ora
  Refer to Oracle Database Reference for additional information.
- With Oracle Instant Client, the sqlnet.ora file is located in the subdirectory of the Oracle Instant Client software. For example, in the /opt/oracle/instantclient_release_number/network/admin directory.
- In the read-only Oracle home mode, the sqlnet.ora file default location is ORACLE_BASE_HOME/network/admin.
- In the read-only Oracle home mode, the parameters are stored in the ORACLE_BASE_HOME location by default.

5.2 Profile Parameters in sqlnet.ora Files
These are the sqlnet.ora profile configuration parameters that you use to administer database clients and servers.
                  
Note:
Starting with Oracle AI Database 26ai, the parameter ENCRYPTION_WALLET_LOCATION is desupported.
To store and retrieve the TDE wallet, use the WALLET_ROOT structure (introduced with Oracle Database 18c).

The WALLET_ROOT parameter is described in Oracle AI Database Transparent Data Encryption Guide.
                     
- ACCEPT_MD5_CERTS
  The sqlnet.ora profile parameter ACCEPT_MD5_CERTS accepts MD5 signed certificates.
- ACCEPT_SHA1_CERTS
  Use the sqlnet.ora profile parameter ACCEPT_SHA1_CERTS to determine whether SQL Net accepts SHA1 signed certificates.
- ALLOWED_WEAK_CERT_ALGORITHMS
  Use the sqlnet.ora parameter ALLOWED_WEAK_CERT_ALGORITHMS to allow the use of deprecated certification algorithms as an exception.
- AZURE_DB_APP_ID_URI
  Use the AZURE_DB_APP_ID_URI parameter to specify the application ID URI of the Oracle Database instance, registered with Microsoft Entra ID (previously called Microsoft Azure Active Directory).
- BEQUEATH_DETACH
  Use the sqlnet.ora parameter BEQUEATH_DETACH to enable and disable handling signals on Linux and UNIX systems.
- CLIENT_CERTIFICATE
  Use the CLIENT_CERTIFICATE parameter to specify the file system path to a client certificate that authenticates your database client application.
- CLIENT_ID
  Use the CLIENT_ID parameter to specify the ID of the database client Microsoft Entra ID app registration.
- EXADIRECT_FLOW_CONTROL
  The sqlnet.ora profile parameter EXADIRECT_FLOW_CONTROL enables or disables Exadirect flow control.
- EXADIRECT_RECVPOLL
  Use the sqlnet.ora parameter EXADIRECT_RECVPOLL to specify the amount of time that a receiver polls for incoming data.
- DEFAULT_SDU_SIZE
  Use the sqlnet.ora profile parameter DEFAULT_SDU_SIZE to specify the session data unit (SDU) size for connections.
- DISABLE_INTERRUPT
  Use the sqlnet.ora profile parameter DISABLE_INTERRUPT to disable Oracle Net handling of a SIGINT signal in client applications.
- DISABLE_OOB
  Use the sqlnet.ora profile parameter DISABLE_OOB to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data from the underlying protocol.
- DISABLE_OOB_AUTO
  Use the sqlnet.ora profile parameter DISABLE_OOB_AUTO to disable server path checks for out-of-band break messages at the time of the connection.
- IPC.KEYPATH
  Use the sqlnet.ora profile parameter IPC.KEYPATH to specify the destination directory where the internal file is created for UNIX domain sockets.
- KERBEROS5_PRINCIPAL
  Use the KERBEROS5_PRINCIPAL parameter to set the Kerberos principal name associated with the Kerberos credentials cache (CC) file.
- MAX_CONDUITS
  Use the sqlnet.ora parameter MAX_CONDUITS to specify the maximum number of conduits between the listener and the broker or dispatcher for handing off client connections.
- NAMES.DEFAULT_DOMAIN
  Use the sqlnet.ora profile parameter NAMES.DEFAULT_DOMAIN to set the name of the domain in which clients most often look up names resolution requests.
- NAMES.DIRECTORY_PATH
  Use the sqlnet parameter NAMES.DIRECTORY_PATH to specify the order of the naming methods for client name resolution lookups.
- NAMES.LDAP_AUTHENTICATE_BIND
  Use the sqlnet parameter NAMES.LDAP_AUTHENTICATE_BIND to specify whether the LDAP naming adapter should authenticate using a specified wallet when it connects to the LDAP directory to resolve connect string names.
- NAMES.LDAP_AUTHENTICATE_BIND_METHOD
  Use the sqlnet parameter NAMES.LDAP_AUTHENTICATE_BIND_METHOD to specify an authentication method for the client LDAP naming adapter.
- NAMES.LDAP_CONN_TIMEOUT
  Use the sqlnet parameter NAMES.LDAP_CONN_TIMEOUT to specify the number of seconds that indicates that a non-blocking connect timeout to the LDAP server occurred.
- NAMES.LDAP_PERSISTENT_SESSION
  Use the sqlnet parameter NAMES.LDAP_PERSISTENT_SESSION to specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookups are complete.
- NAMES.NIS.META_MAP
  Use the sqlnet parameter NAMES.NIS.META_MAP to specify the map file to use to map Network Information Service (NIS) attributes to an NIS mapname.
- OCI_COMPARTMENT
  Use the OCI_COMPARTMENT parameter to specify Oracle Cloud Identifier (OCID) of the compartment that holds database instances for client connections.
- OCI_CONFIG_FILE
  Use the OCI_CONFIG_FILE parameter to specify the directory location where the Oracle Cloud Infrastructure (OCI) configuration file is stored.
- OCI_DATABASE
  Use the OCI_DATABASE parameter to specify Oracle Cloud Identifier (OCID) of the database that you want to access for the client connection.
- OCI_IAM_URL
  Use the OCI_IAM_URL parameter to specify an endpoint URL that the database client must connect with to get the database token for authenticating Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS).
- OCI_PROFILE
  Use the OCI_PROFILE parameter to specify the profile name for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users.
- OCI_TENANCY
  Use the OCI_TENANCY parameter to specify Oracle Cloud Identifier (OCID) of the user’s tenancy.
- PASSWORD_AUTH
  With this setting, client connections use the IAM user name and IAM database password for logging in users to the database.
- RECV_BUF_SIZE
  Use the sqlnet parameter RECV_BUF_SIZE to specify the buffer space limit for session receive operations.
- REDIRECT_URI
  Use the REDIRECT_URI parameter to specify the redirect URI, registered for your Microsoft Entra ID client application.
- SDP.PF_INET_SDP
  Use the sqlnet parameter SDP.PF_INET_SDP to specify the protocol family or address family constant for the SDP protocol on your system.
- SEC_USER_AUDIT_ACTION_BANNER
  Use the sqlnet parameter SEC_USER_AUDIT_ACTION_BANNER to specify a text file that contains the banner contents that warn users about user action auditing.
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER
  Use the sqlnet parameter SEC_USER_UNAUTHORIZED_ACCESS_BANNER to specify the file that contains the banner contents that warn users about unauthorized database access.
- SEND_BUF_SIZE
  Use the sqlnet parameter SEND_BUF_SIZE to specify the buffer space limit for session send operations.
- SEPS_WALLET_LOCATION
  Use the SEPS_WALLET_LOCATION parameter to specify the wallet location for secure external password store (SEPS) and to enable the use of specified wallet for authentication.
- SQLNET.ALLOW_WEAK_CRYPTO
  Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO to configure your client-side network connection by reviewing the specified encryption and crypto-checksum algorithms.
- SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS
  Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS to configure your server-side network connection by reviewing the specified encryption and crypto-checksum algorithms.
- SQLNET.ALLOWED_LOGON_VERSION_CLIENT
  Use the sqlnet parameter SQLNET.ALLOWED_LOGON_VERSION_CLIENT to define minimum authentication protocols that servers acting as clients to other servers can use for connecting to Oracle Database instances.
- SQLNET.ALLOWED_LOGON_VERSION_SERVER
  Use the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to set the minimum authentication protocol that is permitted when connecting to Oracle Database instances.
- SQLNET.AUTHENTICATION_SERVICES
  Use the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services.
- SQLNET.BREAK_RESET_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.BREAK_RESET_TIMEOUT to specify the duration of time that a database client or server should wait for the completion of break/reset operation.
- SQLNET.CLIENT_REGISTRATION
  Use the sqlnet.ora parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for the client computer.
- SQLNET.CLOUD_USER
  Use the sqlnet.ora parameter SQLNET.CLOUD_USER to specify a user name for web server HTTP basic authentication.
- SQLNET.COMPRESSION
  Use the sqlnet.ora parameter SQLNET.COMPRESSION to enable or disable data compression.
- SQLNET.COMPRESSION_ACCELERATION
  Use the sqlnet.ora parameter SQLNET.COMPRESSION_ACCELERATION to specify the use of the hardware-accelerated version of compression, if it is available for that platform.
- SQLNET.COMPRESSION_LEVELS
  Use the sqlnet.ora parameter SQLNET.COMPRESSION_LEVELS to specify the compression level.
- SQLNET.COMPRESSION_THRESHOLD
  Use the sqlnet.ora parameter SQLNET.COMPRESSION_THRESHOLD to specify the minimum data size for which compression is needed.
- SQLNET.CRYPTO_CHECKSUM_CLIENT
  Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_CLIENT to specify the desired data integrity behavior when this client or server acting as a client connects to a server.
- SQLNET.CRYPTO_CHECKSUM_SERVER
  Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_SERVER to specify the data integrity behavior when a client or another server acting as a client connects to this server.
- SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
  Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT to specify a list of data integrity algorithms that this client or server acting as a client uses.
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
  Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER to specify the data integrity algorithms that this server or client to another server uses, in order of intended use.
- SQLNET.DBFW_PUBLIC_KEY
  Use the sqlnet.ora parameter SQLNET.DBFW_PUBLIC_KEY to provide Oracle Database Firewall public keys to the Advanced Security Option (ASO) by specifying the file that stores the public keys.
- SQLNET.DOWN_HOSTS_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.DOWN_HOSTS_TIMEOUT to specify the amount of time in seconds that server hosts down state information remains in the client cache.
- SQLNET.ENCRYPTION_CLIENT
  Use the sqlnet.ora parameter SQLNET.ENCRYPTION_CLIENT to set the encryption behavior when this client or server acting as a client connects to a server.
- SQLNET.ENCRYPTION_SERVER
  The sqlnet.ora parameter SQLNET.ENCRYPTION_SERVER specifies the encryption behavior when a client or a server acting as a client connects to this server.
- SQLNET.ENCRYPTION_TYPES_CLIENT
  Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_CLIENT to specify the encryption algorithms this client or the server acting as a client uses.
- SQLNET.ENCRYPTION_TYPES_SERVER
  Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_SERVER to specify the encryption algorithms this server uses in the order of the intended use.
- SQLNET.EXPIRE_TIME
  Use the sqlnet.ora parameter SQLNET.EXPIRE_TIME to specify how often, in minutes, to verify that client and server connections are alive.
- SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
  Use the sqlnet.ora parameter SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to ignore the value that is set for the parameter SQLNET.ENCRYPTION_SERVER for TCPS connections. This disables ANO encryption on the TCPS listener.
- SQLNET.INBOUND_CONNECT_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT to specify the amount of time that clients have to connect with the database and authenticate.
- SQLNET.FALLBACK_AUTHENTICATION
  Use the sqlnet.ora parameter SQLNET.FALLBACK_AUTHENTICATION to specify whether to attempt password-based authentication if Kerberos authentication fails.
- SQLNET.KERBEROS5_CC_NAME
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_CC_NAME to specify the complete path name to the Kerberos credentials cache (CC) file.
- SQLNET.KERBEROS5_CLOCKSKEW
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_CLOCKSKEW to specify how much time elapses before a Kerberos credential is considered out-of-date.
- SQLNET.KERBEROS5_CONF
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF to specify the path name to the Kerberos configuration file that contains the realm for the default Key Distribution Center (KDC) and that maps realms to KDC hosts.
- SQLNET.KERBEROS5_CONF_LOCATION
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF_LOCATION to specify the directory for the Kerberos configuration file. The SQLNET.KERBEROS5_CONF_LOCATION parameter also specifies that the file is created by the system and not by the client.
- SQLNET.KERBEROS5_KEYTAB
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_KEYTAB to specify the path name to the Kerberos principal or secret key mapping file that extracts keys and decrypts incoming authentication information.
- SQLNET.KERBEROS5_REALMS
  Use the sqlnet.ora parameter SQLNET.KERBEROS5_REALMS to specify the complete path name to the Kerberos realm translation file that maps a host name or domain name to a realm.
- SQLNET.OUTBOUND_CONNECT_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.OUTBOUND_CONNECT_TIMEOUT to specify the amount of time, in milliseconds, seconds, or minutes, in which clients must establish Oracle Net connections to database instances.
- SQLNET.RADIUS_ALLOW_WEAK_CLIENTS
  Use the client-side sqlnet.ora parameter SQLNET.RADIUS_ALLOW_WEAK_CLIENTS to control the transport protocol that the Oracle Database client must use for communicating with the Oracle Database server.
- SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL
  Use the server-side sqlnet.ora parameter SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL to allow weak Oracle Database clients to use RADIUS authentication.
- SQLNET.RADIUS_ALTERNATE
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE to specify an alternate RADIUS server to be used when the primary server is unavailable.
- SQLNET.RADIUS_ALTERNATE_PORT
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_PORT to specify the listening port of an alternate RADIUS server.
- SQLNET.RADIUS_ALTERNATE_RETRIES
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_RETRIES to specify the number of times that the database resends messages to alternate RADIUS servers.
- SQLNET.RADIUS_ALTERNATE_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TIMEOUT to set the time for an alternate RADIUS server to wait for a response.
- SQLNET.RADIUS_ALTERNATE_TLS_HOST
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TLS_HOST to specify the host name of an alternate RADIUS server to be used when the primary server is unavailable.
- SQLNET.RADIUS_ALTERNATE_TLS_PORT
  Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TLS_PORT to specify the listening port of an alternate RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION to specify the location of a primary RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION_INTERFACE
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_INTERFACE to specify the class that contains the user interface for interacting with users.
- SQLNET.RADIUS_AUTHENTICATION_PORT
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of a primary RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION_RETRIES
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_RETRIES to specify the number of times the database should resend messages to a primary RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TIMEOUT to specify the amount of time that the database should wait for a response from a primary RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION_TLS_HOST
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TLS_HOST to specify the host name of a primary RADIUS server.
- SQLNET.RADIUS_AUTHENTICATION_TLS_PORT
  Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TLS_PORT to specify the listening port of a primary RADIUS server.
- SQLNET.RADIUS_CHALLENGE_KEYWORD
  Use the sqlnet.ora parameter SQLNET.RADIUS_CHALLENGE_KEYWORD to set the keyword for requesting a challenge from the RADIUS server.
- SQLNET.RADIUS_CHALLENGE_RESPONSE
  Use the sqlnet.ora parameter SQLNET.RADIUS_CHALLENGE_RESPONSE to enable or disable challenge responses.
- SQLNET.RADIUS_CLASSPATH
  Use the sqlnet.ora parameter SQLNET.RADIUS_CLASSPATH to set the path for Java classes and JDK Java libraries.
- SQLNET.RADIUS_SECRET
  Use the sqlnet.ora parameter SQLNET.RADIUS_SECRET to specify the location of a RADIUS secret key.
- SQLNET.RADIUS_SEND_ACCOUNTING
  Use the sqlnet.ora parameter SQLNET.RADIUS_SEND_ACCOUNTING to enable and disable accounting.
- SQLNET.RADIUS_TRANSPORT_PROTOCOL
  Use the server-side sqlnet.ora parameter SQLNET.RADIUS_TRANSPORT_PROTOCOL to control the transport protocol that the Oracle Database server must use for communicating with the RADIUS server.
- SQLNET.RECV_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.RECV_TIMEOUT to specify the duration of time that a database client or server should wait for data from a peer after establishing a connection.
- SQLNET.SEND_TIMEOUT
  Use the sqlnet.ora parameter SQLNET.SEND_TIMEOUT to specify the duration of time in which a database must complete send operations to clients after establishing connections.
- SQLNET.URI
  Use the sqlnet.ora parameter SQLNET.URI to specify a database client URI mapping on a web server.
- SQLNET.USE_HTTPS_PROXY
  Use the sqlnet.ora parameter SQLNET.USE_HTTPS_PROXY to enable forward HTTP proxy tunneling for client connections.
- SQLNET.WALLET_OVERRIDE
  Use the sqlnet.ora parameter SQLNET.WALLET_OVERRIDE to determine whether a client should override strong authentication credentials with the password credential from the stored wallet.
- SSL_ALLOW_WEAK_DN_MATCH
  Use the sqlnet.ora parameter SSL_ALLOW_WEAK_DN_MATCH to allow the earlier weaker distinguished name (DN) matching behavior during server-side certificate validation.
- SSL_CERTIFICATE_ALIAS
  Use the sqlnet.ora or tnsnames.ora parameter SSL_CERTIFICATE_ALIAS to specify the certificate alias to use in Transport Layer Security (TLS) connections.
- SSL_CERTIFICATE_THUMBPRINT
  Use the sqlnet.ora or tnsnames.ora parameter SSL_CERTIFICATE_THUMBPRINT to specify the certificate thumbprint to use in Transport Layer Security (TLS) connections.
- SSL_CERT_REVOCATION
  Use the sqlnet.ora parameter SSL_CERT_REVOCATION to configure revocation checks for certificates.
- SSL_CRL_FILE
  Use the sqlnet.ora parameter SSL_CRL_FILE to specify the name of the file in which you assemble the certificate revocation list (CRL) for client authentication.
- SSL_CRL_PATH
  Use the sqlnet.ora parameter SSL_CRL_PATH to specify the destination directory of the certificate revocation list (CRL) for client authentication.
- SSL_CIPHER_SUITES
  Use the SSL_CIPHER_SUITES parameter to control the combination of authentication, encryption, and data integrity algorithms used by Transport Layer Security (TLS).
- SSL_CLIENT_AUTHENTICATION
  Use the SSL_CLIENT_AUTHENTICATION parameter to specify whether the database client is authenticated using Transport Layer Security (TLS).
- SSL_DISABLE_WEAK_EC_CURVES
  Use the SSL_DISABLE_WEAK_EC_CURVES parameter to disable the use of weak Elliptic Curve Cryptography (ECC) curves.
- SSL_ENABLE_WEAK_CIPHERS
  Use the sqlnet.ora parameter SSL_ENABLE_WEAK_CIPHERS to enable the use of weak Transport Layer Security (TLS) cipher suites.
- SSL_EXTENDED_KEY_USAGE
  Use the sqlnet.ora parameter SSL_EXTENDED_KEY_USAGE to specify the purpose of certificate keys.
- SSL_SERVER_DN_MATCH
  Use the SSL_SERVER_DN_MATCH parameter to enforce server-side certificate validation through distinguished name (DN) matching.
- SSL_VERSION
  Use the SSL_VERSION parameter to define valid Transport Layer Security (TLS) versions to be used for connections.
- TCP.ALLOWED_PROXIES
  Use the sqlnet.ora parameter TCP.ALLOWED_PROXIES to specify a list of the Oracle Connection Manager (CMAN) addresses that can forward client IP address to the database server.
- TCP.CONNECT_TIMEOUT
  Use the sqlnet.ora parameter TCP.CONNECT_TIMEOUT to specify the amount of time in which a client must establish TCP connections to database servers.
- TCP.EXCLUDED_NODES
  Use the sqlnet.ora parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database.
- TCP.INVITED_NODES
  Use the sqlnet.ora parameter TCP.INVITED_NODES to specify which clients are allowed access to the database.
- TCP.NODELAY
  Use the sqlnet.ora parameter TCP.NODELAY to preempt delays in buffer flushing within the TCP/IP protocol stack.
- TCP.QUEUESIZE
  Use the sqlnet.ora parameter TCP.QUEUESIZE to configure the maximum length of queues for pending connections on TCP listening sockets.
- TCP.VALIDNODE_CHECKING
  Use the sqlnet.ora parameter TCP.VALIDNODE_CHECKING to enable and disable valid node checking for incoming connections.
- TENANT_ID
  Use the TENANT_ID parameter to specify the ID of your Microsoft Entra ID tenant.
- TNSPING.TRACE_DIRECTORY
  Use the sqlnet.ora parameter TNSPING.TRACE_DIRECTORY to specify the destination directory for the TNSPING utility trace file, tnsping.trc.
- TNSPING.TRACE_LEVEL
  Use the sqlnet.ora parameter TNSPING.TRACE_LEVEL to enable or disable TNSPING utility tracing at a specified level.
- TOKEN_AUTH
  Use the TOKEN_AUTH parameter to configure token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) or Microsoft Azure users of Microsoft Entra ID (previously called Microsoft Azure Active Directory).
- TOKEN_LOCATION
  Use the TOKEN_LOCATION parameter to specify the directory location where the token file is stored for token-based authentication.
- TLS_KEY_EXCHANGE_GROUPS
  Use the TLS_KEY_EXCHANGE_GROUPS parameter to enable or disable post-quantum cryptographic (PQC) ML-KEM algorithms and classical ECDHE groups for TLS connections.
- USE_CMAN
  Use the sqlnet.ora parameter USE_CMAN to specify client routing to Oracle Connection Manager.
- USE_DEDICATED_SERVER
  Use the sqlnet.ora parameter USE_DEDICATED_SERVER to append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor that the client uses.
- USE_SNI
  Use the sqlnet.ora parameter USE_SNI to enable setting Server Name Indication (SNI) value using CONNECT_DATA parameters.
- WALLET_LOCATION
  Use the WALLET_LOCATION parameter to specify the location of Oracle wallets.
5.2.1 ACCEPT_MD5_CERTS
The sqlnet.ora profile parameter ACCEPT_MD5_CERTS accepts MD5 signed certificates.
                     
Purpose
To enable sqlnet to accept MD5 signed certificates. In addition to sqlnet.ora, you must also set this parameter in listener.ora.
                        
Default
FALSE
Values
- TRUE to accept MD5 signed certificates
- FALSE to not accept MD5 signed certificates
5.2.2 ACCEPT_SHA1_CERTS
Use the sqlnet.ora profile parameter ACCEPT_SHA1_CERTS to determine whether SQL Net accepts SHA1 signed certificates.
                     
Purpose
To determine whether sqlnet accepts SHA1 signed certificates. In addition to setting this parameter in sqlnet.ora, you must also set this parameter in listener.ora.
                        
The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.
Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Oracle recommends that you use a stronger SHA-2 cipher in place of the SHA-1 cipher.
                        
Default
TRUE
Values
- TRUE to accept SHA1 signed certificates
- FALSE to not accept SHA1 signed certificates
5.2.3 ALLOWED_WEAK_CERT_ALGORITHMS
Use the sqlnet.ora parameter ALLOWED_WEAK_CERT_ALGORITHMS to allow the use of deprecated certification algorithms as an exception. 
                     
Purpose
To allow the use of earlier weaker algorithms for backward compatibility. This is useful for environments that still require the use of certificates associated with deprecated algorithms, such as MD5 or SHA1 signed certificates. 
                        
Usage Notes
Starting in Oracle AI Database 26ai, the ALLOW_MD5_CERTS and ALLOW_SHA1_CERTS sqlnet.ora parameters are deprecated. Instead of these parameters, use the ALLOWED_WEAK_CERT_ALGORITHMS sqlnet.ora parameter, which is new with Oracle AI Database 26ai.
                        
If ALLOWED_WEAK_CERT_ALGORITHMS is set, then Oracle Database ignores ALLOW_MD5_CERTS and ALLOW_SHA1_CERTS. If ALLOWED_WEAK_CERT_ALGORITHMS is not set, then Oracle Database checks and uses the ALLOW_MD5_CERTS and ALLOW_SHA1_CERTS settings.
                        
Values
MD5 | SHA1
- When set to MD5, it allows MD5 but disables SHA1.
- When set to SHA1, it allows SHA1 but disables MD5.
- When set to MD5,SHA1, it allows both MD5 and SHA1.

Ensure that you enclose the values in parentheses. If you want to specify both MD5 and SHA1, then separate the values with a comma.
                        
Default
SHA1
Examples
ALLOWED_WEAK_CERT_ALGORITHMS=(SHA1)
ALLOWED_WEAK_CERT_ALGORITHMS=(MD5,SHA1)
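The precedence rule in the usage notes above, combined with the defaults stated in 5.2.1 and 5.2.2, can be checked mechanically. The following is an added example, not Oracle code: it reports which weak certificate algorithms a profile ends up accepting. The function names and sample file contents are constructed for illustration, and reading both the ACCEPT_* and ALLOW_* spellings of the legacy parameters is an assumption made because this page uses both.

```python
import re

NEW_PARAM = "ALLOWED_WEAK_CERT_ALGORITHMS"
# Legacy switches. The page names them ACCEPT_* (5.2.1, 5.2.2) and ALLOW_*
# (5.2.3 usage notes); reading both spellings is an assumption of this example.
LEGACY = {
    "MD5": ("ACCEPT_MD5_CERTS", "ALLOW_MD5_CERTS"),
    "SHA1": ("ACCEPT_SHA1_CERTS", "ALLOW_SHA1_CERTS"),
}
LEGACY_DEFAULT = {"MD5": False, "SHA1": True}  # defaults given on the page


def parse_profile(text):
    """Parse top-level single-line NAME=value entries into {NAME: value}.

    Simplifications of this example: '#' comments are stripped, continuation
    lines (indented, or starting with a parenthesis) are skipped, and names
    are compared case-insensitively.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or line[0] == "(" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def parse_algorithms(value):
    """Turn '(MD5,SHA1)' into {'MD5', 'SHA1'}; reject anything else."""
    match = re.fullmatch(r"\(\s*(\w+(?:\s*,\s*\w+)*)\s*\)", value)
    if match is None:
        raise ValueError(f"{NEW_PARAM}={value}: values must be enclosed in parentheses")
    algorithms = {item.strip().upper() for item in match.group(1).split(",")}
    unknown = algorithms - set(LEGACY)
    if unknown:
        raise ValueError(f"{NEW_PARAM}: unsupported value(s) {sorted(unknown)}")
    return algorithms


def effective_weak_algorithms(params):
    """Apply the 5.2.3 precedence rule; return (allowed_algorithms, notes)."""
    notes = []
    if NEW_PARAM in params:
        # The new parameter wins; legacy settings are ignored when it is set.
        allowed = parse_algorithms(params[NEW_PARAM])
        for names in LEGACY.values():
            for name in names:
                if name in params:
                    notes.append(f"{name} is ignored because {NEW_PARAM} is set")
        return allowed, notes
    # Otherwise the legacy switches (or their defaults) decide.
    allowed = set()
    for algorithm, names in LEGACY.items():
        value = next((params[n] for n in names if n in params), None)
        if value is None:
            enabled = LEGACY_DEFAULT[algorithm]
        else:
            enabled = value.upper() == "TRUE"
        if enabled:
            allowed.add(algorithm)
    return allowed, notes


def audit(sqlnet_text, listener_text=None):
    """Return findings for a sqlnet.ora and, optionally, its listener.ora."""
    params = parse_profile(sqlnet_text)
    try:
        allowed, findings = effective_weak_algorithms(params)
    except ValueError as exc:
        return [f"invalid setting: {exc}"]
    for algorithm in sorted(allowed):
        findings.append(f"{algorithm}-signed certificates are accepted")
    if listener_text is not None and NEW_PARAM not in params:
        # 5.2.1 and 5.2.2: the legacy switches must also be set in listener.ora.
        listener = parse_profile(listener_text)
        for names in LEGACY.values():
            for name in names:
                if name in params and name not in listener:
                    findings.append(f"{name} is set in sqlnet.ora but not in listener.ora")
    return findings


# Constructed sample profile, not taken from a real system.
SAMPLE_SQLNET = """\
# constructed sample
SSL_SERVER_DN_MATCH=TRUE
ACCEPT_MD5_CERTS=TRUE
ALLOWED_WEAK_CERT_ALGORITHMS=(SHA1)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQLNET):
        print(finding)
```

In the sample, ACCEPT_MD5_CERTS=TRUE has no effect because ALLOWED_WEAK_CERT_ALGORITHMS is set, so only SHA1 is reported as accepted.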
5.2.4 AZURE_DB_APP_ID_URI
Use the AZURE_DB_APP_ID_URI parameter to specify the application ID URI of the Oracle Database instance, registered with Microsoft Entra ID (previously called Microsoft Azure Active Directory).
                     
Purpose
To specify the application ID URI that uniquely identifies your database instance in Entra ID.
$Scope = "database_app_id_uri/scope"
$Scope = "https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3/session:scope:connect"
Here, the app ID URI https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3 is part of the scope.
                        
Usage Notes
This parameter is mandatory. You must set it along with the TOKEN_AUTH parameter for the AZURE_INTERACTIVE, AZURE_SERVICE_PRINCIPAL, AZURE_MANAGED_IDENTITY, and AZURE_DEVICE_CODE authentication flows. 
                        
For the JDBC-thin clients, you can specify this parameter in the connect string, Easy Connect syntax, tnsnames.ora file, or properties. For the thick clients (OCI and Instant Client) and ODP.NET core and managed database clients, you can specify this parameter in the connect string, sqlnet.ora file, Easy Connect syntax, or tnsnames.ora file. The parameter value specified in the connect string takes precedence.
                        
Default
None
Value
You can get the application ID URI value by logging in to the Azure portal. This is listed as the Application ID URI value on the App registrations - Overview page.
Note that this is the value that you specified while registering your Oracle Database instance with the Entra ID tenancy, as shown in Oracle AI Database Security Guide.
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=AZURE_INTERACTIVE)
          (AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )

sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
TOKEN_AUTH=AZURE_INTERACTIVE
AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3

Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=AZURE_INTERACTIVE&AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3

In these examples, the CLIENT_ID, TENANT_ID, and REDIRECT_URI parameters are not specified. CLIENT_ID and TENANT_ID are required parameters when using the thick clients (OCI and Instant Client). These parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration.
5.2.5 BEQUEATH_DETACH
Use the sqlnet.ora parameter BEQUEATH_DETACH to enable and disable handling signals on Linux and UNIX systems.
                     
Purpose
To enable or disable signal handling on Linux and UNIX systems
Default
no
Values
- yes to turn signal handling off
- no to leave signal handling on

Example
BEQUEATH_DETACH=yes
5.2.6 CLIENT_CERTIFICATE
Use the CLIENT_CERTIFICATE parameter to specify the file system path to a client certificate that authenticates your database client application.
                     
Purpose
File system path to a client certificate that authenticates your database client application in Microsoft Entra ID. A client certificate is the digital certificate of an Azure cloud resource, and the client uses this certificate as a credential to prove its identity when requesting an Entra ID access token. This is used for the AZURE_SERVICE_PRINCIPAL token-based authentication flow.
                        
Note:
Only the JDBC-thin clients and ODP.NET core and managed database clients (and not the thick clients, such as OCI and Instant Client) support certificate-based authentication.

Usage Notes
- The Entra ID client uses a client ID and a client secret to retrieve the Entra ID OAuth2 database access token. If a client secret is not configured, then the client driver automatically reads the file system path of a client certificate from the AZURE_CLIENT_CERTIFICATE_PATH environment variable in the Azure SDK configuration. If the application client is public, then it uses only a client ID.
  For more information about using certificates with service principals, review Microsoft documentation.
- This parameter is optional. You can set it if you have not configured the SDKs.
  Note that this parameter is ignored if the client driver is configured with a client secret.
- You can specify this parameter along with the TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL setting in the connect string, Easy Connect syntax, or tnsnames.ora file. The parameter value specified in the connect string takes precedence.
- The supported formats for a certificate file are:
  - .pem (Privacy Enhanced Mail)
  - .pfx (Personal Information Exchange)
    This format is password-protected. If the file is in a .pfx format, then you must also set the corresponding AZURE_CLIENT_CERTIFICATE_PASSWORD parameter.
- You cannot store the certificate in an Oracle Wallet or Azure Key Vault.
  Because this certificate is a credential for accessing the database, you must protect it on your file system.

Default
None
Value
Full path (including a file name) to the Azure certificate file
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL)
          (AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3)
          (CLIENT_CERTIFICATE=ORACLE_HOME/.azure/certificates/my-app.pem))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL&AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3&CLIENT_CERTIFICATE=ORACLE_HOME/.azure/certificates/my-app.pem
In these examples, the CLIENT_ID and TENANT_ID parameters are not specified. These parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration.
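The usage notes say the certificate file is a credential that must be protected on the file system, and that a .pfx file needs AZURE_CLIENT_CERTIFICATE_PASSWORD. The following check is an added example, not Oracle code: it assumes a POSIX system and that it runs as the operating system account of the database client, and `audit_client_certificate` and its finding names are hypothetical.

```python
import os
import stat
import tempfile

# Formats the page lists for CLIENT_CERTIFICATE.
SUPPORTED_SUFFIXES = (".pem", ".pfx")


def audit_client_certificate(path, params=None):
    """Return finding names (hypothetical labels) for a CLIENT_CERTIFICATE file.

    params holds the other connection parameters in effect, as a dict.
    Assumes POSIX permissions and that this runs as the client's OS account.
    """
    params = {k.upper(): v for k, v in (params or {}).items()}
    findings = []

    suffix = os.path.splitext(path)[1].lower()
    if suffix not in SUPPORTED_SUFFIXES:
        findings.append("unsupported-format")
    # A .pfx file is password-protected, so the password parameter must be set.
    if suffix == ".pfx" and not params.get("AZURE_CLIENT_CERTIFICATE_PASSWORD"):
        findings.append("pfx-without-password-parameter")

    try:
        link_info = os.lstat(path)  # describes the path itself
        info = os.stat(path)        # describes the file it resolves to
    except OSError:
        findings.append("missing-or-inaccessible")
        return findings

    if stat.S_ISLNK(link_info.st_mode):
        findings.append("symlink")
    if not stat.S_ISREG(info.st_mode):
        findings.append("not-a-regular-file")
    # Any group or other permission bit exposes the credential to other accounts.
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")
    if info.st_uid != os.geteuid():
        findings.append("not-owned-by-current-user")
    # A directory writable by others lets them replace the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent-dir-writable-by-others")
    return findings


def demo():
    """Audit a constructed certificate file before and after tightening its mode."""
    with tempfile.TemporaryDirectory() as directory:  # created with mode 0700
        cert = os.path.join(directory, "my-app.pem")  # constructed sample file
        with open(cert, "w") as handle:
            handle.write("constructed placeholder, not a real certificate\n")
        os.chmod(cert, 0o644)
        before = audit_client_certificate(cert)
        os.chmod(cert, 0o600)
        after = audit_client_certificate(cert)
    return before, after


if __name__ == "__main__":
    print(demo())
```

An empty list means none of these checks fired; it does not show that the private key inside the file is otherwise well managed.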
                        
5.2.7 CLIENT_ID
Use the CLIENT_ID parameter to specify the ID of the database client Microsoft Entra ID app registration.
                     
Purpose
To specify the client ID assigned to your database client during Entra ID app registration. Note that this is not the client ID for the database server. This application is your database client that requests to get an access token for the user during Azure token-based authentication.
Usage Notes
You use this parameter along with the TOKEN_AUTH parameter for the AZURE_INTERACTIVE, AZURE_SERVICE_PRINCIPAL, AZURE_MANAGED_IDENTITY, and AZURE_DEVICE_CODE authentication flows, as follows:
                        
- The AZURE_MANAGED_IDENTITY authentication flow is applicable to client-side or server-side applications hosted on Azure environments, such as Azure App Service or Azure virtual machine.
  When using the JDBC-thin clients and ODP.NET core and managed database clients, the client driver uses a system-assigned managed identity. A system-assigned managed identity is an implicit identity assigned by Entra ID to your application, and is configured in the Azure SDK by default. Optionally, you can set this parameter to explicitly assign the client ID of a user-assigned managed identity to your application.
  When using the thick clients (OCI and Instant Client), which do not use the Azure SDKs, you must set this parameter to assign a user-assigned managed identity to your application.
- For other authentication flows, when using the JDBC-thin clients and ODP.NET core and managed database clients, the client driver searches for the client ID in the Azure SDK configuration. In this case, this parameter is optional.
  When using the OCI and Instant Clients, you must set this parameter (along with other required parameters, such as TENANT_ID). Otherwise, an error message appears prompting you to configure the required parameters.
Note that this parameter is mandatory for the OCI and Instant Clients. It is optional only when using the JDBC-thin clients and ODP.NET core and managed database clients.
For the JDBC-thin clients, you can specify this parameter in the connect string, Easy Connect syntax, tnsnames.ora file, or properties. For the thick clients (OCI and Instant Client) and ODP.NET core and managed database clients, you can specify this parameter in the connect string, sqlnet.ora file, Easy Connect syntax, or tnsnames.ora file. The parameter value specified in the connect string takes precedence.
                        
Default
None
Value
You can get the client ID value by logging in to the Azure portal. This is listed as the Application (client) ID value on the App registrations - Overview page.
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=AZURE_INTERACTIVE)
          (AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3)
          (CLIENT_ID=123ab4cd-1a2b-1234-a12b-aa00123b2cd3))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
TOKEN_AUTH=AZURE_INTERACTIVE
AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3
CLIENT_ID=123ab4cd-1a2b-1234-a12b-aa00123b2cd3
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=AZURE_INTERACTIVE&AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3&CLIENT_ID=123ab4cd-1a2b-1234-a12b-aa00123b2cd3
In these examples, the TENANT_ID and REDIRECT_URI parameters are not specified. TENANT_ID is required when using the thick clients (OCI and Instant Client). This parameter is optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get this value from the Azure SDK configuration.
                        
5.2.8 EXADIRECT_FLOW_CONTROL
The sqlnet.ora profile parameter EXADIRECT_FLOW_CONTROL enables or disables Exadirect flow control.
                     
Purpose
To enable or disable Exadirect flow control.
Usage Notes
Set to on, the parameter enables Oracle Net to broadcast the available receive window to the sender. The sender limits the sends based on the receiver broadcast window.
                        
Default
off
Example
EXADIRECT_FLOW_CONTROL=on
5.2.9 EXADIRECT_RECVPOLL
Use the sqlnet.ora parameter EXADIRECT_RECVPOLL to specify the amount of time that a receiver polls for incoming data.
                     
Purpose
To specify the amount of time that a receiver polls for incoming data.
Usage Notes
You can set the parameter to a fixed value or set the parameter to AUTO to automatically tune the polling value.
                        
Default
0
Example
EXADIRECT_RECVPOLL = 10
EXADIRECT_RECVPOLL = AUTO
5.2.10 DEFAULT_SDU_SIZE
Use the sqlnet.ora profile parameter DEFAULT_SDU_SIZE to specify the session data unit (SDU) size for connections.
                     
Purpose
To specify the SDU size, in bytes, for connections.
Usage Notes
Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora files to ensure that the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used. 
                        
You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.
Default
- For clients: 8192 bytes (8 KB)
- For servers: 65536 bytes (64 KB)
Value
512 to 2097152 bytes
                        
Example 5-1 Example
DEFAULT_SDU_SIZE=4096
5.2.11 DISABLE_INTERRUPT
Use the sqlnet.ora profile parameter DISABLE_INTERRUPT to disable Oracle Net handling of a SIGINT signal in client applications.

Purpose
To disable Oracle Net handling of a SIGINT signal in client applications.

Usage Notes
Oracle Net installs a signal handler to catch a SIGINT signal. By default, the action on receipt of a SIGINT signal is to cancel the current operation. If you set this parameter to TRUE, then you can override the default behavior and ignore Oracle Net handling of SIGINT signals.
                        
For details on installing and uninstalling your own signal handlers in addition to Oracle Net, see Oracle AI Database Administrator's Reference for Linux and UNIX-Based Operating Systems.
Default
FALSE
Example
DISABLE_INTERRUPT=TRUE
5.2.12 DISABLE_OOB
Use the sqlnet.ora profile parameter DISABLE_OOB to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data from the underlying protocol. 
                     
Purpose
To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.
Usage Notes
Set to off, the parameter enables Oracle Net to send and receive break messages. Set to on, the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols that the client uses.
                        
Default
off
Example 5-2 Example
DISABLE_OOB=on
5.2.13 DISABLE_OOB_AUTO
Use the sqlnet.ora profile parameter DISABLE_OOB_AUTO to disable server path checks for out-of-band break messages at the time of the connection.
                     
Purpose
To stop the client from checking, at connection time, whether the server path supports out-of-band (OOB) break messages.
                        
Usage Notes
By default, the client determines if the server path supports out-of-band break messages at the time of establishing the connection. If DISABLE_OOB_AUTO is set to TRUE, then the client does not perform this check at connection time. 
                        
Default
FALSE
Example 5-3 Example
DISABLE_OOB_AUTO = TRUE
5.2.14 IPC.KEYPATH
Use the sqlnet.ora profile parameter IPC.KEYPATH to specify the destination directory where the internal file is created for UNIX domain sockets.
                     
Purpose
To specify the destination directory where the internal file is created for UNIX domain sockets.
Usage Notes
This parameter applies only to Oracle Net usage of UNIX domain sockets and does not apply to other uses of UNIX domain sockets in Oracle Database, such as in Oracle Clusterware. If you use the IPC.KEYPATH parameter, then you should use the same value for IPC_KEYPATH on both the client and the listener on Oracle Database versions that are greater than Oracle Database 18c.
                        
Default
The directory path is either /var/tmp/.oracle for Oracle Linux and Oracle Solaris, or /tmp/.oracle for other UNIX variants.
                        
Example
ipc.keypath=/home/oracleuser.
                        
5.2.15 KERBEROS5_PRINCIPAL
Use the KERBEROS5_PRINCIPAL parameter to set the Kerberos principal name associated with the Kerberos credentials cache (CC) file.
                     
Purpose
When you configure Kerberos authentication for an Oracle Database client, you can specify multiple Kerberos principals with a single Oracle Database client.
This is an optional parameter. When specified, it is used to verify if the principal name in the credential cache (specified using KERBEROS5_CC_NAME) matches the parameter value. 
                        
Usage Notes
Use this parameter in the SECURITY section of the tnsnames.ora file, or set it in the sqlnet.ora file. Alternatively, you can set KERBEROS5_PRINCIPAL in the connect string along with the KERBEROS5_CC_NAME parameter to connect as a different Kerberos principal. 
                        
The parameter value specified in the connect string takes precedence over the value specified in the sqlnet.ora or tnsnames.ora file.
                        
Each Kerberos principal must have a valid credential cache. Oracle Database checks KERBEROS5_PRINCIPAL against the value that is retrieved from the credential cache. If the two values do not match, then the user is not authenticated. 
                        
Examples
- For a user krbuser1 who is externally authenticated using the Kerberos principal krbprinc1@example.com, with the credential cache for this principal located at /tmp/krbuser1/krb.cc, the connect descriptor in the tnsnames.ora file is:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-svr)(PORT=1521))
      (CONNECT_DATA=(SERVICE_NAME=sales.example.com))
      (SECURITY=
        (KERBEROS5_CC_NAME=/tmp/krbuser1/krb.cc)
        (KERBEROS5_PRINCIPAL=krbprinc1@example.com)))
  In the sqlnet.ora file:
  SQLNET.KERBEROS5_CC_NAME=/tmp/krbuser1/krb.cc
  KERBEROS5_PRINCIPAL=krbprinc1@example.com
- For a user krbuser2 who is externally authenticated using the Kerberos principal krbprinc2@example.com, with the credential cache for this principal located at /tmp/krbuser2/krb.cc, the connect descriptor in the tnsnames.ora file is:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcp)(HOST=sales-svr)(PORT=1521))
      (CONNECT_DATA=(SERVICE_NAME=sales.example.com))
      (SECURITY=
        (KERBEROS5_CC_NAME=/tmp/krbuser2/krb.cc)
        (KERBEROS5_PRINCIPAL=krbprinc2@example.com)))
  In the sqlnet.ora file:
  SQLNET.KERBEROS5_CC_NAME=/tmp/krbuser2/krb.cc
  KERBEROS5_PRINCIPAL=krbprinc2@example.com
Note:
The connection fails if the principal in the /tmp/krbuser1/krb.cc file does not contain the krbprinc1@example.com value.
5.2.16 MAX_CONDUITS
Use the sqlnet.ora parameter MAX_CONDUITS to specify the maximum number of conduits between the listener and the broker or dispatcher for handing off client connections.
                     
Purpose
To set the maximum number of conduits created between the listener and the broker or dispatcher processes over which client connections are handed off.
Usage Notes
Setting a higher value enables multiple connections to be handed off in parallel, which is particularly useful during a logon storm when there is a spike in incoming connections.
Default
50
Example
MAX_CONDUITS=80
5.2.17 NAMES.DEFAULT_DOMAIN
Use the sqlnet.ora profile parameter NAMES.DEFAULT_DOMAIN to set the name of the domain in which clients most often look up names resolution requests.
                     
Purpose
To set the domain from which the client most often looks up names resolution requests.
Usage Notes
When you set NAMES.DEFAULT_DOMAIN, the default domain name is automatically appended to any unqualified net service name or service name. 
                        
For example, if you set the default domain to www.example.com, then Oracle searches the connect string CONNECT scott@sales as sales.www.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.www.example.com, then the domain is not appended to the string.
                        
Default
None
Example
NAMES.DEFAULT_DOMAIN=example.com
5.2.18 NAMES.DIRECTORY_PATH
Use the sqlnet parameter NAMES.DIRECTORY_PATH to specify the order of the naming methods for client name resolution lookups.
                     
Purpose
To specify the order of the naming methods for client name resolution lookups.
Default
NAMES.DIRECTORY_PATH=(tnsnames, ezconnect, ldap)
Values
The following table shows the NAMES.DIRECTORY_PATH values for the naming methods.
| Naming Method Value | Description |
|---|---|
|  | Set to resolve a network service name through the |
|  | Set to resolve a database service name, net service name, or network service alias through a directory server. |
|  | Select to enable clients to use a TCP/IP connect identifier that consists of a host name and optional port and service name. |
|  | Set to resolve service information through an existing Network Information Service (NIS). |
Example
NAMES.DIRECTORY_PATH=(tnsnames)
5.2.19 NAMES.LDAP_AUTHENTICATE_BIND
Use the sqlnet parameter NAMES.LDAP_AUTHENTICATE_BIND to specify whether the LDAP naming adapter should authenticate using a specified wallet when it connects to the LDAP directory to resolve connect string names.
                     
Purpose
To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the service name in the connect string.
Usage Notes
When set to FALSE, the LDAP connection is established using an anonymous bind.
                        
When set to TRUE, the LDAP connection is authenticated using an Oracle wallet. You must specify the wallet location using the WALLET_LOCATION parameter.

The parameter WALLET_LOCATION is deprecated for use with Oracle AI Database 26ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client or listener.
For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.
                        
Values
TRUE | FALSE
Default
FALSE
Example
NAMES.LDAP_AUTHENTICATE_BIND=TRUE
5.2.20 NAMES.LDAP_AUTHENTICATE_BIND_METHOD
Use the sqlnet parameter NAMES.LDAP_AUTHENTICATE_BIND_METHOD to specify an authentication method for the client LDAP naming adapter.
                     
Purpose
To specify the authentication method that the client LDAP naming adapter should use while connecting to the LDAP directory to resolve connect string names.
Usage Notes
The simple authentication method over LDAPS (LDAP over TLS connection) is supported.
You store the directory entry DN and password in an Oracle wallet. When the client connects to the LDAP server, it is authenticated using the credentials stored in this wallet. The wallet trust store must contain root certificates issued by the certificate authority of the LDAP server.
The LDAP naming adapter uses the oracle.ldap.client.dn and oracle.ldap.client.password entries from the wallet for authenticating to the LDAP server. If these entries are not present, then the client attempts an anonymous authentication using TLS or LDAPS.
                        
Values
- LDAPS_SIMPLE_AUTH
- NONE
Default
NONE
Example
NAMES.LDAP_AUTHENTICATE_BIND_METHOD=LDAPS_SIMPLE_AUTH
5.2.21 NAMES.LDAP_CONN_TIMEOUT
Use the sqlnet parameter NAMES.LDAP_CONN_TIMEOUT to specify the number of seconds for a non-blocking connect timeout to the LDAP server.

Purpose
To specify the number of seconds for a non-blocking connect timeout to the LDAP server.
Usage Notes
The parameter value -1 is for infinite timeout.

Default
15 seconds

Values
Values are in seconds. The range is -1 to the number of seconds that is acceptable for your environment. There is no upper limit.

Example
names.ldap_conn_timeout = -1
5.2.22 NAMES.LDAP_PERSISTENT_SESSION
Use the sqlnet parameter NAMES.LDAP_PERSISTENT_SESSION to specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookups are complete.
                     
Purpose
To specify whether the LDAP naming adapter should leave the session with the LDAP server open after a name lookup is complete.
Usage Notes
The parameter value is Boolean.
If you set the parameter to TRUE, then the connection to the LDAP server is left open after the name lookup is complete. The connection remains open for the duration of the process. If the connection is lost, then it is re-established as needed.
                     
If you set the parameter to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent look-up opens the connection, performs the look-up, and closes the connection. This option prevents LDAP from having a large number of clients connected to it at any one time.
                     
Default
false
Example
NAMES.LDAP_PERSISTENT_SESSION=true
5.2.23 NAMES.NIS.META_MAP
Use the sqlnet parameter NAMES.NIS.META_MAP to specify the map file to use to map Network Information Service (NIS) attributes to an NIS mapname.
                     
Purpose
To specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.
Default
sqlnet.maps
Example
NAMES.NIS.META_MAP=sqlnet.maps
5.2.24 OCI_COMPARTMENT
Use the OCI_COMPARTMENT parameter to specify the Oracle Cloud Identifier (OCID) of the compartment that holds database instances for client connections.
                     
Purpose
To define the scope of your database token request. This value instructs the database client to initiate a token request to databases within the specified compartment only. You use this parameter while configuring token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS).
Usage Notes
The OCI_COMPARTMENT parameter is optional if you have not specified the OCI_DATABASE parameter. If you choose to set OCI_DATABASE, then you must also set OCI_COMPARTMENT to limit your token request to the specified database within that compartment. 
                        
If you do not set both the OCI_COMPARTMENT and OCI_DATABASE parameters, then the entire tenancy is the scope of your token request.
                        
PASSWORD_AUTH and TOKEN_AUTH authentication settings:
- With the PASSWORD_AUTH configuration, the database client can only request an IAM database token using the IAM user name and IAM database password.
- With the TOKEN_AUTH configuration, the database client can request an IAM database token using the API-key, delegation token, security token, resource principal, or instance principal credentials. You can also enable the database client to directly retrieve the db-token with IAM Single-Sign On (SSO) credentials by using the OCI_INTERACTIVE, OCI_API_KEY, OCI_INSTANCE_PRINCIPAL, OCI_DELEGATION_TOKEN, and OCI_RESOURCE_PRINCIPAL authentication flows.
Use this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, Easy Connect syntax, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
                        
Default
None
Value
OCID for the IAM compartment to allow access for the database token. You can get the OCID value for your compartment from the Compartments information page in the OCI console.
The compartment OCID uses this syntax:
OCI_COMPARTMENT=compartment_OCID 
                        
For details on the syntax options, see Oracle Cloud IDs (OCIDs).
Examples
tnsnames.ora file:
net_service_name=
  (DESCRIPTION=
     (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver1)(PORT=1522))
     (SECURITY=
        (SSL_SERVER_DN_MATCH=TRUE)
        (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
        (PASSWORD_AUTH=OCI_TOKEN)
        (OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken)
        (OCI_TENANCY=ocid1.tenancy..12345)
        (OCI_COMPARTMENT=ocid1.compartment..12345)
        (OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345))
     (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))  
  )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
PASSWORD_AUTH=OCI_TOKEN
OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken
OCI_TENANCY=ocid1.tenancy..12345
OCI_COMPARTMENT=ocid1.compartment..12345
OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=OCI_INTERACTIVE&OCI_COMPARTMENT=ocid1.compartment..12345&OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345
5.2.25 OCI_CONFIG_FILE
Use the OCI_CONFIG_FILE parameter to specify the directory location where the Oracle Cloud Infrastructure (OCI) configuration file is stored.
                     
Purpose
To specify the directory location of the OCI configuration file. This file stores the client connection information for OCI Identity and Access Management (IAM) users as part of their profile. The SDK, CLI, and other OCI tools use this file to access the IAM user credentials during IAM token-based authentication.
Usage Notes
This is an optional parameter. If you do not set this parameter, then the database client gets the user's profile from the default configuration file located at C:/user-profile/.oci/config. You can use this parameter to override the default configuration file location. In this case, the database client searches for the profile in the location specified by OCI_CONFIG_FILE.
                        
TOKEN_AUTH parameter for the OCI_API_KEY and OCI_INTERACTIVE authentication flows:
- When using the OCI_INTERACTIVE authentication flow, if this parameter is not set and the configuration file is also not present in the default location, then Oracle Database prompts the user for a region ID, presenting a list of region IDs from which the user can choose.
- When using the OCI_API_KEY authentication flow, if this parameter is not set and the default configuration file is also not present, then an ORA-50109 error message is returned. In this case, you must set this parameter to include the configuration file location.
For JDBC-thin clients, you can specify this parameter in the Easy Connect syntax or tnsnames.ora connect string. For ODP.NET Core classes and ODP.NET Managed Driver classes, you can specify this parameter in the sqlnet.ora file, Easy Connect syntax, or tnsnames.ora connect string. The parameter value specified in the connect string takes precedence.
                        
Default
None
Value
Full path (including a file name) to the OCI configuration file
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=OCI_INTERACTIVE)
          (OCI_CONFIG_FILE=/home/dbuser1/config))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
TOKEN_AUTH=OCI_INTERACTIVE
OCI_CONFIG_FILE=/home/dbuser1/config
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=OCI_INTERACTIVE&OCI_CONFIG_FILE=/home/dbuser1/config
In these examples, the optional OCI_PROFILE parameter is not specified. Thus, the client automatically gets the DEFAULT profile from the specified configuration file directory.
5.2.26 OCI_DATABASE
Use the OCI_DATABASE parameter to specify the Oracle Cloud Identifier (OCID) of the database that you want to access for the client connection.
                     
Purpose
To define the scope of your database token request. The database OCID value instructs the database client to initiate a token request to the specified database within your compartment. You use this parameter while configuring token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS).
Usage Notes
This is an optional parameter. You can set this parameter to limit the access to only a particular database. If you set OCI_DATABASE, then you must also provide a specific compartment identifier using the OCI_COMPARTMENT parameter.
                        
PASSWORD_AUTH and TOKEN_AUTH authentication settings:
- With the PASSWORD_AUTH configuration, the database client can only request an IAM database token using the IAM user name and IAM database password.
- With the TOKEN_AUTH configuration, the database client can request an IAM database token using the API-key, delegation token, security token, resource principal, or instance principal credentials. You can also enable the database client to directly retrieve the db-token with IAM Single-Sign On (SSO) credentials by using the OCI_INTERACTIVE, OCI_API_KEY, OCI_INSTANCE_PRINCIPAL, OCI_DELEGATION_TOKEN, and OCI_RESOURCE_PRINCIPAL authentication flows.
Specify this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, Easy Connect syntax, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence.
                        
Default
None
Value
OCID of the database that you want to access for the client connection. You can get the OCID value for your database from the Database details page in the OCI console.
The database OCID uses this syntax:
OCI_DATABASE=database_OCID 
                        
For details on the syntax options, see Oracle Cloud IDs (OCIDs).
Examples
tnsnames.ora file:
net_service_name=
  (DESCRIPTION=
     (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver1)(PORT=1522))
     (SECURITY=
        (SSL_SERVER_DN_MATCH=TRUE)
        (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
        (PASSWORD_AUTH=OCI_TOKEN)
        (OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken)
        (OCI_TENANCY=ocid1.tenancy..12345)
        (OCI_COMPARTMENT=ocid1.compartment..12345)
        (OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345))
     (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))  
  )
sqlnet.ora file:SSL_SERVER_DN_MATCH=TRUE
PASSWORD_AUTH=OCI_TOKEN
OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken
OCI_TENANCY=ocid1.tenancy..12345
OCI_COMPARTMENT=ocid1.compartment..12345
OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=OCI_INTERACTIVE&OCI_COMPARTMENT=ocid1.compartment..12345&OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345
5.2.27 OCI_IAM_URL
Use the OCI_IAM_URL parameter to specify an endpoint URL that the database client must connect with to get the database token for authenticating Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS). 
                     
Purpose
To specify the IAM URL for your REST API requests. The database client connects to this URL to retrieve the database token from IAM.
Usage Notes
You set the OCI_IAM_URL parameter along with the PASSWORD_AUTH and OCI_TENANCY parameters while configuring IAM token-based authentication (using the IAM user name and IAM database password to retrieve the database token). These parameters are mandatory. 
                        
With this configuration, the database client can only request an IAM database token using the IAM user name and IAM database password. The client cannot request an IAM database token for an API-key, delegation token, security token, resource principal, service principal, or instance principal.
You can also set the optional OCI_COMPARTMENT and OCI_DATABASE parameters to specify the scope of your token request.  
                        
Use this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
                        
Default
None
Value
<authentication_regional_endpoint>/v1/actions/generateScopedAccessBearerToken
You can derive this value by replacing <authentication_regional_endpoint> with the API endpoint URL for your region. To obtain the appropriate API endpoint URL, see Identity and Access Management Data Plane API.
For example, if the API endpoint URL for your region is https://auth.us-region-1.example.com, then your OCI_IAM_URL value is:
https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken
Examples
tnsnames.ora file:
net_service_name=
  (DESCRIPTION=
     (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver1)(PORT=1522))
     (SECURITY=
        (SSL_SERVER_DN_MATCH=TRUE)
        (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
        (PASSWORD_AUTH=OCI_TOKEN)
        (OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken)
        (OCI_TENANCY=ocid1.tenancy..12345))
     (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))  
  )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
PASSWORD_AUTH=OCI_TOKEN
OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken
OCI_TENANCY=ocid1.tenancy..12345
In these examples, the optional OCI_COMPARTMENT and OCI_DATABASE parameters are not specified and thus the entire tenancy is set as the scope of the token request.
                        
5.2.28 OCI_PROFILE
Use the OCI_PROFILE parameter to specify the profile name for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users.
                     
Purpose
To specify the profile name for IAM users. This profile is the client connection information stored in the OCI configuration file, and is used during IAM token-based authentication.
Usage Notes
- This is an optional parameter. A profile named DEFAULT is already set in the configuration file. The database client gets the DEFAULT profile from the OCI configuration file (from either the default C:/user-profile/.oci/config directory location or the location specified by OCI_CONFIG_FILE).
- You can specify this parameter to override the DEFAULT profile set in the configuration file and assign a new profile name for the IAM user.
  When this parameter is not set and the profile is also not present in the configuration file, then an error message appears indicating that token-based authentication has failed due to the profile not existing.
- You can use this parameter along with the TOKEN_AUTH parameter for the OCI_API_KEY and OCI_INTERACTIVE authentication flows.
  For JDBC-thin clients, you can specify this parameter in the Easy Connect syntax or tnsnames.ora connect string. For ODP.NET Core classes and ODP.NET Managed Driver classes, you can specify this parameter in the sqlnet.ora file, Easy Connect syntax, or tnsnames.ora connect string. The parameter value specified in the connect string takes precedence.
Values
- DEFAULT: This means that no value is explicitly defined for a given profile, and the profile is inherited from the default profile set in the configuration file.
- profile_name: Specify a new configuration profile name (for example, ADMIN_USER) to override the DEFAULT profile set in the configuration file.
Default
DEFAULT
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=OCI_INTERACTIVE)
          (OCI_CONFIG_FILE=/home/dbuser1/config)
          (OCI_PROFILE=ADMIN_USER))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
TOKEN_AUTH=OCI_INTERACTIVE
OCI_CONFIG_FILE=/home/dbuser1/config
OCI_PROFILE=ADMIN_USER
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=OCI_INTERACTIVE&OCI_CONFIG_FILE=/home/dbuser1/config&OCI_PROFILE=ADMIN_USER
5.2.29 OCI_TENANCY
Use the OCI_TENANCY parameter to specify the Oracle Cloud Identifier (OCID) of the user’s tenancy.

Purpose
To specify the OCID of the user’s tenancy (root compartment).
Usage Notes
You set this parameter along with the mandatory PASSWORD_AUTH and OCI_IAM_URL parameters while configuring token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS).
                        
With this configuration, the database client can only request an IAM database token using the IAM user name and IAM database password. The client cannot request an IAM database token for an API-key, delegation token, security token, resource principal, service principal, or instance principal.
You can also set the optional OCI_COMPARTMENT and OCI_DATABASE parameters to specify the scope of your token request. If you do not set the OCI_COMPARTMENT and OCI_DATABASE parameter values, then the entire tenancy is the scope of your token request. 
                        
Use this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
                        
Default
None
Value
OCID of the user’s tenancy. You can get the OCID value for your tenancy from the Tenancy information page in the OCI console.
The tenancy OCID uses this syntax:
OCI_TENANCY=tenancy_OCID 
                        
For details on the syntax options, see Oracle Cloud IDs (OCIDs).
Examples
tnsnames.ora file:
net_service_name=
  (DESCRIPTION=
     (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver1)(PORT=1522))
     (SECURITY=
        (SSL_SERVER_DN_MATCH=TRUE)
        (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
        (PASSWORD_AUTH=OCI_TOKEN)
        (OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken)
        (OCI_TENANCY=ocid1.tenancy..12345))
     (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))  
  )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
PASSWORD_AUTH=OCI_TOKEN
OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken
OCI_TENANCY=ocid1.tenancy..12345
In these examples, the optional OCI_COMPARTMENT and OCI_DATABASE parameters are not specified and thus the entire tenancy is set as the scope of the token request.
                        
5.2.30 PASSWORD_AUTH
Use the PASSWORD_AUTH parameter to configure an authentication method for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) users on OCI Database as a Service (DBaaS). With this setting, client connections use the IAM user name and IAM database password for logging in users to the database.
Purpose
To configure either IAM database password verifier authentication or IAM token-based authentication, using the IAM user name and IAM database password for the access.
For password verifier authentication, the database server retrieves an IAM database password verifier from IAM. For token-based authentication, the database client requests a database token (db-token) from IAM. 
                        
Usage Notes
- Use this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
- This setting instructs the database client to either use the existing password login process with the database server (password verifier authentication) or to get a token with the IAM user name and IAM database password (token-based authentication). This IAM database password is different from the OCI console password. An IAM user can set this password from the OCI console.
  See Create an OCI IAM password to use for Autonomous Databases User Authentication and Authorization.
- By default, this parameter is set to PASSWORD_VERIFIER. The PASSWORD_AUTH=PASSWORD_VERIFIER setting configures IAM database password verifier authentication. The database server retrieves an IAM database password verifier (an encrypted hash of password) from IAM to authenticate users.
  When an IAM user logs in with the IAM user name and IAM database password using @connect_identifier, the PASSWORD_AUTH=PASSWORD_VERIFIER setting along with @connect_identifier instructs the database client to follow the existing user name and password login process with the database server.
  You can use the PASSWORD_AUTH parameter to override the tnsnames.ora or sqlnet.ora setting by specifying a different value in the connect string.
- To configure IAM token-based authentication with the IAM user name and IAM database password, set PASSWORD_AUTH=OCI_TOKEN. The database client requests a database token (db-token) from IAM for the user to access the database.
  This db-token obtained by the client is a bearer token with an expiration time and scope, and does not come with a private key. These tokens are transmitted over secure channels. You must use only the TCP/IP with Transport Layer Security (TLS) protocol, otherwise an error message appears indicating that non-TLS connections are disallowed.
  When an IAM user logs in with the IAM user name and IAM database password using /@connect_identifier, the PASSWORD_AUTH=OCI_TOKEN setting along with /@connect_identifier instructs the database client to get the token directly from an OCI IAM endpoint using a REST API request. If the IAM user is mapped to a database schema (exclusively or shared), then the login is completed.
  For the database client to retrieve the token from IAM, you must set additional parameters so that the database client can find the IAM endpoint along with additional meta-data. The additional parameters are OCI_IAM_URL and OCI_TENANCY along with the optional OCI_COMPARTMENT and OCI_DATABASE. These values enable the database client to make appropriate calls to the specified endpoint.
  The OCI_IAM_URL parameter specifies the API endpoint URL that the database client must connect with. The OCI_TENANCY parameter specifies the OCID (Oracle Cloud Identifier) of the user’s tenancy. The optional OCI_COMPARTMENT and OCI_DATABASE parameters limit the scope of your request.
  This authentication method is more secure than using a password verifier because a password verifier is considered sensitive. Also, only the database client can retrieve the database token. Applications or tools cannot pass these types of tokens through the database client API.
 
Note:
You can also use other IAM user credentials (such as API-key, security token, resource principal, service principal, instance principal, or delegation token) to get the db-token. This db-token is a proof-of-possession (PoP) token. In this case, you use a different parameter setting (TOKEN_AUTH=OCI_TOKEN). 
                           
Unlike the IAM database password that can only be used by the database client to retrieve the token, these credentials require an application or tool to retrieve the token. See TOKEN_AUTH.
Default
PASSWORD_VERIFIER
Values and Examples
| Value | Example |
|---|---|
| For IAM database password verifier authentication: Note: Use of IAM user name and IAM database password with the IAM database password verifier is the default configuration, and you do not need to set any additional parameters for the client. However, if | In the tnsnames.ora file: In the sqlnet.ora file: |
| For IAM token-based authentication with the IAM user name and IAM database password: Note: You must configure the TCPS protocol ( | In the tnsnames.ora file: In the sqlnet.ora file: In these examples, the optional |
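The PASSWORD_AUTH=OCI_TOKEN rules from the usage notes above (TLS only, mandatory OCI_IAM_URL and OCI_TENANCY, tenancy-wide scope when neither OCI_COMPARTMENT nor OCI_DATABASE is set, connect-string values taking precedence over sqlnet.ora), written as a pre-deployment check. This is an added example, not Oracle code: the function names and the sample descriptors are constructed, and the https check on OCI_IAM_URL is an extra hardening assumption rather than a rule stated on this page.

```python
from urllib.parse import urlparse

TOKEN_PATH = "/v1/actions/generateScopedAccessBearerToken"  # from the OCI_IAM_URL section

def parse_descriptor(text):
    """Parse nested '(KEY=value)' text into (KEY, str) leaves and (KEY, [children]) sections."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        eq = text.find("=", pos)
        if pos >= len(text) or text[pos] != "(" or eq < 0:
            raise ValueError(f"expected '(KEY=' at offset {pos}")
        key = text[pos + 1:eq].strip().upper()
        if not key.replace("_", "").replace(".", "").isalnum():
            raise ValueError(f"malformed parameter name {key!r}")
        pos = eq + 1
        skip_ws()
        if pos < len(text) and text[pos] == "(":        # section with nested parameters
            value = []
            while pos < len(text) and text[pos] == "(":
                value.append(node())
                skip_ws()
        else:                                            # leaf value, possibly quoted
            start, quoted = pos, False
            while pos < len(text) and (quoted or text[pos] != ")"):
                quoted ^= text[pos] == '"'
                pos += 1
            value = text[start:pos].strip().strip('"')
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"missing ')' to close {key}")
        pos += 1
        return key, value

    root = node()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos} (stray ')'?)")
    return root

def values(tree, name):
    """All leaf values of parameter `name` anywhere in the parsed descriptor."""
    key, value = tree
    if isinstance(value, str):
        return [value] if key == name else []
    return [v for child in value for v in values(child, name)]

def check_oci_token(descriptor, sqlnet_ora=None):
    """Return findings for a PASSWORD_AUTH=OCI_TOKEN connection.
    sqlnet_ora: dict of sqlnet.ora parameters; descriptor values take precedence."""
    tree = parse_descriptor(descriptor)
    defaults = {k.upper(): v for k, v in (sqlnet_ora or {}).items()}

    def get(name):
        found = values(tree, name)
        return found[0] if found else defaults.get(name)

    if (get("PASSWORD_AUTH") or "PASSWORD_VERIFIER").upper() != "OCI_TOKEN":
        return []                                   # default verifier flow: nothing to check
    findings = []
    if {p.lower() for p in values(tree, "PROTOCOL")} != {"tcps"}:
        findings.append("ERROR: OCI_TOKEN requires PROTOCOL=tcps on every ADDRESS")
    for name in ("OCI_IAM_URL", "OCI_TENANCY"):
        if not get(name):
            findings.append(f"ERROR: mandatory parameter {name} is not set")
    url = get("OCI_IAM_URL")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":                # added check, not a rule from the page
            findings.append("WARN: OCI_IAM_URL is not an https URL")
        if parsed.path != TOKEN_PATH:
            findings.append(f"ERROR: OCI_IAM_URL must end with {TOKEN_PATH}")
    if not get("OCI_COMPARTMENT") and not get("OCI_DATABASE"):
        findings.append("WARN: no OCI_COMPARTMENT/OCI_DATABASE, token scope is the entire tenancy")
    return findings

# Constructed sample descriptors, using the placeholder hosts and OCIDs of the page's examples.
GOOD = """(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver1)(PORT=1522))
  (SECURITY=(SSL_SERVER_DN_MATCH=TRUE)(PASSWORD_AUTH=OCI_TOKEN)
    (OCI_IAM_URL=https://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken)
    (OCI_TENANCY=ocid1.tenancy..12345)(OCI_DATABASE=ocid1.autonomousdatabase.oc1.12345))
  (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com)))"""
BAD = """(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=salesserver1)(PORT=1521))
  (SECURITY=(PASSWORD_AUTH=OCI_TOKEN)
    (OCI_IAM_URL=http://auth.us-region-1.example.com/v1/actions/generateScopedAccessBearerToken))
  (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com)))"""

if __name__ == "__main__":
    for label, descriptor in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_oci_token(descriptor))
```

The parser also rejects a descriptor with a stray or missing parenthesis, which is the most common hand-editing mistake in a SECURITY section.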
                                 
5.2.31 RECV_BUF_SIZE
Use the sqlnet parameter RECV_BUF_SIZE to specify the buffer space limit for session receive operations.
                     
Purpose
To specify the buffer space limit for receive operations of sessions.
Usage Notes
You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.
This parameter is supported by the TCP/IP, TCP/IP with TLS, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
Default
The default value for this parameter is operating system specific. The default for the Linux 2.6 operating system is 87380 bytes.
Example
RECV_BUF_SIZE=11784
5.2.32 REDIRECT_URI
Use the REDIRECT_URI parameter to specify the redirect URI registered for your Microsoft Entra ID client application.

Purpose
To specify the redirect URI (or reply URL) registered for your Entra ID client application. This is used for the AZURE_INTERACTIVE token-based authentication flow. This URL obtains the authorization code from the Entra authentication endpoint and determines which port to use to receive the authorization code.
                        
Usage Notes
This is an optional parameter. If you do not specify this parameter, then it uses the default value of http://localhost, which is the most common redirect URL. 
                        
Specify this parameter only if necessary for your use case. The authorization server redirects the user to your specified address only if you have registered the redirect URI for the client application in the Azure portal, as shown in Oracle AI Database Security Guide.
You can specify this parameter along with the TOKEN_AUTH=AZURE_INTERACTIVE setting in the connect string, Easy Connect syntax, or tnsnames.ora file. The parameter value specified in the connect string takes precedence.
                        
Default
http://localhost
Value
You can get a redirect URI value by logging in to the Azure portal. All URI values are listed as Redirect URIs on the App registrations - Authentication page of your Entra ID service.
Note that this is the value that you specified while registering your database client application with Entra ID.
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=AZURE_INTERACTIVE)
          (AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3)
          (REDIRECT_URI=http://localhost:1575))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=AZURE_INTERACTIVE&AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3&REDIRECT_URI=http://localhost:1575
In these examples, the CLIENT_ID and TENANT_ID parameters are not specified. CLIENT_ID and TENANT_ID are required parameters when using the thick clients (OCI and Instant Client). These parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration.
                        
5.2.33 SDP.PF_INET_SDP
Use the sqlnet parameter SDP.PF_INET_SDP to specify the protocol family or address family constant for the SDP protocol on your system.
                     
Purpose
To specify the protocol family or address family constant for the SDP protocol on your system.
Default
27
Values
Any positive integer
Example
SDP.PF_INET_SDP=30
5.2.34 SEC_USER_AUDIT_ACTION_BANNER
Use the sqlnet parameter SEC_USER_AUDIT_ACTION_BANNER to specify a text file that contains the banner contents that warn users about user action auditing. 
                     
Purpose
To specify a text file containing the banner contents that warn users about possible user action auditing.
Usage Notes
You must specify the complete path of the text file in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can use OCI features to retrieve this banner and display it to users.
                        
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt
5.2.35 SEC_USER_UNAUTHORIZED_ACCESS_BANNER
Use the sqlnet parameter SEC_USER_UNAUTHORIZED_ACCESS_BANNER to specify the file that contains the banner contents that warn users about unauthorized database access.
                     
Purpose
To specify the name of a text file containing the banner contents that warn users about unauthorized access to the database.
Usage Notes
You must specify the complete path of the text file in the sqlnet.ora file on the server. OCI applications can use OCI features to retrieve this banner and display it to users.
                     
Default
None
Values
Name of the banner file for which the database owner has read permissions.
Example
SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt
5.2.36 SEND_BUF_SIZE
Use the sqlnet parameter SEND_BUF_SIZE to specify the buffer space limit for session send operations.
                     
Purpose
To specify the buffer space limit for send operations of sessions.
Usage Notes
You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.
This parameter is supported by the TCP/IP, TCP/IP with TLS, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
Default
The default value for this parameter is operating system specific. The default for Linux 2.6 operating systems is 16 KB.
Example
SEND_BUF_SIZE=11784
5.2.37 SEPS_WALLET_LOCATION
Use the SEPS_WALLET_LOCATION parameter to specify the wallet location for secure external password store (SEPS) and to enable the use of specified wallet for authentication.
                     
Purpose
To specify the directory path of the client-side Oracle wallet and to configure the client to use secure external password store for authentication purposes. Setting this parameter causes all CONNECT /@db_connect_string statements to use the information in the SEPS wallet at the specified location to authenticate to databases.
                        
Usage Notes
You can set SEPS_WALLET_LOCATION in the sqlnet.ora file to specify a common wallet location for all connections. You can also set it in the connect string or tnsnames.ora file to specify a different wallet location for a particular connection. 
                        
Use of SEPS_WALLET_LOCATION in the connect string or tnsnames.ora overrides the sqlnet.ora SEPS_WALLET_LOCATION setting for the specific tnsnames.ora service.
                        
To disable authentication using SEPS, you must unset the SEPS_WALLET_LOCATION parameter. You must also unset SQLNET.WALLET_OVERRIDE or set it to FALSE in the sqlnet.ora file.

Note:
If the SEPS_WALLET_LOCATION parameter is set, the SQLNET.WALLET_OVERRIDE parameter is ignored.
Default
None
Examples
If you created the wallet in $ORACLE_HOME/network/admin and your Oracle home is set to /private/ora_db, then you need to enter the following into your client sqlnet.ora file.

SEPS_WALLET_LOCATION=/private/ora_db/network/admin
You can also set this parameter under the SECURITY section of the tnsnames.ora file or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
                        
net_service_name= 
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521)) 
    (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
    (SECURITY=(SEPS_WALLET_LOCATION=/private/ora_db/network/admin))
  )
5.2.38 SQLNET.ALLOW_WEAK_CRYPTO
Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO to configure your client-side network connection by reviewing the specified encryption and crypto-checksum algorithms. 
                     
Purpose
To configure your client-side network connection by reviewing the encryption and crypto-checksum algorithms enabled on the client and server. This ensures that the connection does not encounter compatibility issues and your configuration uses supported strong algorithms.
Usage Notes
- The DES, DES40, 3DES112, 3DES168, RC4_40, RC4_56, RC4_128, RC4_256, and MD5 algorithms are deprecated in this release.
  As a result of this deprecation, Oracle recommends that you review your network encryption and integrity configuration to check if you have specified any of the deprecated weak algorithms.
  To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
- If you set this parameter to TRUE, then you can specify deprecated algorithms for backward compatibility. This configuration allows patched clients to connect to unpatched servers, and thus such a connection is less secure.
- If you set this parameter to FALSE, then you can specify only supported algorithms so that clients and servers can communicate in a fully patched environment. The server enforces key fold-in for all Kerberos and JDBC thin clients. This configuration strengthens the connection between clients and servers by using strong native network encryption and integrity capabilities.
  Using this setting, if native network encryption or checksumming is enabled and a patched server or client attempts to communicate with an unpatched old client or server, then the connection fails with an error message.
Values
- TRUE
- FALSE
Default Value
TRUE
Recommended Value
FALSE
Note:
Before setting this parameter to FALSE, you must remove all deprecated algorithms listed in the server and client sqlnet.ora files.
                           
Example
SQLNET.ALLOW_WEAK_CRYPTO = FALSE
5.2.39 SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS
Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS to configure your server-side network connection by reviewing the specified encryption and crypto-checksum algorithms. 
                     
Purpose
To configure your server-side network connection by reviewing the encryption and crypto-checksum algorithms enabled on the client and server. This ensures that the connection does not encounter compatibility issues and your configuration uses supported strong algorithms.
Usage Notes
- The DES, DES40, 3DES112, 3DES168, RC4_40, RC4_56, RC4_128, RC4_256, and MD5 algorithms are deprecated in this release.
  As a result of this deprecation, Oracle recommends that you review your network encryption and integrity configuration to check if you have specified any of the deprecated weak algorithms.
  To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
- If you set this parameter to TRUE, then you can specify deprecated algorithms for backward compatibility. This configuration allows patched servers to connect to unpatched clients, and thus such a connection is less secure.
- If you set this parameter to FALSE, then you can specify only supported algorithms so that clients and servers can communicate in a fully patched environment. The server enforces key fold-in for all Kerberos and JDBC thin clients. This configuration strengthens the connection between clients and servers by using strong native network encryption and integrity capabilities.
  Using this setting, if native network encryption or checksumming is enabled and a patched server or client attempts to communicate with an unpatched old client or server, then the connection fails with an error message.
Values
- TRUE
- FALSE
Default Value
TRUE 
                        
Recommended Value
FALSE 
                        
Note:
Before setting this parameter to FALSE, you must remove all deprecated algorithms listed in the server and client sqlnet.ora files.
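One way to carry out the review that the Notes in 5.2.38 and 5.2.39 require before either parameter is set to FALSE. This is an added example, not Oracle code: the function names and the two sample files are constructed, and the SQLNET.ENCRYPTION_TYPES_* and SQLNET.CRYPTO_CHECKSUM_TYPES_* names are the native network encryption list parameters of sqlnet.ora, which are not described in this section.

```python
import re

# Algorithms this page lists as deprecated.
DEPRECATED = {"DES", "DES40", "3DES112", "3DES168",
              "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}
# Parameters that carry algorithm lists (assumption: not described in this section).
ALGO_PARAMS = ("SQLNET.ENCRYPTION_TYPES_CLIENT", "SQLNET.ENCRYPTION_TYPES_SERVER",
               "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER")
WEAK_SWITCHES = ("SQLNET.ALLOW_WEAK_CRYPTO", "SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS")

def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value}; handles '#' comments and indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace() and current:           # continuation of the previous value
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            current = None
            continue
        current = name.strip().upper()
        params[current] = value.strip()            # assumption: a later duplicate wins
    return params

def audit(text):
    """Audit one sqlnet.ora: deprecated algorithms listed, and effective weak-crypto switches."""
    params = parse_sqlnet(text)
    deprecated = {}
    for name in ALGO_PARAMS:
        algos = re.findall(r"[A-Za-z0-9_]+", params.get(name, ""))
        weak = [a.upper() for a in algos if a.upper() in DEPRECATED]
        if weak:
            deprecated[name] = weak
    # Both switches default to TRUE when unset, per the page.
    allowed = {s: params.get(s, "TRUE").upper() != "FALSE" for s in WEAK_SWITCHES}
    # FALSE while a deprecated algorithm is still listed contradicts the Note.
    conflict = bool(deprecated) and not all(allowed.values())
    return {"deprecated": deprecated, "weak_crypto_allowed": allowed, "conflict": conflict}

def safe_to_set_false(*sqlnet_texts):
    """True only when no supplied file (client or server) still lists a deprecated algorithm."""
    return not any(audit(t)["deprecated"] for t in sqlnet_texts)

# Constructed sample files.
CLIENT_SQLNET = """\
# client sqlnet.ora (constructed)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, 3DES168,
    rc4_128)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, MD5)
"""
SERVER_SQLNET = """\
# server sqlnet.ora (constructed)
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)
SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS = FALSE
"""

if __name__ == "__main__":
    for label, text in (("client", CLIENT_SQLNET), ("server", SERVER_SQLNET)):
        print(label, audit(text))
    print("safe to set FALSE everywhere:", safe_to_set_false(CLIENT_SQLNET, SERVER_SQLNET))
```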
                           
Example
SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS = FALSE
5.2.40 SQLNET.ALLOWED_LOGON_VERSION_CLIENT
Use the sqlnet parameter SQLNET.ALLOWED_LOGON_VERSION_CLIENT to define minimum authentication protocols that servers acting as clients to other servers can use for connecting to Oracle Database instances.
                     
Purpose
To set the minimum authentication protocol allowed for clients when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.
Usage Notes
The term VERSION in the parameter name refers to the version of the authentication protocol, not the version of the Oracle Database release.
                        
If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: The database does not accept your client's authentication protocol; login denied error.
                        
The database password verifier for Oracle Database 10g, 10G is no longer supported or available on Oracle AI Database 26ai. Refer to the database upgrade guide preinstallation chapters for information about how to identify the Oracle Database 10G database password verifiers, and how to update the database user to use the latest and most secure database password verifier cryptography.
                        
Values
- 12a for Oracle Database 12c Release 1 (12.1.0.2) or later (strongest protection)
  Note: Using this setting, the clients can only authenticate using a de-optimized password version. For example, the 12C password version.
- 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (default setting)
  Note: Using this setting, the clients can only authenticate using a verifier that uses salt. For example, the 11G or 12C password versions.
Default
12
Example
SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter as follows for the database link connection to proceed:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12
In this case, you cannot configure the more secure SQLNET.ALLOWED_LOGON_VERSION_CLIENT setting of 12a on the 26ai server hosting the database link because the account on the Oracle Database 19g database might not have its password changed and thus might only have the 11G verifier.
                        
5.2.41 SQLNET.ALLOWED_LOGON_VERSION_SERVER
Use the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to set the minimum authentication protocol that is permitted when connecting to Oracle Database instances.
                     
Purpose
To set the minimum authentication protocol for connecting to Oracle Database instances.
Usage Notes
- Authentication Protocol Versions:
  The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
  A value that appears higher up in Table 5-1 is less compatible (in terms of the protocol that clients must understand in order to authenticate) but simultaneously more secure than a value that appears lower down. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. Whether a client can authenticate to a specific account depends both on the server's setting of its SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter and on the password versions that exist for the specified account. You can see the list of password versions in DBA_USERS.PASSWORD_VERSIONS.
  If the client does not have the ability listed in the "Ability Required of the Client" column that corresponds to the row that matches the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter in Table 5-1, then authentication fails with an ORA-28040: The database does not accept your client's authentication protocol; login denied or an ORA-03134: Connections to this server version are no longer supported error.
  A setting of 12 (the default) enables only the 11G and 12C password versions. A setting of 12a enables only the 12C password version.
  Note the following implications of setting the value to 12 or 12a:
  - Releases of OCI clients earlier than Oracle Database 10g cannot authenticate to the Oracle database using password-based authentication.
  - If an older client (such as Oracle Database 10g, which has the critical patch update CPUOct2012 and thus has the O5L_NP capability) attempts to authenticate to a more recent server and the server that it is authenticating to does not have the necessary 11G password version (which is required to authenticate to such an older client), then the client will receive an ORA-03134: Connections to this server version are no longer supported error message.
    To enable older Oracle Database 10g clients to authenticate when the server is using the default SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 setting, ensure that the PASSWORD_VERSIONS value (found in DBA_USERS) for the account contains the value 11G (meaning that an SHA-1 verifier has been provisioned for the account). You may need to reset the password of the account if 11G does not appear in the list of password versions of the account. Resetting the password of the account automatically causes the server to provision the necessary 11G password version for the authentication of older clients (which have the O5L_NP capability).
  - To take advantage of the 12C password version introduced in Oracle Database release 12.2, user passwords should be expired to encourage users to change their passwords and cause the new 12C password version to be generated for their account. By default, new passwords are treated in a case-sensitive fashion. When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed, and the new 12C password version is generated.
- JDBC Thin Client Support:
  In Oracle Database release 12.1.0.2 and later, if you set the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12a and you create a new account or change the password of an existing account, then only the new 12C password version is generated. The 12C password version is based on a SHA-2 (Secure Hash Algorithm) SHA-512 salted cryptographic hash deoptimized using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm. When the database server is running with ALLOWED_LOGON_VERSION_SERVER set to 12a, it is running in exclusive mode. In this mode, to log in using a JDBC client, the JRE version must be at least version 8. The JDBC client enables its O7L_MR capability flag only when it is running with at least version 8 of the JRE.
  Note:
  Check the PASSWORD_VERSIONS column of the DBA_USERS catalog view in Oracle Database Reference to see the list of password versions for any given account.
  If you set the
sqlnet.oraparameterSQLNET.ALLOWED_LOGON_VERSION_SERVERto12, then the server runs in exclusive mode and only the11Gand12Cpassword versions (theSHA-1andPBKDF2 SHA-2based hashes of the password, respectively) are generated and allowed to be used. In such cases, fully-patched JDBC clients having the CPUOct2012 patch can connect because these JDBC clients provide theO5L_NPclient ability.Older JDBC clients that do not have the CPUOct2012 containing the fix for the stealth password cracking vulnerability CVE-2012-3132, do not provide the
O5L_NPclient ability. Therefore, ensure that all of the JDBC clients are patched properly. 
 - 
                                    
 - 
                              
Desupport of Oracle Database 10G Password Verifier

The database password verifier for Oracle Database 10g, 10G, is no longer supported or available on Oracle AI Database 26ai. Refer to the database upgrade guide preinstallation chapters for information about how to identify the Oracle Database 10G database password verifiers, and how to update the database user to use the latest and most secure database password verifier cryptography.

Be aware that the older client capabilities are not sufficient to authenticate with more modern servers because these servers use the default configuration of ALLOWED_LOGON_VERSION_SERVER=12 and do not support the 10G verifier. You should upgrade all clients to Oracle Database release 12c so that the 12C password version can be used exclusively to authenticate. By default, Oracle Database release 11.2.0.3 and later clients have the O5L_NP ability, which enables the 11G password version to be used exclusively. If you have an earlier Oracle Database client, then you must install the CPUOct2012 patch.
                              
Client Capabilities:

The client must support certain abilities of the authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040 "The database does not accept your client's authentication protocol; login denied." error message.

The following is the list of all client abilities. Some clients do not have all the listed abilities. Clients that are more recent have all of the capabilities of the older clients, but older clients tend to have fewer abilities than more recent clients. An ability that appears at the top in this list is more recent and secure than an ability that appears lower toward the bottom:

- O8L_LI: The ability to support long identifiers (user names up to 128 bytes).
- O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version. For JDBC clients, only those running on at least JRE version 8 offer the O7L_MR capability.
- O5L_NP: The ability to perform Oracle Database 10g authentication protocols using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.
- O5L (desupported with Oracle AI Database 26ai): The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.
- O4L (desupported with Oracle AI Database 26ai): The ability to perform the Oracle9i database authentication protocol using the 10G password version.
- O3L (desupported with Oracle AI Database 26ai): The ability to perform the Oracle8i database authentication protocol using the 10G password version.

Using the Gradual Database Password Rollover Feature

When the gradual database password rollover feature is enabled for an account, the LOGON_INFO clause in the audit record enables you to see whether the user has logged in with the old password or whether an application has not yet been updated to log in using the new password.

For example:

(TYPE=(DATABASE)); (CLIENT ADDRESS=((PROTOCOL=ipc)(HOST=0.0.0.0))); (LOGON_INFO=((VERIFIER=11G-OLD)(CLIENT_CAPABILITIES=O5L_NP,O7L_MR,O8L_LI)));
                              
Allowed Parameter Settings:

The following table describes the allowed settings of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter, its effect on the generated password versions when an account is created or a password is changed, the ability flag required of the client to authenticate while the server has this setting, and whether the setting is considered to be an exclusive mode.

Table 5-1 SQLNET.ALLOWED_LOGON_VERSION_SERVER Settings

| Value of the ALLOWED_LOGON_VERSION_SERVER Parameter | Generated Password Version | Ability Required of the Client | Meaning for Clients | Server Runs in Exclusive Mode |
| --- | --- | --- | --- | --- |
| 12a | 12C | O7L_MR | Only Oracle Database 12c release 1 (12.1.0.2 or later) clients can connect to the server. | Yes because it excludes the use of 11G password version. |
| 12 | 11G, 12C | O5L_NP | Oracle Database 11g release 2 (11.2.0.3 or later) clients can connect to the server. Older clients need the critical patch update CPUOct2012 or later, to gain the O5L_NP ability. Only older clients that have applied critical patch update CPUOct2012 or later can connect to the server. | Yes because it excludes the use of the 10G password version. |

Values
- 12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)
- 12 for Oracle Database 12c release 12.1 authentication protocols (default and recommended value)

Note:
- Starting with Oracle Database 12c Release 2 (12.2), the default value is 12.
- For earlier releases, the value 12 can be used after the critical patch updates CPUOct2012 and later are applied.

Default
12
Example
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
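
Before tightening the setting from 12 to 12a, it helps to know which clients and accounts would stop authenticating. The following added example (not Oracle code) encodes Table 5-1 and the client abilities list, and reads the LOGON_INFO clause in the format of the audit record shown above; the function names, the second sample record, and the reading of the -OLD suffix as "old password" are assumptions.

```python
import re

# Table 5-1: server setting -> ability required of the client, and the password
# versions the server accepts (strongest first).
SETTINGS = {
    "12a": {"ability": "O7L_MR", "versions": ("12C",)},
    "12": {"ability": "O5L_NP", "versions": ("12C", "11G")},
}
# Client abilities list: the ability a client needs to use each password version.
ABILITY_FOR_VERSION = {"12C": "O7L_MR", "11G": "O5L_NP"}

# Matches the LOGON_INFO clause in the format of the audit record quoted on the page.
LOGON_INFO = re.compile(r"\(VERIFIER=([^)]+)\)\(CLIENT_CAPABILITIES=([^)]*)\)")


def can_authenticate(setting, password_versions, client_caps):
    """Return (ok, detail) for one account and one client.

    password_versions is the DBA_USERS.PASSWORD_VERSIONS value, e.g. "11G 12C".
    """
    rule = SETTINGS[setting]
    caps = set(client_caps)
    account = set(password_versions.replace(",", " ").split())
    if rule["ability"] not in caps:
        return False, f"client lacks {rule['ability']}: ORA-28040 or ORA-03134"
    for version in rule["versions"]:
        if version in account and ABILITY_FOR_VERSION[version] in caps:
            return True, version
    # The page's O5L_NP-only client against an account without 11G lands here.
    return False, "no password version usable by this client: reset the password"


def parse_logon_info(record):
    """Extract verifier, old-password flag and client abilities from an audit record."""
    match = LOGON_INFO.search(record)
    if match is None:
        return None
    verifier, caps = match.groups()
    old = verifier.endswith("-OLD")  # assumption: suffix as in the page's 11G-OLD example
    return {
        "verifier": verifier[:-4] if old else verifier,
        "old_password": old,
        "capabilities": [c.strip() for c in caps.split(",") if c.strip()],
    }


def rollover_report(records, target_setting):
    """Per record: was the old password used, and does the client meet target_setting?"""
    needed = SETTINGS[target_setting]["ability"]
    report = []
    for record in records:
        info = parse_logon_info(record)
        if info is not None:
            report.append({
                "verifier": info["verifier"],
                "old_password": info["old_password"],
                "meets_target": needed in info["capabilities"],
            })
    return report


SAMPLE_RECORDS = [
    # Record quoted on the page.
    "(TYPE=(DATABASE)); (CLIENT ADDRESS=((PROTOCOL=ipc)(HOST=0.0.0.0))); "
    "(LOGON_INFO=((VERIFIER=11G-OLD)(CLIENT_CAPABILITIES=O5L_NP,O7L_MR,O8L_LI)));",
    # Constructed record: an older client that offers only O5L_NP.
    "(TYPE=(DATABASE)); (CLIENT ADDRESS=((PROTOCOL=ipc)(HOST=0.0.0.0))); "
    "(LOGON_INFO=((VERIFIER=11G)(CLIENT_CAPABILITIES=O5L_NP)));",
]

if __name__ == "__main__":
    print(can_authenticate("12", "12C", ["O5L_NP"]))
    for row in rollover_report(SAMPLE_RECORDS, "12a"):
        print(row)
```
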
5.2.42 SQLNET.AUTHENTICATION_SERVICES
Use the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES to enable one or more authentication services.
                     
Purpose
To enable one or more authentication services. If you have installed authentication, then Oracle recommends that you set SQLNET.AUTHENTICATION_SERVICES to either NONE or to one of the listed authentication methods.
                        
Usage Notes
- You can set this parameter in the sqlnet.ora file.

  You can also set this value in the tnsnames.ora file or directly as part of the connect string. The SQLNET.AUTHENTICATION_SERVICES parameter is equivalent to the tnsnames.ora parameter AUTHENTICATION_SERVICE. The parameter value specified in the connect string takes precedence.
- When you set SQLNET.AUTHENTICATION_SERVICES to ALL, the server attempts to authenticate using each of the following methods.
  - Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.
  - Authentication based on the operating system user's membership in an administrative operating system group. Group names are platform-specific. This authentication applies to administrative connections only.
  - Authentication performed by the database.
  - Authentication based on credentials stored in a directory server.

  The server falls back to the authentication methods that appear further down on the list if attempts to use the authentication methods appearing higher on the list were unsuccessful.
- When using local database password authentication (no external authentication), set SQLNET.AUTHENTICATION_SERVICES=(NONE) for better client performance.
- Operating system authentication enables access to the database using any user name and any password when an administrative connection is attempted to the CDB root, such as using the AS SYSDBA clause when connecting using SQL*Plus.

  An example of a connection to the CDB root is as follows.

  sqlplus ignored_username/ignored_password AS SYSDBA

  When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because Oracle checks the group membership first, and thus the user name and password are ignored by the server.

Values
Authentication methods that are available with Oracle Net Services are:
- NONE for no authentication methods, including Microsoft Windows native operating system authentication. When you set SQLNET.AUTHENTICATION_SERVICES to NONE, then the user can use a valid user name and password to access the database.
- ALL for all authentication methods.
- BEQ for native operating system authentication for operating systems other than Microsoft Windows.
- KERBEROS5 for Kerberos authentication.
- RADIUS for Remote Authentication Dial-In User Service (RADIUS) authentication.
- TCPS for TLS authentication.
- NTS for Microsoft Windows native operating system authentication. In this case, the user must authenticate to the database (CDB root) with OS credentials using Windows native authentication. No external password is needed. NTS checks the group membership for an OS user. For example, if an OS user is a member of the ORA_DBA group, then the user can log in to the database as SYSDBA.

  Note: With the SQLNET.AUTHENTICATION_SERVICES value NTS, if you try to connect through SQL*Plus using NTS authentication and specify an external password (for example, SQL*Plus SYSTEM/password), then the connection fails with an ORA-12638, 00000, "Failed to retrieve credentials for adapter_name." error message. For regular user name and password based authentication, set the value to NONE.

Default
TCPS
Note:
When installing Oracle Database with Database Configuration Assistant (DBCA), you can set this parameter to NTS in the sqlnet.ora file.
                           
Examples
When specifying multiple authentication services, you must enclose the values within parentheses as follows:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
If you want to specify only a single authentication service, then parentheses are not required:
SQLNET.AUTHENTICATION_SERVICES=KERBEROS5
5.2.43 SQLNET.BREAK_RESET_TIMEOUT
Use the sqlnet.ora parameter SQLNET.BREAK_RESET_TIMEOUT to specify how long a database client or server should wait for the break/reset operation to complete.
                     
Purpose
To specify the time for a database client or server to wait for the break/reset operation to complete. If the break/reset operation does not complete in the specified time interval, then the connection is closed.
You can specify the time in hours, minutes, seconds, or milliseconds by using the hr, min, sec, or ms keyword respectively. If you do not specify a unit of measurement, then the default unit is sec.
                        
Usage Notes
Setting this parameter ensures that the peer is not left waiting indefinitely for the break/reset operation to complete. If a peer does not receive response data within the specified BREAK_RESET_TIMEOUT interval, the connection is closed. If you set the timeout interval, then set it initially to a low value and adjust it according to the system and network capacity.
                        
Default
None
Minimum Value
1 ms
Allowed Range
Any number greater than the minimum value of 1 ms up to 4294967295 ms
Example
SQLNET.BREAK_RESET_TIMEOUT=10 ms
5.2.44 SQLNET.CLIENT_REGISTRATION
Use the sqlnet.ora parameter SQLNET.CLIENT_REGISTRATION to set a unique identifier for the client computer.
                     
Purpose
To set a unique identifier for the client computer.
Usage Notes
This identifier is passed to the listener with any connection request and is included in the audit trail. The identifier can be any alphanumeric string up to 128 characters long.
Default
None
Example
SQLNET.CLIENT_REGISTRATION=1432
5.2.45 SQLNET.CLOUD_USER
Use the sqlnet.ora parameter SQLNET.CLOUD_USER to specify a user name for web server HTTP basic authentication.
                     
Purpose
To specify a user name for web server HTTP basic authentication.
                        
Usage Notes
When you use a secure websocket protocol, the client uses this user as the user name for authentication. The password for this user should be stored in a wallet using mkstore commands.
                        
Perform the following configuration steps to use HTTP basic authentication with secure websockets:
                        
- Create a wallet using the orapki utility.

  orapki wallet create -wallet wallet_directory

  Example

  orapki wallet create -wallet /app/wallet
- Add a web server public certificate.

  orapki wallet add -wallet wallet_directory -trusted_cert -cert web_server_public_certificate_in_pem_format

  Example

  orapki wallet add -wallet /app/wallet -trusted_cert -cert server_cert.txt
- Add the web server user name to sqlnet.ora. This user name is only used for authenticating the web server. This is not a database user name. After web server authentication, the web server connects to the back-end database server and database authentication is completed.

  Example

  sqlnet.cloud_user = dbuser1
- Add a web server user password to the wallet.

  mkstore -wrl wallet_location -createEntry username password

  Example

  mkstore -wrl /app/wallet -createEntry dbuser1 Secretdb#
- Make the wallet automatically log in and protect this wallet directory using operating system file permissions or any other means. Do this so that only the database client can have read access to it. Refer to the operating system utilities for information about changing the file permissions.

  orapki wallet create -wallet wallet_directory -auto_login

  Example

  orapki wallet create -wallet /app/wallet -auto_login

  Note: Oracle has introduced a new auto-login wallet version (7) with Oracle AI Database 26ai. Version 6 of the Oracle local auto-login wallet is deprecated. You can update your local auto-login wallet by modifying it with orapki.
- Update the sqlnet.ora file with the wallet entry.

  Example

  wallet_location=(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/app/wallet)))

Note:
- The parameter WALLET_LOCATION is deprecated for use with Oracle AI Database 26ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client or listener.

  For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.
- The mkstore wallet management command line tool is deprecated with Oracle AI Database 26ai, and can be removed in a future release.

  To manage wallets, Oracle recommends that you use the orapki command line tool.

Default
None
5.2.46 SQLNET.COMPRESSION
Use the sqlnet.ora parameter SQLNET.COMPRESSION to enable or disable data compression.
                     
Purpose
To enable or disable data compression. If both the server and client have this parameter set to ON, then compression is used for the connection.
                        
Note:
The SQLNET.COMPRESSION parameter applies to all database connections, except for Oracle Data Guard streaming redo and SecureFiles LOBs (Large Objects).
                           
Default
off
Values
- on to enable data compression.
- off to disable data compression.
Example
SQLNET.COMPRESSION=on
5.2.47 SQLNET.COMPRESSION_ACCELERATION
Use the sqlnet.ora parameter SQLNET.COMPRESSION_ACCELERATION to specify whether to use the hardware-accelerated version of compression, if it is available for the platform.

Purpose
To specify whether to use the hardware-accelerated version of compression, if it is available for the platform.
Usage Notes
You can set this parameter in the Oracle Connection Manager alias description.
Default
on
Values
- on
- off
- 0
- 1
Example 5-4 Example
compression_acceleration = on
5.2.48 SQLNET.COMPRESSION_LEVELS
Use the sqlnet.ora parameter SQLNET.COMPRESSION_LEVELS to specify the compression level.
                     
Purpose
To specify the compression level.
Usage Notes
The compression levels are used at the time of negotiation to verify which levels are used at both ends, and to select one level.
For Database Resident Connection Pooling (DRCP), only the compression level low is supported.
                        
Default
low
Values
- low to use low CPU usage and low compression ratio
- high to use high CPU usage and high compression ratio
Example
SQLNET.COMPRESSION_LEVELS=(high)
5.2.49 SQLNET.COMPRESSION_THRESHOLD
Use the sqlnet.ora parameter SQLNET.COMPRESSION_THRESHOLD to specify the minimum data size for which compression is needed.
                     
Purpose
To specify the minimum data size, in bytes, for which compression is needed.
Usage Notes
Compression is not to be performed if the size of the data you are sending is less than this value.
Default
1024 bytes
Example
SQLNET.COMPRESSION_THRESHOLD=1024
5.2.50 SQLNET.CRYPTO_CHECKSUM_CLIENT
Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_CLIENT to specify the desired data integrity behavior when this client or server acting as a client connects to a server.
                     
Purpose
To specify the checksum behavior for the client. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.
                        
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side
- rejected to disable the security service, even if required by the other side
- requested to enable the security service if the other side allows it
- required to enable the security service and disallow the connection if the other side is not enabled for the security service
Example
SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted
5.2.51 SQLNET.CRYPTO_CHECKSUM_SERVER
Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_SERVER to specify the data integrity behavior when a client or another server acting as a client connects to this server.
                     
Purpose
To specify the checksum behavior for the database. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end of the connection.
                        
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side
- rejected to disable the security service, even if required by the other side
- requested to enable the security service if the other side allows it
- required to enable the security service and disallow the connection if the other side is not enabled for the security service
Example
SQLNET.CRYPTO_CHECKSUM_SERVER=accepted
5.2.52 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT to specify a list of data integrity algorithms that this client or server acting as a client uses.
                     
Purpose
To specify a list of crypto-checksum algorithms for the client to use.
This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed on this side is specified, the connection terminates with the ORA-12650: No common encryption or data integrity algorithm error message.
                        
Default
All available algorithms
Values
- MD5 for the RSA Data Security MD5 algorithm

  The MD5 algorithm is deprecated in this release. To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
- SHA1 for the Secure Hash Algorithm

  The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.

  Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Instead of using SHA1, Oracle recommends that you start using a stronger SHA-2 cipher in place of the SHA-1 cipher.
- SHA256 for SHA-2 uses 256 bits with the hashing algorithm
- SHA384 for SHA-2 uses 384 bits with the hashing algorithm
- SHA512 for SHA-2 uses 512 bits with the hashing algorithm
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256, MD5)
5.2.53 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
Use the sqlnet.ora parameter SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER to specify the data integrity algorithms that this server or client to another server uses, in order of intended use.
                     
Purpose
To specify a list of crypto-checksum algorithms for the database to use.
This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm is specified that is not installed on this side, the connection terminates with the ORA-12650: No common encryption or data integrity algorithm error message.
                        
Default
All available algorithms
Values
- MD5 for the RSA Data Security's MD5 algorithm

  The MD5 algorithm is deprecated in this release. To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
- SHA1 for the Secure Hash algorithm

  The use of SHA-1 with DBMS_CRYPTO, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated.

  Using SHA-1 (Secure Hash Algorithm 1) with the parameters SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER is deprecated in this release, and can be desupported in a future release. Using SHA-1 ciphers with DBMS_CRYPTO is also deprecated (HASH_SH1, HMAC_SH1). Instead of using SHA1, Oracle recommends that you start using a stronger SHA-2 cipher in place of the SHA-1 cipher.
- SHA256 for SHA-2 uses 256 bits with the hashing algorithm
- SHA384 for SHA-2 uses 384 bits with the hashing algorithm
- SHA512 for SHA-2 uses 512 bits with the hashing algorithm
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256, MD5)
5.2.54 SQLNET.DBFW_PUBLIC_KEY
Use the sqlnet.ora parameter SQLNET.DBFW_PUBLIC_KEY to provide Oracle Database Firewall public keys to the Advanced Security Option (ASO) by specifying the file that stores the public keys.
                     
Purpose
To provide Oracle Database Firewall public keys to Advanced Security Option (ASO) by specifying the name of the file that stores the Oracle Database Firewall public keys.
Default
None
Values
Full path name of the operating system file that has the public keys
Example
SQLNET.DBFW_PUBLIC_KEY="/path_to_file/dbfw_public_key_file.txt"
See Also:
"SQLNET.ENCRYPTION_TYPES_SERVER"
5.2.55 SQLNET.DOWN_HOSTS_TIMEOUT
Use the sqlnet.ora parameter SQLNET.DOWN_HOSTS_TIMEOUT to specify the amount of time in seconds that server hosts down state information remains in the client cache.
                     
Purpose
To specify the amount of time in seconds that information about the down state of server hosts is kept in the client process cache.
                     
Usage Notes
Clients discover the down state of server hosts when attempting connections. When a connection attempt fails, the information about the down state of the server host is added to the client process cache. Subsequent connection attempts by the same client process move the addresses of the down hosts to the end of the address list, thereby reducing the priority of down hosts. When the duration of time that is specified by the SQLNET.DOWN_HOSTS_TIMEOUT parameter has elapsed, the host is purged from the process cache and its priority in the address list is restored. 
                        
Default
600 seconds (10 minutes)
Values
Any positive integer
Example
SQLNET.DOWN_HOSTS_TIMEOUT=60
5.2.56 SQLNET.ENCRYPTION_CLIENT
Use the sqlnet.ora parameter SQLNET.ENCRYPTION_CLIENT to set the encryption behavior when this client or server acting as a client connects to a server. 
                     
Purpose
To enable encryption for clients. Setting the tnsnames.ora parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS to TRUE disables SQLNET.ENCRYPTION_CLIENT.
                        
The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.
                        
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side
- rejected to disable the security service, even if required by the other side
- requested to enable the security service if the other side allows it
- required to enable the security service and disallow the connection if the other side is not enabled for the security service
Example
SQLNET.ENCRYPTION_CLIENT=accepted
5.2.57 SQLNET.ENCRYPTION_SERVER
The sqlnet.ora parameter SQLNET.ENCRYPTION_SERVER specifies the encryption behavior when a client or a server acting as a client connects to this server.
                     
Purpose
To enable encryption for the database. Setting SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to FALSE disables SQLNET.ENCRYPTION_SERVER.
                        
The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT setting at the other end of the connection.
                        
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side
- rejected to disable the security service, even if required by the other side
- requested to enable the security service if the other side allows it
- required to enable the security service and disallow the connection if the other side is not enabled for the security service
Example
SQLNET.ENCRYPTION_SERVER=accepted
5.2.58 SQLNET.ENCRYPTION_TYPES_CLIENT
Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_CLIENT to specify the encryption algorithms this client or the server acting as a client uses.
                     
Purpose
This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with the ORA-12650: No common encryption or data integrity algorithm error message.
                        
Usage Notes
Starting with Oracle Database 21c, older encryption and hashing algorithms are deprecated.
The deprecated algorithms for DBMS_CRYPTO and native network encryption include MD4, MD5, DES, 3DES, and RC4-related algorithms as well as 3DES for Transparent Data Encryption (TDE). Removing older, less secure cryptography algorithms prevents accidental use of these algorithms. To meet your security requirements, Oracle recommends that you use more modern cryptography algorithms, such as the Advanced Encryption Standard (AES).

As a consequence of this deprecation, Oracle recommends that you review your network encryption configuration to see if you have specified use of any of the deprecated algorithms. If any are found, then switch to using a more modern cipher, such as AES. Also, if you are currently using 3DES encryption for your TDE deployment, then you should plan to migrate to a more modern algorithm such as AES. For more information, refer to Oracle Database Security Guide.
To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
Default
All available algorithms
Values
- AES128 for AES (128-bit key size)
- AES192 for AES (192-bit key size)
- AES256 for AES (256-bit key size)

- 3DES112 for triple DES with a two-key (112-bit) option
- 3DES168 for triple DES with a three-key (168-bit) option
- DES for standard DES (56-bit key size)
- DES40 for DES (40-bit key size)
- RC4_40 for RSA RC4 (40-bit key size)
- RC4_56 for RSA RC4 (56-bit key size)
- RC4_128 for RSA RC4 (128-bit key size)
- RC4_256 for RSA RC4 (256-bit key size)
Example
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
5.2.59 SQLNET.ENCRYPTION_TYPES_SERVER
Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_SERVER to specify the encryption algorithms this server uses in the order of the intended use.
                     
Purpose
This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with an ORA-12650: No common encryption or data integrity algorithm error message.
                        
Default
All available algorithms
Values
- AES128 for AES (128-bit key size)
- AES192 for AES (192-bit key size)
- AES256 for AES (256-bit key size)

- 3DES112 for triple DES with a two-key (112-bit) option
- 3DES168 for triple DES with a three-key (168-bit) option
- DES for standard DES (56-bit key size)
- DES40 for DES40 (40-bit key size)
- RC4_40 for RSA RC4 (40-bit key size)
- RC4_56 for RSA RC4 (56-bit key size)
- RC4_128 for RSA RC4 (128-bit key size)
- RC4_256 for RSA RC4 (256-bit key size)
Starting with Oracle Database 21c, older encryption and hashing algorithms are deprecated.
The deprecated algorithms for DBMS_CRYPTO and native network encryption include MD4, MD5, DES, 3DES, and RC4-related algorithms as well as 3DES for Transparent Data Encryption (TDE). Removing older, less secure cryptography algorithms prevents accidental use of these algorithms. To meet your security requirements, Oracle recommends that you use more modern cryptography algorithms, such as the Advanced Encryption Standard (AES).
As a consequence of this deprecation, Oracle recommends that you review your network encryption configuration to see if you have specified use of any of the deprecated algorithms. If any are found, then switch to using a more modern cipher, such as AES. Also, if you are currently using 3DES encryption for your TDE deployment, then you should plan to migrate to a more modern algorithm such as AES. For more information, refer to Oracle Database Security Guide.
To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.
Example
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256, AES192, ...)
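The configuration review recommended above and the ordered matching described for SQLNET.ENCRYPTION_TYPES_SERVER, as an added Python example (not Oracle code). It models only the list matching stated in this section and assumes encryption is enabled at both ends; the function names, the single-line parameter layout and the sample files are assumptions constructed for illustration.

```python
import re

# Algorithm names exactly as listed under "Values" for both parameters.
AES = {"AES128", "AES192", "AES256"}
DEPRECATED = {"3DES112", "3DES168", "DES", "DES40",
              "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
PARAMS = ("SQLNET.ENCRYPTION_TYPES_CLIENT", "SQLNET.ENCRYPTION_TYPES_SERVER")

# Assumption: each parameter sits on one line and '#' starts a comment.
_LINE = re.compile(
    r"^[ \t]*(SQLNET\.ENCRYPTION_TYPES_(?:CLIENT|SERVER))[ \t]*=[ \t]*\(?([^)#\n]*)",
    re.IGNORECASE | re.MULTILINE)


def encryption_types(sqlnet_text):
    """Return {PARAMETER: [algorithms in configured order]} from sqlnet.ora text."""
    found = {}
    for name, value in _LINE.findall(sqlnet_text):
        found[name.upper()] = [a.strip().upper() for a in value.split(",") if a.strip()]
    return found


def audit(sqlnet_text):
    """Return (parameter, finding) pairs for the two algorithm-list parameters."""
    findings = []
    configured = encryption_types(sqlnet_text)
    for param in PARAMS:
        if param not in configured:
            # The documented default is "All available algorithms".
            findings.append((param, "not set: default is all available algorithms"))
            continue
        for alg in configured[param]:
            if alg in DEPRECATED:
                findings.append((param, "deprecated algorithm " + alg))
            elif alg not in AES:
                findings.append((param, "unrecognized value " + alg))
    return findings


def negotiate(server_order, client_offer):
    """Walk the server list in order and return the first algorithm the client
    also lists, or None when the two lists have nothing in common."""
    offered = set(client_offer)
    for alg in server_order:
        if alg in offered:
            return alg
    return None


# Constructed sample files, not taken from a real system.
SERVER_BEFORE = """\
# server profile before review
SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, AES256)
"""
SERVER_AFTER = """\
# server profile after review
SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256, AES192)
"""
CLIENT = "SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, 3DES168)\n"

if __name__ == "__main__":
    client_offer = encryption_types(CLIENT)["SQLNET.ENCRYPTION_TYPES_CLIENT"]
    for label, text in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        server_order = encryption_types(text)["SQLNET.ENCRYPTION_TYPES_SERVER"]
        print(label, "findings:", audit(text))
        print(label, "negotiated:", negotiate(server_order, client_offer))
```

In this model a deprecated algorithm placed first in the server list is selected even when both ends also list AES256, so the review should remove such entries rather than reorder them.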
5.2.60 SQLNET.EXPIRE_TIME
Use the sqlnet.ora parameter SQLNET.EXPIRE_TIME to specify how often, in minutes, to verify that client and server connections are alive.
                     
Purpose
To specify time intervals, in minutes, for how often to verify that client and server connections are alive.
Usage Notes
Setting a value greater than 0 ensures that connections are not left open indefinitely due to an unusual client termination. If your environment supports TCP keepalive tuning, then Oracle Net Services automatically uses the enhanced detection model and tunes the TCP keepalive parameters.
If the verification check identifies a terminated connection or a connection that is no longer usable, then the check returns an error, causing the server process to exit.
The sqlnet.ora parameter SQLNET.EXPIRE_TIME is primarily intended for the database server, which typically handles multiple connections simultaneously. 
                        
You can also use this parameter for database clients to verify if the server connection is alive.
Limitations on using the terminated connection detection feature are:
- You cannot use it on bequeathed connections.
- Though very small, a probe packet generates additional traffic that may degrade your network performance.
- Depending on your operating system, the server may need to perform additional processing to distinguish the connection probing event from other events. This can also result in degraded network performance.
Default
0
Minimum Value
0
Recommended Value
10
Example
SQLNET.EXPIRE_TIME=10
5.2.61 SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
Use the sqlnet.ora parameter SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to ignore the value that is set for the parameter SQLNET.ENCRYPTION_SERVER for TCPS connections. This disables ANO encryption on the TCPS listener.
                     
Purpose
Use SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS on your server to ignore the value that is set for SQLNET.ENCRYPTION_SERVER for TCPS connections. Doing this disables ANO encryption on the TCPS listener.
                        
Default
FALSE
Example 5-5 Example
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE
5.2.62 SQLNET.INBOUND_CONNECT_TIMEOUT
Use the sqlnet.ora parameter SQLNET.INBOUND_CONNECT_TIMEOUT to specify the amount of time that clients have to connect with the database and authenticate.
                     
Purpose
Use the parameter SQLNET.INBOUND_CONNECT_TIMEOUT to specify the time limit in ms, sec, or min, within which a client must connect with the database and provide authentication information.
                        
Usage Notes
If the client fails to connect and complete the authentication within the specified timeframe, then the database terminates the connection. In addition, the database logs the IP address of the client and writes an ORA-12170 error message to the database alert log file.
The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message. 
                        
The default value of SQLNET.INBOUND_CONNECT_TIMEOUT is appropriate for typical scenarios. However, if you need to set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:
- Set both parameters to a low value initially.
- Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the value that you have set for the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.
SQLNET.INBOUND_CONNECT_TIMEOUT accepts timeout values with or without a space between the value and the unit. If you do not set a unit of measurement for SQLNET.INBOUND_CONNECT_TIMEOUT, then the default unit is sec. For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and set the SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete the connections within the specified time due to system or network delays that are normal for the particular environment, then increase the value for SQLNET.INBOUND_CONNECT_TIMEOUT as needed.
                        
Default
60 seconds
Example
SQLNET.INBOUND_CONNECT_TIMEOUT=3ms
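A check for the recommendation above that the listener timeout stay below the database timeout, as an added Python example (not Oracle code). It assumes the listener.ora value uses the same value-and-unit syntax, that units are matched case-insensitively, and that each parameter sits on one line; the function names and sample values are constructed for illustration.

```python
import re

# Units named in this section; a bare number defaults to seconds.
_UNIT_MS = {"ms": 1, "sec": 1000, "min": 60000}
_TIMEOUT = re.compile(r"^\s*(\d+)\s*(ms|sec|min)?\s*$", re.IGNORECASE)
# Assumption: one "NAME = value" per line, '#' starts a comment.
_ASSIGN = re.compile(r"^[ \t]*([A-Za-z][\w.]*)[ \t]*=[ \t]*([^#\n]*)", re.MULTILINE)
SQLNET_DEFAULT_MS = 60 * 1000  # documented default: 60 seconds


def parse_timeout_ms(value):
    """Convert '3ms', '10 ms', '2 sec', '1min' or '3' to integer milliseconds."""
    match = _TIMEOUT.match(value)
    if match is None:
        raise ValueError("unrecognized timeout value: %r" % value)
    number, unit = match.groups()
    return int(number) * _UNIT_MS[(unit or "sec").lower()]


def read_params(text):
    """Return {UPPERCASED_NAME: raw value} for every single-line assignment."""
    return {name.upper(): value.strip() for name, value in _ASSIGN.findall(text)}


def check_inbound_timeouts(sqlnet_text, listener_text):
    """List every listener timeout that is not lower than the database timeout."""
    findings = []
    raw = read_params(sqlnet_text).get("SQLNET.INBOUND_CONNECT_TIMEOUT")
    server_ms = SQLNET_DEFAULT_MS if raw is None else parse_timeout_ms(raw)
    listeners = {name: value for name, value in read_params(listener_text).items()
                 if name.startswith("INBOUND_CONNECT_TIMEOUT_")}
    if not listeners:
        findings.append("listener.ora sets no INBOUND_CONNECT_TIMEOUT_listener_name")
    for name in sorted(listeners):
        if parse_timeout_ms(listeners[name]) >= server_ms:
            findings.append("%s=%s is not lower than SQLNET.INBOUND_CONNECT_TIMEOUT (%d ms)"
                            % (name, listeners[name], server_ms))
    return findings


# Constructed sample files; LISTENER is a hypothetical listener name.
SQLNET_SECONDS = "SQLNET.INBOUND_CONNECT_TIMEOUT=3\n"
SQLNET_MILLIS = "SQLNET.INBOUND_CONNECT_TIMEOUT=3ms\n"
LISTENER_ORA = "INBOUND_CONNECT_TIMEOUT_LISTENER = 2\n"

if __name__ == "__main__":
    print(check_inbound_timeouts(SQLNET_SECONDS, LISTENER_ORA))  # 2 s below 3 s
    print(check_inbound_timeouts(SQLNET_MILLIS, LISTENER_ORA))   # 2 s above 3 ms
```

The second call shows why the unit matters: a database limit written as 3ms ends up far below a 2 second listener limit, which inverts the recommended ordering.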
5.2.63 SQLNET.FALLBACK_AUTHENTICATION
Use the sqlnet.ora parameter SQLNET.FALLBACK_AUTHENTICATION to specify whether to attempt password-based authentication if Kerberos authentication fails.
                     
Purpose
To specify whether to attempt to use password-based authentication if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.
Default
FALSE
Example
SQLNET.FALLBACK_AUTHENTICATION=TRUE
5.2.64 SQLNET.KERBEROS5_CC_NAME
Use the sqlnet.ora parameter SQLNET.KERBEROS5_CC_NAME to specify the complete path name to the Kerberos credentials cache (CC) file. 
                     
Purpose
To specify the complete path name to the Kerberos CC file.
Usage Notes
- You can set this parameter in the sqlnet.ora file.
  You can also set this value in the tnsnames.ora file or directly as part of the connect string. The SQLNET.KERBEROS5_CC_NAME parameter is equivalent to the tnsnames.ora parameter KERBEROS5_CC_NAME. The parameter value specified in the connect string takes precedence.
- This parameter supports multiple principals for the storage of credentials that are returned by KDC in an encrypted format.
  You can use the okinit, oklist, and okdstry utilities to configure encrypted cache files for all Kerberos principals. These utilities work with encrypted cache files only if you specify the cache path using SQLNET.KERBEROS5_CC_NAME.
- SQLNET.KERBEROS5_CC_NAME is mandatory for all additional Kerberos users and principals. Optionally, you can set the KERBEROS5_PRINCIPAL parameter to specify the Kerberos principal name associated with the credential cache (specified through SQLNET.KERBEROS5_CC_NAME). You can set KERBEROS5_PRINCIPAL in the connect string, sqlnet.ora file, or tnsnames.ora file.
  Oracle Database checks KERBEROS5_PRINCIPAL against the value that is retrieved from the credential cache. If the two values do not match, then the user is not authenticated.
Values and Examples
SQLNET.KERBEROS5_CC_NAME:
- If the Oracle database is using a directory cache:
  - SQLNET.KERBEROS5_CC_NAME=complete_path_to_cc_file
    For example:
    SQLNET.KERBEROS5_CC_NAME=/tmp/kcache
    SQLNET.KERBEROS5_CC_NAME=D:\tmp\kcache
  - SQLNET.KERBEROS5_CC_NAME=FILE:complete_path_to_cc_file
    For example:
    SQLNET.KERBEROS5_CC_NAME=FILE:/tmp/kcache
- If the Oracle database is using the native Windows cache:
  - SQLNET.KERBEROS5_CC_NAME=OSMSFT://
  - SQLNET.KERBEROS5_CC_NAME=MSLSA:
  The OSMSFT and MSLSA options specify that the file is on Microsoft Windows and is running Microsoft Kerberos Key Distribution Center (KDC).
Default
- On Linux and UNIX operating systems: /tmp/krb5cc_userid
- On Microsoft Windows operating systems: c:\tmp\krbcache
5.2.65 SQLNET.KERBEROS5_CLOCKSKEW
Use the sqlnet.ora parameter SQLNET.KERBEROS5_CLOCKSKEW to specify how much time elapses before a Kerberos credential is considered out-of-date.
                     
Purpose
To specify how many seconds elapse before a Kerberos credential is considered out-of-date.
Default
300
Example
SQLNET.KERBEROS5_CLOCKSKEW=1200
5.2.66 SQLNET.KERBEROS5_CONF
Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF to specify the path name to the Kerberos configuration file that contains the realm for the default Key Distribution Center (KDC) and that maps realms to KDC hosts.
                     
Purpose
To specify the complete path name to the Kerberos configuration file that contains the realm for the default Key Distribution Center (KDC) and that also maps realms to KDC hosts.
Usage Notes
KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.
                        
If you configure the SQLNET.KERBEROS5_CONF parameter, then the Kerberos 5 configuration file krb.conf is fetched from the directory path specified in the parameter. Alternately, you can skip configuring the SQLNET.KERBEROS5_CONF altogether and still ensure the discovery of your configuration file by placing the krb.conf file in one of the default search locations so as to allow for an automatic discovery by Kerberos authentication service.
                        
Note:
If you choose to place the Kerberos configuration file in one of the default search paths, then it is optional to set the parameter value as AUTO_DISCOVER, as placing the krb.conf file in one of the default locations enables automatic discovery without having to set the AUTO_DISCOVER parameter.
Default
krb.conf is automatically searched in the below file paths in the specified order:
- $ORACLE_BASE/network/admin/krb.conf
- $ORACLE_BASE_HOME/network/admin/krb.conf
- $ORACLE_HOME/network/admin/krb.conf
- /etc/krb.conf
c:\krb5\krb.conf on Microsoft Windows operating systems

Values
- Directory path to krb.conf file
- AUTO_DISCOVER
Example
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
5.2.67 SQLNET.KERBEROS5_CONF_LOCATION
Use the sqlnet.ora parameter SQLNET.KERBEROS5_CONF_LOCATION to specify the directory for the Kerberos configuration file. The SQLNET.KERBEROS5_CONF_LOCATION parameter also specifies that the file is created by the system and not by the client.
                     
Purpose
To specify the directory for the Kerberos configuration file. The parameter also specifies that the file is created by the system, and not by the client.
Usage Notes
The configuration file uses DNS look-up to obtain the realm for the default KDC, and it maps realms to the KDC hosts. This option is supported for all operating systems that support this feature.
Default
/krb5 on Linux and UNIX operating systems
                        
c:\krb5 on Microsoft Windows operating systems
                        
Example
SQLNET.KERBEROS5_CONF_LOCATION=/krb5
5.2.68 SQLNET.KERBEROS5_KEYTAB
Use the sqlnet.ora parameter SQLNET.KERBEROS5_KEYTAB to specify the path name to the Kerberos principal/secret key mapping file that extracts keys and decrypts incoming authentication information.

Purpose
To specify the complete path name to the Kerberos principal/secret key mapping file that extracts keys and decrypts incoming authentication information.
Default
/etc/v5srvtab on Linux and UNIX operating systems
                        
c:\krb5\v5srvtab on Microsoft Windows operating systems
                        
Example
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
5.2.69 SQLNET.KERBEROS5_REALMS
Use the sqlnet.ora parameter SQLNET.KERBEROS5_REALMS to specify the complete path name to the Kerberos realm translation file that maps a host name or domain name to a realm.
                     
Purpose
To specify the complete path name to the Kerberos realm translation file that maps a host name or domain name to a realm.
Default
/krb5/krb.realms on Linux and UNIX operating systems
                        
c:\krb5\krb.realms on Microsoft Windows operating systems
                        
Example
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
5.2.70 SQLNET.OUTBOUND_CONNECT_TIMEOUT
Use the sqlnet.ora parameter SQLNET.OUTBOUND_CONNECT_TIMEOUT to specify the amount of time, in milliseconds, seconds, or minutes, in which clients must establish Oracle Net connections to database instances.
                     
Purpose
To specify the time in ms, sec, or min for clients to establish an Oracle Net connection to the database instance.
Usage Notes
If an Oracle Net connection is not established in the time specified, then the connection attempt is terminated. The client receives the following error:
ORA-12170: Cannot connect. Outbound connect timeout of time_interval for host_port or key. (CONNECTION_ID=ID_string).
The outbound connect timeout interval is a superset of the TCP connect timeout interval that specifies a limit on the time needed to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance that is providing the service. It accepts different timeouts with or without space between the value and the unit.
Without this parameter, a client connection request to the database server may be blocked for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable. In this case, no unit is mentioned and the default unit is sec.
                        
The outbound connect timeout interval is only applicable for TCP, TCP with TLS, and IPC transport connections.
This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.
                        
Default
None
Example
SQLNET.OUTBOUND_CONNECT_TIMEOUT=10 ms
5.2.71 SQLNET.RADIUS_ALLOW_WEAK_CLIENTS
Use the client-side sqlnet.ora parameter SQLNET.RADIUS_ALLOW_WEAK_CLIENTS to control the transport protocol that the Oracle Database client must use for communicating with the Oracle Database server.
                     
Purpose
To control the transport protocol that the Oracle Database client must use for communication between the database client and database server, if the database client wants to use RADIUS authentication.
The default value is FALSE so that database clients can connect to the database server (to use RADIUS authentication) only if the connecting protocol used is TCPS.
                        
Usage Notes
- Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
  Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
  The updated RADIUS API uses TCPS as the protocol for secure communication.
- Starting with Oracle AI Database 26ai, users authenticating to the database using the legacy RADIUS API no longer are granted administrative privileges.
  In previous releases, users authenticating with RADIUS API could be granted administrative privileges such as SYSDBA or SYSBACKUP. In Oracle AI Database 26ai, Oracle introduces a new RADIUS API that uses the latest standards. To grant administrative privileges to users, ensure the database connection to the database uses the new RADIUS API, and that you are using the Oracle AI Database 26ai client to connect to the Oracle AI Database 26ai server.
Values
- TRUE: To allow database clients to connect using a weak protocol, such as User Datagram Protocol (UDP).
- FALSE: To allow database clients to connect using only a strong protocol, such as TCPS.
Default
FALSE
Example
SQLNET.RADIUS_ALLOW_WEAK_CLIENTS=FALSE
5.2.72 SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL
Use the server-side sqlnet.ora parameter SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL to allow weak Oracle Database clients to use RADIUS authentication.
                     
Purpose
To allow weak Oracle Database clients, which use non-TCPS protocol for connecting to the Oracle Database server, to use RADIUS authentication.
The default value is FALSE so that only strong clients (using TCPS for connecting to the database server) can use RADIUS authentication.
                        
Usage Notes
- Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
  Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
  The updated RADIUS API uses TCPS as the protocol for secure communication.
- Starting with Oracle AI Database 26ai, users authenticating to the database using the legacy RADIUS API no longer are granted administrative privileges.
  In previous releases, users authenticating with RADIUS API could be granted administrative privileges such as SYSDBA or SYSBACKUP. In Oracle AI Database 26ai, Oracle introduces a new RADIUS API that uses the latest standards. To grant administrative privileges to users, ensure the database connection to the database uses the new RADIUS API, and that you are using the Oracle AI Database 26ai client to connect to the Oracle AI Database 26ai server.
Values
- TRUE: To allow weak database clients to use RADIUS authentication
- FALSE: To allow only strong database clients (and block weak clients) to use RADIUS authentication
Default
FALSE
Example
SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL=FALSE
5.2.73 SQLNET.RADIUS_ALTERNATE
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE to specify an alternate RADIUS server to be used when the primary server is unavailable.
                     
Purpose
To specify the location of an alternate RADIUS server to be used for fault tolerance when the primary server is unavailable. The value can be either the IP address or host name of the server.
Usage Notes
Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
                        
If your database server supports the updated RADIUS standards, then use the SQLNET.RADIUS_ALTERNATE_TLS_HOST parameter instead of the deprecated SQLNET.RADIUS_ALTERNATE parameter.
                        
If you need to enable pre-release 23ai clients to connect RADIUS users using the older RADIUS standards (which are blocked by default), then you must set one or both of the SQLNET.RADIUS_ALLOW_WEAK_CLIENTS and SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL parameters.
                        
Syntax
SQLNET.RADIUS_ALTERNATE=(hostname_or_IP_address_of_alternate_RADIUS_server)
Default
None
Example
SQLNET.RADIUS_ALTERNATE=(radius-server2)
5.2.74 SQLNET.RADIUS_ALTERNATE_PORT
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_PORT to specify the listening port of an alternate RADIUS server.
                     
Purpose
To specify the listening port of an alternate RADIUS server.
Usage Notes
Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
                        
If your database server supports the updated RADIUS standards, then use the SQLNET.RADIUS_ALTERNATE_TLS_PORT parameter instead of the deprecated SQLNET.RADIUS_ALTERNATE_PORT parameter.
                        
If you need to enable pre-release 23ai clients to connect RADIUS users using the older RADIUS standards (which are blocked by default), then you must set one or both of the SQLNET.RADIUS_ALLOW_WEAK_CLIENTS and SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL parameters.
                        
Syntax
SQLNET.RADIUS_ALTERNATE_PORT=(listening_port_of_alternate_RADIUS_server)
Default
1812
Example
SQLNET.RADIUS_ALTERNATE_PORT=(1667)
5.2.75 SQLNET.RADIUS_ALTERNATE_RETRIES
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_RETRIES to specify the number of times that the database resends messages to alternate RADIUS servers.
                     
Purpose
To specify the number of times that the database server should resend messages to an alternate RADIUS server.
Default
3
Example
SQLNET.RADIUS_ALTERNATE_RETRIES=4
5.2.76 SQLNET.RADIUS_ALTERNATE_TIMEOUT
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TIMEOUT to set the time for an alternate RADIUS server to wait for a response.
                     
Purpose
To set the time, in seconds, for an alternate RADIUS server to wait for a response.
Syntax
SQLNET.RADIUS_ALTERNATE_TIMEOUT=time_in_seconds
Default
5
Example
SQLNET.RADIUS_ALTERNATE_TIMEOUT=5
5.2.77 SQLNET.RADIUS_ALTERNATE_TLS_HOST
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TLS_HOST to specify the host name of an alternate RADIUS server to be used when the primary server is unavailable.
                     
Purpose
To specify the host name of an alternate RADIUS server, which is used for fault tolerance when the primary server is unavailable.
Usage Notes
Use this parameter only if your RADIUS server implements RADIUS with TLS over TCP.
Syntax
SQLNET.RADIUS_ALTERNATE_TLS_HOST=(TLS_hostname_of_alternate_RADIUS_server)
Default
None
Example
SQLNET.RADIUS_ALTERNATE_TLS_HOST=(radius-server2)
5.2.78 SQLNET.RADIUS_ALTERNATE_TLS_PORT
Use the sqlnet.ora parameter SQLNET.RADIUS_ALTERNATE_TLS_PORT to specify the listening port of an alternate RADIUS server.
                     
Purpose
To specify the listening port of an alternate RADIUS server. The default port is 2083. If the alternate server uses a different port, then specify that value.
                        
Usage Notes
Use this parameter only if your RADIUS server implements RADIUS with TLS over TCP.
Syntax
SQLNET.RADIUS_ALTERNATE_TLS_PORT=(listening_TLS_port_of_alternate_RADIUS_server)
Default
2083
Example
SQLNET.RADIUS_ALTERNATE_TLS_PORT=(5530)
5.2.79 SQLNET.RADIUS_AUTHENTICATION
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION to specify the location of a primary RADIUS server.
                     
Purpose
To specify the location of a primary RADIUS server. The value can be either the IP address or host name of the server.
Usage Notes
Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
                        
If your database server supports the updated RADIUS standards, then use the SQLNET.RADIUS_AUTHENTICATION_TLS_HOST parameter instead of the deprecated SQLNET.RADIUS_AUTHENTICATION parameter.
                        
If you need to enable pre-release 23ai clients to connect RADIUS users using the older RADIUS standards (which are blocked by default), then you must set one or both of the SQLNET.RADIUS_ALLOW_WEAK_CLIENTS and SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL parameters.
                        
Syntax
SQLNET.RADIUS_AUTHENTICATION=(hostname_or_IP_address_of_primary_RADIUS_server)
Default
Local host
Example
SQLNET.RADIUS_AUTHENTICATION=(radius-server1)
5.2.80 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_INTERFACE to specify the class that contains the user interface for interacting with users.
                     
Purpose
To specify the class containing the user interface that is used to interact with the user.
Default
DefaultRadiusInterface
Example
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
5.2.81 SQLNET.RADIUS_AUTHENTICATION_PORT
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of a primary RADIUS server.
                     
Purpose
To specify the listening port of a primary RADIUS server.
Usage Notes
Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
                        
If your database server supports the updated RADIUS standards, then use the SQLNET.RADIUS_AUTHENTICATION_TLS_PORT parameter instead of the deprecated SQLNET.RADIUS_AUTHENTICATION_PORT parameter.
                        
If you need to enable pre-release 23ai clients to connect RADIUS users using the older RADIUS standards (which are blocked by default), then you must set one or both of the SQLNET.RADIUS_ALLOW_WEAK_CLIENTS and SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL parameters.
                        
Syntax
SQLNET.RADIUS_AUTHENTICATION_PORT=(listening_port_of_primary_RADIUS_server)
Default
1645
Example
SQLNET.RADIUS_AUTHENTICATION_PORT=(1667)
5.2.82 SQLNET.RADIUS_AUTHENTICATION_RETRIES
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_RETRIES to specify the number of times the database should resend messages to a primary RADIUS server.
                     
Purpose
To specify the number of times the database should resend messages to a primary RADIUS server.
Default
3
Example
SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
5.2.83 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TIMEOUT to specify the amount of time that the database should wait for a response from a primary RADIUS server.
                     
Purpose
To specify the amount of time, in seconds, that the database should wait for a response from a primary RADIUS server.
Default
5
Example
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10
5.2.84 SQLNET.RADIUS_AUTHENTICATION_TLS_HOST
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TLS_HOST to specify the host name of a primary RADIUS server.
                     
Purpose
To specify the host name of a primary RADIUS server. This value is mandatory. If you do not set this parameter, then authentication fails.
Usage Notes
Use this parameter only if your RADIUS server implements RADIUS with TLS over TCP.
Syntax
SQLNET.RADIUS_AUTHENTICATION_TLS_HOST=(TLS_hostname_of_primary_RADIUS_server)
Default
None
Example
SQLNET.RADIUS_AUTHENTICATION_TLS_HOST=(radius-server1)
5.2.85 SQLNET.RADIUS_AUTHENTICATION_TLS_PORT
Use the sqlnet.ora parameter SQLNET.RADIUS_AUTHENTICATION_TLS_PORT to specify the listening port of a primary RADIUS server.
                     
Purpose
To specify the listening port of a primary RADIUS server. The default port is 2083. If the server uses a different port, then specify that value.
                        
Usage Notes
Use this parameter only if your RADIUS server implements RADIUS with TLS over TCP.
Syntax
SQLNET.RADIUS_AUTHENTICATION_TLS_PORT=(listening_TLS_port_of_primary_RADIUS_server)
Default
2083
Example
SQLNET.RADIUS_AUTHENTICATION_TLS_PORT=(5530)
5.2.86 SQLNET.RADIUS_CHALLENGE_KEYWORD
Use the sqlnet.ora parameter SQLNET.RADIUS_CHALLENGE_KEYWORD to set the keyword for requesting a challenge from the RADIUS server. 
                     
Purpose
To set the keyword for requesting a challenge from the RADIUS server. By setting the challenge keyword, you let the user avoid using a password on the client to verify identity.
Syntax
SQLNET.RADIUS_CHALLENGE_KEYWORD=keyword
Default
challenge
Example
SQLNET.RADIUS_CHALLENGE_KEYWORD=challenge
5.2.87 SQLNET.RADIUS_CHALLENGE_RESPONSE
Use the sqlnet.ora parameter SQLNET.RADIUS_CHALLENGE_RESPONSE to enable or disable challenge responses.
                     
Purpose
To turn the challenge responses on or off.
Default
off
Values
on | off
Example
SQLNET.RADIUS_CHALLENGE_RESPONSE=on
5.2.88 SQLNET.RADIUS_CLASSPATH
Use the sqlnet.ora parameter SQLNET.RADIUS_CLASSPATH to set the path for Java classes and JDK Java libraries.
                     
Purpose
To set the path for Java classes for a graphical interface, and to set the path to JDK Java libraries.
If you use the challenge-response authentication mode, then RADIUS displays a Java-based graphical interface. This interface first requests a password and then additional information, for example, a dynamic password that the user obtains from a token card.
Syntax
SQLNET.RADIUS_CLASSPATH=path_to_GUI_Java_classes
Default
$ORACLE_HOME/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/sparc/native_threads
Example
SQLNET.RADIUS_CLASSPATH=/jre1.1
5.2.89 SQLNET.RADIUS_SECRET
Use the sqlnet.ora parameter SQLNET.RADIUS_SECRET to specify the location of a RADIUS secret key.
                     
Purpose
To specify the location of a RADIUS secret key.
Usage Notes
For RADIUS with TLS over TCP, the default value is radsec. This value is used if you do not set this parameter in the sqlnet.ora file.
                        
There is no default value for RADIUS with UDP. You must configure this parameter with a directory path to the file containing the secret key. For example:
ORACLE_HOME/network/security/radius.key
Example
SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey
5.2.90 SQLNET.RADIUS_SEND_ACCOUNTING
Use the sqlnet.ora parameter SQLNET.RADIUS_SEND_ACCOUNTING to enable or disable accounting.
                     
Purpose
To turn accounting ON and OFF. When you enable accounting, packets are sent to the active RADIUS server at the listening port number's value plus one. 
                        
Default
OFF
Values
ON | OFF
Example
SQLNET.RADIUS_SEND_ACCOUNTING=ON
5.2.91 SQLNET.RADIUS_TRANSPORT_PROTOCOL
Use the server-side sqlnet.ora parameter SQLNET.RADIUS_TRANSPORT_PROTOCOL to control the transport protocol that the Oracle Database server must use for communicating with the RADIUS server.
                     
Purpose
To specify mutual Transport Layer Security (mTLS), Transport Layer Security (TLS), or User Datagram Protocol (UDP) as the protocol for communication between the Oracle Database server (acting as the RADIUS client) and the RADIUS server.
Usage Notes
- Starting with Oracle AI Database 26ai, the older RADIUS API that is based on Request for Comments (RFC) 2138 is deprecated.
  Oracle AI Database 26ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614. Oracle recommends that you start planning on migrating to use the new RADIUS API as soon as possible. The new API is enabled by default. These parameters associated with the older RADIUS API are also deprecated: SQLNET.RADIUS_ALTERNATE, SQLNET.RADIUS_ALTERNATE_PORT, SQLNET.RADIUS_AUTHENTICATION, and SQLNET.RADIUS_AUTHENTICATION_PORT. Refer to the Radius API documentation for information on changing the default to use the older RADIUS API.
- Both the mTLS and TLS protocols implement the latest RADIUS API standards and enforce stronger security.
  When set to MTLS, a mutual or two-way TLS connection is established between the Oracle Database server and RADIUS server. You must configure an Oracle wallet on the database server to use mTLS. Ensure that the wallet stores RADIUS client user certificates and trusted CA certificates of both the RADIUS client and RADIUS server.
  When set to TLS, a one-way TLS connection is established between the Oracle Database server and RADIUS server. For walletless TLS connections (which do not use a client wallet), the RADIUS client automatically picks up common root certificates from the system default certificate store to verify the RADIUS server certificates. Use this value if your RADIUS server supports TLS (RADIUS over TCP) or TCPS (RADIUS with TLS over TCP).
- If you must use RADIUS with UDP for backward compatibility, then set this parameter to UDP. However, note that RADIUS with UDP uses the older RADIUS API standards and is considered insecure.
- If you omit this parameter value, then the default protocol, mTLS, is used.
Values
MTLS | TLS | UDP
Default
MTLS
Example
SQLNET.RADIUS_TRANSPORT_PROTOCOL=MTLS
5.2.92 SQLNET.RECV_TIMEOUT
Use the sqlnet.ora parameter SQLNET.RECV_TIMEOUT to specify the duration of time that a database client or server should wait for data from a peer after establishing a connection. 
                     
Purpose
To specify the time for a database client or server to wait for data from the peer after establishing a connection. The peer must send data within the time interval that you specify.
You can specify the time in hours, minutes, seconds, or milliseconds by using the hr, min, sec, or ms keyword respectively. If you do not specify a unit of measurement, then the default unit is sec.
                        
Usage Notes
Setting this parameter for clients ensures that receive operations are not left in a wait state indefinitely or for a long period due to an unusual termination of the server process or server busy state. If a client does not receive response data in the time specified, then the client logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. If you set the value, then set the value initially to a low value and adjust the value according to the system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT parameter. 
                        
You can also set this parameter on the server side to specify the time, in ms, sec, or min, for a server to wait for client data after a connection is established. If a client does not send data in the time specified, then the database server logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. Without this parameter, the database server might continue to wait for data from clients that may be down or are experiencing problems. Because the server usually blocks on input from the client, it gets these timeouts frequently if you set the parameter to a low value.
                        
Default
None
Minimum Value
1 ms
Allowed Range
Any number greater than the minimum value of 1 ms up to 4294967295 ms.
                        
Example
SQLNET.RECV_TIMEOUT=10 ms
5.2.93 SQLNET.SEND_TIMEOUT
Use the sqlnet.ora parameter SQLNET.SEND_TIMEOUT to specify the duration of time in which a database must complete send operations to clients after establishing connections.
                     
Purpose
To specify the time for a database to complete send operations to clients after establishing connections.
You can specify the time in hours, minutes, seconds, or milliseconds by using the hr, min, sec, or ms keyword respectively. If you do not specify a unit of measurement, then the default unit is sec.
                        
Usage Notes
Setting this parameter is recommended for environments in which clients shut down occasionally or unusually.
If the database server cannot complete a send operation in the time specified, then it logs ORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server might continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.
                        
You can also set this parameter on the client side to specify the duration of time, in ms, sec, or min, in which the client must complete send operations to the database server after connections are established. It accepts timeouts with or without a space between the value and the unit. If you do not specify a unit of measure, then the default unit is sec. Without this parameter, the client might continue to send requests to a database server that is saturated with requests. If you choose to set the value, then set the value initially to a low value and adjust the value according to system and network capacity.
                        
If necessary, then use this parameter with the SQLNET.RECV_TIMEOUT parameter.
Default
None
Minimum Value
1 ms
Allowed Range
Any number greater than the minimum value of 1 ms up to 4294967295 ms.
                        
Example
SQLNET.SEND_TIMEOUT=3 ms
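The unit rules for SQLNET.RECV_TIMEOUT and SQLNET.SEND_TIMEOUT can be checked before a profile is deployed. The following Python sketch is an added example, not Oracle code: it converts a value to milliseconds using the hr, min, sec, and ms keywords, the default unit of sec, and the 1 ms to 4294967295 ms range stated above. The function names and the sample profile are hypothetical, and treating the unit keywords as case-insensitive is an assumption.

```python
import re

# Unit keywords from the parameter descriptions, expressed in milliseconds.
UNIT_MS = {"ms": 1, "sec": 1000, "min": 60_000, "hr": 3_600_000}
MIN_MS, MAX_MS = 1, 4294967295          # allowed range stated for both parameters
TIMEOUT_PARAMS = ("SQLNET.RECV_TIMEOUT", "SQLNET.SEND_TIMEOUT")

# A number, then an optional unit, with or without a space between them.
_VALUE = re.compile(r"\s*(\d+)\s*([A-Za-z]*)\s*")


def timeout_to_ms(raw):
    """Convert a timeout value such as '10 ms', '3ms' or '5' to milliseconds."""
    match = _VALUE.fullmatch(raw)
    if not match:
        raise ValueError(f"not a timeout value: {raw!r}")
    number = int(match.group(1))
    unit = match.group(2).lower() or "sec"   # no unit given: the default is sec
    if unit not in UNIT_MS:
        raise ValueError(f"unknown unit {unit!r} in {raw!r}")
    millis = number * UNIT_MS[unit]
    if not MIN_MS <= millis <= MAX_MS:
        raise ValueError(f"{raw!r} is {millis} ms, outside {MIN_MS}..{MAX_MS} ms")
    return millis


def effective_timeouts(profile_text):
    """Return {parameter: milliseconds or None} for the two timeout parameters.

    None means the parameter is absent, so no timeout applies (default: None).
    """
    result = {name: None for name in TIMEOUT_PARAMS}
    for line in profile_text.splitlines():
        name, sep, value = line.split("#", 1)[0].partition("=")
        key = name.strip().upper()
        if sep and key in result:
            result[key] = timeout_to_ms(value)
    return result


# Constructed sample profile (not taken from a real system).
SAMPLE_PROFILE = """\
# receive timeout with an explicit unit, send timeout relying on the default unit
SQLNET.RECV_TIMEOUT=10 ms
SQLNET.SEND_TIMEOUT=3
"""

if __name__ == "__main__":
    for name, millis in effective_timeouts(SAMPLE_PROFILE).items():
        print(name, "unset (waits indefinitely)" if millis is None else f"{millis} ms")
```

A value without a unit is read as seconds, so `SQLNET.SEND_TIMEOUT=3` and `SQLNET.SEND_TIMEOUT=3 ms` differ by a factor of 1000.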
5.2.94 SQLNET.URI
Use the sqlnet.ora parameter SQLNET.URI to specify a database client URI mapping on a web server.
                     
Purpose
To specify a database client URI mapping on a web server.
Usage Notes
Use this parameter to customize a URI for mapping the database websocket requests that come into a web server to the back-end database server. Secure websocket handshaking requests are sent with this URI.
Default
/sqlnet
Example 5-6 Example
sqlnet.uri="/my_uri_prefix/database/"
5.2.95 SQLNET.USE_HTTPS_PROXY
Use the sqlnet.ora parameter SQLNET.USE_HTTPS_PROXY to enable forward HTTP proxy tunneling for client connections.
                     
Purpose
To enable forward HTTP proxy tunneling for client connections.
Usage Notes
If set to on, then clients can tunnel secure connections over forward HTTP proxy using the HTTP CONNECT method. This helps access the public cloud database service because it eliminates the requirement to open an outbound port on a client-side firewall. 
                        
This parameter is applicable with Oracle Connection Manager on the server side.
Default
on
Example
SQLNET.USE_HTTPS_PROXY=on
5.2.96 SQLNET.WALLET_OVERRIDE
Use the sqlnet.ora parameter SQLNET.WALLET_OVERRIDE to determine whether a client should override strong authentication credentials with the password credential from the stored wallet. 
                     
Purpose
To determine whether a client should override strong authentication credentials with the password credential from the stored wallet to log in to a database.
Note:
This is a client-side parameter. The SQLNET.WALLET_OVERRIDE=TRUE setting on the database server may break external procedures.
Usage Notes
- When you use wallets for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is enabled so that the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.
  Oracle has introduced a new auto-login wallet version (7) with Oracle AI Database 26ai. Version 6 of the Oracle local auto-login wallet is deprecated.
  You can update your local auto-login wallet by modifying it with orapki.
- Wallet use can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed, and password management policies are enforced without changing application code whenever user names or passwords change.
  Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.
- Middle-tier applications create an Oracle Applications wallet during installation to store an application's identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log in to the database.
  The parameter WALLET_LOCATION is deprecated for use with Oracle AI Database 26ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client or listener.
  For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.
Values
true | false
Example
SQLNET.WALLET_OVERRIDE=true
5.2.97 SSL_ALLOW_WEAK_DN_MATCH
Use the sqlnet.ora parameter SSL_ALLOW_WEAK_DN_MATCH to allow the earlier weaker distinguished name (DN) matching behavior during server-side certificate validation.
                     
Purpose
The SSL_SERVER_DN_MATCH parameter controls the DN matching behavior. DN matching adds another client-side check on both the listener and server certificates to ensure that the certificates are the correct ones that the client expects. 
                        
Starting with Oracle AI Database 26ai, the DN matching behavior is enhanced for better security. You can use the SSL_ALLOW_WEAK_DN_MATCH parameter to revert to the earlier DN matching behavior, that is, checking only the server certificate and allowing a service name check for partial DN matching. 
                        
Usage Notes
This parameter, introduced with Oracle AI Database 26ai, provides you with a longer period of time to adjust to the new DN matching behavior of SSL_SERVER_DN_MATCH. 
                        
The SSL_ALLOW_WEAK_DN_MATCH parameter, though new to Oracle AI Database 26ai, is deprecated and will be removed in a future release. Oracle recommends that you get new certificates or change your DN matching strategy.
                        
Values
- TRUE|ON|YES|1: Allows SSL_SERVER_DN_MATCH to revert to its earlier (pre-Oracle AI Database release 26ai) DN matching behavior. DN matching only checks the server certificate (but not the listener certificate), and allows a service name check for partial DN matching.
- FALSE|OFF|NO|0: Enforces SSL_SERVER_DN_MATCH to use the enhanced DN matching behavior. DN matching checks both the listener and server certificates, and does not allow a service name check for partial DN matching.
Default
FALSE
Example
SSL_ALLOW_WEAK_DN_MATCH=FALSE
5.2.98 SSL_CERTIFICATE_ALIAS
Use the sqlnet.ora or tnsnames.ora parameter SSL_CERTIFICATE_ALIAS to specify the certificate alias to use in Transport Layer Security (TLS) connections.
                     
Purpose
To specify the alias that you provided when storing the client or server certificate in an Oracle Database wallet.
When encrypting TLS connections, both the database client and database server need to provide a signed certificate. You can store this certificate in an Oracle Database wallet or Microsoft Certificate Store (MCS). If there is more than one certificate that can be used, the user or application settings can specify the particular certificate to connect with. This choice can be made manually by the user via graphical user interface (GUI) or automatically by the application using a thumbprint or alias name. A thumbprint or alias name can uniquely identify the certificate.
This parameter instructs the client or server to automatically select a particular certificate using the specified alias name. Thus, the user does not need to manually select the correct client certificate from the list available in a wallet.
Usage Notes
Use this parameter in the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter values specified in the connect string take precedence over the other specified values.
                        
orapki helps you manage certificates and wallets for Oracle Database. To get the alias name value, run the following command:
orapki wallet display -wallet <wallet directory> -pwd <wallet password> -complete
Value
Certificate alias name
Default
None
Examples
- In the tnsnames.ora file:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
      (SECURITY=(SSL_CERTIFICATE_ALIAS=my_cert))
    )
- In the Easy Connect string:
  tcps://salesserver:1521/sales.us.example.com?SSL_CERTIFICATE_ALIAS=my_cert
- In the sqlnet.ora file:
  SSL_CERTIFICATE_ALIAS=my_cert
5.2.99 SSL_CERTIFICATE_THUMBPRINT
Use the sqlnet.ora or tnsnames.ora parameter SSL_CERTIFICATE_THUMBPRINT to specify the certificate thumbprint to use in Transport Layer Security (TLS) connections.
                     
Purpose
To specify the thumbprint signature for an X509 certificate. These thumbprints are automatically generated for certificates.
When encrypting TLS connections, both the database client and database server need to provide a signed certificate. You can store this certificate in an Oracle Database wallet or Microsoft Certificate Store (MCS). If there is more than one certificate that can be used, the user or application settings can specify the particular certificate to connect with. This choice can be made manually by the user via graphical user interface (GUI) or automatically by the application using a thumbprint or alias name. A thumbprint or alias name can uniquely identify the certificate.
This parameter instructs the client or server to automatically select a particular certificate using the specified thumbprint. Thus, the user does not need to manually select the correct certificate from the list available in a certificate store.
Usage Notes
Use this parameter in the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter values specified in the connect string take precedence over the other specified values.
                        
You can specify both the SHA-1 and SHA-256 thumbprint information for the client certificate.
orapki helps you manage certificates and wallets for Oracle Database. To get the thumbprint value, run the following command:
orapki wallet display -wallet <wallet directory> -pwd <wallet password> -complete
Value
SHA-1 or SHA-256 thumbprint of the client certificate, in the <Algorithm>:<Hash> format

For example:
SHA1:1B:11:01:5A:B1:2C:20:B2:12:34:3E:04:7B:83:47:DE:70:2E:4E:11
SHA256:B3:8A:5B:1A:03:63:83:92:2B:5D:E1:53:61:EE:03:94:0A:56:B4:56:41:7E:41:24:41:9B:88:EB:C6:1E:11:23
or
SHA1:1B11015AB12C20B212343E047B8347DE702E4E11
SHA256:B38A5B1A036383922B5DE15361EE03940A56B456417E4124419B88EBC61E1123
Default
None
Examples
- In the tnsnames.ora file:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
      (SECURITY=(SSL_CERTIFICATE_THUMBPRINT=SHA1:1B:11:01:5A:B1:2C:20:B2:12:34:3E:04:7B:83:47:DE:70:2E:4E:11))
    )
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
      (SECURITY=(SSL_CERTIFICATE_THUMBPRINT=SHA1:1B11015AB12C20B212343E047B8347DE702E4E11))
    )
- In the Easy Connect string:
  tcps://salesserver:1521/sales.us.example.com?SSL_CERTIFICATE_THUMBPRINT=SHA1:1B11015AB12C20B212343E047B8347DE702E4E11
- In the sqlnet.ora file:
  SSL_CERTIFICATE_THUMBPRINT=SHA256:B38A5B1A036383922B5DE15361EE03940A56B456417E4124419B88EBC61E1123
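Before pinning a certificate with SSL_CERTIFICATE_THUMBPRINT, it helps to confirm that the configured value really belongs to the certificate you intend to select. The following Python sketch is an added example, not Oracle code: it parses both `<Algorithm>:<Hash>` spellings shown above and compares them with a digest computed from a certificate. It assumes the thumbprint is the standard X.509 fingerprint, that is, the SHA-1 or SHA-256 digest of the DER-encoded certificate; the function names and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import re

# Algorithm label used in the parameter value -> (hashlib name, digest length in bytes)
DIGESTS = {"SHA1": ("sha1", 20), "SHA256": ("sha256", 32)}

# Either colon-separated byte pairs (1B:11:01...) or one contiguous hex string.
_HEX = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*|(?:[0-9A-Fa-f]{2})+")


def parse_thumbprint(value):
    """Split '<Algorithm>:<Hash>' into (algorithm, digest bytes), validating length."""
    algorithm, sep, hex_part = value.strip().partition(":")
    algorithm = algorithm.upper()
    if not sep or algorithm not in DIGESTS:
        raise ValueError(f"expected SHA1:<hash> or SHA256:<hash>, got {value!r}")
    if not _HEX.fullmatch(hex_part):
        raise ValueError(f"hash part is not hex byte pairs: {hex_part!r}")
    digest = bytes.fromhex(hex_part.replace(":", ""))
    if len(digest) != DIGESTS[algorithm][1]:
        raise ValueError(f"{algorithm} thumbprint must be {DIGESTS[algorithm][1]} bytes")
    return algorithm, digest


def thumbprint(der, algorithm="SHA256", colons=False):
    """Format the digest of DER certificate bytes as '<Algorithm>:<Hash>'."""
    digest = hashlib.new(DIGESTS[algorithm][0], der).hexdigest().upper()
    if colons:
        digest = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algorithm}:{digest}"


def matches(configured, der):
    """True if the configured thumbprint identifies this DER certificate."""
    algorithm, expected = parse_thumbprint(configured)
    actual = hashlib.new(DIGESTS[algorithm][0], der).digest()
    return hmac.compare_digest(expected, actual)


# Constructed placeholder bytes standing in for a DER certificate (not a real one).
# For a PEM file, ssl.PEM_cert_to_DER_cert(pem_text) returns the DER bytes to hash.
SAMPLE_DER = b"constructed-sample-der-bytes"

if __name__ == "__main__":
    value = thumbprint(SAMPLE_DER, "SHA256")
    print("SSL_CERTIFICATE_THUMBPRINT=" + value)
    print("matches sample certificate:", matches(value, SAMPLE_DER))
```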
5.2.100 SSL_CERT_REVOCATION
Use the sqlnet.ora parameter SSL_CERT_REVOCATION to configure revocation checks for certificates.
                     
Default
none
Values
- none: disables certificate revocation status checking. This is the default value.
  Note:
  Oracle recommends that you do not set the SSL_CERT_REVOCATION parameter to none because this removes a critical component in certificate-based authentication. Without certificate revocation status checking, you cannot protect against stolen certificates that are used for authentication. Set the none value only in cases where mitigating controls safeguard the use of certificates for authentication, such as network access control lists or Oracle Database Vault policies that limit the database connection to trusted clients.
- requested: to perform certificate revocation if a Certificate Revocation List (CRL) is available. Reject a TLS connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the TLS connection.
- required: to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the TLS connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the TLS connection.
Example
SSL_CERT_REVOCATION=required
5.2.101 SSL_CRL_FILE
Use the sqlnet.ora parameter SSL_CRL_FILE to specify the name of the file in which you assemble the certificate revocation list (CRL) for client authentication.
                     
Purpose
To specify the name of the file where you can assemble the CRL for client authentication.
Usage Notes
This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CRL_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required. 
                        
Syntax
SSL_CRL_FILE=certificate_revocation_list_filename
Default
None
Example
SSL_CRL_FILE=crl.txt
5.2.102 SSL_CRL_PATH
Use the sqlnet.ora parameter SSL_CRL_PATH to specify the destination directory of the certificate revocation list (CRL) for client authentication. 
                     
Purpose
To specify the directory path where CRLs are stored.
Usage Notes
This parameter is only valid if you set SSL_CERT_REVOCATION to either requested or required.
                        
Both DER-encoded (binary format) and PEM-encoded (BASE64) CRLs are supported.
If you want to store CRLs in a local file system directory, then you must use the orapki utility to rename CRLs in your file system so the system can locate them.
                        
Syntax
SSL_CRL_PATH=certificate_revocation_list_path
Default
None
Example
SSL_CRL_PATH=/home/user1/crldir
5.2.103 SSL_CIPHER_SUITES
Use the SSL_CIPHER_SUITES parameter to control the combination of authentication, encryption, and data integrity algorithms used by Transport Layer Security (TLS).
                     
Purpose
To control the combination of authentication, encryption, and data integrity algorithms used by TLS. By default, the strongest protocol and cipher are negotiated between the database client and server. Setting this parameter will override the default behavior. You must use this parameter only if you have internal security controls that dictate the usage of certain protocol versions.
Usage Notes
Starting with Oracle AI Database 26ai, Transport Layer Security protocol versions 1.0 and 1.1 are desupported.
In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle AI Database 26ai.
Enclose the SSL_CIPHER_SUITES parameter value in parentheses. Otherwise, the cipher suite setting does not parse correctly.
                        
Default
None
Values
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256 (non-FIPS only)
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_GCM_SHA256

- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Examples
SSL_CIPHER_SUITES=(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
SSL_CIPHER_SUITES=(TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
5.2.104 SSL_CLIENT_AUTHENTICATION
Use the SSL_CLIENT_AUTHENTICATION parameter to specify whether the database client is authenticated using Transport Layer Security (TLS).
                     
Purpose
To enable client authentication in a TLS connection. The connection can be one-way or two-way (mutual TLS or mTLS).
Usage Notes
When set to TRUE, a two-way TLS connection is initiated. Both the client and server (including the listener) authenticate each other. For example, if you set this parameter to TRUE in the server configuration (server-side sqlnet.ora), then the server attempts to authenticate the client. If you set it to TRUE in the listener configuration (listener.ora), then the listener attempts to authenticate the client.
                        
When set to FALSE, only the client authenticates the server and listener as a one-way TLS connection. For example, if you set this parameter to FALSE in the server configuration, then the server does not authenticate the client. If you set it to FALSE in the listener configuration, then the listener does not authenticate the client.
                        
When set to OPTIONAL, the server behaves as follows:
- If the client sends a certificate, then the connection is completed as a two-way TLS connection after authenticating the client.
- If the client does not send a certificate, then the connection is completed as a one-way TLS connection.
Ensure that this parameter setting is consistent for the server or listener (on one side) and the client (on the other). Otherwise, the connection may fail. For example, if you enable client authentication in the server or listener configuration, then you must enable it in the client configuration.
Default
TRUE
Values
- TRUE|ON|YES|1: To enable mTLS
- FALSE|OFF|NO|0: To enable one-way TLS
- OPTIONAL: To enable both TLS and mTLS
Example
SSL_CLIENT_AUTHENTICATION=FALSE
5.2.105 SSL_DISABLE_WEAK_EC_CURVES
Use the SSL_DISABLE_WEAK_EC_CURVES parameter to disable the use of weak Elliptic Curve Cryptography (ECC) curves. 
                     
Purpose
To disable the use of weak ECC curves with key length less than 256 bits. You can set this parameter in the database server (sqlnet.ora), client (sqlnet.ora or tnsnames.ora connect string), or the listener (listener.ora).
                        
Usage Notes
The Oracle Net Services parameter SSL_DISABLE_WEAK_EC_CURVES is deprecated in Oracle AI Database 26ai.
Elliptic Curve Cryptography (ECC) features in Oracle Net Services, such as those used for secure external password stores, have some curves disabled by default. Oracle and other major vendors disable weak elliptic curves by default to protect systems from known cryptographic vulnerabilities, and to enforce modern security standards. These older, weaker curves can be susceptible to a variety of attacks and may present security risks if used. Because Oracle no longer has ECC curves with key length less than 256 bit enabled, this parameter no longer serves a purpose, and will be removed in a future release. Oracle strongly recommends that you review your configurations to ensure that you follow security best practices.
Note:
SSL_DISABLE_WEAK_EC_CURVES is deprecated in favor of the TLS_KEY_EXCHANGE_GROUPS parameter starting with Oracle AI Database 26ai.

By default, this parameter is set to FALSE to enable the use of all ECC curves. If you want to enable the use of only Oracle approved curves with ECC curve key size of 256 bits or higher, then set this parameter to TRUE.

When set to TRUE, you can use only the following ECC curves:
- secp256r1
- secp384r1
- secp521r1
- x25519
Values
- TRUE|ON|YES|1: To enable only the Oracle approved ECC curves with minimum ECC curve key length of 256 bits
- FALSE|OFF|NO|0: To enable all ECC curves
Default
FALSE
Examples
- In the tnsnames.ora file:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
      (SECURITY=(SSL_DISABLE_WEAK_EC_CURVES=TRUE))
    )
- In the sqlnet.ora file or the listener.ora file:
  SSL_DISABLE_WEAK_EC_CURVES=TRUE
5.2.106 SSL_ENABLE_WEAK_CIPHERS
Use the sqlnet.ora parameter SSL_ENABLE_WEAK_CIPHERS to enable the use of weak Transport Layer Security (TLS) cipher suites. 
                     
Purpose
To enable the use of weak TLS ciphers for backward compatibility. You can set this parameter on both the database server and client.
Usage Notes
By default, this parameter is set to FALSE to block the use of weak ciphers. This simplifies the passing of compliance audits and improves the overall security of your database. If you want to enable the use of weak ciphers, then set this parameter to TRUE.
                        
When set to FALSE, you can use only the following strong ciphers:
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

With the SSL_ENABLE_WEAK_CIPHERS=FALSE setting, if you try to use a weak cipher, then the following error messages appear:
- On the database server: ORA-28860: Fatal SSL error
- On the database client: ORA-29039: There are no matching cipher suites
Values
- TRUE|ON|YES|1: To enable weak ciphers
- FALSE|OFF|NO|0: To disable weak ciphers
Default
FALSE
Example
SSL_ENABLE_WEAK_CIPHERS=FALSE
5.2.107 SSL_EXTENDED_KEY_USAGE
Use the sqlnet.ora parameter SSL_EXTENDED_KEY_USAGE to specify the purpose of certificate keys.
                     
Purpose
To specify the purpose of the key in a certificate.
Usage Notes
When you specify this parameter, Oracle uses the certificate with the matching extended key.
Values
client authentication
Example
SSL_EXTENDED_KEY_USAGE="client authentication"
5.2.108 SSL_SERVER_DN_MATCH
Use the SSL_SERVER_DN_MATCH parameter to enforce server-side certificate validation through distinguished name (DN) matching. 
                     
Purpose
To enforce server-side certificate validation through DN matching.
The purpose of adding this DN matching parameter for the client is to further improve security on a Transport Layer Security (TLS) connection. A TLS connection relies on the client to verify if the database server certificate is valid and signed by a trusted root certificate. The listener and server certificate DN matching adds another client-side check on the listener and server certificates to ensure that the certificates are the correct ones that the client expects.
Usage Notes
- If you set this parameter to TRUE, then in addition to verifying the server's certificate chain, the client enforces another check against the listener and server through DN matching.
- You can configure either partial DN matching or full DN matching.
  Through partial DN matching, the client checks the HOST parameter (in the client sqlnet.ora file or connect string) against a host name in the certificate DN or certificate Subject Alternative Name (SAN) field. The client checks HOST against both the listener and server certificates in this order:
  - The client first compares HOST with a host name in the listener certificate’s DN. For example, CN part of DN: "c=us,o=examplecorporation,cn=sales.us.example.com"
  - If no match is found in the listener certificate’s DN, then the client compares HOST with a host name in the listener certificate’s SAN field. For example: "DNS:sales.us.example.com"
    If no match is found in the listener certificate’s SAN field, then the client does not try connecting to the server and the connection fails.
  - If the listener certificate check succeeds, then the client performs similar checks on the server certificate. That is, the client first compares HOST with a host name in the server certificate’s DN.
  - If no match is found in the server certificate’s DN, then the client compares HOST with a host name in the server certificate’s SAN field.
  Through full DN matching, the client checks the complete DN in SSL_SERVER_CERT_DN against the certificate DN of both the listener and server certificates. To enforce a full DN match, specify the complete DN using the SSL_SERVER_CERT_DN parameter in the tnsnames.ora file or connect string.
- Oracle recommends that you use the same certificate for both the listener and server.
  If you use different certificates with different DNs for the listener and server, then full DN matching fails. In this case, you need to get new certificates with the same DN (for full DN matching) or you need to change your DN matching strategy. If you have configured partial DN matching, then it may also fail if HOST is not found in the certificate DN or SAN fields of both the listener and server certificates.
- Prior to Oracle AI Database 26ai, partial DN matching checked against host name and SAN only in the server certificate. If a match was not found, then along with the host name and SAN, it also checked the SERVICE_NAME parameter. Similarly, full DN matching checked against the complete DN only in the server certificate.
  If you want to revert to the earlier weaker DN matching behavior (that is, checking only the server certificate and allowing a service name check for partial DN matching), then set SSL_ALLOW_WEAK_DN_MATCH=TRUE. However, note that the SSL_ALLOW_WEAK_DN_MATCH parameter is deprecated and will be removed in a future release. Oracle recommends that you get new certificates or change your DN matching strategy.
Default
NO
Values
- YES|ON|TRUE|1: To enforce partial or full DN matching. If the DN matches the host name or SAN in both the listener and server certificates, then the connection succeeds. If the DN does not match the host name or SAN in the server or listener certificate, then the connection fails.
- NO|OFF|FALSE|0: To not enforce DN matching. If the DN does not match the host name or SAN in the server or listener certificate, then the connection is successful, but an error is logged to the sqlnet.log file.
Example
SSL_SERVER_DN_MATCH=YES
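The check order described in the usage notes above, as an added Python model (not Oracle code). It assumes certificates are given as plain dictionaries, DNs contain no escaped commas, and names compare case-insensitively; the function names and sample certificates are constructed for illustration.

```python
# Added model of the client-side DN matching order described in this section.
# Assumptions: certs are dicts {"dn": ..., "san": [...]}, DNs have no escaped
# commas, and comparison is case-insensitive. Wildcard names are not modelled.

def rdns(dn):
    """Split 'c=us,o=example,cn=host' into [('c', 'us'), ...]."""
    pairs = []
    for part in dn.split(","):
        key, _, value = part.partition("=")
        pairs.append((key.strip().lower(), value.strip().lower()))
    return pairs


def host_in_cert(host, cert):
    """Return 'DN', 'SAN' or None, checking the DN's CN before the SAN entries."""
    host = host.lower()
    if ("cn", host) in rdns(cert["dn"]):
        return "DN"
    if "dns:" + host in (s.lower() for s in cert.get("san", [])):
        return "SAN"
    return None


def dn_match(host, listener_cert, server_cert, expected_dn=None, enforce=True):
    """Model the check. expected_dn set -> full DN matching, else partial.

    Returns (connected, trace); trace lists (role, result) in the order checked.
    enforce=False models SSL_SERVER_DN_MATCH=NO: the connection proceeds and a
    mismatch only shows up in the trace (the page says it goes to sqlnet.log).
    """
    trace = []
    for role, cert in (("listener", listener_cert), ("server", server_cert)):
        if expected_dn is not None:
            result = "FULL" if rdns(expected_dn) == rdns(cert["dn"]) else None
        else:
            result = host_in_cert(host, cert)
        trace.append((role, result))
        if result is None and enforce:
            # A listener mismatch stops here: the server is never contacted.
            return False, trace
    return True, trace


# Constructed sample certificates.
HOST = "sales.us.example.com"
LISTENER = {"dn": "c=us,o=examplecorporation,cn=sales.us.example.com", "san": []}
SERVER_SAN = {"dn": "c=us,o=examplecorporation,cn=db01",
              "san": ["DNS:sales.us.example.com"]}
SERVER_OTHER = {"dn": "c=us,o=examplecorporation,cn=db01",
                "san": ["DNS:db01.us.example.com"]}

if __name__ == "__main__":
    print(dn_match(HOST, LISTENER, SERVER_SAN))          # both certificates match
    print(dn_match(HOST, SERVER_OTHER, LISTENER))        # fails at the listener
    print(dn_match(HOST, LISTENER, SERVER_OTHER, enforce=False))
    print(dn_match(HOST, LISTENER, SERVER_SAN,
                   expected_dn="C=US,O=examplecorporation,CN=sales.us.example.com"))
```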
5.2.109 SSL_VERSION
Use the SSL_VERSION parameter to define valid Transport Layer Security (TLS) versions to be used for connections.
                     
Purpose
To define the version of TLS that must run on the systems with which the database server communicates. By default, the database server and client negotiate the strongest security protocol. Oracle does not recommend modifying this parameter, unless your security requirements mandate the usage of certain protocol versions.
Usage Notes
- Clients, listeners, and database servers must use compatible versions. Modify this parameter only when necessary to enforce the use of the more secure TLS protocol and not allow clients that only work with the older TLS protocols. The current default uses TLS 1.3, which is the version required for multiple security compliance requirements. If you need to specify TLS 1.2, then also include TLS 1.3 to allow more secure connections.
- In addition to sqlnet.ora, listener.ora, and cman.ora, you can specify this parameter under the SECURITY section of tnsnames.ora or directly as part of the connect string. The parameter value specified in the connect string takes precedence over the other specified values.
- Starting with Oracle AI Database 26ai, the use of Transport Layer Security protocol versions 1.0 and 1.1 is desupported.
  In most cases, this change will not have any impact, because the database client and server will negotiate the use of the most secure protocol and cipher algorithm. However, if TLS 1.0 or 1.1 has been specified, then you must either remove it to allow the database server and client to pick the most secure protocol, or you must specify either TLS 1.2, or TLS 1.3, or both, for the protocol. Oracle recommends using the latest, most secure protocol. That protocol is TLS 1.3, which is introduced with Oracle AI Database 26ai.
- Starting with Oracle AI Database 26ai, the Secure Socket Layer v3 protocol (SSLv3) is no longer supported for database server-client connections, and the sqlnet.ora parameter ADD_SSLV3_TO_DEFAULT has been removed.
  SSLv3 is a much less secure protocol to secure the database server-to-client connection. Instead of using SSLv3, allow the database server and client to negotiate the most secure protocol that is common between the server and the client. Oracle AI Database 26ai provides TLS 1.2 and TLS 1.3 protocols for certificate-based network encryption.
- If you set SSL_VERSION to undetermined, then the most secure TLS protocol version is used. You can also use the SSL_VERSION=undetermined setting in the connect string for a specific connection to override the SSL_VERSION value configured in the sqlnet.ora, listener.ora, or cman.ora file.
- If you do not set SSL_VERSION to any value, then all the supported TLS protocol versions are tried starting with the most secure version. This is typically the most common configuration, ensuring that the strongest protocol is chosen during TLS negotiation.
Values
undetermined | TLSv1.2 | TLSv1.3
Default
undetermined
Syntax and Examples
- To specify a single protocol version:
  SSL_VERSION=TLS_protocol_version
  For example:
  SSL_VERSION=TLSv1.3
- To specify multiple protocol versions, use a comma-separated string of values, enclosed in parentheses:
  SSL_VERSION=(TLS_protocol_version1,TLS_protocol_version2)
  For example:
  SSL_VERSION=(TLSv1.2,TLSv1.3)
  Note:
  Do not enclose protocol versions in parentheses while specifying this parameter in the tnsnames.ora file or as part of the connect string, otherwise the setting will not parse correctly. For example:
  net_service_name=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=tcps)(HOST=salesserver)(PORT=1522))
      (SECURITY=(SSL_VERSION=TLSv1.2,TLSv1.3))
    )
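A configuration check for the TLS parameters covered in sections 5.2.105 through 5.2.109, written here as an added Python example (not an Oracle tool) for a client-side sqlnet.ora. It assumes single-line NAME=value entries with "#" comments; the two sample profiles are constructed, and TLSv1.1 in the first one stands in for a legacy setting.

```python
# Added example: audits the TLS parameters described on this page.
# Assumption: only single-line NAME=value and NAME=(v1, v2) entries are
# interpreted; "#" starts a comment. Multi-line values are not handled.

# Strong suites listed on this page for SSL_ENABLE_WEAK_CIPHERS=FALSE.
STRONG_SUITES = {
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
TRUE_VALUES = {"TRUE", "ON", "YES", "1"}
SUPPORTED_VERSIONS = {"UNDETERMINED", "TLSV1.2", "TLSV1.3"}


def parse_profile(text):
    """Return {PARAM: [values]} with parameter names upper-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            continue
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        items = [v.strip().strip('"') for v in value.split(",")]
        params[name.strip().upper()] = [v for v in items if v]
    return params


def _flag(params, name):
    """True when the parameter is present and set to TRUE|ON|YES|1."""
    values = params.get(name, [])
    return bool(values) and values[0].upper() in TRUE_VALUES


def audit(text):
    """Return a list of (parameter, finding) tuples; empty means nothing flagged."""
    p = parse_profile(text)
    findings = []
    versions = p.get("SSL_VERSION", [])
    bad = [v for v in versions if v.upper() not in SUPPORTED_VERSIONS]
    if bad:
        findings.append(("SSL_VERSION", "not a supported value: " + ", ".join(bad)))
    elif [v.upper() for v in versions] == ["TLSV1.2"]:
        findings.append(("SSL_VERSION", "TLS 1.2 only; also include TLSv1.3"))
    if _flag(p, "SSL_ENABLE_WEAK_CIPHERS"):
        findings.append(("SSL_ENABLE_WEAK_CIPHERS", "weak cipher suites are enabled"))
    weak = [s for s in p.get("SSL_CIPHER_SUITES", []) if s.upper() not in STRONG_SUITES]
    if weak:
        findings.append(("SSL_CIPHER_SUITES", "not in the strong list: " + ", ".join(weak)))
    if not _flag(p, "SSL_SERVER_DN_MATCH"):
        findings.append(("SSL_SERVER_DN_MATCH", "DN matching is not enforced"))
    if _flag(p, "SSL_ALLOW_WEAK_DN_MATCH"):
        findings.append(("SSL_ALLOW_WEAK_DN_MATCH", "pre-26ai weak DN matching is re-enabled"))
    if "SSL_DISABLE_WEAK_EC_CURVES" in p:
        findings.append(("SSL_DISABLE_WEAK_EC_CURVES", "deprecated; see TLS_KEY_EXCHANGE_GROUPS"))
    return findings


# Constructed sample profiles.
LEGACY = """\
# carried over from an older client install
SSL_VERSION=(TLSv1.1,TLSv1.2)
SSL_ENABLE_WEAK_CIPHERS=TRUE
SSL_CIPHER_SUITES=(TLS_RSA_WITH_AES_128_CBC_SHA, TLS_AES_256_GCM_SHA384)
SSL_ALLOW_WEAK_DN_MATCH=TRUE
SSL_DISABLE_WEAK_EC_CURVES=TRUE
"""
HARDENED = """\
SSL_VERSION=(TLSv1.2,TLSv1.3)
SSL_ENABLE_WEAK_CIPHERS=FALSE
SSL_CIPHER_SUITES=(TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
SSL_SERVER_DN_MATCH=YES
"""

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label)
        for name, finding in audit(text) or [("-", "no findings")]:
            print("  %s: %s" % (name, finding))
```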
5.2.110 TCP.ALLOWED_PROXIES
Use the sqlnet.ora parameter TCP.ALLOWED_PROXIES to specify a list of the Oracle Connection Manager (CMAN) addresses that can forward client IP address to the database server.
                     
Purpose
To specify a list of the CMAN addresses (IP addresses or host names) that can forward client IP address to the database server.
Usage Notes
Use this parameter in the server-side sqlnet.ora file to list the allowed CMAN instances. 
                        
In addition to the TCP.ALLOWED_PROXIES parameter, you must set the ENABLE_IP_FORWARDING parameter in the cman.ora file to enable client address forwarding. CMAN will forward client address only if ENABLE_IP_FORWARDING is set to ON. 
                        
You can use the SYS_CONTEXT ('USERENV','IP_ADDRESS') function to query the forwarded client address details.
                        
Default
None
Value
A comma-separated list of IP addresses or host names from which you want to allow client address forwarding.
Example
TCP.ALLOWED_PROXIES=(10.1.1.1/24,cmanhost1.example.com)
5.2.111 TCP.CONNECT_TIMEOUT
Use the sqlnet.ora parameter TCP.CONNECT_TIMEOUT to specify the amount of time in which a client must establish TCP connections to database servers.
                     
Purpose
To specify the time in ms, sec, or min, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server. 
                        
Usage Notes
If a TCP connection to the database is not established in the specified amount of time, then the connection attempt ends. The client receives the following error:
ORA-12170: Cannot connect. TCP connect timeout of time_interval for host_port or key. (CONNECTION_ID=ID_string).
                        
The timeout applies to each IP address that resolves to a host name. It accepts different timeouts with or without space between the value and the unit. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice because there are two IP addresses. In this example, the default timeout setting of 60 causes a timeout in 120 seconds. If you do not specify a unit of measure, then the default unit is sec.
                        
Default
60
Example
TCP.CONNECT_TIMEOUT=10 ms
5.2.112 TCP.EXCLUDED_NODES
Use the sqlnet.ora parameter TCP.EXCLUDED_NODES to specify which clients are denied access to the database. 
                     
Purpose
To specify which clients are denied access to the database.
Usage Notes
This parameter is only valid when you set the TCP.VALIDNODE_CHECKING parameter to yes.
                        
You can use wildcards in this parameter for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.
Syntax
TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Example
TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.0.2.25, 172.30.*, 2001:DB8:200C:417A/32)
5.2.113 TCP.INVITED_NODES
Use the sqlnet.ora parameter TCP.INVITED_NODES to specify which clients are allowed access to the database.
                     
Purpose
To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.
                        
Syntax
TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Usage Notes
- This parameter is only valid when you set the TCP.VALIDNODE_CHECKING parameter to yes.
- This parameter accepts wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.
Example
TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.0.*, 2001:DB8:200C:433B/32)
5.2.114 TCP.NODELAY
Use the sqlnet.ora parameter TCP.NODELAY to preempt delays in buffer flushing within the TCP/IP protocol stack.
                     
Purpose
To preempt delays in buffer flushing within the TCP/IP protocol stack.
Default
yes
Values
yes | no
Example
TCP.NODELAY=yes
5.2.115 TCP.QUEUESIZE
Use the sqlnet.ora parameter TCP.QUEUESIZE to configure the maximum length of queues for pending connections on TCP listening sockets.
Purpose
To configure the maximum length of the queue for pending connections on a TCP listening socket.
Default
System-defined maximum value. The defined maximum value for Linux is 128.
Values
Any integer value up to the system-defined maximum.
Examples
TCP.QUEUESIZE=100
5.2.116 TCP.VALIDNODE_CHECKING
Use the sqlnet.ora parameter TCP.VALIDNODE_CHECKING to enable and disable valid node checking for incoming connections.
                     
Purpose
To enable and disable valid node checking for incoming connections.
Usage Notes
If you set this parameter to yes, then incoming connections are allowed only if the connections originate from a node that conforms to a list that you specified in the TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.
                        
The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when you set the TCP.VALIDNODE_CHECKING parameter to yes. 
                        
You must set this parameter and the dependent parameters, TCP.INVITED_NODES and TCP.EXCLUDED_NODES, in the sqlnet.ora file of the listener. This is important in Oracle RAC environments where listeners run from the Oracle Grid Infrastructure home. Setting the parameter in the database home does not have an effect in Oracle RAC environments. In such environments, you must include the addresses of all Single Client Access Names (SCANs), Virtual IPs (VIPs), and the local IP in the TCP.INVITED_NODES list.

In VLAN environments, the sqlnet.ora file present in the Oracle Grid Infrastructure homes should include all of the addresses of all of the VLANs. The VLANs perform the network segregation, whereas the values that are set for INVITED_NODES enable or restrict access to databases within the VLANs.
                        
If multiple databases within the same VLAN require different INVITED_NODE lists, then you must configure separate listeners.
                        
Default
no
Values
yes | no
Example
TCP.VALIDNODE_CHECKING=yes
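How TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES combine, as an added Python model for reviewing a listener profile before deploying it (not Oracle code). It assumes a trailing `*` covers the remaining IPv4 octets, that host names resolve through a constructed lookup table, and that a client matching no invited entry is denied when an invited list exists; all sample addresses are constructed.

```python
# Added model of valid node checking as described in sections 5.2.112,
# 5.2.113 and 5.2.116. Assumptions are marked where they are made.
import ipaddress


def parse_node_list(value):
    """'(a, b, c)' -> ['a', 'b', 'c']; an empty value gives []."""
    return [item.strip() for item in value.strip().strip("()").split(",") if item.strip()]


def entry_matches(entry, client_ip, resolve):
    """True when one list entry (wildcard, CIDR, address or host name) covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if "*" in entry:
        # The page allows wildcards for IPv4 only.
        if ip.version != 4:
            return False
        pattern = entry.split(".")
        pattern += ["*"] * (4 - len(pattern))   # assumption: "172.30.*" covers 172.30.x.y
        return all(p in ("*", o) for p, o in zip(pattern, str(ip).split(".")))
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False                        # entry this model cannot interpret
        return ip.version == net.version and ip in net
    try:
        return ip == ipaddress.ip_address(entry)
    except ValueError:
        # Not an address: treat as a host name and compare its resolved addresses.
        return any(ip == ipaddress.ip_address(a) for a in resolve(entry))


def admits(client_ip, profile, resolve=lambda host: []):
    """Return (allowed, reason) for a client address under the given parameters."""
    if profile.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        return True, "valid node checking is off, lists ignored"
    invited = parse_node_list(profile.get("TCP.INVITED_NODES", ""))
    excluded = parse_node_list(profile.get("TCP.EXCLUDED_NODES", ""))
    if invited:
        # The invited list takes precedence: the excluded list is not consulted.
        for entry in invited:
            if entry_matches(entry, client_ip, resolve):
                return True, "invited by " + entry
        return False, "not in TCP.INVITED_NODES"
    for entry in excluded:
        if entry_matches(entry, client_ip, resolve):
            return False, "excluded by " + entry
    return True, "not in TCP.EXCLUDED_NODES"


# Constructed samples.
HOSTS = {"sales.us.example.com": ["198.51.100.7"]}


def lookup(host):
    return HOSTS.get(host, [])


BOTH = {
    "TCP.VALIDNODE_CHECKING": "yes",
    "TCP.INVITED_NODES": "(sales.us.example.com, 192.0.*, 2001:db8::/32)",
    "TCP.EXCLUDED_NODES": "(192.0.2.25, 172.30.*)",
}
EXCLUDED_ONLY = {
    "TCP.VALIDNODE_CHECKING": "yes",
    "TCP.EXCLUDED_NODES": "(192.0.2.25, 172.30.*)",
}

if __name__ == "__main__":
    for ip in ("192.0.2.25", "172.30.1.1", "198.51.100.7", "2001:db8:200c:417a::1"):
        print(ip, admits(ip, BOTH, lookup), admits(ip, EXCLUDED_ONLY, lookup))
```

The first sample address is worth noting during review: 192.0.2.25 is on the excluded list but is still admitted under BOTH, because the invited wildcard covers it and the invited list wins.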
5.2.117 TENANT_ID
Use the TENANT_ID parameter to specify the ID of your Microsoft Entra ID tenant.
                     
Purpose
To specify the ID of the Entra ID tenant in which your Entra ID application is registered. This is the Azure tenancy ID that uniquely identifies your database instance in Entra ID.
Usage Notes
- You use this parameter along with the TOKEN_AUTH parameter for the AZURE_INTERACTIVE, AZURE_SERVICE_PRINCIPAL, AZURE_MANAGED_IDENTITY, and AZURE_DEVICE_CODE token-based authentication flows.
- This parameter is mandatory for the thick clients (OCI and Instant Client). It is optional when using the JDBC-thin clients and ODP.NET core and managed database clients.
  When using the JDBC-thin clients and ODP.NET core and managed database clients, if you have configured the Azure SDKs, then the client driver automatically searches for the tenant ID in the SDK configuration. If you have not configured the SDKs, then you must set this parameter.
  When using the OCI and Instant Clients (which do not use the Azure SDKs), you must set this parameter (along with other required parameters, such as CLIENT_ID). Otherwise, an error message appears prompting you to configure the required parameters.
- For the JDBC-thin clients, you can specify this parameter in the connect string, Easy Connect syntax, tnsnames.ora file, or properties. For the thick clients (OCI and Instant Client) and ODP.NET core and managed database clients, you can specify this parameter in the connect string, sqlnet.ora file, Easy Connect syntax, or tnsnames.ora file. The parameter value specified in the connect string takes precedence.
Default
None
Value
You can get the tenant ID value by logging in to the Azure portal. This is listed as Tenant ID on the Tenant Properties page.
Examples
tnsnames.ora file:
net_service_name=
    (DESCRIPTION =
       (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
       (SECURITY=
          (SSL_SERVER_DN_MATCH=TRUE)
          (SSL_SERVER_CERT_DN="C=US,O=example,CN=OracleContext")
          (TOKEN_AUTH=AZURE_INTERACTIVE)
          (AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3)
          (TENANT_ID=1a123ab1-a1b1-1a2b-a1b2-a12bcdab0123)
          (REDIRECT_URI=http://localhost:1575))
       (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
     )
sqlnet.ora file:
SSL_SERVER_DN_MATCH=TRUE
TOKEN_AUTH=AZURE_INTERACTIVE
AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3
TENANT_ID=1a123ab1-a1b1-1a2b-a1b2-a12bcdab0123
REDIRECT_URI=http://localhost:1575
Easy Connect syntax:
tcps:sales-svr:1521/sales.us.example.com?TOKEN_AUTH=AZURE_INTERACTIVE&AZURE_DB_APP_ID_URI=https://application.example.com/123ab4cd-1a2b-1234-a12b-aa00123b2cd3&TENANT_ID=1a123ab1-a1b1-1a2b-a1b2-a12bcdab0123&REDIRECT_URI=http://localhost:1575

In these examples, the CLIENT_ID parameter is not specified. CLIENT_ID is required when using the thick clients (OCI and Instant Client). This parameter is optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get this value from the Azure SDK configuration.
5.2.118 TNSPING.TRACE_DIRECTORY
Use the sqlnet.ora parameter TNSPING.TRACE_DIRECTORY to specify the destination directory for the TNSPING utility trace file, tnsping.trc. 
                     
Purpose
To specify the destination directory for the TNSPING utility trace file, tnsping.trc.
                        
Default
The ORACLE_HOME/network/trace directory.
                        
Example
TNSPING.TRACE_DIRECTORY=/oracle/traces
5.2.119 TNSPING.TRACE_LEVEL
Use the sqlnet.ora parameter TNSPING.TRACE_LEVEL to enable or disable TNSPING utility tracing at a specified level.
                     
Purpose
To enable or disable TNSPING utility tracing at a specified level.
Default
off
Values
- off for no trace output
- user for user trace information
- admin for administration trace information
- support for Oracle Support Services trace information
Example
TNSPING.TRACE_LEVEL=admin
5.2.120 TOKEN_AUTH
Use the TOKEN_AUTH parameter to configure token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) or Microsoft Azure users of Microsoft Entra ID (previously called Microsoft Azure Active Directory).
                     
Purpose
Token-based access enforces strong authentication, which enables a more secure access to the database. IAM users can connect to OCI Database as a Service (DBaaS) databases, and Azure users can connect to Oracle Databases (cloud or on-premises).
With this setting, when a / (slash) login is used, the Oracle Database client either looks for a token file or directly gets the token using single-sign on (SSO) credentials.
                        
Use this parameter under the SECURITY section of the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter value specified in the connect string takes precedence over the other specified values.
                        
Usage Notes for IAM
- OCI IAM token:
  An OCI IAM token (db-token), which is obtained from IAM using Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI) or programmatically from the OCI Software Development Kit (SDK), is a proof-of-possession (PoP) token with an expiration time and scope.
  You can use one of the IAM user credentials, such as API-key, security token, resource principal, instance principal, or delegation token to retrieve the db-token and private key from IAM.
  These tokens are transmitted over secure channels. You must use only the TCP/IP with Transport Layer Security (TLS) protocol, otherwise an error message appears indicating that non-TLS connections are disallowed.
- Required setting for token-based authentication:
  You must configure the TCPS protocol (PROTOCOL=tcps) and set the SSL_SERVER_DN_MATCH parameter to TRUE for token-based authentication.
- Use a file location to send the token to Oracle Database:
  When an IAM user logs in using /@connect_identifier (and TOKEN_AUTH is set to OCI_TOKEN), the TOKEN_AUTH=OCI_TOKEN setting along with /@connect_identifier instructs the database client to get the db-token and private key from either the default directory or the location specified by TOKEN_LOCATION.
- Use the client API to send the token to Oracle Database:
  If your client application is updated to retrieve tokens from IAM, then you can override the TOKEN_AUTH=OCI_TOKEN setting. The client application gets the db-token and private key from IAM and sends them as attributes to the database client using the client API. In this case, you do not need to specify the TOKEN_AUTH and TOKEN_LOCATION parameters.
- General IAM token-based authentication process:
  - An IAM user or application in OCI first requests the db-token from IAM by using API-key, security token, resource principal, service principal, instance principal, or delegation token (delegation token is available only in the Cloud Shell).
    To use a security token, you need to generate it by completing the browser authentication process and then request the db-token using that security token. If the IAM policy that authorizes you to be issued the db-token exists, then the db-token is returned.
    You request the db-token using OCI CLI (or OCI SDK for applications). For example, run the following OCI CLI command to request the db-token by using an API-key (apikey):
    $ oci iam db-token get --profile scott
    The profile option specifies the profile for which you want to access the IAM user credentials and retrieve the db-token.
    For more information on using OCI CLI, see the get command details in Oracle Cloud Infrastructure CLI Command Reference.
  - OCI CLI references the config file (that stores your IAM user credentials as part of the profile) and makes a call to IAM to get the db-token. The db-token and private key files are written at the default or specified token location.
  - You can specify the TOKEN_LOCATION parameter to override the default directory where the db-token and private key files are stored.
    The database client gets the db-token and private key from the default token location or the location specified by TOKEN_LOCATION, signs the db-token with the private key and sends it to the database server. The database server verifies the db-token and gets the group membership information for the user. If the IAM user is mapped to a database schema (exclusively or shared), then the login is completed.
 - 
                              
Use an Oracle Database client to directly send the token to Oracle Database:
This feature is available in environments that use the JDBC-thin clients and ODP.NET core and managed database clients. For the JDBC-thin clients, you can set this in the
tnsnames.oraor Easy Connect connect string. For the ODP.NET core and managed database clients, you can set this in thesqlnet.ora,tnsnames.ora, or Easy Connect connect string. The parameter value specified in the connect string takes precedence.To configure this feature for the JDBC-thin clients, see Oracle Database JDBC Developer's Guide and for the ODP.NET clients, see Oracle Data Provider for .NET Developer's Guide.
The following authentication flows enable the database client to directly retrieve the db-token with IAM SSO credentials:
- OCI Interactive:
  TOKEN_AUTH=OCI_INTERACTIVE specifies the OCI Interactive flow. This authenticates the token request interactively using a web browser, and is useful for client-side web applications or desktop applications.
  The database client gets a default profile (named DEFAULT) from the OCI configuration file, which is stored either in the default directory or at the location specified by the OCI_CONFIG_FILE parameter. After validating the user's region against a list of valid regions, the client launches an authentication request to the user in a web browser, prompting to log in using the IAM user name and password along with any additional factors required by IAM.
  Optionally, you can override the DEFAULT profile set in the configuration file by specifying the OCI_PROFILE parameter.
- OCI API Key:
  TOKEN_AUTH=OCI_API_KEY specifies the OCI API Key flow. This authenticates the token request with IAM using an IAM-recognized API-key.
  The database client reads the file system location of the API-key from the user's DEFAULT profile in the OCI configuration file, from either the default configuration file directory or the location specified by OCI_CONFIG_FILE.
  Optionally, you can override the user's DEFAULT profile set in the configuration file by specifying the OCI_PROFILE parameter.
- OCI Instance Principal:
  TOKEN_AUTH=OCI_INSTANCE_PRINCIPAL specifies the OCI Instance Principal flow. This authenticates the token request with IAM as an OCI instance principal for applications running on OCI compute instances.
- OCI Delegation Token:
  TOKEN_AUTH=OCI_DELEGATION_TOKEN specifies the OCI Delegation Token flow. This authenticates the token request with IAM using a delegation token for applications running in an OCI Cloud Shell.
- OCI Resource Principal:
  TOKEN_AUTH=OCI_RESOURCE_PRINCIPAL specifies the OCI Resource Principal flow. This authenticates the token request with IAM as an OCI resource principal for applications running in a container (as an OCI function).
- Default:
  TOKEN_AUTH=OCI_DEFAULT specifies the Default flow. With this setting, the client driver reads the predefined environment variables from the SDK configuration, evaluates each authentication flow in a sequence, and then assigns the most appropriate flow based on the environment where the application is running.
  Sequence in which the driver evaluates each authentication flow with OCI_DEFAULT:
  - OCI API Key: The driver first checks if a configuration file is present at the location specified by the OCI_CONFIG_FILE parameter or at the default location ($HOME/.oci/config). The driver then checks if the file contains a profile matching the name configured by the OCI_PROFILE parameter or the default name (DEFAULT). Finally, the driver checks if the profile is configured with an entry named key_file. If all of these checks succeed, then authentication with an API key is used. If any of these checks fail, then the driver proceeds to the next step.
  - OCI Delegation Token: The driver first checks if the OCI_CONFIG_FILE environment variable is set. The driver then checks if a file is present at the location configured by the OCI_CONFIG_FILE environment variable. The driver then checks if the file contains a profile named DEFAULT. Finally, the driver checks if the profile is configured with an entry named delegation_token_file. If all of these checks succeed, then authentication with a delegation token is used. If any of these checks fail, then the driver proceeds to the next step.
  - OCI Resource Principal: The driver first checks if the OCI_RESOURCE_PRINCIPAL_VERSION environment variable is set. The driver then checks if the variable is set to version 2.2 or 1.1. If the variable is set to 2.2, the driver then checks if the OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM, OCI_RESOURCE_PRINCIPAL_RPST, and OCI_RESOURCE_PRINCIPAL_REGION environment variables are also set. Otherwise, if the variable is set to 1.1, then the driver checks if the OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT environment variable is also set. If the required variables for a version are set, then authentication as a resource principal is used. If any variable is not set, then the driver proceeds to the next step.
  - OCI Instance Principal: The driver requests a certificate from the instance metadata service. The base URL of the service is http://169.254.169.254/opc/v2/. However, a fallback URL of http://169.254.169.254/opc/v1/ is used if the v2 service request fails. If a request to the v2 or v1 service succeeds, then authentication as an instance principal is used. If the request fails, then the driver proceeds to the next step.
  - The driver reports an error indicating that authentication is not possible using any of the authentication flows.
You also need to specify the OCI_DATABASE and OCI_COMPARTMENT parameters for all these authentication flows, if the OCI database token policy limits you to access only a particular database or databases within a compartment.
Note:
You can also use another IAM credential, IAM database password, to request the db-token from IAM. This db-token is a bearer token and does not come with a private key. You can configure the database client to request this token using your IAM user name and IAM database password. An application cannot pass this type of db-token to the client. In this case, you use a different parameter setting (PASSWORD_AUTH=OCI_TOKEN). 
                           
Unlike the API-key, security token, resource principal, service principal, instance principal, and delegation token that require an application or tool to get a token, the IAM database password can only be used by the database client to retrieve the token. See PASSWORD_AUTH.
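The OCI_DEFAULT evaluation sequence described above decides which credential a client ends up using, so it is worth checking before deployment. The following is an added example, not Oracle driver code: it models the documented order only, and the function names, the files mapping that stands in for the file system, and the imds_reachable flag that stands in for the metadata request are all hypothetical.

```python
import configparser

# Environment variables each resource principal version needs (from the page).
RP_REQUIRED = {
    "2.2": ("OCI_RESOURCE_PRINCIPAL_PRIVATE_PEM",
            "OCI_RESOURCE_PRINCIPAL_RPST",
            "OCI_RESOURCE_PRINCIPAL_REGION"),
    "1.1": ("OCI_RESOURCE_PRINCIPAL_RPT_ENDPOINT",),
}


def read_profile(files, path, name):
    """Return profile `name` from the config text at `path` as a dict, or None."""
    text = files.get(path)
    if text is None:
        return None
    # Treat [DEFAULT] as an ordinary profile, not as configparser's inherited
    # defaults, so the checks follow the page's wording literally (assumption).
    parser = configparser.ConfigParser(default_section="__unused__",
                                       interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return dict(parser[name]) if parser.has_section(name) else None


def predict_oci_default_flow(params, env, files, imds_reachable):
    """Walk the documented OCI_DEFAULT sequence; return (flow, skipped_reasons).

    params          driver parameters (OCI_CONFIG_FILE, OCI_PROFILE)
    env             process environment variables
    files           {path: text}, hypothetical stand-in for the file system
    imds_reachable  hypothetical stand-in for the metadata request (v2, then v1)
    """
    skipped = []

    # 1. API key: config file -> named profile -> key_file entry.
    path = params.get("OCI_CONFIG_FILE") or env.get("HOME", "") + "/.oci/config"
    name = params.get("OCI_PROFILE") or "DEFAULT"
    profile = read_profile(files, path, name)
    if profile is not None and "key_file" in profile:
        return "OCI_API_KEY", skipped
    skipped.append(f"API key: no key_file in profile {name} of {path}")

    # 2. Delegation token: only the OCI_CONFIG_FILE environment variable and
    #    the DEFAULT profile are consulted at this step.
    env_path = env.get("OCI_CONFIG_FILE")
    profile = read_profile(files, env_path, "DEFAULT") if env_path else None
    if profile is not None and "delegation_token_file" in profile:
        return "OCI_DELEGATION_TOKEN", skipped
    skipped.append("delegation token: OCI_CONFIG_FILE env var unset or "
                   "no delegation_token_file in DEFAULT")

    # 3. Resource principal: version 2.2 or 1.1 plus that version's variables.
    version = env.get("OCI_RESOURCE_PRINCIPAL_VERSION")
    required = RP_REQUIRED.get(version)
    if required and all(var in env for var in required):
        return "OCI_RESOURCE_PRINCIPAL", skipped
    skipped.append(f"resource principal: version={version!r} or a required "
                   "variable is missing")

    # 4. Instance principal: certificate request to the metadata service.
    if imds_reachable:
        return "OCI_INSTANCE_PRINCIPAL", skipped
    skipped.append("instance principal: metadata service request failed")

    # 5. Nothing matched: the driver reports an error.
    return None, skipped


# Constructed sample: a compute instance that still has a personal config file.
SAMPLE_ENV = {"HOME": "/home/appuser"}
SAMPLE_FILES = {
    "/home/appuser/.oci/config":
        "[DEFAULT]\nuser=ocid1.user.oc1..exampleuser\n"
        "key_file=/home/appuser/.oci/oci_api_key.pem\n",
}

if __name__ == "__main__":
    for label, files in (("leftover config", SAMPLE_FILES), ("config removed", {})):
        flow, skipped = predict_oci_default_flow({}, SAMPLE_ENV, files, True)
        print(f"{label}: {flow}; skipped={skipped}")
```

On the constructed instance, the leftover API-key profile is selected before the instance principal is ever tried, which is the kind of precedence surprise this check is meant to surface.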
Default Setting for IAM
None
Table 5-2 Values and Examples for IAM
| Value | Example | 
|---|---|
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the optional   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the optional   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the optional   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                    sqlnet.ora file: | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                    sqlnet.ora file: | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                    sqlnet.ora file: | 
                                 
Usage Notes for Entra ID
- Entra ID access token:
  An Entra ID OAuth2 access token is a bearer token with an expiration time and scope. This token follows the OAuth2.0 standard with Entra ID extensions. You can request these tokens from tools and scripts run on Linux, Microsoft PowerShell, or other environments. You can also request these tokens programmatically using the Microsoft SDKs.
  These tokens are transmitted over secure channels. You must use only the TCP/IP with Transport Layer Security (TLS) protocol, otherwise an error message appears indicating that non-TLS connections are disallowed.
- Required setting for token-based authentication:
  You must configure the TCPS protocol (PROTOCOL=tcps) and set the SSL_SERVER_DN_MATCH parameter to TRUE for token-based authentication.
- Use a file location to send the token to Oracle Database:
  When an Azure user logs in using /@connect_identifier (and TOKEN_AUTH is set to OAUTH), the TOKEN_AUTH=OAUTH setting instructs the database client to get the access token from the directory location specified by TOKEN_LOCATION if the token file is named token. If the token file name is different from token, then you must use the file name along with the directory location while specifying the TOKEN_LOCATION parameter.
  The TOKEN_LOCATION parameter is mandatory for Azure token-based authentication. The database client gets the token from this location and sends it to the database server.
- Use the client API to send the token to Oracle Database:
  If your client application is updated to retrieve tokens from Entra ID, then you can override the TOKEN_AUTH=OAUTH setting. Entra ID directly passes the db-token as an attribute to the database client using the client API. When the client receives this request, the client sends it to the database server.
  In this case, you do not need to specify the TOKEN_AUTH and TOKEN_LOCATION parameters.
- General Azure token-based authentication process:
  - An Azure user or application first requests the access token from Entra ID using one of the supported authentication flows (resource owner password credentials, authorization code, on-behalf-of (OBO) flow, or client credentials).
    An Azure user can connect using any supported utility to retrieve the token and store it in a local file directory.
    You can request the token from tools and scripts run on Linux, Microsoft PowerShell, or other environments. You can also request programmatically using the Microsoft SDKs.
    For detailed examples on how to retrieve an Entra ID OAuth2 access token, see Oracle AI Database Security Guide.
  - The database client then sends the token to the database server. The database server verifies the token (using the Entra ID public key) and extracts various claims from the token, including user name, app roles, and audience. If the Entra ID principal is mapped to a database schema (exclusively or shared), then the login is completed.
- Use an Oracle Database client to directly send the token to Oracle Database:
  This feature is available in environments that use the JDBC-thin clients, thick clients (Oracle Call Interface (OCI) and Oracle Database Instant Client, JDBC-thick, ODP.NET unmanaged, or Python-thick), ODP.NET Core classes, or ODP.NET Managed Driver classes.
  For the thick clients, only the interactive flow is supported (TOKEN_AUTH=AZURE_INTERACTIVE).
  For the JDBC-thin clients, you can set this in the tnsnames.ora or Easy Connect connect string. For the thick clients and ODP.NET core and managed database clients, you can set this in the tnsnames.ora, connect string, or sqlnet.ora file (except for REDIRECT_URI and CLIENT_CERTIFICATE). The parameter value specified in the connect string takes precedence.
  To configure this feature for the JDBC clients, see Oracle Database JDBC Developer's Guide. For the ODP.NET clients, see Oracle Data Provider for .NET Developer's Guide. For the OCI and Instant Clients, see Oracle Call Interface Developer's Guide.
  The following authentication flows enable the database client to directly retrieve an access token with Azure SSO credentials:
  - Azure OAuth2 Interactive:
    TOKEN_AUTH=AZURE_INTERACTIVE specifies the Azure OAuth2 Interactive flow. This authenticates the token request interactively using a web browser, and is useful for client-side web applications or desktop applications.
    When an Azure user logs in using /@connect_identifier (and TOKEN_AUTH is set to AZURE_INTERACTIVE), the TOKEN_AUTH=AZURE_INTERACTIVE setting along with /@connect_identifier instructs the database client driver to directly get an access token from Entra ID. This is for human users who are logging in to tools (such as SQLcl) and can also open a browser window in their environment for authentication.
    If the user has not already logged in, then the database client launches an authentication request to the user (either in a dialog box if the user is using a web application or as a prompt if the user is working in a command line shell), prompting to log in using the Azure user name and password. After logging in to the Azure account, the user is redirected back to the client application (to its registered redirect URI).
    Optionally, you can set the REDIRECT_URI parameter if you want to override the default redirect URI value (http://localhost).
    You must set the AZURE_DB_APP_ID_URI parameter to compose the authorization scope of your token request.
    The CLIENT_ID and TENANT_ID parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration. CLIENT_ID and TENANT_ID are required parameters for the OCI and Instant Clients.
  - Azure Service Principal:
    TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL specifies the Azure Service Principal flow. This authenticates the token request as a service principal by using either a client secret or a client certificate, and is useful for server-side applications (for example, microservices or back-end apps).
    You must set the AZURE_DB_APP_ID_URI parameter to compose the authorization scope of your token request.
    The CLIENT_ID, TENANT_ID, and CLIENT_CERTIFICATE parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration. CLIENT_ID and TENANT_ID are required parameters for the OCI and Instant Clients.
  - Azure Managed Identity:
    TOKEN_AUTH=AZURE_MANAGED_IDENTITY specifies the Azure Managed Identity flow. This authenticates the token request with Entra ID as an Azure managed identity, and is useful for client-side or server-side applications hosted on Azure environments (for example, Azure App Service or Azure virtual machine).
    You must set the AZURE_DB_APP_ID_URI parameter to compose the authorization scope of your token request.
    You can set the CLIENT_ID parameter to configure a user-assigned managed identity for authenticating the token request. This parameter is optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get this value from the Azure SDK configuration. CLIENT_ID is required for the OCI and Instant Clients.
  - Azure Device Code:
    TOKEN_AUTH=AZURE_DEVICE_CODE specifies the Azure Device Code flow. This authenticates the token request interactively, and is for human users or client-side applications running on platforms with limited or no browser support (for example, command line environments such as SQLcl).
    The database client displays a device code and an Entra ID login URL through the standard output of the tool, and prompts the user to enter the device code, Azure user name, and Azure password on any browser-supporting device (for example, cellphone or laptop). After completing the login in a web browser, the Azure SDK returns an access token to the client. The client sends the access token to the database to authorize the database user session.
    You must set the AZURE_DB_APP_ID_URI parameter to compose the authorization scope of your token request.
    The CLIENT_ID and TENANT_ID parameters are optional for the JDBC-thin and ODP.NET core and managed database clients, which can automatically get these values from the Azure SDK configuration. CLIENT_ID and TENANT_ID are required parameters for the OCI and Instant Clients.
    Note:
    You must explicitly enable the Azure OAuth2 Interactive and Azure Device Code flows for your Entra ID app in the Azure portal. To do so, on the App registrations - Authentication page, under Advanced Settings, set Allow public client flows to Yes.
  - Default:
    TOKEN_AUTH=AZURE_DEFAULT specifies the Default flow. With this setting, the client driver reads the predefined environment variables from the SDK configuration, evaluates each authentication flow in a sequence, and then assigns the most appropriate flow based on the environment where the application is running.
    Sequence in which the driver evaluates each authentication flow with AZURE_DEFAULT:
    - Azure Service Principal with Client Secret Credentials: The driver checks if client ID and client secret are configured as parameters to the driver or as SDK environment variables. If both are configured, then the driver authenticates as a service principal using a client secret. Otherwise, the driver proceeds to the next step.
    - Azure Service Principal with Client Certificate Credentials: The driver checks if client ID and client certificate are configured as parameters to the driver or SDK environment variables. If both are configured, then the driver authenticates as a service principal using a client certificate. Otherwise, the driver proceeds to the next step.
    - Azure Username Credentials: The driver checks if client ID, username, and password are configured as parameters to the driver or SDK environment variables. If all are configured, then the driver authenticates as a service principal using the username and password. Otherwise, the driver proceeds to the next step.
    - Azure Managed Identity: The driver checks if the MSI_ENDPOINT or IDENTITY_ENDPOINT environment variable is set. If either is set, then the driver authenticates as a managed identity using the configured endpoint. If neither is set, then the driver checks if the AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE environment variables are set. If both are set, then the driver authenticates as a managed identity using the configured token file. If both are not set, then the driver requests an access token from the Azure Instance Metadata Service (IMDS) endpoint. If the request succeeds, then the driver authenticates as a managed identity. Otherwise, the driver proceeds to the next step.
    - Visual Studio Credentials: For ODP.NET Core classes and ODP.NET Managed Driver classes, the driver additionally evaluates the Azure user through Visual Studio Credentials authentication flow. The driver checks if the TENANT_ID parameter or the AZURE_TENANT_ID environment variable is set and if the Azure user is logged in to Visual Studio. If both the checks succeed, then authentication with the Visual Studio credentials is used. Otherwise, the driver proceeds to the next step.
    - The driver reports an error indicating that authentication is not possible using any of the authentication flows.
Default Setting for Entra ID
None
Table 5-3 Values and Examples for Entra ID
| Value | Example | 
|---|---|
| 
                                        
  | 
                                    
                                       
  | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the   | 
                                 
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the   | 
                                 
5.2.121 TOKEN_LOCATION
Use the TOKEN_LOCATION parameter to specify the directory location where the token file is stored for token-based authentication.
                     
Purpose
To specify the token file directory location. You use this parameter while configuring token-based authentication for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) or Microsoft Azure users of Microsoft Entra ID. The database client gets the token from this location and sends it to the database server. For Entra ID, you can also specify the token file name along with the directory location.
Use this parameter along with the TOKEN_AUTH parameter in the tnsnames.ora file, sqlnet.ora file, or directly as part of the command-line connect string. The parameter values specified in the connect string take precedence over the other specified values.
                        
Usage Notes for IAM
The TOKEN_LOCATION parameter is optional for IAM token-based authentication. You can use this parameter along with the TOKEN_AUTH parameter to override the default directory where the db-token and private key are stored. This location is used by the database client to retrieve the db-token and private key.
                        
When an IAM user initiates a connection using /@connect_identifier (and TOKEN_AUTH is set to OCI_TOKEN), the database client retrieves the db-token and private key from either the default directory or the location specified by TOKEN_LOCATION. The client then signs the db-token using the private key and sends the db-token to the database server.
                        
Default Setting for IAM
- On Linux:
  /home/username/.oci/db-token
- On Windows:
  The database client searches for the default directory in this order:
  If the USERPROFILE environment variable is set, then the client searches in the USERPROFILE directory (for example, C:\Users\username).
  If USERPROFILE is not set, then the client searches in HOMEDRIVE directory (for example, C:) with HOMEPATH (for example, \Users\username).
  For example, the default token location directory on Windows is:
  C:\Users\username\.oci\db-token
Values and Examples for IAM
| Value | Example | 
|---|---|
| 
                                        
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                    sqlnet.ora file: | 
                                 
Usage Notes for Entra ID
The TOKEN_LOCATION parameter is mandatory for Azure token-based authentication. You must use this parameter along with the TOKEN_AUTH parameter to specify the directory location where the Entra ID OAuth2 access token is stored. This location is used by the database client to get the access token.
                        
If your token file is named token, then specify only the directory path. If the token file name is different from token, then you must use the file name along with the directory path.
                        
When an Azure user initiates a connection using /@connect_identifier, the database client retrieves the access token from the location specified by TOKEN_LOCATION and sends the token to the database server.
                        
Default Setting for Entra ID
None
Values and Examples for Entra ID
| Value | Example | 
|---|---|
| 
                                        If the token file is named  
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the token file name is   | 
                                 
| 
                                        If the token file name is different from  
  | 
                                    
                                        In the  
                                       tnsnames.ora file:In the  
                                       sqlnet.ora file:In these examples, the token file name is   | 
                                 
5.2.122 TLS_KEY_EXCHANGE_GROUPS
Use the TLS_KEY_EXCHANGE_GROUPS parameter to enable or disable post-quantum cryptographic (PQC) ML-KEM algorithms and classical ECDHE groups for TLS connections.
                     
Purpose
To enable selection of classical or quantum-safe key exchange algorithms for TLS connections. You can set this parameter in the database server (sqlnet.ora), client (sqlnet.ora or tnsnames.ora connect string), or the listener (listener.ora).
                        
Usage Notes
This parameter takes a combination of the following values as a comma-separated list:
- ec: If the TLS_KEY_EXCHANGE_GROUPS value contains ec, the Oracle approved ECDHE groups - secp256r1, secp384r1, secp521r1, and x25519 are enabled. This is similar to setting the deprecated parameter SSL_DISABLE_WEAK_EC_CURVES to TRUE.
- weak: If the parameter value contains weak, then all ECDHE groups are enabled - including the weak groups that are disabled when the deprecated parameter SSL_DISABLE_WEAK_EC_CURVES is set to TRUE, as well as the Oracle approved ECDHE groups. Oracle does not recommend setting the value to weak.
  Note:
  Some groups from the Oracle approved ECDHE list may be moved to the weak groups list in the future, and such changes would be transparent.
- ml-kem: If the TLS_KEY_EXCHANGE_GROUPS value contains ml-kem, ML-KEM TLS groups are enabled.
  Note:
  - ML-KEM refers to the Module-Lattice-based Key Encapsulation Mechanism that allows secure exchange of cryptographic keys over insecure channels. It is a cryptographic protocol designed for quantum-safe key exchange and is part of the NIST Post-Quantum Cryptography (PQC) standardization process.
  - ML-KEM is only valid with TLSv1.3; it does not apply to TLSv1.2.
  ML-KEM negotiation can happen if both client and server support ML-KEM, which is to say both client and server are DB26ai, and:
  - The server has TLS_KEY_EXCHANGE_GROUPS set to ml-kem and the client has the value set to ml-kem,ec or does not have TLS_KEY_EXCHANGE_GROUPS set at all. In this case, the client uses ECDHE to send the key share in its initial handshake message. The server's list does not contain any key shares supported by the client. It finds the common group, which is ml-kem in this case, from the client's list and its own list and sends a retry request with its key share using ML-KEM. The client resends the key share, and the handshake proceeds with ml-kem as the negotiated group.
  - The client sets TLS_KEY_EXCHANGE_GROUPS to ml-kem explicitly and the server has the value set to ec,ml-kem or ml-kem or does not have TLS_KEY_EXCHANGE_GROUPS set at all. In this case, the client uses ml-kem to send the key share in its initial handshake message. The server supports this group and the handshake proceeds with ml-kem as the negotiated group.
Values
A comma-separated list of one or more of the values below:
- ec: To enable the Oracle approved ECDHE groups
- weak: To enable both the weak and Oracle approved ECDHE groups
- ml-kem: To enable the ML-KEM TLS groups
The following table shows the results of TLS negotiations based on TLS_KEY_EXCHANGE_GROUPS values from both the client and server.
                        
| Server-Side Value | Client-Side Value | Result |
|---|---|---|
| Not set | Not set | ECDHE |
| ec,ml-kem | ec,ml-kem | ECDHE |
| ec,ml-kem | ml-kem | ML-KEM |
| ml-kem | ec,ml-kem | ML-KEM |
| ml-kem | ml-kem | ML-KEM |
| ec | ec | ECDHE |
ECDHE is given higher preference compared to ML-KEM. If TLS_KEY_EXCHANGE_GROUPS contains both ml-kem and ec, then ECDHE groups are given higher preference. The order in which the values are specified in TLS_KEY_EXCHANGE_GROUPS parameter does not matter.
                        
Default
ec, weak, and ml-kem are enabled by default, in that order.
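The negotiation table and the preference rule above can be checked against a planned server and client setting with a small model. This is an added example, not Oracle code: the function names and family labels are hypothetical, values are matched exactly as written on the page, and both peers are assumed to be 26ai on TLSv1.3 unless mlkem_capable=False is passed.

```python
APPROVED_ECDHE = "ecdhe-approved"  # secp256r1, secp384r1, secp521r1, x25519
WEAK_ECDHE = "ecdhe-weak"          # the groups the page only calls "weak"
ML_KEM = "ml-kem"
ECDHE_FAMILIES = {APPROVED_ECDHE, WEAK_ECDHE}

# What each documented value enables. "weak" enables all ECDHE groups,
# including the approved ones.
VALUE_TO_FAMILIES = {
    "ec": {APPROVED_ECDHE},
    "weak": {APPROVED_ECDHE, WEAK_ECDHE},
    "ml-kem": {ML_KEM},
}


def enabled_families(value):
    """Parse a TLS_KEY_EXCHANGE_GROUPS value; None or "" means not set."""
    if value is None or not value.strip():
        tokens = ["ec", "weak", "ml-kem"]  # documented default
    else:
        tokens = [t.strip() for t in value.split(",") if t.strip()]
    families = set()
    for token in tokens:
        if token not in VALUE_TO_FAMILIES:
            raise ValueError(f"unknown TLS_KEY_EXCHANGE_GROUPS value: {token!r}")
        families |= VALUE_TO_FAMILIES[token]
    return families


def negotiate(server_value, client_value, mlkem_capable=True):
    """Return (result, retry): result is "ECDHE", "ML-KEM" or None.

    retry is True only in the page's case where the client first sends an
    ECDHE key share and the server answers with a retry request for ML-KEM.
    """
    client = enabled_families(client_value)
    common = enabled_families(server_value) & client
    if not mlkem_capable:          # older peer or TLSv1.2: no ML-KEM at all
        common.discard(ML_KEM)
    if common & ECDHE_FAMILIES:    # ECDHE is preferred; value order is ignored
        return "ECDHE", False
    if ML_KEM in common:
        return "ML-KEM", bool(client & ECDHE_FAMILIES)
    return None, False


def audit(server_value, client_value, mlkem_capable=True):
    """Return (result, findings) for a server/client pair of settings."""
    findings = []
    for side, value in (("server", server_value), ("client", client_value)):
        if WEAK_ECDHE in enabled_families(value):
            how = "explicitly" if (value or "").strip() else "by default"
            findings.append(f"{side}: weak ECDHE groups enabled {how}")
    result, retry = negotiate(server_value, client_value, mlkem_capable)
    if result is None:
        findings.append("no common key exchange group: handshake cannot complete")
    elif result == "ECDHE":
        findings.append("negotiates ECDHE; ML-KEM is chosen only when one "
                        "side enables no ECDHE value")
    elif retry:
        findings.append("ML-KEM reached after a retry request")
    return result, findings


if __name__ == "__main__":
    # Constructed pairs: (server value, client value); None means not set.
    for pair in ((None, None), ("ec,ml-kem", "ml-kem"), ("ml-kem", None),
                 ("ml-kem", "ec")):
        print(pair, "->", audit(*pair))
```

With nothing set on either side the model reports ECDHE plus weak groups enabled on both peers, which matches the documented default of ec, weak, and ml-kem.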
                        
Examples
- In the tnsnames.ora file:
  net_service_name=
   (DESCRIPTION=
     (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1521))
     (SECURITY=(TLS_KEY_EXCHANGE_GROUPS=ml-kem,ec))
   )
- In the sqlnet.ora file or the listener.ora file:
  TLS_KEY_EXCHANGE_GROUPS=ml-kem,ec
5.2.123 USE_CMAN
Use the sqlnet.ora parameter USE_CMAN to specify client routing to Oracle Connection Manager.
                     
Purpose
To specify client routing to Oracle Connection Manager.
Usage Notes
When set to true, the parameter routes the client to a protocol address for Oracle Connection Manager. 
                        
When set to false, the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.
                        
If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.
Default
false
Values
true | false
Example
USE_CMAN=true
5.2.124 USE_DEDICATED_SERVER
Use the sqlnet.ora parameter USE_DEDICATED_SERVER to append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor that the client uses.
                     
Purpose
To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. 
                        
Usage Notes
The value for this parameter overrides the current value of the SERVER parameter in the tnsnames.ora file.
                        
When set to on, the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This enables connections from this client to use a dedicated server process, even if shared server is configured.
                        
Default
off
Values
- on to append (SERVER=dedicated)
- off to send requests to existing server processes
Example
USE_DEDICATED_SERVER=on
5.2.125 USE_SNI
Use the sqlnet.ora parameter USE_SNI to enable setting Server Name Indication (SNI) value using CONNECT_DATA parameters.
                     
Purpose
To enable or disable setting of SNI value using CONNECT_DATA parameters for TLS connections.
                        
Usage Notes
When USE_SNI is set and CONNECT_DATA in the connect string has any of the supported parameters for SNI, then those parameters are used to set the SNI value. This SNI value is then used by the listener to select the appropriate service handler for servicing the request without having to do a TLS handshake with the client. The supported CONNECT_DATA parameters for setting SNI include SERVICE_NAME, INSTANCE_NAME, SERVER and COLOCATION_TAG.
                        
When USE_SNI is set and CONNECT_DATA doesn't include any of the supported parameters listed above, then SNI value will not be set and the listener will perform the usual TLS handshake with the client to fetch the connect request.
                        
Values
- ON | TRUE | YES to set SNI value using CONNECT_DATA
- OFF | FALSE | NO to not set SNI value using CONNECT_DATA
Default Value
OFF
Example
USE_SNI=ON
Note:
Support for SNI is available in all versions starting 23.7, but not in earlier versions.
5.2.126 WALLET_LOCATION
Use the WALLET_LOCATION parameter to specify the location of Oracle wallets.
                     
Purpose
To specify the directory path where you want to create and store an Oracle wallet. Wallets securely contain certificates, secrets, private keys, and trust points used by Oracle Database.
Usage Notes
- Deprecation of the server-side setting:
  The parameter WALLET_LOCATION is deprecated for use with Oracle AI Database 26ai for the Oracle Database server. It is not deprecated for use with the Oracle Database client or listener.
  For Oracle Database server, Oracle recommends that you use the WALLET_ROOT system parameter instead of using WALLET_LOCATION.
- Where to set this parameter:
  You can set WALLET_LOCATION in the sqlnet.ora file to specify a common wallet location for all connections. You can also set it in the connect string or tnsnames.ora file to specify a different wallet location for a particular connection.
  Use of WALLET_LOCATION in the connect string or tnsnames.ora overrides the sqlnet.ora WALLET_LOCATION setting for the specific tnsnames.ora service. The tnsnames.ora WALLET_LOCATION setting enables a client to initiate multiple TLS sessions using different TLS certificates in the same client process.
- Setting to use the system default certificate store instead of a client-side wallet:
  The Linux and Windows database clients can use the system default certificate store to validate the Oracle Database server certificate, instead of creating a local wallet with root certificate. The default certificate store is located in /etc/pki/tls/cert.pem on Linux and Microsoft Certificate Store (MCS) on Windows.
  If you set WALLET_LOCATION=SYSTEM in the connect string (in tnsnames.ora or directly to the command line), then the database client uses the default certificate store to validate the server certificate. In this case, the server certificate needs to be signed by a trusted root certificate that is already installed in the default certificate store.
  For example:
  net_service_name=
    (DESCRIPTION =
      (ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1234))
      (SECURITY=(WALLET_LOCATION=SYSTEM))
      (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com))
    )
- Order in which the database client searches for a client wallet:
  - The database client first tries to use a wallet from the WALLET_LOCATION directory specified in the connect string.
  - If no wallet is present, then the client searches for the WALLET_LOCATION parameter value in the sqlnet.ora file.
  - If no wallet is present, then the client searches for a wallet in the $TNS_ADMIN environment variable directory.
  - If no wallet is present, then the client searches in the default wallet location, that is, /etc/ORACLE/WALLETS/username on Linux and C:\Users\username\\ORACLE\WALLETS on Windows.
  - If no wallet is present, then the client uses the wallet from the system default certificate store.
  You can specify WALLET_LOCATION as SYSTEM in the connect string to ignore all the wallet configurations and use the system default certificate store instead.
- Setting for walletless TLS connections:
  The WALLET_LOCATION parameter is optional for TLS connections that do not use a client wallet. If you do not include WALLET_LOCATION in the connect string, tnsnames.ora, or sqlnet.ora, then the driver automatically picks up common root certificates from the system default certificate store (if the system is Windows or Linux).
  However, you may need to perform additional steps in the following cases:
  - If WALLET_LOCATION is set in sqlnet.ora for all connections, then you can override this setting for a specific connection that does not need a client wallet (using WALLET_LOCATION=SYSTEM in the connect string).
  - If a wallet is present in the $TNS_ADMIN environment variable directory, then the database client uses the $TNS_ADMIN path as the default wallet location. In this case, you can either override the WALLET_LOCATION setting (using WALLET_LOCATION=SYSTEM in the connect string) or remove that wallet.
- Storage of wallet files:
  The password-protected wallet is stored in an ewallet.p12 file. The auto-login and local auto-login wallets are stored in a cwallet.sso file.
  For example, if an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the password-protected wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the auto-login and local auto-login wallets is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
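The search order and the walletless TLS cases above can be checked before a client connects. The following is an added audit sketch, not Oracle code: it predicts which trust source a Linux client ends up with, which is how a stray wallet in $TNS_ADMIN gets noticed. Assumptions: "a wallet is present" means an ewallet.p12 or cwallet.sso file exists in the directory, the connect-string WALLET_LOCATION holds either SYSTEM or a directory path, and all function names are hypothetical.

```python
import os
import re
import tempfile

WALLET_FILES = ("ewallet.p12", "cwallet.sso")   # wallet file names given on the page


def has_wallet(directory):
    """Assumption: 'a wallet is present' means one of WALLET_FILES exists there."""
    return bool(directory) and any(
        os.path.isfile(os.path.join(directory, name)) for name in WALLET_FILES)


def connect_string_wallet(descriptor):
    """WALLET_LOCATION value from the (SECURITY=...) section, or None."""
    m = re.search(r"\(\s*SECURITY\s*=(?:\s*\([^()]*\))*?\s*"
                  r"\(\s*WALLET_LOCATION\s*=\s*([^()]+?)\s*\)", descriptor, re.I)
    return m.group(1) if m else None


def sqlnet_wallet_dir(sqlnet_text):
    """DIRECTORY of a METHOD=file WALLET_LOCATION in sqlnet.ora, or None."""
    text = "\n".join(line.split("#", 1)[0] for line in sqlnet_text.splitlines())
    # Anchored at line start so longer names ending in WALLET_LOCATION do not match.
    start = re.search(r"^WALLET_LOCATION\s*=\s*\(", text, re.I | re.M)
    if not start:
        return None
    depth, i = 1, start.end()
    while i < len(text) and depth:               # walk to the matching ')'
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    value = text[start.end() - 1:i]
    if not re.search(r"\(\s*METHOD\s*=\s*file\s*\)", value, re.I):
        return None                              # mcs and reg are not directories
    m = re.search(r"\(\s*DIRECTORY\s*=\s*([^()]+?)\s*\)", value, re.I)
    return m.group(1) if m else None


def resolve_wallet(descriptor, sqlnet_text, environ, username):
    """Predict the trust source of a Linux client, following the documented order."""
    from_connect = connect_string_wallet(descriptor)
    if from_connect and from_connect.upper() == "SYSTEM":
        # SYSTEM in the connect string ignores every wallet configuration.
        return {"source": "system-store", "directory": None, "skipped": []}
    candidates = [
        ("connect-string", from_connect),
        ("sqlnet.ora", sqlnet_wallet_dir(sqlnet_text)),
        ("TNS_ADMIN", environ.get("TNS_ADMIN")),
        ("default-location", f"/etc/ORACLE/WALLETS/{username}"),
    ]
    skipped = []
    for source, directory in candidates:
        if has_wallet(directory):
            return {"source": source, "directory": directory, "skipped": skipped}
        if directory:
            skipped.append((source, directory))  # configured, but no wallet found
    return {"source": "system-store", "directory": None, "skipped": skipped}


def demo():
    """Constructed scenario: sqlnet.ora names an empty directory while an
    auto-login wallet sits unnoticed in $TNS_ADMIN."""
    with tempfile.TemporaryDirectory() as root:
        empty = os.path.join(root, "wallets")
        tns_admin = os.path.join(root, "admin")
        os.mkdir(empty)
        os.mkdir(tns_admin)
        open(os.path.join(tns_admin, "cwallet.sso"), "wb").close()
        sqlnet = ("WALLET_LOCATION=\n (SOURCE=\n  (METHOD=file)\n"
                  f"  (METHOD_DATA=\n   (DIRECTORY={empty})))\n")
        base = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=sales-svr)(PORT=1234))"
                "{}(CONNECT_DATA=(SERVICE_NAME=sales.us.example.com)))")
        env = {"TNS_ADMIN": tns_admin}
        implicit = resolve_wallet(base.format(""), sqlnet, env, "constructed_user")
        pinned = resolve_wallet(base.format("(SECURITY=(WALLET_LOCATION=SYSTEM))"),
                                sqlnet, env, "constructed_user")
        return (implicit["source"], [s for s, _ in implicit["skipped"]],
                pinned["source"])


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the client silently trusts the wallet in $TNS_ADMIN because the sqlnet.ora directory is empty; only the descriptor that sets WALLET_LOCATION=SYSTEM falls back to the system certificate store.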
Additional Parameters
SOURCE to specify the type of storage and storage location for wallets, as follows:
- METHOD: Type of storage
- METHOD_DATA: Storage location:
  - DIRECTORY: Location of wallet on the file system
  - KEY: Wallet type and location in the Microsoft Windows registry
Syntax and Examples
The syntax depends on the wallet as follows:
- Wallet on the file system:
  WALLET_LOCATION=
    (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
        (DIRECTORY=directory)))
  For example:
  WALLET_LOCATION=
    (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
        (DIRECTORY=/etc/oracle/wallets/databases)))
- Microsoft certificate store:
  WALLET_LOCATION=
    (SOURCE=
      (METHOD=mcs))
  The key-value pair for MCS omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trust points and private keys directly from a user's profile.
- Wallet in the Microsoft Windows registry:
  WALLET_LOCATION=
    (SOURCE=
      (METHOD=reg)
      (METHOD_DATA=
        (KEY=registry_key)))
  For example:
  WALLET_LOCATION=
    (SOURCE=
      (METHOD=reg)
      (METHOD_DATA=
        (KEY=SALESAPP)))
Default
None
5.3 ADR Diagnostic Parameters in sqlnet.ora
Diagnostic data for critical errors is stored in the sqlnet.ora Automatic Diagnostic Repository (ADR).
                  
- About ADR Diagnostic Parameters
  You can use Automatic Diagnostic Repository (ADR) diagnostic parameters when ADR is enabled, which is the default. Oracle ignores non-ADR parameters in the sqlnet.ora file when you enable ADR.
- ADR_BASE
  Use the sqlnet.ora parameter ADR_BASE to specify the base location of the ADR files.
- DIAG_ADR_ENABLED
  Use the sqlnet.ora parameter DIAG_ADR_ENABLED to enable and disable ADR tracing.
- ENABLE_CONCISE_LOGS
  Use the sqlnet.ora parameter ENABLE_CONCISE_LOGS to enable or disable the logging in a concise format.
- LOG_SUPPRESSED_COUNT
  Use the sqlnet.ora parameter LOG_SUPPRESSED_COUNT to control the suppression of a log message based on the number of occurrences.
- LOG_SUPPRESSED_TIME
  Use the sqlnet.ora parameter LOG_SUPPRESSED_TIME to control the suppression of a log message based on the time interval.
- TRACE_LEVEL_CLIENT
  Use the sqlnet.ora parameter TRACE_LEVEL_CLIENT to enable and disable client tracing at a specific level.
- TRACE_LEVEL_SERVER
  Use the sqlnet.ora parameter TRACE_LEVEL_SERVER to enable and disable server tracing at a specific level.
- TRACE_TIMESTAMP_CLIENT
  Use the sqlnet.ora parameter TRACE_TIMESTAMP_CLIENT to add time stamps to trace events in client trace files.
- TRACE_TIMESTAMP_SERVER
  Use the sqlnet.ora parameter TRACE_TIMESTAMP_SERVER to add time stamps to trace events in database trace files.
5.3.1 About ADR Diagnostic Parameters
You can use Automatic Diagnostic Repository (ADR) diagnostic parameters when ADR is enabled, which is the default. Oracle ignores non-ADR parameters in the sqlnet.ora file when you enable ADR.
                     
Since Oracle Database 11g, Oracle Database includes an advanced fault diagnostic infrastructure to prevent, detect, diagnose, and resolve problems. The problems might be critical errors such as those that are caused by database code bugs, metadata corruption, or customer data corruption.
When critical errors occur, they are assigned incident numbers. Diagnostic data for the errors, such as traces and dumps, are captured and tagged with the incident number. The data is then stored in ADR, which is a file-based repository outside the database.
The following sqlnet.ora parameters are used when you enable ADR (when DIAG_ADR_ENABLED is set to on):
                     
5.3.2 ADR_BASE
Use the sqlnet.ora parameter ADR_BASE to specify the base location of the ADR files.
                     
Purpose
To specify the base directory in which Oracle stores tracing and logging incidents when ADR is enabled.
Usage Notes
This parameter is applicable only to clients. On the server side, the ADR base location is defined by the DIAGNOSTIC_DEST initialization parameter in the init.ora file. See DIAGNOSTIC_DEST in Oracle Database Reference.
                        
Default
ORACLE_BASE or ORACLE_HOME/log (if ORACLE_BASE is not defined)
                        
Values
Any valid directory path to a directory with write permission.
Example
ADR_BASE=/oracle/network/trace
5.3.3 DIAG_ADR_ENABLED
Use the sqlnet.ora parameter  DIAG_ADR_ENABLED to enable and disable ADR tracing. 
                     
Purpose
To specify whether ADR tracing is enabled.
Usage Notes
If you set the DIAG_ADR_ENABLED parameter to OFF, then non-ADR file tracing is used.
                        
Default
on
Values
on | off
Example 5-7 Example
DIAG_ADR_ENABLED=on
5.3.4 ENABLE_CONCISE_LOGS
Use the sqlnet.ora parameter ENABLE_CONCISE_LOGS to enable or disable the logging in a concise format. 
                     
Purpose
To control how you want to view error stack messages in Oracle Network logs (sqlnet.log files), either in a concise or long format.
                        
Usage Notes
When set to TRUE, the logs are printed in a concise format. A concise format displays all the relevant information of a failure in a single line. This setting reduces the size of the log files and makes them easier to read.
                        
When set to FALSE, the logs are printed in a longer, detailed format. A long format displays the messages in multiple lines, with additional details such as Version information.
                        
Values
TRUE | FALSE
Default
TRUE
Example
ENABLE_CONCISE_LOGS=TRUE
5.3.5 LOG_SUPPRESSED_COUNT
Use the sqlnet.ora parameter LOG_SUPPRESSED_COUNT to control the suppression of a log message based on the number of occurrences.
                     
Purpose
To suppress an Oracle Network log message based on the specified number of occurrences on the database server.
You can suppress repeated or duplicate records so that they no longer appear in any log. This can save some disk space and allow ease of navigation through large amounts of data.
Note:
You can set this parameter only on the database server side.
Usage Notes
- Both the sqlnet.ora parameters LOG_SUPPRESSED_COUNT and LOG_SUPPRESSED_TIME specify log suppression. These parameters are enabled by default, but you can override the default values.
  - LOG_SUPPRESSED_COUNT suppresses a duplicate message based on the number of occurrences. The default occurrence count is set to 50.
  - LOG_SUPPRESSED_TIME suppresses a duplicate message based on the time interval. The default time interval is set to 10 seconds.
  Logging is suppressed when either of the conditions (occurrence count or time interval) is fulfilled.
- Duplicate messages are initially printed until the number of occurrences exceeds the internal default threshold of repetition. This means that log suppression starts only after this threshold is hit until LOG_SUPPRESSED_COUNT times or LOG_SUPPRESSED_TIME seconds are exhausted.
  For example, suppose LOG_SUPPRESSED_COUNT is set to 20 and LOG_SUPPRESSED_TIME is set to 4 seconds. When the message repeats 21 times in 3 seconds, logging is suppressed for that message based on the specified occurrence count of 20 times.
  At each threshold (for example, after every 5 repetitions), a status message is logged, indicating the occurrence count and time after which logging will be suppressed:
  Logging of network errors for PID: number will be turned off until log repeats LOG_SUPPRESSED_COUNT times or LOG_SUPPRESSED_TIME seconds are exhausted.
Value
Number of times (starting from the first occurrence) after which you want logging to be suppressed
Allowed Range
Any number greater than the minimum value of 1 up to 4294967295
Default
50
Example
LOG_SUPPRESSED_COUNT=100
5.3.6 LOG_SUPPRESSED_TIME
Use the sqlnet.ora parameter LOG_SUPPRESSED_TIME to control the suppression of a log message based on the time interval.
                     
Purpose
To suppress an Oracle Network log message based on the specified time interval.
You can suppress repeated or duplicate records so that they no longer appear in any log. This can save some disk space and allow ease of navigation through large amounts of data.
Note:
You can set this parameter only on the database server side.
Usage Notes
- Both the sqlnet.ora parameters LOG_SUPPRESSED_COUNT and LOG_SUPPRESSED_TIME specify log suppression. These parameters are enabled by default, but you can override the default values.
  - LOG_SUPPRESSED_COUNT suppresses a duplicate message based on the number of occurrences. The default occurrence count is set to 50.
  - LOG_SUPPRESSED_TIME suppresses a duplicate message based on the time interval. The default time interval is set to 10 seconds.
  Logging is suppressed when either of the conditions (occurrence count or time interval) is fulfilled.
- Duplicate messages are initially printed until the number of occurrences exceeds the internal default threshold of repetition. This means that log suppression starts only after this threshold is hit until LOG_SUPPRESSED_COUNT times or LOG_SUPPRESSED_TIME seconds are exhausted.
  For example, suppose LOG_SUPPRESSED_COUNT is set to 20 and LOG_SUPPRESSED_TIME is set to 4 seconds. When the message repeats 15 times in 5 seconds, logging is suppressed for that message based on the specified time interval of 4 seconds.
  At each threshold (for example, after every 5 repetitions), a status message is logged, indicating the occurrence count and time after which logging will be suppressed:
  Logging of network errors for PID: number will be turned off until log repeats LOG_SUPPRESSED_COUNT times or LOG_SUPPRESSED_TIME seconds are exhausted.
Value
Time interval in seconds (starting from the first occurrence) after which you want logging to be suppressed
Allowed Range
Any number greater than the minimum value of 1 up to 4294967295
Default
10
Example
LOG_SUPPRESSED_TIME=20
5.3.7 TRACE_LEVEL_CLIENT
Use the sqlnet.ora parameter  TRACE_LEVEL_CLIENT to enable and disable client tracing at a specific level. 
                     
Purpose
To enable client tracing at a specified level or to disable it.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
- off or 0 for no trace output
- user or 4 for user trace information
- admin or 10 for administration trace information
- support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_CLIENT=user
5.3.8 TRACE_LEVEL_SERVER
Use the sqlnet.ora parameter  TRACE_LEVEL_SERVER to enable and disable server tracing at a specific level.
                     
Purpose
To turn server tracing on at a specified level or to turn it off.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
- off or 0 for no trace output
- user or 4 for user trace information
- admin or 10 for administration trace information
- support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_SERVER=admin
5.3.9 TRACE_TIMESTAMP_CLIENT
Use the sqlnet.ora parameter  TRACE_TIMESTAMP_CLIENT to add time stamps to trace events in client trace files.
                     
Purpose
To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc. 
                        
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_CLIENT=true
5.3.10 TRACE_TIMESTAMP_SERVER
Use the sqlnet.ora parameter TRACE_TIMESTAMP_SERVER to add time stamps to trace events in database trace files.
                     
Purpose
To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc. 
                        
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_SERVER=true
5.4 Non-ADR Diagnostic Parameters in sqlnet.ora Files
Learn about sqlnet.ora parameters that you use when you disable ADR.
                  
This section lists the sqlnet.ora parameters that are used when you disable ADR.
                  
Note:
The default value of DIAG_ADR_ENABLED is on. Therefore, the DIAG_ADR_ENABLED parameter must explicitly be set to off to use non-ADR tracing.
                     
- LOG_DIRECTORY_CLIENT
  Use the sqlnet.ora non-ADR diagnostic parameter LOG_DIRECTORY_CLIENT to specify the destination directory for client log files.
- LOG_DIRECTORY_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter LOG_DIRECTORY_SERVER to specify the destination directory for database log files.
- LOG_FILE_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter LOG_FILE_CLIENT to specify the name of log files for clients.
- LOG_FILE_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter LOG_FILE_SERVER to specify log file names for the database.
- TRACE_DIRECTORY_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_CLIENT to specify the destination directory for client trace files.
- TRACE_DIRECTORY_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_SERVER to specify the destination directory for database trace files.
- TRACE_FILE_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_CLIENT to specify the names of client trace files.
- TRACE_FILE_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_SERVER to specify the destination directory for database trace output.
- TRACE_FILEAGE_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILEAGE_CLIENT to specify the maximum age of client trace files in minutes.
- TRACE_FILEAGE_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILEAGE_SERVER to specify the maximum age of database trace files in minutes.
- TRACE_FILELEN_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_CLIENT to specify the size of client trace files in kilobytes.
- TRACE_FILELEN_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_SERVER to specify the size of database trace files in kilobytes.
- TRACE_FILENO_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_CLIENT to specify the number of trace files for client tracing.
- TRACE_FILENO_SERVER
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_SERVER to specify the number of trace files for database tracing.
- TRACE_UNIQUE_CLIENT
  Use the non-ADR diagnostic sqlnet.ora parameter TRACE_UNIQUE_CLIENT to specify whether Oracle creates a unique trace file for each client trace session.
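Because DIAG_ADR_ENABLED defaults to on, non-ADR settings in a sqlnet.ora file can be silently ignored. The following is an added lint sketch, not Oracle tooling, that reports such settings together with out-of-range values for the parameters described in sections 5.3 and 5.4. Assumptions: only single-line NAME=value settings are read, the lower bound 1 of the LOG_SUPPRESSED range is treated as allowed, ADR_BASE is treated as unused once ADR is off, and the function names and sample files are constructed for illustration.

```python
NON_ADR_ONLY = {
    "LOG_DIRECTORY_CLIENT", "LOG_DIRECTORY_SERVER", "LOG_FILE_CLIENT",
    "LOG_FILE_SERVER", "TRACE_DIRECTORY_CLIENT", "TRACE_DIRECTORY_SERVER",
    "TRACE_FILE_CLIENT", "TRACE_FILE_SERVER", "TRACE_FILEAGE_CLIENT",
    "TRACE_FILEAGE_SERVER", "TRACE_FILELEN_CLIENT", "TRACE_FILELEN_SERVER",
    "TRACE_FILENO_CLIENT", "TRACE_FILENO_SERVER", "TRACE_UNIQUE_CLIENT",
}
# TRACE_LEVEL_* and TRACE_TIMESTAMP_* apply with and without ADR, so they are
# never reported as ignored.
TRACE_LEVELS = {"off", "0", "user", "4", "admin", "10", "support", "16"}
SUPPRESS_MAX = 4294967295          # upper bound of the allowed range on the page


def parse_scalars(text):
    """Collect single-line NAME=value settings; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        # Skip blanks and continuation lines of multi-line parenthesised values.
        if not line or line[0] in " \t(" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def lint_diagnostics(text):
    """Return (code, parameter, message) findings, ordered by parameter name."""
    params = parse_scalars(text)
    findings = []
    adr = params.get("DIAG_ADR_ENABLED", "on").lower()    # default is on
    if adr not in ("on", "off"):
        findings.append(("BAD_VALUE", "DIAG_ADR_ENABLED", "expected on | off"))
    adr_on = adr != "off"
    for name, value in sorted(params.items()):
        if name in NON_ADR_ONLY and adr_on:
            findings.append(("IGNORED_NON_ADR", name,
                             "ignored unless DIAG_ADR_ENABLED=off is set"))
        elif name == "ADR_BASE" and not adr_on:
            # Assumption: ADR_BASE has no effect once ADR is switched off.
            findings.append(("UNUSED_ADR", name, "used only when ADR is enabled"))
        elif name in ("TRACE_LEVEL_CLIENT", "TRACE_LEVEL_SERVER"):
            if value.lower() not in TRACE_LEVELS:
                findings.append(("BAD_VALUE", name,
                                 "expected off|0, user|4, admin|10 or support|16"))
        elif name in ("LOG_SUPPRESSED_COUNT", "LOG_SUPPRESSED_TIME"):
            if not value.isdigit() or not 1 <= int(value) <= SUPPRESS_MAX:
                findings.append(("BAD_RANGE", name,
                                 f"expected a number from 1 to {SUPPRESS_MAX}"))
    return findings


# Constructed sample: ADR is left at its default, so the trace directory and
# rotation settings below never take effect.
SAMPLE_ADR_DEFAULT = """\
# constructed sqlnet.ora fragment
TRACE_LEVEL_CLIENT=support
TRACE_DIRECTORY_CLIENT=/oracle/traces
TRACE_FILENO_CLIENT=3
TRACE_FILELEN_CLIENT=100
LOG_SUPPRESSED_COUNT=0
TRACE_LEVEL_SERVER=verbose
"""

# Constructed sample: ADR explicitly disabled, non-ADR settings now apply.
SAMPLE_ADR_OFF = """\
DIAG_ADR_ENABLED=off
ADR_BASE=/oracle/network/trace
TRACE_DIRECTORY_CLIENT=/oracle/traces
TRACE_LEVEL_CLIENT=16
LOG_SUPPRESSED_TIME=20
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ADR_DEFAULT, SAMPLE_ADR_OFF):
        for finding in lint_diagnostics(sample):
            print(*finding, sep=": ")
        print("--")
```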
5.4.1 LOG_DIRECTORY_CLIENT
Use the sqlnet.ora non-ADR diagnostic parameter LOG_DIRECTORY_CLIENT to specify the destination directory for client log files.
                     
Purpose
To specify the destination directory for the client log file. By default, the log file is created in the current working directory.
Usage Notes
Use this parameter when ADR is not enabled.
Values
Any valid directory path.
Example
LOG_DIRECTORY_CLIENT=/oracle/network/log
5.4.2 LOG_DIRECTORY_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter LOG_DIRECTORY_SERVER to specify the destination directory for database log files. 
                     
Purpose
To specify the destination directory for database log files.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
LOG_DIRECTORY_SERVER=/oracle/network/trace
5.4.3 LOG_FILE_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter  LOG_FILE_CLIENT to specify the name of log files for clients.
                     
Purpose
To specify the name of the log file for the client.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log/sqlnet.log
Values
The default value cannot be changed.
5.4.4 LOG_FILE_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter  LOG_FILE_SERVER to specify log file names for the database.
                     
Purpose
To specify the name of the log file for the database.
Usage Notes
Use this parameter when ADR is not enabled.
Default
sqlnet.log
Values
Example
LOG_FILE_SERVER=svr.log
5.4.5 TRACE_DIRECTORY_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_CLIENT to specify the destination directory for client trace files.  
                     
Purpose
To specify the destination directory for the client trace file. By default, the trace file is created in the current working directory.
Usage Notes
Use this parameter when ADR is not enabled.
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_CLIENT=/oracle/traces
5.4.6 TRACE_DIRECTORY_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_DIRECTORY_SERVER to specify the destination directory for database trace files.
                     
Purpose
To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_SERVER=/oracle/traces
5.4.7 TRACE_FILE_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_CLIENT to specify the names of client trace files.
                     
Purpose
To specify the name of a client trace file.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/cli.trc
Values
Any valid file name.
Example
TRACE_FILE_CLIENT=clientsqlnet.trc
5.4.8 TRACE_FILE_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILE_SERVER to specify the destination directory for database trace output. 
                     
Purpose
To specify the destination directory for the database server trace output.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/svr_pid.trc
Values
Any valid file name. The process identifier (pid) is appended to the name automatically.
Example
TRACE_FILE_SERVER=svrsqlnet.trc
5.4.9 TRACE_FILEAGE_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter  TRACE_FILEAGE_CLIENT to specify the maximum age of client trace files in minutes.
                     
Purpose
To specify the maximum age of client trace files in minutes.
Usage Notes
When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Default
Unlimited
This is the same as setting the parameter to 0.
                        
Example 5-8 Example
TRACE_FILEAGE_CLIENT=60
5.4.10 TRACE_FILEAGE_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILEAGE_SERVER to specify the maximum age of database trace files in minutes.
                     
Purpose
To specify the maximum age of database server trace files in minutes.
Usage Notes
When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Default
Unlimited
This is the same as setting the parameter to 0.
                        
Example 5-9 Example
TRACE_FILEAGE_SERVER=60
5.4.11 TRACE_FILELEN_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_CLIENT to specify the size of client trace files in kilobytes.
                     
Purpose
To specify the size of the client trace files in kilobytes (KB).
Usage Notes
When the file grows to the specified size, Oracle writes the trace information to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_CLIENT=100
5.4.12 TRACE_FILELEN_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILELEN_SERVER to specify the size of database trace files in kilobytes.   
                     
Purpose
To specify the size of the database server trace files in kilobytes (KB).
Usage Notes
When the file grows to the specified size, Oracle writes the trace information to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_SERVER=100
5.4.13 TRACE_FILENO_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_CLIENT to specify the number of trace files for client tracing.
                     
Purpose
To specify the number of trace files for client tracing.
Usage Notes
When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.
When this parameter is set with the TRACE_FILEAGE_CLIENT parameter, trace files are cycled based on their age. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used.
When you set this parameter with both the TRACE_FILELEN_CLIENT and TRACE_FILEAGE_CLIENT parameters, trace files are replaced when either the size limit or the age limit is reached.
                        
The trace file names are distinguished from one another by their sequence numbers. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.
                        
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_CLIENT=3
5.4.14 TRACE_FILENO_SERVER
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_FILENO_SERVER to specify the number of trace files for database tracing. 
                     
Purpose
To specify the number of trace files for database server tracing.
Usage Notes
When you set this parameter with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used.
When you set this parameter with the TRACE_FILEAGE_SERVER parameter, trace files are cycled based on the age of the trace file. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used.
When this parameter is set with both the TRACE_FILELEN_SERVER and TRACE_FILEAGE_SERVER parameters, trace files are cycled when either the size limit or the age limit is reached.
                        
The trace file names are distinguished from one another by their sequence numbers. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.
                        
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_SERVER=3
5.4.15 TRACE_UNIQUE_CLIENT
Use the non-ADR diagnostic sqlnet.ora parameter TRACE_UNIQUE_CLIENT to specify whether Oracle creates a unique trace file for each client trace session. 
                     
Purpose
To specify whether a unique trace file is created for each client trace session.
Usage Notes
When you set the value to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When you set the value to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.
                        
Default
on
Values
on or off
Example
TRACE_UNIQUE_CLIENT=on