5 Parameters for the sqlnet.ora File

BEQUEATH_DETACH

NETRF1046Purpose

To turn signal handling on or off for Linux and UNIX systems.

NETRF1047Default

NO

NETRF1048Values

• yes to turn signal handling off

• no to leave signal handling on

NETRF1049Example

BEQUEATH_DETACH=yes

DEFAULT_SDU_SIZE

NETRF1050Purpose

To specify the session data unit (SDU) size, in bytes to connections.

NETRF1051Usage

Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.

You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.

NETRF1052Default

8192 bytes (8 KB)

NETRF1053Values

512 to 65535 bytes

NETRF1054Example

DEFAULT_SDU_SIZE=4096

DISABLE_OOB

NETRF1055Purpose

To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.

If turned off, then the parameter enables Oracle Net to send and receive break messages. If turned on, then the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols used by this client.

NETRF1056Default

OFF

NETRF1057Example

DISABLE_OOB=on

NAMES.DEFAULT_DOMAIN

NETRF1061Purpose

To set the domain from which the client most often looks up names resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.

For example, if the default domain is set to us.example.com, then the connect string CONNECT scott@sales gets searched as sales.us.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.us.example.com, then the domain is not appended to the string.

NETRF1062Default

None

NETRF1063Example

NAMES.DEFAULT_DOMAIN=example.com

NAMES.DIRECTORY_PATH

NETRF1064Purpose

To specify the order of the naming methods used for client name resolution lookups.

NETRF1065Default

NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)

NETRF1066Values

NETRF1068Example

NAMES.DIRECTORY_PATH=(tnsnames)

NAMES.LDAP_AUTHENTICATE_BIND

NETRF1069Purpose

To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.

NETRF1070Usage

The parameter value is Boolean.

If the parameter is set to TRUE, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.

If the parameter is set to FALSE, then the LDAP connection is established using an anonymous bind.

NETRF1071Default

FALSE

NETRF1072Example

NAMES.LDAP_AUTHENTICATE_BIND=TRUE

NAMES.LDAP_CONN_TIMEOUT

NETRF1980Purpose

To specify number of seconds for a non-blocking connect timeout to the LDAP server.

NETRF1981Usage

The parameter value -1 is for infinite timeout.

NETRF1982Default

15 seconds

NETRF1983Values

Values are in seconds. The range is -1 to the number of seconds acceptable for your environment. There is no upper limit.

NETRF1984Example

names.ldap_conn_timeout = -1

NAMES.LDAP_PERSISTENT_SESSION

NETRF1077Purpose

To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.

NETRF1078Usage

The parameter value is Boolean.

If the parameter is set to TRUE, then the connection to the LDAP server is left open after the name lookup is complete; the connection will effectively stay open for the duration of the process. If the connection is lost, then it will be re-established as needed.

If the parameter is set to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection. This option prevents the LDAP server from having a large number of clients connected to it at any one time.

NETRF1079Default

FALSE

NETRF1080Example

NAMES.LDAP_PERSISTENT_SESSION=TRUE

RECV_BUF_SIZE

NETRF1084Purpose

To specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

NETRF1085Default

The default value for this parameter is operating system-specific.

NETRF1086Usage

You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.

NETRF1087Example

RECV_BUF_SIZE=11784

SDP.PF_INET_SDP

NETRF1088Purpose

To specify the protocol family or address family constant for the SDP protocol on your system.

NETRF1089Default

27

NETRF1090Values

Any positive integer

NETRF1091Example

SDP.PF_INET_SDP=30

SEC_USER_AUDIT_ACTION_BANNER

NETRF1092Purpose

To specify a text file containing the banner contents that warn the user about possible user action auditing. The complete path of the text file must be specified in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.

NETRF1093Default

None

NETRF1094Values

Name of the file for which the database owner has read permissions.

NETRF1095Example

SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt

SEC_USER_UNAUTHORIZED_ACCESS_BANNER

NETRF1096Purpose

To specify a text file containing the banner contents that warn the user about unauthorized access to the database. The complete path of the text file must be specified in the sqlnet.ora file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.

NETRF1097Default

None

NETRF1098Values

Name of the file for which the database owner has read permissions.

NETRF1099Example

SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

SEND_BUF_SIZE

NETRF1100Purpose

To specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

NETRF1101Default

The default value for this parameter is operating system-specific.

NETRF1102Usage

You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.

NETRF1103Example

SEND_BUF_SIZE=11784

SQLNET.ALLOWED_LOGON_VERSION

NETRF1104Purpose

To set the minimum authentication protocol allowed when connecting to Oracle Database instances. The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client release does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

NETRF1985Usage Notes

A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, and 11G.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.

Note the following implications of setting the value to 12:

• To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.

• Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.

• If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, remove the SQLNET.ALLOWED_LOGON_VERSION setting to return to the default. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

• O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.

• O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.

• O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.

• O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

A higher ability value is more recent and secure than a lower ability value. Clients that are more recent have all the capabilities of the older clients.

The following table describes the allowed values, password versions, and descriptions:

^Footnote 1 This is considered "Exclusive Mode" because it excludes the use of the 10G password version.

NETRF1105Allowed Values

• 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)

• 11 for Oracle Database 11g authentication protocols

• 10 for Oracle Database 10g authentication protocols

• 9 for Oracle9i Database authentication protocols

• 8 for Oracle8i Database authentication protocols (default)

NETRF1106Default

8

NETRF1107Example

If both Oracle Database 11g and Oracle Database 10g are present, then set the parameter as follows:

SQLNET.ALLOWED_LOGON_VERSION=10

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE

NETRF1108Purpose

To define the name of the service used to obtain a Kerberos service ticket.

NETRF1109Default

None

NETRF1110Example

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle

SQLNET.AUTHENTICATION_SERVICES

NETRF1111Purpose

To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none or to one of the authentication methods.

NETRF1112Default

None

NETRF1113Values

• Authentication Methods Available with Oracle Net Services:

  • none for no authentication methods, including Microsoft Windows native operating system authentication. When SQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.

  • all for all authentication methods.

  • nts for Microsoft Windows native operating system authentication.

• Authentication Methods Available with Oracle Advanced Security:

  • kerberos5 for Kerberos authentication.

  • radius for RADIUS authentication.

  • tcps for SSL authentication.

NETRF1116Example

SQLNET.AUTHENTICATION_SERVICES=(kerberos5)

SQLNET.CLIENT_REGISTRATION

NETRF1117Purpose

To set a unique identifier for the client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.

NETRF1118Default

None

NETRF1119Example

SQLNET.CLIENT_REGISTRATION=1432

SQLNET.CRYPTO_CHECKSUM_CLIENT

NETRF1120Purpose

To specify the checksum behavior for the client.

NETRF1121Default

accepted

NETRF1122Values

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if the required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

NETRF1123Example

SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted

SQLNET.CRYPTO_CHECKSUM_SERVER

NETRF1124Purpose

To specify the checksum behavior for the database server.

NETRF1125Default

accepted

NETRF1126Values

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if the required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

NETRF1127Example

SQLNET.CRYPTO_CHECKSUM_SERVER=accepted

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

NETRF1128Purpose

To specify a list of crypto-checksum algorithms for the client to use.

NETRF1129Default

All available algorithms

NETRF1130Values

• md5 for the RSA Data Security MD5 algorithm.

• sha1 for the Secure Hash algorithm.

NETRF1131Example

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

NETRF1132Purpose

To specify a list of crypto-checksum algorithms for the database server to use.

NETRF1133Default

All available algorithms

NETRF1134Values

• md5 for the RSA Data Security's MD5 algorithm

• sha1 for the Secure Hash algorithm

NETRF1135Example

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)

SQLNET.ENCRYPTION_CLIENT

NETRF1139Purpose

To turn encryption on for the client.

NETRF1140Default

accepted

NETRF1141Values

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if the required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

NETRF1142Example

SQLNET.ENCRYPTION_CLIENT=accepted

SQLNET.ENCRYPTION_SERVER

NETRF1143Purpose

To turn encryption on for the database server.

NETRF1144Default

accepted

NETRF1145Values

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if the required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

NETRF1146Example

SQLNET.ENCRYPTION_SERVER=accepted

SQLNET.ENCRYPTION_TYPES_CLIENT

NETRF1147Purpose

To specify a list of encryption algorithms for the client to use.

NETRF1148Default

All available algorithms.

NETRF1149Values

One or more of the following:

• 3des112 for triple DES with a two-key (112-bit) option

• 3des168 for triple DES with a three-key (168-bit) option

• des for standard 56-bit key size

• des40 for 40-bit key size

• rc4_40 for 40-bit key size

• rc4_56 for 56-bit key size

• rc4_128 for 128-bit key size

• rc4_256 for 256-bit key size

NETRF1150Example

SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)

SQLNET.ENCRYPTION_TYPES_SERVER

NETRF1151Purpose

To specify a list of encryption algorithms for the database server to use.

NETRF1152Default

All available algorithms.

NETRF1153Values

One or more of the following:

• 3des112 for triple DES with a two-key (112-bit) option

• 3des168 for triple DES with a three-key (168-bit) option

• des for standard 56-bit key size

• des40 for 40-bit key size

• rc4_40 for 40-bit key size

• rc4_56 for 56-bit key size

• rc4_128 for 128-bit key size

• rc4_256 for 256-bit key size

NETRF1154Example

SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)

SQLNET.EXPIRE_TIME

NETRF1155Purpose

To specify a time interval, in minutes, to send a check to verify that client/server connections are active. The following usage notes apply to this parameter:

• Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination.

• If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.

• This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.

• Limitations on using this terminated connection detection feature are:

  • It is not allowed on bequeathed connections.

  • Though very small, a probe packet generates additional traffic that may downgrade network performance.

  • Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.

NETRF1156Default

0

NETRF1157Minimum Value

0

NETRF1158Recommended Value

10

NETRF1159Example

SQLNET.EXPIRE_TIME=10

SQLNET.INBOUND_CONNECT_TIMEOUT

NETRF1160Purpose

To specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:

• Set both parameters to an initial low value.

• Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.

NETRF1161Default

60 seconds

NETRF1162Example

SQLNET.INBOUND_CONNECT_TIMEOUT=3

SQLNET.KERBEROS5_CC_NAME

NETRF1163Purpose

To specify the complete path name to the Kerberos credentials cache file.

NETRF1164Default

/usr/tmp/krbcache on Linux and UNIX operating systems, and c:\tmp\krbcache on Microsoft Windows operating systems

NETRF1165Example

SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache

SQLNET.KERBEROS5_CLOCKSKEW

NETRF1166Purpose

To specify how many seconds can pass before a Kerberos credential is considered out of date.

NETRF1167Default

300

NETRF1168Example

SQLNET.KERBEROS5_CLOCKSKEW=1200

SQLNET.KERBEROS5_CONF

NETRF1169Purpose

To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.

NETRF1170Default

/krb5/krb.conf on Linux and UNIX operating systems and c:\krb5\krb.conf on Microsoft Windows operating systems

NETRF1171Example

SQLNET.KERBEROS5_CONF=/krb5/krb.conf

SQLNET.KERBEROS5_KEYTAB

NETRF1172Purpose

To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.

NETRF1173Default

/etc/v5srvtab on Linux and UNIX operating systems and c:\krb5\v5srvtab on Microsoft Windows operating systems

NETRF1174Example

SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

SQLNET.KERBEROS5_REALMS

NETRF1175Purpose

To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.

NETRF1176Default

/krb5/krb.realms on Linux and UNIX operating systems and c:\krb5\krb.realms on Microsoft Windows operating systems

NETRF1177Example

SQLNET.KERBEROS5_REALMS=/krb5/krb.realms

SQLNET.OUTBOUND_CONNECT_TIMEOUT

NETRF1178Purpose

To specify the time, in seconds, for a client to establish an Oracle Net connection to the database instance.

If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service.

Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable.

The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.

NETRF1179Default

None

NETRF1910Usage Notes

This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.

NETRF1180Example

SQLNET.OUTBOUND_CONNECT_TIMEOUT=10

SQLNET.RADIUS_ALTERNATE

NETRF1181Purpose

To specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.

NETRF1182Default

None

NETRF1183Example

SQLNET.RADIUS_ALTERNATE=radius2

SQLNET.RADIUS_ALTERNATE_PORT

NETRF1184Purpose

To specify the listening port of the alternate RADIUS server.

NETRF1185Default

1645

NETRF1186Example

SQLNET.RADIUS_ALTERNATE_PORT=1667

SQLNET.RADIUS_ALTERNATE_RETRIES

NETRF1187Purpose

To specify the number of times the database server should resend messages to the alternate RADIUS server.

NETRF1188Default

3

NETRF1189Example

SQLNET.RADIUS_ALTERNATE_RETRIES=4

SQLNET.RADIUS_AUTHENTICATION

NETRF1190Purpose

To specify the location of the primary RADIUS server, either by its host name or IP address.

NETRF1191Default

Local host

NETRF1192Example

SQLNET.RADIUS_AUTHENETICATION=officeacct

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

NETRF1193Purpose

To specify the class containing the user interface used to interact with the user.

NETRF1194Default

DefaultRadiusInterface

NETRF1195Example

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

SQLNET.RADIUS_AUTHENTICATION_PORT

NETRF1196Purpose

Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of the primary RADIUS server.

NETRF1197Default

1645

NETRF1198Example

SQLNET.RADIUS_AUTHENTICATION_PORT= 1667

SQLNET.RADIUS_AUTHENTICATION_RETRIES

NETRF1199Purpose

To specify the number of times the database server should resend messages to the primary RADIUS server.

NETRF1200Default

3

NETRF1201Example

SQLNET.RADIUS_AUTHENTICATION_RETRIES=4

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

NETRF1202Purpose

To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.

NETRF1203Default

5

NETRF1204Example

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10

SQLNET.RADIUS_CHALLENGE_RESPONSE

NETRF1205Purpose

To turn challenge response on or off.

NETRF1206Default

off

NETRF1207Values

on | off

NETRF1208Example

SQLNET.RADIUS_CHALLENGE_RESPONSE=on

SQLNET.RADIUS_SECRET

NETRF1209Purpose:

To specify the location of the RADIUS secret key.

NETRF1210Default

The ORACLE_HOME/network/security/radius.key file.

NETRF1211Example

SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey

SQLNET.RADIUS_SEND_ACCOUNTING

NETRF1212Purpose

To turn accounting on and off. If enabled, then packets are sent to the active RADIUS server at listening port plus one. The default port is 1646.

NETRF1213Default

off

NETRF1214Values

on | off

NETRF1215Example

SQLNET.RADIUS_SEND_ACCOUNTING=on

SQLNET.RECV_TIMEOUT

NETRF1216Purpose

To specify the time, in seconds, for a database server to wait for client data after establishing a connection. A client must send some data within the time interval.

For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If a client does not send any data in time specified, then the database server logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties.

You can also set this parameter on the client-side to specify the time, in seconds, for a client to wait for response data from the database server after connection establishment. Without this parameter, the client may wait a long period of time for a response from a database server saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT parameter.

NETRF1217Default

None

NETRF1218Example

SQLNET.RECV_TIMEOUT=3

SQLNET.SEND_TIMEOUT

NETRF1219Purpose

To specify the time, in seconds, for a database server to complete a send operation to clients after establishing a connection. Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.

If the database server cannot complete a send operation in the time specified, then it logs ORA-12535: TNS:operation timed out and ORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.

You can also set this parameter on the client-side to specify the time, in seconds, for a client to complete send operations to the database server after connection establishment. Without this parameter, the client may continue to send requests to a database server already saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.RECV_TIMEOUT parameter.

NETRF1220Default

None

NETRF1221Example

SQLNET.SEND_TIMEOUT=3

SSL_CERT_REVOCATION

NETRF1222Purpose

To configure a revocation check for a certificate.

NETRF1223Default

None

NETRF1224Values

• none to turn off certificate revocation checking. This is the default.

• requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

• required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

NETRF1225Example

SSL_CERT_REVOCATION=required

SSL_CERT_FILE

NETRF1226Purpose

To specify the name of the file where you can assemble the certificate revocation list (CRL) for client authentication.

This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

NETRF1227Default

None

NETRF1911Example

SSL_CERT_FILE=

SSL_CERT_PATH

NETRF1228Purpose

To specify the destination directory of the CRL of CA. The files in this directory are hashed symbolic links created by Oracle Wallet Manager. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

NETRF1229Default

None

NETRF1230Example

SSL_CERT_PATH=

SSL_CIPHER_SUITES

NETRF1231Purpose

To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.0).

NETRF1232Default

None

NETRF1233Values

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_DES_CBC_SHA

• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

• SSL_DH_anon_WITH_RC4_128_MD5

• SSL_DH_anon_WITH_DES_CBC_SHA

• SSL_RSA_EXPORT_WITH_RC4_40_MD5

• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

• SSL_RSA_WITH_AES_128_CBC_SHA

• SSL_RSA_WITH_AES_256_CBC_SHA

NETRF1234Example

SSL_CIPHER_SUITES=(ssl_rsa_with_rc4_138_md5)

SSL_CLIENT_AUTHENTICATION

NETRF1235Purpose

To specify whether a client, in addition to the database server, is authenticated using SSL.

NETRF1236Default

true

NETRF1237Values

true | false

NETRF1238Example

SSL_CLIENT_AUTHENTICATION=true

SSL_SERVER_DN_MATCH

NETRF1239Purpose

To enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verifications, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless if there is a match. Not enforcing the match allows the server to potentially fake its identify.

NETRF1240Default

no

NETRF1241Values

• yes | on | true to specify to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.

• no | off | false to specify not to enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.

NETRF1242Usage Notes

In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.

NETRF1243Example

SSL_SERVER_DN_MATCH=yes

SSL_VERSION

NETRF1244Purpose

To force the version of the SSL connection. Clients and database servers must use a compatible version.

NETRF1245Default

undetermined

NETRF1246Values

undetermined | 2.0 | 3.0

NETRF1247Example

SSL_VERSION=2.0

TCP.CONNECT_TIMEOUT

NETRF1248Purpose

To specify the time, in seconds, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server. If a TCP connection to the database host is not established in the time specified, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The timeout applies to each IP address to which a host name resolves. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice the TCP.CONNECT_TIMEOUT setting because there are two IP addresses. In this example, the default timeout setting of 60 would cause a timeout in 120 seconds.

NETRF1249Default

60

NETRF1250Example

TCP.CONNECT_TIMEOUT=10

TCP.EXCLUDED_NODES

NETRF1251Purpose

To specify which clients are denied access to the database.

NETRF1252Syntax

TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)

NETRF1986Usage Notes

• This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.

• This parameter can use wildcards for IPv4 addresses and CIDR (Classless Inter-Domain Routing) notation for IPv4 and IPv6 addresses.

NETRF1253Example

TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.168.2.25, 172.30.*, 2001:DB8:200C:417A/32)

TCP.INVITED_NODES

NETRF1254Purpose

To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.

NETRF1255Syntax

TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)

NETRF1987Usage Notes

• This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.

• This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.

NETRF1256Example

TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.168.*, 2001:DB8:200C:433B/32)

TCP.NODELAY

NETRF1261Purpose

To preempt delays in buffer flushing within the TCP/IP protocol stack.

NETRF1262Default

yes

NETRF1263Values

yes | no

NETRF1264Example

TCP.NODELAY=yes

TCP.VALIDNODE_CHECKING

NETRF1257Purpose

To enable and disable valid node checking for incoming connections. If this parameter is set to yes, then incoming connections are allowed only if they originate from a node that conforms to list specified by TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.

NETRF1258Default

no

NETRF1259Values

yes | no

NETRF1988Usage Notes

The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when the TCP.VALIDNODE_CHECKING parameter is set to yes.

NETRF1260Example

TCP.VALIDNODE_CHECKING=yes

TNSPING.TRACE_DIRECTORY

NETRF1265Purpose

To specify the destination directory for the TNSPING utility trace file, tnsping.trc.

NETRF1266Default

The ORACLE_HOME/network/trace directory.

NETRF1267Example

TNSPING.TRACE_DIRECTORY=/oracle/traces

TNSPING.TRACE_LEVEL

NETRF1268Purpose

To turn TNSPING utility tracing on at a specified level or to turn it off.

NETRF1269Default

off

NETRF1270Values

• off for no trace output

• user for user trace information

• admin for administration trace information

• support for Oracle Support Services trace information

NETRF1271Example

TNSPING.TRACE_LEVEL=admin

USE_CMAN

NETRF1272Purpose

To specify client routing to Oracle Connection Manager.

If set to true, then the parameter routes the client to a protocol address for an Oracle Connection Manager.

If set to false, then the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.

If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.

NETRF1273Default

false

NETRF1274Values

true | false

NETRF1275Example

USE_CMAN=true

USE_DEDICATED_SERVER

NETRF1276Purpose

To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. It overrides the current value of the SERVER parameter in the tnsnames.ora file.

If set to on, then the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.

NETRF1277Default

off

NETRF1278Values

• on to append (SERVER=dedicated)

• off to send requests to existing server processes

NETRF1279Example

USE_DEDICATED_SERVER=on

WALLET_LOCATION

NETRF1280Purpose

To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.

NETRF1281Syntax

The syntax depends on the wallet, as follows:

• Oracle wallets on the file system:

  WALLET_LOCATION=
    (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
         (DIRECTORY=directory)
         [(PKCS11=TRUE/FALSE)]))
  

• Microsoft certificate store:

  WALLET_LOCATION=
    (SOURCE=
       (METHOD=mcs))
  

• Oracle wallets in the Microsoft Windows registry:

  WALLET_LOCATION=
     (SOURCE=
        (METHOD=reg)
        (METHOD_DATA=
           (KEY=registry_key)))
  

• Entrust wallets:

  WALLET_LOCATION=
     (SOURCE=
        (METHOD=entr)
        (METHOD_DATA=
           (PROFILE=file.epf)
           (INIFILE=file.ini)))
  

NETRF1282Additional Parameters

WALLET_LOCATION supports the following parameters:

• SOURCE: The type of storage for wallets and storage location.

• METHOD: The type of storage.

• METHOD_DATA: The storage location.

• DIRECTORY: The location of Oracle wallets on file system.

• KEY: The wallet type and location in the Microsoft Windows registry.

• PROFILE: The Entrust profile file (.epf).

• INIFILE: The Entrust initialization file (.ini).

NETRF1283Default

None

NETRF1284Usage Notes

• The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.

• If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.

NETRF1285Values

true | false

NETRF1286Examples

Oracle wallets on file system:

WALLET_LOCATION=  
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=  
         (DIRECTORY=/etc/oracle/wallets/databases)))

Microsoft certificate store:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=mcs))
   

Oracle Wallets in the Microsoft Windows registry:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=REG)
     (METHOD_DATA=
        (KEY=SALESAPP)))

Entrust Wallets:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=entr)
     (METHOD_DATA=
       (PROFILE=/etc/oracle/wallets/test.epf)
       (INIFILE=/etc/oracle/wallets/test.ini)))

WALLET_OVERRIDE

NETRF1287Purpose

To determine whether the client should override the strong authentication credential with the password credential in the stored wallet to log in to the database.

NETRF1290Usage Notes

• When wallets are used for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is turned on so the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.

• Wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

• Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.

• Middle-tier applications create an Oracle Applications wallet at installation time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.

NETRF1912Values

TRUE | FALSE

NETRF1291Examples

WALLET_OVERRIDE=TRUE

ADR_BASE

NETRF1292Purpose

To specify the base directory into which tracing and logging incidents are stored when ADR is enabled.

NETRF1293Default

The default on the server side is ORACLE_BASE, or ORACLE_HOME/log, if ORACLE_BASE is not defined.

NETRF1294Values

Any valid directory path to a directory with write permission.

NETRF1295Example

ADR_BASE=/oracle/network/trace

DIAG_ADR_ENABLED

NETRF1296Purpose

To specify whether ADR tracing is enabled.

NETRF1297Usage

If the DIAG_ADR_ENABLED parameter is set to OFF, then non-ADR file tracing is used.

NETRF1298Default

on

NETRF1299Values

on | off

NETRF1300Example

DIAG_ADR_ENABLED=on

TRACE_LEVEL_CLIENT

NETRF1301Purpose

To turn client tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.

NETRF1302Default

off or 0

NETRF1303Values

• off or 0 for no trace output

• user or 4 for user trace information

• admin or 10 for administration trace information

• support or 16 for Oracle Support Services trace information

NETRF1304Example

TRACE_LEVEL_CLIENT=user

TRACE_LEVEL_SERVER

NETRF1305Purpose

To turn server tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.

NETRF1306Default

off or 0

NETRF1307Values

• off or 0 for no trace output

• user or 4 for user trace information

• admin or 10 for administration trace information

• support or 16 for Oracle Support Services trace information

NETRF1308Example

TRACE_LEVEL_SERVER=admin

TRACE_TIMESTAMP_CLIENT

NETRF1309Purpose

To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc. This parameter is also applicable when non-ADR tracing is used.

NETRF1310Default

on

NETRF1311Values

on or true | off or false

NETRF1312Example

TRACE_TIMESTAMP_CLIENT=true

TRACE_TIMESTAMP_SERVER

NETRF1313Purpose

To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc. This parameter is also applicable when non-ADR tracing is used.

NETRF1314Default

on

NETRF1315Values

on or true | off or false

NETRF1316Example

TRACE_TIMESTAMP_SERVER=true

LOG_DIRECTORY_CLIENT

NETRF1317Purpose

To specify the destination directory for the client log file. Use this parameter when ADR is not enabled.

NETRF1318Default

ORACLE_HOME/network/log

NETRF1319Values

Any valid directory path.

NETRF1320Example

LOG_DIRECTORY_CLIENT=/oracle/network/log

LOG_DIRECTORY_SERVER

NETRF1321Purpose

To specify the destination directory for the database server log file. Use this parameter when ADR is not enabled.

NETRF1322Default

ORACLE_HOME/network/trace

NETRF1323Values

Any valid directory path to a directory with write permission.

NETRF1324Example

LOG_DIRECTORY_SERVER=/oracle/network/trace

LOG_FILE_CLIENT

NETRF1325Purpose

To specify the name of the log file for the client. Use this parameter when ADR is not enabled.

NETRF1326Default

ORACLE_HOME/network/log/sqlnet.log

NETRF1327Values

The default value cannot be changed.

LOG_FILE_SERVER

NETRF1328Purpose

To specify the name of the log file for the database server. Use this parameter when ADR is not enabled.

NETRF1329Default

sqlnet.log

NETRF1330Example

LOG_FILE_SERVER=svr.log

TRACE_DIRECTORY_CLIENT

NETRF1331Purpose

To specify the destination directory for the client trace file. Use this parameter when ADR is not enabled.

NETRF1332Default

The current working directory.

NETRF1333Values

Any valid directory path to a directory with write permission.

NETRF1334Example

TRACE_DIRECTORY_CLIENT=/oracle/traces

TRACE_DIRECTORY_SERVER

NETRF1335Purpose

To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.

NETRF1336Default

ORACLE_HOME/network/trace

NETRF1337Values

Any valid directory path to a directory with write permission.

NETRF1338Example

TRACE_DIRECTORY_SERVER=/oracle/traces

TRACE_FILE_CLIENT

NETRF1339Purpose

To specify the name of the client trace file. Use this parameter when ADR is not enabled.

NETRF1340Values

Any valid file name.

NETRF1341Default

ORACLE_HOME/network/trace/cli.trc

NETRF1342Example

TRACE_FILE_CLIENT=clientsqlnet.trc

TRACE_FILE_SERVER

NETRF1343Purpose

To specify the name of the file to which the execution trace of the server program is written. Use this parameter when ADR is not enabled.

NETRF1344Default

ORACLE_HOME/network/trace/svr_pid.trc

NETRF1345Values

Any valid file name. The pid is appended to the name automatically.

NETRF1346Example

TRACE_FILE_SERVER=svrsqlnet.trc

TRACE_FILELEN_CLIENT

NETRF1347Purpose

To specify the size of the client trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.

NETRF1348Example

TRACE_FILELEN_CLIENT=100

TRACE_FILELEN_SERVER

NETRF1349Purpose

To specify the size of the database server trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.

NETRF1350Example

TRACE_FILELEN_SERVER=100

TRACE_FILENO_CLIENT

NETRF1351Purpose

To specify the number of trace files for client tracing. When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

NETRF1352Default

None

NETRF1353Example

TRACE_FILENO_CLIENT=3

TRACE_FILENO_SERVER

NETRF1354Purpose

To specify the number of trace files for database server tracing. When this parameter is set with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

NETRF1355Default

None

NETRF1356Example

TRACE_FILENO_SERVER=3

TRACE_UNIQUE_CLIENT

NETRF1357Purpose

To specify whether a unique trace file is created for each client trace session. When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.

NETRF1358Default

on

NETRF1359Values

on or off

NETRF1360Example

TRACE_UNIQUE_CLIENT=on