C Kerberos, SSL, and RADIUS Authentication Parameters
The sqlnet.ora
and the database initialization files provide Kerberos, RADIUS, or SSL authentication parameters.
- Parameters for Clients and Servers Using Kerberos Authentication
Oracle Database provides client and server parameters for using Kerberos authentication. - Parameters for Clients and Servers Using Secure Sockets Layer
Oracle provides parameters to control Secure Sockets Layer authentication. - Parameters for Clients and Servers Using RADIUS Authentication
Oracle provides parameters for RADIUS authentication.
Parent topic: Appendixes
Parameters for Clients and Servers Using Kerberos Authentication
Oracle Database provides client and server parameters for using Kerberos authentication.
Table C-1 lists parameters to insert into the configuration files for clients and servers using Kerberos.
Table C-1 Kerberos Authentication Parameters
File Name | Configuration Parameters |
---|---|
|
|
|
|
Parent topic: Kerberos, SSL, and RADIUS Authentication Parameters
Parameters for Clients and Servers Using Secure Sockets Layer
Oracle provides parameters to control Secure Sockets Layer authentication.
- Ways to Configure a Parameter for Secure Sockets Layer
There are two ways to configure a parameter for Secure Sockets Layer (SSL). - Secure Sockets Layer Authentication Parameters for Clients and Servers
Oracle provides both static and dynamic Secure Sockets Layer (SSL) authentication parameters. - Cipher Suite Parameters for Secure Sockets Layer
You can configure cipher suite parameters for Secure Sockets Layer (SSL). - Supported Secure Sockets Layer Cipher Suites
Oracle Database supports a large number of cipher suites for Secure Sockets Layer (SSL). - Secure Sockets Layer Version Parameters
You can set a range of Secure Sockets Layer (SSL) parameters to configure the version of SSL to use. - Secure Sockets Layer Client Authentication Parameters
You can configure static and dynamic parameters for Secure Sockes Layer (SSL) on the client. - Secure Sockets Layer X.509 Server Match Parameters
TheSSL_SERVER_DN_MATCH
andSSL_SERVER_CERT_DN
parameters validate the identity of the server to which a client connects. - Oracle Wallet Location
You must specify wallet location parameters for applications that must access an Oracle wallet for loading the security credentials into the process space.
Parent topic: Kerberos, SSL, and RADIUS Authentication Parameters
Ways to Configure a Parameter for Secure Sockets Layer
There are two ways to configure a parameter for Secure Sockets Layer (SSL).
-
Static: The name of the parameter that exists in the
sqlnet.ora
file. Parameters likeSSL_CIPHER_SUITES
andSSL_VERSION
can also be configured using thelistener.ora
file. -
Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.
Secure Sockets Layer Authentication Parameters for Clients and Servers
Oracle provides both static and dynamic Secure Sockets Layer (SSL) authentication parameters.
Table C-2 describes the static and dynamic parameters for configuring SSL on the server.
Table C-2 SSL Authentication Parameters for Clients and Servers
Attribute | Description |
---|---|
Parameter Name (static) |
|
Parameter Name (dynamic) |
|
Parameter Type |
String |
Parameter Class |
Static |
Permitted Values |
Add TCPS to the list of available authentication services. |
Default Value |
No default value. |
Description |
To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type. |
Existing/New Parameter |
Existing |
Syntax (static) |
|
Example (static) |
|
Syntax (dynamic) |
|
Example (dynamic) |
|
Cipher Suite Parameters for Secure Sockets Layer
You can configure cipher suite parameters for Secure Sockets Layer (SSL).
Table C-3 describes the static and dynamic parameters for configuring cipher suites.
Table C-3 Cipher Suite Parameters for Secure Sockets Layer
Attribute | Description |
---|---|
Parameter Name (static) |
|
Parameter Name (dynamic) |
|
Parameter Type |
String |
Parameter Class |
Static |
Permitted Values |
Any known SSL cipher suite |
Default Value |
No default |
Description |
Controls the combination of encryption and data integrity used by SSL. |
Existing/New Parameter |
Existing |
Syntax (static) |
|
Example (static) |
|
Syntax (dynamic) |
|
Example (dynamic) |
|
Supported Secure Sockets Layer Cipher Suites
Oracle Database supports a large number of cipher suites for Secure Sockets Layer (SSL).
The cipher suites are as follows:
-
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
SSL_RSA_WITH_AES_128_CBC_SHA256
-
SSL_RSA_WITH_AES_128_GCM_SHA256
-
SSL_RSA_WITH_AES_128_CBC_SHA
-
SSL_RSA_WITH_AES_256_CBC_SHA
-
SSL_RSA_WITH_AES_256_CBC_SHA256
Secure Sockets Layer Version Parameters
You can set a range of Secure Sockets Layer (SSL) parameters to configure the version of SSL to use.
Table C-4 describes the SSL_VERSION
static and dynamic parameters for configuring the version of SSL to be used.
Table C-4 Secure Sockets Layer Version Parameters
Attribute | Description |
---|---|
Parameter Name (static) |
|
Parameter Name (dynamic) |
|
Parameter Type |
string |
Parameter Class |
Static |
Permitted Values |
Any version which is valid to SSL. Values are as follows:
If you want to specify one version or another version, then use "or". The following values are permitted: 1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 | 1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 |1.2 or 1.1 or 1.0 or 3 |
Default Value |
If you set |
Description |
To force the version of the SSL connection. |
Existing/New Parameter |
New |
Syntax (static) |
|
Example (static) |
|
Syntax (dynamic) |
|
Example (dynamic) |
|
Note:
TheADD_SSLv3_IMPLICITLY
initialization parameter has no effect on the SSL_VERSION
parameter.
Secure Sockets Layer Client Authentication Parameters
You can configure static and dynamic parameters for Secure Sockes Layer (SSL) on the client.
Table C-5 describes the SSL_CLIENT_AUTHENTICATION
parameters.
Table C-5 Secure Sockets Layer Client Authentication Parameters
Attribute | Description |
---|---|
Parameter Name (static) |
|
Parameter Name (dynamic) |
|
Parameter Type |
Boolean |
Parameter Class |
Static |
Permitted Values |
|
Default Value |
|
Description |
To control whether a client, in addition to the server, is authenticated using SSL. |
Existing/New Parameter |
New |
Syntax (static) |
|
Example (static) |
|
Syntax (dynamic) |
|
Example (dynamic) |
|
Secure Sockets Layer X.509 Server Match Parameters
The SSL_SERVER_DN_MATCH
and SSL_SERVER_CERT_DN
parameters validate the identity of the server to which a client connects.
- SSL_SERVER_DN_MATCH
TheSSL_SERVER_DN_MATCH
parameter forces the server’s distinguished name (DN) to match the name of the servivce. - SSL_SERVER_CERT_DN
The SSL_SERVER_CERT_DN specifies the distinguished name (DN) of a server.
SSL_SERVER_DN_MATCH
The SSL_SERVER_DN_MATCH
parameter forces the server’s distinguished name (DN) to match the name of the servivce.
Table C-6 describes the SSL_SERVER_DN_MATCH
parameter.
Table C-6 SSL_SERVER_DN_MATCH Parameter
Attribute | Description |
---|---|
Parameter Name |
|
Where stored |
|
Purpose |
Use this parameter to force the server's distinguished name (DN) to match its service name. If you force the match verifications, SSL ensures that the certificate is from the server. If you choose not to enforce the match verification, SSL performs the check but permits the connection, regardless of whether there is a match. Not forcing the match lets the server potentially fake its identity. |
Values |
|
Default |
Oracle8i, or later:.FALSE. SSL client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to |
Usage Notes |
Additionally configure the |
Parent topic: Secure Sockets Layer X.509 Server Match Parameters
SSL_SERVER_CERT_DN
The SSL_SERVER_CERT_DN specifies the distinguished name (DN) of a server.
Table C-7 describes the SSL_SERVER_CERT_DN
parameter.
Table C-7 SSL_SERVER_CERT_DN Parameter
Attribute | Description |
---|---|
Parameter Name |
|
Where stored |
|
Purpose |
This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers to force the server's DN to match its service name. |
Values |
Set equal to distinguished name (DN) of the server. |
Default |
N/A |
Usage Notes |
Additionally configure the |
Example |
|
Parent topic: Secure Sockets Layer X.509 Server Match Parameters
Oracle Wallet Location
You must specify wallet location parameters for applications that must access an Oracle wallet for loading the security credentials into the process space.
Table C-8 lists the configuration files in which you must specify the wallet locations.
-
sqlnet.ora
-
listener.ora
Table C-8 Wallet Location Parameters
Static Configuration | Dynamic Configuration |
---|---|
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=your_wallet_dir) ) ) |
MY_WALLET_DIRECTORY
= your_wallet_dir |
The default wallet location is the ORACLE_HOME
directory.
Parameters for Clients and Servers Using RADIUS Authentication
Oracle provides parameters for RADIUS authentication.
- sqlnet.ora File Parameters
You can include RADIUS-specific parameters in thesqlnet.ora
file. - Minimum RADIUS Parameters
At minimum, you should use theSQLNET.AUTHENTICATION_SERVICES
andSQLNET.RADIUS.AUTHENTICATION
parameters. - Initialization File Parameter for RADIUS
For RADIUS, you should set theOS_AUTHENT_PREFIX
initialization parameter.
Parent topic: Kerberos, SSL, and RADIUS Authentication Parameters
sqlnet.ora File Parameters
You can include RADIUS-specific parameters in the sqlnet.ora
file.
- SQLNET.AUTHENTICATION_SERVICES
TheSQLNET.AUTHENTICATION_SERVICES
parameter configures the client or the server to use the RADIUS adapter. - SQLNET.RADIUS_ALTERNATE
TheSQLNET.RADIUS_ALTERNATE
parameter sets the location of an alternate RADIUS server to be used if the primary server is unavailable for fault tolerance. - SQLNET.RADIUS_ALTERNATE_PORT
TheSQLNET.RADIUS_ALTERNATE_PORT
parameter sets the listening port for the alternate RADIUS server. - SQLNET.RADIUS_ALTERNATE_TIMEOUT
TheSQLNET.RADIUS_ALTERNATE_TIMEOUT
parameter sets the time for an alternate RADIUS server to wait for a response. - SQLNET.RADIUS_ALTERNATE_RETRIES
TheSQLNET.RADIUS_ALTERNATE_RETRIES
parameter sets the number of times that the alternate RADIUS server resends messages. - SQLNET.RADIUS_AUTHENTICATION
TheSQLNET.RADIUS_AUTHENTICATION
parameter sets the location of the primary RADIUS server, either host name or dotted decimal format. - SQLNET.RADIUS_AUTHENTICATION_INTERFACE
TheSQLNET.RADIUS_AUTHENTICATION_INTERFACE
parameter sets the name of the Java class that contains the GUI when RADIUS is in challenge-response (asynchronous) mode. - SQLNET.RADIUS_AUTHENTICATION_PORT
TheSQLNET.RADIUS_AUTHENTICATION_PORT
parameter sets the listening port of the primary RADIUS server. - SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
TheSQLNET.RADIUS_AUTHENTICATION_TIMEOUT
parameter sets the time to wait for response. - SQLNET.RADIUS_AUTHENTICATION_RETRIES
TheSQLNET.RADIUS_AUTHENTICATION_RETRIES
parameter sets the number of times to resend authentication information. - SQLNET.RADIUS_CHALLENGE_RESPONSE
TheSQLNET.RADIUS_CHALLENGE_RESPONSE
parameter turns on or turns off the challenge-response or asynchronous mode support. - SQLNET.RADIUS_CHALLENGE_KEYWORD
TheSQLNET.RADIUS_CHALLENGE_KEYWORD
parameter sets the keyword to request a challenge from the RADIUS server. - SQLNET.RADIUS_CLASSPATH
TheSQLNET.RADIUS_CLASSPATH
parameter sets the path for Java classes and the JDK Java libraries. - SQLNET.RADIUS_SECRET
TheSQLNET.RADIUS_SECRET
parameter specifies the file name and location of the RADIUS secret key. - SQLNET.RADIUS_SEND_ACCOUNTING
TheSQLNET.RADIUS_SEND_ACCOUNTING
parameter turns accounting on or off.
SQLNET.AUTHENTICATION_SERVICES
The SQLNET.AUTHENTICATION_SERVICES
parameter configures the client or the server to use the RADIUS adapter.
Table C-9 describes the SQLNET.AUTHENTICATION_SERVICES
parameter attributes.
Table C-9 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
None |
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_ALTERNATE
The SQLNET.RADIUS_ALTERNATE
parameter sets the location of an alternate RADIUS server to be used if the primary server is unavailable for fault tolerance.
Table C-10 describes the SQLNET.RADIUS_ALTERNATE
parameter attributes.
Table C-10 SQLNET.RADIUS_ALTERNATE Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_ALTERNATE_PORT
The SQLNET.RADIUS_ALTERNATE_PORT
parameter sets the listening port for the alternate RADIUS server.
Table C-11 describes the SQLNET.RADIUS_ALTERNATE_PORT
parameter attributes.
Table C-11 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_ALTERNATE_TIMEOUT
The SQLNET.RADIUS_ALTERNATE_TIMEOUT
parameter sets the time for an alternate RADIUS server to wait for a response.
Table C-12 describes the SQLNET.RADIUS_ALTERNATE_TIMEOUT
parameter attributes.
Table C-12 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_ALTERNATE_RETRIES
The SQLNET.RADIUS_ALTERNATE_RETRIES
parameter sets the number of times that the alternate RADIUS server resends messages.
Table C-13 describes the SQLNET.RADIUS_ALTERNATE_RETRIES
parameter attributes.
Table C-13 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_AUTHENTICATION
The SQLNET.RADIUS_AUTHENTICATION
parameter sets the location of the primary RADIUS server, either host name or dotted decimal format.
If the RADIUS server is on a different computer from the Oracle server, you must specify either the host name or the IP address of that computer.
Table C-14 describes the SQLNET.RADIUS_AUTHENTICATION
parameter attributes.
Table C-14 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_AUTHENTICATION_INTERFACE
The SQLNET.RADIUS_AUTHENTICATION_INTERFACE
parameter sets the name of the Java class that contains the GUI when RADIUS is in challenge-response (asynchronous) mode.
Table C-15 describes the SQLNET.RADIUS_AUTHENTICATION_INTERFACE
parameter attributes.
Table C-15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_AUTHENTICATION_PORT
The SQLNET.RADIUS_AUTHENTICATION_PORT
parameter sets the listening port of the primary RADIUS server.
Table C-16 describes the SQLNET.RADIUS_AUTHENTICATION_PORT
parameter attributes.
Table C-16 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
The SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
parameter sets the time to wait for response.
Table C-17 describes the SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
parameter attributes.
Table C-17 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_AUTHENTICATION_RETRIES
The SQLNET.RADIUS_AUTHENTICATION_RETRIES
parameter sets the number of times to resend authentication information.
Table C-18 describes the SQLNET.RADIUS_AUTHENTICATION_RETRIES
parameter attributes.
Table C-18 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_CHALLENGE_RESPONSE
The SQLNET.RADIUS_CHALLENGE_RESPONSE
parameter turns on or turns off the challenge-response or asynchronous mode support.
Table C-19 describes the SQLNET.RADIUS_CHALLENGE_RESPONSE
parameter attributes.
Table C-19 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_CHALLENGE_KEYWORD
The SQLNET.RADIUS_CHALLENGE_KEYWORD
parameter sets the keyword to request a challenge from the RADIUS server.
The user types no password on the client.
Table C-20 describes the SQLNET.RADIUS_CHALLENGE_KEYWORD
parameter attributes.
Table C-20 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_CLASSPATH
The SQLNET.RADIUS_CLASSPATH
parameter sets the path for Java classes and the JDK Java libraries.
If you decide to use the challenge-response authentication mode, then RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card.
Add the SQLNET.RADIUS_CLASSPATH
parameter in the sqlnet.ora
file to set the path for the Java classes for that graphical interface, and to set the path to the JDK Java libraries.
Table C-21 describes the SQLNET.RADIUS_CLASSPATH
parameter attributes.
Table C-21 SQLNET.RADIUS_CLASSPATH Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_SECRET
The SQLNET.RADIUS_SECRET
parameter specifies the file name and location of the RADIUS secret key.
Table C-22 describes the SQLNET.RADIUS_SECRET
parameter attributes.
Table C-22 SQLNET.RADIUS_SECRET Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
SQLNET.RADIUS_SEND_ACCOUNTING
The SQLNET.RADIUS_SEND_ACCOUNTING
parameter turns accounting on or off.
If you enable accounting, packets will be sent to the active RADIUS server at the listening port plus one. By default, packets are sent to port 1646. You need to turn this feature on only when your RADIUS server supports accounting and you want to keep track of the number of times the user is logging on to the system.
Table C-23 describes the SQLNET.RADIUS_SEND_ACCOUNTING
parameter attributes.
Table C-23 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes
Attribute | Description |
---|---|
Syntax |
|
Default setting |
|
Parent topic: sqlnet.ora File Parameters
Minimum RADIUS Parameters
At minimum, you should use the SQLNET.AUTHENTICATION_SERVICES
and SQLNET.RADIUS.AUTHENTICATION
parameters.
Use the following settings:
sqlnet.authentication_services = (radius) sqlnet.radius.authentication = IP-address-of-RADIUS-server