5 Parameters for the sqlnet.ora File
This chapter provides a complete listing of the sqlnet.ora
file configuration parameters.
- Overview of Profile Configuration File
- sqlnet.ora Profile Parameters
- ADR Diagnostic Parameters in sqlnet.ora
The diagnostic data for the critical errors is quickly captured and stored in the ADR forsqlnet.ora
. - Non-ADR Diagnostic Parameters in sqlnet.ora
5.1 Overview of Profile Configuration File
The sqlnet.ora
file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the sqlnet.ora
file. These parameters specify whether clients are allowed or denied access based on the protocol.
The sqlnet.ora
file enables you to do the following:
-
Specify the client domain to append to unqualified names
-
Prioritize naming methods
-
Enable logging and tracing features
-
Route connections through specific processes
-
Configure parameters for external naming
-
Configure Oracle Advanced Security
-
Use protocol-specific parameters to restrict access to the database
By default, the sqlnet.ora
file is located in the ORACLE_HOME/network/admin
directory. The sqlnet.ora
file can also be stored in the directory specified by the TNS_ADMIN
environment variable.
Note:
-
The settings in the
sqlnet.ora
file apply to all pluggable databases (PDBs) in a multitenant container database environment. -
Oracle Net Services supports the IFILE parameter in the
sqlnet.ora
file, with up to three levels of nesting. The parameter is added manually to the file. The following is an example of the syntax:IFILE=/tmp/listener_em.ora IFILE=/tmp/listener_cust1.ora IFILE=/tmp/listener_cust2.ora
Refer to Oracle Database Reference for additional information.
-
In the read-only Oracle home mode,, the
sqlnet.ora
file default location isORACLE_BASE_HOME/network/admin
. -
In the read-only Oracle home mode, the parameters that default to
ORACLE_HOME
location change to default toORACLE_BASE_HOME
location.
Parent topic: Parameters for the sqlnet.ora File
5.2 sqlnet.ora Profile Parameters
This section lists and describes the following sqlnet.ora
file parameters:
- ACCEPT_MD5_CERTS
- ACCEPT_SHA1_CERTS
- ADD_SSLV3_TO_DEFAULT
- EXADIRECT_FLOW_CONTROL
- EXADIRECT_RECVPOLL
- DEFAULT_SDU_SIZE
- DISABLE_OOB
DISABLE_OOB is a networking parameter of the sqlnet.ora file and is used to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol. - DISABLE_OOB_AUTO
TheDISABLE_OOB_AUTO
networking parameter of thesqlnet.ora
file checks the server path for out-of-band break messages support at the connection time. - HTTPS_SSL_VERSION
- IPC.KEYPATH
- NAMES.DEFAULT_DOMAIN
- NAMES.DIRECTORY_PATH
- NAMES.LDAP_AUTHENTICATE_BIND
- NAMES.LDAP_CONN_TIMEOUT
- NAMES.LDAP_PERSISTENT_SESSION
- NAMES.NIS.META_MAP
- RECV_BUF_SIZE
- SDP.PF_INET_SDP
- SEC_USER_AUDIT_ACTION_BANNER
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER
- SEND_BUF_SIZE
- SQLNET.ALLOWED_LOGON_VERSION_CLIENT
- SQLNET.ALLOWED_LOGON_VERSION_SERVER
- SQLNET.AUTHENTICATION_SERVICES
- SQLNET.CLIENT_REGISTRATION
- SQLNET.CLOUD_USER
- SQLNET.COMPRESSION
- SQLNET.COMPRESSION_ACCELERATION
- SQLNET.COMPRESSION_LEVELS
- SQLNET.COMPRESSION_THRESHOLD
- SQLNET.CRYPTO_CHECKSUM_CLIENT
- SQLNET.CRYPTO_CHECKSUM_SERVER
- SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
- SQLNET.DBFW_PUBLIC_KEY
- SQLNET.DOWN_HOSTS_TIMEOUT
- SQLNET.ENCRYPTION_CLIENT
The SQLNET.ENCRYPTION_CLIENT networking parameter turns encryptionon
for the client. - SQLNET.ENCRYPTION_SERVER
TheSQLNET.ENCRYPTION_SERVER
networking parameter turns encryption on for the database server. - SQLNET.ENCRYPTION_TYPES_CLIENT
- SQLNET.ENCRYPTION_TYPES_SERVER
- SQLNET.EXPIRE_TIME
- SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
TheSQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
parameter is used on the server-side to ignore the value set inSQLNET.ENCRYPTION_SERVER
for TCPS connections (effectively disabling ANO encryption on the TCPS listener). - SQLNET.INBOUND_CONNECT_TIMEOUT
- SQLNET.FALLBACK_AUTHENTICATION
- SQLNET.KERBEROS5_CC_NAME
- SQLNET.KERBEROS5_CLOCKSKEW
- SQLNET.KERBEROS5_CONF
- SQLNET.KERBEROS5_CONF_LOCATION
- SQLNET.KERBEROS5_KEYTAB
- SQLNET.KERBEROS5_REALMS
- SQLNET.KERBEROS5_REPLAY_CACHE
- SQLNET.OUTBOUND_CONNECT_TIMEOUT
- SQLNET.RADIUS_ALTERNATE
- SQLNET.RADIUS_ALTERNATE_PORT
- SQLNET.RADIUS_ALTERNATE_RETRIES
- SQLNET.RADIUS_AUTHENTICATION
- SQLNET.RADIUS_AUTHENTICATION_INTERFACE
- SQLNET.RADIUS_AUTHENTICATION_PORT
- SQLNET.RADIUS_AUTHENTICATION_RETRIES
- SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
- SQLNET.RADIUS_CHALLENGE_RESPONSE
- SQLNET.RADIUS_SECRET
- SQLNET.RADIUS_SEND_ACCOUNTING
- SQLNET.RECV_TIMEOUT
- SQLNET.SEND_TIMEOUT
- SQLNET.URI
SQLNET.URI
networking parameter of thesqlnet.ora
file specifies a database client URI mapping on the web server. - SQLNET.USE_HTTPS_PROXY
- SQLNET.WALLET_OVERRIDE
- SSL_CERT_REVOCATION
- SSL_CRL_FILE
- SSL_CRL_PATH
- SSL_CIPHER_SUITES
- SSL_EXTENDED_KEY_USAGE
- SSL_SERVER_DN_MATCH
- SSL_VERSION
- TCP.CONNECT_TIMEOUT
- TCP.EXCLUDED_NODES
- TCP.INVITED_NODES
- TCP.NODELAY
- TCP.QUEUESIZE
- TCP.VALIDNODE_CHECKING
- TNSPING.TRACE_DIRECTORY
- TNSPING.TRACE_LEVEL
- USE_CMAN
- USE_DEDICATED_SERVER
- WALLET_LOCATION
- BEQUEATH_DETACH
It ix asqlnet.ora
networking parameter handling signals for Linux and UNIX systems.
Parent topic: Parameters for the sqlnet.ora File
5.2.1 ACCEPT_MD5_CERTS
Purpose
To accept MD5 signed certificates, in addition to sqlnet.ora
, this parameter must also be set in listener.ora
.
Default
FALSE
Values
-
TRUE
to accept MD5 signed certificates -
FALSE
to not accept MD5 signed certficates
Parent topic: sqlnet.ora Profile Parameters
5.2.2 ACCEPT_SHA1_CERTS
Purpose
To not accept SHA1 signed certificates, in addition to sqlnet.ora
, this parameter must also be set in listener.ora
.
Default
TRUE
Values
-
TRUE
to accept SHA1 signed certificates -
FALSE
to not accept SHA1 signed certificates
Parent topic: sqlnet.ora Profile Parameters
5.2.3 ADD_SSLV3_TO_DEFAULT
Purpose
If the server wants to accept SSL_VERSION=3.0
in its default list of SSL_VERSION
s, then in addition to sqlnet.ora
, this parameter must also be set in listener.ora
.
Default
FALSE
Values
-
If set to
TRUE
andSSL_VERSION
is not specified or is set to "undetermined", thenSSL_VERSION
includes versions1.2
,1.1
,1.0
, and3.0
. -
If set to
FALSE
andSSL_VERSION
is not specified or is set to "undetermined", thenSSL_VERSION
includes versions1.2
,1.1
, and1.0
Parent topic: sqlnet.ora Profile Parameters
5.2.4 EXADIRECT_FLOW_CONTROL
Purpose
To enable or disable Exadirect flow control.
Usage Notes
If turned on, the parameter enables Oracle Net to broadcast available receive window to the sender. The sender limits the sends based on the receiver broadcast window.
Default
off
Example
EXADIRECT_FLOW_CONTROL=on
Parent topic: sqlnet.ora Profile Parameters
5.2.5 EXADIRECT_RECVPOLL
Purpose
To specify the time that a receiver polls for incoming data.
Usage Notes
The parameter can be set to a fixed value or AUTO
for auto tuning of the polling value.
Default
0
Example
EXADIRECT_RECVPOLL = 10
EXADIRECT_RECVPOLL = AUTO
Parent topic: sqlnet.ora Profile Parameters
5.2.6 DEFAULT_SDU_SIZE
Purpose
To specify the session data unit (SDU) size, in bytes to connections.
Usage Notes
Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora
file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.
You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.
Default
8192 bytes (8 KB)
Values
512 to 2097152 bytes
Example 5-1 Example
DEFAULT_SDU_SIZE=4096
Parent topic: sqlnet.ora Profile Parameters
5.2.7 DISABLE_OOB
DISABLE_OOB is a networking parameter of the sqlnet.ora file and is used to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.
Purpose
To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.
Usage Notes
If turned off
, then the parameter enables Oracle Net to send and receive break messages. If turned on
, then the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols used by this client.
Default
off
Example 5-2 Example
DISABLE_OOB=on
Parent topic: sqlnet.ora Profile Parameters
5.2.8 DISABLE_OOB_AUTO
The DISABLE_OOB_AUTO
networking parameter of the sqlnet.ora
file checks the server path for out-of-band break messages support at the connection time.
Purpose
Disable automatic out-of-band (OOB) support checks the server path at connection time.
Usage Notes
By default, the client checks if the server path supports out-of-band break messages or not at the connection time. If this parameter is set to TRUE
, then the client does not perform this check at the connection time.
Default
FALSE
Example 5-3 Example
DISABLE_OOB_AUTO = TRUE
Parent topic: sqlnet.ora Profile Parameters
5.2.9 HTTPS_SSL_VERSION
Purpose
To control the Secure Sockets Layer (SSL) version used by XDB HTTPS connections separately.
Usage Notes
In particular, the SSL_VERSION
parameter no longer controls the SSL version used by HTTPS. You can set this parameter to any valid SSL_VERSION
values.
Default
1.1
or 1.2
, meaning TLSv1.1
or TLSv1.2
.
Values
Any valid SSL_VERSION
value
Parent topic: sqlnet.ora Profile Parameters
5.2.10 IPC.KEYPATH
Purpose
To specify the destination directory where the internal file is created for UNIX domain sockets.
Usage Notes
This parameter applies only to Oracle Net's usage of UNIX domain socket and does not apply to other usages of UNIX domain sockets in the database, such as clusterware. If keypath
is used, then the same value should be used on both the client and the listener sides with version greater than 18.
Default
The directory path is either /var/tmp/.oracle
for Oracle Linux, Oracle Solaris or /tmp/.oracle
for other UNIX variants.
Example
ipc.keypath=/home/oracleuser
.
Parent topic: sqlnet.ora Profile Parameters
5.2.11 NAMES.DEFAULT_DOMAIN
Purpose
To set the domain from which the client most often looks up names resolution requests.
Usage Notes
When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.
For example, if the default domain is set to us.example.com
, then the connect string CONNECT scott@sales
gets searched as sales.us.example.com
. If the connect string includes the domain extension, such as CONNECT scott@sales.us.example.com
, then the domain is not appended to the string.
Default
None
Example
NAMES.DEFAULT_DOMAIN=example.com
Parent topic: sqlnet.ora Profile Parameters
5.2.12 NAMES.DIRECTORY_PATH
Purpose
To specify the order of the naming methods used for client name resolution lookups.
Default
NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)
Values
The following table shows the NAMES.DIRECTORY_PATH values for the naming methods.
Naming Method Value | Description |
---|---|
|
Set to resolve a network service name through the |
|
Set to resolve a database service name, net service name, or network service alias through a directory server. |
Select to enable clients to use a TCP/IP connect identifier, consisting of a host name and optional port and service name. |
|
|
Set to resolve service information through an existing Network Information Service (NIS). |
Example
NAMES.DIRECTORY_PATH=(tnsnames)
Parent topic: sqlnet.ora Profile Parameters
5.2.13 NAMES.LDAP_AUTHENTICATE_BIND
Purpose
To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.
Usage Notes
The parameter value is Boolean.
If the parameter is set to TRUE
, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.
If the parameter is set to FALSE
, then the LDAP connection is established using an anonymous bind.
Default
false
Example
NAMES.LDAP_AUTHENTICATE_BIND=true
Parent topic: sqlnet.ora Profile Parameters
5.2.14 NAMES.LDAP_CONN_TIMEOUT
Purpose
To specify number of seconds for a non-blocking connect timeout to the LDAP server.
Usage Notes
The parameter value -1 is for infinite timeout.
Default
15 seconds
Values
Values are in seconds. The range is -1
to the number of seconds acceptable for your environment. There is no upper limit.
Example
names.ldap_conn_timeout = -1
Parent topic: sqlnet.ora Profile Parameters
5.2.15 NAMES.LDAP_PERSISTENT_SESSION
Purpose
To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.
Usage Notes
The parameter value is Boolean.
If the parameter is set to TRUE
, then the connection to the LDAP server is left open after the name lookup is complete. The connection will effectively stay open for the duration of the process. If the connection is lost, then it is re-established as needed.
If the parameter is set to FALSE
, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection. This option prevents the LDAP server from having a large number of clients connected to it at any one time.
Default
false
Example
NAMES.LDAP_PERSISTENT_SESSION=true
Parent topic: sqlnet.ora Profile Parameters
5.2.16 NAMES.NIS.META_MAP
Purpose
To specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.
Default
sqlnet.maps
Example
NAMES.NIS.META_MAP=sqlnet.maps
Parent topic: sqlnet.ora Profile Parameters
5.2.17 RECV_BUF_SIZE
Purpose
To specify the buffer space limit for receive operations of sessions.
Usage Notes
You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.
This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter
Default
The default value for this parameter is operating system specific. The default for Linux 2.6 operating system is 87380 bytes.
Example
RECV_BUF_SIZE=11784
Parent topic: sqlnet.ora Profile Parameters
5.2.18 SDP.PF_INET_SDP
Purpose
To specify the protocol family or address family constant for the SDP protocol on your system.
Default
27
Values
Any positive integer
Example
SDP.PF_INET_SDP=30
Parent topic: sqlnet.ora Profile Parameters
5.2.19 SEC_USER_AUDIT_ACTION_BANNER
Purpose
To specify a text file containing the banner contents that warn the user about possible user action auditing.
Usage Notes
The complete path of the text file must be specified in the sqlnet.ora
file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt
Parent topic: sqlnet.ora Profile Parameters
5.2.20 SEC_USER_UNAUTHORIZED_ACCESS_BANNER
Purpose
To specify a text file containing the banner contents that warn the user about unauthorized access to the database.
Usage Notes
The complete path of the text file must be specified in the sqlnet.ora
file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt
Parent topic: sqlnet.ora Profile Parameters
5.2.21 SEND_BUF_SIZE
Purpose
To specify the buffer space limit for send operations of sessions.
Usage Notes
You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.
This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter
Default
The default value for this parameter is operating system specific. The default for Linux 2.6 operating system is 16 KB.
Example
SEND_BUF_SIZE=11784
Parent topic: sqlnet.ora Profile Parameters
5.2.22 SQLNET.ALLOWED_LOGON_VERSION_CLIENT
Purpose
To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.
Usage Notes
The term VERSION
in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol
error.
See Also:
Values
-
12a
for Oracle Database 12c Release 1 (12.1.0.2) or later (strongest protection)Note:
Using this setting, the clients can only authenticate using a de-optimized password version. For example, the12C
password version. -
12
for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (stronger protection)Note:
Using this setting, the clients can only authenticate using a password hash value that uses salt. For example, the11G
or12C
password versions. -
11
for Oracle Database 11g authentication protocols (default) -
10
for Oracle Database 10g authentication protocols -
8
for Oracle8i authentication protocol
Default
11
Example
If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT
parameter should be set as follows in order for the database link connection to proceed:
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
See Also:
Oracle Database ReferenceParent topic: sqlnet.ora Profile Parameters
5.2.23 SQLNET.ALLOWED_LOGON_VERSION_SERVER
Purpose
To set the minimum authentication protocol allowed when connecting to Oracle Database instances.
Usage Notes
The term VERSION
in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
The authentication fails with an ORA-28040: No matching authentication protocol
error or an ORA-03134: Connections to this server version are no longer supported
error if the client does not have the ability listed in the "Ability Required of the Client" column corresponding to the row matching the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter in Table 1.
See Also:
A setting of 8
permits all password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS
values 10G
, 11G
, and 12C
.
A setting of 12a
permits only the 12C
password version.
A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. Whether a client can authenticate to a specific account depends on both the server's setting of its SQLNET.ALLOWED_LOGON_VERSION_SERVER
parameter, as well as on the password versions which exist for the specified account. The list of password versions can be seen in DBA_USERS.PASSWORD_VERSIONS
.
Note the following implications of setting the value to 12
or 12a
:
-
A value of
FALSE
for theSEC_CASE_SENSITIVE_LOGON
Oracle instance initialization parameter must not be used because password case insensitivity requires the use of the10G
password version. If theSEC_CASE_SENSITIVE_LOGON
Oracle instance initialization parameter is set toFALSE
, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the10G
password version. TheSEC_CASE_SENSITIVE_LOGON
Oracle instance initialization parameter enables or disables password case sensitivity. However, since Exclusive mode is enabled by default in this release, disabling the password case sensitivity is not supported.Note:
-
The use of the Oracle instance initialization parameter
SEC_CASE_SENSITIVE_LOGON
is deprecated in favor of setting theSQLNET.ALLOWED_LOGON_VERSION_SERVER
parameter to12
to ensure that passwords are treated in a case-sensitive fashion. -
Disabling password case sensitivity is not supported in Exclusive mode (when
SQLNET.ALLOWED_LOGON_VERSION_SERVER
is set to12
or12a
.)
-
-
Releases of OCI clients earlier than Oracle Database 10g cannot authenticate to the Oracle database using password-based authentication.
-
If the client uses Oracle Database 10g, then the client will receive an
ORA-03134: Connections to this server version are no longer supported
error message. To allow the connection, set theSQLNET.ALLOWED_LOGON_VERSION_SERVER
value to8
. Ensure theDBA_USERS.PASSWORD_VERSIONS
value for the account contains the value10G
. It may be necessary to reset the password for that account.
Note the following implication of setting the value to 12a
:
-
To take advantage of the new
12C
password version introduced in Oracle Database release 12.2, user passwords should be expired to encourage users to change their passwords and cause the new12C
password version to be generated for their account. By default in this release, new passwords are treated in a case-sensitive fashion. When an account password is changed, the earlier10G
case-insensitive password version is automatically removed, and the new12C
password version is generated. -
When an account password is changed, the earlier
10G
case-insensitive password version and the11G
password version are both automatically removed. -
JDBC Thin Client Support:
In Oracle Database release 12.1.0.2 and later, if you set the
sqlnet.ora
parameterSQLNET.ALLOWED_LOGON_VERSION_SERVER
to12a
and you create a new account or change the password of an existing account, then only the new12C
password version is generated. The12C
password version is based on aSHA-2 (Secure Hash Algorithm) SHA-512
salted cryptographic hash deoptimized using thePBKDF2
(Password-Based Key Derivation Function 2) algorithm. When the database server is running withALLOWED_LOGON_VERSION_SERVER
set to12a
, it is running in Exclusive Mode. In this mode, to log in using a JDBC client, the JRE version must be at least version 8. The JDBC client enables itsO7L_MR
capability flag only when it is running with at least version 8 of the JRE.Note:
Check thePASSWORD_VERSIONS
column of theDBA_USERS
catalog view to see the list of password versions for any given account.If you set the
sqlnet.ora
parameterSQLNET.ALLOWED_LOGON_VERSION_SERVER
to12
, the server runs in Exclusive Mode and only the11G
and12C
password versions (theSHA-1
andPBKDF2 SHA-2
based hashes of the password, respectively) are generated and allowed to be used. In such cases, fully-patched JDBC clients having the CPUOct2012 patch can connect because these JDBC clients provide theO5L_NP
client ability.Older JDBC clients which do not have the CPUOct2012 containing the fix for the stealth password cracking vulnerability CVE-2012-3132, do not provide the
O5L_NP
client ability. Therefore, ensure that all the JDBC clients are patched properly.
The client must support certain abilities of the authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol
error message.
The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.
-
O7L_MR
: The ability to perform the Oracle Database 10g authentication protocol using the12C
password version. For JDBC clients, only those running on at least JRE version 8 offer the O7L_MR capability. -
O5L_NP
: The ability to perform the Oracle Database 10g authentication protocol using the11G
password version, and generating a session key encrypted for critical patch update CPUOct2012. -
O5L
: The ability to perform the Oracle Database 10g authentication protocol using the10G
password version. -
O4L
: The ability to perform the Oracle9i database authentication protocol using the10G
password version. -
O3L
: The ability to perform the Oracle8i database authentication protocol using the10G
password version.
An ability which appears higher in the above list is more recent and secure than an ability which appears lower in the list. Clients that are more recent have all the capabilities of the older clients.
-
the allowed settings of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter
-
its effect on the generated password versions when an account is created or a password is changed
-
the ability flag required of the client to authenticate while the server has this setting
-
and whether the setting is considered to be an Exclusive Mode.
Table 5-1 SQLNET.ALLOWED_LOGON_VERSION_SERVER Settings
Value of the ALLOWED_LOGON_VERSION_SERVER Parameter | Generated Password Version | Ability Required of the Client | Meaning for Clients | Server Runs in Exclusive Mode |
---|---|---|---|---|
|
|
|
Only Oracle Database 12c release 1 (12.1.0.2 or later) clients can connect to the server. |
Yes because it excludes the use of both |
|
|
|
Oracle Database 11g release 2 (11.2.0.3 or later) clients can connect to the server. Older clients need the critical patch update CPUOct2012 or later, to gain the O5L_NP ability. Only older clients which have applied critical patch update CPUOct2012 or later can connect to the server. |
Yes because it excludes the use of the |
|
|
|
Clients using Oracle Database 10g and later can connect to the server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the |
No |
|
|
|
It has the same meaning as the earlier row. |
No |
|
|
|
It has the same meaning as the earlier row. |
No |
|
|
|
It has the same meaning as the earlier row. |
No |
Values
-
12a
for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection) -
12
for Oracle Database 12c release 12.1 authentication protocols (default and recommended value) -
11
for Oracle Database 11g authentication protocols -
10
for Oracle Database 10g authentication protocols -
9
for Oracle9i Database authentication protocol -
8
for Oracle8i Database authentication protocol
Note:
-
Starting with Oracle Database 12c Release 2 (12.2), the default value is 12.
-
For earlier releases, the value 12 can be used after the critical patch updates CPUOct2012 and later are applied.
Default
12
Example
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
Parent topic: sqlnet.ora Profile Parameters
5.2.24 SQLNET.AUTHENTICATION_SERVICES
Purpose
To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none
or to one of the listed authentication methods.
Usage Notes
When using the SQLNET.AUTHENTICATION_SERVICES
value all
, the server attempts to authenticate using each of the following methods. The server falls back to the ones lower on the list if the ones higher on the list were unsuccessful.
-
Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.
-
Authentication based on the operating system user's membership in an administrative operating system group. Group names are platform-specific. This authentication is applicable to administrative connections only.
-
Authentication performed by the database.
-
Authentication based on credentials stored in a directory server.
Operating system authentication allows access to the database using any user name and any password when an administrative connection is attempted, such as using the AS SYSDBA
clause when connecting using SQL*Plus. An example of a connection is as follows.
sqlplus ignored_username/ignored_password AS SYSDBA
When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because the user name and password are ignored by the server due to checking the group membership first.
See Also:
Oracle Database Security Guide for additional information about authentication methods
Default
all
Note:
When installing the database with Database Configuration Assistant (DBCA), this parameter may be set to nts
in the sqlnet.ora
file.
Values
Authentication methods available with Oracle Net Services:
-
none
for no authentication methods, including Microsoft Windows native operating system authentication. WhenSQLNET.AUTHENTICATION_SERVICES
is set tonone
, a valid user name and password can be used to access the database. -
all
for all authentication methods. -
beq
for native operating system authentication for operating systems other than Microsoft Windows -
kerberos5
for Kerberos authentication -
nts
for Microsoft Windows native operating system authentication -
radius
for Remote Authentication Dial-In User Service (RADIUS) authentication -
tcps
for SSL authentication
Example
SQLNET.AUTHENTICATION_SERVICES=(kerberos5)
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.25 SQLNET.CLIENT_REGISTRATION
Purpose
To set a unique identifier for the client computer.
Usage Notes
This identifier is passed to the listener with any connection request, and is included in the audit trail. The identifier can be any alphanumeric string up to 128 characters long.
Default
None
Example
SQLNET.CLIENT_REGISTRATION=1432
Parent topic: sqlnet.ora Profile Parameters
5.2.26 SQLNET.CLOUD_USER
Purpose
To specify a user name for the web server HTTP
basic authentication.
Usage Notes
When secure websocket protocol is used, the client uses this user as the user name for authentication. The password for this user should be stored in a wallet using mkstore
commands.
Configuration steps to use HTTP
basic authentication with secure websockets:
-
Create wallet using orapki utility.
orapki wallet create -wallet wallet_directory
Example
orapki wallet create -wallet /app/wallet
-
Add web server public certificate.
orapki wallet -wallet wallet_directory -trusted_cert -cert web_server_public_certificate_in_pem_format
Example
orapki wallet -wallet /app/wallet -trusted_cert -cert server_cert.txt
-
Add web server user name to
sqlnet.ora
. This user name is only used for authenticating the web server. This is not a database user name. After web server authentication , the web server makes connection to the backend database server and usual database authentication happens.Example
sqlnet.cloud_user = dbuser1
-
Add web server user password to wallet.
mkstore -wrl wallet_location -createEntry username password
Example
mkstore -wrl /app/wallet -createEntry dbuser1 Secretdb#
-
Make wallet auto login and protect this wallet directory using operating system file permissions or any other means, so that ONLY database client can have read access to it. Refer to the operating system utilities for information about changing file permissions.
orapki wallet create -wallet wallet_directory -auto_login
Example
orapki wallet create -wallet /app/wallet -auto_login
-
Update
sqlnet.ora
with wallet entry.Example
wallet_location=(SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=/app/wallet)))
Default
None
Parent topic: sqlnet.ora Profile Parameters
5.2.27 SQLNET.COMPRESSION
Purpose
To enable or disable data compression. If both the server and client have this parameter set to ON
, then compression is used for the connection.
Note:
The SQLNET.COMPRESSION
parameter applies to all database connections, except for Oracle Data Guard streaming redo and SecureFiles LOBs (Large Objects).
Default
off
Values
-
on
to enable data compression. -
off
to disable data compression.
Example
SQLNET.COMPRESSION=on
Parent topic: sqlnet.ora Profile Parameters
5.2.28 SQLNET.COMPRESSION_ACCELERATION
Purpose
To specify the use of hardware accelerated version of compression using this parameter if it is available for that platform.
Usage Notes
This parameter can be specified under Oracle Connection Manager alias description.
Default
on
Values
-
on
-
off
-
0
-
1
Example 5-4 Example
compression_acceleration = on
Parent topic: sqlnet.ora Profile Parameters
5.2.29 SQLNET.COMPRESSION_LEVELS
Purpose
To specify the compression level.
Usage Notes
The compression levels are used at time of negotiation to verify which levels are used at both ends, and to select one level.
For Database Resident Connection Pooling (DRCP), only the compression level low
is supported.
Default
low
Values
-
low
to use low CPU usage and low compression ratio. -
high
to use high CPU usage and high compression ratio.
Example
SQLNET.COMPRESSION_LEVELS=(high)
Parent topic: sqlnet.ora Profile Parameters
5.2.30 SQLNET.COMPRESSION_THRESHOLD
Purpose
To specify the minimum data size, in bytes, for which compression is needed.
Usage Notes
Compression is not be done if the size of the data to be sent is less than this value.
Default
1024 bytes
Example
SQLNET.COMPRESSION_THRESHOLD=1024
Parent topic: sqlnet.ora Profile Parameters
5.2.31 SQLNET.CRYPTO_CHECKSUM_CLIENT
Purpose
To specify the checksum behavior for the client.
See Also:
Default
accepted
Values
-
accepted
to enable the security service if required or requested by the other side. -
rejected
to disable the security service, even if required by the other side. -
requested
to enable the security service if the other side allows it. -
required
to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted
Parent topic: sqlnet.ora Profile Parameters
5.2.32 SQLNET.CRYPTO_CHECKSUM_SERVER
Purpose
To specify the checksum behavior for the database server.
Default
accepted
Values
-
accepted
to enable the security service if required or requested by the other side. -
rejected
to disable the security service, even if required by the other side. -
requested
to enable the security service if the other side allows it. -
required
to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_SERVER=accepted
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.33 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
Purpose
To specify a list of crypto-checksum algorithms for the client to use.
Default
All available algorithms
Values
-
MD5
for the RSA Data Security MD5 algorithm. -
SHA1
for the Secure Hash Algorithm. -
SHA256
for SHA-2 uses 256 bits with the hashing algorithm. -
SHA384
for SHA-2 uses 384 bits with the hashing algorithm. -
SHA512
for SHA-2 uses 512 bits with the hashing algorithm.
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256, MD5)
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.34 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
Purpose
To specify a list of crypto-checksum algorithms for the database server to use.
Default
All available algorithms
Values
-
MD5
for the RSA Data Security's MD5 algorithm -
SHA1
for the Secure Hash algorithm. -
SHA256
for SHA-2 uses 256 bits with the hashing algorithm. -
SHA384
for SHA-2 uses 384 bits with the hashing algorithm. -
SHA512
for SHA-2 uses 512 bits with the hashing algorithm.
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256, MD5)
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.35 SQLNET.DBFW_PUBLIC_KEY
Purpose
To provide Oracle Database Firewall public keys to Advanced Security Option (ASO) by specifying the file that stores the Oracle Database Firewall public keys.
Default
None
Values
Full path name of the operating system file that has the public keys.
Example
SQLNET.DBFW_PUBLIC_KEY="/path_to_file
/dbfw_public_key_file.txt
"
Parent topic: sqlnet.ora Profile Parameters
5.2.36 SQLNET.DOWN_HOSTS_TIMEOUT
Purpose
To specify the amount of time in seconds that information about the down
state of server hosts is kept in client process cache.
Usage Notes
Clients discover the down
state of server hosts when attempting connections. When a connection attempt fails, the information about the down
state of the server host is added to the client process cache. Subsequent connection attempts by the same client process move the down
hosts to the end of the address list, thereby reducing the priority of such hosts. When the time specified by the SQLNET.DOWN_HOSTS_TIMEOUT
parameter has passed, the host is purged from the process cache, and its priority in the address list is restored.
Default
600 seconds (10 minutes)
Values
Any positive integer
Example
SQLNET.DOWN_HOSTS_TIMEOUT=60
Parent topic: sqlnet.ora Profile Parameters
5.2.37 SQLNET.ENCRYPTION_CLIENT
The SQLNET.ENCRYPTION_CLIENT networking parameter turns encryption on
for the client.
Purpose
To turn encryption on for the client. Setting the tnsnames.ora
parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS
to TRUE
disables SQLNET.ENCRYPTION_CLIENT
.
Default
accepted
Values
-
accepted
to enable the security service if required or requested by the other side. -
rejected
to disable the security service, even if required by the other side. -
requested
to enable the security service if the other side allows it. -
required
to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_CLIENT=accepted
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.38 SQLNET.ENCRYPTION_SERVER
The SQLNET.ENCRYPTION_SERVER
networking parameter turns encryption on for the database server.
Purpose
To turn encryption on for the database server. Setting SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
to FALSE
disables SQLNET.ENCRYPTION_SERVER
.
Default
accepted
Values
-
accepted
to enable the security service if required or requested by the other side. -
rejected
to disable the security service, even if required by the other side. -
requested
to enable the security service if the other side allows it. -
required
to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_SERVER=accepted
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.39 SQLNET.ENCRYPTION_TYPES_CLIENT
Purpose
To specify a list of encryption algorithms for the client to use. It can now be used to enable ARIA, SEED, and GOST as encryption algorithms for encrypting SQLNet traffic.
Default
All available algorithms.
Values
One or more of the following:
-
3des112
for triple DES with a two-key (112-bit) option -
3des168
for triple DES with a three-key (168-bit) option -
aes128
for AES (128-bit key size) -
aes192
for AES (192-bit key size) -
aes256
for AES (256-bit key size) -
des
for standard DES (56-bit key size) -
des40
for DES (40-bit key size) -
rc4_40
for RSA RC4 (40-bit key size) -
rc4_56
for RSA RC4 (56-bit key size) -
rc4_128
for RSA RC4 (128-bit key size) -
rc4_256
for RSA RC4 (256-bit key size) -
ARIA128
for ARIA (128-bit key size) -
ARIA192
for ARIA (192-bit key size) -
ARIA256
for ARIA (256-bit key size) -
SEED128
for SEED (128-bit key size) -
GOST256
for GOST (256-bit key size)
Example
SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.40 SQLNET.ENCRYPTION_TYPES_SERVER
Purpose
To specify a list of encryption algorithms for the database server to use. It can now be used to enable ARIA, SEED, and GOST as encryption algorithms for encrypting SQLNet traffic.
Default
All available algorithms.
Values
One or more of the following:
-
3des112
for triple DES with a two-key (112-bit) option -
3des168
for triple DES with a three-key (168-bit) option -
aes128
for AES (128-bit key size) -
aes192
for AES (192-bit key size) -
aes256
for AES (256-bit key size) -
des
for standard DES (56-bit key size) -
des40
for DES40 (40-bit key size) -
rc4_40
for RSA RC4 (40-bit key size) -
rc4_56
for RSA RC4 (56-bit key size) -
rc4_128
for RSA RC4 (128-bit key size) -
rc4_256
for RSA RC4 (256-bit key size) -
ARIA128
for ARIA (128-bit key size) -
ARIA192
for ARIA (192-bit key size) -
ARIA256
for ARIA (256-bit key size) -
SEED128
for SEED (128-bit key size) -
GOST256
for GOST (256-bit key size)
Example
SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.41 SQLNET.EXPIRE_TIME
Purpose
To specify a time interval, in minutes, to send a check to verify that client/server connections are active.
Usage Notes
Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination. If the system supports TCP keepalive tuning, then Oracle Net Services automatically uses the enhanced detection model, and tunes the TCP keepalive parameters
If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.
This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.
Limitations on using this terminated connection detection feature are:
-
It is not allowed on bequeathed connections.
-
Though very small, a probe packet generates additional traffic that may downgrade network performance.
-
Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.
Default
0
Minimum Value
0
Recommended Value
10
Example
SQLNET.EXPIRE_TIME=10
Parent topic: sqlnet.ora Profile Parameters
5.2.42 SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
The SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
parameter is used on the server-side to ignore the value set in SQLNET.ENCRYPTION_SERVER
for TCPS connections (effectively disabling ANO encryption on the TCPS listener).
Purpose
Used on the server-side to ignore the value set in SQLNET.ENCRYPTION_SERVER
for TCPS connections (effectively disabling ANO encryption on the TCPS listener).
Usage Notes
If you set the SQLNET.ENCRYPTION_CLIENT
parameter on the client to required
and SQLNET.ENCRYPTION_SERVER
on the server to required
, and if a TCPS listener is used, then the ORA-12696 Double Encryption Turned On, login disallowed
error appears. Starting with this release, you can set a new parameter, SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
, to TRUE
to ignore the SQLNET.ENCRYPTION_CLIENT
or SQLNET.ENCRYPTION_SERVER
when there is a conflict between the use of a TCPS client and these two parameters are set to required
.
Default
FALSE
Example 5-5 Example
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS=TRUE
Parent topic: sqlnet.ora Profile Parameters
5.2.43 SQLNET.INBOUND_CONNECT_TIMEOUT
Purpose
To specify the time, in ms
, sec
, or min
, for a client to connect with the database server and provide the necessary authentication information.
Usage Notes
If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred
error message to the sqlnet.log
file. The client receives either an ORA-12547: TNS:lost contact
or an ORA-12637: Packet receive failed
error message.
The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name
parameter in the listener.ora
file. When specifying the values for these parameters, note the following recommendations:
-
Set both parameters to an initial low value.
-
Set the value of the
INBOUND_CONNECT_TIMEOUT_
listener_name
parameter to a lower value than theSQLNET.INBOUND_CONNECT_TIMEOUT
parameter.
It accepts different timeouts with or without space between the value and the unit. In case, no unit is mentioned, the default unit is sec
. For example, you can set INBOUND_CONNECT_TIMEOUT_
listener_name
to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT
parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.
Default
60 seconds
Example
SQLNET.INBOUND_CONNECT_TIMEOUT=3ms
Parent topic: sqlnet.ora Profile Parameters
5.2.44 SQLNET.FALLBACK_AUTHENTICATION
Purpose
To specify whether password-based authentication is going to be attempted if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.
Default
FALSE
Example
SQLNET.FALLBACK_AUTHENTICATION=TRUE
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.45 SQLNET.KERBEROS5_CC_NAME
Purpose
To specify the complete path name to the Kerberos credentials cache file.
Usage Notes
The MSLSA
option specifies the file is on Microsoft Windows, and is running Microsoft KDC.
The OS_MEMORY
option specifies that an operating system-managed memory credential is used for the credential cache file. This option is supported for all operating systems with such a feature.
Default
/usr/tmp/krbcache
on Linux and UNIX operating systems
c:\tmp\krbcache
on Microsoft Windows operating systems
Examples
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache SQLNET.KERBEROS5_CC_NAME=MSLSA SQLNET.KERBEROS5_CC_NAME=OS_MEMORY
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.46 SQLNET.KERBEROS5_CLOCKSKEW
Purpose
To specify how many seconds can pass before a Kerberos credential is considered out of date.
Default
300
Example
SQLNET.KERBEROS5_CLOCKSKEW=1200
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.47 SQLNET.KERBEROS5_CONF
Purpose
To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts.
Usage Notes
The KDC maintains a list of user principals and is contacted through the kinit
program for the user's initial ticket.
The AUTO_DISCOVER
option allows the automatic discovery of KDC and realms. It is the default configuration for Kerberos clients. If there are multiple realms to be specified, then Oracle recommends creating configuration files instead of using the AUTO_DISCOVER
option. This option is supported for all operating systems with such a feature.
Default
/krb5/krb.conf
on Linux and UNIX operating systems
c:\krb5\krb.conf
on Microsoft Windows operating systems
Values
-
Directory path to
krb.conf
file -
AUTO_DISCOVER
Example
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.48 SQLNET.KERBEROS5_CONF_LOCATION
Purpose
To specify the directory for the Kerberos configuration file. The parameter also specifies the file is created by the system, and not by the client.
Usage Notes
The configuration file uses DNS lookup to obtain the realm for the default KDC, and maps realms to the KDC hosts. This option is supported for all operating systems with such a feature.
Default
/krb5
on Linux and UNIX operating systems
c:\krb5
on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_CONF_LOCATION=/krb5
Parent topic: sqlnet.ora Profile Parameters
5.2.49 SQLNET.KERBEROS5_KEYTAB
Purpose
To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.
Default
/etc/v5srvtab
on Linux and UNIX operating systems
c:\krb5\v5srvtab
on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.50 SQLNET.KERBEROS5_REALMS
Purpose
To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.
Default
/krb5/krb.realms
on Linux and UNIX operating systems
c:\krb5\krb.realms
on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.51 SQLNET.KERBEROS5_REPLAY_CACHE
Purpose
To specify replay cache is stored in operating system-managed memory on the server, and that file-based replay cache is not used.
Usage Notes
The OS_MEMORY
option specifies the replay cache is stored in operating system-managed memory on the server, and file-based replay cache is not used.
Example
SQLNET_KERBEROS5_REPLAY_CACHE=OS_MEMORY
Parent topic: sqlnet.ora Profile Parameters
5.2.52 SQLNET.OUTBOUND_CONNECT_TIMEOUT
Purpose
To specify the time, in ms
, sec
, or min
, for a client to establish an Oracle Net connection to the database instance.
Usage Notes
If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred
error.
The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service. It accepts different timeouts with or without space between the value and the unit.
Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds
) when the database server host system is unreachable. In case, no unit is mentioned, the default unit is sec
.
The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.
This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.
Default
None
Example
SQLNET.OUTBOUND_CONNECT_TIMEOUT=10 ms
Parent topic: sqlnet.ora Profile Parameters
5.2.53 SQLNET.RADIUS_ALTERNATE
Purpose
To specify an alternate RADIUS server to use in case the primary server is unavailable.
Usage Notes
The value can be either the IP address or host name of the server.
Default
None
Example
SQLNET.RADIUS_ALTERNATE=radius2
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.54 SQLNET.RADIUS_ALTERNATE_PORT
Purpose
To specify the listening port of the alternate RADIUS server.
Default
1645
Example
SQLNET.RADIUS_ALTERNATE_PORT=1667
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.55 SQLNET.RADIUS_ALTERNATE_RETRIES
Purpose
To specify the number of times the database server should resend messages to the alternate RADIUS server.
Default
3
Example
SQLNET.RADIUS_ALTERNATE_RETRIES=4
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.56 SQLNET.RADIUS_AUTHENTICATION
Purpose
To specify the location of the primary RADIUS server, either by its host name or IP address.
Default
Local host
Example
SQLNET.RADIUS_AUTHENETICATION=officeacct
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.57 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Purpose
To specify the class containing the user interface used to interact with the user.
Default
DefaultRadiusInterface
Example
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.58 SQLNET.RADIUS_AUTHENTICATION_PORT
Purpose
To specify the listening port of the primary RADIUS server.
Default
1645
Example
SQLNET.RADIUS_AUTHENTICATION_PORT=1667
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.59 SQLNET.RADIUS_AUTHENTICATION_RETRIES
Purpose
To specify the number of times the database server should resend messages to the primary RADIUS server.
Default
3
Example
SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.60 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Purpose
To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.
Default
5
Example
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.61 SQLNET.RADIUS_CHALLENGE_RESPONSE
Purpose
To turn challenge response on or off.
Default
off
Values
on | off
Example
SQLNET.RADIUS_CHALLENGE_RESPONSE=on
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.62 SQLNET.RADIUS_SECRET
Purpose:
To specify the location of the RADIUS secret key.
Default
The ORACLE_HOME
/network/security/radius.key
file.
Example
SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.63 SQLNET.RADIUS_SEND_ACCOUNTING
Purpose
To turn accounting on
and off
. If enabled, then packets are sent to the active RADIUS server at listening port plus one.
Usage Notes
Default
off
Values
on | off
Example
SQLNET.RADIUS_SEND_ACCOUNTING=on
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.64 SQLNET.RECV_TIMEOUT
Purpose
To specify the time, in ms
, sec
, or min
, for a database client or server to wait for data from the peer after establishing a connection. The peer must send some data within the time interval.
Usage Notes
Setting this parameter for clients ensure that receive operation is not left in wait state indefinitely or for a long period due to an abnormal termination of server process or server busy state. If a client does not receive response data in time specified, then it logsORA-12535: TNS:operation timed out
and ORA-12609: TNS: Receive timeout occurred
messages to the sqlnet.log
file. If you choose to set the value, then set the value to an initial low value and adjust according to the system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT
parameter.
You can also set this parameter on the server-side to specify the time, in ms
, sec
, or min
, for a server to wait for client data after connection establishment. If a client does not send any data in time specified, then the database server logs ORA-12535: TNS:operation timed out
and ORA-12609: TNS: Receive timeout occurred
messages to the sqlnet.log
file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties. The server usually blocks on input from the client and gets these timeouts frequently if set to a low value. In case, no unit is mentioned, the default unit is sec
.
Default
None
Example
SQLNET.RECV_TIMEOUT=10ms
or
SQLNET.RECV_TIMEOUT=10 ms
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring these parameters
Parent topic: sqlnet.ora Profile Parameters
5.2.65 SQLNET.SEND_TIMEOUT
Purpose
To specify the time, in ms
, sec
, or min
, for a database server to complete a send operation to clients after establishing a connection.
Usage Notes
Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.
If the database server cannot complete a send operation in the time specified, then it logs ORA-12535: TNS:operation timed out
and ORA-12608: TNS: Send timeout occurred
messages to the sqlnet.log
file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.
You can also set this parameter on the client-side to specify the time, in ms
, sec
, or min
, for a client to complete send operations to the database server after connection establishment. It accepts different timeouts with or without space between the value and the unit. In case, no unit is mentioned, the default unit is sec
.Without this parameter, the client may continue to send requests to a database server already saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.RECV_TIMEOUT parameter.
Default
None
Example
SQLNET.SEND_TIMEOUT=3 ms
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter
Parent topic: sqlnet.ora Profile Parameters
5.2.66 SQLNET.URI
SQLNET.URI
networking parameter of the sqlnet.ora
file specifies a database client URI mapping on the web server.
Purpose
To specify a database client URI mapping on the web server.
Usage Notes
You can use this parameter to customize URI for mapping the database websocket requests coming onto web server to the backend database server. Secure websocket handshaking requests are sent with this URI.
Default
/sqlnet
Example 5-6 Example
sqlnet.uri="/my_uri_prefix/database/"
Parent topic: sqlnet.ora Profile Parameters
5.2.67 SQLNET.USE_HTTPS_PROXY
Purpose
To enable forward HTTP proxy tunneling client connections.
Usage Notes
If turned on
, the clients can tunnel secure connections over forward HTTP proxy using HTTP CONNECT method. This helps in accessing the public cloud database service as it eliminates the requirement to open an outbound port on a client side firewall.
This parameter is applicable with Oracle Connection Manager on the server side.
Default
off
Example
SQLNET.USE_HTTPS_PROXY=on
Parent topic: sqlnet.ora Profile Parameters
5.2.68 SQLNET.WALLET_OVERRIDE
OracleMetaLink note 340559.1.
Purpose
To determine whether the client should override the strong authentication credential with the password credential in the stored wallet to log in to the database.
Usage Notes
When wallets are used for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is turned on so the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.
Wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.
Users connect using the connect /@
database_name
command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.
Middle-tier applications create an Oracle Applications wallet at installation time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES
and WALLET_LOCATION
. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.
Values
true | false
Examples
SQLNET.WALLET_OVERRIDE=true
See Also:
In order to use wallets, a wallet must be configured on the client. Refer to Oracle Database Security Guide for additional information about configuring the clients.
Parent topic: sqlnet.ora Profile Parameters
5.2.69 SSL_CERT_REVOCATION
Purpose
To configure a revocation check for a certificate.
See Also:
Default
none
Values
-
none
to turn off certificate revocation checking. This is the default. -
requested
to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection. -
required
to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
Example
SSL_CERT_REVOCATION=required
Parent topic: sqlnet.ora Profile Parameters
5.2.70 SSL_CRL_FILE
Purpose
To specify the name of the file where you can assemble the CRL for client authentication.
Usage Notes
This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested
or required
.
Default
None
Example
SSL_CRL_FILE=
Parent topic: sqlnet.ora Profile Parameters
5.2.71 SSL_CRL_PATH
Purpose
To specify the destination directory of the CRL of CA.
Usage Notes
The files in this directory are hashed symbolic links created by Oracle Wallet Manager.
This parameter is only valid if SSL_CERT_REVOCATION is set to either requested
or required
.
Default
None
Example
SSL_CRL_PATH=
Parent topic: sqlnet.ora Profile Parameters
5.2.72 SSL_CIPHER_SUITES
Purpose
To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.0).
Default
None
Values
-
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
SSL_RSA_WITH_AES_128_CBC_SHA256
-
SSL_RSA_WITH_AES_128_GCM_SHA256
-
SSL_RSA_WITH_AES_128_CBC_SHA
-
SSL_RSA_WITH_AES_256_CBC_SHA
-
SSL_RSA_WITH_AES_256_CBC_SHA256
-
SSL_RSA_WITH_AES_256_GCM_SHA384
-
SSL_RSA_WITH_RC4_128_MD5
-
SSL_RSA_WITH_RC4_128_SHA
-
SSL_RSA_WITH_3DES_EDE_CBC_SHA
-
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
-
SSL_DH_anon_WITH_RC4_128_MD5
Note:
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
and SSL_DH_anon_WITH_RC4_128_MD5
do not the provide authentication of the communicating parties, and can be vulnerable to man-in-the-middle attacks. Oracle recommends that you do not use these cipher suites to protect sensitive data. However, they are useful if the communicating parties want to remain anonymous or simply do not want the overhead caused by mutual authentication.
Example
SSL_CIPHER_SUITES=(ssl_rsa_with_aes_128_cbc_sha256)
See Also:
Oracle Database Security Guide for additional information about cipher suite valuesParent topic: sqlnet.ora Profile Parameters
5.2.73 SSL_EXTENDED_KEY_USAGE
Purpose
To specify the purpose of the key in the certificate.
Usage Notes
When this parameter is specified, the certificate with the matching extended key is used.
Values
client authentication
Example
SSL_EXTENDED_KEY_USAGE="client authentication"
Parent topic: sqlnet.ora Profile Parameters
5.2.74 SSL_SERVER_DN_MATCH
Purpose
To enforce server-side certification validation through distinguished name (DN) matching.
Usage Notes
If you enforce the DN matching, in addition to verifying the server's certificate chain, the client performs another check through DN matching. There are two flavors of DN matching. Partial DN matching happens if the server's CN contains its host name. Complete DN matching happens against the server's complete DN. Not enforcing the match allows the server to potentially fake its identity. This parameter must be set to TRUE
to do both full or partial DN matching
In addition to the sqlnet.ora
file, configure the tnsnames.ora
parameter SSL_SERVER_CERT_DN to enable full DN matching.
Default
no
Values
-
yes
|on
|true
to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails. -
no
|off
|false
to not enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to thesqlnet.log
file.
Example
SSL_SERVER_DN_MATCH=yes
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.75 SSL_VERSION
Purpose
To limit allowable SSL or TLS versions used for connections.
Usage Notes
Clients and database servers must use a compatible version. This parameter should only be used when absolutely necessary for backward compatibility. The current default uses TLS version 1.2 which is the version required for multiple security compliance requirements.
If you set SSL_VERSION
to undetermined
, then by default it uses 3.0
.
Default
1.2
Values
Note:
Thesqlnet.ora parameter ADD_SSLV3_TO_DEFAULT
has no impact on this parameter.
undetermined | 3.0 | 1.0| 1.1 | 1.2
If you want to specify one version or another version, then use “or”. The following values are permitted:
1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 | 1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 |1.2 or 1.1 or 1.0 or 3.0
Example
SSL_VERSION=1.2
The remaining version numbers correspond to the TLS versions, such as, TLSv1.0, TLSv1.1, and TLSv1.2.
See Also:
Parent topic: sqlnet.ora Profile Parameters
5.2.76 TCP.CONNECT_TIMEOUT
Purpose
To specify the time, in ms
, sec
, or min
, for a client to establish a TCP connection (PROTOCOL=tcp
in the TNS connect address) to the database server.
Usage Notes
If a TCP connection to the database host is not established in the specified time, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred
error.
The timeout applies to each IP address that resolves to a host name. It accepts different timeouts with or without space between the value and the unit. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice because there are two IP addresses. In this example, the default timeout setting of 60 causes a timeout in 120 seconds
. In case, no unit is mentioned, the default unit is sec
.
Default
60
Example
TCP.CONNECT_TIMEOUT=10 ms
Parent topic: sqlnet.ora Profile Parameters
5.2.77 TCP.EXCLUDED_NODES
Purpose
To specify which clients are denied access to the database.
Usage Notes
This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes
.
This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.
Syntax
TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Example
TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.0.2.25, 172.30.*, 2001:DB8:200C:417A/32)
Parent topic: sqlnet.ora Profile Parameters
5.2.78 TCP.INVITED_NODES
Purpose
To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES
parameter if both lists are present.
Syntax
TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Usage Notes
-
This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to
yes
. -
This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.
Example
TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.0.*, 2001:DB8:200C:433B/32)
Parent topic: sqlnet.ora Profile Parameters
5.2.79 TCP.NODELAY
Purpose
To preempt delays in buffer flushing within the TCP/IP protocol stack.
Default
yes
Values
yes | no
Example
TCP.NODELAY=yes
Parent topic: sqlnet.ora Profile Parameters
5.2.80 TCP.QUEUESIZE
Purpose
To configure the maximum length of the queue for pending connections on a TCP listening socket.
Default
System-defined maximum value. The defined maximum value for Linux is 128.
Values
Any integer value up to the system-defined maximum.
Examples
TCP.QUEUESIZE=100
Parent topic: sqlnet.ora Profile Parameters
5.2.81 TCP.VALIDNODE_CHECKING
Purpose
To enable and disable valid node checking for incoming connections.
Usage Notes
If this parameter is set to yes
, then incoming connections are allowed only if they originate from a node that conforms to list specified by TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.
The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when the TCP.VALIDNODE_CHECKING parameter is set to yes
.
This parameter and the depending parameters, TCP.INVITED_NODES and TCP.EXCLUDED_NODES must be set in the sqlnet.ora
file of the listener. This is important in an Oracle RAC environment where the listener runs out of the Oracle Grid Infrastructure home. Setting the parameter in the database home does not have any effect in Oracle RAC environments. In such environments, the address of all Single Client Access Name (SCANs), Virtual IPs (VIPs), local IP must be included in the TCP.INVITED_NODES list.
In VLAN environments, the sqlnet.ora
file present in the Oracle Grid Infrastructure home should include all the addresses of all the VLANs. The VLANs perform the network segregation, whereas the INVITED_NODES allows or restricts access to databases within the VLANs.
If multiple databases within the same VLAN require different INVITED_NODE lists, then separate listeners are required.
Default
no
Values
yes | no
Example
TCP.VALIDNODE_CHECKING=yes
Parent topic: sqlnet.ora Profile Parameters
5.2.82 TNSPING.TRACE_DIRECTORY
Purpose
To specify the destination directory for the TNSPING utility trace file, tnsping.trc
.
Default
The ORACLE_HOME/network/trace
directory.
Example
TNSPING.TRACE_DIRECTORY=/oracle/traces
Parent topic: sqlnet.ora Profile Parameters
5.2.83 TNSPING.TRACE_LEVEL
Purpose
To turn TNSPING utility tracing on at a specified level or to turn it off.
Default
off
Values
-
off
for no trace output -
user
for user trace information -
admin
for administration trace information -
support
for Oracle Support Services trace information
Example
TNSPING.TRACE_LEVEL=admin
Parent topic: sqlnet.ora Profile Parameters
5.2.84 USE_CMAN
Purpose
To specify client routing to Oracle Connection Manager.
Usage Notes
If set to true
, then the parameter routes the client to a protocol address for Oracle Connection Manager.
If set to false
, then the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST
fails. With USE_CMAN
=true
, the client always uses the first address list.
If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.
Default
false
Values
true | false
Example
USE_CMAN=true
Parent topic: sqlnet.ora Profile Parameters
5.2.85 USE_DEDICATED_SERVER
Purpose
To append (SERVER=dedicated)
to the CONNECT_DATA
section of the connect descriptor used by the client.
Usage Notes
It overrides the current value of the SERVER parameter in the tnsnames.ora
file.
If set to on
, then the parameter USE_DEDICATED_SERVER
automatically appends (SERVER=dedicated)
to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.
Default
off
Values
-
on
to append(SERVER=dedicated)
-
off
to send requests to existing server processes
Example
USE_DEDICATED_SERVER=on
See Also:
Oracle Database Net Services Administrator's Guide for complete configuration information
Parent topic: sqlnet.ora Profile Parameters
5.2.86 WALLET_LOCATION
Purpose
To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.
Usage Notes
The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA
parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.
If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY)
is SALESAPP
, then the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12
. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
Syntax
The syntax depends on the wallet, as follows:
-
Oracle wallets on the file system:
WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=directory) [(PKCS11=TRUE/FALSE)]))
-
Microsoft certificate store:
WALLET_LOCATION= (SOURCE= (METHOD=mcs))
-
Oracle wallets in the Microsoft Windows registry:
WALLET_LOCATION= (SOURCE= (METHOD=reg) (METHOD_DATA= (KEY=registry_key)))
-
Entrust wallets:
WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA= (PROFILE=file.epf) (INIFILE=file.ini)))
Additional Parameters
WALLET_LOCATION
supports the following parameters:
-
SOURCE
: The type of storage for wallets, and storage location. -
METHOD
: The type of storage. -
METHOD_DATA
: The storage location. -
DIRECTORY
: The location of Oracle wallets on file system. -
KEY
: The wallet type and location in the Microsoft Windows registry. -
PROFILE
: The Entrust profile file (.epf
). -
INIFILE
: The Entrust initialization file (.ini
).
Default
None
Values
true | false
Examples
Oracle wallets on file system:
WALLET_LOCATION= (SOURCE= (METHOD=file) (METHOD_DATA= (DIRECTORY=/etc/oracle/wallets/databases)))
Microsoft certificate store:
WALLET_LOCATION= (SOURCE= (METHOD=mcs))
Oracle Wallets in the Microsoft Windows registry:
WALLET_LOCATION= (SOURCE= (METHOD=REG) (METHOD_DATA= (KEY=SALESAPP)))
Entrust Wallets:
WALLET_LOCATION= (SOURCE= (METHOD=entr) (METHOD_DATA= (PROFILE=/etc/oracle/wallets/test.epf) (INIFILE=/etc/oracle/wallets/test.ini)))
Parent topic: sqlnet.ora Profile Parameters
5.2.87 BEQUEATH_DETACH
It ix a sqlnet.ora
networking parameter handling signals for Linux and UNIX systems.
Purpose
To turn signal handling on or off for Linux and UNIX systems
Default
no
Values
-
yes
to turn signal handling off -
no
to leave signal handling on
Example
BEQUEATH_DETACH=yes
Parent topic: sqlnet.ora Profile Parameters
5.3 ADR Diagnostic Parameters in sqlnet.ora
The diagnostic data for the critical errors is quickly captured and stored in the ADR for sqlnet.ora
.
- About ADR Diagnostic Parameters
You can use ADR diagnostic parameters when ADR is enabled. ADR is enabled by default. Non-ADR parameters listed in thesqlnet.ora
file are ignored when ADR is enabled. - ADR_BASE
It is a diagnostic parameter in thesqlnet.ora
file and it specifies the base location of the ADR files. - DIAG_ADR_ENABLED
DIAG_ADR_ENABLED
diagnostic parameter of the sqlnet.ora file specifies whether ADR tracing is enabled. - TRACE_LEVEL_CLIENT
TheTRACE_LEVEL_CLIENT
diagnostic parameter of thesqlnet.ora
file turns client tracing on or off at a specified level. - TRACE_LEVEL_SERVER
TheTRACE_LEVEL_SERVER
diagnostic parameter of thesqlnet.ora
file turns server tracing on or off at a specified level. - TRACE_TIMESTAMP_CLIENT
TheTRACE_TIMESTAMP_CLIENT
diagnostic parameter of thesqlnet.ora
file adds a time stamp to every trace event in the client trace file. - TRACE_TIMESTAMP_SERVER
TheTRACE_TIMESTAMP_CLIENT
diagnostic parameter of thesqlnet.ora
file adds a time stamp to every trace event in the database server trace file.
Parent topic: Parameters for the sqlnet.ora File
5.3.1 About ADR Diagnostic Parameters
You can use ADR diagnostic parameters when ADR is enabled. ADR is enabled by default. Non-ADR parameters listed in the sqlnet.ora
file are ignored when ADR is enabled.
Since Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.
When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, are immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.
The following sqlnet.ora
parameters are used when ADR is enabled (when DIAG_ADR_ENABLED
is set to on
):
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.2 ADR_BASE
It is a diagnostic parameter in the sqlnet.ora
file and it specifies the base location of the ADR files.
Purpose
To specify the base directory into which tracing and logging incidents are stored when ADR is enabled.
Default
The default on the server side is ORACLE_BASE
, or ORACLE_HOME/log
, if ORACLE_BASE
is not defined.
Values
Any valid directory path to a directory with write permission.
Example
ADR_BASE=/oracle/network/trace
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.3 DIAG_ADR_ENABLED
DIAG_ADR_ENABLED
diagnostic parameter of the sqlnet.ora file specifies whether ADR tracing is enabled.
Purpose
To specify whether ADR tracing is enabled.
Usage Notes
If the DIAG_ADR_ENABLED
parameter is set to OFF
, then non-ADR file tracing is used.
Default
on
Values
on
| off
Example 5-7 Example
DIAG_ADR_ENABLED=on
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.4 TRACE_LEVEL_CLIENT
The TRACE_LEVEL_CLIENT
diagnostic parameter of the sqlnet.ora
file turns client tracing on or off at a specified level.
Purpose
To turn client tracing on at a specified level or to turn it off.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
-
off
or0
for no trace output -
user
or4
for user trace information -
admin
or10
for administration trace information -
support
or16
for Oracle Support Services trace information
Example
TRACE_LEVEL_CLIENT=user
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.5 TRACE_LEVEL_SERVER
The TRACE_LEVEL_SERVER
diagnostic parameter of the sqlnet.ora
file turns server tracing on or off at a specified level.
Purpose
To turn server tracing on at a specified level or to turn it off.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
-
off
or0
for no trace output -
user
or4
for user trace information -
admin
or10
for administration trace information -
support
or16
for Oracle Support Services trace information
Example
TRACE_LEVEL_SERVER=admin
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.6 TRACE_TIMESTAMP_CLIENT
The TRACE_TIMESTAMP_CLIENT
diagnostic parameter of the sqlnet.ora
file adds a time stamp to every trace event in the client trace file.
Purpose
To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil
to every trace event in the client trace file, which has a default name of sqlnet.trc
.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on
or true
| off
or false
Example
TRACE_TIMESTAMP_CLIENT=true
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.3.7 TRACE_TIMESTAMP_SERVER
The TRACE_TIMESTAMP_CLIENT
diagnostic parameter of the sqlnet.ora
file adds a time stamp to every trace event in the database server trace file.
Purpose
To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil
to every trace event in the database server trace file, which has a default name of svr_pid.trc
.
Usage Notes
This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on
or true
| off
or false
Example
TRACE_TIMESTAMP_SERVER=true
Parent topic: ADR Diagnostic Parameters in sqlnet.ora
5.4 Non-ADR Diagnostic Parameters in sqlnet.ora
This section lists the sqlnet.ora
parameters used when ADR is disabled.
Note:
The default value of DIAG_ADR_ENABLED is on
. Therefore, the DIAG_ADR_ENABLED
parameter must explicitly be set to off
in order for non-ADR tracing to be used.
- LOG_DIRECTORY_CLIENT
TheLOG_DIRECTORY_CLIENT
non-ADR diagnostic parameter of thesqlnet.ora
file specifies the destination directory for the client log file. - LOG_DIRECTORY_SERVER
- LOG_FILE_CLIENT
- LOG_FILE_SERVER
- TRACE_DIRECTORY_CLIENT
- TRACE_DIRECTORY_SERVER
- TRACE_FILE_CLIENT
- TRACE_FILE_SERVER
- TRACE_FILEAGE_CLIENT
- TRACE_FILEAGE_SERVER
- TRACE_FILELEN_CLIENT
- TRACE_FILELEN_SERVER
- TRACE_FILENO_CLIENT
- TRACE_FILENO_SERVER
- TRACE_UNIQUE_CLIENT
Parent topic: Parameters for the sqlnet.ora File
5.4.1 LOG_DIRECTORY_CLIENT
The LOG_DIRECTORY_CLIENT
non-ADR diagnostic parameter of the sqlnet.ora
file specifies the destination directory for the client log file.
Purpose
To specify the destination directory for the client log file.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log
Values
Any valid directory path.
Example
LOG_DIRECTORY_CLIENT=/oracle/network/log
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.2 LOG_DIRECTORY_SERVER
Purpose
To specify the destination directory for the database server log file.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME
/network/trace
Values
Any valid directory path to a directory with write permission.
Example
LOG_DIRECTORY_SERVER=/oracle/network/trace
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.3 LOG_FILE_CLIENT
Purpose
To specify the name of the log file for the client.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log/sqlnet.log
Values
The default value cannot be changed.
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.4 LOG_FILE_SERVER
Purpose
To specify the name of the log file for the database server.
Usage Notes
Use this parameter when ADR is not enabled.
Default
sqlnet.log
Values
Any valid directory path to a directory with write permission.
Example
LOG_FILE_SERVER=svr.log
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.5 TRACE_DIRECTORY_CLIENT
Purpose
To specify the destination directory for the client trace file.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME
/network/trace
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_CLIENT=/oracle/traces
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.6 TRACE_DIRECTORY_SERVER
Purpose
To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME
/network/trace
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_SERVER=/oracle/traces
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.7 TRACE_FILE_CLIENT
Purpose
To specify the name of the client trace file.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/cli.trc
Values
Any valid file name.
Example
TRACE_FILE_CLIENT=clientsqlnet.trc
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.8 TRACE_FILE_SERVER
Purpose
To specify the destination directory for the database server trace output.
Usage Notes
Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/svr_pid.trc
Values
Any valid file name. The process identifier (pid) is appended to the name automatically.
Example
TRACE_FILE_SERVER=svrsqlnet.trc
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.9 TRACE_FILEAGE_CLIENT
Purpose
To specify the maximum age of client trace files in minutes.
Usage Notes
When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Default
Unlimited
This is the same as setting the parameter to 0
.
Example 5-8 Example
TRACE_FILEAGE_CLIENT=60
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.10 TRACE_FILEAGE_SERVER
Purpose
To specify the maximum age of database server trace files in minutes.
Usage Notes
When the age limit is reached, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Default
Unlimited
This is the same as setting the parameter to0
.
Example 5-9 Example
TRACE_FILEAGE_SERVER=60
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.11 TRACE_FILELEN_CLIENT
Purpose
To specify the size of the client trace files in kilobytes (KB).
Usage Notes
When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_CLIENT=100
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.12 TRACE_FILELEN_SERVER
Purpose
To specify the size of the database server trace files in kilobytes (KB).
Usage Notes
When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_SERVER=100
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.13 TRACE_FILENO_CLIENT
Purpose
To specify the number of trace files for client tracing.
Usage Notes
When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.
When this parameter is set with theTRACE_FILEAGE_CLIENT parameter, trace files are cycled based on their age. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used, and so on.
When this parameter is set with both the TRACE_FILELEN_CLIENT and TRACE_FILEAGE_CLIENT parameters, trace files are cycled when either the size limit or the age limit is reached.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc
is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc
, sqlnet2.trc
and sqlnet3.trc
.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_CLIENT=3
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.14 TRACE_FILENO_SERVER
Purpose
To specify the number of trace files for database server tracing.
Usage Notes
When this parameter is set with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.
When this parameter is set with theTRACE_FILEAGE_SERVER parameter, trace files are cycled based on the age of the trace file. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used, and so on.
When this parameter is set with both the TRACE_FILELEN_SERVER and TRACE_FILEAGE_SERVER parameters, trace files are cycled when either the size limit or the age limit is reached.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_
pid
.trc
is used, and this parameter is set to 3, then the trace files would be named svr1_
pid
.trc
, svr2_
pid
.trc
and svr3_
pid
.trc
.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_SERVER=3
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora
5.4.15 TRACE_UNIQUE_CLIENT
Purpose
To specify whether a unique trace file is created for each client trace session.
Usage Notes
When the value is set to on
, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnet
pid
.trc
are created if default trace file name sqlnet.trc
is used. When the value is set to off
, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.
Default
on
Values
on
or off
Example
TRACE_UNIQUE_CLIENT=on
Parent topic: Non-ADR Diagnostic Parameters in sqlnet.ora