Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01

9
Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security

This chapter describes how to configure multiple authentication methods under Oracle Advanced Security, and how to use conventional user name and password authentication, even if you have configured another authentication method. This chapter also describes how to configure your network so that Oracle clients can use a specific authentication method, and Oracle servers can accept any method specified.

This chapter contains the following topics:

Connecting with User Name and Password

To connect to an Oracle database server using a user name and password when an Oracle Advanced Security authentication method has been configured, disable the external authentication (See: "Disabling Oracle Advanced Security Authentication").

With the external authentication disabled, a user can connect to a database using the following format:

% sqlplus username/password@net_service_name

For example:

% sqlplus scott/tiger@emp


Note:

You can configure multiple authentication methods, including both externally authenticated users and password authenticated users, on a single database.



Disabling Oracle Advanced Security Authentication

Use Oracle Net Manager to disable authentication methods (See "Starting Oracle Net Manager"):

  1. Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile"). The Oracle Advanced Security tabbed window appears (Figure 9-1):

     Figure 9-1 Oracle Advanced Security Authentication Window

  2. Choose the Authentication tab.
  3. Sequentially move all authentication methods from the Selected Method list to the Available Methods list by selecting a method and choosing the left arrow [<].
  4. Choose File > Save Network Configuration.

      The sqlnet.ora file is updated with the following entry:

      SQLNET.AUTHENTICATION_SERVICES = (NONE)
      
      

    Configuring Multiple Authentication Methods

    Many networks use more than one authentication method on a single security server. Accordingly, Oracle Advanced Security lets you configure your network so that Oracle clients can use a specific authentication method, and Oracle database servers can accept any method specified.

    You can set up multiple authentication methods on both client and server systems either by using Oracle Net Manager, or by using any text editor to modify the sqlnet.ora file.

    Use Oracle Net Manager to add authentication methods to both clients and servers (See "Starting Oracle Net Manager"):

    1. Navigate to the Oracle Advanced Security profile. (See "Navigating to the Oracle Advanced Security Profile") The Oracle Advanced Security tabbed window appears (Figure 9-1).
    2. Choose the Authentication tab.
    3. Select a method listed in the Available Methods list.
    4. Sequentially move selected methods to the Selected Methods list by choosing the right arrow [>].
    5. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, and choose Promote or Demote to position it in the list.
    6. Choose File > Save Network Configuration.

      The sqlnet.ora file is updated with the following entry, listing the selected authentication methods:

      SQLNET.AUTHENTICATION_SERVICES = (RADIUS|KERBEROS5)
      
      

      Note:
      • SecurID functionality is available through RADIUS; RADIUS support is built into the RSA ACE/Server.
      • See Also: Chapter 5, "Configuring RADIUS Authentication"

    Configuring Oracle Database for External Authentication

      This section describes the parameters you must set to configure Oracle Database for network authentication, using the following tasks:

      Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora

      The following parameter must be set in the sqlnet.ora file for all clients and servers to enable each to use a supported authentication method:

      SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)
      
      
      

      For example, for all clients and servers using Kerberos authentication, the sqlnet.ora parameter must be set as follows:

      SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
      

      Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE

      To verify that REMOTE_OS_AUTHENT is not set to TRUE, add the following parameter to the initialization file, in each database instance, when you configure the authentication method:

      REMOTE_OS_AUTHENT=FALSE
      

      Caution:

      Setting REMOTE_OS_AUTHENT to TRUE can cause a security exposure, because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly referred to as an OPS$ login).


      If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation fails and the connection terminates.

      If the parameter is set as follows in the sqlnet.ora file on either the client or server, the database attempts to use the supplied user name and password to log in the user:

      SQLNET.AUTHENTICATION_SERVICES=(NONE)
      
      
      

      If REMOTE_OS_AUTHENT is set to FALSE, however, the connection fails.

      Setting OS_AUTHENT_PREFIX to a Null Value

      Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle Corporation strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows:

      OS_AUTHENT_PREFIX=""
      
      

      Note:

      The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.



      Attention:

      If a database already has the OS_AUTHENT_PREFIX set to a value other than NULL (""), do not change it, since it can inhibit previously created, externally identified users from connecting to the Oracle server.


      To create a user, launch SQL*Plus and enter the following:

      SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;

      When OS_AUTHENT_PREFIX is set to a null value (""), enter the following to create the user king:

      SQL> CREATE USER king IDENTIFIED EXTERNALLY;
      
      
      

      The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally identified users. This is true for all supported authentication methods.
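
An added example, not part of Oracle's guide: a small Python audit that reads the text of a sqlnet.ora file and an initialization file and reports on the three parameters covered above. The sample file contents are constructed, the function names are hypothetical, and accepting both `|` and `,` as list separators is an assumption.

```python
import re

# Constructed sample file contents, for illustration only.
SAMPLE_SQLNET = "# client/server profile\nSQLNET.AUTHENTICATION_SERVICES = (RADIUS|KERBEROS5)\n"
SAMPLE_INIT = 'REMOTE_OS_AUTHENT=TRUE\nOS_AUTHENT_PREFIX=""\n'

def parse_params(text):
    """Parse NAME = VALUE lines; '#' starts a comment. Names are upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params

def auth_services(sqlnet_text):
    """Ordered method list from SQLNET.AUTHENTICATION_SERVICES, or None if unset."""
    raw = parse_params(sqlnet_text).get("SQLNET.AUTHENTICATION_SERVICES")
    if raw is None:
        return None
    # Assumption: accept both '|' (as printed in this chapter) and ',' as separators.
    return [m.upper() for m in re.split(r"[|,\s]+", raw.strip("() ")) if m]

def audit(sqlnet_text, init_text):
    """Return findings for the parameters this chapter covers."""
    findings = []
    init = parse_params(init_text)
    methods = auth_services(sqlnet_text)
    if methods is None:
        findings.append("SQLNET.AUTHENTICATION_SERVICES is not set in sqlnet.ora")
    elif methods == ["NONE"]:
        findings.append("AUTHENTICATION_SERVICES=(NONE): user name and password only")
    remote = init.get("REMOTE_OS_AUTHENT", "").upper()
    if remote == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: OS-authorized logins accepted over the network")
    elif remote != "FALSE":
        findings.append("REMOTE_OS_AUTHENT is not explicitly set to FALSE")
    prefix = init.get("OS_AUTHENT_PREFIX")
    if prefix is None:
        findings.append("OS_AUTHENT_PREFIX unset: default OPS$ applies")
    elif prefix.strip("\"'") != "":
        findings.append("OS_AUTHENT_PREFIX=%s: guide recommends null for new databases" % prefix)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SQLNET, SAMPLE_INIT):
        print(finding)
```

A non-null OS_AUTHENT_PREFIX is reported for review only; on a database that already has externally identified users, the Attention note above applies and the value should not be changed.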

      See Also: