Skip Headers

Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)
Part Number B10772-01
Go to Documentation Home
Home		 Go to Book List
Book Li st		 Go to Table of C ontents
Contents		 Go to Index
Index		 < a href="../../mix$101/b12039/toc.htm">Go to Master Index
Master Index		 Go to Feedback page
Feedback
Go to previous page
Previous		 Go to next page
Next
View PDF

10
Configuring Oracle DC E Integration

Oracle DCE Integration enables Oracle applications and tools to access Oracle Database servers in a distributed computi ng environment. This chapter briefly describes the Distributed Computing Environment (DCE), the Oracle DCE Integration product, and how to configure it. It contains the following topics:

Introduction to Oracl e DCE Integration

The Distributed Computing Environment (DCE) from the Open Group is a set of integrated network services that works across multiple systems to provide a distributed environment. The network services include remote procedure calls (RPCs), directory service, security service, threads, distributed file service, diskless support, and distributed time service.

DCE is the middleware between distributed applications and the operating system/network services and is based on a client/s erver model of computing. By using the services and tools that DCE provides, users can create, use, and maintain distributed applicat ions that run across a heterogeneous environment.

Oracle DCE Integration enables Oracle appl ications and tools to access Oracle database servers in a DCE environment.

System Requirements

Oracle DCE Integration requires Oracle Net Services and Oracle Database. It is based on the Open Software Foundation (OSF) DCE protocol (V1.1 and later).

Note that OSF has merged with X/OPEN, another standard s group, to form The Open Group. This group is committed to continuing DCE support.

Oracle servers running DCE Integration 2.3.2 and later are backward compatible with c lients running SQL*Net/DCE 2.1.6 or 2.2.3; however, Release 2.1.6 clients cannot take advantage of external roles.

A client running DCE Integration 2.3.2 or later cannot connect to a SQL*Net/DCE 2.1.6 or 2.2.3 server. A DCE Integration Release 2.3.2 or later client requires a Release 2.3.2 or later server in order to connect to a database.

Components of Oracle DCE Integration

Oracle DCE Integration has t wo components: DCE Communication/Security and DCE CDS Native Naming.

DCE Communication/Security

This component has three principal features:

Authenticated RPC

Oracle DCE Integration provides authenticated Remote Procedure Call (RPC) as the transport mechanism that enables multi-vend or interoperability. RPC also uses some of the other DCE services, including directory and security services, to provide location tra nsparency and secure distributed computing.

Integrated Security and Single Sign-On

Oracle DCE Integration works with the DCE Security service to provide security within DCE cells. It enables a user logged onto D CE to securely access any Oracle database without having to specify a user name or password. This is sometimes called external authentication to the database, or single sign-on (SSO). Clients and servers that are not running DCE authentication services can interoperate with systems that have DCE security by specifying an Oracle password.

Data Privacy and Integrity

Oracle DCE Integration uses the multiple levels of security that DCE provides to ensure data authenticity, privacy, and integrity. Users have a range of choices, from no protection to full encryption for each connection, with a guarantee that no data i s modified in transit.

D CE Cell Directory Services Native Naming

The DCE Cell Directory Services (CDS) Native Naming component includes naming and location transpar ency.

DCE Integration registers Oracle Database connect descriptors in the DCE CDS, letting them be transparently accessed across the entire DCE environment. Users can connect to Oracle database servers in a DCE environment u sing familiar Oracle service names.

The DCE CDS offers a distributed, replicated repository service for name, address, and attributes of objects across the network. Because servers register their name and address information in the CDS, Oracle clients can make location-independent connections to Oracle Database servers. Services can be relocated without an y changes to the client configuration. An Oracle utility is provided to load the Oracle service names with corresponding connect desc riptors into CDS. After this is done, Oracle connect descriptors can be viewed from a central location with standard DCE tools.

< a name="1006206">

For location of services across multiple cells, either of the following options can be used:

Note:

For parts of the network that do not use DCE, you can use the other security and authenticatio n services that are part of Oracle Advanced Security. These services work with SQL*Net release 2.1 and later or with Oracle Net Servi ces. They provide message integrity and data encryption services in non-DCE environments, letting administrators ensure that all netw ork traffic is protected against unauthorized viewing or modification, regardless of the start or end point.
See Also:

Flexible DCE Deployment

Oracle Advanced Security provides flexibility in your use of DCE services. You have the following options:

Release Limitati ons

The following are limitations in 10g Rele ase 1 (10.1) of Oracle Advanced Security:

Configuring DCE for Oracle DCE Integration

The following tasks, performed by the DCE cell administrator, assume that a DCE cell has been configured and the systems be ing used are part of that cell:

Task 1: Create New Principals and Accounts

< !--/TOC=h2-->

Use the following procedure model to add server principals:

<
a name="1006370">% dce_login cell_admin password
% rgy_edit
Current site is: registry server at /.../cell1/subsys/dce/sec/master
rgy_edit=>do p
Domain changed to: principal 
rgy_edit=> add oracle
rgy_edit=> do a
Domain changed to: account
rg
y_edit=> add oracle -g none -o none -pw oracle_password -mp cell_admin_
password
rgy_edit=&
gt; quit
bye

In this example, a DCE principal na med oracle is created. The principal has a corresponding account with a password set to oracle_password. Th e account does not belong to any DCE group or DCE profile.

Note:

Perform this task on the server only once after DCE Integr ation has been installed. Do not perform this task on client systems.

Task 2: Install the Key of the Server in to a Keytab File

Install the key of the server into a keytab file, dc epa.key. This file contains the password of the principal under which the Oracle Net listener starts. The Oracle Net listener reads t his file to authenticate itself to DCE. To generate the keytab file, enter the following:


% dce_login cell_admin password
% rgy_edit
Current site is: registry ser
ver at /.../cell1/subsys/dce/sec/master
rgy_edit=> ktadd -p oracle -pw Oracle_password -f
<
a name="1006395">$ORACLE_HOME/dcepa/admin/dcepa.key
rgy_edit=>quit
bye
< td class="Note">
Note:
  • Perform this task on the server only once after DCE Integration has been installed. Do not perform this task on client systems.
  • Re member to substitute the full path name for the $ORACLE_HOME variable. If the specified directories do not exist, create them before running the command. To create the directories. enter the following: 
    mkdir $ORACLE_HOME/dcepa

mkdir $ORACLE_HOME/dcepa/admin

Task 3: Configure DCE CDS for Use by Oracle DCE Integration

  1. Create Oracle directories in the CDS namespace by entering the following after installing DCE Integration for the first time in a cell. Cre ate directories on all CDS replicas: 
    % dce_login cell_admin

Enter Password:(password not displayed)
$ cdscp
cdscp> create dir /.:/subsys/oracle
cdscp> create dir /.:/subsys/oracle/nam
es
cdscp> create dir /.:/subsys/oracle/service_registry
cdsc
p> exit
    Note:
    • The directory /.:/subsys/ora cle/names contains objects that map Oracle Net service names to connect descriptors, which are used by the CDS naming adapter.
    • The directory /.:/subsys/oracle/service_registry contains objects that map the service name in DCE addresses to the network endpoint that is used by both DCE protocol adapter clients and servers.
  2. Give servers permission to cr eate objects in the CDS namespace by entering the following, which adds the principal oracle to the CDS-server group:

    $ dce_login cell_admin Enter Password: (password not d isplayed) $ rgy_edit rgy_edit=> domain group Domain changed to: group rgy_edit=> member subsys/dce/cds-server -a oracle < a name="1006439">rgy_edit=> exit

  3. L oad Oracle service names into CDS as described in "Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration".

Configuring Oracle Database and Oracle Net Services for Oracle DCE Integration

This section describes how to configure an Oracle databa se server and Oracle Net Services to use Oracle DCE Integration after it has been successfully installed. It contains the following t opics:

DCE Address Parameters

DCE addresses in the listener.ora and tnsnames.ora configuration files are defined by DCE parameters, illustrated in the fo llowing:

ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=server_name)(CELL
_NAME=cell_name)
(SERVICE=dce_service_name))

These parameters are described by Table 10-1:

Table 10-1 DCE Address Parameters and Definitions
Component Description< /strong>
< p class="TB">PROTOCOL

A mandatory field that identifies the DCE RPC protocol.

SERV ER_PRINCIPAL

A mandatory field for the server and an optional field for the client. The server authenticates itself to DCE as this principal. This field is mandatory in the listener configuration file (listener.ora) and specifies the principal the server will start under. This field is optional in your local naming configuration fi le (tnsnames.ora) and specifies the principal of the server the client must connect to. If not specified, then one-way a uthentication is used. In this case, the client does not care what principal the server is running under.

CELL_NAME

An optional parameter. If present, it specifies the DCE cell name of the database. If this paramete r is not set, the cell name defaults to the local cell (useful for single-cell environments). Optionally, the SERVICE parameter (desc ribed in the following section) may specify the complete path (including the cell name) to the service, making this parameter unneces sary.

SERVICE

A mandatory field for both server and client. For the server, this i s the service registered with CDS. For the client, this is the service name used when querying CDS for the location of the Oracle DCE servers. The default directory for storing service names in CDS is /.../cellname/subsys/oracle
/service_registry. T his service name can fully specify the path in CDS.

You can sp ecify a service as follows:

SERVICE=/.../cell_name/subsys/oracle/service_registry/dce_serv
ice_name

Alternatively, you can specify:

SERVICE=dce_service_name

if CELL_ NAME=cell_name is also specified.

In this case, the cell name defaults to the local c ell. However, this way of specifying service names only works if you are operating within a single cell.

< div align="center">
Note:

The dce_service_name in the service field might not be the same as that used by Oracle Net Services. The service name use d by Oracle Net is mapped to the connect descriptor in a local naming configuration file (tnsnames.ora). The dce_service_name is part of the address within the connect descriptor.

Task 1: Configure the Serv er

To configure a server for DCE Integration, do the following:

< ol class="LN1" type="1">
  • Configure the listener configuration file (listener .ora) with DCE address information for all servers.
  • For servers in dist ributed systems that require database link connections to other servers, configure the sqlnet.ora and protocol.ora files with DCE address information.

    For a database server to receive connections from Oracle Net clients in a DCE env ironment, there must be an Oracle Net listener active on the server platform. This process listens for connections on a network addre ss that is defined in the listener.ora configuration file.

    The SERVER_PR INCIPAL parameter designates what DCE principal the listener should be running under. In the following sample, the listener is running under principal oracle.

    The following is a sample DCE address as it w ould appear in the listener.ora file.

    LSNR_DCE=
  (ADDRESS=
      (PROTOCOL=
DCE)
      (SERVER_PRINCIPAL=oracle)
      (CELL_NAME=cell1)

(SERVICE=dce_svc))       
SID_LIST_LSNR_DCE=
      (SID_DESC=
      (SID_NAME=ORASID)
       (ORACLE_HOME=/private/oracle9))

    Task 2: Create and Name Externally Authenticated Accounts

    To use DCE auth entication for logging on to an Oracle database, you must create database accounts that are authenticated externally. To enable secur e external authentication, do the following:

    Note:

    In this release, the configuration files listener.ora, sqlnet.or a, tnsnames.ora, and protocol.ora are located in the $ORACLE_HOME/network/admin directory.
    Note:

    The privileges shown in this section are the minimum< /em> access privileges necessary. The actual set of privileges needed depends upon the instance or applicatio n.
    1. Verify that these lines are in the initialization parameter file: 
      REMOTE_OS_AUTHENT=FALSE
 OS_AUTHENT_PR
EFIX=""
    2. Verify that the initialization pa rameter file does not have a multi-threaded server (MTS) entry for DCE. For example, an entry such as the following is not permitted: 
      mts_dispatchers="(PROTOCOL=dce)(DISPATCHERS=3)"
      Note:

      The MTS_DISPATCHERS initialization parameter is obsolete in 10g Release 1 (10.1). See Oracle Database Upgrade Guide for further details.

    3. Ensure that you are logged on as a member of the DBA group. Restart the database instance for the changes to take effect.
    4. At the SQL*Plus prompt, define users. Before doing so, decide whether you are, or ever will be, operating in a mult i-cell DCE environment in which you let Oracle access across cell boundaries. The way you define users depends on whether they are co nnecting within a single cell or across cell boundaries.

      Local Cell :

      If users are connecting within a local cell, use the following format:

      SQL> CREATE USER server_principal IDENTIFIED EXTERNALLY;
SQL> GRANT CR
EATE SESSION TO server_principal;

      For exampl e:

      SQL> CREATE USER oracle IDENTIFIED EXTERNALLY;
SQL&g
t; GRANT CREATE SESSION TO oracle;

      The entire CELL_NAME/SERVER_PR INCIPAL string must be 30 characters or less (this is an Oracle Database restriction--not a restriction of the DCE adapter).

      For example:

      SQL> CREATE USE
R "CELL1/ORACLE" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CELL1/ORACLE";

      Multiple Cells:

      If connecting to the database across multiple cells, specify both the cell_name and the se rver_principal, as illustrated in the following:

      SQL> CREATE USER "CELL_NAME/SERV
ER_PRINCIPAL" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CELL_NAME/SERVER_PRINCIPAL";

      You must enclose the externally-identified account name in double quotation m arks, because the slash is a reserved character. Also, if the account (user) name is double-quoted, it must be capitalized.

      For example:

      SQL> CREAT
E USER "CELL1/ORACLE" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "CELL1/ORACLE";

      When using this format, set the following parameter in the protocol.ora configuration file to FALSE:

      dce.local_cell_usernames=false




      References to an Oracle account created in this manner must include the schema/account in th
e correct format. Consider requests for access to tables from another account. When a user references the tables in another account c
reated within a local cell, the command might appear as follows:
      

      SQL> SELECT * FROM or
acle.emp


      


      If a user wants to access tables in another account crea
ted for connections across cells, the command might appear as follows:
      

      SQL> SELECT * F
ROM "CELL1/ORACLE" .emp
    See Also:

    Oracle Database Heterogeneous Connectivity Administrator's Guide, for more information about external authentication

    Task 3: Set up DCE Integration External Roles

    To set up external roles for DCE Integration, and enable connection to an Oracle database as SYSOPER or SY SDBA with DCE credentials, do the following:

    1. S et the following parameter in the initialization parameter file: 
      OS_ROLES=TRUE
    2. Restart the database.
    3. Ensure that the DCE groups that map to Oracle roles adhere to the following syntax: 
      ORA_global_name_role[_[a][d]]

      Table 10-2 describes the syntax components:

      Table 10-2 Setting Up External Role Syntax Components
      < thead>
      Component Definition

      ORA

      Designates that this group is used for Oracle purposes

      GLOBAL_NAME

      The global name for the database

      ROLE

      The name of the role, as defined in the data dictionary

      A or a

      Optional character indicating that the user has admin privi leges for this role

      D or d

      Optional character indicating the role is to be enabled by default at connect time
      See Also :

      Oracle Database Administrator's Guide for more information about external roles
    1. Authenticate to D CE a user who is a member of a DCE group by entering the following commands: 
      dce_login
klist

    Sample Outp ut:

    % dce_login oracle

    Enter Password:

    % klist
dce identity information:
Warning: Identity information is not certified
Global Principal: /.../ilab1/oracle
Cell:      001c3f90-01f5-1f72-ba65-02608c2c84f3 /.../ilab1
Principal: 00000068-0568-2f72-bd00-02608c2
c84f3 oracle
Group:     0000000c-01f5-2f72-ba01-02608c2c84f3 none
Local Groups:
0000000c-01f5-2f72-ba01-02608c2c84f3 none
0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-serv
er
00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
00000084-89c8-2fe8-a201-02608c2c84
f3 ora_dce222_connect_d
00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
000000
80-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
.
.
.
    • Connect to the database as usual.

      The following sample output lists external roles (DBA, CONNECT, RESOURCE, and ROLE1) tha t have been mapped to DCE groups:

      SQL> SELECT * FROM session_roles;

ROLE
------------
------------------
CONNECT
RESOURCE
ROLE1

SQL> SET ROLE all;

Role set.

SQL> SELECT * FROM session_roles;

ROLE
-------------
-----------------
DBA
EXP_FULL_DATABASE
IMP_FULL_DATABASE
CONNECT
RESOURCE
ROLE1

6 rows selected.

SQL> EXIT
    < a name="1006749">

    Task 4: Configu re DCE for SYSDBA and SYSOPER Connections to Oracle Databases

    To conf igure DCE so that you can connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials, do the f ollowing:

    1. Create DCE groups that map to Oracle DBA and OPERATOR roles. DCE group names should adhere to the syntax described by Task 3: Set up DCE I ntegration External Roles. Add the externally authenticated user oracle as a memb er of the group(s). 
      $ dce_login cell_admin cell_admin_password 
$ rgy_e
dit 
rgy_edit=> domain group 
Domain changed to: group 
rgy_edit
=> add ora_dce222_dba_ad 
rgy_edit=> add ora_dce222_operator_ad 
rgy_edit=> memb
er ora_dce222_dba_ad -a oracle 
rgy_edit=> member ora_dce222_operator_ad -a oracle
    2. Add the GLOBAL_NAME parameter to the DCE address or TNS service name in the local config uration file tnsnames.ora. 
      ORADCE=
    (ADDRESS=
              (PROTOCOL=DCE)  
              (SERVER_PRINCIPAL=oracle)

         (CELL_NAME=cell1)
              (SERVICE=dce_svc))
 (CONNECT_DATA= 
             (SID=ORASID) 
             (GLOBAL_NAME=dce222)))
    3. Create the database user oracle as described by Task 2: C reate and Name Externally Authenticated Accounts.
    4. Get DCE credentials for the externally authenticated user: 
      $ dce_login orac
le oracle_password 
$klist 
DCE Identity Information: 
        Warning: Identity information is not certified 
        Global Principal: /.../dce.dlsun685
.us.oracle.com/oracle 
        Cell:      00af8052-7e94-11d2-b261-9019b88baa77 
/.../dce.
dlsun685.us.ora 
cle.com 
        Principal: 0000006d-88b9-21d2-9300-9019b88baa77 oracle

        Group:     0000000c-7e94-21d2-b201-9019b88baa77 none 
        Local Groups: 
                0000000c-7e94-21d2-b201-9019b88baa77 none 
                0000006a-7e94-21d
2-ad01-9019b88baa77 subsys/dce/cds-server 
                00000076-8b53-21d2-9301-9019b88baa77 ora_dce222_dba_
ad 
                00000077-8b53-21d2-9301-9019b88baa77 ora_dce222_operator_ad 
 
Identity Info Expires: 1999-12-04-10:28:22 
Account Expires:       never 
Passwd Expires:        never 
 
Kerberos Ticket Information: 
Tick
et cache: /opt/dcelocal/var/security/creds/dcecred_43ae2600 
Default principal: oracle@dce.dlsun685.us.oracle.c
om 
Server: krbtgt/dce.dlsun685.us.oracle.com@dce.dlsun685.us.oracle.com 
        valid 1
999-12-04-00:28:22 to 1999-12-04-10:28:22 
Server: dce-rgy@dce.dlsun685.us.oracle.com 

      valid 1999-12-04-00:28:22 to 1999-12-04-10:28:22 
Server: dce-ptgt@dce.dlsun685.us.oracle.com 
        valid 1999-12-04-00:28:26 to 1999-12-04-02:28:26 
Client: dce-ptgt@dce.dlsun685.us.oracle.c
om     Server: 
krbtgt/dce.dlsun685.us.o 
racle.com@dce.dlsun685.us.oracle.com 
        valid 1999-12-04-00:28:26 to 1999-12-04-02:28:26 
Client: dce-ptgt@dce.dlsun685.us.oracle.
com     Server: 
dce-rgy@dce.dlsun685.us. 
oracle.com 
        vali
d 1999-12-04-00:28:27 to 1999-12-04-02:28:26
      Note:

      List output shows the DCE group membership of oracle.
    1. Connect to the Oracle database as SYSDBA or SYSOPER.

      For example:

      SQL> conne
ct /@oradce as SYSDBA

    Task 5: Configure the Client

    To configure a client for DCE Integration, you must configure the following Oracle Net files with DCE address and parameter information:

    • protocol.ora
    • sqlnet.ora

    Typically, CDS is used for name resolution. Thus, a local naming configuration file (tnsnames.ora) is not used, except when loading names and addresses into CDS.

    Parameters in prot ocol.ora

    There are four DCE parameters located in the protocol. ora file. Each parameter begins with the prefix DCE. to distinguish it from paramet ers relevant to other protocols. If default values are used for these four parameters, DCE Integration does not require a proto col.ora file. The parameters and their current defaults follow:

    • DCE.AUTHENTICATION=dce_secret
    • DCE.PROTECTION= pkt_integ
    • DCE.TNS_ADDRESS_OID=1.3.22.1.5.1
    • DCE.LOCAL_CELL_USERNAMES=TRUE

    Configurati on parameters are not case-sensitive; you can enter them in either uppercase or lowercase.

    DCE.AUTHENTICATION

    The DCE.AUTHENTICATION parameter is optional. It indicates the authentication value to be used for ea ch DCE RPC. The client DCE_AUTHENTICATION value must be the same as the server DCE_AUTHENTICATION value. If this entry is not specified, cell-wide default authentication is used. The options follow:

    Option Description

    NONE

    No authentication

    DCE_SECRET

    DCE shared-secret key authentication (Kerberos)

    DCE_SECRET

    Default authentication level and recomm ended value

    DEFAULT

    Cell default

    DCE.PROTECTION< /h4>

    DCE.PROTECTION is an optional field that specifies the data integrity protec tion levels for data transmission. The client DCE_PROTECTION level must be equal to or greater than the server DCE _PROTECTION level. If this entry is not specified, cell-wide default protection is used. The options follow:

    Option < /a> Description

    NONE

    Perform no protection for the current connection

    DEFAULT

    Use the default cell-wide protection level

    CONNECT

    Perform protection only when the client establishes a relationship with the server

    CALL

    < /td>

    Perform protection only at the beginning of each remote procedure call when the server receives the request

    PKT

    Ensure tha t all data received is from the expected client

    PKT_INTEG

    Ensure and verify that none of the data transferred between the client and server has been modified

    PRIVACY

    Perform protection as specified by all of the previous levels and also encrypt each RPC argument value and all user data in each call

    DCE.TNS_ADDRESS_OID

    DCE.TNS_ADDRESS_OID is an optional parameter that enables you to specify an alternative to the def ault value as follows:

    DCE.TNS_ADDRESS_OID=1.3.22.1.x.x
    See Also:

    "Step 2: Modify the CDS Attributes File and Restart the CDS" .

    DCE.LOCAL_CELL_USERNAMES

    DCE.LOCAL_CELL_USERNAMES is an optional parameter that defines the format used to specify the principal name (username), with or without the cell name. The choice you make for this parameter should be determined by whether or not users are making connections across cells--with unique names. The default for DCE.LOCAL_CELL_USERNAMES is now TRUE (it was s et to FALSE in the DCE Integration 2.1.6 release).

    The associated options follo w:

    Option Description

    TRUE

    The default value. Select TRUE if using just the SERVER_PRINCIPAL format, without the CELL_NAME.

    An example of a user specified in this format is as follows:

    oracle

    TRUE is an appropriate option if users are making connections within a single cell, or if naming co nventions in the network assure that users in different cells do not have duplicate names.

    FALSE

    Select FALSE when using the CELLNAME/SERVER_PRINCIPAL format. An example of a user spe cified in this format is as follows:

    CELL1/ORACLE

    FALSE is an appropriate option if users are making connections across cells and there can be users in differ ent cells with identical name

    Task 6: Configure Clients to Use DCE CDS Naming

    Clients typically use Cell Directory Services (CDS) to resolve Oracle service names to addresses. Perform the following steps to configure CDS:

    Step 1: Enable CDS for use in Performing Name Lookup

    To use CDS for name resolution, the DCE Integration CDS N aming Adapter must be installed on all clients and servers that use CDS. Also, the CDS namespace must have been configured for use by DCE Integration.

    See Also:< /font>

    DCE Integration installation instructions, and "Task 3: Co nfigure DCE CDS for Use by Oracle DCE Integration" .

    For example, a service name such as ORADCE and its network address can be stored in DC E CDS.

    Users can typically connect to Oracle services using the familiar Oracle servi ce name if there are no domains or the database is in the user's default domain, as in the following example:

    sqlplus /@ORADCE

    This example assumes that DCE externally-authenticated accounts are in use.

    As an alternative name resolution service, us e a local naming configuration file, tnsnames.ora, when CDS is inaccessible. To do so, locate names and addresses of all Oracle servers in the local tnsnames.ora file.

    Step 2: Modify the CDS Attributes File and Restart the CDS

    On all DCE machines where CDS naming is used, add the object ID for the CDS attribute TNS_A ddress to the CDS attributes file. (The object ID must be the same across all machines.)

    1. Add a line in the following format to the /opt/dcelocal/etc/cds_attributes fi le: 
      1.3.22.1.5.1    TNS_Address    char

      The first four digits of this TNS_Address attribute value, 1.3.22.1.x.y, are fixed, under DCE naming conv entions. If the default TNS_Address object ID value 1.3.22.1.5.1 already exists in the cds_attributes file, you must spe cify a value for the object ID that is not already in use.

      If you are unable to use the def ault value for the object ID, then you must specify the object ID in the protocol.ora file on the client.

      If you had to specify a value other than the default value 1.3.22.1.5.1, then you must add t he following parameter to the protocol.ora file:

      DCE.TNS_ADDRESS_OID=1.3.22.
1.x.y

      Make sure that the object ID value in the cds_attributes fi le matches the value specified in the DCE.TNS_ADDRESS_OID parameter in the protocol.ora file.

    2. Restart CDS on the system.

      The com mand to restart CDS varies between different operating systems. On the Solaris platform, for example, you can use the following comma nd to restart CDS:

      /opt/dcelocal/etc/rc.dce restart

    Step 3: Create a tnsnames.ora Fi le for Loading Oracle Connect Descriptors into CDS

    To load the Oracle service names and addresses into CDS, create or modify a local naming configuration file, tnsnames.ora. This file is used to map ser vice names to addresses for use by Oracle Net.

    This section describes the parameters that mu st be included in the tnsnames.ora file. The file contains a list of Oracle service names mapped to connect descriptors of destinations or endpoints in the network. The sample DCE address in the following section shows a network address for an Oracle se rver with the Oracle service name ORADCE. It is used to connect to the service registered as DCE_SVC in the CDS directory

     /.../cell_name/subsys/oracle/names.
ORADCE=(DESCRIPT
ION=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)(CELL_
NAME=cell1)(SERVICE=DCE_SVC))(CONNECT_DATA=(SID=ORASID)))
    Note:

    In this example, the Oracle service name and the DCE service name are different, although they are frequently the same.

    < /td>
    Parameter Name Type Mandatory? Description

    PROTOCOL=DCE

    keyword value pair

    Yes

    Appears in the address sections of (i ) listener.ora, a listener configuration file, and (ii) tnsnames.ora, a local naming configuration file.

    SERVER_ PRINCIPAL

    DCE Parameter

    No

    Appears in tnsnames.or a

    SERVICE

    DCE Parameter

    		 < a name="1008531">

    Yes

    The value given for the D CE parameter (SERVICE=dce_service_name) must be the same in listener.ora and tnsnames.ora

    SID

    Oracle Parameter

    Yes

    Identifies the Oracle system ID; each SID value must be unique on a node. This parameter is used locally only, and is not used in DCE CDS.
    See Al so:

    Oracle Net Services Administrator's Guide, for information about tnsnames.ora, the local naming config uration file.

    Step 4: Load Oracle Connect Descriptors into CDS

    < p class="BP">A separate utility called tnnfg is provided with Oracle DCE Integration to load connect descriptors into CDS. If you con figure a new service name and address in tnsnames.ora, tnnfg adds the new service name and address to CDS. If you change the address for a particular service name, tnnfg updates the address for a particular service name.

    To load the Oracle service names or aliases from tnsnames.ora into CDS, enter the fol lowing at the system prompt:

    % dce_login cell_admin
% tnnfg dceload
full_pathname_to_tnsnames.ora
% Enter Password:(password will not display)

    Be sure to enter the full path name of the tnsnames.ora file, and ensure that the s qlnet.ora file exists in the same directory as the tnsnames.ora file.

    Step 5: Delete or Rename the tnsnames.ora File

    You can keep tnsnames.ora available a s a backup in case CDS becomes unavailable. To assure that CDS is routinely searched instead of tnsnames.ora, configure the NAMES.DIRECTORY_PATH parameter in a profile (sqlnet.ora), as described by "Step 6: Modify the sqlnet.ora File to Resolve Names in CDS" (the next section).

    Step 6: Modify the sqlnet.ora File to Resolve Names in CDS

    The parameters required in a profile (sqlnet.ora) de pend upon the version of SQL*Net or Oracle Net Services you are using.

    For a client or serve r to use DCE CDS Naming, the administrator must do the following:

    1. Ensure that the CDS Naming Adapter has been installed on that node.
    2. Add the following parameter to the sqlnet.ora file: 
      NAMES.DIREC
TORY_PATH=(cds, tnsnames, onames)

      The first name resolution servi ce listed as a value for this parameter is used. If it is unavailable for any reason, the next name resolution service is used, and s o forth.

    Connecting to an Oracle Database Server in the DCE Environment

    This section describes how to connect to an Oracle database after installing Oracle DCE Integration, and configuring both DCE a nd Oracle to use Oracle DCE Integration in the following topics:

    Starting the Li stener

    To start the listener, do the following:

    1. Enter the following commands: 
      <
/a>% dce_login principal_name password 
% lsnrctl start listener_name

      For example, if the listener name is LSNR_DCE in the listener.ora file, enter the following:

      % dce_login oracle orapwd
% lsnrctl start LSNR_DCE
    2. Verify that the server has registered its binding handler with rpcd: < pre class="CE1"> % rpccp show mapping

      Look for the line that includes the dce_service_name that is part of the listener address.

    3. Verify that the service has been created by searching for the dce_service_name as follows: 
      % cdscp show object "/.:/subsys/oracle/service_registry/dce_servi
ce_name"

      For example:

      The following command shows you the mapping in the CDS namespace that the listener has chosen for the en dpoint:

      % cdscp show object "/.:/subsys/oracle/service_registry/dce_svc"

            SHOW
          OBJECT    /.../subsys/oracle/service_registry/dce_svc
<
a name="1007968">              AT   1999-05-15-17:10:52
RPC_ClassVersion = 0100

    CDS_CTS = 1999-05-16-00:05:01.221106100/aa-00-04-00-3e-8c           
         CDS_UTS = 1999-05-16-00:05:01
.443343100/aa-00-04-00-3e-8c                  
       CDS_Class = RPC_Server
CDS_ClassVer
sion = 1.0
      CDS_Towers = :
           Tower = ncacn_ip_tcp:144.25.23.57[]

    Connec ting to an Oracle Database by Using DCE Authentication for Single Sign-On

    After externally-identified accounts have been set up, you can take advantage of DCE authentication to log in to Oracle without providing any username or password information. To use this single sign-on capability, just log in to DCE using a command like the fo llowing:

    % dce_login principal_name password

    For example:

    % dce_login oracle orapwd
    Note:

    You only need to enter the dce_login command once. If you are already logged into DCE, you do not n eed to log in again.

    You can now connect to an Oracle server without using a username or password. Enter a command like the following:

    % sqlplus /@net
_service_name

    where net_service_name is th e database service name.

    For example:

    % sqlplus /@ORADCE

    Connecting to an Oracle Database by Using Password Authentication

    From a client, you can still connect with a user name and password:

    % sqlplus username/password@net_service_name

    where net_service_name is the Oracle Net service name.

    For e xample:

    % sqlplus scott/tiger@ORADCE

    Connecting Clients Outside DCE to Oracle Servers i n DCE

    Clients without access to DCE and CDS can still connect to Orac le servers in DCE using TCP/IP or some other protocol if a listener is configured to do this. If a listener has been configured in th e listener.ora file on the server, non-DCE clients can use normal Oracle Database and Oracle Net Services procedures to connect to an Oracle server in DCE.

    The following section contains these topics, which include samples of listener.ora and tnsnames.ora files as they would be configured if a client from outside of DCE wanted to connect to Oracle database servers in a DCE environment:

    Sample Parameter Files

    At least the follo wing two Oracle parameter files are needed for successful client/server communications; create and modify these files using a text ed itor:

    The parameter files are described in the following sections:

    The listener.ora File

    The listener.ora file resides on the listener node. It defines listener characteristics and the addr esses at which the listener listens.

    In the following example, each element is displayed on a separate line, to show the file's structure. This is the recommended format, but you do not have to put each element on a separate line. Be sure to include all the appropriate parentheses, and to indent if you must continue an element on the next line.

    This example assumes the UNIX operating system and the TCP/IP protocol for one listener, and the DCE pr otocol for another listener. A single listener can have multiple addresses. For example, instead of having two separate listeners for different database instances on a server node, you could have one listener for both, listening on both TCP/I P and on DCE. However, performance is improved with separate listeners.

    LSNR_TCP=
   (ADDRESS_LIST=
       (ADDRESS=
              (PROTOCOL=IPC)
              (KEY=DB1)
       )
       (ADDRESS=

        (PROTOCOL=tcp)
              (HOST=rose)
              (PORT=1521)
       ))
SID_LIST_LSNR_TCP=
      (SID_DESC=
             (SID_NAME=ORASID)
             (ORACLE_HOME=/usr/jprod/Oracle Database)
      )
LSNR_DCE=
(ADDRESS=
  (PROTOCOL=DCE)
  (SERVER_PRINCIPAL=oracle)
  (CELL_NAME=cell1)
  (SERVICE=dce_svc))
SID_LIST_LSNR_DCE=
  (SID_DESC=
    (SID_NAME=ORASID)
    (O
RACLE_HOME=/usr/prod/oracle8))
#For all listeners, the following parameters list sample
#
default values.
PASSWORDS_LISTENER=
STARTUP_WAIT_TIME_LISTENER=0
CONNECT_TIMEOUT_LISTENER=10
TRACE_LEVEL_LISTENER=OFF
TRACE_DIRECTORY_
LISTENER=/usr/prod/Oracle Database/network/trace
TRACE File_LISTENER=listener.trc
LOG_DIR
ECTORY_LISTENER=/usr/prod/Oracle Database/network/log
LOG_FILE_LISTENER=listener.log

    The tnsnames.ora File

    This file resides on both the client and the server nodes. It lists the service names and addresses of all services on the network.

    The following sample tnsnames.ora file maps the service name ORATCP to the connect descriptor that includes a TCP/IP address and the service name ORADCE< /code> to a connect descriptor that includes a DCE address.

    ORATCP = (DESCRIPTION=
       (ADDRESS=
         (PROTOCOL=TCP)
         (HOST=rose)
         (PORT=1521)
        )
        (CONNECT_DATA=

       (SID=DB1)
        )
       )
ORADCE=(DESCRIPTION=
      (ADDRESS=
        (PROTOCOL=DCE)
        (SERVER_PRINCIPAL=oracle)
        (CELL_NAME=cell1)
        (SERVICE=dce_svc)
       )
       (CONNECT_DATA=
              (SID=ORASID)
       )
<
/a>       )

    To access the DB1 database, a user can use ORATC P to identify the appropriate connect descriptor.

    For example:

    sqlplus scott/tiger@oratcp
    < h3 class="H2">Using tnsnames.ora for Name Lookup When CDS Is Inaccessible

    Typically, names are resolved into network addresses by CDS. Although the main purpose of the tnsnames.ora file (in the context of native naming adapters) is to load Oracle service names and network addresses into CDS, it could be used temporarily as a backup name resolution service if CDS is inaccessible.

    SQL*Net Release 2.2 and Earlier

    To use the tnsnames.ora file for name lookup and resolution, remove (or comment out) the "native name" parameters from the sqlnet.ora file on the client. To comment out the lines, add a pound sign (#) at the beginning of each line.

    For exa mple:

    #native_names.use_native=true
#native_names.directory
_path=(dce)

    SQL*Net Release 2.3 and Oracle Net Services

    You can use t nsnames.ora for name lookup and resolution when DCE CDS is unavailable if you have TNSNAMES listed as a value for the NAMES.DIRECTORY_PATH parameter in the sqlnet.ora file on the client.

    For example:

    names.directory_path=(dce, tnsnames)

<
a name="1007453">

    This parameter enables you to list more than one names resolution m ethod. The methods are tried in order. In this example, DCE is attempted first. If it is unsuccessful, TNSNAMES is tried next.

    Note:

    In this case, DCE security is not available to clients. Also, service names are resolved to ne twork addresses and located in a tnsnames.ora file on the client, not using the CDS name server.
    Go to previous page
    Previous    		 G o to next page
    Next
    		Oracle
    Copyright © 1996, 2 003 Oracle Corporation
    All Rights Reserved.
    Go to Documentation Home
    Home    		 Go to Book List
    Book List    		 Go to Table of Contents
    Contents    		 Go to Index
    Index    		 Go to Master Index
    Master Index    		 Go to Feedback page
    Feedback
    < /td>