行锋

Walk with your head down, think with your head up



Untitled

Posted on 2009-05-28
ssl Profile

SSL Profile

The SSL tab enables you to modify Secure Sockets Layer (SSL) settings. SSL is an industry standard protocol for securing network communications. SSL provides for authentication, encryption, and data integrity. Use SSL to secure communications between any client and any server. Specifically, you can use SSL to authenticate any client or server to one or more Oracle servers or an Oracle server to any client.

Configure SSL

From the list, select to specify settings for either the client or server.

The settings you need to configure for the server are similar to those you set for the client. There is one additional parameter: a check box entitled Require Client Authentication.

Configuration Method

TBD...From the list, select File System to...., or select Entrust to...

Wallet Configuration

A wallet contains certificates, keys, and trust points. Select one of the four configuration methods described in the table. If the method chosen is File System or Entrust Wallets, choose Browse to search for a wallet in your file system.

Wallet Configuration Method    Access Method
File system                    Directory path
Microsoft certificate          None
Microsoft registry             Registry key
Entrust wallets                Directory path

Cipher Suite Configuration

Several SSL cipher suites have been installed by default. These default cipher suites will be overwritten if you add one or more manually.

Element: Description

  • Add button: Choose to invoke the Select a Cipher Suite to enable dialog box. In the dialog box, select a suite, and then choose OK. The cipher suite is added to the list box. Note: All Oracle Advanced Security encryption algorithms and key lengths are available for both U.S. domestic and international use.

  • Remove button: Choose to remove a selected Cipher Suite.

  • Promote button: Choose to move a selected Cipher Suite to a higher level in the list.

  • Demote button: Choose to move a selected Cipher Suite to a lower level in the list.

Revocation Check (Server only)

Specify a revocation check for a certificate. Select from one of the following values:

  • None: Select to turn off certificate revocation checking.

  • Required: Select to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate Certificate Revocation List (CRL) is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

  • Requested: Select to perform certificate revocation in case a CRL is available. Reject the SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

Require SSL Version (optional)

From the list, select the version of SSL. The client and the server must use compatible versions of SSL. You can select SSL v3.0 or choose to allow any existing or future version of SSL to be used.

Require Client Authentication (Server only)

This check box is selected by default. Deselect this check box if you do not want to require client-side authentication.

Match server X.509 name (Client only)

From the list, select whether to check that the server's distinguished name (DN) matches its service name. If you enforce the match verification, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity. Select from one of the following values:

  • Yes: Select to check the server DN. If the DN matches the service name, the connection succeeds. If the DN does not match the service name, the connection is successful, but an error is logged in the sqlnet.log file.

  • No: Select to not check the server DN. Ignoring this check can enable the server to fake its identity.

  • Let Client Decide: TBD
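The SSL tab settings are saved to sqlnet.ora. The following check is an added example, not Oracle's code or part of the original page: it reads a profile and reports the weak choices this section describes (revocation checking off, client authentication not required, server DN match not enforced) plus NULL or anonymous cipher suites. The parameter names are the sqlnet.ora counterparts of the dialog fields, the sample file is constructed, and treating an absent SSL_CERT_REVOCATION as none is an assumption.

```python
import re

# Constructed sqlnet.ora contents for illustration (not from the page).
SAMPLE_SQLNET = """\
# constructed server profile
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /etc/oracle/wallets/server)))
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_NULL_SHA)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_SERVER_DN_MATCH = no
SSL_CERT_REVOCATION = none
"""

def parse_profile(text):
    """Return {PARAM: value}; indented lines continue the previous parameter."""
    text = re.sub(r"(?m)#.*$", "", text)  # drop comments
    pairs = re.findall(r"(?m)^([\w.]+)[ \t]*=[ \t]*(.*(?:\n[ \t]+.*)*)", text)
    return {name.upper(): " ".join(value.split()) for name, value in pairs}

def audit_ssl_profile(text, role):
    """List weak SSL settings for role 'server' or 'client'."""
    p = parse_profile(text)
    findings = []
    if role == "server":
        # Assumption: an absent SSL_CERT_REVOCATION behaves like "none".
        if p.get("SSL_CERT_REVOCATION", "none").lower() == "none":
            findings.append("SSL_CERT_REVOCATION: revocation checking is off")
        # The page states client authentication is required by default.
        if p.get("SSL_CLIENT_AUTHENTICATION", "true").lower() == "false":
            findings.append("SSL_CLIENT_AUTHENTICATION: client certificate not required")
    if role == "client":
        if p.get("SSL_SERVER_DN_MATCH", "").lower() not in ("yes", "on"):
            findings.append("SSL_SERVER_DN_MATCH: server DN match not enforced")
    # An explicit list replaces the default suites, so every entry matters.
    for suite in re.findall(r"\w+", p.get("SSL_CIPHER_SUITES", "")):
        if "_NULL_" in suite.upper():
            findings.append(f"SSL_CIPHER_SUITES: {suite} provides no encryption")
        elif "_ANON_" in suite.upper():
            findings.append(f"SSL_CIPHER_SUITES: {suite} provides no authentication")
    return findings

if __name__ == "__main__":
    for role in ("server", "client"):
        for finding in audit_ssl_profile(SAMPLE_SQLNET, role):
            print(f"[{role}] {finding}")
```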

Copyright © 1996, 2009, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Untitled

Posted on 2009-05-28
CONNECT_DATA

CONNECT_DATA

The portion of the connect descriptor that defines the destination database service name or Oracle System Identifier (SID). In the following example, SERVICE_NAME specifies a database service called sales.us.example.com:

(DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=sales-pc)(PORT=1521))
  (CONNECT_DATA=(SERVICE_NAME=sales.us.example.com)))

CONNECT_DATA can be configured with advanced connection information.


Untitled

Posted on 2009-05-28
Configure Advanced Connect Data Options

Configuring Advanced Connect Data Options

Besides the service name or Oracle System Identifier (SID) of the database, you can optionally configure the CONNECT_DATA section of a connect descriptor with the following options:

  • Instance Name to connect to a specific database instance

  • Oracle home of the database to start the database from across the network

  • Session Data Unit Size to specify the buffer size

  • Dedicated Server to connect a dedicated server process

  • Heterogeneous Services to access a non-Oracle system

  • Oracle Rdb settings to access an Oracle Rdb database

To configure advanced connection options for a net service name:

  1. In the navigator pane, expand Oracle Net Configuration > Directory > Local or Service Naming.

  2. Select a net service name or database service. The right pane displays the current destination service and address list.

  3. In the Service Identification box, choose Advanced. The Advanced Service Options dialog box appears.

  4. Enter fields or select options as appropriate, and then choose OK.

  5. In the right pane, choose Apply.

  6. If you are making these changes to the Local folder, choose File > Save Network Configuration.

Related Topics

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Address List Options dialog box

Address List Options dialog box

The Address List Options dialog box enables you to specify the order in which, and how, the protocol addresses in a connect descriptor are used for a connection.

Try each address, in order, until one succeeds

Select to enable connect-time failover for an Oracle9i or Oracle8i client. If the first address cannot be reached, then failover enables the client to use the next listener protocol address. Select this option and the Use Options Compatible with Net8 8.0 Clients option to turn source routing off for a release 8.0 or previous client.

Try each address, randomly, until one succeeds

Select to enable client load balancing and connect-time failover for an Oracle9i or Oracle8i client.

Try one address, selected at random

Select to enable the client load balancing feature for an Oracle9i or Oracle8i client.

Use each address in order until destination is reached

Select to enable source routing for an Oracle8i or Oracle8 client.

This option is required when reaching the destination requires more than one address stop. This feature is typically used to enable Oracle Connection Manager features.

This parameter is not required for an Oracle9i client.

Use only the first address

Select to disable source routing, connect-time failover, and client load balancing features.

Use Options Compatible with Net8 8.0 Clients

Select if you are configuring a release 8.0 client. You will only be able to select among the following options:

  • Try each address, in order, until one succeeds

  • Use each address in order until destination is reached

Clear this option if you are configuring an Oracle9i or Oracle8i client.

Related Topics

Configure a Connect Descriptor for Connections to Oracle Connection Manager

Configure Multiple Address Options

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Choose a New Context dialog box

Choose a New Context dialog box

The Choose a New Context dialog box enables you to set another Oracle Context, which is a container named cn=OracleContext in a Directory Information Tree (DIT) that contains entries for use with Oracle software. These entries can include net service names and database service names for connections to database services. By default, Oracle Net Manager uses the Oracle Context configured by Oracle Net Configuration Assistant.

Directory Naming Context

From the list, select a directory entry that contains the Oracle Context that you want to view.

Oracle Context

From the list, select an Oracle Context. The Oracle Context you select should contain the entries in the directory tree whose networking information you intend to modify or add.

The Directory > Service Naming folder in the navigator pane updates with the network objects of the selected Oracle Context.

Related Topics

Change the Oracle Context

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Configure Heterogeneous Services for the Listener

Configuring Heterogeneous Services for the Listener

Heterogeneous Services enable you to access non-Oracle systems from an Oracle server. To initiate a connection to a non-Oracle system, the Oracle server starts an agent process through the listener on the gateway. Configuring Heterogeneous Services for the listener involves creating service information for the Heterogeneous agent.

To configure Heterogeneous Services for the listener:

  1. In the navigator pane, expand Oracle Net Configuration > Local > Listeners.

  2. Select a listener.

  3. From the list in the right pane, select Other Services.

  4. Choose Add Service. A new Service tab appears.

  5. Enter the agent executable in the Program Name field, the agent's Oracle System Identifier (SID) in the SID field, and the executable Oracle home in the Oracle Home Directory field.

  6. Ensure the server is configured with a connect descriptor to access the Heterogeneous Service, as described in Configure a Connect Descriptor for External Procedures.

  7. Choose File > Save Network Configuration.

Related Topics

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Configure External Procedures for the Listener

Configuring External Procedures for the Listener

External procedures are procedures that are called from another program, but are written in a different language. An example would be a PL/SQL program calling one or more C routines that are required to perform special-purpose processing.

You can configure the listener to listen for external procedure calls. When an application calls an external procedure, the listener starts an external procedure agent, which by default is named extproc. Using the network connection established by the listener, the application passes the following information to the agent:

  • DLL or shared library name

  • External procedure name

  • Any parameters

The agent then loads the DLL and runs the external procedure and passes back to the application any values returned by the external procedure.

The agent can reside on the same computer as the database server or on a remote computer with a listener.

For an Oracle database to connect to an external procedure, configure the listener.ora file with a protocol address and external procedure service information.

Note: Oracle Net Configuration Assistant configures this information in the listener.ora file during an Oracle9i or Oracle8i installation.

To configure the listener for external procedure calls:

  1. Create a listener to exclusively handle external procedures:

    a. In the navigator pane, expand Oracle Net Configuration > Local > Listeners.

    b. Choose plus (+) from the toolbar or select Edit > Create. The Choose Listener Name dialog box appears.

    c. Enter a unique listener name in the Listener Name field.

    d. Choose OK.

  2. If the agent resides on the database server, configure either a TCP/IP or an IPC protocol address in the listener.ora file. If the external procedure agent resides on a remote computer, configure a TCP/IP protocol address in the listener.ora file. The following procedure describes creating an IPC address for the default external procedure agent extproc:

    a. Select the newly-created listener.

    b. From the list in the right pane, select Listening Locations.

    c. Choose Add Address. A new Address tab appears.

    d. From the Protocol list, select IPC, and enter a value for the Key.

  3. Add service information about extproc in the listener.ora file:

    a. From the list in the right pane, select Other Services.

    b. Choose Add Service. A new Service tab appears.

    c. Enter extproc in the Program Name field, a system identifier such as extproc in the SID field, and the Oracle home where the extproc executable resides in the Oracle Home Directory field. If the application requires that an environment variable be set before the agent is started, enter it in the Environment field. For example, if the application requires environment variables MYAPPDIR for the binary location and APPID for the ID, you would enter the following in the Environment field:

    'MYAPPDIR=/myappdir/bin','APPID=MYAPP'

  4. If you configured a TCP/IP protocol address, specify remote clients that are allowed access:

    a. In the navigator pane, expand Local > Profile.

    b. From the list in the right pane, select General.

    c. Choose the Access Rights tab.

    d. Select the Check TCP/IP client access rights option.

    e. In the Clients allowed to access field, enter either a host name or an IP address for a client that you wish to include or exclude, using commas to delimit entries placed on the same line.

  5. Create a net service name in the database server tnsnames.ora file whose connect descriptor matches the information configured in the listener.ora file, as described in Configure a Connect Descriptor for External Procedures.

  6. Choose File > Save Network Configuration.
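The procedure above results in a listener.ora entry for extproc and, for TCP/IP, client access rights in the profile. The following check is an added example, not Oracle's code or part of the original page: it flags an extproc service that shares a listener with other services or that sits on a TCP/IP listener without client access checking. The file layout, the tcp.validnode_checking parameter name (the sqlnet.ora counterpart of Check TCP/IP client access rights), and all sample contents are assumptions not shown on the page.

```python
import re

# Constructed listener.ora and sqlnet.ora contents (not from the page).
SAMPLE_LISTENER = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = sales-pc)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = sales)(ORACLE_HOME = /u01/oracle))
    (SID_DESC = (SID_NAME = extproc)(ORACLE_HOME = /u01/oracle)(PROGRAM = extproc)))
LISTENER_EXTPROC =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key)))
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC = (SID_NAME = extproc)(ORACLE_HOME = /u01/oracle)(PROGRAM = extproc)))
"""
SAMPLE_SQLNET = "tcp.validnode_checking = no\n"

def entries(text):
    """Split an Oracle Net file into {NAME: body}; a parameter starts in column 0."""
    out = {}
    for chunk in re.split(r"(?m)^(?=\S)", re.sub(r"(?m)#.*$", "", text)):
        name, sep, body = chunk.partition("=")
        if sep:
            out[name.strip().upper()] = body
    return out

def audit_extproc(listener_ora, sqlnet_ora=""):
    """Return (listener, finding) pairs for risky extproc placements."""
    lsn = entries(listener_ora)
    prof = {k: v.strip().lower() for k, v in entries(sqlnet_ora).items()}
    findings = []
    for name, body in lsn.items():
        if not name.startswith("SID_LIST_"):
            continue
        programs = re.findall(r"\(\s*PROGRAM\s*=\s*([^()\s]+)", body, re.I)
        if not any(p.rsplit("/", 1)[-1].lower() == "extproc" for p in programs):
            continue
        listener = name[len("SID_LIST_"):]
        # Step 1 asks for a listener that handles external procedures only.
        if len(re.findall(r"\(\s*SID_DESC\s*=", body, re.I)) > 1:
            findings.append((listener, "extproc shares the listener with other services"))
        protos = {p.upper() for p in
                  re.findall(r"\(\s*PROTOCOL\s*=\s*(\w+)", lsn.get(listener, ""), re.I)}
        # Step 4 asks for client access rights when a TCP/IP address is used.
        if protos & {"TCP", "TCPS"} and prof.get("TCP.VALIDNODE_CHECKING") != "yes":
            findings.append((listener, "TCP/IP address without client access checking"))
    return findings

if __name__ == "__main__":
    for listener, finding in audit_extproc(SAMPLE_LISTENER, SAMPLE_SQLNET):
        print(f"{listener}: {finding}")
```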

Related Topics

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Configure Multiple Address Options

Configuring Multiple Address Options

When a database service is accessible by multiple listener protocol addresses, it is important to specify the order in which the protocol addresses are to be used. For example, the protocol addresses can be chosen randomly or tried sequentially.

When multiple protocol addresses have been configured for a net service name or database service, the following options are configurable:

  • Connect-time failover to choose the first protocol address, and fail over to the next protocol address if the first protocol address fails

  • Client load balancing to randomly choose a protocol address

  • Source routing to use all protocol addresses sequentially

To configure multiple address options:

  1. In the navigator pane, expand Oracle Net Configuration > Directory > Local or Service Naming.

  2. Select a net service name or database service. The right pane displays the current destination service and address list.

  3. In the Address Configuration box, choose Advanced. The Address List Options dialog box appears.

  4. Clear Use Options Compatible with Net8 8.0 Clients if this configuration is for an Oracle9i or Oracle8i client.

  5. Select the option appropriate for the protocol address list, and then choose OK.

  6. In the right pane, choose Apply.

  7. If you are making these changes to the Local folder, choose File > Save Network Configuration.

Related Topics

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Configure Oracle Advanced Security

Configuring Oracle Advanced Security

Use Oracle Net Manager to configure Oracle Advanced Security. Each Oracle Advanced Security tab page enables you to configure a separate set of parameters. Oracle Advanced Security enables data encryption and integrity checking, enhanced authentication, and single sign-on. Oracle Advanced Security also provides centralized user management on LDAP-compliant directory servers and certificate-based single sign-on; this functionality relies on the Secure Sockets Layer (SSL).

To configure Oracle Advanced Security:

  1. In the navigator pane, expand Oracle Net Configuration > Local > Profile.

  2. From the list in the right pane, select Oracle Advanced Security.

  3. The following tab panels are displayed:

    • Authentication

    • Other Parameters

    • Integrity

    • Encryption

    • SSL

  4. Make your configuration changes.

  5. Choose File > Save Network Configuration.

Your changes are saved to the sqlnet.ora file.

Note: If Oracle Advanced Security is not displayed on the list, then it was not installed.

For more information, see Oracle Advanced Security Administrator's Guide.

Related Topics

Oracle Net Services Overview


Untitled

Posted on 2009-05-28
Configure Oracle Advanced Security Authentication Methods

Configuring Oracle Advanced Security Authentication Methods

Centralized, secure authentication methods allow you to have high confidence in the identity of users, clients, and servers in distributed environments. Network authentication methods can also provide the benefit of single sign-on for users.

Use the Oracle Net Manager to configure the following authentication adapters:

  • Kerberos

  • CyberSafe

  • RADIUS

  • SSL

  • Windows NT native authentication

Note: If you have configured the TCP/IP with SSL protocol, then Secure Sockets Layer (SSL) will be configured by default. Any authentication method you choose in this tab will override authentication features of SSL. See the SSL tab to configure additional SSL options. If you are using the TCP/IP with SSL protocol, do not use any of the other authentication methods.

To configure the authentication methods:

  1. In the navigator pane, expand Oracle Net Configuration > Local > Profile.

  2. From the list in the right pane, select Oracle Advanced Security.

  3. Select the Authentication tab.

  4. From the Available Methods list, select which authentication method you want to use, and then choose the right-arrow button (>).

  5. Order the authentication methods according to which method you want used. Select the authentication method in the Selected Methods list, and use the Promote or Demote button to move the selection up or down in the list.

  6. Choose the Other Params tab to configure additional parameters for the following authentication methods:

    • Kerberos

    • CyberSAFE

    • RADIUS

  7. Choose File > Save Network Configuration.

Related Topics

Oracle Advanced Security: Authentication.

Oracle Net Services Overview

