| Oracle® Database Net Services Reference 11g Release 2 (11.2) Part Number E10835-01 |
|
|
View PDF |
| Oracle® Database Net Services Reference 11g Release 2 (11.2) Part Number E10835-01 |
|
|
View PDF |
This chapter provides complete listing of the sqlnet.ora file configuration parameters.
This chapter includes the following topics:
The sqlnet.ora file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the sqlnet.ora file. These parameters specify whether clients are allowed or denied access based on the protocol.
The sqlnet.ora file enables you to do the following:
Specify the client domain to append to unqualified names
Prioritize naming methods
Enable logging and tracing features
Route connections through specific processes
Configure parameters for external naming
Configure Oracle Advanced Security
Use protocol-specific parameters to restrict access to the database
By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory. The sqlnet.ora file can also be stored in the directory specified by the TNS_ADMIN environment variable.
This section lists and describes the following sqlnet.ora file parameters:
Purpose
To turn signal handling on or off for Linux and UNIX systems.
Default
NO
Values
yes to turn signal handling off
no to leave signal handling on
Example
BEQUEATH_DETACH=yes
Purpose
To specify the session data unit (SDU) size, in bytes to connections.
Usage
Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.
You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.
See Also:
Oracle Database Net Services Administrator's Guide for complete SDU usage and configuration informationDefault
8192 bytes (8 KB)
Values
512 to 32767 bytes
Example
DEFAULT_SDU_SIZE=4096
Purpose
To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.
If turned off, then the parameter enables Oracle Net to send and receive break messages. If turned on, then the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols used by this client.
Default
OFF
Example
DISABLE_OOB=on
See Also:
Operating system-specific documentation to determine if the protocols you are using support urgent data requests. TCP/IP is an example of a protocol that supports this feature.Purpose
To set the domain from which the client most often looks up names resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.
For example, if the default domain is set to us.example.com, then the connect string CONNECT scott@sales gets searched as sales.us.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.us.example.com, then the domain is not appended to the string.
Default
None
Example
NAMES.DEFAULT_DOMAIN=example.com
Purpose
To specify the order of the naming methods used for client name resolution lookups.
Default
NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)
Values
Table 5-1 NAMES.DIRECTORY_PATH Values
| Naming Method Value | Description |
|---|---|
|
|
Set to resolve a net service name through the |
|
|
Set to resolve a database service name, net service name, or net service alias through a directory server. |
|
|
Select to enable clients to use a TCP/IP connect identifier, consisting of a host name and optional port and service name. |
|
|
Example
NAMES.DIRECTORY_PATH=(tnsnames)
Purpose
To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.
Usage
The parameter value is Boolean.
If the parameter is set to TRUE, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.
If the parameter is set to FALSE, then the LDAP connection is established using an anonymous bind.
Default
FALSE
Example
NAMES.LDAP_AUTHENTICATE_BIND=TRUE
Purpose
To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.
Usage
The parameter value is Boolean.
If the parameter is set to TRUE, then the connection to the LDAP server is left open after the name lookup is complete; the connection will effectively stay open for the duration of the process. If the connection is lost, then it will be re-established as needed.
If the parameter is set to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection. This option prevents the LDAP server from having a large number of clients connected to it at any one time.
Default
FALSE
Example
NAMES.LDAP_PERSISTENT_SESSION=TRUE
Purpose
To specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.
Default
sqlnet.maps
Example
NAMES.NIS.META_MAP=sqlnet.maps
Purpose
To specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.See Also:
Oracle Net Services Administrator's Guide for additional information about configuring this parameterDefault
The default value for this parameter is operating system-specific. The default for Linux 2.6 operating system is 87380 bytes.
Usage
You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.
Example
RECV_BUF_SIZE=11784
Purpose
To specify the protocol family or address family constant for the SDP protocol on your system.
Default
27
Values
Any positive integer
Example
SDP.PF_INET_SDP=30
Purpose
To specify a text file containing the banner contents that warn the user about possible user action auditing. The complete path of the text file must be specified in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt
Purpose
To specify a text file containing the banner contents that warn the user about unauthorized access to the database. The complete path of the text file must be specified in the sqlnet.ora file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt
Purpose
To specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring this parameterDefault
The default value for this parameter is operating system-specific. The default for Linux 2.6 operating system is 16 KB.
Usage
You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.
Example
SEND_BUF_SIZE=11784
Purpose
To define the minimum Oracle Database client release that is allowed to attempt connections to Oracle database instances under the control of the given code tree.
If the client release does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040 error.
Allowed Values
11 for Oracle Database 11g authentication protocols (recommended for strongest protection)
10 for Oracle Database 10g authentication protocols
9 for Oracle9i authentication protocols
Note the following implications of setting the value to 11:
To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords.
Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
Default
8
Example
If both Oracle Database 11g and Oracle Database 10g are present, then set the parameter as follows:
SQLNET.ALLOWED_LOGON_VERSION=10
Purpose
To define the name of the service used to obtain a Kerberos service ticket.
Default
None
Example
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
Purpose
To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none or to one of the authentication methods.
Default
None
Note:
When installing the database with Database Configuration Assistant (DBCA), this parameter may be set to
nts in the sqlnet.ora file.Values
Authentication Methods Available with Oracle Net Services:
none for no authentication methods, including Microsoft Windows native operating system authentication. When SQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.
all for all authentication methods.
nts for Microsoft Windows native operating system authentication.
Authentication Methods Available with Oracle Advanced Security:
kerberos5 for Kerberos authentication.
radius for RADIUS authentication.
tcps for SSL authentication.
Example
SQLNET.AUTHENTICATION_SERVICES=(kerberos5)
Purpose
To set a unique identifier for the client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.
Default
None
Example
SQLNET.CLIENT_REGISTRATION=1432
Purpose
To specify the checksum behavior for the client.
Default
accepted
Values
accepted to enable the security service if required or requested by the other side.
rejected to disable the security service, even if the required by the other side.
requested to enable the security service if the other side allows it.
required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted
Purpose
To specify the checksum behavior for the database server.
Default
accepted
Values
accepted to enable the security service if required or requested by the other side.
rejected to disable the security service, even if the required by the other side.
requested to enable the security service if the other side allows it.
required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_SERVER=accepted
Purpose
To specify a list of crypto-checksum algorithms for the client to use.
Default
All available algorithms
Values
md5 for the RSA Data Security MD5 algorithm.
sha1 for the Secure Hash algorithm.
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)
Purpose
To specify a list of crypto-checksum algorithms for the database server to use.
Default
All available algorithms
Values
md5 for the RSA Data Security's MD5 algorithm
sha1 for the Secure Hash algorithm
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)
Purpose
To turn encryption on for the client.
Default
accepted
Values
accepted to enable the security service if required or requested by the other side.
rejected to disable the security service, even if the required by the other side.
requested to enable the security service if the other side allows it.
required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_CLIENT=accepted
Purpose
To turn encryption on for the database server.
Default
accepted
Values
accepted to enable the security service if required or requested by the other side.
rejected to disable the security service, even if the required by the other side.
requested to enable the security service if the other side allows it.
required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_SERVER=accepted
Purpose
To specify a list of encryption algorithms for the client to use.
Default
All available algorithms.
Values
One or more of the following:
3des112 for triple DES with a two-key (112-bit) option
3des168 for triple DES with a three-key (168-bit) option
des for standard 56-bit key size
des40 for 40-bit key size
rc4_40 for 40-bit key size
rc4_56 for 56-bit key size
rc4_128 for 128-bit key size
rc4_256 for 256-bit key size
Example
SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)
Purpose
To specify a list of encryption algorithms for the database server to use.
Default
All available algorithms.
Values
One or more of the following:
3des112 for triple DES with a two-key (112-bit) option
3des168 for triple DES with a three-key (168-bit) option
des for standard 56-bit key size
des40 for 40-bit key size
rc4_40 for 40-bit key size
rc4_56 for 56-bit key size
rc4_128 for 128-bit key size
rc4_256 for 256-bit key size
Example
SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)
Purpose
To specify a time interval, in minutes, to send a check to verify that client/server connections are active. The following usage notes apply to this parameter:
Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination.
If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.
This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.
Limitations on using this terminated connection detection feature are:
It is not allowed on bequeathed connections.
Though very small, a probe packet generates additional traffic that may downgrade network performance.
Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.
Default
0
Minimum Value
0
Recommended Value
10
Example
SQLNET.EXPIRE_TIME=10
Purpose
To specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.
If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.
The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:
Set both parameters to an initial low value.
Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.
For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.
Default
60 seconds
Example
SQLNET.INBOUND_CONNECT_TIMEOUT=3
See Also:
"Control Parameters" for additional information about INBOUND_CONNECT_TIMEOUT_listener_name
Oracle Net Services Administrator's Guide for additional information about configuring these parameters
Purpose
To specify the complete path name to the Kerberos credentials cache file.
Default
/usr/tmp/krbcache on Linux and UNIX operating systems, and c:\tmp\krbcache on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache
Purpose
To specify how many seconds can pass before a Kerberos credential is considered out of date.
Default
300
Example
SQLNET.KERBEROS5_CLOCKSKEW=1200
Purpose
To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.
Default
/krb5/krb.conf on Linux and UNIX operating systems and c:\krb5\krb.conf on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
Purpose
To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.
Default
/etc/v5srvtab on Linux and UNIX operating systems and c:\krb5\v5srvtab on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
Purpose
To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.
Default
/krb5/krb.realms on Linux and UNIX operating systems and c:\krb5\krb.realms on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
Purpose
To specify the time, in seconds, for a client to establish an Oracle Net connection to the database instance.
If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.
The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service.
Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable.
The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.
Default
None
Usage Notes
This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.
Example
SQLNET.OUTBOUND_CONNECT_TIMEOUT=10
Purpose
To specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.
Default
None
Example
SQLNET.RADIUS_ALTERNATE=radius2
Purpose
To specify the listening port of the alternate RADIUS server.
Default
1645
Example
SQLNET.RADIUS_ALTERNATE_PORT=1667
Purpose
To specify the number of times the database server should resend messages to the alternate RADIUS server.
Default
3
Example
SQLNET.RADIUS_ALTERNATE_RETRIES=4
Purpose
To specify the location of the primary RADIUS server, either by its host name or IP address.
Default
Local host
Example
SQLNET.RADIUS_AUTHENETICATION=officeacct
Purpose
To specify the class containing the user interface used to interact with the user.
Default
DefaultRadiusInterface
Example
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
Purpose
Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of the primary RADIUS server.
Default
1645
Example
SQLNET.RADIUS_AUTHENTICATION_PORT= 1667
Purpose
To specify the number of times the database server should resend messages to the primary RADIUS server.
Default
3
Example
SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
Purpose
To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.
Default
5
Example
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10
Purpose
To turn challenge response on or off.
Default
off
Values
on | off
Example
SQLNET.RADIUS_CHALLENGE_RESPONSE=on
Purpose:
To specify the location of the RADIUS secret key.
Default
The ORACLE_HOME/network/security/radius.key file.
Example
SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey
Purpose
To turn accounting on and off. If enabled, then packets are sent to the active RADIUS server at listening port plus one. The default port is 1646.
Default
off
Values
on | off
Example
SQLNET.RADIUS_SEND_ACCOUNTING=on
Purpose
To specify the time, in seconds, for a database server to wait for client data after establishing a connection. A client must send some data within the time interval.
For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If a client does not send any data in time specified, then the database server logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to wait for response data from the database server after connection establishment. Without this parameter, the client may wait a long period of time for a response from a database server saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT parameter.
Default
None
Example
SQLNET.RECV_TIMEOUT=3
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring these parametersPurpose
To specify the time, in seconds, for a database server to complete a send operation to clients after establishing a connection. Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.
If the database server cannot complete a send operation in the time specified, then it logs ORA-12535: TNS:operation timed out and ORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to complete send operations to the database server after connection establishment. Without this parameter, the client may continue to send requests to a database server already saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.RECV_TIMEOUT parameter.
Default
None
Example
SQLNET.SEND_TIMEOUT=3
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring these parametersPurpose
To configure a revocation check for a certificate.
Default
none
Values
none to turn off certificate revocation checking
requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection
required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked. then accept the SSL connection.
Example
SSL_CERT_REVOCATION=required
Purpose
To specify the name of the file where you can assemble the certificate revocation list (CRL) for client authentication.
This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.
Default
None
Example
SSL_CERT_FILE=
Purpose
To specify the destination directory of the CRL of CA. The files in this directory are hashed symbolic links created by Oracle Wallet Manager. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.
Default
None
Example
SSL_CERT_PATH=
Purpose
To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.0).
Default
None
Values
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
Example
SSL_CIPHER_SUITE=(ssl_rsa_with_rc4_138_md5)
See Also:
Oracle Database Advanced Security Administrator's Guide for additional information about cipher suite valuesPurpose
To specify whether a client, in addition to the database server, is authenticated using SSL.
Default
true
Values
true | false
Example
SSL_CLIENT_AUTHENTICATION=true
Purpose
To enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verifications, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless if there is a match. Not enforcing the match allows the server to potentially fake its identify.
Default
no
Values
yes | on | true to specify to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.
no | off | false to specify not to enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.
Usage Notes
In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.
Example
SSL_SERVER_DN_MATCH=yes
Purpose
To force the version of the SSL connection. Clients and database servers must use a compatible version.
Default
undetermined
Values
undetermined | 2.0 | 3.0
Example
SSL_VERSION=2.0
Purpose
To specify the time, in seconds, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server. If a TCP connection to the database host is not established in the time specified, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.
The timeout applies to each IP address to which a host name resolves. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice the TCP.CONNECT_TIMEOUT setting because there are two IP addresses. In this example, the default timeout setting of 60 would cause a timeout in 120 seconds.
Default
60
Example
TCP.CONNECT_TIMEOUT=10
Purpose
To specify which clients are denied access to the database. This parameter does not use wildcards for IP addresses or partial IP addresses.
Syntax
TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Example
TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.168.2.25, 172.30.*, 2001:DB8:200C:417A/32)
Purpose
To specify which clients are allowed access to the database. This parameter does not use wildcards for IP addresses or partial IP addresses. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.
Syntax
TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)
Example
TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.168.2.73)
Purpose
To create a hard failure when host names in the invited or excluded list fail to resolve to an IP address. This ensures a customer's desired configuration is enforced, meaning that valid node checking cannot take place unless the host names are resolvable to IP addresses.
This is important in the context of the TCP.INVITED_NODES parameter, because it requires that every one of the client nodes be listed in the server's sqlnet.invited_nodes list. When one of the clients is decommissioned, and removed from the host name database, it becomes unresolvable, and causes the listener to fail to start.
Note:
In order to use theTCP.VALIDNODE_CHECKING parameter invited nodes, the host name database must be kept in up-to-date with the sqlnet.invited_node list.Default
no
Values
yes | no
Example
TCP.VALIDNODE_CHECKING=yes
Purpose
To preempt delays in buffer flushing within the TCP/IP protocol stack.
Default
yes
Values
yes | no
Example
TCP.NODELAY=yes
Purpose
To specify the destination directory for the TNSPING utility trace file, tnsping.trc.
Default
The ORACLE_HOME/network/trace directory.
Example
TNSPING.TRACE_DIRECTORY=/oracle/traces
Purpose
To turn TNSPING utility tracing on at a specified level or to turn it off.
Default
off
Values
off for no trace output
user for user trace information
admin for administration trace information
support for Oracle Support Services trace information
Example
TNSPING.TRACE_LEVEL=admin
Purpose
To specify client routing to Oracle Connection Manager.
If set to true, then the parameter routes the client to a protocol address for an Oracle Connection Manager.
If set to false, then the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.
If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.
Default
false
Values
true | false
Example
USE_CMAN=true
Purpose
To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. It overrides the current value of the SERVER parameter in the tnsnames.ora file.
If set to on, then the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.
Default
off
Values
on to append (SERVER=dedicated)
off to send requests to existing server processes
Example
USE_DEDICATED_SERVER=on
See Also:
Oracle Database Net Services Administrator's Guide for complete configuration informationPurpose
To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.
Syntax
The syntax depends on the wallet, as follows:
Oracle wallets on the file system:
WALLET_LOCATION=
(SOURCE=
(METHOD=file)
(METHOD_DATA=
(DIRECTORY=directory)
[(PKCS11=TRUE/FALSE)]))
Microsoft certificate store:
WALLET_LOCATION=
(SOURCE=
(METHOD=mcs))
Oracle wallets in the Microsoft Windows registry:
WALLET_LOCATION=
(SOURCE=
(METHOD=reg)
(METHOD_DATA=
(KEY=registry_key)))
Entrust wallets:
WALLET_LOCATION=
(SOURCE=
(METHOD=entr)
(METHOD_DATA=
(PROFILE=file.epf)
(INIFILE=file.ini)))
Additional Parameters
WALLET_LOCATION supports the following parameters:
SOURCE: The type of storage for wallets and storage location.
METHOD: The type of storage.
METHOD_DATA: The storage location.
DIRECTORY: The location of Oracle wallets on file system.
KEY: The wallet type and location in the Microsoft Windows registry.
PROFILE: The Entrust profile file (.epf).
INIFILE: The Entrust initialization file (.ini).
Default
None
Usage Notes
The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.
If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
Values
true | false
Oracle wallets on file system:
WALLET_LOCATION=
(SOURCE=
(METHOD=file)
(METHOD_DATA=
(DIRECTORY=/etc/oracle/wallets/databases)))
Microsoft certificate store:
WALLET_LOCATION=
(SOURCE=
(METHOD=mcs))
Oracle Wallets in the Microsoft Windows registry:
WALLET_LOCATION=
(SOURCE=
(METHOD=REG)
(METHOD_DATA=
(KEY=SALESAPP)))
Entrust Wallets:
WALLET_LOCATION=
(SOURCE=
(METHOD=entr)
(METHOD_DATA=
(PROFILE=/etc/oracle/wallets/test.epf)
(INIFILE=/etc/oracle/wallets/test.ini)))
Purpose
To determine whether the client should override the strong authentication credential with the password credential in the stored wallet to log in to the database.
Usage Notes
When wallets are used for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is turned on so the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.
Wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.
Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.
Middle-tier applications create an Oracle Applications wallet at installation time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.
Values
TRUE | FALSE
Examples
WALLET_OVERRIDE=TRUE
See Also:
In order to use wallets, a wallet must be configured on the client. Refer to Oracle Database Security Guide for additional information about configuring the clients.Beginning with Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.
When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, is immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.
This section describes the parameters used when ADR is enabled. "Non-ADR Diagnostic Parameters in sqlnet.ora" describes the parameters used when ADR is disabled. Non-ADR parameters listed in the sqlnet.ora file are ignored when ADR is enabled. ADR is enabled by default.
This section lists the parameters used when ADR is enabled (when DIAG_ADR_ENABLED is set to on):
Purpose
To specify the base directory into which tracing and logging incidents are stored when ADR is enabled.
Default
The default on the server side is ORACLE_BASE, or ORACLE_HOME/log, if ORACLE_BASE is not defined.
Values
Any valid directory path to a directory with write permission.
Example
ADR_BASE=/oracle/network/trace
See Also:
Oracle Call Interface Programmer's Guide for the default on the client sidePurpose
To specify whether ADR tracing is enabled.
Usage
If the DIAG_ADR_ENABLED parameter is set to OFF, then non-ADR file tracing is used.
Default
on
Values
on | off
Example
DIAG_ADR_ENABLED=on
Purpose
To turn client tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
off or 0 for no trace output
user or 4 for user trace information
admin or 10 for administration trace information
support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_CLIENT=user
Purpose
To turn server tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
off or 0 for no trace output
user or 4 for user trace information
admin or 10 for administration trace information
support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_SERVER=admin
Purpose
To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc. This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_CLIENT=true
Purpose
To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc. This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_SERVER=true
This section lists the parameters used when ADR is disabled.
Notes:
The default value of DIAG_ADR_ENABLED ison. Therefore, the DIAG_ADR_ENABLED parameter must explicitly be set to off in order for non-ADR tracing to be used.Purpose
To specify the destination directory for the client log file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log
Values
Any valid directory path.
Example
LOG_DIRECTORY_CLIENT=/oracle/network/log
Purpose
To specify the destination directory for the database server log file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
LOG_DIRECTORY_SERVER=/oracle/network/trace
Purpose
To specify the name of the log file for the client. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log/sqlnet.log
Values
The default value cannot be changed.
Purpose
To specify the name of the log file for the database server. Use this parameter when ADR is not enabled.
Default
sqlnet.log
Example
LOG_FILE_SERVER=svr.log
Purpose
To specify the destination directory for the client trace file. Use this parameter when ADR is not enabled.
Default
The current working directory.
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_CLIENT=/oracle/traces
Purpose
To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_SERVER=/oracle/traces
Purpose
To specify the name of the client trace file. Use this parameter when ADR is not enabled.
Values
Any valid file name.
Default
ORACLE_HOME/network/trace/cli.trc
Example
TRACE_FILE_CLIENT=clientsqlnet.trc
Purpose
To specify the name of the file to which the execution trace of the server program is written. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/svr_pid.trc
Values
Any valid file name. The pid is appended to the name automatically.
Example
TRACE_FILE_SERVER=svrsqlnet.trc
Purpose
To specify the size of the client trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_CLIENT=100
Purpose
To specify the size of the database server trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_SERVER=100
Purpose
To specify the number of trace files for client tracing. When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_CLIENT=3
Purpose
To specify the number of trace files for database server tracing. When this parameter is set with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_SERVER=3
Purpose
To specify whether a unique trace file is created for each client trace session. When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.
Default
on
Values
on or off
Example
TRACE_UNIQUE_CLIENT=on
|
 Copyright © 2002, 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|