To accept MD5 signed certificates, in addition to sqlnet.ora, this parameter must also be set in listener.ora.

FALSE

• TRUE to accept MD5 signed certificates

• FALSE to not accept MD5 signed certficates

To not accept SHA1 signed certificates, in addition to sqlnet.ora, this parameter must also be set in listener.ora.

TRUE

• TRUE to accept SHA1 signed certificates

• FALSE to not accept SHA1 signed certificates

If the server wants to accept SSL_VERSION=3.0 in its default list of SSL_VERSIONs, then in addition to sqlnet.ora, this parameter must also be set in listener.ora.

FALSE

• If set to TRUE and SSL_VERSION is not specified or is set to "undetermined", then SSL_VERSION includes versions 1.2, 1.1, 1.0, and 3.0.

• If set to FALSE and SSL_VERSION is not specified or is set to "undetermined", then SSL_VERSION includes versions 1.2, 1.1, and 1.0

DISABLE_OOB is a networking parameter of the sqlnet.ora file and is used to enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.

The DISABLE_OOB_AUTO networking parameter of the sqlnet.ora file checks the server path for out-of-band break messages support at the connection time.

To set the domain from which the client most often looks up names resolution requests.

When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.

For example, if the default domain is set to us.example.com, then the connect string CONNECT scott@sales gets searched as sales.us.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.us.example.com, then the domain is not appended to the string.

None

NAMES.DEFAULT_DOMAIN=example.com

To specify the order of the naming methods used for client name resolution lookups.

NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)

The following table shows the NAMES.DIRECTORY_PATH values for the naming methods.

NAMES.DIRECTORY_PATH=(tnsnames)

To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.

The parameter value is Boolean.

If the parameter is set to TRUE, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.

If the parameter is set to FALSE, then the LDAP connection is established using an anonymous bind.

false

NAMES.LDAP_AUTHENTICATE_BIND=true

To specify number of seconds for a non-blocking connect timeout to the LDAP server.

The parameter value -1 is for infinite timeout.

15 seconds

Values are in seconds. The range is -1 to the number of seconds acceptable for your environment. There is no upper limit.

names.ldap_conn_timeout = -1

To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.

The parameter value is Boolean.

If the parameter is set to TRUE, then the connection to the LDAP server is left open after the name lookup is complete. The connection will effectively stay open for the duration of the process. If the connection is lost, then it is re-established as needed.

If the parameter is set to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection. This option prevents the LDAP server from having a large number of clients connected to it at any one time.

false

NAMES.LDAP_PERSISTENT_SESSION=true

To specify the map file to be used to map Network Information Service (NIS) attributes to an NIS mapname.

sqlnet.maps

NAMES.NIS.META_MAP=sqlnet.maps

To specify the buffer space limit for receive operations of sessions.

You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.

This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

The default value for this parameter is operating system specific. The default for Linux 2.6 operating system is 87380 bytes.

RECV_BUF_SIZE=11784

To specify the protocol family or address family constant for the SDP protocol on your system.

27

Any positive integer

SDP.PF_INET_SDP=30

To specify a text file containing the banner contents that warn the user about possible user action auditing.

The complete path of the text file must be specified in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user.

None

Name of the file for which the database owner has read permissions.

SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt

To specify a text file containing the banner contents that warn the user about unauthorized access to the database.

The complete path of the text file must be specified in the sqlnet.ora file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user.

None

Name of the file for which the database owner has read permissions.

SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt

To specify the buffer space limit for send operations of sessions.

You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.

This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

The default value for this parameter is operating system specific. The default for Linux 2.6 operating system is 16 KB.

SEND_BUF_SIZE=11784

Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO to configure your client-side network connection by reviewing the specified encryption and crypto-checksum algorithms.

SQLNET.ALLOW_WEAK_CRYPTO = FALSE

Use the sqlnet.ora compatibility parameter SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS to configure your server-side network connection by reviewing the specified encryption and crypto-checksum algorithms.

SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS = FALSE

To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error.

• 12a for Oracle Database 12c Release 1 (12.1.0.2) or later (strongest protection)

  Note:

  Using this setting, the clients can only authenticate using a de-optimized password version. For example, the 12C password version.

• 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (stronger protection)

  Note:

  Using this setting, the clients can only authenticate using a password hash value that uses salt. For example, the 11G or 12C password versions.

• 11 for Oracle Database 11g authentication protocols (default)

• 10 for Oracle Database 10g authentication protocols

• 8 for Oracle8i authentication protocol

11

If an Oracle Database 12c database hosts a database link to an Oracle Database 10g database, then the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter should be set as follows in order for the database link connection to proceed:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

To set the minimum authentication protocol allowed when connecting to Oracle Database instances.

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

The authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error if the client does not have the ability listed in the "Ability Required of the Client" column corresponding to the row matching the value of the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter in Table 1.

A setting of 8 permits all password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G, 11G, and 12C.

A setting of 12a permits only the 12C password version.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. Whether a client can authenticate to a specific account depends on both the server's setting of its SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter, as well as on the password versions which exist for the specified account. The list of password versions can be seen in DBA_USERS.PASSWORD_VERSIONS.

Note the following implications of setting the value to 12 or 12a:

• A value of FALSE for the SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter must not be used because password case insensitivity requires the use of the 10G password version. If the SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter is set to FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter enables or disables password case sensitivity. However, since Exclusive mode is enabled by default in this release, disabling the password case sensitivity is not supported.

  Note:

  • The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 to ensure that passwords are treated in a case-sensitive fashion.

  • Disabling password case sensitivity is not supported in Exclusive mode (when SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 or 12a.)

• Releases of OCI clients earlier than Oracle Database 10g cannot authenticate to the Oracle database using password-based authentication.

• If the client uses Oracle Database 10g, then the client will receive an ORA-03134: Connections to this server version are no longer supported error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

Note the following implication of setting the value to 12a:

• To take advantage of the new 12C password version introduced in Oracle Database release 12.2, user passwords should be expired to encourage users to change their passwords and cause the new 12C password version to be generated for their account. By default in this release, new passwords are treated in a case-sensitive fashion. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed, and the new 12C password version is generated.

• When an account password is changed, the earlier 10G case-insensitive password version and the 11G password version are both automatically removed.

• JDBC Thin Client Support:

  In Oracle Database release 12.1.0.2 and later, if you set the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12a and you create a new account or change the password of an existing account, then only the new 12C password version is generated. The 12C password version is based on a SHA-2 (Secure Hash Algorithm) SHA-512 salted cryptographic hash deoptimized using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm. When the database server is running with ALLOWED_LOGON_VERSION_SERVER set to 12a, it is running in Exclusive Mode. In this mode, to log in using a JDBC client, the JRE version must be at least version 8. The JDBC client enables its O7L_MR capability flag only when it is running with at least version 8 of the JRE.

  Note:

  Check the PASSWORD_VERSIONS column of the DBA_USERS catalog view to see the list of password versions for any given account.

  If you set the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to 12, the server runs in Exclusive Mode and only the 11G and 12C password versions (the SHA-1 and PBKDF2 SHA-2 based hashes of the password, respectively) are generated and allowed to be used. In such cases, fully-patched JDBC clients having the CPUOct2012 patch can connect because these JDBC clients provide the O5L_NP client ability.

  Older JDBC clients which do not have the CPUOct2012 containing the fix for the stealth password cracking vulnerability CVE-2012-3132, do not provide the O5L_NP client ability. Therefore, ensure that all the JDBC clients are patched properly.

The client must support certain abilities of the authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

• O7L_MR: The ability to perform the Oracle Database 10g authentication protocol using the 12C password version. For JDBC clients, only those running on at least JRE version 8 offer the O7L_MR capability.

• O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.

• O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.

• O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.

• O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.

An ability which appears higher in the above list is more recent and secure than an ability which appears lower in the list. Clients that are more recent have all the capabilities of the older clients.

• 12a for Oracle Database 12c release 12.1.0.2 or later authentication protocols (strongest protection)

• 12 for Oracle Database 12c release 12.1 authentication protocols (default and recommended value)

• 11 for Oracle Database 11g authentication protocols

• 10 for Oracle Database 10g authentication protocols

• 9 for Oracle9i Database authentication protocol

• 8 for Oracle8i Database authentication protocol

12

SQLNET.ALLOWED_LOGON_VERSION_SERVER=12

To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none or to one of the listed authentication methods.

When using the SQLNET.AUTHENTICATION_SERVICES value all, the server attempts to authenticate using each of the following methods. The server falls back to the ones lower on the list if the ones higher on the list were unsuccessful.

• Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.

• Authentication based on the operating system user's membership in an administrative operating system group. Group names are platform-specific. This authentication is applicable to administrative connections only.

• Authentication performed by the database.

• Authentication based on credentials stored in a directory server.

Operating system authentication allows access to the database using any user name and any password when an administrative connection is attempted, such as using the AS SYSDBA clause when connecting using SQL*Plus. An example of a connection is as follows.

sqlplus ignored_username/ignored_password AS SYSDBA

When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because the user name and password are ignored by the server due to checking the group membership first.

all

Authentication methods available with Oracle Net Services:

• none for no authentication methods, including Microsoft Windows native operating system authentication. When SQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.

• all for all authentication methods.

• beq for native operating system authentication for operating systems other than Microsoft Windows

• kerberos5 for Kerberos authentication

• nts for Microsoft Windows native operating system authentication

• radius for Remote Authentication Dial-In User Service (RADIUS) authentication

• tcps for SSL authentication

SQLNET.AUTHENTICATION_SERVICES=(kerberos5)

To set a unique identifier for the client computer.

This identifier is passed to the listener with any connection request, and is included in the audit trail. The identifier can be any alphanumeric string up to 128 characters long.

None

SQLNET.CLIENT_REGISTRATION=1432

To enable or disable data compression. If both the server and client have this parameter set to ON, then compression is used for the connection.

off

• on to enable data compression.

• off to disable data compression.

SQLNET.COMPRESSION=on

To specify the compression level.

The compression levels are used at time of negotiation to verify which levels are used at both ends, and to select one level.

For Database Resident Connection Pooling (DRCP), only the compression level low is supported.

low

• low to use low CPU usage and low compression ratio.

• high to use high CPU usage and high compression ratio.

SQLNET.COMPRESSION_LEVELS=(high)

To specify the minimum data size, in bytes, for which compression is needed.

Compression is not be done if the size of the data to be sent is less than this value.

1024 bytes

SQLNET.COMPRESSION_THRESHOLD=1024

To specify the checksum behavior for the client.

accepted

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted

To specify the checksum behavior for the database server.

accepted

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.CRYPTO_CHECKSUM_SERVER=accepted

To specify a list of crypto-checksum algorithms for the client to use.

All available algorithms

• MD5 for the RSA Data Security MD5 algorithm.

  The MD5 algorithm is deprecated in this release. To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.

• SHA1 for the Secure Hash Algorithm.

• SHA256 for SHA-2 uses 256 bits with the hashing algorithm.

• SHA384 for SHA-2 uses 384 bits with the hashing algorithm.

• SHA512 for SHA-2 uses 512 bits with the hashing algorithm.

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256, MD5)

To specify a list of crypto-checksum algorithms for the database server to use.

All available algorithms

• MD5 for the RSA Data Security's MD5 algorithm

  The MD5 algorithm is deprecated in this release. To transition your Oracle Database environment to use stronger algorithms, download and install the patch described in My Oracle Support note 2118136.2.

• SHA1 for the Secure Hash algorithm.

• SHA256 for SHA-2 uses 256 bits with the hashing algorithm.

• SHA384 for SHA-2 uses 384 bits with the hashing algorithm.

• SHA512 for SHA-2 uses 512 bits with the hashing algorithm.

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256, MD5)

To provide Oracle Database Firewall public keys to Advanced Security Option (ASO) by specifying the file that stores the Oracle Database Firewall public keys.

None

Full path name of the operating system file that has the public keys.

SQLNET.DBFW_PUBLIC_KEY="/path_to_file/dbfw_public_key_file.txt"

To specify the amount of time in seconds that information about the down state of server hosts is kept in client process cache.

Clients discover the down state of server hosts when attempting connections. When a connection attempt fails, the information about the down state of the server host is added to the client process cache. Subsequent connection attempts by the same client process move the down hosts to the end of the address list, thereby reducing the priority of such hosts. When the time specified by the SQLNET.DOWN_HOSTS_TIMEOUT parameter has passed, the host is purged from the process cache, and its priority in the address list is restored.

600 seconds (10 minutes)

Any positive integer

SQLNET.DOWN_HOSTS_TIMEOUT=60

The SQLNET.ENCRYPTION_CLIENT networking parameter turns encryption on for the client.

To turn encryption on for the client. Setting the tnsnames.ora parameter IGNORE_ANO_ENCRYPTION_FOR_TCPS to TRUE disables SQLNET.ENCRYPTION_CLIENT.

accepted

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.ENCRYPTION_CLIENT=accepted

The SQLNET.ENCRYPTION_SERVER networking parameter turns encryption on for the database server.

To turn encryption on for the database server. Setting SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS to FALSE disables SQLNET.ENCRYPTION_SERVER.

accepted

• accepted to enable the security service if required or requested by the other side.

• rejected to disable the security service, even if required by the other side.

• requested to enable the security service if the other side allows it.

• required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.ENCRYPTION_SERVER=accepted

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_CLIENT to list encryption algorithms for clients to use.

SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)

Use the sqlnet.ora parameter SQLNET.ENCRYPTION_TYPES_SERVER to list the encryption algorithms for the database to use.

SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, ...)

To specify a time interval, in minutes, to send a check to verify that client/server connections are active.

Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination. If the system supports TCP keepalive tuning, then Oracle Net Services automatically uses the enhanced detection model, and tunes the TCP keepalive parameters

If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.

This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.

Limitations on using this terminated connection detection feature are:

• It is not allowed on bequeathed connections.

• Though very small, a probe packet generates additional traffic that may downgrade network performance.

• Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.

0

0

10

SQLNET.EXPIRE_TIME=10

The SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS parameter is used on the server-side to ignore the value set in SQLNET.ENCRYPTION_SERVER for TCPS connections (effectively disabling ANO encryption on the TCPS listener).

To specify the time, in ms, sec, or min, for a client to connect with the database server and provide the necessary authentication information.

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:

• Set both parameters to an initial low value.

• Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

It accepts different timeouts with or without space between the value and the unit. In case, no unit is mentioned, the default unit is sec. For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.

60 seconds

SQLNET.INBOUND_CONNECT_TIMEOUT=3ms

To specify whether password-based authentication is going to be attempted if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.

FALSE

SQLNET.FALLBACK_AUTHENTICATION=TRUE

Use the sqlnet.ora parameter SQLNET.KERBEROS5_CC_NAME to specify the complete path name to the Kerberos credentials cache file.

To specify the complete path name to the Kerberos credentials cache file.

The MSLSA option specifies that the file is on Microsoft Windows and is running Microsoft KDC.

The OS_MEMORY option specifies that an operating system-managed memory credential is used for the credential cache file. This option is supported for all operating systems with such a feature.

/usr/tmp/krbcache on Linux and UNIX operating systems

c:\tmp\krbcache on Microsoft Windows operating systems

SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache

SQLNET.KERBEROS5_CC_NAME=MSLSA

SQLNET.KERBEROS5_CC_NAME=OS_MEMORY

To specify how many seconds can pass before a Kerberos credential is considered out of date.

300

SQLNET.KERBEROS5_CLOCKSKEW=1200

To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts.

The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.

The AUTO_DISCOVER option allows the automatic discovery of KDC and realms. It is the default configuration for Kerberos clients. If there are multiple realms to be specified, then Oracle recommends creating configuration files instead of using the AUTO_DISCOVER option. This option is supported for all operating systems with such a feature.

/krb5/krb.conf on Linux and UNIX operating systems

c:\krb5\krb.conf on Microsoft Windows operating systems

• Directory path to krb.conf file

• AUTO_DISCOVER

SQLNET.KERBEROS5_CONF=/krb5/krb.conf

To specify the directory for the Kerberos configuration file. The parameter also specifies the file is created by the system, and not by the client.

The configuration file uses DNS lookup to obtain the realm for the default KDC, and maps realms to the KDC hosts. This option is supported for all operating systems with such a feature.

/krb5 on Linux and UNIX operating systems

c:\krb5 on Microsoft Windows operating systems

SQLNET.KERBEROS5_CONF_LOCATION=/krb5

To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.

/etc/v5srvtab on Linux and UNIX operating systems

c:\krb5\v5srvtab on Microsoft Windows operating systems

SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.

/krb5/krb.realms on Linux and UNIX operating systems

c:\krb5\krb.realms on Microsoft Windows operating systems

SQLNET.KERBEROS5_REALMS=/krb5/krb.realms

To specify replay cache is stored in operating system-managed memory on the server, and that file-based replay cache is not used.

The OS_MEMORY option specifies the replay cache is stored in operating system-managed memory on the server, and file-based replay cache is not used.

SQLNET_KERBEROS5_REPLAY_CACHE=OS_MEMORY

To specify the time, in ms, sec, or min, for a client to establish an Oracle Net connection to the database instance.

If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service. It accepts different timeouts with or without space between the value and the unit.

Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable. In case, no unit is mentioned, the default unit is sec.

The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.

This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.

None

SQLNET.OUTBOUND_CONNECT_TIMEOUT=10 ms

To specify an alternate RADIUS server to use in case the primary server is unavailable.

The value can be either the IP address or host name of the server.

None

SQLNET.RADIUS_ALTERNATE=radius2

To specify the listening port of the alternate RADIUS server.

1645

SQLNET.RADIUS_ALTERNATE_PORT=1667

To specify the number of times the database server should resend messages to the alternate RADIUS server.

3

SQLNET.RADIUS_ALTERNATE_RETRIES=4

To specify the location of the primary RADIUS server, either by its host name or IP address.

Local host

SQLNET.RADIUS_AUTHENETICATION=officeacct

To specify the class containing the user interface used to interact with the user.

DefaultRadiusInterface

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

To specify the listening port of the primary RADIUS server.

1645

SQLNET.RADIUS_AUTHENTICATION_PORT=1667

To specify the number of times the database server should resend messages to the primary RADIUS server.

3

SQLNET.RADIUS_AUTHENTICATION_RETRIES=4

To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.

5

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10

To turn challenge response on or off.

off

on | off

SQLNET.RADIUS_CHALLENGE_RESPONSE=on

To specify the location of the RADIUS secret key.

The ORACLE_HOME/network/security/radius.key file.

SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey

To turn accounting on and off. If enabled, then packets are sent to the active RADIUS server at listening port plus one.

The default port is 1646.

off

on | off

SQLNET.RADIUS_SEND_ACCOUNTING=on

Use the sqlnet.ora parameter SQLNET.RECV_TIMEOUT to specify the duration of time that a database client or server should wait for data from a peer after establishing a connection.

SQLNET.RECV_TIMEOUT=10ms

To specify the time, in ms, sec, or min , for a database server to complete a send operation to clients after establishing a connection.

Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.

If the database server cannot complete a send operation in the time specified, then it logs ORA-12535: TNS:operation timed out and ORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.

You can also set this parameter on the client-side to specify the time, in ms, sec, or min , for a client to complete send operations to the database server after connection establishment. It accepts different timeouts with or without space between the value and the unit. In case, no unit is mentioned, the default unit is sec.Without this parameter, the client may continue to send requests to a database server already saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.RECV_TIMEOUT parameter.

None

SQLNET.SEND_TIMEOUT=3 ms

SQLNET.URI networking parameter of the sqlnet.ora file specifies a database client URI mapping on the web server.

OracleMetaLink note 340559.1.

To determine whether the client should override the strong authentication credential with the password credential in the stored wallet to log in to the database.

When wallets are used for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is turned on so the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.

Wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.

Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.

Middle-tier applications create an Oracle Applications wallet at installation time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.

true | false

SQLNET.WALLET_OVERRIDE=true

To configure a revocation check for a certificate.

none

• none disables certificate revocation status checking. This is the default value.

  Note:

  Oracle recommends that you do not set the SSL_CERT_REVOCATION parameter to none because this removes a critical component in certificate-based authentication. Without certificate revocation status checking, you cannot protect against stolen certificates that are used for authentication. Set the none value only in cases where mitigating controls safeguard the use of certificates for authentication, such as network access control lists or Oracle Database Vault policies that limit the database connection to trusted clients.

• requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

• required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.

SSL_CERT_REVOCATION=required

To specify the name of the file where you can assemble the CRL for client authentication.

This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CERT_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

None

SSL_CRL_FILE=

To specify the destination directory of the CRL of CA.

The files in this directory are hashed symbolic links created by Oracle Wallet Manager.

This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.

None

SSL_CRL_PATH=

To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.0).

None

• SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

• SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

• SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

• SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

• SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

• SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

• SSL_RSA_WITH_AES_128_CBC_SHA256

• SSL_RSA_WITH_AES_128_GCM_SHA256

• SSL_RSA_WITH_AES_128_CBC_SHA

• SSL_RSA_WITH_AES_256_CBC_SHA

• SSL_RSA_WITH_AES_256_CBC_SHA256

• SSL_RSA_WITH_AES_256_GCM_SHA384

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

• SSL_DH_anon_WITH_RC4_128_MD5

SSL_CIPHER_SUITES=(ssl_rsa_with_aes_128_cbc_sha256)

To specify the purpose of the key in the certificate.

When this parameter is specified, the certificate with the matching extended key is used.

client authentication

SSL_EXTENDED_KEY_USAGE="client authentication"

To enforce server-side certification validation through distinguished name (DN) matching.

If you enforce the DN matching, in addition to verifying the server's certificate chain, the client performs another check through DN matching. There are two flavors of DN matching. Partial DN matching happens if the server's CN contains its host name. Complete DN matching happens against the server's complete DN. Not enforcing the match allows the server to potentially fake its identity. This parameter must be set to TRUE to do both full or partial DN matching

In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable full DN matching.

no

• yes | on | true to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.

• no | off | false to not enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.

SSL_SERVER_DN_MATCH=yes

1.2

undetermined | 3.0 | 1.0| 1.1 | 1.2

If you want to specify one version or another version, then use “or”. The following values are permitted:

1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 |
1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 |1.2 or 1.1 or 1.0 or 3.0

SSL_VERSION=1.2

The remaining version numbers correspond to the TLS versions, such as, TLSv1.0, TLSv1.1, and TLSv1.2.

To specify the time, in ms, sec, or min, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server.

If a TCP connection to the database host is not established in the specified time, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The timeout applies to each IP address that resolves to a host name. It accepts different timeouts with or without space between the value and the unit. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out twice because there are two IP addresses. In this example, the default timeout setting of 60 causes a timeout in 120 seconds. In case, no unit is mentioned, the default unit is sec.

60

TCP.CONNECT_TIMEOUT=10 ms

To specify which clients are denied access to the database.

This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.

This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.

TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address, ...)

TCP.EXCLUDED_NODES=(finance.us.example.com, mktg.us.example.com, 192.0.2.25,
 172.30.*, 2001:DB8:200C:417A/32)

To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.

TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address, ...)

• This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.

• This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.

TCP.INVITED_NODES=(sales.us.example.com, hr.us.example.com, 192.0.*,
 2001:DB8:200C:433B/32)

To preempt delays in buffer flushing within the TCP/IP protocol stack.

yes

yes | no

TCP.NODELAY=yes

To configure the maximum length of the queue for pending connections on a TCP listening socket.

System-defined maximum value. The defined maximum value for Linux is 128.

Any integer value up to the system-defined maximum.

TCP.QUEUESIZE=100

To enable and disable valid node checking for incoming connections.

If this parameter is set to yes, then incoming connections are allowed only if they originate from a node that conforms to list specified by TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.

The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when the TCP.VALIDNODE_CHECKING parameter is set to yes.

This parameter and the depending parameters, TCP.INVITED_NODES and TCP.EXCLUDED_NODES must be set in the sqlnet.ora file of the listener. This is important in an Oracle RAC environment where the listener runs out of the Oracle Grid Infrastructure home. Setting the parameter in the database home does not have any effect in Oracle RAC environments. In such environments, the address of all Single Client Access Name (SCANs), Virtual IPs (VIPs), local IP must be included in the TCP.INVITED_NODES list.

In VLAN environments, the sqlnet.ora file present in the Oracle Grid Infrastructure home should include all the addresses of all the VLANs. The VLANs perform the network segregation, whereas the INVITED_NODES allows or restricts access to databases within the VLANs.

If multiple databases within the same VLAN require different INVITED_NODE lists, then separate listeners are required.

no

yes | no

TCP.VALIDNODE_CHECKING=yes

To specify the destination directory for the TNSPING utility trace file, tnsping.trc.

The ORACLE_HOME/network/trace directory.

TNSPING.TRACE_DIRECTORY=/oracle/traces

To turn TNSPING utility tracing on at a specified level or to turn it off.

off

• off for no trace output

• user for user trace information

• admin for administration trace information

• support for Oracle Support Services trace information

TNSPING.TRACE_LEVEL=admin

To specify client routing to Oracle Connection Manager.

If set to true, then the parameter routes the client to a protocol address for Oracle Connection Manager.

If set to false, then the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.

If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.

false

true | false

USE_CMAN=true

To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client.

It overrides the current value of the SERVER parameter in the tnsnames.ora file.

If set to on, then the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.

off

• on to append (SERVER=dedicated)

• off to send requests to existing server processes

USE_DEDICATED_SERVER=on

To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.

The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.

If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the encrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the decrypted wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.

The syntax depends on the wallet, as follows:

• Oracle wallets on the file system:

  WALLET_LOCATION=
    (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
         (DIRECTORY=directory)
         [(PKCS11=TRUE/FALSE)]))
  

• Microsoft certificate store:

  WALLET_LOCATION=
    (SOURCE=
       (METHOD=mcs))
  

• Oracle wallets in the Microsoft Windows registry:

  WALLET_LOCATION=
     (SOURCE=
        (METHOD=reg)
        (METHOD_DATA=
           (KEY=registry_key)))
  

• Entrust wallets:

  WALLET_LOCATION=
     (SOURCE=
        (METHOD=entr)
        (METHOD_DATA=
           (PROFILE=file.epf)
           (INIFILE=file.ini)))

WALLET_LOCATION supports the following parameters:

• SOURCE: The type of storage for wallets, and storage location.

• METHOD: The type of storage.

• METHOD_DATA: The storage location.

• DIRECTORY: The location of Oracle wallets on file system.

• KEY: The wallet type and location in the Microsoft Windows registry.

• PROFILE: The Entrust profile file (.epf).

• INIFILE: The Entrust initialization file (.ini).

None

true | false

Oracle wallets on file system:

WALLET_LOCATION=  
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=  
         (DIRECTORY=/etc/oracle/wallets/databases)))

Microsoft certificate store:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=mcs))
   

Oracle Wallets in the Microsoft Windows registry:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=REG)
     (METHOD_DATA=
        (KEY=SALESAPP)))

Entrust Wallets:

WALLET_LOCATION=
   (SOURCE=
     (METHOD=entr)
     (METHOD_DATA=
       (PROFILE=/etc/oracle/wallets/test.epf)
       (INIFILE=/etc/oracle/wallets/test.ini)))

It ix a sqlnet.ora networking parameter handling signals for Linux and UNIX systems.

You can use ADR diagnostic parameters when ADR is enabled. ADR is enabled by default. Non-ADR parameters listed in the sqlnet.ora file are ignored when ADR is enabled.

Since Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.

When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, are immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.

The following sqlnet.ora parameters are used when ADR is enabled (when DIAG_ADR_ENABLED is set to on):

It is a diagnostic parameter in the sqlnet.ora file and it specifies the base location of the ADR files.

DIAG_ADR_ENABLED diagnostic parameter of the sqlnet.ora file specifies whether ADR tracing is enabled.

The TRACE_LEVEL_CLIENT diagnostic parameter of the sqlnet.ora file turns client tracing on or off at a specified level.

To turn client tracing on at a specified level or to turn it off.

This parameter is also applicable when non-ADR tracing is used.

off or 0

• off or 0 for no trace output

• user or 4 for user trace information

• admin or 10 for administration trace information

• support or 16 for Oracle Support Services trace information

TRACE_LEVEL_CLIENT=user

The TRACE_LEVEL_SERVER diagnostic parameter of the sqlnet.ora file turns server tracing on or off at a specified level.

To turn server tracing on at a specified level or to turn it off.

This parameter is also applicable when non-ADR tracing is used.

off or 0

• off or 0 for no trace output

• user or 4 for user trace information

• admin or 10 for administration trace information

• support or 16 for Oracle Support Services trace information

TRACE_LEVEL_SERVER=admin

The TRACE_TIMESTAMP_CLIENT diagnostic parameter of the sqlnet.ora file adds a time stamp to every trace event in the client trace file.

To add a time stamp in the form of dd-mmm-yyyy hh:mm:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc.

This parameter is also applicable when non-ADR tracing is used.

on

on or true | off or false

TRACE_TIMESTAMP_CLIENT=true

The TRACE_TIMESTAMP_CLIENT diagnostic parameter of the sqlnet.ora file adds a time stamp to every trace event in the database server trace file.

TRACE_TIMESTAMP_SERVER=true

The LOG_DIRECTORY_CLIENT non-ADR diagnostic parameter of the sqlnet.ora file specifies the destination directory for the client log file.

ORACLE_HOME/network/log

LOG_DIRECTORY_CLIENT=/oracle/network/log

To specify the destination directory for the database server log file.

Use this parameter when ADR is not enabled.

ORACLE_HOME/network/trace

Any valid directory path to a directory with write permission.

LOG_DIRECTORY_SERVER=/oracle/network/trace

To specify the name of the log file for the client.

Use this parameter when ADR is not enabled.

ORACLE_HOME/network/log/sqlnet.log

The default value cannot be changed.

To specify the name of the log file for the database server.

Use this parameter when ADR is not enabled.

sqlnet.log

Any valid directory path to a directory with write permission.

LOG_FILE_SERVER=svr.log

To specify the destination directory for the client trace file.

Use this parameter when ADR is not enabled.

ORACLE_HOME/network/trace

Any valid directory path to a directory with write permission.

TRACE_DIRECTORY_CLIENT=/oracle/traces

To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.

 ORACLE_HOME/network/trace

Any valid directory path to a directory with write permission.

TRACE_DIRECTORY_SERVER=/oracle/traces

To specify the name of the client trace file.

Use this parameter when ADR is not enabled.

ORACLE_HOME/network/trace/cli.trc

Any valid file name.

TRACE_FILE_CLIENT=clientsqlnet.trc

To specify the destination directory for the database server trace output.

Use this parameter when ADR is not enabled.

ORACLE_HOME/network/trace/svr_pid.trc

Any valid file name. The process identifier (pid) is appended to the name automatically.

TRACE_FILE_SERVER=svrsqlnet.trc

To specify the size of the client trace files in kilobytes (KB).

When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.

TRACE_FILELEN_CLIENT=100

To specify the size of the database server trace files in kilobytes (KB).

When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.

TRACE_FILELEN_SERVER=100

To specify the number of trace files for client tracing.

When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.

When this parameter is set with theTRACE_FILEAGE_CLIENT parameter, trace files are cycled based on their age. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used, and so on.

When this parameter is set with both the TRACE_FILELEN_CLIENT and TRACE_FILEAGE_CLIENT parameters, trace files are cycled when either the size limit or the age limit is reached.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

None

TRACE_FILENO_CLIENT=3

To specify the number of trace files for database server tracing.

When this parameter is set with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, then the first file is re-used, and so on.

When this parameter is set with theTRACE_FILEAGE_SERVER parameter, trace files are cycled based on the age of the trace file. The first file is used until the age limit is reached, then the second file is used, and so on. When the last file's age limit is reached, the first file is re-used, and so on.

When this parameter is set with both the TRACE_FILELEN_SERVER and TRACE_FILEAGE_SERVER parameters, trace files are cycled when either the size limit or the age limit is reached.

The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.

In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.

None

TRACE_FILENO_SERVER=3

To specify whether a unique trace file is created for each client trace session.

When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.

on

on or off

TRACE_UNIQUE_CLIENT=on