Oracle Advanced Networking Option Administrator's Guide
The following sections describe the parameters you need to configure for servers and clients.
(ADDRESS=
  (PROTOCOL=DCE)
  (SERVER_PRINCIPAL=server_name)
  (CELL_NAME=cell_name)
  (SERVICE=dce_service_name))
where:
PROTOCOL is a mandatory field that identifies the DCE RPC protocol.
SERVER_PRINCIPAL is a mandatory field for the server and an optional field for the client. The server authenticates itself to DCE as this principal. This field is mandatory in LISTENER.ORA and specifies the principal the listener will start under. This field is optional in TNSNAMES.ORA and specifies the principal of the server the client must connect to. If it is not specified, one-way authentication is used: the client authenticates itself to the server, but does not check what principal the server is running under, so it has no assurance that the server it reached is the intended one. Specify SERVER_PRINCIPAL in TNSNAMES.ORA wherever the client must authenticate the server.
CELL_NAME is an optional parameter. If present, it specifies the DCE cell name of the database. If this parameter is not set, the cell name defaults to the local cell (useful for single-cell environments). Optionally, the SERVICE parameter (described below) may specify the complete path (including the cell name) to the service, making this parameter unnecessary.
SERVICE is a mandatory field for both server and client. For the server, this is the service registered with CDS. For the client, this is the service name used when querying CDS for the location of the Oracle DCE servers. The default directory for storing service names in CDS is /.../cell_name/subsys/oracle/service_registry. This service name can fully specify the path in CDS.
You can specify a service as:
SERVICE=/.../cell_name/subsys/oracle/service_registry/dce_service_name
or it can be specified as SERVICE=dce_service_name provided that CELL_NAME=cell_name is also specified.
A third option is to specify SERVICE=dce_service_name and the cell name defaults to the local cell. However, this third way of specifying service names only works well if you are working within a single cell.
Note: The dce_service_name in the service field may or may not be the same as the service name used by SQL*Net. The service name used by SQL*Net is mapped to the connect descriptor in TNSNAMES.ORA. The dce_service_name is part of the address within the connect descriptor.
Note: In this DCE Integration release, the configuration files LISTENER.ORA, SQLNET.ORA, TNSNAMES.ORA, and PROTOCOL.ORA are located in the $ORACLE_HOME/network/admin directory. The INIT<SID>.ORA file is located in the $ORACLE_HOME/dbs directory.
With the exception of PROTOCOL.ORA, the necessary configuration files should be created and maintained with Oracle Network Manager. PROTOCOL.ORA must be created manually. For detailed information on creating the configuration files, see the Oracle Network Manager Administrator's Guide and for explanations of the configuration files, see Understanding SQL*Net.
The SERVER_PRINCIPAL parameter designates what DCE principal the listener should be running under. In the sample below, the listener is running under principal "oracle".
LSNR_DCE=
  (ADDRESS=
    (PROTOCOL=DCE)
    (SERVER_PRINCIPAL=oracle)
    (CELL_NAME=cell1)
    (SERVICE=dce_svc))
SID_LIST_LSNR_DCE=
  (SID_DESC=
    (SID_NAME=ORASID)
    (ORACLE_HOME=/private/oracle7))
Refer to Oracle7 Server Distributed Systems, Volume I for more information on external authentication.
To enable secure external authentication, set the following parameters in INIT<SID>.ORA (the mts_dispatchers entry starts three multi-threaded server dispatchers for the DCE protocol):
REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""
mts_dispatchers="dce, 3"
Then create an externally identified Oracle account named after the DCE principal and grant it CREATE SESSION. In general form:
sqldba> create user SERVER_PRINCIPAL identified externally;
sqldba> grant create session to SERVER_PRINCIPAL;
For example, for the principal "oracle":
sqldba> create user oracle identified externally;
sqldba> grant create session to oracle;
For connections across cells, qualify the account name with the cell name:
sqldba> create user "CELL_NAME/SERVER_PRINCIPAL" identified externally;
sqldba> grant create session to "CELL_NAME/SERVER_PRINCIPAL";
Attention: You must enclose the externally identified account name in double quotes because the slash is a reserved character. A double-quoted account name must also be in upper case.
Note: The entire CELL_NAME/SERVER_PRINCIPAL string must be 15 characters or less.
sqldba> create user "CELL1/ORACLE" identified externally;
sqldba> grant create session to "CELL1/ORACLE";
Note: When using the above format, set the following parameter in PROTOCOL.ORA to FALSE:
dce.local_cell_usernames=false
Note: References to an Oracle account created in this manner must include the schema/account in the correct format. For example, consider requests for access to tables from another account. When a user references the tables in another account created within a local cell, the command might be:
SQL> select * from oracle.emp
If a user wants to access tables in another account created for connections across cells, the command might be:
SQL> select * from "CELL1/ORACLE".emp
To have Oracle roles granted through DCE group membership, set the following in INIT<SID>.ORA:
OS_ROLES=TRUE
and create a DCE group for each role, named:
ORA_<SID>_<ROLE>[_[A][D]]
where the optional A grants the role WITH ADMIN OPTION and the optional D makes it a default role, enabled when the session starts. In the session below, the groups ora_dce222_connect_d, ora_dce222_resource_d and ora_dce222_role1_ad give CONNECT, RESOURCE and ROLE1 as default roles (ROLE1 with admin option), while ora_dce222_dba grants DBA but leaves it to be enabled with SET ROLE:
% dce_login oracle
Enter Password:
% klist
DCE Identity Information:
     Warning: Identity information is not certified
     Global Principal: /.../ilab1/oracle
     Cell:      001c3f90-01f5-1f72-ba65-02608c2c84f3 /.../ilab1
     Principal: 00000068-0568-2f72-bd00-02608c2c84f3 oracle
     Group:     0000000c-01f5-2f72-ba01-02608c2c84f3 none
Local Groups:
     0000000c-01f5-2f72-ba01-02608c2c84f3 none
     0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server
     00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
     00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d
     00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
     00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
     . . .
% sqlplus /@test_222

SQL*Plus: Release 3.2.2.0.0 - Production on Thu Aug 31 11:24:12 1995

Copyright (c) Oracle Corporation 1979, 1994.  All rights reserved.

Connected to:
Oracle7 Server Release 7.2.2.3.0 - Production Release
PL/SQL Release 2.2.2.3.0 - Production

SQL> select * from session_roles;

ROLE
------------------------------
CONNECT
RESOURCE
ROLE1

SQL> set role all;

Role set.

SQL> select * from session_roles;

ROLE
------------------------------
DBA
EXP_FULL_DATABASE
IMP_FULL_DATABASE
CONNECT
RESOURCE
ROLE1

6 rows selected.

SQL> exit
Disconnected from Oracle7 Server Release 7.2.2.3.0 - Production Release
PL/SQL Release 2.2.2.3.0 - Production
% logout
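The account-naming rules above (DCE.LOCAL_CELL_USERNAMES, the double quoting and the 15-character limit) and the ORA_<SID>_<ROLE>[_[A][D]] group convention can both be read off a klist listing. The following Python script is an added example and is not code from this guide or from Oracle's DCE Integration software: KLIST_OUTPUT is a copy of the klist listing shown above, while the function names, the decoding of a trailing a/d/ad segment as flags and the case-insensitive group matching are the script's own assumptions.

```python
import re

# Constructed input: the klist listing shown above for principal "oracle" in cell ilab1.
KLIST_OUTPUT = """\
DCE Identity Information:
     Warning: Identity information is not certified
     Global Principal: /.../ilab1/oracle
     Cell:      001c3f90-01f5-1f72-ba65-02608c2c84f3 /.../ilab1
     Principal: 00000068-0568-2f72-bd00-02608c2c84f3 oracle
     Group:     0000000c-01f5-2f72-ba01-02608c2c84f3 none
Local Groups:
     0000000c-01f5-2f72-ba01-02608c2c84f3 none
     0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server
     00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
     00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d
     00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
     00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
GROUP_LINE = re.compile(rf"^\s*{UUID}\s+(\S+)\s*$")        # entries under "Local Groups:"
GLOBAL_PRINCIPAL = re.compile(r"^\s*Global Principal:\s*/\.\.\./([^/\s]+)/(\S+)\s*$")
MAX_ACCOUNT_LEN = 15   # limit stated above for CELL_NAME/SERVER_PRINCIPAL account names


def parse_klist(text):
    """Return (cell, principal, [group names]) from klist output."""
    cell = principal = None
    groups = []
    for line in text.splitlines():
        m = GLOBAL_PRINCIPAL.match(line)
        if m:
            cell, principal = m.groups()
            continue
        m = GROUP_LINE.match(line)
        if m:
            groups.append(m.group(1))
    return cell, principal, groups


def oracle_account(cell, principal, local_cell_usernames=True):
    """Name of the externally identified Oracle account this login maps to.
    With DCE.LOCAL_CELL_USERNAMES=TRUE it is the bare principal; with FALSE it is
    CELL/PRINCIPAL. Either way it is stored upper-case, and the CELL/PRINCIPAL
    form may not exceed 15 characters."""
    if local_cell_usernames:
        return principal.upper()
    name = f"{cell}/{principal}".upper()
    if len(name) > MAX_ACCOUNT_LEN:
        raise ValueError(f"{name!r} exceeds {MAX_ACCOUNT_LEN} characters")
    return name


def quote_identifier(name):
    """The slash is a reserved character, so CELL/PRINCIPAL names must be double-quoted."""
    return f'"{name}"' if "/" in name else name


def create_user_statements(name):
    """The two sqldba statements needed for an externally identified account."""
    ident = quote_identifier(name)
    return [f"create user {ident} identified externally;",
            f"grant create session to {ident};"]


def os_roles(groups, sid):
    """Decode ORA_<SID>_<ROLE>[_[A][D]] group names for one SID into
    {ROLE: {"default": bool, "admin": bool}} (A = with admin option,
    D = default role enabled at connect time)."""
    roles, prefix = {}, f"ora_{sid.lower()}_"
    for group in groups:
        group = group.lower()
        if not group.startswith(prefix):
            continue
        parts = group[len(prefix):].split("_")
        # assumption: a final segment of exactly a, d or ad is the flag suffix
        flags = parts.pop() if len(parts) > 1 and parts[-1] in ("a", "d", "ad") else ""
        roles["_".join(parts).upper()] = {"default": "d" in flags, "admin": "a" in flags}
    return roles


def default_roles(roles):
    """Roles enabled at connect time, i.e. what SESSION_ROLES shows before SET ROLE ALL."""
    return sorted(role for role, flags in roles.items() if flags["default"])


if __name__ == "__main__":
    cell, principal, groups = parse_klist(KLIST_OUTPUT)
    for local in (True, False):
        print("\n".join(create_user_statements(oracle_account(cell, principal, local))))
    roles = os_roles(groups, "dce222")
    print("granted:", sorted(roles), "default:", default_roles(roles))
```

For the listing above the script reports CONNECT, RESOURCE and ROLE1 as default roles and DBA as granted but not default, which matches the two SESSION_ROLES queries in the SQL*Plus session. EXP_FULL_DATABASE and IMP_FULL_DATABASE appear only after SET ROLE ALL because they are granted to DBA, not through DCE groups, so the group list cannot show them.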
Typically, CDS is used for name resolution, so TNSNAMES.ORA is not used except when loading names and addresses into CDS. See "Configuring Clients to Use the CDS Naming Adapter".
DCE.AUTHENTICATION=dce_secret
DCE.PROTECTION=pkt_integ
DCE.TNS_ADDRESS_OID=1.3.22.1.5.1
DCE.LOCAL_CELL_USERNAMES=TRUE
Note: The default for DCE.LOCAL_CELL_USERNAMES is now TRUE. (It was set to FALSE in the DCE Integration 2.1.6 release.)
Configuration parameters are not case-sensitive; you can enter them in either upper case or lower case.
Note: If the DCE.AUTHENTICATION entry is not specified, cell-wide default authentication is used. If the DCE.PROTECTION entry is not specified, cell-wide default protection is used.
DCE.AUTHENTICATION
This parameter is optional. It indicates the authentication value to be used for each DCE RPC. The client's DCE.AUTHENTICATION value must be the same as the server's DCE.AUTHENTICATION value. The choices are:
NONE. No authentication.
DCE_SECRET. DCE shared-secret key authentication (Kerberos). DCE_SECRET is the default authentication level.
DEFAULT. The cell default.
Note: It is recommended that DCE_SECRET be used for this parameter.
DCE.PROTECTION
This is an optional field, which specifies the data integrity protection level for data transmission. The client's DCE.PROTECTION level must be equal to or greater than the server's DCE.PROTECTION level. Choices, from weakest to strongest, are:
NONE. Perform no protection for the current connection.
DEFAULT. Use the default cell-wide protection level.
CONNECT. Perform protection only when the client establishes a relationship with the server.
CALL. Perform protection only at the beginning of each remote procedure call when the server receives the request.
PKT. Ensures that all data received is from the expected client.
PKT_INTEG. Ensures and verifies that none of the data transferred between the client and server has been modified. The data itself is still sent in the clear; only PRIVACY encrypts it.
PRIVACY. Performs protection as specified by all of the previous levels and also encrypts each RPC argument value and all user data in each call.
DCE.TNS_ADDRESS_OID
DCE.TNS_ADDRESS_OID=1.3.22.1.x.x
For information on how to determine whether you need to include this parameter, and how to specify it, see "Modify the CDS Attributes File and Restart CDS".
DCE.LOCAL_CELL_USERNAMES
This optional parameter defines the format used to specify the principal name (username), either with or without the cell name.
Note: The choice you make for this parameter should be determined by whether users will be making connections across cells, and if so, whether you have naming conventions that assure that users in different cells do not have duplicate names.
Choices are:
TRUE. This is the default. Choose TRUE when using just the SERVER_PRINCIPAL format, without the CELL_NAME. An example of a user specified in this format would be:
oracle
This choice would be appropriate if users are making connections within a single cell, or if naming conventions in your network assure that users in different cells do not have duplicate names.
FALSE. Choose FALSE when using the CELLNAME/SERVER_PRINCIPAL format. An example of a user specified in this format would be:
"CELL1/ORACLE"
This choice would be appropriate if users are making connections across cells and there may be users in different cells with identical names.
Typically, users can connect to Oracle services using the familiar Oracle service name (if there are no domains or the database is in the user's default domain). For example:
sqlplus /@ORADCE
This example assumes that DCE externally-authenticated accounts are in use.
As an alternative name resolution service, you can use TNSNAMES.ORA files when CDS is inaccessible. To do this, you must locate names and addresses of all Oracle servers in the TNSNAMES.ORA file.
The TNS address attribute is registered in the cds_attributes file with its OID, name and type:
1.3.22.1.5.1 TNS_Address char
and the same OID is given to the server and clients in PROTOCOL.ORA:
DCE.TNS_ADDRESS_OID=1.3.22.1.x.y
Note: Make sure that the OID value in the cds_attributes file matches the value specified in the DCE.TNS_ADDRESS_OID parameter in the PROTOCOL.ORA file.
Use Oracle Network Manager to create the files. The SERVICE and SERVER_PRINCIPAL parameters appear on the Address page of the Listener property sheet when you select DCE as the protocol. Enter their values. If you want to include a value for the optional CELL_NAME parameter, enter the parameter and its value in the User Defined text box, surrounded by parentheses. For example:
(CELL_NAME=cell1)
The values you provide for these keywords will appear in the LISTENER.ORA file and the TNSNAMES.ORA and NATIVE.ORA files.
TNSNAMES.ORA contains a list of Oracle service names mapped to connect descriptors of destinations or endpoints in the network. The sample DCE address below shows a network address for an Oracle server with the Oracle service name "ORADCE". It is used to connect to the service registered as "DCE_SVC" in the CDS directory /.../<cell_name>/subsys/oracle/service_registry.
ORADCE=(DESCRIPTION=
  (ADDRESS=
    (PROTOCOL=DCE)
    (SERVER_PRINCIPAL=oracle)
    (CELL_NAME=cell1)
    (SERVICE=DCE_SVC))
  (CONNECT_DATA=
    (SID=ORASID)))
Note: In this example, the Oracle service name and the DCE service name are different. However, they are often the same.
The keyword value pair PROTOCOL=DCE is mandatory. It appears in the address section of LISTENER.ORA and in the address section of TNSNAMES.ORA. It must be the same in both places.
The DCE parameter SERVER_PRINCIPAL is optional in TNSNAMES.ORA.
The DCE parameter SERVICE is mandatory. The value given for the DCE parameter (SERVICE= dce_service_name) must be the same in the LISTENER.ORA and TNSNAMES.ORA files.
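The rules above for the DCE address parameters, for keeping LISTENER.ORA and TNSNAMES.ORA consistent, and for DCE.AUTHENTICATION and DCE.PROTECTION in PROTOCOL.ORA can be checked mechanically before a listener is started. The following Python script is an added example, not part of this guide or of the Oracle DCE Integration software. The embedded LISTENER.ORA, TNSNAMES.ORA and PROTOCOL.ORA fragments are copies of the samples on this page; the finding messages, the ranking of the protection levels in the order they are listed above, and the treatment of an unset parameter as the cell-wide default are the script's own assumptions.

```python
import re

# Innermost (KEY=value) pairs of a connect descriptor; leaf values contain no parentheses.
PAIR_RE = re.compile(r"\(\s*([A-Za-z_.]+)\s*=\s*([^()]*?)\s*\)")
# DCE.PROTECTION levels from weakest to strongest, in the order listed above.
PROTECTION_ORDER = ["NONE", "CONNECT", "CALL", "PKT", "PKT_INTEG", "PRIVACY"]

# Constructed inputs, copied from the LISTENER.ORA, TNSNAMES.ORA and PROTOCOL.ORA samples above.
LISTENER_ORA = """LSNR_DCE=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)
                  (CELL_NAME=cell1)(SERVICE=dce_svc))"""
TNSNAMES_ORA = """ORADCE=(DESCRIPTION=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)
                  (CELL_NAME=cell1)(SERVICE=DCE_SVC))(CONNECT_DATA=(SID=ORASID)))"""
PROTOCOL_ORA = """DCE.AUTHENTICATION=dce_secret
DCE.PROTECTION=pkt_integ
DCE.TNS_ADDRESS_OID=1.3.22.1.5.1
DCE.LOCAL_CELL_USERNAMES=TRUE"""


def leaf_pairs(descriptor):
    """Return {KEY: value} for every innermost (KEY=value) in a connect descriptor."""
    return {k.upper(): v for k, v in PAIR_RE.findall(descriptor)}


def check_address(pairs, side):
    """Apply the mandatory/optional rules for one side, 'listener' or 'client'."""
    findings = []
    if pairs.get("PROTOCOL", "").upper() != "DCE":
        findings.append("error: PROTOCOL=DCE is mandatory")
    service = pairs.get("SERVICE", "")
    if not service:
        findings.append("error: SERVICE is mandatory")
    if "SERVER_PRINCIPAL" not in pairs:
        if side == "listener":
            findings.append("error: SERVER_PRINCIPAL is mandatory in LISTENER.ORA")
        else:  # one-way authentication: the client never checks the server's principal
            findings.append("warning: no SERVER_PRINCIPAL; the client will not "
                            "authenticate the server (one-way authentication)")
    if service and not service.startswith("/.../") and "CELL_NAME" not in pairs:
        findings.append("warning: relative SERVICE without CELL_NAME; cell defaults to the local cell")
    return findings


def compare_sides(listener, client):
    """PROTOCOL and SERVICE must agree, and a client-side SERVER_PRINCIPAL must name
    the principal the listener runs under (parameters are not case-sensitive)."""
    findings = []
    for key in ("PROTOCOL", "SERVICE"):
        if listener.get(key, "").upper() != client.get(key, "").upper():
            findings.append(f"error: {key} differs between LISTENER.ORA and TNSNAMES.ORA")
    expected, actual = client.get("SERVER_PRINCIPAL"), listener.get("SERVER_PRINCIPAL", "")
    if expected is not None and expected.upper() != actual.upper():
        findings.append(f"error: client expects principal {expected}, listener runs as {actual}")
    return findings


def parse_protocol_ora(text):
    """PROTOCOL.ORA holds one KEY=value per line; keys and values are case-insensitive."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip().upper()
    return params


def check_protection(client, server):
    """Authentication must match; client protection must be at least the server's.
    An unset parameter means the cell-wide default, which cannot be ranked here."""
    findings = []
    c_auth = client.get("DCE.AUTHENTICATION", "DEFAULT")
    s_auth = server.get("DCE.AUTHENTICATION", "DEFAULT")
    if c_auth != s_auth:
        findings.append(f"error: DCE.AUTHENTICATION differs (client {c_auth}, server {s_auth})")
    if "NONE" in (c_auth, s_auth):
        findings.append("warning: DCE.AUTHENTICATION=NONE; RPCs are not authenticated")
    c_prot = client.get("DCE.PROTECTION", "DEFAULT")
    s_prot = server.get("DCE.PROTECTION", "DEFAULT")
    for level in (c_prot, s_prot):
        if level != "DEFAULT" and level not in PROTECTION_ORDER:
            return findings + [f"error: unknown DCE.PROTECTION level {level}"]
    if "DEFAULT" in (c_prot, s_prot):
        findings.append("warning: cell-wide default protection in use; ordering not checked")
    elif PROTECTION_ORDER.index(c_prot) < PROTECTION_ORDER.index(s_prot):
        findings.append(f"error: client DCE.PROTECTION={c_prot} is weaker than server {s_prot}")
    elif c_prot != "PRIVACY":
        findings.append(f"warning: DCE.PROTECTION={c_prot} does not encrypt RPC data; "
                        "use PRIVACY for confidentiality")
    return findings


if __name__ == "__main__":
    lsnr, tns = leaf_pairs(LISTENER_ORA), leaf_pairs(TNSNAMES_ORA)
    proto = parse_protocol_ora(PROTOCOL_ORA)
    for finding in (check_address(lsnr, "listener") + check_address(tns, "client")
                    + compare_sides(lsnr, tns) + check_protection(proto, proto)):
        print(finding)
```

Run against the page's own samples the only finding is the PKT_INTEG warning, since that level authenticates and integrity-protects the RPC stream but leaves the data readable on the wire. Dropping SERVER_PRINCIPAL from the client entry produces the one-way authentication warning, and a client PROTOCOL.ORA at PKT against a server at PKT_INTEG is reported as an error because the client level must not be weaker than the server's.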
For further information on TNSNAMES.ORA, refer to Understanding SQL*Net.
To load the Oracle service names or aliases into CDS, perform the following steps:
% dce_login cell_admin
Enter Password: (password will not display)
% tnnfg dceload full_pathname_to_TNSNAMES.ORA
Note: You must enter the full pathname for the TNSNAMES.ORA file in the previous command.
Also make sure that the SQLNET.ORA file exists in the same directory as the TNSNAMES.ORA file.
This procedure loads the service names in TNSNAMES.ORA into DCE's CDS.
Note: In SQL*Net release 2.3, Network Manager creates a file called NATIVE.ORA to be loaded into DCE CDS or other Native Naming Adapters. The contents of NATIVE.ORA are the same as those in TNSNAMES.ORA. If you use NATIVE.ORA, the command would be
% tnnfg dceload full_pathname_to_NATIVE.ORA
Note: If you configure a new service name and address in TNSNAMES.ORA or NATIVE.ORA, tnnfg will add the new service name and address to CDS.
If you change the address for a particular service name, tnnfg will update the address for that service name.
If you are using SQL*Net 2.3, you can keep TNSNAMES.ORA available as a backup in case CDS becomes unavailable. To assure that CDS will routinely be searched instead of TNSNAMES.ORA, configure the NAMES.DIRECTORY_PATH parameter in the SQLNET.ORA file, as described in "Modify SQLNET.ORA Parameter File to Have Names Resolved in CDS".
For a client or server to use the DCE CDS Naming Adapter, the administrator needs to add the following parameters to SQLNET.ORA:
native_names.use_native=true
native_names.directory_path=(dce)
After these parameters are added to the SQLNET.ORA file, the client's or server's name requests will be resolved in CDS instead of by a local TNSNAMES.ORA file.
Note: It is recommended that you rename the TNSNAMES.ORA file to another name, TNSNAMES.BAK, for example. Otherwise, TNSNAMES.ORA may be searched instead of CDS to resolve the service name to an address.
Note: A client or server can use CDS to reach services on a network even if some of those services are not also using CDS.
NAMES.DIRECTORY_PATH=(dce, tnsnames, onames)
The first name resolution service listed as a value for this parameter is used. If it is unavailable for some reason, the next name resolution service is used, and so forth.
Copyright © 1996 Oracle Corporation. All Rights Reserved.