8
Configuring the DCE GSSAPI Authentication Adapter

The DCE GSSAPI authentication adapter enables you to use DCE authentication even if you do not use other portions of the Oracle DCE Integration product in your environment.

This chapter describes how to configure and use the DCE GSSAPI authentication adapter. It describes the following four steps:

1. "Create the DCE Principal"
2. "Set Up Parameters to Use the New DCE Principal, and Turn On DCE GSSAPI Authentication"
3. "Set Up the Account You Will Use to Authenticate to the Database"
4. "Connect to an Oracle Server Using DCE GSSAPI Authentication"

8.1 Create the DCE Principal

To create the DCE principal used by the Oracle Server to validate authentication, type the commands below shown in bold typeface. These instructions assume the Oracle Server principal is named "oracle_server". Type the following commands on the database server.

% su

  password:			(root password is not echoed)

# dce_login cell_admin cell_admin_password

# rgy_edit

Current site is: registry server at 

    /.../cellname/subsys/dce/sec/master

rgy_edit=> do p

Domain changed to: principal

rgy_edit=> add oracle_server

rgy_edit=> do a

Domain changed to: account

rgy_edit=> add oracle_server -g none -o none -pw oracle_server_password -mp 
cell_admin_password

rgy_edit=> ktadd -p oracle_server -pw oracle_server_password

rgy_edit=> quit

bye

8.2 Set Up Parameters to Use the New DCE Principal, and Turn On DCE GSSAPI Authentication

The following instructions assume that the Oracle Server principal is named "oracle_server".

Add the following lines to the SQLNET.ORA file. (This file is probably found in <ORACLE_HOME>/NETWORK/ADMIN.)

SQLNET.AUTHENTICATION_GSSAPI_SERVICE=/.../cellname/oracle_server

SQLNET.AUTHENTICATION_SERVICES=(DCEGSSAPI)





Note:



The Oracle Server principal name used above must be a fully qualified name, including the cell name.

  

8.3 Set Up the Account You Will Use to Authenticate to the Database

Create the DCE principal used by the Oracle client to connect to the database. The following instructions assume the Oracle client principal is named "oracle".

% dce_login cell_admin cell_admin_password

% rgy_edit

Current site is : registry server at /.../cellname/subsys/dce/sec/master

rgy_edit=> do p

Domain changed to: principal

rgy_edit=> add oracle

rgy_edit=> do a

Domain changed to: account

rgy_edit=> add oracle -g none -o none -pw oracle_client_password 	-mp 
cell_admin_password

rgy_edit=> quit

bye

Create the Oracle database user account. The following instructions show how to use the Oracle Server Manager to do this.

% svrmgrl
Oracle Server Manager Release 2.3.3.0.0 -Production

Copyright (c) Oracle Corporation 1994,1995. All rights reserved.

Oracle8 Server Release 8.0.3.0.0 -Production Release

With the distributed, heterogeneous, replication, objects, parallel query, 
Parallel Server and Spatial Data options

PL/SQL Release 8.0.3.0.0 - Production
SVRMGR> connect internal

Connected
SVRMGR> create user "/.../CELLNAME/ORACLE" identified externally;

Statement processed.
SVRMGR> grant connect to "/.../CELLNAME/ORACLE";

Statement processed.
SVRMGR> exit
Server Manager complete.







Note:



The Oracle client principal name must be a fully qualified principal (including full cell designation), must be in uppercase, and must be enclosed within quotes.

  

8.4 Connect to an Oracle Server Using DCE GSSAPI Authentication

The following instructions assume the Oracle Server principal is "oracle_server", the Oracle client principal is "oracle", and the database service name is "sales".

1. If your DCE authentication is not already encapsulated into the operating system authentication, log in:

   % dce_login <oracle_client_principal> <oracle_client_password>
   
   

   For example:

   % dce_login oracle oraclnt
   
   

2. Connect to the Oracle database using DCE GSSAPI authentication.

   % sqlplus /@<database_service_name>
   
   

   For example:

   % sqlplus /@sales
   
   

---