Configuration Files

This appendix discusses the configuration files that are required for the Oracle Enterprise Manager and its components.

Configuration Files

The Oracle Enterprise Manager Console uses a daemon process for network communication with the Oracle Intelligent Agents on remote systems. The network communication is done using Oracle’s SQL*Net product.

Job Scheduling, Event Management, Software Manager, Data Manager, Backup Manager, and Tablespace Manager rely on communication between the Console, agent, and daemon, and require SQL*Net.

SQL*Net requires a number of configuration files in order to work.

On both the Console and host node, the sqlnet.ora file, which contains items such as domain name and trace level, is needed:

On the host node where the Oracle database and agent reside, the following additional files are needed.

Contains the listening addresses of the SQL*Net Listener on the machine plus the name and ORACLE_HOME of any databases the listener knows about.

Contains the listening address of the agent, the names of SQL*Net listener and Oracle database services it knows about, plus tracing parameters. snmp_ro.ora and snmp_rw.ora are created by the 7.3.4 Intelligent Agent. snmp.ora is used by pre-7.3.3 machines. For information on this file, see Parameters for snmp*.ora Files on page A-9.

On the Console side of the connection, the topology file is required for releases previous to Enterprise Manager 1.3.6 and Intelligent Agent 7.3.4. This additional file is needed to populate the Navigator tree if the Intelligent Agent is not used with the Navigator Discovery feature.

Configuration for Console Machine

The following are examples of the configuration files needed on the machine where the Oracle Enterprise Manager Console is run:

sqlnet.ora

The above example assumes ORACLE_HOME is set to C:\ORANT. When tracing is switched on, a trace file called daemon.trc appears in the directory specified by the DAEMON.TRACE_DIRECTORY parameter.

tnsnames.ora

Configuration for Remotely Managed Machines

The following are some of the example configuration files which may be needed for the machine where the Oracle database and the Oracle Intelligent agent run.

sqlnet.ora

The most important thing to note about this sqlnet.ora is that the domain name is world which means any service name in tnsnames.ora should have world tagged onto it.

tnsnames.ora

listener.ora

This command explicitly specifies the name of the SQL*Net listener.

snmp.ora for Pre-7.3.3 Agents Only

This snmp.ora example is used by a pre-7.3.3 Intelligent Agent, or a 7.3.3 Intelligent Agent registering with the Names Server. Pre-7.3.3 Intelligent Agents can use any port number, as long as the numbers match the tnsnames.ora entries for the Agent.

The configuration files, s nmp_ro.ora, and snmp_rw.ora, provide configuration parameters for the agent. These files are created by the 7.3.3 (and later) Intelligent Agent.

snmp_ro.ora

snmp_rw.ora

The 7.3.4 agent requires port address 1748 and 1754. TCP/IP protocol is required to automatically discover services with the 7.3.4 agent. The port address is automatically set.

The following parameters are not automatically generated, but may be added to the file:

services.ora

Parameters for snmp*.ora Files

These parameters are used in the snmp_ro.ora and snmp_rw.ora files, the configuration files for the 7.3.4 Intelligent Agent release. These parameters are also used in the snmp.ora file, the primary configuration file for Intelligent Agent releases prior to the 7.3.4 release.

In the following parameters, note these substitutions:

The name of the services that the agent is monitoring. Each database and each SNMP-manageable service must be listed. For a database, the service name is the name of the database as it appears in the tnsnames.ora file or in the Names Server.

SNMP.INDEX.service_name.world = index_number

The unique index number of the service that the agent is monitoring.

SNMP.SID.service_name.world = server_id

The server Id (SID) of the database service that the agent is monitoring.

SNMP.CONNECT.service_name.world.USER = user_name

The username that the subagent uses to connect to the database. The default is dbsnmp. This parameter is optional.

SNMP.CONNECT.service_name.world.PASSWORD = password

The password for the username that is used by the subagent to connect to the database. The default is dbsnmp. This parameter is optional.

SNMP.ORACLEHOME.service_name.world = ORACLE_HOME_DIR

The Oracle home directory of the database. A separate entry is required for each database even if ORACLE_HOME_DIR is the same for all services.

SNMP.CONTACT.service_name.world = «contact_info»

A string containing contact information, such as name, phone number, and email, of the administrator responsible for the service. This parameter is optional.

DBSNMP.POLLTIME = nn

The time interval (seconds) that the agent polls the database to check whether it is down. If the database has gone down or was never connected, this is the interval between retries. The default is 30 seconds.

NMI.TRACE_LEVEL = OFF | USER | ADMIN | nn

Turns on tracing at the specified level. Oracle recommends that you set the trace level to 13. Level 15 produces a deluge of information, which is only useful if a bug is being investigated. This parameter is optional.

NMI.TRACE_DIRECTORY = directory

NMI.TRACE_FILE = filename

Filename of the trace file. This parameter is optional.

NMI.LOG_DIRECTORY = directory

Directory where log file is written. This parameter is optional.

NMI.LOG_FILE = filename

Filename of the log file. This parameter is optional. On Windows NT, the filename defaults to dbsnmp.

dbsnmp.address = (DESCRIPTION=(ADDRESS=(PROTOCOL=protocol) (HOST=host_name)(PORT=port_no)))

The TNS address that the agent uses to listen for incoming requests. There should be no space or return characters in the address. This parameter is the address that the Agent listens on for network connections.

TCP/IP is the only protocol supported by Oracle. TCP/IP is required to automatically discover services with the 7.3.4 agent.

The 7.3.4 agent requires PORT=1748. The port address 1748 is a registered TCP port granted to Oracle by the Internet Assigned Number Authority (IANA). The port address is automatically set. Changing this port makes the agent undetectable by the Enterprise Manager Console and forces a manual configuration setup.

For agent releases previous to the 7.3.4 release, this address must match exactly the entry for this agent in the tnsnames.ora file on the machine where the Oracle Enterprise Manager Console resides.

dbsnmp.spawnaddress = (DESCRIPTION=(ADDRESS= (PROTOCOL=protocol) (HOST=host_name)(PORT=spnport_no)))

The TNS address which the agent can use to accept RPC’s. This address is used for file transfers. The spnport_no used in this parameter is different than port_no used in the DBSNMP.ADDRESS parameter.

The 7.3.4 agent PORT=1754. The port address 1754 is a registered TCP port granted to Oracle by the Internet Assigned Number Authority (IANA). Changing this port makes the agent undetectable by the Enterprise Manager Console and forces a manual configuration setup.

Источник

5 Parameters for the sqlnet.ora File

This chapter provides complete listing of the sqlnet.ora file configuration parameters.

This chapter includes the following topics:

Overview of Profile Configuration File

The sqlnet.ora file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the sqlnet.ora file. These parameters specify whether clients are allowed or denied access based on the protocol.

The sqlnet.ora file enables you to do the following:

Specify the client domain to append to unqualified names

Enable logging and tracing features

Route connections through specific processes

Configure parameters for external naming

Use protocol-specific parameters to restrict access to the database

By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory. The sqlnet.ora file can also be stored in the directory specified by the TNS_ADMIN environment variable.

sqlnet.ora Profile Parameters

This section lists and describes the following sqlnet.ora file parameters:

BEQUEATH_DETACH

To turn signal handling on or off for Linux and UNIX systems.

yes to turn signal handling off

no to leave signal handling on

DEFAULT_SDU_SIZE

To specify the session data unit (SDU) size, in bytes to connections.

Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.

You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.

Oracle Database Net Services Administrator’s Guide for complete SDU usage and configuration information

512 to 65535 bytes

DISABLE_OOB

To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.

Operating system-specific documentation to determine if the protocols you are using support urgent data requests. TCP/IP is an example of a protocol that supports this feature.

NAMES.DEFAULT_DOMAIN

To set the domain from which the client most often looks up names resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.

NAMES.DIRECTORY_PATH

To specify the order of the naming methods used for client name resolution lookups.

NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)

NAMES.LDAP_AUTHENTICATE_BIND

To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.

The parameter value is Boolean.

NAMES.LDAP_CONN_TIMEOUT

To specify number of seconds for a non-blocking connect timeout to the LDAP server.

NAMES.LDAP_PERSISTENT_SESSION

To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.

The parameter value is Boolean.

RECV_BUF_SIZE

To specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.

Oracle Net Services Administrator’s Guide for additional information about configuring this parameter

The default value for this parameter is operating system-specific.

You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.

SDP.PF_INET_SDP

To specify the protocol family or address family constant for the SDP protocol on your system.

Any positive integer

SEC_USER_AUDIT_ACTION_BANNER

To specify a text file containing the banner contents that warn the user about possible user action auditing. The complete path of the text file must be specified in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.

Name of the file for which the database owner has read permissions.

SEC_USER_UNAUTHORIZED_ACCESS_BANNER

To specify a text file containing the banner contents that warn the user about unauthorized access to the database. The complete path of the text file must be specified in the sqlnet.ora file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.

Name of the file for which the database owner has read permissions.

SEND_BUF_SIZE

To specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.

Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.

Oracle Database Net Services Administrator’s Guide for additional information about configuring this parameter

The default value for this parameter is operating system-specific.

You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.

SQLNET.ALLOWED_LOGON_VERSION

To set the minimum authentication protocol allowed when connecting to Oracle Database instances. The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client release does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.

Note the following implications of setting the value to 12 :

Releases of OCI clients before Oracle Database 10 g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.

The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.

The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have less abilities than more recent clients.

O5L_NP : The ability to perform the Oracle Database 10 g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.

O5L : The ability to perform the Oracle Database 10 g authentication protocol using the 10G password version.

O4L : The ability to perform the Oracle9 i database authentication protocol using the 10G password version.

O3L : The ability to perform the Oracle8 i database authentication protocol using the 10G password version.

A higher ability value is more recent and secure than a lower ability value. Clients that are more recent have all the capabilities of the older clients.

The following table describes the allowed values, password versions, and descriptions:

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.

Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version.

Footnote 1 This is considered «Exclusive Mode» because it excludes the use of the 10G password version.

12 for the critical patch updates CPUOct2012 and later Oracle Database 11 g authentication protocols (recommended)

11 for Oracle Database 11 g authentication protocols

10 for Oracle Database 10 g authentication protocols

9 for Oracle9 i Database authentication protocols

8 for Oracle8 i Database authentication protocols (default)

If both Oracle Database 11 g and Oracle Database 10 g are present, then set the parameter as follows:

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE

To define the name of the service used to obtain a Kerberos service ticket.

SQLNET.AUTHENTICATION_SERVICES

To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none or to one of the listed authentication methods.

Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.

Authentication based on the operating system user’s membership in an administrative operating system group. Group names are platform-specific. This authentication is applicable to administrative connections only.

Authentication performed by the database.

Authentication based on credentials stored in a directory server.

Operating system authentication allows access to the database using any user name and any password when an administrative connection is attempted, such as using the AS SYSDBA clause when connecting using SQL*Plus. An example of a connection is as follows.

When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because the user name and password are ignored by the server due to checking the group membership first.

Oracle Database Security Guide for additional information about authentication methods

When installing the database with Database Configuration Assistant (DBCA), this parameter may be set to nts in the sqlnet.ora file.

Authentication methods available with Oracle Net Services:

all for all authentication methods.

beq for native operating system authentication for operating systems other than Microsoft Windows

kerberos5 for Kerberos authentication

nts for Microsoft Windows native operating system authentication

radius for Remote Authentication Dial-In User Service (RADIUS) authentication

tcps for SSL authentication

SQLNET.CLIENT_REGISTRATION

To set a unique identifier for the client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.

SQLNET.CRYPTO_CHECKSUM_CLIENT

To specify the checksum behavior for the client.

accepted to enable the security service if required or requested by the other side.

rejected to disable the security service, even if the required by the other side.

requested to enable the security service if the other side allows it.

required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.CRYPTO_CHECKSUM_SERVER

To specify the checksum behavior for the database server.

accepted to enable the security service if required or requested by the other side.

rejected to disable the security service, even if the required by the other side.

requested to enable the security service if the other side allows it.

required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

To specify a list of crypto-checksum algorithms for the client to use.

All available algorithms

md5 for the RSA Data Security MD5 algorithm.

sha1 for the Secure Hash algorithm.

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

To specify a list of crypto-checksum algorithms for the database server to use.

All available algorithms

md5 for the RSA Data Security’s MD5 algorithm

sha1 for the Secure Hash algorithm

SQLNET.ENCRYPTION_CLIENT

To turn encryption on for the client.

accepted to enable the security service if required or requested by the other side.

rejected to disable the security service, even if the required by the other side.

requested to enable the security service if the other side allows it.

required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.ENCRYPTION_SERVER

To turn encryption on for the database server.

accepted to enable the security service if required or requested by the other side.

rejected to disable the security service, even if the required by the other side.

requested to enable the security service if the other side allows it.

required to enable the security service and disallow the connection if the other side is not enabled for the security service.

SQLNET.ENCRYPTION_TYPES_CLIENT

To specify a list of encryption algorithms for the client to use.

All available algorithms.

One or more of the following:

3des112 for triple DES with a two-key (112-bit) option

3des168 for triple DES with a three-key (168-bit) option

des for standard 56-bit key size

des40 for 40-bit key size

rc4_40 for 40-bit key size

rc4_56 for 56-bit key size

rc4_128 for 128-bit key size

rc4_256 for 256-bit key size

SQLNET.ENCRYPTION_TYPES_SERVER

To specify a list of encryption algorithms for the database server to use.

All available algorithms.

One or more of the following:

3des112 for triple DES with a two-key (112-bit) option

3des168 for triple DES with a three-key (168-bit) option

des for standard 56-bit key size

des40 for 40-bit key size

rc4_40 for 40-bit key size

rc4_56 for 56-bit key size

rc4_128 for 128-bit key size

rc4_256 for 256-bit key size

SQLNET.EXPIRE_TIME

To specify a time interval, in minutes, to send a check to verify that client/server connections are active. The following usage notes apply to this parameter:

Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination.

If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.

This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.

Limitations on using this terminated connection detection feature are:

It is not allowed on bequeathed connections.

Though very small, a probe packet generates additional traffic that may downgrade network performance.

Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.

SQLNET.INBOUND_CONNECT_TIMEOUT

To specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.

If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.

The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_ listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:

Set both parameters to an initial low value.

Set the value of the INBOUND_CONNECT_TIMEOUT_ listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.

For example, you can set INBOUND_CONNECT_TIMEOUT_ listener_name to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.

«Control Parameters» for additional information about INBOUND_CONNECT_TIMEOUT_ listener_name

Oracle Net Services Administrator’s Guide for additional information about configuring these parameters

SQLNET.FALLBACK_AUTHENTICATION

To specify whether password-based authentication is going to be attempted if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.

SQLNET.KERBEROS5_CC_NAME

To specify the complete path name to the Kerberos credentials cache file.

/usr/tmp/krbcache on Linux and UNIX operating systems, and c:\tmp\krbcache on Microsoft Windows operating systems

SQLNET.KERBEROS5_CLOCKSKEW

To specify how many seconds can pass before a Kerberos credential is considered out of date.

SQLNET.KERBEROS5_CONF

To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit program for the user’s initial ticket.

/krb5/krb.conf on Linux and UNIX operating systems and c:\krb5\krb.conf on Microsoft Windows operating systems

SQLNET.KERBEROS5_KEYTAB

To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.

/etc/v5srvtab on Linux and UNIX operating systems and c:\krb5\v5srvtab on Microsoft Windows operating systems

SQLNET.KERBEROS5_REALMS

To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.

/krb5/krb.realms on Linux and UNIX operating systems and c:\krb5\krb.realms on Microsoft Windows operating systems

SQLNET.OUTBOUND_CONNECT_TIMEOUT

To specify the time, in seconds, for a client to establish an Oracle Net connection to the database instance.

If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.

The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service.

Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable.

The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.

This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.

SQLNET.RADIUS_ALTERNATE

To specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.

SQLNET.RADIUS_ALTERNATE_PORT

To specify the listening port of the alternate RADIUS server.

SQLNET.RADIUS_ALTERNATE_RETRIES

To specify the number of times the database server should resend messages to the alternate RADIUS server.

SQLNET.RADIUS_AUTHENTICATION

To specify the location of the primary RADIUS server, either by its host name or IP address.

SQLNET.RADIUS_AUTHENTICATION_INTERFACE

To specify the class containing the user interface used to interact with the user.

SQLNET.RADIUS_AUTHENTICATION_PORT

Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of the primary RADIUS server.

SQLNET.RADIUS_AUTHENTICATION_RETRIES

To specify the number of times the database server should resend messages to the primary RADIUS server.

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT

To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.

Источник