5 Parameters for the sqlnet.ora File
This chapter provides a complete listing of the sqlnet.ora file configuration parameters.
This chapter includes the following topics:
- Overview of Profile Configuration File
- sqlnet.ora Profile Parameters
- ADR Diagnostic Parameters in sqlnet.ora
- Non-ADR Diagnostic Parameters in sqlnet.ora
Overview of Profile Configuration File
The sqlnet.ora file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the sqlnet.ora file. These parameters specify whether clients are allowed or denied access based on the protocol.
The sqlnet.ora file enables you to do the following:
- Specify the client domain to append to unqualified names
- Prioritize naming methods
- Enable logging and tracing features
- Route connections through specific processes
- Configure parameters for external naming
- Configure Oracle Advanced Security
- Use protocol-specific parameters to restrict access to the database
By default, the sqlnet.ora file is located in the ORACLE_HOME/network/admin directory. The sqlnet.ora file can also be stored in the directory specified by the TNS_ADMIN environment variable.
sqlnet.ora Profile Parameters
This section lists and describes the following sqlnet.ora file parameters:
- BEQUEATH_DETACH
- DEFAULT_SDU_SIZE
- DISABLE_OOB
- NAMES.DEFAULT_DOMAIN
- NAMES.DIRECTORY_PATH
- NAMES.LDAP_AUTHENTICATE_BIND
- NAMES.LDAP_CONN_TIMEOUT
- NAMES.LDAP_PERSISTENT_SESSION
- RECV_BUF_SIZE
- SDP.PF_INET_SDP
- SEC_USER_AUDIT_ACTION_BANNER
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER
- SEND_BUF_SIZE
- SQLNET.ALLOWED_LOGON_VERSION
- SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
- SQLNET.AUTHENTICATION_SERVICES
- SQLNET.CLIENT_REGISTRATION
- SQLNET.CRYPTO_CHECKSUM_CLIENT
- SQLNET.CRYPTO_CHECKSUM_SERVER
- SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
- SQLNET.ENCRYPTION_CLIENT
- SQLNET.ENCRYPTION_SERVER
- SQLNET.ENCRYPTION_TYPES_CLIENT
- SQLNET.ENCRYPTION_TYPES_SERVER
- SQLNET.EXPIRE_TIME
- SQLNET.INBOUND_CONNECT_TIMEOUT
- SQLNET.FALLBACK_AUTHENTICATION
- SQLNET.KERBEROS5_CC_NAME
- SQLNET.KERBEROS5_CLOCKSKEW
- SQLNET.KERBEROS5_CONF
- SQLNET.KERBEROS5_KEYTAB
- SQLNET.KERBEROS5_REALMS
- SQLNET.OUTBOUND_CONNECT_TIMEOUT
- SQLNET.RADIUS_ALTERNATE
- SQLNET.RADIUS_ALTERNATE_PORT
- SQLNET.RADIUS_ALTERNATE_RETRIES
- SQLNET.RADIUS_AUTHENTICATION
- SQLNET.RADIUS_AUTHENTICATION_INTERFACE
- SQLNET.RADIUS_AUTHENTICATION_PORT
- SQLNET.RADIUS_AUTHENTICATION_RETRIES
- SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
- SQLNET.RADIUS_CHALLENGE_RESPONSE
- SQLNET.RADIUS_SECRET
- SQLNET.RADIUS_SEND_ACCOUNTING
- SQLNET.RECV_TIMEOUT
- SQLNET.SEND_TIMEOUT
- WALLET_OVERRIDE
- SSL_CERT_REVOCATION
- SSL_CRL_FILE
- SSL_CRL_PATH
- SSL_CIPHER_SUITES
- SSL_CLIENT_AUTHENTICATION
- SSL_EXTENDED_KEY_USAGE
- SSL_SERVER_DN_MATCH
- SSL_VERSION
- TCP.CONNECT_TIMEOUT
- TCP.EXCLUDED_NODES
- TCP.INVITED_NODES
- TCP.NODELAY
- TCP.VALIDNODE_CHECKING
- TNSPING.TRACE_DIRECTORY
- TNSPING.TRACE_LEVEL
- USE_CMAN
- USE_DEDICATED_SERVER
- WALLET_LOCATION
BEQUEATH_DETACH
Purpose
To turn signal handling on or off for Linux and UNIX systems.
Default
NO
Values
- yes to turn signal handling off
- no to leave signal handling on
Example
BEQUEATH_DETACH=yes
DEFAULT_SDU_SIZE
Purpose
To specify the session data unit (SDU) size, in bytes, for connections.
Usage
Oracle recommends setting this parameter in both the client-side and server-side sqlnet.ora file to ensure the same SDU size is used throughout a connection. When the configured values of client and database server do not match for a session, the lower of the two values is used.
You can override this parameter for a particular client connection by specifying the SDU parameter in the connect descriptor for a client.
See Also:
Oracle Database Net Services Administrator's Guide for complete SDU usage and configuration information
Default
8192 bytes (8 KB)
Values
512 to 65535 bytes
Example
DEFAULT_SDU_SIZE=4096
DISABLE_OOB
Purpose
To enable or disable Oracle Net to send or receive out-of-band break messages using urgent data provided by the underlying protocol.
If turned off, then the parameter enables Oracle Net to send and receive break messages. If turned on, then the parameter disables the ability to send and receive break messages. Once enabled, this feature applies to all protocols used by this client.
Default
OFF
Example
DISABLE_OOB=on
See Also:
Operating system-specific documentation to determine if the protocols you are using support urgent data requests. TCP/IP is an example of a protocol that supports this feature.
NAMES.DEFAULT_DOMAIN
Purpose
To set the domain from which the client most often looks up name resolution requests. When this parameter is set, the default domain name is automatically appended to any unqualified net service name or service name.
For example, if the default domain is set to us.example.com, then the connect string CONNECT scott@sales gets searched as sales.us.example.com. If the connect string includes the domain extension, such as CONNECT scott@sales.us.example.com, then the domain is not appended to the string.
Default
None
Example
NAMES.DEFAULT_DOMAIN=example.com
NAMES.DIRECTORY_PATH
Purpose
To specify the order of the naming methods used for client name resolution lookups.
Default
NAMES.DIRECTORY_PATH=(tnsnames, ldap, ezconnect)
Values
Naming Method Value | Description |
tnsnames (local naming method) | Set to resolve a net service name through the tnsnames.ora file on the client. |
ldap (directory naming method) | Set to resolve a database service name, net service name, or net service alias through a directory server. |
ezconnect or hostname (Easy Connect naming method) | Select to enable clients to use a TCP/IP connect identifier, consisting of a host name and optional port and service name. |
nis (external naming method) | Set to resolve service information through an existing Network Information Service (NIS). |
Example
NAMES.DIRECTORY_PATH=(tnsnames)
NAMES.LDAP_AUTHENTICATE_BIND
Purpose
To specify whether the LDAP naming adapter should attempt to authenticate using a specified wallet when it connects to the LDAP directory to resolve the name in the connect string.
Usage
The parameter value is Boolean.
If the parameter is set to TRUE, then the LDAP connection is authenticated using a wallet whose location must be specified in the WALLET_LOCATION parameter.
If the parameter is set to FALSE, then the LDAP connection is established using an anonymous bind.
Default
FALSE
Example
NAMES.LDAP_AUTHENTICATE_BIND=TRUE
NAMES.LDAP_CONN_TIMEOUT
Purpose
To specify the number of seconds for a non-blocking connect timeout to the LDAP server.
Usage
The parameter value -1 is for infinite timeout.
Default
15 seconds
Values
Values are in seconds. The range is -1 to the number of seconds acceptable for your environment. There is no upper limit.
Example
names.ldap_conn_timeout = -1
NAMES.LDAP_PERSISTENT_SESSION
Purpose
To specify whether the LDAP naming adapter should leave the session with the LDAP server open after name lookup is complete.
Usage
The parameter value is Boolean.
If the parameter is set to TRUE, then the connection to the LDAP server is left open after the name lookup is complete; the connection will effectively stay open for the duration of the process. If the connection is lost, then it will be re-established as needed.
If the parameter is set to FALSE, then the LDAP connection is terminated as soon as the name lookup completes. Every subsequent lookup opens the connection, performs the lookup, and closes the connection. This option prevents the LDAP server from having a large number of clients connected to it at any one time.
Default
FALSE
Example
NAMES.LDAP_PERSISTENT_SESSION=TRUE
RECV_BUF_SIZE
Purpose
To specify the buffer space limit for receive operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
See Also:
Oracle Net Services Administrator's Guide for additional information about configuring this parameter
Default
The default value for this parameter is operating system-specific.
Usage
You can override this parameter for a particular client connection by specifying the RECV_BUF_SIZE parameter in the connect descriptor for a client.
Example
RECV_BUF_SIZE=11784
SDP.PF_INET_SDP
Purpose
To specify the protocol family or address family constant for the SDP protocol on your system.
Default
27
Values
Any positive integer
Example
SDP.PF_INET_SDP=30
SEC_USER_AUDIT_ACTION_BANNER
Purpose
To specify a text file containing the banner contents that warn the user about possible user action auditing. The complete path of the text file must be specified in the sqlnet.ora file on the server. Oracle Call Interface (OCI) applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_AUDIT_ACTION_BANNER=/opt/oracle/admin/data/auditwarning.txt
SEC_USER_UNAUTHORIZED_ACCESS_BANNER
Purpose
To specify a text file containing the banner contents that warn the user about unauthorized access to the database. The complete path of the text file must be specified in the sqlnet.ora file on the server. OCI applications can make use of OCI features to retrieve this banner and display it to the user. The text file has a maximum limit of 512 bytes.
Default
None
Values
Name of the file for which the database owner has read permissions.
Example
SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/opt/oracle/admin/data/unauthwarning.txt
SEND_BUF_SIZE
Purpose
To specify the buffer space limit for send operations of sessions. This parameter is supported by the TCP/IP, TCP/IP with SSL, and SDP protocols.
Note:
Additional protocols might support this parameter on certain operating systems. Refer to the operating system-specific documentation for additional information about additional protocols that support this parameter.
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring this parameter
Default
The default value for this parameter is operating system-specific.
Usage
You can override this parameter for a particular client connection by specifying the SEND_BUF_SIZE parameter in the connect descriptor for a client.
Example
SEND_BUF_SIZE=11784
SQLNET.ALLOWED_LOGON_VERSION
Purpose
To set the minimum authentication protocol allowed when connecting to Oracle Database instances. The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.
If the client release does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.
Usage Notes
A setting of 8 permits most password versions, and allows any combination of the DBA_USERS.PASSWORD_VERSIONS values 10G and 11G.
A greater value means the server is less compatible in terms of the protocol that clients must understand in order to authenticate. The server is also more restrictive in terms of the password version that must exist to authenticate any specific account. The ability for a client to authenticate depends on the DBA_USERS.PASSWORD_VERSIONS value on the server for that account.
Note the following implications of setting the value to 12:
- To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords. The new passwords are case sensitive. When an account password is changed, the earlier 10G case-insensitive password version is automatically removed.
- Releases of OCI clients before Oracle Database 10g and all versions of JDBC thin clients cannot authenticate to the Oracle database using password-based authentication.
- If the client uses Oracle9i Database, then the client will receive an ORA-03134 error message. To allow the connection, remove the SQLNET.ALLOWED_LOGON_VERSION setting to return to the default. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.
The client must support certain abilities of an authentication protocol before the server will authenticate. If the client does not support a specified authentication ability, then the server rejects the connection with an ORA-28040: No matching authentication protocol error message.
The following is the list of all client abilities. Some clients do not have all abilities. Clients that are more recent have all the capabilities of the older clients, but older clients tend to have fewer abilities than more recent clients.
- O5L_NP: The ability to perform the Oracle Database 10g authentication protocol using the 11G password version, and generating a session key encrypted for critical patch update CPUOct2012.
- O5L: The ability to perform the Oracle Database 10g authentication protocol using the 10G password version.
- O4L: The ability to perform the Oracle9i database authentication protocol using the 10G password version.
- O3L: The ability to perform the Oracle8i database authentication protocol using the 10G password version.
A higher ability value is more recent and secure than a lower ability value. Clients that are more recent have all the capabilities of the older clients.
The following table describes the allowed values, password versions, and descriptions:
Value of the ALLOWED_LOGON_VERSION Parameter | Generated Password Version | Ability Required of the Client | Meaning for Clients |
12 (Footnote 1) | 11G | O5L_NP | Only clients which have applied critical patch update CPUOct2012 or later, or release 11.2.0.3 clients with an equivalent update can connect to the server. |
11 | 10G, 11G | O5L | Clients using Oracle Database 10g and later can connect to the server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version. |
10 | 10G, 11G | O5L | Clients using Oracle Database 10g and later can connect to the server. Clients using releases earlier than Oracle Database release 11.2.0.3 that have not applied critical patch update CPUOct2012 or later patches must use the 10G password version. |
9 | 10G, 11G | O4L | Oracle9i Database or later clients can connect to the server. |
8 | 10G, 11G | O3L | Oracle8i Database and later clients can connect to the server. |
Footnote 1: This is considered "Exclusive Mode" because it excludes the use of the 10G password version.
Allowed Values
- 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols (recommended)
- 11 for Oracle Database 11g authentication protocols
- 10 for Oracle Database 10g authentication protocols
- 9 for Oracle9i Database authentication protocols
- 8 for Oracle8i Database authentication protocols (default)
Default
8
Example
If both Oracle Database 11g and Oracle Database 10g are present, then set the parameter as follows:
SQLNET.ALLOWED_LOGON_VERSION=10
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
Purpose
To define the name of the service used to obtain a Kerberos service ticket.
Default
None
Example
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.AUTHENTICATION_SERVICES
Purpose
To enable one or more authentication services. If authentication has been installed, then it is recommended that this parameter be set to either none or to one of the listed authentication methods.
Usage Notes
When using the SQLNET.AUTHENTICATION_SERVICES value all, the server attempts to authenticate using each of the following methods. The server falls back to the ones lower on the list if the ones higher on the list were unsuccessful.
- Authentication based on a service external to the database, such as a service on the network layer, Kerberos, or RADIUS.
- Authentication based on the operating system user's membership in an administrative operating system group. Group names are platform-specific. This authentication is applicable to administrative connections only.
- Authentication performed by the database.
- Authentication based on credentials stored in a directory server.
Operating system authentication allows access to the database using any user name and any password when an administrative connection is attempted, such as using the AS SYSDBA clause when connecting using SQL*Plus. An example of a connection is as follows.
sqlplus ignored_username/ignored_password AS SYSDBA
When the operating-system user who issued the preceding command is already a member of the appropriate administrative operating system group, then the connection is successful. This is because the user name and password are ignored by the server due to checking the group membership first.
See Also:
Oracle Database Security Guide for additional information about authentication methods
Default
all
Note:
When installing the database with Database Configuration Assistant (DBCA), this parameter may be set to nts in the sqlnet.ora file.
Values
Authentication methods available with Oracle Net Services:
- none for no authentication methods, including Microsoft Windows native operating system authentication. When SQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.
- all for all authentication methods.
- beq for native operating system authentication for operating systems other than Microsoft Windows
- kerberos5 for Kerberos authentication
- nts for Microsoft Windows native operating system authentication
- radius for Remote Authentication Dial-In User Service (RADIUS) authentication
- tcps for SSL authentication
Example
SQLNET.AUTHENTICATION_SERVICES=(kerberos5)
See Also:
SQLNET.CLIENT_REGISTRATION
Purpose
To set a unique identifier for the client computer. This identifier is passed to the listener with any connection request and is included in the Audit Trail. The identifier can be any alphanumeric string up to 128 characters long.
Default
None
Example
SQLNET.CLIENT_REGISTRATION=1432
SQLNET.CRYPTO_CHECKSUM_CLIENT
Purpose
To specify the checksum behavior for the client.
See Also:
Oracle Database Advanced Security Administrator's Guide
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side.
- rejected to disable the security service, even if required by the other side.
- requested to enable the security service if the other side allows it.
- required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_CLIENT=accepted
SQLNET.CRYPTO_CHECKSUM_SERVER
Purpose
To specify the checksum behavior for the database server.
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side.
- rejected to disable the security service, even if required by the other side.
- requested to enable the security service if the other side allows it.
- required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.CRYPTO_CHECKSUM_SERVER=accepted
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
Purpose
To specify a list of crypto-checksum algorithms for the client to use.
Default
All available algorithms
Values
- md5 for the RSA Data Security MD5 algorithm.
- sha1 for the Secure Hash algorithm.
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
Purpose
To specify a list of crypto-checksum algorithms for the database server to use.
Default
All available algorithms
Values
- md5 for the RSA Data Security MD5 algorithm
- sha1 for the Secure Hash algorithm
Example
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.ENCRYPTION_CLIENT
Purpose
To turn encryption on for the client.
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side.
- rejected to disable the security service, even if required by the other side.
- requested to enable the security service if the other side allows it.
- required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_CLIENT=accepted
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.ENCRYPTION_SERVER
Purpose
To turn encryption on for the database server.
Default
accepted
Values
- accepted to enable the security service if required or requested by the other side.
- rejected to disable the security service, even if required by the other side.
- requested to enable the security service if the other side allows it.
- required to enable the security service and disallow the connection if the other side is not enabled for the security service.
Example
SQLNET.ENCRYPTION_SERVER=accepted
See Also:
Oracle Database Advanced Security Administrator's Guide
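The four values shared by SQLNET.CRYPTO_CHECKSUM_CLIENT/SERVER and SQLNET.ENCRYPTION_CLIENT/SERVER combine as shown in the following added example, which is not Oracle code. The names negotiate and matrix are hypothetical, and the handling of an empty algorithm intersection is an assumption that this page does not state.

```python
"""Added example: outcome of the Oracle Net encryption/checksum negotiation."""

MODES = ("rejected", "accepted", "requested", "required")
DEFAULT_MODE = "accepted"  # default of all four *_CLIENT / *_SERVER parameters


def negotiate(client_mode=DEFAULT_MODE, server_mode=DEFAULT_MODE,
              client_algs=None, server_algs=None):
    """Return "ON", "OFF" or "FAIL" for one security service.

    client_algs / server_algs are the *_TYPES_* lists. None stands for the
    default ("all available algorithms") and is treated as matching anything.
    """
    c, s = client_mode.lower(), server_mode.lower()
    for mode in (c, s):
        if mode not in MODES:
            raise ValueError(f"unknown mode: {mode!r}")

    # One side insists, the other refuses: the connection is disallowed.
    if {c, s} == {"rejected", "required"}:
        return "FAIL"
    # A side that rejects switches the service off for everything else.
    if "rejected" in (c, s):
        return "OFF"
    # Both sides merely accept: nobody asks, so nothing is enabled.
    if c == s == "accepted":
        return "OFF"

    # At least one side asks and the other allows it. Assumption (not from
    # this page): with no algorithm in common the service cannot start, which
    # is fatal only when one side requires it.
    if client_algs is not None and server_algs is not None:
        common = {a.lower() for a in client_algs} & {a.lower() for a in server_algs}
        if not common:
            return "FAIL" if "required" in (c, s) else "OFF"
    return "ON"


def matrix():
    """Outcome for every (client, server) pair with default algorithm lists."""
    return {(c, s): negotiate(c, s) for c in MODES for s in MODES}


if __name__ == "__main__":
    print(f"{'client':<10} {'server':<10} result")
    for (c, s), result in matrix().items():
        print(f"{c:<10} {s:<10} {result}")
```

With both sides left at the default accepted, the result is OFF, so a server that must never carry cleartext sessions has to be set to required.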
SQLNET.ENCRYPTION_TYPES_CLIENT
Purpose
To specify a list of encryption algorithms for the client to use.
Default
All available algorithms.
Values
One or more of the following:
- 3des112 for triple DES with a two-key (112-bit) option
- 3des168 for triple DES with a three-key (168-bit) option
- des for standard 56-bit key size
- des40 for 40-bit key size
- rc4_40 for 40-bit key size
- rc4_56 for 56-bit key size
- rc4_128 for 128-bit key size
- rc4_256 for 256-bit key size
Example
SQLNET.ENCRYPTION_TYPES_CLIENT=(rc4_56)
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.ENCRYPTION_TYPES_SERVER
Purpose
To specify a list of encryption algorithms for the database server to use.
Default
All available algorithms.
Values
One or more of the following:
- 3des112 for triple DES with a two-key (112-bit) option
- 3des168 for triple DES with a three-key (168-bit) option
- des for standard 56-bit key size
- des40 for 40-bit key size
- rc4_40 for 40-bit key size
- rc4_56 for 56-bit key size
- rc4_128 for 128-bit key size
- rc4_256 for 256-bit key size
Example
SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des,...)
See Also:
Oracle Database Advanced Security Administrator's Guide
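A static check of a server-side sqlnet.ora against the defaults and recommendations documented above for SQLNET.ALLOWED_LOGON_VERSION, SQLNET.AUTHENTICATION_SERVICES and the server encryption and checksum parameters. This is an added example, not Oracle code; parse_sqlnet, audit, the sample file and the 112-bit threshold are assumptions made for illustration.

```python
"""Added example: audit a server-side sqlnet.ora against this chapter."""
import re

# Key sizes in bits, as listed under SQLNET.ENCRYPTION_TYPES_SERVER.
KEY_BITS = {"3des112": 112, "3des168": 168, "des": 56, "des40": 40,
            "rc4_40": 40, "rc4_56": 56, "rc4_128": 128, "rc4_256": 256}
MIN_KEY_BITS = 112  # assumed local policy threshold, not an Oracle value

# Constructed sample file, not taken from a real system.
SAMPLE = """\
# server profile
sqlnet.allowed_logon_version = 10
SQLNET.AUTHENTICATION_SERVICES=(kerberos5)
SQLNET.ENCRYPTION_SERVER=requested
SQLNET.ENCRYPTION_TYPES_SERVER=(rc4_56, des, 3des168)
SQLNET.CRYPTO_CHECKSUM_SERVER=required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(md5)
"""


def parse_sqlnet(text):
    """Parse single-line NAME=value and NAME=(a, b) entries.

    Returns {UPPERCASE_NAME: [lowercase values]}. Nested or multi-line
    values such as WALLET_LOCATION are not interpreted.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if not match:
            continue
        name, value = match.group(1).upper(), match.group(2).strip()
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        params[name] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return params


def audit(text):
    """Return a list of (parameter, finding) tuples for risky settings."""
    p = parse_sqlnet(text)
    findings = []

    # Default is 8; the chapter marks 12 as the recommended value.
    name = "SQLNET.ALLOWED_LOGON_VERSION"
    version = int(p.get(name, ["8"])[0])
    if version < 12:
        findings.append((name, f"{version} still allows the 10G password version"))

    # Default is all, which tries every method in turn.
    name = "SQLNET.AUTHENTICATION_SERVICES"
    if "all" in p.get(name, ["all"]):
        findings.append((name, "all is active; set none or a specific method"))

    # Only required refuses a peer that will not enable the service.
    for name in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        mode = p.get(name, ["accepted"])[0]
        if mode != "required":
            findings.append((name, f"{mode} lets a client connect without it"))

    # An unset list means all available algorithms, short keys included.
    name = "SQLNET.ENCRYPTION_TYPES_SERVER"
    algs = p.get(name, list(KEY_BITS))
    weak = sorted(a for a in algs if KEY_BITS.get(a, MIN_KEY_BITS) < MIN_KEY_BITS)
    if weak:
        findings.append((name, "short keys offered: " + ", ".join(weak)))

    name = "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"
    if "md5" in p.get(name, ["md5", "sha1"]):
        findings.append((name, "md5 offered; sha1 is the stronger listed option"))
    return findings


if __name__ == "__main__":
    for parameter, finding in audit(SAMPLE):
        print(f"{parameter}: {finding}")
```

An empty file is reported on all six checks, because every default in this chapter is the permissive one.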
SQLNET.EXPIRE_TIME
Purpose
To specify a time interval, in minutes, to send a check to verify that client/server connections are active. The following usage notes apply to this parameter:
- Setting a value greater than 0 ensures that connections are not left open indefinitely, due to an abnormal client termination.
- If the probe finds a terminated connection, or a connection that is no longer in use, then it returns an error, causing the server process to exit.
- This parameter is primarily intended for the database server, which typically handles multiple connections at any one time.
- Limitations on using this terminated connection detection feature are:
  - It is not allowed on bequeathed connections.
  - Though very small, a probe packet generates additional traffic that may downgrade network performance.
  - Depending on which operating system is in use, the server may need to perform additional processing to distinguish the connection probing event from other events that occur. This can also result in degraded network performance.
Default
0
Minimum Value
0
Recommended Value
10
Example
SQLNET.EXPIRE_TIME=10
SQLNET.INBOUND_CONNECT_TIMEOUT
Purpose
To specify the time, in seconds, for a client to connect with the database server and provide the necessary authentication information.
If the client fails to establish a connection and complete authentication in the time specified, then the database server terminates the connection. In addition, the database server logs the IP address of the client and an ORA-12170: TNS:Connect timeout occurred error message to the sqlnet.log file. The client receives either an ORA-12547: TNS:lost contact or an ORA-12637: Packet receive failed error message.
The default value of this parameter is appropriate for typical usage scenarios. However, if you need to explicitly set a different value, then Oracle recommends setting this parameter in combination with the INBOUND_CONNECT_TIMEOUT_listener_name parameter in the listener.ora file. When specifying the values for these parameters, note the following recommendations:
- Set both parameters to an initial low value.
- Set the value of the INBOUND_CONNECT_TIMEOUT_listener_name parameter to a lower value than the SQLNET.INBOUND_CONNECT_TIMEOUT parameter.
For example, you can set INBOUND_CONNECT_TIMEOUT_listener_name to 2 seconds and SQLNET.INBOUND_CONNECT_TIMEOUT parameter to 3 seconds. If clients are unable to complete connections within the specified time due to system or network delays that are normal for the particular environment, then increment the time as needed.
Default
60 seconds
Example
SQLNET.INBOUND_CONNECT_TIMEOUT=3
See Also:
- "Control Parameters" for additional information about INBOUND_CONNECT_TIMEOUT_listener_name
- Oracle Net Services Administrator's Guide for additional information about configuring these parameters
SQLNET.FALLBACK_AUTHENTICATION
Purpose
To specify whether password-based authentication is going to be attempted if Kerberos authentication fails. This is relevant for direct connections as well as database link connections.
Default
FALSE
Example
SQLNET.FALLBACK_AUTHENTICATION=TRUE
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.KERBEROS5_CC_NAME
Purpose
To specify the complete path name to the Kerberos credentials cache file.
Default
/usr/tmp/krbcache on Linux and UNIX operating systems, and c:\tmp\krbcache on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.KERBEROS5_CLOCKSKEW
Purpose
To specify how many seconds can pass before a Kerberos credential is considered out of date.
Default
300
Example
SQLNET.KERBEROS5_CLOCKSKEW=1200
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.KERBEROS5_CONF
Purpose
To specify the complete path name to the Kerberos configuration file, which contains the realm for the default Key Distribution Center (KDC) and maps realms to KDC hosts. The KDC maintains a list of user principals and is contacted through the kinit program for the user's initial ticket.
Default
/krb5/krb.conf on Linux and UNIX operating systems and c:\krb5\krb.conf on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_CONF=/krb5/krb.conf
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.KERBEROS5_KEYTAB
Purpose
To specify the complete path name to the Kerberos principal/secret key mapping file, which is used to extract keys and decrypt incoming authentication information.
Default
/etc/v5srvtab on Linux and UNIX operating systems and c:\krb5\v5srvtab on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.KERBEROS5_REALMS
Purpose
To specify the complete path name to the Kerberos realm translation file, which provides a mapping from a host name or domain name to a realm.
Default
/krb5/krb.realms on Linux and UNIX operating systems and c:\krb5\krb.realms on Microsoft Windows operating systems
Example
SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.OUTBOUND_CONNECT_TIMEOUT
Purpose
To specify the time, in seconds, for a client to establish an Oracle Net connection to the database instance.
If an Oracle Net connection is not established in the time specified, then the connect attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.
The outbound connect timeout interval is a superset of the TCP connect timeout interval, which specifies a limit on the time taken to establish a TCP connection. Additionally, the outbound connect timeout interval includes the time taken to be connected to an Oracle instance providing the requested service.
Without this parameter, a client connection request to the database server may block for the default TCP connect timeout duration (60 seconds) when the database server host system is unreachable.
The outbound connect timeout interval is only applicable for TCP, TCP with SSL, and IPC transport connections.
Default
None
Usage Notes
This parameter is overridden by the CONNECT_TIMEOUT parameter in the address description.
Example
SQLNET.OUTBOUND_CONNECT_TIMEOUT=10
SQLNET.RADIUS_ALTERNATE
Purpose
To specify an alternate RADIUS server to use in case the primary server is unavailable. The value can be either the IP address or host name of the server.
Default
None
Example
SQLNET.RADIUS_ALTERNATE=radius2
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_ALTERNATE_PORT
Purpose
To specify the listening port of the alternate RADIUS server.
Default
1645
Example
SQLNET.RADIUS_ALTERNATE_PORT=1667
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_ALTERNATE_RETRIES
Purpose
To specify the number of times the database server should resend messages to the alternate RADIUS server.
Default
3
Example
SQLNET.RADIUS_ALTERNATE_RETRIES=4
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_AUTHENTICATION
Purpose
To specify the location of the primary RADIUS server, either by its host name or IP address.
Default
Local host
Example
SQLNET.RADIUS_AUTHENTICATION=officeacct
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_AUTHENTICATION_INTERFACE
Purpose
To specify the class containing the user interface used to interact with the user.
Default
DefaultRadiusInterface
Example
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_AUTHENTICATION_PORT
Purpose
Use the parameter SQLNET.RADIUS_AUTHENTICATION_PORT to specify the listening port of the primary RADIUS server.
Default
1645
Example
SQLNET.RADIUS_AUTHENTICATION_PORT=1667
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_AUTHENTICATION_RETRIES
Purpose
To specify the number of times the database server should resend messages to the primary RADIUS server.
Default
3
Example
SQLNET.RADIUS_AUTHENTICATION_RETRIES=4
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
Purpose
To specify the time, in seconds, that the database server should wait for a response from the primary RADIUS server.
Default
5
Example
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=10
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_CHALLENGE_RESPONSE
Purpose
To turn challenge response on or off.
Default
off
Values
on | off
Example
SQLNET.RADIUS_CHALLENGE_RESPONSE=on
SQLNET.RADIUS_SECRET
Purpose
To specify the location of the RADIUS secret key.
Default
The ORACLE_HOME/network/security/radius.key file.
Example
SQLNET.RADIUS_SECRET=oracle/bin/admin/radiuskey
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RADIUS_SEND_ACCOUNTING
Purpose
To turn accounting on and off. If enabled, then packets are sent to the active RADIUS server at listening port plus one. The default port is 1646.
Default
off
Values
on | off
Example
SQLNET.RADIUS_SEND_ACCOUNTING=on
See Also:
Oracle Database Advanced Security Administrator's Guide
SQLNET.RECV_TIMEOUT
Purpose
To specify the time, in seconds, for a database server to wait for client data after establishing a connection. A client must send some data within the time interval.
For environments in which clients shut down on occasion or abnormally, setting this parameter is recommended. If a client does not send any data in the time specified, then the database server logs ORA-12535: TNS:operation timed out and ORA-12609: TNS: Receive timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to wait for data from clients that may be down or are experiencing difficulties.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to wait for response data from the database server after connection establishment. Without this parameter, the client may wait a long period of time for a response from a database server saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.SEND_TIMEOUT parameter.
Default
None
Example
SQLNET.RECV_TIMEOUT=3
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring these parameters
SQLNET.SEND_TIMEOUT
Purpose
To specify the time, in seconds, for a database server to complete a send operation to clients after establishing a connection. Setting this parameter is recommended for environments in which clients shut down occasionally or abnormally.
If the database server cannot complete a send operation in the time specified, then it logs ORA-12535: TNS:operation timed out and ORA-12608: TNS: Send timeout occurred messages to the sqlnet.log file. Without this parameter, the database server may continue to send responses to clients that are unable to receive data due to a downed computer or a busy state.
You can also set this parameter on the client-side to specify the time, in seconds, for a client to complete send operations to the database server after connection establishment. Without this parameter, the client may continue to send requests to a database server already saturated with requests. If you choose to set the value, then set the value to an initial low value and adjust according to system and network capacity. If necessary, use this parameter with the SQLNET.RECV_TIMEOUT parameter.
Default
None
Example
SQLNET.SEND_TIMEOUT=3
See Also:
Oracle Database Net Services Administrator's Guide for additional information about configuring these parameters
WALLET_OVERRIDE
Purpose
To determine whether the client should override the strong authentication credential with the password credential in the stored wallet to log in to the database.
Usage Notes
- When wallets are used for authentication, the database credentials for user name and password are securely stored in an Oracle wallet. The auto-login feature of the wallet is turned on so the database does not need a password to open the wallet. From the wallet, the database gets the credentials to access the database for the user.
- Wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts do not need embedded user names and passwords. Risk is reduced because such passwords are no longer exposed in the clear, and password management policies are more easily enforced without changing application code whenever user names or passwords change.
- Users connect using the connect /@database_name command instead of specifying a user name and password explicitly. This simplifies the maintenance of the scripts and secures the password management for the applications.
- Middle-tier applications create an Oracle Applications wallet at installation time to store the application's specific identity. The password may be randomly generated rather than hardcoded. When an Oracle application accesses the database, it sets appropriate values for SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION. The new wallet-based password authentication code uses the password credential in the Oracle Applications wallet to log on to the database.
Values
TRUE | FALSE
Examples
WALLET_OVERRIDE=TRUE
See Also:
In order to use wallets, a wallet must be configured on the client. Refer to Oracle Database Security Guide for additional information about configuring the clients.
SSL_CERT_REVOCATION
Purpose
To configure a revocation check for a certificate.
See Also:
Oracle Database Advanced Security Administrator's Guide
Default
None
Values
- none to turn off certificate revocation checking. This is the default.
- requested to perform certificate revocation in case a Certificate Revocation List (CRL) is available. Reject SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
- required to perform certificate revocation when a certificate is available. If a certificate is revoked and no appropriate CRL is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
Example
SSL_CERT_REVOCATION=required
SSL_CRL_FILE
Purpose
To specify the name of the file where you can assemble the certificate revocation list (CRL) for client authentication.
This file contains the PEM-encoded CRL files, in order of preference. You can use this file alternatively or in addition to the SSL_CRL_PATH parameter. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.
Default
None
Example
SSL_CRL_FILE=
See Also:
Oracle Database Advanced Security Administrator's Guide
SSL_CRL_PATH
Purpose
To specify the destination directory of the CRL of the CA. The files in this directory are hashed symbolic links created by Oracle Wallet Manager. This parameter is only valid if SSL_CERT_REVOCATION is set to either requested or required.
See Also:
Default
None
Example
SSL_CRL_PATH=
SSL_CIPHER_SUITES
Purpose
To control which combination of encryption and data integrity is used by the Secure Sockets Layer (SSL). Cipher suites that use Advanced Encryption Standard (AES) only work with Transport Layer Security (TLS 1.0).
Default
None
Values
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA
- SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- SSL_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_AES_256_CBC_SHA
Example
SSL_CIPHER_SUITES=(ssl_rsa_with_rc4_128_md5)
See Also:
Oracle Database Security Guide for additional information about cipher suite values
SSL_CLIENT_AUTHENTICATION
Purpose
To specify whether a client, in addition to the database server, is authenticated using SSL.
Default
true
Values
true | false
Example
SSL_CLIENT_AUTHENTICATION=true
See Also:
OracleDatabase Advanced Security Administrator's Guide
SSL_EXTENDED_KEY_USAGE
Purpose
To specify the purpose of the key in the certificate. When this parameter is specified, the certificate with the matching extended key is used.
Values
client authentication
Example
SSL_EXTENDED_KEY_USAGE="client authentication"
See Also:
Oracle Database Advanced Security Administrator's Guide
SSL_SERVER_DN_MATCH
Purpose
To enforce that the distinguished name (DN) for the database server matches its service name. If you enforce the match verifications, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity.
Default
no
Values
- yes | on | true to specify to enforce a match. If the DN matches the service name, then the connection succeeds. If the DN does not match the service name, then the connection fails.
- no | off | false to specify not to enforce a match. If the DN does not match the service name, then the connection is successful, but an error is logged to the sqlnet.log file.
Usage Notes
In addition to the sqlnet.ora file, configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.
Example
SSL_SERVER_DN_MATCH=yes
See Also:
Oracle Database Advanced Security Administrator's Guide
SSL_VERSION
Purpose
To force the version of the SSL connection. Clients and database servers must use a compatible version.
Default
undetermined
Values
undetermined | 3.0 | 1.0 | 1.1 | 1.2
If you want to specify one version or another version, then use or. The following values are permitted:
1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 |
1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 | 1.2 or 1.1 or 1.0 or 3
Example
SSL_VERSION=3.0
The remaining version numbers correspond to the TLS versions, such as TLSv1.0, TLSv1.1, and TLSv1.2.
See Also:
Oracle Database Advanced Security Administrator's Guide
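The following is an added example, not part of Oracle's documentation: a small Python audit that parses a sqlnet.ora fragment and reports the SSL settings described above that weaken a connection. The two sample fragments, the function names and the weakness table are constructed for illustration, and the parser assumes a value continues onto later lines until its parentheses balance.

```python
import re

# Underscore-separated tokens found in the suite names listed under Values,
# and why a suite carrying that token is weak.
WEAK_TOKENS = {
    "ANON": "anonymous key exchange, the peer is not authenticated",
    "EXPORT": "export-grade 40-bit key",
    "DES40": "40-bit DES key",
    "DES": "single DES, 56-bit key",
    "3DES": "64-bit block cipher, legacy",
    "RC4": "RC4 stream cipher, prohibited for TLS by RFC 7465",
    "MD5": "MD5-based MAC",
}

# Constructed samples: a weak profile and a tightened one.
WEAK_PROFILE = """\
# constructed sqlnet.ora fragment
SSL_VERSION = 1.2 or 1.0 or 3.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,
                     SSL_RSA_EXPORT_WITH_DES40_CBC_SHA)
SSL_SERVER_DN_MATCH = no
SSL_CERT_REVOCATION = none
"""
HARDENED_PROFILE = """\
SSL_VERSION = 1.2 or 1.1 or 1.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
SSL_SERVER_DN_MATCH = yes
SSL_CERT_REVOCATION = required
"""

def parse_sqlnet(text):
    """Return {NAME: value}; a value may span lines until parentheses balance."""
    params, name, buf, depth = {}, None, "", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if depth == 0:                           # start of a new parameter
            if "=" not in line:
                continue
            name, line = line.split("=", 1)
            name, buf = name.strip().upper(), ""
        buf += line.strip()
        depth += line.count("(") - line.count(")")
        if depth <= 0:                           # value is complete
            params[name], depth = buf, 0
    return params

def audit_ssl(params):
    """Return a list of (parameter, finding) tuples for weak SSL settings."""
    findings = []
    suites = params.get("SSL_CIPHER_SUITES", "").strip("()").split(",")
    for suite in (s.strip() for s in suites if s.strip()):
        for token in suite.upper().split("_"):
            if token in WEAK_TOKENS:
                findings.append(("SSL_CIPHER_SUITES",
                                 f"{suite}: {WEAK_TOKENS[token]}"))
    versions = set(re.findall(r"\d\.\d", params.get("SSL_VERSION", "")))
    if not versions:
        findings.append(("SSL_VERSION", "no version forced (undetermined)"))
    elif "3.0" in versions:
        findings.append(("SSL_VERSION", "SSL 3.0 is permitted"))
    if params.get("SSL_SERVER_DN_MATCH", "no").lower() not in ("yes", "on", "true"):
        findings.append(("SSL_SERVER_DN_MATCH",
                         "DN mismatch is only logged, the connection proceeds"))
    if params.get("SSL_CERT_REVOCATION", "none").lower() == "none":
        findings.append(("SSL_CERT_REVOCATION", "revocation is not checked"))
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for param, detail in audit_ssl(parse_sqlnet(text)):
            print(f"  {param}: {detail}")
```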
TCP.CONNECT_TIMEOUT
Purpose
To specify the time, in seconds, for a client to establish a TCP connection (PROTOCOL=tcp in the TNS connect address) to the database server. If a TCP connection to the database host is not established in the time specified, then the connection attempt is terminated. The client receives an ORA-12170: TNS:Connect timeout occurred error.
The timeout applies to each IP address to which a host name resolves. For example, if a host name resolves to an IPv6 and an IPv4 address, and if the host is not reachable through the network, then the connection request times out after twice the TCP.CONNECT_TIMEOUT setting because there are two IP addresses. In this example, the default timeout setting of 60 would cause a timeout in 120 seconds.
Default
60
Example
TCP.CONNECT_TIMEOUT=10
TCP.EXCLUDED_NODES
Purpose
To specify which clients are denied access to the database.
Syntax
TCP.EXCLUDED_NODES=(hostname | ip_address, hostname | ip_address,...)
Usage Notes
- This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.
- This parameter can use wildcards for IPv4 addresses and CIDR (Classless Inter-Domain Routing) notation for IPv4 and IPv6 addresses.
Example
TCP.EXCLUDED_NODES=(finance.us.example.com,mktg.us.example.com, 192.168.2.25, 172.30.*, 2001:DB8:200C:417A/32)
TCP.INVITED_NODES
Purpose
To specify which clients are allowed access to the database. This list takes precedence over the TCP.EXCLUDED_NODES parameter if both lists are present.
Syntax
TCP.INVITED_NODES=(hostname | ip_address, hostname | ip_address,...)
Usage Notes
- This parameter is only valid when the TCP.VALIDNODE_CHECKING parameter is set to yes.
- This parameter can use wildcards for IPv4 addresses and CIDR notation for IPv4 and IPv6 addresses.
Example
TCP.INVITED_NODES=(sales.us.example.com,hr.us.example.com, 192.168.*, 2001:DB8:200C:433B/32)
TCP.NODELAY
Purpose
To preempt delays in buffer flushing within the TCP/IP protocol stack.
Default
yes
Values
yes | no
Example
TCP.NODELAY=yes
TCP.VALIDNODE_CHECKING
Purpose
To enable and disable valid node checking for incoming connections. If this parameter is set to yes, then incoming connections are allowed only if they originate from a node that conforms to the list specified by the TCP.INVITED_NODES or TCP.EXCLUDED_NODES parameters.
Default
no
Values
yes | no
Usage Notes
The TCP.INVITED_NODES and TCP.EXCLUDED_NODES parameters are valid only when the TCP.VALIDNODE_CHECKING parameter is set to yes.
Example
TCP.VALIDNODE_CHECKING=yes
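The following is an added example, not part of Oracle's documentation or listener code: a Python model of how TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES combine, useful for checking an address against a planned configuration before deploying it. It assumes that when an invited list is present only that list is consulted and every other client is denied, and it compares host names against a name supplied by the caller instead of resolving them; the configuration values and function names are constructed.

```python
import fnmatch
import ipaddress

# Constructed configuration in the syntax shown above.
CONFIG = {
    "TCP.VALIDNODE_CHECKING": "yes",
    "TCP.INVITED_NODES": "(sales.us.example.com, 192.168.*, 2001:db8::/32)",
    "TCP.EXCLUDED_NODES": "(192.168.2.25, 172.30.*)",
}

def parse_node_list(value):
    """Split '(a, b, c)' into a list of entries."""
    return [e.strip() for e in value.strip().strip("()").split(",") if e.strip()]

def entry_matches(entry, client_ip, client_host=None):
    """True if one list entry covers the client."""
    ip = ipaddress.ip_address(client_ip)
    if "/" in entry:                                  # CIDR, IPv4 or IPv6
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False                              # malformed entry matches nothing
        return ip.version == net.version and ip in net
    if "*" in entry:                                  # wildcard, IPv4 only
        return ip.version == 4 and fnmatch.fnmatchcase(client_ip, entry)
    try:
        return ip == ipaddress.ip_address(entry)      # literal address
    except ValueError:                                # entry is a host name
        return client_host is not None and entry.lower() == client_host.lower()

def connection_allowed(params, client_ip, client_host=None):
    """Return (allowed, reason) for a client under the modelled rules."""
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        return True, "valid node checking is off, both lists are ignored"
    invited = parse_node_list(params.get("TCP.INVITED_NODES", ""))
    excluded = parse_node_list(params.get("TCP.EXCLUDED_NODES", ""))
    if invited:                                       # invited list takes precedence
        hit = any(entry_matches(e, client_ip, client_host) for e in invited)
        return hit, "on invited list" if hit else "not on invited list"
    if excluded:
        hit = any(entry_matches(e, client_ip, client_host) for e in excluded)
        return not hit, "on excluded list" if hit else "not on excluded list"
    return True, "no list configured"

if __name__ == "__main__":
    for ip in ("192.168.2.25", "172.30.1.1", "2001:db8:1::5", "10.0.0.1"):
        print(ip, connection_allowed(CONFIG, ip))
```

Note that 192.168.2.25 is admitted by this configuration even though it appears in the excluded list, because it also matches the invited wildcard 192.168.*.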
TNSPING.TRACE_DIRECTORY
Purpose
To specify the destination directory for the TNSPING utility trace file, tnsping.trc.
Default
The ORACLE_HOME/network/trace directory.
Example
TNSPING.TRACE_DIRECTORY=/oracle/traces
TNSPING.TRACE_LEVEL
Purpose
To turn TNSPING utility tracing on at a specified level or to turn it off.
Default
off
Values
- off for no trace output
- user for user trace information
- admin for administration trace information
- support for Oracle Support Services trace information
Example
TNSPING.TRACE_LEVEL=admin
USE_CMAN
Purpose
To specify client routing to Oracle Connection Manager.
If set to true, then the parameter routes the client to a protocol address for an Oracle Connection Manager.
If set to false, then the client picks one of the address lists at random and fails over to the other address list if the chosen ADDRESS_LIST fails. With USE_CMAN=true, the client always uses the first address list.
If no Oracle Connection Manager addresses are available, then connections are routed through any available listener address.
Default
false
Values
true | false
Example
USE_CMAN=true
USE_DEDICATED_SERVER
Purpose
To append (SERVER=dedicated) to the CONNECT_DATA section of the connect descriptor used by the client. It overrides the current value of the SERVER parameter in the tnsnames.ora file.
If set to on, then the parameter USE_DEDICATED_SERVER automatically appends (SERVER=dedicated) to the connect data for a connect descriptor. This way connections from this client use a dedicated server process, even if shared server is configured.
Default
off
Values
- on to append (SERVER=dedicated)
- off to send requests to existing server processes
Example
USE_DEDICATED_SERVER=on
See Also:
Oracle Database Net Services Administrator's Guide for complete configuration information
WALLET_LOCATION
Purpose
To specify the location of wallets. Wallets are certificates, keys, and trustpoints processed by SSL.
Syntax
The syntax depends on the wallet, as follows:
- Oracle wallets on the file system:
WALLET_LOCATION=
(SOURCE=
(METHOD=file)
(METHOD_DATA=
(DIRECTORY=directory)
[(PKCS11=TRUE/FALSE)]))
- Microsoft certificate store:
WALLET_LOCATION=
(SOURCE=
(METHOD=mcs))
- Oracle wallets in the Microsoft Windows registry:
WALLET_LOCATION=
(SOURCE=
(METHOD=reg)
(METHOD_DATA=
(KEY=registry_key)))
- Entrust wallets:
WALLET_LOCATION=
(SOURCE=
(METHOD=entr)
(METHOD_DATA=
(PROFILE=file.epf)
(INIFILE=file.ini)))
Additional Parameters
WALLET_LOCATION supports the following parameters:
- SOURCE: The type of storage for wallets and storage location.
- METHOD: The type of storage.
- METHOD_DATA: The storage location.
- DIRECTORY: The location of Oracle wallets on file system.
- KEY: The wallet type and location in the Microsoft Windows registry.
- PROFILE: The Entrust profile file (.epf).
- INIFILE: The Entrust initialization file (.ini).
Default
None
Usage Notes
- The key/value pair for Microsoft certificate store (MCS) omits the METHOD_DATA parameter because MCS does not use wallets. Instead, Oracle PKI (public key infrastructure) applications obtain certificates, trustpoints and private keys directly from the user's profile.
- If an Oracle wallet is stored in the Microsoft Windows registry and the wallet's key (KEY) is SALESAPP, then the storage location of the password-protected wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\EWALLET.P12. The storage location of the local auto-open wallet is HKEY_CURRENT_USER\SOFTWARE\ORACLE\WALLETS\SALESAPP\CWALLET.SSO.
Values
true | false
Examples
Oracle wallets on file system:
WALLET_LOCATION=
(SOURCE=
(METHOD=file)
(METHOD_DATA=
(DIRECTORY=/etc/oracle/wallets/databases)))
Microsoft certificate store:
WALLET_LOCATION=
(SOURCE=
(METHOD=mcs))
Oracle Wallets in the Microsoft Windows registry:
WALLET_LOCATION=
(SOURCE=
(METHOD=REG)
(METHOD_DATA=
(KEY=SALESAPP)))
Entrust Wallets:
WALLET_LOCATION=
(SOURCE=
(METHOD=entr)
(METHOD_DATA=
(PROFILE=/etc/oracle/wallets/test.epf)
(INIFILE=/etc/oracle/wallets/test.ini)))
See Also:
Oracle Database Advanced Security Administrator's Guide
ADR Diagnostic Parameters in sqlnet.ora
Beginning with Oracle Database 11g, Oracle Database includes an advanced fault diagnosability infrastructure for preventing, detecting, diagnosing, and resolving problems. The problems are critical errors such as those caused by database code bugs, metadata corruption, and customer data corruption.
When a critical error occurs, it is assigned an incident number, and diagnostic data for the error, such as traces and dumps, is immediately captured and tagged with the incident number. The data is then stored in the Automatic Diagnostic Repository (ADR), a file-based repository outside the database.
This section describes the parameters used when ADR is enabled. "Non-ADR Diagnostic Parameters in sqlnet.ora" describes the parameters used when ADR is disabled. Non-ADR parameters listed in the sqlnet.ora file are ignored when ADR is enabled. ADR is enabled by default.
This section lists the parameters used when ADR is enabled (when DIAG_ADR_ENABLED is set to on):
- ADR_BASE
- DIAG_ADR_ENABLED
- TRACE_LEVEL_CLIENT
- TRACE_LEVEL_SERVER
- TRACE_TIMESTAMP_CLIENT
- TRACE_TIMESTAMP_SERVER
ADR_BASE
Purpose
To specify the base directory into which tracing and logging incidents are stored when ADR is enabled.
Default
The default on the server side is ORACLE_BASE, or ORACLE_HOME/log, if ORACLE_BASE is not defined.
Values
Any valid directory path to a directory with write permission.
Example
ADR_BASE=/oracle/network/trace
See Also:
Oracle Call Interface Programmer's Guide for the default on the client side
DIAG_ADR_ENABLED
Purpose
To specify whether ADR tracing is enabled.
Usage
If the DIAG_ADR_ENABLED parameter is set to OFF, then non-ADR file tracing is used.
Default
on
Values
on | off
Example
DIAG_ADR_ENABLED=on
TRACE_LEVEL_CLIENT
Purpose
To turn client tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
- off or 0 for no trace output
- user or 4 for user trace information
- admin or 10 for administration trace information
- support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_CLIENT=user
TRACE_LEVEL_SERVER
Purpose
To turn server tracing on at a specified level or to turn it off. This parameter is also applicable when non-ADR tracing is used.
Default
off or 0
Values
- off or 0 for no trace output
- user or 4 for user trace information
- admin or 10 for administration trace information
- support or 16 for Oracle Support Services trace information
Example
TRACE_LEVEL_SERVER=admin
TRACE_TIMESTAMP_CLIENT
Purpose
To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the client trace file, which has a default name of sqlnet.trc. This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_CLIENT=true
TRACE_TIMESTAMP_SERVER
Purpose
To add a time stamp in the form of dd-mon-yyyy hh:mi:ss:mil to every trace event in the database server trace file, which has a default name of svr_pid.trc. This parameter is also applicable when non-ADR tracing is used.
Default
on
Values
on or true | off or false
Example
TRACE_TIMESTAMP_SERVER=true
Non-ADR Diagnostic Parameters in sqlnet.ora
This section lists the parameters used when ADR is disabled.
Notes:
The default value of DIAG_ADR_ENABLED is on. Therefore, the DIAG_ADR_ENABLED parameter must explicitly be set to off in order for non-ADR tracing to be used.
- LOG_DIRECTORY_CLIENT
- LOG_DIRECTORY_SERVER
- LOG_FILE_CLIENT
- LOG_FILE_SERVER
- TRACE_DIRECTORY_CLIENT
- TRACE_DIRECTORY_SERVER
- TRACE_FILE_CLIENT
- TRACE_FILE_SERVER
- TRACE_FILELEN_CLIENT
- TRACE_FILELEN_SERVER
- TRACE_FILENO_CLIENT
- TRACE_FILENO_SERVER
- TRACE_UNIQUE_CLIENT
LOG_DIRECTORY_CLIENT
Purpose
To specify the destination directory for the client log file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log
Values
Any valid directory path.
Example
LOG_DIRECTORY_CLIENT=/oracle/network/log
LOG_DIRECTORY_SERVER
Purpose
To specify the destination directory for the database server log file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
LOG_DIRECTORY_SERVER=/oracle/network/trace
LOG_FILE_CLIENT
Purpose
To specify the name of the log file for the client. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/log/sqlnet.log
Values
The default value cannot be changed.
LOG_FILE_SERVER
Purpose
To specify the name of the log file for the database server. Use this parameter when ADR is not enabled.
Default
sqlnet.log
Example
LOG_FILE_SERVER=svr.log
TRACE_DIRECTORY_CLIENT
Purpose
To specify the destination directory for the client trace file. Use this parameter when ADR is not enabled.
Default
The current working directory.
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_CLIENT=/oracle/traces
TRACE_DIRECTORY_SERVER
Purpose
To specify the destination directory for the database server trace file. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace
Values
Any valid directory path to a directory with write permission.
Example
TRACE_DIRECTORY_SERVER=/oracle/traces
TRACE_FILE_CLIENT
Purpose
To specify the name of the client trace file. Use this parameter when ADR is not enabled.
Values
Any valid file name.
Default
ORACLE_HOME/network/trace/cli.trc
Example
TRACE_FILE_CLIENT=clientsqlnet.trc
TRACE_FILE_SERVER
Purpose
To specify the name of the file to which the execution trace of the server program is written. Use this parameter when ADR is not enabled.
Default
ORACLE_HOME/network/trace/svr_pid.trc
Values
Any valid file name. The pid is appended to the name automatically.
Example
TRACE_FILE_SERVER=svrsqlnet.trc
TRACE_FILELEN_CLIENT
Purpose
To specify the size of the client trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_CLIENT parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_CLIENT=100
TRACE_FILELEN_SERVER
Purpose
To specify the size of the database server trace files in kilobytes (KB). When the size is met, the trace information is written to the next file. The number of files is specified with the TRACE_FILENO_SERVER parameter. Use this parameter when ADR is not enabled.
Example
TRACE_FILELEN_SERVER=100
TRACE_FILENO_CLIENT
Purpose
To specify the number of trace files for client tracing. When this parameter is set with the TRACE_FILELEN_CLIENT parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of sqlnet.trc is used, and this parameter is set to 3, then the trace files would be named sqlnet1.trc, sqlnet2.trc and sqlnet3.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_CLIENT=3
TRACE_FILENO_SERVER
Purpose
To specify the number of trace files for database server tracing. When this parameter is set with the TRACE_FILELEN_SERVER parameter, trace files are used in a cyclical fashion. The first file is filled first, then the second file, and so on. When the last file has been filled, the first file is re-used, and so on.
The trace file names are distinguished from one another by their sequence number. For example, if the default trace file of svr_pid.trc is used, and this parameter is set to 3, then the trace files would be named svr1_pid.trc, svr2_pid.trc and svr3_pid.trc.
In addition, trace events in the trace files are preceded by the sequence number of the file. Use this parameter when ADR is not enabled.
Default
None
Example
TRACE_FILENO_SERVER=3
TRACE_UNIQUE_CLIENT
Purpose
To specify whether a unique trace file is created for each client trace session. When the value is set to on, a process identifier is appended to the name of each trace file, enabling several files to coexist. For example, trace files named sqlnetpid.trc are created if the default trace file name sqlnet.trc is used. When the value is set to off, data from a new client trace session overwrites the existing file. Use this parameter when ADR is not enabled.
Default
on
Values
on or off
Example
TRACE_UNIQUE_CLIENT=on
From <http://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm#NETRF254>