User's Manual
Enabling Kerberos Authentication
6-8 Oracle Database Advanced Security Administrator's Guide
The sqlnet.ora file is updated with the following entries:
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=kservice
Step 2: Set the Initialization Parameters
To set parameters in the initialization parameter file:
1. Add the following parameter to the initialization parameter file:
REMOTE_OS_AUTHENT=FALSE
2. Because Kerberos user names can be long, and Oracle user names are limited to
30 characters, Oracle Corporation strongly recommends that you set the value
of OS_AUTHENT_PREFIX to null as follows:
OS_AUTHENT_PREFIX=""
Setting this parameter to null overrides the default value of OPS$.
Step 3: Set sqlnet.ora Parameters (optional)
In addition to the required parameters, you can optionally set the following
parameters in the sqlnet.ora file on the client and the Oracle database server:
Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a
security breach, because it lets someone using a non-secure
protocol, such as TCP, perform an operating system-authorized
login (formerly called an OPS$ login).
Parameter: SQLNET.KERBEROS5_CC_NAME=pathname_to_
credentials_cache_file
Description: Specifies the complete path name to the Kerberos credentials
cache (CC) file. The default value is operating
system-dependent. For UNIX, it is /tmp/krb5cc_userid.
You can also set this parameter by using the KRB5CCNAME
environment variable, but the value set in the sqlnet.ora file
takes precedence over the value set in KRB5CCNAME.
Example: SQLNET.KERBEROS5_CC_NAME=/usr/tmp/krbcache