12
i for Oracle DCE Integration

This chapter describes how to configure Oracle9i and Oracle Net Services to use Oracle DCE Integration after it has been successfully installed.

This chapter contains the following topics:

• DCE Address Parameters
• Configuring Oracle9i and Oracle Net Services

DCE Address Parameters

DCE addresses in the listener.ora and tnsnames.ora configuration files are defined by DCE parameters, illustrated in the following:

ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=server_name)(CELL_NAME=cell_name)
(SERVICE=dce_service_name))

These parameters are described by Table 12-1:

Table 12-1 DCE Address Parameters and Definitions

Component	Description
PROTOCOL	A mandatory field that identifies the DCE RPC protocol.
SERVER_PRINCIPAL	A mandatory field for the server and an optional field for the client. The server authenticates itself to DCE as this principal. This field is mandatory in the listener configuration file (listener.ora) and specifies the principal the server will start under. This field is optional in your local naming configuration file (tnsnames.ora) and specifies the principal of the server the client must connect to. If not specified, then one-way authentication is used. In this case, the client does not care what principal the server is running under.
CELL_NAME	An optional parameter. If present, it specifies the DCE cell name of the database. If this parameter is not set, the cell name defaults to the local cell (useful for single-cell environments). Optionally, the SERVICE parameter (described in the following section) may specify the complete path (including the cell name) to the service, making this parameter unnecessary.
SERVICE	A mandatory field for both server and client. For the server, this is the service registered with CDS. For the client, this is the service name used when querying CDS for the location of the Oracle DCE servers. The default directory for storing service names in CDS is /.../cellname/subsys/oracle /service_registry. This service name can fully specify the path in CDS.

You can specify a service as follows:

SERVICE=/.../cell_name/subsys/oracle/service_registry/dce_service_name

Alternatively, you can specify:

SERVICE=dce_service_name

if CELL_NAME=cell_name is also specified.

In this case, the cell name defaults to the local cell. However, this way of specifying service names only works if you are operating within a single cell.

Configuring Oracle9i and Oracle Net Services

To configure Oracle9i and Oracle Net Services to use Oracle DCE Integration, perform the following tasks:

• Task 1: Configure the Server
• Task 2: Create and Name Externally Authenticated Accounts
• Task 3: Set up DCE Integration External Roles
• Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases
• Task 5: Configure the Client
• Task 6: Configure Clients to Use DCE CDS Naming

Task 1: Configure the Server

To configure a server for DCE Integration, do the following:

1. Configure the listener configuration file (listener.ora) with DCE address information for all servers.
2. For servers in distributed systems that require database link connections to other servers, configure the sqlnet.ora and protocol.ora files with DCE address information.

   Note: In this release, the configuration files listener.ora, sqlnet.ora, tnsnames.ora, and protocol.ora are located in the $ORACLE_HOME/network/admin directory.

   For a database server to receive connections from Oracle Net clients in a DCE environment, there must be an Oracle Net listener active on the server platform. This process listens for connections on a network address that is defined in the listener.ora configuration file.

   The SERVER_PRINCIPAL parameter designates what DCE principal the listener should be running under. In the following sample, the listener is running under principal oracle.

   The following is a sample DCE address as it would appear in the listener.ora file.

   LSNR_DCE=
   
     (ADDRESS=
   
         (PROTOCOL=DCE)
         (SERVER_PRINCIPAL=oracle)
         (CELL_NAME=cell1)
         (SERVICE=dce_svc))
   
   SID_LIST_LSNR_DCE=
   
         (SID_DESC=
   
         (SID_NAME=ORASID)
   
          (ORACLE_HOME=/private/oracle9))
   

Task 2: Create and Name Externally Authenticated Accounts

To use DCE authentication for logging onto an Oracle database, you must create database accounts that are authenticated externally. To enable secure external authentication, do the following:

1. Verify that these lines are in the initialization parameter file:

   REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""

2. Verify that the initialization parameter file does not have a multi-threaded server (MTS) entry for DCE. For example, an entry such as the following is not permitted:

   mts_dispatchers="(PROTOCOL=dce)(DISPATCHERS=3)"
   
   

3. Ensure that you are logged on as a member of the DBA group. Restart the database instance for the changes to take effect.
4. At the SQL*Plus prompt, define users. Before doing so, decide whether you are, or ever will be, operating in a multi-cell DCE environment in which you let Oracle access across cell boundaries. The way you define users depends on whether they are connecting within a single cell or across cell boundaries.

   Local Cell:

   If users are connecting within a local cell, use the following format:

   SQL> CREATE USER server_principal IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO server_principal;
   
   

   For example:

   SQL> CREATE USER oracle IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO oracle;
   
   

   The entire CELL_NAME/SERVER_PRINCIPAL string must be 30 characters or less (this is an Oracle9i restriction--not a restriction of the DCE adapter).

   For example:

   SQL> CREATE USER "CELL1/ORACLE" IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO "CELL1/ORACLE";
   
   

   Multiple Cells:

   If connecting to the database across multiple cells, specify both the cell_name and the server_principal, as illustrated in the following:

   SQL> CREATE USER "CELL_NAME/SERVER_PRINCIPAL" IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO "CELL_NAME/SERVER_PRINCIPAL";
   
   

   You must enclose the externally-identified account name in double quotation marks, because the slash is a reserved character. Also, if the account (user) name is double-quoted, it must be capitalized.

   For example:

   SQL> CREATE USER "CELL1/ORACLE" IDENTIFIED EXTERNALLY;
   SQL> GRANT CREATE SESSION TO "CELL1/ORACLE";
   
   

   When using this format, set the following parameter in the protocol.ora configuration file to FALSE:

   dce.local_cell_usernames=false
   
   

   References to an Oracle account created in this manner must include the schema/account in the correct format. Consider requests for access to tables from another account. When a user references the tables in another account created within a local cell, the command might appear as follows:

   SQL> SELECT * FROM oracle.emp
   
   

   If a user wants to access tables in another account created for connections across cells, the command might appear as follows:

   SQL> SELECT * FROM "CELL1/ORACLE" .emp
   
   

Task 3: Set up DCE Integration External Roles

To set up external roles for DCE Integration, and enable connection to an Oracle database as SYSOPER or SYSDBA with DCE credentials, do the following:

1. Set the following parameter in the initialization parameter file:

   OS_ROLES=TRUE

2. Restart the database.
3. Ensure that the DCE groups that map to Oracle roles adhere to the following syntax:

   ORA_global_name_role[_[a][d]]

   Table 12-2 describes the syntax components:

Table 12-2 Setting Up External Role Syntax Components

Component	Definition
ORA	Designates that this group is used for Oracle purposes
GLOBAL_NAME	The global name for the database
ROLE	The name of the role, as defined in the data dictionary
A or a	Optional character indicating that the user has admin privileges for this role
D or d	Optional character indicating the role is to be enabled by default at connect time

4. Authenticate to DCE a user who is a member of a DCE group by entering the following commands:

   dce_login
   klist
   
   

Sample Output:

% dce_login oracle

Enter Password:

% klist
dce identity information:
Warning: Identity information is not certified
Global Principal: /.../ilab1/oracle
Cell:      001c3f90-01f5-1f72-ba65-02608c2c84f3 /.../ilab1
Principal: 00000068-0568-2f72-bd00-02608c2c84f3 oracle
Group:     0000000c-01f5-2f72-ba01-02608c2c84f3 none
Local Groups:
0000000c-01f5-2f72-ba01-02608c2c84f3 none
0000006a-0204-2f72-b901-02608c2c84f3 subsys/dce/cds-server
00000078-daf4-2fe1-a201-02608c2c84f3 ora_dce222_dba
00000084-89c8-2fe8-a201-02608c2c84f3 ora_dce222_connect_d
00000087-8a13-2fe8-a201-02608c2c84f3 ora_dce222_resource_d
00000080-f681-2fe1-a201-02608c2c84f3 ora_dce222_role1_ad
.
.
.

• Connect to the database as usual.

  The following sample output lists external roles (DBA, CONNECT, RESOURCE, and ROLE1) that have been mapped to DCE groups:

  SQL> SELECT * FROM session_roles;
  
  
  
  ROLE
  
  ------------------------------
  
  CONNECT
  
  RESOURCE
  
  ROLE1
  
  
  
  SQL> SET ROLE all;
  
  
  
  Role set.
  
  
  
  SQL> SELECT * FROM session_roles;
  
  
  
  ROLE
  
  ------------------------------
  
  DBA
  
  EXP_FULL_DATABASE
  
  IMP_FULL_DATABASE
  
  CONNECT
  
  RESOURCE
  
  ROLE1
  
  
  
  6 rows selected.
  
  
  
  SQL> EXIT
  
  
  

  Task 4: Configure DCE for SYSDBA and SYSOPER Connections to Oracle Databases

  To configure DCE so that you can connect to an Oracle database as SYSOPER or SYSDBA with DCE credentials, do the following:

  1. Create DCE groups that map to Oracle DBA and OPERATOR roles. DCE group names should adhere to the syntax described by Task 3: Set up DCE Integration External Roles. Add the externally authenticated user oracle as a member of the group(s).

     $ dce_login cell_admin cell_admin_password 
     $ rgy_edit 
     rgy_edit=> domain group 
     Domain changed to: group 
     rgy_edit=> add ora_dce222_dba_ad 
     rgy_edit=> add ora_dce222_operator_ad 
     rgy_edit=> member ora_dce222_dba_ad -a oracle 
     rgy_edit=> member ora_dce222_operator_ad -a oracle
     
     
     

  2. Add the GLOBAL_NAME parameter to the DCE address or TNS service name in the local configuration file tnsnames.ora.

     ORADCE=
         (ADDRESS=
                   (PROTOCOL=DCE)  
                   (SERVER_PRINCIPAL=oracle)
                   (CELL_NAME=cell1)
                   (SERVICE=dce_svc))
      (CONNECT_DATA= 
                  (SID=ORASID) 
                  (GLOBAL_NAME=dce222)))
     
     
     

  3. Create the database user oracle as described by Task 2: Create and Name Externally Authenticated Accounts.
  4. Get DCE credentials for the externally authenticated user:

     $ dce_login oracle oracle_password 
     $klist 
     DCE Identity Information: 
             Warning: Identity information is not certified 
             Global Principal: /.../dce.dlsun685.us.oracle.com/oracle 
             Cell:      00af8052-7e94-11d2-b261-9019b88baa77 
     /.../dce.dlsun685.us.ora 
     cle.com 
             Principal: 0000006d-88b9-21d2-9300-9019b88baa77 oracle 
             Group:     0000000c-7e94-21d2-b201-9019b88baa77 none 
             Local Groups: 
                     0000000c-7e94-21d2-b201-9019b88baa77 none 
                     0000006a-7e94-21d2-ad01-9019b88baa77 subsys/dce/cds-server 
                     00000076-8b53-21d2-9301-9019b88baa77 ora_dce222_dba_ad 
                     00000077-8b53-21d2-9301-9019b88baa77 ora_dce222_operator_ad 
      
     Identity Info Expires: 1999-12-04-10:28:22 
     Account Expires:       never 
     Passwd Expires:        never 
      
     Kerberos Ticket Information: 
     Ticket cache: /opt/dcelocal/var/security/creds/dcecred_43ae2600 
     Default principal: oracle@dce.dlsun685.us.oracle.com 
     Server: krbtgt/dce.dlsun685.us.oracle.com@dce.dlsun685.us.oracle.com 
             valid 1999-12-04-00:28:22 to 1999-12-04-10:28:22 
     Server: dce-rgy@dce.dlsun685.us.oracle.com 
             valid 1999-12-04-00:28:22 to 1999-12-04-10:28:22 
     Server: dce-ptgt@dce.dlsun685.us.oracle.com 
             valid 1999-12-04-00:28:26 to 1999-12-04-02:28:26 
     Client: dce-ptgt@dce.dlsun685.us.oracle.com     Server: 
     krbtgt/dce.dlsun685.us.o 
     Oracle.com@dce.dlsun685.us.oracle.com 
             valid 1999-12-04-00:28:26 to 1999-12-04-02:28:26 
     Client: dce-ptgt@dce.dlsun685.us.oracle.com     Server: 
     dce-rgy@dce.dlsun685.us. 
     oracle.com 
             valid 1999-12-04-00:28:27 to 1999-12-04-02:28:26
     

  Note: List output shows the DCE group membership of oracle.

• Connect to the Oracle database as SYSBDA or SYSOPER.

  For example:

  SQL> connect /@oradce as SYSDBA
  
  

Task 5: Configure the Client

To configure a client for DCE Integration, you must configure the following Oracle Net files with DCE address and parameter information:

• protocol.ora
• sqlnet.ora

Typically, CDS is used for name resolution. Thus, a local naming configuration file (tnsnames.ora) is not used, except when loading names and addresses into CDS.

Parameters in protocol.ora

There are four DCE parameters located in the protocol.ora file. Each parameter begins with the prefix DCE. to distinguish it from parameters relevant to other protocols. If default values are used for these four parameters, DCE Integration does not require a protocol.ora file. The parameters and their current defaults follow:

• DCE.AUTHENTICATION=dce_secret
• DCE.PROTECTION=pkt_integ
• DCE.TNS_ADDRESS_OID=1.3.22.1.5.1
• DCE.LOCAL_CELL_USERNAMES=TRUE

Configuration parameters are not case-sensitive; you can enter them in either uppercase or lowercase.

DCE.AUTHENTICATION

The DCE.AUTHENTICATION parameter is optional. It indicates the authentication value to be used for each DCE RPC. The client DCE_AUTHENTICATION value must be the same as the server DCE_AUTHENTICATION value. If this entry is not specified, cell-wide default authentication is used. The options follow:

Option	Description
NONE	No authentication
DCE_SECRET	DCE shared-secret key authentication (Kerberos)
DCE_SECRET	Default authentication level and recommended value
DEFAULT	Cell default

DCE.PROTECTION

DCE.PROTECTION is an optional field that specifies the data integrity protection levels for data transmission. The client DCE_PROTECTION level must be equal to or greater than the server DCE_PROTECTION level. If this entry is not specified, cell-wide default protection is used. The options follow:

Option	Description
NONE	Perform no protection for the current connection
DEFAULT	Use the default cell-wide protection level
CONNECT	Perform protection only when the client establishes a relationship with the server
CALL	Perform protection only at the beginning of each remote procedure call when the server receives the request
PKT	Ensure that all data received is from the expected client
PKT_INTEG	Ensure and verify that none of the data transferred between the client and server has been modified
PRIVACY	Perform protection as specified by all of the previous levels and also encrypt each RPC argument value and all user data in each call

DCE.TNS_ADDRESS_OID

DCE.TNS_ADDRESS_OID is an optional parameter that enables you to specify an alternative to the default value as follows:

DCE.TNS_ADDRESS_OID=1.3.22.1.x.x

DCE.LOCAL_CELL_USERNAMES

DCE.LOCAL_CELL_USERNAMES is an optional parameter that defines the format used to specify the principal name (username), with or without the cell name. The choice you make for this parameter should be determined by whether or not users are making connections across cells--with unique names. The default for DCE.LOCAL_CELL_USERNAMES is now TRUE (it was set to FALSE in the DCE Integration 2.1.6 release).

The associated options follow:

Option	Description
TRUE	The default value. Select TRUE if using just the SERVER_PRINCIPAL format, without the CELL_NAME. An example of a user specified in this format is as follows: oracle TRUE is an appropriate option if users are making connections within a single cell, or if naming conventions in the network assure that users in different cells do not have duplicate names.
FALSE	Select FALSE when using the CELLNAME/SERVER_PRINCIPAL format. An example of a user specified in this format is as follows: CELL1/ORACLE FALSE is an appropriate option if users are making connections across cells and there can be users in different cells with identical name

Task 6: Configure Clients to Use DCE CDS Naming

Clients typically use Cell Directory Services (CDS) to resolve Oracle service names to addresses. Perform the following steps to configure CDS:

• Step 1: Enable CDS for use in Performing Name Lookup
• Step 2: Modify the CDS Attributes File and Restart the CDS
• Step 3: Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS
• Step 4: Load Oracle Connect Descriptors into CDS
• Step 5: Delete or Rename the tnsnames.ora File
• Step 6: Modify the sqlnet.ora File to Resolve Names in CDS

  Note: Upon completion of this task, you can connect to an Oracle database in your DCE environment.

Step 1: Enable CDS for use in Performing Name Lookup

To use CDS for name resolution, the DCE Integration CDS Naming Adapter must be installed on all clients and servers that use CDS. Also, the CDS namespace must have been configured for use by DCE Integration.

For example, a service name such as ORADCE and its network address can be stored in DCE CDS.

Users can typically connect to Oracle services using the familiar Oracle service name if there are no domains or the database is in the user's default domain, as in the following example:

sqlplus /@ORADCE

This example assumes that DCE externally-authenticated accounts are in use.

As an alternative name resolution service, use a local naming configuration file, tnsnames.ora, when CDS is inaccessible. To do so, locate names and addresses of all Oracle servers in the local tnsnames.ora file.

Step 2: Modify the CDS Attributes File and Restart the CDS

On all DCE machines where CDS naming is used, add the object ID for the CDS attribute TNS_Address to the CDS attributes file. (The object ID must be the same across all machines.)

1. Add a line in the following format to the /opt/dcelocal/etc/cds_attributes file:

   1.3.22.1.5.1    TNS_Address    char
   
   

   The first four digits of this TNS_Address attribute value, 1.3.22.1.x.y, are fixed, under DCE naming conventions. If the default TNS_Address object ID value 1.3.22.1.5.1 already exists in the cds_attributes file, you must specify a value for the object ID that is not already in use.

   If you are unable to use the default value for the object ID, then you must specify the object ID in the protocol.ora file on the client.

   If you had to specify a value other than the default value 1.3.22.1.5.1, then you must add the following parameter to the protocol.ora file:

   DCE.TNS_ADDRESS_OID=1.3.22.1.x.y
   
   

   Make sure that the object ID value in the cds_attributes file matches the value specified in the DCE.TNS_ADDRESS_OID parameter in the protocol.ora file.

2. Restart CDS on the system.

   The command to restart CDS varies between different operating systems. On the Solaris platform, for example, you can use the following command to restart CDS:

   /opt/dcelocal/etc/rc.dce restart
   
   

Step 3: Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS

To load the Oracle service names and addresses into CDS, create or modify a local naming configuration file, tnsnames.ora. This file is used to map service names to addresses for use by Oracle Net.

This section describes the parameters that must be included in the tnsnames.ora file. The file contains a list of Oracle service names mapped to connect descriptors of destinations or endpoints in the network. The sample DCE address in the following section shows a network address for an Oracle server with the Oracle service name ORADCE. It is used to connect to the service registered as DCE_SVC in the CDS directory

 /.../cell_name/subsys/oracle/names.
ORADCE=(DESCRIPTION=(ADDRESS=(PROTOCOL=DCE)(SERVER_PRINCIPAL=oracle)(CELL_
NAME=cell1)(SERVICE=DCE_SVC))(CONNECT_DATA=(SID=ORASID)))

Parameter
Name	Type	Mandatory?	Description
PROTOCOL=DCE	keyword value pair	Yes	Appears in the address sections of (i) listener.ora, a listener configuration file, and (ii) tnsnames.ora, a local naming configuration file.
SERVER_PRINCIPAL	DCE Parameter	No	Appears in tnsnames.ora
SERVICE	DCE Parameter	Yes	The value given for the DCE parameter (SERVICE=dce_service_name) must be the same in listener.ora and tnsnames.ora
SID	Oracle Parameter	Yes	Identifies the Oracle system ID; each SID value must be unique on a node. This parameter is used locally only, and is not used in DCE CDS.

Step 4: Load Oracle Connect Descriptors into CDS

A separate utility called tnnfg is provided with Oracle DCE Integration to load connect descriptors into CDS. If you configure a new service name and address in tnsnames.ora, tnnfg adds the new service name and address to CDS. If you change the address for a particular service name, tnnfg updates the address for a particular service name.

To load the Oracle service names or aliases from tnsnames.ora into CDS, enter the following at the system prompt:

% dce_login cell_admin
% tnnfg dceload full_pathname_to_tnsnames.ora
% Enter Password:(password will not display)

Be sure to enter the full path name of the tnsnames.ora file, and ensure that the sqlnet.ora file exists in the same directory as the tnsnames.ora file.

Step 5: Delete or Rename the tnsnames.ora File

You can keep tnsnames.ora available as a backup in case CDS becomes unavailable. To assure that CDS is routinely searched instead of tnsnames.ora, configure the NAMES.DIRECTORY_PATH parameter in a profile (sqlnet.ora), as described by Step 6: Modify the sqlnet.ora File to Resolve Names in CDS (the next section).

Step 6: Modify the sqlnet.ora File to Resolve Names in CDS

The parameters required in a profile (sqlnet.ora) depend upon the version of SQL*Net or Oracle Net Services you are using.

For a client or server to use DCE CDS Naming, the administrator must do the following:

1. Ensure that the CDS Naming Adapter has been installed on that node.
2. Add the following parameter to the sqlnet.ora file:

   NAMES.DIRECTORY_PATH=(cds, tnsnames, onames)
   
   

   The first name resolution service listed as a value for this parameter is used. If it is unavailable for any reason, the next name resolution service is used, and so forth.