[reformatted in plain MS DOS text]
Paper 143: Oracle8 on NT - Tips and Techniques
Bruce McCartney and Steve Recsky
DBCORP Information Systems Inc.
...
[begin 2 of 4]
Windows NT Registry
The Windows NT registry is a central location for programs to store
initialization and configuration information. Oracle uses this
facility to store various configuration settings. You can change these
using the REGEDT32.EXE program; however, "use at your own risk", as you
can completely toast your system if you mess up. Having said that, it
is often necessary to change some of the settings. Most of the
settings are located under the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE key.
Some entries you might want to change are:
Registry Key                Value                   Comments
--------------------------  ----------------------  ----------------------------------
ORA_%SID%_PWFILE            %ORACLE_HOME%\DATABASE  Change location of PASSWORD
                                                    file for Connect Internal
--------------------------  ----------------------  ----------------------------------
ORA_%SID%_SHUTDOWN          TRUE or FALSE           TRUE causes shutdown immediate
                                                    when the service terminates
--------------------------  ----------------------  ----------------------------------
ORA_%SID%_SHUTDOWN_TIMEOUT  Number                  Seconds to wait for timeout -
                                                    numbers < 30 are ignored
--------------------------  ----------------------  ----------------------------------
ORACLE_SID                  SID                     Default SID
--------------------------  ----------------------  ----------------------------------
SQLPATH                     %ORACLE_HOME%\PLUS80    Directory to search for SQL files
--------------------------  ----------------------  ----------------------------------
*** [end table] ***
Under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Oracle80\Performance\Oracle%HOME%80
key:
Registry Key  Value               Comments
------------  ------------------  --------------------------------
Username      SYSTEM (Default)    Oracle user to connect with
------------  ------------------  --------------------------------
Password      MANAGER (Default)   You should change this
------------  ------------------  --------------------------------
Hostname      TNSLOCATION STRING  Any valid SQLNET service works.
------------  ------------------  --------------------------------
*** [end table] ***
Remote Management
You can't telnet or rlogin to an NT box as you can to a Unix box, so
you must find other methods of accessing the server. Some of these
methods include:
- If going through dial-up: RAS or PPP
- Remote access tools such as Symantec's pcANYWHERE, Danware's
NetOps Remote Control Software, Funk Software's Proxy,
Traveling Software's LapLink.
- Install the Remote Console Server and/or the Web Administration
Tool from the NT Server Resource Kit CD.
- Oracle Enterprise Manager (OEM)
- Administration from the Command line - using the NET command
***** Most simple Oracle remote management can be completed
over SQL*Net. For NT specific operations such as
installs, disk and service maintenance, machine boots,
and Oracle Server Manager startup/shutdown commands,
you must remotely control the machine if you can't
access it directly.
Most Unix operating systems will have startup and shutdown routines
that are unique to the particular flavor of Unix. For example: Sun
Solaris, HP/UX, and IBM/AIX all have different installation
instructions for their particular startup and shutdown routines.
***** Automatic startup and shutdown of things like the
Oracle RDBMS, SQL*Net Listener, Oracle Agent, and
Oracle Names are all handled through Services within
the Control Panel.
Security
Database security for Oracle on Windows NT is exactly like Oracle for
other platforms and will not be covered in this paper. Two main tasks
that you will want to do when setting up Oracle security under NT are:
- tighten security for the "starter database", and
- provide password-less connections via the
Identified Externally Option.
***** The starter database installed by Oracle is not
secure and should be modified as follows:
1. Change the SYS and SYSTEM passwords
2. Change the INTERNAL or DBA password
3. Protect Oracle REGISTRY ENTRIES from view/modification
4. Protect STRTSID.CMD from viewing
5. Protect ORACLE EXECUTABLES from spoofing or deletion
6. Protect ORACLE datafiles, redo logs, and control files from
deletion or unauthorized capture
7. Protect EXPORTS and BACKUPS from deletion or unauthorized capture
The Identified Externally authorization mechanism is a means for
Oracle users to connect to ORACLE8 without providing a password.
Essentially, you tell Oracle that you trust the operating system to
authenticate a user. In order to have this work some preparation is
required. If correctly configured, you can provide the following
privileges:
- Connecting without a password as a 'normal' user
- Connecting as SYSDBA or SYSOPER without a password
- Connecting as INTERNAL without a password
- Grant Oracle ROLES exclusively through NT groups
You may use NT authentication across NT domains, or for LOCAL access.
These examples will demonstrate the DOMAIN-based access.
For NT authentication to work:
1. You must modify the %ORACLE_HOME%\NET80\ADMIN\SQLNET.ORA file
on the server and client to include the following line:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
2. You must modify the INITSID.ORA file to include the following
line and shutdown/restart Oracle :
OS_AUTHEN_PREFIX = ""
3. Use NT User Manager to create a USER for the domain
4. Set/Create HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEn\OSAUTH_PREFIX_DOMAIN
to TRUE.
This optional step requires the Oracle username to include the
DOMAIN (e.g. DBCORP\SCOTT)
5. Set/Create HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEn\OSAUTH_ENFORCE_STRICT
to TRUE
This optional step requires any user to be a member of the
LOCAL group ORA_USER or ORA_SID_USER. You need to create
these groups and assign the user.
6. Use SQLPLUS or SRVMGR30 to
"create user DBCORP\SCOTT IDENTIFIED EXTERNALLY"
and grant the user the roles you wish.
You should now be able to log into Oracle with the connect string
"Connect /@DBNAME" when you are connected to the NT server. Note that
you must either LOG ON to a client computer with the correct USERNAME
and Domain, or access a shared area on the Windows NT server using the
NET USE command or Windows Explorer, in order to be authenticated under
Windows NT.
In order to connect as SYSOPER or SYSDBA without a password, you must
create NT groups. Create the groups ORA_OPER or ORA_DBA for access to
all instances, or ORA_SID_OPER and ORA_SID_DBA for specific instances
on the NT server. Then add the NT user to these groups, and then you
can "connect /@DBNAME AS SYSDBA". To CONNECT INTERNAL without a
password, you must additionally add the following entry to
the INIT.ORA file:
REMOTE_LOGIN_PASSWORD=NONE
***** Connect INTERNAL then will work from any Oracle tool if
you are connected LOCALLY, but only Server Manager will
work remotely.
Finally, if you want to use NT to grant roles, it is important to know
that you must use OS roles exclusively.
***** You can't use a mixture of NT roles and Oracle roles.
To enable this feature you need to put the following line in the
INITSID.ORA:
OS_ROLES = TRUE
And then simply create the NT groups you want to assign roles to with
the following naming convention:
ORA_SID_ROLENAME[_D][_A]
where ROLENAME is the Oracle role you have created, and the optional
_D or _A suffixes indicate whether you want the role as DEFAULT or
WITH ADMIN OPTION.
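The two group-naming conventions described above (ORA_DBA / ORA_OPER / ORA_SID_DBA / ORA_SID_OPER for SYSDBA and SYSOPER access, and ORA_SID_ROLENAME[_D][_A] for OS roles) are easy to get subtly wrong, so the following is an added Python audit helper, not code from the original paper, that takes an NT account's group list and reports which Oracle privileges those names would confer for one SID. The sample group list is constructed; treating ORA_SID_DBA and ORA_SID_OPER as reserved rather than role groups, and accepting _D and _A in either order, are assumptions drawn from the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Added example, not from the paper: map the NT group naming conventions in the
# text onto the Oracle privileges an NT account receives for one instance
# (compared upper-cased, since NT group names are case-insensitive):
#   ORA_DBA / ORA_OPER / ORA_<SID>_DBA / ORA_<SID>_OPER  -> SYSDBA / SYSOPER
#   ORA_<SID>_<ROLENAME>[_D][_A]                        -> OS role grant

@dataclass(frozen=True)
class OsRole:
    role: str
    default: bool       # _D suffix: DEFAULT role
    admin_option: bool  # _A suffix: WITH ADMIN OPTION

def parse_role_group(group: str, sid: str) -> Optional[OsRole]:
    """Parse ORA_<SID>_<ROLENAME>[_D][_A]; None if the name does not fit."""
    prefix = f"ORA_{sid}_".upper()
    name = group.upper()
    if not name.startswith(prefix):
        return None
    rest = name[len(prefix):]
    default = admin = False
    for _ in range(2):  # assumption: suffixes in either order, each at most once
        if rest.endswith("_D") and not default:
            default, rest = True, rest[:-2]
        elif rest.endswith("_A") and not admin:
            admin, rest = True, rest[:-2]
    # What remains must be a plausible Oracle role identifier (underscores allowed).
    if not re.fullmatch(r"[A-Z][A-Z0-9_$#]*", rest):
        return None
    return OsRole(rest, default, admin)

def audit_nt_account(sid: str, groups: List[str]) -> Dict[str, object]:
    """Report SYSDBA/SYSOPER eligibility and OS role grants for instance `sid`."""
    sid = sid.upper()
    names = {g.upper() for g in groups}
    reserved = {f"ORA_{sid}_DBA", f"ORA_{sid}_OPER"}  # assumed not to be role groups
    roles = [r for g in sorted(names - reserved)
             if (r := parse_role_group(g, sid)) is not None]
    return {
        "sysdba": bool(names & {"ORA_DBA", f"ORA_{sid}_DBA"}),
        "sysoper": bool(names & {"ORA_OPER", f"ORA_{sid}_OPER"}),
        "os_roles": roles,
    }

# Constructed sample: one account's groups as NT User Manager might list them.
SAMPLE_GROUPS = ["Domain Users", "ORA_ORCL_DBA", "ora_orcl_app_read_d",
                 "ORA_ORCL_APP_ADMIN_D_A", "ORA_PROD_APP_READ_D", "ORA_ORCL_"]
```

Run `audit_nt_account("ORCL", SAMPLE_GROUPS)` to see that the account gets SYSDBA (via ORA_ORCL_DBA) plus two OS roles, while the malformed ORA_ORCL_ group and the PROD instance's group are ignored.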
[end 2 of 4]