|
|
 Copyright © 2004 Oracle Corporation. All Rights Reserved. |
|
| Oracle Net Services README Release 1 (10.1) |
|
The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.
If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:
Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.
Oracle is a registered trademark, and Oracle9i and Oracle8i are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.
Documentation Accessibility:Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle Corporation is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/Accessibility of Code Examples in Documentation:
JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation:his documentation may contain links to Web sites of other companies or organizations that Oracle Corporation does not own or control. Oracle Corporation neither evaluates nor makes any representations regarding the accessibility of these Web sites.
-----------------------------------------------
CONTENTS
This README is relevant only to Oracle Net Services release 1 (10.1). It identifies differences between Oracle Net Services and its documented functionality. It also identifies problems with the product and provides workarounds for these problems.
For information about upgrades, downgrades, and migration, see Oracle Database Upgrade Guide.
Oracle Net Services encompasses the Oracle family of networking products. It provides a comprehensive data access solution for heterogeneous distributed computing environments. It enables client-to-server and server-to-server communication across any network. Oracle Net Services offers the following benefits:
A release 1 (10.1) listener is required for an Oracle10g release 1 (10.1) database. This release does not support previous versions of the listener. To learn more about installation, see documentation specific to different operating systems.
This section discusses issues associated with Oracle Names usage. The following topics are covered:
Oracle Names and Oracle Names LDAP Proxy are no longer supported as a naming method in 10g Release 1 (10.1). For centralized storage of connect identifiers, you must migrate to directory naming. Neither Oracle10g clients nor Oracle10g databases can use an Oracle Names server or an Oracle Names LDAP Proxy server to resolve a connect identifier. Oracle9i and Oracle8i clients can still use the 9.2 version of Oracle Names or Oracle Names LDAP Proxy to resolve net service names that point to an Oracle10g database. Customers are, however, strongly urged to migrate Oracle8i and later release clients to directory naming.
Oracle9i or Oracle8i customers who want to use Oracle Names to resolve net service names for Oracle10g databases should upgrade Oracle Names or Oracle Names LDAP Proxy servers to version 9.2. See Oracle9i Net Services Administrator's Guide Release 2 (9.2) for upgrade procedures.
Oracle10g no longer uses Oracle Names for accessing global database links. Global database links are now resolved through directory naming using Oracle Internet Directory.
Before migrating a database to 10g, you must migrate global database links stored in an Oracle9i Release 2 (9.2) Oracle Names server to Oracle Internet Directory. Once global database links are migrated to directory naming, then Oracle10g can resolve the global database links through directory naming upon migrating your database to Oracle10g.
Directions for migrating global database links are part of Oracle Names to directory migration documented in Oracle9i Net Services Administrator's Guide Release 2 (9.2).
Oracle9i Release 2 (9.2) Oracle Names LDAP Proxy server has been tested and certified for use with the Oracle Internet Directory release 9.0.4.
This section discusses issues associated with using directory naming to resolve a connect identifier when connecting to a database. It contains the following topics:
In release 1 (10.1), clients may locate an Oracle Internet Directory dynamically with DNS or statically with the ldap.ora file. Oracle recommends using Oracle Internet Directory Configuration Assistant (OIDCA) for all directory usage configuration. OIDCA provides a command-line interface to create, upgrade, and delete an Oracle Context, configure the file ldap.ora, and convert an Oracle Context to an Identity Management Realm. OIDCA creates file ldap.ora in either the location of the directory specified by the $LDAP_ADMIN environment variable or the $ORACLE_HOME/ldap/admin directory.
If you prefer a graphical user interface, you can use Oracle Net Configuration Assistant to create file ldap.ora in either the location of the directory specified by the $TNS_ADMIN environment variable or the $ORACLE_HOME/network/admin directory. You cannot use the Oracle Net Configuration Assistant to create, upgrade, or delete an Oracle Context. You must use OIDCA to perform these functions.
For a previous release of Oracle Internet Directory, use the Oracle Net Configuration Assistant provided with that release of the directory.
See Also:
|
OIDCA enables you to create, upgrade, and delete an Oracle Context, configure the file ldap.ora, and convert an Oracle Context to an Identity Management Realm.
The OIDCA syntax is:
oidca oidhost=<host> nonsslport=<port> | sslport=<SSL Port> dn=<binddn> pwd=<bindpwd> -silent <list of properties> | propfile=<prop_file>
The following table lists properties of the OIDCA. These properties can also be specified as part of the command line directly. To see the usage of OIDCA, enter oidca -help at the command prompt.
The following syntax is used to create an Oracle Context in OIDCA; the properties are described in the subsequent table.
oidca [oidhost=<host>] [nonsslport=<port>] [sslport=<SSL Port>] dn=<binddn> pwd=<bindpwd> mode=CREATECTX contextdn=<OracleContext DN>
Note the following points:
contextdn must exist for this operation to be successful.mode and contextdn can also be passed as a properties file.nonsslport=port if you want to perform the operation using non-SSL mode.sslport=sslport if you want to perform the operation using SSL mode.port or the sslport parameter must be specified, but not both.contextdn has a valid DN syntax and that the entry exists in Oracle Internet Directory. Note that the OIDCA cannot create a root OracleContext explicitly. If there is no root Oracle Context, then OIDCA exits with an error.Oracle Context already exists and is up to date."Oracle Context already exists and is of an older version."To upgrade an OracleContext, use the following syntax; the properties are listed in the subsequent table.
oidca [oidhost=<host>] [nonsslport=<port>] [sslport=<SSL Port>] dn=<binddn> pwd=<bindpwd> mode=UPGRADECTX contextdn=<OracleContext DN>
Note the following points:
contextdn must contain an OracleContext for this operation to be successful.cn=oraclecontext, dc=acme, and dc=com are valid DNs.mode and contextdn can also be passed as a properties file.nonsslport=port if you want to perform the operation using a non-SSL mode.sslport=sslport if you want to perform the operation using SSL mode.port or the sslport parameter must be specified, but not both.contextdn has valid DN syntax and that OracleContext exists in Oracle Internet Directory. OIDCA cannot upgrade a root OracleContext explicitly. If there is no root OracleContext, then OIDCA sends an error message.OracleContext exists under contextdn,
OracleContext belongs to a realm, in which case it exits with the appropriate message. Note that OracleContext instances that belong to a realm cannot be upgraded.Oracle Context already exists and is up to date."OracleContext is not up-to-date, then the OIDCA upgrades the OracleContext under this DN.To delete an OracleContext, use the following syntax; the properties are listed in the subsequent table.
oidca [oidhost=<host>] [nonsslport=<port>] [sslport=<SSL Port>] dn=<binddn> pwd=<bindpwd> mode=DELETECTX contextdn=<OracleContext DN>
Note the following points:
contextdn must contain an OracleContext for this operation to be successful.cn=oraclecontext, dc=acme, and dc=com are valid DNs.mode and contextdn can also be passed as a properties file.nonsslport=port if you want to perform the operation using a non-SSL mode.sslport=sslport if you want to perform the operation using SSL mode.port or the sslport parameter must be specified, but not both.contextdn has valid DN syntax and that OracleContext exists in Oracle Internet Directory.OracleContext exists under contextdn,
To configure the file ldap.ora, use the following syntax; the properties are listed in the subsequent table.
oidca mode=LDAPORA [host=<host>] [nonsslport=<port>] [sslport=<SSL Port>] [adminctx=<Admin Context>] dirtype=<OID|AD> [-update]
Note the following points:
mode, dirtype, and adminctx can also be passed as a properties file.ldap.ora location using the Discovery API.
ldap.ora exists and the -update parameter is not specified, then exit with message "ldap.ora exists."ldap.ora exists and the -update parameter is not specified, then update the existing ldap.ora using Discovery API.ldap.ora does not exist, create a new ldap.ora file in a location in the following order:
LDAP_ADMIN $ORACLE_HOME/ldap/admin
This section describes how to use Oracle Internet Directory Configuration Assistant to upgrade an Oracle Context Release 9.2 to an Identity Management Realm Release 9.0.4. Oracle Database 10g entries must be stored in Oracle Internet Directory Release 9.0.4 server. An Identity Management Realm Release 9.0.4 is also required for Enterprise User Security, a feature of the Oracle Database 10g.
You can use the Oracle Internet Directory Configuration Assistant to convert an existing Oracle Context to a realm with the exception of root.
To convert an existing Oracle Context to a realm, use the following syntax; the properties are listed in the subsequent table.
oidca [oidhost=<host>] [nonsslport=<port>] [sslport=<SSL Port>] dn=<binddn> pwd=<bindpwd> mode=CTXTOIMR contextdn=<OracleContext DN>
Note the following points:
OracleContext must exist under the specified contextdn.cn=oraclecontext, dc=acme, and dc=com are valid DNs.mode and contextdn can also be passed as a properties file.nonsslport=port if you want to perform the operation using a non-SSL mode.sslport=sslport if you want to perform the operation using SSL mode.port or the sslport parameter must be specified, but not both.contextdn has valid DN syntax, and if it contains a valid OracleContext.OracleContext exists under contextdn,
Note also:
cn, then configure it as a user configuration attribute by using the Oracle Internet Directory Self-Service Console.The DEFAULT_ADMIN_CONTEXT parameter in the ldap.ora file specifies the default directory entry that contains the Oracle Context that you use to create, modify, or search connect identifiers. In prior releases, the parameter value in this entry did not require quotation marks. Here is an example:
DEFAULT_ADMIN_CONTEXT=dc=us,dc=acme,dc=com
In release 1 (10.1), you must enclose the parameter value in single or double quotation marks. Here is the same example, but with quotation marks:
DEFAULT_ADMIN_CONTEXT="dc=us,dc=acme,dc=com"
Oracle Net Configuration Assistant encloses the value of the DEFAULT_ADMIN_CONTEXT parameter within double quotation marks. If you used another method to create an ldap.ora file and then migrated it to release 1 (10.1) minus the quotation marks, release 1 (10.1) clients see this message when trying to connect to a database:
ORA-12154 TNS:could not resolve the connect identifier specified
After migrating to release 1 (10.1), check that quotation marks are included in DEFAULT_ADMIN_CONTEXT.
In the Oracle10g Beta releases only, parentheses could be omitted from the DIRECTORY_SERVERS parameter in the ldap.ora file. In the production release and all prior releases, these parentheses must be included. Here is the correct syntax for the parameter:
DIRECTORY_SERVERS=(host:port[:sslport])
This section discusses issues associated with Oracle Net configuration and administration tools. The following topics are covered:
In the current release of Oracle Internet Directory, a root Oracle Context (dn:cn=OracleContext) is created by default. In release 8.1.7, the Net8 Configuration Assistant returns an error when you attempt to use a root Oracle Context.
To configure Oracle8i clients to use a root Oracle Context:
ldap.ora file that you created in Step 1 to the Oracle8i client directory $ORACLE_HOME/network/admin on UNIX or ORACLE_HOME\network\admin on Windows operating systems the Oracle8i clients.[Reference Bug 1777306]
Oracle Enterprise Manager 10g attempts to first stop a listener before deleting the configuration. If Enterprise Manager fails to stop a listener, it still deletes the configuration for that listener. For this reason, Oracle recommends stopping the listener prior to deleting the configuration.
Oracle Net Configuration Assistant and Oracle Net Manager do not first attempt to stop the listener. You must stop the listener before deleting the configuration. You cannot stop the listener once its configuration information is deleted.
When using Enterprise Manager or Oracle Net Manager for directory usage configuration, it is not possible to specify directory entries that use multibyte characters.
[Reference Bug 1102675]
Enterprise Manager and Oracle Net Manager do not display all entries stored in a tnsnames.ora file or in a directory server. A net service name must contain a complete connect descriptor, including description, protocol address, and connect data information.
The following example shows a net service name called sales that contains a protocol address and connection information to a database named sales.us.acme.com. This information displays correctly in Enterprise Manager and Oracle Net Manager.
sales= (DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)) (CONNECT_DATA= (SERVICE_NAME=sales.us.acme.com)))
Some entries contain only address information. The following example shows an entry that is not a net service name, but rather a named address. The named address of listener1 only contains listener protocol address information. This named address does not display in Enterprise Manager and Oracle Net Manager, but can still be used to resolve listener1 to a list of protocol addresses. Named addresses are used mainly to identify nondefault local listeners or remote listeners.
listener1= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=sales1-server)(PORT=1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=sales2-server)(PORT=1521)))
| See Also:
Chapter "Configuring and Administering the Listener," in Oracle Net Services Administrator's Guide for further information about configuring a listener that uses a nondefault address |
You can configure the RECV_BUF_SIZE and SEND_BUF_SIZE parameters within the connect descriptor of a net service name or a listener. You either specify the buffer space parameters for a particular protocol address or description. In this release, Enterprise Manager and Oracle Net Manager enable you to configure these parameters for each protocol address but not for the entire DESCRIPTION. If you want to configure these parameters for the entire description, you must perform this manually.
[Reference Bug 3074357]
The online help for Oracle Net Configuration Assistant does not describe that you can create file ldap.ora for configurations supporting Oracle Internet Directory. While Oracle recommends OIDCA, you can still use Oracle Net Configuration Assistant to configure an ldap.ora file.
Chapter 11, "Configuring and Administering Oracle Connection Manager" in Oracle Net Services Administrator's Guide, states that Oracle Connection Manager refuses all client connections if no access rules are included in the rule list section of cman.ora, the tool's configuration file. The intention here is to encourage the administrator to choose rules carefully before starting Oracle Connection Manager.
What the chapter does not state is that connections from the cmctl control utility to CMADMIN, the administrative process, also require access rules in cman.ora. If these are absent, the listener rejects all cmctl connections, treating cmctl like any other client. To allow cmctl connections, you can configure a catch-all rule as follows:
(rule=(src=*)(dst=127.0.0.1)(srv=cmon)(act=accept))
This rule allows cmctl to be used from any computer. The srv=cmon parameter setting is mandatory.
If you want to restrict cmctl usage to only the computer on which Connection Manager is located, use the following rule instead:
(rule=(src=127.0.0.1)(dst=127.0.0.1)(srv=cmon)(act=accept))
In an ongoing effort to strengthen the security of our products, the 10g Oracle Net Listener has a new local OS authentication security mechanism, which is automatically enabled for every installed listener. This mechanism allows the listener to determine the OS user credentials of the user running the lsnrctl control utility on the same host where the listener is running. A privileged command will only be allowed if it was issued by the same OS user as the user running the listener or a system administrator (for example the root user on UNIX). Administrative commands originating from a remote host will be rejected unless password security is configured.
Only the lsnrctl control utility of a version greater or equal to the version of the running listener can be used to administer it, with the exception of VERSION command. The VERSION command does not require authorization and may be issued from an older lsnrctl control utility program.
The listener control status and services commands always return results when executed on the host where the listener is running.
[Reference Bug 3359259]
The TRCROUTE utility for UNIX operating systems enables administrators to discover what Oracle Net Services route a connection takes from a client to a database server. If there is an address list containing SOURCE_ROUTE=on, as is the case with older releases of Oracle Connection Manager when there is more than one hop to the database server, this utility does not work.
[Reference Bug 2147202]
The "What's New" section of Oracle Net Services Administrator's Guide describes new features of Oracle Net Services and provides pointers to additional information. It also describes features no longer supported.
Appendix A, "Commands and Parameters Not Supported in This Release," of Oracle Net Services Reference Guide provides detailed information about control utility and networking parameters that are no longer supported.
|
|
Copyright © 2004 Oracle Corporation. All Rights Reserved. |
|