Authentication means verifying the identity of someone (a user, device, or other entity) who wants to access data, resources, or applications. Validating that identity establishes a trust relationship for further interactions. Authentication also enables accountability by making it possible to link access and actions to specific identities. After authentication, authorization processes can allow or limit the levels of access and action permitted to that entity, as explained in Chapter 5, "Authorization: Privileges, Roles, Profiles, and Resource Limitations".

Oracle allows a single database instance to use any or all of these methods. Oracle requires special authentication procedures for database administrators, because they perform special database operations. Oracle also encrypts passwords during transmission to ensure the security of network authentication.

To validate the identity of database users and prevent unauthorized use of a database user name, you can authenticate users by using any combination of the methods described in the following sections:

Authentication Considerations About ...    Links to Topics
Operating Systems                          Authentication by the Operating System
Networks and LDAP Directories              Authentication by the Network
Databases                                  Authentication by the Database
Multitier Systems                          Multitier Authentication and Authorization
Secure Socket Layer Usage                  Authentication Using SSL
Database Administrators                    Authentication of Database Administrators

Authentication by the Operating System

Some operating systems permit Oracle to use information they maintain to authenticate users. This has the following benefits:

With control over user authentication centralized in the operating system, Oracle need not store or manage user passwords, though it still maintains user names in the database.

When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care.

See Also:

Your operating system-specific Oracle documentation for more information about authenticating by using your operating system

Authentication by the Network

Authentication over a network is handled by the SSL protocol or by third-party services, as described in the following subsections:

Authentication Using SSL

Authentication Using Third-Party Services

Authentication Using SSL

The Secure Sockets Layer (SSL) protocol is an application layer protocol. It can be used for user authentication to a database, and it is independent of global user management in Oracle Internet Directory. That is, users can use SSL to authenticate to the database even without a directory server in place.

Authentication Using Third-Party Services

Authentication over a network makes use of third-party network authentication services. Prominent examples include Kerberos, Public Key Infrastructure (PKI), the Remote Authentication Dial-In User Service (RADIUS), and directory-based services, as described in the following subsections.

If network authentication services are available to you, then Oracle can accept authentication from the network service. If you use a network authentication service, then some special considerations arise for network roles and database links.


To use a network authentication service with Oracle, you need Oracle Enterprise Edition with the Oracle Advanced Security option.

Kerberos Authentication

Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server, or through CyberSafe ActiveTrust, a commercial Kerberos-based authentication server.

See Also: Oracle Database Advanced Security Administrator's Guide for more information about Kerberos.

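
The following SQL*Plus script is an added example, not part of the Oracle documentation reproduced on this page. It shows how the user records for the methods described above (operating system authentication, Kerberos, SSL without a directory server, and directory-based enterprise users) differ on the database side: in every case the database keeps a user name but no password. The user names, the Kerberos realm EXAMPLE.COM and the certificate DN are assumptions chosen for illustration.

```sql
-- Added example, not from the Oracle documentation reproduced on this page.
-- Names (jsmith, EXAMPLE.COM, the DN) are assumed for illustration.
-- Run as a user with CREATE USER and GRANT privileges (for example SYSTEM).

-- 1. Operating system authentication. The database stores no password;
--    the OS account name is matched after the OS_AUTHENT_PREFIX parameter,
--    whose default is OPS$, so OS user "jsmith" maps to OPS$JSMITH.
CREATE USER ops$jsmith IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$jsmith;

-- 2. Kerberos. The external name is the Kerberos principal. The client
--    and server sqlnet.ora must list KERBEROS5 in
--    SQLNET.AUTHENTICATION_SERVICES (Oracle Advanced Security option).
CREATE USER krb_jsmith IDENTIFIED EXTERNALLY AS 'jsmith@EXAMPLE.COM';
GRANT CREATE SESSION TO krb_jsmith;

-- 3. SSL without a directory server. The external name is the subject DN
--    of the X.509 certificate held in the client's Oracle wallet; the
--    connection must arrive over a TCPS listener endpoint.
CREATE USER ssl_jsmith
  IDENTIFIED EXTERNALLY AS 'CN=jsmith,OU=Engineering,O=Example,C=US';
GRANT CREATE SESSION TO ssl_jsmith;

-- 4. Directory-based (enterprise) user. The identity and roles live in
--    Oracle Internet Directory; an empty DN makes this a shared schema
--    that any mapped directory user can use.
CREATE USER global_schema IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO global_schema;

-- Check: none of these accounts carries a password hash. The PASSWORD
-- column reads EXTERNAL or GLOBAL and EXTERNAL_NAME shows the mapping.
SELECT username, password, external_name
  FROM dba_users
 WHERE username IN ('OPS$JSMITH', 'KRB_JSMITH', 'SSL_JSMITH', 'GLOBAL_SCHEMA');
```

Two caveats a practitioner should keep in mind: an operating-system-authenticated account is accepted only for connections made on the database host unless the REMOTE_OS_AUTHENT parameter is TRUE, which the multitier section of this chapter advises against; and the Kerberos and SSL forms only work once the matching SQLNET.AUTHENTICATION_SERVICES entry (KERBEROS5 or TCPS) is configured on both client and server, since the external name alone does not cause the database to demand that protocol.
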
PKI-Based Authentication

Authentication systems based on PKI issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without directly involving an authentication server. Oracle provides a PKI for using public keys and certificates, consisting of the following components:

Authentication and secure session key management using SSL

Oracle Call Interface (OCI) and PL/SQL functions

These are used to sign user-specified data using a private key and certificate. The verification of the signature on data is done by using a trusted certificate.

Trusted certificates

These are used to identify third-party entities that are trusted as signers of user certificates when an identity is being validated. When the user certificate is being validated, the signer is checked by using trust points or a trusted certificate chain of certificate authorities stored in the validating system. If there are several levels of trusted certificates in this chain, then a trusted certificate at a lower level is simply trusted without needing to have all of its higher-level certificates reverified.

Oracle Wallet Manager

This is a standalone Java application used to manage and edit the security credentials in Oracle wallets. It performs the following operations:

Protects user keys

Manages X.509 version 3 certificates on clients and servers

Generates a public-private key pair and creates a certificate request for submission to a certificate authority

Installs a certificate for the entity

Configures trusted certificates for the entity

Creates wallets

Opens a wallet to enable access to PKI-based services

X.509 version 3 certificates obtained from (and signed by) a trusted entity, a certificate authority. Because the certificate authority is trusted, these certificates certify that the requesting entity's information is correct and that the public key on the certificate belongs to the identified entity. The certificate is loaded into an Oracle wallet to enable future authentication. Oracle public key infrastructure is illustrated in Figure 4-1.

Figure 4-1 Public Key Infrastructure

Description of "Figure 4-1 Public Key Infrastructure"

Authentication with RADIUS

Oracle supports remote authentication of users through the Remote Authentication Dial-In User Service (RADIUS), a standard lightweight protocol used for user authentication, authorization, and accounting.

See Also: Oracle Database Advanced Security Administrator's Guide for information about Oracle Advanced Security

Directory-Based Services

Using a central directory can make authentication and its administration extremely efficient. Directory-based services include the following:

Oracle Enterprise Security Manager, which provides centralized privilege management to make administration easier and increase security levels. Oracle Enterprise Security Manager lets you store and retrieve roles from Oracle Internet Directory.

Authentication by the Database

Oracle Database can authenticate users attempting to connect to a database by using information stored in that database itself. To set up Oracle Database to use database authentication, you must create each user with an associated password. The user must supply this user name and password when attempting to establish a connection. This process prevents unauthorized use of the database, because the connection is refused if the user supplies an incorrect password. Oracle Database stores user passwords in the data dictionary as a one-way hash rather than in clear text (the documentation describes this as an encrypted format), which prevents unauthorized alteration and recovery of the password itself. Users can change their passwords at any time.

To specify the authentication protocols that are allowed by a client or a database, a DBA can explicitly set the SQLNET.ALLOWED_LOGON_VERSION parameter in the server sqlnet.ora file. Then each connection attempt is tested, and if the client or server does not meet the minimum version specified by the partner, authentication fails with an ORA-28040 error. The parameter can take the values 10, 9, or 8, which is the default. These values represent database server versions. Oracle recommends the value 10. Because the value 10 rejects connections from older clients (and database links originating in older releases), verify the client versions in use before raising it.

Database authentication includes the following features:

Password Encryption While Connecting

Passwords are always automatically and transparently encrypted during network (client/server and server/server) connections, using AES (Advanced Encryption Standard), before they are sent across the network.

Account Locking

Oracle can lock a user's account after a specified number of consecutive failed login attempts. You can configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked.

Use the CREATE PROFILE statement to establish how many failed login attempts a user can make before the account locks, and how long it remains locked before it unlocks automatically.

The database administrator can also lock accounts manually, so that they cannot unlock automatically but must be unlocked explicitly by the database administrator.

Password Lifetime and Expiration

The database administrator can specify a lifetime for passwords, after which they expire and must be changed before account login is again permitted. A grace period can be established, during which each attempt to log in to the database account receives a warning message to change the password. If it is not changed by the end of that period, then the account is locked. No further logins to that account are allowed without assistance by the database administrator.

The database administrator can also set the password state to expired, causing the user account status to change to expired. The user or the database administrator must then change the password before the user can log in to the database.

Password Complexity Verification

Complexity verification checks that each password is complex enough to provide reasonable protection against intruders who try to break into the system by guessing passwords.

The sample password complexity verification routine (the PL/SQL script UTLPWDMG.SQL, which also sets the default profile parameters) checks that each password meets the following requirements:

Be a minimum of four characters in length

Not equal the user ID

Include at least one alphabetic character, one numeric character, and one punctuation mark

Not match any word on an internal list of simple words like welcome, account, database, user, and so on
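The following SQL*Plus script is an added example, not code from the Oracle documentation reproduced on this page, and not the UTLPWDMG.SQL script itself. It implements the four checks listed above as a password verification function, attaches it to a profile that also configures account locking and password lifetime, creates a database-authenticated user on that profile, and shows the manual lock and expire actions described in this section. The function, profile and user names, the sample password, and the numeric limits are assumptions chosen for illustration.

```sql
-- Added example, not code from the Oracle documentation reproduced on this
-- page. The function, profile and user names, the password and the numeric
-- limits are assumptions chosen for illustration. Run as SYS in SQL*Plus:
-- Oracle requires a password verification function to be owned by SYS.

-- 1. A verification function implementing the four checks the page lists for
--    the sample UTLPWDMG.SQL routine. Oracle calls it with the user name, the
--    new password and the old password; it returns TRUE to accept the
--    password and raises an error to reject it.
CREATE OR REPLACE FUNCTION sys.demo_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN
IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    simple_words CONSTANT word_list :=
        word_list('welcome', 'account', 'database', 'user', 'password', 'oracle');
    alpha_chars  CONSTANT VARCHAR2(52) :=
        'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    digit_chars  CONSTANT VARCHAR2(10) := '0123456789';
    punct_chars  CONSTANT VARCHAR2(30) := '!"#$%&()*+,-./:;<=>?@[]^_{|}~';
    has_alpha    BOOLEAN := FALSE;
    has_digit    BOOLEAN := FALSE;
    has_punct    BOOLEAN := FALSE;
    c            VARCHAR2(1 CHAR);
BEGIN
    -- Rule 1: minimum of four characters.
    IF LENGTH(password) < 4 THEN
        raise_application_error(-20001, 'Password must be at least 4 characters');
    END IF;
    -- Rule 2: must not equal the user ID (compared case-insensitively).
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the user name');
    END IF;
    -- Rule 3: at least one letter, one digit and one punctuation mark.
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF    INSTR(alpha_chars, c) > 0 THEN has_alpha := TRUE;
        ELSIF INSTR(digit_chars, c) > 0 THEN has_digit := TRUE;
        ELSIF INSTR(punct_chars, c) > 0 THEN has_punct := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_alpha AND has_digit AND has_punct) THEN
        raise_application_error(-20003,
            'Password needs a letter, a digit and a punctuation mark');
    END IF;
    -- Rule 4: must not be on the list of simple words.
    FOR i IN 1 .. simple_words.COUNT LOOP
        IF LOWER(password) = simple_words(i) THEN
            raise_application_error(-20004, 'Password is too easily guessed');
        END IF;
    END LOOP;
    RETURN TRUE;
END;
/

-- 2. A profile that ties the function to account locking and password
--    lifetime. Time limits are expressed in days, so 1/24 is one hour.
--    Use PASSWORD_LOCK_TIME UNLIMITED instead if a locked account must stay
--    locked until a database administrator unlocks it.
CREATE PROFILE demo_secure_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_VERIFY_FUNCTION demo_verify_password;

-- 3. A database-authenticated user (user name plus password) on that profile.
--    The password below passes all four checks; "appdev" alone would not.
CREATE USER appdev IDENTIFIED BY "Dev#2024x" PROFILE demo_secure_profile;
GRANT CREATE SESSION TO appdev;

-- 4. The manual administrator actions described in this section.
ALTER USER appdev ACCOUNT LOCK;        -- stays locked until explicitly unlocked
ALTER USER appdev ACCOUNT UNLOCK;
ALTER USER appdev PASSWORD EXPIRE;     -- user must change it at next login

-- 5. Check the resulting account state (EXPIRED after the statement above).
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'APPDEV';
```

Two points worth noting. The verification function runs inside the ALTER USER or CREATE USER that sets the password, so a rejected password surfaces as the ORA-20001 to ORA-20004 message chosen above rather than as a silent failure. And the profile limits only apply to users assigned the profile; users left on DEFAULT keep whatever DEFAULT specifies, which UTLPWDMG.SQL tightens when it is run.
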

Multitier Authentication and Authorization

In a multitier environment, Oracle controls the security of middle-tier applications by limiting their privileges, preserving client identities through all tiers, and auditing actions taken on behalf of clients. In applications that use a heavy middle tier, such as a transaction processing monitor, the identity of the clients connecting to the middle tier must be preserved. One advantage of using a middle tier is connection pooling, which allows multiple users to access a data server without each of them needing a separate connection. In such environments, you need to be able to set up and break down connections very quickly.

For these environments, database administrators can use the Oracle Call Interface to create lightweight sessions, which allow database password authentication for each user. This method preserves the identity of the real user through the middle tier without the overhead of a separate database connection for each user.

You can create lightweight sessions with or without passwords. However, if a middle tier is outside or on a firewall, then security is better when each lightweight session has its own password. For an internal application server, lightweight sessions without passwords might be appropriate.

Issues of administration and security in multitier environments are discussed in the following sections:

Clients, Application Servers, and Database Servers

In a multitier environment, an application server provides data for clients and serves as an interface from them to one or more database servers. The application server can validate the credentials of a client, such as a Web browser, and the database server can audit operations performed by the application server. These auditable operations include actions performed by the application server on behalf of clients, such as requests that information be displayed on the client. A request to connect to the database server is an example of an application server operation not related to a specific client.


While client-side authentication is possible, Oracle strongly recommends disabling it by setting the REMOTE_OS_AUTHENT parameter to FALSE.

Authentication in a multitier environment is based on trust regions. Client authentication is the domain of the application server. The application server itself is authenticated by the database server. The following operations are performed:

The client provides proof of authenticity to the application server, typically by using a password or an X.509 certificate.

The application server authenticates the client and then authenticates itself to the database server.

The database server authenticates the application server, verifies that the client exists, and verifies that the application server has the privilege to connect for this client.

Application servers can also enable roles for a client on whose behalf they connect. The application server can obtain these roles from a directory, which thus serves as an authorization repository. The application server can only request that these roles be enabled. The database verifies the following requirements:

That the client has these roles, by checking its internal role repository

That the application server has the privilege to connect on behalf of the user, and thus to use these roles as the user could

Figure 4-2 shows an example of multitier authentication.

Figure 4-2 Multitier Authentication

Description of "Figure 4-2 Multitier Authentication"

Security Issues for Middle-Tier Applications

Security for middle-tier applications must address the following key issues:

Accountability: The database server must be able to distinguish between the actions of a client and the actions an application takes on behalf of a client. It must be possible to audit both kinds of actions.

Differentiation: The database server must be able to distinguish between a client accessing the database directly and an application server acting either for itself or on behalf of a Web browser client.

Least privilege: Users and middle tiers should be given the fewest privileges necessary to perform their actions, to minimize the risk of inadvertent or malicious harmful activities.
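The following SQL*Plus script is an added example, not code from the Oracle documentation reproduced on this page. It sets up, on the database side, the trust relationship described in the operations list above and then shows how the accountability and differentiation requirements are met: the middle tier gets its own minimal account, the client keeps a database identity and a restricted role, the database is told which roles the middle tier may enable for that client and whether a client password is required, and the audit trail and session context keep both identities apart. The user names appsrv and jsmith, the role hr_reader, the HR sample table and the passwords are assumptions chosen for illustration.

```sql
-- Added example, not code from the Oracle documentation reproduced on this
-- page. appsrv, jsmith, hr_reader, hr.employees and the passwords are
-- assumptions chosen for illustration. Run as a DBA.

-- The middle tier connects under its own account. It needs only the
-- ability to establish sessions (least privilege for the server).
CREATE USER appsrv IDENTIFIED BY "Srv#Pool1";
GRANT CREATE SESSION TO appsrv;

-- The real user keeps a database identity and a narrow role; the
-- application server may act as this user, but only with that role.
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees TO hr_reader;
CREATE USER jsmith IDENTIFIED BY "Js#Secret9";
GRANT CREATE SESSION, hr_reader TO jsmith;

-- Authorize appsrv to open a lightweight (proxy) session for jsmith with
-- only hr_reader enabled. AUTHENTICATED USING PASSWORD means the middle
-- tier must also present jsmith's own password: the stronger form the
-- page recommends when the middle tier sits outside or on a firewall.
ALTER USER jsmith GRANT CONNECT THROUGH appsrv
    WITH ROLE hr_reader
    AUTHENTICATED USING PASSWORD;

-- For an internal application server the same grant without a client
-- password would read:
--   ALTER USER jsmith GRANT CONNECT THROUGH appsrv WITH ROLE hr_reader;

-- Accountability: audit what appsrv does on behalf of any client as
-- distinct from what appsrv does for itself.
AUDIT SELECT TABLE BY appsrv ON BEHALF OF ANY;

-- Differentiation: inside a proxy session (opened from OCI, or in
-- SQL*Plus as CONNECT appsrv[jsmith]/... for the no-password form) the
-- database still sees both identities.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS acting_user,   -- JSMITH
       SYS_CONTEXT('USERENV', 'PROXY_USER')          AS middle_tier,   -- APPSRV
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_TYPE') AS auth_type      -- PROXY
  FROM dual;

-- Review which proxy grants exist, and the audit records they produced.
SELECT proxy, client, authentication, role FROM proxy_users;

SELECT username, proxy_sessionid, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'JSMITH'
   AND proxy_sessionid IS NOT NULL;
```

Audit records for statements run inside the proxy session carry the client's user name together with a non-null PROXY_SESSIONID, while statements appsrv runs for itself carry appsrv's name and no proxy session, which is exactly the distinction the accountability requirement calls for. Revoking the trust is a single statement (ALTER USER jsmith REVOKE CONNECT THROUGH appsrv) and does not touch jsmith's own credentials.
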

Identity Issues in a Multitier Environment

Multitier authentication maintains the identity of the client through all tiers of the connection in order to maintain useful audit records. If the identity of the originating client is lost, then specific accountability of that client is lost. It becomes impossible to distinguish operations performed by the application server on behalf of the client from those done by the application server by itself.

Restricted Privileges in a Multitier Environment

Privileges in a multitier environment must be limited to those necessary to perform the requested operation.

Client Privileges

Client privileges should be as limited as possible in a multitier environment. Operations are performed on behalf of the client by the application server.

Application Server Privileges

Application server privileges in a multitier environment must also be limited, so that the application server cannot perform unwanted or unneeded operations while performing a client operation.

See Also:

Chapter 10, "Administering Authentication", and the Oracle Database Administrator's Guide, for more information about multitier authentication

Authentication of Database Administrators

Database administrators perform special operations (such as shutting down or starting up a database) that should not be performed by normal database users. Oracle provides for secure authentication of database administrator user names, for which you can choose either operating system authentication or password files.

Figure 4-3 illustrates the choices you have for database administrator authentication schemes. Different choices apply to administering your database locally (on the machine where the database resides) and to administering many different database machines from a single remote client.

Figure 4-3 Database Administrator Authentication Methods

Description of "Figure 4-3 Database Administrator Authentication Methods"

Operating system authentication for a database administrator typically involves establishing a group on the operating system, assigning DBA privileges to that group, and then adding the names of persons who should have those privileges to that group. On UNIX systems, the special group is called the dba group.

On Microsoft Windows systems, users who connect with the SYSDBA privilege can take advantage of Windows native authentication. If these users work with Oracle Database using their domain accounts, then you must explicitly grant them local administrative privileges and ORA_DBA membership.

The database uses password files to keep track of those database user names that have been granted the SYSDBA and SYSOPER privileges. These privileges enable the following operations and capabilities:

SYSOPER lets database administrators perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER. SYSOPER also includes the RESTRICTED SESSION privilege.

SYSDBA contains all system privileges with ADMIN OPTION, including the SYSOPER system privilege, and permits CREATE DATABASE and time-based recovery.

Connections that are to receive the SYSDBA or SYSOPER privilege must request it with the AS SYSDBA or AS SYSOPER phrase; a connection made without the phrase does not receive the privilege, and for the SYS account it fails. The parameter O7_DICTIONARY_ACCESSIBILITY is set to FALSE by default, to limit sensitive data dictionary access to those authorized. The parameter also enforces the required AS SYSDBA or AS SYSOPER syntax.

See Also:

Your operating system-specific Oracle documentation for information about configuring operating system authentication of database administrators

Oracle Database 10g Release 2 (10.2) enhances password file based authentication by making it easier to use. The following enhancements have been made:

Password file based authentication is enabled by default. This means that the database is ready to use a password file for authenticating users that have SYSDBA or SYSOPER system privileges. Password file based authentication is activated as soon as you create a password file using the ORAPWD utility.

A password file containing users with SYSDBA or SYSOPER privileges can be shared between different databases. You can have a shared password file that contains users in addition to the SYS user.

In order to share a password file between different databases, the REMOTE_LOGIN_PASSWORDFILE parameter needs to be changed to SHARED in the init.ora file. The default value of this parameter is EXCLUSIVE, which is the recommended setting.
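The following SQL*Plus session is an added example, not code from the Oracle documentation reproduced on this page. It walks through both administrator authentication schemes described in this section on a UNIX host: an operating system authenticated connection by a member of the dba group, creation of the password file with ORAPWD, the REMOTE_LOGIN_PASSWORDFILE setting, granting SYSOPER and SYSDBA to a named administrator, and a remote connection that requests the privilege with the AS SYSOPER phrase. The instance name orcl, the path, the user name dba_jsmith and the passwords are assumptions chosen for illustration.

```sql
-- Added example, not code from the Oracle documentation reproduced on this
-- page. The ORACLE_SID (orcl), the file path, the user dba_jsmith and the
-- passwords are assumptions chosen for illustration. Meant to be run in
-- SQL*Plus on the database host by a member of the OS dba group.

-- 1. Operating system authentication: a member of the OS dba group
--    (ORA_DBA on Windows) connects AS SYSDBA with no password. The "/"
--    means "use my operating system identity".
CONNECT / AS SYSDBA

-- 2. Create the password file. ORAPWD is an operating system utility, so
--    it is run here through the SQL*Plus HOST command. The password
--    given becomes the SYS password held in the file; on UNIX the default
--    file name is $ORACLE_HOME/dbs/orapw<SID>.
HOST orapwd file=$ORACLE_HOME/dbs/orapworcl password=SysS3cretX entries=10

-- 3. The instance must be told how to use the file. EXCLUSIVE (the
--    default and the recommended setting) binds the file to this one
--    database and allows named users to be added; SHARED lets several
--    databases use one file. The parameter is static, so a change via
--    SPFILE only takes effect after the instance is restarted.
SHOW PARAMETER remote_login_passwordfile
-- ALTER SYSTEM SET remote_login_passwordfile = EXCLUSIVE SCOPE = SPFILE;

-- 4. Grant administrative privileges to a named administrator. The grant
--    is recorded in the password file (it requires the EXCLUSIVE setting),
--    so it is available before the database is open.
CREATE USER dba_jsmith IDENTIFIED BY "Adm#Pass7";
GRANT SYSOPER TO dba_jsmith;   -- startup, shutdown, mount, backup, archive log, recover
GRANT SYSDBA  TO dba_jsmith;   -- all system privileges, CREATE DATABASE included

-- 5. Verify who the password file authorizes.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 6. Connect from a remote client using the password file. The AS SYSOPER
--    phrase is what requests the privilege; without it the same user name
--    and password only yield an ordinary session.
CONNECT dba_jsmith/"Adm#Pass7"@orcl AS SYSOPER

-- What a SYSOPER session is allowed to do (left commented out so that
-- running this script does not take the database down):
-- SHUTDOWN IMMEDIATE
-- STARTUP
```

The practical check after any change to the file is the v$pwfile_users query in step 5: an administrator who can still CONNECT / AS SYSDBA from the host but does not appear there is relying on operating system group membership, not on the password file, and will not be able to administer the instance remotely.
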