Oracle7 Getting Started for Windows NT

Library

Product

Contents

Index

Administering a Database

Managing Oracle Database Services
Starting Up and Shutting Down a Database with Server Manager
Running Multiple Instances
Integrating Database User Authentication with Windows NT
Authenticating Database Administrators
Granting Database Roles with Windows NT
Encrypting Database Passwords
Refreshing Table Snapshots

Managing Oracle Database Services

Oracle Database Services

For each database on your system there are two Oracle services. The SID in the service names is the sid name used at service creation time.

Oracle Services Description
OracleServicesid

Runs an Oracle7 database.

OracleStartsid

Starts an Oracle7 database when Windows NT starts.

The OracleStartsid service may or may not be present depending on the startup type of the database. If the Oracle services were created using the AUTO startmode with the NT Instance Manager, both services will be present.

Starting Oracle Services

When both the Oracle services are created, their startup type is set to Automatic. Therefore, the Oracle services should have the status Started. This can be verified in the Windows NT Control Panel. If the Oracle services are not started, you must start them before starting the database. You can start the Oracle services from the Control Panel or the command prompt.

From the Control Panel:

Go to the Services dialog box:

If Using Then...
Windows NT 3.51

Open Main->Control Panel->Services

Windows NT 4.0

Go to Start->Settings->Control Panel->Services
Find OracleServicesid in the list, and check that the status is Started. If OracleServicesid is not Started, select it, and choose Start.

From the command prompt, enter:

C:\> NET START OracleServicesid

If the Oracle service you are looking for is not found in the Control Panel, then create it with NT Instance Manager, in command line mode. Do not use the GUI mode of NT Instance Manager as it will try to create the database as well as the Oracle services.

Additional Information See the chapter "Using Tools and Utilities" for more information on using Instance Manager command line.

Stopping Oracle Services

The Oracle services can be stopped from the Control Panel or the command prompt.

From the Control Panel:

Go to the Services dialog box:

If Using Then...
Windows NT 3.51

Open Main->Control Panel->Services

Windows NT 4.0

Go to Start->Settings->Control Panel->Services
Select the Oracle service, and choose Stop.

From the command prompt, enter:

C:\> NET STOP OracleServicesid

Starting Up and Shutting Down a Database with Server Manager

Starting Up a Database

Before starting up a database, ensure that the services for the database have been created and the OracleServicesid service is started. To start a database:

Set the default and local SID. Replace sid with the actual SID name.

C:\> SET ORACLE_SID=sid

C:\> SET LOCAL=2:sid
Note there are no space characters around the equal sign characters.
Run Server Manager from the command prompt:
```
C:\> SVRMGR23
```
Connect to the database using your username. For example,
```
SVRMGR> CONNECT INTERNAL /password
```
Start the database by entering the following:
```
SVRMGR> STARTUP [PFILE=path\filename] 
```
You do not need to specify the PFILE option if the initialization parameter file for the database is called INITsid.ORA and located in the ORANT\DATABASE directory, where ORANT is your Oracle Home directory. Otherwise, the complete path and file name must be specified, as in:
```
SVRMGR> STARTUP PFILE=D:\SOMEDIR\MYINIT.ORA 
```
Note that there are no space characters around the equal sign character.

Shutting Down a Database

Shut down a database by entering the following at the Server Manager prompt:

SVRMGR> SHUTDOWN mode

where mode is:

Normal

The database waits for all currently connected users to disconnect and disallows any new connections before shutting down. This is the default mode.

Immediate

The database terminates and rolls back active transactions, disconnects clients, and shuts down.

Abort

The database terminates active transactions and disconnects users; it does not roll back transactions. The database performs automatic recovery and rollback the next time it is started. Use this mode only in emergencies.

Note: Refer to the chapter "Using Tools and Utilities" in this Getting Started for a list of other tools that can shut down the database.

Running Multiple Instances

When multiple databases run on a single Windows NT machine, there are multiple OracleServicesid services and multiple sets of database files. Remember that in order to start a database, Server Manager connects to a service, and tells the service to open a database.

WARNING It is possible to accidentally attempt to open a single database with two different OracleServicesid services because a service is not restricted to opening any particular database. This leads to database corruption in most situations. Always set the ORACLE_SID and specify the PFILE option when starting a database, as described in "Starting Up and Shutting Down a Database with Server Manager" to prevent such a disaster.

Integrating Database User Authentication with Windows NT

This section describes how to authenticate non-privileged database users (users who are not Database Administrators) using the Windows NT operating system, without requiring passwords at the database level.

Note: See the chapter "Managing Users and Resources" in the Oracle7 Server Administrator's Guide for general information on authenticating users.

When you use Windows NT to authenticate non-privileged users, your database relies on Windows NT to restrict access to database accounts. A database password is not needed for this type of logon.

To use Windows NT for non-privileged user authentication:

Set the OS_AUTHENT_PREFIX parameter in the INITsid.ORA file, and use this prefix in Oracle usernames. The default value for this parameter is OPS$.
Create an operating system authenticated user by entering the following:
```
SVRMGR> CREATE USER OPS$USERID IDENTIFIED EXTERNALLY;
```
where:

OPS$

is the value set for the OS_AUTHENT_PREFIX initialization parameter.

USERID

identifies the user's Windows NT username.

For example, to authenticate a user whose Windows NT username is FRANK, when the OS_AUTHENT_PREFIX is set to XYZ, enter:

SVRMGR> CREATE USER XYZFRANK IDENTIFIED EXTERNALLY;

If you access a shared resource on the Oracle7 Server from a Windows NT or Windows 95 workstation, and connect to the Oracle7 Server, then you need not enter your Oracle7 username. For example, using Server Manager enter:

SVRMGR> CONNECT /@destination

where @destination is the SQL*Net 2.3 alias of the remote database.

Oracle7 searches the data dictionary tables for an automatic logon username corresponding to the Windows NT username of FRANK, verifies it, and allows you to connect as XYZFRANK. As the Oracle7 username is the whole name XYZFRANK, all objects created by XYZFRANK (that is tables, views, indexes, etc.) are prefixed by this name. For another user to reference the table SHARK owned by XYZFRANK, the user must enter:

SVRMGR> SELECT * FROM XYZFRANK.SHARK

Note: SQL*Net version 2.3 suports automatic authorization accounts for all protocols. The user must be already authenticated on the Windows NT workstation or server running the Oracle7 Server. An authenticated connection is established between the client's workstation and the Windows NT workstation or server when a shared resource is accessed and the correct username/password are supplied.

Note: You can set OS_AUTHENT_PREFIX to the null string (a set of double quotes with no string included, ""). This eliminates the need for any prefix to the Windows NT usernames.

Note: No other changes are required in the initialization parameter file to enable automatic logon.

Authenticating Database Administrators

You authenticate Database Administrators for Oracle7 Server for Windows NT using any of these methods:

Using Password Files
Using Operating System Authentication
Connecting as SYSOPER and SYSDBA
Connecting as INTERNAL

Note: See the chapter "The Oracle7 Database Administrator" in Oracle7 Server Administrator's Guide for more information on selecting a Database Administrator authentication method.

Using Password Files

The Instance Manager creates password files as part of the process of creating an instance. Password files are located in the ORANT\DATABASE directory and are of the form PWDsid.ORA where sid identifies the instance. A password file contains two essential elements:

PASSWORD

Sets the password for INTERNAL and SYS accounts.

ENTRIES

Sets the maximum number of entries in the password file. This corresponds to the maximum number of distinct users allowed to connect to the database with the SYSDBA and SYSOPER DBA roles.

Use Server Manager to add or delete user names, user passwords, and user privileges in password files.

Note: In addition to creating the password file you must also set the REMOTE_LOGIN_PASSWORDFILE to the appropriate value.

NONE

Indicates that Oracle7 ignores the password file and that privileged users are authenticated by the Windows NT operating system.

EXCLUSIVE

Indicates that only one database can use the password file and that the password file contains names other than SYS and INTERNAL. Oracle7 looks in the Windows NT Registry for the value of the ORA_sid_PWFILE parameter. If a value is unspecified, it looks in the Windows NT Registry for the value of the ORA_PWFILE parameter, which points to a file containing the INTERNAL password as well as user names, passwords, and privileges. If that parameter is not set, it uses the default of ORANT\DATABASE\PWDsid.ORA.

SHARED

Indicates that more than one database can use the password file. However, the only users recognized by the password file are SYS and INTERNAL. You cannot log in with SYSOPER or SYSDBA privileges even if those privileges are granted in the password file. The SHARED value of this parameter affords backward compatibility with earlier releases of Oracle7. Oracle7 looks for the same files as it does when the value is EXCLUSIVE, but only the INTERNAL account is available for privileged access. SHARED is the default value.

CAUTION: Do not move or copy password files manually; use Instance Manager to move or copy files. If you manually copy a password file, the Instance Manager may not be able to find a password to start an instance.

Using Operating System Authentication

If you choose, you can have the Windows NT operating system authenticate database administrator users. To use operating system authentication:

Set up the database administrator user to be authenticated by the operating system.
Ensure that the REMOTE_LOGIN_PASSWORDFILE initialization parameter is set to NONE. Setting this parameter to NONE causes Windows NT to ignore the password file. REMOTE_LOGIN_PASSWORDFILE can have the value NONE, EXCLUSIVE, or SHARED as described above.
An authenticated database administrator can now connect to a local or remote database over a secure connection by entering the following commands:
```
CONNECT / AS SYSOPER
```
```
CONNECT / AS SYSDBA
```

Connecting as SYSOPER and SYSDBA

Database Administrators who use CONNECT INTERNAL from a client workstation can belong to these groups:

ORA_OPER
ORA_DBA
ORA_%SID%_DBA
ORA_%SID%_OPER

The SYSDBA and SYSOPER roles are mapped as follows:

SYSDBA>  ORA_%SID%_DBA, ORA_DBA

SYSOPER> ORA_%SID%_OPER, ORA_OPER

For example, if an authenticated connection exists between a client workstation and a Windows NT computer running Oracle7 (with the authenticated username being NTUSER2), then Oracle7 searches for the username NTUSER2 in group ORA_ORCL_DBA when the user enters the command:

SVRMGR> connect / as sysdba

If the username NTUSER2 is located, the user is given DBA privileges. If not found, Oracle7 checks the global group ORA_DBA.

Connecting as INTERNAL

There are two ways to connect as INTERNAL to Oracle7 Server for Windows NT:

with a password (using a password file)
without a password (using operating system authentication)

This section describes both types of connections.

Note: The password for INTERNAL is ORACLE if you installed Oracle7 using the Oracle7 Server Products installation option. If you installed Oracle7 Server using the Custom Installation option, the password is whatever you entered when prompted during installation.

Note: When the REMOTE_LOGIN_PASSWORDFILE initialization parameter is set to NONE, connecting remotely to a database as INTERNAL is prohibited even if the correct password is supplied.

Connecting as INTERNAL with a Password

To connect as INTERNAL with a password:

Create a password file using the ORAPWD73 utility.
Set the REMOTE_LOGIN_PASSWORDFILE initialization parameter to EXCLUSIVE or SHARED.
Connect to your database as follows:
```
SVRMGR> CONNECT INTERNAL/password
```

Connecting as INTERNAL without a Password

You may connect as INTERNAL without a password, from:

Local Windows NT client to a Windows NT server on the same computer
Remote Windows NT client
Remote Windows 95 client

Remote Windows 3.1 client

Note: Oracle7 Server for Windows NT does not support setting the Windows NT Registry DBA_AUTHORIZATION parameter to the value of BYPASS. However, you can set the DBA_AUTHORIZATION in the Windows NT Registry on the client side to the value of the password for INTERNAL.

To connect as INTERNAL without a password, you must install SQL*Net Server version 2.3 on a server and SQL*Net Client version 2.3 on a client. Both products include the Windows NT Authentication Adapter, which enables a user to make secure Windows NT and Windows 95 client connections to Oracle7 Server for Windows NT without a password. To do this, you must create a new local Windows NT users group and add a Windows NT operating system user to that group. This enables you to log into a Windows NT domain, of which your Oracle7 Server for Windows NT is just one of many resources to which you have access. Once you access this domain, you are automatically validated as an authorized DBA who can access the Oracle7 Server for Windows NT without a password.

To create a user account that uses the Windows NT Authentication Adapter:

Identify a Windows NT user account on your Oracle7 Server for Windows NT server.
Set the REMOTE_LOGIN_PASSWORDFILE parameter to EXCLUSIVE or SHARED.
Create a new local user group called ORA_sid_DBA or ORA_DBA with the Windows NT User Manager:
a. Open the Windows NT User Manager.

b. Select User->New Local Group... from the top menu.
The New Local Group dialog box appears.
c. Create a database role in the Group Name field with the following syntax:
ORA_sid_DBA (specific to one instance)

ORA_DBA (specific to all instances)
Both these roles have DBA privileges.
d. Click OK.
The database group appears in the Groups list at the bottom of the User Manager Utility main screen.

e. Double-click the new group in the Groups list.
The Local Group Properties dialog box appears.

f. Click Add.
The Add Users and Groups dialog box appears.

g. Select the Windows NT user account you created in Step 1 and choose Add.

h. Click OK to grant the database role to the NT user account.
The Windows NT user account appears in the Local Group Properties dialog box.

i. Click OK.
You are returned to the User Manager main window.

j. Exit User Manager.
Create a shared drive or printer on your Oracle7 Server for Windows NT computer..
Connect to the shared drive or printer from your Windows NT, Windows 95 or Windows 3.1 client with the Windows NT user account you created earlier.
You are now connected to your Windows NT domain and its resources.
Open an Oracle tool such as SQL*Plus or Server Manager.

Enter the following command to access the Oracle7 Server for Windows NT:

For Windows NT local and remote logon

CONNECT INTERNAL/@connect_string
where service_name maps to the database alias.

For Windows 95 remote logon

CONNECT /@connect_string

For Windows 3.1 remote logon

CONNECT /@connect_string

Granting Database Roles with Windows NT

Oracle7 Server for Windows NT allows database roles to be granted to users directly by Windows NT. When users are enrolled using the automatic authenticated accounts, Windows NT groups can be used to grant these users database roles. Windows NT groups are created by using the Windows NT User Manager utility.

Additional Information See the Oracle7 Server Administrator's Guide for more information on database roles.

When you use Windows NT to authenticate users, you can operate the database so that it uses Windows NT groups to identify a user's database roles when they create a database session. Use the Windows NT User Manager utility to create, grant, or revoke database roles to users:

Set the value of the OS_ROLES initialization parameter to TRUE. The default setting for this parameter is FALSE.
Start, or restart, the database instance.
Open the Windows NT User Manager utility.
Select User->New Local Group... from the top menu.
The New Local Group dialog box appears.

Create a database role in the Group Name field with the following syntax:

ORA_SID_ROLENAME [_D] [_A]

where:

SID

Indicates the database instance.

ROLE_NAME

Identifies the database role granted to users of a database session.

D

Optional character that indicates that this database role is to be the default role of the database user. If specified, this character must be preceded by an underscore. (_D)

A

Optional character that indicates that this database role includes the ADMIN OPTION. This allows the user to grant the role to other roles only. If specified, this character must be preceded by an underscore. (_A)

Click OK.
The database group appears in the Groups list at the bottom of the User Manager Utility main screen.
Double-click the new group in the Groups list.
The Local Group Properties dialog box appears.
Click Add.
The Add Users and Groups dialog box appears.
Select a user and choose Add.
Click OK.
The user appears in the Local Group Properties dialog box.

Click OK.

The User Manager main window appears.

Using this syntax appropriately, you can convert the database roles in the following table to Windows NT groups. Then users who are connecting to the ORCL instance and authenticated by Windows NT and members of all four groups will have the privileges associated with ROLE2 and ROLE4 by default. ROLE1 and ROLE3 are available for use by the user if they use the SET ROLE command. Additionally, users can grant ROLE3 and ROLE4 to other roles:

Database Roles Windows NT Groups
ORA_ORCL_ROLE1

ORA_ORCL_ROLE1

ORA_ORCL_ROLE2

ORA_ORCL_ROLE2_D

ORA_ORCL_ROLE3

ORA_ORCL_ROLE3_A

ORA_ORCL_ROLE4

ORA_ORCL_ROLE4_DA

Note: All privileges for these roles are active when the user connects. When using operating system roles, all roles are granted and managed through the operating system. You cannot use both operating system roles and Oracle roles at the same time.

Note: When Oracle7 converts the group name to a role name, it changes the name to uppercase letters.

When OS_ROLES is set to TRUE in the INITsid.ORA file, it is important to understand how roles, and the privileges granted to these roles, are obtained by Oracle users whose IDs are not defined externally.

For example, assume an authenticated connection exists between a client workstation and a Windows NT computer running Oracle7. The user then connects over SQL*Net version 2.3 with the Oracle username SCOTT/TIGER. The roles applied to the Oracle username SCOTT consist of all roles defined for the Windows NT user account that were mapped to the database roles above. All roles available under an authenticated connection are determined by the Windows NT user ID and the groups available to the user.

Encrypting Database Passwords

With this release of the Oracle7 Server for Windows NT, you can encrypt the password used to verify a remote database connection. Enable password encryption by:

Setting the DBLINK_ENCRYPT_LOGIN initialization parameter on the server computer to TRUE.
Setting the ORA_ENCRYPT_LOGIN configuration variable on the client computer to TRUE.

Once these parameters are set to TRUE, whenever a user attempts log on remotely, Oracle7 encrypts the password before sending it to the remote database. If the connection fails, the failure is noted in the audit log. Oracle7 then checks if either of these parameters is set to FALSE. If so, Oracle7 attempts the connection again using an unencrypted version of the password. If the connection is successful, the success is noted in the audit log, and the connection proceeds.

Note: Releases prior to version 7.1 do not support encrypted passwords. If you are connecting to an earlier version of Oracle Server, you must set the initialization parameter DBLINK_ENCRYPT_LOGIN to FALSE for the connection to succeed.

Refreshing Table Snapshots

Oracle7 Server for Windows NT allows you to create copies of a remote database table. These copies, referred to as table snapshots, can reside on multiple nodes of a distributed database. Snapshots allow users to query copies of remote tables on a local Oracle7 Server, thereby reducing network traffic.

The information in a table snapshot is periodically updated, or refreshed, to reflect the most recent information in the original table from which it was created.

Note: See Oracle7 Server Administrator's Guide for information on creating and managing table snapshots.

Oracle7 Server for Windows NT also creates one or more background threads called Snapshot Refresh threads, which can periodically refresh snapshots. Several Snapshot initialization parameters control refresh threads including:

SNAPSHOT_REFRESH_PROCESSESS
SNAPSHOT_REFRESH_INTERVAL

SNAPSHOT_REFRESH_KEEP_CONNECTION

Additional Information Oracle7 Server SQL Reference lists these initialization parameters, their default values, and the range of acceptable values, as well as providing explanations of these parameters.

Note: Snapshot refresh threads are only available with the Distributed Option of Oracle7 Server for Windows NT.

Prev Next

Library

Product

Contents

Index

Oracle Services	Description
OracleServicesid	Runs an Oracle7 database.
OracleStartsid	Starts an Oracle7 database when Windows NT starts.

If Using	Then...
Windows NT 3.51	Open Main->Control Panel->Services
Windows NT 4.0	Go to Start->Settings->Control Panel->Services

Normal	The database waits for all currently connected users to disconnect and disallows any new connections before shutting down. This is the default mode.
Immediate	The database terminates and rolls back active transactions, disconnects clients, and shuts down.
Abort	The database terminates active transactions and disconnects users; it does not roll back transactions. The database performs automatic recovery and rollback the next time it is started. Use this mode only in emergencies.

OPS$	is the value set for the OS_AUTHENT_PREFIX initialization parameter.
USERID	identifies the user's Windows NT username.

PASSWORD	Sets the password for INTERNAL and SYS accounts.
ENTRIES	Sets the maximum number of entries in the password file. This corresponds to the maximum number of distinct users allowed to connect to the database with the SYSDBA and SYSOPER DBA roles.

NONE	Indicates that Oracle7 ignores the password file and that privileged users are authenticated by the Windows NT operating system.
EXCLUSIVE	Indicates that only one database can use the password file and that the password file contains names other than SYS and INTERNAL. Oracle7 looks in the Windows NT Registry for the value of the ORA_sid_PWFILE parameter. If a value is unspecified, it looks in the Windows NT Registry for the value of the ORA_PWFILE parameter, which points to a file containing the INTERNAL password as well as user names, passwords, and privileges. If that parameter is not set, it uses the default of ORANT\DATABASE\PWDsid.ORA.
SHARED	Indicates that more than one database can use the password file. However, the only users recognized by the password file are SYS and INTERNAL. You cannot log in with SYSOPER or SYSDBA privileges even if those privileges are granted in the password file. The SHARED value of this parameter affords backward compatibility with earlier releases of Oracle7. Oracle7 looks for the same files as it does when the value is EXCLUSIVE, but only the INTERNAL account is available for privileged access. SHARED is the default value.

SID	Indicates the database instance.
ROLE_NAME	Identifies the database role granted to users of a database session.
D	Optional character that indicates that this database role is to be the default role of the database user. If specified, this character must be preceded by an underscore. (_D)
A	Optional character that indicates that this database role includes the ADMIN OPTION. This allows the user to grant the role to other roles only. If specified, this character must be preceded by an underscore. (_A)

Database Roles	Windows NT Groups
ORA_ORCL_ROLE1	ORA_ORCL_ROLE1
ORA_ORCL_ROLE2	ORA_ORCL_ROLE2_D
ORA_ORCL_ROLE3	ORA_ORCL_ROLE3_A
ORA_ORCL_ROLE4	ORA_ORCL_ROLE4_DA