Encrypting data in transit

User516490-OC, Sep 26 2014 (edited Sep 28 2014)

Hi Gurus,

Oracle 11203

RHEL 6

I'm in the process of setting up network encryption for the client. The Java application (JBoss) uses the thin client, and I have the parameters below set up in the sqlnet.ora on the DB server. I don't really have to set up the relevant parameters on the client side (I have many clients) since I'm controlling the encryption from the database, correct?

What encryption algorithm should I be using to have little impact with adequate security? And how do I make sure that communication does not fail with any of the clients?

SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES128,RC4_256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
SQLNET.CRYPTO_SEED="vbnmjhyuiotrewsdfghlklnbvdsyuj"

Regards
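The question above turns on how Oracle Net negotiates the server-side REQUIRED setting against clients that carry no encryption settings of their own. The script below is an added example for this thread, not code from the original post or from Oracle; it parses sqlnet.ora-style parameters, applies the negotiation outcome matrix and algorithm-selection rule as I understand them from the Oracle Advanced Security Guide (treated here as assumptions: the client default level is ACCEPTED, a side with no algorithm list accepts any installed algorithm, and the server picks the first entry in its own list that the client also offers), and reports what a reviewer would flag: weak algorithms left in the offered lists, a negotiation that ends in clear text or a refused connection, and a client/server pair with no common algorithm. The sample configurations are constructed for the example; the literal seed from the post is replaced by a placeholder. Note that the thin JDBC driver in the question reads no sqlnet.ora; its equivalent settings are driver connection properties, and with none set the client default applies.

```python
import re

# Negotiation levels defined by Oracle Net for the SQLNET.ENCRYPTION_* and
# SQLNET.CRYPTO_CHECKSUM_* parameters.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Algorithms a reviewer would not want offered any more: RC4 and DES are
# broken ciphers, MD5 a broken hash. Constructed list for this example.
WEAK = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40", "MD5"}


def negotiate(server_level, client_level="ACCEPTED"):
    """Outcome of one *_SERVER level meeting one *_CLIENT level.

    Returns 'ON' (service active), 'OFF' (clear text) or 'FAIL' (connection
    refused). Assumption: the matrix as documented in the Oracle Advanced
    Security Guide; the documented client default is ACCEPTED.
    """
    s, c = server_level.upper(), client_level.upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown negotiation level: {server_level!r}/{client_level!r}")
    if {s, c} == {"REQUIRED", "REJECTED"}:
        return "FAIL"          # one side insists, the other refuses
    if "REJECTED" in (s, c):
        return "OFF"           # any REJECTED side switches the service off
    if s == c == "ACCEPTED":
        return "OFF"           # neither side asked for it
    return "ON"


def select_algorithm(server_list, client_list=None):
    """First algorithm in the server's list that the client also offers.

    Assumption: a side without a list accepts every installed algorithm, so
    client_list=None matches anything. None means no common algorithm, which
    Oracle reports as ORA-12650 at connect time.
    """
    for alg in server_list:
        if client_list is None or alg in client_list:
            return alg
    return None


def parse_sqlnet(text):
    """Parse KEY=VALUE and KEY=(A,B,C) lines of a sqlnet.ora fragment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        if value.startswith("(") and value.endswith(")"):
            params[key] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value.strip('"')
    return params


def review(server, client=None):
    """Findings for a server-side sqlnet.ora against a client-side one.

    A client without settings (None or {}) models a client that ships no
    sqlnet.ora at all, which is the situation described in the question.
    """
    client = client or {}
    findings = []
    for kind in ("ENCRYPTION", "CRYPTO_CHECKSUM"):
        s_level = server.get(f"SQLNET.{kind}_SERVER", "ACCEPTED")
        c_level = client.get(f"SQLNET.{kind}_CLIENT", "ACCEPTED")
        outcome = negotiate(s_level, c_level)
        if outcome != "ON":
            findings.append(f"{kind}: server={s_level.upper()} client={c_level.upper()} -> {outcome}")
        s_types = server.get(f"SQLNET.{kind}_TYPES_SERVER", [])
        c_types = client.get(f"SQLNET.{kind}_TYPES_CLIENT")   # None = accepts anything
        for alg in s_types:
            if alg in WEAK:
                findings.append(f"{kind}: weak algorithm {alg} offered")
        if s_types and select_algorithm(s_types, c_types) is None:
            findings.append(f"{kind}: no common algorithm with client (ORA-12650)")
    return findings


# Constructed sample: the server parameters from the question, seed replaced.
SERVER_AS_POSTED = """
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES128,RC4_256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
SQLNET.CRYPTO_SEED="<random seed placeholder>"
"""

# Constructed hardened variant: same levels, only AES and SHA1 offered.
SERVER_HARDENED = """
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)
"""

# Constructed client variants used to show the two failure modes.
CLIENT_RC4_ONLY = "SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_256)\n"
CLIENT_REJECTS = "SQLNET.ENCRYPTION_CLIENT=REJECTED\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", SERVER_AS_POSTED), ("hardened", SERVER_HARDENED)):
        print(f"[{label}] client with no settings:", review(parse_sqlnet(cfg)) or "no findings")
    hardened = parse_sqlnet(SERVER_HARDENED)
    print("[hardened] RC4-only client:", review(hardened, parse_sqlnet(CLIENT_RC4_ONLY)))
    print("[hardened] client set to REJECTED:", review(hardened, parse_sqlnet(CLIENT_REJECTS)))
```

Run as is, the posted configuration negotiates to ON for both services against a settings-less client (REQUIRED meets the ACCEPTED default), but the review still flags RC4_256 and MD5 as offered; the hardened variant is clean, and the two constructed clients show the cases where a connection would fail rather than silently fall back to clear text.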

Comments

2810868

1. As far as I know, to be able to use the DB client's encryption it is necessary to have the Advanced Security licence. But this needs additional clarification.

2. The definitions you specified above are not enough. Just check listener.log in diag/tnslsnr/<dbname>/listener/trace for the protocols used for connections.

They will be like:

Sat Sep 20 21:47:44 2014
Dynamic address is already listened on (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))

3. You may check port security status with:

nmap -sV --script ssl-enum-ciphers -p 1521 <DB hostname or IP>

4. Check your listener:

lsnrctl status

Mostly you will have something like:

LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 27-SEP-2014 09:41:16

Copyright (c) 1991, 2011, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                    LISTENER
Version                  TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date               27-SEP-2014 09:40:38
Uptime                   0 days 0 hr. 0 min. 37 sec
Trace Level              off
Security                 ON: Local OS Authentication
SNMP                     OFF
Listener Parameter File  /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File        /u01/app/oracle/diag/tnslsnr/<dbname>/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))
Services Summary...
Service "<servicename>" has 1 instance(s).
  Instance "<instancename>", status READY, has 1 handler(s) for this service...
Service "<servicename>XDB" has 1 instance(s).
  Instance "<instancename>", status READY, has 1 handler(s) for this service...
The command completed successfully

5. You may get the supported cipher suites with

adapters $ORACLE_HOME/bin/oracle

2810868

What encryption algorithm should i be using to have little impact with adequate security?

****************

I think there is a contradiction here. Adequate security will definitely mean impact, because of the necessity to make numeric calculations (until you have HW crypto modules) and the long SSL handshake.

2810868

Some docs:

Configuring SSL for Client Authentication and Encryption With Self Signed Certificates On Both Ends Using orapki (Doc ID 401251.1)

How To Configure Oracle SQLDeveloper To Connect To A SSL Alias (Doc ID 1301925.1)

Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)

How To Configure Oracle JDBC Driver SSL With Oracle WebLogic Server? (Doc ID 1638256.1)

http://docs.oracle.com/cd/B28359_01/network.111/b28531/toc.htm

Vlad Visan-Oracle

Hi,

Native encryption does not require an additional license; it is free on all database versions.

Having SQLNET.ENCRYPTION_SERVER=REQUIRED while your connections from the client are being made successfully means that the connection is being encrypted, but to be sure, you can see that if you take an SQLNET trace at level 16.

What Igoroshka proposed is SSL encryption, which can work on top of native encryption (another layer of security), but you will need to set in place some wallets and some valid certificates in order for it to work.

2810868

Thanks Vlad for clarification.

Tracing sqlnet and net packets shows that the data is encrypted and that the proper encryption suite is selected.

But the trace file also shows that Advanced Security is involved. The docs also refer to the Advanced Security guide. As AS states, this option is used to encrypt net traffic. As far as I know there were some licensing changes. What net traffic encryption is covered now by the AS license?

2810868

Here are some figures about encryption penalties (at the bottom) -- Network Encryption - Oracle FAQ.

Vlad Visan-Oracle

Here it is from the doc:

"Strong authentication services (Kerberos, PKI, and RADIUS) and network encryption (native network encryption and SSL/TLS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."

2810868

Thank you Vlad!

Post Details

Locked on Oct 26 2014
Added on Sep 26 2014
8 comments
3,591 views