Native encryption not working

T1DSoldier
T1DSoldier Member Posts: 60 Blue Ribbon
edited Apr 22, 2020 12:11PM in Database Security - General

Native encryption does not seem to be working

OS: RH7

DB 12.2.0.1

sqlnet has the below settings

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

ADR_BASE = /u01/app/oracle

SQLNET.EXPIRE_TIME=3

SQLNET.INBOUND_CONNECT_TIMEOUT=300

SSL_VERSION=1.2

SSL_CLIENT_AUTHENTICATION = TRUE

#CIPHER_SUITES

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_256_GCM_SHA384)

SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11

SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 11

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)

SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED

SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)

SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)

SQLNET.ENCRYPTION_CLIENT = REQUIRED

SQLNET.ENCRYPTION_SERVER = REQUIRED

---listener

SID_LIST_LISTENER  =

  (SID_LIST =

    (SID_DESC =

      (ORACLE_HOME = /u01/app/oracle/product/12.2.0/database)

      (SID_NAME = orcl)

      (ENVS="TNS_ADMIN=/u01/app/oracle/product/12.2.0/database/network/admin_non_ssl")

    )

)

Client Trace

(24244) [21-APR-2020 13:14:13:914] naeecom: Encryption inactive

(24244) [21-APR-2020 13:14:13:914] naeecom: exit

(24244) [21-APR-2020 13:14:13:914] naeccom: entry

(24244) [21-APR-2020 13:14:13:917] naeccom: The server chose the 'SHA384' crypto-checksumming algorithm

(24244) [21-APR-2020 13:14:13:917] naeccom: exit

(24244) [21-APR-2020 13:14:13:917] na_tns: entry

(24244) [21-APR-2020 13:14:13:917] na_tns: Secure Network Services is available.

(24244) [21-APR-2020 13:14:13:917] nau_adi: entry

(24244) [21-APR-2020 13:14:13:917] nau_adi: exit

(24244) [21-APR-2020 13:14:13:917] na_tns: Authentication is not active

(24244) [21-APR-2020 13:14:13:918] na_tns: Encryption is not active

(24244) [21-APR-2020 13:14:13:918] na_tns: Crypto-checksumming is active, using SHA384

I am not sure why it is not encrypting the communications

Thanks

Dave
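
Added example, not part of the original post and not Oracle tooling: a small Python check that reads an Oracle Net client trace like the one above and reports which services the na_tns summary lines show as active. The function names are hypothetical, and the "Encryption is active, using AES256" line is a constructed sample assumed to follow the same format as the checksumming line.

```python
import re
import sys

# na_tns summary lines that close the negotiation, e.g.
#   na_tns: Encryption is not active
#   na_tns: Crypto-checksumming is active, using SHA384
NA_TNS = re.compile(
    r"na_tns:\s*(authentication|encryption|crypto-checksumming) is "
    r"(not active|active(?:, using ([A-Za-z0-9_]+))?)",
    re.IGNORECASE,
)

# Summary lines copied from the client trace in the post above.
PAGE_TRACE = """\
(24244) [21-APR-2020 13:14:13:917] na_tns: Authentication is not active
(24244) [21-APR-2020 13:14:13:918] na_tns: Encryption is not active
(24244) [21-APR-2020 13:14:13:918] na_tns: Crypto-checksumming is active, using SHA384
"""

# Constructed sample (assumption): encryption line written in the same
# format as the checksumming line, for a connection that negotiated AES256.
CONSTRUCTED_TRACE = PAGE_TRACE.replace(
    "Encryption is not active", "Encryption is active, using AES256"
)


def negotiated_services(trace_text):
    """Map each service to False (off), its algorithm name, or True (active, no name).

    A service missing from the result had no na_tns summary line in the trace.
    If the trace holds several connections, the last one wins.
    """
    state = {}
    for m in NA_TNS.finditer(trace_text):
        service = m.group(1).lower()
        if m.group(2).lower() == "not active":
            state[service] = False
        else:
            state[service] = m.group(3) or True
    return state


def unprotected(state, required=("encryption", "crypto-checksumming")):
    """Return the required services the trace does not show as active."""
    return [s for s in required if not state.get(s)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_TRACE
    missing = unprotected(negotiated_services(text))
    print("NOT ACTIVE: " + ", ".join(missing) if missing else "all required services active")
    sys.exit(1 if missing else 0)
```

Run it with the path to a client trace file as the only argument; the non-zero exit status when a required service is not active makes it usable in a connection smoke test.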

Best Answer

  • T1DSoldier
    T1DSoldier Member Posts: 60 Blue Ribbon
    edited Apr 22, 2020 12:10PM Answer ✓

    Looks like you have to set the encryption to required on the client side as well. I don't understand why, if the server requires encryption. Having to manage every client sqlnet.ora is an extensive operation, especially if users don't have the privs to modify or the knowledge to modify it.

    Thanks

    Dave

Answers

  • User_BH897
    User_BH897 Member Posts: 9 Green Ribbon

    Hi,

    Just put

    SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED

    in the server and perhaps bounce the listener. Seemed to work for me.

    This enables ONNE.
