
ORDS standalone encryption of database connection

We are using ORDS with the standalone server, migrated from mod_plsql.

We're on version 19.4 but will be upgrading to the latest version. We are moving to the cloud and need to ensure that all network traffic is encrypted. I've been reading a lot of Oracle Notes and documentation and thought at first that the default was a JDBC connection that would be encrypted by default, but now I am not so sure. I read too much. I can't find any documentation or evidence in our configuration that JDBC is being used. We are using basic authentication in our defaults.xml:

<properties>
<comment>Saved on Fri Aug 21 15:05:15 ADT 2020</comment>
<entry key="db.hostname">xxxx.xxxx.xx</entry>
<entry key="db.port">1521</entry>
<entry key="db.servicename">XXXXX.XXXX.XX</entry>
<entry key="restEnabledSql.active">true</entry>
</properties>


Is this using a JDBC connection, and would the minimal change be to set a parameter in the database server's sqlnet.ora? I'm concerned that changing the DB server settings will affect other applications' connections.


sqlnet.encryption_server=required
sqlnet.encryption_types_server=(RC4_40)


Do I need to use the Tomcat server instead of standalone Jetty on the ORDS server?


Do I need to install a JDBC client on the ORDS server (for the standalone Jetty server or Tomcat)?


I am looking for minimal viable product, but will do what needs to be done to secure the traffic of course.


TIA!
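Editor's note on the server-side settings quoted in the question, with an added sqlnet.ora fragment that is not part of the original post. Two points a practitioner will want before touching the database server: first, SQLNET.ENCRYPTION_SERVER and its companions apply to every client that connects to that database, not just ORDS, which is exactly the side effect the question worries about. Second, RC4_40 is RC4 with a 40-bit key, a keyspace small enough to brute-force on commodity hardware, so requiring it buys almost nothing; AES256 with a SHA-256 integrity checksum is the setting to require. The fragment shows the weak stanza next to the hardened one for comparison only; a real sqlnet.ora would carry just the second block. Separately, the Oracle JDBC thin driver that ORDS uses does not read sqlnet.ora at all; it takes the equivalent settings as Java connection or system properties, and the JDBC Developer's Guide documents ACCEPTED as its default encryption level, meaning it encrypts only when the server side asks for it. To guarantee encryption from the ORDS side regardless of how any one database is configured, the client level has to be set to REQUIRED via JVM properties, which is what the answers below end up doing.

```ini
# Weak: RC4 with a 40-bit key. Trivially brute-forced; do not require or accept it.
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40)

# Hardened: AES-256 only, and require a SHA-256 integrity checksum as well,
# so a client that cannot do both is refused rather than downgraded.
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
```

With REQUIRED on the server, any legacy client that cannot negotiate AES256 and SHA256 will fail to connect; inventory those clients first (the gv$session_connect_info query later in this thread is one way) before flipping the setting on a shared database.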

Answers

  • User_SO02G

    Hi,

    Did you ever get this to work? Like you, our databases are set up for native sqlnet encryption (sqlnet.ora properties).

    I have tried changing ords defaults.xml to use the TNS connection type instead of BASIC/JDBC, but it is still not using encryption.

    <entry key="db.connectionType">tns</entry>
    <entry key="db.tnsAliasName">MY_TNS_ALIAS</entry>
    <entry key="db.tnsDirectory">/u01/tns_path...</entry>

    Thanks!

  • nahunter
    edited Jun 8, 2021 1:18PM

    The solution we used was to download the Oracle thin client to the client server, update defaults.xml to use tns, and update the ords_start_stop.sh script to include the new Java parameters on the command line:

    defaults.xml needs the tns connectionType and has to point to the thin driver's tnsnames location:

    <entry key="db.connectionType">tns</entry>
    <entry key="db.tnsAliasName">XXXXXXX</entry>
    <entry key="db.tnsDirectory">/u01/app/oracle/products/instantclient/network/admin</entry>


    We added the Java encryption parameters to our start script:

    # Client-side native network encryption for the JDBC thin driver (the thin
    # driver ignores sqlnet.ora, so these go on the JVM command line)
    ENCRYPT_CLIENT="-Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=(AES256) -Doracle.net.crypto_checksum_types_client=(SHA256)"
    TNS_OPTION="-Doracle.net.tns_admin=/u01/app/oracle/products/instantclient/network/admin"
    export JAVA_OPTIONS="$ENCRYPT_CLIENT $TNS_OPTION -Dorg.eclipse.jetty.server.Request.maxFormContentSize=3000000"
    nohup java ${JAVA_OPTIONS} -jar /u1/opt/ords-19.4/ords.war standalone >> $LOGFILE 2>&1 &
    ;;


    https://stackoverflow.com/questions/62874109/is-it-possible-to-set-oracle-net-encryption-client-property-purely-in-jdbc-con

  • User_SO02G

    THANK YOU SO MUCH nahunter!!!

    I got it working thanks to you.

    We are using ORDS on WebLogic and I added the encryption properties to the managed server, Server Start, Arguments section:

    -Doracle.net.tns_admin=/opt/app/oracle/product/19.0.0/client_1/network/admin -Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=AES256


    For standalone ORDS:

    java -Doracle.net.tns_admin=/u01/app/oracle/product/19.0.0/client_1/network/admin -Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=AES256 -jar apex.war standalone


    And of course, add the three parameters in defaults.xml:

    db.connectionType --> tns
    db.tnsAliasName --> CAPEXQ2
    db.tnsDirectory --> /u01/app/oracle/product/19.0.0/client_1/network/admin
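The procedure in nahunter's answer and in the WebLogic/standalone variant above, pulled together as an added example that is not code from either poster: a POSIX shell start wrapper that builds the JVM properties for native network encryption, checks that defaults.xml actually uses the tns connection type (without it the properties never reach the pool's connections), and refuses to start if the option string would still allow a plaintext session. It goes one step beyond the posts by also setting oracle.net.crypto_checksum_client=REQUIRED, so integrity protection is negotiated alongside encryption, and it rejects the kind of mistyped property (a stray quote instead of "=") that a JVM silently ignores. The paths, the ORDS_CONFIG/ords/defaults.xml layout, and the environment-variable names are assumptions for the example, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: ORDS standalone start wrapper that forces
# native network encryption on the JDBC thin connection and fails closed when
# the configuration is incomplete. Paths below are hypothetical defaults.
ORDS_WAR="${ORDS_WAR:-/u01/opt/ords-19.4/ords.war}"
ORDS_CONFIG="${ORDS_CONFIG:-/u01/ords_config}"
TNS_ADMIN_DIR="${TNS_ADMIN_DIR:-/u01/app/oracle/products/instantclient/network/admin}"
LOGFILE="${LOGFILE:-/var/tmp/ords.log}"

# The JDBC thin driver does not read sqlnet.ora; it takes the equivalent
# settings as Java system properties. Encryption and the integrity checksum
# are both REQUIRED so the driver never falls back to a plaintext session.
build_java_opts() {
  printf '%s' \
    "-Doracle.net.tns_admin=$1" \
    " -Doracle.net.encryption_client=REQUIRED" \
    " -Doracle.net.encryption_types_client=(AES256)" \
    " -Doracle.net.crypto_checksum_client=REQUIRED" \
    " -Doracle.net.crypto_checksum_types_client=(SHA256)"
}

# defaults.xml must use the tns connection type and name an alias and a
# directory; with the basic type the JVM properties above are not what the
# pool connects with.
check_defaults_xml() {
  f=$1
  [ -f "$f" ] || { echo "check: $f not found" >&2; return 1; }
  grep -q '<entry key="db.connectionType">tns</entry>' "$f" \
    || { echo "check: db.connectionType is not tns in $f" >&2; return 1; }
  for key in db.tnsAliasName db.tnsDirectory; do
    grep -q "<entry key=\"$key\">" "$f" \
      || { echo "check: $key missing from $f" >&2; return 1; }
  done
  return 0
}

# Two usual mistakes in the option string: a level other than REQUIRED
# (ACCEPTED, the driver default, encrypts only if the server asks), and a
# mistyped property such as encryption_types_client'(AES256) that the JVM
# silently ignores because it is not of the form -Dname=value.
check_java_opts() {
  case " $1 " in
    *" -Doracle.net.encryption_client=REQUIRED "*) ;;
    *) echo "check: oracle.net.encryption_client must be REQUIRED" >&2; return 1 ;;
  esac
  case " $1 " in
    *" -Doracle.net.encryption_types_client="*) ;;
    *) echo "check: oracle.net.encryption_types_client missing or malformed" >&2; return 1 ;;
  esac
  return 0
}

start_ords() {
  check_defaults_xml "$ORDS_CONFIG/ords/defaults.xml" || return 1
  JAVA_OPTIONS=$(build_java_opts "$TNS_ADMIN_DIR")
  check_java_opts "$JAVA_OPTIONS" || return 1
  # Word splitting of $JAVA_OPTIONS is intended: each -D flag is one argument.
  nohup java $JAVA_OPTIONS -jar "$ORDS_WAR" standalone >> "$LOGFILE" 2>&1 &
}

if [ "${1:-}" = start ]; then start_ords; fi
```

Run it as `sh ords_start.sh start`. The checks are deliberately string-level: they catch configuration drift in the wrapper itself, not what the database negotiated, so the gv$session_connect_info query later in the thread (or a packet capture) is still the final proof that sessions are encrypted.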

  • nahunter

    Great. You can test it using tcpdump and Wireshark.

  • User_SO02G

    Yes, Wireshark to test. I'd also like to add that for a quick verification on the database, you can query gv$session_connect_info:

    -- Outer join: every session with a username is listed. BANNER is NULL when
    -- the session has no AES encryption service banner, i.e. it is either
    -- encrypted with another algorithm or not encrypted at all.
    -- gv$session_connect_info holds one row per service banner, hence the filter.
    select s.inst_id, s.sid, s.serial#, s.username, s.machine,
           e.client_version, e.client_driver, e.authentication_type, e.osuser, e.banner
      from gv$session s,
           (select inst_id, sid, serial#, client_version, client_driver,
                   authentication_type, osuser,
                   substr(network_service_banner, 1, 18) banner
              from gv$session_connect_info
             where network_service_banner like 'AES%') e
     where s.inst_id = e.inst_id(+)
       and s.sid = e.sid(+)
       and s.serial# = e.serial#(+)
       and s.username is not null
     order by s.username;
