- 3,734,235 Users
- 2,246,916 Discussions
- 7,857,194 Comments
Forum Stats
Discussions
Howdy, Stranger!
Categories
- 380.9K All Categories
- 2.1K Data
- 203 Big Data Appliance
- 1.9K Data Science
- 446.1K Databases
- 220.4K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 23 Multilingual Engine
- 506 MySQL Community Space
- 459 NoSQL Database
- 7.7K Oracle Database Express Edition (XE)
- 2.8K ORDS, SODA & JSON in the Database
- 438 SQLcl
- 3.9K SQL Developer Data Modeler
- 185.4K SQL & PL/SQL
- 20.8K SQL Developer
- 291.3K Development
- 6 Developer Projects
- 117 Programming Languages
- 288.1K Development Tools
- 96 DevOps
- 3K QA/Testing
- 645.2K Java
- 18 Java Learning Subscription
- 36.9K Database Connectivity
- 148 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.7K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 12 Java Essentials
- 138 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 195 Java User Groups
- 22 JavaScript - Nashorn
- Programs
- 180 LiveLabs
- 34 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 165 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 225 Portuguese
ORDS standalone encryption of database connection
We are using ORDS using the standalone server migrated from mod_plsql.
We're on version 19.4 but will be upgrading to the latest version. We are moving to cloud and need to ensure that all network traffic is encrypted. I've been reading a lot of Oracle Notes and documentation and thought at first that the default was a jdbc connection that would be encrypted by defualt, but now I am not so sure. I read too much. I can't find any documentation or evidence in our configuration tha jdbc is being used. We are using basic authentication in our defaults.xml
<properties>
<comment>Saved on Fri Aug 21 15:05:15 ADT 2020</comment>
<entry key="db.hostname">xxxx.xxxx.xx</entry>
<entry key="db.port">1521</entry>
<entry key="db.servicename">XXXXX.XXXX.XX</entry>
<entry key="restEnabledSql.active">true</entry>
</properties>
Is this using a jdbc connection and minimal change would be to set a parameter in the database servers sqlnet.ora? I'm concerned that changing the DB server settings will affect other applications connections.
sqlnet.encryption_server=required
sqlnet.encryption_types_server=(RC4_40)
Do I need to use the tomcat server instead of standalone jetty on the ORDS server?
Do I need to install a jdbc client on the ORDs server (for standalone jetty server or tomcat)?
I am looking for minimal viable product, but will do what needs to be done to secure the traffic of course.
TIA!
Answers
-
Hi,
Did you ever get this to work? Like you, our databases are set up for native sqlnet encryption (sqlnet.ora properties).
I have tried changing ords defaults.xml to use TNS connection type instead of BASIC/JDBC but it is still not using encryption.
db.connectionType">tns
db.tnsAliasName">MY_TNS_ALIAS
db.tnsDirectory=/u01/tns_path...
Thanks!
-
The solution we used was to download the oracle thin client to the client server and update the defaults.xml to use tns and ords_start_stop.sh script to include the new Java parameters on the command line:
defaults.xml needs tns connectionType and to point to the thin driver tnsnames location
<entry key="db.connectionType">tns</entry>
<entry key="db.tnsAliasName">XXXXXXX</entry>
<entry key="db.tnsDirectory">/u01/app/oracle/products/instantclient/network/admin</entry>
We added the Java encryption parameters to our start script:
ENCRYPT_CLIENT="-Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client'(AES256) -Doracle.net.crypto_checksum_types_client=(SHA256)"
TNS_OPTION="-Doracle.net.tns_admin=/u01/app/oracle/products/instantclient/network/admin"
export JAVA_OPTIONS="$ENCRYPT_CLIENT $TNS_OPTION -Dorg.eclipse.jetty.server.Request.maxFormContentSize=3000000"
nohup java ${JAVA_OPTIONS} -jar /u1/opt/ords-19.4/ords.war standalone >> $LOGFILE 2>&1 &
;;
-
THANK YOU SO MUCH nahunter!!!
I got it working thanks to you.
We are using ORDS on WebLogic and I added the encryption properties to the managed server, Server Start, Arguments section:
-Doracle.net.tns_admin=/opt/app/oracle/product/19.0.0/client_1/network/admin -Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=AES256
For standalone ORDS:
java -Doracle.net.tns_admin=/u01/app/oracle/product/19.0.0/client_1/network/admin -Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client=AES256 -jar apex.war standalone
And of course, add the three parameters in defaults.xml:
db.connectionType --> tns
db.tnsAliasName --> CAPEXQ2
db.tnsDirectory --> /u01/app/oracle/product/19.0.0/client_1/network/admin
-
Great. You can test it using tcpdump and wireshark.
-
Yes, wireshark to test. Also like to add for a quick verify on the database, you can query gv$session_connect_info:
select s.inst_id, s.sid, s.serial#, s.username,s.machine,
e.client_version, e.client_driver, e.authentication_type, e.osuser, e.banner
from gv$session s,
(select inst_id, sid, serial#, client_version, client_driver, authentication_type, osuser, substr(network_service_banner,1,18) banner
from gv$session_connect_info
where network_service_banner like 'AES%') e
where s.inst_id = e.inst_id(+)
and s.sid = e.sid(+)
and s.serial# = e.serial#(+)
and s.username is not null
order by s.username
;