-
1. Re: Network Data encryption
pmdba Oct 8, 2017 4:46 AM (in response to Mike301)
1. You must include encryption parameters in both the client and server sqlnet.ora files.
2. In general use the highest level of encryption that you can.
3. Oracle's native encryption will protect DB links too (they are just like any other client/server connection), but both the client db and server db sqlnet.ora files must be modified.
4. You can verify the encryption by generating a sqlnet trace file with the support level set to "SUPPORT" (this will show all network packets in the connection) or by using a tool like Wireshark to monitor the network packets.
-
2. Re: Network Data encryption
Vlad Visan-Oracle Oct 8, 2017 6:57 AM (in response to pmdba)
>> 1. You must include encryption parameters in both the client and server sqlnet.ora files.
You can just update the server side with:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED #this is for dblink case
-
3. Re: Network Data encryption
pmdba Oct 9, 2017 10:44 PM (in response to Vlad Visan-Oracle)
In the case of a db link the server with the link is the "client", and the remote server is the "server". So both the "client" and "server" sqlnet.ora files need to be modified, even though both systems may technically be servers in the sense that they are not workstations.
-
4. Re: Network Data encryption
Vlad Visan-Oracle Oct 10, 2017 1:40 PM (in response to pmdba)
Let me know the results you get after you just update the sqlnet.ora on one side with both parameters:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
-
5. Re: Network Data encryption
Mike301 Oct 10, 2017 3:29 PM (in response to Vlad Visan-Oracle)
Thank you for the updates. I'm going to test this today and provide the result.
As I understood, we only have to update the server or the client, and updating both sides is not required.
I will add both on the server and verify the result:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
1. Isn't _CLIENT required to be added on the client side?
2. How can I verify encryption via testing? I added _SERVER on the server and traced the user session but didn't find any encrypted text.
-
6. Re: Network Data encryption
Mike301 Oct 10, 2017 3:38 PM (in response to pmdba)
>> 2. In general use the highest level of encryption that you can.
How do I verify what the highest available level of encryption is?
-
7. Re: Network Data encryption
Mike301 Oct 10, 2017 5:42 PM (in response to Vlad Visan-Oracle)
I was able to verify network encryption from client to server using the below on the server:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
For dblink testing (db1 -> db2 & db2 -> db1)
1. Do I need to have the below in both the db1 and db2 server sqlnet.ora?
SQLNET.ENCRYPTION_CLIENT=REQUIRED
2. Somebody raised an interesting question: will a JDBC thin connection also be secured?
-
8. Re: Network Data encryption
Mike301 Oct 10, 2017 7:16 PM (in response to Vlad Visan-Oracle)
Vlad Visan-Oracle wrote:
Let me know the results you get after you just update the sqlnet.ora on one side with both parameters:
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED
The above doesn't work.
Test case: (db1 -> db2)
1. Set the parameter in sqlnet.ora on the server of db2
2. Link created on db1 to connect from db1 -> db2
3. Connect sqlplus user@db1
4. db1> select * from dual@dblink
5. Client trace of db1 displays text in clear
I set _SERVER in both DBs' sqlnet.ora, and then it was encrypting queries in the trace.
Question:
1. Somebody raised an interesting question: will a JDBC thin connection also be secured?
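Added example, not part of the thread and not Oracle code: a small checker that applies Oracle's documented negotiation rule for the four levels (REJECTED, ACCEPTED, REQUESTED, REQUIRED, with ACCEPTED as the default when a parameter is unset) to each hop of the db1 -> db2 test case, so the two connections involved can be judged separately. The function names are hypothetical, the sqlnet.ora contents are constructed, and it assumes both ends share at least one encryption algorithm.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def parse_sqlnet(text):
    """Parse single-line PARAM=VALUE entries; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\S+)", line.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    return params

def level(params, side):
    """side is 'CLIENT' or 'SERVER'; an unset parameter defaults to ACCEPTED."""
    value = params.get("SQLNET.ENCRYPTION_" + side, "ACCEPTED")
    if value not in LEVELS:
        raise ValueError("unknown level for %s: %s" % (side, value))
    return value

def negotiate(client_params, server_params):
    """Outcome for one connection: 'ENCRYPTED', 'CLEAR' or 'FAILS'."""
    pair = (level(client_params, "CLIENT"), level(server_params, "SERVER"))
    if "REJECTED" in pair:
        return "FAILS" if "REQUIRED" in pair else "CLEAR"
    return "CLEAR" if pair == ("ACCEPTED", "ACCEPTED") else "ENCRYPTED"

def link_path(workstation, db1, db2):
    """Both hops of: sqlplus user@db1, then select * from dual@dblink."""
    # On the second hop db1 is the client, so its _CLIENT setting applies.
    return {"sqlplus->db1": negotiate(workstation, db1),
            "db1->db2": negotiate(db1, db2)}

# Constructed sqlnet.ora contents (not taken from the thread's systems).
BOTH_ON_ONE_SIDE = parse_sqlnet("""
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_CLIENT=REQUIRED #this is for dblink case
""")
SERVER_ONLY = parse_sqlnet("SQLNET.ENCRYPTION_SERVER = required")
UNSET = parse_sqlnet("# no encryption parameters\n")
REJECTING = parse_sqlnet("SQLNET.ENCRYPTION_CLIENT=REJECTED")

if __name__ == "__main__":
    print("only db2 edited:    ", link_path(UNSET, UNSET, BOTH_ON_ONE_SIDE))
    print("_SERVER on both DBs:", link_path(UNSET, SERVER_ONLY, SERVER_ONLY))
    print("client rejects:     ", negotiate(REJECTING, SERVER_ONLY))
```

A trace shows only the hop it was captured on, so the sqlplus -> db1 session and the db1 -> db2 link have to be checked separately.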
-
9. Re: Network Data encryption
pmdba Nov 16, 2017 10:30 PM (in response to Mike301)
JDBC-Thin connections are NOT encrypted with these parameters. These only work for OCI clients.