9 Replies Latest reply on Nov 16, 2017 10:30 PM by pmdba

    Network Data encryption

    Mike301

      Friends,

       

      DB: 12c

      Host: Linux

       

      I'm investigating options for network data security and looking into configuring network data encryption via the sqlnet.ora file.

       

      This is a new area for me, so I have some questions:

      1. Is it good practice to update the sqlnet.ora file on both client and server, or is updating it on the server side sufficient?
      2. How do I select what kind of algorithm to use, or which one is appropriate?
      3. Will it also secure data across dblinks, or do both DBs need to have their sqlnet.ora updated?
      4. How can we verify that network encryption was applied?

       

      Any link/blog/Metalink reference? I'm only going through the official manual currently.

       

      Thanks in advance.

        • 1. Re: Network Data encryption
          pmdba

          1. You must include encryption parameters in both the client and server sqlnet.ora files.

          2. In general use the highest level of encryption that you can.

          3. Oracle's native encryption will protect DB links too (they are just like any other client/server connection), but both the client db and server db sqlnet.ora files must be modified.

          4. You can verify the encryption by generating a sqlnet trace file with the support level set to "SUPPORT" (this will show all network packets in the connection) or by using a tool like Wireshark to monitor the network packets.

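An added example, not code from the thread, that makes pmdba's first two points concrete. The first function implements Oracle's documented negotiation table for SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT, which is the reason a one-sided change can work (REQUIRED on one side against the other side's default of ACCEPTED) and also why two untouched sides talk in the clear (ACCEPTED against ACCEPTED negotiates no encryption). The second function lints a database host's sqlnet.ora for both roles, because a database that originates a DB link is the "client" for that link and reads its own *_CLIENT settings. The two sample files, the demo directory and the $ORACLE_HOME path are constructed for the demo; the SQLNET.CRYPTO_CHECKSUM_* lines are the integrity counterpart of the encryption lines, included because encryption alone does not detect tampering on the wire.

```shell
#!/bin/sh
# Added example, not from the thread: Oracle's documented negotiation rules
# for SQLNET.ENCRYPTION_{SERVER,CLIENT}, and a small lint for a database
# host's sqlnet.ora. File paths and sample contents are constructed.

# negotiate SERVER_MODE CLIENT_MODE -> prints on | off | fail
# Both sides default to ACCEPTED, and ACCEPTED+ACCEPTED negotiates NO
# encryption: an untouched client talking to an untouched server sends SQL
# in the clear. REQUIRED on either side forces encryption unless the peer
# says REJECTED, in which case the connection fails outright.
negotiate() {
    case "$1/$2" in
        REJECTED/REQUIRED|REQUIRED/REJECTED) echo fail ;;
        REJECTED/*|*/REJECTED)               echo off ;;
        ACCEPTED/ACCEPTED)                   echo off ;;
        *)                                   echo on ;;
    esac
}

# Algorithms a 12c server still accepts that must not appear in any
# *_TYPES_* list: single DES, 40/56-bit export variants, RC4, two-key 3DES.
WEAK_ALGS='DES DES40 RC4_40 RC4_56 RC4_128 RC4_256 3DES112'

# value_of FILE PARAM -> the value of PARAM with spaces and parens stripped,
# so "(AES256, AES192)" becomes "AES256,AES192"; empty if PARAM is unset.
value_of() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d ' ()' | head -n 1
}

# lint_sqlnet FILE -> prints one finding per line, returns 1 if any.
# The CLIENT role is checked as well as the SERVER role because a database
# that is the near end of a DB link acts as the client for that link and
# reads SQLNET.ENCRYPTION_CLIENT from its own sqlnet.ora.
lint_sqlnet() {
    f=$1; rc=0
    for side in SERVER CLIENT; do
        mode=$(value_of "$f" "SQLNET.ENCRYPTION_$side")
        if [ "$mode" != REQUIRED ]; then
            echo "ENCRYPTION_$side is '${mode:-unset, i.e. ACCEPTED}': want REQUIRED"; rc=1
        fi
        types=$(value_of "$f" "SQLNET.ENCRYPTION_TYPES_$side")
        if [ -z "$types" ]; then
            echo "ENCRYPTION_TYPES_$side unset: any algorithm, weak ones included, may be negotiated"; rc=1
        fi
        for alg in $(echo "$types" | tr ',' ' '); do
            case " $WEAK_ALGS " in
                *" $alg "*) echo "ENCRYPTION_TYPES_$side lists weak algorithm $alg"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample files; on a real host the file is
# $ORACLE_HOME/network/admin/sqlnet.ora (path assumed for the demo).
DEMO_DIR=${TMPDIR:-/tmp}/sqlnet-demo.$$
mkdir -p "$DEMO_DIR"
WEAK_ORA=$DEMO_DIR/weak.ora
STRONG_ORA=$DEMO_DIR/strong.ora

# Weak: only the server role is set, it is left at ACCEPTED, and an
# export-grade algorithm is allowed in the list.
cat > "$WEAK_ORA" <<'EOF'
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, DES40)
EOF

# Hardened: REQUIRED in both roles, AES-256 only, and integrity
# (crypto-checksum, SHA-256) enforced alongside confidentiality so an
# on-path attacker cannot silently modify packets either.
cat > "$STRONG_ORA" <<'EOF'
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
EOF

echo "server REQUIRED, client untouched (ACCEPTED): $(negotiate REQUIRED ACCEPTED)"
echo "both untouched (ACCEPTED/ACCEPTED):           $(negotiate ACCEPTED ACCEPTED)"
for f in "$WEAK_ORA" "$STRONG_ORA"; do
    echo "== $f"
    lint_sqlnet "$f" && echo "ok: encryption and integrity enforced in both roles"
done
```

Run it as `sh sqlnet-lint.sh`; the weak file produces four findings (server mode not REQUIRED, DES40 in the list, client mode and client types unset), the hardened file passes. Run `lint_sqlnet` against a client-only workstation file and the SERVER findings are expected noise; the check is written for a database host that may also be the near end of a link.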
          • 2. Re: Network Data encryption
            Vlad Visan-Oracle

            1. You must include encryption parameters in both the client and server sqlnet.ora files.

            You can just update the server side with:

            SQLNET.ENCRYPTION_SERVER=REQUIRED

            SQLNET.ENCRYPTION_CLIENT=REQUIRED #this is for dblink case

            • 3. Re: Network Data encryption
              pmdba

              In the case of a db link the server with the link is the "client", and the remote server is the "server". So both the "client" and "server" sqlnet.ora files need to be modified, even though both systems may technically be servers in the sense that they are not workstations.

              • 4. Re: Network Data encryption
                Vlad Visan-Oracle

                Let me know the results you get after you just update the sqlnet.ora on one side with both parameters:

                SQLNET.ENCRYPTION_SERVER=REQUIRED

                SQLNET.ENCRYPTION_CLIENT=REQUIRED

                • 5. Re: Network Data encryption
                  Mike301

                  Thank you for the updates, I'm going to test this today and provide the result.

                   

                  As I understood it, we only have to update the server or the client, and updating both sides is not required.

                   

                  I will add both on the server and verify the result:

                  SQLNET.ENCRYPTION_SERVER=REQUIRED

                  SQLNET.ENCRYPTION_CLIENT=REQUIRED

                   

                  1. Isn't _CLIENT required to be added on the client side?

                  2. How can I verify encryption via testing? I added _SERVER on the server and traced the user session, but didn't find any encrypted text.
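An added example, not code from the thread, for the verification question. Besides the sqlnet trace and Wireshark checks pmdba describes, a session can ask the database what was negotiated: V$SESSION_CONNECT_INFO has one NETWORK_SERVICE_BANNER row per network service, and an encrypted session carries an "encryption service adapter" row naming the algorithm (an integrity-protected one a "crypto-checksumming service adapter" row). The shell below embeds that query, parses banner rows (the sample rows are a constructed approximation of 12c output; exact wording differs slightly between releases) and also greps a constructed tcpdump -A fragment for readable SQL, which is what a cleartext trace looks like. The connect string, interface name and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to confirm a session is
# really encrypted. Banner rows below are a constructed approximation of
# 12c output; the connect string, interface and port are assumptions.

# 1. Ask the database itself. Run from the session under test (for a DB
#    link, that is the session the link opened on the remote "server"):
#
#      sqlplus user@db1 <<'SQL'
#      SELECT network_service_banner
#        FROM v$session_connect_info
#       WHERE sid = SYS_CONTEXT('USERENV', 'SID');
#      SQL

ENCRYPTED_BANNER='TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
SHA256 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production'

PLAIN_BANNER='TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production'

# banner_state < banner_rows -> "enc=<alg> sum=<alg>", "none" when the
# adapter row is missing. The algorithm is the word just before
# "encryption service adapter" / "crypto-checksumming service adapter".
banner_state() {
    enc=none; sum=none
    while IFS= read -r line; do
        case "$line" in
            *[Ee]ncryption" service adapter"*)
                enc=$(printf '%s\n' "$line" | sed 's/ [Ee]ncryption service adapter.*//' | awk '{print $NF}') ;;
            *[Cc]rypto-checksumming" service adapter"*)
                sum=$(printf '%s\n' "$line" | sed 's/ [Cc]rypto-checksumming service adapter.*//' | awk '{print $NF}') ;;
        esac
    done
    echo "enc=$enc sum=$sum"
}

# session_is_protected < banner_rows -> exit 0 only if BOTH encryption and
# integrity were negotiated (encryption without a checksum still lets an
# on-path attacker flip bits in the ciphertext unnoticed).
session_is_protected() {
    case "$(banner_state)" in
        enc=none*|*sum=none) return 1 ;;
        *) return 0 ;;
    esac
}

# 2. Look at the wire, as pmdba suggests. Capture the listener port with
#    tcpdump -i eth0 -A -s 0 'tcp port 1521' (interface/port assumed) and
#    feed the ASCII dump here: readable SQL means the session is NOT
#    encrypted, which is what a "text in the clear" trace shows.
cleartext_sql() {
    grep -iqE 'select[[:space:]].*[[:space:]]from[[:space:]]'
}

# Constructed fragments standing in for tcpdump -A output.
DUMP_PLAIN='.....E..f..@.@........select * from dual@dblink..'
DUMP_ENCRYPTED='.....E..f..@.@........x9U~f?mQ..3k.Z.,#..p..'

report() {   # report LABEL < banner_rows
    rows=$(cat)
    if printf '%s\n' "$rows" | session_is_protected; then
        echo "$1: protected ($(printf '%s\n' "$rows" | banner_state))"
    else
        echo "$1: NOT protected ($(printf '%s\n' "$rows" | banner_state))"
    fi
}
printf '%s\n' "$ENCRYPTED_BANNER" | report "encrypted session"
printf '%s\n' "$PLAIN_BANNER" | report "plain session"
printf '%s\n' "$DUMP_PLAIN" | cleartext_sql && echo "plain capture: SQL visible on the wire"
printf '%s\n' "$DUMP_ENCRYPTED" | cleartext_sql || echo "encrypted capture: no SQL visible"
```

The banner check is the one to automate in a post-change test, since it reports exactly what the two sqlnet.ora files negotiated; the capture check is the independent confirmation that nothing readable leaves the host.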

                  • 6. Re: Network Data encryption
                    Mike301

                    >> 2. In general use the highest level of encryption that you can.

                     

                    How do I verify what the highest level of encryption available is?

                    • 7. Re: Network Data encryption
                      Mike301

                      I was able to verify network encryption from client to server using the below on the server:

                      SQLNET.ENCRYPTION_SERVER=REQUIRED

                      SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)

                      For dblink testing (db1 -> db2  & db2 -> db1)

                      1. Do I need to have the below in both the db1 and db2 server sqlnet.ora?

                             SQLNET.ENCRYPTION_CLIENT=REQUIRED

                       

                      2. Somebody raised an interesting question: will a JDBC thin connection also be secured?

                      • 8. Re: Network Data encryption
                        Mike301

                        Vlad Visan-Oracle wrote:

                         

                        Let me know the results you get after you just update the sqlnet.ora on one side with both parameters:

                        SQLNET.ENCRYPTION_SERVER=REQUIRED

                        SQLNET.ENCRYPTION_CLIENT=REQUIRED

                        The above doesn't work.

                        Test case: (db1 -> db2)

                        1. Set the parameters in sqlnet.ora on the db2 server

                        2. Link created on db1 to connect from db1 -> db2

                        3. Connect sqlplus user@db1

                        4. db1> select * from dual@dblink

                        5. Client trace of db1 displays text in the clear

                         

                        I set _SERVER in both DBs' sqlnet.ora, and then it was encrypting queries in the trace.

                         

                        Question:

                        1. Somebody raised an interesting question: will a JDBC thin connection also be secured?

                        • 9. Re: Network Data encryption
                          pmdba

                          JDBC-Thin connections are NOT encrypted with these parameters. These only work for OCI clients.