2 Replies Latest reply on Dec 23, 2018 2:25 AM by Gaz in Oz

    Unable to connect to Oracle Database which is SHA512 encryption enabled on both Oracle Server and client side using cx-oracle

    Jyothsna-Oracle

      This is the setting on oracle server's sqlnet.ora

       

      **************$ORACLE_HOME/network/admin/sqlnet.ora
      SQLNET.ENCRYPTION_SERVER=required
      SQLNET.CRYPTO_CHECKSUM_SERVER=required
      SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128)
      SQLNET.EXPIRE_TIME=10
      SQLNET.WALLET_OVERRIDE=FALSE
      WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u02/app/oracle/admin/EXA00013/db_wallet)))
      SSL_VERSION=1.2
      SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA512)
      SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA512)
      ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)(METHOD_DATA=(DIRECTORY=/var/opt/oracle/dbaas_acfs/EXA00013/tde_wallet/)))

       

      My Python version is 2.7

      cx-oracle version is 7.0

      Oracle Database version is: 12.2.0.1.0

       

      We are unable to connect to the database with the above setting enabled. We get the error below. Appreciate any input in this regard.

      File "/opt/dataraker/code/core/ws/dr/dal/dbOracle.py", line 329, in connect
         raise DBError("Error connecting to DB for env %s : %s" % (self.envName,exc))
      dr.dal.dbOracle.DBError: 'Error connecting to DB for env odr : Traceback (most recent call last):\n  File "/opt/dataraker/code/core/ws/dr/dal/dbOracle.py", line 322, in connect\n    self.conn = self.envObj.getDBConnOracle()\n  File "/opt/dataraker/code/core/ws/dr/util/misc.py", line 332, in getDBConnOracle\n    dsn=cx_Oracle.makedsn(self.obj[\'db_conf\'][\'host\'],self.obj[\'db_conf\'][\'port\'],service_name=self.obj[\'db_conf\'][\'serviceName\']))\nDatabaseError: ORA-12650: No common encryption or data integrity algorithm\n\n'

        • 1. Re: Unable to connect to Oracle Database which is SHA512 encryption enabled on both Oracle Server and client side using cx-oracle
          Richard C Evans-Oracle

          Hi, Some questions first:

           

           

          Can you help me understand why you're setting WALLET_LOCATION? EXPIRE_TIME? SSL_VERSION?

          Where does the client reside in relation to the DB? Same server / different server?

           

          You have a lot of lines in your sqlnet.ora that we would not advise you to set manually anymore. For example, anything CLIENT shouldn't be set on the DB server. All of these SQLNET.* parameters will default automatically to parameters that lead the client and database to create an encrypted session.

           

          What happens if you remove all of the SQLNET.* parameters and run the program, does it work? If so, can you query the NETWORK_SERVICE_BANNER column of the database view V$SESSION_CONNECT_INFO to verify the encryption status of a connection? If both the client and the database are set to "requested" (the default), then the connection should show encrypted and the level of encryption (probably AES256).

           

          Can you let us know what happens?

           

          Regards,

          Rich

          • 2. Re: Unable to connect to Oracle Database which is SHA512 encryption enabled on both Oracle Server and client side using cx-oracle
            Gaz in Oz

            The error message full text states:

            $ oerr ORA 12650
            12650, 00000, "No common encryption or data integrity algorithm"
            // *Cause:  The client and server have no algorithm in common for
            //          either encryption or data integrity or both.
            // *Action: Choose sets of algorithms that overlap.  In other words,
            //          add one of the client's algorithm choices to the server's
            //          list or vice versa.

            ...so is that your problem, sqlnet.ora on client and server have conflicting values set up?

            What Oracle documentation did you use as a reference for setting up your TDE security?

            Have you got Oracle Client libraries accessible in your PATH (windows) or LD_LIBRARY_PATH (Linux)?

             

            Before getting caught up with trying to get python/cx_Oracle working, it'll be simpler to do it with sqlplus first.
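
The overlap check that the ORA-12650 text describes, as an added example that is not part of the thread or of any Oracle tool: it compares the explicit algorithm lists in a client and a server sqlnet.ora. The server lines are copied from the question; the client file is constructed for illustration, and the function names are hypothetical.

```python
import re

# One-line "NAME=value" parameters; lines starting with "#" do not match.
_PARAM = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")

def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value} for one-line sqlnet.ora parameters."""
    matches = (_PARAM.match(line) for line in text.splitlines())
    return {m.group(1).upper(): m.group(2) for m in matches if m}

def _algos(params, name):
    """Algorithm list as an uppercase set, or None when the parameter is unset."""
    raw = params.get(name)
    if raw is None:
        return None
    return {a.strip().upper() for a in raw.strip("()").split(",") if a.strip()}

def predict_ora_12650(client_text, server_text):
    """Return (service, client_algos, server_algos) for each REQUIRED service
    whose explicit client and server lists share no algorithm."""
    client, server = parse_sqlnet(client_text), parse_sqlnet(server_text)
    failures = []
    for svc in ("ENCRYPTION", "CRYPTO_CHECKSUM"):
        c = _algos(client, "SQLNET.%s_TYPES_CLIENT" % svc)
        s = _algos(server, "SQLNET.%s_TYPES_SERVER" % svc)
        levels = (client.get("SQLNET.%s_CLIENT" % svc, ""),
                  server.get("SQLNET.%s_SERVER" % svc, ""))
        required = any(lv.upper() == "REQUIRED" for lv in levels)
        # An unset list means "whatever that side has installed", which this
        # sketch cannot know, so only explicit lists are compared.
        if required and c is not None and s is not None and not (c & s):
            failures.append((svc, sorted(c), sorted(s)))
    return failures

# Server lines copied from the question's sqlnet.ora.
SERVER = """\
SQLNET.ENCRYPTION_SERVER=required
SQLNET.CRYPTO_CHECKSUM_SERVER=required
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA512)
"""
# Constructed client file (not from the thread): checksum list lacks SHA512.
CLIENT = """\
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)
"""

if __name__ == "__main__":
    print(predict_ora_12650(CLIENT, SERVER))
```

An empty result only means the explicit lists overlap; a client library that does not implement a listed algorithm can still fail the negotiation.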