3 Replies. Latest reply on Jul 31, 2019 9:15 PM by Gaurav Kamal - Oracle-Oracle

    Encryption on the go/transit/network

    3343172

      Hi folks,

      Need to encrypt data in transit. Have created a ticket, but before this I would like to know whether my data is really open in transit/on the network or not.

      Oracle support shared this doc:

      How to Enable Oracle SQL*Net Client , Server , Listener , Kerberos and External procedure Tracing from Net Manager (Doc ID 395525.1)

      Have done this at my desktop, but not seeing any files created or generated; also at the ADRCI home I am not able to find the files where I can see my data. Please assist/guide on how to first see my data in transit/on the network and then the steps for encryption; shared this doc:

      Overview and Configuration of Oracle Network Encryption (Doc ID 76629.1)

      Thanks in advance; feel free to reach out if any clarifications are required.

      Regards

      Syed

        • 1. Re: Encryption on the go/transit/network
          Gaurav Kamal - Oracle-Oracle

          You can encrypt the data in transit with the Network Encryption mentioned in the document (Doc ID 76629.1).

          You can check if the packets are encrypted in the sqlnet tracing.

          • 2. Re: Encryption on the go/transit/network
            3343172

            Thanks, yes I can, but would like to test it first, meaning being able to see the data not encrypted and, after enabling this, the data should be encrypted; this is what I'm looking for. Can you please share, because as mentioned, I am trying this doc: How to Enable Oracle SQL*Net Client, Server, Listener, Kerberos and External procedure Tracing from Net Manager (Doc ID 395525.1)

            But nothing is happening; can you direct me to some steps/procedure on how to accomplish this first, and then I will enable it using netmgr.

            Regards

            Syed

            • 3. Re: Encryption on the go/transit/network
              Gaurav Kamal - Oracle-Oracle

              Once sqlnet tracing is enabled, you will see the packets transferred encrypted and not understandable.

              Before encryption was enabled, you could still understand the small strings, which are readable.

              Enable sqlnet tracing
              ---------------
              To enable the client tracing, some parameters have to be added into the
              client's SQLNET.ORA file.

              - Ensure you are in the correct environment

              - Check if the environment variable $TNS_ADMIN is set (echo $TNS_ADMIN)

              - if $TNS_ADMIN is set:
              -- Change to the directory where $TNS_ADMIN points to

              - if $TNS_ADMIN is not set:
              -- Change to the $ORACLE_HOME/network/admin directory

              - Do a backup copy of your current sqlnet.ora file in this directory

              - Enter the following parameters into sqlnet.ora and remove them after the
              trace files are written:

              DIAG_ADR_ENABLED = OFF
              TRACE_LEVEL_CLIENT = 16
              TRACE_FILE_CLIENT = cli 
              TRACE_DIRECTORY_CLIENT = <trace directory location>
              TRACE_UNIQUE_CLIENT = ON
              TRACE_TIMESTAMP_CLIENT = ON

              SQL> ALTER SESSION SET EVENTS = '10937 TRACE NAME CONTEXT FOREVER , LEVEL 4';

              Enable server tracing
              ---------------
              Repeat the above, except for the database server's sqlnet.ora file,
              and replace "CLIENT" with "SERVER" for all the above mentioned parameters.

              (It is possible to have both sets of parameters in the same sqlnet.ora if you are connecting using sqlplus from the DB server itself.)

              Reproduce the issue
              --------------
              - Start SQL*Plus and specify a service_name from tnsnames.ora for remote connect
              $> sqlplus user/password@service_name

              The trace file(s) are generated in the specified TRACE_DIRECTORY_CLIENT path.
              .trc will be automatically added to the trace file name

              - Cause the error to occur, or wait for it to occur if it cannot be predicted.

              - Upload the generated trace files as a (zip/tar) archive to Oracle Support.


              Disable tracing
              ---------------
              - Remove the above mentioned parameters from sqlnet.ora

              ** Please note **
              The above parameters will enable the tracing for every new session
              which is established from this environment. Start as few sessions as possible.

              How to Verify Whether Encryption and Integrity are working?

              (Doc ID 76629.1)

              The best method is to take a SQLNET client and server trace and verify whether the information in the trace is in cipher text [encrypted] or in plain text.

              A part of the client trace before enabling the Encryption and Integrity will be as shown below:

              nspsend: 00 00 00 00 00 24 46 65 |.....$Fe|
              nspsend: 01 12 73 65 6C 65 63 74 |..select|
              nspsend: 20 2A 20 66 72 6F 6D 20 |.*.from.|
              nspsend: 64 75 61 6C 01 00 00 00 |dual....|
              nspsend: 00 00 00 00 00 00 00 00 |........|
              nspsend: 00 00 00 00 00 00 00 00 |........|
              nspsend: 00 00 00 00 00 00 00 00 |........|
              nspsend: 01 00 00 00 00 00 00 00 |........|
              nspsend: 00 00 00 00 00 00 00 00 |........|
              nspsend: 00 00 00 00 00 00 00 00 |........|

              A part of the client trace after enabling the Encryption and Integrity will be as shown below:

              nspsend: 1F C6 56 89 B0 5C 83 CA |..V..\..|
              nspsend: 90 B4 B0 8E 45 0C 00 32 |....E..2|
              nspsend: CE BC 9F 22 43 76 DD 84 |..."Cv..|
              nspsend: EF 61 25 62 29 8A 0D A8 |.a%b)...|
              nspsend: 2F DE 12 38 18 80 A8 56 |/..8...V|
              nspsend: 44 AD A2 7E B6 7A 7D E1 |D..~.z}.|
              nspsend: 28 76 9B D9 54 6F 2C 72 |(v..To,r|
              nspsend: 6F 3F 45 17 DA 2D 93 CB |o?E..-..|
              nspsend: EE C6 29 31 E1 BF 22 E5 |..)1..".|
              nspsend: 02 32 0B F6 26 CA F4 4C |.2..&..L|
              nspsend: B8 BC A0 5E C7 64 1D DC |...^.d..|
              nspsend: 78 B3 D2 43 B5 1A D7 C4 |x..C....|
              nspsend: 9A 79 1F 3C A8 EE DC 38 |.y.<...8|
              nspsend: E2 5C 07 01 |.\.. |
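The check the answer describes (eyeballing the nspsend hex dump for readable strings) can be scripted. The following is an added example, not code from this thread or from Oracle: it parses the two trace excerpts quoted above and flags a capture as plaintext when it contains a long printable run or when the bytes have low entropy. The 8-character run threshold and the 4.0-bit entropy threshold are my assumptions; as the encrypted excerpt itself shows ("To,ro?E"), random bytes produce short printable runs by chance.

```python
import math
import re
# Trace excerpts copied from the answer above: before encryption, and the
# first eight lines of the trace captured after enabling it.
PLAIN_TRACE = r"""
nspsend: 00 00 00 00 00 24 46 65 |.....$Fe|
nspsend: 01 12 73 65 6C 65 63 74 |..select|
nspsend: 20 2A 20 66 72 6F 6D 20 |.*.from.|
nspsend: 64 75 61 6C 01 00 00 00 |dual....|
nspsend: 00 00 00 00 00 00 00 00 |........|
nspsend: 00 00 00 00 00 00 00 00 |........|
nspsend: 00 00 00 00 00 00 00 00 |........|
nspsend: 01 00 00 00 00 00 00 00 |........|
nspsend: 00 00 00 00 00 00 00 00 |........|
nspsend: 00 00 00 00 00 00 00 00 |........|
"""
CIPHER_TRACE = r"""
nspsend: 1F C6 56 89 B0 5C 83 CA |..V..\..|
nspsend: 90 B4 B0 8E 45 0C 00 32 |....E..2|
nspsend: CE BC 9F 22 43 76 DD 84 |..."Cv..|
nspsend: EF 61 25 62 29 8A 0D A8 |.a%b)...|
nspsend: 2F DE 12 38 18 80 A8 56 |/..8...V|
nspsend: 44 AD A2 7E B6 7A 7D E1 |D..~.z}.|
nspsend: 28 76 9B D9 54 6F 2C 72 |(v..To,r|
nspsend: 6F 3F 45 17 DA 2D 93 CB |o?E..-..|
"""
# Hex bytes between "nspsend:" and the ASCII column of one trace line.
NSPSEND_RE = re.compile(r"nspsend:\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")

def extract_payload(trace_text):
    """Reassemble the bytes the client sent from all nspsend lines."""
    data = bytearray()
    for m in NSPSEND_RE.finditer(trace_text):
        data.extend(int(h, 16) for h in m.group(1).split())
    return bytes(data)

def printable_runs(data, min_len=8):
    """Runs of printable ASCII such as 'select * from dual'. Random bytes give short
    runs by chance (the encrypted excerpt has "To,ro?E"); min_len=8 is an assumption."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def shannon_entropy(data):
    """Bits per byte: zero-padded plaintext scores low, ciphertext approaches 8."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0
def classify(trace_text):
    """'plaintext' if a long readable run or low entropy is seen, else 'ciphertext'."""
    data = extract_payload(trace_text)
    return "plaintext" if printable_runs(data) or shannon_entropy(data) < 4.0 else "ciphertext"
```

Run it against your own cli_*.trc files (read them with `open(...).read()`) before and after adding the SQLNET.ENCRYPTION_* settings from Doc ID 76629.1; the verdict should flip from plaintext to ciphertext, and `printable_runs` should no longer return your SQL text.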