Oracle Database Native Network Encryption



Network encryption is one of the most important security hardening strategies to be adopted in
any enterprise infrastructure. It will ensure confidential data transmitted over network is
encrypted and will prevent from malicious attacks.


Network encryption guarantees that data exchanged between the clients (Application) and Database System or indeed between any two endpoints should be securely transmitted and transparently decrypted.

Moreover, compliance with mandatory laws like HIPAA dictates or highly recommends to implement
tools of encryption of in-transit and/or at-rest data as protection from theft or malicious attacks.
Oracle RDBMS Enterprise Edition offers the solutions to encrypt and secure over-transmit data,


It is important to note that Network Encryption Option is part of the Oracle Enterprise Edition and doesn’t 

require any seperate licence for Oracle Advanced Security Option.


Native Network Encryption can be configured by updating the sqlnet.ora configuration file on the database server side, 

with the following parameters as an example:


SQLNET.ENCRYPTION_SERVER = required

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)


To check that encryption is effectively working, execute the following SQL query on the database server side:


SQL> select network_service_banner from v$session_connect_info where sid in (select distinct sid from v$mystat);


Database Side Parameters:-

SQLNET.ENCRYPTION_SERVER = REQUIRED

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)


Client Side parameters

SQLNET.ENCRYPTION_SERVER = REQUIRED

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)



The parameter ENCRYPTION_SERVER/ENCRYPTION_CLIENT has the following options:

REQUESTED – to enable the security service if the client allows it.

REQUIRED – to enable the security service and disallow the connection if the client is not enabled for the security service.

ACCEPTED (Default)– to enable the security service if required or requested by the client.

REJECTED – to disable the security service, even if required by the client


The data transfer will be encrypted because the SQLNET.ENCRYPTION_CLIENT parameter is REQUESTED on both the client side and the server side.


Let’s connect to the server with sqldeveloper from client.


After you close the connection, let’s search all .trc files on the client.  The trace file created at the time of the connection 

will tell us whether the connection is encrypted.


This result indicates that the data is encrypted over the network with the AES128 algorithm and data integrity is ensured by the SHA1 algorithm.

Comments

Post a Comment

Popular posts from this blog

How to fix Oracle SQL Developer connection issue "Got minus one from a read call"

Image
 During connection from SQL Developer to EBS database got below error message: Status : Failure - Test failed: IO Error: Got minus one from a read call Following solution can be done : 1. Go to directory $ORACLE_HOME / network / admin 2. Modify sqlnet.ora file with following parameter : tcp.validnode_checking = no 3. If you don 't want to disable this, you can put the machine names as follows: tcp.invited_nodes=(machine1, machine2) 3. Bounce the listener. Due to security enhancements it is not good to put tcp.validnode_checking = no or comment out will through error when we start listener like below: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=shsebs7idb1.appsolworld.com)(PORT=1522))) TNS-00584: Valid node checking configuration error TNS-12560: TNS:protocol adapter error Better plan is to add localhost or IP address of client (Local Computer) in the sqlnet.ora file That will solve the problem NAMES.DIRECTORY_PATH=(TNSNAMES, ONAMES, HOSTNAME) SQLNET.EXPI
Read more

How to troubleshoot Long Running Concurrent Request in EBS 12.2

 The following points need to answer before jumping into troubleshooting: Are there any recent code changes done in the concurrent program?           Check long_running_sid and verify the recent code change of last_ddl_timestamp after a             discussion with the developer. Was this running long in the last few run as well, or was this time only?            ==> Check the program history. How much time does it take to complete?           Once again program history can give us some idea. Are these jobs fetching higher data compared to the last run           ===> Confirm on data change . Query Plan change will indicate this issue. Does this job runs at any specific time or it can be run anytime           ===> The nature of the job can help to understand the job's nature. Does this job fetch data using DB Link          ====> Check whether the DB link is involved or not. The below-given approach would help to conclude the gray areas. Check the load of the server using t
Read more

Few Important steps of Oracle Database Clone

 Make Sure oraInst.loc location is correct and accessble. [demantra@dsiddem ~]$ cat /etc/oraInst.loc inventory_loc=/orastage/oraInventory inst_group=dba [demantra@dsiddem ~]$ cd /orastage/oraInventory [demantra@dsiddem oraInventory]$ ls -ltr total 16 drwxrwx---. 5 demantra dba 4096 Jul 22 19:37 backup drwxrwx---. 2 demantra dba 4096 Jul 22 19:37 ContentsXML drwxrwx---. 2 demantra dba 4096 Jul 22 19:37 locks drwxrwx---. 3 demantra dba 4096 Jul 23 10:08 logs Remove Oracle Home from Inventory [demantra@dsiddem oraInventory]$ cd $ORACLE_HOME/oui/bin [demantra@dsiddem bin]$ ./runInstaller -detachHome ORACLE_HOME=$ORACLE_HOME Starting Oracle Universal Installer... Checking swap space: must be greater than 500 MB.   Actual 3039 MB    Passed The inventory pointer is located at /etc/oraInst.loc Run Clone.pl [demantra@dsiddem bin]$ echo $ORACLE_HOME /dnbsid/demantra/oracle/19.0.0 [demantra@dsiddem bin]$ echo $ORACLE_BASE /dnbsid/demantra [demantra@dsiddem bin]$ E01=ORACLE_HOME=$ORACLE_HOME [dema
Read more