Oracle Database Native Network Encryption



Network encryption is one of the most important security hardening strategies to be adopted in
any enterprise infrastructure. It will ensure confidential data transmitted over network is
encrypted and will prevent from malicious attacks.


Network encryption guarantees that data exchanged between the clients (Application) and Database System or indeed between any two endpoints should be securely transmitted and transparently decrypted.

Moreover, compliance with mandatory laws like HIPAA dictates or highly recommends to implement
tools of encryption of in-transit and/or at-rest data as protection from theft or malicious attacks.
Oracle RDBMS Enterprise Edition offers the solutions to encrypt and secure over-transmit data,


It is important to note that Network Encryption Option is part of the Oracle Enterprise Edition and doesn’t 

require any seperate licence for Oracle Advanced Security Option.


Native Network Encryption can be configured by updating the sqlnet.ora configuration file on the database server side, 

with the following parameters as an example:


SQLNET.ENCRYPTION_SERVER = required

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)


To check that encryption is effectively working, execute the following SQL query on the database server side:


SQL> select network_service_banner from v$session_connect_info where sid in (select distinct sid from v$mystat);


Database Side Parameters:-

SQLNET.ENCRYPTION_SERVER = REQUIRED

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)


Client Side parameters

SQLNET.ENCRYPTION_SERVER = REQUIRED

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)



The parameter ENCRYPTION_SERVER/ENCRYPTION_CLIENT has the following options:

REQUESTED – to enable the security service if the client allows it.

REQUIRED – to enable the security service and disallow the connection if the client is not enabled for the security service.

ACCEPTED (Default)– to enable the security service if required or requested by the client.

REJECTED – to disable the security service, even if required by the client


The data transfer will be encrypted because the SQLNET.ENCRYPTION_CLIENT parameter is REQUESTED on both the client side and the server side.


Let’s connect to the server with sqldeveloper from client.


After you close the connection, let’s search all .trc files on the client.  The trace file created at the time of the connection 

will tell us whether the connection is encrypted.


This result indicates that the data is encrypted over the network with the AES128 algorithm and data integrity is ensured by the SHA1 algorithm.

Comments

Popular posts from this blog

How to drop index and before dropping it how to get the DDL.

PRVG-11250 : The check "RPM Package Manager database" was not performed because

ORA-00257:archiver error, connect internal only until freed

Verifying Daemon “Avahi-Daemon” Not Configured And Running …FAILED (PRVG-1360)

Linux OL7/RHEL7: PRVE-0421 : No entry exists in /etc/fstab for mounting /dev/shm

SKIP DNS RESLOV.CONF CHECK DURING RAC CONFIGURATION

CPU Patch Analysis

How to write to a CSV file using Oracle SQL*Plus

How to troubleshoot Long Running Concurrent Request in EBS 12.2

How To Manage Space of The FRA in the Oracle DB