How to set up Oracle Advanced Security (ASO) Network Encryption

Setting up Oracle Advanced Security Network Encryption

In any network connection, it is possible for both the client and server to support more
than one encryption algorithm and more than one integrity algorithm. When a connection
is made, the server selects which algorithm to use, if any, from those algorithms specified
in the sqlnet.ora files.

In this example we will set up network encryption by directly making changes to the
sqlnet.ora file for the ORCL database.

To set up Network Encryption, you need only add the following lines to your
sqlnet.ora file in $ORACLE_HOME/network/admin:

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
SQLNET.ENCRYPTION_TYPES_SERVER = (DES40, RC4_40)
SQLNET.CRYPTO_SEED = "Between Ten and Seventy Random Characters"

If the file /u01/oracle/product/11.1.0/db_1/network/admin/sqlnet.ora
does not exist, create the file using a text editor such as vi or gedit and place the
lines above in the file.

Each parameter is explained below. This is all you need to do to implement Network Encryption.

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_SERVER = REQUIRED

To negotiate whether to turn on integrity (CHECKSUM) or encryption (ENCRYPTION),
you can specify four possible values for the Oracle Advanced Security integrity and
encryption configuration parameters – REJECTED, ACCEPTED, REQUESTED or
REQUIRED. The four values are listed in order of increasing security. The value
REJECTED provides the minimum amount of security between client and server
communications, and the value REQUIRED provides the maximum amount of
network security. In this scenario, this side of the connection specifies that the
security service must be enabled. The connection fails if the other side specifies
REJECTED or if there is no compatible algorithm supported by the other side.

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)

MD5 and SHA1 are the two integrity algorithms supported by Oracle ASO.

SQLNET.ENCRYPTION_TYPES_SERVER = (DES40, RC4_40)

This parameter enumerates some subset of the encryption algorithms supported by
ASO.

SQLNET.CRYPTO_SEED = "Between Ten and Seventy Random Characters"

Several seeds are used to generate a random number on the client and on the server.
One of the seeds that can be used is a user-defined encryption seed. It can be 10 to 70
characters in length and changed at any time. The longer the string, the more secure
the environment.

Any client connecting to this server would need to have parallel settings in their local
sqlnet.ora file. Otherwise their connections will be rejected.
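The negotiation rules described above, worked through in code. This is an added example, not part of the original article or of Oracle's software: it models Oracle's documented REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix and the server's first-match algorithm choice, so you can predict whether a client sqlnet.ora will get through to the ORCL server configured on this page and which algorithms the session ends up with. The INSTALLED table is constructed from the adapters output shown later on the page, and the sqlnet.ora parser is a deliberately minimal one-parameter-per-line assumption.

```python
# Lookup table built from the "adapters" output on this page (constructed, not read from a host).
INSTALLED = {"ENCRYPTION": ["RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES40", "DES",
                            "3DES112", "3DES168", "AES128", "AES192", "AES256"],
             "CRYPTO_CHECKSUM": ["MD5", "SHA1"]}

# The server-side sqlnet.ora from this page (CRYPTO_SEED left out: it takes no part in negotiation).
SERVER_SQLNET = """
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
SQLNET.ENCRYPTION_TYPES_SERVER = (DES40, RC4_40)
"""

def parse_sqlnet(text):
    """Minimal NAME = VALUE parser; a (A, B) value becomes an upper-cased Python list."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and surrounding whitespace
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [alg.strip().upper() for alg in value[1:-1].split(",")]
        params[name.upper()] = value
    return params

def negotiate(server, client, service):
    """One service ('ENCRYPTION' or 'CRYPTO_CHECKSUM'): chosen algorithm, None if off, or ConnectionError."""
    s_level = server.get(f"SQLNET.{service}_SERVER", "ACCEPTED").upper()   # ACCEPTED is Oracle's default
    c_level = client.get(f"SQLNET.{service}_CLIENT", "ACCEPTED").upper()
    if "REJECTED" in (s_level, c_level):
        if "REQUIRED" in (s_level, c_level):   # REJECTED meets REQUIRED: the connection is refused
            raise ConnectionError(f"{service}: client {c_level}, server {s_level}")
        return None
    if s_level == "ACCEPTED" and c_level == "ACCEPTED":   # neither side asked, so the service stays off
        return None
    # Service is on: the server takes the first entry of its own list that the client also lists;
    # a side with no list offers every installed algorithm.
    s_algs = server.get(f"SQLNET.{service}_TYPES_SERVER") or INSTALLED[service]
    c_algs = client.get(f"SQLNET.{service}_TYPES_CLIENT") or INSTALLED[service]
    chosen = next((alg for alg in s_algs if alg in c_algs), None)
    if chosen is None:
        raise ConnectionError(f"{service}: no algorithm common to {s_algs} and {c_algs}")
    return chosen

def connect(client_text, server_text=SERVER_SQLNET):
    """Predict a client's connection to the ORCL server above: (True, {service: alg}) or (False, reason)."""
    server, client = parse_sqlnet(server_text), parse_sqlnet(client_text)
    try:
        return True, {svc: negotiate(server, client, svc) for svc in INSTALLED}
    except ConnectionError as err:
        return False, str(err)
```

A client whose list contains none of the server's algorithms fails even when both sides say REQUIRED, which is the "no compatible algorithm" case mentioned above.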

Logged in as the oracle user, note that you can also run the adapters utility to ascertain
which encryption and checksumming algorithms are available in the installation, for
example:

[oracle@linux ~(sec)]$ adapters


Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication

This change will take effect for all new connections to the database, since the
parameters within sqlnet.ora are read during the establishment of every Oracle Net
session. Note that existing connections, i.e. those in place prior to the changes made to
the sqlnet.ora files, will remain unaffected by these encryption settings. This
would have implications for how a company would enforce these new settings in
a Production environment across, for example, an application server farm, where the
use of pooled database connections implies the need to force re-connects from the
mid-tier in order to pick up the new settings. In a 24×7 environment, this might be
achieved via the use of ONS (Oracle Notification Service) to denote all such pooled
connections as stale, thus forcing new connections to be established.

This example demonstrates how to configure Network Encryption for Oracle clients
such as Oracle Application (we will be modifying this configuration in a later
course). For JDBC applications such as SQL Developer, JDeveloper or a J2EE
application, a similar configuration can be set up.

To show that you are using ASO network encryption, you can query the dynamic view
V$SESSION_CONNECT_INFO. This view displays one row for each network service
adapter the database instance is currently using. Set the ORCL alias, then connect to
SQL*Plus as system/manager. Issue the SQL*Plus COLUMN format commands,
then run the query shown below. You can see that ASO network encryption
adapters are in fact being used by Oracle for this instance.

oracle:/home/oracle> env

ORACLE_SID=ORCL
ORACLE_BASE=/u01/oracle
ORACLE_HOME=/u01/oracle/product/11.1.0/db_1
OH=/u01/oracle/product/11.1.0/db_1

oracle:/home/oracle> sqlplus system/manager

SQL*Plus: Release 11.1.0.7.0 - Production on Sat Oct 11 02:06:04 2008
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options

SQL> col network_service_banner format a24

SQL> col client_driver format a15

SQL> select sid,serial#,network_service_banner,client_driver
2 from v$session_connect_info;

       SID    SERIAL# NETWORK_SERVICE_BANNER                                                                        CLIENT_DRIVER
---------- ---------- --------------------------------------------------------------------------------------------- ---------------
       118          2
       120         26
       170         12 Oracle Bequeath NT Protocol Adapter for Linux: Version 11.1.0.7.0 - Production                SQL*PLUS
       170         12 Oracle Advanced Security: authentication service for Linux: Version 11.1.0.7.0 - Production   SQL*PLUS
       170         12 Oracle Advanced Security: encryption service for Linux: Version 11.1.0.7.0 - Production       SQL*PLUS
       170         12 Oracle Advanced Security: DES40 encryption service adapter for Linux: Version 11.1.0.7.0 - Production SQL*PLUS
       170         12 Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.1.0.7.0 - Production SQL*PLUS
       170         12 Oracle Advanced Security: MD5 crypto-checksumming service adapter                              SQL*PLUS

8 rows selected.
