Few organizations today have access to truly private and secure networks; instead, they share network infrastructure with other organizations. As a result, information traveling over these public or virtual private networks is often vulnerable to interception. The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasible) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key.
In Oracle, native Oracle Net Services encryption and integrity can be configured to achieve this. The encryption and integrity algorithms are specified in the sqlnet.ora file on both the server and the client. Both the client and the server may support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server searches for a match between the algorithms available on both sides and picks the first algorithm in its own list that also appears in the client's list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. You will get ORA-12650 if either side specifies an algorithm that is not installed.
Configuring Network Data Encryption
1- Check what you see without Network Encryption
For this purpose I used Wireshark to capture the network packets and observed that all the data sent by the Oracle Database Server is in clear text. Start Wireshark and start capturing on your Ethernet interface with a filter for your listener port, e.g. 1521.
On one of the client machines, send a test query to the DB server.
2- Setting the profile on client and server
A profile specifies preferences for enabling and configuring Oracle Net features on the client or server. It is basically a collection of parameters which is stored and implemented through the sqlnet.ora file. To set the profile, perform the steps below.
a. Start Oracle Net Manager.
b. In the navigator pane, expand Oracle Net Configuration > Local > Profile.
c. From the list in the right pane, select Oracle Advanced Security.
d. Select the Encryption tab.
e. Select either Client or Server from the Encryption list.
f. Select a value from the Encryption Type list to specify the client or server behavior when negotiating encryption and integrity. The four possible values are as follows:
accepted: Service will be active if the other side of the connection specifies either "required" or "requested", and there is a compatible algorithm available on the other side; it will otherwise be inactive.
rejected: Service must not be active, and the connection will fail if the other side specifies "required".
requested: Service will be active if the other side of the connection specifies either "accepted", "required", or "requested", and there is a compatible algorithm available on the other side; it will otherwise be inactive.
required: Service must be active, and the connection will fail if the other side specifies "rejected", or if there is no compatible algorithm on the other side.
g. Select the encryption algorithms the client or server is allowed to use. Besides AES256, AES192 and AES128 (the only ones worth selecting today), the list includes the following legacy algorithms:
RC4_256: RC4 with a 256-bit key
3DES168: Triple DES with a three-key (168-bit) option
RC4_128: RC4 with a 128-bit key
3DES112: Triple DES with a two-key (112-bit) option
RC4_56: RC4 with a 56-bit key
DES: standard DES with a 56-bit key
RC4_40: RC4 with a 40-bit key
DES40: DES with a 40-bit key
RC4, DES and Triple DES are deprecated in current Oracle releases and offer little real protection; select only the AES algorithms, as in the sqlnet.ora example that follows.
When you save the network configuration using Net Manager, you should observe the entries below in the sqlnet.ora file.
On the server:
SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])
e.g.
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
On the client:
SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])
e.g.
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
Note that "requested" only asks for encryption: a client whose sqlnet.ora says "rejected" (or that ships with no parameter at all and is later changed) will still connect, silently, in clear text. If the goal is that no session ever crosses the network unencrypted, set SQLNET.ENCRYPTION_SERVER = required on the server side and let clients fail rather than fall back.
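The negotiation rules described above (the four levels, the server walking its own list for the first algorithm the client also offers, and ORA-12650 for an algorithm that is not installed) are easy to get wrong when reading two sqlnet.ora files side by side. The following script is an added example, not code from the original post or from Oracle: it parses constructed sqlnet.ora fragments for both roles and reports whether the session would be encrypted, with which algorithm, or whether the connection fails. The set and order of "installed" algorithms, the weak-algorithm list, and the fragments themselves are assumptions made for the simulation; the default level of "accepted" when the parameter is absent is Oracle's documented default.

```python
"""Simulate Oracle Net native encryption negotiation from sqlnet.ora fragments."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed installed algorithms, in the order a side with no explicit list is
# assumed to offer them (strongest first). Only the AES entries are recommended.
INSTALLED = ("AES256", "AES192", "AES128", "3DES168", "3DES112",
             "RC4_256", "RC4_128", "RC4_56", "DES", "RC4_40", "DES40")
WEAK = {"3DES168", "3DES112", "RC4_256", "RC4_128", "RC4_56", "DES", "RC4_40", "DES40"}
LEVELS = ("accepted", "rejected", "requested", "required")


class OracleNetError(Exception):
    """Raised where a real connection attempt would return an ORA- error."""


@dataclass
class Side:
    role: str                          # "SERVER" or "CLIENT"
    level: str = "accepted"            # Oracle's default when the parameter is absent
    algorithms: Optional[list] = None  # None: no list given, all installed are acceptable

    def offered(self):
        return list(INSTALLED) if self.algorithms is None else self.algorithms


@dataclass
class Outcome:
    status: str                        # "active", "inactive" or "failed"
    algorithm: Optional[str]
    reason: str

    @property
    def weak(self):
        return self.algorithm in WEAK


_PARAM = re.compile(r"^SQLNET\.(ENCRYPTION|ENCRYPTION_TYPES)_(SERVER|CLIENT)\s*=\s*(.+?)\s*$", re.I)


def parse_sqlnet(text, role):
    """Extract the encryption level and algorithm list for one role from sqlnet.ora text."""
    side = Side(role.upper())
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment in sqlnet.ora
        m = _PARAM.match(line)
        if not m or m.group(2).upper() != side.role:
            continue
        param, value = m.group(1).upper(), m.group(3)
        if param == "ENCRYPTION":
            side.level = value.lower()
            if side.level not in LEVELS:
                raise ValueError(f"invalid SQLNET.{param}_{side.role} value: {value}")
        else:
            side.algorithms = [a.strip().upper() for a in value.strip("()").split(",") if a.strip()]
            missing = [a for a in side.algorithms if a not in INSTALLED]
            if missing:  # the page's ORA-12650 case: an algorithm that is not installed
                raise OracleNetError(f"ORA-12650: algorithm not installed on {side.role}: {missing}")
    return side


def negotiate(server, client):
    """Apply the accepted/rejected/requested/required rules, then pick the algorithm."""
    levels = {server.level, client.level}
    if "rejected" in levels:
        if "required" in levels:
            return Outcome("failed", None, "one side requires encryption, the other rejects it")
        return Outcome("inactive", None, "one side rejects encryption")
    if not levels & {"requested", "required"}:
        return Outcome("inactive", None, "both sides only accept; neither side asked for encryption")
    # The server walks its own list and takes the first entry the client also offers.
    common = [a for a in server.offered() if a in client.offered()]
    if not common:
        if "required" in levels:
            return Outcome("failed", None, "encryption required but no compatible algorithm")
        return Outcome("inactive", None, "no compatible algorithm, session continues in clear")
    return Outcome("active", common[0], f"server picked {common[0]}")


def simulate(server_sqlnet, client_sqlnet):
    return negotiate(parse_sqlnet(server_sqlnet, "SERVER"), parse_sqlnet(client_sqlnet, "CLIENT"))


# Constructed sqlnet.ora fragments for the simulation, not captured from a real system.
PAGE_SERVER = "SQLNET.ENCRYPTION_SERVER = requested\nSQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n"
PAGE_CLIENT = "SQLNET.ENCRYPTION_CLIENT = requested\nSQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)\n"
HARDENED_SERVER = "SQLNET.ENCRYPTION_SERVER = required\nSQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)\n"
LEGACY_CLIENT = "SQLNET.ENCRYPTION_CLIENT = requested\nSQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_40)\n"

if __name__ == "__main__":
    cases = [("page example", PAGE_SERVER, PAGE_CLIENT),
             ("unconfigured defaults", "", ""),
             ("hardened server vs legacy client", HARDENED_SERVER, LEGACY_CLIENT),
             ("permissive server vs legacy client", "SQLNET.ENCRYPTION_SERVER = requested\n", LEGACY_CLIENT)]
    for name, srv, cli in cases:
        o = simulate(srv, cli)
        print(f"{name}: {o.status} {o.algorithm or ''} ({o.reason}){' WEAK' if o.weak else ''}")
```

Two of the cases are the ones a practitioner should care about: with nothing configured on either side, both default to "accepted" and the session runs in clear, and a server set to "requested" without a type list will happily settle for RC4_40 if that is all the client offers. On a live system the same check is a query against V$SESSION_CONNECT_INFO, whose NETWORK_SERVICE_BANNER rows name the encryption adapter (for example an AES256 adapter) in use for the session. The integrity (checksum) service is configured the same way with the SQLNET.CRYPTO_CHECKSUM_SERVER/CLIENT and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER/CLIENT parameters.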