Note: All the posts are based on practical approach avoiding lengthy theory. All have been tested on some development servers. Please don’t test any post on production servers until you are sure.

Sunday, May 31, 2015

12c: Network Data Encryption

Few organizations today have access to truly private and secure networks; instead, they share network infrastructure with other organizations. As a result, information traveling over these public or virtual private networks is often vulnerable to interception. The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key, in such a way that it is very hard (computationally infeasible) to convert ciphertext back into its corresponding plaintext without knowledge of the correct key.


In Oracle Database we can configure native Oracle Net Services encryption and integrity to achieve the purpose described above. The encryption and integrity algorithms are specified in the sqlnet.ora file at both the server and the client. Both the client and the server may support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server searches for a match between the algorithms available on both sides and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. You will get ORA-12650 if either side specifies an algorithm that is not installed.



Configuring Network Data Encryption

1- Check what you see without Network Encryption
For this purpose I used Wireshark to capture the network packets and observed that all the data sent by the Oracle Database Server is in clear text. Start Wireshark and begin capturing on your Ethernet interface with a filter on your listener port, e.g. 1521.

On one of the client machines, send a test query to the DB Server.


2- Setting the profile on client and server
A profile specifies preferences for enabling and configuring Oracle Net features on the client or server. It is basically a collection of parameters stored in, and implemented through, the sqlnet.ora file. To set the profile, perform the steps below.

a. Start Oracle Net Manager.
b. In the navigator pane, expand Oracle Net Configuration > Local > Profile.
c. From the list in the right pane, select Oracle Advanced Security.
d. Select the Encryption tab.
e. Select either Client or Server from the Encryption list.
f. Select a value from the Encryption Type list to specify the client or server behavior when negotiating encryption and integrity. The four possible values are as follows:

accepted: Service will be active if the other side of the connection specifies either "required" or "requested", and there is a compatible algorithm available on the other side; it will otherwise be inactive.

rejected: Service must not be active, and the connection will fail if the other side specifies "required".

requested: Service will be active if the other side of the connection specifies either "accepted", "required", or "requested", and there is a compatible algorithm available on the other side; it will otherwise be inactive.

required: Service must be active, and the connection will fail if the other side specifies "rejected", or if there is no compatible algorithm on the other side.

In the Encryption Seed field, enter between 10 and 70 random characters. The encryption seed for the client should not be the same as that for the server. This encryption seed is used together with the encryption algorithm.

From the Available Methods list, select an encryption algorithm, and then choose the right-arrow (>) button to move it to the Selected Methods list. The order of the methods in the Selected Methods list determines the preferred order for negotiation. The following algorithms are supported by Oracle Advanced Security:

RC4_256     256 bit key size 
3DES168     Triple DES with a three-key (168 bit) option 
RC4_128     128 bit key size 
3DES112     Triple DES with a two-key (112 bit) option 
RC4_56      56 bit key size 
DES         Standard 56 bit key size 
RC4_40      40 bit key size 
DES40       40 bit key size 


When you save the network configuration using Net Manager, you should see entries like the following in the sqlnet.ora file.

    On the server:
    SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required]
    SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])

    e.g.
    SQLNET.ENCRYPTION_SERVER = requested
    SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

    On the client:
    SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required]
    SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])

    e.g.
    SQLNET.ENCRYPTION_CLIENT = requested
    SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)

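
The negotiation rules above (the four values accepted/rejected/requested/required, the first-match algorithm selection, and the "no list means everything installed" rule) are easy to misjudge when only one side is changed, so here is a small model of them as an added example. It is not Oracle's code and not part of the original post: it parses the SQLNET.ENCRYPTION_* parameters from sqlnet.ora text for both sides and reports whether the service ends up on, off, or breaks the connection, and which algorithm is picked. Two assumptions: the INSTALLED tuple (the post's algorithm table plus the AES256 from its example) stands in for whatever is installed on a side that gives no list, and an absent SQLNET.ENCRYPTION_SERVER/CLIENT parameter is treated as "accepted", Oracle's documented default.

```python
"""Model of the Oracle Net encryption negotiation described in the post.

Added example, not Oracle's code: parses SQLNET.ENCRYPTION_* parameters from
sqlnet.ora text for both sides, applies the accepted/rejected/requested/
required rules, and picks the algorithm the way the post describes (the
first entry in the server's list that also appears in the client's list).
"""
from __future__ import annotations

# Names from the post's table plus the AES256 of its example.  When a side
# gives no SQLNET.ENCRYPTION_TYPES_* list, the post says every algorithm
# installed on that side is acceptable; this tuple stands in for "installed"
# on both sides (an assumption of the example, not of any real installation).
INSTALLED = ("AES256", "AES192", "AES128", "RC4_256", "3DES168", "RC4_128",
             "3DES112", "RC4_56", "DES", "RC4_40", "DES40")

LEVELS = ("accepted", "rejected", "requested", "required")
DEFAULT_LEVEL = "accepted"   # Oracle's documented default when the parameter is absent


def parse_sqlnet(text: str) -> dict[str, object]:
    """Return the SQLNET.ENCRYPTION_* parameters of a sqlnet.ora fragment.

    Scalar values are lower-cased; parenthesised lists become lists of
    upper-cased names in the order written (the negotiation preference order).
    """
    params: dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.upper()
        if not key.startswith("SQLNET.ENCRYPTION"):
            continue
        if value.startswith("(") and value.endswith(")"):
            params[key] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key] = value.lower()
    return params


def service_state(server_level: str, client_level: str) -> str:
    """Apply the four-value rules from the post: 'on', 'off' or 'fail'."""
    for level in (server_level, client_level):
        if level not in LEVELS:
            raise ValueError(f"unknown encryption setting: {level!r}")
    pair = (server_level, client_level)
    if "rejected" in pair:
        # rejected never activates the service; if the other side insists
        # ('required') the connection fails instead of falling back.
        return "fail" if "required" in pair else "off"
    if pair == ("accepted", "accepted"):
        return "off"      # both merely willing, neither asks: stays inactive
    return "on"


def choose_algorithm(server_list, client_list) -> str | None:
    """First algorithm in the server's list that the client also offers."""
    server_list = list(server_list) if server_list else list(INSTALLED)
    client_set = set(client_list) if client_list else set(INSTALLED)
    for alg in server_list:
        if alg in client_set:
            return alg
    return None


def negotiate(server_sqlnet: str, client_sqlnet: str) -> tuple[str, str | None]:
    """Combine both sqlnet.ora fragments into (state, algorithm)."""
    srv, cli = parse_sqlnet(server_sqlnet), parse_sqlnet(client_sqlnet)
    s_level = srv.get("SQLNET.ENCRYPTION_SERVER", DEFAULT_LEVEL)
    c_level = cli.get("SQLNET.ENCRYPTION_CLIENT", DEFAULT_LEVEL)
    state = service_state(s_level, c_level)
    if state != "on":
        return state, None
    alg = choose_algorithm(srv.get("SQLNET.ENCRYPTION_TYPES_SERVER"),
                           cli.get("SQLNET.ENCRYPTION_TYPES_CLIENT"))
    if alg is None:
        # No common algorithm: a 'required' side refuses the connection
        # (the situation the post associates with ORA-12650); otherwise the
        # service silently stays off and data crosses the wire in clear text.
        return ("fail" if "required" in (s_level, c_level) else "off"), None
    return "on", alg


# sqlnet.ora fragments: the first two are the post's example, the rest are constructed.
SERVER_POST = "SQLNET.ENCRYPTION_SERVER = requested\nSQLNET.ENCRYPTION_TYPES_SERVER= (AES256)\n"
CLIENT_POST = "SQLNET.ENCRYPTION_CLIENT = requested\nSQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)\n"
CLIENT_LEGACY = "SQLNET.ENCRYPTION_CLIENT = requested\nSQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128, 3DES168)\n"
CLIENT_REJECT = "SQLNET.ENCRYPTION_CLIENT = rejected\n"
CLIENT_UNSET = "# constructed client with no encryption settings at all\n"

if __name__ == "__main__":
    for name, cli in (("post", CLIENT_POST), ("legacy", CLIENT_LEGACY),
                      ("reject", CLIENT_REJECT), ("unset", CLIENT_UNSET)):
        print(name, negotiate(SERVER_POST, cli))
```

The legacy-client case is the one worth noticing: with the server at requested and only AES256 listed, a client that offers only RC4/3DES still connects, but in clear text, which is exactly what the Wireshark check in step 3 would reveal. Only required on the server turns that mismatch into a hard connection failure instead of a silent fallback.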
3- Run the same test with Wireshark and observe the output; this time there is no clear text.

