
Monday, September 6, 2010

Oracle JDBC encryption

How to configure an Oracle Net client so that the connection is encrypted on the wire and protected by crypto-checksumming (Oracle's data integrity option), which defeats eavesdropping and detects in-flight modification and replay of packets.

Preliminary - Gather Information

The DBA must have installed the database server with the Advanced Security Option and configured the server-side sqlnet.ora (not the listener) to at least accept encrypted sessions and checksumming, that is, SQLNET.ENCRYPTION_SERVER and SQLNET.CRYPTO_CHECKSUM_SERVER set to accepted or stronger. Ask which encryption and checksum algorithms the server offers, because the client list configured below must overlap with it or the connection will not be encrypted (or, with required set, will not be established at all).

Install Oracle Client

The standard Oracle client software is sufficient on the client side; there is no special client edition to consider. Install the client software and test it as usual. Note that the sqlnet.ora settings described here apply to OCI-based clients such as sqlplus and the JDBC OCI (thick) driver. The JDBC Thin driver does not use sqlnet.ora for these settings; it takes them as connection properties (oracle.net.encryption_client, oracle.net.encryption_types_client, oracle.net.crypto_checksum_client and oracle.net.crypto_checksum_types_client) with the same values, as described in the reference at the end of this post.


Configuring the Client for Encryption

Edit the $ORACLE_HOME/network/admin/sqlnet.ora file on the client machine. For this example, we'll assume the DBA has set up the instance to use RC4_256 for encryption and MD5 for checksums, and that you want the connection to be encrypted or else fail, rather than silently fall back to cleartext.

To configure this, add the following lines to your sqlnet.ora :

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (MD5)
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_256)
SQLNET.ENCRYPTION_CLIENT = required
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.CRYPTO_SEED = 'insert a random string from 10-70 characters here'

The full set of options for both ENCRYPTION_CLIENT and CRYPTO_CHECKSUM_CLIENT are: accepted, rejected, requested, required

The full set of options for ENCRYPTION_TYPES_CLIENT are: RC4_256, RC4_128, RC4_56, RC4_40, AES256, AES192, AES128, 3DES168, 3DES112, DES, DES40. (Oracle's documentation of the time recommended RC4_256 for performance reasons. RC4 and the DES variants are cryptographically weak and have since been deprecated by Oracle; list only AES256, AES192 or AES128 unless the server you must reach offers nothing else.)

The full set of options for CRYPTO_CHECKSUM_TYPES_CLIENT are: MD5, SHA1. Prefer SHA1 over MD5; later releases (12c and up) add SHA256, SHA384 and SHA512 and deprecate MD5.

The CRYPTO_SEED must be quoted in single or double quotes.


It's possible to specify more than one encryption or checksum algorithm. To do so, separate them by commas like so:

SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256,RC4_256,DES)

They will be tried in order until a match is found, so list the strongest algorithm first. If no match is found, the connection is refused when either the client or the server has encryption set to required, and otherwise proceeds unencrypted. Listing several algorithms is useful when you connect to instances that accept different sets of algorithms.

Note: There is no plausible reason we can think of to configure the client or server to always reject encrypted connections. However, if one side is set to reject, and the other to require, the result is what you'd expect: a connection can never be established.
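As an added example (not part of the original post), the following POSIX shell script audits a client sqlnet.ora against the settings described above: it checks that both ENCRYPTION_CLIENT and CRYPTO_CHECKSUM_CLIENT are set to required, that algorithm lists are pinned and contain no RC4, DES/3DES or MD5, and that CRYPTO_SEED is 10 to 70 characters long. It assumes the plain `KEY = VALUE` layout shown on this page and ignores any other sqlnet.ora syntax; the script name, the function names and the sample configurations in its usage are constructed for illustration.

```shell
#!/bin/sh
# Audit a client sqlnet.ora for the Oracle Net encryption and integrity
# settings. Prints one FINDING line per problem; exit 0 means the file pins
# strong algorithms and refuses to fall back to cleartext.

# Print the value of one sqlnet.ora parameter (case-insensitive key match)
# with surrounding whitespace, list parentheses and quotes removed. If the
# parameter appears more than once the last occurrence wins.
sqlnet_get() {
    # $1 = path to sqlnet.ora, $2 = parameter name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v sq="'" '
        /^[ \t]*#/ { next }                       # comment line
        index($0, "=") == 0 { next }              # not a KEY = VALUE line
        {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k)
            if (tolower(k) != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)   # trim
            sub(/^\(/, "", v); sub(/\)$/, "", v)            # (LIST)
            c = substr(v, 1, 1)
            if (c == "\"" || c == sq) v = substr(v, 2)      # opening quote
            c = substr(v, length(v), 1)
            if (c == "\"" || c == sq) v = substr(v, 1, length(v) - 1)
            val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Audit one sqlnet.ora; returns 0 when no finding was raised.
audit_sqlnet_ora() {
    f=$1
    rc=0
    enc=$(sqlnet_get "$f" SQLNET.ENCRYPTION_CLIENT | tr 'A-Z' 'a-z')
    sum=$(sqlnet_get "$f" SQLNET.CRYPTO_CHECKSUM_CLIENT | tr 'A-Z' 'a-z')
    enc_types=$(sqlnet_get "$f" SQLNET.ENCRYPTION_TYPES_CLIENT | tr -d ' \t' | tr 'a-z' 'A-Z')
    sum_types=$(sqlnet_get "$f" SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT | tr -d ' \t' | tr 'a-z' 'A-Z')
    seed=$(sqlnet_get "$f" SQLNET.CRYPTO_SEED)

    # Anything other than "required" allows the session to be negotiated
    # down to cleartext when the other side does not insist on encryption.
    [ "$enc" = required ] || { echo "FINDING: SQLNET.ENCRYPTION_CLIENT=${enc:-<unset>} (want required)"; rc=1; }
    [ "$sum" = required ] || { echo "FINDING: SQLNET.CRYPTO_CHECKSUM_CLIENT=${sum:-<unset>} (want required)"; rc=1; }

    # With no list the client offers every installed algorithm, weak ones included.
    [ -n "$enc_types" ] || { echo "FINDING: SQLNET.ENCRYPTION_TYPES_CLIENT unset; all algorithms offered"; rc=1; }
    [ -n "$sum_types" ] || { echo "FINDING: SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT unset; all algorithms offered"; rc=1; }

    # RC4 and every DES variant are weak ciphers; MD5 is a weak checksum.
    for a in $(printf '%s' "$enc_types" | tr ',' ' '); do
        case $a in RC4*|*DES*) echo "FINDING: weak cipher $a offered"; rc=1 ;; esac
    done
    for a in $(printf '%s' "$sum_types" | tr ',' ' '); do
        case $a in MD5) echo "FINDING: weak checksum $a offered"; rc=1 ;; esac
    done

    # Oracle requires a 10-70 character seed; the quotes were stripped above.
    n=${#seed}
    if [ "$n" -lt 10 ] || [ "$n" -gt 70 ]; then
        echo "FINDING: SQLNET.CRYPTO_SEED length $n outside 10-70"; rc=1
    fi
    return $rc
}

# Usage: sh audit_sqlnet.sh "$ORACLE_HOME/network/admin/sqlnet.ora"
if [ "$#" -eq 1 ]; then
    if audit_sqlnet_ora "$1"; then echo "OK: $1 enforces strong encryption and checksumming"; fi
fi
```

Run against the RC4_256/MD5 configuration shown earlier in this post, the script reports the two weak algorithms and exits non-zero; replacing them with AES256 and SHA1 makes it pass.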

Verifying encryption is working

A packet sniffer is a tedious and error-prone way to verify that the connection to the Oracle instance is encrypted: by eye, it is not trivial to tell an encrypted stream from a compressed one.

A more straightforward and reasonably solid approach is to enable client-side tracing and let Oracle's diagnostic information verify if encryption is working. To do this, edit your sqlnet.ora file, and temporarily add the following lines:

TRACE_LEVEL_CLIENT=10
TRACE_DIRECTORY_CLIENT=(a fully qualified directory to which you have write permissions)

NOTE: On Windows, TRACE_DIRECTORY_CLIENT is reported to be ignored. Instead, look under:

"C:\Documents and Settings\\Oracle\oradiag_\diag\clients\user_\host_<...>\trace\"

Use sqlplus to log in to your instance. We recommend not using more elaborate or GUI tools for this test, as many of them automatically issue a number of queries on login and make the trace logs extremely verbose. After you have logged in successfully, log out.

In the TRACE_DIRECTORY_CLIENT, you should see a file named cli_NNNNN.trc, where NNNNN is an integer. (Note for Windows: the trace files are reported to begin with ora_ rather than cli_.) Grep or visually inspect this file, looking for the string 'encryption'. For example, a session that has successfully set up an encrypted connection will contain a line such as:

[24-OCT-2006 10:00:32:087] na_tns: encryption is active, using RC4_256

A cleartext connection would instead look like:

[24-OCT-2006 10:07:34:707] na_tns: encryption is not active

If you are familiar with Oracle client traces, note that the encrypted session negotiation does not show up at trace levels below 10. You must use the ADMIN (10) or SUPPORT (16) trace level.

Once testing is complete, remove TRACE_LEVEL_CLIENT and TRACE_DIRECTORY_CLIENT from your sqlnet.ora file and delete the trace files, which record connection details you would not want left on disk.
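As an added example (not part of the original post), the following POSIX shell script automates the trace inspection described in this section: it picks the newest cli_*.trc (or ora_*.trc on Windows) in the trace directory, extracts the negotiated algorithm from the na_tns encryption line, distinguishes a cleartext session from a trace that was simply taken at too low a level, and warns when the negotiated algorithm is one of the weak ones discussed earlier. The encryption lines it matches are the ones quoted above; the crypto-checksumming line format it looks for ("na_tns: crypto-checksumming is active, using SHA1") is an assumption to confirm against your own trace. Script name, function names and the sample trace lines in the usage are constructed.

```shell
#!/bin/sh
# Parse an Oracle Net client trace (TRACE_LEVEL_CLIENT=10 or higher) and
# report whether the session negotiated encryption and crypto-checksumming.
# trace_encryption_status exit codes: 0 encrypted, 1 cleartext, 2 undetermined.

# Newest client trace in a directory: cli_*.trc on Unix, ora_*.trc on Windows.
newest_trace() {
    ls -t "$1"/cli_*.trc "$1"/ora_*.trc 2>/dev/null | head -n 1
}

# Report the negotiated encryption algorithm from the na_tns trace lines.
trace_encryption_status() {
    # Use the last negotiation line; one trace can cover several connects.
    # tr strips the CR that Windows traces carry at end of line.
    line=$(grep 'na_tns: encryption is' "$1" 2>/dev/null | tail -n 1 | tr -d '\r')
    case $line in
        *'encryption is active, using '*)
            echo "ENCRYPTED ${line##*using }"
            return 0 ;;
        *'encryption is not active'*)
            echo "CLEARTEXT"
            return 1 ;;
        *)
            echo "UNDETERMINED: no na_tns encryption line; is TRACE_LEVEL_CLIENT at least 10?"
            return 2 ;;
    esac
}

# Same check for the integrity layer. The line format matched here is an
# assumption; confirm it against a real trace before relying on it.
trace_checksum_status() {
    line=$(grep 'na_tns: crypto-checksumming is' "$1" 2>/dev/null | tail -n 1 | tr -d '\r')
    case $line in
        *'is active, using '*) echo "CHECKSUMMED ${line##*using }"; return 0 ;;
        *'is not active'*)     echo "NO CHECKSUM"; return 1 ;;
        *)                     echo "UNDETERMINED"; return 2 ;;
    esac
}

# "Encrypted" is not enough: RC4, the DES variants and MD5 are weak.
is_strong_algorithm() {
    case $1 in
        RC4*|*DES*|MD5) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: sh check_trace.sh "$TRACE_DIRECTORY_CLIENT"
if [ "$#" -eq 1 ]; then
    f=$(newest_trace "$1")
    [ -n "$f" ] || { echo "no cli_*.trc or ora_*.trc under $1" >&2; exit 2; }
    echo "trace: $f"
    enc=$(trace_encryption_status "$f") || true
    echo "$enc"
    trace_checksum_status "$f" || true
    alg=${enc#ENCRYPTED }
    if [ "$alg" != "$enc" ] && ! is_strong_algorithm "$alg"; then
        echo "WARNING: $alg is a weak cipher; prefer AES256/AES192/AES128"
    fi
fi
```

Because the functions return distinct exit codes, the same script drops into a CI or configuration-management check: a non-zero status from trace_encryption_status means the client either fell back to cleartext or never produced a usable trace.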

Reference:
http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/clntsec.htm#insertedID5
