How To Configure Data Encryption and Integrity
Network encryption is of prime importance if your database is in the cloud.
Oracle Advanced Security provides native Oracle Net Services encryption and integrity.
Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and the servers on the network.
The profile on client and server systems using data encryption and integrity must contain some or all of the parameters listed below.
About Activating Encryption and Integrity
In any network connection, it is possible for both the client and server to support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.
The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list.
If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable.
The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed.
You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms (Table 9-3), and the available integrity algorithm (SHA-1).
Only one encryption algorithm and one integrity algorithm are used for each connect session.
About Negotiating Encryption and Integrity
To negotiate whether to turn on encryption or integrity, you can specify four possible values for the Oracle Advanced Security encryption and integrity configuration parameters.
The four values are listed in the order of increasing security.
REJECTED - Provides the minimum amount of security between client and server communications.
ACCEPTED - Default. Accepts, if possible, whatever encryption the other side is sending.
REQUESTED - "Preferred" method of encryption, but not mandatory.
REQUIRED - Mandatory method of encryption. Provides the maximum amount of network security.
Oracle Database servers and clients are set to ACCEPT encrypted connections out of the box. This means that you can enable the desired encryption and integrity settings for a connection pair by configuring just one side of the connection, server-side or client-side.
So, for example, if there are many Oracle clients connecting to an Oracle database, you can configure the required encryption and integrity settings for all these connections by making the appropriate sqlnet.ora changes at the server end.
You do not need to implement configuration changes for each client separately.
REJECTED
Select this value if you do not elect to enable the security service, even if required by the other side.
In this scenario, this side of the connection specifies that the security service is not permitted. If the other side is set to REQUIRED, the connection terminates with error message ORA-12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without error and without the security service enabled.
ACCEPTED
Select this value to enable the security service if required or requested by the other side.
In this scenario, this side of the connection does not require the security service, but it is enabled if the other side is set to REQUIRED or REQUESTED.
If the other side is set to REQUIRED or REQUESTED, and an encryption or integrity algorithm match is found, the connection continues without error and with the security service enabled.
If the other side is set to REQUIRED and no algorithm match is found, the connection terminates with error message ORA-12650.
If the other side is set to REQUESTED and no algorithm match is found, or if the other side is set to ACCEPTED or REJECTED, the connection continues without error and without the security service enabled.
REQUESTED
Select this value to enable the security service if the other side permits it.
In this scenario, this side of the connection specifies that the security service is desired but not required.
The security service is enabled if the other side specifies ACCEPTED, REQUESTED, or REQUIRED.
There must be a matching algorithm available on the other side, otherwise the service is not enabled.
If the other side specifies REQUIRED and there is no matching algorithm, the connection fails.
REQUIRED
Select this value to enable the security service or preclude the connection.
In this scenario, this side of the connection specifies that the security service must be enabled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on the other side.
Table 9-2 shows whether the security service is enabled, based on a combination of client and server configuration parameters.
If either the server or client has specified REQUIRED, the lack of a common algorithm causes the connection to fail.
Otherwise, if the service is enabled, lack of a common service algorithm results in the service being disabled.
Configuration
Configuration is done in sqlnet.ora.
Since a server can also make client calls, both need to be specified on the client side.
On server:
SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])
On client:
SQLNET.ENCRYPTION_CLIENT = [accepted | rejected | requested | required]
SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])
For example:
Client side "sqlnet.ora" file.
To force encryption from a client, while not affecting any other connections to the server, we would add the following to the client "sqlnet.ora" file.
The server does not need to be altered as the default settings (ACCEPTED and no named encryption algorithm) will allow it to successfully negotiate a connection.
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
Server side "sqlnet.ora" file.
If we would prefer clients to use encrypted connections to the server, but will accept non-encrypted connections, we would add the following to the server side "sqlnet.ora".
SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
Other options:
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256, AES192, AES128)
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, AES192, AES128)
In this example:
REQUESTED : The client or server will request encrypted traffic if it is possible, but will accept non-encrypted traffic if encryption is not possible.
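The negotiation rules described above can be checked against a pair of sqlnet.ora fragments before they are rolled out. The following is an added example, not Oracle code: the function names are hypothetical and the INSTALLED list is an assumed set of algorithms available on both sides.

```python
import re

# Assumption: algorithms "installed" on both sides, in a constructed order.
INSTALLED = ("AES256", "AES192", "AES128")

def parse_sqlnet(text, side):
    """Return (level, algorithm list) for side 'SERVER' or 'CLIENT'."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    # ACCEPTED is the default when the parameter is absent.
    level = params.get(f"SQLNET.ENCRYPTION_{side}", "ACCEPTED").upper()
    raw = params.get(f"SQLNET.ENCRYPTION_TYPES_{side}")
    # No list specified: every installed algorithm is acceptable.
    algos = [a.upper() for a in re.findall(r"\w+", raw)] if raw else list(INSTALLED)
    return level, algos

def negotiate(client_text, server_text):
    """Return the chosen algorithm, None (no encryption), or 'ORA-12650'."""
    c_level, c_algos = parse_sqlnet(client_text, "CLIENT")
    s_level, s_algos = parse_sqlnet(server_text, "SERVER")
    levels = {c_level, s_level}
    # Naming an algorithm that is not installed fails the connection.
    if any(a not in INSTALLED for a in c_algos + s_algos):
        return "ORA-12650"
    if "REJECTED" in levels:
        return "ORA-12650" if "REQUIRED" in levels else None
    if levels == {"ACCEPTED"}:
        return None  # neither side asks for the service
    # The server picks the first entry of its own list that the client also lists.
    match = next((a for a in s_algos if a in c_algos), None)
    if match is None and "REQUIRED" in levels:
        return "ORA-12650"
    return match
```

A result of None for a client/server pair means traffic on that connection is sent unencrypted without any error, which is the case to look for when the intent is to enforce encryption.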
Data Integrity
The advanced security data integrity functionality is separate from network encryption, but it is often discussed in the same context and in the same sections of the manuals.
The configuration is similar to that of network encryption, using the following parameters in the server and/or client "sqlnet.ora" files.
# Server
SQLNET.CRYPTO_CHECKSUM_SERVER
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
# Client
SQLNET.CRYPTO_CHECKSUM_CLIENT
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
The SQLNET.CRYPTO_CHECKSUM_[SERVER|CLIENT] parameters have the same allowed values as the SQLNET.ENCRYPTION_[SERVER|CLIENT] parameters, with the same style of negotiations.
The SQLNET.CRYPTO_CHECKSUM_TYPES_[SERVER|CLIENT] parameters only accept the SHA1 value prior to 12c.
From 12c onward they also accept MD5, SHA1, SHA256, SHA384 and SHA512, with SHA256 being the default.