Oracle 19c Network Encryption

Network Encryption Definition

Oracle Database ships with a network layer called Oracle Net Services that carries all traffic between the client and the database server.  By default that traffic, SQL statements and result sets included, crosses the network in plain text.

The one exception is the password used to authenticate.  The password itself never travels in clear text: the O5Logon authentication protocol uses a challenge-response exchange, so only the session data after login is exposed.

When Oracle Net Services is used for the client-server communication, it can be configured to encrypt the information transmitted on the network.

 

Oracle calls this feature “Oracle Data Network Encryption and Integrity“ (also referred to as native network encryption, to distinguish it from running Oracle Net over TLS).
Using it we can both encrypt the data on the wire and protect its integrity.  For encryption Oracle offers the AES symmetric cipher (AES128, AES192, AES256) as well as the legacy DES, 3DES and RC4 ciphers; in Oracle 19c the DES, 3DES and RC4 variants are deprecated and should not be offered.
For integrity, each packet carries a cryptographic checksum together with sequencing information.  The available checksum algorithms are MD5 (also deprecated in 19c), SHA1, SHA256, SHA384 and SHA512.
Network encryption with integrity therefore does more than hide the data from anyone monitoring the network: it also protects against what Oracle calls the Data Modification Attack (packets altered in transit) and the Replay Attack (captured packets re-sent later).

Configuring for Network Encryption

Network Encryption is configured in the “sqlnet.ora” file on both the client and the server side.  Oracle Net must be installed on both the server and the client before configuring it.

The configuration can be done either by editing “sqlnet.ora” with a text editor or with the Oracle Net Manager (netmgr) utility.

Two parameters are used on the server side:

SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required ]
SQLNET.ENCRYPTION_TYPES_SERVER = (algorithm name)

and the two used by the client side:

SQLNET.ENCRYPTION_CLIENT = [ accepted | rejected | requested | required ]
SQLNET.ENCRYPTION_TYPES_CLIENT = ( algorithm name )

The values of SQLNET.ENCRYPTION_TYPES_CLIENT and SQLNET.ENCRYPTION_TYPES_SERVER are chosen from the encryption algorithms listed above (for example AES256, AES192, AES128); several algorithms can be listed in order of preference.  If the parameter is omitted, every algorithm installed on that side is offered.

All of these algorithms are installed together with Oracle Net.  SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT determine whether each side rejects, accepts, requests or requires encryption; the two values are negotiated when the connection is established.

 

This parameter can take the following values,

  • REJECTED
  • ACCEPTED
  • REQUESTED
  • REQUIRED

The default value is ACCEPTED.

 

REJECTED : This side will not use encryption.  It never establishes an encrypted connection, and if the other side has REQUIRED, the connection fails.

ACCEPTED : This side has no preference.  It uses encryption if the other side requests or requires it.  If both sides are ACCEPTED (the default), the connection is established without encryption.

REQUESTED : This side wants encryption and uses it whenever the other side allows it (ACCEPTED, REQUESTED or REQUIRED).  If the other side is REJECTED, the connection is still established, but unencrypted.

REQUIRED : This side insists on encryption.  The connection is established only if encryption can be negotiated; if the other side is REJECTED, or the two sides share no common algorithm, the connection attempt fails with ORA-12650.

 

The following table shows the result for every combination of SQLNET.ENCRYPTION_CLIENT (rows) and SQLNET.ENCRYPTION_SERVER (columns); the same rules apply to the CRYPTO_CHECKSUM parameters below.

Client \ Server     REJECTED           ACCEPTED    REQUESTED   REQUIRED
REJECTED            OFF                OFF         OFF         connection fails
ACCEPTED            OFF                OFF         ON          ON
REQUESTED           OFF                ON          ON          ON
REQUIRED            connection fails   ON          ON          ON
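The negotiation above can be tried out without a database.  The following Python model is an added example (it is not code from the original article or from Oracle): it encodes the documented REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix, the rule that the server picks the first algorithm in its own list that the client also offers, and the ORA-12650 failure when a REQUIRED side finds no common algorithm.  The algorithm lists are constructed samples, and the silent fallback to an unprotected session when only REQUESTED or ACCEPTED sides share no algorithm is this example's reading of the rules, marked as an assumption in the code.

```python
"""Oracle Net encryption / integrity negotiation, modelled in Python.

Added example, not code from the original article or from Oracle. The same
rules apply to SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Algorithms deprecated in Oracle 19c; offering them is governed by SQLNET.ALLOW_WEAK_CRYPTO.
WEAK_ALGORITHMS = frozenset({
    "DES", "DES40", "3DES112", "3DES168",
    "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5",
})

# What a side offers when its *_TYPES_* parameter is omitted: every installed
# algorithm. Assumed here to be the AES family only, as on a hardened install.
DEFAULT_INSTALLED = ("AES256", "AES192", "AES128")


class NegotiationError(Exception):
    """Raised where the real connection attempt would fail."""


@dataclass(frozen=True)
class Outcome:
    active: bool                 # is the service (encryption or integrity) on?
    algorithm: Optional[str]     # negotiated algorithm when active
    warnings: Tuple[str, ...]    # practitioner-facing notes


def service_wanted(client: str, server: str) -> bool:
    """Apply the REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix.

    Returns True when the service is switched on, False when both sides agree
    to run without it, and raises NegotiationError when REQUIRED meets REJECTED.
    """
    client, server = client.upper(), server.upper()
    for level in (client, server):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    if "REJECTED" in (client, server):
        if "REQUIRED" in (client, server):
            raise NegotiationError("connection fails: REQUIRED on one side, REJECTED on the other")
        return False
    # Neither side rejects: ACCEPTED/ACCEPTED (the default) stays off,
    # any REQUESTED or REQUIRED turns the service on.
    return client != "ACCEPTED" or server != "ACCEPTED"


def negotiate(client_level: str, server_level: str,
              client_algs: Sequence[str] = (), server_algs: Sequence[str] = ()) -> Outcome:
    """Negotiate one service (encryption or checksumming) for a connection."""
    if not service_wanted(client_level, server_level):
        return Outcome(False, None, ())
    offered_by_client = [a.upper() for a in (client_algs or DEFAULT_INSTALLED)]
    offered_by_server = [a.upper() for a in (server_algs or DEFAULT_INSTALLED)]
    # Documented rule: the server picks the first algorithm in its own list
    # that the client also offers.
    chosen = next((a for a in offered_by_server if a in offered_by_client), None)
    if chosen is None:
        if "REQUIRED" in (client_level.upper(), server_level.upper()):
            raise NegotiationError("ORA-12650: No common encryption or data integrity algorithm")
        # Assumption of this model: REQUESTED/ACCEPTED sides give up silently
        # and the session runs without the service.
        return Outcome(False, None, ("no common algorithm; session continues unprotected",))
    warnings: Tuple[str, ...] = ()
    if chosen in WEAK_ALGORITHMS:
        warnings = (f"{chosen} is deprecated in 19c; pin the *_TYPES_* lists to AES",)
    return Outcome(True, chosen, warnings)


def connection_fails(client_level: str, server_level: str,
                     client_algs: Sequence[str] = (), server_algs: Sequence[str] = ()) -> bool:
    """True when the combination would make the connection attempt fail."""
    try:
        negotiate(client_level, server_level, client_algs, server_algs)
    except NegotiationError:
        return True
    return False


if __name__ == "__main__":
    # Walk the full 4x4 matrix as a quick table for the reader.
    for c in LEVELS:
        for s in LEVELS:
            try:
                state = "ON" if negotiate(c, s).active else "OFF"
            except NegotiationError:
                state = "FAILS"
            print(f"client={c:<9} server={s:<9} -> {state}")
```

The point worth noticing when running it is the ACCEPTED/ACCEPTED case: both sides are at Oracle's default, nothing fails, and the session is simply unencrypted.  Only REQUIRED on at least one side turns a missing or incompatible configuration into a visible error instead of a silent downgrade.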

 

 

The corresponding parameters for data integrity (crypto-checksumming) on the client and server side are:

Server side:

SQLNET.CRYPTO_CHECKSUM_SERVER = [ accepted | rejected | requested | required ]
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = ( algorithm name )

Client Side:

SQLNET.CRYPTO_CHECKSUM_CLIENT = [ accepted | rejected | requested | required ]
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = ( algorithm name )

 

Network Encryption Examples

In this example, let’s set the following parameters in the client’s “sqlnet.ora” file.  If you don’t know where “sqlnet.ora” lives on your computer, look in $ORACLE_HOME/network/admin or in the directory pointed to by the TNS_ADMIN environment variable.

 

TRACE_LEVEL_CLIENT=10
SQLNET.ENCRYPTION_CLIENT = Requested
SQLNET.ENCRYPTION_TYPES_CLIENT = ( AES128 )
SQLNET.CRYPTO_CHECKSUM_CLIENT = Requested
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)

 

The parameter TRACE_LEVEL_CLIENT=10 (the ADMIN trace level) makes the client write a trace file for each connection; we use it only to confirm that the negotiation produced an encrypted session.  Turn it off again afterwards: admin-level traces are large and record connection details.

The matching parameters are set in the server’s “sqlnet.ora” file: SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER.

Because encryption is REQUESTED on both sides (SQLNET.ENCRYPTION_CLIENT on the client and SQLNET.ENCRYPTION_SERVER on the server), the negotiation turns encryption on and the data transfer is encrypted.  Note that REQUESTED only works here because neither side rejects; to guarantee that no client can ever connect unencrypted, the server should use REQUIRED.

Now let’s connect to the server from the client with SQL Developer.  For sqlnet.ora to apply, SQL Developer must be set to use the OCI (thick) driver; the default JDBC Thin driver does not read sqlnet.ora and takes the equivalent settings from its own connection properties instead (oracle.net.encryption_client, oracle.net.encryption_types_client, oracle.net.crypto_checksum_client and oracle.net.crypto_checksum_types_client).

 

 

 

After closing the connection, look for the .trc files on the client; they are written to the directory set by TRACE_DIRECTORY_CLIENT, by default $ORACLE_HOME/network/trace.  The trace file created at the time of the connection tells us whether the connection was encrypted.

 

 

Search this file for the word “encryption”.

The trace shows that the session data is encrypted over the network with the AES128 algorithm and its integrity is protected with the SHA1 algorithm, exactly as the client requested.  The same information is available from inside the session without any tracing: the NETWORK_SERVICE_BANNER column of V$SESSION_CONNECT_INFO lists the encryption and crypto-checksumming service adapters that were negotiated for the current session.

 

See you in the next article.

 

Oracle Database Security Tutorial – Virtual Private Database

 

 

If you want to learn more about advanced Oracle Database topics, read the following articles:

https://ittutorial.org/advanced-oracle-database-tutorials/

About Deniz Parlak

Hi, I’m a Security Data Scientist & Data Engineer at My Security Analytics. I have experience with advanced Python, machine learning and big data tools. I have also worked on Oracle Database administration, migration and upgrade projects. For your questions: [email protected]
