Your TCP connection will be transformed to TCPS.
SQL*Net
Setting the encryption/checksum (integrity) for a whole client or whole server can be done in sqlnet.ora by setting the following:
Server
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(MD5)
Client
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(MD5)
The encryption/checksum (integrity) type is a list; to allow more than one algorithm, specify them like this: (AES256,AES192).
These settings then apply to all the databases and clients that use the sqlnet.ora in that Oracle home. You can also set the encryption only on the database server side, and all your clients must obey those settings. The default is ACCEPTED for both client and server.
• Setting it on the server to REQUESTED: if your clients are able to use it, all your connections to the database will be encrypted and/or checksummed.
• Setting it on the server to REQUIRED: clients which cannot use the encryption or checksum algorithms/protocols will not be able to connect.
A thing with JDBC is that it does not pick up sqlnet.ora, but you can set the same encryption and integrity settings as connection properties:
JDBC
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED");
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "(AES256)");
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL, "REQUIRED");
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, "(MD5)");
(MD5 is ok for checksumming)
WebLogic (Java JNDI)
props.put("oracle.net.encryption_client", "REQUIRED");
props.put("oracle.net.encryption_types_client", "(AES256)");
props.put("oracle.net.crypto_checksum_client", "REQUIRED");
props.put("oracle.net.crypto_checksum_types_client", "(MD5)");
WebLogic connection pool
Use the following key/value pair in the Connection Pool properties:
oracle.net.encryption_client=REQUIRED
oracle.net.encryption_types_client=(AES256)
oracle.net.crypto_checksum_client=REQUIRED
oracle.net.crypto_checksum_types_client=(MD5)
WebLogic Connection Pool Encryption properties
Verifying if it's working
Of course you can use Wireshark to try to read the gibberish, but one can also rely on what Oracle says: check v$session_connect_info (joined with v$session) for a network_service_banner with values like 'AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production':
SQL> select network_service_banner from v$session_connect_info where sid = sys_context('USERENV','SID');
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
MD5 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production
If it's not encrypted, you don't see the highlighted line (the AES256 encryption service adapter), but you will see the three other ones. If you had used the wallet approach, my guess is the TCP/IP line would be something like TCPS/IP. (I did not try this.)
For the SYSTEM user to check encrypted connections:
select ses.sid, ses.username, ses.machine, ses.program, ses.logon_time,
       nvl(sci.network_service_banner, 'Not encrypted') encryption
  from v$session ses
  left join v$session_connect_info sci
    on (sci.sid = ses.sid and upper(sci.network_service_banner) like '%ENCRYPTION%ADAPTER%')
 where type = 'USER'
   and (program not like '%(J___)%' or program is null)
 order by encryption, ses.username;
(Internal) background processes and database jobs (Jnnn) are not encrypted. They live inside the database already and do not create a SQL*Net connection.
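To make the REQUESTED/REQUIRED rules above and the banner-based verification concrete, here is an added Python model (not code from the post or from Oracle) of how the client- and server-side levels combine for one service, plus a classifier for the v$session_connect_info banner rows the verification query looks at. It assumes the server's list order is the preference order and that, when neither side is REQUIRED and no algorithm is shared, the session falls back to plaintext; the sample rows are constructed.

```python
# Added example, not code from the original post: a model of how the client-
# and server-side levels from sqlnet.ora / the JDBC properties combine, plus a
# classifier for the v$session_connect_info banner rows used in the
# verification query. Sample rows below are constructed.
import re
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def parse_types(value):
    """'(AES256,AES192)' -> ['AES256', 'AES192'], order preserved."""
    return [t.strip().upper() for t in value.strip("() ").split(",") if t.strip()]

def negotiate(server_level, client_level, server_types, client_types):
    """Outcome for one service (encryption or checksum): the algorithm chosen,
    'PLAINTEXT' if the service stays off, or 'REFUSED' if no connection."""
    s, c = server_level.upper(), client_level.upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError("level must be one of %s" % (LEVELS,))
    required = "REQUIRED" in (s, c)
    if "REJECTED" in (s, c):
        # One side refuses the service; only a REQUIRED peer makes that fatal.
        return "REFUSED" if required else "PLAINTEXT"
    if s == "ACCEPTED" and c == "ACCEPTED":
        return "PLAINTEXT"  # the out-of-the-box default: neither side asks
    # Assumption: the server's list order is the preference order.
    client = parse_types(client_types)
    common = [a for a in parse_types(server_types) if a in client]
    if common:
        return common[0]
    # No shared algorithm: a REQUIRED side cannot be satisfied (ORA-12650);
    # assumption: with only REQUESTED/ACCEPTED sides it falls back to plaintext.
    return "REFUSED" if required else "PLAINTEXT"

ADAPTER_RE = re.compile(r"^(\S+) (Encryption|Crypto-checksumming) service adapter")

def classify_session(banner_rows):
    """Like the post's query: the algorithm named in each '<alg> ... service
    adapter' row, or 'Not encrypted' when no encryption adapter row exists."""
    found = {}
    for row in banner_rows:
        m = ADAPTER_RE.match(row)
        if m:
            found[m.group(2)] = m.group(1)
    return found.get("Encryption", "Not encrypted"), found.get("Crypto-checksumming")

# Constructed rows in the shape of the query output for one encrypted session.
SAMPLE_ROWS = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
    "MD5 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production",
]
```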