Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


Appendix A: Data Encryption and Integrity Parameters

This appendix describes the encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated after you perform the network configuration described in Chapter 2 and Chapter 10.

This appendix covers the following topics:

Sample sqlnet.ora File

Data Encryption and Integrity Parameters

Sample sqlnet.ora File

This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.

Trace File Setup

#Trace file setup 
trace_level_server=16 
trace_level_client=16  
trace_directory_server=/orant/network/trace 
trace_directory_client=/orant/network/trace 
trace_file_client=cli  
trace_file_server=srv 
trace_unique_client=true 

Oracle Advanced Security Encryption

#ASO Encryption 
sqlnet.encryption_server=accepted 
sqlnet.encryption_client=requested 
sqlnet.encryption_types_server=(RC4_40) 
sqlnet.encryption_types_client=(RC4_40) 

Oracle Advanced Security Integrity

#ASO Checksum 
sqlnet.crypto_seed = "-kdje83kkep39487dvmlqEPTbxxe70273" 
sqlnet.crypto_checksum_server=requested 
sqlnet.crypto_checksum_client=requested  
sqlnet.crypto_checksum_types_server = (MD5) 
sqlnet.crypto_checksum_types_client = (MD5) 

SSL

#SSL 
oss.source.my_wallet = (SOURCE=
                          (METHOD = FILE)
                          (METHOD_DATA =
                           (DIRECTORY=/wallet)))

SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5) 
SSL_VERSION= 3 
SSL_CLIENT_AUTHENTICATION=FALSE 

Common

#Common 
automatic_ipc = off  
sqlnet.authentication_services = (beq)  
names.directory_path = (TNSNAMES) 

Kerberos

#Kerberos 
sqlnet.authentication_services = (beq, kerberos5)  
sqlnet.authentication_kerberos5_service = oracle 
sqlnet.kerberos5_conf= /krb5/krb.conf 
sqlnet.kerberos5_keytab= /krb5/v5srvtab 
sqlnet.kerberos5_realms= /krb5/krb.realm 
sqlnet.kerberos5_cc_name = /krb5/krb5.cc 
sqlnet.kerberos5_clockskew=900 

CyberSafe

#CyberSafe 
sqlnet.authentication_services = (beq, cybersafe) 
sqlnet.authentication_gssapi_service = oracle/cybersaf.us.oracle.com  
sqlnet.authentication_kerberos5_service = oracle 
sqlnet.kerberos5_conf= /krb5/krb.conf 
sqlnet.kerberos5_keytab= /krb5/v5srvtab 
sqlnet.kerberos5_realms= /krb5/krb.realm 
sqlnet.kerberos5_cc_name = /krb5/krb5.cc 
sqlnet.kerberos5_clockskew=900 

Identix

#Identix 
sqlnet.authentication_services = (beq, identix) 
sqlnet.identix_fingerprint_database = identix_scanner 
sqlnet.identix_fingerprint_database_user = ofm_client 
sqlnet.identix_fingerprint_database_password = ofm_client 
sqlnet.identix_fingerprint_method = oracle  

RADIUS

#Radius 
sqlnet.authentication_services = (beq, RADIUS )  
sqlnet.radius_authentication_timeout = (10) 
sqlnet.radius_authentication_retries = (2) 
sqlnet.radius_authentication_port = (1645) 
sqlnet.radius_send_accounting = OFF 
sqlnet.radius_secret = /orant/network/admin/radius.key 
sqlnet.radius_authentication = radius.us.oracle.com 
sqlnet.radius_challenge_response = OFF 
sqlnet.radius_challenge_keyword = challenge 
sqlnet.radius_challenge_interface = oracle/net/radius/DefaultRadiusInterface
sqlnet.radius_classpath = /jre1.1/ 

SecurID

#SecurID 
sqlnet.authentication_services = (beq, securid )


If you do not specify values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding parameters do not appear in the sqlnet.ora file, and Oracle Advanced Security treats each missing parameter as ACCEPTED. Because ACCEPTED only permits a service without asking for it, two ends that both rely on this default negotiate neither encryption nor data integrity; at least one end must be set to REQUESTED or REQUIRED for the service to be used.

If no encryption or data integrity algorithm is specified on the Server Encryption, Client Encryption, Server Checksum, or Client Checksum pages, the server side of the connection uses the first algorithm in its own list of installed algorithms that also appears in the client's list of installed algorithms.

Encryption and data integrity function independently of each other: encryption can be activated while data integrity is off, and data integrity can be activated while encryption is off.

Data Encryption and Integrity Parameters

There are nine parameters to enable data encryption and integrity. The parameters are described in the following sections.

Server Encryption Level Setting

Table A-1 describes server encryption level settings.

Table A-1 Server Encryption Level Setting

Purpose: 

This parameter specifies the desired behavior when a client or a server acting as a client is connecting to this server. The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT setting at the other end. 

Syntax: 

SQLNET.ENCRYPTION_SERVER = valid_value
 

Possible values: 

ACCEPTED, REJECTED, REQUESTED, REQUIRED 

Default value: 

ACCEPTED 

Client Encryption Level Setting

Table A-2 describes client encryption level settings.

Table A-2 Client Encryption Level Setting

Purpose: 

This parameter specifies the desired behavior when this client (or this server acting as a client) is connecting to a server. The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.  

Syntax: 

SQLNET.ENCRYPTION_CLIENT = valid_value
 

Possible values: 

ACCEPTED, REJECTED, REQUESTED, REQUIRED 

Default value: 

ACCEPTED 

Server Encryption Selected List

Table A-3 describes the encryption selected list.

Table A-3 Server Encryption Selected List

Purpose: 

This parameter specifies a list of encryption algorithms this server is allowed to use when acting as a server in the order of desired use. Enter the most desired algorithm first. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm is checked against the list of client algorithm types available until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650. 

Syntax: 

SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm]) 

Possible values: 

RC4_40: This is RSA RC4 (40-bit key size) for Domestic and International

RC4_56: This is RSA RC4 (56-bit key size) for Domestic and International

RC4_128: This is RSA RC4 (128-bit key size) for Domestic only

DES: This is Standard DES (56-bit key size) for Domestic and International

DES40: This is DES40 (40-bit key size) for Domestic and International 

Default value: 

All installed algorithms are used in a negotiation if no algorithms are defined in the sqlnet.ora file. 

Usage Notes: 

Domestic version: If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are specified, the installed algorithms are used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.

Export version: If you are using the Export version, the following algorithms are installed: RC4_40, RC4_56, DES40, and DES. If no algorithms are specified, the installed algorithms are used in that order to negotiate a mutually acceptable algorithm.

You can specify multiple encryption algorithms, that is, either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40)

SQLNET.ENCRYPTION_TYPES_SERVER=(DES,RC4_56,RC4_128,DES40) 

Client Encryption Selected List

Table A-4 describes the encryption selected list.

Table A-4 Client Encryption Selected List

Purpose: 

This parameter specifies a list of encryption algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. The algorithms can be listed in any order, because the order of the server's list decides which common algorithm is chosen. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650. 

Syntax: 

SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])

Possible values: 

RC4_40: This is RSA RC4 (40-bit key size) for Domestic and International

RC4_56: This is RSA RC4 (56-bit key size) for Domestic and International

RC4_128: This is RSA RC4 (128-bit key size) for Domestic only

DES: This is Standard DES (56-bit key size) for Domestic and International

DES40: This is DES40 (40-bit key size) for Domestic and International 

Default value: 

All installed algorithms are used if no algorithms are defined in the sqlnet.ora file. 

Usage Notes: 

Domestic version: If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are defined in the sqlnet.ora file, the installed algorithms are used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.

Export version: If you are using the Export version, the RC4_40, RC4_56, DES40, and DES algorithms are installed. If no algorithms are defined in the sqlnet.ora file, the installed algorithms are used in that order to negotiate a mutually acceptable algorithm.

You can specify multiple encryption algorithms, that is, either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40,RC4_56,RC4_40)
SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_40)
 

Server Integrity Level Setting

Table A-5 describes server integrity level settings.

Table A-5 Server Integrity Level Setting

Purpose: 

This parameter specifies the desired data integrity behavior when a client (or another server acting as a client) is connecting to this server. The resulting behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end. 

Syntax: 

SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value
 

Possible values: 

ACCEPTED, REJECTED, REQUESTED, REQUIRED  

Default value: 

ACCEPTED 

Client Integrity Level Setting

Table A-6 describes client integrity level settings.

Table A-6 Client Integrity Level Setting

Purpose: 

This parameter specifies the desired data integrity behavior when this client (or this server acting as a client) is connecting to a server. The resulting behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection. 

Syntax: 

SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value
 

Possible values: 

ACCEPTED, REJECTED, REQUESTED, REQUIRED 

Default value: 

ACCEPTED 

Server Integrity Selected List

Table A-7 describes the server integrity selected list.

Table A-7 Server Integrity Selected List

Purpose: 

This parameter specifies a list of the data integrity algorithms this server is allowed to use, in order of desired use with the most desired algorithm first, when acting as a server to a client or another server. This list is used to negotiate a mutually acceptable algorithm with the remote end. Each algorithm is checked against the list of client algorithm types available until a match is found. The first algorithm match is the one that is used. If an algorithm is specified that is not installed on this side, the connection terminates with error message ORA-12650. 

Syntax: 

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (crypto_checksum_algorithm)

Possible values: 

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm. 

Default value: 

MD5 (currently the only valid value) 

Client Integrity Selected List

Table A-8 describes the client integrity selected list.

Table A-8 Client Integrity Selected List

Purpose: 

This parameter specifies a list of data integrity algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the remote end. The order in which the algorithms are listed is not important. If an algorithm that is not installed on this side is specified, the connection terminates with error message ORA-12650. 

Syntax: 

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (crypto_checksum_algorithm)

Possible values: 

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm. 

Default value: 

MD5 (currently the only valid value) 
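The eight level and list parameters in Tables A-1 through A-8 only have meaning in combination, so the following Python model, added here as an example and not Oracle code, works out what the two ends of a connection negotiate. negotiate_level applies the REJECTED/ACCEPTED/REQUESTED/REQUIRED outcome matrix documented in the Oracle Advanced Security guide; negotiate_algorithm applies the server-driven list matching described in Tables A-3 and A-7, using the Domestic and Export installed orders from Tables A-3 and A-4 when a side configures no list. The function and dictionary-key names are this example's own, and treating an enabled service with no common algorithm as a failed connection is an assumption marked in the code.

```python
"""Oracle Net encryption/integrity negotiation, modelled from the
SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* parameters of this appendix.
Added example, not Oracle code: the level outcome matrix is the one the Oracle
Advanced Security guide documents; installed orders are those of Tables A-3/A-4."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Installed algorithms in the order the server walks them when no list is configured.
INSTALLED_ENCRYPTION = {
    "domestic": ("RC4_40", "RC4_56", "RC4_128", "DES", "DES40"),
    "export": ("RC4_40", "RC4_56", "DES40", "DES"),
}
INSTALLED_CHECKSUM = {"domestic": ("MD5",), "export": ("MD5",)}


def negotiate_level(client_level, server_level):
    """Outcome of the two level settings for one service: 'ON', 'OFF' or 'FAIL'."""
    c, s = client_level.upper(), server_level.upper()
    for lvl in (c, s):
        if lvl not in LEVELS:
            raise ValueError(f"invalid level {lvl!r}; expected one of {LEVELS}")
    if "REJECTED" in (c, s):
        # REJECTED never enables the service; paired with REQUIRED it breaks the connection.
        return "FAIL" if "REQUIRED" in (c, s) else "OFF"
    if c == "ACCEPTED" and s == "ACCEPTED":
        # Both ends merely permit the service and neither asks for it.  This is the
        # default on both sides, so an unconfigured pair talks in the clear.
        return "OFF"
    return "ON"


def negotiate_algorithm(server_types, client_types, server_installed, client_installed):
    """Server-driven choice: walk the server's configured list (installed order if
    none) and return the first entry that the client's list (or installed set)
    also contains.  An entry configured but not installed on its own side is the
    ORA-12650 this appendix describes.  Returns None when nothing is shared."""
    for side, configured, installed in (("server", server_types, server_installed),
                                        ("client", client_types, client_installed)):
        missing = [a for a in configured if a not in installed]
        if missing:
            raise RuntimeError(f"ORA-12650: {side} lists uninstalled algorithm(s) {missing}")
    acceptable = set(client_types or client_installed)
    for alg in (server_types or server_installed):
        if alg in acceptable:
            return alg
    return None


def negotiate(client, server, service="encryption"):
    """client/server are dicts with optional 'level', 'types' and 'edition' keys.
    An absent 'level' means ACCEPTED and an absent 'types' means every installed
    algorithm, as the appendix states.  Returns (state, algorithm)."""
    installed = INSTALLED_ENCRYPTION if service == "encryption" else INSTALLED_CHECKSUM
    state = negotiate_level(client.get("level", "ACCEPTED"), server.get("level", "ACCEPTED"))
    if state != "ON":
        return state, None
    alg = negotiate_algorithm(
        tuple(server.get("types", ())), tuple(client.get("types", ())),
        installed[server.get("edition", "domestic")],
        installed[client.get("edition", "domestic")])
    if alg is None:
        # Assumption: an enabled service with no common algorithm fails the connection
        # (ORA-12650, "No common encryption or data integrity algorithm").
        return "FAIL", None
    return "ON", alg


if __name__ == "__main__":
    # The appendix's sample file: server ACCEPTED, client REQUESTED, both RC4_40.
    print(negotiate({"level": "requested", "types": ["RC4_40"]},
                    {"level": "accepted", "types": ["RC4_40"]}))   # ('ON', 'RC4_40')
    print(negotiate({}, {}))                                        # ('OFF', None)
```

Two results are worth noticing. With neither side configured, that is ACCEPTED on both ends, the outcome is OFF and traffic crosses the network in the clear. With one side set to REQUESTED and no types list anywhere, the algorithm chosen is RC4_40, because the server walks its installed list in the order Table A-3 gives and RC4_40 comes first in both editions.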

Client Profile Encryption

SQLNET.CRYPTO_SEED = "10-70 random characters"

The characters that form the value for this parameter are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 random characters into the above statement.


Note:

Oracle Corporation recommends that you enter as many characters as possible, up to 70, to make the resulting key more random and therefore stronger. 


This parameter must be present in the sqlnet.ora file whenever data encryption or integrity is turned on.
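To check a sqlnet.ora file against the constraints this appendix states (the four level values, the algorithm names of Tables A-3, A-4, A-7 and A-8, the parenthesised list syntax, and a 10 to 70 character SQLNET.CRYPTO_SEED that must be present when encryption or integrity is on), the following Python script parses the file format used by the sample at the top of this appendix and reports violations. It is an added example and not Oracle code. The constructed input reuses lines from that sample; the comment handling and the reading of "turned on" as "any level other than REJECTED" are assumptions noted in the code; and the minimum key size report simply reads off the key sizes the tables give.

```python
"""Parse a sqlnet.ora fragment and audit its Oracle Advanced Security parameters
against the rules in this appendix.  Added example, not Oracle code.  Assumptions:
'#' comments start at the beginning of a line (the only form the sample uses), and
SQLNET.CRYPTO_SEED is required whenever any level is not REJECTED, since one file
cannot know what its peer will negotiate."""
import re

LEVELS = {"ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED"}
# Key sizes from Tables A-3/A-4; MD5 is the only checksum in Tables A-7/A-8.
KEY_BITS = {"RC4_40": 40, "RC4_56": 56, "RC4_128": 128, "DES": 56, "DES40": 40}
CHECKSUMS = {"MD5"}
LEVEL_PARAMS = ("SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_CLIENT",
                "SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_CLIENT")
LIST_PARAMS = (("SQLNET.ENCRYPTION_TYPES_SERVER", KEY_BITS),
               ("SQLNET.ENCRYPTION_TYPES_CLIENT", KEY_BITS),
               ("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", CHECKSUMS),
               ("SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT", CHECKSUMS))

# Constructed input: lines from this appendix's sample file, including the
# multi-line wallet value and the RADIUS value that wraps onto the next line.
SAMPLE = """\
#ASO Encryption
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed = "-kdje83kkep39487dvmlqEPTbxxe70273"
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_server = (MD5)
sqlnet.crypto_checksum_types_client = (MD5)
oss.source.my_wallet = (SOURCE=
                          (METHOD = FILE)
                          (METHOD_DATA = (DIRECTORY=/wallet)))
sqlnet.authentication_services = (beq, RADIUS )
sqlnet.radius_challenge_interface =
oracle/net/radius/DefaultRadiusInterface
"""


def _decode(value):
    """'(A, B)' becomes ['A', 'B']; a nested (...) structure or a bare word stays a string."""
    m = re.fullmatch(r"\(\s*([^()=]*)\)", value)
    if m:
        return [item.strip() for item in m.group(1).split(",") if item.strip()]
    return value


def parse_sqlnet_ora(text):
    """Return {PARAMETER_IN_UPPER_CASE: value}.  A value with unclosed parentheses,
    or a 'key =' with nothing after it, continues on the next line; a parameter set
    twice keeps the last value (the sample sets authentication_services repeatedly)."""
    params, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pending = f"{pending} {line}".strip()
        if pending.count("(") > pending.count(")"):
            continue                                  # value continues on the next line
        key, sep, value = pending.partition("=")
        if not sep:
            pending = ""                              # stray text without '=': ignore
            continue
        if not value.strip():
            continue                                  # 'key =' with the value on the next line
        params[key.strip().upper()] = _decode(value.strip().strip('"'))
        pending = ""
    return params


def audit(params):
    """Findings against this appendix's rules; an empty list means they all hold."""
    findings, levels = [], {}
    for p in LEVEL_PARAMS:
        v = str(params.get(p, "ACCEPTED")).upper()    # absent -> ACCEPTED (appendix default)
        if v not in LEVELS:
            findings.append(f"{p}={v!r}: not one of {sorted(LEVELS)}")
        levels[p] = v
    for p, allowed in LIST_PARAMS:
        value = params.get(p)
        if value is None:
            continue
        if not isinstance(value, list):
            findings.append(f"{p}={value!r}: must be a parenthesised list")
            continue
        for alg in value:
            if alg.upper() not in allowed:
                findings.append(f"{p}: {alg!r} is not a supported algorithm (ORA-12650 if not installed)")
    seed = params.get("SQLNET.CRYPTO_SEED")
    if seed is None:
        if any(v != "REJECTED" for v in levels.values()):
            findings.append("SQLNET.CRYPTO_SEED missing while encryption/integrity can be turned on")
    elif not isinstance(seed, str) or not 10 <= len(seed) <= 70:
        findings.append(f"SQLNET.CRYPTO_SEED must be 10-70 characters, got {seed!r}")
    return findings


def weakest_key_bits(params, param="SQLNET.ENCRYPTION_TYPES_SERVER"):
    """Smallest key size the list lets a peer negotiate; an absent list offers every
    installed algorithm, and RC4_40 is first in both the Domestic and Export orders."""
    algs = params.get(param)
    if not isinstance(algs, list):
        algs = list(KEY_BITS)
    return min(KEY_BITS[a.upper()] for a in algs if a.upper() in KEY_BITS)
```

Run against the sample, audit returns no findings, but weakest_key_bits reports 40: the sample passes every rule on this page while still pinning both ends to a 40-bit key, which is the kind of gap a syntax check alone does not surface.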


Copyright © 1999 Oracle Corporation.

All Rights Reserved.
