Oracle Advanced Security Administrator's Guide Release 2 (9.2) Part Number A96573-01
This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 2, Configuring Data Encryption and Integrity, and Chapter 7, Configuring Secure Sockets Layer Authentication.
This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.
#Trace file setup
trace_level_server=16
trace_level_client=16
trace_directory_server=/orant/network/trace
trace_directory_client=/orant/network/trace
trace_file_client=cli
trace_file_server=srv
trace_unique_client=true
#ASO Encryption
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed = "-kdje83kkep39487dvmlqEPTbxxe70273"
#ASO Checksum
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_server = (MD5)
sqlnet.crypto_checksum_types_client = (MD5)
#SSL
WALLET_LOCATION = (SOURCE=(METHOD = FILE)(METHOD_DATA = (DIRECTORY=/wallet)))
SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5)
SSL_VERSION= 3
SSL_CLIENT_AUTHENTICATION=FALSE
#Common
automatic_ipc = off
sqlnet.authentication_services = (beq)
names.directory_path = (TNSNAMES)
#Kerberos
sqlnet.authentication_services = (beq, kerberos5)
sqlnet.authentication_kerberos5_service = oracle
sqlnet.kerberos5_conf= /krb5/krb.conf
sqlnet.kerberos5_keytab= /krb5/v5srvtab
sqlnet.kerberos5_realms= /krb5/krb.realm
sqlnet.kerberos5_cc_name = /krb5/krb5.cc
sqlnet.kerberos5_clockskew=900
sqlnet.kerberos5_conf_mit=false
#CyberSafe
sqlnet.authentication_services = (beq, cybersafe)
sqlnet.authentication_gssapi_service = oracle/cybersaf.us.oracle.com
sqlnet.authentication_kerberos5_service = oracle
sqlnet.kerberos5_conf= /krb5/krb.conf
sqlnet.kerberos5_keytab= /krb5/v5srvtab
sqlnet.kerberos5_realms= /krb5/krb.realm
sqlnet.kerberos5_cc_name = /krb5/krb5.cc
sqlnet.kerberos5_clockskew=900
#Radius
sqlnet.authentication_services = (beq, RADIUS )
sqlnet.radius_authentication_timeout = (10)
sqlnet.radius_authentication_retries = (2)
sqlnet.radius_authentication_port = (1645)
sqlnet.radius_send_accounting = OFF
sqlnet.radius_secret = /orant/network/admin/radius.key
sqlnet.radius_authentication = radius.us.oracle.com
sqlnet.radius_challenge_response = OFF
sqlnet.radius_challenge_keyword = challenge
sqlnet.radius_challenge_interface =oracle/net/radius/DefaultRadiusInterface
sqlnet.radius_classpath = /jre1.1/
If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora file. However, Oracle Advanced Security defaults to ACCEPTED.
For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora file that matches an algorithm listed in the client sqlnet.ora file or, if the client lists no algorithms in its sqlnet.ora file, in the client installed list. If there are no entries in the server sqlnet.ora file, the server sequentially searches its installed list for a match on the client side, either in the client sqlnet.ora file or in the client installed list. If no match can be made and one side of the connection specified REQUIRED for the algorithm type (data encryption or integrity), the connection fails. Otherwise, the connection succeeds with the algorithm type inactive.
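The selection rule above, modelled as an added example (not Oracle code and not part of the original guide). It covers only the algorithm-matching step and assumes the level settings on both sides already call for the service; `select_algorithm`, `negotiate`, `NegotiationError` and the `INSTALLED` list are hypothetical names and constructed sample values.

```python
# Added example: models the algorithm-matching rule described above.
# Names and the installed lists are assumptions, not Oracle's API or defaults.

INSTALLED = ["RC4_128", "RC4_56", "RC4_40"]  # constructed sample installed list


class NegotiationError(Exception):
    """Raised when no algorithm matches and one side set REQUIRED."""


def select_algorithm(server_cfg, client_cfg,
                     server_installed=INSTALLED, client_installed=INSTALLED):
    """Return the first algorithm in the server's list that the client offers.

    server_cfg / client_cfg are the lists from each side's sqlnet.ora; an
    empty list means the parameter is absent and the installed list is used.
    """
    server_order = server_cfg or server_installed
    client_offer = set(client_cfg or client_installed)
    for alg in server_order:          # server order decides, not the client's
        if alg in client_offer:
            return alg
    return None


def negotiate(server_cfg, client_cfg, either_side_required,
              server_installed=INSTALLED, client_installed=INSTALLED):
    """Apply the no-match rule: fail only when a side set REQUIRED."""
    alg = select_algorithm(server_cfg, client_cfg,
                           server_installed, client_installed)
    if alg is None and either_side_required:
        raise NegotiationError("no common algorithm and one side is REQUIRED")
    return alg  # None means the connection proceeds with the service inactive


if __name__ == "__main__":
    # Server lists the weak algorithm first, so it wins over the client's order.
    print(select_algorithm(["RC4_40", "RC4_128"], ["RC4_128", "RC4_40"]))
    # Server has no list: its installed list is searched in order.
    print(select_algorithm([], ["RC4_40", "RC4_56"]))
    # No overlap, nothing REQUIRED: service stays inactive (None).
    print(negotiate(["MD5"], ["SHA1"], either_side_required=False))
```

Because the server's order decides the outcome, the order of the server-side list determines which algorithm protects the session whenever the client offers more than one match.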
Data encryption and integrity algorithms are selected independently of each other; encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A-1:
| Encryption Selected? | Integrity Selected? | 
|---|---|
| Yes | No | 
| Yes | Yes | 
| No | Yes | 
| No | No | 
There are three classes of parameters required to enable data encryption and integrity:
Table A-2 summarizes data encryption and integrity level settings:
SQLNET.CRYPTO_SEED = "10-70 random characters"
 
The characters that form the value for this parameter are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 random characters into the preceding statement.
Note: Oracle Corporation recommends that you enter as many characters as possible, up to 70, to make the resulting key more random and therefore stronger.
This parameter must be present in the sqlnet.ora file whenever data encryption or integrity is enabled.
Copyright © 1996, 2002 Oracle Corporation. All Rights Reserved.