Using Network Encryption and Integrity

To secure connections to your Oracle Database Cloud Service databases, you can use native Oracle Net Services encryption and integrity capabilities.

Encryption of network data provides data privacy so that unauthorized parties are not able to view data as it passes over the network. In addition, integrity algorithms protect against data modification and illegitimate replay.

Oracle Database provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic. It also provides a keyed, sequenced implementation of the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm (SHA-1 and SHA-2) to protect against integrity attacks.

By default, database deployments on Database Cloud Service are configured to enable native Oracle Net Services encryption and integrity. Also, by default, Oracle Net Services clients are configured to enable native encryption and integrity when they connect to an appropriately configured server. If your Oracle Net Services client is configured to explicitly reject the use of native encryption and integrity, then connection attempts will fail.

You can check your configuration and verify the use of native Oracle Net Services encryption and integrity as follows. For more general information about configuring native Oracle Net Services encryption and integrity, see "Configuring Oracle Database Network Encryption and Data Integrity" in Oracle Database Security Guide for Release 18, 12.2 or 12.1 or "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in Database Advanced Security Administrator's Guide for Release 11.2.

Checking your Database Cloud Service environment

The following procedure outlines the basic steps required to confirm that native Oracle Net Services encryption and integrity are enabled in your Database Cloud Service environment.

  1. In a command shell, connect to the compute node as the oracle user. See Connecting to a Compute Node Through Secure Shell (SSH).

  2. Change directories to the location of the sqlnet.ora configuration file. For example:

    $ cd $ORACLE_HOME/network/admin
    $ ls sqlnet.ora
    sqlnet.ora
  3. View the sqlnet.ora file and confirm that it contains the following parameter settings:

    SQLNET.ENCRYPTION_SERVER = required
    SQLNET.CRYPTO_CHECKSUM_SERVER = required
    

    The required setting enables the encryption or integrity service and disallows the connection if the client side is not enabled for the security service. This is the default setting for database deployments on Database Cloud Service.

Checking your Oracle Net Services Client Configuration

The following procedure outlines the basic steps required to confirm that native encryption and integrity are enabled in your Oracle Net Services client configuration.

  1. In a command shell, connect to the Oracle Net Services client.

  2. Change directories to the location of the tnsnames.ora and sqlnet.ora configuration files, for example:

    $ cd $ORACLE_HOME/network/admin
    $ ls *.ora
    sqlnet.ora tnsnames.ora
  3. View the sqlnet.ora file and confirm that it does not contain the following parameter settings:

    SQLNET.ENCRYPTION_CLIENT = rejected
    SQLNET.CRYPTO_CHECKSUM_CLIENT = rejected
    

    The rejected setting explicitly disables the encryption or integrity service, even if the server requires it. When a client with an encryption or integrity service setting of rejected connects to a server with the required setting, the connection fails with the following error: ORA-12660: Encryption or crypto-checksumming parameters incompatible.

    Because native Oracle Net Services encryption and integrity are enabled in your Database Cloud Service environment by default, any parameter setting other than rejected, or no setting at all, would result in the use of native encryption and integrity.
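The two checks above (server-side `required`, client-side not `rejected`) are the two ends of one negotiation. The following script is an added example, not Oracle's code, that parses both sqlnet.ora files and reports the outcome for the encryption and integrity services. It goes beyond the page in one way: it applies the full client/server negotiation table for the four values ACCEPTED, REJECTED, REQUESTED and REQUIRED (ACCEPTED being Oracle's default when a parameter is absent), so it also answers cases the page does not spell out. The sample file contents are constructed.

```python
"""Audit native Oracle Net encryption/integrity settings in sqlnet.ora files.

Added example (not Oracle's code). Parses the server- and client-side
parameters discussed on this page and applies the documented client/server
negotiation outcome. Sample file contents below are constructed.
"""
import re

# Parameters this page tells you to inspect, keyed by the service they control.
SERVICE_PARAMS = {
    "encryption": ("SQLNET.ENCRYPTION_CLIENT", "SQLNET.ENCRYPTION_SERVER"),
    "integrity": ("SQLNET.CRYPTO_CHECKSUM_CLIENT", "SQLNET.CRYPTO_CHECKSUM_SERVER"),
}

# Negotiation table for (client value, server value). Result is "ON" (service
# used), "OFF" (not used) or "FAIL" (connection refused, ORA-12660).
NEGOTIATION = {
    ("REJECTED", "REJECTED"): "OFF", ("REJECTED", "ACCEPTED"): "OFF",
    ("REJECTED", "REQUESTED"): "OFF", ("REJECTED", "REQUIRED"): "FAIL",
    ("ACCEPTED", "REJECTED"): "OFF", ("ACCEPTED", "ACCEPTED"): "OFF",
    ("ACCEPTED", "REQUESTED"): "ON", ("ACCEPTED", "REQUIRED"): "ON",
    ("REQUESTED", "REJECTED"): "OFF", ("REQUESTED", "ACCEPTED"): "ON",
    ("REQUESTED", "REQUESTED"): "ON", ("REQUESTED", "REQUIRED"): "ON",
    ("REQUIRED", "REJECTED"): "FAIL", ("REQUIRED", "ACCEPTED"): "ON",
    ("REQUIRED", "REQUESTED"): "ON", ("REQUIRED", "REQUIRED"): "ON",
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_sqlnet(text):
    """Return {PARAM: VALUE} with names and values upper-cased.

    Handles '#' comments, blank lines and single-value parameters. Parenthesised
    list values such as (AES256, AES128) are kept as-is and not interpreted.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    return params


def setting(params, name):
    """Effective value of a negotiation parameter; the default when absent is ACCEPTED."""
    value = params.get(name, "ACCEPTED")
    if value not in ("ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED"):
        raise ValueError(f"{name}: unexpected value {value!r}")
    return value


def negotiate(client_value, server_value):
    """Outcome of one service negotiation for a client/server value pair."""
    return NEGOTIATION[(client_value, server_value)]


def audit(server_text, client_text):
    """Outcome of encryption and integrity negotiation for a server/client pair."""
    server = parse_sqlnet(server_text)
    client = parse_sqlnet(client_text)
    result = {}
    for service, (client_param, server_param) in SERVICE_PARAMS.items():
        result[service] = negotiate(setting(client, client_param),
                                    setting(server, server_param))
    return result


# Constructed samples: the Database Cloud Service server default, a client that
# sets neither parameter, and a client that explicitly rejects both services.
SERVER_DEFAULT = """
# sqlnet.ora on the compute node (constructed sample)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.CRYPTO_CHECKSUM_SERVER = required
"""
CLIENT_UNSET = "# client sqlnet.ora with no encryption parameters (constructed)\n"
CLIENT_REJECTING = """
SQLNET.ENCRYPTION_CLIENT = rejected
SQLNET.CRYPTO_CHECKSUM_CLIENT = rejected
"""

if __name__ == "__main__":
    for label, client in (("unset client", CLIENT_UNSET),
                          ("rejecting client", CLIENT_REJECTING)):
        print(label, audit(SERVER_DEFAULT, client))
```

Run it on the compute node against `$ORACLE_HOME/network/admin/sqlnet.ora` and the client's copy; a "FAIL" entry is the configuration that produces ORA-12660, and an "OFF" entry means the session will be sent in the clear even though both sides connect.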

Verifying the use of Native Encryption and Integrity

You can verify the use of native Oracle Net Services encryption and integrity by connecting to your Oracle database and examining the network service banner entries associated with each connection. This information is contained in the NETWORK_SERVICE_BANNER column of the V$SESSION_CONNECT_INFO view. The following example shows the SQL command used to display the network service banner entries associated with the current connection:

SQL> select network_service_banner 
     from v$session_connect_info 
     where sid in (select distinct sid from v$mystat);

The following example output shows banner information for the available encryption service and the crypto-checksumming (integrity) service, including the algorithms in use:

NETWORK_SERVICE_BANNER
-------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production

If native Oracle Net Services encryption and integrity were not in use, the banner entries would still include entries for the available security services; that is, the services linked into the Oracle Database software. However, there would be no entries indicating the specific algorithms in use for the connection. The following output shows an example:

NETWORK_SERVICE_BANNER
-------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
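The difference between the two outputs is the presence of the "... service adapter" rows naming an algorithm. The script below is an added example, not Oracle's code, that classifies a set of NETWORK_SERVICE_BANNER rows into "in use with algorithm X", "linked but not in use" or "not linked", and additionally flags the DES, 3DES, RC4 and MD5 cryptosystems the page lists as available so that a reviewer can see sessions still negotiating legacy algorithms. The sample rows are constructed from the output shown on this page; the exact adapter wording for other algorithms (for example a row beginning with an RC4 name) is an assumption.

```python
"""Interpret NETWORK_SERVICE_BANNER rows from V$SESSION_CONNECT_INFO.

Added example, not Oracle's code. Sample rows are constructed from the
output shown on this page; LEGACY_PREFIXES and the wording of adapter rows
for algorithms other than AES256/SHA1 are assumptions.
"""
import re

# One row per linked service; adapter rows name the algorithm actually in use.
ENCRYPTION_SERVICE = re.compile(r"^Encryption service for ")
INTEGRITY_SERVICE = re.compile(r"^Crypto-checksumming service for ")
ENCRYPTION_ADAPTER = re.compile(r"^(\S+) Encryption service adapter for ")
INTEGRITY_ADAPTER = re.compile(r"^(\S+) Crypto-checksumming service adapter for ")

# Algorithm names a reviewer would want replaced by AES / SHA-2 (assumed names).
LEGACY_PREFIXES = ("DES", "3DES", "RC4", "MD5")


def parse_banner(rows):
    """Return per-service status: 'linked' (service present in the software)
    and 'algorithm' (adapter name in use, or None if the session is unprotected)."""
    status = {
        "encryption": {"linked": False, "algorithm": None},
        "integrity": {"linked": False, "algorithm": None},
    }
    for raw in rows:
        row = raw.strip()
        if ENCRYPTION_SERVICE.match(row):
            status["encryption"]["linked"] = True
            continue
        if INTEGRITY_SERVICE.match(row):
            status["integrity"]["linked"] = True
            continue
        m = ENCRYPTION_ADAPTER.match(row)
        if m:
            status["encryption"]["algorithm"] = m.group(1)
            continue
        m = INTEGRITY_ADAPTER.match(row)
        if m:
            status["integrity"]["algorithm"] = m.group(1)
    return status


def findings(rows):
    """One finding string per service, in the order encryption, integrity."""
    status = parse_banner(rows)
    out = []
    for service in ("encryption", "integrity"):
        s = status[service]
        if s["algorithm"] is not None:
            if s["algorithm"].upper().startswith(LEGACY_PREFIXES):
                out.append(f"{service}: in use with legacy algorithm {s['algorithm']}")
            else:
                out.append(f"{service}: in use ({s['algorithm']})")
        elif s["linked"]:
            out.append(f"{service}: linked but NOT in use on this session")
        else:
            out.append(f"{service}: service not linked into this Oracle software")
    return out


# Constructed from the page's two example outputs.
PROTECTED = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Encryption service for Linux: Version 12.1.0.2.0 - Production",
    "AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
    "Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
    "SHA1 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production",
]
UNPROTECTED = [
    "TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production",
    "Encryption service for Linux: Version 12.1.0.2.0 - Production",
    "Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production",
]
# Constructed row assuming the same wording for a legacy cipher adapter.
LEGACY = PROTECTED[:2] + [
    "RC4_256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production",
] + PROTECTED[3:]

if __name__ == "__main__":
    for label, rows in (("protected", PROTECTED), ("unprotected", UNPROTECTED),
                        ("legacy", LEGACY)):
        print(label)
        for line in findings(rows):
            print("  ", line)
```

Feed it the rows returned by the `select network_service_banner ...` query above (one list element per row); removing the `where sid in (...)` clause and grouping by SID lets you run the same classification across every connected session rather than only your own.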