Using Network Encryption and Integrity
To secure connections to your Oracle Database Classic Cloud Service databases, you can use native Oracle Net Services encryption and integrity capabilities.
Encryption of network data provides data privacy so that unauthorized parties are not able to view data as it passes over the network. In addition, integrity algorithms protect against data modification and illegitimate replay.
Oracle Database provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of Oracle Net Services traffic. It also provides a keyed, sequenced implementation of the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm (SHA-1 and SHA-2) to protect against integrity attacks.
By default, database deployments on Database Classic Cloud Service are configured to enable native Oracle Net Services encryption and integrity. Also, by default, Oracle Net Services clients are configured to enable native encryption and integrity when they connect to an appropriately configured server. If your Oracle Net Services client is configured to explicitly reject the use of native encryption and integrity then connection attempts will fail.
You can check your configuration and verify the use of native Oracle Net Services encryption and integrity as follows. For more general information about configuring native Oracle Net Services encryption and integrity, see "Configuring Oracle Database Network Encryption and Data Integrity" in Oracle Database Security Guide for Release 18, 12.2 or 12.1 or "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" in Database Advanced Security Administrator's Guide for Release 11.2.
Checking your Database Classic Cloud Service environment
The following procedure outlines the basic steps required to confirm that native Oracle Net Services encryption and integrity are enabled in your Database Classic Cloud Service environment.
- In a command shell, connect to the compute node as the oracle user. See Connecting to a Compute Node Through Secure Shell (SSH).
- Change directories to the location of the sqlnet.ora configuration file. For example:

  $ cd $ORACLE_HOME/network/admin
  $ ls sqlnet.ora
  sqlnet.ora

- View the sqlnet.ora file and confirm that it contains the following parameter settings:

  SQLNET.ENCRYPTION_SERVER = required
  SQLNET.CRYPTO_CHECKSUM_SERVER = required

The required setting enables the encryption or integrity service and disallows the connection if the client side is not enabled for the security service. This is the default setting for database deployments on Database Classic Cloud Service.
Checking your Oracle Net Services Client Configuration
The following procedure outlines the basic steps required to confirm that native encryption and integrity are enabled in your Oracle Net Services client configuration.
- In a command shell, connect to the Oracle Net Services client.
- Change directories to the location of the tnsnames.ora and sqlnet.ora configuration files. For example:

  $ cd $ORACLE_HOME/network/admin
  $ ls *.ora
  sqlnet.ora  tnsnames.ora

- View the sqlnet.ora file and confirm that it does not contain the following parameter settings:

  SQLNET.ENCRYPTION_CLIENT = rejected
  SQLNET.CRYPTO_CHECKSUM_CLIENT = rejected

The rejected setting explicitly disables the encryption or integrity service, even if the server requires it. When a client with an encryption or integrity service setting of rejected connects to a server with the required setting, the connection fails with the following error:

  ORA-12660: Encryption or crypto-checksumming parameters incompatible

Because native Oracle Net Services encryption and integrity are enabled in your Database Classic Cloud Service environment by default, any parameter setting other than rejected, or no setting at all, results in the use of native encryption and integrity.
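The two checks above can be automated. The following is an added example, not Oracle's code: it parses a server-side and a client-side sqlnet.ora and predicts, per service, whether the connection negotiates the service, leaves it off, or fails with ORA-12660. It goes beyond the two values shown in the text and covers all four values Oracle documents for these parameters (ACCEPTED, REJECTED, REQUESTED, REQUIRED), treating an unset parameter as ACCEPTED; the file contents are constructed samples.

```python
"""Predict Oracle Net encryption/integrity negotiation from two sqlnet.ora files.

Added example, not Oracle's code. Beyond the two values the text shows, it
covers all four values Oracle documents for these parameters (ACCEPTED,
REJECTED, REQUESTED, REQUIRED); an unset parameter behaves as ACCEPTED.
"""
import re

# Constructed samples: the cloud server default, and a client that rejects encryption.
SERVER_ORA = """# server-side sqlnet.ora (constructed)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
"""
CLIENT_ORA = """# client-side sqlnet.ora (constructed)
sqlnet.encryption_client = rejected   # integrity parameter left unset
"""

def parse_sqlnet(text):
    """Return {PARAMETER: VALUE}, upper-cased, with '#' comments stripped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params

def negotiate(client, server):
    """Outcome for one service: 'on', 'off', or 'ORA-12660' (connection fails)."""
    pair = (client, server)
    if "REJECTED" in pair:
        return "ORA-12660" if "REQUIRED" in pair else "off"
    if "REQUIRED" in pair or "REQUESTED" in pair:
        return "on"
    return "off"  # both ACCEPTED: service available but not turned on

def check(server_text, client_text):
    """Negotiation result per service; any 'ORA-12660' means the connect fails."""
    srv, cli = parse_sqlnet(server_text), parse_sqlnet(client_text)
    return {
        svc: negotiate(cli.get(f"SQLNET.{key}_CLIENT", "ACCEPTED"),
                       srv.get(f"SQLNET.{key}_SERVER", "ACCEPTED"))
        for svc, key in (("encryption", "ENCRYPTION"),
                         ("integrity", "CRYPTO_CHECKSUM"))
    }

if __name__ == "__main__":
    print(check(SERVER_ORA, CLIENT_ORA))  # -> {'encryption': 'ORA-12660', 'integrity': 'on'}
```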
Verifying the use of Native Encryption and Integrity
You can verify the use of native Oracle Net Services encryption and integrity by connecting to your Oracle database and examining the network service banner entries associated with each connection. This information is contained in the NETWORK_SERVICE_BANNER column of the V$SESSION_CONNECT_INFO view. The following example shows the SQL command used to display the network service banner entries associated with the current connection:
SQL> select network_service_banner
from v$session_connect_info
where sid in (select distinct sid from v$mystat);
The following example output shows banner information for the available encryption service and the crypto-checksumming (integrity) service, including the algorithms in use:
NETWORK_SERVICE_BANNER
-------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
AES256 Encryption service adapter for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production
If native Oracle Net Services encryption and integrity were not in use, the banner would still include entries for the available security services; that is, the services linked into the Oracle Database software. However, there would be no entries indicating the specific algorithms in use for the connection. The following output shows an example:
NETWORK_SERVICE_BANNER
-------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
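The distinction between the two outputs above (a bare "service" row versus an "algorithm ... service adapter" row) can be checked programmatically. The following is an added example, not Oracle's code: it classifies the NETWORK_SERVICE_BANNER rows of a session, reports the negotiated algorithms, and flags any that belong to the legacy families the text lists (DES, 3DES, RC4, MD5). The sample rows are constructed from the two outputs above; fetch_banners assumes an open DB-API cursor (for example from python-oracledb), and the prefix match for legacy algorithm names is an assumption about banner naming.

```python
"""Classify V$SESSION_CONNECT_INFO banner rows for one session.

Added example, not Oracle's code. A "<ALG> ... service adapter" row names the
algorithm negotiated for the session; a bare "... service" row only shows that
the service is linked into the software. fetch_banners assumes a DB-API
cursor (for example from python-oracledb); the sample rows are constructed.
"""
import re

BANNER_SQL = """select network_service_banner
from v$session_connect_info
where sid in (select distinct sid from v$mystat)"""

V = "for Linux: Version 12.1.0.2.0 - Production"
PROTECTED = [                      # constructed from the text's first example output
    f"TCP/IP NT Protocol Adapter {V}",
    f"Encryption service {V}",
    f"AES256 Encryption service adapter {V}",
    f"Crypto-checksumming service {V}",
    f"SHA1 Crypto-checksumming service adapter {V}",
]
UNPROTECTED = PROTECTED[:2] + PROTECTED[3:4]   # services linked in, no adapter rows

ADAPTER_RE = re.compile(
    r"^(?P<alg>\S+) (?P<svc>Encryption|Crypto-checksumming) service adapter\b")
# Legacy families the text lists; prefix match on the banner's algorithm name (assumption).
LEGACY_PREFIXES = ("DES", "3DES", "RC4", "MD5")

def session_security(banners):
    """Return {'encryption': alg or None, 'integrity': alg or None}."""
    status = {"encryption": None, "integrity": None}
    for row in banners:
        m = ADAPTER_RE.match(row)
        if m:
            svc = "encryption" if m.group("svc") == "Encryption" else "integrity"
            status[svc] = m.group("alg")
    return status

def is_protected(banners):
    """True only when both an encryption and an integrity algorithm are in use."""
    return all(session_security(banners).values())

def legacy_algorithms(banners):
    """Algorithms in use that belong to the legacy families named in the text."""
    return [a for a in session_security(banners).values()
            if a and a.upper().startswith(LEGACY_PREFIXES)]

def fetch_banners(cursor):
    """Run BANNER_SQL on an open DB-API cursor and return the banner strings."""
    cursor.execute(BANNER_SQL)
    return [row[0] for row in cursor.fetchall()]
```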