Parameters for Clients and Servers Using Transport Layer Security
Oracle provides parameters to control Transport Layer Security authentication.
-
Ways to Configure a Parameter for Transport Layer Security
There are two ways to configure a parameter for Transport Layer Security (TLS). -
Transport Layer Security Authentication Parameters for Clients and Servers
Oracle provides both static and dynamic Transport Layer Security (TLS) authentication parameters. -
Cipher Suite Parameters for Transport Layer Security
You can configure cipher suite parameters for Transport Layer Security (TLS). -
Supported Transport Layer Security Cipher Suites
Oracle Database supports a large number of cipher suites for Transport Layer Security (TLS). -
Transport Layer Security Version Parameters
You can set a range of Transport Layer Security (TLS) parameters to configure the version of TLS to use. -
Transport Layer Security Client Authentication Parameters
You can configure static and dynamic parameters for Secure Sockes Layer (TLS) on the client. -
Transport Layer Security X.509 Server Match Parameters
TheSSL_SERVER_DN_MATCHandSSL_SERVER_CERT_DNparameters validate the identity of the server to which a client connects. -
Oracle Wallet Location
You must specify wallet location parameters for applications that must access an Oracle wallet for loading the security credentials into the process space.
Ways to Configure a Parameter for Transport Layer Security
There are two ways to configure a parameter for Transport Layer Security (TLS).
-
Static: The name of the parameter that exists in the
sqlnet.orafile. Parameters likeSSL_CIPHER_SUITESandSSL_VERSIONcan also be configured using thelistener.orafile. -
Dynamic: The name of the parameter used in the security subsection of the Oracle Net address.
Transport Layer Security Authentication Parameters for Clients and Servers
Oracle provides both static and dynamic Transport Layer Security (TLS) authentication parameters. The following table describes the static and dynamic parameters for configuring TLS on the server.
| Attribute | Description |
|---|---|
| Parameter Name (static) | SQLNET.AUTHENTICATION_SERVICES |
| Parameter Name (dynamic) | AUTHENTICATION |
| Parameter Type | String LIST |
| Parameter Class | Static |
| Permitted Values | Add TCPS to the list of available authentication services. |
| Default Value | No default value. |
| Description | To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type. |
| Existing/New Parameter | Existing |
| Syntax (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2) |
| Example (static) | SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius) |
| Syntax (dynamic) | AUTHENTICATION = string |
| Example (dynamic) | AUTHENTICATION = (TCPS) |
Cipher Suite Parameters for Transport Layer Security
You can configure cipher suite parameters for Transport Layer Security (TLS). The following table describes the static and dynamic parameters for configuring cipher suites.
| Attribute | Description |
|---|---|
| Parameter Name (static) | SSL_CIPHER_SUITES |
| Parameter Name (dynamic) | SSL_CIPHER_SUITES |
| Parameter Type | String LIST |
| Parameter Class | Static |
| Permitted Values | Any known TLS cipher suite |
| Default Value | No default |
| Description | Controls the combination of encryption and data integrity used by TLS. |
| Existing/New Parameter | Existing |
| Syntax (static) | SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ...SSL_cipher_suiteN]) |
| Example (static) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
| Syntax (dynamic) | SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ...SSL_cipher_suiteN]) |
| Example (dynamic) | SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA) |
Supported Transport Layer Security Cipher Suites
Oracle Database supports a large number of cipher suites for Transport Layer Security (TLS).
The cipher suites are as follows:
-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -
TLS_RSA_WITH_AES_128_CBC_SHA256 -
TLS_RSA_WITH_AES_128_GCM_SHA256 -
TLS_RSA_WITH_AES_128_CBC_SHA -
TLS_RSA_WITH_AES_256_CBC_SHA -
TLS_RSA_WITH_AES_256_CBC_SHA256
Transport Layer Security Version Parameters
You can set a range of Transport Layer Security (TLS) parameters to configure the version of TLS to use.
The table below describes the SSL_VERSION static and dynamic parameters for configuring the version of TLS to be used.
| Attribute | Description |
|---|---|
| Parameter Name (static) | SSL_VERSION |
| Parameter Name (dynamic) | SSL_VERSION |
| Parameter Type | string |
| Parameter Class | Static |
| Permitted Values | Any version which is valid to TLS. Values are as follows: undetermined | 1.0 | 1.1 | 1.2 | 3.0. Append a + to the values to specify the minimum version. For example: SSL_VERSION=1.2+. Will allow TLS1.2 and above. If you want to specify one version or another version, then use “or”. The following values are permitted: 1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 | 1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 | 1.2 or 1.1 or 1.0 or 3. |
| Default Value | 1.2, 1.1, or 1.0. If you want to use a specific value (such as 1.2), then you must set it explicitly. |
| Description | To force the version of the TLS connection. |
| Existing/New Parameter | New |
| Syntax (static) | SSL_VERSION=version |
| Example (static) | SSL_VERSION=1.1 |
| Syntax (dynamic) | SSL_VERSION=version |
| Example (dynamic) | SSL_VERSION=1.1 or 1.2 |
Note: The ADD_SSLv3_IMPLICITLY initialization parameter has no effect on the SSL_VERSION parameter.
- TLS_DISABLE_VERSION Parameter
You can exclude Transport Layer Security (TLS) versions by configuring theTLS_DISABLE_VERSIONparameter.
TLS_DISABLE_VERSION Parameter
You can exclude Transport Layer Security (TLS) versions by configuring the TLS_DISABLE_VERSION parameter.
| Attribute | Description |
|---|---|
| Parameter Name (static) | TLS_DISABLE_VERSION |
| Parameter Name (dynamic) | TLS_DISABLE_VERSION |
| Parameter Type | string |
| Parameter Class | Static |
| Permitted Values | Any version that is valid to TLS. Values are as follows: undetermined | TLSv1.1 | TLSv1.2 | TLSv1.3. You can specify a comma-separated string of values, such as the following: (TLSv1.2, TLSv1.3). |
| Default Value | undetermined. No TLS version is excluded by default. |
| Description | To specify which TLS versions should be excluded from use. |
| Existing/New Parameter | New |
| Syntax (static) | TLS_DISABLE_VERSION=version |
| Example (static) | TLS_DISABLE_VERSION=TLSv1.3 |
| Syntax (dynamic) | TLS_DISABLE_VERSION=version |
| Example (dynamic) | TLS_DISABLE_VERSION=(TLSv1.2, TLSv1.3) |
Transport Layer Security Client Authentication Parameters
You can configure static and dynamic parameters for Secure Sockes Layer (TLS) on the client.
The following table describes the SSL_CLIENT_AUTHENTICATION parameters.
| Attribute | Description |
|---|---|
| Parameter Name (static) | SSL_CLIENT_AUTHENTICATION |
| Parameter Name (dynamic) | SSL_CLIENT_AUTHENTICATION |
| Parameter Type | Boolean |
| Parameter Class | Static |
| Permitted Values | TRUE or FALSE |
| Default Value | TRUE |
| Description | To control whether a client, in addition to the server, is authenticated using TLS. |
| Existing/New Parameter | New |
| Syntax (static) | SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} |
| Example (static) | SSL_CLIENT_AUTHENTICATION=FALSE |
| Syntax (dynamic) | SSL_CLIENT_AUTHENTICATION={TRUE | FALSE} |
| Example (dynamic) | SSL_CLIENT_AUTHENTICATION=FALSE |
Transport Layer Security X.509 Server Match Parameters
The SSL_SERVER_DN_MATCH and SSL_SERVER_CERT_DN parameters validate the identity of the server to which a client connects.
-
SSL_SERVER_DN_MATCH
TheSSL_SERVER_DN_MATCHparameter forces the server’s distinguished name (DN) to match the name of the service. -
SSL_SERVER_CERT_DN
TheSSL_SERVER_CERT_DNspecifies the distinguished name (DN) of a server.
SSL_SERVER_DN_MATCH
The SSL_SERVER_DN_MATCH parameter forces the server’s distinguished name (DN) to match the name of the service.
The following table describes the SSL_SERVER_DN_MATCH parameter.
| Attribute | Description |
|---|---|
| Parameter Name | SSL_SERVER_DN_MATCH |
| Where Stored | sqlnet.ora |
| Purpose | Use this parameter to force the server’s distinguished name (DN) to match its service name. If you force the match verifications, TLS ensures that the certificate is from the server. If you choose not to enforce the match verification, TLS performs the check but permits the connection, regardless of whether there is a match.Not forcing the match lets the server potentially fake its identity. |
| Values | yes|on|true. Specify to enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails. no|off|false. Specify to not enforce a match. If the DN does not match the service name, the connection is successful, but an error is logged to the sqlnet.log file. |
| Default | Oracle8i, or later: false. TLS client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to sqlnet.log file. |
| Usage Notes | Additionally configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching. |
SSL_SERVER_CERT_DN
The SSL_SERVER_CERT_DN specifies the distinguished name (DN) of a server.
The following table describes the SSL_SERVER_CERT_DN parameter.
| Attribute | Description |
|---|---|
| Parameter Name | SSL_SERVER_CERT_DN |
| Where Stored | tnsnames.ora. It can be stored on the client, for every server it connects to, or it can be stored in the LDAP directory, for every server it connects to, updated centrally. |
| Purpose | This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers to force the server’s DN to match its service name. |
| Values | Set equal to distinguished name (DN) of the server. |
| Default | N/A |
| Usage Notes | Additionally configure the sqlnet.ora parameter SSL_SERVER_DN_MATCH to enable server DN matching. |
| Example | dbalias=(description=address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_CERT_DN="CN=Finance,CN=OracleContext,C=US,O=Acme")) |
Oracle Wallet Location
You must specify wallet location parameters for applications that must access an Oracle wallet for loading the security credentials into the process space. The following table lists the configuration files in which you must specify the wallet locations.
-
sqlnet.ora -
listener.ora
| Static Configuration | Dynamic Configuration |
|---|---|
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=your_wallet_dir) )) |
MY_WALLET_DIRECTORY = your_wallet_dir |
The default wallet location is the ORACLE_HOME directory.