Parameters for Clients and Servers Using Transport Layer Security

Oracle provides parameters to control Transport Layer Security authentication.

Ways to Configure a Parameter for Transport Layer Security

There are two ways to configure a parameter for Transport Layer Security (TLS).

Transport Layer Security Authentication Parameters for Clients and Servers

Oracle provides both static and dynamic Transport Layer Security (TLS) authentication parameters. The following table describes the static and dynamic parameters for configuring TLS on the server.

Attribute Description
Parameter Name (static) SQLNET.AUTHENTICATION_SERVICES
Parameter Name (dynamic) AUTHENTICATION
Parameter Type String LIST
Parameter Class Static
Permitted Values Add TCPS to the list of available authentication services.
Default Value No default value.
Description To control which authentication services a user wants to use. Note: The dynamic version supports only the setting of one type.
Existing/New Parameter Existing
Syntax (static) SQLNET.AUTHENTICATION_SERVICES = (TCPS, selected_method_1, selected_method_2)
Example (static) SQLNET.AUTHENTICATION_SERVICES = (TCPS, radius)
Syntax (dynamic) AUTHENTICATION = string
Example (dynamic) AUTHENTICATION = (TCPS)

Cipher Suite Parameters for Transport Layer Security

You can configure cipher suite parameters for Transport Layer Security (TLS). The following table describes the static and dynamic parameters for configuring cipher suites.

Attribute Description
Parameter Name (static) SSL_CIPHER_SUITES
Parameter Name (dynamic) SSL_CIPHER_SUITES
Parameter Type String LIST
Parameter Class Static
Permitted Values Any known TLS cipher suite
Default Value No default
Description Controls the combination of encryption and data integrity used by TLS.
Existing/New Parameter Existing
Syntax (static) SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ...SSL_cipher_suiteN])
Example (static) SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)
Syntax (dynamic) SSL_CIPHER_SUITES=(SSL_cipher_suite1[, SSL_cipher_suite2, ...SSL_cipher_suiteN])
Example (dynamic) SSL_CIPHER_SUITES=(SSL_DH_DSS_WITH_DES_CBC_SHA)

Supported Transport Layer Security Cipher Suites

Oracle Database supports a large number of cipher suites for Transport Layer Security (TLS).

The cipher suites are as follows:

Transport Layer Security Version Parameters

You can set a range of Transport Layer Security (TLS) parameters to configure the version of TLS to use.

The table below describes the SSL_VERSION static and dynamic parameters for configuring the version of TLS to be used.

Attribute Description
Parameter Name (static) SSL_VERSION
Parameter Name (dynamic) SSL_VERSION
Parameter Type string
Parameter Class Static
Permitted Values Any version which is valid to TLS. Values are as follows: undetermined | 1.0 | 1.1 | 1.2 | 3.0. Append a + to the values to specify the minimum version. For example: SSL_VERSION=1.2+. Will allow TLS1.2 and above. If you want to specify one version or another version, then use “or”. The following values are permitted: 1.0 or 3.0 | 1.2 or 3.0 | 1.1 or 1.0 | 1.2 or 1.0 | 1.2 or 1.1 | 1.1 or 1.0 or 3.0 | 1.2 or 1.0 or 3.0 | 1.2 or 1.1 or 1.0 | 1.2 or 1.1 or 3.0 | 1.2 or 1.1 or 1.0 or 3.
Default Value 1.2, 1.1, or 1.0. If you want to use a specific value (such as 1.2), then you must set it explicitly.
Description To force the version of the TLS connection.
Existing/New Parameter New
Syntax (static) SSL_VERSION=version
Example (static) SSL_VERSION=1.1
Syntax (dynamic) SSL_VERSION=version
Example (dynamic) SSL_VERSION=1.1 or 1.2

Note: The ADD_SSLv3_IMPLICITLY initialization parameter has no effect on the SSL_VERSION parameter.

TLS_DISABLE_VERSION Parameter

You can exclude Transport Layer Security (TLS) versions by configuring the TLS_DISABLE_VERSION parameter.

Attribute Description
Parameter Name (static) TLS_DISABLE_VERSION
Parameter Name (dynamic) TLS_DISABLE_VERSION
Parameter Type string
Parameter Class Static
Permitted Values Any version that is valid to TLS. Values are as follows: undetermined | TLSv1.1 | TLSv1.2 | TLSv1.3. You can specify a comma-separated string of values, such as the following: (TLSv1.2, TLSv1.3).
Default Value undetermined. No TLS version is excluded by default.
Description To specify which TLS versions should be excluded from use.
Existing/New Parameter New
Syntax (static) TLS_DISABLE_VERSION=version
Example (static) TLS_DISABLE_VERSION=TLSv1.3
Syntax (dynamic) TLS_DISABLE_VERSION=version
Example (dynamic) TLS_DISABLE_VERSION=(TLSv1.2, TLSv1.3)

Transport Layer Security Client Authentication Parameters

You can configure static and dynamic parameters for Secure Sockes Layer (TLS) on the client. The following table describes the SSL_CLIENT_AUTHENTICATION parameters.

Attribute Description
Parameter Name (static) SSL_CLIENT_AUTHENTICATION
Parameter Name (dynamic) SSL_CLIENT_AUTHENTICATION
Parameter Type Boolean
Parameter Class Static
Permitted Values TRUE or FALSE
Default Value TRUE
Description To control whether a client, in addition to the server, is authenticated using TLS.
Existing/New Parameter New
Syntax (static) SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (static) SSL_CLIENT_AUTHENTICATION=FALSE
Syntax (dynamic) SSL_CLIENT_AUTHENTICATION={TRUE | FALSE}
Example (dynamic) SSL_CLIENT_AUTHENTICATION=FALSE

Transport Layer Security X.509 Server Match Parameters

The SSL_SERVER_DN_MATCH and SSL_SERVER_CERT_DN parameters validate the identity of the server to which a client connects.

SSL_SERVER_DN_MATCH

The SSL_SERVER_DN_MATCH parameter forces the server’s distinguished name (DN) to match the name of the service. The following table describes the SSL_SERVER_DN_MATCH parameter.

Attribute Description
Parameter Name SSL_SERVER_DN_MATCH
Where Stored sqlnet.ora
Purpose Use this parameter to force the server’s distinguished name (DN) to match its service name. If you force the match verifications, TLS ensures that the certificate is from the server. If you choose not to enforce the match verification, TLS performs the check but permits the connection, regardless of whether there is a match.Not forcing the match lets the server potentially fake its identity.
Values yes|on|true. Specify to enforce a match. If the DN matches the service name, the connection succeeds; otherwise, the connection fails. no|off|false. Specify to not enforce a match. If the DN does not match the service name, the connection is successful, but an error is logged to the sqlnet.log file.
Default Oracle8i, or later: false. TLS client (always) checks server DN. If it does not match the service name, the connection succeeds but an error is logged to sqlnet.log file.
Usage Notes Additionally configure the tnsnames.ora parameter SSL_SERVER_CERT_DN to enable server DN matching.

SSL_SERVER_CERT_DN

The SSL_SERVER_CERT_DN specifies the distinguished name (DN) of a server. The following table describes the SSL_SERVER_CERT_DN parameter.

Attribute Description
Parameter Name SSL_SERVER_CERT_DN
Where Stored tnsnames.ora. It can be stored on the client, for every server it connects to, or it can be stored in the LDAP directory, for every server it connects to, updated centrally.
Purpose This parameter specifies the distinguished name (DN) of the server. The client uses this information to obtain the list of DNs it expects for each of the servers to force the server’s DN to match its service name.
Values Set equal to distinguished name (DN) of the server.
Default N/A
Usage Notes Additionally configure the sqlnet.ora parameter SSL_SERVER_DN_MATCH to enable server DN matching.
Example dbalias=(description=address_list=(address=(protocol=tcps)(host=hostname)(port=portnum)))(connect_data=(sid=Finance))(security=(SSL_SERVER_CERT_DN="CN=Finance,CN=OracleContext,C=US,O=Acme"))

Oracle Wallet Location

You must specify wallet location parameters for applications that must access an Oracle wallet for loading the security credentials into the process space. The following table lists the configuration files in which you must specify the wallet locations.

Static Configuration Dynamic Configuration
WALLET_LOCATION = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=your_wallet_dir) )) MY_WALLET_DIRECTORY = your_wallet_dir

The default wallet location is the ORACLE_HOME directory.