A
Data Encryption and Integrity Parameters

This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 2, Configuring Data Encryption and Integrity, and Chapter 9, Configuring Secure Socket Layer Authentication.

This appendix contains the following sections:

• Sample sqlnet.ora File

• Data Encryption and Integrity Parameters

Sample sqlnet.ora File

This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.

Trace File Setup

#Trace file setup 
trace_level_server=16 
trace_level_client=16  
trace_directory_server=/orant/network/trace 
trace_directory_client=/orant/network/trace 
trace_file_client=cli  
trace_file_server=srv 
trace_unique_client=true 

Oracle Advanced Security Encryption

#ASO Encryption 
sqlnet.encryption_server=accepted 
sqlnet.encryption_client=requested 
sqlnet.encryption_types_server=(RC4_40) 
sqlnet.encryption_types_client=(RC4_40) 
sqlnet.crypto_seed = "-kdje83kkep39487dvmlqEPTbxxe70273" 

Oracle Advanced Security Integrity

#ASO Checksum 
sqlnet.crypto_checksum_server=requested 
sqlnet.crypto_checksum_client=requested  
sqlnet.crypto_checksum_types_server = (MD5) 
sqlnet.crypto_checksum_types_client = (MD5) 

SSL

#SSL 
oss.source.my_wallet = (SOURCE=
                          (METHOD = FILE) 
                          (METHOD_DATA = 
                           DIRECTORY=/wallet) 

SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5) 
SSL_VERSION= 3 
SSL_CLIENT_AUTHENTICATION=FALSE 

Common

#Common 
automatic_ipc = off  
sqlnet.authentication_services = (beq)  
names.directory_path = (TNSNAMES) 

Kerberos

#Kerberos 
sqlnet.authentication_services = (beq, kerberos5)  
sqlnet.authentication_kerberos5_service = oracle 
sqlnet.kerberos5_conf= /krb5/krb.conf 
sqlnet.kerberos5_keytab= /krb5/v5srvtab 
sqlnet.kerberos5_realms= /krb5/krb.realm 
sqlnet.kerberos5_cc_name = /krb5/krb5.cc 
sqlnet.kerberos5_clockskew=900 

CyberSafe

#CyberSafe 
sqlnet.authentication_services = (beq, cybersafe) 
sqlnet.authentication_gssapi_service = oracle/cybersaf.us.oracle.com  
sqlnet.authentication_kerberos5_service = oracle 
sqlnet.kerberos5_conf= /krb5/krb.conf 
sqlnet.kerberos5_keytab= /krb5/v5srvtab 
sqlnet.kerberos5_realms= /krb5/krb.realm 
sqlnet.kerberos5_cc_name = /krb5/krb5.cc 
sqlnet.kerberos5_clockskew=900 

Identix

#Identix 
sqlnet.authentication_services = (beq, identix) 
sqlnet.identix_fingerprint_database = identix_scanner 
sqlnet.identix_fingerprint_database_user = ofm_client 
sqlnet.identix_fingerprint_database_password = ofm_client 
sqlnet.identix_fingerprint_method = oracle  

RADIUS

#Radius 
sqlnet.authentication_services = (beq, RADIUS )  
sqlnet.radius_authentication_timeout = (10) 
sqlnet.radius_authentication_retries = (2) 
sqlnet.radius_authentication_port = (1645) 
sqlnet.radius_send_accounting = OFF 
sqlnet.radius_secret = /orant/network/admin/radius.key 
sqlnet.radius_authentication = radius.us.oracle.com 
sqlnet.radius_challenge_response = OFF 
sqlnet.radius_challenge_keyword = challenge 
sqlnet.radius_challenge_interface = 
oracle/net/radius/DefaultRadiusInterface 
sqlnet.radius_classpath = /jre1.1/ 

SecurID

#SecurID 
sqlnet.authentication_services = (beq, securid )

Data Encryption and Integrity Parameters

If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora file. However, Oracle Advanced Security defaults to ACCEPTED.

For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora file that matches an algorithm listed in the client sqlnet.ora file or in the client installed list. If there are no entries in the server sqlnet.ora file, the server sequentially searches its installed list, to match an item on the client side--either in the client sqlnet.ora file or in the client installed list. If no match can be made, the connection fails.

Data encryption and integrity algorithms are selected independently of each other; encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A-1:

Table A-1 Algorithm Selection

Encryption Selected?	Integrity Selected?
Yes	No
Yes	Yes
No	Yes
No	No

There are three classes of parameters required to enable data encryption and integrity:

• Encryption and Integrity Level Settings:

• Encryption and Integrity Selected Lists

• Seeding the Random Key Generator

  See Also: Chapter 2, Configuring Data Encryption and Integrity Activating Encryption and Integrity

  Encryption and Integrity Level Settings:

  Table A-2 summarizes data encryption and integrity level settings:

  Table A-2 Encryption and Integrity Level Settings

  Algorithm Type	Platform	Item	Description
  Encryption	Server	Purpose	This parameter specifies the desired behavior when a client or a server acting as a client is connecting to this server. The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT setting at the other end.
  		Syntax	SQLNET.ENCRYPTION_SERVER = valid_value
  		Values	ACCEPTED, REJECTED, REQUESTED, REQUIRED
  		Default	ACCEPTED
  	Client	Purpose	This parameter specifies the desired behavior when this client (or this server acting as a client) is connecting to a server. The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.
  		Syntax	SQLNET.ENCRYPTION_CLIENT = valid_value
  		Values	ACCEPTED, REJECTED, REQUESTED, REQUIRED
  		Default	ACCEPTED
  Integrity	Server	Purpose	This parameter specifies the desired data integrity behavior when a client (or another server acting as a client) is connecting to this server. The resulting behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end.
  		Syntax	SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value
  		Values	ACCEPTED, REJECTED, REQUESTED, REQUIRED
  		Default	ACCEPTED
  	Client	Purpose	This parameter specifies the desired data integrity behavior when this client (or this server acting as a client) is connecting to a server. The resulting behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.
  		Syntax	SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value
  		Values	ACCEPTED, REJECTED, REQUESTED, REQUIRED
  		Default	ACCEPTED

  Encryption and Integrity Selected Lists

  Table A-3 Data Encryption and Integrity Selected Lists

  Algorithm Type	Platform	Item	Description
  Encryption	Server	Purpose	This parameter specifies a list of encryption algorithms used by the server, in the order of intended use. Enter the most desired algorithm first. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of client algorithm types available until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650.
  		Syntax	SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])
  		Values	RC4_40: RSA RC4 (40-bit key size). RC4_56: RSA RC4 (56-bit key size). RC4_128: RSA RC4 (128-bit key size). RC4_256: RSA RC4 (256-bit key size). 3DES112: Triple-DES (112-bit key size). 3DES168: Triple-DES (168-bit key size). DES40: DES40 (40-bit key size). DES: Standard DES (56-bit key size).
  		Default	All installed algorithms are used in a negotiation if no algorithms are defined in the local sqlnet.ora file.
  Encryption	Server	Usage Notes	All algorithms are installed: RC4_40, RC4_56, RC4_128, RC4_256, 3DES112, 3DES168, DES40, and DES. If no algorithms are specified (in the local sqlnet.ora file), the installed algorithms are used in that order to negotiate a mutually acceptable algorithm with the other end of the connection. You can specify multiple encryption algorithms--either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable: SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40) SQLNET.ENCRYPTION_TYPES_SERVER=(DES,RC4_56,RC4_128,DES40)
  	Client	Purpose	This parameter specifies a list of encryption algorithms the client (or a server acting as a client) uses when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. The parameters can be listed in any order. If an algorithm that is not installed is specified on this side, the connection terminates with error message ORA-12650.
  		Syntax	SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_ encryption_algorithm [,valid_encryption_ algorithm])
  		Values	RC4_40: RSA RC4 (40-bit key size). RC4_56: RSA RC4 (56-bit key size). RC4_128: RSA RC4 (128-bit key size). RC4_256: RSA RC4 (256-bit key size). 3DES112: Triple-DES (112-bit key size). 3DES168: Triple-DES (168-bit key size). DES40: DES40 (40-bit key size). DES: Standard DES (56-bit key size).
  		Default	All installed algorithms are used in a negotiation if no algorithms are defined in the sqlnet.ora file.
  Encryption	Client	Usage Notes	All algorithms are installed: RC4_40, RC4_56, RC4_128, RC4_256, 3DES112, 3DES168, DES40, and DES. If no algorithms are defined in the sqlnet.ora file, the installed algorithms are used in that order to negotiate a mutually acceptable algorithm with the other end of the connection. You can specify multiple encryption algorithms--either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable: SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40,RC4_ 56,RC4_40) SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_40)
  Integrity	Server	Purpose	This parameter specifies a list of the data integrity algorithms the server is allowed to use, in order of intended use, when acting as a server to a client or another server. This list is used to negotiate a mutually acceptable algorithm with the remote end of the connection. Each algorithm is checked against the list of client algorithm types available until a match is found. The first match is the one that is used. If an algorithm is specified that is not installed on this side, the connection terminates with error message ORA-12650.
  		Syntax	SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (crypto_ checksum_algorithm)
  		Values	Message Digest 5 (MD5); Secure Hash Algorithm (SHA-1).
  		Default	All installed algorithms are used in a negotiation if no algorithms are defined in the local sqlnet.ora file.
  Integrity	Client	Purpose	This parameter specifies a list of data integrity algorithms the client (or a server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the remote end of the connection. The order in which the algorithms are listed is not important. If an algorithm that is not installed on this side is specified, the connection terminates with error message ORA-12650.
  		Syntax	SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (crypto_ checksum_algorithm)
  		Values	Message Digest 5 (MD5); Secure Hash Algorithm (SHA-1).
  		Default	All installed algorithms are used in a negotiation if no algorithms are defined in the local sqlnet.ora file.

  Seeding the Random Key Generator

  SQLNET.CRYPTO_SEED = "10-70 random characters"
  
  
  

  The characters that form the value for this parameter are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 random characters into the above statement.

  Note: Oracle Corporation recommends that you enter as many characters as possible, up to 70, to make the resulting key more random and therefore stronger.

  This parameter must be present in the sqlnet.ora file whenever data encryption or integrity is enabled.