Oracle® Database Advanced Security Administrator's Guide 11g Release 2 (11.2) Part Number E10746-01 |
|
|
View PDF |
This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora
file generated by performing the network configuration described in Chapter 4, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" and Chapter 8, "Configuring Secure Sockets Layer Authentication".
This appendix contains the following topics:
This section contains a sample sqlnet.ora
configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.
#Trace file setup trace_level_server=16 trace_level_client=16 trace_directory_server=/orant/network/trace trace_directory_client=/orant/network/trace trace_file_client=cli trace_file_server=srv trace_unique_client=true
Oracle Advanced Security Transparent Data Encryption
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))
Oracle Advanced Security Network Encryption
#ASO Encryption sqlnet.encryption_server=accepted sqlnet.encryption_client=requested sqlnet.encryption_types_server=(RC4_40) sqlnet.encryption_types_client=(RC4_40)
Oracle Advanced Security Network Data Integrity
#ASO Checksum sqlnet.crypto_checksum_server=requested sqlnet.crypto_checksum_client=requested sqlnet.crypto_checksum_types_server = (MD5) sqlnet.crypto_checksum_types_client = (MD5)
#SSL WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = DIRECTORY=/wallet) SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_RC4_128_MD5) SSL_VERSION= 3 SSL_CLIENT_AUTHENTICATION=FALSE
#Common automatic_ipc = off sqlnet.authentication_services = (beq) names.directory_path = (TNSNAMES)
#Kerberos sqlnet.authentication_services = (beq, kerberos5) sqlnet.authentication_kerberos5_service = oracle sqlnet.kerberos5_conf= /krb5/krb.conf sqlnet.kerberos5_keytab= /krb5/v5srvtab sqlnet.kerberos5_realms= /krb5/krb.realm sqlnet.kerberos5_cc_name = /krb5/krb5.cc sqlnet.kerberos5_clockskew=900 sqlnet.kerberos5_conf_mit=false
#Radius sqlnet.authentication_services = (beq, RADIUS ) sqlnet.radius_authentication_timeout = (10) sqlnet.radius_authentication_retries = (2) sqlnet.radius_authentication_port = (1645) sqlnet.radius_send_accounting = OFF sqlnet.radius_secret = /orant/network/admin/radius.key sqlnet.radius_authentication = radius.us.example.com sqlnet.radius_challenge_response = OFF sqlnet.radius_challenge_keyword = challenge sqlnet.radius_challenge_interface = oracle/net/radius/DefaultRadiusInterface sqlnet.radius_classpath = /jre1.1/
If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora
file. However, Oracle Advanced Security defaults to ACCEPTED
.
For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora
file that matches an algorithm listed in the client sqlnet.ora
file, or in the client installed list if the client lists no algorithms in its sqlnet.ora
file. If there are no entries in the server sqlnet.ora
file, the server sequentially searches its installed list to match an item on the client side—either in the client sqlnet.ora
file or in the client installed list. If no match can be made and one side of the connection REQUIRED the algorithm type (data encryption or integrity), the connection fails. Otherwise, the connection succeeds with the algorithm type inactive
.
Data encryption and integrity algorithms are selected independently of each other. Encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A-1:
Table A-1 Algorithm Type Selection
Encryption Selected? | Integrity Selected? |
---|---|
Yes |
No |
Yes |
Yes |
No |
Yes |
No |
No |
See Also:
The following sections describe data encryption and integrity parameters:
This parameter specifies the desired encryption behavior when a client or a server acting as a client connects to this server. The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT
setting at the other end of the connection.
This parameter specifies the desired encryption behavior when this client or server acting as a client connects to a server. The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER
at the other end of the connection.
This parameter specifies the desired data integrity behavior when a client or another server acting as a client connects to this server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT
setting at the other end of the connection.
This parameter specifies the desired data integrity behavior when this client or server acting as a client connects to a server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER
setting at the other end of the connection.
This parameter specifies a list of encryption algorithms used by this server in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with the error message ORA-12650.
Table A-6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes
This parameter specifies a list of encryption algorithms used by this client or server acting as a client. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with the ORA-12650
error message.
Table A-7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes
This parameter specifies a list of data integrity algorithms that this server or client to another server uses, in order of intended use. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm is specified that is not installed on this side, the connection terminates with the ORA-12650
error message
Table A-8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes
This parameter specifies a list of data integrity algorithms that this client or server acting as a client uses. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed on this side is specified, the connection terminates with the ORA-12650
error message.
Table A-9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes