April 19, 2021

Enabling Oracle Native Network Encryption

Security & Compliance

Network encryption is a vital step in hardening your application and guarding your data. It is also increasingly required by organizational policy and by regulations such as HIPAA.

In this article, we will discuss how to secure network communication between your application and the Oracle database using Oracle Native Network Encryption. We will demonstrate how encryption can be enabled and leveraged from SourcePro DB with no source code changes to your application.


Code to Query Connection Security

Using this code snippet, we establish a connection to an Oracle database server and ask the server which network services are in use for that connection.

#include <iostream>
#include <rw/db/db.h>   // SourcePro DB umbrella header (RWDBManager, RWDBConnection, RWDBReader, ...)

// Server name, user and password are placeholders; substitute your own values.
const RWDBDatabase db =
  RWDBManager::database("ORACLE_OCI", "<server>", "<user>", "<password>", "");
const RWDBConnection conn = db.connection();
// Ask the server which network service banners apply to this session.
RWDBResult result =
  conn.executeSql("SELECT distinct NETWORK_SERVICE_BANNER from v$session_connect_info where SID = sys_context('USERENV', 'SID')");
const RWDBTable resultTable = result.table();
RWDBReader reader = resultTable.reader();
std::cout << "Connection using services" << std::endl;
while (reader()) {
    RWCString protocol;
    reader >> protocol;   // one banner row per network service
    std::cout << "  " << protocol << std::endl;
}

Output

Connection using services
  TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
  Crypto-checksumming service for Linux: Version 18.0.0.0.0 - Production
  Encryption service for Linux: Version 18.0.0.0.0 - Production

As the output shows, the server reports that this connection is a plain TCP/IP connection. The query also lists the crypto-checksumming and encryption services, which means they are installed and available, but no encryption or checksumming service adapter is listed, so neither is in use on this connection. Let us now walk through how to enable Oracle Native Network Encryption and see what is reported once encryption and checksumming are enabled.


Changes to Server Configuration File

First, we update the server's sqlnet.ora file (typically found in $ORACLE_HOME/network/admin, or in the directory named by $TNS_ADMIN if that variable is set) and add the following values.

sqlnet.ora

SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)

With this update, we configure the server to require that all connections be encrypted, and we restrict the server to the AES256 encryption algorithm.

The update also enables data integrity checking by requiring a cryptographic checksum over the data sent to the server, and specifies that the checksum is computed with the SHA512 algorithm.

The Oracle documentation provides details on other potential values for these properties.


Changes to Client Configuration Files

Next, we make the corresponding changes to each client's sqlnet.ora file (typically found in $ORACLE_HOME/network/admin, or in the directory named by $TNS_ADMIN if that variable is set).

sqlnet.ora

SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA512)

Note that these client settings are not required to enable native network encryption; setting the values on the server side is sufficient. However, to ensure that the connection is always encrypted, it is best to set these options on both sides of the connection, so that an accidental change on either side cannot silently produce an insecure connection.
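The following is an added example, not SourcePro or Oracle code, that lets you check a server and client sqlnet.ora pair before rolling it out: it parses the four SQLNET.* keys shown above from both files and applies Oracle's documented negotiation rules to predict whether encryption (or checksumming) will be on, off, or cause the connection to fail. It goes beyond the page's REQUIRED setting by also handling the REQUESTED, ACCEPTED and REJECTED values, and it covers the case the paragraph above warns about: a server accidentally relaxed to ACCEPTED while the client is left at its defaults. The parser, the Outcome enum, the function names and the sample file contents are assumptions constructed for this example.

```cpp
// Added example, not SourcePro or Oracle code: parse the SQLNET.* keys from
// server and client sqlnet.ora text and apply Oracle's documented negotiation
// rules to predict whether a service will be ON, OFF, or fail the connection.
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

enum class Outcome { Off, On, Fail };

struct SqlnetSettings {
    std::string mode = "ACCEPTED";   // Oracle's default when the key is absent
    std::vector<std::string> types;  // empty list => every installed algorithm
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r");
    size_t e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Reads "KEY = VALUE" lines, ignoring blank lines and '#' comments.
static std::map<std::string, std::string> parseSqlnet(const std::string& text) {
    std::map<std::string, std::string> kv;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = trim(line.substr(0, line.find('#')));
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string key = trim(line.substr(0, eq));
        std::transform(key.begin(), key.end(), key.begin(),
                       [](unsigned char ch) { return std::toupper(ch); });
        kv[key] = trim(line.substr(eq + 1));
    }
    return kv;
}

// Turns "(AES256, AES192)" into {"AES256", "AES192"}.
static std::vector<std::string> splitList(std::string v) {
    v.erase(std::remove_if(v.begin(), v.end(),
                           [](char c) { return c == '(' || c == ')' || c == ' '; }),
            v.end());
    std::vector<std::string> out;
    std::istringstream in(v);
    std::string item;
    while (std::getline(in, item, ',')) if (!item.empty()) out.push_back(item);
    return out;
}

// feature is "ENCRYPTION" or "CRYPTO_CHECKSUM"; side is "SERVER" or "CLIENT".
static SqlnetSettings settingsFor(const std::map<std::string, std::string>& kv,
                                  const std::string& feature, const std::string& side) {
    SqlnetSettings s;
    auto m = kv.find("SQLNET." + feature + "_" + side);
    if (m != kv.end()) s.mode = m->second;
    auto t = kv.find("SQLNET." + feature + "_TYPES_" + side);
    if (t != kv.end()) s.types = splitList(t->second);
    return s;
}

// Oracle's negotiation matrix: REQUIRED against REJECTED fails the connection;
// REJECTED on either side otherwise turns the service off, as does ACCEPTED on
// both sides (the default); any other pairing turns it on, provided the two
// sides share at least one algorithm.
Outcome negotiate(const SqlnetSettings& server, const SqlnetSettings& client) {
    const std::string& s = server.mode;
    const std::string& c = client.mode;
    if ((s == "REQUIRED" && c == "REJECTED") || (c == "REQUIRED" && s == "REJECTED"))
        return Outcome::Fail;
    if (s == "REJECTED" || c == "REJECTED") return Outcome::Off;
    if (s == "ACCEPTED" && c == "ACCEPTED") return Outcome::Off;
    if (!server.types.empty() && !client.types.empty()) {
        bool common = false;
        for (const auto& a : server.types)
            if (std::find(client.types.begin(), client.types.end(), a) != client.types.end())
                common = true;
        if (!common) return Outcome::Fail;
    }
    return Outcome::On;
}

Outcome negotiateFromFiles(const std::string& serverOra, const std::string& clientOra,
                           const std::string& feature) {
    return negotiate(settingsFor(parseSqlnet(serverOra), feature, "SERVER"),
                     settingsFor(parseSqlnet(clientOra), feature, "CLIENT"));
}

// Constructed sample files: the article's settings, plus a server that was
// accidentally relaxed to ACCEPTED (what the client-side REQUIRED guards against).
const std::string kServerOra =
    "SQLNET.ENCRYPTION_SERVER = REQUIRED\n"
    "SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n"
    "SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED\n"
    "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)\n";
const std::string kClientOra =
    "SQLNET.ENCRYPTION_CLIENT = REQUIRED\n"
    "SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)\n"
    "SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED\n"
    "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA512)\n";
const std::string kRelaxedServerOra = "SQLNET.ENCRYPTION_SERVER = ACCEPTED\n";
```

With the article's files, negotiateFromFiles reports On for both features, and it still reports On when the client file is empty, which is the point that the server-side setting alone suffices. With kRelaxedServerOra and an empty client file it reports Off, because ACCEPTED on both sides negotiates no encryption; with kRelaxedServerOra and the article's client file it reports On again, which is exactly why setting REQUIRED on both sides is recommended. A client restricted to an algorithm the server does not list reports Fail rather than a silent downgrade.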


A Secure Connection

Having made these changes, we can run the same example as before. No code changes are needed and the executable does not have to be recompiled. Running it again, the connection security is now reported as:

Output

Connection using services
  AES256 Encryption service adapter for Linux: Version 18.0.0.0.0 - Production
  TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production
  Crypto-checksumming service for Linux: Version 18.0.0.0.0 - Production
  SHA512 Crypto-checksumming service adapter for Linux: Version 18.0.0.0.0 - Production
  Encryption service for Linux: Version 18.0.0.0.0 - Production

As the output shows, the same three services are present as before, when the connection was not encrypted. However, now the AES256 Encryption service adapter and the SHA512 Crypto-checksumming service adapter are also listed, showing that both have been enabled for this connection.
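Rather than reading the banner rows by eye, an application can interpret them at startup and refuse to run over a connection that did not negotiate the expected algorithms. The following added example, which is not SourcePro or Oracle code, does that for the rows the query above returns: it picks the algorithm name off the "Encryption service adapter" and "Crypto-checksumming service adapter" rows and compares it to a policy. The struct and function names are assumptions, and the sample rows are copied from the two outputs shown in this article.

```cpp
// Added example, not SourcePro or Oracle code: interpret the rows returned by
// the NETWORK_SERVICE_BANNER query so an application can confirm at startup
// that encryption and integrity checking were actually negotiated.
#include <string>
#include <vector>

struct ConnectionSecurity {
    std::string cipher;    // "AES256" when an encryption adapter row is present
    std::string checksum;  // "SHA512" when a checksumming adapter row is present
    bool encrypted() const { return !cipher.empty(); }
    bool integrityChecked() const { return !checksum.empty(); }
};

static std::string trimLeft(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b);
}

// Adapter rows name the algorithm first: "<ALG> Encryption service adapter ..."
// or "<ALG> Crypto-checksumming service adapter ...". The plain "Encryption
// service" and "Crypto-checksumming service" rows only say the feature is installed.
static std::string leadingAlgorithm(const std::string& row, const std::string& marker) {
    size_t pos = row.find(marker);
    return pos == std::string::npos ? "" : row.substr(0, pos);
}

ConnectionSecurity inspectBanners(const std::vector<std::string>& rows) {
    ConnectionSecurity cs;
    for (const auto& raw : rows) {
        std::string row = trimLeft(raw);
        std::string enc = leadingAlgorithm(row, " Encryption service adapter");
        if (!enc.empty()) cs.cipher = enc;
        std::string sum = leadingAlgorithm(row, " Crypto-checksumming service adapter");
        if (!sum.empty()) cs.checksum = sum;
    }
    return cs;
}

// Policy gate: true only when both expected algorithms are in use.
bool meetsPolicy(const ConnectionSecurity& cs, const std::string& cipher,
                 const std::string& checksum) {
    return cs.cipher == cipher && cs.checksum == checksum;
}

// Constructed sample rows, copied from the two outputs shown in the article.
const std::vector<std::string> kPlainRows = {
    "TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 18.0.0.0.0 - Production",
    "Encryption service for Linux: Version 18.0.0.0.0 - Production",
};
const std::vector<std::string> kSecureRows = {
    "AES256 Encryption service adapter for Linux: Version 18.0.0.0.0 - Production",
    "TCP/IP NT Protocol Adapter for Linux: Version 18.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 18.0.0.0.0 - Production",
    "SHA512 Crypto-checksumming service adapter for Linux: Version 18.0.0.0.0 - Production",
    "Encryption service for Linux: Version 18.0.0.0.0 - Production",
};
```

Feed the rows read by the RWDBReader loop into inspectBanners; for the first output in this article it reports no cipher and no checksum, and for the second it reports AES256 and SHA512, so meetsPolicy(cs, "AES256", "SHA512") is the check to run before the application issues any further SQL.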


Conclusion

As we have seen, it is very simple to enable Oracle native network encrypted communication. SourcePro DB requires no source code changes to use the encrypted connection or the checksummed data.

Oracle Native Network Encryption can be set up very easily and seamlessly integrates into your existing applications. This ease of use, however, does have some limitations. You will not have any direct control over the security certificates or ciphers used for encryption. Additionally, because there are no pre-shared keys, Native Network Encryption is vulnerable to man-in-the-middle attacks.

In our next article, we will discuss how to enable network encryption using SSL/TLS and address these issues.

In the meantime, you can request a free evaluation of SourcePro. With SourcePro, you write your code once and deploy it on any platform. This helps you reduce time-to-market, increase reliability, and extend the life of your applications.

