Oracle Database Network Encryption – Native

Network encryption is one of the most important security strategies. It will ensure data transmitted over the wire is encrypted and will prevent malicious attacks in man-in-the-middle form. Network encryption guarantees that data exchanged between the Application/End Users and Database System should be securely transmitted and transparently encrypted.

Since Oracle 10.2: “Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle database provides below 2 options to enable database connection Network Encryption

1. Native Network Encryption
2. Encryption using SSL/TLS (Secure Socket Layer / Transport Layer Security). Click here to read more.

In this blog post, we are going to discuss Oracle Native Network Encryption.

Native Network Encryption & Data Integrity can be configured by updating the sqlnet.ora configuration file on the database server or Client side, with the following parameters. Database side encryption setup will affect all the client connections coming to the database. But client-side encryption will impose encryption only to the client where encryption parameters are set in sqlnet.ora file and other clients will remain unaffected. Native connection encryption uses Diffie-Hellman key negation algorithm. Both DB and Client session share non-secret information and based on this information generate a secret key and hereafter all communication is encrypted using this secret key. This is a classic example of Symmetric encryption where both Server and Client have the same secret key.

Database Side Parameters:-
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)

Client Side Parameters:-

SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA512)

The parameter ENCRYPTION_SERVER/ENCRYPTION_CLIENT has the following options:
REQUESTED – to enable the security service if the client allows it.
REQUIRED – to enable the security service and disallow the connection if the client is not enabled for the security service.
ACCEPTED (Default)– to enable the security service if required or requested by the client.
REJECTED – to disable the security service, even if required by the client

The combination of the client and server settings will determine if encryption is used, not used or the connection is rejected, as described in the encryption negotiations matrix.

Encryption Type	Pros	Cons
Native Encryption	Easy to configure	Weaker against attacks like man-in-the-middle, Server impersonation
	No client-side changes required
	No SSL/TLS certificates are required

Connection without any Encryption parameter defines either in DB or Client Side.

As we can see from the output, the server is reporting that this connection is a standard unencrypted TCP connection. The query has also reported that the checksum and encryption services are available, but they are not currently in use. Let us now walk through how we can enable Oracle Native Network Encryption and see what is reported when encryption and checksum are enabled.

C:\Users\jkhan>
C:\Users\jkhan>sqlplus sys@app_user as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Sun Dec 19 09:47:13 2021

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> SELECT distinct NETWORK_SERVICE_BANNER from v$session_connect_info where SID = sys_context('USERENV', 'SID');

NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production
Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.2.0.
4.0 - Production

Oracle Advanced Security: encryption service for Linux: Version 11.2.0.4.0 - Pro
duction


SQL>

Server Side Connection Encryption – No specific algorithm

We will set the parameter SQLNET.ENCRYPTION_SERVER = REQUIRED & SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED in server sqlnet.ora file and restart listener. These server parameters will force the client to connect with encryption. And if the client fails to support encryption the connection will fail. In the below example, as you can see the client is connected with the Encryption algorithm: AES256 and Data Integrity Algorithm: SHA1.

[oracle@test-machine01 admin]$
[oracle@test-machine01 admin]$ cat sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0.4/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.


NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES= (NTS)

SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
[oracle@test-machine01 admin]$
[oracle@test-machine01 admin]$

[oracle@test-machine01 admin]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$


[oracle@test-machine01 admin]$ lsnrctl start

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$


C:\Users\jkhan>
C:\Users\jkhan>sqlplus sys@app_user as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Sun Dec 19 09:56:44 2021

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>
SQL> SELECT distinct NETWORK_SERVICE_BANNER from v$session_connect_info where SID = sys_context('USERENV', 'SID');

NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production
Oracle Advanced Security: AES256 encryption service adapter for Linux: Version 1
1.2.0.4.0 - Product

Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.2.0.
4.0 - Production

Oracle Advanced Security: encryption service for Linux: Version 11.2.0.4.0 - Pro
duction

Oracle Advanced Security: SHA1 crypto-checksumming service adapter

SQL>

Server Side Connection Encryption – Specific algorithm Encryption : AES256 & Data Integrity: SHA512

In the below example we are adding two more parameters that force the client to connect with the same specified algorithm i.e Encryption Algorithm: AES256 & Data Integrity Algorithm: SHA512 only. If the client fails to support the specified algorithm then the connection will fail. As demo Oracle client version is 11.2.0.4 it’s not supporting the latest Data integrity algorithm SHA512 and hence connection fail. We can check in DB alert.log error “TNS-12649: Unknown encryption or data integrity algorithm“.

[oracle@test-machine01 admin]$
[oracle@test-machine01 admin]$ cat sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0.4/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.


NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES= (NTS)

SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)
[oracle@test-machine01 admin]$

[oracle@test-machine01 admin]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$


[oracle@test-machine01 admin]$ lsnrctl start

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$


C:\Users\jkhan>
C:\Users\jkhan>sqlplus sys@app_user as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Sun Dec 19 10:02:30 2021

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:
ERROR:
ORA-12537: TNS:connection closed


Enter user-name:


[oracle@test-machine01 trace]$ vi alert_ucastest.log
***********************************************************************

Fatal NI connect error 12649, connecting to:
 (LOCAL=NO)

  VERSION INFORMATION:
        TNS for Linux: Version 11.2.0.4.0 - Production
        Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production
        TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production
  Time: 19-DEC-2021 10:02:02
  Tracing not turned on.
  Tns error struct:
    ns main err code: 12649

TNS-12649: Unknown encryption or data integrity algorithm
    ns secondary err code: 0
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0
opiodr aborting process unknown ospid (126749) as a result of ORA-609
Sun Dec 19 10:03:25 2021


***********************************************************************

Client Side Connection Encryption – No specific algorithm

the advantage of client side encryption is that only specific clients can be enabled for encryption and the rest of the other clients remain unaffected. Below we are removing all encryption parameters from Server side sqlnet.ora file and restart the listener. As default setting is ACCEPTED. This will enable the security service on the server side if required or requested by the client.

Server Side Change in sqlnet.ora file

[oracle@test-machine01 admin]$ cat sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/11.2.0.4/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.


NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES= (NTS)
[oracle@test-machine01 admin]$
[oracle@test-machine01 admin]$

[oracle@test-machine01 admin]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$


[oracle@test-machine01 admin]$ lsnrctl start

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 19-DEC-2021 09:54:35

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=test-machine01)(PORT=1521)))
The command completed successfully
[oracle@test-machine01 admin]$

Client-Side Change in sqlnet.ora file

D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>
D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>type sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED

D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>
D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>

D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>
D:\Oracle\product\11.2.0.4\db_1\NETWORK\ADMIN>sqlplus sys@app_user as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Sun Dec 19 10:27:56 2021

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> SELECT distinct NETWORK_SERVICE_BANNER from v$session_connect_info where SID = sys_context('USERENV', 'SID');

NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.4.0 - Production
Oracle Advanced Security: AES256 encryption service adapter for Linux: Version 1
1.2.0.4.0 - Product

Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.2.0.
4.0 - Production

Oracle Advanced Security: encryption service for Linux: Version 11.2.0.4.0 - Pro
duction

Oracle Advanced Security: SHA1 crypto-checksumming service adapter

SQL>

Reference : Oracle Doc : https://docs.oracle.com/en/database/oracle/oracle-database/12.2/dbseg/configuring-network-data-encryption-and-integrity.html#GUID-258AB895-1DFA-4A14-9D66-1645F9D5D824

This document is just for learning purpose and always validate in the LAB environment first before applying in the LIVE environment.

Hope so you like this article!
Please share your valuable feedback/comments/subscribe and follow us below and don’t forget to click on the bell icon to get the most recent update. Click here to understand more about our pursuit.

DATABASE, ORACLE, SECURITY

Oracle Database Network Encryption – Native

Related Articles