
Using Oracle SQL*Net Encryption and Data Integrity Checksumming

20 Sep 2022

KeepTool 15 Tools for Oracle databases was released at the end of 2021. Since then, two minor updates, 15.0.1 and 15.0.2, have added further features. We recommend that you study our release notes and stay tuned!

Let’s have a look at how SQL*Net encryption can be used with our tools.

Enabling Oracle SQL*Net encryption on the database server

To configure SQL*Net encryption, add two parameters to the sqlnet.ora file on the database server.
Let’s have a look at an example:

SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,DES)

The parameter SQLNET.ENCRYPTION_SERVER accepts any of the following values:

  • ACCEPTED: This is the default if the parameter is not set. The server accepts both encrypted and non-encrypted connections, but does not ask for encryption itself.
  • REJECTED: The server does not enable encryption, so only non-encrypted connections are possible; a client that requires encryption cannot connect.
  • REQUESTED: The server prefers encrypted traffic if the client supports it, but also accepts non-encrypted traffic.
  • REQUIRED: The server allows encrypted connections only; a client that rejects encryption cannot connect.

To allow SQL*Net encryption on the server, ACCEPTED (the default) is sufficient; the client setting then decides whether encryption is actually used.
If you want to enforce SQL*Net encryption for every connection, the parameter must be set to REQUIRED.

The second parameter, SQLNET.ENCRYPTION_TYPES_SERVER, defines the allowed encryption algorithm(s) as a comma-separated list in parentheses.
The valid algorithm names are listed in Oracle’s Net Services Reference under this parameter. If the parameter is not set, all installed encryption algorithms are considered.
Note that the example above lists DES next to AES256. DES is a 56-bit legacy cipher that Oracle deprecated in Database 12.2 together with 3DES and RC4; a production list should contain only the AES variants (AES128, AES192, AES256).

Enabling Oracle SQL*Net encryption in the Oracle client

If you connect through an Oracle client (SQL*Net connection), the client configuration is very similar: set the two analogous parameters in the sqlnet.ora file on the client machine.
Let’s again have a look at an example:

SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)

The first parameter, SQLNET.ENCRYPTION_CLIENT, has the same allowed values as on the server. The combination of client and server settings determines whether encryption is used, not used, or the connection is rejected; Oracle’s documentation contains the full negotiation matrix. In short: if one side is REJECTED and the other REQUIRED, the connection fails with ORA-12660; if one side is REJECTED, or both sides are ACCEPTED, traffic is unencrypted; in every other combination encryption is on. When encryption is on, the algorithm is chosen from the intersection of the two TYPES lists, and an empty intersection fails with ORA-12650.


Using SQL*Net encryption with the direct TCP/IP Option

As you may remember, our tools can optionally establish a direct TCP/IP connection to the database, which eliminates the need for Oracle client software. The syntax of the connect string determines whether a direct TCP/IP connection or an Oracle SQL*Net connection is used.
If the connect string follows either of these schemas, a direct TCP/IP connection is established:

  • <hostname_or_ip_address> : <port> / <servicename>
  • <hostname_or_ip_address> : <port> : <SID>

Since the direct TCP/IP connection does not use any Oracle client software, there is no sqlnet.ora file in which to configure encryption.
KeepTool 15 therefore added a new “Direct TCP/IP” page to the settings dialog, where you can define direct TCP/IP options including the encryption parameters.

Direct TCP/IP settings

The combo box “Encryption” (highlighted in green) mirrors the logic of the SQLNET.ENCRYPTION_CLIENT parameter.
The default value is “Accepted”. Change it to “Required” to enforce network encryption. The “Requested” item is greyed out and not yet implemented.

With “Accepted” (the default), encryption is used only when the server side is set to REQUESTED or REQUIRED.
With “Required”, SQL*Net encryption is enforced: the connection is established only if the server encrypts, and a server set to REJECTED is refused.

Monitoring Oracle SQL*Net encryption

On Hora’s Sessions page, you can find a new tab “Network client”. The data grid lists the network service adapters that have been loaded for the session. The presence of an encryption service adapter shows that encrypted network communication (SQLNET.ENCRYPTION) is in effect for that connection.

Below the data grid, the tab shows additional client information such as the OCI client version and the client character set.

Monitoring Network Encryption

The sessions overview grid has a new column “Encryption” in the “Client machine” group. The following picture highlights it in green.

Monitoring sessions thus shows you instantly which database connections are encrypted and which are not, so you can verify compliance with your company’s security guidelines.
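The adapter list that Hora’s “Network client” tab shows comes from V$SESSION_CONNECT_INFO, and the same data can be checked without the GUI. The following script is an added example and not KeepTool’s or Oracle’s code: it classifies sessions by the “<ALGORITHM> … service adapter” banner lines and flags sessions that are unencrypted, unchecksummed, or negotiated a weak algorithm. The sample rows are constructed in the format of that view’s NETWORK_SERVICE_BANNER column (SIDs and version strings are made up), and the assumption that only the algorithm-specific adapter line proves a negotiated service is stated in the code.

```python
# Added example (not KeepTool's or Oracle's code): classify sessions by the
# network service adapters loaded for them, as shown by Hora's "Network client"
# tab and the "Encryption"/"Checksum" session columns.
import re

# Run this on the database to obtain real rows. The view also exposes
# CLIENT_VERSION, CLIENT_CHARSET, CLIENT_DRIVER and AUTHENTICATION_TYPE.
QUERY = "SELECT sid, network_service_banner FROM v$session_connect_info"

# Assumption: only an '<ALG> ... service adapter' line proves that the service
# was negotiated; the generic 'encryption service' line is loaded for every
# session, encrypted or not.
ENC_RE = re.compile(r"Oracle Advanced Security: (\S+) encryption service adapter")
CHK_RE = re.compile(r"Oracle Advanced Security: (\S+) crypto-checksumming service adapter")

# DES/3DES/RC4/MD5 are deprecated by Oracle since 12.2; SHA1 is no longer
# collision resistant.
WEAK = {"DES", "DES40", "3DES112", "3DES168",
        "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5", "SHA1"}

V = ": Version 19.0.0.0.0 - Production"
SAMPLE_ROWS = [  # constructed (sid, banner) pairs in the view's row format
    (47, "TCP/IP NT Protocol Adapter for Linux" + V),
    (47, "Oracle Advanced Security: encryption service for Linux" + V),
    (47, "Oracle Advanced Security: AES256 encryption service adapter for Linux" + V),
    (47, "Oracle Advanced Security: crypto-checksumming service for Linux" + V),
    (47, "Oracle Advanced Security: SHA256 crypto-checksumming service adapter for Linux" + V),
    (52, "TCP/IP NT Protocol Adapter for Linux" + V),                      # plain session
    (52, "Oracle Advanced Security: encryption service for Linux" + V),
    (52, "Oracle Advanced Security: crypto-checksumming service for Linux" + V),
    (61, "TCP/IP NT Protocol Adapter for Linux" + V),                      # legacy algorithms
    (61, "Oracle Advanced Security: DES encryption service adapter for Linux" + V),
    (61, "Oracle Advanced Security: MD5 crypto-checksumming service adapter for Linux" + V),
]


def classify(rows):
    """Return {sid: {'encryption': alg or None, 'checksum': alg or None}}."""
    sessions = {}
    for sid, banner in rows:
        entry = sessions.setdefault(sid, {"encryption": None, "checksum": None})
        if m := ENC_RE.search(banner):
            entry["encryption"] = m.group(1)
        if m := CHK_RE.search(banner):
            entry["checksum"] = m.group(1)
    return sessions


def violations(sessions, require_checksum=True):
    """Sessions breaching a 'strong encryption (and checksum) required' policy,
    as (sid, reason) tuples ordered by SID."""
    out = []
    for sid in sorted(sessions):
        for service, alg in sessions[sid].items():
            if service == "checksum" and not require_checksum:
                continue
            if alg is None:
                out.append((sid, f"no {service}"))
            elif alg in WEAK:
                out.append((sid, f"weak {service}: {alg}"))
    return out


if __name__ == "__main__":
    summary = classify(SAMPLE_ROWS)
    for sid, info in sorted(summary.items()):
        print(sid, info)
    for sid, reason in violations(summary):
        print(f"VIOLATION sid={sid}: {reason}")
```

Session 52 shows why the generic “encryption service” line must not be taken as proof of encryption: it appears for every session, and only the AES256 adapter line of session 47 indicates a negotiated cipher.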

Data Integrity Checksumming

There is a second network security feature, data integrity checksumming, which protects the packets in transit against modification and replay. It is configured very similarly to SQL*Net encryption, using these sqlnet.ora parameters:

# On the Server
SQLNET.CRYPTO_CHECKSUM_SERVER
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

# On the Client
SQLNET.CRYPTO_CHECKSUM_CLIENT
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

The CRYPTO_CHECKSUM parameters accept the same values as the ENCRYPTION parameters, with the same negotiation rules.

For Oracle 12c and later, the CRYPTO_CHECKSUM_TYPES parameters accept the values MD5, SHA1, SHA256, SHA384 and SHA512.
SHA256 is the default if the parameter is not set. MD5 has been deprecated since Oracle Database 12.2 and SHA1 is no longer considered collision-resistant, so restrict the list to SHA256 or stronger.
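Because the encryption parameters above and the crypto checksum parameters here follow the same negotiation rules, one script can check both before a connection is attempted. The following Python audit is an added example and not KeepTool’s or Oracle’s code: it reads a server and a client sqlnet.ora, applies Oracle’s negotiation matrix, and reports an unencrypted outcome, an incompatible REJECTED/REQUIRED pair (ORA-12660), an empty algorithm intersection (ORA-12650), or a weak algorithm in either list. It assumes a simplified sqlnet.ora grammar (one PARAMETER=VALUE per line, “#” comments, lists in parentheses) and Oracle’s documented defaults when a parameter is absent (level ACCEPTED, all installed algorithms); the sample files are constructed, with the server file repeating the article’s example.

```python
# Added example (not KeepTool's or Oracle's code): evaluate native network
# encryption / crypto-checksum negotiation from two sqlnet.ora files.
# Assumptions: simplified sqlnet.ora grammar (PARAMETER=VALUE per line,
# '#' comments, lists in parentheses); absent level defaults to ACCEPTED and
# an absent TYPES list means 'all installed algorithms', as Oracle documents.

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Algorithms to flag: DES/3DES/RC4/MD5 are deprecated by Oracle since 12.2,
# SHA1 is no longer collision resistant.
WEAK = {"DES", "DES40", "3DES112", "3DES168",
        "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5", "SHA1"}


def parse_sqlnet(text):
    """Return {PARAMETER: value-or-tuple} for the simplified grammar above."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[key.upper()] = tuple(v.strip().upper()
                                        for v in value[1:-1].split(",") if v.strip())
        else:
            params[key.upper()] = value.upper()
    return params


def negotiate(client_level, server_level):
    """Oracle's negotiation matrix for a *_CLIENT / *_SERVER level pair.
    Returns 'ON', 'OFF' or 'FAIL' (FAIL corresponds to ORA-12660)."""
    pair = (client_level.upper(), server_level.upper())
    if "REJECTED" in pair:
        return "FAIL" if "REQUIRED" in pair else "OFF"
    if pair == ("ACCEPTED", "ACCEPTED"):
        return "OFF"
    return "ON"


def _types(params, key):
    """TYPES list as a set; empty set means 'all installed algorithms'."""
    value = params.get(key, ())
    return set(value) if isinstance(value, tuple) else {value}


def audit(client_cfg, server_cfg, service):
    """service is 'ENCRYPTION' or 'CRYPTO_CHECKSUM'.
    Returns (state, findings) with state as in negotiate()."""
    client, server = parse_sqlnet(client_cfg), parse_sqlnet(server_cfg)
    c_key, s_key = f"SQLNET.{service}_CLIENT", f"SQLNET.{service}_SERVER"
    levels = {c_key: client.get(c_key, "ACCEPTED"),
              s_key: server.get(s_key, "ACCEPTED")}
    findings = [f"{k}={v} is not a valid value" for k, v in levels.items()
                if v not in LEVELS]
    if findings:                                     # e.g. a typo such as REQUIERD
        return "FAIL", findings
    state = negotiate(levels[c_key], levels[s_key])
    if state == "OFF":
        findings.append(f"{service} not negotiated: traffic is unprotected")
    elif state == "FAIL":
        findings.append("REJECTED on one side, REQUIRED on the other (ORA-12660)")
    c_types = _types(client, f"SQLNET.{service}_TYPES_CLIENT")
    s_types = _types(server, f"SQLNET.{service}_TYPES_SERVER")
    # Only two explicit lists can have an empty intersection.
    if state == "ON" and c_types and s_types and not c_types & s_types:
        state = "FAIL"
        findings.append("no common algorithm (ORA-12650)")
    for side, types in (("client", c_types), ("server", s_types)):
        weak = sorted(types & WEAK)
        if weak:
            findings.append(f"{side} offers weak algorithms: {', '.join(weak)}")
    return state, findings


# Constructed sample files; the server file repeats the article's example.
SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,DES)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
"""
CLIENT_SQLNET = """
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT=ACCEPTED      # the default, shown explicitly
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA1)  # weak, and not offered by the server
"""

if __name__ == "__main__":
    for service in ("ENCRYPTION", "CRYPTO_CHECKSUM"):
        state, findings = audit(CLIENT_SQLNET, SERVER_SQLNET, service)
        print(f"{service}: {state}", *findings, sep="\n  ")
```

With these files, encryption negotiates to ON (with a finding for DES on the server), while the checksum negotiation is ON by level but fails on the algorithm lists, which is exactly the ORA-12650 case that a quick look at the levels alone would miss.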

For the direct TCP/IP connection, there is another combo box “Crypto checksum” that mirrors the logic of the sqlnet.ora configuration.
For monitoring, the sessions grid has a column “Checksum”, highlighted in yellow in the screenshots above.

Conclusion

You can use both SQL*Net encryption and data integrity checksumming with a direct TCP/IP connection, very much as with an Oracle SQL*Net connection.
Whether a database session uses encryption and checksumming can be monitored on the sessions overview page, which keeps this security-relevant information always in view.