Skip Headers
Oracle® Database Advanced Security Administrator's Guide
10g Release 2 (10.2)

Part Number B14268-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

D Oracle Advanced Security FIPS 140-1 Settings

Oracle Advanced Security Release 8.1.6 has been validated under Federal Information Processing Standard (FIPS) 140-1 at the Level 2 security level. This appendix describes the formal configuration required for Oracle Advanced Security to comply with the FIPS 140-1 standard. Refer to the NIST Cryptographic Modules Validation list at the following Web site address:

http://csrc.nist.gov/cryptval/140-1/1401val.htm

This appendix contains the following topics:

D.1 Configuration Parameters

This appendix contains information on the Oracle Advanced Security parameters required in the sqlnet.ora files to ensure that any connections created between a client and server are encrypted under the control of the server.

Configuration parameters are contained in the sqlnet.ora file that is held locally for each of the client and server processes. The protection placed on these files should be equivalent to the level of a DBA.

The following configuration parameters are described in this appendix:

D.1.1 Server Encryption Level Setting

The server side of the negotiation notionally controls the connection settings. The following parameter in the server file is mandatory:

SQLNET.ENCRYPTION_SERVER=REQUIRED

Setting the encryption as REQUIRED on the server side of the connection ensures that a connection is only permitted if encryption is used, irrespective of the parameter value on the client.

D.1.2 Client Encryption Level Setting

The ENCRYPTION_CLIENT parameter specifies the connection behavior for the client. One of the following parameter settings in the client file is mandatory:

SQLNET.ENCRYPTION_CLIENT=(ACCEPTED|REQUESTED|REQUIRED)

A connection to the server is only possible if there is agreement between client and server for the connection encryption. The server has this set to REQUIRED, therefore the client must not reject encryption for a valid connection to be the result. Failure to specify one of these values results in error when attempting to connect to a FIPS 140-1 compliant server.

D.1.3 Server Encryption Selection List

The ENCRYPTION_TYPES_SERVER parameter specifies a list of encryption algorithms that the server is permitted to use when acting as a server in the order of required usage. The specified algorithm must be installed or the connection terminates. For FIPS 140-1 compliance, only DES encryption is permitted and therefore the following parameter setting is mandatory:

SQLNET.ENCRYPTION_TYPES_SERVER=(DES|DES40)

D.1.4 Client Encryption Selection List

The ENCRYPTION_TYPES_CLIENT parameter specifies the list of encryption algorithms which the client is prepared to use for the connection with the server. In order for a connection to be successful, the algorithm must first be installed and the encryption type must be mutually acceptable to the server.

To create a connection with a server that is configured for FIPS 140-1, the following parameter setting is mandatory:

SQLNET.ENCRYPTION_TYPES_CLIENT=(DES|DES40)

D.1.5 Cryptographic Seed Value

The CRYPTO_SEED parameter contains characters which are part of the seed for the random number generator. There are no explicit requirements to set this parameter to satisfy the FIPS 140-1 standard. If you would like to use this parameter, then you can set it using10 to 70 random characters to improve the quality of one of the seeds. Note that the random number generator produces higher quality output when you use a large number of random characters with this parameter.

To set this parameter, use the following syntax:

SQLNET.CRYPTO_SEED=10_to_70_random_characters

D.1.6 FIPS Parameter

The default setting of the FIPS_140 parameter is FALSE. Setting the parameter to TRUE is mandatory for both client and server to ensure Oracle Advanced Security complies with the standards defined in FIPS 140-1 as follows:

SQLNET.FIPS_140=TRUE

Note:

Use a text editor to set the FIPS_140 parameter in the sqlnet.ora file. You cannot use Oracle Net Manager to set this parameter.

D.2 Post Installation Checks

After the installation, the following permissions must be verified in the operating system:

To comply with FIPS 140-1 Level 2 requirements, the security policy must include procedures to prevent unauthorized users from reading or modifying Oracle Advanced Security processes and the memory they are using in the operating system.

D.3 Status Information

Status information for Oracle Advanced Security is available after the connection has been established. The information is contained in the RDBMS virtual table v$session_connect_info.

Running the query SELECT * from V$SESSION_CONNECT_INFO displays all of the product banner information for the active connection. Table D-1 shows an example of a connection configuration where both DES encryption and MD5 data integrity is defined:

Table D-1 Sample Output from v$session_connect_info

SID AUTHENTICATION OSUSER NETWORK_SERVICE_BANNER
7 DATABASE oracle Oracle Bequeath operating system adapter for Solaris, v8.1.6.0.0
7 DATABASE oracle Oracle Advanced Security: encryption service for Solaris
7 DATABASE oracle Oracle Advanced Security: DES encryption service adapter
7 DATABASE oracle Oracle Advanced Security: crypto-checksumming service
7 DATABASE oracle Oracle Advanced Security: MD5 crypto-checksumming service adapter.

D.4 Physical Security

To comply with FIPS 140-1 Level 2 requirements, tamper-evident seals must be applied to the cover of each computer to ensure that removal of the cover is detectable.