Skip Headers
Oracle® Database Advanced Security Administrator's Guide
11g Release 2 (11.2)

E40393-03
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

A Data Encryption and Integrity Parameters

This appendix describes encryption and data integrity parameters supported by Oracle Advanced Security. It also includes an example of a sqlnet.ora file generated by performing the network configuration described in Chapter 8, "Configuring Network Data Encryption and Integrity for Oracle Servers and Clients" and Chapter 12, "Configuring Secure Sockets Layer Authentication".

This appendix contains the following topics:

A.1 Sample sqlnet.ora File

This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. The file includes examples of Oracle Advanced Security encryption and data integrity parameters.

Trace File Settings

#Trace file setup 
trace_level_server=16 
trace_level_client=16  
trace_directory_server=/orant/network/trace 
trace_directory_client=/orant/network/trace 
trace_file_client=cli  
trace_file_server=srv 
trace_unique_client=true 

Oracle Advanced Security Transparent Data Encryption Settings

ENCRYPTION_WALLET_LOCATION = (SOURCE =
                                  (METHOD = FILE)
                                  (METHOD_DATA =
                                  (DIRECTORY =
                                   /etc/ORACLE/WALLETS/oracle)))

Oracle Advanced Security Network Encryption Settings

#ASO Encryption 
sqlnet.encryption_server=accepted 
sqlnet.encryption_client=requested 
sqlnet.encryption_types_server=(AES_256) 
sqlnet.encryption_types_client=(AES_256) 

Oracle Advanced Security Network Data Integrity Settings

#ASO Checksum 
sqlnet.crypto_checksum_server=requested 
sqlnet.crypto_checksum_client=requested  
sqlnet.crypto_checksum_types_server = (SHA1) 
sqlnet.crypto_checksum_types_client = (SHA1) 

Secure Sockets Layer Settings

#SSL 
WALLET_LOCATION = (SOURCE=
                          (METHOD = FILE) 
                          (METHOD_DATA = 
                           DIRECTORY=/wallet) 

SSL_CIPHER_SUITES=(SSL_RSA_WITH_3DES_EDE_CBC_SHA) 
SSL_VERSION= 3 
SSL_CLIENT_AUTHENTICATION=FALSE 

Common Settings

#Common
automatic_ipc = off
sqlnet.authentication_services = (beq)
names.directory_path = (TNSNAMES)

Kerberos Settings

#Kerberos 
sqlnet.authentication_services = (beq, kerberos5)
sqlnet.authentication_kerberos5_service = oracle
sqlnet.kerberos5_conf= /krb5/krb.conf
sqlnet.kerberos5_keytab= /krb5/v5srvtab
sqlnet.kerberos5_realms= /krb5/krb.realm
sqlnet.kerberos5_cc_name = /krb5/krb5.cc
sqlnet.kerberos5_clockskew=900
sqlnet.kerberos5_conf_mit=false

RADIUS Settings

#Radius
sqlnet.authentication_services = (beq, RADIUS )
sqlnet.radius_authentication_timeout = (10)
sqlnet.radius_authentication_retries = (2)
sqlnet.radius_authentication_port = (1645)
sqlnet.radius_send_accounting = OFF
sqlnet.radius_secret = /orant/network/admin/radius.key
sqlnet.radius_authentication = radius.us.example.com
sqlnet.radius_challenge_response = OFF
sqlnet.radius_challenge_keyword = challenge
sqlnet.radius_challenge_interface =
oracle/net/radius/DefaultRadiusInterface
sqlnet.radius_classpath = /jre1.1/

A.2 Data Encryption and Integrity Parameters

If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters do not appear in the sqlnet.ora file. However, Oracle Advanced Security defaults to ACCEPTED.

For both data encryption and integrity algorithms, the server selects the first algorithm listed in its sqlnet.ora file that matches an algorithm listed in the client sqlnet.ora file, or in the client installed list if the client lists no algorithms in its sqlnet.ora file. If there are no entries in the server sqlnet.ora file, the server sequentially searches its installed list to match an item on the client side—either in the client sqlnet.ora file or in the client installed list. If no match can be made and one side of the connection REQUIRED the algorithm type (data encryption or integrity), the connection fails. Otherwise, the connection succeeds with the algorithm type inactive.

Data encryption and integrity algorithms are selected independently of each other. Encryption can be activated without integrity, and integrity can be activated without encryption, as shown by Table A-1:

Table A-1 Algorithm Type Selection

Encryption Selected? Integrity Selected?

Yes

No

Yes

Yes

No

Yes

No

No


The following sections describe data encryption and integrity parameters:

A.2.1 SQLNET.ENCRYPTION_SERVER Parameter

This parameter specifies the desired encryption behavior when a client or a server acting as a client connects to this server. The behavior of the server partially depends on the SQLNET.ENCRYPTION_CLIENT setting at the other end of the connection.

Table A-2 SQLNET.ENCRYPTION_SERVER Parameter Attributes

Attribute Description

Syntax

SQLNET.ENCRYPTION_SERVER = valid_value

Valid Values

ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default Setting

ACCEPTED


A.2.2 SQLNET.ENCRYPTION_CLIENT Parameter

This parameter specifies the desired encryption behavior when this client or server acting as a client connects to a server. The behavior of the client partially depends on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.

Table A-3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes

Attribute Description

Syntax

SQLNET.ENCRYPTION_CLIENT = valid_value

Valid Values

ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default Setting

ACCEPTED


A.2.3 SQLNET.SSL_EXTENDED_KEY_USAGE Parameter

This parameter sets a Secure Sockets Layer certificate that uses extended key usage to always use client authentication.

Table A-4 SQLNET.EXTENDED_KEY_USAGE Parameter Attributes

Attribute Description

Syntax

SQLNET.SSL_EXTENDED_KEY_USAGE = valid_value

Valid Values

client authentication

Default Setting

client authentication


A.2.4 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter

This parameter specifies the desired data integrity behavior when a client or another server acting as a client connects to this server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end of the connection.

Table A-5 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes

Attribute Description

Syntax

SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value

Valid Values

ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default Setting

ACCEPTED


A.2.5 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter

This parameter specifies the desired data integrity behavior when this client or server acting as a client connects to a server. The behavior partially depends on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.

Table A-6 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes

Attribute Description

Syntax

SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value

Valid Values

ACCEPTED, REJECTED, REQUESTED, REQUIRED

Default Setting

ACCEPTED


A.2.6 SQLNET.ENCRYPTION_TYPES_SERVER Parameter

This parameter specifies a list of encryption algorithms used by this server in the order of intended use. This list is used to negotiate a mutually acceptable algorithm with the client end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm that is not installed is specified on this side, the connection terminates with the error message ORA-12650.

Table A-7 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes

Attribute Description

Syntax

SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])

Valid Values

  • AES256: AES (256-bit key size)

  • AES192: AES (192-bit key size)

  • 3DES168: 3-key Triple-DES (168-bit effective key size)

  • AES128: AES (128-bit key size)

  • 3DES112: 2-key Triple-DES (112-bit effective key size)

Default Setting

If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence.

Usage Notes

You can specify multiple encryption algorithms. It can be either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_SERVER=(AES_256)

SQLNET.ENCRYPTION_TYPES_SERVER=(3DES112,3DES168)


A.2.7 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter

This parameter specifies a list of encryption algorithms used by this client or server acting as a client. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed is specified on this side, the connection terminates with the ORA-12650 error message.

Table A-8 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes

Attribute Description

Syntax

SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])

Valid Values

  • AES256: AES (256-bit key size).

  • AES192: AES (192-bit key size).

  • 3DES168: 3-key Triple-DES (168-bit effective key size).

  • AES128: AES (128-bit key size).

  • 3DES112: 2-key Triple-DES (112-bit effective key size).

Default Setting

If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation.

Usage Notes

You can specify multiple encryption algorithms.


A.2.8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter

This parameter specifies a list of data integrity algorithms that this server or client to another server uses, in order of intended use. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm is checked against the list of available client algorithm types until a match is found. If an algorithm is specified that is not installed on this side, the connection terminates with the ORA-12650 error message

Table A-9 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes

Attribute Description

Syntax

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm])

Valid Values

SHA1: Secure Hash Algorithm

Default Setting

If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation in the preceding sequence.


A.2.9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter

This parameter specifies a list of data integrity algorithms that this client or server acting as a client uses. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. If an algorithm that is not installed on this side is specified, the connection terminates with the ORA-12650 error message.

Table A-10 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes

Attribute Description

Syntax

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (valid_crypto_checksum_algorithm [,valid_crypto_checksum_algorithm])

Valid Values

SHA1: Secure Hash Algorithm

Default Setting

If no algorithms are defined in the local sqlnet.ora file, all installed algorithms are used in a negotiation.