To enable client encryption and integrity checking, add the following lines to the client's sqlnet.ora. Only the *_CLIENT parameters are read on the client side; the *_SERVER parameters belong in the server's sqlnet.ora and are listed here so the same block can be dropped into either file. Note that REQUESTED means "negotiate if the other side allows it": if the other end is set to REJECTED, the connection silently continues in clear text. Use REQUIRED on the side that must never talk unencrypted.
#
# Encryption
#
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
#
# Network integrity
#
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA512, SHA384, SHA256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512, SHA384, SHA256)
So far, so good. But how do we verify it is working? We can check with a SQL query against V$SESSION_CONNECT_INFO, or we can enable a level 16 SQL*Net trace on the client and compare the trace file from a session with encryption disabled against one with encryption enabled.
Option 1: Query to show encryption status for the current session
In the query results, look for lines that name an algorithm and contain the words "service adapter", such as "AES256 Encryption service adapter for". The plain "Encryption service for" and "Crypto-checksumming service for" lines only report that the service is loaded and appear for unencrypted sessions too; ignore them. The "service adapter" lines are what tell us that encryption and/or integrity checking is actually active for the connection, and which algorithm was negotiated.
select sid, network_service_banner
from v$session_connect_info
where sid=sys_context('USERENV','SID');
SID NETWORK_SERVICE_BANNER
---------- ----------------------------------------------------
1465 TCP/IP NT Protocol Adapter for: Version 19.0.0.0.0
1465 Encryption service for : Version 19.0.0.0.0
1465 AES256 Encryption service adapter for: Version 19.0.0.0.0
1465 Crypto-checksumming service for: Version 19.0.0.0.0
Option 2: Query to show encrypted clients
This query lists every connected session together with its NETWORK_SERVICE_BANNER rows, so you can see which clients negotiated encryption and integrity checking and which did not. As in Option 1, a session is protected only if it has "service adapter" rows naming an algorithm; a session whose rows stop at "Encryption service for" and "Crypto-checksumming service for" is connecting in the clear.
select v.sid, v.username, v.program, v.machine,
       i.network_service_banner
       /* ,i.* */
from   v$session v,
       v$session_connect_info i
where  v.sid = i.sid
and    v.serial# = i.serial#
and    v.username is not null
order  by v.sid, v.username;
SID  USERNAME  PROGRAM      MACHINE  NETWORK_SERVICE_BANNER
---- --------- ------------ -------- -----------------------------------------------------------------
134  SYSTEM    sqlplus.exe  Laptop   Encryption service for: Version 19.0.0.0.0
134  SYSTEM    sqlplus.exe  Laptop   AES256 Encryption service adapter for: Version 19.0.0.0.0
134  SYSTEM    sqlplus.exe  Laptop   Crypto-checksumming service for: Version 19.0.0.0.0
134  SYSTEM    sqlplus.exe  Laptop   SHA512 Crypto-checksumming service adapter for: Version 19.0.0.0.0
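As an added example (not part of the original post), the two queries above can be folded into a single per-session report that pulls the negotiated algorithm out of the "service adapter" banner rows, or returns NULL where a service was not negotiated. It uses the same V$SESSION and V$SESSION_CONNECT_INFO columns as Options 1 and 2; the aliases encryption_alg and checksum_alg are my own names, and the TYPE = 'USER' filter is an assumption that you only care about user sessions, not background processes.

```sql
-- Added example: one row per user session, with the negotiated encryption
-- and integrity algorithms extracted from the "service adapter" banner lines.
-- A NULL in either column means that protection was NOT negotiated for the
-- session. Unprotected sessions sort to the top.
select s.sid,
       s.serial#,
       s.username,
       s.program,
       s.machine,
       max(case
             when i.network_service_banner like '%Encryption service adapter%'
             then regexp_substr(i.network_service_banner, '^[^ ]+')   -- e.g. AES256
           end) as encryption_alg,
       max(case
             when i.network_service_banner like '%Crypto-checksumming service adapter%'
             then regexp_substr(i.network_service_banner, '^[^ ]+')   -- e.g. SHA512
           end) as checksum_alg
from   v$session s
       left join v$session_connect_info i
              on i.sid     = s.sid
             and i.serial# = s.serial#
where  s.type = 'USER'             -- assumption: skip background processes
and    s.username is not null      -- skip sessions that have not logged on
group  by s.sid, s.serial#, s.username, s.program, s.machine
order  by encryption_alg nulls first, checksum_alg nulls first, s.sid;

-- Monitoring variant: only the sessions with no encryption adapter at all,
-- i.e. the ones a scheduled check would want to alert on.
select s.sid, s.serial#, s.username, s.program, s.machine
from   v$session s
where  s.type = 'USER'
and    s.username is not null
and    not exists (select 1
                   from   v$session_connect_info i
                   where  i.sid     = s.sid
                   and    i.serial# = s.serial#
                   and    i.network_service_banner like '%Encryption service adapter%');
```

Run these as a user with SELECT on V_$SESSION and V_$SESSION_CONNECT_INFO (SELECT_CATALOG_ROLE is enough). A row with NULL in both columns is a client that negotiated neither service; with the REQUESTED settings shown at the top of this post that happens when the other side is set to REJECTED or shares no algorithm, which is exactly the silent fallback that REQUIRED would turn into a connection failure.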
Option 3: SQL*Net Client Trace
In the client sqlnet.ora, add the following line: TRACE_LEVEL_CLIENT=16. Level 16 (SUPPORT) is the most verbose level and, as the excerpts below show, it dumps packet contents including SQL text, so treat the trace files as sensitive, delete them when done, and remove the parameter again afterwards.
Here are excerpts from two trace files. Both are from a SQL*Plus session connecting to the database and issuing the command 'select sysdate from dual;':
Client trace without encryption:
nam_gnsp:Reading parameter "SQLNET.ENCRYPTION_CLIENT" from parameter file
nam_gnsp:Parameter not found
naequad:Using default value "ACCEPTED"
-------------------
nam_gic:Counting # of items in "SQLNET.ENCRYPTION_TYPES_CLIENT" parameter
nam_gic:Parameter not found
naesno:Using default value "all available algorithms"
--------------------
nam_gnsp:Reading parameter "SQLNET.CRYPTO_CHECKSUM_CLIENT" from parameter file
nam_gnsp:Parameter not found
naequad:Using default value "ACCEPTED"
-------------------
nam_gic:Counting # of items in "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT" parameter
nam_gic:Parameter not found
naesno:Using default value "all available algorithms"
-------------------
na_tns: Encryption is not active
na_tns: Crypto-checksumming is not active
-------------------
nsbasic_bsd:18 73 65 6C 65 63 74 20 |.select.|
nsbasic_bsd:73 79 73 64 61 74 65 20 |sysdate.|
nsbasic_bsd:66 72 6F 6D 20 64 75 61 |from.dua|
nsbasic_bsd:6C 01 01 00 00 00 00 00 |l.......|
Client trace with encryption:
nam_gnsp:Reading parameter "SQLNET.ENCRYPTION_CLIENT" from parameter file
nam_gnsp:Found value "REQUESTED"
-------------------
nam_gic:Counting # of items in "SQLNET.ENCRYPTION_TYPES_CLIENT" parameter
nam_gic:Found 3 items
-------------------
nam_gnsp:Reading parameter "SQLNET.CRYPTO_CHECKSUM_CLIENT" from parameter file
nam_gnsp:Found value "REQUESTED"
-------------------
nam_gic:Counting # of items in "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT" parameter
nam_gic:Found 3 items
-------------------
naeecom:The server chose the 'AES256' encryption algorithm
naeccom:The server chose the 'SHA512' crypto-checksumming algorithm
-------------------
na_tns: Encryption is active, using AES256
na_tns: Crypto-checksumming is active, using SHA512
The trace file from the unencrypted session reports "Encryption is not active" and "Crypto-checksumming is not active". It also shows why: no encryption parameters were found, so the client fell back to the default of ACCEPTED, which never initiates encryption on its own (ACCEPTED on both sides yields a clear-text connection). The trace file from the encrypted session shows the server choosing AES256 for encryption and SHA512 for integrity.
The trace file from the unencrypted session also contains a packet dump in which the SQL statement is readable in clear text. However, this string does not appear anywhere in the trace file from the encrypted session.