Oracle Datenbank 12c - DOAG Deutsche ORACLE … for database solutions. Oracle Database 12c SQL*Net Encryption

Transcript of the slide deck (26 pages)

Page 1:

Experts for database solutions.

Oracle Database 12c

SQL*Net Encryption

Thomas Lehmann – Dresden, 13.12.2016

Page 2:

Facts and Figures: Robotron Datenbank-Software GmbH

Year of formation: 1990
Legal form: GmbH (limited liability company, 9 associates)
Number of employees: 387 (status 09/2016)
Capital stock: 2.4 million EUR
Turnover 2015: 32.8 million EUR
Turnover 2016: 36.8 million EUR
Oracle Partner
ISO 9001 certified

Headquarters

Congress and Training Center

Page 3:

The Range of Services of Robotron with Industry-Specific Expertise

Methodical and technological responsibility

Comprehensive expertise of industry-specific business processes

Page 4:

About Me

Thomas Lehmann

– Senior system engineer
– Over 15 years of operations experience
– Complex environments
– Mission-critical processes
– Certified performance tuning expert
– General Oracle support for products and in projects

Page 5:

Agenda

Data encryption in general

Data encryption on SQL*Net layer

– Native encryption

– Data integrity check

– TLS encryption with certificates

Examples and how-tos

Summary

Page 6:

Security and Data Encryption

Security features available in and around the database:

– Transparent Data Encryption
– Data Vault
– Auditing
– SQL*Net Encryption
– Virtual Private Database
– Label Security
– User Privileges
– Secure Authentication
– Critical Patch Update
– Security in Silicon
– Data Masking
– Unified Auditing

Page 7:

Overview

Why use SQL*Net encryption?

Why don’t YOU use SQL*Net encryption?

What’s the benefit?

What’s the cost?

What types of encryption can I use?

What’s the effort to implement this?

Page 8:

SQL*Net Encryption

By default, all data in the SQL*Net protocol is transmitted unencrypted: SQL text and result sets are readable in a SQL*Net trace or in a packet capture.

From a SQL*Net trace:

Enable it. It has been free since Oracle 10.2: “Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.”

Page 9:

Tools for Demos

Oracle Database 12.1.0.2

Oracle Client 12.1.0.2

– SQL*Net Trace

– SQL*Plus

3rd party tools

– Wireshark (network sniffer)

Page 10:

Native Encryption

Diffie-Hellman key negotiation algorithm

– Both sides exchange non-secret information
– Each side derives the shared session secret from it
– Unlike TLS, no certificates are involved, so this exchange does not authenticate either endpoint

Easy to implement

– Configure sqlnet.ora on client and server side
– encryption_server | encryption_client = rejected | accepted | requested | required
– encryption_types_server | encryption_types_client = (AES128, AES192, AES256)

Page 11:

Native Encryption – Encryption Settings

Result of the negotiation (rows: client setting, columns: server setting):

Client \ Server   REJECTED   ACCEPTED        REQUESTED   REQUIRED
REJECTED          OFF        OFF             OFF         FAIL
ACCEPTED          OFF        OFF (default)   ON          ON
REQUESTED         OFF        ON              ON          ON
REQUIRED          FAIL       ON              ON          ON

Settings and combinations: the out-of-the-box value on both sides is ACCEPTED, so nothing is encrypted until at least one side asks for it; REQUIRED on the server is the only setting that guarantees encryption for every client.

Valid setup:

sqlnet.encryption_server=required
sqlnet.encryption_types_server=(AES256)
sqlnet.encryption_client=requested
sqlnet.encryption_types_client=(AES256)

Demo

Page 12:

Native Encryption – Data Integrity

Result of the negotiation (rows: client setting, columns: server setting), same matrix as for encryption:

Client \ Server   REJECTED   ACCEPTED        REQUESTED   REQUIRED
REJECTED          OFF        OFF             OFF         FAIL
ACCEPTED          OFF        OFF (default)   ON          ON
REQUESTED         OFF        ON              ON          ON
REQUIRED          FAIL       ON              ON          ON

Settings and combinations: the integrity check (crypto checksum) is negotiated independently of encryption, with its own level and algorithm list.

Valid setup:

sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_types_server=(SHA256)
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_client=(SHA256)
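The two matrices above (encryption on page 11, integrity on page 12) and the algorithm lists decide together what a session ends up with. The following script is an added example, not code from the slides or from Robotron: it encodes the matrix as rules, adds the algorithm-matching step, and evaluates the slides' "valid setup" together with two other client configurations. The installed algorithm sets are an assumed subset for the demo, and the tie-break rule (the server's list order wins) is an assumption the slides do not state.

```python
"""Outcome of Oracle native network encryption and integrity negotiation.

Encodes the client/server level matrix from the slides plus the algorithm
matching step, so a planned sqlnet.ora pair can be checked without a database.
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Assumed installed algorithm sets for this demo (12.1 names, not a complete
# list). Oracle's documented rule: an empty *_TYPES_* list allows every
# installed algorithm, legacy ones included.
INSTALLED_ENCRYPTION = ("AES256", "AES192", "AES128", "3DES168", "RC4_128", "DES")
INSTALLED_CHECKSUM = ("SHA256", "SHA1", "MD5")

# The "valid setup" from the slides, as the dicts negotiate_session() expects.
PAGE_SERVER_CFG = {
    "sqlnet.encryption_server": "required",
    "sqlnet.encryption_types_server": ("AES256",),
    "sqlnet.crypto_checksum_server": "requested",
    "sqlnet.crypto_checksum_types_server": ("SHA256",),
}
PAGE_CLIENT_CFG = {
    "sqlnet.encryption_client": "requested",
    "sqlnet.encryption_types_client": ("AES256",),
    "sqlnet.crypto_checksum_client": "requested",
    "sqlnet.crypto_checksum_types_client": ("SHA256",),
}


def negotiate_level(client: str, server: str) -> str:
    """Return 'ON', 'OFF' or 'FAIL' for one client/server level pair.

    The 4x4 matrix from the slides written as rules: REJECTED against REQUIRED
    cannot agree (FAIL); otherwise any REJECTED side switches the service off;
    any REQUIRED or REQUESTED side switches it on; ACCEPTED on both sides,
    which is the out-of-the-box default, leaves it OFF.
    """
    c, s = client.upper(), server.upper()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError(f"unknown level: {client!r} / {server!r}")
    if {c, s} == {"REJECTED", "REQUIRED"}:
        return "FAIL"
    if "REJECTED" in (c, s):
        return "OFF"
    if "REQUIRED" in (c, s) or "REQUESTED" in (c, s):
        return "ON"
    return "OFF"


def pick_algorithm(client_types, server_types, installed):
    """First algorithm in the server's list that the client also offers, or None.

    Assumption (the slides do not say which side's order wins): the server's
    list decides the preference. A name that is not installed raises, which is
    what Oracle reports as ORA-12649 at connect time.
    """
    server = [a.upper() for a in server_types] or list(installed)
    client = [a.upper() for a in client_types] or list(installed)
    for alg in server + client:
        if alg not in installed:
            raise ValueError(f"algorithm not installed: {alg}")
    return next((alg for alg in server if alg in client), None)


def negotiate_session(client_cfg: dict, server_cfg: dict) -> dict:
    """Run both negotiations for two sqlnet.ora-style settings dicts.

    Keys are case-insensitive and may carry the 'SQLNET.' prefix. A missing
    level defaults to ACCEPTED, a missing types list to "all installed".
    Each result is the negotiated algorithm name, 'OFF', or 'FAIL'.
    """
    def get(cfg, key, default):
        for k, v in cfg.items():
            k = k.upper()
            if k.startswith("SQLNET."):
                k = k[len("SQLNET."):]
            if k == key:
                return v
        return default

    result = {}
    for service, prefix, installed in (
        ("encryption", "ENCRYPTION", INSTALLED_ENCRYPTION),
        ("integrity", "CRYPTO_CHECKSUM", INSTALLED_CHECKSUM),
    ):
        level = negotiate_level(get(client_cfg, f"{prefix}_CLIENT", "ACCEPTED"),
                                get(server_cfg, f"{prefix}_SERVER", "ACCEPTED"))
        if level != "ON":
            result[service] = level
            continue
        alg = pick_algorithm(get(client_cfg, f"{prefix}_TYPES_CLIENT", ()),
                             get(server_cfg, f"{prefix}_TYPES_SERVER", ()),
                             installed)
        # Both sides want the service but share no algorithm: ORA-12650.
        result[service] = alg if alg else "FAIL"
    return result


if __name__ == "__main__":
    print("slides' setup:      ", negotiate_session(PAGE_CLIENT_CFG, PAGE_SERVER_CFG))
    print("unconfigured client:", negotiate_session({}, PAGE_SERVER_CFG))
    print("both defaults:      ", negotiate_session({}, {}))
```

The second call is the interesting one for rollout planning: a client with no sqlnet.ora settings at all still ends up with AES256 and SHA256, because the server side says REQUIRED and REQUESTED; the third call shows why leaving both sides at their defaults gives no protection.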

Page 13:

Performance Comparison

Table with 1.5 million rows (165 MB)

Test case 1: select * from table;

Run   Without Encryption   With Encryption   With Encryption and Checksumming
1     49 sec               68 sec            69 sec
2     48 sec               68 sec            69 sec
3     48 sec               68 sec (+42 %)    69 sec (+43 %)

Test case 2 (subset): select * from table where col like 'XXX%';

Run   Without Encryption   With Encryption   With Encryption and Checksumming
1     0.58 sec             0.63 sec          0.68 sec
2     0.52 sec             0.63 sec          0.66 sec
3     0.56 sec             0.62 sec (+8 %)   0.70 sec (+17 %)

The overhead scales with the amount of data on the wire: the full table scan ships all 165 MB through the encrypting layer, while the subset query pays only a small fixed cost.

Page 14:

SSL/TLS Encryption

Industry standard

Based on a public key infrastructure (public/private key pairs and certificates)

For the setup you'll need:

– Wallet (to store the keys and certificates)
– Private key
– Public key, i.e. a certificate (self-signed or CA-signed)
– Configuration in listener.ora and sqlnet.ora

Demo

Page 15:

Create Oracle Wallet

orapki wallet create -wallet ./server_wallet -auto_login -pwd server01

Parameters:

– auto_login: additionally writes an auto-login wallet (cwallet.sso) that can be opened without the password, so the private key is protected only by file system permissions; restrict the wallet directory to the database owner

Page 16:

Create Certificate

orapki wallet add -wallet ./server_wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd server01

Parameters:

– keysize 512 | 1024 | 2048 (use 2048 outside demos; 512 and 1024 are below current minimums)
– self_signed: create a self-signed (root) certificate
– validity: number_of_days

To use a CA-signed certificate instead, import the CA certificate as a trusted certificate first, then the signed user certificate:

orapki wallet add -wallet ./server_wallet -trusted_cert -cert /path/
orapki wallet add -wallet ./server_wallet -user_cert -cert /path/

Page 17:

Export, Exchange, Import Certificate

Export the server certificate

– orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt

Import the server certificate on client side

– orapki wallet add -wallet ./client_wallet -trusted_cert -cert cert.txt -pwd client01

Page 18:

Prepare Listener

Enable TCPS and set up a secure port

Parameters to set:

– SSL_CLIENT_AUTHENTICATION = FALSE in listener.ora (the server presents a certificate, clients do not)
– WALLET_LOCATION: location of the wallet
– SSL_CIPHER_SUITES: allowed cipher suites. An anonymous suite such as SSL_DH_anon_WITH_3DES_EDE_CBC_SHA (present in the demo configuration) encrypts but does not authenticate the server, so it gives no protection against an active attacker; leave it out of production configurations

Page 19:

Prepare Listener – Example

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = oradb121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oradb121.localdomain)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/oracle/doag/wallet/server_wallet))
  )

Page 20:

Edit sqlnet.ora

Enable SSL in sqlnet.ora

Must be done on client and server

Parameters to set:

– SQLNET.AUTHENTICATION_SERVICES: include TCPS
– SSL_CLIENT_AUTHENTICATION: TRUE if the client must present a certificate, FALSE if only the server is authenticated
– SSL_VERSION: 1.0 | 1.1 | 1.2 (use 1.2; see the bug note on page 24)
– WALLET_LOCATION: location of the wallet
– SSL_CIPHER_SUITES: allowed cipher suites
– SSL_SERVER_DN_MATCH (client side, not part of this demo): ON makes the client also check the server certificate's DN, not only that the certificate chains to a trusted one

Page 21:

Edit sqlnet.ora – Example

SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)

SSL_CLIENT_AUTHENTICATION = FALSE

SSL_VERSION = 1.2

WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/oracle/Wallets/server_wallet))
  )

SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

Page 22:

Test the SSL/TLS Connection

Check lsnrctl status

Add TCPS connection to name resolution (e.g. tnsnames.ora)

Run tnsping to check connectivity

Run sqlplus to connect

Page 23:

Test the SSL/TLS Connection

Check with Wireshark

Page 24:

Documents & Nice to Know

Setup Wireshark: Edit -> Preferences -> Protocols -> HTTP -> SSL/TLS Ports (add the TCPS port, e.g. 2484, so the capture is dissected as TLS)

https://docs.oracle.com/cd/B19306_01/license.102/b14199/options.htm#DBLIC137 (Oracle Documentation Options and Packs 10.2)

Oracle Advanced Security SSL Troubleshooting Guide (Doc ID 166492.1)

Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)

BUG 18685892 - NTZ SHOULD ALLOW EXPLICIT SETTING OF SSL_VERSION TO 1.1/1.2 (This bug is first fixed in patch set 12.1.0.2, where TLS 1.1 and 1.2 are fully supported.)

Page 25:

Summary

Lots of security features within the database

Most of them carry extra license costs

SQL*Net encryption is free (since Oracle 10.2)

Native encryption is easy to implement

SSL/TLS is tricky but possible

Clients must change how they connect to the database (TCPS entries, client wallet)

Check the application layout and performance implications

Always verify that encryption is actually in effect (e.g. with Wireshark, or by checking the NETWORK_SERVICE_BANNER of the session in V$SESSION_CONNECT_INFO)

Page 26:

Questions?

Thomas Lehmann, Senior Engineer

Telephone: +49 351

www.robotron.eu