Guideline for Oracle Transparent Network Encryption and Integrity setup
You can use Oracle's Network Data Encryption (also called Transparent Network Encryption, "TNE") and Integrity features to secure the communication between the application server and the database server. For comprehensive background information on this topic, see the Oracle Database Advanced Security Administrator's Guide [Oracle Advanced Security].
Encryption is enabled or disabled based on a combination of the client-side encryption-level setting and the server-side encryption-level setting. Similarly, integrity is enabled or disabled based on a combination of the client-side integrity-level setting and the server-side integrity-level setting.
Encryption and integrity support the same setting levels: REJECTED, ACCEPTED, REQUESTED, and REQUIRED. The table below shows how these possible settings on the client-side and server-side combine to either enable or disable the feature:
| Parameter Description | Parameter Name | Possible Settings |
|---|---|---|
| Client encryption level | oracle.net.encryption_client | REJECTED, ACCEPTED, REQUESTED, REQUIRED |
| Client encryption selected list | oracle.net.encryption_types_client | Encryption algorithms supported by Oracle, in decreasing order of preference |
| Client integrity level | oracle.net.crypto_checksum_client | REJECTED, ACCEPTED, REQUESTED, REQUIRED |
| Client integrity selected list | oracle.net.crypto_checksum_types_client | SHA1, MD5 |

Table 337: JDBC Thin Client (Oracle.Net) Parameters for Encryption and Integrity
Example to enforce encryption
You can enforce encryption by a configuration on the application server with the following settings. The example below assumes that you want to use encryption with the algorithm RC4_128 and integrity checks based on the hash algorithm SHA1:
- Set the following JDBC client settings as JVM options:
  - Add -Doracle.net.encryption_client=REQUIRED as a new option
  - Add -Doracle.net.encryption_types_client=(RC4_128) as a new option
  - Add -Doracle.net.crypto_checksum_client=REQUIRED as a new option
  - Add -Doracle.net.crypto_checksum_types_client=(SHA1) as a new option
- Restart the domain for the changes to take effect.
If you want to enforce encryption, it is enough to enforce it on one side, i.e. either on the client side (as above) or on the database server side (see further below). The example above enforces encryption unless the database server refuses it. In that case the connection to the database fails with the error ORA-12660, because the Oracle client/server negotiation for encryption or integrity cannot agree on a setting.
If you want to make sure that one particular client only uses encrypted connections, but still want to allow unencrypted connections to the database server for other database clients, adjust only the client-side settings (in this case via the JVM options on the application server) as shown above. Instead of enforcing encryption on the application server, it can also be enforced on the database server side in the Oracle configuration file "sqlnet.ora":
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_128)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)
If encryption is enforced on the database server side, only clients that support encryption can connect. For further background information and related solutions, such as SSL encryption with Oracle, also see the Oracle White Paper "SSL With Oracle JDBC Thin Driver" [Oracle SSL].
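As an added example (not part of this guideline and not Oracle code), the following Python checker parses the JVM options and sqlnet.ora lines above and predicts the outcome of the client/server negotiation for both features, applying Oracle's documented level matrix in full rather than only the cases mentioned in the text. Two details are assumptions: an empty algorithm list is treated as "any algorithm", and when several algorithms are shared, the first one in the client's preference order is reported.

```python
import re

def parse_settings(text):
    """Turn '-Doracle.net.x=(A,B)' options or 'SQLNET.X=(A,B)' lines into a dict
    keyed by the last name component, e.g. 'encryption_client' -> ['REQUIRED']."""
    out = {}
    for m in re.finditer(r"(?:-D)?([\w.]+)=\(?([^)\s]*)\)?", text):
        key = m.group(1).lower().split(".")[-1]
        out[key] = [v.strip().upper() for v in m.group(2).split(",") if v.strip()]
    return out

def negotiate(client_level, server_level, client_types, server_types):
    """Return ('OFF', None), ('ON', algorithm) or ('FAIL', reason), following
    Oracle's documented level matrix (ACCEPTED/ACCEPTED is the default and OFF)."""
    levels = (client_level, server_level)
    if "REJECTED" in levels:  # one side refuses: fail only if the other insists
        return ("FAIL", "ORA-12660") if "REQUIRED" in levels else ("OFF", None)
    if levels == ("ACCEPTED", "ACCEPTED"):
        return ("OFF", None)
    if not client_types and not server_types:
        return ("ON", "ANY")  # neither side restricts the algorithm (assumed)
    # Assumption: the first common algorithm in the client's preference order wins.
    candidates = client_types or server_types
    common = [a for a in candidates if not server_types or a in server_types]
    if common:
        return ("ON", common[0])
    # No shared algorithm: fails when one side insists, otherwise falls back to OFF.
    return ("FAIL", "no common algorithm") if "REQUIRED" in levels else ("OFF", None)

def check(client_options, sqlnet_ora):
    """Predict encryption and integrity outcomes for one client/server pair.
    Unset levels default to ACCEPTED, unset type lists to 'any algorithm'."""
    c, s = parse_settings(client_options), parse_settings(sqlnet_ora)
    return {feat: negotiate(c.get(f"{feat}_client", ["ACCEPTED"])[0],
                            s.get(f"{feat}_server", ["ACCEPTED"])[0],
                            c.get(f"{feat}_types_client", []),
                            s.get(f"{feat}_types_server", []))
            for feat in ("encryption", "crypto_checksum")}

# Constructed inputs: the JVM options from this guideline, checked against a server
# left at its defaults and against one whose sqlnet.ora rejects encryption.
CLIENT_OPTS = ("-Doracle.net.encryption_client=REQUIRED "
               "-Doracle.net.encryption_types_client=(RC4_128) "
               "-Doracle.net.crypto_checksum_client=REQUIRED "
               "-Doracle.net.crypto_checksum_types_client=(SHA1)")
SERVER_REJECTS = "SQLNET.ENCRYPTION_SERVER=REJECTED"

if __name__ == "__main__":
    print(check(CLIENT_OPTS, ""))              # both features ON
    print(check(CLIENT_OPTS, SERVER_REJECTS))  # encryption FAIL with ORA-12660
```

Feeding the four sqlnet.ora lines above as the server side with an unconfigured client shows the server-side enforcement producing the same result.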