Home Music Tech Info Tech Blog About Us Contact Us

Information Technology

Oracle Advanced Security - page 5

Prev< 1 2 3 4 5

Secure Database Network Connections

How To Setup Secure Database Connections Using SSL

Secure Sockets Layer (SSL) is an industry standard for securing network connections. It uses RSA public key cryptography in conjunction with symmetric key cryptography to provide authentication, encryption, and data integrity.

The Oracle Advanced Security Option (ASO) provides support for SSL configuration of its network communication. Digital certificates are used to encrypt the connection between the client and the server, and it is also used to authenticate a client. This setup is ideal for use on server-to-server communication such as an application server connection to a database server or a database-to-database connection through dblink. Through the digital certificate, the database can recognize a legit client allowed to transact on the database via authentication to a third-party Certificate Authority (CA).

Setting up a secure TCP network communication using SSL requires you to setup the Oracle Wallet first and acquiring signed certs from Certificate Authority. If you haven't done so, please read the article from the start before proceeding on to the following configuration steps.

Configure the database server Oracle Net files

Modify both the listener.ora and sqlnet.ora files to set the wallet location, enable the listener to use TCPS protocol, enforcement of client authentication through SSL and set the cipher for encryption and data integrity for use with SSL.

Sample syntax:

# listener.ora and sqlnet.ora

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = <full path of wallet directory>))

)

Sample Database listener.ora entries

#-- Oracle Wallet

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = /dsk0/orabin/11gR2/product/11.2.0.4/db/owm/wallets/oradb/ ))

)

#-- Regular Unsecured Database Listener

ORA11PCI =

(DESCRIPTION_LIST =

(DESCRIPTION =

(ADDRESS = (PROTOCOL = TCP)(HOST = pacific)(PORT = 1531))

)

SID_LIST_ORA11PCI =

(SID_LIST =

(SID_DESC =

(SID_NAME = PLSExtProc)

(ORACLE_HOME = /dsk0/orabin/11gR2/product/11.2.0.4/db)

(PROGRAM = extproc)

)

CONNECT_TIMEOUT_ORA11PCI = 0

STARTUP_WAIT_TIME_ORA11PCI=0

#LOGGING_ORA11PCI=OFF

#TRACE_LEVEL_ORA11PCI=OFF

#-- Secure Database Listener

ORA11PCI_SEC =

(DESCRIPTION_LIST =

(DESCRIPTION =

(ADDRESS = (PROTOCOL = TCPS)(HOST = pacific)(PORT = 2484))

)

SID_LIST_ORA11PCI_SEC =

(SID_LIST =

(SID_DESC =

(SID_NAME = PLSExtProc)

(ORACLE_HOME = /dsk0/orabin/11gR2/product/11.2.0.4/db)

(PROGRAM = extproc)

)

(SID_DESC =

(GLOBAL_DBNAME = ORA11PCI.chadslibrary.com)

(ORACLE_HOME = /dsk0/orabin/11gR2/product/11.2.0.4/db)

(SID_NAME = ORA11PCI)

)

CONNECT_TIMEOUT_ORA11PCI_SEC = 0

STARTUP_WAIT_TIME_ORA11PCI_SEC=0

#LOGGING_ORA11PCI_SEC=OFF

#TRACE_LEVEL_ORA11PCI_SEC=OFF

Note that it is recommended by Oracle to use 2484 as your TCPS port. But again for PCI DSS compliance, you set this to something else.

Sample Database sqlnet.ora entries

NAMES.DIRECTORY_PATH= (TNSNAMES)

SQLNET.AUTHENTICATION_SERVICES=(TCPS,BEQ)

SSL_CLIENT_AUTHENTICATION = TRUE

SSL_CIPHER_SUITES= (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5)

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = /dsk0/orabin/11gR2/product/11.2.0.4/db/owm/wallets/oradb ))

)

Sample Database tnsnames.ora entries

ORA11PCI =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCP)(HOST = pacific)(PORT = 1531))

)

(CONNECT_DATA =

(SID = ORA11PCI)

)

ORA11PCI_SEC =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCPS)(HOST = pacific)(PORT = 2484))

)

(CONNECT_DATA =

(SID = ORA11PCI)

)

ORA11PCI_LISTENER =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCP)(HOST = pacific)(PORT = 1531))

(ADDRESS = (PROTOCOL = TCPS)(HOST = pacific)(PORT = 2484))

)

Configure The Client Oracle Net Files

Modify sqlnet.ora and tnsnames.ora similar to what was done on the database server side with additional optional parameter SSL_SERVER_DN_MATCH that enforces authentication to match the database server DN with the client's service name TNS parameter value. It should look something like this:

# sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(TCPS,NTS)

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = <full path of wallet directory>))

)

SSL_CLIENT_AUTHENTICATION = TRUE

SSL_CIPHER_SUITES= (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5)

SSL_SERVER_DN_MATCH = TRUE

# tnsnames.ora

myDbConnect =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCPS)(HOST = dbhostname)(PORT = 2484))

)

(CONNECT_DATA =

(SERVICE_NAME = mydbname.domain.com)

)

Sample linux client application sqlnet.ora

NAMES.DIRECTORY_PATH= (TNSNAMES)

SQLNET.AUTHENTICATION_SERVICES=(TCPS,NTS)

SSL_CLIENT_AUTHENTICATION = TRUE

SSL_CIPHER_SUITES= (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5)

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = /disk0/orabin/11gR2/product/11.2.0.3/db/owm/wallets/oradb ))

)

Sample windows client application sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (TCPS,NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SSL_CLIENT_AUTHENTICATION = TRUE

SSL_CIPHER_SUITES= (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5)

WALLET_LOCATION =

(SOURCE =

(METHOD = FILE)

(METHOD_DATA = (DIRECTORY = C:\app\chad\product\11.2.0\client_1\BIN\owm\wallets\chad ))

)

Sample client application tnsnames.ora

ORA11PCI_SEC =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCPS)(HOST = pacific)(PORT = 2484))

)

(CONNECT_DATA =

(SID = ORA11PCI)

)

ORA11PCI =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS = (PROTOCOL = TCP)(HOST = pacific)(PORT = 1531))

)

(CONNECT_DATA =

(SID = ORA11PCI)

)