Oracle Datenbank 12c - DOAG Deutsche ORACLE … for database solutions. Oracle Database 12c SQL*Net...
Experts for database solutions.
Oracle Database 12c
SQL*Net Encryption
Thomas Lehmann – Dresden, 13.12.2016
Facts and Figures – Robotron Datenbank-Software GmbH
Year of formation 1990
Legal form GmbH (Limited liability company, 9 associates)
Number of employees 387 (Status 09/2016)
Capital stock 2.4 million EUR
Turnover 2015 32.8 million EUR
Turnover 2016 36.8 million EUR
Oracle Partner
ISO 9001 certified
Headquarters
Congress and Training Center
The Range of Services of Robotron with Branch-Specific Expertise
Methodical and technological responsibility
Comprehensive expertise of industry-specific business processes
About Me
Thomas Lehmann
– Senior system engineer
– Over 15 years of operating experience
– Complex environment
– Mission-critical processes
– Certified performance tuning expert
– General Oracle support for products and in projects
Agenda
Data encryption in general
Data encryption on SQL*Net layer
– Native encryption
– Data integrity check
– TLS encryption with certificates
Examples and how-tos
Summary
Security and Data Encryption
Transparent Data Encryption
Data Vault
Auditing
SQL*Net Encryption
Virtual Private Database
Label Security
User Privileges
Secure Authentication
Critical Patch Update
Security in Silicon
Data Masking
Unified Auditing
Overview
Why use SQL*Net encryption?
Why don’t YOU use SQL*Net encryption?
What’s the benefit?
What’s the cost?
What types of encryption can I use?
What’s the effort to implement this?
SQL*Net Encryption
All kinds of data are unencrypted in the SQL*Net communication protocol
From SQL*Net trace:
Enable it. It’s free since Oracle 10.2: “Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.”
Tools for Demos
Oracle Database 12.1.0.2
Oracle Client 12.1.0.2
– SQL*Net Trace
– SQL*Plus
3rd party tools
– Wireshark (network sniffer)
Native Encryption
Diffie-Hellman key negotiation algorithm
– Both sessions share non-secret information
– Generate secret based on that
Easy to implement
– Configure sqlnet.ora on client and server side
– encryption_server | encryption_client = rejected | accepted | requested | required
– encryption_types_server | encryption_types_client = AES128, AES192, AES256
Native Encryption – Encryption Settings
Rows: client setting, columns: server setting

Client \ Server   REJECTED   ACCEPTED        REQUESTED   REQUIRED
REJECTED          OFF        OFF             OFF         FAIL
ACCEPTED          OFF        OFF (default)   ON          ON
REQUESTED         OFF        ON              ON          ON
REQUIRED          FAIL       ON              ON          ON
Settings and combinations
Valid setup:
sqlnet.encryption_server=required
sqlnet.encryption_types_server=(AES256)
sqlnet.encryption_client=requested
sqlnet.encryption_types_client=(AES256)
Demo
Native Encryption – Data Integrity
Rows: client setting, columns: server setting

Client \ Server   REJECTED   ACCEPTED        REQUESTED   REQUIRED
REJECTED          OFF        OFF             OFF         FAIL
ACCEPTED          OFF        OFF (default)   ON          ON
REQUESTED         OFF        ON              ON          ON
REQUIRED          FAIL       ON              ON          ON
Settings and combinations
Valid setup:
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_types_server = (SHA256)
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_client = (SHA256)
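The two negotiation tables and the two "valid setup" fragments above, as a runnable model. This is an added example, not code from the presentation: `negotiate`, `matrix`, `parse_flat` and `session_security` are names chosen here, the sqlnet.ora texts are constructed samples, and two details are assumptions (an empty *_TYPES_* list is treated as "any algorithm", and the first match in the client's list order wins). The ORA-12650 error named in the comment is Oracle's "no common encryption or data integrity algorithm" error.

```python
"""Native SQL*Net encryption / integrity negotiation (added example).

Models the REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix for both
SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_* and evaluates what a
session between a given client and server sqlnet.ora would get."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate(client, server):
    """Outcome for one client/server level pair: 'ON', 'OFF' or 'FAIL'."""
    c, s = client.upper(), server.upper()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError(f"unknown level: {client!r} / {server!r}")
    if "REJECTED" in (c, s):
        # a rejecting side only breaks the connection when the other side insists
        return "FAIL" if "REQUIRED" in (c, s) else "OFF"
    if c == "ACCEPTED" and s == "ACCEPTED":
        return "OFF"  # neither side asks for it: the default, unencrypted
    return "ON"


def matrix():
    """The full 4x4 table: rows are the client setting, columns the server setting."""
    return {c: {s: negotiate(c, s) for s in LEVELS} for c in LEVELS}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def parse_flat(text):
    """Read KEY = VALUE lines; a parenthesised value becomes a list.
    Only flat parameters are handled, not nested ones like WALLET_LOCATION."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.upper()] = value
    return params


def session_security(client_ora, server_ora):
    """Encryption and integrity state of a session between the two files."""
    c, s = parse_flat(client_ora), parse_flat(server_ora)
    result = {}
    for name, key in (("encryption", "ENCRYPTION"), ("integrity", "CRYPTO_CHECKSUM")):
        # Oracle's default for an unset level is ACCEPTED (the "(default)" cell)
        state = negotiate(c.get(f"SQLNET.{key}_CLIENT", "ACCEPTED"),
                          s.get(f"SQLNET.{key}_SERVER", "ACCEPTED"))
        algorithm = None
        if state == "ON":
            c_types = _as_list(c.get(f"SQLNET.{key}_TYPES_CLIENT", []))
            s_types = _as_list(s.get(f"SQLNET.{key}_TYPES_SERVER", []))
            # Assumption for this example: an empty list means "any algorithm",
            # and the first match in the client's list order wins.
            if not c_types or not s_types:
                algorithm = (c_types or s_types or ["any"])[0]
            else:
                common = [t for t in c_types if t.upper() in {x.upper() for x in s_types}]
                if common:
                    algorithm = common[0]
                else:
                    state = "FAIL"  # no common algorithm: Oracle raises ORA-12650
        result[name] = {"state": state, "algorithm": algorithm}
    return result


# Constructed samples mirroring the "valid setup" fragments on the slides.
SERVER_ORA = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""
CLIENT_ORA = """
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES128)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
"""
# Constructed: an old client that refuses native encryption.
LEGACY_CLIENT_ORA = "SQLNET.ENCRYPTION_CLIENT = rejected\n"

if __name__ == "__main__":
    for row, cells in matrix().items():
        print(f"{row:10}", "  ".join(f"{v:4}" for v in cells.values()))
    print(session_security(CLIENT_ORA, SERVER_ORA))
    print(session_security(LEGACY_CLIENT_ORA, SERVER_ORA))
```

With the server on `required`, the legacy client's `rejected` turns into a failed connection rather than a silently unencrypted session, which is the case to plan for before switching a production listener to `required`.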
Performance Comparison
Table with 1.5 million rows (165 MB)
Test case 1: select * from table;
Test case 2 (subset): select * from table where col like 'XXX%';

Test case 1 (full table):
Without Encryption   With Encryption    With Encryption and Checksumming
49 sec               68 sec             69 sec
48 sec               68 sec             69 sec
48 sec               68 sec (+ 42 %)    69 sec (+ 43 %)

Test case 2 (subset):
Without Encryption   With Encryption    With Encryption and Checksumming
0.58 sec             0.63 sec           0.68 sec
0.52 sec             0.63 sec           0.66 sec
0.56 sec             0.62 sec (+ 8 %)   0.70 sec (+ 17 %)
SSL/TLS Encryption
Industrial standard
Based on public/private key infrastructure
For the setup you'll need:
– Wallet (to store the keys)
– Private key
– Public key
– Configuration in listener.ora and sqlnet.ora
Demo
Create Oracle Wallet
orapki wallet create -wallet ./server_wallet -auto_login -pwd server01
Parameters:
– auto_login: only protected by file system permissions
Create Certificate
orapki wallet add -wallet ./server_wallet -dn "CN=server" -keysize 1024 -self_signed -validity 365 -pwd server01
Parameters:
– keysize 512 | 1024 | 2048
– self_signed: create a self-signed (root) certificate
– validity: number of days the certificate is valid
Add an existing certificate instead (trusted CA certificate or the wallet's own user certificate):
orapki wallet add -wallet ./server_wallet -trusted_cert -cert /path/
orapki wallet add -wallet ./server_wallet -user_cert -cert /path/
Export, Exchange, Import Certificate
Export the server certificate
– orapki wallet export -wallet ./server_wallet -dn "CN=server" -cert ./server_wallet/cert.txt
Import the server certificate on client side
– orapki wallet add -wallet ./client_wallet -trusted_cert -cert cert.txt -pwd client01
Prepare Listener
Enable TCPS and set up a secure port
Parameters to set:
– SSL_CLIENT_AUTHENTICATION FALSE in listener.ora
– WALLET_LOCATION location to the wallet
– SSL_CIPHER_SUITES encryption algorithms
Prepare Listener – Example
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = oradb121.localdomain)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = oradb121.localdomain)(PORT = 2484))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /home/oracle/doag/wallet/server_wallet))
)
Edit sqlnet.ora
Enable SSL in sqlnet.ora
Must be done on client and server
Parameters to set:
– SQLNET.AUTHENTICATION_SERVICES enable TCPS
– SSL_CLIENT_AUTHENTICATION certificate authentication
– SSL_VERSION 1.0 | 1.1 | 1.2
– WALLET_LOCATION location to the wallet
– SSL_CIPHER_SUITES encryption algorithms
Edit sqlnet.ora – Example
SQLNET.AUTHENTICATION_SERVICES=(TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA = (DIRECTORY = /home/oracle/Wallets/server_wallet))
)
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
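The listener.ora and sqlnet.ora examples above use the nested, parenthesised Oracle Net syntax. The following added example (not code from the presentation) parses that syntax into Python dicts and lists and then audits the TLS settings of a sqlnet.ora: TCPS present in the authentication services, SSL_VERSION pinned to 1.2 or higher, a wallet directory configured, and no cipher suite with anonymous key exchange, 3DES, RC4, NULL, MD5 or export strength. The audit rules and all function names are the editor's own; the sample files are constructed from the values on the slides. Run against the slide's own sqlnet.ora, the audit flags `SSL_DH_anon_WITH_3DES_EDE_CBC_SHA`: an anonymous DH suite performs no server authentication, so the wallet's certificate is never checked on that connection.

```python
"""Parse Oracle Net parameter files (sqlnet.ora / listener.ora) and audit the
TLS-related settings.  Added example with the editor's own rules; the sample
files are constructed from the values shown on the slides."""
import re

_TOKEN = re.compile(r"\s*(\(|\)|=|,|[^()=,\s]+)")


def _tokenize(text):
    """Split into '(', ')', '=', ',' and bare words; '#' starts a comment."""
    toks = []
    for line in text.splitlines():
        line, pos = line.split("#", 1)[0], 0
        while (m := _TOKEN.match(line, pos)):
            toks.append(m.group(1))
            pos = m.end()
    return toks


def _parse_group(toks, i):
    """toks[i] is '('. Returns (key or None, value, index after ')')."""
    i += 1
    if toks[i + 1] == "=":                     # (NAME = value)
        key = toks[i].upper()
        val, i = _parse_value(toks, i + 2)
    else:                                      # (A, B, C)
        key, end = None, toks.index(")", i)
        val, i = [t for t in toks[i:end] if t != ","], end
    if toks[i] != ")":
        raise ValueError(f"expected ')' at token {i}, got {toks[i]!r}")
    return key, val, i + 1


def _parse_value(toks, i):
    """A value is a bare word or a run of '( ... )' groups."""
    if toks[i] != "(":
        return toks[i], i + 1
    merged, items, seen = {}, [], {}
    while i < len(toks) and toks[i] == "(":
        key, val, i = _parse_group(toks, i)
        if key is None:
            items.extend(val)
            continue
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 1:
            merged[key] = val
        elif seen[key] == 2:                   # repeated key, e.g. several ADDRESS entries
            merged[key] = [merged[key], val]
        else:
            merged[key].append(val)
    return (merged or items), i


def parse_net_file(text):
    """Top level is 'NAME = value' repeated; keys are returned upper-cased."""
    toks, i, params = _tokenize(text), 0, {}
    while i < len(toks):
        if i + 1 >= len(toks) or toks[i + 1] != "=":
            raise ValueError(f"expected '=' after {toks[i]!r}")
        key = toks[i].upper()
        params[key], i = _parse_value(toks, i + 2)
    return params


WEAK_MARKERS = ("_ANON_", "3DES", "RC4", "NULL", "MD5", "EXPORT")


def audit_sqlnet(params):
    """Findings for the TLS settings of a parsed sqlnet.ora (editor's rules)."""
    findings, as_list = [], (lambda v: v if isinstance(v, list) else [v])
    auth = as_list(params.get("SQLNET.AUTHENTICATION_SERVICES", []))
    if "TCPS" not in [a.upper() for a in auth]:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not list TCPS")
    ver = params.get("SSL_VERSION", "undetermined")
    try:
        pinned = float(ver) >= 1.2
    except (ValueError, TypeError):
        pinned = False                         # 'undetermined' lets old versions in
    if not pinned:
        findings.append(f"SSL_VERSION={ver}: pin 1.2 or higher")
    try:
        params["WALLET_LOCATION"]["SOURCE"]["METHOD_DATA"]["DIRECTORY"]
    except (KeyError, TypeError):
        findings.append("WALLET_LOCATION has no METHOD_DATA/DIRECTORY")
    for suite in as_list(params.get("SSL_CIPHER_SUITES", [])):
        hits = [m for m in WEAK_MARKERS if m in suite.upper()]
        if hits:
            findings.append(f"weak cipher suite {suite}: {', '.join(hits)}")
    return findings


# Constructed samples: the sqlnet.ora and a listener fragment from the slides.
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES=(TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/oracle/Wallets/server_wallet))
  )
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)
"""
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = oradb121.localdomain)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = oradb121.localdomain)(PORT = 2484))
    )
  )
"""
```

Running `audit_sqlnet(parse_net_file(SQLNET_ORA))` returns a single finding for the anonymous 3DES suite; the same parser reads the listener entry, where the repeated ADDRESS key becomes a list and the TCPS endpoint on port 2484 can be checked programmatically.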
Test the SSL/TLS Connection
Check lsnrctl status
Add TCPS connection to name resolution (e.g. tnsnames.ora)
Run tnsping to check connectivity
Run sqlplus to connect
Test the SSL/TLS Connection
Check with Wireshark
Documents & Nice to Know
Setup Wireshark: Edit->Preferences->Protocols->HTTP->SSL/TLS Ports (add the TCPS port)
https://docs.oracle.com/cd/B19306_01/license.102/b14199/options.htm#DBLIC137 (Oracle Documentation Options and Packs 10.2)
Oracle Advanced Security SSL Troubleshooting Guide (Doc ID 166492.1)
Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)
BUG 18685892 - NTZ SHOULD ALLOW EXPLICIT SETTING OF SSL_VERSION TO 1.1/1.2 (This bug is first fixed in patch set 12.1.0.2, where TLS 1.1 and 1.2 are fully supported.)
Summary
Lots of security features within database
Extra license costs
SQL*Net encryption is free (since Oracle 10.2)
Native encryption easy to implement
SSL/TLS tricky but possible
Change how clients connect to the database (to use the wallet)
Check application layout and performance issues
Always check encryption
Questions?
Thomas Lehmann Senior Engineer
Telephone: +49 351 [email protected]
www.robotron.eu