Oracle Advanced Security Administrator's Guide
Release 8.1.5

A67766-01


A
Encryption and Checksumming Parameters

This appendix lists and describes encryption and checksumming parameters supported in the Oracle Advanced Security option. It also includes an example of a sqlnet.ora file generated after you perform the network configuration described in Chapter 2, "Configuring Encryption and Checksumming".

This appendix covers:

Sample SQLNET.ORA File

This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. This sample sqlnet.ora file includes examples of the Oracle Advanced Security option encryption and checksumming parameters.

# SQLNET.ORA Configuration File:/private/users/oracle7/sqlnet.ora 
# Generated by Oracle Net8 Assistant 
 
SQLNET_CRYPTO_CHECKSUM_TYPE_SERVER = MD5 
 
OSS.SOURCE.MY_WALLET = 
  (SOURCE = 
    (METHOD = FILE) 
    (METHOD_DATA = 
      (DIRECTORY = /private/users/oracle7/ano814/8.1.4/network/admin/wallet) 
    ) 
  ) 
 
SQLNET.AUTHENTICATION_SERVICES= (BEQ, SECURID) 
 
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested 
 
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_40, DES40) 
 
SQLNET.ENCRYPTION_TYPES_CLIENT= (RC4_40, DES40) 
 
SSL_VERSION = Any 
 
SQLNET_CRYPTO_CHECKSUM_TYPE_CLIENT = MD5 
 
SQLNET.EXPIRE_TIME = 0 
 
SQLNET.ENCRYPTION_SERVER = requested 
 
SQLNET.ENCRYPTION_CLIENT = requested 
 
SQLNET.CRYPTO_CHECKSUM_SERVER = requested 
 
SQLNET.CRYPTO_SEED = qwertyuiopasdfghjkl;zxcvbnm

Note the following:

Encryption and Checksumming Parameters

There are nine parameters to enable encryption and checksumming. These parameters are described in the following sections.

Server Encryption Level Setting

Purpose:  

This parameter specifies the desired behavior when a client (or a server acting as a client) is connecting to this server. The behavior of the server will depend in part on the SQLNET.ENCRYPTION_CLIENT setting at the other end.  

Syntax:  

SQLNET.ENCRYPTION_SERVER = valid_value  

Possible values:  

ACCEPTED, REJECTED, REQUESTED, REQUIRED  

Default value:  

ACCEPTED  

Client Encryption Level Setting

Purpose:  

This parameter specifies the desired behavior when this client (or this server acting as a client) is connecting to a server. The behavior of the client will depend in part on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.  

Syntax:  

SQLNET.ENCRYPTION_CLIENT = valid_value  

Possible values:  

ACCEPTED, REJECTED, REQUESTED, REQUIRED  

Default value:  

ACCEPTED  

Server Encryption Selected List

Purpose:  

This parameter specifies a list of encryption algorithms this server is allowed to use when acting as a server in the order of desired use. Type the most desired algorithm first. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm will be checked against the list of client algorithm types available until a match is found. If an algorithm that is not installed is specified on this side, the connection will terminate with error message ORA-12650.  

Syntax:  

SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])  

Possible values:  

RC4_40--This is RSA RC4 (40-bit key size) for Domestic & International

RC4_56--This is RSA RC4 (56-bit key size) for Domestic only

RC4_128--This is RSA RC4 (128-bit key size) for Domestic only

DES--This is Standard DES (56-bit key size) for Domestic only

DES40--This is DES40 (40-bit key size) for Domestic & International  

Default value:  

All installed algorithms will be used in a negotiation if no algorithms are defined in the sqlnet.ora file.  

Usage Notes:  

Domestic version--If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are specified, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.

Export version--If you are using the Export version, the following algorithms are installed: RC4_40 and DES40. If no algorithms are specified, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm.

You can specify either a single encryption algorithm or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40)

SQLNET.ENCRYPTION_TYPES_SERVER=(DES,RC4_56,RC4_128,DES40)  

Client Encryption Selected List

Purpose:  

This parameter specifies a list of encryption algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. The parameters can be listed in any order. If an algorithm that is not installed is specified on this side, the connection will terminate with error message ORA-12650.  

Syntax:  

SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])  

Possible values:  

RC4_40--This is RSA RC4 (40-bit key size) for Domestic & International

RC4_56--This is RSA RC4 (56-bit key size) for Domestic only

RC4_128--This is RSA RC4 (128-bit key size) for Domestic only

DES--This is Standard DES (56-bit key size) for Domestic only

DES40--This is DES40 (40-bit key size) for Domestic & International  

Default value:  

All installed algorithms will be used if no algorithms are defined in the sqlnet.ora file.  

Usage Notes:  

Domestic version--If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are defined in the sqlnet.ora file, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.

Export version--If you are using the Export version, the RC4_40 and DES40 algorithms are installed. If no algorithms are defined in the sqlnet.ora file, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm.

You can specify either a single encryption algorithm or a list of algorithm names. For example, either of the following encryption parameters is acceptable:

SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40,RC4_56,RC4_40)

SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_40)  
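The following Python model of how the two level settings and the two algorithm lists combine is an added example, not part of Oracle's guide or code. The server-ordered algorithm match and the default Domestic order follow this appendix; the level-pairing and no-common-algorithm rules are assumptions taken from Oracle's documented negotiation behavior for these four values, which this page does not reproduce.

```python
# Added example (not Oracle code): model of encryption negotiation between
# a server and a client configured through sqlnet.ora.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
# Key sizes in bits, as listed for each algorithm in this appendix.
KEY_BITS = {"RC4_40": 40, "RC4_56": 56, "RC4_128": 128, "DES": 56, "DES40": 40}
# Order used when no list is configured (Domestic version, per the usage notes).
DOMESTIC_DEFAULT = ["RC4_40", "RC4_56", "RC4_128", "DES", "DES40"]


def negotiate(server_level="ACCEPTED", client_level="ACCEPTED",
              server_types=None, client_types=None):
    """Return (outcome, algorithm, key_bits); outcome is 'encrypted',
    'cleartext' or 'fail'."""
    pair = {server_level.upper(), client_level.upper()}
    if not pair <= set(LEVELS):
        raise ValueError("levels must be one of %s" % ", ".join(LEVELS))
    if "REJECTED" in pair:
        # Assumed rule: a refusal breaks the connection only if the peer insists.
        return ("fail", None, 0) if "REQUIRED" in pair else ("cleartext", None, 0)
    if pair == {"ACCEPTED"}:
        # Both sides at the default: each would accept, but neither asks.
        return ("cleartext", None, 0)
    server_types = [a.upper() for a in (server_types or DOMESTIC_DEFAULT)]
    client_set = {a.upper() for a in (client_types or DOMESTIC_DEFAULT)}
    unknown = (set(server_types) | client_set) - set(KEY_BITS)
    if unknown:
        raise ValueError("not in this release's list: %s" % sorted(unknown))
    # The server's list is walked in order; the client's order is irrelevant.
    for alg in server_types:
        if alg in client_set:
            return ("encrypted", alg, KEY_BITS[alg])
    # Assumed rule: no common algorithm is fatal only if a side is REQUIRED.
    return ("fail", None, 0) if "REQUIRED" in pair else ("cleartext", None, 0)


def level_matrix(server_types=None, client_types=None):
    """Outcome for all 16 server/client level pairs with the given lists."""
    return {(s, c): negotiate(s, c, server_types, client_types)[0]
            for s in LEVELS for c in LEVELS}


if __name__ == "__main__":
    for (s, c), outcome in level_matrix().items():
        print("%-10s %-10s %s" % (s, c, outcome))
```

With the sample file's settings (requested on both sides, RC4_40 and DES40 in both lists) the model selects RC4_40 at 40 bits. With both sides left at the default ACCEPTED, or with no lists configured and the Domestic default order in effect, the result is cleartext or a 40-bit cipher respectively, so a deployment that needs strong encryption has to set both the level and the list explicitly.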

Server Checksum Level Setting

Purpose:  

This parameter specifies the desired checksum behavior when a client (or another server acting as a client) is connecting to this server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end.  

Syntax:  

SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value  

Possible values:  

ACCEPTED, REJECTED, REQUESTED, REQUIRED  

Default value:  

ACCEPTED  

Client Checksum Level Setting

Purpose:  

This parameter specifies the desired checksum behavior when this client (or this server acting as a client) is connecting to a server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.  

Syntax:  

SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value  

Possible values:  

ACCEPTED, REJECTED, REQUESTED, REQUIRED  

Default value:  

ACCEPTED  

Server Checksum Selected List

Purpose:  

This parameter specifies a list of the checksumming algorithms this server is allowed to use, in order of desired use with the most desired algorithm first, when acting as a server to a client or another server. This list is used to negotiate a mutually acceptable algorithm with the remote end. Each algorithm will be checked against the list of client algorithm types available until a match is found. The first algorithm match will be the one that is used. If an algorithm is specified that is not installed on this side, the connection will terminate with error message ORA-12650.  

Syntax:  

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (crypto_checksum_algorithm)  

Possible values:  

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm.  

Default value:  

MD5 (currently the only valid value)  

Client Checksum Selected List

Purpose:  

This parameter specifies a list of checksumming algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the remote end. The order in which the algorithms are listed is not important. If an algorithm that is not installed on this side is specified, the connection will terminate with error message ORA-12650.  

Syntax:  

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (crypto_checksum_algorithm)  

Possible values:  

Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm.  

Default value:  

MD5 (currently the only valid value)  

Client Profile Encryption

SQLNET.CRYPTO_SEED = "10-70 random characters"

The characters that form the value for this parameter are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 random characters into the above statement.


Note:

Oracle recommends that you enter as many characters as possible (up to 70) to make the resulting key more random and therefore stronger.  


This parameter must be present in the sqlnet.ora file whenever encryption or checksumming is turned on.
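The following Python lint for sqlnet.ora text is an added example, not Oracle code. It checks parameter names, level values, algorithm names and the 10 to 70 character seed rule against what this appendix documents. It assumes that "turned on" means a level explicitly set to anything other than REJECTED, and its input is constructed for the example.

```python
import re
ENC = {"RC4_40", "RC4_56", "RC4_128", "DES", "DES40"}
LEVELS = {"ACCEPTED", "REJECTED", "REQUESTED", "REQUIRED"}
LEVEL_KEYS = {"SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_CLIENT",
              "SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_CLIENT"}
LIST_KEYS = {"SQLNET.ENCRYPTION_TYPES_SERVER": ENC,
             "SQLNET.ENCRYPTION_TYPES_CLIENT": ENC,
             "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER": {"MD5"},
             "SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT": {"MD5"}}
DOCUMENTED = LEVEL_KEYS | set(LIST_KEYS) | {"SQLNET.CRYPTO_SEED"}

def parse(text):  # NAME -> value; indented lines continue the previous parameter
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, value = raw.split("=", 1)
            key = key.strip().upper()
            params[key] = value.strip()
    return params

def lint(text):
    params, findings = parse(text), []
    for key, value in params.items():
        if key in LEVEL_KEYS:
            if value.upper() not in LEVELS:
                findings.append(f"{key}: invalid level {value!r}")
        elif key in LIST_KEYS:
            for alg in re.findall(r"\w+", value):
                if alg.upper() not in LIST_KEYS[key]:
                    findings.append(f"{key}: algorithm {alg} not listed")
        elif key not in DOCUMENTED and re.search(r"ENCRYPTION|CRYPTO", key):
            findings.append(f"{key}: name not documented in this appendix")
    # Assumption: "turned on" = a level explicitly set to anything but REJECTED.
    on = any(params.get(k, "REJECTED").upper() != "REJECTED" for k in LEVEL_KEYS)
    seed = params.get("SQLNET.CRYPTO_SEED", "").strip('"')
    if on and not 10 <= len(seed) <= 70:
        findings.append(f"SQLNET.CRYPTO_SEED: need 10-70 characters, found {len(seed)}")
    return findings

# Constructed input, not the page's sample file; AES256 is not in this release's list.
SAMPLE = """\
SQLNET_CRYPTO_CHECKSUM_TYPE_SERVER = MD5
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = sometimes
SQLNET.CRYPTO_SEED = short
"""
```

Calling lint(SAMPLE) returns four findings: the parameter name written with an underscore and TYPE instead of the documented SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER, the unlisted algorithm, the invalid level and the five-character seed.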




Copyright © 1999 Oracle Corporation.

All Rights Reserved.
