A
Encryption and Checksumming Parameters
This appendix lists and describes encryption and checksumming parameters supported in the Oracle Advanced Security option. It also includes an example of a sqlnet.ora file generated after you perform the network configuration described in Chapter 2, "Configuring Encryption and Checksumming".
This appendix covers:
Sample SQLNET.ORA File
This section contains a sample sqlnet.ora configuration file for a set of clients with similar characteristics and a set of servers with similar characteristics. This sample sqlnet.ora file includes examples of the Oracle Advanced Security option encryption and checksumming parameters.
# SQLNET.ORA Configuration File:/private/users/oracle7/sqlnet.ora
# Generated by Oracle Net8 Assistant
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
OSS.SOURCE.MY_WALLET =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /private/users/oracle7/ano814/8.1.4/network/admin/wallet)
    )
  )
SQLNET.AUTHENTICATION_SERVICES= (BEQ, SECURID)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_40, DES40)
SQLNET.ENCRYPTION_TYPES_CLIENT= (RC4_40, DES40)
SSL_VERSION = Any
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (MD5)
SQLNET.EXPIRE_TIME = 0
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_SEED = qwertyuiopasdfghjkl;zxcvbnm
Note the following:
- If you do not specify any values for Server Encryption, Client Encryption, Server Checksum, or Client Checksum, the corresponding configuration parameters will not appear in the sqlnet.ora file. However, the Oracle Advanced Security option defaults the value to ACCEPTED.
- If no encryption or checksumming algorithm is specified on the Server Encryption, Client Encryption, Server Checksum, or Client Checksum pages, the server side of the connection uses the first algorithm in its own list of installed algorithms that also appears in the client's list of installed algorithms.
- Encryption and checksumming function independently of each other; encryption can be activated while checksumming is off, and vice versa.
Encryption and Checksumming Parameters
There are nine parameters to enable encryption and checksumming. These parameters are described in the following sections.
Server Encryption Level Setting
Purpose: This parameter specifies the desired behavior when a client (or a server acting as a client) is connecting to this server. The behavior of the server will depend in part on the SQLNET.ENCRYPTION_CLIENT setting at the other end.
Syntax: SQLNET.ENCRYPTION_SERVER = valid_value
Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED
Default value: ACCEPTED
Client Encryption Level Setting
Purpose: This parameter specifies the desired behavior when this client (or this server acting as a client) is connecting to a server. The behavior of the client will depend in part on the value set for SQLNET.ENCRYPTION_SERVER at the other end of the connection.
Syntax: SQLNET.ENCRYPTION_CLIENT = valid_value
Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED
Default value: ACCEPTED
Server Encryption Selected List
Purpose: This parameter specifies a list of encryption algorithms this server is allowed to use when acting as a server, in order of desired use. Type the most desired algorithm first. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. Each algorithm will be checked against the list of client algorithm types available until a match is found. If an algorithm that is not installed is specified on this side, the connection will terminate with error message ORA-12650.
Syntax: SQLNET.ENCRYPTION_TYPES_SERVER = (valid_encryption_algorithm [,valid_encryption_algorithm])
Possible values:
- RC4_40: RSA RC4 (40-bit key size), for Domestic & International
- RC4_56: RSA RC4 (56-bit key size), for Domestic only
- RC4_128: RSA RC4 (128-bit key size), for Domestic only
- DES: Standard DES (56-bit key size), for Domestic only
- DES40: DES40 (40-bit key size), for Domestic & International
Default value: All installed algorithms will be used in a negotiation if no algorithms are defined in the sqlnet.ora file.
Usage Notes:
- Domestic version: If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are specified, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.
- Export version: If you are using the Export version, the following algorithms are installed: RC4_40 and DES40. If no algorithms are specified, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm.
- You can specify either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:
SQLNET.ENCRYPTION_TYPES_SERVER=(RC4_40)
SQLNET.ENCRYPTION_TYPES_SERVER=(DES,RC4_56,RC4_128,DES40)
Client Encryption Selected List
Purpose: This parameter specifies a list of encryption algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the other end of the connection. The algorithms can be listed in any order. If an algorithm that is not installed is specified on this side, the connection will terminate with error message ORA-12650.
Syntax: SQLNET.ENCRYPTION_TYPES_CLIENT = (valid_encryption_algorithm [,valid_encryption_algorithm])
Possible values:
- RC4_40: RSA RC4 (40-bit key size), for Domestic & International
- RC4_56: RSA RC4 (56-bit key size), for Domestic only
- RC4_128: RSA RC4 (128-bit key size), for Domestic only
- DES: Standard DES (56-bit key size), for Domestic only
- DES40: DES40 (40-bit key size), for Domestic & International
Default value: All installed algorithms will be used if no algorithms are defined in the sqlnet.ora file.
Usage Notes:
- Domestic version: If you are using the Domestic version, all five algorithms are installed: RC4_40, RC4_56, RC4_128, DES, and DES40. If no algorithms are defined in the sqlnet.ora file, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm with the other end of the connection.
- Export version: If you are using the Export version, the RC4_40 and DES40 algorithms are installed. If no algorithms are defined in the sqlnet.ora file, the installed algorithms will be used in that order to negotiate a mutually acceptable algorithm.
- You can specify either a single value or a list of algorithm names. For example, either of the following encryption parameters is acceptable:
SQLNET.ENCRYPTION_TYPES_CLIENT=(DES,DES40,RC4_56,RC4_40)
SQLNET.ENCRYPTION_TYPES_CLIENT=(RC4_40)
Server Checksum Level Setting
Purpose: This parameter specifies the desired checksum behavior when a client (or another server acting as a client) is connecting to this server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_CLIENT setting at the other end.
Syntax: SQLNET.CRYPTO_CHECKSUM_SERVER = valid_value
Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED
Default value: ACCEPTED
Client Checksum Level Setting
Purpose: This parameter specifies the desired checksum behavior when this client (or this server acting as a client) is connecting to a server. The resulting behavior will depend in part on the SQLNET.CRYPTO_CHECKSUM_SERVER setting at the other end of the connection.
Syntax: SQLNET.CRYPTO_CHECKSUM_CLIENT = valid_value
Possible values: ACCEPTED, REJECTED, REQUESTED, REQUIRED
Default value: ACCEPTED
Server Checksum Selected List
Purpose: This parameter specifies a list of the checksumming algorithms this server is allowed to use, in order of desired use with the most desired algorithm first, when acting as a server to a client or another server. This list is used to negotiate a mutually acceptable algorithm with the remote end. Each algorithm will be checked against the list of client algorithm types available until a match is found. The first algorithm match will be the one that is used. If an algorithm is specified that is not installed on this side, the connection will terminate with error message ORA-12650.
Syntax: SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (crypto_checksum_algorithm)
Possible values: Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm.
Default value: MD5 (currently the only valid value)
Client Checksum Selected List
Purpose: This parameter specifies a list of checksumming algorithms this client (or this server acting as a client) is allowed to use when connecting to a server. This list is used to negotiate a mutually acceptable algorithm with the remote end. The order in which the algorithms are listed is not important. If an algorithm that is not installed on this side is specified, the connection will terminate with error message ORA-12650.
Syntax: SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (crypto_checksum_algorithm)
Possible values: Currently, the only supported crypto-checksum algorithm choice is RSA Data Security's MD5 algorithm.
Default value: MD5 (currently the only valid value)
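Added example (not Oracle's code): a Python check that parses the level and algorithm-list parameters described above, works out what a given server/client pair would negotiate, and reports weak outcomes. The level matrix (which combinations of ACCEPTED, REJECTED, REQUESTED and REQUIRED turn the service on, leave it off, or refuse the connection) is assumed from the negotiation rules of the Oracle Advanced Security option and is not stated in this appendix; `parse_sqlnet`, `negotiate`, `audit` and `SAMPLE` are hypothetical names, and `SAMPLE` is constructed from the sample file above.

```python
import re

DOMESTIC = ("RC4_40", "RC4_56", "RC4_128", "DES", "DES40")  # installed order per this appendix
KEY_BITS = {"RC4_40": 40, "RC4_56": 56, "RC4_128": 128, "DES": 56, "DES40": 40}

def parse_sqlnet(text):
    """Read single-line NAME = value or NAME = (a, b) entries; nested blocks are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_.]+)\s*=\s*\(?([^()#]+)\)?\s*$", line)
        if m:
            params[m.group(1).upper()] = [v.strip().upper() for v in m.group(2).split(",")]
    return params

def negotiate(server, client, service="ENCRYPTION", installed=DOMESTIC):
    """Return (state, algorithm); state is ON, OFF (service not used) or FAIL (refused)."""
    levels = {server.get(f"SQLNET.{service}_SERVER", ["ACCEPTED"])[0],
              client.get(f"SQLNET.{service}_CLIENT", ["ACCEPTED"])[0]}  # default ACCEPTED
    on_mismatch = "FAIL" if "REQUIRED" in levels else "OFF"
    if "REJECTED" in levels or levels == {"ACCEPTED"}:  # assumed matrix, see lead-in
        return on_mismatch, None
    client_algs = client.get(f"SQLNET.{service}_TYPES_CLIENT", list(installed))
    # Server order decides: first entry of its list that the client also lists.
    for alg in server.get(f"SQLNET.{service}_TYPES_SERVER", list(installed)):
        if alg in client_algs:
            return "ON", alg
    return on_mismatch, None

def audit(server, client):
    """List weaknesses in what this server/client pair would negotiate for encryption."""
    state, alg = negotiate(server, client)
    findings = [f"encryption {state}"] if state != "ON" else []
    if state == "ON" and KEY_BITS.get(alg, 0) < 128:
        findings.append(f"negotiated {alg} ({KEY_BITS.get(alg, 0)}-bit key)")
    if server.get("SQLNET.ENCRYPTION_SERVER", ["ACCEPTED"])[0] != "REQUIRED":
        findings.append("server level is not REQUIRED: unencrypted sessions are possible")
    return findings

# Constructed input: the encryption and checksum lines of the sample file above.
SAMPLE = """\
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_40, DES40)
SQLNET.ENCRYPTION_TYPES_CLIENT= (RC4_40, DES40)
SQLNET.CRYPTO_CHECKSUM_SERVER = requested
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
"""

print(audit(parse_sqlnet(SAMPLE), parse_sqlnet(SAMPLE)))
```

For the sample file both findings fire: the pair settles on RC4_40, and because the server level is `requested` rather than `required`, a peer that declines encryption is still served.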
Client Profile Encryption
SQLNET.CRYPTO_SEED = "10-70 random characters"
The characters that form the value for this parameter are used when generating cryptographic keys. The more random the characters entered into this field are, the stronger the keys are. You set this parameter by entering from 10 to 70 random characters into the above statement.
Note: Oracle recommends that you enter as many characters as possible (up to 70) to make the resulting key more random and therefore stronger.
This parameter must be present in the sqlnet.ora file whenever encryption or checksumming is turned on.