Re: RAC server network encryption

When I've configured network encryption for RAC in the past (11.2.0.x and 12.1.0.2 on Linux), the encryption/checksum settings very definitely had to be configured in the database (*not* grid) copy of sqlnet.ora. Here's the script I've used to verify that connections are indeed encrypted.

• show all encrypted database sessions --
• Note: The SERIAL# column of [g]v$session_connect_info may be negative
• (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
• fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
• from the join criteria. -- column encryption format a10 column checksum format a10 with sessions as ( select /*+ MATERIALIZE */ inst_id, username, sid, serial# from gv$session where not ( type = 'BACKGROUND' or username is NULL ) ), session_connect_info as ( select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner from gv$session_connect_info ), encryption_info as ( select inst_id, sid, serial#, regexp_replace( network_service_banner, '^(Oracle Advanced Security: |)([[:alnum:]]+)
  [Ee]ncryption service adapter.+$',
  '\2' ) encryption_type from session_connect_info where regexp_like( network_service_banner, '^(Oracle Advanced Security: |)[[:alnum:]]+
  [Ee]ncryption service adapter.+$'
  ) ), checksum_info as ( select inst_id, sid, serial#, regexp_replace( network_service_banner, '^(Oracle Advanced Security: |)([[:alnum:]]+)
  [Cc]rypto-checksumming service adapter.*$',
  '\2' ) checksum_type from session_connect_info where regexp_like( network_service_banner, '^(Oracle Advanced Security: |)[[:alnum:]]+
  [Cc]rypto-checksumming service adapter.*$'
  ) ) select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type encryption, chk.checksum_type checksum from sessions s join encryption_info enc on ( enc.inst_id = s.inst_id and enc.sid = s.sid
• enc.serial# = s.serial# ) join checksum_info chk on ( chk.inst_id = s.inst_id and chk.sid = s.sid
• chk.serial# = s.serial# ) order by s.inst_id, s.username, s.sid;

• show all unencrypted database sessions --
• Note: The SERIAL# column ov [g]v$session_connect_info may be negative
• (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
• fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
• from the join criteria. -- with sessions as ( select /*+ MATERIALIZE */ inst_id, username, sid, serial# from gv$session where not ( type = 'BACKGROUND' or username is NULL ) ), encryption_info as ( select /*+ MATERIALIZE */ inst_id, sid, serial#, regexp_replace( network_service_banner, '^(Oracle Advanced Security: |)([[:alnum:]]+)
  [Ee]ncryption service adapter.+$',
  '\2' ) encryption_type from gv$session_connect_info where regexp_like( network_service_banner, '^(Oracle Advanced Security: |)[[:alnum:]]+
  [Ee]ncryption service adapter.+$'
  ) ) select s.inst_id, s.sid, s.serial#, s.username from sessions s left outer join encryption_info enc on ( enc.inst_id = s.inst_id and enc.sid = s.sid ) where enc.encryption_type is NULL order by s.inst_id, s.username, s.sid;

On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez <ricard.martinez_at_gmail.com> wrote:

> Hi,
>
> Trying to configure network encryption in a RAC at server level, but
> confused about the need to configure the parameters in grid_home sqlnet.ora
> at all or only db_home sqlnet.ora. Can someone help me clarify it?
>
> Thanks
>
>

-- 
"In the beginning the Universe was created. This has made a lot of people
very angry and been widely regarded as a bad move." -Douglas Adams

--
http://www.freelists.org/webpage/oracle-l