Re: RAC server network encryption

From: Ricard Martinez <ricard.martinez_at_gmail.com>
Date: Thu, 11 Jul 2019 17:01:51 +0100
Message-ID: <CAFGV9umoC=+Zdz2VjgkKwrNq6t5pAD8RL5=dVMfyj8GPCHtHPQ_at_mail.gmail.com>



Hi,
The tests I performed seem to confirm that. I can't get encryption to work using grid_home, only db_home:

Test case 1 no encryption


Server 2 nodes RAC 19c

$GRID_HOME/network/admin/sqlnet.ora contains:

SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)

Client sqldeveloper using connection type tns on a windows machine:

Connection works, and network_service_banner:

TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production

Encryption service for Linux: Version 19.0.0.0.0 - Production

Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production

Test case 2 encryption on in RAC grid_home


Server 2 nodes RAC 19c

$GRID_HOME/network/admin/sqlnet.ora contains:

SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)

Client sqldeveloper using connection type tns on a windows machine:

$CLIENT_HOME/network/admin/sqlnet.ora contains:

SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA384, SHA512)

Connection works, but checking network_service_banner:

TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production

Encryption service for Linux: Version 19.0.0.0.0 - Production

Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production

Test case 3 encryption on in RAC oracle_home


Server 2 nodes RAC 19c

$GRID_HOME/network/admin/sqlnet.ora is empty and $ORACLE_HOME/network/admin/sqlnet.ora contains:

SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)

Client sqldeveloper using connection type tns on a windows machine:

$CLIENT_HOME/network/admin/sqlnet.ora contains:

SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA384, SHA512)

Connection works, and checking network_service_banner shows encryption in use:

TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production

Encryption service for Linux: Version 19.0.0.0.0 - Production

AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production

Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production

SHA256 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production

I think maybe I will need to raise an SR to get verification, as it seems grid is not involved in encryption at all then.

On Thu, Jul 11, 2019 at 3:37 PM Adric Norris <landstander668_at_gmail.com> wrote:

> When I've configured network encryption for RAC in the past (11.2.0.x and
> 12.1.0.2 on Linux), the encryption/checksum settings very definitely had to
> be configured in the database (*not* grid) copy of sqlnet.ora. Here's the
> script I've used to verify that connections are indeed encrypted.
>
> -- show all encrypted database sessions
> --
> -- Note: The SERIAL# column of [g]v$session_connect_info may be negative
> -- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
> -- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
> -- from the join criteria.
> --
> column encryption format a10
> column checksum format a10
> with sessions as (
> select /*+ MATERIALIZE */ inst_id, username, sid, serial#
> from gv$session
> where not ( type = 'BACKGROUND' or username is NULL )
> ),
> session_connect_info as (
> select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner
> from gv$session_connect_info
> ),
> encryption_info as (
> select inst_id, sid, serial#,
> regexp_replace( network_service_banner,
> '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
> '\2'
> ) encryption_type
> from session_connect_info
> where regexp_like( network_service_banner,
> '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
> )
> ),
> checksum_info as (
> select inst_id, sid, serial#,
> regexp_replace( network_service_banner,
> '^(Oracle Advanced Security: |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',
> '\2'
> ) checksum_type
> from session_connect_info
> where regexp_like( network_service_banner,
> '^(Oracle Advanced Security: |)[[:alnum:]]+ [Cc]rypto-checksumming service adapter.*$'
> )
> )
> select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type
> encryption, chk.checksum_type checksum
> from sessions s
> join encryption_info enc on ( enc.inst_id = s.inst_id and
> enc.sid = s.sid
> -- enc.serial# = s.serial#
> )
> join checksum_info chk on ( chk.inst_id = s.inst_id and
> chk.sid = s.sid
> -- chk.serial# = s.serial#
> )
> order by s.inst_id, s.username, s.sid;
>
> For completeness, this one identifies sessions which are *not* using
> network encryption.
>
> -- show all unencrypted database sessions
> --
> -- Note: The SERIAL# column of [g]v$session_connect_info may be negative
> -- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
> -- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
> -- from the join criteria.
> --
> with sessions as (
> select /*+ MATERIALIZE */ inst_id, username, sid, serial#
> from gv$session
> where not ( type = 'BACKGROUND' or username is NULL )
> ),
> encryption_info as (
> select /*+ MATERIALIZE */ inst_id, sid, serial#,
> regexp_replace( network_service_banner,
> '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
> '\2'
> ) encryption_type
> from gv$session_connect_info
> where regexp_like( network_service_banner,
> '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
> )
> )
> select s.inst_id, s.sid, s.serial#, s.username
> from sessions s
> left outer join encryption_info enc on ( enc.inst_id = s.inst_id and
> enc.sid = s.sid
> )
> where enc.encryption_type is NULL
> order by s.inst_id, s.username, s.sid;
>
>
> On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez <ricard.martinez_at_gmail.com>
> wrote:
>
>> Hi,
>>
>> Trying to configure network encryption in a RAC at server level, but
>> confused about the need to configure the parameters in grid_home sqlnet.ora
>> at all or only db_home sqlnet.ora. Can someone help me clarify it?
>>
>> Thanks
>>
>>
>
> --
> "In the beginning the Universe was created. This has made a lot of people
> very angry and been widely regarded as a bad move." -Douglas Adams
>
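As an added illustration (not code from either poster), the banner-matching logic of the quoted queries redone in Python over constructed rows copied from the test cases above, so that the difference between the generic "Encryption service" row, which also shows up on cleartext sessions, and the "<ALG> Encryption service adapter" row, which is the only real evidence, is explicit. The legacy-style row and the session names are assumed sample values.

```python
import re
from typing import Dict, List, Optional

# Same two patterns as the gv$session_connect_info queries in the thread; the
# optional "Oracle Advanced Security: " prefix covers older-release banners.
ENCRYPTION_RE = re.compile(
    r"^(Oracle Advanced Security: )?([A-Za-z0-9]+) [Ee]ncryption service adapter.+$")
CHECKSUM_RE = re.compile(
    r"^(Oracle Advanced Security: )?([A-Za-z0-9]+) [Cc]rypto-checksumming service adapter.*$")

def classify_session(banner_lines: List[str]) -> Dict[str, Optional[str]]:
    """Negotiated encryption and checksum algorithm for one session's banner rows.

    Only an '<ALG> ... service adapter' row proves an algorithm is in use; the
    generic 'Encryption service for Linux' row also appears on cleartext sessions
    (compare test cases 1 and 2 with test case 3 in the thread).
    """
    result: Dict[str, Optional[str]] = {"encryption": None, "checksum": None}
    for line in banner_lines:
        enc = ENCRYPTION_RE.match(line.strip())
        chk = CHECKSUM_RE.match(line.strip())
        if enc:
            result["encryption"] = enc.group(2)
        elif chk:
            result["checksum"] = chk.group(2)
    return result

def unencrypted_sessions(sessions: Dict[str, List[str]]) -> List[str]:
    """Names of sessions with no encryption adapter row (the thread's 2nd query)."""
    return sorted(name for name, rows in sessions.items()
                  if classify_session(rows)["encryption"] is None)

# Constructed sample input: the banner rows quoted in the thread's test cases.
CLEARTEXT_BANNER = [
    "TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production",
    "Encryption service for Linux: Version 19.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production",
]
ENCRYPTED_BANNER = CLEARTEXT_BANNER[:2] + [
    "AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production",
    "SHA256 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production",
]
# Constructed pre-12c style row (assumed format) to exercise the prefix branch.
LEGACY_BANNER = ["Oracle Advanced Security: AES256 encryption service adapter for Linux"]
SAMPLE_SESSIONS = {"test_case_2": CLEARTEXT_BANNER, "test_case_3": ENCRYPTED_BANNER,
                   "legacy_client": LEGACY_BANNER}
```

Feeding it the rows of a real session (one row per gv$session_connect_info record) gives the same answer as the SQL, which is a convenient way to sanity-check a rule change before trusting the query.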

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 11 2019 - 18:01:51 CEST