Home -> Mailing Lists -> Oracle-L -> Re: RAC server network encryption

Re: RAC server network encryption

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Thu, 11 Jul 2019 13:51:17 -0400
Message-ID: <e80014c4-4f6c-aa1b-1bb6-207ec26eda2e_at_gmail.com> 








I don't see the reason for configuring network encryption on the 
database level. That is usually done on the router level. Why would I 
want to waste my precious db server processors on something that COTS 
network equipment can do pretty well and does pretty well for years? 
That is the same thing and doing RAID on lvm2 or ASM level.  Any SAN can 
do RAID and db server CPU is too expensive to waste on RAID or network 
encryption.



On 7/11/19 10:36 AM, Adric Norris wrote:


> When I've configured network encryption for RAC in the past (11.2.0.x 


> and 12.1.0.2 on Linux), the encryption/checksum settings very 

> definitely had to be configured in the database (*not* grid) copy of 

> sqlnet.ora. Here's the script I've used to verify that connections are 

> indeed encrypted.

>

> -- show all encrypted database sessions

> --

> -- Note: The SERIAL# column of [g]v$session_connect_info may be negative

> --       (and wholly incorrect) on 11.2.0.3, due to bug 14377082... 

> this is

> --       fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#

> --       from the join criteria.

> --

> column encryption format a10

> column checksum   format a10

> with sessions as (

>    select /*+ MATERIALIZE */ inst_id, username, sid, serial#

>       from gv$session

>       where not ( type = 'BACKGROUND' or username is NULL )

> ),

> session_connect_info as (

>    select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner

>       from gv$session_connect_info

> ),

> encryption_info as (

>    select inst_id, sid, serial#,

>           regexp_replace( network_service_banner,

>                           '^(Oracle Advanced Security: 

> |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',

>                           '\2'

>                         ) encryption_type

>       from session_connect_info

>       where regexp_like( network_service_banner,

>                          '^(Oracle Advanced Security: |)[[:alnum:]]+ 

> [Ee]ncryption service adapter.+$'

>                        )

> ),

> checksum_info as (

>    select inst_id, sid, serial#,

>           regexp_replace( network_service_banner,

>                           '^(Oracle Advanced Security: 

> |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',

>                           '\2'

>                         ) checksum_type

>       from session_connect_info

>       where regexp_like( network_service_banner,

>                          '^(Oracle Advanced Security: |)[[:alnum:]]+ 

> [Cc]rypto-checksumming service adapter.*$'

>                        )

> )

> select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type 

> encryption, chk.checksum_type checksum

>    from sessions s

>       join encryption_info enc on ( enc.inst_id = s.inst_id and

>                                     enc.sid     = s.sid

> --                                  enc.serial# = s.serial#

>                                   )

>       join checksum_info chk on ( chk.inst_id = s.inst_id and

>                                   chk.sid     = s.sid

> --                                chk.serial# = s.serial#

>                                 )

>    order by s.inst_id, s.username, s.sid;

>

> For completeness, this one identifies sessions which are /not/ using 

> network encryption.

>

> -- show all unencrypted database sessions

> --

> -- Note: The SERIAL# column ov [g]v$session_connect_info may be negative

> --       (and wholly incorrect) on 11.2.0.3, due to bug 14377082... 

> this is

> --       fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#

> --       from the join criteria.

> --

> with sessions as (

>    select /*+ MATERIALIZE */ inst_id, username, sid, serial#

>       from gv$session

>       where not ( type = 'BACKGROUND' or username is NULL )

>    ),

> encryption_info as (

>    select /*+ MATERIALIZE */ inst_id, sid, serial#,

>           regexp_replace( network_service_banner,

>                           '^(Oracle Advanced Security: 

> |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',

>                           '\2'

>                         ) encryption_type

>       from gv$session_connect_info

>       where regexp_like( network_service_banner,

>                          '^(Oracle Advanced Security: |)[[:alnum:]]+ 

> [Ee]ncryption service adapter.+$'

>                        )

> )

> select s.inst_id, s.sid, s.serial#, s.username

>    from sessions s

>       left outer join encryption_info enc on ( enc.inst_id = s.inst_id and

>                                                enc.sid     = s.sid

>                                              )

>    where enc.encryption_type is NULL

>    order by s.inst_id, s.username, s.sid;

>

>

> On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez 

> <ricard.martinez_at_gmail.com <mailto:ricard.martinez_at_gmail.com>> wrote:

>

>     Hi,

>

>     Trying to configure network encryption in a RAC at server level,

>     but confused about the need to configure the parameters in

>     grid_home sqlnet.ora at all or only db_home sqlnet.ora. Can

>     someone help me clarify it?

>

>     Thanks

>

>

>

> -- 

> "In the beginning the Universe was created. This has made a lot of 

> people very angry and been widely regarded as a bad move." -Douglas Adams



-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217


--
http://www.freelists.org/webpage/oracle-l


Received on Thu Jul 11 2019 - 19:51:17 CEST












Original text of this message