Re: RAC server network encryption
Date: Thu, 11 Jul 2019 12:17:30 -0600
Message-ID: <9bff0bb8-884e-a370-a76d-d7b31518f7fc_at_gmail.com>
Perhaps because of the ability of tcpdump or snoop on a node on the same subnet to display packet contents before a switch or router is ever encountered?
On 7/11/19 11:51, Mladen Gogala wrote:
>
> I don't see the reason for configuring network encryption on the
> database level. That is usually done on the router level. Why would I
> want to waste my precious db server processors on something that COTS
> network equipment can do pretty well and does pretty well for years?
> That is the same thing and doing RAID on lvm2 or ASM level. Any SAN
> can do RAID and db server CPU is too expensive to waste on RAID or
> network encryption.
>
> On 7/11/19 10:36 AM, Adric Norris wrote:
>> When I've configured network encryption for RAC in the past (11.2.0.x
>> and 12.1.0.2 on Linux), the encryption/checksum settings very
>> definitely had to be configured in the database (*not* grid) copy of
>> sqlnet.ora. Here's the script I've used to verify that connections
>> are indeed encrypted.
>>
>> -- show all encrypted database sessions
>> --
>> -- Note: The SERIAL# column of [g]v$session_connect_info may be negative
>> -- (and wholly incorrect) on 11.2.0.3, due to bug 14377082...
>> this is
>> -- fixed in the 11.2.0.4 patchset. We're therefore excluding
>> SERIAL#
>> -- from the join criteria.
>> --
>> column encryption format a10
>> column checksum format a10
>> with sessions as (
>> select /*+ MATERIALIZE */ inst_id, username, sid, serial#
>> from gv$session
>> where not ( type = 'BACKGROUND' or username is NULL )
>> ),
>> session_connect_info as (
>> select /*+ MATERIALIZE */ inst_id, sid, serial#,
>> network_service_banner
>> from gv$session_connect_info
>> ),
>> encryption_info as (
>> select inst_id, sid, serial#,
>> regexp_replace( network_service_banner,
>> '^(Oracle Advanced Security:
>> |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
>> '\2'
>> ) encryption_type
>> from session_connect_info
>> where regexp_like( network_service_banner,
>> '^(Oracle Advanced Security: |)[[:alnum:]]+
>> [Ee]ncryption service adapter.+$'
>> )
>> ),
>> checksum_info as (
>> select inst_id, sid, serial#,
>> regexp_replace( network_service_banner,
>> '^(Oracle Advanced Security:
>> |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',
>> '\2'
>> ) checksum_type
>> from session_connect_info
>> where regexp_like( network_service_banner,
>> '^(Oracle Advanced Security: |)[[:alnum:]]+
>> [Cc]rypto-checksumming service adapter.*$'
>> )
>> )
>> select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type
>> encryption, chk.checksum_type checksum
>> from sessions s
>> join encryption_info enc on ( enc.inst_id = s.inst_id and
>> enc.sid = s.sid
>> -- enc.serial# = s.serial#
>> )
>> join checksum_info chk on ( chk.inst_id = s.inst_id and
>> chk.sid = s.sid
>> -- chk.serial# = s.serial#
>> )
>> order by s.inst_id, s.username, s.sid;
>>
>> For completeness, this one identifies sessions which are /not/ using
>> network encryption.
>>
>> -- show all unencrypted database sessions
>> --
>> -- Note: The SERIAL# column ov [g]v$session_connect_info may be negative
>> -- (and wholly incorrect) on 11.2.0.3, due to bug 14377082...
>> this is
>> -- fixed in the 11.2.0.4 patchset. We're therefore excluding
>> SERIAL#
>> -- from the join criteria.
>> --
>> with sessions as (
>> select /*+ MATERIALIZE */ inst_id, username, sid, serial#
>> from gv$session
>> where not ( type = 'BACKGROUND' or username is NULL )
>> ),
>> encryption_info as (
>> select /*+ MATERIALIZE */ inst_id, sid, serial#,
>> regexp_replace( network_service_banner,
>> '^(Oracle Advanced Security:
>> |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
>> '\2'
>> ) encryption_type
>> from gv$session_connect_info
>> where regexp_like( network_service_banner,
>> '^(Oracle Advanced Security: |)[[:alnum:]]+
>> [Ee]ncryption service adapter.+$'
>> )
>> )
>> select s.inst_id, s.sid, s.serial#, s.username
>> from sessions s
>> left outer join encryption_info enc on ( enc.inst_id =
>> s.inst_id and
>> enc.sid = s.sid
>> )
>> where enc.encryption_type is NULL
>> order by s.inst_id, s.username, s.sid;
>>
>>
>> On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez
>> <ricard.martinez_at_gmail.com <mailto:ricard.martinez_at_gmail.com>> wrote:
>>
>> Hi,
>>
>> Trying to configure network encryption in a RAC at server level,
>> but confused about the need to configure the parameters in
>> grid_home sqlnet.ora at all or only db_home sqlnet.ora. Can
>> someone help me clarify it?
>>
>> Thanks
>>
>>
>>
>> --
>> "In the beginning the Universe was created. This has made a lot of
>> people very angry and been widely regarded as a bad move." -Douglas Adams
> --
> Mladen Gogala
> Database Consultant
> Tel: (347) 321-1217
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Jul 11 2019 - 20:17:30 CEST