Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Verifying encryption is working? (Oracle 8i, Win2k server)

Re: Verifying encryption is working? (Oracle 8i, Win2k server)

From: Thomas T <T_at_T>
Date: Mon, 8 Mar 2004 18:22:56 -0500
Message-ID: <>

"Rick Wessman" <> wrote in message
> In article <4048bce7$>, Thomas T says...
> >
> >Hello everyone; I've just been playing with turning on encryption on our
> >test server (Oracle 8i, Win2k server). I enabled the encryption- and it
> >seemed way too easy... is there a way I can verify that encryption is
> >actually on? At the workstation, I turned on tracing (Net8 local
> >and could see that it was finding the right info from the parameter file;
> >and these lines were also in the trace file:
> >
> >***********
> >na_tns: authentication is not active
> >na_tns: encryption is active, using RC4_40
> >na_tns: crypto-checksumming is not active
> >***********
> >
> >One thing that's confusing me- I turned on admin tracing for the test
> >server's listener. In the listener.log, it shows the following lines:
> >
> >***********
> >nam_gbp: Parameter not found
> >nam_gnsp: Reading parameter "SQLNET.ENCRYPTION_SERVER" from parameter
> >nam_gnsp: Parameter not found
> >naequad: Using default value "ACCEPTED"
> >nam_gic: entry
> >nam_gic: Counting # of items in "SQLNET.ENCRYPTION_TYPES_SERVER"
> >nam_gic: Parameter not found
> >nam_gic: exit
> >naesno: Using default value "all available algorithms"
> >***********
> >At the top of the file, it looks like it's using the listener.ora file to
> >find the sqlnet.encryption params? Should I put my
> >sqlnet.encryption_server=required into the listener.ora, too? This is
> >top of the listener.trc file:
> >
> >Attempted load of system pfile source
> >D:\oracle\ora81\network\admin\listener.ora
> >Parameter source loaded successfully
> >
> >Attempted load of command line source
> >Parameter source was not loaded
> >
> >
> >
> >If I change the server's setup to "required", and my workstation to
> >"rejected", I don't get a login. When I put the server's setup back to
> >"requested", and the client back to "accepted", I do get a login. So
> >should be enough to tell me that yes, it's working- but I'd like to see
> >proof!
> >
> >
> >
> To make sure, enable tracing at level 16 in both the client and server
> sqlnet.ora. I would also set the parameters to "required" on both sides.
> will force encryption to be on for sure.
> Try a connection. If it succeeds, you can verify that encryption is on by
> looking at the trace files.
> You can ignore listener.ora. The listener is not involved in negotiating
> encryption algorithm between the client and the server.
> Rick
> Rick Wessman
> Oracle Corporation
> The opinions expressed above are mine and do not necessarily reflect
> those of Oracle Corporation.

Rick, thanks! That's exactly what I was looking for- I ran two tests (restarting the listener both times on the Win2k server), one with encryption set to "accepted", and one set to "required". I ran the same quick SQL query for both tests- and sure enough, one trace file had plaintext packets (including the password!), and the other test had encrypted packets.

Is that really all there is to the Encryption for Net8? If so, that's amazing! I've meant to play with this for years, but always figured it would be a nightmare- but all it took was 5 minutes.

One more question; do I have to list the encryption methods in the sqlnet.ora file on the client? If I leave that section out, from what I see in the trace file, it seems like the client will use all available algorithms until it finds a match to the server. Will the connection be faster if the client is told which algorithm to expect?

What I'm wondering about is whether or not I have to change each workstation's sqlnet.ora to use encryption- or, if I can just set sqlnet.encryption_server and sqlnet.encryption_types_server on the server, and leave the clients at their default values (sqlnet.encryption_client=accepted, no sqlnet.encryption_types_client entry).

Thanks again!

-Thomas Received on Mon Mar 08 2004 - 17:22:56 CST

Original text of this message