
Re: Verifying encryption is working? (Oracle 8i, Win2k server)

From: Rick Wessman <Rick.WessmanNO_SPAM_at_NoOrSaPcAlMe.com>
Date: 9 Mar 2004 04:27:32 -0800
Message-ID: <c2kd7k0nov@drn.newsguy.com>


In article <404d0052_at_rutgers.edu>, Thomas T says...
>
>"Rick Wessman" <Rick.WessmanNO_SPAM_at_NoOrSaPcAlMe.com> wrote in message
>news:c2agei01s63_at_drn.newsguy.com...
>> In article <4048bce7$1_at_rutgers.edu>, Thomas T says...
>> >
>> >Hello everyone; I've just been playing with turning on encryption on our
>> >test server (Oracle 8i, Win2k server). I enabled the encryption- and it
>> >seemed way too easy... is there a way I can verify that encryption is
>> >actually on? At the workstation, I turned on tracing (Net8 local profile)
>> >and could see that it was finding the right info from the parameter file;
>> >and these lines were also in the trace file:
>> >
>> >***********
>> >na_tns: authentication is not active
>> >na_tns: encryption is active, using RC4_40
>> >na_tns: crypto-checksumming is not active
>> >***********
>> >
>> >One thing that's confusing me- I turned on admin tracing for the test
>> >server's listener. In the listener.log, it shows the following lines:
>> >
>> >***********
>> >nam_gbp: Parameter not found
>> >nam_gnsp: Reading parameter "SQLNET.ENCRYPTION_SERVER" from parameter file
>> >nam_gnsp: Parameter not found
>> >naequad: Using default value "ACCEPTED"
>> >nam_gic: entry
>> >nam_gic: Counting # of items in "SQLNET.ENCRYPTION_TYPES_SERVER" parameter
>> >nam_gic: Parameter not found
>> >nam_gic: exit
>> >naesno: Using default value "all available algorithms"
>> >***********
>> >At the top of the file, it looks like it's using the listener.ora file to
>> >find the sqlnet.encryption params? Should I put my
>> >sqlnet.encryption_server=required into the listener.ora, too? This is from
>> >top of the listener.trc file:
>> >
>> >--- PARAMETER SOURCE INFORMATION FOLLOWS ---
>> >Attempted load of system pfile source
>> >D:\oracle\ora81\network\admin\listener.ora
>> >Parameter source loaded successfully
>> >
>> >Attempted load of command line source
>> >Parameter source was not loaded
>> >
>> >
>> >
>> >If I change the server's setup to "required", and my workstation to
>> >"rejected", I don't get a login. When I put the server's setup back to
>> >"requested", and the client back to "accepted", I do get a login. So that
>> >should be enough to tell me that yes, it's working- but I'd like to see more
>> >proof!
>> >
>> >
>> >
>> To make sure, enable tracing at level 16 in both the client and server
>> sqlnet.ora. I would also set the parameters to "required" on both sides. That
>> will force encryption to be on for sure.
>>
>> Try a connection. If it succeeds, you can verify that encryption is on by
>> looking at the trace files.
>>
>> You can ignore listener.ora. The listener is not involved in negotiating the
>> encryption algorithm between the client and the server.
>>
>> Rick
>>
>> Rick Wessman
>> Oracle Corporation
>> The opinions expressed above are mine and do not necessarily reflect
>> those of Oracle Corporation.
>>
>
>Rick, thanks! That's exactly what I was looking for- I ran two tests
>(restarting the listener both times on the Win2k server), one with
>encryption set to "accepted", and one set to "required". I ran the same
>quick SQL query for both tests- and sure enough, one trace file had
>plaintext packets (including the password!), and the other test had
>encrypted packets.
>
>Is that really all there is to the Encryption for Net8? If so, that's
>amazing! I've meant to play with this for years, but always figured it
>would be a nightmare- but all it took was 5 minutes.
Yep. That's it. Hard to believe, isn't it? :-)

>
>One more question; do I have to list the encryption methods in the
>sqlnet.ora file on the client? If I leave that section out, from what I see
>in the trace file, it seems like the client will use all available
>algorithms until it finds a match to the server. Will the connection be
>faster if the client is told which algorithm to expect?
Yes, you can leave the setting out and the client and server will negotiate the algorithm.

The connection won't be any faster if you specify the algorithm. The code paths are essentially the same in both cases.

>
>What I'm wondering about is whether or not I have to change each
>workstation's sqlnet.ora to use encryption- or, if I can just set
>sqlnet.encryption_server and sqlnet.encryption_types_server on the server,
>and leave the clients at their default values
>(sqlnet.encryption_client=accepted, no sqlnet.encryption_types_client
>entry).

That will work fine as long as encryption is set to required on the server.

>
>Thanks again!

You're very welcome. I'm glad to have been of help.

>
>-Thomas

                               Rick

>
>
                                Rick Wessman
                                Oracle Corporation
     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Tue Mar 09 2004 - 06:27:32 CST
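
Added example, not part of the original thread and not Oracle's code: a small Python check that reads the `na_tns` status lines quoted in the post out of a client or server trace, and models how the `accepted` / `rejected` / `requested` / `required` settings combine. The sample trace is built from the three lines quoted in the post; the function names are this example's own, and the outcome rules assume both sides have an algorithm in common.

```python
import re

# Sample built from the three na_tns lines quoted in the post.
SAMPLE_TRACE = """\
na_tns: authentication is not active
na_tns: encryption is active, using RC4_40
na_tns: crypto-checksumming is not active
"""

# One status line per Net8 security service; the algorithm appears only when active.
NA_TNS = re.compile(
    r"na_tns:\s+(authentication|encryption|crypto-checksumming) is "
    r"(not active|active)(?:, using (\S+))?"
)
LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}


def service_status(trace_text):
    """Return {service: (active, algorithm or None)} from the na_tns lines."""
    status = {}
    for m in NA_TNS.finditer(trace_text):
        service, state, algorithm = m.groups()
        status[service] = (state == "active", algorithm)
    return status


def encryption_verified(trace_text):
    """True only when the trace explicitly reports encryption as active."""
    active, _ = service_status(trace_text).get("encryption", (False, None))
    return active


def negotiate(client, server):
    """Result of pairing sqlnet.encryption_client with sqlnet.encryption_server:
    'on', 'off' or 'fail'. Assumes both sides have an algorithm in common."""
    pair = {client.upper(), server.upper()}
    if not pair <= LEVELS:
        raise ValueError(f"unknown setting in {sorted(pair)}")
    if "REJECTED" in pair:
        return "fail" if "REQUIRED" in pair else "off"
    return "off" if pair == {"ACCEPTED"} else "on"


if __name__ == "__main__":
    print(service_status(SAMPLE_TRACE))
    print(negotiate("accepted", "required"))  # server-only change from the thread
```

Level 16 traces record packet contents, which in the thread included the password on the unencrypted run, so switch tracing off and remove the trace files once the check is done.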
