Scribd Logo
Upload

Welcome to Scribd!

  • Testing Encrypted Database Connections

    Uploaded by

    zak_boj
    13 views2 pages
    zxz

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    zxz

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    13 views2 pages

    Testing Encrypted Database Connections

    Uploaded by

    zak_boj
    zxz

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 2

    Testing Encrypted Database Connections

    This document describes how to verify that your network connection to an Oracle database is being encrypted. To set up encrypted connections, see the document Oracle Secure Database Connectivity. Overview To validate that your network traffic is being encrypted when you connect to an Oracle database, you can enable client tracing and then examine the trace file to verify the encryption. You may optionally want to run a trace before you enable encryption so that you can see what that looks like before you trace your encrypted connection. Note: If your client has multiple Oracle clients installed, be sure you are working with the correct sqlnet.ora file. The basic steps are: 1) Enable tracing; 2) Run a SQL query; 3) Examine the trace file; and 4) Turn off tracing. Tracing a Database Connection 1. Tracing is enabled by adding configuration parameters to your sqlnet.ora file (see the Oracle Secure Database Connectivity document for detailed instructions on how to locate your sqlnet.ora file):
    DIAG_ADR_ENABLED=off TRACE_DIRECTORY_CLIENT = c:\temp TRACE_LEVEL_CLIENT = 16 TRACE_FILE_CLIENT = sqlnet_encryption.trc Notes:

    TRACE_DIRECTORY_CLIENT and TRACE_FILE_CLIENT can be any values you choose. Oracle will add numerical digits to the file name you supply for TRACE_FILE_CLIENT. For UNIX-type servers the TRACE_DIRECTORY_CLIENT must be a directory path such as /tmp.

    2. Use SQL*Plus or another tool to establish a connection to your target database. Run a simple query against an object that you have access to. 3. Review the contents of c:\temp\sqlnet_encryption.trc. You should not see any clear text that corresponds to the query you issued, in which case you have successfully encrypted your database connections. 4. Remove or comment-out the entries you added to your sqlnet.ora file to turn client tracing off. If you do not disable client tracing, then you will generate large trace files for every database connection and query that you issue. You can comment-out the tracing parameters by inserting a leading pound sign, as shown below:
    #DIAG_ADR_ENABLED=off #TRACE_DIRECTORY_CLIENT = c:\temp #TRACE_LEVEL_CLIENT = 16 #TRACE_FILE_CLIENT = sqlnet_encryption.trc

    Save the changes to your sqlnet.ora file. Your database connections will continue to be encrypted, but no trace files will be generated. You are now done!

    Example The following sample trace file output illustrates the difference between encrypted and unencrypted connections. The trace files will be very large. The output were looking for is usually near the end of the trace file. The following output shows a trace for the unencrypted SQL statement select dept5_dept_name from warehouse.department_tb where dept5_deptid = '133700'. In this instance, we searched the trace file for deptid to quickly get to the relevant part of the trace file:

    [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011

    15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966] 15:48:56:966]

    nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend: nspsend:

    packet dump 00 CE 00 00 06 00 00 00 00 00 03 5E 08 61 80 00 00 00 00 00 00 01 54 00 00 00 01 0D 00 00 00 00 01 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 01 FE 40 73 65 6C 65 63 74 20 64 65 70 74 35 5F 64 65 70 74 5F 6E 61 6D 65 0A 20 20 66 72 6F 6D 20 77 61 72 65 68 6F 75 73 65 2E 64 65 70 61 72 74 6D 65 6E 74 5F 74 62 0A 20 77 68 65 72 65 20 64 65 70 14 74 35 5F 64 65 70 74 69 64 20 3D 20 27 31 33 33 37 30 30 27 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 206 bytes to transport

    |........| |...^.a..| |......T.| |........| |........| |........| |........| |........| |...@sele| |ct.dept5| |_dept_na| |me...fro| |m.wareho| |use.depa| |rtment_t| |b..where| |.dep.t5_| |deptid.=| |.'133700| |'.......| |........| |........| |........| |........| |........| |...... |

    In the output above, you can easily see the select statement and its values in clear text on the right. If the select statement contained values for SSNs, birthdates or other sensitive information they would be in clear text, and we dont want that to happen. Farther down in the log you will see the results of your query in clear text, and we definitely dont want that. The output below shows trace file information for an encrypted connection. Since the query is not in clear text we cant search for it. The easiest thing to do is search for the second occurrence of naeecom. If encryption was used successfully, youll see a line saying The server chose the 'AES256' encryption algorithm and another line saying encryption is active, using AES256:
    [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] 16:04:41:290] naeecom: entry naeecom: The server chose the 'AES256' encryption algorithm naeecom: exit naeccom: entry naeccom: The server chose the 'SHA1' crypto-checksumming algorithm naeccom: exit na_tns: entry na_tns: Secure Network Services is available. nau_adi: entry nau_adi: exit na_tns: authentication is not active na_tns: encryption is active, using AES256 na_tns: crypto-checksumming is active, using SHA1 na_tns: exit

    If encryption was not successfully enabled, you will see these entries instead of the ones listed above:
    [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 [18-NOV-2011 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] 16:08:52:637] naeecom: entry naeecom: Encryption inactive naeecom: exit naeccom: entry naeccom: Crypto-Checksumming inactive naeccom: exit na_tns: entry na_tns: Secure Network Services is available. nau_adi: entry nau_adi: exit na_tns: authentication is not active na_tns: encryption is not active na_tns: crypto-checksumming is not active na_tns: exit -end-

    You might also like