Hi,
The test I performed seems to confirm that. I can't manage to get encryption
to work using grid_home, only db_home:
Test case 1 no encryption
-------------------------
Server 2 nodes RAC 19c
$GRID_HOME/network/admin/sqlnet.ora contains:
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
Client sqldeveloper using connection type tns on a windows machine:
Connection works, and network_service_banner:
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Test case 2 encryption on in RAC grid_home
------------------------------------------
Server 2 nodes RAC 19c
$GRID_HOME/network/admin/sqlnet.ora contains:
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
Client sqldeveloper using connection type tns on a windows machine:
$CLIENT_HOME/network/admin/sqlnet.ora contains:
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT =(SHA256, SHA384, SHA512)
Connection works, but checking network_service_banner shows:
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Test case 3 encryption on in RAC oracle_home
---------------------------------------------
Server 2 nodes RAC 19c
$GRID_HOME/network/admin/sqlnet.ora is empty and
$ORACLE_HOME/network/admin/sqlnet.ora contains:
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, SHA384, SHA512)
Client sqldeveloper using connection type tns on a windows machine:
$CLIENT_HOME/network/admin/sqlnet.ora contains:
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT =(SHA256, SHA384, SHA512)
Connection works, and checking network_service_banner shows encryption in use:
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production
AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
SHA256 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production
I think maybe I will need to raise an SR to get verification, as it seems grid
is not involved in encryption at all then.
On Thu, Jul 11, 2019 at 3:37 PM Adric Norris <landstander668@xxxxxxxxx>
wrote:
When I've configured network encryption for RAC in the past (11.2.0.x and
12.1.0.2 on Linux), the encryption/checksum settings very definitely had to
be configured in the database (*not* grid) copy of sqlnet.ora. Here's the
script I've used to verify that connections are indeed encrypted.
-- show all encrypted database sessions
--
-- Note: The SERIAL# column of [g]v$session_connect_info may be negative
-- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
-- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
-- from the join criteria.
--
column encryption format a10
column checksum format a10
with sessions as (
  select /*+ MATERIALIZE */ inst_id, username, sid, serial#
    from gv$session
   where not ( type = 'BACKGROUND' or username is NULL )
),
session_connect_info as (
  select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner
    from gv$session_connect_info
),
encryption_info as (
  -- the algorithm name precedes "Encryption service adapter" in the banner
  select inst_id, sid, serial#,
         regexp_replace( network_service_banner,
                         '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
                         '\2'
                       ) encryption_type
    from session_connect_info
   where regexp_like( network_service_banner,
                      '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
                    )
),
checksum_info as (
  -- the algorithm name precedes "Crypto-checksumming service adapter"
  select inst_id, sid, serial#,
         regexp_replace( network_service_banner,
                         '^(Oracle Advanced Security: |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',
                         '\2'
                       ) checksum_type
    from session_connect_info
   where regexp_like( network_service_banner,
                      '^(Oracle Advanced Security: |)[[:alnum:]]+ [Cc]rypto-checksumming service adapter.*$'
                    )
)
select s.inst_id, s.sid, s.serial#, s.username,
       enc.encryption_type encryption, chk.checksum_type checksum
  from sessions s
  join encryption_info enc on ( enc.inst_id = s.inst_id and
                                enc.sid     = s.sid
                                -- and enc.serial# = s.serial#
                              )
  join checksum_info chk on ( chk.inst_id = s.inst_id and
                              chk.sid     = s.sid
                              -- and chk.serial# = s.serial#
                            )
 order by s.inst_id, s.username, s.sid;
For completeness, this one identifies sessions which are *not* using
network encryption.
-- show all unencrypted database sessions
--
-- Note: The SERIAL# column of [g]v$session_connect_info may be negative
-- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
-- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
-- from the join criteria.
--
with sessions as (
  select /*+ MATERIALIZE */ inst_id, username, sid, serial#
    from gv$session
   where not ( type = 'BACKGROUND' or username is NULL )
),
encryption_info as (
  select /*+ MATERIALIZE */ inst_id, sid, serial#,
         regexp_replace( network_service_banner,
                         '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
                         '\2'
                       ) encryption_type
    from gv$session_connect_info
   where regexp_like( network_service_banner,
                      '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
                    )
)
-- sessions with no matching "Encryption service adapter" banner are unencrypted
select s.inst_id, s.sid, s.serial#, s.username
  from sessions s
  left outer join encryption_info enc on ( enc.inst_id = s.inst_id and
                                           enc.sid     = s.sid
                                         )
 where enc.encryption_type is NULL
 order by s.inst_id, s.username, s.sid;
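Added example, not part of the thread and not Adric's script: the same banner check done outside the database in Python, so the test-case output above can be checked from a saved copy of network_service_banner. It makes the point of test cases 2 and 3 explicit: a generic "Encryption service for Linux" line is always present, and only an "<ALG> Encryption service adapter" line proves encryption is active. The banner lines and session keys are constructed, modelled on the ones reported in the thread.

```python
import re

# Same matching idea as the SQL above: optional "Oracle Advanced Security: "
# prefix (older releases), then the algorithm name, then the adapter text.
_ENC_RE = re.compile(
    r'^(?:Oracle Advanced Security: )?([A-Za-z0-9]+) [Ee]ncryption service adapter.+$')
_CHK_RE = re.compile(
    r'^(?:Oracle Advanced Security: )?([A-Za-z0-9]+) [Cc]rypto-checksumming service adapter.*$')


def classify_session(banners):
    """Return (encryption_algorithm, checksum_algorithm) for one session's
    banner lines; None means no adapter banner, i.e. that service is not active.
    Note that the bare "Encryption service for Linux" line does NOT count."""
    enc = chk = None
    for line in banners:
        line = line.strip()
        m = _ENC_RE.match(line)
        if m:
            enc = m.group(1)
            continue
        m = _CHK_RE.match(line)
        if m:
            chk = m.group(1)
    return enc, chk


def unencrypted_sessions(sessions):
    """sessions: {(inst_id, sid, serial#): [banner lines]} -> sorted keys of
    sessions with no encryption adapter (the second query's result set)."""
    return sorted(k for k, b in sessions.items() if classify_session(b)[0] is None)


# Constructed sample input, modelled on the test-case 2 and test-case 3 banners.
BANNERS_NO_ENCRYPTION = [
    "TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production",
    "Encryption service for Linux: Version 19.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production",
]
BANNERS_ENCRYPTED = BANNERS_NO_ENCRYPTION[:2] + [
    "AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production",
    "Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production",
    "SHA256 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production",
]
# Constructed (inst_id, sid, serial#) keys.
SAMPLE_SESSIONS = {(1, 42, 7): BANNERS_NO_ENCRYPTION, (2, 17, 3): BANNERS_ENCRYPTED}

if __name__ == "__main__":
    for key, banners in SAMPLE_SESSIONS.items():
        print(key, classify_session(banners))
    print("unencrypted:", unencrypted_sessions(SAMPLE_SESSIONS))
```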
On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez <ricard.martinez@xxxxxxxxx>
wrote:
Hi,
Trying to configure network encryption in a RAC at server level, but
confused about the need to configure the parameters in grid_home sqlnet.ora
at all or only db_home sqlnet.ora. Can someone help me clarify it?
Thanks
--
"In the beginning the Universe was created. This has made a lot of people
very angry and been widely regarded as a bad move." -Douglas Adams