I don't see the reason for configuring network encryption on the
database level. That is usually done on the router level. Why would I
want to waste my precious db server processors on something that COTS
network equipment can do pretty well and does pretty well for years?
That is the same thing and doing RAID on lvm2 or ASM level. Any SAN can
do RAID and db server CPU is too expensive to waste on RAID or network
encryption.
On 7/11/19 10:36 AM, Adric Norris wrote:
When I've configured network encryption for RAC in the past (11.2.0.x and 12.1.0.2 on Linux), the encryption/checksum settings very definitely had to be configured in the database (*not* grid) copy of sqlnet.ora. Here's the script I've used to verify that connections are indeed encrypted.
-- show all encrypted database sessions
--
-- Note: The SERIAL# column of [g]v$session_connect_info may be negative
-- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
-- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
-- from the join criteria.
--
column encryption format a10
column checksum format a10
with sessions as (
select /*+ MATERIALIZE */ inst_id, username, sid, serial#
from gv$session
where not ( type = 'BACKGROUND' or username is NULL )
),
session_connect_info as (
select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner
from gv$session_connect_info
),
encryption_info as (
select inst_id, sid, serial#,
regexp_replace( network_service_banner,
'^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
'\2'
) encryption_type
from session_connect_info
where regexp_like( network_service_banner,
'^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
)
),
checksum_info as (
select inst_id, sid, serial#,
regexp_replace( network_service_banner,
'^(Oracle Advanced Security: |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',
'\2'
) checksum_type
from session_connect_info
where regexp_like( network_service_banner,
'^(Oracle Advanced Security: |)[[:alnum:]]+ [Cc]rypto-checksumming service adapter.*$'
)
)
select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type encryption, chk.checksum_type checksum
from sessions s
join encryption_info enc on ( enc.inst_id = s.inst_id and
enc.sid = s.sid
-- enc.serial# = s.serial#
)
join checksum_info chk on ( chk.inst_id = s.inst_id and
chk.sid = s.sid
-- chk.serial# = s.serial#
)
order by s.inst_id, s.username, s.sid;
For completeness, this one identifies sessions which are /not/ using network encryption.
-- show all unencrypted database sessions
--
-- Note: The SERIAL# column ov [g]v$session_connect_info may be negative
-- (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
-- fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
-- from the join criteria.
--
with sessions as (
select /*+ MATERIALIZE */ inst_id, username, sid, serial#
from gv$session
where not ( type = 'BACKGROUND' or username is NULL )
),
encryption_info as (
select /*+ MATERIALIZE */ inst_id, sid, serial#,
regexp_replace( network_service_banner,
'^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
'\2'
) encryption_type
from gv$session_connect_info
where regexp_like( network_service_banner,
'^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
)
)
select s.inst_id, s.sid, s.serial#, s.username
from sessions s
left outer join encryption_info enc on ( enc.inst_id = s.inst_id and
enc.sid = s.sid
)
where enc.encryption_type is NULL
order by s.inst_id, s.username, s.sid;
On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez <ricard.martinez@xxxxxxxxx <mailto:ricard.martinez@xxxxxxxxx>> wrote:
Hi,
Trying to configure network encryption in a RAC at server level,
but confused about the need to configure the parameters in
grid_home sqlnet.ora at all or only db_home sqlnet.ora. Can
someone help me clarify it?
Thanks
--
"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move." -Douglas Adams
