Re: RAC server network encryption

  • From: Tim Gorman <tim.evdbt@xxxxxxxxx>
  • To: gogala.mladen@xxxxxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Thu, 11 Jul 2019 12:17:30 -0600

Perhaps because of the ability of tcpdump or snoop on a node on the same subnet to display packet contents before a switch or router is ever encountered?


On 7/11/19 11:51, Mladen Gogala wrote:


I don't see the reason for configuring network encryption on the database level. That is usually done on the router level. Why would I want to waste my precious db server processors on something that COTS network equipment can do pretty well and does pretty well for years? That is the same thing and doing RAID on lvm2 or ASM level.  Any SAN can do RAID and db server CPU is too expensive to waste on RAID or network encryption.

On 7/11/19 10:36 AM, Adric Norris wrote:
When I've configured network encryption for RAC in the past (11.2.0.x and 12.1.0.2 on Linux), the encryption/checksum settings very definitely had to be configured in the database (*not* grid) copy of sqlnet.ora. Here's the script I've used to verify that connections are indeed encrypted.

-- show all encrypted database sessions
--
-- Note: The SERIAL# column of [g]v$session_connect_info may be negative
--       (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
--       fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
--       from the join criteria.
--
column encryption format a10
column checksum   format a10
with sessions as (
   select /*+ MATERIALIZE */ inst_id, username, sid, serial#
      from gv$session
      where not ( type = 'BACKGROUND' or username is NULL )
),
session_connect_info as (
   select /*+ MATERIALIZE */ inst_id, sid, serial#, network_service_banner
      from gv$session_connect_info
),
encryption_info as (
   select inst_id, sid, serial#,
          regexp_replace( network_service_banner,
                          '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
                          '\2'
                        ) encryption_type
      from session_connect_info
      where regexp_like( network_service_banner,
                         '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
                       )
),
checksum_info as (
   select inst_id, sid, serial#,
          regexp_replace( network_service_banner,
                          '^(Oracle Advanced Security: |)([[:alnum:]]+) [Cc]rypto-checksumming service adapter.*$',
                          '\2'
                        ) checksum_type
      from session_connect_info
      where regexp_like( network_service_banner,
                         '^(Oracle Advanced Security: |)[[:alnum:]]+ [Cc]rypto-checksumming service adapter.*$'
                       )
)
select s.inst_id, s.sid, s.serial#, s.username, enc.encryption_type encryption, chk.checksum_type checksum
   from sessions s
      join encryption_info enc on ( enc.inst_id = s.inst_id and
                                    enc.sid     = s.sid
--                                  enc.serial# = s.serial#
                                  )
      join checksum_info chk on ( chk.inst_id = s.inst_id and
                                  chk.sid     = s.sid
--                                chk.serial# = s.serial#
                                )
   order by s.inst_id, s.username, s.sid;

For completeness, this one identifies sessions which are /not/ using network encryption.

-- show all unencrypted database sessions
--
-- Note: The SERIAL# column ov [g]v$session_connect_info may be negative
--       (and wholly incorrect) on 11.2.0.3, due to bug 14377082... this is
--       fixed in the 11.2.0.4 patchset. We're therefore excluding SERIAL#
--       from the join criteria.
--
with sessions as (
   select /*+ MATERIALIZE */ inst_id, username, sid, serial#
      from gv$session
      where not ( type = 'BACKGROUND' or username is NULL )
   ),
encryption_info as (
   select /*+ MATERIALIZE */ inst_id, sid, serial#,
          regexp_replace( network_service_banner,
                          '^(Oracle Advanced Security: |)([[:alnum:]]+) [Ee]ncryption service adapter.+$',
                          '\2'
                        ) encryption_type
      from gv$session_connect_info
      where regexp_like( network_service_banner,
                         '^(Oracle Advanced Security: |)[[:alnum:]]+ [Ee]ncryption service adapter.+$'
                       )
)
select s.inst_id, s.sid, s.serial#, s.username
   from sessions s
      left outer join encryption_info enc on ( enc.inst_id = s.inst_id and
                                               enc.sid = s.sid
                                             )
   where enc.encryption_type is NULL
   order by s.inst_id, s.username, s.sid;


On Wed, Jul 10, 2019 at 1:52 PM Ricard Martinez <ricard.martinez@xxxxxxxxx <mailto:ricard.martinez@xxxxxxxxx>> wrote:

    Hi,

    Trying to configure network encryption in a RAC at server level,
    but confused about the need to configure the parameters in
    grid_home sqlnet.ora at all or only db_home sqlnet.ora. Can
    someone help me clarify it?

    Thanks



--
"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move." -Douglas Adams
--
Mladen Gogala
Database Consultant
Tel: (347) 321-1217

Other related posts: