Configuring Oracle SQL*Net Encryption
To properly configure the Integrity Lifecycle Manager server connection to Oracle Database, you must define a compatible connection from the client side (the Integrity Lifecycle Manager server) to the server side (the Oracle Database). It is important to remember that in this scenario, the Integrity Lifecycle Manager server is considered the client, and the Oracle Database is considered the server. For compatibility details, see the following Oracle documentation:
Of particular interest is “Table 9-1 Client/Server Negotiations for Encryption or Integrity” in the JDBC Client-Side Security Features document. The sets of algorithms and checksums enabled on the client (the Integrity Lifecycle Manager server) and on the server (the Oracle Database) must overlap, otherwise the negotiation has nothing to agree on.
The Integrity Lifecycle Manager server contains Oracle JDBC Thin driver version 12.1.0.2. As a result, it is limited to the supported set of algorithms and checksums provided by this version of the driver.
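As an added example (not from the Integrity Lifecycle Manager documentation or from Oracle), the following Python models the client/server negotiation summarized in that Oracle table, so that a planned client setting can be checked against the database's SQLNET.ENCRYPTION_SERVER / SQLNET.CRYPTO_CHECKSUM_SERVER setting before the Integrity Lifecycle Manager server is reconfigured. The algorithm names are the ones this page lists for the 12.1.0.2 thin driver; the assumption that the server's list order decides which common algorithm is used is mine, the page only states that the lists must overlap.

```python
# Added example, not from the Integrity Lifecycle Manager documentation or from Oracle.
# Models the outcome of the SQL*Net encryption / integrity negotiation between the
# client (the Integrity Lifecycle Manager server) and the server (the Oracle Database).

# Algorithm names supported by the 12.1.0.2 thin driver, as listed on this page
ENCRYPTION_ALGORITHMS = ("AES256", "AES192", "AES128", "3DES168", "3DES112",
                         "DES56C", "DES40C", "RC4_256", "RC4_128", "RC4_40", "RC4_56")
CHECKSUM_ALGORITHMS = ("MD5", "SHA1")
LEVELS = ("rejected", "accepted", "requested", "required")


def negotiate(client_level, server_level):
    """Return 'on', 'off' or 'fail' for one client/server level pair."""
    c, s = client_level.lower(), server_level.lower()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError(f"unknown negotiation level: {client_level!r}/{server_level!r}")
    pair = {c, s}
    if pair == {"rejected", "required"}:
        return "fail"   # one side insists on the service, the other refuses it
    if "rejected" in pair:
        return "off"    # otherwise a rejecting side always wins
    if pair == {"accepted"}:
        return "off"    # both sides would accept, but neither asks
    return "on"         # at least one side asks and nobody refuses


def common_algorithms(client_types, server_types, supported):
    """Algorithms both sides allow. An empty list means 'any supported algorithm'.
    Returned in server-list order (an assumption; the page only says the lists must overlap)."""
    client = [a.upper() for a in client_types] or list(supported)
    server = [a.upper() for a in server_types] or list(supported)
    return [a for a in server if a in client]


def check_service(client_level, client_types, server_level, server_types, service="encryption"):
    """Combine the level negotiation with the algorithm overlap for one service."""
    supported = ENCRYPTION_ALGORITHMS if service == "encryption" else CHECKSUM_ALGORITHMS
    outcome = negotiate(client_level, server_level)
    if outcome == "on" and not common_algorithms(client_types, server_types, supported):
        return "fail"   # both sides want the service but share no algorithm
    return outcome


if __name__ == "__main__":
    # Constructed inputs: the client settings from the worked example on this page,
    # checked against a database that only allows AES256 / any algorithm / SHA1
    print(check_service("required", ["DES40C"], "required", ["AES256"]))          # fail
    print(check_service("required", ["DES40C"], "required", []))                  # on
    print(check_service("required", ["MD5"], "accepted", ["SHA1"], "checksum"))   # fail
```

Run it against the database's actual sqlnet.ora values before editing mksservice.conf: a REQUIRED client against a REJECTED server (or two lists with no common algorithm) fails the connection outright rather than silently running unencrypted, which is the outcome you want to know about in advance.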
Setting the Properties
The Oracle documentation describes how to set data encryption parameters using a Java properties object with properties such as OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL. Integrity Lifecycle Manager does not support this approach. Instead, you must set the matching Java system properties.
These properties map directly to the main configuration options that need to be set for the Integrity Lifecycle Manager server connection to the database:
Parameter: oracle.net.encryption_client
Values: one of the following:
• accepted
• rejected
• requested
• required

Parameter: oracle.net.encryption_types_client
Values: a bracket-enclosed, comma-separated list of any of the following supported algorithms:
• AES256
• AES192
• AES128
• 3DES168
• 3DES112
• DES56C
• DES40C
• RC4_256
• RC4_128
• RC4_40
• RC4_56

Parameter: oracle.net.crypto_checksum_client
Values: one of the following:
• accepted
• rejected
• requested
• required

Parameter: oracle.net.crypto_checksum_types_client
Values: a bracket-enclosed, comma-separated list of any of the following supported algorithms:
• MD5
• SHA1
In the <Integrity Server Installation Directory>/config/mksservice.conf file, define these properties by adding mks.java.additional.<index> entries, where <index> is a number that is unique among the additional properties already in the file. These entries supply the Oracle JDBC connection properties to the Integrity Lifecycle Manager server. You must make equivalent changes for the command line utilities provided with the server by appending the same system properties to the lax.nl.java.option.additional property in each of the LAX files inside the <Integrity Server Installation Directory>/bin directory: isutil.lax, PatchServer.lax, collectSupportPackage.lax, and encryptPassword.lax.
The following example configures the Integrity Lifecycle Manager server and the supporting command line utilities to use SQL*Net encryption for the following scenario:
• Encryption is required.
• Encryption will be limited to the DES40C algorithm.
• Checksums are required.
• Checksums will be limited to the MD5 algorithm.
The first task is to update the mksservice.conf file. If this file already has additional properties defined up to index 30, you would add the following:
mks.java.additional.31=-Doracle.net.encryption_client=REQUIRED
mks.java.additional.32=-Doracle.net.encryption_types_client="( DES40C )"
mks.java.additional.33=-Doracle.net.crypto_checksum_client=REQUIRED
mks.java.additional.34=-Doracle.net.crypto_checksum_types_client="( MD5 )"
The second task is to update the LAX files. Following is the current lax.nl.java.option.additional property in this example:
lax.nl.java.option.additional=-XX:+UseCompressedOops -Dmks.installDir=c:/example/IntegrityServer
-Dmks.install=server -Duser.language=en -Djava.util.Arrays.useLegacyMergeSort=true
-Djdk.lang.Process.allowAmbiguousCommands=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2

Note: In the LAX file, this property appears on one line. Line breaks have been added here for readability.
The property would be updated as follows:
lax.nl.java.option.additional=-XX:+UseCompressedOops -Dmks.installDir=c:/example/IntegrityServer
-Dmks.install=server -Duser.language=en -Djava.util.Arrays.useLegacyMergeSort=true
-Djdk.lang.Process.allowAmbiguousCommands=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2
-Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client="( DES40C )"
-Doracle.net.crypto_checksum_client=REQUIRED -Doracle.net.crypto_checksum_types_client="( MD5 )"
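As an added example (not part of this documentation or of the product), the following Python script audits the two kinds of fragment above once they are in place: it reads mks.java.additional.<index> entries and the lax.nl.java.option.additional value, checks that every index is unique, that all four oracle.net.* client properties are present and take a valid value, that the algorithm lists are bracket-enclosed and contain only names the 12.1.0.2 thin driver supports, and flags any level below required as well as weak algorithms. The sample configuration embedded in the script is constructed for the example; it mirrors the scenario above but leaves the checksum level at REQUESTED so that the warning is visible. The set of algorithms flagged as weak is my own selection.

```python
# Added example, not from the Integrity Lifecycle Manager documentation.
# Audits the oracle.net.* client properties set through mksservice.conf and the LAX files.
import re
import shlex

LEVELS = {"accepted", "rejected", "requested", "required"}
ENCRYPTION_ALGORITHMS = {"AES256", "AES192", "AES128", "3DES168", "3DES112",
                         "DES56C", "DES40C", "RC4_256", "RC4_128", "RC4_40", "RC4_56"}
CHECKSUM_ALGORITHMS = {"MD5", "SHA1"}
# Accepted by the 12.1.0.2 thin driver but worth a warning in any review (my own selection)
WEAK_ALGORITHMS = {"DES40C", "DES56C", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}
# level property -> (matching types property, algorithms the driver supports for it)
PROPERTY_PAIRS = {
    "oracle.net.encryption_client": ("oracle.net.encryption_types_client", ENCRYPTION_ALGORITHMS),
    "oracle.net.crypto_checksum_client": ("oracle.net.crypto_checksum_types_client", CHECKSUM_ALGORITHMS),
}

# Constructed sample input modelled on the fragments on this page; the checksum level
# is deliberately left at REQUESTED so that the audit has something to warn about.
SAMPLE_MKSSERVICE_CONF = """\
mks.java.additional.30=-Dsome.existing.property=true
mks.java.additional.31=-Doracle.net.encryption_client=REQUIRED
mks.java.additional.32=-Doracle.net.encryption_types_client="( DES40C )"
mks.java.additional.33=-Doracle.net.crypto_checksum_client=REQUESTED
mks.java.additional.34=-Doracle.net.crypto_checksum_types_client="( MD5 )"
"""
SAMPLE_LAX = (
    'lax.nl.java.option.additional=-XX:+UseCompressedOops -Dmks.install=server '
    '-Doracle.net.encryption_client=REQUIRED -Doracle.net.encryption_types_client="( AES256, AES128 )" '
    '-Doracle.net.crypto_checksum_client=REQUIRED -Doracle.net.crypto_checksum_types_client="( SHA1 )"\n'
)


def parse_mksservice(text):
    """Return (jvm_options, errors) from mks.java.additional.<index> lines; a reused index is an error."""
    options, seen, errors = [], set(), []
    for line in text.splitlines():
        m = re.match(r"^\s*mks\.java\.additional\.(\d+)\s*=\s*(.*\S)\s*$", line)
        if not m:
            continue
        index = int(m.group(1))
        if index in seen:
            errors.append(f"index {index} is used more than once")
        seen.add(index)
        options.extend(shlex.split(m.group(2)))   # shlex strips the quotes around "( ... )"
    return options, errors


def parse_lax(text):
    """Return the JVM options from the single-line lax.nl.java.option.additional property."""
    for line in text.splitlines():
        if line.startswith("lax.nl.java.option.additional="):
            return shlex.split(line.split("=", 1)[1])
    return []


def system_properties(options):
    """Map -Dkey=value options to a dict; a later duplicate overrides an earlier one, as in the JVM."""
    props = {}
    for opt in options:
        if opt.startswith("-D") and "=" in opt:
            key, value = opt[2:].split("=", 1)
            props[key] = value
    return props


def parse_type_list(value):
    """'( DES40C, AES256 )' -> ['DES40C', 'AES256']; None when the value is not bracket-enclosed."""
    m = re.match(r"^\(\s*(.*?)\s*\)$", value.strip())
    if not m:
        return None
    return [a.strip().upper() for a in m.group(1).split(",") if a.strip()]


def audit(options):
    """Return (errors, warnings) for the oracle.net.* client settings among the JVM options."""
    props = system_properties(options)
    errors, warnings = [], []
    for level_key, (types_key, supported) in PROPERTY_PAIRS.items():
        level = props.get(level_key)
        if level is None:
            errors.append(f"{level_key} is not set")
        elif level.lower() not in LEVELS:
            errors.append(f"{level_key}={level!r} is not accepted/rejected/requested/required")
        elif level.lower() != "required":
            warnings.append(f"{level_key}={level}: the database can still negotiate this service off")
        types_value = props.get(types_key)
        if types_value is None:
            warnings.append(f"{types_key} is not set: any driver-supported algorithm may be negotiated")
            continue
        algorithms = parse_type_list(types_value)
        if algorithms is None:
            errors.append(f"{types_key}={types_value!r} is not a bracket-enclosed list")
            continue
        for alg in algorithms:
            if alg not in supported:
                errors.append(f"{types_key}: {alg} is not supported by the 12.1.0.2 thin driver")
            elif alg in WEAK_ALGORITHMS:
                warnings.append(f"{types_key}: {alg} is a weak algorithm")
    return errors, warnings


if __name__ == "__main__":
    print("mksservice.conf:", audit(parse_mksservice(SAMPLE_MKSSERVICE_CONF)[0]))
    print("LAX:", audit(parse_lax(SAMPLE_LAX)))
```

Point parse_mksservice at the real mksservice.conf and parse_lax at each of the four LAX files; the two results should agree, since a utility whose LAX file lacks the properties will connect with whatever the database is willing to negotiate, not with what the server enforces.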