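Verify that a client is connecting to an Oracle database using native network encryption
My environment is as follows -
Server: Oracle 12C 12.1.0.2.v17 (AWS RDS service)
Client: Windows 2012 machine, Oracle 19C 64-bit full client
Tools: SQL Developer and Toad on the client machine
I have configured native network encryption for the RDS service following these instructions.
I set the following options on RDS -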
SQLNET.ENCRYPTION_SERVER= Accepted
SQLNET.ENCRYPTION_TYPES_SERVER= AES256
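The client Oracle 19c 64-bit home is C:\oracle\product\19.0.0\client_1\network\admin\sqlnet.ora
Both client tools use the TNS names from the path above; I verified this using tnsping.
In sqlnet.ora, the client has the following options -
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
After completing the configuration above, I restarted my Windows machine (just to be sure) and was able to establish connections to RDS using both Toad and SQL Developer.
My question: how do I verify that my connection is encrypted?
I tried running the following query -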
select NETWORK_SERVICE_BANNER from v$session_connect_info where SID = sys_context('USERENV','SID');
The output I see is
TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production
Encryption service for Linux: Version 12.1.0.2.0 - Production
Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production
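I do not see "AES256 encryption" in the NETWORK_SERVICE_BANNER output.
Related question: I need all client connections from this machine to my server to use encryption. Is there a way to enforce this using a logon trigger?

You are confused by my comment. With accepted on the server side and required on the client side, the sqlplus connection is encrypted; SQL Developer with the thin client is not encrypted, but the same SQL Developer with a thick client connection is encrypted. (Toad is out of my scope, as I have never used it.) In other words, accepted on the server side is working as expected. Let me demonstrate for you.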
sqlnet.ora on server

$ cat $TNS_ADMIN/sqlnet.ora
# sqlnet.ora Network Configuration File: /u01/app/oracle/product/19/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, ONAMES, HOSTNAME)
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
[CDB2] oracle@hol:~

Client side Window 10 Pro sqlnet.ora

# sqlnet.ora Network Configuration File: C:\app\oracle\product\19.3.0\db_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
#SQLNET.ENCRYPTION_CLIENT=REQUIRED -- commented out
#SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256) -- commented out

SQL> @network_encryption
NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production
Now I will uncomment the last two lines in the client sqlnet.ora
# sqlnet.ora Network Configuration File: C:\app\oracle\product\19.3.0\db_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)
ADR_BASE = C:\app\oracle\product\19.3.0\db_1\log

SQL> @network_encryption
NETWORK_SERVICE_BANNER
--------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production.
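Now let's test with the SQL Developer thin client.
As can be seen from the picture above, it uses the JDBC thin driver. Let's check the SQL output in SQL Developer; as expected, there is no AES256 encryption.
Hope this resolves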
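
An added example, not part of the original question or answer: the banner check from the question, run across all user sessions so that each one is reported with its negotiated encryption and checksum algorithm. It assumes the banner wording shown in the outputs above ("AES256 Encryption service adapter", "SHA1 Crypto-checksumming service adapter") and SELECT access to v$session and v$session_connect_info.

```sql
-- Added example: per-session audit of native network encryption.
-- v$session_connect_info holds one row per banner line, so the rows are
-- grouped per session and the algorithm name is extracted from the
-- "<ALG> Encryption service adapter" and
-- "<ALG> Crypto-checksumming service adapter" lines.
-- The generic "Encryption service for Linux" line is deliberately not
-- matched: it appears in both the encrypted and unencrypted outputs above.
SELECT s.sid,
       s.serial#,
       s.username,
       s.machine,
       s.program,
       NVL(MAX(REGEXP_SUBSTR(i.network_service_banner,
                             '^\s*(\S+) Encryption service adapter',
                             1, 1, NULL, 1)),
           'NONE') AS encryption_alg,
       NVL(MAX(REGEXP_SUBSTR(i.network_service_banner,
                             '^\s*(\S+) Crypto-checksumming service adapter',
                             1, 1, NULL, 1)),
           'NONE') AS checksum_alg
FROM   v$session s
       LEFT JOIN v$session_connect_info i
              ON  i.sid     = s.sid
              AND i.serial# = s.serial#
WHERE  s.type = 'USER'
GROUP  BY s.sid, s.serial#, s.username, s.machine, s.program
ORDER  BY encryption_alg, s.username;
```

A session reported with encryption_alg = 'NONE' negotiated no native encryption adapter, which is the state the answer shows for the first sqlplus test and for the SQL Developer thin-driver session.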