Oracle

驗證客戶端是否使用本機網路加密連接到 Oracle 數據庫

  • December 13, 2021

我的環境如下-

伺服器:Oracle 12C 12.1.0.2.v17(AWS RDS 服務)

客戶端:Windows 2012 機器,Oracle 19C 64 位完整客戶端

工具:客戶端機器上的 SQL Developer 和 Toad

我已按照這些說明為 RDS 服務配置了本機網路加密。

我在 RDS 上設置了以下選項 -

SQLNET.ENCRYPTION_SERVER= Accepted
SQLNET.ENCRYPTION_TYPES_SERVER= AES256

客戶端 Oracle 19c 64 位主目錄為 C:\oracle\product\19.0.0\client_1\network\admin\sqlnet.ora

兩個客戶端工具都使用上述路徑中的 TNS 名稱;我通過使用驗證了這一點 tnsping

sqlnet.ora客戶端有以下選項 -

SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)

完成上述配置後,我重新啟動了我的 windows 機器(只是為了確保)並能夠使用 Toad 和 SQL Developer 工具建立與 RDS 的連接。

我的問題:如何驗證我的連接是否已加密?

我嘗試執行以下查詢 -

select NETWORK_SERVICE_BANNER
from v$session_connect_info
where SID = sys_context('USERENV','SID');

我看到的輸出是

TCP/IP NT Protocol Adapter for Linux: Version 12.1.0.2.0 - Production

Encryption service for Linux: Version 12.1.0.2.0 - Production

Crypto-checksumming service for Linux: Version 12.1.0.2.0 - Production

SHA1 Crypto-checksumming service adapter for Linux: Version 12.1.0.2.0 - Production

我在輸出中沒有看到“AES256 加密” NETWORK_SERVICE_BANNER

相關問題:我需要從這台機器到我的伺服器的所有客戶端連接都使用加密。有沒有辦法通過使用登錄觸發器來強制執行此操作?

您對我的評論感到困惑,accepted伺服器端和required客戶端 sqlplus 連接已加密,帶有瘦客戶端的 Sql Developer 未加密,但具有厚客戶端連接的同一個 Sql Developer 已加密。(Toad 超出了我從未使用過的範圍)。換句話說accepted,伺服器端正在按預期工作。

讓我為你示範

sqlnet.ora on server 

   $ cat $TNS_ADMIN/sqlnet.ora
   # sqlnet.ora Network Configuration File: /u01/app/oracle/product/19/network/admin/sqlnet.ora
   # Generated by Oracle configuration tools.
   
   NAMES.DIRECTORY_PATH= (TNSNAMES, ONAMES, HOSTNAME)
   
   SQLNET.ENCRYPTION_SERVER = accepted
   
   SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
   
   SQLNET.CRYPTO_CHECKSUM_SERVER = required
   
   [CDB2] oracle@hol:~
   
  Client side Window 10 Pro

sqlnet.ora

# sqlnet.ora Network Configuration File: C:\app\oracle\product\19.3.0\db_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to 
# install "Software Only", this file wont exist and without the native 
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

#SQLNET.ENCRYPTION_CLIENT=REQUIRED   -- commented out
#SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256) -- commented out



   SQL> @network_encryption

NETWORK_SERVICE_BANNER
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production

現在我將取消註釋 sqlnet.ora 客戶端中的最後兩行

# sqlnet.ora Network Configuration File: C:\app\oracle\product\19.3.0\db_1\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to 
# install "Software Only", this file wont exist and without the native 
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.ENCRYPTION_CLIENT=REQUIRED

SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)




ADR_BASE = C:\app\oracle\product\19.3.0\db_1\log


SQL> @network_encryption

NETWORK_SERVICE_BANNER
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production
AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production
SHA1 Crypto-checksumming service adapter for Linux: Version 19.0.0.0.0 - Production
Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production
Encryption service for Linux: Version 19.0.0.0.0 - Production.

現在讓我們用 Sql Developer 瘦客戶端進行測試

在此處輸入圖像描述

從上圖中可以看出它使用了 jdbc 瘦驅動程序。讓我們檢查一下 Sql Developer 中的 sql 輸出,正如預期的那樣,沒有 AES256 加密

在此處輸入圖像描述

現在我將切換到胖客戶端,檢查兩個圖像 在此處輸入圖像描述

在此處輸入圖像描述

希望這能解決

引用自:https://dba.stackexchange.com/questions/255537