Most security measures for Oracle databases are usually aimed at protecting and hardening the database itself. This includes secure configuration, implementation of the least privilege principle, reduction of the attack surface, encryption at REST, database audit and much more. Sometimes, however, it is forgotten that the database also communicates with the outside world. Without additional measures, network access to Oracle databases is always unencrypted. This is due to the standard settings and the fact that network encryption was part of the Advanced Security Option until mid-2012 and therefore subject to licensing. Due to the security vulnerability CVE-2012-1675, the licensing of network encryption was subsequently adjusted. The following information can now be found in all Oracle licence documents under Advanced Security.

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Oracle® Database Database Licensing Information User Manual 21c Oracle Database Options and Their Permitted Features

Although it has been a decade since the adaptation, in my opinion network encryption is still underused. Its use should be standard nowadays.

You ask yourself why? Have you ever created a user or changed its password? Then you may know this statement.

ALTER USER scott IDENTIFIED BY tiger;

It is a regular SQL statement that is sent from the client to the server to be parsed and executed. For non-encrypted connections, the statement is sent in plain text and can be viewed by any tracing.

Why Use TLS Encryption with Oracle SQLNet

With Oracle databases, two different methods are available for network encryption:

• Oracle Native Network Encryption Standard network encryption is based on symmetric encryption with AES or other algorithms, whereby the key is negotiated when the connection is established. The configuration is very simple with sqlnet.ora on the database server, optionally also on the client side. In addition, no certificates are required. If required, the encryption can also be combined with the integrity check.
• Oracle TLS Network Encryption SSL or TLS based Network Security uses a certificate based approach to securely establish a connection between a client and an Oracle Database Server. Similar to what is known from HTTPS. The network encryption and integrity check can be combined with the authentication. The use of certificates, dedicated TCPS port etc. makes the configuration a little more complex. However, it offers additional protection against man-in-the-middle attacks or the possibility of single sing on. Thus it’s configuration can be a bit cumbersome.

See also Oracle® Database Security Guide 19c Choosing Between Native Network Encryption and Transport Layer Security for a comparsion of the two methods. In this blog post, however, we will discuss only the simple TLS connection without a client wallet i.e., no client authorisation.

Simplified TLS Configuration Steps

Prepare Software Keystore for TLS

Create a folder in TNS_ADMIN or another location suitable for the software Keystore.

mkdir -p $ORACLE_BASE/network/wallet

Create an Oracle software Keystore using orapki. See Oracle® Database Security Guide 19c Appendix F Managing Public Key Infrastructure (PKI) Elements

orapki wallet create -wallet $ORACLE_BASE/network/wallet -pwd <PASSWORD> -auto_login_local

Create a certificate request for the distinguished name of the database server db19.trivadislabs.com.

orapki wallet add -wallet $ORACLE_BASE/network/wallet -dn 'CN=db19,dc=trivadislabs,dc=com' -asym_alg RSA -keysize 4096 -pwd <PASSWORD>

Export the certificate request for transfer to the Certification Authority for signing.

orapki wallet export -wallet $ORACLE_BASE/network/wallet -dn 'CN=db19,dc=trivadislabs,dc=com' -request $ORACLE_BASE/network/wallet/db19.trivadislabs.com.csr

Windows Certification Authority

Depending on the environment, you can send the certificate request to a certification authority and receive the signed certificate back. This eliminates the steps described in this section. In my lab environment, however, I have to do everything myself. This includes the operation of a Certification Authority. But this runs on my Microsoft Active Directory Server anyway. Please adapt the following steps accordingly to your environment.

Copy the certificate request from the database server to the windows server. Ido have putty configured on my AD Server. This makes it easier to push / pullstuff from respectively to the database server.

C:\u00\app\oracle\network\admin
pscp.exe db19.trivadislabs.com:/u01/app/oracle/network/wallet/db19.trivadislabs.com.csr db19.trivadislabs.com.csr

The certreq utility will pop up with a list of CA’s. Select the correct one and let the CA create a signed certificate.

We do also require the Root certificate as well any intermediate certificate for
the software Keystore. Below you find the command certutil to export the Root
certificate. This does create binary version of the Root ceritificate and
display the PEM / Base64 format of the certificate. Make sure, to copy the
Base64 information into a test file. In my case I do store it into trivadislabs.com.pem.

C:\>certutil -ca.cert -f %TNS_ADMIN%\trivadislabs.com.cer
CA cert[0]: 3 -- Valid
CA cert[0]:
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIQcYnHlk5iwpRJTdc77kEmaTANBgkqhkiG9w0BAQsFADBd
MRMwEQYKCZImiZPyLGQBGRYDY29tMRwwGgYKCZImiZPyLGQBGRYMdHJpdmFkaXNs
YWJzMSgwJgYDVQQDEx9Ucml2YWRpcyBMQUIgRW50ZXJwcmlzZSBSb290IENBMB4X
DTIzMDUwNTA1NTIxOFoXDTI4MDUwNTA2MDIxNVowXTETMBEGCgmSJomT8ixkARkW
A2NvbTEcMBoGCgmSJomT8ixkARkWDHRyaXZhZGlzbGFiczEoMCYGA1UEAxMfVHJp
dmFkaXMgTEFCIEVudGVycHJpc2UgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBANHr4q+v9SHOI+nofbFA+qa3zVWPXuKzuS+eI1a54n1qNnwL
cEH0/SEXAZ7e/XfHN9KrFLIKhCw3b9LW85Co1PPjcP0B087Se/kwReBkD29L9FJG
qElIaVfKGJ/nZ8jyCrnQg5b5w5N0Xm8cWzMuV2iYu/m4/f3oz1+Rcrwgeka64dbv
IWuVjWkvRvhN0zNJHwY5jKYS59FFpFghhy0VNF7xXH5dFBepE+OPBST+Zfiu13iG
qqvraPdB4TblfBtI2YknlBCuWiNm1I+crSr2rptR4gDOud9YC0+OwmMdwPhdf7DK
sjyt/Gp0hbVT9rc1tmN9MuxxyY3Jg7b0rE+UfNluNQAt2eW8XZ5IsZxiXE+weeC5
+pwojRQPNiZC1k+LMiwCJEspTxWj1M9Qf3spWcjMKiPt1qpT4fjwladdpv5FX9AX
Z+YbgUjqviD1zwOVoc8hRlY6pctaFAx8+icjrsREjIU6yAi3ng/HcjYpiL/pd9M7
buNUB2KCYsgSKMvd++FibOxfGSPfYyYZjJ+cX8TvHpHnq507S1cPcXzQWxhqu2sc
7/OXTO5DKKUxJ/1MWb0X+Nqk7C4RGmONpvdnVTVQfVbnX9j53+8Gt7PmYOac8avJ
DNyuijBf4olcC2IoihLJCHHkToA6KhcYRNMLxOaLXyebWAHZIrMRWQbIeyl1AgMB
AAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT5
inf+t2/lUJIH2J0fYVUnfn2NBTAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0B
AQsFAAOCAgEAblL0JuP8Ql06CYMSHw+3u24c9VKaN8m8+rzaS477j+MPyzsGzbT0
Yq4bcKJFmKnZbN1Tw/sa0u1CxvlJvGeFU4KMaR72/KefEJ1Tc6AfDZrYVMeWCflo
S5lqYrj9+VR4NplPb4vYipO5St4vaergPk5gC35q1/6FL9E2nsucXb5rCgqoqLHM
P7Pg+iA2oaMvaOTfNEVIjDkuVcyTbOFezzKxDQfvdcj82gnHbc+qWq/YsKExzPlC
3rGhSUzb69fzMzzcuPxhkH35vKYSsFvTs2Va6Ztzapzbqrqorm2oZFlwL2yZboA2
AT4Mt33JK514oKeUB5unceqWIUxTeUHOLHhyoDSMRhFCeja7T8CmHD2+TIWWNbwu
q9XfoZkUcBewk+3UVQZCrkQhP6RIxI6H5Dd9fh4A+ugMAxwzUG2unsMa1yN6U/pC
7sLCrgdtZq7hQ1DtgE8Y/RxpPYNt9dtUbXWGM3a7gUBfgz+8BDaeOYPx+IycVipf
p5+Lq1RZl6zEaz1MrVEA6nnncTe1k52E1txQMgHi7x0Kn/k5OGLkJY3dTbwjxM6n
Yh/jzRP5/v0rmC2Ia/MmIiuxtV2K6pAZIlTSPVPW+NErGUn2YvAjl868w0h9Btxp
1VdZEK8h5TwG5W55t6gNGOxgkJPQAV+Ma4FfExK20qBsAIqlSAYfiKA=
-----END CERTIFICATE-----

CertUtil: -ca.cert command completed successfully.

Copy the Root CA as well the signed certificate back to the db server

pscp.exe %TNS_ADMIN%\db19.trivadislabs.com.pem db21:/u01/app/oracle/network/wallet/db19.trivadislabs.com.pem
pscp.exe %TNS_ADMIN%\trivadislabs.com.pem db21:/u01/app/oracle/network/wallet/trivadislabs.com.pem

Finalize Software Keystore

Back on the linux environment we first verify the certificates using openssl.

openssl verify -CAfile $ORACLE_BASE/network/wallet/trivadislabs.com.pem $ORACLE_BASE/network/wallet/db19.trivadislabs.com.pem

Add the trusted certificate from Active Directory to the software keystore.

orapki wallet add -wallet $ORACLE_BASE/network/wallet -trusted_cert -cert $ORACLE_BASE/network/wallet/trivadislabs.com.pem -pwd <PASSWORD>

Add the signed user certificate from Active Directory to the software keystore.

orapki wallet add -wallet $ORACLE_BASE/network/wallet -user_cert -cert $ORACLE_BASE/network/wallet/db19.trivadislabs.com.pem -pwd <PASSWORD>

Show certificates in keystore.

orapki wallet display -wallet $ORACLE_BASE/network/wallet

oracle@db19:~/ [rdbms19] orapki wallet display -wallet $ORACLE_BASE/network/wallet

Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.

Requested Certificates: 
User Certificates:
Subject:        CN=db19,DC=trivadislabs,DC=com
Trusted Certificates: 
Subject:        CN=Trivadis LAB Enterprise Root CA,DC=trivadislabs,DC=com

Configuration of sqlnet.ora

We update the sqlnet.ora file to cover the new wallet and set the SSL / TLS configuration. Just add / update the following parameter.

• SSL_CLIENT_AUTHENTICATION Parameter to specify whether a client is authenticated using Transport Layer Security (TLS)
• SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS This parameter is used on the server-side to ignore the value set in SQLNET.ENCRYPTION_SERVER for TCPS connections (effectively disabling ANO encryption on the TCPS listener).
• SSL_VERSION Used to define valid Transport Layer Security (TLS) versions to be used for connections.
• SSL_CIPHER_SUITES Parameter to control the combination of authentication, encryption, and data integrity algorithms used by Transport Layer Security (TLS).
• WALLET_LOCATION Use the sqlnet.ora parameter WALLET_LOCATION to specify the location of Oracle wallets.

More information about the sqlnet.ora parameter can be found in Oracle® Database Database Net Services Reference 19c chapter 5 Parameters for the sqlnet.ora File. Below you find an example of our sqlnet.or configuration.

# ---------------------------------------------------------------
# SSL/TLS Configuration for SQLNet
# ---------------------------------------------------------------
SSL_CLIENT_AUTHENTICATION=FALSE
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS = TRUE
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
WALLET_LOCATION=
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
         (DIRECTORY=/u01/app/oracle/network/wallet)))

The sqlnet.ora file must be adapted on both the client and the server. On the database server, the sqlnet.ora applies to both.

Configuration of listener.ora

As is known from HTTP and HTTPS, a separate port must also be configured for SQLNet with TLS. This is done with the help of the listener.ora file. To do this example, we simply extend the default listener with an additional port for TCPS.

vi $TNS_ADMIN/listener.ora

LISTENER =
    (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL=IPC )(KEY=LISTENER ))
        (ADDRESS = (PROTOCOL = TCP ) (HOST = db19 ) (PORT = 1521 ))
        (ADDRESS = (PROTOCOL = TCPS ) (HOST = db19 ) (PORT = 1522 ))
    )

In addition, we add the SSL / TLS configuration to the listener.ora file.

# ---------------------------------------------------------------
# SSL/TLS configuration
# ---------------------------------------------------------------
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION=
  (SOURCE=
      (METHOD=file)
      (METHOD_DATA=
         (DIRECTORY=/u01/app/oracle/network/wallet)))

On my environment I do have a firewall running. Therefor we have to open the new port for TCPS.

sudo firewall-cmd --zone=public --add-port=1522/tcp
sudo firewall-cmd --zone=public --add-port=1522/tcp --permanent
sudo systemctl restart firewalld
sudo firewall-cmd --zone=public --list-all

Finally, we restart the listener to activate the changes.

lsnrctl stop
lsnrctl start

Lets use openssl to verify the port and certificate.

openssl s_client -connect db19.trivadislabs.com:1522

Configuration of tnsnames.ora

Last but not least, the corresponding entries in tnsnames.ora must be defined for the connection via the new port. Enclosed is the example of the connection strings for the database TDB01 with and without TLS.

TDB01.trivadislabs.com=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db19)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=TDB01.trivadislabs.com))(UR=A))
TDB01_TLS.trivadislabs.com=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db19)(PORT=1522))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=TDB01.trivadislabs.com))(UR=A))

Connection Tests

Simple test with SQLPlus and a connection to the regular TCP port.

oracle@db19:~/ [rdbms19] sqlplus system@TDB01

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Sep 8 14:15:44 2023
Version 19.19.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password: 
Last Successful login time: Thu Sep 07 2023 10:22:42 +02:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0

SQL> 

Checking the USERENV context for the network protocol to see if we do use TCP or TCPS.

SQL> SELECT sys_context('userenv','network_protocol') FROM dual;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcp

And the same connecting the TCPS port.

oracle@db19:~/ [rdbms19] sqlplus system@TDB01_TLS

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Sep 8 14:18:35 2023
Version 19.19.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Enter password: 
Last Successful login time: Fri Sep 08 2023 14:15:47 +02:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.19.0.0.0

SQL

Checking the USERENV context for the network protocol to see if we do use TCP or TCPS.

SQL> SELECT sys_context('userenv','network_protocol') FROM dual;

SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
--------------------------------------------------------------------------------
tcps

We do see, that we now have the TCPS protocol in use.

Conclusion

If you leave out authentication, configuring TLS network security for Oracle databases is not that difficult. Of course, there is still the effort of managing the certificates and especially their validity period accordingly. Nevertheless, the effort is worth it when security requirements are increased. As a good practice I try to implement the following priorities:

1. As a standard, configure the Oracle native network encryption with at least REQUESTED. Idealy combined with integrity check also set to REQUESTED.
2. Enforcing the network encryption by setting it on the Database Server to REQUIRED.
3. Implement TLS based network security to protect against man-in-the-middle attacks.
4. Consider the use of strong authentication i.e. Kerberos or TLS based authentication.

References and Further Reading

A few links and references to relevant documentation, blog posts and other external resources for further reading.

• Oracle® Database Security Guide 19c Configuring Transport Layer Security Authentication
• Oracle® Database Security Guide 19c Appendix F Managing Public Key Infrastructure (PKI) Elements
• Oracle® Database Database Net Services Reference 19c chapter 5 Parameters for the sqlnet.ora File
• Oracle® Database Database Licensing Information User Manual 21c Oracle Database Options and Their Permitted Features
• Oracle Support Note 762286.1 End To End Examples of using SSL With Oracle’s JDBC THIN Driver
• Oracle Support Note 2959952.1 Configuring Oracle Database with Transport Layer Security (TLS) for Oracle Client Authentication and Encryption with X.509 (e.g. PIV or CAC) Certificates
• Oracle Support Note 736510.1 Step by Step Guide To Configure SSL Authentication
• Oracle Support Note 262394.1 A Simple Example of a TCPS Loopback Connection Using OpenSSL.
• Oracle Support Note 2739836.1 How To Check SSL Certificate Expiry Date and Distribution Name (DN)?
• Oracle Support Note 1629906.1 How to Create a Wallet via ORAPKI in Fusion Middleware 12c (12.1.x)
• ORACLE BASE Configuration of TCP/IP with SSL and TLS for Database Connections
• ORACLE BASE Native Network Encryption for Database Connections