"Translated from MoS article" for Dataguard Redo Transport enable encryption


Enable encryption for Dataguard's Redo Transport

From:
Enabling encryption for Data Guard Redo Transport (document ID 749947.1)

Applies to:
Oracle Database - Enterprise Edition - Version 10.2.0.1 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 08-May-2013
Reviewed for relevance on 16-Jul-2015

Objective:
This article describes how to use the Advanced Security Option to enable encryption for Data Guard redo transport.

Scope:
Data Guard redo transport can be integrated with the Advanced Security Option (ASO) to ensure the security and confidentiality of data and redo.
ASO can be used to enable encryption, cryptographic network checksums, and authentication services between the Data Guard primary and standby databases.
ASO network encryption is available starting with Oracle 7. For example, enabling the Advanced Encryption Standard (AES) encryption algorithm simply requires some parameter changes in the sqlnet.ora file.
There is no need to create certificates or directories; just restart the database.

Starting with Oracle 8i, customers can establish certificates and SSL for a stronger security infrastructure.
Starting with Oracle 10g, Data Guard uses authenticated network sessions to transmit redo data, even if ASO is not used. These sessions are authenticated by using the password of the SYS user in the password file.
All databases in the Data Guard environment should use a password file, and the passwords stored in the password file should be consistent across all Data Guard hosts. If you want to further protect redo (for example, to encrypt redo or to compute an integrity checksum value for redo traffic over the network to disallow redo tampering on the network), Oracle recommends that you install and use ASO.

For information on configuring encryption or any advanced security services, refer to the security guides relevant for your standby database release. For example, refer to Oracle 11g's Advanced Security Administrator's Guide, Oracle 10g's Advanced Security Administrator's Guide, Oracle 9i's Advanced Security Administrator's Guide, Oracle 8i's Advanced Security Administrator's Guide, or Oracle 7's Advanced Networking Option Administrator's Guide.

Starting with 11gR2, network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Details:
The following example enables simple DES encryption in a Dataguard environment

1. Modify the sqlnet.ora file on both the primary and standby databases
When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.
In 11g, the following valid encryption algorithms are supported:
Algorithm Name       Legal Value
================================
RC4 256-bit key      RC4_256
RC4 128-bit key      RC4_128
RC4 56-bit key       RC4_56
RC4 40-bit key       RC4_40
AES 256-bit key      AES256
AES 192-bit key      AES192
AES 128-bit key      AES128
3-key 3DES           3DES168
2-key 3DES           3DES112
DES 56-bit key       DES
DES 40-bit key       DES40

# Setting the encryption parameters
SQLNET.CRYPTO_SEED = "Kclabefmnoc"
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = AES128
SQLNET.ENCRYPTION_TYPES_SERVER = AES128

Note that this setting requires that all clients connecting to this database have the Advanced Security Option installed; otherwise they cannot connect to the database. If you want Data Guard to use the Security Option using the method shown, set
SQLNET.ENCRYPTION_SERVER = ACCEPTED
instead.
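
How the REQUIRED and ACCEPTED settings above play out, as an added example (not code from the MOS note or from Oracle): a small model of Oracle Net's documented negotiation rules, in which the server takes the first algorithm in its own list that the client also lists. The function names, the `installed` default list and the sample configurations are assumptions.

```python
import re

def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text; names are case-insensitive."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.+?)\s*$", line.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def algorithms(value, default):
    """'(AES256, AES128)' or 'AES128' -> ['AES256', 'AES128']; unset -> default."""
    return [a.upper() for a in re.findall(r"\w+", value)] or list(default)

# `installed` is an assumption: the list used when ENCRYPTION_TYPES_* is not set.
def negotiate(client_ora, server_ora, installed=("AES256", "AES192", "AES128")):
    """Return the chosen algorithm, 'OFF' (cleartext) or 'FAIL' (connection refused)."""
    c, s = parse_sqlnet(client_ora), parse_sqlnet(server_ora)
    levels = {c.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED").upper(),
              s.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper()}
    if "REJECTED" in levels:
        return "FAIL" if "REQUIRED" in levels else "OFF"
    if levels == {"ACCEPTED"}:          # neither side asked for encryption
        return "OFF"
    c_algs = algorithms(c.get("SQLNET.ENCRYPTION_TYPES_CLIENT", ""), installed)
    s_algs = algorithms(s.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""), installed)
    for alg in s_algs:                  # first server entry the client also lists
        if alg in c_algs:
            return alg
    return "FAIL" if "REQUIRED" in levels else "OFF"

# Constructed inputs: the page's settings, and the ACCEPTED variant from the note.
PAGE = """\
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = AES128
SQLNET.ENCRYPTION_TYPES_SERVER = AES128
"""
NOTE = PAGE.replace("ENCRYPTION_SERVER = REQUIRED", "ENCRYPTION_SERVER = ACCEPTED")
PLAIN_CLIENT = ""                       # a client with no encryption settings

if __name__ == "__main__":
    print(negotiate(PAGE, PAGE))            # both Data Guard sites as on the page
    print(negotiate(NOTE, NOTE))            # redo transport with the ACCEPTED variant
    print(negotiate(PLAIN_CLIENT, NOTE))    # an ordinary client, ACCEPTED variant
```

With ENCRYPTION_SERVER = ACCEPTED, redo transport is still encrypted because the sending Data Guard site acts as the client and keeps ENCRYPTION_CLIENT = REQUIRED, while a client with no encryption settings connects in cleartext.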

2. Restart the primary and standby databases and verify that encryption is working

   1. Turn on sqlnet tracing

      TRACE_DIRECTORY_SERVER=<directory>
      TRACE_LEVEL_CLIENT=16
      TRACE_LEVEL_SERVER=16

   2. Search for "encryption" in the corresponding network trace files. You'll see messages similar to those below:

      [28-aug-2008 15:41:36:454] sqlnet.encryption_types_client = AES128
      [28-aug-2008 15:41:36:454] sqlnet.encryption_types_server = AES128
      [28-aug-2008 15:41:36:454] sqlnet.encryption_client = Required
      [28-aug-2008 15:41:36:454] sqlnet.encryption_server = Required
      ...
      [29-aug-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
      [29-aug-2008 16:03:45:974] na_tns: encryption is active, using AES128

   3. Ensure that plaintext messages (readable ASCII) are not in your redo network packets.

      CREATE TABLE test (a VARCHAR2(100));
      INSERT INTO test VALUES ('Redo encryption is working');
      COMMIT;

      Wait until the redo is sent to the standby and then check the net trace files for the above plaintext.
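
The trace checks in steps 2 and 3, as an added example (not part of the MOS note): a scanner that reports a missing "encryption is active" message, a negotiated algorithm with a key of 56 bits or less, and any line containing the inserted test string. The sample traces are constructed; their `payload:` lines are a simplified stand-in for packet dump lines, not real trace output.

```python
import re

# Message format as in the trace excerpt above; matching is case-insensitive.
ACTIVE = re.compile(r"na_tns:\s*encryption is active, using\s+(\w+)", re.I)
SHORT_KEY = {"DES", "DES40", "RC4_40", "RC4_56"}   # 56-bit keys or shorter

def check_trace(trace_text, marker):
    """Return a list of problems found in one trace file; empty means it passed."""
    problems = []
    negotiated = {m.group(1).upper() for m in ACTIVE.finditer(trace_text)}
    if not negotiated:
        problems.append("no 'encryption is active' message")
    for alg in sorted(negotiated & SHORT_KEY):
        problems.append(f"short-key algorithm negotiated: {alg}")
    for number, line in enumerate(trace_text.splitlines(), 1):
        if marker.lower() in line.lower():
            problems.append(f"plaintext marker on line {number}")
    return problems

MARKER = "Redo encryption is working"   # the row inserted in step 3

# Constructed sample traces (see the lead-in for what is assumed).
ENCRYPTED = """\
[29-aug-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
[29-aug-2008 16:03:45:974] na_tns: encryption is active, using AES128
[29-aug-2008 16:03:46:120] payload: 9f 3a c1 07 5e b2
"""
CLEARTEXT = """\
[29-aug-2008 16:03:46:120] payload: Redo encryption is working
"""
WEAK = ENCRYPTED.replace("AES128", "DES40")

if __name__ == "__main__":
    for name, trace in (("ENCRYPTED", ENCRYPTED), ("CLEARTEXT", CLEARTEXT), ("WEAK", WEAK)):
        print(name, check_trace(trace, MARKER) or "ok")
```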

Oracle recommends using ASO for encryption, because ASO is tested and integrated with Oracle Net and Data Guard.

Note: From 11.2.0.4, sqlnet tracing can be enabled dynamically for the Data Guard background processes only; see "Step by Step Method to Enable SQLNET (Server Tracing) Dynamically on Dataguard" (Doc ID 2010476.1).
