[Translated from MOS] Enable encryption for Data Guard Redo Transport

Source: Internet
Author: User

Enable encryption for Data Guard's Redo Transport

Source:
Enabling Encryption for Data Guard Redo Transport (Document ID 749947.1)

Applicable:
Oracle Database-Enterprise Edition-Version 10.2.0.1 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
*** Checked for relevance on 08-MAY-2013 ***
*** Reviewed for relevance 16-Jul-2015 ***

Purpose:
This topic describes how to enable encryption for Data Guard redo transport using the Advanced Security Option.

Range:
Data Guard redo transport can be integrated with the Advanced Security Option (ASO) to ensure the security and confidentiality of data and redo.
ASO can be used to enable encryption, cryptographic network checksums, and authentication between the primary and standby databases of a Data Guard configuration.
ASO network encryption has been available since Oracle 7. For example, to enable the Advanced Encryption Standard (AES) encryption algorithm, you only need to make some parameter changes in the sqlnet.ora file.
You do not need to create a certificate or directory. You only need to restart the database.

Starting from Oracle 8i, customers can set up certificates and SSL for a stronger security infrastructure.
From Oracle 10g, Data Guard uses authenticated network sessions to transmit redo data, even if ASO is not used. These sessions are authenticated by using the password of the SYS user in the password file.
All databases in the Data Guard environment should use a password file, and the password stored in the password file should be consistent on all Data Guard hosts. If you want to further protect redo (for example, to encrypt redo or compute an integrity checksum value for redo traffic over the network to disallow redo tampering on the network), Oracle recommends that you install and use ASO.

For information about configuring encryption or any advanced security service, see the security guides relevant for your standby database release. For example, refer to Oracle 11g's Advanced Security Administrator's Guide, Oracle 10g's Advanced Security Administrator's Guide, Oracle 9i's Advanced Security Administrator's Guide, Oracle 8i's Advanced Security Administrator's Guide, or Oracle 7's Advanced Networking Option Administrator's Guide.

Starting with 11gR2 Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Details:
The following example shows how to enable simple DES encryption in the DataGuard environment.

1. Modify the sqlnet.ora file on both the primary and standby databases.
When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.
In 11g, the following encryption algorithms are supported:
Algorithm Name        Legal Value
==================================
RC4 256-bit key       RC4_256
RC4 128-bit key       RC4_128
RC4 56-bit key        RC4_56
RC4 40-bit key        RC4_40
AES 256-bit key       AES256
AES 192-bit key       AES192
AES 128-bit key       AES128
3-key 3DES            3DES168
2-key 3DES            3DES112
DES 56-bit key        DES
DES 40-bit key        DES40

# Setting the encryption parameters
sqlnet.crypto_seed = "kclabefmnoc"
sqlnet.encryption_server = required
sqlnet.encryption_client = required
sqlnet.encryption_types_client = AES128
sqlnet.encryption_types_server = AES128

-> Note that with this setting, all clients connecting to this database must have the Advanced Security Option installed, otherwise they cannot connect to the database. If you only want Data Guard to use the security option by the method shown, set
sqlnet.encryption_server = accepted
instead.
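
The effect of `required` versus `accepted` in the note above can be worked through per connection. The following is an added example, not part of the original Oracle note: the function name `negotiate` is hypothetical, and the values `requested` and `rejected` are the other two legal settings of these parameters, which the note does not list.

```shell
#!/bin/sh
# Added example (not from the Oracle note): predicted outcome of Oracle Net
# encryption negotiation for a single connection.
#   $1 = SQLNET.ENCRYPTION_CLIENT on the connecting side
#   $2 = SQLNET.ENCRYPTION_SERVER on the receiving side
#   $3 = client algorithm list, $4 = server algorithm list (comma separated)
negotiate() {
    client=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    server=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    clist=$(printf '%s' "$3" | tr -d ' ' | tr 'a-z' 'A-Z')
    slist=$(printf '%s' "$4" | tr -d ' ' | tr 'a-z' 'A-Z')
    # The server walks its own list and takes the first entry the client offers.
    common=""
    for alg in $(printf '%s' "$slist" | tr ',' ' '); do
        case ",$clist," in *",$alg,"*) common=$alg; break ;; esac
    done
    case "$client/$server" in
        rejected/required|required/rejected) echo "FAIL"; return 0 ;;
        rejected/*|*/rejected|accepted/accepted) echo "OFF"; return 0 ;;
    esac
    # From here on at least one side asks for encryption and neither refuses.
    if [ -n "$common" ]; then
        echo "ON:$common"
    else
        case "$client/$server" in
            *required*) echo "FAIL" ;;   # required, but no shared algorithm
            *) echo "OFF" ;;
        esac
    fi
}

# Redo shipping: primary (client side, required) to standby (server side, accepted).
negotiate required accepted AES128 AES128     # ON:AES128
# A client that only sets accepted, connecting to the same standby.
negotiate accepted accepted AES128 AES128     # OFF
```

With `encryption_server = accepted`, redo sessions are still encrypted because the sending side sets `encryption_client = required`, while clients that do not ask for encryption connect in clear text.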

2. Restart the primary and standby databases, and verify that encryption works.

   1. Turn on sqlnet tracing:

      trace_directory_server = <directory>
      trace_level_client = 16
      trace_level_server = 16

   2. Search for "encryption" in the corresponding network trace files. You will see messages similar to those below:

      [28-AUG-2008 15:41:36:454] sqlnet.encryption_types_client = AES128
      [28-AUG-2008 15:41:36:454] sqlnet.encryption_types_server = AES128
      [28-AUG-2008 15:41:36:454] sqlnet.encryption_client = required
      [28-AUG-2008 15:41:36:454] sqlnet.encryption_server = required
      ...
      [29-AUG-2008 16:03:45:973] naeecom: The server chose the 'aes128' encryption algorithm
      [29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128

   3. Ensure that plaintext messages (readable ASCII) are not in your redo network packets:

      create table test (a varchar2(100));
      insert into test values ('this is to test redo encryption is working');
      commit;

      Wait until the redo is sent to the standby, and then check the net trace files for the above plaintext.
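
The trace checks in step 2 can be scripted so that a wrapped packet dump does not hide a plaintext hit. This is an added example, not part of the original Oracle note: the function names are hypothetical, the sample trace lines are constructed, and the dump layout (hex bytes followed by an ASCII column between `|` characters, with spaces and non-printable bytes shown as `.`) is an assumption to confirm against your own trace files.

```shell
#!/bin/sh
# Added example: verify redo transport encryption from Oracle Net trace files.
#   $1 = trace directory, $2 = marker text inserted on the primary
check_redo_trace() {
    dir=$1; marker=$2
    # Algorithm reported by the "encryption is active" trace line.
    alg=$(find "$dir" -type f -name '*.trc' -exec cat {} + |
          sed -n 's/.*encryption is active, using \([A-Za-z0-9_]*\).*/\1/p' | tail -n 1)
    # Direct hit: the marker appears as one contiguous string.
    if grep -rqF -- "$marker" "$dir"; then echo "PLAINTEXT_LEAK"; return 0; fi
    # Assumed dump layout: the marker is split across |ASCII| columns, so
    # rejoin the columns and compare with spaces rendered as dots.
    joined=$(find "$dir" -type f -name '*.trc' -exec cat {} + |
             sed -n 's/.*|\(.*\)|[[:space:]]*$/\1/p' | tr -d '\n')
    dotted=$(printf '%s' "$marker" | tr ' ' '.')
    case $joined in *"$dotted"*) echo "PLAINTEXT_LEAK"; return 0 ;; esac
    if [ -n "$alg" ]; then echo "ENCRYPTED:$alg"; else echo "NO_ENCRYPTION_SEEN"; fi
}

# Constructed sample traces (not real captures): $1 = output dir, $2 = enc|plain
make_sample_trace() {
    mkdir -p "$1"
    if [ "$2" = enc ]; then
        cat > "$1/svr_1.trc" <<'EOF'
[29-AUG-2008 16:03:45:973] naeecom: The server chose the 'aes128' encryption algorithm
[29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128
[29-AUG-2008 16:03:46:010] nspsend: 9C 1F A3 07 5E D2 44 B8  |....^.D.|
EOF
    else
        cat > "$1/svr_1.trc" <<'EOF'
[29-AUG-2008 16:03:46:010] nspsend: 74 68 69 73 20 69 73 20  |this.is.|
[29-AUG-2008 16:03:46:010] nspsend: 74 6F 20 74 65 73 74 20  |to.test.|
[29-AUG-2008 16:03:46:010] nspsend: 72 65 64 6F 00 00 00 00  |redo....|
EOF
    fi
}
```

Treat `NO_ENCRYPTION_SEEN` as a failed check: it means no trace line confirmed that encryption was negotiated, even though the marker was not found.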

Oracle recommends the use of ASO for encryption, because ASO is tested and integrated with Oracle Net and DataGuard.

NOTE: From 11.2.0.4, SQLNET trace can be enabled dynamically for the DG background processes only. See Step by Step Method to Enable SQLNET (Server Tracing) Dynamically on Dataguard (Doc ID 2010476.1).
