[Translated from a MOS article] Enabling Encryption for Data Guard Redo Transport


Enabling Encryption for Data Guard Redo Transport

Source:
Enabling Encryption for Data Guard Redo Transport (Doc ID 749947.1)

Applies to:
Oracle Database - Enterprise Edition - Version 10.2.0.1 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
***Checked for relevance on 08-MAY-2013***
*** Reviewed for relevance 16-Jul-2015 ***

Purpose:
This document describes how to enable encryption for Data Guard redo transport using the Advanced Security Option.

Scope:
Data Guard redo transport can be integrated with the Advanced Security Option (ASO) to protect the security and confidentiality of data and redo.
ASO can be used to enable encryption, cryptographic network checksums and authentication services between the Data Guard primary and standby databases.
ASO network encryption has been available since Oracle 7. For example, enabling the Advanced Encryption Standard (AES) encryption algorithm requires only a few parameter changes in the sqlnet.ora file.
No certificates or directories need to be created; only a restart of the database is required.

Starting with Oracle 8i, customers can create certificates and use SSL for a stronger security infrastructure.
Starting with Oracle 10g, Data Guard uses authenticated network sessions to transport redo data, even when ASO is not in use. These sessions are authenticated using the password of the SYS user stored in the password file.
All databases in a Data Guard environment should use a password file, and the password stored in the password file should be the same on all Data Guard hosts. If you want to protect redo further (for example, to encrypt redo or compute an integrity checksum value for redo traffic over the network to disallow redo tampering on the network), Oracle recommends that you install and use ASO.

For information about configuring encryption or any of the advanced security services, please refer to the security guides relevant for your standby database release. For example, please refer to Oracle 11g's Advanced Security Administrator's Guide, Oracle 10g's Advanced Security Administrator's Guide, Oracle 9i's Advanced Security Administrator's Guide, Oracle 8i's Advanced Security Administrator's Guide, or Oracle 7's Advanced Networking Option Administrator's Guide.

Starting with 11gR2, network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

Details:
The following example enables simple DES encryption in a Data Guard environment.

1. Modify the sqlnet.ora file on both the primary and the standby database.
When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.
In 11g, the following encryption algorithms are supported:
Algorithm Name        Legal Value
=================================
RC4 256-bit key       RC4_256
RC4 128-bit key       RC4_128
RC4 56-bit key        RC4_56
RC4 40-bit key        RC4_40
AES 256-bit key       AES256
AES 192-bit key       AES192
AES 128-bit key       AES128
3-key 3DES            3DES168
2-key 3DES            3DES112
DES 56-bit key        DES
DES 40-bit key        DES40

# setting the encryption parameters
sqlnet.crypto_seed = "kclabefmnoc"
sqlnet.encryption_server = required
sqlnet.encryption_client = required
sqlnet.encryption_types_client = AES128
sqlnet.encryption_types_server = AES128

-> Note that this setting requires every client connecting to this database to have the Advanced Security Option installed; otherwise those clients cannot connect. If you only want Data Guard to use the security option with the method shown, set
sqlnet.encryption_server = accepted
instead.
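The note above describes how the four SQLNET.ENCRYPTION_* levels interact. The following is an added example (illustrative code written for this translation, not Oracle's tooling and not part of the MOS note): it parses the encryption parameters out of two sqlnet.ora texts and predicts whether the redo connection between them is encrypted, fails, or silently runs in the clear. It assumes Oracle's documented negotiation matrix for REJECTED/ACCEPTED/REQUESTED/REQUIRED (both ACCEPTED means off; REJECTED against REQUIRED means the connection fails; REJECTED against anything else means off; everything else means on), assumes that an empty *_TYPES_* list offers every algorithm, reports common algorithms in server-list order purely as an illustration of "the server selects which algorithm to use", and assumes both endpoints carry the encryption code (true from 11gR2, per the text above). The sqlnet.ora fragments are constructed samples.

```python
"""Added example: predict Oracle Net encryption negotiation from sqlnet.ora text.

Illustrative code for this article; not Oracle's code. See the lead-in for the
assumptions (negotiation matrix, default algorithm list, server-list ordering).
"""
import re

# Algorithm names from the table in the article, in its order.
ALL_ALGORITHMS = ["RC4_256", "RC4_128", "RC4_56", "RC4_40",
                  "AES256", "AES192", "AES128",
                  "3DES168", "3DES112", "DES", "DES40"]

# This example's own classification: RC4 and the DES family are not what a
# defender wants on a redo link; AES is the family to list.
NOT_RECOMMENDED = {a for a in ALL_ALGORITHMS if not a.startswith("AES")}

_PARAM = re.compile(
    r"^\s*sqlnet\.(encryption_(?:types_)?(?:client|server))\s*=\s*(.+?)\s*$",
    re.IGNORECASE)


def parse_sqlnet(text):
    """Return the SQLNET.ENCRYPTION_* settings found in a sqlnet.ora text.

    Comments (#) are ignored. Level values are lower-cased strings; type values
    are upper-cased lists, accepting both `AES128` and `(AES256, AES128)`.
    """
    settings = {}
    for raw in text.splitlines():
        m = _PARAM.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key.startswith("encryption_types"):
            value = [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]
        else:
            value = value.lower()
        settings[key] = value
    return settings


def negotiate(client_cfg, server_cfg):
    """Predict the outcome of the negotiation between two parsed sqlnet.ora files.

    client_cfg is the side that opens the connection (for redo transport, the
    primary, whose LGWR/ARCH process acts as the client); server_cfg is the
    side that accepts it (the standby). Returns (state, common_algorithms,
    warnings) with state in {'off', 'on', 'connection_fails'}.
    """
    c_level = client_cfg.get("encryption_client", "accepted")
    s_level = server_cfg.get("encryption_server", "accepted")
    c_types = client_cfg.get("encryption_types_client") or list(ALL_ALGORITHMS)
    s_types = server_cfg.get("encryption_types_server") or list(ALL_ALGORITHMS)

    if "rejected" in (c_level, s_level):
        state = "connection_fails" if "required" in (c_level, s_level) else "off"
    elif c_level == "accepted" and s_level == "accepted":
        state = "off"
    else:
        state = "on"

    common = [a for a in s_types if a in c_types]
    warnings = []
    if state == "on" and not common:
        # Assumption: with no shared algorithm a REQUIRED side cannot proceed,
        # while REQUESTED/ACCEPTED sides fall back to a clear connection.
        state = "connection_fails" if "required" in (c_level, s_level) else "off"
        warnings.append("no encryption algorithm common to both sides")
    if state == "on":
        warnings.extend(f"{a} may be negotiated; prefer an AES-only list"
                        for a in common if a in NOT_RECOMMENDED)
    return state, common, warnings


# Constructed sample: the standby, with the server side left at ACCEPTED as the
# article's note suggests, so that clients without ASO can still connect.
STANDBY_SQLNET = """
# standby sqlnet.ora (constructed sample)
sqlnet.crypto_seed = "kclabefmnoc"
sqlnet.encryption_server = accepted
sqlnet.encryption_client = required
sqlnet.encryption_types_client = AES128
sqlnet.encryption_types_server = (AES256, AES128)
"""

# Constructed sample: the primary, whose redo transport process is the client.
PRIMARY_SQLNET = """
sqlnet.encryption_server = accepted
sqlnet.encryption_client = required
sqlnet.encryption_types_client = AES128
sqlnet.encryption_types_server = AES128
"""

# Constructed sample: an application client with no encryption settings at all.
PLAIN_CLIENT_SQLNET = """
# nothing about encryption here: the defaults (ACCEPTED, all algorithms) apply
"""


def redo_link_state():
    """Primary -> standby redo transport with the samples above."""
    return negotiate(parse_sqlnet(PRIMARY_SQLNET), parse_sqlnet(STANDBY_SQLNET))


def plain_client_state():
    """A client without encryption settings connecting to the standby."""
    return negotiate(parse_sqlnet(PLAIN_CLIENT_SQLNET), parse_sqlnet(STANDBY_SQLNET))


if __name__ == "__main__":
    print("redo transport:", redo_link_state())
    print("plain client  :", plain_client_state())
```

With the server at ACCEPTED, the redo link is encrypted because the primary's client side is REQUIRED, while an ordinary client that sets nothing connects unencrypted; switching the standby to REQUIRED would force every client through the same negotiation, which is exactly the trade-off the note describes.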

2. Restart the primary and standby databases and verify that encryption is working.

1. Turn on sqlnet tracing

trace_directory_server=<directory>
trace_level_client=16
trace_level_server=16
2. Search for "encryption" in the corresponding network trace files. You will see messages similar to the following:

[28-AUG-2008 15:41:36:454] sqlnet.encryption_types_client = AES128
[28-AUG-2008 15:41:36:454] sqlnet.encryption_types_server = AES128
[28-AUG-2008 15:41:36:454] sqlnet.encryption_client = required
[28-AUG-2008 15:41:36:454] sqlnet.encryption_server = required

[29-AUG-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
[29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128
3. Ensure that plaintext messages (understandable ASCII) are not in your redo network packets.

Create table test (a varchar2(100));
Insert into test values ('this is to test redo encryption is working');
Commit;
Wait until the redo has been sent to the standby and then check the network trace files for the plaintext above.
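Step 3 relies on reading the trace by eye. The following is an added example (written for this translation, not Oracle's tooling and not part of the MOS note) that automates both halves of the check: it extracts the algorithm named in the negotiation messages shown above, and it reassembles the raw bytes from the packet-dump lines before searching for the marker string, because a marker that spans several dump lines is invisible to a plain per-line grep. It assumes that level-16 traces print packet dumps as `nsprecv: <hex bytes>  |ascii|` with 8 bytes per line; the trace samples are constructed, with the two negotiation lines copied from the article.

```python
"""Added example for step 2/3 of the article: verify Oracle Net trace output.

Illustrative code for this article, not Oracle's code. Assumption: packet
dumps in a level-16 trace look like "nsprecv: 74 68 69 73 ...  |this...|".
"""
import re

# The marker the article inserts so that a leak is recognisable in the trace.
MARKER = "this is to test redo encryption is working"

_ACTIVE = re.compile(r"na_tns: encryption is active, using (\S+)")
# Accept straight or curly quotes around the algorithm name.
_CHOSE = re.compile(r"naeecom: The server chose the ['\u2018]([^'\u2019]+)['\u2019] encryption algorithm")
_DUMP = re.compile(r"nsp(?:recv|send): ((?:[0-9A-Fa-f]{2}\s+)+)\|")


def reassemble_payload(lines):
    """Concatenate the raw bytes of every nsprecv/nspsend dump line, in order."""
    payload = bytearray()
    for line in lines:
        m = _DUMP.search(line)
        if m:
            payload.extend(int(h, 16) for h in m.group(1).split())
    return bytes(payload)


def check_trace(lines, marker=MARKER):
    """Summarise what a trace proves about the redo connection.

    Returns a dict with:
      encrypted : True when an 'encryption is active' line was seen
      algorithm : the algorithm named in the trace, or None
      leaked    : True when the marker appears in the clear in the packet dumps
      verdict   : 'ok', 'plaintext_visible' or 'encryption_not_confirmed'
    """
    encrypted, algorithm = False, None
    for line in lines:
        m = _ACTIVE.search(line)
        if m:
            encrypted, algorithm = True, m.group(1)
        m = _CHOSE.search(line)
        if m and algorithm is None:
            algorithm = m.group(1)
    # latin-1 maps every byte value to a character, so decoding never fails.
    leaked = marker in reassemble_payload(lines).decode("latin-1")
    if leaked:
        verdict = "plaintext_visible"
    elif not encrypted:
        verdict = "encryption_not_confirmed"
    else:
        verdict = "ok"
    return {"encrypted": encrypted, "algorithm": algorithm,
            "leaked": leaked, "verdict": verdict}


# Constructed trace: negotiation succeeded; the dumped bytes look like ciphertext.
GOOD_TRACE = """\
[28-AUG-2008 15:41:36:454] sqlnet.encryption_client = required
[28-AUG-2008 15:41:36:454] sqlnet.encryption_server = required
[29-AUG-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
[29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128
[29-AUG-2008 16:03:46:010] nsprecv: 9F 12 7B C4 E1 55 03 A8  |..{..U..|
[29-AUG-2008 16:03:46:010] nsprecv: 4C 0D 77 E2 90 1B 6A F5  |L.w...j.|
""".splitlines()

# Constructed trace: no negotiation message at all, and the marker text
# crosses dump-line boundaries in the clear.
BAD_TRACE = """\
[29-AUG-2008 16:10:02:113] nsprecv: 00 3A 00 00 06 00 00 00  |.:......|
[29-AUG-2008 16:10:02:113] nsprecv: 74 68 69 73 20 69 73 20  |this is |
[29-AUG-2008 16:10:02:113] nsprecv: 74 6F 20 74 65 73 74 20  |to test |
[29-AUG-2008 16:10:02:113] nsprecv: 72 65 64 6F 20 65 6E 63  |redo enc|
[29-AUG-2008 16:10:02:113] nsprecv: 72 79 70 74 69 6F 6E 20  |ryption |
[29-AUG-2008 16:10:02:113] nsprecv: 69 73 20 77 6F 72 6B 69  |is worki|
[29-AUG-2008 16:10:02:113] nsprecv: 6E 67 00 00 00 00 00 00  |ng......|
""".splitlines()


if __name__ == "__main__":
    print("good trace:", check_trace(GOOD_TRACE))
    print("bad trace :", check_trace(BAD_TRACE))
```

Run it against a real trace with `check_trace(open(path, errors="replace").read().splitlines())`; a verdict of `encryption_not_confirmed` usually means the trace was taken from a process that did not open the redo connection, so confirm the trace file belongs to the LGWR/ARCH process or its RFS counterpart before treating it as evidence either way.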

Oracle recommends using ASO for encryption because ASO is tested and integrated with Oracle Net and Data Guard.

NOTE: From 11.2.0.4, SQLNET tracing can be enabled dynamically for the Data Guard background processes only; see Step by Step Method to Enable SQLNET (Server Tracing) Dynamically on Dataguard (Doc ID 2010476.1).
