
SSL and TLS for Oracle 12c

This is for an Oracle database standalone server running 12c 12.2.0.1 on Windows Server 2016.

We are hardening our system and one of the findings was to remove support of SSL and implement TLS 1.2 and upwards where possible. A pen test report found a certain port was currently using vulnerable protocols. On investigation I found this to be the Oracle listener. From research, it seems using Net Manager we can configure SSL certificates so that the server to client communications on Oracle are encrypted. The only trouble I'm having right now is finding any Oracle document which will tell me exactly what encryption methods are supported. Does anyone know what is supported? I would like to basically disable support for SSL v2 and v3 through the Windows registry on all machines and allow only TLS 1.2 or higher, but this may break the Oracle database 12c communications, I suppose, if there is no support for TLS 1.2 or higher? Any help would be appreciated, in conjunction with what are the best practices for Oracle standalone servers when it comes to security?

Also, a bit of a basic question I guess, but in Net Manager there are two tabs. One is called Encryption and another called SSL? I understand SSL would mean creating certificates and having them on the client and server such that the messages can be decrypted. However, what does the Encryption tab do? Does it literally just encrypt all communications between server and client but not using SSL or TLS?

Thank you for any help.

Check out the 2 Day DBA + Security Guide for info on network encryption. By default Oracle uses "native" encryption libraries that don't use SSL at all (those are managed by the "Encryption" tab you mentioned). SSL encryption (under the "SSL" tab) uses an entirely different protocol, and requires a specially configured listener, a different network port, and certificates in an Oracle Wallet. Check out the docs; they should walk you through everything. It's certainly too big a subject to tackle completely here.
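The two Net Manager tabs discussed above write their settings to `sqlnet.ora`, so the hardening goal in the question can be checked against that file. The script below is an added example, not part of the original question or answer; it assumes the standard `sqlnet.ora` parameter names (`SSL_VERSION`, `WALLET_LOCATION`, `SQLNET.ENCRYPTION_SERVER`, `SQLNET.ENCRYPTION_TYPES_SERVER`), which the page itself does not list, and runs on a constructed sample file with a placeholder wallet path.

```python
import re

# Constructed sample sqlnet.ora (server side); the wallet path is a placeholder.
SAMPLE = r"""
# native network encryption (Net Manager "Encryption" tab)
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, 3DES168)
# TLS settings (Net Manager "SSL" tab)
SSL_VERSION = 1.0
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\placeholder\wallet)))
"""

def parse_sqlnet(text):
    """Return {PARAM: value}; indented lines continue the previous parameter."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().upper()
            params[name] = value.strip()
        elif name:
            params[name] = (params[name] + " " + line.strip()).strip()
    return params

def audit(text):
    """List findings for the hardening goal in the question: TLS 1.2 only."""
    p, findings = parse_sqlnet(text), []
    if "WALLET_LOCATION" not in p:
        findings.append("no WALLET_LOCATION: TLS (TCPS) is not configured here")
    version = p.get("SSL_VERSION", "").strip("\"' ").lower()
    if version != "1.2":
        findings.append(f"SSL_VERSION={version or 'unset'}: older protocols may be negotiated")
    mode = p.get("SQLNET.ENCRYPTION_SERVER", "unset").lower()
    if mode != "required":
        findings.append(f"SQLNET.ENCRYPTION_SERVER={mode}: native encryption is optional, not enforced")
    algs = re.findall(r"[A-Z0-9_]+", p.get("SQLNET.ENCRYPTION_TYPES_SERVER", "").upper())
    legacy = [a for a in algs if not a.startswith("AES")]
    if legacy:
        findings.append("non-AES (legacy) native ciphers allowed: " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

The native-encryption finding is informational when every client connects over TCPS, since the two mechanisms are separate, as the answer explains.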
