1. Check the installed encryption components
[qdtais1]@ht01[/home/oracle]$adapters
Installed Oracle Net transport protocols are:
IPC
BEQ
TCP/IP
SSL
RAW
SDP/IB
Installed Oracle Net naming methods are:
Local Naming (tnsnames.ora)
Oracle Directory Naming
Oracle Host Naming
Oracle Names Server Naming
Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication
2. Configure network encryption. Only the server side needs to be configured; the client default is ACCEPTED.
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
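Whether encryption actually takes effect depends on the combination of client and server settings; see the official documentation: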
https://docs.oracle.com/cd/E11882_01/network.112/e40393/asoconfg.htm#ASOAG9599
Client Setting   Server Setting   Encryption and Data Negotiation
REJECTED         REJECTED         OFF
ACCEPTED         REJECTED         OFF
REQUESTED        REJECTED         OFF
REQUIRED         REJECTED         Connection fails
REJECTED         ACCEPTED         OFF
ACCEPTED         ACCEPTED         OFF
REQUESTED        ACCEPTED         ON
REQUIRED         ACCEPTED         ON
REJECTED         REQUESTED        OFF
ACCEPTED         REQUESTED        ON
REQUESTED        REQUESTED        ON
REQUIRED         REQUESTED        ON
REJECTED         REQUIRED         Connection fails
ACCEPTED         REQUIRED         ON
REQUESTED        REQUIRED         ON
REQUIRED         REQUIRED         ON
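After changing the sqlnet settings, the listener does not need to be restarted.
To verify that sessions are encrypted, enable SQL*Net tracing: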
#Trace file setup
trace_level_server=16
trace_level_client=16
trace_directory_server=/home/oracle/trace
trace_directory_client=/home/oracle/trace
trace_file_client=cli
trace_file_server=srv
trace_unique_client=true
diag_adr_enabled = off
[qdtais1]@ht01[/home/oracle/trace]$cat srv_6038.trc |grep "encryption is active"
[09-MAY-2019 18:58:28:817] na_tns: encryption is active, using RC4_256
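The negotiation matrix and the trace check above, combined into one script (an added example, not from the original post or Oracle's tooling): it reads SQLNET.ENCRYPTION_SERVER from sqlnet.ora text, lists the client settings that would still get an unencrypted session, and extracts the negotiated algorithm from a trace line. The function names and sample strings are constructed for illustration, and treating an absent server parameter as ACCEPTED is an assumption.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
ACTIVE = re.compile(r"na_tns:\s+encryption is active, using (\w+)")

def negotiate(client, server):
    """Outcome (ON, OFF or FAIL) for one client/server pair, per the matrix."""
    pair = {client.upper(), server.upper()}
    if not pair <= set(LEVELS):
        raise ValueError(f"unknown setting in {sorted(pair)}")
    if pair == {"REJECTED", "REQUIRED"}:
        return "FAIL"   # one side refuses, the other insists
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "OFF"    # one side refused, or neither side asked
    return "ON"         # at least one side asked and nobody refused

def server_setting(sqlnet_text):
    """SQLNET.ENCRYPTION_SERVER value; ACCEPTED is assumed when it is not set."""
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = re.match(r"\s*SQLNET\.ENCRYPTION_SERVER\s*=\s*\(?\s*(\w+)", line, re.I)
        if m:
            return m.group(1).upper()
    return "ACCEPTED"

def plaintext_clients(sqlnet_text):
    """Client settings that still end up with an unencrypted session."""
    srv = server_setting(sqlnet_text)
    return [c for c in LEVELS if negotiate(c, srv) == "OFF"]

def trace_algorithm(trace_text):
    """Algorithm named in the trace, or None if encryption never became active."""
    m = ACTIVE.search(trace_text)
    return m.group(1) if m else None

# Constructed samples, copied from the settings and trace line shown above.
SAMPLE_SQLNET = """\
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
"""
SAMPLE_TRACE = "[09-MAY-2019 18:58:28:817] na_tns: encryption is active, using RC4_256"

if __name__ == "__main__":
    print("server setting:", server_setting(SAMPLE_SQLNET))
    print("clients left unencrypted:", plaintext_clients(SAMPLE_SQLNET))
    print("algorithm in trace:", trace_algorithm(SAMPLE_TRACE))
```

With the server at requested, a client configured as REJECTED still connects without encryption; per the matrix, only REQUIRED on the server leaves that list empty.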
Besides tracing SQL*Net, you can also capture packets with Wireshark to see whether the traffic is actually encrypted.
yum install wireshark-*
Run wireshark to start the capture tool and apply the following display filter:
ip.addr eq 192.168.20.221 and tns
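This is the capture without encryption.
Below is the capture with encryption.
After encryption the packets become larger.
For the performance impact of encryption and decryption, see http://www.orafaq.com/wiki/Network_Encryption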
Encryption    Checksum: None       Checksum: MD5        Checksum: SHA-1
algorithm     Time       %None     Time       %None     Time       %None
None          79.6 s               80.5 s     101%      82.4 s     104%
DES           104.7 s    132%      107.1 s    135%      108.2 s    136%
3DES168       151.8 s    191%      153.9 s    193%      155.6 s    196%
AES128        88.8 s     112%      90.5 s     114%      92.1 s     116%
AES256        91.8 s     115%      93.5 s     117%      94.2 s     118%
RC4_128       81.6 s     103%      82.5 s     104%      85.0 s     107%
RC4_256       81.7 s     103%      82.8 s     104%      85.0 s     107%