Enabling encryption for Data Guard redo transport
Source:
Enabling Encryption for Data Guard Redo Transport (Doc ID 749947.1)
Applies to:
Oracle Database - Enterprise Edition - Version 10.2.0.1 to 11.2.0.3 [Release 10.2 to 11.2]
Information in this document applies to any platform.
***Checked for relevance on 08-MAY-2013***
*** Reviewed for relevance 16-Jul-2015 ***
Purpose:
This document describes how to enable encryption for Data Guard redo transport using the Advanced Security Option.
Scope:
Data Guard redo transport can be integrated with the Advanced Security Option (ASO) to ensure the security and confidentiality of data and redo.
ASO can be used to enable encryption, cryptographic network checksums and authentication services between the Data Guard primary and standby databases.
ASO network encryption has been available since Oracle 7. For example, enabling the Advanced Encryption Standard (AES) algorithm requires only a few parameter changes in the sqlnet.ora file.
No certificates or directories need to be set up; only a database restart is required.
Starting with Oracle 8i, customers can set up certificates and SSL for a stronger security infrastructure.
Starting with Oracle 10g, Data Guard uses authenticated network sessions to transmit redo data, even when ASO is not in use. These sessions are authenticated with the password of the SYS user stored in the password file.
All databases in a Data Guard environment should use a password file, and the password stored in it should be identical on all Data Guard hosts. If you want to protect redo further (for example, to encrypt redo or compute an integrity checksum value for redo traffic over the network to disallow redo tampering on the network), Oracle recommends that you install and use ASO.
For information on configuring encryption or any Advanced Security service, please refer to the security guides relevant for your standby database release. For example, refer to Oracle 11g's Advanced Security Administrator's Guide, Oracle 10g's Advanced Security Administrator's Guide, Oracle 9i's Advanced Security Administrator's Guide, Oracle 8i's Advanced Security Administrator's Guide, or Oracle 7's Advanced Networking Option Administrator's Guide.
Starting with 11gR2, network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.
Details:
The following example enables simple DES encryption in a Data Guard environment (note that the parameter values shown below actually select AES128).
1. Modify the sqlnet.ora file on both the primary and the standby database.
When a connection is made, the server selects which algorithm to use, if any, from the algorithms specified in the sqlnet.ora files.
In 11g, the following encryption algorithms are supported:
Algorithm Name      Legal Value
==============================
RC4 256-bit key     RC4_256
RC4 128-bit key     RC4_128
RC4 56-bit key      RC4_56
RC4 40-bit key      RC4_40
AES 256-bit key     AES256
AES 192-bit key     AES192
AES 128-bit key     AES128
3-key 3DES          3DES168
2-key 3DES          3DES112
DES 56-bit key      DES
DES 40-bit key      DES40
# setting the encryption parameters
sqlnet.crypto_seed = "kclabefmnoc"
sqlnet.encryption_server = required
sqlnet.encryption_client = required
sqlnet.encryption_types_client = AES128
sqlnet.encryption_types_server = AES128
-> Note that this setting requires all clients connecting to this database to have the Advanced Security Option installed; otherwise they cannot connect to the database. If you only want Data Guard to use the security option with the method shown, set
sqlnet.encryption_server = accepted
instead.
2. Restart the primary and standby databases, then verify that encryption is working:
1. Turn on sqlnet tracing
trace_directory_server=<directory>
trace_level_client=16
trace_level_server=16
2. Search for "encryption" in the corresponding network trace files. You will see messages similar to the following:
[28-AUG-2008 15:41:36:454] sqlnet.encryption_types_client = AES128
[28-AUG-2008 15:41:36:454] sqlnet.encryption_types_server = AES128
[28-AUG-2008 15:41:36:454] sqlnet.encryption_client = required
[28-AUG-2008 15:41:36:454] sqlnet.encryption_server = required
…
[29-AUG-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
[29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128
3. Ensure that plaintext messages (understandable ASCII) are not in your redo network packets.
Create table test (a varchar2(100));
Insert into test values ('this is to test redo encryption is working');
Commit;
Wait until the redo is sent to the standby and then check net trace files for the above plaintext.
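As an added example that is not part of the MOS note, the following Python script audits a primary and a standby sqlnet.ora for the settings discussed in steps 1 and 2 and pulls the negotiated algorithm out of a trace excerpt of the form shown above. It goes beyond the note by encoding the full client/server negotiation outcome for sqlnet.encryption_client/_server, which is assumed from the Advanced Security Administrator's Guide; the sqlnet.ora excerpts and trace lines are constructed.

```python
import re
# Constructed sqlnet.ora excerpts: primary = client side of redo transport, standby = server
# side set to 'accepted' as the note suggests when only Data Guard should be encrypted.
PRIMARY_SQLNET = """# setting the encryption parameters
sqlnet.encryption_client = required
sqlnet.encryption_types_client = (AES128)
"""
STANDBY_SQLNET = """sqlnet.encryption_server = accepted
sqlnet.encryption_types_server = (AES128, DES40)
"""
# Constructed trace excerpt in the format the note shows (timestamps made up).
TRACE = """[29-AUG-2008 16:03:45:973] naeecom: The server chose the 'AES128' encryption algorithm
[29-AUG-2008 16:03:45:974] na_tns: encryption is active, using AES128
"""
WEAK = {"DES40", "DES", "RC4_40", "RC4_56"}  # entries of the note's table with keys < 112 bits

def parse_sqlnet(text):
    """Map lower-cased parameter names to values; '#' comments, quotes and parentheses are dropped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"').strip("()")
    return params

def negotiated_mode(client, server):
    """Outcome of Oracle Net's encryption negotiation (assumed: the matrix in the ASO admin guide)."""
    if "rejected" in (client, server):
        return "fails" if "required" in (client, server) else "off"
    return "off" if client == server == "accepted" else "on"

def audit(primary_ora, standby_ora):
    """Findings for the primary -> standby redo connection; an empty list means nothing to fix."""
    p, s = parse_sqlnet(primary_ora), parse_sqlnet(standby_ora)
    client = p.get("sqlnet.encryption_client", "accepted").lower()  # Oracle Net default: accepted
    server = s.get("sqlnet.encryption_server", "accepted").lower()
    findings = []
    mode = negotiated_mode(client, server)
    if mode != "on":
        findings.append(f"redo transport encryption is {mode} (client={client}, server={server})")
    for alg in (a.strip().upper() for a in s.get("sqlnet.encryption_types_server", "").split(",")):
        if alg in WEAK:
            findings.append(f"standby offers weak algorithm {alg}")
    return findings

def negotiated_algorithm(trace):
    """Algorithm named on the trace's 'encryption is active' line, or None if encryption never came up."""
    m = re.search(r"encryption is active, using (\S+)", trace)
    return m.group(1) if m else None
```

Point `audit` at the real sqlnet.ora contents of both hosts and `negotiated_algorithm` at the server trace file from step 2 to confirm that the algorithm actually negotiated matches what the configuration allows.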
Oracle recommends using ASO for encryption, because ASO is tested and integrated with Oracle Net and Data Guard.
NOTE: From 11.2.0.4, SQLNET tracing can be enabled dynamically for the Data Guard background processes only; see Step by Step Method to Enable SQLNET (Server Tracing) Dynamically on Dataguard (Doc ID 2010476.1).