How to secure SQL*Net over firewall?

A client application is in an insecure network. It has to connect via SQL*Net to a database server in a DMZ behind a firewall. The client application uses a database user with read-only permissions.
What measures are available, to restrict the client permissions?
It shall not be possible to authenticate as DBA from the insecure client.
Any suggestions?
Regards,
D.

Depending on what it is you are trying to secure, you can use Oracle Advanced Security to encrypt all the traffic to and from the database, so no one can eavesdrop on the traffic to the client machine. To get through the DMZ, you would probably need to install and configure Oracle Connection Manager. Some firewalls will proxy the Oracle connection through the firewall, as well.
Can you connect as sysdba from machines other than the database server today? I don't believe there is a way to restrict connections from a particular user to coming from a particular set of machines, though you can lock down a database so that only local connections can be made AS SYSDBA.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

Similar Messages

  • SQL*Net over IPC fails for normal users

    When normal users try to use SQL*Net to log on to a local
    database on a Linux box, they get the message "ORA-12546:
    TNS:permission denied". An example of this would be the command:
    sqlplus scott/tiger@MG8
    The oracle unix account can execute the above without problems
    and when a normal user sets ORACLE_SID and omits the SQL*Net
    connect string it works fine.
    Oddly, this is only a problem for connections using the IPC
    protocol. If I omit the IPC section from my listener.ora
    (leaving only the TCP section), non-privileged users can log on
    to local databases through SQL*Net without problems.
    I suppose it's not a big deal (there's not that much overhead
    going through the TCP loopback port on Linux), but I'm wondering
    what's wrong. SQL*Net over IPC certainly works on Solaris.
    This is on a S.u.S.E 5.3 distribution of Linux.

    Mark Gleaves (guest) wrote:
    : When normal users try to use SQL*Net to log on to a local
    : database on a Linux box, they get the message "ORA-12546:
    : TNS:permission denied". An example of this would be the
    : command
    : sqlplus scott/tiger@MG8
    : The oracle unix account can execute the above without problems
    : and when a normal user sets ORACLE_SID and omits the SQL*Net
    : connect string it works fine.
    Check that your oracle executable is SUID oracle and SGID dba?
    I'd have thought that would cause problems with bequeath
    connections, so perhaps not.
    Weird error. You might try running an strace on the sqlplus to
    see what system call fails.
    -michael

  • Secure SQL*Net

    I've been told that there's a way to secure the SQL*Net communication between client and server, yet I've been unable to find anything about this in OTN.
    Has anyone had any success implementing this and if so, how is this configured?
    TIA-
    Matt

    Oracle Advanced Security option provides the ability to encrypt communications between client and server via Oracle Net. Details can be found on OTN: http://technet.oracle.com/deploy/security/aso/content.html

  • How to decipher SQL*Net protocols/packets?

    hi,
    we have a customer that sells compliance solutions that basically track and audit information at the packet level. in order to expand their customer base they would like to offer their solutions to customer that have business systems built on Oracle Forms 6.x and Pro*C. to do this they need to understand how our network communication works. is this something that is generally available? here are some details for what the partner wants from us ...
    Their product intercepts the communication between a typical Db client and Db server at packet level, performs analysis on the packets and extracts the information required for SOX compliance. It's been successfully installed and working for various versions of Oracle servers and Clients, however it does not handle Oracle Forms and pro*C clients.
    It also works for pro*c client except for bind variables and arrays.
    We need information on packet formats during communication between Oracle database and Forms and pro*c clients. This will help our product to work for SOX compliance for the customers who have FORMS and pro*c clients without replacing them
    I know that from Forms to DB it's SQL*Net, not sure what the protocol is for PRO*C to DB communication but do we have documentation on both?

    Assuming you are on Windows, you can download the client installable from
    http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip -- for Oracle 10g client
    http://download.oracle.com/otn/nt/oracle11g/win32_11gR1_client.zip -- for Oracle 11g client
    If you are looking for any other version, please mention the same.

  • How to configure SQL*Net to survive minor dropouts?

    Hi,
    We have recently started developing over a VPN to our server. The VPN is not brilliant and we get minor dropouts for a second or so. This is causing SQL*Net to dropout and we need to re-connect and re-start all our Apps (SQL*Plus, Forms Builder, etc).
    Is there an SQL*Net setting which can keep the connection open, even if the network drops for 1-2 seconds?
    Cheers,
    Tim.

    Yes, a VPN is extremely important. Just as it's the job of DBAs to protect and maintain data, it is the job of a Network Administrator to keep the network functioning correctly. I'd say that having your NAs take care of the VPN problem is paramount to not only solving your issue, but also in keeping your company's infrastructure on-track and maintainable.
    P.S. I was an NA in one of my previous lives :(

  • How To install sql*net

    I am new to Oracle. Please tell me how and from where I can install the SQL*Net client.
    thanks

    Assuming you are on Windows, you can download the client installable from
    http://download.oracle.com/otn/nt/oracle10g/10201/10201_client_win32.zip -- for Oracle 10g client
    http://download.oracle.com/otn/nt/oracle11g/win32_11gR1_client.zip -- for Oracle 11g client
    If you are looking for any other version, please mention the same.

  • How to check sql*net version

    Hi,
    I've read a support note that reports instructions and differences between SQL*Net 2.1 and SQL*Net 2.2.
    How can I check the SQL*Net version implemented by my databases and clients ?

    The database view v$version would obviously only report data for the database version in use and not the client.
    If the client has sqlplus then the sqlplus banner should show the client version (SQL*Plus: Release) before listing the target database release information.
    The view v$session_connect_info is known to report the database version rather than the client version.
    Reference Note: 1419025.1 Wrong Value For CLIENT_VERSION in V$SESSION_CONNECT_INFO
    See the first note I posted a reference to.
    HTH -- Mark D Powell --

  • How to Secure SQL SERVER 2012 Backup without using TDE or any thirdparty backup solution

    Hi Experts
    Actually I was using backup set password feature for MS SQL SERVER 2008 but it is dropped in new versions (2012 & 2014). Please suggest some options to making the backups secure without using TDE or any third party tools.

    Hi khalil_pak,
    The WITH PASSWORD feature didn't really encrypt your backup. It just made it difficult for someone to accidentally restore the backup when they were not allowed to. And as other post, the password option is weak and could be broken easily.
    The only true way to protect the data is to encrypt the data at the source by encrypting the database with TDE. Or you can choose to use cell-level encryption to encrypt sensitive data.
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • How to find out the size of files transferred over the SQL * Net?

    I am trying to test the Advanced Compress (AC) for 11g Data Guard. When the AC is turned on, the archived log files are supposed to be compressed on the primary database server and sent over SQL*Net, then decompressed on the standby db server. We will see the file sizes are the same on both primary and standby servers. I want to verify that the AC works by monitoring how much data are sent over SQL*Net. Per Oracle, AC uses 35% less of the bandwidth. That means the size of the files transferred should be at least 65% of the original size.
    Is there a way to find out the size through Oracle utilities? If not, how to find out by OS utilities? OS is Solaris 5.10.
    Thanks.

    I'm not sure this can be done via SQL*Net, but a network packet sniffer between the two servers should be able to help - you might want to contact your network team.
    HTH
    Srini

  • SQL*Net Secure Protocol?

    Anyone,
    My security auditors are breathing down my back... Is SQL*Net considered a secure communication protocol?
    Can someone with a Packet Sniffer siphon off my SQL*Net communications and obtain any data being transferred through it? Namely Passwords and DB connect parameters, data is also a concern but less.
    This is via an Internal Network not over the internet..
    Thanks in advance,
    Milller

    yes.
    you can encrypt sql*net communications within the network.
    ASO provides different built-in mechanisms.
    you just add the following entries with appropriate values
    and your sqlnet is encrypted.
    SQLNET.ENCRYPTION_SERVER = <ACCEPTED, REJECTED, REQUESTED or REQUIRED>
    SQLNET.ENCRYPTION_CLIENT = <ACCEPTED, REJECTED, REQUESTED or REQUIRED>
    SQLNET.CRYPTO_SEED = <STRING>
    only disadvantage is
    in 8i your internal account will be locked!
    so you can't use dbstart/dbshut scripts.
    workaround is to script the following in your dbstart/dbshut
    1. move or rename sqlnet.ora to something.ora
    2. proceed with dbstart/dbshut.
    3. move or rename something.ora to sqlnet.ora
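
How the two SQLNET.ENCRYPTION_* levels in the reply above combine is worked through below, as an added example that is not part of the original post. It assumes Oracle's documented negotiation rules, a default of ACCEPTED when a parameter is unset, and at least one encryption algorithm common to both sides; the function names and the sample sqlnet.ora contents are constructed for illustration.

```python
# Added example: outcome of SQLNET.ENCRYPTION_CLIENT / _SERVER negotiation.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # assumed default when the parameter is absent

# Constructed sample files (not taken from the page).
CLIENT_ORA = "# client sqlnet.ora with no encryption entries\n"
SERVER_ORA = "SQLNET.ENCRYPTION_SERVER = REQUESTED\nSQLNET.CRYPTO_SEED = example-seed\n"


def parse_sqlnet(text):
    """Return {PARAM: value} from sqlnet.ora-style 'NAME = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def negotiate(client, server):
    """Return 'on', 'off' or 'fail' for one client/server level pair."""
    client, server = client.upper(), server.upper()
    for level in (client, server):
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
    pair = {client, server}
    if "REJECTED" in pair:
        # One side refuses encryption: cleartext, unless the peer insists.
        return "fail" if "REQUIRED" in pair else "off"
    if pair == {"ACCEPTED"}:
        # Both sides merely tolerate encryption, so nobody asks for it.
        return "off"
    return "on"


def audit(client_ora, server_ora):
    """Summarise what a client/server pair of sqlnet.ora files will negotiate."""
    c = parse_sqlnet(client_ora).get("SQLNET.ENCRYPTION_CLIENT", DEFAULT)
    s = parse_sqlnet(server_ora).get("SQLNET.ENCRYPTION_SERVER", DEFAULT)
    # Cleartext is ruled out only when at least one side is REQUIRED.
    enforced = "REQUIRED" in (c.upper(), s.upper())
    return {"client": c, "server": s,
            "outcome": negotiate(c, s), "enforced": enforced}


if __name__ == "__main__":
    print(audit(CLIENT_ORA, SERVER_ORA))
    for c in LEVELS:
        print(c.ljust(10), [negotiate(c, s) for s in LEVELS])
```

With the sample files the session is encrypted but not enforced: a client that sets REJECTED would still connect in cleartext, which is why the server side is normally set to REQUIRED when cleartext must never be accepted.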

  • Oracle12c SQL*NET blocked by Windows 2008 firewall - what is the correct solution?

    Hello,
    I have a question with regards to the SQL*NET traffic being blocked by the Windows 2008 firewall. This document shows that disabling the firewall can resolve the problem:
    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166773506396122&id=1472931.1&displayIndex=13&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_112
    Is this really the solution?
    From what I understand from other documents is that just enabling port 1521 will not resolve any issues, as SQL*NET can use redirection to other random ports. That is probably the reason why the Oracle installation does not alter any firewall settings.
    What other methods do people use to connect a client to a DB server?
    This document shows what other methods to use, but who uses them?
    https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166043735580557&id=68652.1&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_78
    Does anyone use the Oracle Connection Manager for example?
    Thanks
    Richard

    I configure firewall to allow DB Server to start new network connections

  • How to connect to DB in repository assistant using SQL*net

    Hi all,
    We are in RAC environment. When I try connecting to oracle DB in repository assistant (the page that asks for SYS account), I check the SQL*net, and enter the net service name (absolutely also enter the SYS and SYS psw field), but the 'next' button is greyed out.
    according to installation guide, in a RAC environment, do not type the host name, port number and oracle service name. But in my case, I have to enter all these fields to enable the 'next' button.
    any idea of how to fix it?
    thanks

    I forgot to say that I can connect to the repository browser using SQL*net. So I suppose that net service name is correct.
    thanks for any suggestion.

  • How to drill down the cause of "SQL*Net message from/to client"

    Pretty frustrated with my tune up using suggestions from many papers for Oracle 10g R2 on AIX 5.3 L system. My users told me that the system (including Baan 5c) still responds slowly in some processes, some even worsen.
    Using both queries such as
    SELECT sid, schemaname, status FROM gv$session ORDER BY 2;
    SELECT inst_id, seq#, event, p1, p2, p3, wait_time FROM v$session_wait_history WHERE sid=<sid from above>
    INST_ID SEQ# EVENT P1 P2 P3 WAIT_TIME
    1 1 SQL*Net message from client 1413697536 1 0 6419
    1 2 SQL*Net message to client 1413697536 1 0 0
    and others similar, I found very large numbers (almost 97%) of the sessions have events as “SQL*Net message to client” and “SQL*Net message from client” on their wait_time even the sids are in inactive status. After checking the meaning of those messages in Oracle Performance and Tuning document, the document states that mainly they are probably network problems. So how can I drill down to what status of network from my client (the users) to server by Oracle or AIX? In Baan, it has its own parameter sets in its db_resource file controlling the connectivity. In average, there are 4000 “opened cursor current”, but most of them inactive.
    So my colleague asked me to roll back all the changes I did on OS level such as minperm%=5
    maxperm%=90
    maxclient%=90,
    lgpg_regions lgpg_size,
    sys0 maxuproc=512,
    aio0 maxservers='260'
    and many ioo parameters to system defaults.
    I even removed the multiplex copy of the redo log.
    I tried to prove to them that there may be the problem of the Baan/Oracle connectivity, ie due to message above,

    http://docs.oracle.com ... read them for configuration information.
    http://tahiti.oracle.com ... read them for recommendations.
    http://otn.oracle.com ... find the best practices docs.
    http://metalink.oracle.com ... look for similar issues to yours.
    People that change things, on production boxes, without first determining that metrics indicate they are a good idea, and then determining their impact on a test box, should be sold to zoos as leopard food.
    PS: Slowly likely has absolutely nothing to do with anything you touched. First you tune the application. Then you tune the database. Then you tune the operating system. Get out of the way and make the DBAs do their job.

  • How to secure connection in sql server 2008? my main problem is which certificate should i add in mmc

    i'm recently working on hardening of sql server 2008. now i face with a problem. my problem is how to secure connection in sql server 2008? my main problem is which certificate should i add in mmc? what are these certificates about? and guide me in choosing the appropriate certificate.
    and how should i know that the connection in sql server is secured?
    plz guide me from the beginning cause i'm rookie in this subject.
    thanks in advance.

    Hi sqlfan,
    Question 1: my problem is how to secure connection in sql server 2008?
    Microsoft SQL Server can use Secure Sockets Layer (SSL) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. For more information about Encrypting Connections to SQL Server, please refer to the following article:
    http://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
    Question 2: my main problem is which certificate should i add in mmc? what are these certificates about?and guide me in choosing the appropriate certificate.
    To install a certificate in the Windows certificate store of the server computer, you will need to purchase/provision a certificate from a certificate authority first. So please go to a certificate authority to choose the appropriate certificate.
    For SQL Server to load a SSL certificate, the certificate must meet the following conditions:
    The certificate must be in either the local computer certificate store or the current user certificate store.
    The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.
    The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).
    The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
    The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. If SQL Server is running on a failover cluster, the common name must match the host name or FQDN of the virtual server and the certificates must be provisioned on all nodes in the failover cluster.
    Question 3: how should i know that the connection in sql server is secured?
    If the certificate is configured to be used, and the value of the ForceEncryption option is set to Yes, all data transmitted across a network between SQL Server and the client application will be encrypted using the certificate. For more detail about this, please refer to Configuring SSL for SQL Server in the following article:
    http://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
    If you have any question, please feel free to let me know.
    Regards,
    Donghui Li

  • How can I connect oracle without installing its SQL*Net client?

    How can I connect oracle without installing its SQL*Net client?

    Pls suggest any possible solution. I cross-checked from the link below and tried to install the instant clients, but
    http://www.oracle.com/technology/software/tech/oci/instantclient/htdocs/winsoft.html
    it's showing me the error "This application has failed to start because OCI.dll was not found. Re-installing the application may fix this problem."
    Let me know if you have anything on this.
