Oracle JDBC Thin: enforce network encryption

Time:10-21

The question is how to enforce encryption using the Oracle JDBC Thin driver and by specifying this solely in the URL?

It is understood that we need to set the Oracle Net parameter oracle.net.encryption_client to required. (ref link)

For reference: We are currently specifying the Oracle JDBC URL in the TNS format, for example:

DESCRIPTION = 
   (ADDRESS_LIST =
       (ADDRESS = (PROTOCOL = tcp)(HOST = myora1.corp.net)(PORT = 1521))
       (ADDRESS = (PROTOCOL = tcp)(HOST = myora2.corp.net)(PORT = 1521)))
   (FAILOVER=ON)
   (CONNECT_DATA = (SERVER = dedicated)(SERVICE_NAME = foobar))

which translates to the following JDBC URL string:

jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcp)(HOST = myora1.corp.net)(PORT = 1521))(ADDRESS = (PROTOCOL = tcp)(HOST = myora2.corp.net)(PORT = 1521)))(FAILOVER=ON)(CONNECT_DATA = (SERVER = dedicated)(SERVICE_NAME = foobar)))

Before you answer you should know the following:

  1. We cannot use Properties as this is a third-party application. All we can set is the URL string.
  2. We cannot use optimistic encryption (the default in Oracle). For regulatory reasons we need to guarantee that we obtain an encrypted connection. And we need to enforce this from the client-side. (we need to protect ourselves from a potential misconfiguration on the server-side)
  3. By 'encryption' we mean using Oracle's built-in encryption method, termed Oracle Advanced Security, rather than TLS. The latter is certainly also an option but is a lot more involved (certificate circus), and Oracle Advanced Security has been deemed "good enough" by our security specialists.
  4. We currently use the TNS descriptor format in the URL. If another format allows specifying the said parameter, encryption_client, then it is fine to use that URL format instead ... as long as it allows us to specify the same, for example the ADDRESS_LIST.
  5. We can replace the JDBC driver in use, meaning we have the freedom to use latest version if so required.

I have seen this question asked before on SO but without ever receiving a proper answer.

Any answer should ideally contain pointers to Oracle's documentation.

CodePudding user response:

As stated in the comments, starting with v21 you can use the Security option for the thin method as follows:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=host)(PORT=5521))(CONNECT_DATA= (SERVICE_NAME=servicename))(Security=(ENCRYPTION_LEVEL=REQUIRED)))

Thereby you don't need Properties, and you can embed the desired encryption level in the connection string.

Encryption JDBC String
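For the situation in the question, where only the URL of a third-party application can be changed, a small audit/rewrite helper is useful: it parses the TNS-descriptor form of a JDBC Thin URL, reports whether the URL already carries (SECURITY=(ENCRYPTION_LEVEL=REQUIRED)), and adds that clause if it is missing. This is an added example, not code from the question, the answer or Oracle; the check is purely syntactic and assumes, as the answer states, a 21c-or-later Thin driver that honours the clause at connect time.

```python
PREFIX = "jdbc:oracle:thin:@"
def _parse(s, i):
    """Parse one (KEY=value) or (KEY=(child)(child)...) node starting at s[i] == '('."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    j = s.index("=", i)
    key, i = s[i + 1:j].strip().upper(), j + 1
    while s[i].isspace():
        i += 1
    if s[i] == "(":                      # nested node list
        children = []
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
            while s[i].isspace():
                i += 1
        return (key, children), i + 1
    j = s.index(")", i)                  # scalar value such as tcp or 1521
    return (key, s[i:j].strip()), j + 1
def _unparse(node):
    key, val = node
    body = "".join(_unparse(c) for c in val) if isinstance(val, list) else val
    return f"({key}={body})"

def parse_url(url):
    """Return the DESCRIPTION node of a TNS-format JDBC Thin URL as nested (key, value) tuples."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:oracle:thin:@ URL")
    body = url[len(PREFIX):].strip()
    node, end = _parse(body, 0)
    if node[0] != "DESCRIPTION" or not isinstance(node[1], list) or end != len(body):
        raise ValueError("URL is not a single (DESCRIPTION=...) descriptor")
    return node
def _security(desc):
    return next((v for k, v in desc[1] if k == "SECURITY" and isinstance(v, list)), None)

def encryption_required(url):
    """True only if the URL itself demands native encryption (REQUIRED, not ACCEPTED/REQUESTED)."""
    sec = _security(parse_url(url))
    return sec is not None and any(k == "ENCRYPTION_LEVEL" and str(v).upper() == "REQUIRED" for k, v in sec)

def enforce_encryption(url):
    """Return the URL with ENCRYPTION_LEVEL forced to REQUIRED; every other clause is kept."""
    desc = parse_url(url)
    sec = _security(desc)
    if sec is None:                      # no SECURITY clause yet: append one
        sec = []
        desc[1].append(("SECURITY", sec))
    sec[:] = [(k, v) for k, v in sec if k != "ENCRYPTION_LEVEL"] + [("ENCRYPTION_LEVEL", "REQUIRED")]
    return PREFIX + _unparse(desc)
```

Running enforce_encryption over the question's URL yields the same descriptor with (SECURITY=(ENCRYPTION_LEVEL=REQUIRED)) appended; a URL that only says ACCEPTED or REQUESTED is reported as not enforcing encryption.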
