Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Oracle Native Network Encryption

Amazon RDS supports Oracle native network encryption (NNE). With native network encryption, you can encrypt data as it moves to and from a DB instance. Amazon RDS supports NNE for all editions of Oracle. Amazon RDS supports Oracle native network encryption for any DB instance class larger than db.t1.micro.

To use Oracle native network encryption with a DB instance, you add the NATIVE_NETWORK_ENCRYPTION option to an option group and associate that option group with the DB instance. You should first determine whether the DB instance is already associated with an option group that has the NATIVE_NETWORK_ENCRYPTION option. To view the option group that a DB instance is associated with, you can use the RDS console, the describe-db-instances AWS CLI command, or the API action DescribeDBInstances.

Note

You can use Native Network Encryption or Secure Sockets Layer, but not both. For more information, see Oracle SSL.

A detailed discussion of Oracle native network encryption is beyond the scope of this guide, but you should understand the strengths and weaknesses of each algorithm and key before you decide on a solution for your deployment. Note that non-default TDE encryption algorithms only work with Oracle version 11.2.0.2.v7 and later. For information about the algorithms and keys that are available through Oracle native network encryption, see Configuring Network Data Encryption in the Oracle documentation. For more information about AWS security, see the AWS Security Center.

The process for using Oracle native network encryption with Amazon RDS is as follows:

  1. If the DB instance is not associated with an option group that has the network encryption option (NATIVE_NETWORK_ENCRYPTION), you must either modify an existing option group to add the NATIVE_NETWORK_ENCRYPTION option or create a new option group and add the NATIVE_NETWORK_ENCRYPTION option to it. For information about creating or modifying an option group, see Working with Option Groups. For information about adding an option to an option group, see Adding an Option to an Option Group.

  2. Specify the NATIVE_NETWORK_ENCRYPTION option settings for the option group. For information about modifying option settings, see Modifying an Option Setting.

    These settings include:

    • SQLNET.ENCRYPTION_SERVER: Specifies the encryption behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are Accepted, Rejected, Requested (the default), and Required. Requested indicates that the DB instance does not require traffic from the client to be encrypted.

    • SQLNET.CRYPTO_CHECKSUM_SERVER: Specifies the data integrity behavior when a client, or a server acting as a client, connects to the DB instance. Allowable values are Accepted, Rejected, Requested (the default), and Required. Requested indicates that the DB instance does not require the client to perform a checksum.

    • SQLNET.ENCRYPTION_TYPES_SERVER: Specifies a list of encryption algorithms used by the DB instance. The DB instance will use each algorithm, in order, to attempt to decrypt the client input until an algorithm succeeds or until the end of the list is reached. Amazon RDS uses the following default list from Oracle. You can change the order or limit the algorithms that the DB instance will accept.

      1. RC4_256: RSA RC4 (256-bit key size)

      2. AES256: AES (256-bit key size)

      3. AES192: AES (192-bit key size)

      4. 3DES168: 3-key Triple-DES (112-bit effective key size)

      5. RC4_128: RSA RC4 (128-bit key size)

      6. AES128: AES (128-bit key size)

      7. 3DES112: 2-key Triple-DES (80-bit effective key size)

      8. RC4_56: RSA RC4 (56-bit key size)

      9. DES: Standard DES (56-bit key size)

      10. RC4_40: RSA RC4 (40-bit key size)

      11. DES40: DES40 (40-bit key size)

    • SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER: Specifies the checksum algorithm. The default is sha-1, but md5 is also supported.

  3. List the options in the option group to ensure that you have added the NATIVE_NETWORK_ENCRYPTION option and specified the correct settings. You can view the options in an option group using the RDS console, the CLI command describe-option-group-options, or the Amazon RDS API action DescribeOptionGroupOptions.

  4. Associate the DB instance with the option group that has the NATIVE_NETWORK_ENCRYPTION option. For information about associating a DB instance with an option group, see Modifying a DB Instance Running the Oracle Database Engine.
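As an added example (not code from the AWS guide), the four steps above as one AWS CLI script that applies a tightened configuration: REQUIRED on both server settings and only the AES entries from the default algorithm list. The option group name, instance identifier, engine and version are placeholders; nothing is sent to AWS unless the script is run with apply, and the step-3 check reads the group back with describe-option-groups.

```shell
#!/bin/sh
# Added example (not from the AWS guide): NATIVE_NETWORK_ENCRYPTION with REQUIRED
# settings and an AES-only algorithm list, driven through the AWS CLI.
OPTION_GROUP="${OPTION_GROUP:-oracle-nne-required}"   # placeholder name
DB_INSTANCE="${DB_INSTANCE:-my-oracle-instance}"      # placeholder identifier
ENGINE="${ENGINE:-oracle-ee}"                          # placeholder engine
MAJOR_VERSION="${MAJOR_VERSION:-12.1}"                 # placeholder version

# Accept only the AES entries of the RDS default list. RC4_*, DES, DES40 and both
# 3DES entries are in that default list, so a client can negotiate them unless trimmed.
aes_only() {
  [ -n "$1" ] || { echo "empty algorithm list" >&2; return 1; }
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    case "$c" in
      AES256|AES192|AES128) ;;
      *) echo "refusing algorithm outside the AES set: $c" >&2; return 1 ;;
    esac
  done
}

# JSON for --options. REQUIRED replaces the REQUESTED default on both the encryption
# and the checksum setting; SHA1 is the guide's default checksum (MD5 is the other).
nne_options_json() {
  printf '[{"OptionName":"NATIVE_NETWORK_ENCRYPTION","OptionSettings":['
  printf '{"Name":"SQLNET.ENCRYPTION_SERVER","Value":"REQUIRED"},'
  printf '{"Name":"SQLNET.CRYPTO_CHECKSUM_SERVER","Value":"REQUIRED"},'
  printf '{"Name":"SQLNET.ENCRYPTION_TYPES_SERVER","Value":"%s"},' "$1"
  printf '{"Name":"SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER","Value":"SHA1"}]}]'
}

# Steps 1, 2 and 4 of the procedure (step 3 is verify_nne).
apply_nne() {
  aes_only "$1" || return 1
  aws rds create-option-group --option-group-name "$OPTION_GROUP" \
    --engine-name "$ENGINE" --major-engine-version "$MAJOR_VERSION" \
    --option-group-description "Oracle NNE required, AES only" >/dev/null
  aws rds add-option-to-option-group --option-group-name "$OPTION_GROUP" \
    --options "$(nne_options_json "$1")" --apply-immediately >/dev/null
  aws rds modify-db-instance --db-instance-identifier "$DB_INSTANCE" \
    --option-group-name "$OPTION_GROUP" --apply-immediately >/dev/null
}

# Step 3: print the option's settings as stored in the option group.
verify_nne() {
  aws rds describe-option-groups --option-group-name "$OPTION_GROUP" \
    --query "OptionGroupsList[0].Options[?OptionName=='NATIVE_NETWORK_ENCRYPTION'] | [0].OptionSettings[*].[Name,Value]" \
    --output text
}
# Nothing is sent to AWS unless invoked as: ./nne.sh apply [AES256,AES192,AES128]
if [ "${1:-}" = apply ]; then apply_nne "${2:-AES256,AES192,AES128}" && verify_nne; fi
```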

With Oracle native network encryption, you can also specify network encryption on the client side. On the client (the computer used to connect to the DB instance), you can use the sqlnet.ora file to specify the following client settings: SQLNET.CRYPTO_CHECKSUM_CLIENT, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, SQLNET.ENCRYPTION_CLIENT, and SQLNET.ENCRYPTION_TYPES_CLIENT. For more information, see Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle documentation.

Sometimes the DB instance rejects a connection request from an application, for example when the encryption algorithms configured on the client and on the server do not match.
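The negotiation that produces such a rejection can be worked out before a setting is changed. This is an added example, not code from the AWS guide: the mode outcomes encode Oracle's negotiation table from About Negotiating Encryption and Integrity, the algorithm choice follows the guide's description of the server walking its list in order, and a session with no algorithm in common is assumed to fall back to cleartext unless one side is REQUIRED, in which case it fails.

```shell
#!/bin/sh
# Added example (not from the AWS guide): predict the outcome of the
# encryption/integrity negotiation between a DB instance and a client.

# $1 = server value (SQLNET.ENCRYPTION_SERVER or SQLNET.CRYPTO_CHECKSUM_SERVER),
# $2 = the matching *_CLIENT value. Prints ON, OFF or FAIL. Oracle's table:
# REQUIRED against REJECTED fails, REJECTED on either side or ACCEPTED on
# both leaves the feature off, every other pairing turns it on.
negotiate_mode() {
  s=$(printf '%s' "$1" | tr a-z A-Z); c=$(printf '%s' "$2" | tr a-z A-Z)
  case "$s:$c" in
    REQUIRED:REJECTED|REJECTED:REQUIRED) echo FAIL ;;
    REJECTED:*|*:REJECTED|ACCEPTED:ACCEPTED) echo OFF ;;
    *) echo ON ;;
  esac
}

# $1 = SQLNET.ENCRYPTION_TYPES_SERVER list, $2 = the client's list (comma-separated).
# The guide says the server tries its list in order, so the first server entry
# the client also offers wins; prints NONE with status 1 when the lists are disjoint.
pick_algorithm() {
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    for c in $(printf '%s' "$2" | tr ',' ' '); do
      [ "$s" = "$c" ] && { echo "$s"; return 0; }
    done
  done
  echo NONE; return 1
}

# Verdict for one connection: "ON <algorithm>", OFF or FAIL.
# Args: server mode, client mode, server list, client list.
# Assumption: with no algorithm in common the session stays in cleartext
# unless one side is REQUIRED, in which case the connection is refused.
session() {
  mode=$(negotiate_mode "$1" "$2")
  case "$mode" in ON) ;; OFF) echo OFF; return 0 ;; *) echo FAIL; return 1 ;; esac
  if alg=$(pick_algorithm "$3" "$4"); then echo "ON $alg"; return 0; fi
  case "$(printf '%s:%s' "$1" "$2" | tr a-z A-Z)" in
    *REQUIRED*) echo FAIL; return 1 ;;
    *) echo OFF ;;
  esac
}

# The guide's server defaults (REQUESTED, full list) against a client that left
# SQLNET.ENCRYPTION_CLIENT at Oracle's ACCEPTED default and offers only AES.
RDS_DEFAULT_LIST=RC4_256,AES256,AES192,3DES168,RC4_128,AES128,3DES112,RC4_56,DES,RC4_40,DES40
session REQUESTED ACCEPTED "$RDS_DEFAULT_LIST" AES256,AES192,AES128   # ON AES256
session REQUESTED ACCEPTED "$RDS_DEFAULT_LIST" "$RDS_DEFAULT_LIST"    # ON RC4_256
session REQUIRED REQUESTED AES256,AES192,AES128 RC4_128,DES || :      # FAIL
```

A client that also keeps Oracle's full default list lands on RC4_256, the first entry in the server's default order, which is why trimming the server list matters more than the client's preferences.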

To test Oracle native network encryption, add the following lines to the sqlnet.ora file on the client:

    DIAG_ADR_ENABLED=off
    TRACE_DIRECTORY_CLIENT=/tmp
    TRACE_FILE_CLIENT=nettrace
    TRACE_LEVEL_CLIENT=16

These lines generate a trace file on the client called /tmp/nettrace* when the connection is attempted. The trace file contains information on the connection. For more information about connection-related issues when you are using Oracle Native Network Encryption, see About Negotiating Encryption and Integrity in the Oracle documentation.
