Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Oracle Native Network Encryption

Amazon RDS supports Oracle native network encryption (NNE). With native network encryption, you can encrypt data as it moves to and from a DB instance. Amazon RDS supports NNE for all editions of Oracle. Amazon RDS supports Oracle native network encryption for any DB instance class larger than db.t1.micro.

A detailed discussion of Oracle native network encryption is beyond the scope of this guide, but you should understand the strengths and weaknesses of each algorithm and key before you decide on a solution for your deployment. Note that non-default TDE encryption algorithms only work with Oracle version 11.2.0.2.v7 and later. For information about the algorithms and keys that are available through Oracle native network encryption, see Configuring Network Data Encryption in the Oracle documentation. For more information about AWS security, see the AWS Security Center.

Note

You can use Native Network Encryption or Secure Sockets Layer, but not both. For more information, see Oracle SSL.

NNE Option Settings

Amazon RDS supports the following settings for the NNE option.

Option Setting: SQLNET.ENCRYPTION_SERVER
Valid Values: Accepted, Rejected, Requested, Required
Default Value: Requested
Description: The encryption behavior when a client, or a server acting as a client, connects to the DB instance. Requested indicates that the DB instance does not require traffic from the client to be encrypted.

Option Setting: SQLNET.CRYPTO_CHECKSUM_SERVER
Valid Values: Accepted, Rejected, Requested, Required
Default Value: Requested
Description: The data integrity behavior when a client, or a server acting as a client, connects to the DB instance. Requested indicates that the DB instance does not require the client to perform a checksum.

Option Setting: SQLNET.ENCRYPTION_TYPES_SERVER
Valid Values: RC4_256, AES256, AES192, 3DES168, RC4_128, AES128, 3DES112, RC4_56, DES, RC4_40, DES40
Default Value: RC4_256, AES256, AES192, 3DES168, RC4_128, AES128, 3DES112, RC4_56, DES, RC4_40, DES40
Description: A list of encryption algorithms used by the DB instance. The DB instance will use each algorithm, in order, to attempt to decrypt the client input until an algorithm succeeds or until the end of the list is reached.

Amazon RDS uses the following default list from Oracle. You can change the order or limit the algorithms that the DB instance will accept.

  1. RC4_256: RSA RC4 (256-bit key size)

  2. AES256: AES (256-bit key size)

  3. AES192: AES (192-bit key size)

  4. 3DES168: 3-key Triple-DES (112-bit effective key size)

  5. RC4_128: RSA RC4 (128-bit key size)

  6. AES128: AES (128-bit key size)

  7. 3DES112: 2-key Triple-DES (80-bit effective key size)

  8. RC4_56: RSA RC4 (56-bit key size)

  9. DES: Standard DES (56-bit key size)

  10. RC4_40: RSA RC4 (40-bit key size)

  11. DES40: DES40 (40-bit key size)

Option Setting: SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
Valid Values: sha-1, md5
Default Value: sha-1, md5
Description: The checksum algorithm.

Adding the NNE Option

The general process for adding the NNE option to a DB instance is the following:

  1. Create a new option group, or copy or modify an existing option group.

  2. Add the option to the option group.

  3. Associate the option group with the DB instance.

After you add the NNE option, as soon as the option group is active, NNE is active.

To add the NNE option to a DB instance

  1. For Engine, choose the Oracle edition that you want to use. NNE is supported on all editions.

  2. For Major Engine Version, choose 11.2 or 12.1.

    For more information, see Creating an Option Group.

  3. Add the NNE option to the option group. For more information about adding options, see Adding an Option to an Option Group.

    Note

    After you add the NNE option, you don't need to restart your DB instances. As soon as the option group is active, NNE is active.

  4. Apply the option group to a new or existing DB instance:

Using NNE

With Oracle native network encryption, you can also specify network encryption on the client side. On the client (the computer used to connect to the DB instance), you can use the sqlnet.ora file to specify the following client settings: SQLNET.CRYPTO_CHECKSUM_CLIENT, SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, SQLNET.ENCRYPTION_CLIENT, and SQLNET.ENCRYPTION_TYPES_CLIENT. For information, see Configuring Network Data Encryption and Integrity for Oracle Servers and Clients in the Oracle documentation.

Sometimes, the DB instance will reject a connection request from an application, for example, if there is a mismatch between the encryption algorithms on the client and on the server.
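The following is an added example, not code from the AWS guide or from Oracle: a small model of how the server-side settings in NNE Option Settings and the client-side sqlnet.ora settings above are negotiated. The Accepted/Rejected/Requested/Required matrix and the "first algorithm in the server's list that the client also offers" rule are Oracle's documented behavior; the function names, the audit helper, and the sample settings are this example's own.

```python
# Added example (not from the AWS guide or Oracle): models NNE negotiation between
# SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_TYPES_SERVER and the matching
# client settings, so you can see which combinations leave traffic in the clear.

# Outcome for (server mode, client mode). The same matrix governs the
# SQLNET.CRYPTO_CHECKSUM_* pair. True = service on, False = off, None = rejected.
_NEGOTIATION = {
    ("REJECTED", "REJECTED"): False, ("REJECTED", "ACCEPTED"): False,
    ("REJECTED", "REQUESTED"): False, ("REJECTED", "REQUIRED"): None,
    ("ACCEPTED", "REJECTED"): False, ("ACCEPTED", "ACCEPTED"): False,
    ("ACCEPTED", "REQUESTED"): True, ("ACCEPTED", "REQUIRED"): True,
    ("REQUESTED", "REJECTED"): False, ("REQUESTED", "ACCEPTED"): True,
    ("REQUESTED", "REQUESTED"): True, ("REQUESTED", "REQUIRED"): True,
    ("REQUIRED", "REJECTED"): None, ("REQUIRED", "ACCEPTED"): True,
    ("REQUIRED", "REQUESTED"): True, ("REQUIRED", "REQUIRED"): True,
}

# The RDS default SQLNET.ENCRYPTION_TYPES_SERVER list, in server preference order.
RDS_DEFAULT_ENCRYPTION_TYPES = ["RC4_256", "AES256", "AES192", "3DES168", "RC4_128",
                                "AES128", "3DES112", "RC4_56", "DES", "RC4_40", "DES40"]


def negotiate(server_mode, client_mode, server_types, client_types=()):
    """Return the negotiated algorithm, "" when the channel stays unencrypted,
    or None when the connection is rejected. An empty client list means the
    client accepts any algorithm the server offers (Oracle's rule)."""
    outcome = _NEGOTIATION[(server_mode.upper(), client_mode.upper())]
    if outcome is None:
        return None
    if not outcome:
        return ""
    offered = {a.upper() for a in client_types}
    # The server walks its own list in order and picks the first common algorithm.
    for alg in server_types:
        if not offered or alg.upper() in offered:
            return alg.upper()
    return None  # both sides want encryption but share no algorithm: rejected


def audit_server_settings(server_mode, server_types):
    """Defender's checks on the option settings: a non-Required mode lets a
    REJECTED client connect in the clear, and non-AES entries in the list can
    be selected ahead of AES if the client offers them. Hypothetical helper."""
    findings = []
    if server_mode.upper() != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER=%s: a client set to REJECTED "
                        "connects unencrypted" % server_mode)
    non_aes = [a for a in server_types if not a.upper().startswith("AES")]
    if non_aes:
        findings.append("non-AES algorithms accepted: " + ", ".join(non_aes))
    return findings
```

With the default Requested mode and default list, a client that rejects encryption still connects in the clear, and a client offering both AES256 and RC4_256 gets RC4_256 because it precedes AES256 in the server's list; setting Required and trimming the list to AES entries closes both gaps.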

To test Oracle native network encryption, add the following lines to the sqlnet.ora file on the client:

    DIAG_ADR_ENABLED=off
    TRACE_DIRECTORY_CLIENT=/tmp
    TRACE_FILE_CLIENT=nettrace
    TRACE_LEVEL_CLIENT=16

These lines generate a trace file on the client called /tmp/nettrace* when the connection is attempted. The trace file contains information on the connection. For more information about connection-related issues when you are using Oracle Native Network Encryption, see About Negotiating Encryption and Integrity in the Oracle documentation.

Modifying NNE Settings

After you enable NNE, you can modify settings for the option. For more information about how to modify option settings, see Modifying an Option Setting. For more information about each setting, see NNE Option Settings.

Removing the NNE Option

You can remove NNE from a DB instance.

To remove NNE from a DB instance, do one of the following:

  • To remove NNE from multiple DB instances, remove the NNE option from the option group they belong to. This change affects all DB instances that use the option group. After you remove the NNE option, you don't need to restart your DB instances. For more information, see Removing an Option from an Option Group.

  • To remove NNE from a single DB instance, modify the DB instance and specify a different option group that doesn't include the NNE option. You can specify the default (empty) option group, or a different custom option group. After you remove the NNE option, you don't need to restart your DB instance. For more information, see Modifying a DB Instance Running the Oracle Database Engine.
