All configuration is done in the "sqlnet.ora" files on the client and server. The server side configuration parameters are as follows. The server can also be considered a client if it is making client calls, so you may want to include the client settings if appropriate. The client side configuration parameters are as follows. The possible values for the parameters are as follows. - : The client or server will allow both encrypted and non-encrypted connections. This is the default if the parameter is not set. - : The client or server will refuse encrypted traffic. - : The client or server will request encrypted traffic if it is possible, but will accept non-encrypted traffic if encryption is not possible. - : The client or server will only accept encrypted traffic. The combination of the client and server settings will determine if encryption is used, not used or the connection is rejected, as described in the encryption negotiations matrix here . The parameters accept a comma-separated list of encryption algorithms. Available algorithms are listed here . If no encryption type is set, all available encryption algorithms are considered.

1
2
3
4
5

SQLNET.ENCRYPTION_SERVER
SQLNET.ENCRYPTION_TYPES_SERVER

SQLNET.ENCRYPTION_CLIENT
SQLNET.ENCRYPTION_TYPES_CLIENT

As you can see from the encryption negotiations matrix , there are many combinations that are possible. Here are a few to give you a feel for what is possible. If we require AES256 encryption on all connections to the server, we would add the following to the server side "sqlnet.ora" file. The client does not need to be altered as the default settings (ACCEPTED and no named encryption algorithm) will allow it to successfully negotiate a connection. If we want to force encryption from a client, while not affecting any other connections to the server, we would add the following to the client "sqlnet.ora" file. The server does not need to be altered as the default settings (ACCEPTED and no named encryption algorithm) will allow it to successfully negotiate a connection. If we would prefer clients to use encrypted connections to the server, but will accept non-encrypted connections, we would add the following to the server side "sqlnet.ora".

1
2
3
4
5
6
7
8

SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)

SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)

SQLNET.ENCRYPTION_SERVER=REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)

Changes to the contents of the "sqlnet.ora" files affect all connections made using that . As a result, certain requirements may be difficult to guarantee without manually configuring TCP/IP and SSL/TLS. For example, imagine you need to make sure an individual client always uses encryption, whilst allowing other connections to the server to remain unencrypted. If you force encryption on the server you have gone against your requirement by affecting all other connections. You can force encryption for the specific client, but you can't guarantee someone won't change the "sqlnet.ora" settings on that client at a later time, therefore going against your requirement. In such a case, it might be better to manually configure TCP/IP and SSL/TLS, as it allows you to guarantee how the connections on being handled on both sides and makes the point-to-point configuration explicit.

The advanced security data integrity functionality is separate to network encryption, but it is often discussed in the same context and in the same sections of the manuals. The configuration is similar to that of network encryption, using the following parameters in the server and/or client "sqlnet.ora" files. The parameters have the same allowed values as the parameters, with the same style of negotiations. The parameters only accepts the SHA1 value prior to 12c. From 12c onward they also accept MD5, SHA1, SHA256, SHA384 and SHA512, with SHA256 being the default. For more information see: - Configuring Network Data Encryption and Integrity for Oracle Servers and Clients - Configuration of TCP/IP with SSL and TLS for Database Connections Hope this helps. Regards Tim...

1
2
3
4
5
6
7

# Server
SQLNET.CRYPTO_CHECKSUM_SERVER
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

# Client
SQLNET.CRYPTO_CHECKSUM_CLIENT
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT