The cancel( ) and setQueryTimeout( ) methods are not supported by the server-side Thin driver.
Chapter 6. Oracle Advanced Security
6.4 A Data Encryption and Integrity Example
Now that we've discussed both data encryption and integrity, let's see them in action. Example 6-1 is a sample application that uses the Thin driver to establish a secure database connection. First, the program loads the Oracle Thin driver using the DriverManager.registerDriver( ) method. This method is chosen because the use of encryption and integrity is definitely an Oracle extension, and therefore not portable. So why be concerned about using the Class.forName( ) method, along with the extra coding that it requires, when portability is no longer a concern?
Second, the program creates a Properties object named prop and then adds the required properties. It adds the user and password properties because the form of getConnection( ) used with a Properties object does not take them as separate parameters. The program then adds the oracle.net.encryption_client and oracle.net.encryption_types_client properties to require 40-bit RC4 encryption. Next, the program adds the oracle.net.crypto_checksum_client and oracle.net.crypto_checksum_types_client properties to require that an MD5 message digest be added to each packet. The value REQUIRED matters: with REQUESTED or ACCEPTED the driver would silently fall back to an unprotected connection if the server has the service turned off, whereas REQUIRED makes the connection fail instead. Keep in mind that RC4_40 and MD5 are the export-restricted algorithms of the 8.1.6 release; both are weak by today's standards, and with a later driver you should list the strongest algorithms your server supports.
Third, the program calls the getConnection(String url, Properties info) form of the getConnection( ) method. Then it finishes up in a manner similar to our previous connection examples by querying the database. This is the kind of secured connection you would most likely make for an applet. Alternatively, if you use an application or servlet, you would most likely use the OCI driver, in which case all these settings would be transparent to the program because they would be set in the Oracle Client's sqlnet.ora file.
Example 6-1. A secure database connection application
import java.sql.*;
import java.util.*;

public class TestDataEncryptionIntegrity {

  public static void main(String[] argv) throws Exception {
    // Register the Thin driver directly; the properties below are Oracle
    // extensions, so portability is not a concern here.
    DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver( ));

    Properties prop = new Properties( );
    prop.setProperty("user", "scott");
    prop.setProperty("password", "tiger");
    // Require (not merely request) 40-bit RC4 encryption of the session
    prop.setProperty("oracle.net.encryption_client", "REQUIRED");
    prop.setProperty("oracle.net.encryption_types_client", "( RC4_40 )");
    // Require an MD5 checksum on every packet
    prop.setProperty("oracle.net.crypto_checksum_client", "REQUIRED");
    prop.setProperty("oracle.net.crypto_checksum_types_client", "( MD5 )");

    Connection conn = DriverManager.getConnection(
      "jdbc:oracle:thin:@dssw2k01:1521:orcl", prop);
    Statement stmt = conn.createStatement( );
    ResultSet rset = stmt.executeQuery(
      "select 'Hello Thin driver Encryption & Integrity " +
      "tester '||USER||'!' result from dual");
    while (rset.next( ))
      System.out.println(rset.getString(1));
    rset.close( );
    stmt.close( );
    conn.close( );
  }
}
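Requiring the services in the connection properties is only half of the picture; a careful program also confirms, from the server's point of view, that they were actually negotiated. The following is an added example, not code from the book: it connects with the same property names Example 6-1 uses and then reads the current session's network service banner from V$SESSION_CONNECT_INFO, refusing to continue unless both an encryption service adapter and a crypto-checksumming service adapter appear. The host name, SID, credentials, and SELECT access to the V$ views are assumptions, and the banner wording is matched loosely because it varies by release and platform.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Connect with encryption and integrity REQUIRED, then verify that the
 * server actually negotiated both services before doing any real work.
 * Added example; the URL, credentials and privileges are placeholders.
 */
public class VerifyEncryptionIntegrity {

    // Assumed host, port and SID
    static final String URL = "jdbc:oracle:thin:@dbhost.example.com:1521:orcl";

    static Properties secureProps(String user, String password) {
        Properties prop = new Properties();
        prop.setProperty("user", user);
        prop.setProperty("password", password);
        // REQUIRED fails the connection rather than silently falling back to
        // cleartext when the server has the service REJECTED.
        prop.setProperty("oracle.net.encryption_client", "REQUIRED");
        prop.setProperty("oracle.net.crypto_checksum_client", "REQUIRED");
        // RC4_40 and MD5 are the book's 8.1.6-era values and are weak today.
        // With a current driver list stronger algorithms, for example
        // "( AES256 )" and "( SHA256 )" (assumed to be accepted by your release).
        prop.setProperty("oracle.net.encryption_types_client", "( RC4_40 )");
        prop.setProperty("oracle.net.crypto_checksum_types_client", "( MD5 )");
        return prop;
    }

    /** Returns the Net8 service banner lines recorded for this session. */
    static List<String> sessionBanner(Connection conn) throws SQLException {
        // One row per service attached to the session. Reading V$ views needs
        // a grant such as SELECT_CATALOG_ROLE (assumption).
        String sql =
            "SELECT network_service_banner FROM v$session_connect_info" +
            " WHERE sid = (SELECT sid FROM v$session" +
            "               WHERE audsid = USERENV('SESSIONID'))";
        List<String> lines = new ArrayList<String>();
        try (Statement stmt = conn.createStatement();
             ResultSet rset = stmt.executeQuery(sql)) {
            while (rset.next()) {
                lines.add(rset.getString(1));
            }
        }
        return lines;
    }

    /**
     * True when an encryption adapter and a checksumming adapter were
     * negotiated. The generic "encryption service" line is present on every
     * session; the "... service adapter" lines appear only when the service
     * is in use, so those are the ones to look for.
     */
    static boolean protectedSession(List<String> banner) {
        boolean encrypted = false;
        boolean checksummed = false;
        for (String line : banner) {
            String l = line.toLowerCase();
            if (l.contains("encryption service adapter")) {
                encrypted = true;
            }
            if (l.contains("crypto-checksumming service adapter")) {
                checksummed = true;
            }
        }
        return encrypted && checksummed;
    }

    public static void main(String[] argv) throws Exception {
        DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
        try (Connection conn =
                 DriverManager.getConnection(URL, secureProps("scott", "tiger"))) {
            List<String> banner = sessionBanner(conn);
            for (String line : banner) {
                System.out.println(line);
            }
            if (!protectedSession(banner)) {
                // Fail closed: do not run application SQL over an unprotected link.
                throw new IllegalStateException(
                    "encryption or integrity not active on this session");
            }
            // application work goes here
        }
    }
}
```

Running this against a server whose sqlnet.ora sets SQLNET.ENCRYPTION_SERVER = REJECTED will not even reach the banner check: the REQUIRED setting makes getConnection( ) throw. The banner check catches the remaining case, a driver or server that accepted the connection without the services you expected.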
Now that you know how to secure your connection's privacy and integrity, let's examine another data encryption and integrity solution available to the OCI driver, the Secure Sockets Layer.
6.5 Secure Sockets Layer
Secure Sockets Layer (SSL) is an industry-standard protocol for secure authentication, data encryption, and data integrity. With Version 8.1.6, SSL is supported only by the OCI driver. So when you configure the Oracle Client and the Server's listener software to use SSL, data encryption and integrity are transparently enabled, that is, as far as your Java programs are concerned. It's just a matter of specifying a net service name configured to use SSL in your database URL. Since the Thin driver of this release does not support SSL (the author expected, given the export laws of the time, that it might never; later Thin driver releases did add SSL support, so check the documentation for your version), there are no properties for a programmer to specify, and therefore no example to show. Nonetheless, it may be helpful to understand the steps involved in configuring the Oracle Client and Server to use SSL. For testing purposes, here's an outline of the activities required to configure your server for SSL:
1. Use Oracle Wallet Manager to create a new Oracle wallet, which is an abstraction for an X.509 certificate database.
2. In Wallet Manager, create a certificate request using the fully qualified domain name of your server's host as the common name.
3. Export your certificate request and send it to a certificate authority along with the required information to acquire a trusted certificate. For testing purposes, send your request to VeriSign, which you can do at http://digitalid.verisign.com/server/trial/index.htm. After VeriSign sends you your certificate via email, install the corresponding test root certificate in Internet Explorer by going to https://digitalid.verisign.com/server/trial/trialStep4.htm. The test root certificate is distinct from the one you received via email. You'll want to use Internet Explorer to receive the test root certificate from VeriSign, because you can then export the root certificate by selecting Tools → Internet Options → Content → Certificates → Trusted Roots, scrolling to "Issued To: for VeriSign Authorized testing only," and then selecting Export. The result is an operating-system file. The reason you need to export the test root certificate is to make it available to Wallet Manager. At this point you have two certificates: a user certificate in an email and a test root certificate in an operating-system file.
4. After you get your root certificate and your trusted user certificate for the certificate request you created earlier, import them into your wallet using Wallet Manager. Import the root certificate first and then the user certificate.
5. Use Oracle Net8 Assistant to add the necessary parameters for SSL to your profile by clicking on Local, then Profile from the hierarchy tree, then selecting Oracle Advanced Security from the drop-down list box, and finally clicking on the SSL tab. You'll want to specify the same Oracle Wallet directory you used when you created your wallet.
6. Next, add an SSL listener on port 2484 to your listener by clicking on Local, then Listeners, then LISTENER, then selecting Listening Locations from the drop-down list box, and finally clicking on Add Address. Specify the protocol TCP with SSL, your fully qualified hostname for host, and port 2484.
7. Now for the client-side configuration. Run Oracle Net8 Assistant on your client. Add an SSL net service name using port 2484 to your client by clicking on Local, then Service Naming, then clicking on the Edit/Create menu item. Specify a service name, a protocol of TCP/IP with SSL, your fully qualified hostname for the host, and port 2484.
8. Last, and this is important on Windows NT or Windows 2000, go to the Services administrative tool, right-click on the Oracle database service (which will be named OracleServiceORCL or something similar), select Properties, click on the Log On tab, click on This Account, and specify the name of the user that owns the Oracle Wallet. The wallet holds the server's private key, so that user should be the only one with read access to the wallet directory.
Once you have followed these steps, you can use an SSL database connection with the OCI driver. There are no necessary changes to your Java programs, but, as I stated earlier, you are limited for the time being to OCI driver support. SSL cannot be used from the Thin driver of this release. For all the gory details about Oracle Advanced Security, see the Oracle Advanced Security Administrator's Guide available on the OTN.
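The Net8 Assistant steps above are recorded in the Oracle Net configuration files, and it helps to recognize what they produce. The fragments below are an added illustration, not taken from the book: the server-side sqlnet.ora and listener.ora from steps 5 and 6, and the client-side sqlnet.ora and tnsnames.ora from step 7. The host name, wallet directories, service name, and the ORCL_SSL alias are assumptions; SSL_SERVER_DN_MATCH is shown for clients whose release supports it and is not something the book's steps set.

```text
# ---- server: sqlnet.ora (step 5) ----
# Same directory you chose when creating the wallet in Wallet Manager
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\oracle\wallets\server)))
# Server presents its certificate; clients are not asked for one
SSL_CLIENT_AUTHENTICATION = FALSE

# ---- server: listener.ora (step 6) ----
# The existing cleartext endpoint on 1521 plus the SSL endpoint on 2484
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))))

# ---- client: sqlnet.ora ----
# Client wallet containing the trusted root (test root) certificate
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = C:\oracle\wallets\client)))
# Where supported, make the client check the server certificate's DN
# against the connect descriptor instead of accepting any trusted cert
SSL_SERVER_DN_MATCH = YES

# ---- client: tnsnames.ora (step 7) ----
# Net service name that the OCI driver URL jdbc:oracle:oci8:@ORCL_SSL refers to
ORCL_SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example.com)))
```

Two things are worth checking once the files are in place: the listener process, and on Windows the database service from step 8, must run as an account that can read the wallet directory, and the HOST value in the TCPS address must be the same fully qualified name you used as the common name of the certificate request in step 2, otherwise DN matching on the client will fail.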
Now that you can create secured connections, we'll take a look at our last connection topic, Oracle's implementation of DataSources.