How to Resolve the POODLE Vulnerability in Native Connection to Oracle
© 1993-2015 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All
Abstract
You can connect to a secure Oracle database from PowerCenter. This article describes how to overcome the POODLE vulnerability when you use native connection to connect to a secure Oracle database from PowerCenter.
Supported Versions
• PowerCenter 9.6.x
Table of Contents
Overview
Checking the TLS Protocol Availability
Configuring the SSL_VERSION Property in the Oracle Server
Configuring the SSL_VERSION Property in the Oracle Native Client
Configuring the Encryption Method Property in the DataDirect Oracle ODBC Driver
Configuring the CryptoProtocolVersion in DataDirect Oracle JDBC Driver
Overview
You can connect from PowerCenter to an Oracle database secured with the SSL or TLS protocol. The SSL protocol has been replaced by TLS, and Informatica no longer supports SSL 3.0 for database connections. SSL has more known security vulnerabilities than TLS, yet many TLS implementations remain backward compatible with SSL 3.0 to interoperate with legacy systems.
Even if a client and server both support a version of TLS, many clients implement a protocol downgrade to work around server-related interoperability bugs. A POODLE attack (Padding Oracle On Downgraded Legacy Encryption) can force such a downgrade to SSL 3.0 and break its cryptographic security to steal secure HTTP cookies or other bearer tokens, such as HTTP Authorization header contents.
Oracle does not provide a specific native configuration parameter on the Oracle server to enforce the use of the TLS protocol for the connection between the Oracle server and client. Instead, the SSL_VERSION property in the sqlnet.ora file defines the version of SSL that must run on the Oracle server and on the clients to which Oracle connects. If you set the SSL_VERSION property in the sqlnet.ora file on the Oracle server to UNDETERMINED, Oracle uses the TLS protocol to connect to the client. You must then configure the clients, including the DataDirect drivers for ODBC and JDBC, to match the connection protocol that the Oracle server uses.
Before you configure the Oracle server and client, verify that the TLS protocol is available for use on the client and server machines.
To resolve the POODLE vulnerability when you use a native connection to a secure Oracle database from PowerCenter, perform the following tasks:
1. Check with the system administrator on the TLS protocol availability.
   Verify with the help of the system administrator that the TLS protocol is available on the Oracle client and server machines.
2. Configure the SSL_VERSION property in the Oracle server.
   Set the SSL_VERSION property to UNDETERMINED so that Oracle uses the TLS protocol.
3. Configure the SSL_VERSION property in the Oracle native client.
   Set the SSL_VERSION property to match the Oracle server.
4. Configure the Encryption Method property in the DataDirect Oracle ODBC driver.
   Set the Encryption Method to the TLS protocol in the Data Source security properties of the ODBC driver. This configures the DataDirect ODBC driver to secure the connection to an Oracle server that uses the TLS protocol.
5. Configure the CryptoProtocolVersion in the DataDirect Oracle JDBC driver.
   Set the CryptoProtocolVersion to the TLS protocol in the connection string of the JDBC driver.
Checking the TLS Protocol Availability
Work with your system administrator to verify that the TLS protocol is available for use on the Oracle client and server machines.
Configuring the SSL_VERSION Property in the Oracle Server
On the Oracle server, set the SSL_VERSION property in the sqlnet.ora file to UNDETERMINED so that the Oracle server uses the TLS protocol when it connects to clients.
To configure the SSL_VERSION property in the Oracle server, work with your database administrator to complete the following steps:
1. Create Oracle server wallets and import client certificates into the server wallet.
   Ensure that you import the valid Oracle client certificates into the Oracle server wallet as trusted certificates.
2. Set the following property in the sqlnet.ora file:
   SSL_VERSION = UNDETERMINED
A sample sqlnet.ora file at the Oracle server appears as follows:
   SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
   SSL_CLIENT_AUTHENTICATION = TRUE
   WALLET_LOCATION =
     (SOURCE =
       (METHOD = FILE)
       (METHOD_DATA =
         (DIRECTORY = <DIRECTORY>)
       )
     )
   SSL_SERVER_DN_MATCH=ON
   SSL_VERSION = UNDETERMINED
   # SSL_VERSION = 3.0
The commented-out last line shows the earlier SSL 3.0 setting, which is the value exposed to POODLE.
After you configure the Oracle server, you must also configure the Oracle client and the Oracle drivers.
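As an added audit example (not part of this article and not Oracle's or Informatica's code), the following Python script parses a sqlnet.ora file and flags a server that still has SSL_VERSION set to 3.0 or lacks the wallet and DN-matching settings shown above. The sample file is constructed from the excerpt above, and the handling of Oracle's parenthesised multi-line values is a simplified parser written for this example.

```python
import re

# Constructed sample modelled on the sqlnet.ora excerpt in this article.
SAMPLE_SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES= (TCPS, BEQ)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = <DIRECTORY>)
    )
  )
SSL_SERVER_DN_MATCH=ON
SSL_VERSION = UNDETERMINED
# SSL_VERSION = 3.0
"""
TLS_VERSIONS = {"UNDETERMINED", "1.0", "1.1", "1.2"}  # values that negotiate TLS; "3.0" is SSL 3.0


def parse_sqlnet(text):
    """Top-level NAME -> value pairs; '#' starts a comment; parenthesised values may span lines."""
    params, name, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out SSL_VERSION line is ignored
        if not line:
            continue
        if depth == 0 and not (name and buf == [""]):
            m = re.match(r"^([A-Z0-9_.]+)\s*=\s*(.*)$", line, re.I)
            if not m:
                continue
            name, buf = m.group(1).upper(), [m.group(2).strip()]
        else:
            buf.append(line)  # continuation of a multi-line (or empty-on-first-line) value
        depth += line.count("(") - line.count(")")
        if depth == 0 and buf != [""]:
            params[name] = " ".join(buf).strip()
            name = None
    return params


def audit_sqlnet(text):
    """Findings for the server-side settings this article describes; [] means the file passes."""
    p = parse_sqlnet(text)
    findings = []
    version = p.get("SSL_VERSION", "")
    if version.upper() not in TLS_VERSIONS:
        findings.append("SSL_VERSION is %r; expected UNDETERMINED or a TLS version" % version)
    if p.get("SSL_SERVER_DN_MATCH", "").upper() != "ON":
        findings.append("SSL_SERVER_DN_MATCH is not ON")
    if "DIRECTORY" not in p.get("WALLET_LOCATION", "").upper():
        findings.append("WALLET_LOCATION has no DIRECTORY entry")
    return findings
```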
Configuring the SSL_VERSION Property in the Oracle Native Client
The Oracle client uses the Oracle native driver to connect to Oracle. The Oracle client and server must use the same protocol version.
Note: You must set the SSL_VERSION property in the Oracle server to UNDETERMINED before you configure the Oracle client.
To configure the SSL_VERSION property in the Oracle native client, perform the following tasks:
1. Create the Oracle client's wallet with the help of your database administrator.
2. Generate a client certificate with the help of your database administrator.
3. Export the certificate and send it to your database administrator to import it into the server wallet.
4. Get the valid server SSL certificate from your database administrator and import it into the client wallet.
5. Import the Oracle server certificates into the Oracle wallet as trusted certificates.
6. Set the following parameter in the sqlnet.ora file:
   SSL_VERSION = UNDETERMINED
Configuring the Encryption Method Property in the DataDirect Oracle ODBC Driver
To configure the DataDirect Oracle ODBC driver to use the TLS protocol, set the ENCRYPTION_METHOD in the Data Source security properties to TLS1.
Note: You must set the SSL_VERSION property in the Oracle server to UNDETERMINED before you configure the ODBC driver.
Perform the following tasks on the client machine from which you want to connect to the Oracle server with a secure ODBC connection:
1. Create an Oracle data source using the DataDirect ODBC driver for Oracle.
2. When you create a Data Source Name for the DataDirect ODBC driver, go to the Security tab in the DSN properties and configure the Oracle server truststore and client keystore files with valid passwords.
3. On Windows, go to the Security tab and set the Encryption Method to TLS1 in the DSN properties.
   On UNIX, set EncryptionMethod=5 in the DSN properties in the odbc.ini file.
4. Verify that the DSN can connect to the Oracle database.
The following entries describe the DSN properties that appear on Windows:
User Name: The database user name.
Authentication Method: Validates the identity of database users and prevents unauthorized use of a database user name. Select 1 - Encrypt Password.
GSS Client Library: An API for programs to access security services. Select native.
Encryption Method: The algorithm that encrypts the data transferred between the client and server. Select 5 - TLS1.
Validate Server Certificate: Select to validate the server-side certificate in the handshake between client and server.
Trust Store: Enter the location of the generated .pfx file.
Trust Store Password: Specify the password, if you set one when generating the .pfx file.
Key Store: Enter the location of the generated .pfx file.
Key Store Password: Specify the password, if you set one when generating the .pfx file.
Sample UNIX DSN entries appear as follows:
   [<Box_details>]
   Driver=/export/home/adputf_9/Informatica/9.6.1/ODBC7.1/lib/DWora27.so
   Description=InMemory ODBC SSL Connection
   AuthenticationMethod=1
   EnableNcharSupport=1
   EncryptionMethod=5
   HostName=<host_name>
   KeyStore=<keystore.pfx>
   KeyStorePassword=<password>
   LogonID=<ID>
   Password=<password>
   PortNumber=2484
   #SID=<SID>
   ServiceName=<service_name>
   TrustStore=<TrustStore.pfx>
   TrustStorePassword=<password>
   ValidateServerCertificate=1
Configuring the CryptoProtocolVersion in DataDirect Oracle JDBC Driver
To configure the DataDirect Oracle JDBC driver to use the TLS protocol, set the CryptoProtocolVersion to TLSv1 in the connection string.
Note: You must set the SSL_VERSION property in the Oracle server to UNDETERMINED before you configure the JDBC driver.
Perform the following tasks in the Administrator tool to connect to the Oracle server using a secure JDBC connection:
1. In the Administrator tool, create a connection.
2. In the New Connection dialog box, select the Oracle connection type and click OK.
3. In the New Connection dialog box, enter the properties for the connection and click Next.
4. Under the Advanced JDBC security options in the Details tab, append the following parameter to the connection string entry:
   cryptoProtocolVersion=TLSv1
5. Configure the Oracle server truststore and client keystore files.
6. Verify that the connection can connect to the Oracle database.
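As an added client-side check covering both the UNIX odbc.ini DSN sample in the ODBC section and the cryptoProtocolVersion parameter in the JDBC connection string above, the following Python script (added here, not Informatica's code) reads a DSN with configparser and parses the ;key=value parameters of a JDBC URL. The sample DSN is constructed from the entries in this article, and the JDBC URL prefix is a placeholder because the article specifies only the parameter.

```python
import configparser
# Constructed odbc.ini DSN modelled on the UNIX sample in this article (placeholders
# kept; the bare "Password" line of the sample is written as key=value).
SAMPLE_ODBC_INI = """\
[oracle_tls]
Driver=/export/home/adputf_9/Informatica/9.6.1/ODBC7.1/lib/DWora27.so
AuthenticationMethod=1
EncryptionMethod=5
HostName=<host_name>
KeyStore=<keystore.pfx>
KeyStorePassword=<password>
LogonID=<ID>
Password=<password>
PortNumber=2484
ServiceName=<service_name>
TrustStore=<TrustStore.pfx>
TrustStorePassword=<password>
ValidateServerCertificate=1
"""
# Constructed JDBC URL: only cryptoProtocolVersion=TLSv1 comes from the article;
# "jdbc:<driver>://" is a placeholder for the driver's real URL prefix.
SAMPLE_JDBC_URL = ("jdbc:<driver>://<host_name>:2484;ServiceName=<service_name>;"
                   "cryptoProtocolVersion=TLSv1")


def audit_odbc_dsn(ini_text, dsn):
    """Findings for one DSN against the TLS settings in this article ([] = passes)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the DataDirect key spelling instead of lowercasing
    cp.read_string(ini_text)
    s = cp[dsn]
    findings = []
    if s.get("EncryptionMethod") != "5":  # 5 is TLS1 in the DataDirect ODBC driver
        findings.append("EncryptionMethod=%s; expected 5 (TLS1)" % s.get("EncryptionMethod"))
    if s.get("ValidateServerCertificate") != "1":
        findings.append("ValidateServerCertificate is not 1")
    for key in ("TrustStore", "KeyStore"):
        if not s.get(key):
            findings.append("%s is not set" % key)
    return findings


def jdbc_params(url):
    """Parse the ';key=value' parameters after the host part; keys compared case-insensitively."""
    pairs = (p.partition("=") for p in url.split(";")[1:])
    return {k.strip().lower(): v.strip() for k, _, v in pairs}


def audit_jdbc_url(url):
    """[] when the URL carries cryptoProtocolVersion=TLSv1, otherwise one finding."""
    value = jdbc_params(url).get("cryptoprotocolversion", "")
    return [] if value == "TLSv1" else ["cryptoProtocolVersion=%r; expected TLSv1" % value]
```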
Authors
Tanjot Singh Uppal, Senior QA Engineer
Anju Andrews, Lead QA Engineer
Sujitha Alexander, Technical Writer