5 Configuring Network Data Encryption and Integrity for Thin JDBC Clients

This chapter describes the Java implementation of Oracle Advanced Security, which lets thin Java Database Connectivity (JDBC) clients connect securely to Oracle Databases.

5.1 About the Java Implementation

The Java implementation of Oracle Advanced Security provides network encryption and integrity protection for Thin JDBC clients communicating with Oracle Databases that have Oracle Advanced Security enabled.


5.1.1 Java Database Connectivity Support

Java Database Connectivity (JDBC) is an industry-standard Java interface for connecting to a relational database from a Java program. Sun Microsystems defined the JDBC standard; Oracle Corporation implements and extends it with its own JDBC drivers.

Oracle JDBC drivers are used to create JDBC applications to communicate with Oracle databases. Oracle implements two types of JDBC drivers: Thick JDBC drivers built on top of the C-based Oracle Net client, as well as a Thin (Pure Java) JDBC driver to support downloadable applets. Oracle extensions to JDBC include the following features:

  • Data access and manipulation

  • LOB access and manipulation

  • Oracle object type mapping

  • Object reference access and manipulation

  • Array access and manipulation

  • Application performance enhancement

5.1.2 Securing Thin JDBC

Because the Thin JDBC driver is designed to be used with downloadable applets used over the Internet, Oracle designed a 100% Java implementation of Oracle Advanced Security encryption and integrity algorithms for use with thin clients. Oracle Advanced Security provides the following features for Thin JDBC:

  • Data encryption

  • Data integrity checking

  • Secure connections from Thin JDBC clients to the Oracle RDBMS

  • Ability for developers to build applets that transmit data over a secure communication channel

  • Secure connections from middle tier servers with Java Server Pages (JSP) to the Oracle RDBMS

  • Secure connections from Oracle Database 10g to older versions of Oracle databases with Oracle Advanced Security installed

The Oracle JDBC Thin driver implements the Oracle O3LOGON protocol for authentication. It does not support the Oracle Advanced Security SSL implementation, nor does it support third-party authentication features such as RADIUS, Kerberos, and SecurID. The Oracle JDBC OCI (thick) driver, by contrast, has the same support as any thick Oracle Net client, where all Oracle Advanced Security features are implemented.

Note:

Use the jsse.jar file provided by your platform vendor for Java SSL requests. Oracle JavaSSL is not supported starting with this release.

Oracle Advanced Security continues to encrypt and provide integrity checking of Oracle Net Services traffic between Oracle Net clients and Oracle servers using algorithms written in C. The Oracle Advanced Security Java implementation provides Java versions of the following encryption algorithms:

  • RC4_256

  • RC4_128

  • RC4_56

  • RC4_40

  • 3DES112

  • 3DES168

    Note:

    In Oracle Advanced Security, DES runs in Cipher Block Chaining (CBC) mode.

In addition, this implementation provides data integrity checking for Thin JDBC using Message Digest 5 (MD5), a cryptographically secure message digest.

5.1.3 Implementation Overview

On the server side, the negotiation of algorithms and the generation of keys function exactly the same as Oracle Advanced Security native encryption. This enables backward and forward compatibility of clients and servers.

On the client side, algorithm negotiation and key generation occur in exactly the same manner as in C-based Oracle Advanced Security encryption. The client and server negotiate encryption algorithms, generate random numbers, use Diffie-Hellman to exchange session keys, and use the Oracle Password Protocol (O3LOGON key fold-in), in the same manner as traditional Oracle Net clients. Thin JDBC contains a complete implementation of an Oracle Net client in pure Java.

5.1.4 Obfuscation

Java cryptography code is obfuscated in this release: the Java classes and methods that contain encryption and decryption capabilities are processed with obfuscation software.

Java byte code obfuscation is a process frequently used to protect intellectual property written in the form of Java programs. It mixes up Java symbols found in the code. The process leaves the original program structure intact, letting the program run correctly while changing the names of the classes, methods, and variables in order to hide the intended behavior. Although it is possible to decompile and read non-obfuscated Java code, obfuscated Java code is sufficiently difficult to decompile to satisfy U.S. government export controls.

5.2 Configuration Parameters

A java.util.Properties object containing several configuration parameters is passed to the Oracle Advanced Security interface. This section describes the following configuration parameters.

5.2.1 Client Encryption Level: ORACLE.NET.ENCRYPTION_CLIENT

This parameter defines the level of security that the client wants to negotiate with the server. Table 5-1 describes this parameter's attributes.

Table 5-1 ORACLE.NET.ENCRYPTION_CLIENT Parameter Attributes

Attribute         Description
Parameter Type    String
Parameter Class   Static
Permitted Values  REJECTED; ACCEPTED; REQUESTED; REQUIRED
Default Value     ACCEPTED
Syntax            up.put("oracle.net.encryption_client", level)
Example           up.put("oracle.net.encryption_client", "REQUIRED"), where up is defined as Properties up = new Properties()


5.2.2 Client Encryption Selected List: ORACLE.NET.ENCRYPTION_TYPES_CLIENT

This parameter defines the encryption algorithm to be used. Table 5-2 describes this parameter's attributes.

Table 5-2 ORACLE.NET.ENCRYPTION_TYPES_CLIENT Parameter Attributes

Attribute         Description
Parameter Type    String
Parameter Class   Static
Permitted Values  RC4_256; RC4_128; RC4_56; RC4_40; 3DES112; 3DES168
Syntax            up.put("oracle.net.encryption_types_client", alg)
Example           up.put("oracle.net.encryption_types_client", "3DES112"), where up is defined as Properties up = new Properties()


Note:

In this context, "C" refers to CBC (Cipher Block Chaining) mode.

5.2.3 Client Integrity Level: ORACLE.NET.CRYPTO_CHECKSUM_CLIENT

This parameter defines the level of security that the client wants to negotiate with the server for data integrity. Table 5-3 describes this parameter's attributes.

Table 5-3 ORACLE.NET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes

Attribute         Description
Parameter Type    String
Parameter Class   Static
Permitted Values  REJECTED; ACCEPTED; REQUESTED; REQUIRED
Default Value     ACCEPTED
Syntax            up.put("oracle.net.crypto_checksum_client", level)
Example           up.put("oracle.net.crypto_checksum_client", "REQUIRED"), where up is defined as Properties up = new Properties()


5.2.4 Client Integrity Selected List: ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT

This parameter defines the data integrity algorithm to be used. Table 5-4 describes this parameter's attributes.

Table 5-4 ORACLE.NET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes

Attribute         Description
Parameter Type    String
Parameter Class   Static
Permitted Values  MD5
Syntax            up.put("oracle.net.crypto_checksum_types_client", alg)
Example           up.put("oracle.net.crypto_checksum_types_client", "MD5"), where up is defined as Properties up = new Properties()
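The following Java program is an added example, not code from the Oracle documentation. It assembles the Properties object that Sections 5.2.1 through 5.2.4 describe, setting both the encryption and the integrity level to REQUIRED so that the connection fails rather than falling back to an unprotected channel, and then queries V$SESSION_CONNECT_INFO to confirm what was negotiated. The connection URL, the credentials passed on the command line, and the use of V$SESSION_CONNECT_INFO (a standard dynamic view not discussed on this page, which needs SELECT privilege on it) are assumptions of this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class ThinEncryptedConnect {

    // Build the Properties object described in Section 5.2 with the
    // parameters from Tables 5-1 through 5-4.
    static Properties secureProps(String user, String password) {
        Properties up = new Properties();
        up.put("user", user);
        up.put("password", password);
        // Client encryption level (Table 5-1): REQUIRED instead of the
        // default ACCEPTED, so a server that will not encrypt is refused.
        up.put("oracle.net.encryption_client", "REQUIRED");
        // Client encryption selected list (Table 5-2): a single algorithm
        // from the permitted values, as in the table's own example.
        up.put("oracle.net.encryption_types_client", "3DES168");
        // Client integrity level (Table 5-3) and selected list (Table 5-4).
        up.put("oracle.net.crypto_checksum_client", "REQUIRED");
        up.put("oracle.net.crypto_checksum_types_client", "MD5");
        return up;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder thin-driver URL; host, port and service are assumptions.
        String url = "jdbc:oracle:thin:@//dbhost.example.com:1521/ORCL";
        String user = args[0];      // credentials supplied on the command line
        String password = args[1];

        Class.forName("oracle.jdbc.OracleDriver");   // register the Oracle driver
        try (Connection conn = DriverManager.getConnection(url, secureProps(user, password))) {
            // Confirm the negotiated encryption and checksum services for this
            // session. The banner rows name the services that are active.
            String sql = "SELECT network_service_banner FROM v$session_connect_info "
                       + "WHERE sid = SYS_CONTEXT('USERENV', 'SID')";
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(sql)) {
                while (rs.next()) {
                    System.out.println(rs.getString(1));
                }
            }
        }
    }
}
```

If the server has encryption or integrity checking set to REJECTED, getConnection throws a SQLException with these settings, which is the desired outcome for a client that must not run over cleartext.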