EF Core and encrypting Oracle db traffic

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for Oracle
Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Post by Eric_08 » Wed 17 Oct 2018 21:25

I have a requirement where I need to encrypt database traffic between our application and Oracle 12.1 database. Our application is on .NET core 2.1 with EF Core 2.1 and Linux RHEL7, so direct mode is used in DevArt component. How do I use DevArt component for EF Core 2.1 to encrypt database traffic? I understand there is a DirectUtils class, but how do I use it with EF Core? Any example on how to use it would be greatly appreciated.

Thank you

Shalex
Site Admin
Posts: 8663
Joined: Thu 14 Aug 2008 12:44

Re: EF Core and encrypting Oracle db traffic

Post by Shalex » Thu 18 Oct 2018 19:22

Please refer to https://www.devart.com/dotconnect/oracl ... tmode.html > the Oracle Advanced Security Support in Direct Mode section.

Sample

Code: Select all

C:\oracle\product\12.1.0\dbhome_1\NETWORK\ADMIN\sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (NTS)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
SQLNET.ENCRYPTION_SERVER= REQUIRED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
SQLNET.CRYPTO_CHECKSUM_SERVER= REQUIRED

Code: Select all

using System;
using Devart.Data.Oracle;

// Require native encryption and integrity checking; set before any connection is opened.
DirectUtils.EncryptionLevel = DirectUtils.SecurityLevel.Required;
DirectUtils.DataIntegrityLevel = DirectUtils.SecurityLevel.Required;

using (var conn = new OracleConnection())
{
    // Direct mode connection (no Oracle client installed).
    conn.ConnectionString = "direct=true;server=192.168.0.169;sid=orcl;uid=c##scott;pwd=tiger;";
    conn.Open();
    var cmd = conn.CreateCommand();
    cmd.CommandText = "select 1 + 1 from dual";
    Console.WriteLine(cmd.ExecuteScalar());
}
Console.ReadKey();

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Thu 18 Oct 2018 19:45

Yes, I read that topic, but I'm somewhat confused here. I'm using EF Core and .NET Core, so I'm initializing DbContext via the optionsBuilder.UseOracle() extension method. How do I use DirectUtils in this case? Do I use

Code: Select all

DirectUtils.EncryptionLevel = DirectUtils.SecurityLevel.Required;
DirectUtils.DataIntegrityLevel = DirectUtils.SecurityLevel.Required;

before optionsBuilder.UseOracle()? I want to do it for just one Oracle database connection, but it appears DirectUtils is static and not per connection.

Shalex
Site Admin
Posts: 8663
Joined: Thu 14 Aug 2008 12:44

Re: EF Core and encrypting Oracle db traffic

Post by Shalex » Tue 23 Oct 2018 09:41

There is no way to set an encryption per connection. You can use static DirectUtils for the whole application only.

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Tue 23 Oct 2018 14:04

This seems to be a design flaw. Do you have plans to modify code and make it work per connection?

Shalex
Site Admin
Posts: 8663
Joined: Thu 14 Aug 2008 12:44

Re: EF Core and encrypting Oracle db traffic

Post by Shalex » Fri 26 Oct 2018 18:23


Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Tue 13 Nov 2018 13:46

Do you support TLS encryption in Direct mode? I'm getting 'ORA-03113: end-of-file on communication channel' error when I try to use code that uses encryption. I found the following conversation (viewtopic.php?t=34362) on your site from two years ago where someone was trying to use TLS encryption and was getting the same error. At that time, you mentioned that DevArt does not support encryption in direct mode. Has that been fixed yet? Do you support TLS encryption in direct mode with the latest version?

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Mon 19 Nov 2018 14:22

I need to know if DevArt supports Oracle TLS encryption in DirectMode. I need to know the answer rather quickly. Please respond with the answer. If DevArt does support TLS encryption for Oracle in Direct Mode, please tell me how can I get past 'ORA-03113: end-of-file on communication channel' error.

Pinturiccio
Devart Team
Posts: 2406
Joined: Wed 02 Nov 2011 09:44

Re: EF Core and encrypting Oracle db traffic

Post by Pinturiccio » Mon 19 Nov 2018 16:04

dotConnect for Oracle does not support SSL and TLS in the Direct mode. The Data Encryption and Data Integrity features are supported in the Direct mode starting from 9.1.131. Since this version, you can use a secure connection to Oracle database in the Direct mode, but it is not SSL/TLS. For more information, please see https://www.devart.com/dotconnect/oracl ... tMode.html , the section "Oracle Advanced Security Support in Direct Mode".

Eric_08 wrote: please tell me how can I get past 'ORA-03113: end-of-file on communication channel' error.

Please describe the error you got. Please also describe the steps for reproducing the issue.

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Mon 19 Nov 2018 16:58

Basically, I need to know if DevArt driver in direct mode for Oracle and EF Core/.NET Core supports specifying port TCPS with port 2484. On Oracle database server, the SSL certificate will be added to Oracle wallet and then somehow I need to connect to the Oracle database server using DevArt over port 2484 with TCPS. Is that supported by DevArt in direct mode? Is that the same thing as DirectUtils.SecurityLevel?

Pinturiccio
Devart Team
Posts: 2406
Joined: Wed 02 Nov 2011 09:44

Re: EF Core and encrypting Oracle db traffic

Post by Pinturiccio » Tue 20 Nov 2018 15:55

dotConnect for Oracle does not support SSL in the Direct mode. Oracle's Data Encryption and SSL are different kinds of encryption.
If you set up an Oracle server with SSL certificates, then dotConnect for Oracle won't work with your server in the Direct mode. For more information, please refer to https://docs.oracle.com/database/121/DB ... m#DBSEG020

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Tue 20 Nov 2018 17:00

Got it. Thanks!

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Tue 20 Nov 2018 19:59

So I turned on Oracle Native Encryption and Data Integrity option on the Oracle DB server (v12.1). This is what SQLNET.ora on the server looks like:

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA256)
SQLNET.AUTHENTICATION_SERVICES= (NONE)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.CRYPTO_SEED = 'xxxxxxxxxxx'
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
ADR_BASE = D:\xxxxxxxx\dbhome_1\log
SQLNET.CRYPTO_CHECKSUM_SERVER = required

I then set DirectUtils.SecurityLevel to required by doing this:

Code: Select all

DirectUtils.EncryptionLevel = DirectUtils.SecurityLevel.Required;
DirectUtils.DataIntegrityLevel = DirectUtils.SecurityLevel.Required;

After doing that, I can't connect to the database server from my application. I'm now getting this error:

Code: Select all

Devart.Data.Oracle.OracleException (0x80004005): ORA-12650: No common encryption or data integrity algorithm

I'm running my application on .NET Core 2.1 with EF Core 2.1.4 and DevArt EF Core 9.6.621.

Please help!

Eric_08
Posts: 17
Joined: Wed 11 Jul 2018 21:50

Re: EF Core and encrypting Oracle db traffic

Post by Eric_08 » Wed 21 Nov 2018 15:11

I think I figured out what's happening. I was using SHA256 for integrity method, but looks like it's not supported by DevArt. When I switched to SHA1 for integrity method, it started working. SHA1 is a weaker algorithm though. When are you going to support SHA256/SHA384/SHA512 for integrity method? I need something higher than SHA1.

I'm using the latest DevArt Oracle/EF core component running on Linux in direct mode.

Shalex
Site Admin
Posts: 8663
Joined: Thu 14 Aug 2008 12:44

Re: EF Core and encrypting Oracle db traffic

Post by Shalex » Thu 22 Nov 2018 15:45

Eric_08 wrote (Wed 21 Nov 2018 15:11): I think I figured out what's happening. I was using SHA256 for integrity method, but looks like it's not supported by DevArt.

That is correct: the current implementation of the .NET Standard Devart.* assemblies doesn't include support for SHA256.

Eric_08 wrote (Wed 21 Nov 2018 15:11): When are you going to support SHA256/SHA384/SHA512 for integrity method? I need something higher than SHA1.

The investigation is in progress. We will notify you about the result.
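
Added example, not part of the original thread and not Devart or Oracle code: a small audit of a server-side sqlnet.ora that flags weak native-encryption and checksum algorithms and predicts the ORA-12650 mismatch discussed above. The client capability sets are assumptions inferred from what the posters report, not a vendor-published list, and the parser handles single-line entries only.

```python
import re

# Constructed inputs: the two server-side sqlnet.ora fragments quoted in this thread, trimmed.
SAMPLE_1 = """
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
SQLNET.ENCRYPTION_SERVER= REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (MD5)
SQLNET.CRYPTO_CHECKSUM_SERVER= REQUIRED
"""
SAMPLE_2 = """
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA256)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
"""
# Assumption: hypothetical client capability sets inferred from the thread, not a vendor list.
CLIENT_ENC = {"AES256", "RC4_256"}
CLIENT_SUM = {"MD5", "SHA1"}

def parse_sqlnet(text):
    """Parse single-line NAME = value or NAME = (A, B) entries into {NAME: [VALUES]}."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_.]+)\s*=\s*(.+)$", line.split("#", 1)[0].strip())
        if m:
            values = m.group(2).strip("() ").split(",")
            params[m.group(1).upper()] = [v.strip().upper() for v in values if v.strip()]
    return params

def is_weak(alg):
    """RC4, DES/3DES, MD5 and SHA1 are treated as weak by this audit."""
    return alg.startswith(("RC4", "DES", "3DES")) or alg in {"MD5", "SHA1"}

def audit(text, client_enc=CLIENT_ENC, client_sum=CLIENT_SUM):
    """Return findings for native network encryption and integrity settings."""
    p, findings = parse_sqlnet(text), []
    for kind, level_key, types_key, client in (
        ("encryption", "SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_TYPES_SERVER", client_enc),
        ("integrity", "SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", client_sum),
    ):
        level = (p.get(level_key) or ["ACCEPTED"])[0]  # ACCEPTED is the server default
        server = p.get(types_key, [])  # empty list: server offers all installed algorithms
        if level != "REQUIRED":
            findings.append(f"{kind}: server level is {level}, not REQUIRED")
        findings += [f"{kind}: weak algorithm {a}" for a in server if is_weak(a)]
        # Both sides REQUIRED with disjoint lists is the ORA-12650 case from the thread.
        if level == "REQUIRED" and server and not any(a in client for a in server):
            findings.append(f"{kind}: no algorithm in common with client (ORA-12650)")
    return findings
```

Running audit(SAMPLE_2) reports the integrity mismatch behind the ORA-12650 error; replacing SHA256 with SHA1 clears the mismatch but leaves a weak-algorithm finding.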
