ODAC and Oracle Database Security

[jdredd]

http://www.oracle.com/technology/deploy ... index.html

How is ODAC with dealing with a server setup that has Oracle Advanced Security?

I am wanting to protect as much data (user/pass/sql commands/ect) from being seen on a possible deployed application. (was designed to be internal use only, but higher ups have changed their ideas now)

[Plash]

Security is provided by Oracle client. Oracle client is responsible for encrypting data that it sends to the server. If you set the corresponging settings in Oracle client, it will encrypt data when sending them through the network.

[jdredd]

so that would mean the oracle client software would need to be installed and odac direct mode couldn't be used then correct? (sorry for dumb questions, still new at using oracle and i dont touch/configure/setup/ect the servers)

[Plash]

Yes, you should install Oracle client. Direct mode does not support encrypted connection to Oracle.

[wchris]

Hello,

Is this still the case with ODAC 10 ?

90% of our customers use direct mode. We don't want to go back to OCI clients.

We need to encryp the communication between the application and the oracle server, not the tables contents or the database.

This is required for security reasons because we work with health organisations that have increased their confidentiality requirements ?

If still not available in direct mode yet, when do you expect to add the feature ? (we need it for 2018 or will have to leave the odac solution)

Thank you

PS: WPA 2 wifi protocol has been cracked in 2017, demand for encrypted transmissions will skyrocket.

[MaximG]

Support for encryption in the Direct Mode was added in ODAC 10.0.1 (05-Apr-17) :

- Oracle Encryption in the Direct mode is supported
- Oracle Data Integrity in the Direct mode is supported

The full list of changes is available by the link : https://www.devart.com/odac/revision_history.html

[wchris]

- Oracle Encryption in the Direct mode is supported
- Oracle Data Integrity in the Direct mode is supported

I have seen this, but in the documentation you speak only of TCRencriptor componant who encrypts data in tables.

We don't wan't to encrypt the data, only the network communication between client and server by using oracle tcps or similar.

I really like ODAC, but this will be a requirement for us

[MaximG]

The description of the mentioned in the previous post technologies is available at Oracle Help Center :

https://docs.oracle.com/cd/B19306_01/ne ... m#ASOAG600
and
https://docs.oracle.com/cloud/latest/db ... ASOAG10117

ODAC does not implement, but supports these technologies in both operation modes : OCI and Direct Mode. The mentioned TCREncriptor is our implementation, therefore it is present in our documentation. Please specify the questions about Oracle Encryption and Oracle Data Integrity that should be covered in ODAC documentation.

[wchris]

The description of the mentioned in the previous post technologies is available at Oracle Help Center : Please specify the questions about Oracle Encryption and Oracle Data Integrity that should be covered in ODAC documentation.

What you have implemented is "Transparent Data Encryption". it is well explained in the links you provide and allows to encrypt fields into tables. Your documentation explains it well and it is certainly a great feature, but not what we want.

Our feature request is to leave the data unchanged and just encrypt the tcp communication between ODAC direct mode and the Oracle Server using SSL or TLS. like explained in the same oracle documentation you provided, here https://docs.oracle.com/cd/B19306_01/ne ... m#CIHCBIEG

This is something Oracle can do for years with SQLnet (as requested by the first user of this thread in 2009) but ODAC could not do.

This should be a feature of the TOraSession to handle encrypted data for everything sent and recieved between the client and server. (Not a TdataSet property for just some fields.)
Also we have hundred of customers with individual databases and cannot start encrypting their whole databases. That's why we only want to secure de transmssion not the data.

Is there a way to officially make a feature request for this ? looks like your ingeneers just looked into encryption with this version 10.1 so maybe it's the right moment to ask again while they are still hot ?

Feature request : Can we have SSL or TLS encryption of the client-server communication at TOrasession level ? Please ?

[MaximG]

You can use encryption between the client and the server using TOraSession in the Direct Mode. As we have already mentioned above, starting from the version 10.0.1 (05-Apr-17) ODAC supports Oracle Encryption ( https://docs.oracle.com/cd/E11882_01/ne ... m#ASOAG010 , section 1.2.1) and
Oracle Data Integrity ( https://docs.oracle.com/cd/E11882_01/ne ... m#ASOAG010, section 1.2.1.2 ). You can test these modes operability by investigating the connection between the client and the server using any convenient sniffer

[wchris]

Thank you Maxim,

We will configure an oracle database for encryption and do some tests asap.

[MaximG]

We will be waiting for your testing results.