I had a little surprise the other day. I was asked to set up a SSL/TLS connection to a database and I refused, saying it would break our license agreement as we don’t have the Advanced Security Option. I opened the 11gR2 licensing manual to include a link in my email response and found this.
“Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.”
I checked the 11gR1, and 10gR2 docs also. Sure enough, it was removed from the Advanced Security Option from 10gR2 onward (check out update below). Check out the 10g licensing doc here, specifically the last paragraph in that linked section.
The documentation on this configuration is split among a number of manuals, most of which still say it is part of the Advanced Security Option. That made me a little nervous, so I raised an SR with Oracle to confirm the licensing situation and file bug reports against the docs to correct the inconsistency. Their response was it is definitely free and the docs are being amended to bring them in line with the licensing manual. Happy days!
Lessons learned here are:
- Skim through the licensing manual for every new release to see what bits are now free.
- Don’t trust the technical docs for licensing information. Always cross check with the licensing manual and assume that’s got the correct information. If in doubt, raise an SR to check.
As far as the configuration is concerned, I had never written about this functionality before, so I thought I should do backfill articles on it.
- Native Network Encryption for Database Connections
- Configuration of TCP/IP with SSL and TLS for Database Connections
The documentation for TCP/IP with SSL/TCP is rather convoluted, so you could be forgiven for thinking it was rocket science. Actually, it’s pretty simple to set up. It was only after I finished doing it I found a reference to the following MOS note.
It would have saved me a lot of bloody time if the documentation included this. I would never have bothered to write the article in the first place!
For a lot of people, encrypting database connections is probably not that big a deal. If your databases and application servers are sitting behind a firewall in a “safe” part of your network, then why bother?
If there are direct database connections crossing network zones, that’s a different matter! Did anyone mention “cloud”? If you need to connect to your cloud databases from application servers or client tool sitting on-premise, I guess encrypted database connections are pretty high up your list of requirements, or at least they should be. Good job it is free now.
It seems I’m not the only person behind the times on this licensing change. The Amazon AWS RDS for Oracle documentation has made the same mistake. I’ve written to them to ask them to correct this page also.
Update: Simon, Jacco, Franck and Patrick all pointed out this licensing change was due to this security exploit. It was made public during 11.2, but the license change was made retrospectively back to 10.2. I don’t feel so bad about it now.
Update2: I’ve added a link to the Native Network Encryption stuff, based on the comment by Markus.