Native Network Encryption and SSL/TLS are not part of the Advanced Security Option


I had a little surprise the other day. I was asked to set up an SSL/TLS connection to a database and I refused, saying it would break our license agreement as we don’t have the Advanced Security Option. I opened the 11gR2 licensing manual to include a link in my email response and found this.

“Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.”

I checked the 11gR1 and 10gR2 docs also. Sure enough, it was removed from the Advanced Security Option from 10gR2 onward (check out update below). Check out the 10g licensing doc here, specifically the last paragraph in that linked section.

The documentation on this configuration is split among a number of manuals, most of which still say it is part of the Advanced Security Option. That made me a little nervous, so I raised an SR with Oracle to confirm the licensing situation and file bug reports against the docs to correct the inconsistency. Their response was it is definitely free and the docs are being amended to bring them in line with the licensing manual. Happy days! 🙂

Lessons learned here are:

  • Skim through the licensing manual for every new release to see what bits are now free.
  • Don’t trust the technical docs for licensing information. Always cross check with the licensing manual and assume that’s got the correct information. If in doubt, raise an SR to check.

As far as the configuration is concerned, I had never written about this functionality before, so I thought I should do backfill articles on it.

The documentation for TCP/IP with SSL/TLS is rather convoluted, so you could be forgiven for thinking it was rocket science. Actually, it’s pretty simple to set up. It was only after I finished doing it I found a reference to the following MOS note.

It would have saved me a lot of bloody time if the documentation included this. I would never have bothered to write the article in the first place!

For a lot of people, encrypting database connections is probably not that big a deal. If your databases and application servers are sitting behind a firewall in a “safe” part of your network, then why bother?

If there are direct database connections crossing network zones, that’s a different matter! Did anyone mention “cloud”? If you need to connect to your cloud databases from application servers or client tool sitting on-premise, I guess encrypted database connections are pretty high up your list of requirements, or at least they should be. Good job it is free now. 🙂

It seems I’m not the only person behind the times on this licensing change. The Amazon AWS RDS for Oracle documentation has made the same mistake. I’ve written to them to ask them to correct this page also. 🙂

Cheers

Tim…

Update: Simon, Jacco, Franck and Patrick all pointed out this licensing change was due to this security exploit. It was made public during 11.2, but the license change was made retrospectively back to 10.2. I don’t feel so bad about it now. 🙂

Update2: I’ve added a link to the Native Network Encryption stuff, based on the comment by Markus.

Author: Tim...

DBA, Developer, Author, Trainer.

15 thoughts on “Native Network Encryption and SSL/TLS are not part of the Advanced Security Option”

  1. Hi Tim,
    Why did you use ssl/tls encryption? Native encryption is much easier to configure.
    Cheers, Markus

  2. Markus: Correct me if I’m wrong, but my understanding is:

    1) From the server side, if we want to force a specific client to connect using encryption our only option is to force all clients to use it. If we make it optional (ACCEPTED or REQUESTED), the client can override this using REJECTED.

    2) If we force it from the client side (REQUIRED), someone could alter the setting to REJECTED on the client and force it to stop using encryption.

    So unless we have full control over the client, or can force encryption on all clients from the server, we have no way to guarantee encryption is being used from a specific client…

    That’s how I read it…

    By using TCP/IP and SSL/TLS, we have a fine-grained control over encryption.

    Happy to be proved wrong if you know different…

    I’ve put a link to a backfill article on Native Network Encryption, just for reference. 🙂

    Cheers

    Tim…
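The negotiation Tim describes in his comment, as an added example that is not part of the original post or of Oracle's own code: a Python model of how the server-side and client-side sqlnet.ora settings combine. The outcome table follows the negotiation matrix in Oracle's documentation for the SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT parameters; the sqlnet.ora snippets are constructed, and `downgrade_possible` is a helper name chosen here to answer the question in the comment: which server setting stops a client from quietly turning encryption off?

```python
# Added example (not from the original post): a model of how Oracle's
# sqlnet.ora native encryption negotiation combines the server and client
# levels. Outcomes follow Oracle's documented negotiation matrix for
# SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT; the sqlnet.ora
# snippets used below are constructed for illustration.
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate(server: str, client: str) -> str:
    """Return "ON" (session encrypted), "OFF" (plaintext session) or
    "FAIL" (connection refused) for the given server/client levels."""
    s, c = server.upper(), client.upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown encryption level: {server!r}/{client!r}")
    if "REJECTED" in (s, c):
        # One side refuses encryption: plaintext, unless the other side
        # insists on it, in which case the connection is refused.
        return "FAIL" if "REQUIRED" in (s, c) else "OFF"
    if "REQUIRED" in (s, c) or "REQUESTED" in (s, c):
        return "ON"
    return "OFF"  # ACCEPTED/ACCEPTED, the default on both sides


_PARAM = re.compile(r"^\s*SQLNET\.ENCRYPTION_(SERVER|CLIENT)\s*=\s*(\w+)", re.I)


def parse_sqlnet(text: str) -> dict:
    """Pull the encryption level parameters out of sqlnet.ora-style text.
    A missing parameter defaults to ACCEPTED, as it does in Oracle."""
    levels = {"SERVER": "ACCEPTED", "CLIENT": "ACCEPTED"}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # sqlnet.ora uses '#' for comments
        m = _PARAM.match(line)
        if m:
            levels[m.group(1).upper()] = m.group(2).upper()
    return levels


def downgrade_possible(server_level: str) -> bool:
    """True if some client-side setting yields a plaintext session against
    this server level. Only REQUIRED closes that door: a REJECTED client
    then fails to connect instead of talking in the clear."""
    return any(negotiate(server_level, c) == "OFF" for c in LEVELS)


def matrix() -> dict:
    """The full 4x4 outcome table, keyed by (server, client)."""
    return {(s, c): negotiate(s, c) for s in LEVELS for c in LEVELS}


if __name__ == "__main__":
    # Constructed sqlnet.ora fragments: server asks for encryption, client refuses.
    server_cfg = "SQLNET.ENCRYPTION_SERVER = requested  # constructed server sqlnet.ora"
    client_cfg = "SQLNET.ENCRYPTION_CLIENT = rejected   # constructed client sqlnet.ora"
    s = parse_sqlnet(server_cfg)["SERVER"]
    c = parse_sqlnet(client_cfg)["CLIENT"]
    print(f"server={s} client={c} -> {negotiate(s, c)}")
    for lvl in LEVELS:
        print(f"server {lvl:9} downgrade to plaintext possible: {downgrade_possible(lvl)}")
```

Running it shows the point of the comment: with the server at REQUESTED a client set to REJECTED gets a plaintext session, while with the server at REQUIRED that client is refused rather than downgraded. The model only covers whether encryption is negotiated; algorithm selection (SQLNET.ENCRYPTION_TYPES_SERVER/CLIENT) is a separate step.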

  3. The following text suggests that one still requires an OIM license for using Kerberos (Active Directory based) passwordless authentication.

    http://docs.oracle.com/cd/E11882_01/license.112/e47877/editions.htm#DBLIC119

    Oracle Advanced Security and Enterprise User Security

    If you wish to use Enterprise User Security in Oracle Database Enterprise Edition, you no longer need to license the Oracle Advanced Security Option for Kerberos and PKI based authentication. It does require a corresponding Oracle Identity Management Directory Services Plus to be licensed.

    Any Oracle Advanced Security licenses purchased on or before January 31, 2004, have restricted use of the Oracle Internet Directory (OID) component of Oracle Directory Services Plus to support enterprise user security.
