How to enable encryption for ODBC connections to Oracle databases


Article ID: 95420


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

As a cyber-security requirement, all communication to the database must be encrypted.
These are the settings on the Oracle DB server:
Oracle Database Settings:
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)

The ODBC connection is configured based on KB Document ID: KB000016934
"How to enable encryption for ODBC connections to Oracle databases?"
EncryptionLevel=3 
EncryptionTypes=AES256 
DataIntegrityLevel=3 
DataIntegrityTypes=SHA1 

However, the following error is received when the connection is attempted:
SQLCHAR * 0xd9f08120 [104] "[DataDirect][ODBC Oracle Wire Protocol driver][Oracle]ORA-01017: invalid username/password; logon denied"
Rolling back the changes allowed the connection to function as expected.

Environment

Policy Server: Version 12.52.01.00 (12.52 SP1 Base) 
OS: RedHat Linux 5
Oracle database: 11.2.0.3.0 
DataDirect Oracle driver version: 7.10
NOTE: We used the following to confirm the full version of the DataDirect driver.
From CA/siteminder/odbc/lib, run:
$ strings NSora28.so | grep "7\."




 

Cause

While the version of the DataDirect Wire Protocol driver may support Oracle Advanced Security, there was a related defect in an early release of the 7.1 driver. It was fixed in hot fix 7.12.0085.
Prior to the fix, the ORA-01017 error is received if Encryption Level = 2 (Requested) or Encryption Level = 3 (Required).
However, the problem does not occur when the driver has Encryption Level set to 0 or 1.
 

Resolution

Option 1: Use "EncryptionLevel=1" instead of "EncryptionLevel=3" in the ODBC.ini.

Option 2: Upgrade to 12.52 SP1 CR2 or later.
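
Whether the Option 1 workaround still yields an encrypted session can be checked against Oracle's documented client/server negotiation rules. The following is an added example, not CA or DataDirect code: a Python model of that negotiation applied to the settings shown in this article. It assumes driver levels 0 and 1 mean Rejected and Accepted (the article names only 2 and 3); the function names and the weak-algorithm set are illustrative.

```python
# Added example: Oracle native network encryption negotiation, following
# Oracle's documented client/server matrix. Level numbers 0 and 1 are an
# assumption (Rejected/Accepted); the article names only 2 and 3.
LEVELS = {0: "REJECTED", 1: "ACCEPTED", 2: "REQUESTED", 3: "REQUIRED"}
# Algorithms treated as weak in this example (DES and RC4 families).
WEAK = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}

def parse_kv(text):
    """Parse KEY=VALUE lines (odbc.ini or sqlnet.ora style) into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            key, val = line.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out

def algo_list(value):
    """Turn '(AES256,AES192)' or 'AES256' into an ordered list."""
    return [a.strip().upper() for a in value.strip("() ").split(",") if a.strip()]

def negotiate(client_level, client_algos, server_level, server_algos):
    """Return (state, algorithm); state is 'ON', 'OFF' or 'FAIL'.
    Empty lists (Oracle's "all installed algorithms" default) are not modelled."""
    pair = {client_level, server_level}
    if "REJECTED" in pair:
        return ("FAIL" if "REQUIRED" in pair else "OFF", None)
    if pair == {"ACCEPTED"}:
        return ("OFF", None)
    # The server picks the first entry of its own list that the client offers.
    for algo in server_algos:
        if algo in client_algos:
            return ("ON", algo)
    return ("FAIL" if "REQUIRED" in pair else "OFF", None)

def audit(odbc_ini, sqlnet_ora):
    """Predict the session state for one ODBC data source and one server."""
    odbc, srv = parse_kv(odbc_ini), parse_kv(sqlnet_ora)
    server_algos = algo_list(srv["SQLNET.ENCRYPTION_TYPES_SERVER"])
    state, algo = negotiate(
        LEVELS[int(odbc["ENCRYPTIONLEVEL"])], algo_list(odbc["ENCRYPTIONTYPES"]),
        srv["SQLNET.ENCRYPTION_SERVER"].upper(), server_algos)
    weak = [a for a in server_algos if a in WEAK]
    return {"state": state, "algorithm": algo, "weak_server_algos": weak}

# Server settings and workaround values copied from this article.
SQLNET = """SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)"""
WORKAROUND = "EncryptionLevel=1\nEncryptionTypes=AES256"

if __name__ == "__main__":
    print(audit(WORKAROUND, SQLNET))
```

A non-empty weak_server_algos means the server would still agree to DES or RC4 with a client that offers only those; restricting SQLNET.ENCRYPTION_TYPES_SERVER to the AES entries closes that.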

Additional Information

DATADIRECT KB ARTICLES
CANNOT CONNECT TO ORACLE WHEN ORACLE ADVANCED SECURITY IS ENABLED
https://knowledgebase.progress.com/articles/Article/000043307
ERROR MESSAGE: ORA-01017: Invalid username/password; login denied
RESOLUTION: Fixed in hot fix 7.12.0085
Refer to "Connect and Connect64 for ODBC hot fix download and install instructions" for instructions on how to download and install the hot fix.

DOES THE CONNECT/CONNECT64 FOR ODBC ORACLE WIRE PROTOCOL SUPPORT ORACLE ADVANCED SECURITY
https://knowledgebase.progress.com/articles/Article/2506
RESOLUTION: Enhancement request PSC00039104 has been implemented. Upgrade to Data Direct Connect for ODBC 7.1 GA or later.