Encrypted JDBC connections - I'm confused
Gaff, Oct 3 2011 — edited Oct 4 2011
Hi:
I'm trying to get my traffic between client and DB server encrypted using the internal Oracle encryption (vs SSL). I've set up the sqlnet.ora to REQUIRE that the client encrypt traffic with AES256 encryption. I'm testing things out with a WLS application (BI Publisher) as a client and with Toad as a client, both from machines that are not the DB server. I don't have a wallet, cert, or other stuff I would be implementing if going the SSL route.
From looking at the trace files, things look encrypted. When the sqlnet.ora file is not set up to require AES256 I can see the queries in clear text in the packet dump section of my trace files (although they have '.' for spaces and other minor changes). When the sqlnet.ora file is set up to require encryption, I see only gibberish in the packet dump sections. They are printable characters, but I can't make any queries out. So I'm thinking "Cool! That was easy!"
Not so fast! I then ran tcpdump on the ports (2484 in particular) and that will always show the cleartext of the query when the client is Toad. It will never show the query when the client is WLS. I don't know if WLS is doing things correctly and Toad is not, or it's just a quirk of WLS that the query is never legible. So doesn't this mean that the traffic from client (Toad anyway) into the server is NOT being encrypted? How is this possible if the DB is only taking encrypted connections?
Thanks
Edited by: Gaff on Oct 3, 2011 3:35 PM
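
One server-side check for the question above, added here as an example and not part of the original post: Oracle records the network service banners negotiated for each session in V$SESSION_CONNECT_INFO, so the query below shows, per client program, whether a native encryption adapter is actually in use. It assumes an account with SELECT privilege on V$SESSION and V$SESSION_CONNECT_INFO; the column aliases are illustrative.

```sql
-- Added example: per-session view of what Oracle Net actually negotiated.
-- Run while both clients (e.g. Toad and the WLS application) are connected.
-- Each session has several banner rows; rows naming an algorithm, such as
-- "AES256 Encryption service adapter ...", appear only when that service
-- is active for the session.
SELECT s.sid,
       s.username,
       s.program,
       s.machine,
       -- Non-NULL only if an encryption algorithm was negotiated
       MAX(CASE
             WHEN UPPER(i.network_service_banner)
                  LIKE '%ENCRYPTION SERVICE ADAPTER%'
             THEN i.network_service_banner
           END) AS encryption_adapter,
       -- Non-NULL only if an integrity (checksum) algorithm was negotiated
       MAX(CASE
             WHEN UPPER(i.network_service_banner)
                  LIKE '%CRYPTO-CHECKSUMMING SERVICE ADAPTER%'
             THEN i.network_service_banner
           END) AS checksum_adapter
FROM   v$session s
JOIN   v$session_connect_info i
       ON i.sid = s.sid
WHERE  s.type = 'USER'          -- skip background processes
GROUP  BY s.sid, s.username, s.program, s.machine
ORDER  BY s.program, s.sid;
```

A session whose encryption_adapter column is NULL negotiated no native encryption algorithm, whatever sqlnet.ora was meant to enforce; comparing the rows for the two client programs shows which of them is really encrypting.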