How to disable EZConnect connections?
407366 Oct 15 2008 — edited Mar 9 2009
Anyone run into this problem yet - EZConnect apparently bypassing SSL-tunneling software?
My situation:
I have been using Oracle nearly ten years. I've been on 10gR2 since 2005.
My sqlnet.ora file (on server and all clients) has the following entry: NAMES.DIRECTORY_PATH=(TNSNAMES).
This leads me to assume that ONLY connections made using that method are permitted to connect.
I connect from my clients (PCs and Linux web servers) to the Oracle server through an SSL-tunnel created by STunnel, an open-source encryption package. The clients all have Oracle Instant Client installed.
The TNS_ADMIN environment variable is set on all clients to point to the directory where I placed the sqlnet.ora and tnsnames.ora files.
Everything has worked fine, and the SQL*Net transmissions are encrypted by STunnel in transit to and from the Oracle server. This I verified by using tcpdump.
When I turn off STunnel on either end, I get TNS error messages, which is expected and good.
The goal is to encrypt the SQL*Net transmissions.
I recently installed the early adopter SQL Developer Data Modeling tool on my PC. This is a standalone application. The connection options do not include TNS (unlike the base SQL Developer tool).
I was able to connect my normal way, through my STunnel configuration.
However, I decided to try the EZConnect syntax and to my horror, got right through to the Oracle server, bypassing STunnel, and apparently ignoring my server-side sqlnet.ora file.
I then tried the EZConnect syntax to try connecting from SQL*Plus on a client to the server. This failed, which is expected and good.
I then tried the EZConnect syntax on plain old SQL Developer, and once again got right through to the Oracle server, bypassing STunnel, and apparently ignoring my server-side sqlnet.ora file.
How and why is my server-side NAMES.DIRECTORY_PATH configuration being ignored?
I opened a TAR the other day, SR 7137162.993. Any Oracle employees with access, please check it out.
So, to sum up:
1) EZConnect works from the Java client applications, even though it is not specified in the server-side sqlnet.ora file.
2) EZConnect does NOT work using SQL*Plus from any client (Good!)
3) The Java client apps probably connect using JDBC? I searched their installation directories looking for config files in which connection string parameters were set, but found none.
4) EZConnect is a very insecure connection method as it appears to bypass third-party encryption tools.
It may be that I am missing some configuration item somewhere.
No, my organization is not going to license the Advanced Security option just to get Oracle-configured SSL capability.
Thanks for any insight anyone can provide.
Ken Banyas
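
An added example, not part of the original post: a Python check over a server's listener.ora and sqlnet.ora that lists listener addresses a client could reach without going through the tunnel. The file contents, host names and the tunnel_sources parameter are constructed assumptions; TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES are standard sqlnet.ora parameters.

```python
import re

# Constructed sample files, not taken from the original post.
SQLNET_ORA = "# server-side sqlnet.ora\nNAMES.DIRECTORY_PATH=(TNSNAMES)\n"
LISTENER_OPEN = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521)))
"""
LISTENER_LOOPBACK = LISTENER_OPEN.replace("dbhost.example.com", "127.0.0.1")
SQLNET_VALIDNODE = (SQLNET_ORA + "TCP.VALIDNODE_CHECKING = YES\n"
                    "TCP.INVITED_NODES = (dbhost.example.com)\n")

LOOPBACK = frozenset({"127.0.0.1", "LOCALHOST", "::1"})

def _no_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def param_values(sqlnet_ora, name):
    """Values of a parameter written NAME=(A,B) or NAME=A, upper-cased."""
    pattern = rf"^\s*{re.escape(name)}\s*=\s*\(?([^)\n]*)"
    m = re.search(pattern, _no_comments(sqlnet_ora), re.I | re.M)
    return [v.strip().upper() for v in m.group(1).split(",") if v.strip()] if m else []

def listener_hosts(listener_ora):
    """HOST value of every address in listener.ora, upper-cased."""
    found = re.findall(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", _no_comments(listener_ora), re.I)
    return [h.upper() for h in found]

def directly_reachable(listener_ora, sqlnet_ora, tunnel_sources=LOOPBACK):
    """Listener hosts a client could reach without the tunnel.

    tunnel_sources (assumption): addresses the stunnel server connects from.
    A host is exposed when it is not loopback and valid-node checking does
    not limit callers to those tunnel source addresses.
    """
    checking = param_values(sqlnet_ora, "TCP.VALIDNODE_CHECKING") == ["YES"]
    invited = set(param_values(sqlnet_ora, "TCP.INVITED_NODES"))
    restricted = checking and bool(invited) and invited <= set(tunnel_sources)
    return [h for h in listener_hosts(listener_ora)
            if h not in LOOPBACK and not restricted]

if __name__ == "__main__":
    # NAMES.DIRECTORY_PATH lists the naming methods this node's own Oracle Net
    # client uses to resolve connect identifiers; it is reported for reference.
    print("naming methods:", param_values(SQLNET_ORA, "NAMES.DIRECTORY_PATH"))
    print("open listener:", directly_reachable(LISTENER_OPEN, SQLNET_ORA))
    print("loopback listener:", directly_reachable(LISTENER_LOOPBACK, SQLNET_ORA))
    print("valid-node checking:", directly_reachable(
        LISTENER_OPEN, SQLNET_VALIDNODE, {"DBHOST.EXAMPLE.COM"}))
```

An empty result means every listener address is either bound to loopback or limited by valid-node checking to the addresses the tunnel connects from.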