I checked some Oracle 19 databases (Standard Edition, running on Windows Servern, patchlevel between 19.19 and 19.21) with the new version 3.0 of DBSAT, that was released in November 2023. On all databases I receive a “High Risk” finding, titled “Found unencrypted connections.” with Detail: “Found 1 connection established over unencrypted channel.”
When I check this finding with the following query:
SELECT
sid,
username,
schemaname,
osuser,
terminal,
program
FROM sys.gv_$session s
WHERE (inst_id, sid) not in
(SELECT inst_id, sid
FROM sys.gv_$session_connect_info
WHERE network_service_banner like '%Encryption service adapter%'
or network_service_banner like '%Crypto-checksumming service adapter%')
and TYPE <> 'BACKGROUND';
I see
SID USERNAME SCHEMANAME OSUSER TERMINAL PROGRAM
--- --------- ------------ ----------------------------- ---------- -----------------
135 SYS APEX_230200 OracleService<CDBServiceName> <HOSTNAME> ORACLE.EXE (J000)
So this is a database job and sometimes I see more than one job here. Does a job really use a network connection to communicate with the database, where it is running? And how can I encrypt this connection?
In the SQLNET.ORA all the encryption parameters are set to REQUESTED. In my opinion this should be sufficient to get an encrypted connection and all client connections to the databases are encrypted.
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED