Skip to Main Content

Database Software

Announcement

For appeals, questions and feedback, please email oracle-forums_moderators_us@oracle.com

DBSAT tool complains about unencrypted conections of database jobs

UW (Germany)Nov 29 2023

I checked some Oracle 19 databases (Standard Edition, running on Windows Servern, patchlevel between 19.19 and 19.21) with the new version 3.0 of DBSAT, that was released in November 2023. On all databases I receive a “High Risk” finding, titled “Found unencrypted connections.” with Detail: “Found 1 connection established over unencrypted channel.”
When I check this finding with the following query:

SELECT 
 sid,
 username,
 schemaname,
 osuser,
 terminal,
 program
FROM sys.gv_$session s
WHERE (inst_id, sid) not in 
  (SELECT inst_id, sid 
     FROM sys.gv_$session_connect_info
    WHERE network_service_banner like '%Encryption service adapter%'
       or network_service_banner like '%Crypto-checksumming service adapter%')
and TYPE <> 'BACKGROUND';

I see

SID USERNAME  SCHEMANAME   OSUSER                        TERMINAL   PROGRAM          
--- --------- ------------ ----------------------------- ---------- -----------------
135 SYS       APEX_230200  OracleService<CDBServiceName> <HOSTNAME> ORACLE.EXE (J000)

So this is a database job and sometimes I see more than one job here. Does a job really use a network connection to communicate with the database, where it is running? And how can I encrypt this connection?
In the SQLNET.ORA all the encryption parameters are set to REQUESTED. In my opinion this should be sufficient to get an encrypted connection and all client connections to the databases are encrypted.

SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUESTED
Comments
Post Details
Added on Nov 29 2023
0 comments
98 views