Configure Clarity PPM with Oracle Database Encryption (On-Premise Only)
As a database administrator, you can configure Clarity PPM custom JDBC URL settings when you set up Oracle to accept only encrypted connections.
Configure Oracle Net Encryption:
Since June 2013, Net Encryption has been licensed with Oracle Enterprise Edition and does not require Oracle Advanced Security.
Add several lines to the sqlnet.ora file on both the client and server:
- Client: Add a line for SQLNET.ENCRYPTION_CLIENT= and choose one of the following values (for example, SQLNET.ENCRYPTION_CLIENT=accepted):
  - accepted: This is the default value. Accepted tells the server that the client accepts secure net traffic if requested.
  - rejected: The client rejects any connection requiring secure net traffic.
  - requested: The security service is activated if the server requests or requires it.
  - required: The client accepts the connection only if the server accepts secure traffic.
- Server: Add one or more server lines (different combinations of lines and values are acceptable). For example, you might add:
  SQLNET.ENCRYPTION_SERVER=required
  SQLNET.ENCRYPTION_TYPES_SERVER=<encryption algorithm>
  The following tested encryption algorithms are supported by Oracle:
- AES256: AES with a 256-bit key size
- RC4_256: RSA RC4 with a 256-bit key size
- AES192: AES with a 192-bit key size
- 3DES168: Three-key 3DES (with an effective key size of 168 bits)
- AES128: AES with a 128-bit key size
- RC4_128: RSA RC4 with a 128-bit key size
- 3DES112: Two-key 3DES (with an effective key size of 112 bits)
- RC4_56: RSA RC4 with a 56-bit key size
- DES: DES (with an effective key size of 56 bits)
- RC4_40: RSA RC4 with a 40-bit key size
- Verify the encryption status meets your requirements. The encryption status derived from your client and server parameter values is summarized in the following table:
Note: ORA-12660 is the error returned by Oracle for the given scenario
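As an added example (not code from Clarity PPM or Oracle), the following Python script works out the encryption status for a client and a server sqlnet.ora file, following Oracle's documented negotiation between the four values. It assumes one parameter per line and that an unset parameter behaves as accepted on either side; the function names and sample files are constructed for illustration.

```python
import re

LEVELS = ("rejected", "accepted", "requested", "required")

# Constructed sample files (not taken from a real system).
CLIENT_ORA = "SQLNET.ENCRYPTION_CLIENT = accepted\n"
SERVER_ORA = """# server side
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192)
"""

def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text ('#' starts a comment)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.+)$", line.split("#", 1)[0].strip())
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def level(params, key):
    # Assumption: an unset parameter behaves as "accepted" on either side.
    value = params.get(key, "accepted").lower()
    if value not in LEVELS:
        raise ValueError(f"{key}: unexpected value {value!r}")
    return value

def negotiate(client_text, server_text):
    """Return 'encrypted', 'unencrypted' or 'ORA-12660' for one connection."""
    c = level(parse_sqlnet(client_text), "SQLNET.ENCRYPTION_CLIENT")
    s = level(parse_sqlnet(server_text), "SQLNET.ENCRYPTION_SERVER")
    if {c, s} == {"rejected", "required"}:
        return "ORA-12660"      # one side refuses what the other demands
    if "rejected" in (c, s) or c == s == "accepted":
        return "unencrypted"    # nobody asked, or one side refused
    return "encrypted"          # at least one side requested or required

if __name__ == "__main__":
    print("sample files:", negotiate(CLIENT_ORA, SERVER_ORA))
    for c in LEVELS:            # full client x server matrix
        row = [negotiate(f"SQLNET.ENCRYPTION_CLIENT={c}",
                         f"SQLNET.ENCRYPTION_SERVER={s}") for s in LEVELS]
        print(f"client={c:<10}", dict(zip(LEVELS, row)))
```

With the server at accepted or requested, a client set to rejected still connects in clear text; only required on the server turns that case into ORA-12660.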
Implement Oracle Advanced Security Encryption
Oracle Advanced Security provides the following features:
- Transparent Data Encryption (TDE) protects information in the database from media theft by encrypting sensitive data on disk.
- Data encryption and integrity to ensure the privacy of communications over any protocol into the Oracle database.
- Strong authentication services such as Kerberos, PKI, Biometrics, and RADIUS-compliant smart cards.
Follow these steps:
- Set the EncryptionLevel property in the JDBC URL to accepted, requested, or required.
- Set the EncryptionTypes property in the JDBC URL to one or multiple algorithms. Oracle Advanced Security provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of network traffic. For example, your JDBC URL string in properties.xml as seen through CSA might look like this (we broke the long string onto multiple lines to avoid scrolling):
url="jdbc:clarity:oracle://databaseserver1.ca.com:1521;ServiceName=clrtydev;
BatchPerformanceWorkaround=true;InsensitiveResultSetBufferSize=0;ServerType=dedicated;
supportLinks=true;EncryptionLevel=requested;EncryptionTypes=AES"
Configure the JDBC URL in CSA
Database encryption is completely transparent to Clarity PPM; however, you need to modify the JDBC URL to ensure Clarity PPM can connect to the database.
Clarity PPM uses Progress Data Direct drivers to connect to Oracle databases with the DataIntegrityLevel=required parameter; however, you can use other parameters based on your security policy.
jdbc:clarity:oracle://server:1521;ServiceName=serviceTNS;BatchPerformanceWorkaround=true;
InsensitiveResultSetBufferSize=0;ServerType=dedicated;supportLinks=true;DataIntegrityLevel=required;
EncryptionLevel=required;EncryptionTypes=(RC4_256,AES192,3DES112);
The value of this property is ignored if the EncryptionLevel property is set to
More Configuration Tips:
- Separate multiple values with commas and enclose the entire set of values in parentheses.
- If multiple values are specified and Oracle Advanced Security encryption is enabled using the EncryptionLevel property, the database server determines which algorithm is used based on how it is configured.
- If unspecified, a list of all possible values is sent to the database server. The database server determines which algorithm is used based on how it is configured.
- Consult your Oracle administrator to verify the data encryption settings of your Oracle server.