Configure Clarity PPM with Oracle Database Encryption (On-Premise Only)

As a database administrator, you can configure Clarity PPM custom JDBC URL settings when you set up Oracle to accept only encrypted connections.
 
 
 
 
Configure Oracle Net Encryption:
Since June 2013, Net Encryption has been licensed with Oracle Enterprise Edition and does not require Oracle Advanced Security.
For details, see the Oracle documentation for Configuring Data Encryption and Integrity.
Add several lines to the sqlnet.ora file on both the client and server:
  1. Client: Add a line for SQLNET.ENCRYPTION_CLIENT= and choose one of the following values (for example, SQLNET.ENCRYPTION_CLIENT=accepted):
    • accepted: This is the default value. Accepted tells the server that the client accepts secure net traffic if requested.
    • rejected: The client rejects any connection requiring secure net traffic.
    • requested: The security service is activated if the server requests or requires it.
    • required: The client accepts the connection only if the server accepts secure traffic.
  2. Server: Add one or more server lines (different combinations of lines and values are acceptable). For example, you might add:
    SQLNET.ENCRYPTION_SERVER=required
    SQLNET.ENCRYPTION_TYPES_SERVER=<encryption algorithm>
    The following tested encryption algorithms are supported by Oracle:
    • AES256: AES with a 256-bit key size
    • RC4_256: RSA RC4 with a 256-bit key size
    • AES192: AES with a 192-bit key size
    • 3DES168: Three-key 3DES (with an effective key size of 168 bits)
    • AES128: AES with a 128-bit key size
    • RC4_128: RSA RC4 with a 128-bit key size
    • 3DES112: Two-key 3DES (with an effective key size of 112 bits)
    • RC4_56: RSA RC4 with a 56-bit key size
    • DES: DES (with an effective key size of 56 bits)
    • RC4_40: RSA RC4 with a 40-bit key size
  3. Verify the encryption status meets your requirements. The encryption status derived from your client and server parameter values is summarized in the following table:
    [Image: table of encryption status by client and server parameter values]

Note: ORA-12660 is the error returned by Oracle for the given scenario.
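
The following sketch is an added example, not part of the original page or of any CA or Oracle tooling. It reads the level from a client and a server sqlnet.ora and derives the outcome from Oracle's documented negotiation rules, including the ORA-12660 case. The sample file contents are constructed, and treating an unset server level as accepted (like the client default) is an assumption.

```python
# Added example: how SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_SERVER combine.
LEVELS = ("rejected", "accepted", "requested", "required")

# Constructed sample sqlnet.ora contents (not taken from a real system).
CLIENT_ORA = """
# client side
SQLNET.ENCRYPTION_CLIENT = rejected
"""
SERVER_ORA = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""

def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params

def negotiate(client, server):
    """Return 'on', 'off' or 'ORA-12660' for one client/server level pair."""
    pair = {client.lower(), server.lower()}
    if not pair <= set(LEVELS):
        raise ValueError(f"unknown level in {client!r}/{server!r}")
    if "rejected" in pair:
        # One side refuses encryption: fatal only if the other insists on it.
        return "ORA-12660" if "required" in pair else "off"
    if pair == {"accepted"}:
        return "off"  # neither side asks for encryption
    return "on"       # assumes the two sides share at least one algorithm

def outcome(client_ora, server_ora):
    """Negotiate from two sqlnet.ora texts; an unset level is treated as accepted."""
    client = parse_sqlnet(client_ora).get("SQLNET.ENCRYPTION_CLIENT", "accepted")
    server = parse_sqlnet(server_ora).get("SQLNET.ENCRYPTION_SERVER", "accepted")
    return negotiate(client, server)

def matrix():
    """Full 4x4 table keyed by (client, server)."""
    return {(c, s): negotiate(c, s) for c in LEVELS for s in LEVELS}

if __name__ == "__main__":
    print(outcome(CLIENT_ORA, SERVER_ORA))
    for (c, s), result in matrix().items():
        print(f"client={c:<9} server={s:<9} -> {result}")
```

Only a pair in which at least one side is set to required can never yield an unencrypted session: it either encrypts or fails.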
Implement Oracle Advanced Security Encryption
Oracle Advanced Security provides the following features:
  • Transparent Data Encryption (TDE) protects information in the database from media theft by encrypting sensitive data on disk.
  • Data encryption and integrity to ensure the privacy of communications over any protocol into the Oracle database.
  • Strong authentication services such as Kerberos, PKI, Biometrics, and RADIUS-compliant smart cards.
 
Follow these steps:
  1. Set the EncryptionLevel property in the JDBC URL to accepted, requested, or required.
  2. Set the EncryptionTypes property in the JDBC URL to one or multiple algorithms. Oracle Advanced Security provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of network traffic.
    For example, your JDBC URL string in properties.xml as seen through CSA might look like this (we broke the long string onto multiple lines to avoid scrolling):
url="jdbc:clarity:oracle://databaseserver1.ca.com:1521;ServiceName=clrtydev;
BatchPerformanceWorkaround=true;InsensitiveResultSetBufferSize=0;ServerType=dedicated;
supportLinks=true;EncryptionLevel=requested;EncryptionTypes=AES"
Configure the JDBC URL in CSA
Database encryption is completely transparent to Clarity PPM; however, you need to modify the JDBC URL to ensure Clarity PPM can connect to the database.
Example 1:
jdbc:clarity:oracle://server:1521;ServiceName=serviceTNS;BatchPerformanceWorkaround=true;InsensitiveResultSetBufferSize=0;ServerType=dedicated;supportLinks=true;DataIntegrityLevel=required

Clarity PPM uses Progress DataDirect drivers to connect to Oracle databases with the DataIntegrityLevel=required parameter; however, you can use other parameters based on your security policy.
Example 2:
jdbc:clarity:oracle://server:1521;ServiceName=serviceTNS;BatchPerformanceWorkaround=true;InsensitiveResultSetBufferSize=0;ServerType=dedicated;supportLinks=true;DataIntegrityLevel=required;EncryptionLevel=required;EncryptionTypes=(RC4_256,AES192,3DES112);
The value of the EncryptionTypes property is ignored if the EncryptionLevel property is set to rejected.
More Configuration Tips:
  • Separate multiple values with commas and enclose the entire set of values in parentheses.
  • If multiple values are specified and Oracle Advanced Security encryption is enabled using the EncryptionLevel property, the database server determines which algorithm is used based on how it is configured.
  • If unspecified, a list of all possible values is sent to the database server. The database server determines which algorithm is used based on how it is configured.
  • Consult your Oracle administrator to verify the data encryption settings of your Oracle server.
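
The check below is an added example, not code from Clarity PPM or the driver vendor. It parses the encryption properties out of a JDBC URL such as Example 2 and reports settings that fall outside a site policy. The policy itself (EncryptionLevel must be required, AES only, at least 128-bit keys) and the function names are assumptions; the key sizes come from the algorithm list earlier on this page.

```python
# Added example: audit EncryptionLevel / EncryptionTypes in a Clarity JDBC URL.
# Key sizes in bits, as given in the algorithm list on this page.
KEY_BITS = {"AES256": 256, "RC4_256": 256, "AES192": 192, "3DES168": 168,
            "AES128": 128, "RC4_128": 128, "3DES112": 112, "RC4_56": 56,
            "DES": 56, "RC4_40": 40}

# Example 2 from this page.
EXAMPLE_2 = ("jdbc:clarity:oracle://server:1521;ServiceName=serviceTNS;"
             "BatchPerformanceWorkaround=true;InsensitiveResultSetBufferSize=0;"
             "ServerType=dedicated;supportLinks=true;DataIntegrityLevel=required;"
             "EncryptionLevel=required;EncryptionTypes=(RC4_256,AES192,3DES112);")
# Constructed URL: encryption only requested, no algorithm list.
LOOSE_URL = "jdbc:clarity:oracle://db.example.test:1521;EncryptionLevel=requested"

def parse_jdbc_props(url):
    """Return {property: value} for the ';'-separated part after host:port."""
    props = {}
    for part in url.split(";")[1:]:
        if "=" in part:  # skips the empty piece left by a trailing ';'
            key, value = part.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_types(value):
    """'(A,B,C)' or 'A' -> ['A', 'B', 'C'], upper-cased."""
    return [t.strip().upper() for t in value.strip("() ").split(",") if t.strip()]

def audit(url, min_bits=128, families=("AES",)):
    """Return a list of findings; an empty list means the URL meets the policy."""
    props = parse_jdbc_props(url)
    findings = []
    level = props.get("EncryptionLevel", "").lower()
    if level != "required":
        findings.append(f"EncryptionLevel={level or 'unset'}: unencrypted sessions are possible")
    if level == "rejected":
        return findings  # EncryptionTypes is ignored at this level
    if "EncryptionTypes" not in props:
        findings.append("EncryptionTypes unset: every algorithm is offered to the server")
        return findings
    for name in parse_types(props["EncryptionTypes"]):
        bits = KEY_BITS.get(name)
        if bits is None:
            findings.append(f"{name}: not in the documented algorithm list")
        elif bits < min_bits or not name.startswith(tuple(families)):
            findings.append(f"{name}: outside policy ({bits}-bit)")
    return findings

if __name__ == "__main__":
    for url in (EXAMPLE_2, LOOSE_URL):
        print(audit(url))
```

Because the server picks the algorithm from the list the client sends, every entry in EncryptionTypes has to satisfy the policy, not just the first one.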