Question

I've read recently that Oracle supports network encryption between Oracle clients and servers. I assume that if servers support this, clients can accomplish connections in the full Oracle client drivers that are used from various Oracle data access provider libraries.

However, my application is using the more independent Managed ODP.NET driver from Oracle, which does not require the full Oracle client install. Does anyone know if this driver supports network encryption?

This page seems to offer advice, but doesn't specifically call out the Managed ODP.NET drivers.

And this unanswered thread seems to indicate that it isn't supported. If that's the case, will the connection fail entirely? Before I go trial and error my way through this issue, I was hoping to find some definite documentation.

Solution 2

cue sad music

Found the answer in the driver's readme document (located at \odp.net\doc\readme.htm in the downloaded archive).

ASO encryption (ODP.NET, Managed Driver) -- There is no support for Oracle Advanced Security Option (ASO) encryption. Setting SQLNET.ENCRYPTION_SERVER to "required" is not supported, resulting in client connection establishment failure. Not setting SQLNET.ENCRYPTION_SERVER or setting it to any other valid value are supported.

OTHER TIPS

Oracle have just (Oct 2015) released ODAC 12c Release 4.

Release announcement

This includes the latest Oracle Managed DataAccess Provider, which now supports Network Data Encryption (NDE).

(The Odp.Net Managed lib has not yet been pushed to the NuGet package repository as of 14 Oct 2015).

The Odp.Net Managed Provider Release 4 Package is now available on the NuGet package repository as of 15 Oct 2015.

Note that as this NDE functionality is part of ASO, you need to have an Oracle Enterprise Licence to use it in production.

Connecting to an Oracle DB using NDE

Configuring NDE

There is a request on Oracle's feedback site (behind a login wall) to add support for encryption to the pure .NET driver:

https://apex.oracle.com/pls/apex/f?p=18357:39:115851408950026

  • Title: Support for Oracle Advanced Security Option (ASO) encryption using the managed driver
  • Description: We (here at the university of Oslo) cannot use the new managed driver because we generally run Oracle on Linux (usually virtual machines) with encrypted communication, which seems to be unsupported by the current fully managed driver. (It works well with the unmanaged driver). In this day and age, encryption tend to be an attractive option, so please add support for this in the new managed driver. :)
  • Comment: Available in ODAC 12c Release 4 or later
  • Status: Feature Available in Production

When the server is configured to require encryption, .NET clients using Oracle's pure managed driver will be unable to connect with an enigmatic:

ORA-12570: Network Session: Unexpected packet read error

Somewhere deep in the guts of the Oracle network driver, there’s a function ReadwithCrypto that fails with an ORA-12537: Network Session: End of file error.

The stack trace:

[NetworkException (0x30f9): ORA-12537: Network Session: End of file]
   OracleInternal.Network.ReaderStream.ReadIt(OraBuf OB, Int32 len) +359
   OracleInternal.Network.ReaderStream.ReadwithCrypto(OraBuf OB) +135

[NetworkException (0x80004005): ORA-12570: Network Session: Unexpected packet read error]
   OracleInternal.Network.ReaderStream.ReadwithCrypto(OraBuf OB) +440
   OracleInternal.Network.ReaderStream.Read(OraBuf OB) +124
   OracleInternal.TTC.OraBufReader.GetDataFromNetwork() +378
   OracleInternal.TTC.OraBufReader.Read(Boolean bIgnoreData) +122
   OracleInternal.TTC.MarshallingEngine.UnmarshalUB1(Boolean bIgnoreData) +43
   OracleInternal.TTC.TTCProtocolNegotiation.ReadResponse() +197

[OracleException (0x80004005): ORA-12570: Network Session: Unexpected packet read error]
   OracleInternal.ConnectionPool.PoolManager`3.Get(ConnectionString csWithDiffOrNewPwd, Boolean bGetForApp, String affinityInstanceName, Boolean bForceMatch) +7442
   OracleInternal.ConnectionPool.OraclePoolManager.Get(ConnectionString csWithNewPassword, Boolean bGetForApp, String affinityInstanceName, Boolean bForceMatch) +1163
   OracleInternal.ConnectionPool.OracleConnectionDispenser`3.Get(ConnectionString cs, PM conPM, ConnectionString pmCS, SecureString securedPassword, SecureString securedProxyPassword) +1453
   Oracle.ManagedDataAccess.Client.OracleConnection.Open() +3662
   Contoso.Fabrikam.Database.GetConnection(Boolean useLiveData) in d:\Develop\Contoso\Fabrikam\App_Code\DatabaseConnectivity.cs:76

Having the server configured to optional encryption is the (horrible, horrible) workaround.
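
The behaviour described in the answers above, as an added example that is not part of the original posts and not Oracle's code: this Python script applies Oracle's documented native network encryption negotiation levels (REJECTED, ACCEPTED, REQUESTED, REQUIRED) to a server-side sqlnet.ora and reports whether a given client ends up encrypted, in plaintext, or unable to connect. It assumes a driver without encryption support behaves like a client set to REJECTED and that both sides share an algorithm; the sqlnet.ora samples and function names are constructed.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # documented default when the parameter is not set
# Assumption: a driver with no encryption support acts like a REJECTED client.
NO_CRYPTO_CLIENT = "REJECTED"

# Constructed sample server-side sqlnet.ora files.
SERVER_REQUIRED = ("SQLNET.ENCRYPTION_SERVER = required\n"
                   "SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n")
SERVER_OPTIONAL = "# workaround from the answer\nSQLNET.ENCRYPTION_SERVER = requested\n"


def read_level(sqlnet_text, param):
    """Return the negotiation level set for `param`, or the default."""
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        m = re.match(r'\s*([\w.]+)\s*=\s*\(?\s*"?(\w+)"?\s*\)?\s*$', line)
        if m and m.group(1).upper() == param.upper():
            level = m.group(2).upper()
            if level not in LEVELS:
                raise ValueError(f"invalid level {level!r} for {param}")
            return level
    return DEFAULT


def negotiate(client, server):
    """Return 'encrypted', 'plaintext' or 'fail' for a client/server pair."""
    pair = {client, server}
    if "REJECTED" in pair:
        # One side refuses encryption: fatal only if the other insists on it.
        return "fail" if "REQUIRED" in pair else "plaintext"
    if pair == {"ACCEPTED"}:
        return "plaintext"  # neither side asks, so nothing is turned on
    return "encrypted"      # assumes at least one algorithm in common


def audit(server_sqlnet, client_level):
    """Return (server level, outcome) for a client talking to this server."""
    server = read_level(server_sqlnet, "SQLNET.ENCRYPTION_SERVER")
    return server, negotiate(client_level, server)


if __name__ == "__main__":
    for name, text in (("required", SERVER_REQUIRED), ("optional", SERVER_OPTIONAL)):
        for client in (NO_CRYPTO_CLIENT, DEFAULT):
            print(name, client, audit(text, client))
```

With the server set to anything other than REQUIRED, a client that cannot encrypt connects in plaintext, so the optional-encryption workaround trades the connection failure for unencrypted traffic from that client.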

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow