Channel: Symantec Connect - Products - Articles
Securing Communication Between Windows Enforce and Oracle Database

Purpose

The purpose of this document is to encrypt communication between the Enforce server and the Oracle database. Symantec have documented how to do this in their 15.1 installation guide, but that guide contains a number of errors. This guide works around those issues and is accompanied by screenshots.

The first section covers creating an Oracle wallet, then creating a certificate, displaying the certificate in the wallet and exporting the certificate to a text file. The second part covers changing listener.ora, sqlnet.ora and tnsnames.ora; at the end of the second part we also confirm that the Oracle services are running as they should.

Configuring Oracle wallet, certificate and Exporting

1. Open a command prompt as ‘Administrator’ and change to the Oracle directory with the command cd c:\oracle

2. Run mkdir wallet followed by cd wallet

3. Now that we are in the wallet directory, run: orapki wallet create -wallet .\server_wallet -auto_login -pwd your_chosen_password (use your own password and keep it safe). Once the command completes you should see something similar to the following screenshot

4. With the wallet created, create the certificate by running: orapki wallet add -wallet C:\oracle\Wallet\server_wallet -dn "CN=your oracle_server_hostname_or_IP" -keysize 2048 -self_signed -validity 3650 -pwd your_chosen_password_from_step_3 -sign_alg sha256 Note the exact DN you give here: the export in step 6 and the SSL_SERVER_CERT_DN entry in jdbc.properties later must match it. Once the command has run you should see something similar to the following screenshot

5. To check that the certificate was created, run: orapki wallet display -wallet c:\oracle\wallet\server_wallet You should see something similar to the screenshot below

6. Now export the certificate so that it can be imported on the Enforce server later. Run: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn CN=10.10.100.103 -cert c:\oracle\wallet\server_wallet\cert.txt (the example uses CN=10.10.100.103; substitute the DN you gave in step 4). You should see something similar to the screenshot below

7. Check the directory c:\oracle\wallet\server_wallet to confirm that the cert file exported properly; it should look similar to the image below

We have now created an Oracle wallet and a certificate, exported the certificate and confirmed that it was exported properly. We can move on to the second part.

Configuring .ora files to use encryption

1. Before editing any of these files, make a backup: navigate to C:\oracle\product\12.2.0.1\db_1\network and copy the ‘admin’ folder to your Desktop or another safe location.

2. With the backup made, the first step is to stop the Oracle services shown in the following screenshot

3. We can now alter the listener.ora file. This file, and the other files we will be altering, are stored in C:\oracle\product\12.2.0.1\db_1\network\admin. Open listener.ora and paste the following into the file

# listener.ora Network Configuration File: C:\oracle\product\12.2.0.1\db_1\network\admin\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\oracle\product\12.2.0.1\db_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\oracle\product\12.2.0.1\db_1\bin\oraclr12.dll")
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = PROTECT))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\oracle\Wallet\server_wallet))
  )

SECURE_REGISTER_LISTENER = (IPC)

4. Once you have pasted the above, edit ‘HOST’ to reflect your Oracle server name or IP address, then save and close the file. It should look similar to the following screenshot

5. Next change sqlnet.ora: open it in Notepad and paste the following into the file

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
    (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\oracle\Wallet\server_wallet))
)

6. Once you have pasted that, save and close the file. It should look like the following screenshot

7. The last file to change is tnsnames.ora: open it in Notepad and paste the following into the file

# tnsnames.ora Network Configuration File: C:\oracle\product\12.2.0.1\db_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.

ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

PROTECT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = protect)
    )
  )

LISTENER_PROTECT =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))

8. Once you have pasted that, edit ‘HOST’ in both places, then save and close the file. It should look like the following screenshot

9. Now that the files are changed, start the Oracle services. The services that need to be started are shown in the screenshot below

10. Once the services are started, open a Command Prompt as Administrator and run: lsnrctl status If all is working as it should, you should see the listener's TCPS endpoint listed, similar to the following screenshot

11. If the service doesn’t start, revisit the .ora files and check that the IP/hostname is right and that the formatting is correct, in particular that every opening parenthesis has its matching closing one.

We have now configured Oracle to accept encrypted connections by changing listener.ora, sqlnet.ora and tnsnames.ora, and can move on to the next section.

Configuring Enforce to use encryption to Oracle

1. Before leaving the Oracle box, transfer the cert.txt file exported from the wallet earlier: navigate to c:\oracle\wallet\server_wallet, copy cert.txt, then paste it into \\your_enforce_server_host\c$\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security. This assumes that Symantec DLP is installed in the default location.

2. Once the file is copied, log on to the server that has Symantec DLP Enforce installed and navigate to c:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\config (again assuming the default install location). Copy the original ‘jdbc.properties’ file to a safe location, then open the original in Notepad and replace the following string;

@(description=(address=(host=your_oracle_servername_or_IP_Here)(protocol=tcp)(port=1521))(connect_data=(sid=protect)))

with

@(description=(address=(host=your_oracle_servername_or_IP_Here)(protocol=tcps)(port=2484))(connect_data=(sid=protect))(SSL_SERVER_CERT_DN="CN=your_certificate_name_here"))

Save and close the file.
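The .ora files in the previous section and the jdbc.properties descriptor above share one parenthesised KEY = VALUE grammar, and the advice in step 11 of that section to "check the formatting" is much easier with a parser that says exactly which group is left unclosed or where a stray ')' sits. The Python below is an added example, not Symantec or Oracle code: it parses a simplified form of that grammar (no IFILE or escaping support), then cross-checks that the TCPS host and port the listener opens are the ones the PROTECT alias and the Enforce descriptor dial, and that the descriptor carries SSL_SERVER_CERT_DN. The sample files and the host oradb.example.internal are constructed placeholders.

```python
# Parser and consistency checker for Oracle Net parameter files (listener.ora, tnsnames.ora, sqlnet.ora) and the
# Enforce jdbc.properties connect descriptor, which share one grammar. Added example, not Symantec or Oracle code.
import re

_KEY = re.compile(r"[A-Za-z0-9_.\-]+")
_WS = re.compile(r"\s*")
_SCALAR = {True: re.compile(r'"([^"]*)"|([^)\n]*)'), False: re.compile(r'"([^"]*)"|([^\n]*)')}

class OraSyntaxError(ValueError): pass  # the message carries the 1-based line number

def _err(src, pos, msg):
    return OraSyntaxError(f"line {src.count(chr(10), 0, pos) + 1}: {msg}")

def _read_key(src, pos):
    m = _KEY.match(src, pos)
    if not m:  # a stray ')' at top level, as in a mis-edited listener.ora, ends up here
        raise _err(src, pos, f"expected a parameter name, found {src[pos:pos + 1] or 'end of file'!r}")
    return m.group(0), m.end()

def _read_value(src, pos, nested):
    """Scalar (ends at ')' when nested, else at end of line) or a list of (KEY, VALUE) groups."""
    pos = _WS.match(src, pos).end()
    if src[pos:pos + 1] != "(":  # bare or "quoted" scalar, e.g. (SSL_SERVER_CERT_DN="CN=...")
        m = _SCALAR[nested].match(src, pos)
        return (m.group(1) if m.group(1) is not None else m.group(2).strip()), m.end()
    groups = []  # keys such as ADDRESS may repeat, so keep an ordered list rather than a dict
    while src[pos:pos + 1] == "(":
        open_pos = pos
        key, pos = _read_key(src, _WS.match(src, pos + 1).end())
        pos = _WS.match(src, pos).end()
        if src[pos:pos + 1] == ")":  # bare item such as (NONE) or (IPC)
            groups.append((key, None))
        elif src[pos:pos + 1] != "=":
            raise _err(src, pos, f"expected '=' after {key}")
        else:
            val, pos = _read_value(src, pos + 1, nested=True)
            pos = _WS.match(src, pos).end()
            if src[pos:pos + 1] != ")":
                raise _err(src, open_pos, f"'({key} = ...' is never closed")
            groups.append((key, val))
        pos = _WS.match(src, pos + 1).end()
    return groups, pos

def parse_ora(text):
    """Whole .ora file -> list of (NAME, value); '#' comments are stripped first."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    entries, pos = [], _WS.match(src, 0).end()
    while pos < len(src):
        key, pos = _read_key(src, pos)
        pos = _WS.match(src, pos).end()
        if src[pos:pos + 1] != "=":
            raise _err(src, pos, f"expected '=' after {key}")
        val, pos = _read_value(src, pos + 1, nested=False)
        entries.append((key, val))
        pos = _WS.match(src, pos).end()
    return entries

def parse_descriptor(text):
    """jdbc.properties connect descriptor '@(description=...)': same grammar without the '@'."""
    src = text.strip().lstrip("@")
    groups, pos = _read_value(src, 0, nested=True)
    if pos != len(src):  # e.g. one ')' too many at the end
        raise _err(src, pos, f"unexpected {src[pos]!r} after the descriptor")
    return groups

def find_all(node, path):
    """Every value reached by a '/'-separated, case-insensitive key path; repeated keys all match."""
    hits = [node]
    for want in path.upper().split("/"):
        hits = [v for n in hits if isinstance(n, list) for k, v in n if k.upper() == want]
    return hits

def _endpoint(address):
    d = {k.upper(): v or "" for k, v in address}
    return d.get("PROTOCOL", "").upper(), d.get("HOST", "").lower(), d.get("PORT", "")

def check_tcps_consistency(listener_ora, tnsnames_ora, jdbc_descriptor, alias="PROTECT"):
    """Listener, tnsnames alias and Enforce descriptor must name one TCPS host:port, and Enforce must pin the DN."""
    listener, jdbc, problems = parse_ora(listener_ora), parse_descriptor(jdbc_descriptor), []
    listening = {e for e in map(_endpoint, find_all(listener, "LISTENER/DESCRIPTION_LIST/DESCRIPTION/ADDRESS"))
                 if e[0] == "TCPS"}
    clients = [(f"tnsnames.ora {alias}", find_all(parse_ora(tnsnames_ora), f"{alias}/DESCRIPTION/ADDRESS_LIST/ADDRESS")),
               ("jdbc.properties", find_all(jdbc, "DESCRIPTION/ADDRESS"))]
    for name, addrs in clients:
        eps = set(map(_endpoint, addrs))
        if not eps & listening:
            problems.append(f"{name}: endpoints {sorted(eps)} do not match the listener's TCPS endpoints {sorted(listening)}")
    if not find_all(jdbc, "DESCRIPTION/SSL_SERVER_CERT_DN"):
        problems.append("jdbc.properties: no SSL_SERVER_CERT_DN, so the server certificate DN is not pinned")
    return problems

HOST = "oradb.example.internal"  # placeholder; the samples below are constructed in the shape of the article's files
LISTENER_ORA = rf"""LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = {HOST})(PORT = 2484))(ADDRESS = (PROTOCOL = IPC)(KEY = PROTECT))))
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = C:\oracle\Wallet\server_wallet)))"""
TNSNAMES_ORA = rf"""PROTECT = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = {HOST})(PORT = 2484)))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = protect)))"""
JDBC_TCPS = (f"@(description=(address=(host={HOST})(protocol=tcps)(port=2484))"
             f'(connect_data=(sid=protect))(SSL_SERVER_CERT_DN="CN={HOST}"))')
```

Feed it the real files with `parse_ora(open(path).read())` and the descriptor value from jdbc.properties; `check_tcps_consistency(...)` returns an empty list when everything lines up, and `OraSyntaxError` names the line of the first unbalanced group, which is the usual reason the listener refuses to start after hand-editing.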

3. Now import the Oracle cert.txt into the cacerts keystore. Open a command prompt as Administrator, change to the lib\security directory from step 1 (where both cert.txt and cacerts now sit, since the command uses relative paths), and run: keytool -import -alias oracleservercert -keystore cacerts -file cert.txt You will be prompted for the keystore password; the default is changeit. You will then be asked ‘Trust this certificate?’; type “Yes” followed by Enter. You should see a message similar to the screenshot below

4. Once the certificate has been added you can verify that it is present (this is optional; skip to the next step if you wish) by running: keytool -list -v -keystore "C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security\cacerts" -storepass changeit (the path contains spaces, so it must be quoted; adding -alias oracleservercert lists only that entry). Alternatively, open cacerts in Notepad and use the find feature to search for “oracleservercert”.

5. Once cert.txt is imported into cacerts, either reboot the server or restart the Symantec DLP services. Stop the SymantecDLPNotifier service before any other service, and make sure it is the first service you start; I have highlighted this in the screenshot below

6. Once all the services are started and you have waited a few minutes (usually 3-5), try logging in to your Enforce server. If you can log in, communication between Enforce and Oracle is now encrypted.

7. To verify that the connection is established, log on to the Oracle server and run netstat -anp TCP in a command prompt; you should see the listener on port 2484 as per the screenshot below
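The netstat check above shows that something is listening on 2484, but not that the listener presents the certificate Enforce now trusts, nor that the certificate subject matches the DN pinned in jdbc.properties. The Python below is an added example, not Symantec or Oracle code: run from the Enforce host, it completes a TLS handshake with the listener trusting only the exported cert.txt and compares the server certificate's subject with the SSL_SERVER_CERT_DN value. It assumes cert.txt is the PEM certificate orapki exported (as the keytool import in step 3 also requires); the host, path and DN in the main block are placeholders.

```python
# Client-side check of the TCPS endpoint from the Enforce host: TLS handshake against the listener
# trusting only the exported cert.txt, then a DN comparison like the one SSL_SERVER_CERT_DN pins.
# Added example, not Symantec or Oracle code; assumes cert.txt is PEM as exported by orapki.
import socket
import ssl

# Long attribute names as returned by ssl.getpeercert() -> short forms used in a DN string.
_SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
          "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L"}

def parse_dn(dn):
    """'CN=host, O=Org' -> {'CN': 'host', 'O': 'Org'}; types uppercased, values trimmed (no escaping)."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            k, v = rdn.split("=", 1)
            parts[k.strip().upper()] = v.strip()
    return parts

def subject_dn(peercert):
    """Flatten the nested 'subject' tuples of ssl.getpeercert() into the same dict form."""
    out = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            out[_SHORT.get(name, name).upper()] = value
    return out

def dn_matches(expected_dn, actual):
    """True when every attribute of the pinned DN is present in the subject with the same value."""
    expected = parse_dn(expected_dn)
    return bool(expected) and all(actual.get(k) == v for k, v in expected.items())

def probe_tcps(host, port, cafile, expected_dn, timeout=5.0):
    """Return (ok, detail). Hostname checking is off because the pinned DN may carry an IP in CN
    (as in the article's example), so the DN comparison is done explicitly instead."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=cafile)  # the self-signed server cert is its own trust anchor
        with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw) as tls:
            subject = subject_dn(tls.getpeercert())
            return dn_matches(expected_dn, subject), f"{tls.version()} handshake done, subject {subject}"
    except OSError as exc:  # covers ssl.SSLError: unreachable port, untrusted cert, missing cafile ...
        return False, f"failed: {exc}"

if __name__ == "__main__":
    # Placeholders: use the Oracle host from listener.ora and the DN from jdbc.properties.
    print(probe_tcps("your_oracle_server", 2484, r"C:\path\to\cert.txt", "CN=your_oracle_server"))
```

A handshake failure with an "unknown ca" or "certificate verify failed" detail means the listener is not presenting the certificate in cert.txt (wrong wallet directory or a re-created certificate); a successful handshake with ok set to False means the subject does not match what jdbc.properties pins, which is the case the Enforce login in step 6 would otherwise fail on.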

Hopefully this has helped you configure encrypted communication between Oracle and Enforce.

Thanks

