Channel: Symantec Connect - Products - Articles

Securing Communication Between Linux Enforce and Oracle Database


Purpose

The purpose of this document is to encrypt the communication between the Enforce server and the Oracle database using TLS (Oracle's TCPS protocol). Symantec documents how to do this in the 15.1 installation guide, but that guide contains a number of errors. This guide works around those issues and is accompanied by screenshots.

The first section covers creating an Oracle wallet, creating a self-signed certificate in it, displaying the certificate and exporting it to a text file. The second part covers the changes to listener.ora, sqlnet.ora and tnsnames.ora, and finishes by confirming that the Oracle services are running as they should. The third part configures Enforce to trust that certificate and to connect over TCPS instead of cleartext TCP.

Environment

This environment consists of the following operating systems and tools.

Oracle server – Windows Server 2012 R2 running Oracle 12c

Linux server – Red Hat Enterprise Linux 7.4 running Symantec DLP 15.1

MobaXterm – SSH access to the Enforce server

WinSCP – copying files between the Oracle server and the Enforce server, backing files up to a safe location and editing files

Configuring Oracle wallet, certificate and Exporting

1. Open a command prompt as Administrator and change to the Oracle directory with cd c:\oracle

2. Run mkdir wallet followed by cd wallet

3. From the wallet directory create the wallet: orapki wallet create -wallet .\server_wallet -auto_login -pwd your_chosen_password (use your own password and keep it safe). Once the command completes you should see something similar to the following screenshot. -auto_login writes a cwallet.sso next to ewallet.p12 so that the listener can open the wallet without being given the password; because both files contain the private key, restrict the NTFS permissions on C:\oracle\Wallet\server_wallet to Administrators and the account the Oracle services run as.

4. Now create a self-signed certificate inside the wallet: orapki wallet add -wallet C:\oracle\Wallet\server_wallet -dn "CN=your oracle_server_hostname_or_IP" -keysize 2048 -self_signed -validity 3650 -pwd your_chosen_password_from_step_3 -sign_alg sha256 (a 2048-bit key with a SHA-256 signature). Once the command has run you should see something similar to the following screenshot. The value you give -dn is reused twice later, when exporting the certificate in step 6 and as SSL_SERVER_CERT_DN in jdbc.properties on the Enforce server, so decide now whether to use the hostname or the IP address and use it consistently. -validity 3650 makes the certificate valid for ten years; note the expiry date, because when it expires Enforce will stop connecting.

5. To check that the certificate has been created run: orapki wallet display -wallet c:\oracle\wallet\server_wallet You should see something similar to the screenshot below.

6. Now export the certificate so it can be given to the Enforce server later: orapki wallet export -wallet c:\oracle\wallet\server_wallet -dn "CN=your oracle_server_hostname_or_IP" -cert c:\oracle\wallet\server_wallet\cert.txt The -dn must be exactly the DN used in step 4 (the author's example was CN=10.10.100.103). You should see something similar to the screenshot below.

7. Check the directory c:\oracle\wallet\server_wallet to confirm that cert.txt was written; it should look similar to the image below. cert.txt contains only the public certificate, which is what Enforce will trust. ewallet.p12 and cwallet.sso contain the private key and must never leave the Oracle server.

We have now created an Oracle wallet and a certificate, exported the certificate and confirmed that the export worked. We can now move on to the second part.

Configuring .ora files to use encryption

1. Before editing any of these files make a backup: navigate to C:\oracle\product\12.2.0.1\db_1\network and copy the ‘admin’ folder to your Desktop or another safe location.

2. With the backup made, stop the Oracle services shown in the following screenshot. The listener in particular must be stopped, because it only reads listener.ora when it starts.

3. Now alter listener.ora. This file and the others we will change are stored in C:\oracle\product\12.2.0.1\db_1\network\admin. Open listener.ora and replace its contents with the following, adjusting ORACLE_HOME and the wallet path if yours differ:

# listener.ora Network Configuration File: C:\oracle\product\12.2.0.1\db_1\network\admin\listener.ora
# Generated by Oracle configuration tools.

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = C:\oracle\product\12.2.0.1\db_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:C:\oracle\product\12.2.0.1\db_1\bin\oraclr12.dll")
    )
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))
      (ADDRESS = (PROTOCOL = IPC)(KEY = PROTECT))
    )
  )

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\oracle\Wallet\server_wallet))
  )

SECURE_REGISTER_LISTENER = (IPC)

4. Edit HOST to your Oracle server name or IP address, then save and close the file. It should look similar to the following screenshot. Note that this listener.ora no longer has a plain TCP address on port 1521, only TCPS on port 2484 plus the local IPC endpoint, so the database can no longer be reached in cleartext over the network. Any other client that still connects on port 1521 will have to be moved to TCPS as well.

5. Next change sqlnet.ora. Open it in Notepad and replace its contents with the following:

# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES=(NONE)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = C:\oracle\Wallet\server_wallet))
  )

6. Save and close the file. It should look like the following screenshot. Be aware that SQLNET.AUTHENTICATION_SERVICES=(NONE) turns off the Windows native (NTS) operating-system authentication that the default Windows sqlnet.ora enables, so local connections such as sqlplus / as sysdba will no longer authenticate via the Windows account and need a database password instead.

7. The last file to change is tnsnames.ora. Open it in Notepad and replace its contents with the following:

# tnsnames.ora Network Configuration File: C:\oracle\product\12.2.0.1\db_1\network\admin\tnsnames.ora
# Generated by Oracle configuration tools.

ORACLR_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = CLRExtProc)
      (PRESENTATION = RO)
    )
  )

PROTECT =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = protect)
    )
  )

LISTENER_PROTECT =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = your oracle_server_hostname_or_IP)(PORT = 2484))

8. Edit both HOST entries, then save and close the file. It should look like the following screenshot.

9. Now that the files are changed, start the Oracle services again. The services to start are shown in the screenshot below.

10. Once the services are running, open Command Prompt as Administrator and run lsnrctl status. If everything is working the output lists the listening endpoint with (PROTOCOL=tcps) on port 2484 and shows the protect service, similar to the following screenshot. Running tnsping PROTECT from the same prompt confirms that the PROTECT entry in tnsnames.ora resolves and that the TCPS endpoint answers.

11. If the listener does not start, go back to the .ora files and check that the hostname or IP address is correct, that the wallet directory matches the one created in the first part, and that every opening parenthesis has a matching closing one; a single missing or extra parenthesis is enough to stop the listener.

Oracle is now configured to accept only encrypted connections, through the changes to listener.ora, sqlnet.ora and tnsnames.ora.
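Before the services are restarted, the three files can be checked mechanically. The following bash script is an added example and is not part of the original article or of Oracle's tooling. It takes the .ora files as arguments (copy them to the Enforce server with WinSCP, or run it on the Oracle host from a bash such as Git Bash), ignores comment lines, reports any parenthesis imbalance, and fails if a plain (PROTOCOL = TCP) address is still present, which would leave a cleartext path next to the TCPS one. The file names in the usage line are the article's own; nothing else is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article or of Oracle's tools.
# Usage: ./ora_check.sh listener.ora sqlnet.ora tnsnames.ora

# Count one character in a file, ignoring comment lines (leading '#').
count_char() {                 # $1 = file, $2 = character
    grep -v '^[[:space:]]*#' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Print the difference between '(' and ')' in an .ora file (0 = balanced)
# and return 1 if it is not 0. Oracle's net files are nested parentheses,
# so one extra or missing ')' is enough to stop the listener.
ora_paren_balance() {          # $1 = file
    local opens closes diff
    opens=$(count_char "$1" '(')
    closes=$(count_char "$1" ')')
    diff=$((opens - closes))
    echo "$diff"
    [ "$diff" -eq 0 ]
}

# A file that still contains a (PROTOCOL = TCP) address would keep a
# cleartext endpoint next to the TCPS one. Returns 0 if none is present,
# otherwise prints the offending lines and returns 1. "TCPS)" does not
# match because the S sits between TCP and the closing parenthesis.
ora_no_cleartext_tcp() {       # $1 = listener.ora or tnsnames.ora
    ! grep -v '^[[:space:]]*#' "$1" \
      | grep -Ei '\(PROTOCOL[[:space:]]*=[[:space:]]*TCP[[:space:]]*\)'
}

# Run both checks over every file given; return 1 if any check failed.
ora_check_files() {
    local f rc=0
    for f in "$@"; do
        printf '%s: paren imbalance %s\n' "$f" "$(ora_paren_balance "$f" || true)"
        ora_paren_balance "$f" >/dev/null || rc=1
        ora_no_cleartext_tcp "$f" || { echo "$f: cleartext TCP address present"; rc=1; }
    done
    return $rc
}

if [ "$#" -ge 1 ]; then
    ora_check_files "$@"
fi
```

A non-zero imbalance means parentheses were lost or doubled while pasting; the cleartext check is worth keeping in a post-change review because an (ADDRESS = (PROTOCOL = TCP) ...) line quietly re-added to listener.ora later would reopen port 1521.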

Configuring Enforce to use encryption to Oracle

1. Before finishing with the Oracle box we need to transfer the cert.txt file exported from the wallet earlier. Navigate to c:\oracle\wallet\server_wallet, copy cert.txt to a place that WinSCP can reach, then connect to your Enforce server with WinSCP and copy cert.txt into /opt/Symantec/DataLossPrevention/Server JRE/1.8.0_162/lib/security (this assumes Symantec DLP is installed in the default location; if your installation has a different JRE version directory under Server JRE, use that one). Only cert.txt is transferred, never the wallet files.

2. Once the file is copied, use WinSCP to navigate to /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/config (again assuming the default install location). Download the original ‘jdbc.properties’ file to a safe location as a backup, then right-click the original and choose Edit. In the text editor, replace the connection descriptor, which reads

@(description=(address=(host=your_oracle_servername_or_IP_Here)(protocol=tcp)(port=1521))(connect_data=(sid=protect)))

with

@(description=(address=(host=your_oracle_servername_or_IP_Here)(protocol=tcps)(port=2484))(connect_data=(sid=protect))(SSL_SERVER_CERT_DN="CN=your_certificate_name_here"))

Save and close the file. SSL_SERVER_CERT_DN must be the DN given to orapki in step 4 of the first part, character for character (for example CN=10.10.100.103): it is the value the JDBC driver compares against the certificate the listener presents.

3. With jdbc.properties altered, the Oracle cert.txt must be imported into the cacerts trust store of the JRE that Enforce runs on. Log in to the Enforce server as root with your preferred SSH tool and run the keytool shipped in that JRE, giving full paths so that the right cacerts is changed:

/opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_162/bin/keytool -import -alias oracleservercert -keystore /opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_162/lib/security/cacerts -file /opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_162/lib/security/cert.txt

You will be prompted for the keystore password, which defaults to changeit. keytool then prints the certificate's owner and fingerprints and asks ‘Trust this certificate?’; check that the owner is the DN from the orapki steps before typing yes and pressing Enter. You should see a message similar to the screenshot below. Bear in mind that cacerts belongs to the bundled JRE, so an upgrade that replaces the Server JRE also replaces cacerts and the import has to be repeated.

4. Once the certificate has been added you can verify the import (this is optional; skip to the next step if you wish) by running: keytool -list -v -keystore /opt/Symantec/DataLossPrevention/Server\ JRE/1.8.0_162/lib/security/cacerts -storepass changeit

Once the command has run you will see something like the screenshot below.

If you prefer not to run the command, you can confirm the import with WinSCP instead: navigate to /opt/Symantec/DataLossPrevention/Server JRE/1.8.0_162/lib/security, right-click cacerts and select Edit, and use the editor's find feature to search for “oracleservercert”. cacerts is a binary keystore, so close the file without saving once you have found the alias.

5. After importing cert.txt into cacerts you need to either reboot the server or stop and start the Symantec DLP services. Over SSH change to the services directory:

cd "/opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/services/"

and stop the services in this order:

1. ./SymantecDLPNotifier.sh stop

2. ./SymantecDLPManager.sh stop

3. ./SymantecDLPIncidentPersister.sh stop

4. ./SymantecDLPDetectionServerController.sh stop

Then start them again in this order:

1. ./SymantecDLPNotifier.sh start

2. ./SymantecDLPManager.sh start

3. ./SymantecDLPIncidentPersister.sh start

4. ./SymantecDLPDetectionServerController.sh start

These commands are highlighted in the screenshot below.

6. Once all the services are started, wait a few minutes (usually 3 to 5) and try logging in to the Enforce console. If you can log in, Enforce is talking to Oracle over the encrypted connection.

7. To confirm, log on to the Oracle server and run netstat -anp TCP in a command prompt. You should see the listener in LISTENING state on port 2484 and ESTABLISHED connections to that port from the Enforce server's IP address, as in the screenshot below, and there should no longer be a LISTENING entry for port 1521.
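netstat only shows that something is listening. The following bash script is an added example, not part of the original article or of the Symantec product, and is run on the Enforce server to check what a client actually gets: it fetches the certificate the listener presents on port 2484 with openssl s_client, computes its SHA-256 fingerprint, compares it with the fingerprint of the cert.txt exported from the wallet, confirms that the old cleartext port 1521 no longer accepts connections, checks that jdbc.properties now points at tcps/2484, and lists the oracleservercert entry in cacerts. The Oracle host and the path of cert.txt are passed as arguments; the JRE and jdbc.properties paths are the article's default install locations and are assumptions to adjust for your server.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article or the Symantec product.
# Usage: ./verify_oracle_tls.sh <oracle_host_or_ip> <path/to/cert.txt>
# Assumed default-install paths; change them if your Enforce install differs.
JRE="/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_162"
JDBC_PROPS="/opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/config/jdbc.properties"

# SHA-256 fingerprint of a PEM certificate, computed over the DER bytes,
# i.e. the value `openssl x509 -noout -fingerprint -sha256` prints.
# Tolerates the CRLF line endings cert.txt has when exported on Windows.
pem_fingerprint() {            # $1 = PEM file
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
      | grep -v -- '^-----' | tr -d '\r\n' | base64 -d \
      | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# The certificate the listener presents in the TLS handshake, as PEM.
server_cert() {                # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM
}

# Returns 0 only if the presented certificate is byte-for-byte the exported
# one. With a self-signed certificate this comparison is what rules out a
# stale wallet or a man-in-the-middle presenting a different certificate.
verify_listener_cert() {       # $1 = host, $2 = port, $3 = exported cert.txt
    local tmp live expected
    tmp=$(mktemp)
    server_cert "$1" "$2" > "$tmp"
    live=$(pem_fingerprint "$tmp"); rm -f "$tmp"
    expected=$(pem_fingerprint "$3")
    echo "expected:  $expected"
    echo "presented: $live"
    [ -n "$live" ] && [ "$live" = "$expected" ]
}

# Returns 0 if nothing accepts TCP on host:port (cleartext 1521 is gone).
port_closed() {                # $1 = host, $2 = port
    ! timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Returns 0 if jdbc.properties points only at the TCPS listener on 2484.
jdbc_uses_tcps() {             # $1 = jdbc.properties
    grep -qi 'protocol=tcps' "$1" && grep -qi 'port=2484' "$1" \
      && ! grep -Eqi 'protocol=tcp\)' "$1"
}

# Print the imported trust entry so its fingerprint can be compared as well.
cacerts_entry() {              # $1 = alias
    "$JRE/bin/keytool" -list -keystore "$JRE/lib/security/cacerts" \
        -storepass changeit -alias "$1"
}

if [ "$#" -ge 2 ]; then
    host=$1; cert=$2; rc=0
    verify_listener_cert "$host" 2484 "$cert" && echo "listener certificate OK" \
      || { echo "listener certificate MISMATCH"; rc=1; }
    port_closed "$host" 1521 && echo "port 1521 closed" \
      || { echo "WARNING: port 1521 still accepts connections"; rc=1; }
    jdbc_uses_tcps "$JDBC_PROPS" && echo "jdbc.properties uses tcps/2484" \
      || { echo "jdbc.properties still references cleartext"; rc=1; }
    cacerts_entry oracleservercert
    exit $rc
fi
```

The fingerprint printed by keytool during the import and the one this script prints for cert.txt are the same value, so all three (wallet export, cacerts entry, live listener) can be compared by eye; the script exits non-zero if the live certificate differs, if port 1521 still answers, or if jdbc.properties still contains a protocol=tcp address.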

Hopefully this article helps you set up the encrypted connection.

Thanks for reading.

