Oracle Advanced Security: SSL
The SSL tab enables you to modify Secure Sockets Layer (SSL) settings. SSL is an industry-standard protocol for securing network communications. SSL provides authentication, encryption, and data integrity. Use SSL to secure communications between any client and any server. Specifically, you can use SSL to authenticate any client or server to one or more Oracle servers, or an Oracle server to any client.
Configure SSL
From the list, select whether to specify settings for the client or for the server.
The settings you need to configure for the server are similar to those you set for the client. There is one additional parameter: a check box entitled Require Client Authentication.
Configuration Method
TBD...From the list, select File System to...., or select Entrust to...
Wallet Configuration
A wallet contains certificates, keys, and trust points. Select one of the four configuration methods described in the table. If the method chosen is File System or Entrust Wallets, choose Browse to search for a wallet in your file system.
Wallet Configuration Method | Access Method |
File system | Directory path |
Microsoft certificate | None |
Microsoft registry | Registry key |
Entrust wallets | Directory path |
Cipher Suite Configuration
Several SSL cipher suites have been installed by default. These default cipher suites will be overwritten if you add one or more manually.
Element | Description |
Add button | Choose to invoke the Select a Cipher Suite to enable dialog box. In the dialog box, select a suite, and then choose OK. The cipher suite is added to the list box. |
Remove button | Choose to remove a selected Cipher Suite. |
Promote button | Choose to move a selected Cipher Suite to a higher level in the list. |
Demote button | Choose to move a selected Cipher Suite to a lower level in the list. |
Revocation Check (Server only)
Specify a revocation check for a certificate. Select from one of the following values:
- None: Select to turn off certificate revocation checking.
- Required: Select to perform certificate revocation checking when a certificate is available. If a certificate is revoked and no appropriate Certificate Revocation List (CRL) is found, then reject the SSL connection. If no appropriate CRL is found to ascertain the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
- Requested: Select to perform certificate revocation checking in case a CRL is available. Reject the SSL connection if the certificate is revoked. If no appropriate CRL is found to determine the revocation status of the certificate and the certificate is not revoked, then accept the SSL connection.
Require SSL Version (optional)
From the list, select the version of SSL. The client and the server must use compatible versions of SSL. You can select SSL v3.0 or choose to allow any existing or future version of SSL to be used.
Require Client Authentication (Server only)
This check box is selected by default. Deselect this check box if you do not want to require client-side authentication.
Match server X.509 name (Client only)
From the list, select whether to check that the server's distinguished name (DN) matches its service name. If you enforce the match verification, then SSL ensures that the certificate is from the server. If you select to not enforce the match verification, then SSL performs the check but allows the connection, regardless of whether there is a match. Not enforcing the match allows the server to potentially fake its identity. Select from one of the following values:
- Yes: Select to check the server DN. If the DN matches the service name, the connection succeeds. If the DN does not match the service name, the connection is successful, but an error is logged in the sqlnet.log file.
- No: Select to not check the server DN. Ignoring this check can enable the server to fake its identity.
- Let Client Decide: TBD
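An added example, not part of the original help page and not Oracle's code: a Python check over the sqlnet.ora profile in which these tab settings are stored, flagging the choices described above that weaken authentication or encryption. The parameter names (WALLET_LOCATION, SSL_CIPHER_SUITES, SSL_VERSION, SSL_CLIENT_AUTHENTICATION, SSL_CERT_REVOCATION, SSL_SERVER_DN_MATCH) are Oracle Net's sqlnet.ora names and do not appear on this page; the sample file and its wallet path are constructed.

```python
import re

# Constructed sample sqlnet.ora; parameter names are Oracle Net's, not shown on this page.
SAMPLE = """\
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /constructed/path/wallet)))
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA)
SSL_VERSION = 3.0
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CERT_REVOCATION = NONE
SSL_SERVER_DN_MATCH = NO
"""

OFF = {"NO", "OFF", "FALSE"}

def parse_sqlnet(text):
    """Map each top-level NAME = value entry; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)", line)
        if m:                                         # new parameter starts in column 0
            current = m.group(1).upper()
            params[current] = m.group(2).strip()
        elif line.strip() and current:                # indented continuation line
            params[current] += " " + line.strip()
    return params

def audit(params, role):
    """Return findings for role 'server' or 'client' (the two views of the SSL tab)."""
    get = lambda name: params.get(name, "").upper()   # "" means the parameter is absent
    findings = []
    if role == "server":
        # Absent values are reported too, so the reviewer confirms the effective default.
        if get("SSL_CERT_REVOCATION") in {"", "NONE"}:
            findings.append("SSL_CERT_REVOCATION: absent or NONE, revocation is not checked")
        if get("SSL_CLIENT_AUTHENTICATION") in OFF:
            findings.append("SSL_CLIENT_AUTHENTICATION: clients are not authenticated")
    elif get("SSL_SERVER_DN_MATCH") in OFF | {""}:
        findings.append("SSL_SERVER_DN_MATCH: absent or off, server DN is not enforced")
    if get("SSL_VERSION") == "3.0":
        findings.append("SSL_VERSION: pinned to SSL 3.0, which RFC 7568 prohibits")
    for suite in re.findall(r"\w+", get("SSL_CIPHER_SUITES")):
        if re.search(r"NULL|ANON|EXPORT", suite):
            findings.append(f"SSL_CIPHER_SUITES: {suite} lacks encryption, authentication or key strength")
    return findings

if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, *audit(parse_sqlnet(SAMPLE), role), sep="\n  ")
```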
Copyright © 1996, 2009, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.