Data Encryption

Oracle data provider supports transparent data encryption and tablespace encryption when connected to an Oracle 11g or higher database that has these features enabled. It can also be used with Oracle's SECUREFILES LOB storage mechanism.

Encrypting network data provides data privacy so that unauthorized parties cannot view and alter clear text data as it passes over the network. Oracle data provider supports the following types of data encryption for all supported Oracle databases:

• SSL: SSL secures the integrity of your data by encrypting information and providing authentication.
• Oracle Wallet: The Oracle Driver supports the use of Oracle Wallet as a Certificate Store Location. A Wallet is password-protected container that is created using the Oracle Wallet manager and contains trusted certificates for authenticating the server's public certificate.
• Oracle Advanced Security: Oracle Advanced Security provides the Advanced Encryption Standard (AES), DES, 3DES, and RC4 symmetric cryptosystems for protecting the confidentiality of network traffic.

In addition to the above the Oracle driver also supports Oracle Advanced Security data integrity checks. See Data Encryption Across the Network for more information.

Configuring SSL Encryption

To enable support for SSL connections to the Oracle database, the Oracle database must be configured for Oracle Advanced Security. For information about configuring your database, refer the Oracle documentation.

NOTE: Connection hangs can occur when the data provider is configured for SSL and the database server does not support SSL. You may want to set a login timeout using the ConnectionTimeout property to avoid problems when connecting to a server that does not support SSL.

To configure SSL encryption:

1. Set the Encryption Method connection string option to SSL.
2. To validate certificates sent by the database server, set the Validate Server Certificate connection string option to True.
3. Optionally, set the Host Name In Certificate connection string option to a host name to be used to validate the certificate. The Host Name In Certificate connection string option provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the data provider is connecting to is the server that was requested.

Configuring Oracle Wallet

The Oracle Driver supports the use of Oracle Wallet as a Certificate Store Location. A wallet is a password-protected container that is created using the Oracle Wallet Manager. It contains trusted certificates for authenticating the server's public certificate.

To configure Oracle Wallet Connection properties:

1. Specify the location of the X.509 certificate store used for client authentication in the Certificate Store Location. For more information, see Connection String Option Descriptions.
2. Specify the password of the certificate store used for server authentication in the Certificate Store Password. For more information, see Connection String Option Descriptions.

Oracle Wallet is compliant with the PKCS#12 standard and the file extension must be .pfx or .p12.

Configuring Oracle Advanced Security

To configure Oracle Advanced Security data encryption:

1. Set the Encryption Level property to accepted, requested, required, or rejected.
2. Set the Encryption Types property to one or multiple algorithms.

To configure Oracle Advanced Security data integrity:

1. Set the Data Integrity Level property to accepted, requested, required, or rejected.
2. Set the Data Integrity Types property to SHA1, SHA256, SHA384, SHA512, MD5, All, or None.

Note: Since data integrity protection operates independently from the encryption process, you can enable data integrity with or without enabling encryption.