7 Replies Latest reply on Jan 9, 2017 4:53 AM by Mark Walters

How can the AR Server 9.x encrypt its DB connection to Oracle?

Martin Rosenbauer Oct 31, 2016 9:32 AM

AR Server 9.0 and above seems to use direct JDBC connections in order to connect to the Oracle database. It does not use the Oracle fat Client libraries any more.

Therefore it seems to be impossible to alter the connection parameters of this JDBC connection in order make encrypted connections mandatory.

Has anyone been successfully passing appropriate connection parameters to the JDBC connector via command line parameters of the Java command line in file "armonitor.conf"? Is there any Java Guru out there who can tell me if this would be possible?

We are implementing an new Remedy ITSM Suite in some high-security Environment. The security architects claim that JDBC would transmit the Oracle password of the Remedy account (aradmin) without encrypting it, and therefore they require us to encrypt the whole JDBC connection to the database. Is there any way to encrypt this Connection other than to use Remedy 8.x instead of 9.x and to Switch on encryption in the Oracle fat client?

1. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Mark Walters Oct 31, 2016 9:53 AM (in response to Martin Rosenbauer)

You're correct that 9.x uses JDBC to connect to the database rather than the OCI client as in previous versions. Unfortunately, at this time, the JDBC connection string is is hard coded and can't be configured with the options necessary to enable encryption. Please consider creating an idea in this community to suggest adding this feature.

Mark
1 of 1 people found this helpful
Like Show 2 Likes(2)

Actions
2. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Jason Miller Oct 31, 2016 12:46 PM (in response to Mark Walters)

Wow! I can't believe there isn't an option to encrypt the connection. In 2016 with all of the security breaches every org has to worry about, this seems more like a defect than an opportunity for enhancement.
2 of 2 people found this helpful
Like Show 3 Likes(3)

Actions
3. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Martin Rosenbauer Dec 22, 2016 11:41 AM (in response to Jason Miller)

In the meantime we have figured out that on the Oracle server, there is an option to specify the encryption standard for the DB connection. If you only permit encrypted connections, then the Remedy side is in fact switching to encrypted data interchange... If I remember right, this was configured in the "sqlnet.ora" file..
4 of 4 people found this helpful
Like Show 2 Likes(2)

Actions
4. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Mark Walters Dec 22, 2016 12:04 PM (in response to Martin Rosenbauer)

That's interesting to hear - did you have to add a certificate on the client side Java or configure an Oracle wallet?

Mark
Like Show 0 Likes(0)

Actions
5. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Martin Rosenbauer Dec 22, 2016 1:27 PM (in response to Mark Walters)

... no, for the Oracle to AR Server connection, we did not add any certificate. This might be due to the encryption algorithm which is used or "required" by Oracle. I think that we followed the following instructions:
Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
This link seems to contain all the details for the configuration on the Oracle server side.
5 of 5 people found this helpful
Like Show 2 Likes(2)

Actions
6. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Mark Walters Dec 23, 2016 3:59 AM (in response to Martin Rosenbauer)

Martin Rosenbauer that's really helpful thank you!

I've just tested this and it does look like setting the options on the server creates an encrypted connection. I used the Oracle Net Manager on the server to set the encryption state to requested, provided a seed and chose an algorithm. Using tcpdump on a Linux server with AR 9.1 I captured the traffic to the database and could see plain text data. I then restarted AR and checked again and now the data is no longer plain text.

I had not appreciated the different Oracle encryption options and thought that you had to configure SSL to achieve the above, which would require changes to the JDBC connect string. This seems a more straightforward option for just network packet payload encryption.

I'm going to do a bit more digging and I'll write this up as a knowledge base article/communities blog post.

Thanks again for taking the time to update this thread with the information.

Mark
1 of 1 people found this helpful
Like Show 2 Likes(2)

Actions
7. Re: How can the AR Server 9.x encrypt its DB connection to Oracle?

Mark Walters Jan 9, 2017 4:53 AM (in response to Mark Walters)

Martin Rosenbauer thank you again for the update on this topic when you found out how to enable encryption. I've created a blog post that details how to do this so others become aware of the feature. There's also a KB linking to the blog to help more people find it.

Trending in Support: Encrypting Data Between AR Servers and Oracle Databases

Mark
2 of 2 people found this helpful
Like Show 2 Likes(2)

Actions