Configuring Secured Connections Between the SQL Gateway and the Oracle Database

Overview

Oracle provides two alternatives for secured connections:

  • Oracle Native Network Encryption and Integration

  • SSL encryption

Oracle Native Network Encryption and Integration

The use of Native Network Encryption and Integration is negotiated between the SQL Gateway and Oracle. The SQL Gateway uses the configuration value ACCEPTED for both features. If the Oracle server is configured with REQUESTED or REQUIRED for a feature, that feature is active. For further information, refer to your Oracle documentation.

SSL Encryption

In order to encrypt the connection between the SQL Gateway and the Oracle database by SSL, perform the following steps:

Creating Self-Signed Certificates for Oracle Connections

The installation of the SQL Gateway contains a batch file that creates an auto-login wallet containing a self-signed certificate for both the client and the server.

As a prerequisite for executing the batch file, the Oracle Wallet Manager must be available on the PC. The Oracle Wallet Manager is installed by the Oracle installer.

Proceed as follows:

| Step | Action | Details |
|------|--------|---------|
| 1 | Open the batch file. | In the Settings > Database Certificates tab, select Open folder > Oracle. |
| 2 | Adapt the batch file template. | 1. Replace the placeholders baseFolder, rootWallet, serverWallet, and clientWallet that define the folders in which the Oracle wallets are created. 2. Replace the placeholder walletPassword that defines the password for the wallets created. 3. Replace the placeholders rootSubject, clientSubject, and serverSubject that contain the respective certificate subjects. |
| 3 | Execute the batch file on the server PC (the PC on which Oracle is running). | As a result, two auto-login wallets are created: one for the SQL Gateway and one for the Oracle server. |
| 4 | Copy the folder containing the auto-login wallet for the Oracle server to the Oracle PC and adapt the Oracle configuration. | Adapt the access rights of the .sso file, allowing the Oracle services to read it. |
| 5 | Copy the folder containing the auto-login wallet for the client to the SQL Gateway PC. | Adapt the access rights of the .sso file to allow the SQL Gateway to read it. |

Configuring Oracle

For details on Oracle configuration, refer to your Oracle user documentation.

Configuring the SQL Gateway

In the Configuration tab of the SQL Gateway, configure the SSL parameters:

| Step | Action |
|------|--------|
| 1 | Select the entry from the list of Database Servers. |
| 2 | On the right-hand side, set the parameter SSL Encryption to ON. |
| 3 | Select the option for the Server Validation parameter. |
| 4 | Select Client Certificate. |

Validation of Server Certificates

For Oracle connections, the Configuration tab of the SQL Gateway allows you to configure how to evaluate server certificates.

If the parameter SSL Encryption is set to ON, the parameter Server Validation provides the following options:

| Server Validation option | Description |
|--------------------------|-------------|
| Verify Name | It is verified whether the name in the server certificate matches the name of the server in the TCP connection. |
| Verify Subject Name | It is verified whether the name you enter in the field Subject Name matches the subject name in the certificate. |
| No Validation | The server certificate is not verified by the SQL Gateway computer. |

 WARNING
UNAUTHENTICATED ACCESS
  • Use the No Validation setting only for testing purposes.
  • Do not use the No Validation setting during operation.
Failure to follow these instructions can result in death, serious injury, or equipment damage.

Client Certificates

For Oracle connections, the Configuration tab of the SQL Gateway allows you to select a client certificate to be used for the SSL connection to the Oracle server.

If the parameter SSL Encryption is set to ON, the parameter Client Certificate provides the following options:

| Client Certificate option | Description |
|---------------------------|-------------|
| From Auto-Login Wallet | Select the option From Auto-Login Wallet if a client certificate is provided as an .sso file. The parameter Wallet File allows you to browse for the .sso file or to enter the path to the .sso file. NOTE: There is no password protection available for the .sso file; see the important hazard message after the table to help avoid unauthorized access. NOTE: Allow the SQL Gateway access to the .sso file. |
| From Personal Store | Select the option From Personal Store if the client certificate is installed in the certificate store of the user account of the SQL Gateway. |

 WARNING
UNAUTHORIZED ACCESS
Configure file access rights for the .sso wallet file and allow access only to those services that are required for establishing a secured connection.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
NOTE: Use Windows Explorer > Properties > Security to assign the access rights of the file.
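
The access restriction required by the warning above can also be audited and applied from PowerShell. The following script is an added example, not part of the SQL Gateway installation or documentation; the wallet path and the service account name are placeholders that you must replace with your own values.

```powershell
# Added example: audit and restrict the ACL of an auto-login wallet (.sso).
# Assumptions: wallet path and service account are placeholders, not values
# from the product documentation. Run from an elevated PowerShell session.
param(
    [string]   $WalletFile = 'C:\Wallets\client\cwallet.sso',    # placeholder path
    [string[]] $Readers    = @('NT SERVICE\ExampleGatewaySvc'),  # placeholder account
    [switch]   $Apply      # without -Apply the script only reports
)
$ErrorActionPreference = 'Stop'

# Accounts that keep full control for maintenance; everything else is removed.
$admins  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$allowed = $admins + $Readers

# 1. Audit: warn about every Allow entry for an identity not on the allowlist.
$acl = Get-Acl -LiteralPath $WalletFile
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $ace.IdentityReference.Value) {
        $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Warning "$($ace.IdentityReference) has $($ace.FileSystemRights) ($kind)"
    }
}
if (-not $Apply) { return }

# 2. Harden: stop inheriting from the folder and discard the inherited entries,
#    then drop all explicit entries so only the rules added below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleSpecific($ace) }

foreach ($id in $admins) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
foreach ($id in $Readers) {   # services get read access only
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $WalletFile -AclObject $acl

# 3. Verify: print the resulting ACL for the change record.
(Get-Acl -LiteralPath $WalletFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it once for the client wallet with the account of the SQL Gateway as reader, and once for the server wallet with the account of the Oracle services as reader.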