How to enable encryption for ODBC connections to Oracle databases

Document ID : KB000095420
Last Modified Date : 22/05/2018
Issue:
As a cyber security requirement, there is a mandate that all communication to the database be encrypted.
These are the settings on the Oracle DB Server:
Oracle Database Settings:
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)

The ODBC connection is configured based on KB Document ID : KB000016934
"How to enable encryption for ODBC connections to Oracle databases?"
EncryptionLevel=3 
EncryptionTypes=AES256 
DataIntegrityLevel=3 
DataIntegrityTypes=SHA1 

However, the error SQLCHAR * 0xd9f08120 [104] "[DataDirect][ODBC Oracle Wire Protocol driver][Oracle]ORA-01017: invalid username/password; logon denied" is received when the connection is attempted.
Rolling back the changes allowed the connection to function as expected.
Environment:
Policy Server: Version 12.52.01.00 (12.52 SP1 Base) 
OS: RedHat Linux 5
Oracle database: 11.2.0.3.0 
Datadirect oracle driver version: 7.10
NOTE: We used the following to confirm the full version of the DataDirect driver.
From CA/siteminder/odbc/lib, run:
$ strings NSora28.so | grep "7\."




 
Cause:
While the version of the "DataDirect Wire protocol" may support Oracle Advanced Security, there was a related defect in an early release of the 7.1 driver. It was fixed in hot fix 7.12.0085.
Prior to the fix, the ORA-01017 error is received if Encryption Level = 2 (Requested) or Encryption Level = 3 (Required).
However, the problem does not occur when the driver has Encryption Level set to 0 or 1.
 
Resolution:
Option 1: Use "EncryptionLevel=1" instead of "EncryptionLevel=3" in the ODBC.ini.

Option 2: Upgrade to 12.52 SP1 CR2 or later.
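
Because Option 1 lowers the client setting, it is worth confirming that the session is still encrypted against the server settings shown above. The following check is an added example, not part of the original article or of the driver: it applies Oracle's native network encryption negotiation rules to an odbc.ini DSN and the server's sqlnet.ora values. It assumes EncryptionLevel 0 and 1 correspond to REJECTED and ACCEPTED (the article states only 2 and 3); the DSN name is hypothetical, and the driver defect itself is not modelled.

```python
import configparser
import re

# DataDirect EncryptionLevel -> Oracle keyword. 2 and 3 are stated in the
# article; 0 and 1 are taken from the driver documentation (assumption here).
LEVELS = {"0": "REJECTED", "1": "ACCEPTED", "2": "REQUESTED", "3": "REQUIRED"}
LEGACY = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}

def algs(value):  # 'AES256,DES' or '(AES256,DES)' -> ordered list
    return [a.strip().upper() for a in value.strip(" ()").split(",") if a.strip()]

def negotiate(client, server):
    """Oracle native network encryption outcome: 'on', 'off' or 'fail'."""
    pair = {client, server}
    if pair == {"REJECTED", "REQUIRED"}:
        return "fail"
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "off"
    return "on"

def audit(odbc_ini, dsn, sqlnet_ora):
    server = dict(re.findall(r"^\s*(SQLNET\.\w+)\s*=\s*(.+?)\s*$", sqlnet_ora, re.M))
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # odbc.ini keys are mixed case
    ini.read_string(odbc_ini)
    client_level = LEVELS[ini[dsn]["EncryptionLevel"].strip()]
    state = negotiate(client_level, server["SQLNET.ENCRYPTION_SERVER"].upper())
    offered = algs(ini[dsn]["EncryptionTypes"])
    permitted = algs(server["SQLNET.ENCRYPTION_TYPES_SERVER"])
    chosen = None
    if state == "on":
        # The server takes the first entry of its own list that the client offers.
        chosen = next((a for a in permitted if a in offered), None)
        state = "on" if chosen else "fail"
    findings = []
    if state != "on":
        findings.append(f"session not encrypted ({state})")
    if client_level != "REQUIRED":
        findings.append("client does not enforce encryption; it relies on the server setting")
    legacy = [a for a in permitted if a in LEGACY]
    if legacy:
        findings.append("server still permits legacy ciphers: " + ",".join(legacy))
    return state, chosen, findings

# Constructed inputs: server values from the article, DSN name is hypothetical.
SQLNET = "SQLNET.ENCRYPTION_SERVER = REQUIRED\nSQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128,DES,RC4_256,RC4_128,DES40)\n"
ODBC = "[ExampleDSN]\nEncryptionLevel=1\nEncryptionTypes=AES256\n"
if __name__ == "__main__":
    print(audit(ODBC, "ExampleDSN", SQLNET))
```

With the article's server settings, the Option 1 configuration still negotiates AES256, but only because the server is set to REQUIRED; the check also reports the legacy ciphers left in the server list.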
Additional Information:
DATADIRECT KB ARTICLES
CANNOT CONNECT TO ORACLE WHEN ORACLE ADVANCED SECURITY IS ENABLED
https://knowledgebase.progress.com/articles/Article/000043307
ERROR MESSAGE: ORA-01017: Invalid username/password; login denied
RESOLUTION: Fixed in hot fix 7.12.0085
Refer to "Connect and Connect64 for ODBC hot fix download and install instructions" for instructions on how to download and install the hot fix.

DOES THE CONNECT/CONNECT64 FOR ODBC ORACLE WIRE PROTOCOL SUPPORT ORACLE ADVANCED SECURITY
https://knowledgebase.progress.com/articles/Article/2506
RESOLUTION: Enhancement request PSC00039104 has been implemented. Upgrade to Data Direct Connect for ODBC 7.1 GA or later.