Oracle Database offers two ways to encrypt data over the network: native network encryption (NNE) and Transport Layer Security (TLS). NNE is a proprietary Oracle security feature, whereas TLS is an industry standard. RDS for Oracle supports NNE for all editions of Oracle Database.
NNE has the following advantages over TLS:
-
You can control NNE on the client and server using settings in the NNE option:
-
SQLNET.ALLOW_WEAK_CRYPTO_CLIENTSandSQLNET.ALLOW_WEAK_CRYPTO -
SQLNET.CRYPTO_CHECKSUM_CLIENTandSQLNET.CRYPTO_CHECKSUM_SERVER -
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENTandSQLNET.CRYPTO_CHECKSUM_TYPES_SERVER -
SQLNET.ENCRYPTION_CLIENTandSQLNET.ENCRYPTION_SERVER -
SQLNET.ENCRYPTION_TYPES_CLIENTandSQLNET.ENCRYPTION_TYPES_SERVER
-
-
In most cases, you don't need to configure your client or server. In contrast, TLS requires you to configure both client and server.
-
No certificates are required. In TLS, the server requires a certificate (which eventually expires), and the client requires a trusted root certificate for the certificate authority that issued the server’s certificate.
To enable NNE encryption for an Oracle DB instance, add the Oracle NNE option to the option group associated with the DB instance. For more information, see Oracle native network encryption.
Note
You can't use both NNE and TLS on the same DB instance.
