
Entries For: September 2006

September 20, 2006

11i: SQL*Net Encryption Now Certified - Finally

Oracle has finally certified the use of the Advanced Security Option/Advanced Networking Option to encrypt SQL*Net traffic between the database and the application servers in Oracle Applications 11i.  This certification had been promised for several years.

The Advanced Security Option (ASO) is an optional, extra-cost component of the Oracle Database.  Advanced Networking Option (ANO) is the previous name of ASO in Oracle 8.0.x; it still matters in an Oracle Applications 11i configuration because Forms, Reports, and Concurrent Manager continue to use an 8.0.6.3 ORACLE_HOME.

This certification, and encrypting SQL*Net traffic at all, is only relevant to highly secure implementations that require encryption of all network traffic.  The application servers and database should be contained together in a secure data center, so encrypting the traffic between them provides only marginal benefit.  Of more concern are direct SQL*Net connections from application servers deployed in a DMZ and those used for administration (DBAs), ad-hoc querying, interfaces, and other direct SQL*Net clients.

Oracle has certified only RC4 (40- or 128-bit keys) rather than DES, 3DES, or AES.  RC4 is the best performing ASO encryption algorithm.  Implementations that must comply with FIPS 140 are out of luck, as RC4 is not a FIPS-approved algorithm.  Of the two certified key lengths, only RC4_128 should be used: a 40-bit key can be recovered by brute force and provides no meaningful protection.

Performance should be tested before enabling encryption in a production environment.  Forms SQL*Net traffic is "chatty" (many small packets), and RC4's performance advantage is largest for large packets, so the per-packet overhead can raise CPU utilization on both the database server and the application servers.

The biggest challenge to implementing encryption is the prerequisite of 11.5.10 with 11i.ATG_PF.H RUP3, which is also the minimum level for applying Critical Patch Updates.  Also, the AutoConfig templates do not appear to support the SQLNET.ORA changes for the 8.0.6.3 ORACLE_HOME, so AutoConfig will overwrite those changes and they will have to be reapplied after each AutoConfig run.

Organizations with stringent security requirements would benefit from a limited deployment: encrypt all direct SQL*Net traffic that originates outside the data center, including from application servers deployed in the DMZ, and leave the application server to database traffic inside the data center in the clear.  This configuration encrypts the traffic most at risk and avoids the performance cost of encrypting all application server traffic.  ASO supports it through its negotiation parameters: set SQLNET.ENCRYPTION_SERVER to ACCEPTED on the database, so the server agrees to encryption without demanding it, and set SQLNET.ENCRYPTION_CLIENT to REQUIRED (or REQUESTED) on the clients that must be encrypted.  Connections from clients left at the default (ACCEPTED) remain unencrypted.  The caveat is that enforcement then lives in each client's SQLNET.ORA; the database cannot refuse an unencrypted connection from a DMZ host unless SQLNET.ENCRYPTION_SERVER is set to REQUIRED, which forces encryption for every connection.  The encrypted sessions should therefore be verified periodically on the database (V$SESSION_CONNECT_INFO shows which sessions negotiated encryption).
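The two practical problems above (the SQLNET.ORA edits being overwritten by AutoConfig, and the server ACCEPTED / client REQUIRED split for a limited deployment) can be handled with a small script kept outside the AutoConfig templates.  The following is an added example and is not from the original post, from Oracle, or from Integrigy; the file paths in the usage comments are assumptions, the parameter names are the documented Oracle Net encryption parameters, and the verification query relies on the "encryption service adapter" banner that ASO adds to V$SESSION_CONNECT_INFO only for encrypted sessions.  It covers encryption only, as the post does; the matching SQLNET.CRYPTO_CHECKSUM_* integrity parameters are not shown.

```shell
#!/bin/sh
# Added example (not from the original post, Oracle, or Integrigy): keeps the
# ASO/ANO encryption settings in a sqlnet.ora that AutoConfig regenerates, and
# prints the check for sessions that did not negotiate encryption.
#
# Policy demonstrated (the "limited deployment" discussed above):
#   database server : SQLNET.ENCRYPTION_SERVER = ACCEPTED -> agrees to encrypt,
#                     never demands it, so in-data-center app-server traffic
#                     (clients at the default ACCEPTED) stays in the clear
#   DMZ / DBA hosts : SQLNET.ENCRYPTION_CLIENT = REQUIRED -> the session is
#                     encrypted or the connection fails
# Assumptions: the file paths in the usage comments at the bottom.

# apply_aso_settings FILE ROLE POLICY ALGORITHM
#   ROLE      SERVER (database sqlnet.ora) or CLIENT (8.0.6.3 home, DBA desktop)
#   POLICY    REJECTED | ACCEPTED | REQUESTED | REQUIRED
#   ALGORITHM RC4_128 (RC4_40 is also certified but far too weak to use)
# Idempotent: earlier copies of the managed lines are removed first, so it can
# be run unconditionally after every AutoConfig run without duplicating them.
apply_aso_settings() {
    file=$1; role=$2; policy=$3; algo=$4
    tmp="$file.aso.$$"
    # keep every line except the ones this function manages (case-insensitive)
    grep -v -i -E \
        "^# --- ${role} encryption settings|^[[:space:]]*SQLNET\.ENCRYPTION(_TYPES)?_${role}[[:space:]]*=" \
        "$file" > "$tmp" 2>/dev/null || :
    cat >> "$tmp" <<EOF
# --- ${role} encryption settings (managed; re-run after AutoConfig) ---
SQLNET.ENCRYPTION_${role} = ${policy}
SQLNET.ENCRYPTION_TYPES_${role} = (${algo})
EOF
    mv "$tmp" "$file"
}

# SQL a DBA runs against the database to list user sessions that are NOT
# encrypted.  ASO adds a V$SESSION_CONNECT_INFO row whose banner contains
# "encryption service adapter" only for sessions that negotiated encryption,
# so a DMZ or DBA machine appearing here has a client whose sqlnet.ora was not
# applied (with the server at ACCEPTED, the client is the only enforcement point).
unencrypted_sessions_sql() {
    cat <<'EOF'
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info ci
                    WHERE ci.sid = s.sid
                      AND ci.network_service_banner LIKE '%encryption service adapter%')
 ORDER BY s.machine, s.username;
EOF
}

# Usage (assumed paths; with no arguments the script only defines the functions):
#   sh aso.sh $ORACLE_HOME/network/admin/sqlnet.ora SERVER ACCEPTED RC4_128   # on the database
#   sh aso.sh $ORACLE_HOME/network/admin/sqlnet.ora CLIENT REQUIRED RC4_128   # on DMZ / DBA hosts
#   unencrypted_sessions_sql | sqlplus -s system@PROD                         # verify
if [ $# -eq 4 ]; then
    apply_aso_settings "$1" "$2" "$3" "$4"
fi
```

Run the SERVER form against the database home and the CLIENT form against every 8.0.6.3 ORACLE_HOME and DBA desktop that sits outside the data center, and add the CLIENT call to whatever post-AutoConfig step already exists so the settings survive each run.  Any session from one of those hosts returned by the verification query is a client that silently fell back to clear text.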

References:

Metalink Note ID 391248.1 "Encrypting EBS 11i Network Traffic using Advanced Security Option / Advanced Networking Option"

September 07, 2006

11i: Oracle Applications Technology (ATG) RUP Release Impact

As I have previously discussed, Oracle is requiring recent ATG rollup patches to be installed as prerequisites for the Critical Patch Updates.  The ATG_PF rollups are generally released every 6 months.  For ATG_PF.H the following rollups have been released --

CU1 = February 2005
CU2 = July 2005
RUP3 = February 2006
RUP4 = August 2006

The rollup patches contain the latest code for AOL, Alerts, Oracle Applications Framework, Oracle Applications Manager, Workflow, XML Gateway, User Management, and CRM Technology Foundation, to name just a few of the modules, and also include recent AutoConfig template files.  These are significant patches and need to be thoroughly regression tested.

RUP3 is the minimum requirement for the October 2006 Critical Patch Update.  Starting with the July 2007 CPU, you must be running at least RUP n-1 (where n is the current RUP).  The January 2007 and April 2007 CPUs will most likely require at least RUP3.

Based on the timing, this means that to apply future CPU patches you will have to have tested and applied a major ATG_PF patch within the previous 8 months.  The rollups also require the latest AD patchset (e.g., AD.I.4) to be applied and the database to be at least 9i.  Implementations running Oracle Application Server 10g integration must also apply the latest integration patches.

Many implementations do not apply technology patches on a regular basis, but do require CPUs to be installed within 60 to 180 days.  Security-sensitive organizations have to make sure their internal release and upgrade timelines are in sync with Oracle's RUP releases.  Annual upgrade schedules will probably have to be abandoned in favor of quarterly or semi-annual technology upgrades: at least every 6 months, an ATG RUP, AD minipack, and database upgrade will probably be required going forward.

Our recommendation is still to prioritize and install the latest cumulative database security patch within 30 to 60 days, since it corrects the largest number of vulnerabilities, including the most critical and the easiest to exploit.  Feedback from our clients shows very few problems with the database security patches, and some companies are moving to minimal testing for them.  Oracle Applications patches should be addressed next and should coincide with a quarterly or semi-annual technology upgrade schedule.  Application Server patches are often not as critical as the database and application patches, so they should be prioritized last for non-Internet implementations.

September 05, 2006

11i: October 2006 Critical Patch Update Requirements

Oracle is now pushing all 11.5.10 implementations even harder in terms of mandating minimum patch levels.  The October 2006 Critical Patch Update (CPU) will require at least ATG_PF.H.RUP3, and ATG_PF.H.RUP4 is recommended.  These patches are not included in the base of any 11.5.10 release, including CU2.  11.5.7, 11.5.8, and 11.5.9 customers must be at the minimum baseline in Metalink Note ID 363827.1; the baseline is constantly updated, with the latest update being August 31, 2006.

These are recently released patches (RUP3 = February 2006 and RUP4 = August 2006) and are not minor: each is around 270MB with about 9,000 files.  They also include new functionality, such as support for case-sensitive passwords.  RUP4 requires the latest AD update, AD.I.4.

The mandatory requirements for Critical Patch Updates will be consistent going forward: at least the current or previous ATG RUP will be required in order to install the CPU patches.  This goes along with the requirements for a recent AD minipack (at least AD.I.4) and a recent database patchset (at least 9.2.0.6).  Many organizations are now facing a significant patching and testing challenge just to apply security patches.

References:

Metalink Note ID 363827.1 "Rebaselined Oracle Applications Technology Components for Releases 11.5.7, 11.5.8, 11.5.9, and 11.5.10"
11i.ATG_PF.H RUP3 = Patch 4334965 = Metalink Note ID 337274.1
11i.ATG_PF.H.RUP4 = Patch 4676589 = Metalink Note ID 365228.1