Good Afternoon Gentlemen,

I really need clarification on setting up SSL encryption for data packet encryption as it driving me a bit crazy. I want to setup SSL encryption to make sure that data packets that is set to and from the client and oracle database is encrypted. It sounds easy, but it has been one of the most frustrating Oracle RDBMS function of my career. Data Guard for instance is 5x easier to setup because I feel that Oracle did a great job with that documentation.

I keep seeing that Oracle calls SSL encryption of data packets "SSL Authentication" for some reason which is confusing. It is my understanding that it is optional for "SSL Authentication" when setting up SSL encryption of data packets. In other words, encryption of data packets to me has little do to with "SSL authentication." They should be two independent processes, at least, based on what I have read. In fact, in 11g, Oracle support told us to set SSL_CLIENT_AUTHENTICATION within the sqlnet.ora to false because of a bug, but it still ended up encrypting the data packets usingTCPS!

Oracle documentation is also illogical. Oracle documentation on "SSL Encryption" in the Oracle 19c doc section ISN'T under: "Part IV Securing Data on the Network." Instead they include it within section "Part V Managing Strong Authentication under 21 Configuring Secure Sockets Layer Authentication!" If I am instructed to setup SSL encryption to "secure data on the network," I would instantaneously go to "Part IV Securing Data on the Network." Again, it is my understanding that I am able to go through the whole setup of SSL encryption to encrypt data over the network and set SSL_CLIENT_AUTHENTICATION=FALSE which would turn off SSL authenticated by database with SSL certificates so it is confusing to see the steps within "secure socket layer AUTHENTICATION."

By completing the steps below, I was able to get the client to establish an SSL / TCPS connection to the database server:
Create wallets
Generate certificate request
Have it signed by CA (BTW: this wasn't easy and Oracle doesn't provide a process document on how this is accomplished.)
Import CA signed certificates
Export certificate from Oracle Server wallet and import into the Client's wallet
Configure sqlnet.ora and listener.ora with Wallet_Location and SSL_VERSION=1.2
Configure the listener.ora listener protocol to use tcpS
Set SSL_CLIENT_AUTHENTICATION=FALSE in both sqlnet.ora and listener.ora
BTW: I've confirmed that an SSL secure connection was established through by looking at both the listener.log and through SQL*Plus:

1.) Output from listener log:
10-JUN-2021 11:52:21 * (CONNECT_DATA=(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=svc_x))(SERVICE_NAME=oracle)) * (ADDRESS=(PROTOCOL=tcps)(HOST=x.x.x.x)(PORT=550)) * establish * oracle * 0

2.) SQL Plus
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.11.0.0.0
SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
---------------------------------------------------------------------
tcps

Here are my questions:
1.) Can I confirm that SSL encryption of data packets are occurring through the two methods I used to verify above?

2.) If we set SSL_CLIENT_AUTHENTICATION=FALSE in the sqlnet.ora and followed all of the other SSL authentication steps, does
a.) SSL encryption of data packets still occur?
b.) Will the user still be authenticated by the database? If yes, please confirm that the password will still be encrypted since the password is always encrypted by default even when SSL encryption isn't setup.

3.) Why does Oracle call it SSL Authentication even though SSL Authentication isn't necessary to setup SSL Encryption?

4.) Oracle doesn't even have a document called "Setup of SSL Encryption" within "Part IV Securing Data on the Network" it only includes steps to use Native Encryption which is less secure than SSL encryption. Isn't it odd that it isn't part of "Part IV Securing Data on the Network?"

5.) What is the benefit of having the database authenticate with SSL certificate? If it is a significant benefit, why not just make it part of the SSL setup instead making us set SSL_CLIENT_AUTHENTICATION=FALSE in the listener.ora and SSL_CLIENT_AUTHENTICATION=TRUE in the sqlnet.ora?

6.) Oracle metalink provides this document "Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)." I followed it, but got to the last section which is confusing. It has instructions to create users as externally as 'DN of client certificate'. Do I really need to recreate database accounts like steps in Task III below so that SSL authentication is used? If yes, does this mean that database passwords aren't used with SSL Authentication?

Here are those steps:

Task III: Create Database User

Create a database user which requires to be authenticated over SSL. The externally as clause should include the exact subject DN of the client certificate. By viewing the client wallet with OWM or orapki tool you can get the Subject DN of the client certificate.

SQL> create user <username> identified externally as 'DN of client certificate';

Now, you can login to the database as 'sqlplus /@<alias>' . You are not going to supply any password as this user is authenticated by the client certificate which is already imported in to the client wallet.

>sqlplus /@<tns_alias>

Thank you for your help with this confusing subject.

John