Questions about TOAD sans Client

TOAD 16.0 does not require an Oracle Client to connect to a database. I have not yet installed that version, but I have a few questions about the 'sans client' thing:

  1. I am given to understand that a TNS Names file can still be used. Where does TOAD look for that by default?
  2. What about sqlnet.ora and such things as encryption--either ANO or SSL?
  3. In a previous thread, it was stated that LDAP would still require the Oracle Client. What other features of the client make having it necessary?

Cheers,
Russ

Hi Russ,

  1. In the folder specified by TNS_ADMIN, or in the same folder as Toad.exe. When making a connection, Toad will parse the TNSNames.ora file, pull out the "Description=...." text for whatever alias you give it, and use that to connect.
  2. Client-side SQLNet.ora and LDAP.ora are not used. (Edit: LDAP can be used in no-client mode starting in Toad version 16.2.) Toad 16.3 and older won't make a TCPS connection in clientless mode. Toad will, however, use Oracle's native encryption and Data Integrity features (described here in Oracle docs). These are configured in the server-side SQLNet.ora. My server-side sqlnet.ora is like the below.

Note: Toad 17.0 allows TCPS in clientless mode.

# sqlnet.ora Network Configuration File: /opt/oracle/software/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)

SQLNET.ENCRYPTION_CLIENT=REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256)

SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUESTED

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=(SHA256)

  3. Nothing else, unless you want to be able to run in SQL*Plus or use any other utilities that come in the Oracle client.

You can run this SQL in clientless mode to verify if encryption and data integrity are in use.

The blue arrows mean it's turned on server side.
The red arrows mean it's in use for the current session.

-John


Since we use TCPS, we will not be able to use clientless connections. Bummer. But it is better to realize that going in.

Cheers,
Russ

So, without a sqlnet.ora file on the client side, how does TOAD configure the encryption settings? 'REQUESTED' for encryption and checksum is a good compromise, but what about the cryptosystem and hash algorithm? Does TOAD just use the full list for each, strongest first, and let the server choose?

Cheers,
Russ

Also, what about logging and tracing?

Our 3rd party components that we use to connect to the DB work that out with the server.
I don't know the specifics of the handshake and how they settle on an algorithm, but I know you can set that on the server side (see sqlnet.ora above).
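Added example, not part of the original posts and not Toad or Oracle code: a Python model of the native network encryption negotiation as Oracle's documentation describes it (the REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix, with the server choosing the first algorithm in its own list that the client also offers), run against the server-side values quoted in the thread. The client-side level and algorithm lists are assumptions, since the thread does not say what Toad's clientless driver offers, and the function names are hypothetical.

```python
import re

# Constructed sample: the server-side values quoted in the thread.
SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA256)
"""

def parse_sqlnet(text):
    """Parse single-line NAME=value or NAME=(a, b) entries into {NAME: [values]}."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([\w.]+)\s*=\s*\(?([^()]*)\)?\s*$", line.split("#", 1)[0].strip())
        if m:
            params[m.group(1).upper()] = [v.strip().upper() for v in m.group(2).split(",") if v.strip()]
    return params

def negotiate(server_level, server_types, client_level, client_types):
    """Return (state, algorithm) for one service (encryption or checksum)."""
    levels = {server_level, client_level}
    if levels == {"REQUIRED", "REJECTED"}:
        return ("FAIL", None)                 # incompatible settings (ORA-12660)
    if "REJECTED" in levels or levels == {"ACCEPTED"}:
        return ("OFF", None)                  # session proceeds without the service
    for alg in server_types:                  # the server's list order decides
        if alg in client_types:
            return ("ON", alg)
    # No common algorithm: fatal only if either side insists (ORA-12650).
    return ("FAIL" if "REQUIRED" in levels else "OFF", None)

def session(server, client_level, client_enc, client_sum):
    """Negotiate both services against a parsed server-side sqlnet.ora."""
    return {
        "encryption": negotiate(server["SQLNET.ENCRYPTION_SERVER"][0],
                                server["SQLNET.ENCRYPTION_TYPES_SERVER"], client_level, client_enc),
        "checksum": negotiate(server["SQLNET.CRYPTO_CHECKSUM_SERVER"][0],
                              server["SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"], client_level, client_sum),
    }

if __name__ == "__main__":
    server = parse_sqlnet(SERVER_SQLNET)
    # Assumed client offers; the thread does not say what Toad's driver sends.
    print(session(server, "REQUESTED", ["AES256", "AES192", "AES128"], ["SHA256", "SHA1"]))
    print(session(server, "REJECTED", [], []))   # REQUIRED on the server refuses this client
```

With REQUIRED on the server, a client that cannot be configured locally either negotiates AES256 and SHA256 or fails to connect; with REQUESTED on the server, the same rejecting client would connect unencrypted.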

Re: logging and tracing - if you mean on server side, that should still happen. Client side, we don't duplicate this Oracle client functionality.

It is pretty clear, then, that going without a client reduces the connection service to just the basics.

Logging on the client is not so important, but tracing can be immensely so. Server- and client-side tracing are not identical and do not produce the same data. Each can only trace what it sees, and they do not see all the same things.

Well, Encryption and Data Integrity are more than the basics, I think.

We do have spool sql as some form of logging/tracing, but I know it's not the same as what the Oracle client does.

I'll double-check to see if there is anything that I'm missing.

The whole point about tracing is not so much to see the contents of the data stream, which is encrypted anyway, but the many diagnostic messages that are recorded about the connection itself.

I see. I looked, there is no tracing feature that I can enable with no-client mode.

I know it won't work for everyone, but it sure is handy for those it does work for.

Agreed. And we do have one fully virtualized environment where it will be useful.
