ENCRYPT_CIPHERS configuration parameter
Use the ENCRYPT_CIPHERS configuration parameter to define all ciphers and modes that can be used by the current database session. ENCRYPT_CIPHERS is used for Enterprise Replication and High-Availability Data Replication only.
- onconfig.std value: Not set. Encryption ciphers are not used.
- values: See the Usage section.
- takes effect: After you edit your onconfig file and restart the database server.
Usage
The encryption cipher and mode that are used are chosen at random from the ciphers that the two servers have in common. If a specific cipher is discovered to have a weakness, you should reset the ENCRYPT_CIPHERS configuration parameter value to eliminate that cipher by using the allbut option.
Syntax for the ENCRYPT_CIPHERS configuration parameter

    >>-ENCRYPT_CIPHERS--+-all-----------------------------+--------><
                        |               .-,----------.    |
                        |               V            |    |
                        +-allbut--:--<----+-cipher-+-+-->-+
                        |                 '-mode---'      |
                        | .-,---------------.             |
                        | V                 |             |
                        '---cipher--:--mode-+-------------'

Field | Description |
---|---|
all | Include all available ciphers and modes, except ECB mode, which is considered weak. For example: ENCRYPT_CIPHERS all |
allbut | Include all ciphers and modes, except ECB and the ciphers and modes listed. For example: ENCRYPT_CIPHERS allbut:<cbc,bf> The cipher list can include unique, abbreviated entries. For example, bf can represent bf-1, bf-2, and bf-3; however, if the abbreviation is the name of an actual cipher, then only that cipher is eliminated. Therefore, des eliminates only the des cipher, but de eliminates the des, des3, and desx ciphers. |
cipher | The following ciphers are supported: All modes are supported for all ciphers, except the desx cipher. For an updated list of supported ciphers, see the Release Notes. |
mode | The following modes are supported: |
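
The allbut abbreviation rule is easy to misjudge when you retire a weak cipher, so the following added example (not part of the product documentation or the server's own code) resolves an all or allbut value into the ciphers and modes that stay available. It assumes that an abbreviation is a leading substring of the full name; the names CIPHERS, MODES, expand and resolve are hypothetical, and the inventory holds only the names mentioned on this page.

```python
# Constructed inventory: only names this page mentions, not the server's
# full cipher and mode list (see the Release Notes for that).
CIPHERS = ["des", "des3", "desx", "bf-1", "bf-2", "bf-3"]
MODES = ["ecb", "cbc"]


def expand(entry, names):
    """Names removed by one allbut entry: an exact name wins, else prefix."""
    entry = entry.strip().lower()
    if entry in names:
        return {entry}
    # Assumption: an abbreviation is a leading substring of the full name.
    return {n for n in names if n.startswith(entry)}


def resolve(value, ciphers=CIPHERS, modes=MODES):
    """Return (ciphers, modes) left for negotiation by all / allbut:<...>."""
    keyword, _, rest = value.strip().partition(":")
    keyword = keyword.strip().lower()
    if keyword not in ("all", "allbut") or (keyword == "all" and rest):
        raise ValueError("only the all and allbut forms are handled here")
    removed = {"ecb"}  # ECB is excluded by both all and allbut
    if keyword == "allbut":
        entries = [e for e in rest.strip().strip("<>").split(",") if e.strip()]
        if not entries:
            raise ValueError("allbut needs at least one cipher or mode")
        for entry in entries:
            hit = expand(entry, ciphers + modes)
            if not hit:  # reject typos so the intended exclusion is not lost
                raise ValueError(f"{entry!r} matches no known cipher or mode")
            removed |= hit
    return ([c for c in ciphers if c not in removed],
            [m for m in modes if m not in removed])


if __name__ == "__main__":
    for setting in ("all", "allbut:<des>", "allbut:<de>", "allbut:<cbc,bf>"):
        print(f"{setting:18} -> {resolve(setting)}")
```

Running the check against the value you plan to put in the onconfig file on both replication servers shows whether the cipher you meant to retire is really gone, and whether an abbreviation removed more than intended.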