Oracle Database Advanced Security Administrator’s Guide Adv Sec 01 PDF 112 E40393 10
Page Count: 366
- Contents
- List of Figures
- List of Tables
- Preface
- What's New in Oracle Advanced Security?
- Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security
- Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security
- Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security
- Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security
- Part I Getting Started with Oracle Advanced Security
- 1 Introduction to Oracle Advanced Security
- 2 Configuration and Administration Tools Overview
- Part II Oracle Data Redaction
- 4 Oracle Data Redaction Features and Capabilities
- Using Full Data Redaction to Redact All Data
- Using Partial Data Redaction to Redact Sections of Data
- Using Regular Expressions to Redact Patterns of Data
- Using Random Data Redaction to Generate Random Values
- Comparison of Full, Partial, and Random Redaction Based on Data Types
- Using No Redaction for Testing Purposes
- 5 Configuring Oracle Data Redaction Policies
- About Oracle Data Redaction Policies
- Who Can Create Oracle Data Redaction Policies?
- Planning the Creation of an Oracle Data Redaction Policy
- General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
- Using Expressions to Define Conditions for Data Redaction Policies
- Creating a Full Redaction Policy and Altering the Default Full Redaction Value
- Creating a Partial Redaction Policy
- About Creating Partial Redaction Policies
- Syntax for Creating a Partial Redaction Policy
- Creating Partial Redaction Policies Using Fixed Character Shortcuts
- Creating Partial Redaction Policies Using Character Data Types
- Creating Partial Redaction Policies Using Number Data Types
- Creating Partial Redaction Policies Using Date-Time Data Types
- Creating a Regular Expression-Based Redaction Policy
- Creating a Random Redaction Policy
- Creating a Policy That Uses No Redaction
- Exempting Users from Oracle Data Redaction Policies
- Altering an Oracle Data Redaction Policy
- Redacting Multiple Columns
- Disabling and Enabling an Oracle Data Redaction Policy
- Dropping an Oracle Data Redaction Policy
- Example: How Oracle Data Redaction Affects Tables and Views
- Example: Using SQL Expressions to Build Reports with Redacted Values
- Finding Information About Oracle Data Redaction Policies
- 6 Oracle Data Redaction Use with Oracle Database Features
- Oracle Data Redaction and DML and DDL Operations
- Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause
- Oracle Data Redaction and Aggregate Functions
- Oracle Data Redaction and Object Types
- Oracle Data Redaction and Editions
- Oracle Data Redaction and Oracle Virtual Private Database
- Oracle Data Redaction and Oracle Database Vault
- Oracle Data Redaction and the EXPDP Utility access_method Parameter
- Oracle Data Redaction and Data Masking and Subsetting Pack
- 7 Security Guidelines for Oracle Data Redaction
- General Usage Guidelines
- Restricting Administrative Access to Oracle Data Redaction Policies
- How Oracle Data Redaction Affects the SYS, SYSTEM and Default Schemas
- Writing Policy Expressions That Depend on SYS_CONTEXT Attributes
- Creating Policies on Materialized Views
- Dropping Policies When the Recycle Bin Is Enabled
- Part III Data Encryption and Integrity
- 8 Securing Stored Data Using Transparent Data Encryption
- About Transparent Data Encryption
- Using Transparent Data Encryption
- Enabling Transparent Data Encryption
- Setting and Resetting the Master Encryption Key
- Opening and Closing the Encrypted Wallet
- Encrypting Columns in Tables
- Creating Tables with Encrypted Columns
- Encrypting Columns in Existing Tables
- Creating an Index on an Encrypted Column
- Adding or Removing Salt from an Encrypted Column
- Changing the Encryption Key or Algorithm for Tables with Encrypted Columns
- Data Types That Can Be Encrypted with TDE Column Encryption
- Restrictions on Using TDE Column Encryption
- Encrypting Entire Tablespaces
- Using Hardware Security Modules with TDE
- Using Transparent Data Encryption with Oracle RAC
- Managing Transparent Data Encryption
- Oracle Wallet Management
- Backup and Recovery of Master Encryption Keys
- Export and Import of Tables with Encrypted Columns
- Performance and Storage Overheads
- Security Considerations
- Using Transparent Data Encryption in a Multi-Database Environment
- Replication in Distributed Environments
- Compression and Data Deduplication of Encrypted Data
- Transparent Data Encryption with OCI
- Transparent Data Encryption in a Multi-Database Environment
- Transparent Data Encryption Data Dictionary Views
- Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption
- Troubleshooting Transparent Data Encryption
- Transparent Data Encryption Reference Information
- 9 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
- 10 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients
- Part IV Oracle Advanced Security Strong Authentication
- 11 Configuring RADIUS Authentication
- About RADIUS
- RADIUS Authentication Modes
- Enabling RADIUS Authentication, Authorization, and Accounting
- Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client
- Step 2: Configure RADIUS Authentication
- Step 3: Create a User and Grant Access
- Step 4: Configure External RADIUS Authorization (optional)
- Step 5: Configure RADIUS Accounting
- Step 6: Add the RADIUS Client Name to the RADIUS Server Database
- Step 7: Configure the Authentication Server for Use with RADIUS
- Step 8: Configure the RADIUS Server for Use with the Authentication Server
- Step 9: Configure Mapping Roles
- Using RADIUS to Log In to a Database
- RSA ACE/Server Configuration Checklist
- 12 Configuring Kerberos Authentication
- Enabling Kerberos Authentication
- Step 1: Install Kerberos
- Step 2: Configure a Service Principal for an Oracle Database Server
- Step 3: Extract a Service Key Table from Kerberos
- Step 4: Install an Oracle Database Server and an Oracle Client
- Step 5: Install Oracle Net Services and Oracle Advanced Security
- Step 6: Configure Oracle Net Services and Oracle Database
- Step 7: Configure Kerberos Authentication
- Step 8: Create a Kerberos User
- Step 9: Create an Externally Authenticated Oracle User
- Step 10: Get an Initial Ticket for the Kerberos/Oracle User
- Utilities for the Kerberos Authentication Adapter
- Configuring Interoperability with a Windows 2000 Domain Controller KDC
- Configuring Kerberos Authentication Fallback Behavior
- Troubleshooting the Oracle Kerberos Authentication Configuration
- 13 Configuring Secure Sockets Layer Authentication
- Secure Sockets Layer and Transport Layer Security
- Public Key Infrastructure in an Oracle Environment
- Secure Sockets Layer Combined with Other Authentication Methods
- Secure Sockets Layer and Firewalls
- Secure Sockets Layer Usage Issues
- Enabling Secure Sockets Layer
- Step 1: Install Oracle Advanced Security and Related Products
- Step 2: Configure Secure Sockets Layer on the Server
- Step 2A: Confirm Wallet Creation on the Server
- Step 2B: Specify the Database Wallet Location on the Server
- Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)
- Step 2D: Set the Required SSL Version on the Server (Optional)
- Step 2E: Set SSL Client Authentication on the Server (Optional)
- Step 2F: Set SSL as an Authentication Service on the Server (Optional)
- Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server
- Step 3: Configure Secure Sockets Layer on the Client
- Step 3A: Confirm Client Wallet Creation
- Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client
- Step 3C: Specify Required Client SSL Configuration (Wallet Location)
- Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)
- Step 3E: Set the Required SSL Version on the Client (Optional)
- Step 3F: Set SSL as an Authentication Service on the Client (Optional)
- Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)
- Step 4: Log on to the Database Instance
- Troubleshooting Secure Sockets Layer
- Certificate Validation with Certificate Revocation Lists
- About Certificate Validation with Certificate Revocation Lists
- What CRLs Should You Use?
- How CRL Checking Works
- Configuring Certificate Validation with Certificate Revocation Lists
- Certificate Revocation List Management
- About Certificate Revocation Management
- Displaying orapki Help for Commands That Manage CRLs
- Renaming CRLs with a Hash Value for Certificate Validation
- Uploading CRLs to Oracle Internet Directory
- Listing CRLs Stored in Oracle Internet Directory
- Viewing CRLs in Oracle Internet Directory
- Deleting CRLs from Oracle Internet Directory
- Troubleshooting Certificate Validation
- Configuring Your System to Use Hardware Security Modules
- About Configuring Your System to Use Hardware Security Modules
- Guidelines for Using Hardware Security Modules with Oracle Advanced Security
- Configuring Your System to Use nCipher Hardware Security Modules
- Configuring Your System to Use SafeNET Hardware Security Modules
- Troubleshooting Using Hardware Security Modules
- Configuring SSL in an Oracle Real Application Clusters Environment
- Step 1: Configure the TCPS Protocol Endpoints
- Step 2: Update the Local Listener Parameter on Each Oracle RAC Node
- Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients
- Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet
- Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files
- Step 6: Restart the Database Instances and Listeners
- Step 7: Test the Configuration from a Cluster Node
- Step 8: Test the Configuration from a Remote Client
- 14 Using Oracle Wallet Manager
- Oracle Wallet Manager Overview
- Starting Oracle Wallet Manager
- How to Create a Complete Wallet: Process Overview
- Managing Wallets
- Required Guidelines for Creating Wallet Passwords
- Creating a New Wallet
- Opening an Existing Wallet
- Closing a Wallet
- Exporting Oracle Wallets to Third-Party Environments
- Exporting Oracle Wallets to Tools that Do Not Support PKCS #12
- Uploading a Wallet to an LDAP Directory
- Downloading a Wallet from an LDAP Directory
- Saving Changes
- Saving the Open Wallet to a New Location
- Saving in System Default
- Deleting the Wallet
- Changing the Password
- Using Auto Login
- Managing Certificates
- Managing User Certificates
- Managing Trusted Certificates
- 15 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security
- Part V Appendixes
- A Data Encryption and Integrity Parameters
- Sample sqlnet.ora File
- Data Encryption and Integrity Parameters
- SQLNET.ENCRYPTION_SERVER Parameter
- SQLNET.ENCRYPTION_CLIENT Parameter
- SQLNET.SSL_EXTENDED_KEY_USAGE Parameter
- SQLNET.CRYPTO_CHECKSUM_SERVER Parameter
- SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter
- SQLNET.ENCRYPTION_TYPES_SERVER Parameter
- SQLNET.ENCRYPTION_TYPES_CLIENT Parameter
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter
- SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter
- B Authentication Parameters
- Parameters for Clients and Servers using Kerberos Authentication
- Parameters for Clients and Servers using RADIUS Authentication
- sqlnet.ora File Parameters
- SQLNET.AUTHENTICATION_SERVICES Parameter
- SQLNET.RADIUS_AUTHENTICATION Parameter
- SQLNET.RADIUS_AUTHENTICATION_PORT Parameter
- SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter
- SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter
- SQLNET.RADIUS_SEND_ACCOUNTING Parameter
- SQLNET.RADIUS_SECRET Parameter
- SQLNET.RADIUS_ALTERNATE Parameter
- SQLNET.RADIUS_ALTERNATE_PORT Parameter
- SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter
- SQLNET.RADIUS_ALTERNATE_RETRIES Parameter
- SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter
- SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter
- SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter
- SQLNET.RADIUS_CLASSPATH Parameter
- Minimum RADIUS Parameters
- Initialization File Parameters
- Parameters for Clients and Servers Using Secure Sockets Layer
- C Integrating Authentication Devices Using RADIUS
- D Oracle Advanced Security FIPS 140 Settings
- E orapki Utility
- orapki Utility Overview
- Creating Signed Certificates for Testing Purposes
- Managing Oracle Wallets with orapki Utility
- Managing Certificate Revocation Lists (CRLs) with orapki Utility
- orapki Usage Examples
- orapki Utility Commands Summary
- F Entrust-Enabled Secure Sockets Layer Authentication
- Benefits of Entrust-Enabled Oracle Advanced Security
- Required System Components for Entrust-Enabled Oracle Advanced Security
- Entrust Authentication Process
- Enabling Entrust Authentication
- Creating Entrust Profiles
- Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL
- Configuring SSL on the Client and Server for Entrust-Enabled SSL
- Configuring Entrust on the Client
- Configuring Entrust on the Server
- Creating Entrust-Enabled Database Users
- Logging Into the Database Using Entrust-Enabled SSL
- Issues and Restrictions that Apply to Entrust-Enabled SSL
- Troubleshooting Entrust In Oracle Advanced Security
- Glossary
- Index