Oracle Database Advanced Security Administrator's Guide, 11g Release 2 (11.2), E40393-10 (PDF, 366 pages)

Oracle® Database
Advanced Security Administrator’s Guide
11g Release 2 (11.2)
E40393-10
March 2016
Copyright © 1996, 2016, Oracle and/or its affiliates. All rights reserved.
Primary Author: Sumit Jeloka
Contributors: Min-Hank Ho, Peter Knaggs, Adam Lee, Dah-Yoh Lim, Rahil Mir, Gopal Mulagund, Paul Needham, Vikram Pesati, Paul Youn, Peter Wahl
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users
are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and
agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and
adaptation of the programs, including any operating system, integrated software, any programs installed on
the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to
the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications, including
applications that may create a risk of personal injury. If you use this software or hardware in dangerous
applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other
measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages
caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD,
Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced
Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle
Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your
access to or use of third-party content, products, or services.
Contents
Preface  xxi
  Audience  xxi
  Documentation Accessibility  xxi
  Related Documentation  xxii
  Conventions  xxiii
What's New in Oracle Advanced Security?  xxv
  Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced Security  xxv
  Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced Security  xxvi
  Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security  xxvii
  Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security  xxviii
Part I Getting Started with Oracle Advanced Security
1 Introduction to Oracle Advanced Security
Security Challenges in an Enterprise Environment  1-1
  Security in Enterprise Grid Computing Environments  1-1
  Security in an Intranet or Internet Environment  1-2
  Common Security Threats  1-2
    Eavesdropping and Data Theft  1-2
    Data Tampering  1-2
    Falsifying User Identities  1-3
    Password-Related Threats  1-3
Solving Security Challenges with Oracle Advanced Security  1-3
  Data Encryption  1-3
    Supported Encryption Algorithms  1-4
    Data Integrity  1-5
    Federal Information Processing Standard  1-5
  Strong Authentication  1-5
    Centralized Authentication and Single Sign-On  1-6
    Supported Authentication Methods  1-8
Oracle Advanced Security Architecture  1-9
System Requirements  1-10
Oracle Advanced Security Restrictions  1-11
2 Configuration and Administration Tools Overview
Network Encryption and Strong Authentication Configuration Tools  2-1
  Oracle Net Manager  2-1
    Starting Oracle Net Manager  2-2
    Navigating to the Oracle Advanced Security Profile  2-2
    Oracle Advanced Security Profile Property Sheets  2-3
  Oracle Advanced Security Kerberos Adapter Command-Line Utilities  2-4
Public Key Infrastructure Credentials Management Tools  2-4
  Oracle Wallet Manager  2-4
    Starting Oracle Wallet Manager  2-5
    Navigating the Oracle Wallet Manager User Interface  2-5
    Toolbar  2-7
    Menus  2-7
  orapki Utility  2-9
Duties of a Security Administrator/DBA  2-9
Part II Oracle Data Redaction
3 Introduction to Oracle Data Redaction
What Is Oracle Data Redaction?  3-1
When to Use Oracle Data Redaction  3-2
Benefits of Using Oracle Data Redaction  3-2
Target Use Cases for Oracle Data Redaction  3-2
  Using Oracle Data Redaction with Database Applications  3-2
  Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries  3-3
4 Oracle Data Redaction Features and Capabilities
Using Full Data Redaction to Redact All Data  4-1
Using Partial Data Redaction to Redact Sections of Data  4-2
Using Regular Expressions to Redact Patterns of Data  4-3
Using Random Data Redaction to Generate Random Values  4-4
Comparison of Full, Partial, and Random Redaction Based on Data Types  4-4
  Redaction Capabilities for Oracle Built-in Data Types  4-5
  Redaction Capabilities for the ANSI Data Types  4-5
  Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types  4-6
Using No Redaction for Testing Purposes  4-6
5 Configuring Oracle Data Redaction Policies
About Oracle Data Redaction Policies  5-1
Who Can Create Oracle Data Redaction Policies?  5-2
Planning the Creation of an Oracle Data Redaction Policy  5-2
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure  5-3
Using Expressions to Define Conditions for Data Redaction Policies  5-5
  About Using Expressions in Data Redaction Policies  5-5
  Applying the Redaction Policy Based on User Environment  5-6
  Applying the Redaction Policy Based on Database Role  5-6
  Applying the Redaction Policy Based on Oracle Application Express Session States  5-6
  Applying the Redaction Policy with No Filtering  5-7
Creating a Full Redaction Policy and Altering the Default Full Redaction Value  5-7
  Creating a Full Redaction Policy  5-7
    About Creating Full Data Redaction Policies  5-7
    Syntax for Creating a Full Redaction Policy  5-8
    Examples of Full Data Redaction Policies  5-8
  Altering the Default Full Data Redaction Value  5-9
    About Altering the Default Full Data Redaction Value  5-9
    Altering the Default Full Data Redaction Value for Non-LOB Data Type Columns  5-10
    Altering the Default Full Data Redaction Value for LOB Data Type Columns  5-11
Creating a Partial Redaction Policy  5-12
  About Creating Partial Redaction Policies  5-12
  Syntax for Creating a Partial Redaction Policy  5-12
  Creating Partial Redaction Policies Using Fixed Character Shortcuts  5-13
    Settings for Fixed Character Shortcuts  5-13
    Example of a Partial Redaction Policy Using a Fixed Character Shortcut  5-14
  Creating Partial Redaction Policies Using Character Data Types  5-15
    Settings for Character Data Types  5-15
    Example of a Partial Redaction Policy Using a Character Data Type  5-16
  Creating Partial Redaction Policies Using Number Data Types  5-16
    Settings for Number Data Types  5-16
    Example of a Partial Redaction Policy Using a Number Data Type  5-17
  Creating Partial Redaction Policies Using Date-Time Data Types  5-17
    Settings for Date-Time Data Types  5-17
    Example of a Partial Redaction Policy Using a Date-Time Data Type  5-18
Creating a Regular Expression-Based Redaction Policy  5-18
  About Creating Regular Expression-Based Redaction Policies  5-19
  Syntax for Creating a Regular Expression-Based Redaction Policy  5-19
  Creating Regular Expression-Based Redaction Policies Using Shortcuts  5-20
    Regular Expression Shortcuts  5-20
    Example of a Regular Expression Redaction Policy Using Shortcuts  5-22
  Creating Custom Regular Expression Redaction Policies  5-23
    Settings for Custom Regular Expressions  5-23
    Example of a Custom Regular Expression Redaction Policy  5-24
Creating a Random Redaction Policy  5-24
  About Creating Random Redaction Policies  5-24
  Syntax for Creating a Random Redaction Policy  5-24
  Example of a Random Redaction Policy  5-25
Creating a Policy That Uses No Redaction  5-25
  About Creating Policies That Use No Redaction  5-25
  Syntax for Creating a Policy with No Redaction  5-26
  Example of Performing No Redaction  5-26
Exempting Users from Oracle Data Redaction Policies  5-26
Altering an Oracle Data Redaction Policy  5-27
  About Altering an Oracle Data Redaction Policy  5-27
  Syntax for the DBMS_REDACT.ALTER_POLICY Procedure  5-28
  Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions  5-28
  Example of Altering an Oracle Data Redaction Policy  5-29
Redacting Multiple Columns  5-30
Disabling and Enabling an Oracle Data Redaction Policy  5-31
  Disabling an Oracle Data Redaction Policy  5-31
  Enabling an Oracle Data Redaction Policy  5-32
Dropping an Oracle Data Redaction Policy  5-32
Example: How Oracle Data Redaction Affects Tables and Views  5-33
Example: Using SQL Expressions to Build Reports with Redacted Values  5-36
Finding Information About Oracle Data Redaction Policies  5-37
6 Oracle Data Redaction Use with Oracle Database Features
Oracle Data Redaction and DML and DDL Operations  6-1
Oracle Data Redaction and Nested Functions, Inline Views, and the WHERE Clause  6-2
Oracle Data Redaction and Aggregate Functions  6-2
Oracle Data Redaction and Object Types  6-2
Oracle Data Redaction and Editions  6-2
Oracle Data Redaction and Oracle Virtual Private Database  6-2
Oracle Data Redaction and Oracle Database Vault  6-3
Oracle Data Redaction and the EXPDP Utility access_method Parameter  6-3
Oracle Data Redaction and Data Masking and Subsetting Pack  6-3
7 Security Guidelines for Oracle Data Redaction
General Usage Guidelines  7-1
Restricting Administrative Access to Oracle Data Redaction Policies  7-2
How Oracle Data Redaction Affects the SYS, SYSTEM and Default Schemas  7-2
Writing Policy Expressions That Depend on SYS_CONTEXT Attributes  7-2
Creating Policies on Materialized Views  7-3
Dropping Policies When the Recycle Bin Is Enabled  7-3
Part III Data Encryption and Integrity
8 Securing Stored Data Using Transparent Data Encryption
About Transparent Data Encryption  8-1
  Benefits of Using Transparent Data Encryption  8-1
  Types of Transparent Data Encryption  8-2
    TDE Column Encryption  8-2
    TDE Tablespace Encryption  8-3
Using Transparent Data Encryption  8-5
  Enabling Transparent Data Encryption  8-5
    Specifying a Wallet Location for Transparent Data Encryption  8-5
    Using Wallets with Automatic Login Enabled  8-5
  Setting and Resetting the Master Encryption Key  8-6
    Setting the Master Encryption Key  8-6
    Resetting the Master Encryption Key  8-7
  Opening and Closing the Encrypted Wallet  8-7
  Encrypting Columns in Tables  8-8
    Creating Tables with Encrypted Columns  8-9
    Encrypting Columns in Existing Tables  8-12
    Creating an Index on an Encrypted Column  8-13
    Adding or Removing Salt from an Encrypted Column  8-13
    Changing the Encryption Key or Algorithm for Tables with Encrypted Columns  8-14
    Data Types That Can Be Encrypted with TDE Column Encryption  8-14
    Restrictions on Using TDE Column Encryption  8-15
  Encrypting Entire Tablespaces  8-15
    Setting the Tablespace Master Encryption Key  8-16
    Opening the Oracle Wallet  8-16
    Creating an Encrypted Tablespace  8-17
    Restrictions on Using TDE Tablespace Encryption  8-19
  Using Hardware Security Modules with TDE  8-19
    Set the ENCRYPTION_WALLET_LOCATION Parameter in the sqlnet.ora File  8-19
    Copy the PKCS#11 Library to Its Correct Path  8-20
    Set Up the HSM  8-20
    Generate a Master Encryption Key for HSM-Based Encryption  8-21
    Reconfigure the Software Wallet (Optional)  8-21
    Ensure that the HSM Is Accessible  8-22
    Encrypt and Decrypt Data  8-23
  Using Transparent Data Encryption with Oracle RAC  8-23
    Using a Non-Shared File System to Store the Wallet  8-23
Managing Transparent Data Encryption  8-23
  Oracle Wallet Management  8-24
    Specifying a Separate Wallet for Transparent Data Encryption  8-24
    Using an Auto Login Wallet  8-24
    Creating Wallets  8-25
  Backup and Recovery of Master Encryption Keys  8-25
    Backup and Recovery of Oracle Wallet  8-25
    Backup and Recovery of PKI Key Pair  8-26
  Export and Import of Tables with Encrypted Columns  8-26
  Performance and Storage Overheads  8-28
    Performance Overheads  8-28
    Storage Overheads  8-29
  Security Considerations  8-29
  Using Transparent Data Encryption in a Multi-Database Environment  8-30
  Replication in Distributed Environments  8-30
  Compression and Data Deduplication of Encrypted Data  8-31
  Transparent Data Encryption with OCI  8-31
  Transparent Data Encryption in a Multi-Database Environment  8-31
  Transparent Data Encryption Data Dictionary Views  8-32
Example: Getting Started with TDE Column Encryption and TDE Tablespace Encryption  8-34
  Prepare the Database for Transparent Data Encryption  8-35
    Specify an Oracle Wallet Location in the sqlnet.ora File  8-35
    Create the Master Encryption Key  8-35
    Open the Oracle Wallet  8-35
  Create a Table with an Encrypted Column  8-36
  Create an Index on an Encrypted Column  8-36
  Alter a Table to Encrypt an Existing Column  8-37
  Create an Encrypted Tablespace  8-37
  Create a Table in an Encrypted Tablespace  8-37
Troubleshooting Transparent Data Encryption  8-38
Transparent Data Encryption Reference Information  8-42
  Supported Encryption and Integrity Algorithms  8-43
  Quick Reference: Transparent Data Encryption SQL Commands  8-43
9 Configuring Network Data Encryption and Integrity for Oracle Servers and Clients
Oracle Advanced Security Encryption  9-1
  Advanced Encryption Standard  9-1
  Triple-DES Support  9-2
Oracle Advanced Security Data Integrity  9-2
  Data Integrity Algorithms Supported  9-2
Diffie-Hellman Based Key Negotiation  9-2
  Authentication Key Fold-in  9-3
How To Configure Data Encryption and Integrity  9-3
  About Activating Encryption and Integrity  9-3
  About Negotiating Encryption and Integrity  9-4
    REJECTED  9-4
    ACCEPTED  9-4
    REQUESTED  9-5
    REQUIRED  9-5
  Configuring Encryption and Integrity Parameters Using Oracle Net Manager  9-6
    Configuring Encryption on the Client and the Server  9-6
    Configuring Integrity on the Client and the Server  9-7
10 Configuring Network Authentication, Encryption, and Integrity for Thin JDBC Clients
About the Java Implementation ......................................................................................................... 10-1
Java Database Connectivity Support............................................................................................ 10-1
Securing Thin JDBC ........................................................................................................................ 10-2
Implementation Overview............................................................................................................. 10-3
Obfuscation ...................................................................................................................................... 10-3
Configuration Parameters.................................................................................................................... 10-3
CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Parameter ................... 10-3
CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Parameter.................... 10-4
CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Parameter....................... 10-4
CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Parameter ....................... 10-5
CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Parameter .. 10-5
AnoServices Constants................................................................................................................... 10-5
Part IV Oracle Advanced Security Strong Authentication
ix
11 Configuring RADIUS Authentication
About RADIUS...................................................................................................................................... 11-1
RADIUS Authentication Modes ........................................................................................................ 11-2
Synchronous Authentication Mode.............................................................................................. 11-3
Challenge-Response (Asynchronous) Authentication Mode ................................................... 11-4
Enabling RADIUS Authentication, Authorization, and Accounting ......................................... 11-7
Step 1: Install RADIUS on the Oracle Database Server and on the Oracle Client ................. 11-7
Step 2: Configure RADIUS Authentication................................................................................. 11-7
Step 2A: Configure RADIUS on the Oracle Client.............................................................. 11-7
Step 2B: Configure RADIUS on the Oracle Database Server............................................. 11-8
Step 2C: Configure Additional RADIUS Features ............................................................ 11-10
Step 3: Create a User and Grant Access ..................................................................................... 11-12
Step 4: Configure External RADIUS Authorization (optional) .............................................. 11-13
Step 4A: Configure the Oracle Server (RADIUS Client) .................................................. 11-13
Step 4B: Configure the Oracle Client Where Users Log In .............................................. 11-13
Step 4C: Configure the RADIUS Server.............................................................................. 11-13
Step 5: Configure RADIUS Accounting..................................................................................... 11-14
Step 5A: Set RADIUS Accounting on the Oracle Database Server................................. 11-14
Step 5B: Configure the RADIUS Accounting Server ........................................................ 11-15
Step 6: Add the RADIUS Client Name to the RADIUS Server Database ............................. 11-15
Step 7: Configure the Authentication Server for Use with RADIUS..................................... 11-15
Step 8: Configure the RADIUS Server for Use with the Authentication Server .................. 11-16
Step 9: Configure Mapping Roles............................................................................................... 11-16
Using RADIUS to Log In to a Database.......................................................................................... 11-17
RSA ACE/Server Configuration Checklist..................................................................................... 11-17
12 Configuring Kerberos Authentication
Enabling Kerberos Authentication ................................................................................................... 12-1
Step 1: Install Kerberos................................................................................................................... 12-1
Step 2: Configure a Service Principal for an Oracle Database Server...................................... 12-2
Step 3: Extract a Service Key Table from Kerberos .................................................................... 12-2
Step 4: Install an Oracle Database Server and an Oracle Client............................................... 12-3
Step 5: Install Oracle Net Services and Oracle Advanced Security ......................................... 12-3
Step 6: Configure Oracle Net Services and Oracle Database.................................................... 12-3
Step 7: Configure Kerberos Authentication ................................................................................ 12-4
Step 7A: Configure Kerberos on the Client and on the Database Server ........................ 12-4
Step 7B: Set the Initialization Parameters............................................................................. 12-5
Step 7C: Set sqlnet.ora Parameters (Optional)..................................................................... 12-6
Step 8: Create a Kerberos User ...................................................................................................... 12-7
Step 9: Create an Externally Authenticated Oracle User........................................................... 12-8
Step 10: Get an Initial Ticket for the Kerberos/Oracle User ..................................................... 12-8
Utilities for the Kerberos Authentication Adapter......................................................................... 12-8
Obtaining the Initial Ticket with the okinit Utility .................................................................... 12-9
Displaying Credentials with the oklist Utility............................................................................ 12-9
Removing Credentials from the Cache File with the okdstry Utility ................................... 12-10
Connecting to an Oracle Database Server Authenticated by Kerberos................................. 12-10
Configuring Interoperability with a Windows 2000 Domain Controller KDC...................... 12-10
Step 1: Configure Oracle Kerberos Client for a Windows 2000 Domain Controller KDC . 12-11
Step 1A: Create the Client Kerberos Configuration Files................................................. 12-11
Step 2A: Specify the Oracle Configuration Parameters in the sqlnet.ora File............... 12-11
Step 3A: Specify the Listening Port Number ..................................................................... 12-12
Step 2: Configure a Windows 2000 Domain Controller KDC for the Oracle Client............ 12-12
Step 2A: Create the User ....................................................................................................... 12-12
Step 2B: Create the Oracle Database Principal .................................................................. 12-12
Step 3: Configure Oracle Database for a Windows 2000 Domain Controller KDC............. 12-13
Step 3A: Set Configuration Parameters in the sqlnet.ora File ......................................... 12-13
Step 3B: Create an Externally Authenticated Oracle User............................................... 12-13
Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User ............................................... 12-13
Configuring Kerberos Authentication Fallback Behavior .......................................................... 12-13
Troubleshooting the Oracle Kerberos Authentication Configuration ..................................... 12-14
13 Configuring Secure Sockets Layer Authentication
Secure Sockets Layer and Transport Layer Security ...................................................................... 13-1
The Difference Between Secure Sockets Layer and Transport Layer Security ...................... 13-1
How Oracle Database Uses Secure Sockets Layer for Authentication.................................... 13-2
How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake............ 13-3
Public Key Infrastructure in an Oracle Environment .................................................................... 13-3
About Public Key Infrastructure in an Oracle Environment.................................................... 13-3
About Public Key Cryptography.................................................................................................. 13-3
Public Key Infrastructure Components in an Oracle Environment ........................................ 13-4
Certificate Authority................................................................................................................ 13-4
Certificates ................................................................................................................................ 13-5
Certificate Revocation Lists.................................................................................................... 13-5
Wallets ....................................................................................................................................... 13-5
Hardware Security Modules .................................................................................................. 13-6
Secure Sockets Layer Combined with Other Authentication Methods ..................................... 13-6
Architecture: Oracle Advanced Security and Secure Sockets Layer ....................................... 13-7
How Secure Sockets Layer Works with Other Authentication Methods ............................... 13-7
Secure Sockets Layer and Firewalls................................................................................................... 13-7
Secure Sockets Layer Usage Issues .................................................................................................... 13-8
Enabling Secure Sockets Layer........................................................................................................... 13-8
Step 1: Install Oracle Advanced Security and Related Products.............................................. 13-9
Step 2: Configure Secure Sockets Layer on the Server............................................................... 13-9
Step 2A: Confirm Wallet Creation on the Server ................................................................ 13-9
Step 2B: Specify the Database Wallet Location on the Server ........................................... 13-9
Step 2C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional) ............ 13-10
Step 2D: Set the Required SSL Version on the Server (Optional) ................................... 13-12
Step 2E: Set SSL Client Authentication on the Server (Optional) ................................... 13-13
Step 2F: Set SSL as an Authentication Service on the Server (Optional) ....................... 13-14
Step 2G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server........ 13-14
Step 3: Configure Secure Sockets Layer on the Client ............................................................. 13-14
Step 3A: Confirm Client Wallet Creation........................................................................... 13-14
Step 3B: Configure the Server DNs and Use TCP/IP with SSL on the Client .............. 13-15
Step 3C: Specify Required Client SSL Configuration (Wallet Location)........................ 13-16
Step 3D: Set the Client Secure Sockets Layer Cipher Suites (Optional)......................... 13-18
Step 3E: Set the Required SSL Version on the Client (Optional)..................................... 13-20
Step 3F: Set SSL as an Authentication Service on the Client (Optional)........................ 13-20
Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)... 13-20
Step 4: Log on to the Database Instance..................................................................................... 13-21
Troubleshooting Secure Sockets Layer........................................................................................... 13-21
Certificate Validation with Certificate Revocation Lists............................................................. 13-24
About Certificate Validation with Certificate Revocation Lists............................................. 13-24
What CRLs Should You Use?...................................................................................................... 13-25
How CRL Checking Works ......................................................................................................... 13-25
Configuring Certificate Validation with Certificate Revocation Lists .................................. 13-26
About Configuring Certificate Validation with Certificate Revocation Lists............... 13-26
Enabling Certificate Revocation Status Checking for the Client or Server ................... 13-26
Disabling Certificate Revocation Status Checking............................................................ 13-28
Certificate Revocation List Management................................................................................... 13-28
About Certificate Revocation Management....................................................................... 13-28
Displaying orapki Help for Commands That Manage CRLs.......................................... 13-29
Renaming CRLs with a Hash Value for Certificate Validation....................................... 13-29
Uploading CRLs to Oracle Internet Directory................................................................... 13-30
Listing CRLs Stored in Oracle Internet Directory............................................................. 13-30
Viewing CRLs in Oracle Internet Directory....................................................................... 13-31
Deleting CRLs from Oracle Internet Directory.................................................................. 13-31
Troubleshooting Certificate Validation ..................................................................................... 13-32
Oracle Net Tracing File Error Messages Associated with Certificate Validation......... 13-32
Configuring Your System to Use Hardware Security Modules................................................. 13-34
About Configuring Your System to Use Hardware Security Modules................................. 13-34
Guidelines for Using Hardware Security Modules with Oracle Advanced Security ......... 13-34
Configuring Your System to Use nCipher Hardware Security Modules ............................. 13-35
About Configuring Your System to Use nCipher Hardware Security Modules.......... 13-35
Oracle Components Required To Use an nCipher Hardware Security Module.......... 13-35
About Installing an nCipher Hardware Security Module............................................... 13-35
Configuring Your System to Use SafeNET Hardware Security Modules ............................ 13-36
About Configuring Your System to Use SafeNet Hardware Security Modules .......... 13-36
Oracle Components for the SafeNET Luna SA Hardware Security Module................ 13-36
About Installing a SafeNET Hardware Security Module ................................................ 13-37
Troubleshooting Using Hardware Security Modules.............................................................. 13-37
Errors in the Oracle Net Trace Files .................................................................................... 13-37
Error Messages Associated with Using Hardware Security Modules........................... 13-37
Configuring SSL in an Oracle Real Application Clusters Environment.................................. 13-38
Step 1: Configure the TCPS Protocol Endpoints....................................................................... 13-39
Step 2: Update the Local Listener Parameter on Each Oracle RAC Node............................ 13-40
Step 3: Create SSL Certificates and Wallets for the Cluster and for the Clients .................. 13-42
Creating the SSL Certificate for Each Cluster and for the Test Client............................ 13-42
Signing Each User Certificate............................................................................................... 13-43
Step 4: Copy the Wallet to Each Cluster Node and Create an Obfuscated Wallet.............. 13-44
Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files ............................... 13-45
Step 6: Restart the Database Instances and Listeners............................................................... 13-46
Step 7: Test the Configuration from a Cluster Node................................................................ 13-46
Step 8: Test the Configuration from a Remote Client .............................................................. 13-47
14 Using Oracle Wallet Manager
Oracle Wallet Manager Overview...................................................................................................... 14-1
Wallet Password Management ..................................................................................................... 14-2
Strong Wallet Encryption............................................................................................................... 14-2
Microsoft Windows Registry Wallet Storage.............................................................................. 14-2
Options Supported:.................................................................................................................. 14-2
Backward Compatibility ................................................................................................................ 14-3
Public-Key Cryptography Standards (PKCS) Support.............................................................. 14-3
Multiple Certificate Support.......................................................................................................... 14-3
LDAP Directory Support ............................................................................................................... 14-5
Starting Oracle Wallet Manager ......................................................................................................... 14-6
How to Create a Complete Wallet: Process Overview ................................................................... 14-6
Managing Wallets ................................................................................................................................. 14-7
Required Guidelines for Creating Wallet Passwords................................................................ 14-7
Creating a New Wallet ................................................................................................................... 14-8
Creating a Standard Wallet .................................................................................................... 14-8
Creating a Wallet to Store Hardware Security Module Credentials ................................ 14-8
Opening an Existing Wallet........................................................................................................... 14-9
Closing a Wallet............................................................................................................................. 14-10
Exporting Oracle Wallets to Third-Party Environments......................................................... 14-10
Exporting Oracle Wallets to Tools that Do Not Support PKCS #12 ...................................... 14-10
Uploading a Wallet to an LDAP Directory ............................................................................... 14-11
Downloading a Wallet from an LDAP Directory..................................................................... 14-11
Saving Changes ............................................................................................................................. 14-12
Saving the Open Wallet to a New Location .............................................................................. 14-12
Saving in System Default............................................................................................................. 14-13
Deleting the Wallet ....................................................................................................................... 14-13
Changing the Password ............................................................................................................... 14-13
Using Auto Login.......................................................................................................................... 14-14
Enabling Auto Login ............................................................................................................. 14-14
Disabling Auto Login............................................................................................................ 14-14
Managing Certificates ........................................................................................................................ 14-14
Managing User Certificates ......................................................................................................... 14-15
Adding a Certificate Request ............................................................................................... 14-15
Importing the User Certificate into the Wallet .................................................................. 14-17
Importing Certificates and Wallets Created by Third Parties ........................................ 14-18
Removing a User Certificate from a Wallet ....................................................................... 14-19
Removing a Certificate Request........................................................................................... 14-20
Exporting a User Certificate ................................................................................................. 14-20
Exporting a User Certificate Request.................................................................................. 14-20
Managing Trusted Certificates.................................................................................................... 14-20
Importing a Trusted Certificate ........................................................................................... 14-21
Removing a Trusted Certificate........................................................................................... 14-21
Exporting a Trusted Certificate............................................................................................ 14-22
Exporting All Trusted Certificates....................................................................................... 14-22
15 Configuring Multiple Authentication Methods and Disabling Oracle Advanced Security
Connecting with User Name and Password..................................................................................... 15-1
Disabling Oracle Advanced Security Authentication.................................................................... 15-1
Configuring Multiple Authentication Methods ............................................................................. 15-2
Configuring Oracle Database for External Authentication ......................................................... 15-3
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora .................. 15-3
Setting OS_AUTHENT_PREFIX to a Null Value ....................................................................... 15-3
Part V Appendixes
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File ............................................................................................................................ A-1
Data Encryption and Integrity Parameters......................................................................................... A-2
SQLNET.ENCRYPTION_SERVER Parameter.............................................................................. A-3
SQLNET.ENCRYPTION_CLIENT Parameter.............................................................................. A-4
SQLNET.SSL_EXTENDED_KEY_USAGE Parameter................................................................. A-4
SQLNET.CRYPTO_CHECKSUM_SERVER Parameter............................................................... A-4
SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter ............................................................... A-4
SQLNET.ENCRYPTION_TYPES_SERVER Parameter................................................................ A-5
SQLNET.ENCRYPTION_TYPES_CLIENT Parameter................................................................ A-5
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter................................................. A-6
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter................................................. A-6
B Authentication Parameters
Parameters for Clients and Servers using Kerberos Authentication ........................................... B-1
Parameters for Clients and Servers using RADIUS Authentication............................................. B-1
sqlnet.ora File Parameters................................................................................................................ B-2
SQLNET.AUTHENTICATION_SERVICES Parameter........................................................ B-2
SQLNET.RADIUS_AUTHENTICATION Parameter........................................................... B-2
SQLNET.RADIUS_AUTHENTICATION_PORT Parameter .............................................. B-2
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter ...................................... B-2
SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter......................................... B-2
SQLNET.RADIUS_SEND_ACCOUNTING Parameter ....................................................... B-3
SQLNET.RADIUS_SECRET Parameter.................................................................................. B-3
SQLNET.RADIUS_ALTERNATE Parameter ........................................................................ B-3
SQLNET.RADIUS_ALTERNATE_PORT Parameter............................................................ B-3
SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter.................................................... B-4
SQLNET.RADIUS_ALTERNATE_RETRIES Parameter ...................................................... B-4
SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter................................................. B-4
SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter................................................. B-4
SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter .................................. B-4
SQLNET.RADIUS_CLASSPATH Parameter......................................................................... B-5
Minimum RADIUS Parameters ...................................................................................................... B-5
Initialization File Parameters........................................................................................................... B-5
Parameters for Clients and Servers Using Secure Sockets Layer .................................................. B-5
Secure Sockets Layer Authentication Parameters........................................................................ B-5
Cipher Suite Parameters................................................................................................................... B-6
Supported SSL Cipher Suites ................................................................................................... B-6
Secure Sockets Layer Version Parameters..................................................................................... B-7
Secure Sockets Layer Client Authentication Parameters ............................................................ B-7
SSL X.509 Server Match Parameters........................................................................................ B-8
Wallet Location.................................................................................................................................. B-9
C Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface................................................................ C-1
Customizing the RADIUS Challenge-Response User Interface.................................................... C-1
D Oracle Advanced Security FIPS 140 Settings
About the FIPS 140 Settings .................................................................................................................. D-1
Configuring Oracle Database for FIPS 140-2 ..................................................................................... D-1
About the FIPS 140-2 Settings ......................................................................................................... D-1
Configuring the SSLFIPS_140 Parameter ...................................................................................... D-2
Selecting Cipher Suites..................................................................................................................... D-2
Post-Installation Checks................................................................................................................... D-2
Verifying FIPS Connections............................................................................................................. D-3
Configuring Oracle Database for FIPS 140-1 ..................................................................................... D-3
About the FIPS 140-1 Settings ......................................................................................................... D-3
sqlnet.ora FIPS 140-1 Configuration Parameters.......................................................................... D-3
Server Encryption Level Setting .............................................................................................. D-4
Client Encryption Level Setting............................................................................................... D-4
Server Encryption Selection List.............................................................................................. D-4
Client Encryption Selection List............................................................................................... D-4
FIPS Parameter ........................................................................................................................... D-5
Post Installation Checks ................................................................................................................... D-5
Status Information............................................................................................................................. D-5
Physical Security ............................................................................................................................... D-6
E orapki Utility
orapki Utility Overview......................................................................................................................... E-1
orapki Utility Syntax......................................................................................................................... E-1
Creating Signed Certificates for Testing Purposes........................................................................... E-2
Managing Oracle Wallets with orapki Utility ................................................................................... E-2
Creating, Viewing, and Modifying Wallets with orapki............................................................. E-2
Creating a PKCS#12 Wallet ...................................................................................................... E-3
Creating an Auto Login Wallet................................................................................................ E-3
Viewing a Wallet........................................................................................................................ E-4
Modifying the Password for a Wallet..................................................................................... E-4
Adding Certificates and Certificate Requests to Oracle Wallets with orapki.......................... E-4
Exporting Certificates and Certificate Requests from Oracle Wallets with orapki................. E-6
Managing Certificate Revocation Lists (CRLs) with orapki Utility.............................................. E-6
orapki Usage Examples .......................................................................................................................... E-6
orapki Utility Commands Summary ................................................................................................... E-8
orapki cert create............................................................................................................................... E-8
Purpose........................................................................................................................................ E-8
Syntax .......................................................................................................................................... E-8
orapki cert display ............................................................................................................................ E-9
Purpose........................................................................................................................................ E-9
Syntax .......................................................................................................................................... E-9
orapki crl delete................................................................................................................................. E-9
Purpose........................................................................................................................................ E-9
Prerequisites ............................................................................................................................... E-9
Syntax .......................................................................................................................................... E-9
orapki crl display ............................................................................................................................ E-10
Purpose...................................................................................................................................... E-10
Syntax ........................................................................................................................................ E-10
orapki crl hash ................................................................................................................................. E-10
Purpose...................................................................................................................................... E-10
Syntax ........................................................................................................................................ E-10
orapki crl list .................................................................................................................................... E-11
Purpose...................................................................................................................................... E-11
Syntax ........................................................................................................................................ E-11
orapki crl upload............................................................................................................................. E-11
Purpose...................................................................................................................................... E-11
Syntax ........................................................................................................................................ E-11
orapki wallet add ............................................................................................................................ E-12
Purpose...................................................................................................................................... E-12
Syntax ........................................................................................................................................ E-12
orapki wallet create......................................................................................................................... E-13
Purpose...................................................................................................................................... E-13
Syntax ........................................................................................................................................ E-13
orapki wallet display ...................................................................................................................... E-13
Purpose...................................................................................................................................... E-13
Syntax ........................................................................................................................................ E-13
orapki wallet export........................................................................................................................ E-13
Purpose...................................................................................................................................... E-13
Syntax ........................................................................................................................................ E-13
F Entrust-Enabled Secure Sockets Layer Authentication
Benefits of Entrust-Enabled Oracle Advanced Security.................................................................. F-1
Enhanced X.509-Based Authentication and Single Sign-On....................................................... F-1
Integration with Entrust Authority Key Management................................................................ F-2
Integration with Entrust Authority Certificate Revocation........................................................ F-2
Required System Components for Entrust-Enabled Oracle Advanced Security ....................... F-2
Entrust Authority for Oracle ........................................................................................................... F-2
Entrust Authority Security Manager ...................................................................................... F-3
Entrust Authority Self-Administration Server ...................................................................... F-3
Entrust Entelligence Desktop Manager.................................................................................. F-3
Entrust Authority Server Login Feature........................................................................................ F-3
Entrust Authority IPSec Negotiator Toolkit.................................................................................. F-3
Entrust Authentication Process ............................................................................................................ F-4
Enabling Entrust Authentication ......................................................................................................... F-4
Creating Entrust Profiles.................................................................................................................. F-4
Administrator-Created Entrust Profiles ................................................................................. F-4
User-Created Entrust Profiles .................................................................................................. F-5
Installing Oracle Advanced Security and Related Products for Entrust-Enabled SSL........... F-5
Configuring SSL on the Client and Server for Entrust-Enabled SSL......................................... F-5
Configuring Entrust on the Client.................................................................................................. F-5
Configuring Entrust on a UNIX Client................................................................................... F-6
Configuring Entrust on a Windows Client ............................................................................ F-6
Configuring Entrust on the Server ................................................................................................. F-6
Configuring Entrust on a UNIX Server .................................................................................. F-6
Configuring Entrust on a Windows Server............................................................................ F-7
Creating Entrust-Enabled Database Users .................................................................................... F-8
Logging Into the Database Using Entrust-Enabled SSL.............................................................. F-8
Issues and Restrictions that Apply to Entrust-Enabled SSL.......................................................... F-9
Troubleshooting Entrust In Oracle Advanced Security .................................................................. F-9
Error Messages Returned When Running Entrust on Any Platform........................................ F-9
Error Messages Returned When Running Entrust on Windows Platforms........................... F-10
General Checklist for Running Entrust on Any Platform......................................................... F-12
Checklist for Entrust Installations on Windows.................................................................. F-12
Glossary
Index
List of Figures
1–1 Encryption.................................................................................................................................... 1-4
1–2 Strong Authentication with Oracle Authentication Adapters ............................................. 1-6
1–3 How a Network Authentication Service Authenticates a User............................................ 1-7
1–4 Oracle Advanced Security in an Oracle Networking Environment................................. 1-10
1–5 Oracle Net Services with Authentication Adapters............................................................ 1-10
2–1 Oracle Advanced Security Profile in Oracle Net Manager................................................... 2-3
2–2 Oracle Wallet Manager User Interface..................................................................................... 2-5
2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane.......... 2-7
5–1 How Oracle Data Redaction Policies Work in a Chain of Views...................................... 5-36
8–1 TDE Column Encryption Overview......................................................................................... 8-3
8–2 TDE Tablespace Encryption ...................................................................................................... 8-4
11–1 RADIUS in an Oracle Environment ...................................................................................... 11-2
11–2 Synchronous Authentication Sequence ................................................................................ 11-3
11–3 Asynchronous Authentication Sequence ............................................................................. 11-5
13–1 SSL in Relation to Other Authentication Methods.............................................................. 13-7
15–1 Oracle Advanced Security Authentication Window .......................................................... 15-2
F–1 Entrust Authentication Process................................................................................................ F-4
List of Tables
1–1 Authentication Methods and System Requirements......................................................... 1-11
2–1 Oracle Wallet Manager Navigator Pane Objects................................................................... 2-6
2–2 Oracle Wallet Manager Toolbar Buttons ................................................................................ 2-7
2–3 Oracle Wallet Manager Wallet Menu Options ...................................................................... 2-8
2–4 Oracle Wallet Manager Operations Menu Options .............................................................. 2-8
2–5 Oracle Wallet Manager Help Menu Options......................................................................... 2-9
2–6 Common Security Administrator/DBA Configuration and Administrative Tasks..... 2-10
4–1 Redaction Capabilities for Oracle Built-in Data Types......................................................... 4-5
4–2 Redaction Capabilities for the ANSI Data Types.................................................................. 4-6
4–3 Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types ...... 4-6
5–1 DBMS_REDACT Procedures.................................................................................................... 5-2
5–2 Partial Fixed Character Redaction Shortcuts ...................................................................... 5-13
5–3 Shortcuts for the regexp_pattern Parameter....................................................................... 5-21
5–4 Shortcuts for the regexp_replace_string Parameter........................................................... 5-22
5–5 Parameters Required for Various DBMS_REDACT.ALTER_POLICY Actions............. 5-29
5–6 Data Redaction Views ............................................................................................................ 5-38
8–1 Maximum Allowable Size for Data Types .......................................................................... 8-14
8–2 Description of the ALL_ENCRYPTED_COLUMNS Data Dictionary View .................. 8-32
8–3 Description of the V$ENCRYPTED_TABLESPACES View ............................................. 8-33
8–4 Description of the V$WALLET View................................................................................... 8-33
8–5 Description of the V$ENCRYPTION_WALLET View...................................................... 8-34
8–6 Supported Encryption Algorithms for Transparent Data Encryption............................ 8-43
8–7 Transparent Data Encryption SQL Commands Quick Reference ................................... 8-43
9–1 Two Forms of Attack................................................................................................................. 9-2
9–2 Encryption and Data Integrity Negotiations ......................................................................... 9-5
9–3 Valid Encryption Algorithms................................................................................................... 9-7
10–1 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL Attributes ........... 10-3
10–2 CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES Attributes............ 10-4
10–3 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL Attributes............... 10-4
10–4 CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES Attributes ............... 10-5
10–5 CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES Attributes ............ 10-5
11–1 RADIUS Authentication Components................................................................................. 11-2
12–1 Options for the okinit Utility................................................................................................. 12-9
12–2 Options for the oklist Utility ............................................................................................... 12-10
13–1 SSL Cipher Suites.................................................................................................................. 13-11
14–1 KeyUsage Values .................................................................................................................... 14-4
14–2 Oracle Wallet Manager Import of User Certificates to an Oracle Wallet ....................... 14-4
14–3 Oracle Wallet Manager Import of Trusted Certificates to an Oracle Wallet.................. 14-5
14–4 PKI Wallet Encoding Standards ......................................................................................... 14-10
14–5 Types of Certificates ............................................................................................................. 14-15
14–6 Certificate Request: Fields and Descriptions .................................................................... 14-16
14–7 Available Key Sizes............................................................................................................... 14-17
A–1 Algorithm Type Selection ........................................................................................................ A-3
A–2 SQLNET.ENCRYPTION_SERVER Parameter Attributes .................................................. A-3
A–3 SQLNET.ENCRYPTION_CLIENT Parameter Attributes................................................... A-4
A–4 SQLNET.EXTENDED_KEY_USAGE Parameter Attributes............................................... A-4
A–5 SQLNET.CRYPTO_CHECKSUM_SERVER Parameter Attributes.................................... A-4
A–6 SQLNET.CRYPTO_CHECKSUM_CLIENT Parameter Attributes.................................... A-4
A–7 SQLNET.ENCRYPTION_TYPES_SERVER Parameter Attributes .................................... A-5
A–8 SQLNET.ENCRYPTION_TYPES_CLIENT Parameter Attributes..................................... A-5
A–9 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER Parameter Attributes ..................... A-6
A–10 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT Parameter Attributes...................... A-6
B–1 Kerberos Authentication Parameters .................................................................................... B-1
B–2 SQLNET.AUTHENTICATION_SERVICES Parameter Attributes.................................... B-2
B–3 SQLNET.RADIUS_AUTHENTICATION Parameter Attributes ....................................... B-2
B–4 SQLNET.RADIUS_AUTHENTICATION_PORT Parameter Attributes .......................... B-2
B–5 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT Parameter Attributes .................. B-2
B–6 SQLNET.RADIUS_AUTHENTICATION_RETRIES Parameter Attributes..................... B-3
B–7 SQLNET.RADIUS_SEND_ACCOUNTING Parameter Attributes ................................... B-3
B–8 SQLNET.RADIUS_SECRET Parameter Attributes.............................................................. B-3
B–9 SQLNET.RADIUS_ALTERNATE Parameter Attributes .................................................... B-3
B–10 SQLNET.RADIUS_ALTERNATE_PORT Parameter Attributes........................................ B-3
B–11 SQLNET.RADIUS_ALTERNATE_TIMEOUT Parameter Attributes................................ B-4
B–12 SQLNET.RADIUS_ALTERNATE_RETRIES Parameter Attributes .................................. B-4
B–13 SQLNET.RADIUS_CHALLENGE_RESPONSE Parameter Attributes............................. B-4
B–14 SQLNET.RADIUS_CHALLENGE_KEYWORD Parameter Attributes............................. B-4
B–15 SQLNET.RADIUS_AUTHENTICATION_INTERFACE Parameter Attributes .............. B-4
B–16 SQLNET.RADIUS_CLASSPATH Parameter Attributes..................................................... B-5
B–17 Wallet Location Parameters..................................................................................................... B-9
C–1 Server Encryption Level Setting ............................................................................................. C-2
D–1 Sample Output from v$session_connect_info ...................................................................... D-5
Preface
Welcome to the Oracle Database Advanced Security Administrator's Guide for the 11g
Release 2 (11.2) of Oracle Advanced Security.
Oracle Advanced Security contains a comprehensive suite of security features that
protect enterprise networks and securely extend them to the Internet. It provides a
single source of integration with multiple network encryption and authentication
solutions, single sign-on services, and security protocols.
The Oracle Database Advanced Security Administrator's Guide describes how to
implement, configure and administer Oracle Advanced Security.
This preface contains these topics:
Audience
Documentation Accessibility
Related Documentation
Conventions
Audience
The Oracle Database Advanced Security Administrator's Guide is intended for users and
systems professionals involved with the implementation, configuration, and
administration of Oracle Advanced Security including:
Implementation consultants
System administrators
Security administrators
Database administrators (DBAs)
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For
information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Related Documentation
For more information, refer to these Oracle resources:
Oracle Database Net Services Administrator's Guide
Oracle Database Heterogeneous Connectivity User's Guide
Oracle Database JDBC Developer's Guide and Reference
Oracle Internet Directory Administrator's Guide
Oracle Database Administrator's Guide
Oracle Database Security Guide
Many books in the documentation set use the sample schemas of the seed database,
which is installed by default when you install Oracle. Refer to Oracle Database Sample
Schemas for information on how these schemas were created and how you can use
them yourself.
To download free release notes, installation documentation, white papers, or other
collateral, please visit the Oracle Technology Network (OTN). You must register online
before using OTN; registration is free and can be done at
http://www.oracle.com/technetwork/index.html
If you already have a user name and password for OTN, then you can go directly to
the documentation section of the OTN Web site at
http://www.oracle.com/technetwork/documentation/index.html
For information from third-party vendors, refer to:
ACE/Server Administration Manual, from Security Dynamics
ACE/Server Client for UNIX, from Security Dynamics
ACE/Server Installation Manual, from Security Dynamics
RADIUS Administrator's Guide
Notes about building and installing Kerberos from Kerberos version 5 source
distribution
Entrust/PKI for Oracle
Administering Entrust/PKI on UNIX
Application Environment Specification/Distributed Computing
For conceptual information about the network security technologies supported by
Oracle Advanced Security, you can refer to the following third-party publications:
Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C by
Bruce Schneier. New York: John Wiley & Sons, 1996.
SSL & TLS Essentials: Securing the Web by Stephen A. Thomas. New York: John
Wiley & Sons, 2000.
Understanding and Deploying LDAP Directory Services by Timothy A. Howes, Ph.D.,
Mark C. Smith, and Gordon S. Good . Indianapolis: New Riders Publishing, 1999.
Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment
Considerations by Carlisle Adams and Steve Lloyd. Indianapolis: New Riders
Publishing, 1999.
Conventions
The following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associated
with an action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for
which you supply particular values.
monospace
Monospace type indicates commands within a paragraph, URLs, code
in examples, text that appears on the screen, or text that you enter.
What's New in Oracle Advanced Security?
This section describes new features of Oracle Advanced Security 11g Release 2 (11.2)
and provides pointers to additional information.
Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle Advanced
Security
Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle Advanced
Security
Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced Security
Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced Security
Oracle Database 11g Release 2 (11.2.0.4) New Features in Oracle
Advanced Security
This release includes the following new features:
Oracle Data Redaction for Masking Data
Filtering for Secure Sockets Layer Certificates
Oracle Data Redaction for Masking Data
This release includes Oracle Data Redaction, which gives you the ability to disguise
(mask) data from low-privileged users or applications. For example, suppose you have
the following credit card numbers:
5105 1051 0510 5100
5111 1111 1111 1118
5454 5454 5454 5454
You can use Data Redaction to disguise the last four digits as follows:
5105 1051 0510 ****
5111 1111 1111 ****
5454 5454 5454 ****
The data is redacted at run time, that is, in the results returned to the user's query;
the data stored in the database is not changed. This enables the sensitive data to be
processed normally, and it preserves the back-end referential integrity and constraints
for the data. You have the option of redacting the data partially so that some of the
original data is preserved (such as the last four digits of a credit card number),
entirely by replacing it with a fixed value, or by replacing the data with an
encrypted value. You also can easily apply Oracle Data Redaction policies throughout
the databases in your enterprise.
See Part II, "Oracle Data Redaction" for more information.
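The masking shown above, as an added example in SQL (this is not code from the guide): a DBMS_REDACT partial-redaction policy that masks the last four digits of a 16-digit card number stored with separating spaces. The HR_APP schema, the PAYMENTS table, the policy name and the three rows inserted are constructed for this example; the function_parameters string follows the character partial-redaction format described in Chapter 5 (input format, output format, mask character, first and last V position to mask).

```sql
-- Added example, not from the guide. Run as a user who owns the HR_APP
-- objects (or has CREATE ANY TABLE) and has EXECUTE on DBMS_REDACT.
-- HR_APP, PAYMENTS and redact_card_no are hypothetical names.

CREATE TABLE hr_app.payments (
  payment_id NUMBER PRIMARY KEY,
  card_no    VARCHAR2(19)      -- 16 digits in four groups separated by spaces
);

-- Constructed sample rows: the same three card numbers listed above.
INSERT INTO hr_app.payments VALUES (1, '5105 1051 0510 5100');
INSERT INTO hr_app.payments VALUES (2, '5111 1111 1111 1118');
INSERT INTO hr_app.payments VALUES (3, '5454 5454 5454 5454');
COMMIT;

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR_APP',
    object_name         => 'PAYMENTS',
    column_name         => 'CARD_NO',
    policy_name         => 'redact_card_no',
    function_type       => DBMS_REDACT.PARTIAL,
    -- Input format: V marks a digit that counts toward the positions below,
    -- F marks a separator that is copied through unchanged.
    -- Output format: V keeps the digit, any other character is emitted literally.
    -- '*' is the mask character; V positions 13 to 16 (the last group) are masked.
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV VVVV VVVV VVVV,*,13,16',
    -- Redact for every session except the schema owner itself.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP''',
    enable              => TRUE
  );
END;
/

-- Check 1: the policy is registered against the column.
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns
 WHERE object_owner = 'HR_APP' AND object_name = 'PAYMENTS';

-- Check 2: run this as any user other than HR_APP that has SELECT on the table.
-- Each card_no comes back with its last group replaced by ****; the same
-- query run as HR_APP, or by a user holding EXEMPT REDACTION POLICY,
-- returns the cleartext.
SELECT payment_id, card_no FROM hr_app.payments ORDER BY payment_id;

-- Cleanup when the example is no longer needed.
BEGIN
  DBMS_REDACT.DROP_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'PAYMENTS',
    policy_name   => 'redact_card_no'
  );
END;
/
```

Two points worth checking in a real deployment: the policy only governs what a query returns, so the cleartext is still in the data files and in backups (pair redaction with TDE when the storage itself must be protected), and SYS plus any user granted the EXEMPT REDACTION POLICY system privilege bypasses every policy, so that privilege should be audited like any other administrative grant.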
Filtering for Secure Sockets Layer Certificates
Starting with this release, you can use the SQLNET.SSL_EXTENDED_KEY_USAGE parameter
in the sqlnet.ora file to select the Secure Sockets Layer certificate that is used
automatically to authenticate the client. For example, suppose a smart card holds
several certificates but only one of them has an extended key usage field of
client authentication. Without the parameter, the application would present a
certificate chooser dialog box, prompting the user to select the type of
authentication. Because the certificate used for this purpose must always be one
with the client authentication key usage, setting SQLNET.SSL_EXTENDED_KEY_USAGE
lets the application bypass the dialog box and choose that certificate
automatically, so the user has fewer steps to perform and the task is quicker.
See "Step 3G: Specify the Certificate to Use for Authentication on the Client (Optional)"
on page 13-20 for more information.
Oracle Database 11g Release 2 (11.2.0.3) New Features in Oracle
Advanced Security
This release includes the following new features:
Support for SHA-2 Certificate Signatures
Support for PIN and Multiple Certificates on Smart Card
TDE Hardware Acceleration for Solaris
Support for SHA-2 Certificate Signatures
This feature introduces support for SHA-2 (256-bit) signed certificates that are used by
the database for network encryption and authentication.
These certificates are issued by a separate certificate authority (CA), and are
exchanged between the database and a client when a secure database connection is
being established.
Support for PIN and Multiple Certificates on Smart Card
This feature introduces support for authenticating to the database using Common
Access Cards (CAC, HSPD-12) that contain multiple certificates.
When a database user inserts a card containing one or more digital certificates into a
card reader, the database attempts to intelligently select which certificate to read. If the
database cannot determine which certificate to read, a selection box is presented on
Windows clients. The user also must manually enter the correct PIN.
TDE Hardware Acceleration for Solaris
Transparent Data Encryption (TDE) can automatically detect whether the database
host machine includes specialized cryptographic silicon that accelerates the encryption
and decryption processing. When detected, TDE uses the specialized silicon for
cryptographic processing, accelerating the overall cryptographic performance
significantly.
In prior releases, cryptographic hardware acceleration for TDE was only available on
Intel Xeon, and only for Linux. Starting with release 11.2.0.3, it works with the current
versions of Solaris 11 running on both SPARC T-Series and Intel Xeon.
Oracle Database 11g Release 2 (11.2) New Features in Oracle Advanced
Security
This release includes the following new features:
Enhanced TDE Tablespace Encryption
TDE Supports Intel Advanced Encryption Standard New Instructions (Intel
AES-NI)
Internet Protocol Version 6 (IPv6) Support
Kerberos Enhancements
Enhanced TDE Tablespace Encryption
Oracle Database 11g Release 2 (11.2) implements the following enhancements to TDE
Tablespace Encryption:
A unified master encryption key is used for both Transparent Data Encryption
(TDE) Column Encryption and TDE Tablespace Encryption.
The unified master encryption key can optionally be stored in a hardware security
module. This enables you to use the TDE Tablespace Encryption feature along
with hardware security modules.
You can reset (rekey) the unified master encryption key. This provides enhanced
security and helps meet security and compliance requirements.
TDE Supports Intel Advanced Encryption Standard New Instructions (Intel
AES-NI)
Transparent Data Encryption (TDE) now supports Intel AES-NI. Oracle Database 11g
Release 2 (11.2) running on Intel Xeon 5600 series processor-based servers with Intel
AES-NI shows a multifold increase in TDE encryption and decryption speed.
According to benchmark results, TDE shows a 10x speedup of AES encryption
processing rate and an 8x speedup of decryption processing rate, using 256 bit keys, on
Intel Xeon X5680 processor utilizing AES-NI as compared to Intel Xeon X5560
processor without AES-NI.
Internet Protocol Version 6 (IPv6) Support
Oracle Advanced Security fully supports Internet Protocol Version 6 (IPv6) networks.
Kerberos Enhancements
The Oracle Kerberos authentication mechanism now supports the Microsoft Windows
Server 2003 constrained delegation feature. The middle tier can use the Kerberos
adapter to authenticate to the Oracle Database without providing the user's forwarded
Kerberos credentials.
A user can authenticate to the middle tier using a non-Kerberos authentication
mechanism. The middle tier authenticates to the backend Oracle Database using the
Kerberos authentication mechanism on behalf of the user.
See Also: "Encrypting Entire Tablespaces" on page 8-15
Oracle Database 11g Release 1 (11.1) New Features in Oracle Advanced
Security
This release includes the following new features:
Enhanced Transparent Data Encryption
Kerberos Authentication More Secure and Manageable
Enhanced Transparent Data Encryption
Transparent Data Encryption enables you to encrypt data in columns without having
to manage the encryption key. Businesses can protect sensitive data in their databases
without having to make changes to their applications.
Oracle Advanced Security uses industry standard encryption algorithms including
AES and 3DES to encrypt columns that have been marked for encryption. Key
Management is handled by the database. SQL interfaces to Key Management hide the
complexity of encryption.
You can now encrypt entire tablespaces using Tablespace Encryption. All objects
created in the encrypted tablespace are automatically encrypted. See "TDE Tablespace
Encryption" on page 8-3 for more information.
Transparent Data Encryption now enables you to use a hardware security module
(HSM) to store the master encryption key. This allows for enhanced security. See
"Using Hardware Security Modules with TDE" on page 8-19 for more information.
Kerberos Authentication More Secure and Manageable
The Kerberos implementation now uses secure encryption algorithms such as 3DES and
AES in place of single DES, whose 56-bit key is too short for current use. This makes
using Kerberos more secure. The Kerberos authentication mechanism in Oracle Database
now supports the following encryption types:
DES3-CBC-SHA (DES3 algorithm in CBC mode with HMAC-SHA1 as checksum)
AES128-CTS (AES algorithm with 128-bit key in CTS mode with HMAC-SHA1 as checksum)
AES256-CTS (AES algorithm with 256-bit key in CTS mode with HMAC-SHA1 as checksum)
The Kerberos implementation has been enhanced to interoperate smoothly with
Microsoft and MIT Key Distribution Centers.
The Kerberos principal name can now contain more than 30 characters. It is no longer
restricted by the number of characters allowed in a database user name.
See Also: Microsoft documentation for more information on the
Microsoft Windows Server 2003 constrained delegation feature
See Also: "Supported Encryption Algorithms" on page 1-4 for more
information on the encryption algorithms that are supported.
Chapter 8, "Securing Stored Data Using Transparent Data Encryption"
for more information on implementing and using Transparent Data
Encryption.
See Also: Chapter 12, "Configuring Kerberos Authentication"
Note: In this release, the features of Multiplexing and Connection
Pooling do not work with SSL transport. Refer to Oracle Database JDBC
Developer's Guide and Reference for details of encryption support
available in JDBC.
Part I
Getting Started with
Oracle Advanced Security
This part introduces Oracle Advanced Security, describing security solutions it
provides, its features, and its tools.
Part I contains the following chapters:
Chapter 1, "Introduction to Oracle Advanced Security"
Chapter 2, "Configuration and Administration Tools Overview"
Introduction to Oracle Advanced Security
This chapter introduces Oracle Advanced Security, summarizes the security risks it
addresses, and describes its features. These features are available to database and
related products that interface with Oracle Net Services, including Oracle Database,
Oracle Application Server, and Oracle Identity Management infrastructure.
This chapter contains the following topics:
Security Challenges in an Enterprise Environment
Solving Security Challenges with Oracle Advanced Security
Oracle Advanced Security Architecture
System Requirements
Oracle Advanced Security Restrictions
Security Challenges in an Enterprise Environment
To increase efficiency and lower costs, companies adopt strategies to automate
business processes. One such strategy is to conduct more business on the Web, but that
requires greater computing power, translating to higher IT costs. In response to rising
IT costs, more and more businesses are considering enterprise grid computing
architecture where inexpensive computers act as one powerful system. While such
strategies improve the bottom line, they introduce risks, which are associated with
securing data, in rest and motion, and managing an ever increasing number of user
identities.
This section examines the security challenges of today's enterprise computing
environments in the following topics:
Security in Enterprise Grid Computing Environments
Security in an Intranet or Internet Environment
Common Security Threats
Security in Enterprise Grid Computing Environments
Grid computing is a computing architecture that coordinates large numbers of servers
and storage to act as a single large computer. It provides flexibility, lower costs, and IT
investment protection because inexpensive, off-the-shelf components can be added to
the grid as business needs change. While providing significant benefits, grid
computing environments present unique security requirements because their
computing resources are distributed and often heterogeneous. The following sections
discuss these requirements:
Distributed Environment Security Requirements
Enterprise grid computing pools distributed business computing resources to cost
effectively harness the power of clustered servers and storage. A distributed
environment requires secure network connections. Even more critical in grid
environments, it is necessary to have a uniform definition of "who is the user" and
"what is the user allowed to do." Without such uniform definitions, administrators
frequently must assign, manage, and revoke authorizations for every user on different
software applications to protect employee, customer, and partner information. This is
expensive because it takes time, which drives up costs. Consequently, the cost savings
gained with grid computing are lost.
Heterogeneous Environment Security Requirements
Because grid computing environments often grow as business needs change,
computing resources are added over time, resulting in diverse collections of hardware
and software. Such heterogeneous environments require support for different types of
authentication mechanisms which adhere to industry standards. Without strict
adherence to industry standards, integrating heterogeneous components becomes
costly and time consuming. Once again the benefits of grid computing are squandered
when the appropriate infrastructure is not present.
Security in an Intranet or Internet Environment
Oracle databases power the largest and most popular Web sites on the Internet. In
record numbers, organizations throughout the world are deploying distributed
databases and client/server applications based on Oracle Database and Oracle Net
Services. This proliferation of distributed computing is matched by an increase in the
amount of information that organizations place on computers. Employee and financial
records, customer orders, product information, and other sensitive data have moved
from filing cabinets to file structures. The volume of sensitive information on the Web
has thus increased the value of data that can be compromised.
Common Security Threats
The increased volume of data in distributed, heterogeneous environments exposes
users to a variety of security threats, including the following:
Eavesdropping and Data Theft
Data Tampering
Falsifying User Identities
Password-Related Threats
Eavesdropping and Data Theft
Over the Internet and in wide area network environments, both public carriers and
private networks route portions of their network through insecure land lines,
vulnerable microwave and satellite links, or a number of servers— exposing valuable
data to interested third parties. In local area network environments within a building
or campus, the potential exists for insiders with access to the physical wiring to view
data not intended for them, and network sniffers can be installed to eavesdrop on
network traffic.
Data Tampering
Distributed environments bring with them the possibility that a malicious third party
can compromise integrity by tampering with data as it moves between sites.
Falsifying User Identities
In a distributed environment, it is more feasible for a user to falsify an identity to gain
access to sensitive information. How can you be sure that user Pat connecting to
Server A from Client B really is user Pat?
Moreover, in distributed environments, malefactors can hijack connections. How can
you be sure that Client B and Server A are what they claim to be? A transaction that
should go from the Personnel system on Server A to the Payroll system on Server B
could be intercepted in transit and re-routed to a terminal masquerading as Server B.
Password-Related Threats
In large systems, users typically must remember multiple passwords for the different
applications and services that they use. For example, a developer can have access to a
development application on a workstation, a PC for sending e-mail, and several
computers or intranet sites for testing, reporting bugs, and managing configurations.
Users typically respond to the problem of managing multiple passwords in several
ways:
They may select easy-to-guess passwords, such as a name, a fictional character, or
a word found in a dictionary. All of these passwords are vulnerable to dictionary
attacks.
They may also choose to standardize passwords so that they are the same on all
systems or Web sites. This results in a potentially large exposure in the event of a
compromised password. They can also use passwords with slight variations that
can be easily derived from known passwords.
Users with complex passwords may write them down where an attacker can easily
find them, or they may just forget them, requiring costly administration and
support efforts.
All of these strategies compromise password secrecy and service availability.
Moreover, administration of multiple user accounts and passwords is complex,
time-consuming, and expensive.
Solving Security Challenges with Oracle Advanced Security
To solve enterprise computing security problems, Oracle Advanced Security provides
industry standards-based data privacy, integrity, authentication, single sign-on, and
access authorization in a variety of ways. For example, you can configure either Oracle
Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle Advanced
Security also provides the choice of several strong authentication methods, including
Kerberos, smart cards, and digital certificates.
Oracle Advanced Security provides the following security features:
Data Encryption
Strong Authentication
Data Encryption
Sensitive information that is stored in your database or that travels over enterprise
networks and the Internet can be protected by encryption algorithms. An encryption
algorithm transforms information into a form that cannot be deciphered without a
decryption key.
Figure 1–1 shows how encryption works to ensure the security of a transaction sent
over the network. For example, if a manager approves a bonus, this data should be
encrypted when sent over the network to avoid eavesdropping. If all communication
between the client, the database, and the application server is encrypted, then when
the manager sends the bonus amount to the database, it is protected.
Figure 1–1 Encryption
This section discusses the following topics:
Supported Encryption Algorithms
Data Integrity
Federal Information Processing Standard
Supported Encryption Algorithms
Oracle Advanced Security provides the following encryption algorithms to protect the
privacy of network data transmissions:
Triple-DES Encryption
Advanced Encryption Standard
Selecting the network encryption algorithm is a user configuration option, providing
varying levels of security and performance for different types of data transfers.
Prior versions of Oracle Advanced Security provided three editions: Domestic,
Upgrade, and Export, each with different key lengths. Oracle Advanced Security 11g
Release 2 (11.2) contains a complete complement of the available encryption
algorithms and key lengths, previously only available in the Domestic edition. Users
deploying prior versions of the product can obtain the Domestic edition for a specific
product release.
Triple-DES Encryption Oracle Advanced Security supports Triple-DES encryption
(3DES), which encrypts each block of message data with three passes of the DES
algorithm. 3DES provides a high degree of message security, but with a performance
penalty. The magnitude of the penalty depends on the speed of the processor performing
the encryption. 3DES typically takes three times as long to encrypt a data block as
compared with the standard DES algorithm.
Note: The U.S. government has relaxed its export guidelines for
encryption products. Accordingly, Oracle can ship Oracle
Advanced Security with its strongest encryption features to all of its
customers.
3DES is available in two-key and three-key versions, with effective key lengths of
112-bits and 168-bits, respectively. Both versions operate in outer Cipher Block
Chaining (CBC) mode.
Advanced Encryption Standard Approved by the National Institute of Standards and
Technology (NIST) in Federal Information Processing Standards (FIPS) Publication
197, Advanced Encryption Standard (AES) is a cryptographic algorithm standard
developed to replace DES. AES is a symmetric block cipher that processes data
blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits, which are
referred to as AES-128, AES-192, and AES-256, respectively. All three versions operate
in outer-CBC mode. CBC mode provides confidentiality only: it does not by itself detect
modification of the ciphertext, so enable the data integrity checksum described in the
next section alongside encryption.
Data Integrity
To ensure the integrity of data packets during transmission, Oracle Advanced Security
can generate a cryptographically secure message digest using the SHA-1 hashing
algorithm and include it with each message sent across a network.
Data integrity algorithms add little overhead and protect against the following attacks:
Data modification
Deleted packets
Replay attacks
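The two sections above, Supported Encryption Algorithms and Data Integrity, are
enforced through sqlnet.ora parameters. The following Python script is an added
example (not part of this guide and not Oracle's code) that audits a sqlnet.ora
fragment against them: it checks that encryption and checksumming are REQUIRED
rather than merely ACCEPTED, that the algorithm lists contain only the Triple-DES, AES
and SHA-1 values this chapter lists, and it flags the older DES, DES40, RC4 and MD5
values. The parameter names and their ACCEPTED/REJECTED/REQUESTED/REQUIRED
values are the documented sqlnet.ora ones; the two configuration fragments are
constructed for the example, and the severity policy is the example's own assumption.

```python
"""Audit Oracle Net native encryption and integrity settings in sqlnet.ora.

Added example for this chapter, not Oracle code. The parameter names are the
documented sqlnet.ora parameters; the policy (what is weak, what must be
REQUIRED) is this example's assumption.
"""
import re

# Algorithms this chapter lists as supported in 11.2.
STRONG_ENCRYPTION = {"AES256", "AES192", "AES128", "3DES168", "3DES112"}
STRONG_CHECKSUM = {"SHA1"}
# Older values the sqlnet.ora parser still accepts; flagged as weak here
# (assumption of this example; they are not listed on this page).
WEAK_ENCRYPTION = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256"}
WEAK_CHECKSUM = {"MD5"}

_PARAM_RE = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_sqlnet(text):
    """Parse single-line `NAME = value` entries. A parenthesised value such as
    (AES256, AES192) becomes a list of upper-case tokens; scalars become
    upper-case strings. Multi-line nested values (wallet locations and the
    like) are outside the scope of this audit and are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # '#' starts a comment in sqlnet.ora
        m = _PARAM_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            params[name] = [t.strip().upper() for t in value[1:-1].split(",") if t.strip()]
        else:
            params[name] = value.upper()
    return params


def audit(params, side="SERVER"):
    """Return a list of findings for one side of the connection
    ("SERVER" or "CLIENT"). An empty list means that side is hardened."""
    side = side.upper()
    findings = []
    checks = (
        ("encryption", f"SQLNET.ENCRYPTION_{side}",
         f"SQLNET.ENCRYPTION_TYPES_{side}", STRONG_ENCRYPTION, WEAK_ENCRYPTION),
        ("integrity", f"SQLNET.CRYPTO_CHECKSUM_{side}",
         f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}", STRONG_CHECKSUM, WEAK_CHECKSUM),
    )
    for kind, mode_param, types_param, strong, weak in checks:
        # Oracle Net treats a missing mode parameter as ACCEPTED: the service
        # is used only if the peer asks for it, so two ACCEPTED sides negotiate
        # neither encryption nor integrity.
        mode = params.get(mode_param, "ACCEPTED")
        if mode != "REQUIRED":
            findings.append(f"{mode_param} is {mode}; only REQUIRED guarantees "
                            f"{kind} on every session")
        types = params.get(types_param, [])
        if isinstance(types, str):
            types = [types]
        if not types:
            findings.append(f"{types_param} is not set; any installed {kind} "
                            f"algorithm, including weak ones, may be negotiated")
            continue
        weak_used = [t for t in types if t in weak]
        unknown = [t for t in types if t not in strong and t not in weak]
        if weak_used:
            findings.append(f"{types_param} allows weak algorithm(s): "
                            + ", ".join(weak_used))
        if unknown:
            findings.append(f"{types_param} has unrecognised value(s): "
                            + ", ".join(unknown))
    return findings


# Constructed sqlnet.ora fragments for the example.
WEAK_CONF = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128, DES)
# no checksum parameters: integrity is left to whatever the client proposes
"""

HARDENED_CONF = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""


def audit_text(text, side="SERVER"):
    return audit(parse_sqlnet(text), side)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_text(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run the script against a server's sqlnet.ora with `side="SERVER"` and against a
client's with `side="CLIENT"`; both sides have to be set, because a REQUIRED server
talking to a REJECTED client fails the connection rather than silently downgrading,
and an ACCEPTED server talking to an ACCEPTED client gets no protection at all.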
Federal Information Processing Standard
Oracle Advanced Security Release 8.1.6 has been validated under U.S. Federal
Information Processing Standard 140-1 (FIPS) at the Level 2 security level. This
provides independent confirmation that Oracle Advanced Security conforms to federal
government standards.
The cryptographic libraries for SSL included in Oracle Database 10g have been
validated under FIPS 140-2 at the Level 2 security level. Both FIPS 140-1 and FIPS
140-2 related configuration settings are described in Appendix D, "Oracle Advanced
Security FIPS 140 Settings".
See Also:
Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle Servers
and Clients"
Appendix A, "Data Encryption and Integrity Parameters"
Note: SHA-1 produces a larger message digest (160 bits) than the previously
supported MD5 (128 bits), making it more resistant to brute-force collision and
inversion attacks.
See Also: Chapter 9, "Configuring Network Data Encryption and Integrity for Oracle
Servers and Clients", for information about SHA-1
Strong Authentication
Authentication is used to prove the identity of the user. Authenticating user identity is
imperative in distributed environments; without it there can be little confidence in
network security. Passwords are the most common means of authentication. Oracle
Advanced Security enables strong authentication with Oracle authentication adapters
that support various third-party authentication services, including SSL with digital
certificates.
Figure 1–2 shows user authentication with an Oracle database instance configured to
use a third-party authentication server. Having a central facility to authenticate all
members of the network (clients to servers, servers to servers, users to both clients and
servers) is one effective way to address the threat of network nodes falsifying their
identities.
Figure 1–2 Strong Authentication with Oracle Authentication Adapters
This section contains the following topics:
Centralized Authentication and Single Sign-On
Supported Authentication Methods
Centralized Authentication and Single Sign-On
Centralized authentication also provides the benefit of single sign-on (SSO) for users.
Single sign-on enables users to access multiple accounts and applications with a single
password. A user needs to log in only once and can then automatically connect to any
other service without having to give a user name and password again. Single sign-on
eliminates the need for the user to remember and administer multiple passwords,
reducing the time spent logging into multiple services.
How Centralized Network Authentication Works Figure 1–3 shows how a centralized
network authentication service typically operates.
Figure 1–3 How a Network Authentication Service Authenticates a User
The following steps describe how the centralized network authentication process works.
1. A user (client) requests authentication services and provides identifying
information, such as a token or password.
2. The authentication server validates the user's identity and passes a ticket or
credentials back to the client, which may include an expiration time.
3. The client passes these credentials to the Oracle server concurrent with a service
request, such as connection to a database.
4. The server sends the credentials back to the authentication server for
authentication.
5. The authentication server checks the credentials and notifies the Oracle server.
6. If the credentials were accepted by the authentication server, then the Oracle
server authenticates the user. If the authentication server rejected the credentials,
then authentication fails, and the service request is denied.
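The six steps above, as an added Python model that is not the guide's code and not
Kerberos: an authentication server issues a ticket carrying an expiration time and an
integrity tag, the Oracle server refers every ticket it receives back to the
authentication server as step 4 describes, and the two failure modes a practitioner
should expect to see handled, an expired ticket and a forged one, are exercised.
Everything in it is assumed for the illustration: the shared key, the constructed user
store, the JSON ticket format and the HMAC-SHA256 tag. Real Kerberos differs in one
important respect: the service decrypts the ticket with its own long-term key and does
not contact the KDC for each connection.

```python
"""Model of the six-step centralized authentication flow in Figure 1-3.

Added example, not Oracle code and not Kerberos. Assumed for illustration:
a key shared by the authentication server and the Oracle server, a
constructed user store, JSON tickets and HMAC-SHA256 tags.
"""
import base64
import hashlib
import hmac
import json
import time

ASSUMED_SHARED_KEY = b"example-key-shared-by-auth-server-and-oracle-server"
# Constructed user store; unsalted SHA-256 only to keep the example short.
ASSUMED_USERS = {"pat": hashlib.sha256(b"correct horse").hexdigest()}


class AuthenticationServer:
    def __init__(self, key, users, ticket_lifetime=300):
        self._key = key
        self._users = users
        self.ticket_lifetime = ticket_lifetime  # seconds

    def _tag(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_ticket(self, user, password, now=None):
        """Steps 1-2: validate the identifying information and return a
        ticket with an expiration time, or None if validation fails."""
        stored = self._users.get(user, "")
        offered = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(offered, stored):
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "exp": now + self.ticket_lifetime}).encode()
        return base64.b64encode(payload).decode() + "." + self._tag(payload)

    def check_ticket(self, ticket, now=None):
        """Steps 4-5: verify a ticket forwarded by the Oracle server. Returns
        the user name, or None for a malformed, tampered or expired ticket."""
        now = time.time() if now is None else now
        try:
            encoded, tag = ticket.split(".", 1)
            payload = base64.b64decode(encoded, validate=True)
        except (ValueError, AttributeError):
            return None
        if not hmac.compare_digest(self._tag(payload), tag):
            return None                      # forged or tampered ticket
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None                      # ticket has expired
        return claims["user"]


class OracleServer:
    def __init__(self, auth_server):
        self._auth = auth_server

    def connect(self, ticket, now=None):
        """Steps 3-6: take the credentials that arrive with a connection
        request, refer them to the authentication server, grant or deny."""
        user = self._auth.check_ticket(ticket, now)
        if user is None:
            return (False, "authentication failed")
        return (True, f"session opened for {user}")


def tamper(ticket, new_user):
    """Rewrite the ticket's user claim while keeping the original tag,
    which is what an attacker replaying a captured ticket might try."""
    encoded, tag = ticket.split(".", 1)
    claims = json.loads(base64.b64decode(encoded))
    claims["user"] = new_user
    return base64.b64encode(json.dumps(claims).encode()).decode() + "." + tag


def demo(now=1000.0):
    """Run the flow at a fixed clock; returns the outcomes for inspection."""
    auth = AuthenticationServer(ASSUMED_SHARED_KEY, ASSUMED_USERS, ticket_lifetime=300)
    db = OracleServer(auth)
    ticket = auth.issue_ticket("pat", "correct horse", now)
    return {
        "bad_password": auth.issue_ticket("pat", "wrong", now),
        "fresh": db.connect(ticket, now + 60),
        "expired": db.connect(ticket, now + 300),
        "forged": db.connect(tamper(ticket, "sys"), now + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the fixed clock in `demo` is that ticket lifetime is part of the
security boundary: a captured ticket is useful to an attacker only until it expires,
and the authentication server, not the Oracle server, decides that.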
Supported Authentication Methods
Oracle Advanced Security supports the following industry-standard authentication
methods:
Kerberos
Remote Authentication Dial-In User Service (RADIUS)
Secure Sockets Layer (with digital certificates)
Entrust/PKI
Kerberos Oracle Advanced Security support for Kerberos provides the benefits of
single sign-on and centralized authentication of Oracle users. Kerberos is a trusted
third-party authentication system that relies on shared secrets. It presumes that the
third party is secure, and provides single sign-on capabilities, centralized password
storage, database link authentication, and enhanced PC security. It does this through a
Kerberos authentication server. Refer to Chapter 12, "Configuring Kerberos
Authentication" for information about configuring and using this adapter.
Remote Authentication Dial-In User Service (RADIUS) RADIUS is a client/server security
protocol that is most widely known for enabling remote authentication and access.
Oracle Advanced Security uses this standard in a client/server network environment
to enable use of any authentication method that supports the RADIUS protocol.
RADIUS can be used with a variety of authentication mechanisms, including token
cards and smart cards.
Smart Cards
A RADIUS-compliant smart card is a credit card-like hardware device which has
memory and a processor. It is read by a smart card reader located at the client
workstation.
Token Cards
Token cards (SecurID or RADIUS-compliant) can improve ease of use through
several different mechanisms. Some token cards dynamically display one-time
passwords that are synchronized with an authentication service. The server can
verify the password provided by the token card at any given time by contacting
the authentication service. Other token cards have a keypad and operate on a
challenge-response basis. In this case, the server offers a challenge (a number) that
the user enters into a token card. The token card provides a response (another
number cryptographically derived from the challenge) that the user enters and
sends to the server.
You can use SecurID tokens through the RADIUS adapter.
Note: Oracle authentication for Kerberos provides database link
authentication (also called proxy authentication). Kerberos is also
an authentication method that is supported with Enterprise User
Security.
See Also: Chapter 11, "Configuring RADIUS Authentication" for
information about configuring and using RADIUS
Secure Sockets Layer Secure Sockets Layer (SSL) is an industry standard protocol for
securing network connections. SSL provides authentication, data encryption, and data
integrity.
SSL authentication is built on a public key infrastructure (PKI). For authentication,
SSL uses digital certificates that comply with the X.509v3 standard, each bound to a
public and private key pair.
Oracle Advanced Security SSL can be used to secure communications between any
client and any server. You can configure SSL to provide authentication for the server
only, the client only, or both client and server. You can also configure SSL features in
combination with other authentication methods supported by Oracle Advanced
Security (database user names and passwords, RADIUS, and Kerberos).
To support your PKI implementation, Oracle Advanced Security includes the
following features in addition to SSL:
Oracle wallets, where you can store PKI credentials
Oracle Wallet Manager, which you can use to manage your Oracle wallets
Certificate validation with certificate revocation lists (CRLs)
Hardware security module support
Entrust/PKI Oracle Advanced Security supports the public key infrastructure provided
by the Entrust/PKI software from Entrust Technologies, Inc. Entrust-enabled Oracle
Advanced Security lets Entrust users incorporate Entrust single sign-on into their
Oracle applications, and it lets Oracle users incorporate Entrust-based single sign-on
into Oracle applications.
See Also:
Chapter 13, "Configuring Secure Sockets Layer Authentication"
for conceptual, configuration, and usage information about
SSL, certificate validation, and hardware security modules
Chapter 14, "Using Oracle Wallet Manager" for information
about using this tool to manage Oracle wallets
Chapter 15, "Configuring Multiple Authentication Methods
and Disabling Oracle Advanced Security" for information
about configuring SSL in combination with other
authentication methods
See Also: Appendix F, "Entrust-Enabled Secure Sockets Layer
Authentication" for more information about this feature
Oracle Advanced Security Architecture
Oracle Advanced Security complements an Oracle server or client installation with
advanced security features. Figure 1–4 shows the Oracle Advanced Security
architecture within an Oracle networking environment.
Figure 1–4 Oracle Advanced Security in an Oracle Networking Environment
Oracle Advanced Security supports authentication through adapters that are similar to
the existing Oracle protocol adapters. As shown in Figure 1–5, authentication adapters
integrate with the Oracle Net interface and allow existing applications to take advantage
of new authentication systems transparently, without any changes to the application.
Figure 1–5 Oracle Net Services with Authentication Adapters
System Requirements
Oracle Advanced Security 11g Release 2 (11.2) requires Oracle Net 11g Release 2 (11.2)
and supports Oracle Database Enterprise Edition. Table 1–1 lists additional system
requirements.
See Also: Oracle Database Net Services Administrator's Guide for
more information about stack communications in an Oracle
networking environment
Note: Oracle Advanced Security is not available with Oracle
Database Standard Edition.
Table 1–1 Authentication Methods and System Requirements
Authentication Method   System Requirements
Kerberos                MIT Kerberos Version 5, release 1.1 or above.
                        The Kerberos authentication server must be installed on a
                        physically secure system.
RADIUS                  A RADIUS server that is compliant with the standards in
                        the Internet Engineering Task Force (IETF) RFC #2138,
                        Remote Authentication Dial In User Service (RADIUS), and
                        RFC #2139, RADIUS Accounting.
                        To enable challenge-response authentication, you must
                        run RADIUS on an operating system that supports the
                        Java Native Interface as specified in release 1.1 of the Java
                        Development Kit from JavaSoft.
SSL                     A wallet that is compatible with the Oracle Wallet
                        Manager 10g release. Wallets created in earlier releases of
                        the Oracle Wallet Manager are not forward compatible.
Entrust/PKI             Entrust IPSEC Negotiator Toolkit Release 6.0
                        Entrust/PKI 6.0
Oracle Advanced Security Restrictions
Oracle Applications support Oracle Advanced Security encryption and data integrity.
However, because Oracle Advanced Security requires Oracle Net Services to transmit
data securely, Oracle Advanced Security external authentication features are not
supported by some parts of Oracle Financial, Human Resource, and Manufacturing
Applications when they are running on Microsoft Windows. The portions of these
products that use Oracle Display Manager (ODM) do not take advantage of Oracle
Advanced Security, because ODM does not use Oracle Net Services.
Configuration and Administration Tools
Overview
Configuring advanced security features for an Oracle database instance includes
configuring encryption, integrity (checksumming), and strong authentication methods
for Oracle Net Services. Strong authentication method configuration can include
third-party software, as is the case for Kerberos or RADIUS, or it may entail
configuring and managing a public key infrastructure for using digital certificates with
Secure Sockets Layer (SSL).
Such diverse advanced security features require a diverse set of tools with which to
configure and administer them. This chapter introduces the tools used to configure
and administer advanced security features for an Oracle database in the following
topics:
Network Encryption and Strong Authentication Configuration Tools
Public Key Infrastructure Credentials Management Tools
Duties of a Security Administrator/DBA
Network Encryption and Strong Authentication Configuration Tools
Oracle Net Services can be configured to encrypt data using standard encryption
algorithms, and for strong authentication methods, such as Kerberos, RADIUS, and
SSL. The following sections introduce the Oracle tools you can use to configure these
advanced security features for an Oracle Database:
Oracle Net Manager
Oracle Advanced Security Kerberos Adapter Command-Line Utilities
Oracle Net Manager
Oracle Net Manager is a graphical user interface tool, primarily used to configure
Oracle Net Services for an Oracle home on a local client or server host.
Although you can use Oracle Net Manager to configure Oracle Net Services, such as
naming, listeners, and general network settings, it also enables you to configure the
following Oracle Advanced Security features, which use the Oracle Net protocol:
Strong authentication (Kerberos, RADIUS, and Secure Sockets Layer)
Network encryption (Triple-DES and AES)
Checksumming for data integrity (SHA-1)
This section introduces you to the features of Oracle Net Manager that are used to
configure Oracle Advanced Security. It contains the following topics:
Starting Oracle Net Manager
Navigating to the Oracle Advanced Security Profile
Starting Oracle Net Manager
You can start Oracle Net Manager by using Oracle Enterprise Manager Console or as a
standalone application. However, you must use the standalone application to access
the Oracle Advanced Security Profile where you can configure Oracle Advanced
Security features.
To start Oracle Net Manager as a standalone application:
(UNIX) From
$ORACLE_HOME/bin
, enter the following at the command line:
netmgr
(Windows) Select Start, Programs, Oracle - HOME_NAME, Configuration and
Migration Tools, Net Manager
Navigating to the Oracle Advanced Security Profile
The Oracle Net Manager interface window contains two panes: the navigator pane
and the right pane. The interface displays various property sheets that enable you to
configure network components. When you select a network object in the navigator
pane, its associated property sheets display in the right pane. To configure Oracle
Advanced Security features, select the Profile object in the navigator pane, and then
select Oracle Advanced Security from the list in the right pane, as shown in
Figure 2–1.
See Also:
"Duties of a Security Administrator/DBA" on page 2-9 for
information about the tasks you can perform with this tool that
configure advanced security features
Oracle Database Net Services Administrator's Guide and Oracle
Net Manager online Help for complete documentation of this
tool
Figure 2–1 Oracle Advanced Security Profile in Oracle Net Manager
Oracle Advanced Security Profile Property Sheets
The Oracle Advanced Security Profile contains the following property sheets:
Authentication Property Sheet
Other Params Property Sheet
Integrity Property Sheet
Encryption Property Sheet
SSL Property Sheet
Authentication Property Sheet Use this property sheet to select a strong authentication
method, such as Kerberos Version 5 (KERBEROS5), Windows native authentication
(NTS), or RADIUS.
Other Params Property Sheet Use this property sheet to set other parameters for the
authentication method you selected on the Authentication property sheet.
Integrity Property Sheet Use this property sheet to enable checksumming on the client or
the server and to select the hashing algorithm (SHA-1) used to generate the message
digests.
Encryption Property Sheet Use this property sheet to select one or more native
encryption algorithms (Triple-DES and AES) for client or server connections, and
whether encryption is accepted, requested, required, or rejected.
SSL Property Sheet Use this property sheet to configure Secure Sockets Layer (SSL),
including the wallet location and cipher suite, on a client or server.
Oracle Advanced Security Kerberos Adapter Command-Line Utilities
The Oracle Advanced Security Kerberos adapter provides three command-line utilities
that enable you to obtain, cache, display, and remove Kerberos credentials. The
following table briefly describes these utilities:

Utility Name | Description
okinit       | Obtains Kerberos tickets from the key distribution center (KDC) and caches them in the user's credential cache
oklist       | Displays a list of Kerberos tickets in the specified credential cache
okdstry      | Removes Kerberos credentials from the specified credential cache

See Also: "Utilities for the Kerberos Authentication Adapter" on page 12-8 for complete descriptions of these utilities, their syntax, and available options

Note: The Cybersafe adapter is not supported beginning with this release. You should use Oracle's Kerberos adapter in its place. Kerberos authentication with the Cybersafe KDC (Trust Broker) continues to be supported when using the Kerberos adapter.

Public Key Infrastructure Credentials Management Tools
The security provided by a public key infrastructure (PKI) depends on how effectively
you store, manage, and validate your PKI credentials. The following Oracle tools are
used to manage certificates, wallets, and certificate revocation lists so your PKI
credentials can be stored securely and your certificate validation mechanisms kept
current:
Oracle Wallet Manager
orapki Utility

Oracle Wallet Manager
Oracle Wallet Manager is an application that wallet owners and security
administrators use to manage and edit the security credentials in their Oracle wallets.
A wallet is a password-protected container that is used to store authentication and
signing credentials, including private keys, certificates, and trusted certificates needed
by SSL. You can use Oracle Wallet Manager to perform the following tasks:
Create public and private key pairs
Store and manage user credentials
Generate certificate requests
Store and manage certificate authority certificates (root key certificate and certificate chain)
Upload and download wallets to and from an LDAP directory
Create wallets to store hardware security module credentials
The following topics introduce the Oracle Wallet Manager user interface:
Starting Oracle Wallet Manager
Navigating the Oracle Wallet Manager User Interface
Toolbar
Menus
Starting Oracle Wallet Manager
To start Oracle Wallet Manager:
(UNIX) From $ORACLE_HOME/bin, enter the following at the command line:
owm
(Windows) Select Start, Programs, Oracle HOME_NAME, Integrated Management Tools, Wallet Manager
Navigating the Oracle Wallet Manager User Interface
The Oracle Wallet Manager interface includes two panes, a toolbar, and various menu
items as shown in Figure 2–2.

Figure 2–2 Oracle Wallet Manager User Interface

Navigator Pane
The navigator pane provides a graphical navigation tree view of the certificate requests and certificates stored in the Oracle home where Oracle Wallet Manager is installed. You can use the navigator pane to view, modify, add, or delete certificates and certificate requests.
The navigator pane functions the same way as it does in other Oracle graphical user interface tools, enabling you to:
Expand and contract wallet objects so that you can manage the user and trusted certificates they contain.
Right-click a wallet, certificate, or certificate request to perform operations on it such as add, remove, import, or export.
When you expand a wallet, you see a nested list of user and trusted certificates. When you select a wallet or certificate in the navigator pane, details about your selection display in the adjacent right pane of Oracle Wallet Manager. Table 2–1 lists the main objects that display in the navigator pane.

Table 2–1 Oracle Wallet Manager Navigator Pane Objects
Object | Description
Wallet | Password-protected container that is used to store authentication and signing credentials
Certificate Request (1) | A PKCS #10-encoded message containing the requester's distinguished name (DN), a public key, the key size, and key type.
Certificate (1) | An X.509 data structure containing the entity's DN and public key, signed by a trusted identity (certificate authority).
Trusted Certificate (1) | Sometimes called a root key certificate; a certificate from a third-party identity that is qualified with a level of trust.
(1) These objects display only after you create a wallet, generate a certificate request, and import a certificate into the wallet.

Right Pane
The right pane displays information about an object that is selected in the navigator pane. The right pane is read-only.
Figure 2–3 shows what is displayed in the right pane when a certificate request object is selected in the navigator pane. Information about the request and the requester's identity display in the Requested Identity, Key Size, and Key Type fields. The PKCS #10-encoded certificate request displays in the Certificate Request text box. To request a certificate from a certificate authority, you can copy this request into an e-mail or export it into a file.

Note: Figure 2–3 shows a certificate request for a user. A certificate can also be requested for a server, in which case the CN attribute will contain the name of the server in place of the user name.

Figure 2–3 Certificate Request Information Displayed in Oracle Wallet Manager Right Pane

See Also: Chapter 14, "Using Oracle Wallet Manager" for detailed information about using this application
Toolbar
The toolbar contains buttons that enable you to manage your wallets. Move the mouse
cursor over a toolbar button to display a description of the button's function. The
toolbar buttons are listed and described in Table 2–2.

Table 2–2 Oracle Wallet Manager Toolbar Buttons
Toolbar Button | Description
New            | Creates a new wallet
Open Wallet    | Enables you to browse your file system to locate and open an existing wallet
Save Wallet    | Saves the currently open wallet
Delete Wallet  | Deletes the wallet that is currently selected in the navigator pane
Help           | Opens the Oracle Wallet Manager online Help

Menus
You use Oracle Wallet Manager menus to manage your wallets and the credentials
they contain. The following sections describe the options that are available under each
menu.

Wallet Menu
Table 2–3 describes the contents of the Wallet menu.

Table 2–3 Oracle Wallet Manager Wallet Menu Options
Option | Description
New | Creates a new wallet
Open | Opens an existing wallet
Close | Closes the currently open wallet
Upload Into The Directory Service | Uploads a wallet to a specified LDAP directory server. You must supply a directory password, host name, and port information.
Download From The Directory Service | Downloads a wallet from a specified LDAP directory server. You must supply a directory password, host name, and port information.
Save | Saves the currently open wallet in the current working directory
Save As | Enables you to browse your file system to choose a directory location in which to save the currently open wallet
Save In System Default | Saves the currently open wallet in the system default location: (UNIX) /etc/ORACLE/WALLETS/username; (Windows) %USERPROFILE%\ORACLE\WALLETS
Delete | Deletes the wallet in the current working directory. You must supply the wallet password.
Change Password | Changes the password for the currently open wallet. You must supply the old password before you can create a new one.
Auto Login | Sets the auto login feature for the currently open wallet.
Exit | Exits the Oracle Wallet Manager application

Operations Menu
Table 2–4 describes the contents of the Operations menu.

Table 2–4 Oracle Wallet Manager Operations Menu Options
Option | Description
Add Certificate Request | Generates a certificate request for the currently open wallet that you can use to request a certificate from a certificate authority (CA)
Import User Certificate | Imports the user certificate issued to you from the CA. You must import the issuing CA's certificate as a trusted certificate before you can import the user certificate.
Import Trusted Certificate | Imports the CA's trusted certificate
Remove Certificate Request | Deletes the certificate request in the currently open wallet. You must remove the associated user certificate before you can delete a certificate request.
Remove User Certificate | Deletes the user certificate from the currently open wallet.
Remove Trusted Certificate | Removes the trusted certificate that is selected in the navigator pane from the currently open wallet. You must remove all user certificates that the trusted certificate signs before you can remove it.
Export User Certificate | Exports the user certificate in the currently open wallet to save in a file system directory
Export Certificate Request | Exports the certificate request in the currently open wallet to save in a file
Export Trusted Certificate | Exports the trusted certificate that is selected in the navigator pane to save in another location in your file system
Export All Trusted Certificates | Exports all trusted certificates in the currently open wallet to save in another location in your file system
Export Wallet | Exports the currently open wallet to save as a text file

Help Menu
Table 2–5 describes the contents of the Help menu.

Table 2–5 Oracle Wallet Manager Help Menu Options
Option | Description
Contents | Opens Oracle Wallet Manager online Help
Search for Help on | Opens Oracle Wallet Manager online Help and displays the Search tab
About Oracle Wallet Manager | Opens a window that displays the Oracle Wallet Manager version number and copyright information

orapki Utility
The orapki utility is a command line tool that you can use to manage certificate
revocation lists (CRLs), create and manage Oracle wallets, and to create signed
certificates for testing purposes.
The basic syntax for this utility is as follows:
orapki module command -option_1 argument ... -option_n argument
For example, the following command lists all CRLs in the CRL subtree in an instance of Oracle Internet Directory that is installed on machine1.us.example.com and that uses port 389:
orapki crl list -ldap machine1.us.example.com:389

See Also:
"Certificate Revocation List Management" on page 13-28 for information about how to use orapki to manage CRLs in the directory
Appendix E, "orapki Utility" for reference information on all available orapki commands

Duties of a Security Administrator/DBA
Most of the tasks of a security administrator involve ensuring that the connections to
and from Oracle databases are secure. Table 2–6 lists the primary tasks of security
administrators, the tools used to perform the tasks, and links to where the tasks are
documented.
Table 2–6 Common Security Administrator/DBA Configuration and Administrative Tasks
Task | Tools Used | See Also
Configure encrypted Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Encryption on the Client and the Server" on page 9-6
Configure checksumming on Oracle Net connections between database servers and clients | Oracle Net Manager | "Configuring Integrity on the Client and the Server" on page 9-7
Configure database clients to accept RADIUS authentication | Oracle Net | "Step 2A: Configure RADIUS on the Oracle Client" on page 11-7
Configure a database to accept RADIUS authentication | Oracle Net | "Step 2B: Configure RADIUS on the Oracle Database Server" on page 11-8
Create a RADIUS user and grant them access to a database session | SQL*Plus | "Step 3: Create a User and Grant Access" on page 11-12
Configure Kerberos authentication on a database client and server | Oracle Net Manager | "Step 7: Configure Kerberos Authentication" on page 12-4
Create a Kerberos database user | kadmin.local; Oracle Net Manager | "Step 8: Create a Kerberos User" on page 12-7; "Step 9: Create an Externally Authenticated Oracle User" on page 12-8
Manage Kerberos credentials in the credential cache | okinit; oklist; okdstry | "Obtaining the Initial Ticket with the okinit Utility" on page 12-9; "Displaying Credentials with the oklist Utility" on page 12-9; "Removing Credentials from the Cache File with the okdstry Utility" on page 12-10
Create a wallet for a database client or server | Oracle Wallet Manager | "Creating a New Wallet" on page 14-8
Request a user certificate from a certificate authority (CA) for SSL authentication | Oracle Wallet Manager | "Adding a Certificate Request" on page 14-15; "Importing the User Certificate into the Wallet" on page 14-17
Import a user certificate and its associated trusted certificate (CA certificate) into a wallet | Oracle Wallet Manager | "Importing a Trusted Certificate" on page 14-21; "Importing the User Certificate into the Wallet" on page 14-17
Configure SSL connections for a database client | Oracle Net Manager | "Step 3: Configure Secure Sockets Layer on the Client" on page 13-14
Configure SSL connections for a database server | Oracle Net Manager | "Step 2: Configure Secure Sockets Layer on the Server" on page 13-9
Enable certificate validation with certificate revocation lists | Oracle Net Manager | "Configuring Certificate Validation with Certificate Revocation Lists" on page 13-26
Part II
Oracle Data Redaction
This part describes how to use Oracle Data Redaction.
Part II contains the following chapters:
Chapter 3, "Introduction to Oracle Data Redaction"
Chapter 4, "Oracle Data Redaction Features and Capabilities"
Chapter 5, "Configuring Oracle Data Redaction Policies"
Chapter 6, "Oracle Data Redaction Use with Oracle Database Features"
Chapter 7, "Security Guidelines for Oracle Data Redaction"
3 Introduction to Oracle Data Redaction
Oracle Data Redaction provides the ability to redact data, typically sensitive data, in real time.
This chapter contains the following topics:
What Is Oracle Data Redaction?
When to Use Oracle Data Redaction
Benefits of Using Oracle Data Redaction
Target Use Cases for Oracle Data Redaction
What Is Oracle Data Redaction?
Oracle Data Redaction enables you to mask (redact) data that is returned from queries
issued by applications. You can redact column data by using one of the following
methods:
Full redaction. You redact all of the contents of the column data. The redacted value returned to the querying application user depends on the data type of the column. For example, columns of the NUMBER data type are redacted with a zero (0), and character data types are redacted with a single space.
Partial redaction. You redact a portion of the column data. For example, you can
redact a Social Security number with asterisks (*), except for the last 4 digits.
Regular expressions. You can use regular expressions to look for patterns of data
to redact. For example, you can use regular expressions to redact email addresses,
which can have varying character lengths. It is designed for use with character
data only.
Random redaction. The redacted data presented to the querying application user
appears as randomly generated values each time it is displayed, depending on the
data type of the column.
No redaction. The None redaction type option enables you to test the internal
operation of your redaction policies, with no effect on the results of queries against
tables with policies defined on them. You can use this option to test the redaction
policy definitions before applying them to a production environment.
Oracle Database applies the redaction at runtime, when users access the data (that is,
at query-execution time). This solution works well in a production system. During the
time that the data is being redacted, all of the data processing is performed normally,
and the back-end referential integrity constraints are preserved.
Data redaction can help you to comply with industry regulations such as Payment
Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act.
When to Use Oracle Data Redaction
Use Oracle Data Redaction when you must disguise sensitive data that your
applications and application users must access. Data Redaction enables you to easily
disguise the data using several different redaction styles.
Oracle Data Redaction is ideal for situations in which you must redact specific characters out of the result set of queries of Personally Identifiable Information (PII) returned to certain application users. For example, you may want to present a U.S. Social Security number that ends with the numbers 4320 as ***-**-4320.
Oracle Data Redaction is particularly suited for call center applications and other
applications that are read-only. Take care when using Oracle Data Redaction with
applications that perform updates back to the database, because redacted data can be
written back to this database.
Benefits of Using Oracle Data Redaction
The benefits of using Oracle Data Redaction to protect your data are as follows:
You have different styles of redaction from which to choose.
Because the data is redacted at runtime, Data Redaction is well suited to
environments in which data is constantly changing.
You can create the Data Redaction policies in one central location and easily
manage them from there.
The Data Redaction policies enable you to create a wide variety of function conditions based on SYS_CONTEXT values, which can be used at runtime to decide when the Data Redaction policies will apply to the results of the application user's query.
Target Use Cases for Oracle Data Redaction
Oracle Data Redaction fulfils common use case scenarios.
This section contains:
Using Oracle Data Redaction with Database Applications
Considerations When Using Oracle Data Redaction with Ad Hoc Database
Queries
Using Oracle Data Redaction with Database Applications
Oracle Data Redaction protects sensitive data that is displayed in database applications. Data Redaction is transparent to application users because it preserves the original data type and (optionally) the formatting. It is highly transparent to the database because the data remains the same in buffers, caches, and storage; it is changed only at the last minute, just before SQL query results are returned to the caller. The redaction is enforced consistently across all of the applications that use the same underlying database. You can specify which application users should see only redacted data by checking application user information that is passed into the database through the SYS_CONTEXT function; you can redact data based on attributes of the current database or application user; and you can implement multiple logical conditions within a given redaction policy. In addition, Data Redaction is implemented in a way that minimizes performance overhead. These characteristics make Oracle Data Redaction particularly well suited for usage by a range of applications, analytics tools, reporting tools, and monitoring tools that share common production databases.
Although its primary target is redaction of production data for applications, Oracle Data Redaction also can be used in combination with Oracle Enterprise Manager Data Masking and Subsetting Pack for protecting sensitive data in testing and development environments.

See Also:
Oracle Database Real Application Testing User's Guide for more information about data masking
"Oracle Data Redaction and Data Masking and Subsetting Pack" on page 6-3

Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries
You may encounter situations where it is convenient to redact sensitive data for ad hoc queries that are performed by database users. For example, in the course of supporting a production application, a user may need to run ad hoc database queries to troubleshoot and fix an urgent problem with the application. This is different from the application-based scenarios described in "Using Oracle Data Redaction with Database Applications" on page 3-2, which typically generate a bounded set of SQL queries, use defined database accounts, and have fixed privileges.
Even though Oracle Data Redaction is not designed to prevent data exposure to database users who run ad hoc queries directly against the database, it can provide an additional layer to reduce the chances of accidental data exposure. Because such users may have rights to change data, alter the database schema, and circumvent the SQL query interface entirely, it is possible for a malicious user to bypass Data Redaction policies in certain circumstances.
Remember that the Oracle Database security tools are designed to be used together to improve overall security. By deploying one or more of these tools as a complement to Oracle Data Redaction, you can strengthen your overall security posture.

See Also: "General Usage Guidelines" on page 7-1 for additional general usage guidelines
4 Oracle Data Redaction Features and Capabilities
Oracle Data Redaction provides a variety of ways to redact different types of data.
This chapter contains the following topics:
Using Full Data Redaction to Redact All Data
Using Partial Data Redaction to Redact Sections of Data
Using Regular Expressions to Redact Patterns of Data
Using Random Data Redaction to Generate Random Values
Comparison of Full, Partial, and Random Redaction Based on Data Types
Using No Redaction for Testing Purposes
Using Full Data Redaction to Redact All Data
When an Oracle Data Redaction policy that specifies full data redaction is applied to a
table or view, the entire contents of the column are redacted. By default the output is
displayed as follows:
Character data types: The output text is a single space.
Number data types: The output text is a zero (0).
Date-time data types: The output text is set to the first day of January, 2001, which appears as 01-JAN-01.
Full redaction is the default and is used whenever a Data Redaction policy specifies the column but omits the function_type parameter setting. When you run the DBMS_REDACT.ADD_POLICY procedure, to set the function_type parameter setting for full redaction, you enter the following setting:
function_type => DBMS_REDACT.FULL
You can use the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure to change the full redaction output to different values.
See Also:
"Syntax for Creating a Full Redaction Policy" on page 5-8
"Altering the Default Full Data Redaction Value" on page 5-9
Using Partial Data Redaction to Redact Sections of Data
In partial data redaction, you redact portions of the displayed output. You can set the
position within the actual data at which to begin the redaction, the number of
characters to redact starting from that position, and the redaction character to use. This
type of redaction is useful for situations where you want it to be obvious to the person
viewing the data that it was redacted in some way. Typically, you use this type of
redaction for credit cards or ID numbers.
Be aware that partial data redaction requires that your data width remain fixed. If you
want to redact columns containing string values of variable length, then you must use
regular expressions, as described in "Using Regular Expressions to Redact Patterns of
Data" on page 4-3.
To specify partial redaction, you must set the DBMS_REDACT.ADD_POLICY procedure function_type parameter to DBMS_REDACT.PARTIAL and use the function_parameters parameter to define the partial redaction behavior.
The displayed output for partial data redaction can be as follows:
Character data types: When partially redacted, a Social Security number (represented as a hyphenated string within a character data type) with value 987-65-4320 could be redacted so that it is displayed as shown in the following examples. The code on the right specifies how to redact the character data: it specifies the expected input format of the actual data, the format to use for the display of the redacted output, the start position at which to begin the redaction, the character to use for the redaction, and how many characters to redact. The first example uses a predefined shortcut for character data type Social Security numbers, and the second example replaces the first five numbers with an asterisk (*) while preserving the hyphens (-) in between the numbers.
XXX-XX-4320    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,
***-**-4320    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
Number data types: The partially redacted NUMBER data type Social Security number 987654328 could appear as follows. Both redact the first five digits. The first example uses a predefined shortcut that is designed for Social Security numbers in the NUMBER data type, and the second replaces the first five numbers with the number 9, starting from the first digit.
XXXXX4328      function_parameters => DBMS_REDACT.REDACT_NUM_US_SSN_F5,
999994328      function_parameters => '9,1,5',
Date-time data types: Partially redacted datetime values can appear simply as different dates. For example, the date 29-AUG-11 10.20.50.000000 AM could appear as follows. In the first example, the day of the month is redacted to 02 (using the setting d02) and in the second example, the month is redacted to DEC (using m12). The uppercase values show the actual month (M), year (Y), hour (H), minute (M), and second (S).
02-AUG-11 10.20.50.000000 AM    function_parameters => 'Md02YHMS',
29-DEC-11 10.20.50.000000 AM    function_parameters => 'm12DYHMS',
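To dry-run these format strings before they go into a policy, the following Python simulation (an added example, not Oracle's code) reproduces the full-redaction defaults from "Using Full Data Redaction to Redact All Data" and the partial-redaction formats described above and applies them to the guide's sample values. It assumes that the fourth and fifth fields of a character or NUMBER format are the first and last V position to mask, which for "1,5" is the same as redacting five characters starting at position 1, and that the six date-time fields always appear in the order month, day, year, hour, minute, second.

```python
"""Simulation of DBMS_REDACT full and partial redaction formats.

Constructed example, not Oracle's implementation: it applies the
full-redaction defaults and interprets partial-redaction
function_parameters strings the way the text describes them, so that a
format string can be checked against sample values before a policy exists.
"""
from datetime import datetime

ORACLE_TS_FORMAT = "%d-%b-%y %I.%M.%S.%f %p"   # e.g. 29-AUG-11 10.20.50.000000 AM


def full_redact(value):
    """Default full-redaction output per data type (DBMS_REDACT.FULL)."""
    if isinstance(value, str):
        return " "                      # character types: a single space
    if isinstance(value, datetime):
        return datetime(2001, 1, 1)     # date-time types: 01-JAN-01
    return 0                            # number types: zero


def partial_redact_char(value, params):
    """Apply a character format such as 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5'.

    Fields: input format (V = data character, F = fixed character), output
    format (V slots are filled from the input's V characters in order, any
    other character is emitted literally), mask character, and the first
    and last V position (1-based, inclusive) to mask (assumed reading).
    """
    in_fmt, out_fmt, mask, first, last = params.split(",")
    if len(value) != len(in_fmt):
        raise ValueError("value does not match the input format width")
    v_chars = [c for c, f in zip(value, in_fmt) if f == "V"]
    for i in range(int(first) - 1, min(int(last), len(v_chars))):
        v_chars[i] = mask
    slots = iter(v_chars)
    return "".join(next(slots) if f == "V" else f for f in out_fmt)


def partial_redact_number(value, params):
    """Apply a NUMBER format such as '9,1,5' (mask digit, first, last) to an int."""
    mask_digit, first, last = params.split(",")
    digits = list(str(abs(value)))
    for i in range(int(first) - 1, min(int(last), len(digits))):
        digits[i] = mask_digit
    redacted = int("".join(digits))
    return -redacted if value < 0 else redacted


# Date-time format: six fields in fixed order, each an uppercase letter
# (keep the actual value) or a lowercase letter followed by the replacement
# (four digits for y, two otherwise), for example 'Md02YHMS' or 'm12DYHMS'.
_DATE_FIELDS = (("m", "month"), ("d", "day"), ("y", "year"),
                ("h", "hour"), ("m", "minute"), ("s", "second"))


def partial_redact_datetime(value, params):
    """Apply a date-time format such as 'Md02YHMS' to a datetime."""
    replacements = {}
    pos = 0
    for letter, field in _DATE_FIELDS:
        if pos >= len(params) or params[pos].lower() != letter:
            raise ValueError("expected %s field at offset %d" % (field, pos))
        token = params[pos]
        pos += 1
        if token.islower():
            width = 4 if letter == "y" else 2
            replacements[field] = int(params[pos:pos + width])
            pos += width
    return value.replace(**replacements)


def parse_oracle_timestamp(text):
    """Parse the guide's display form, e.g. '29-AUG-11 10.20.50.000000 AM'."""
    return datetime.strptime(text, ORACLE_TS_FORMAT)


def oracle_timestamp(value):
    """Render a datetime in the guide's display form."""
    return value.strftime(ORACLE_TS_FORMAT).upper()


if __name__ == "__main__":
    print(partial_redact_char("987-65-4320", "VVVFVVFVVVV,VVV-VV-VVVV,*,1,5"))  # ***-**-4320
    print(partial_redact_number(987654328, "9,1,5"))                           # 999994328
    ts = parse_oracle_timestamp("29-AUG-11 10.20.50.000000 AM")
    print(oracle_timestamp(partial_redact_datetime(ts, "Md02YHMS")))  # 02-AUG-11 10.20.50.000000 AM
    print(oracle_timestamp(partial_redact_datetime(ts, "m12DYHMS")))  # 29-DEC-11 10.20.50.000000 AM
```

Running a candidate format over a few real-shaped values this way catches the common mistake of an input format whose width does not match the column data, which the character function rejects instead of silently misaligning the mask.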
Using Regular Expressions to Redact Patterns of Data
You can use regular expressions to redact specific data within a column data value, based on a pattern search. For example, you can redact the user name of email addresses, so that only the domain shows (for example, replacing hpreston in the email address hpreston@example.com with [redacted] so that it appears as [redacted]@example.com). To perform the redaction, set the DBMS_REDACT.ADD_POLICY procedure function_type parameter to DBMS_REDACT.REGEXP, and then use the following parameters to build the regular expression:
A string search pattern (that is, the values to search for), such as:
regexp_pattern => '(.+)@(.+\.[A-Za-z]{2,4})'
This setting looks for a pattern of the following form:
one_or_more_characters@one_or_more_characters.2-4_characters_in_range_A-Z_or_a-z
A replacement string, which replaces the value matched by the regexp_pattern setting. The replacement string can include back references to sub-expressions of the main regular expression pattern. The following example replaces the data before the @ symbol (from the regexp_pattern setting) with the text [redacted]. The \2 setting refers to the second match group, which is (.+\.[A-Za-z]{2,4}) from the regexp_pattern setting.
regexp_replace_string => '[redacted]@\2'
The starting position for the string search, such as the first character of the data:
regexp_position => DBMS_REDACT.RE_BEGINNING
The kind of search and replace operation to perform, such as the first occurrence, every fifth occurrence, or all of the occurrences:
regexp_occurrence => DBMS_REDACT.RE_ALL
The default matching behavior for the search and replace operation, such as whether the search is case-sensitive (i sets it to be not case-sensitive):
regexp_match_parameter => 'i'
In addition to the default parameters, you can use a set of predefined shortcuts that enable you to use commonly used regular expressions for telephone numbers, email addresses, and credit card numbers.
See Also:
"Syntax for Creating a Partial Redaction Policy" on page 5-12
"Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19
"About Creating Regular Expression-Based Redaction Policies" on page 5-19
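The pattern and replacement above, dry-run in an added Python example (not Oracle's code; Python's re module stands in for the database's regular expression engine, and RE_ALL and RE_FIRST are assumed stand-in values for the DBMS_REDACT constants). It shows two things worth checking before a regular expression policy is enabled: a value the pattern never matches is handed back unredacted, and the greedy (.+) group collapses a value that holds several addresses into a single one.

```python
"""Dry run of a DBMS_REDACT.REGEXP style search-and-replace.

Constructed example, not Oracle's implementation: checks a regexp_pattern /
regexp_replace_string pair against sample values before it goes into a policy.
"""
import re

# The pattern and replacement from the guide's example.
EMAIL_PATTERN = r"(.+)@(.+\.[A-Za-z]{2,4})"
EMAIL_REPLACEMENT = r"[redacted]@\2"

RE_ALL = 0      # assumed stand-ins for DBMS_REDACT.RE_ALL / RE_FIRST
RE_FIRST = 1

# A tighter pattern for the same job: one match per address, so a value
# holding several addresses is redacted address by address instead of the
# greedy (.+) swallowing everything up to the last '@'.
PER_ADDRESS_PATTERN = r"([^@\s]+)@([^@\s]+\.[A-Za-z]{2,4})"


def regexp_redact(value, pattern=EMAIL_PATTERN, replacement=EMAIL_REPLACEMENT,
                  occurrence=RE_ALL, match_parameter="i"):
    """Replace the matched occurrence(s) of pattern in value.

    occurrence: RE_ALL replaces every match; a positive n replaces only the
    n-th match. A match_parameter containing 'i' makes the search
    case-insensitive, as in the guide's regexp_match_parameter => 'i'.
    """
    flags = re.IGNORECASE if "i" in match_parameter else 0
    if occurrence == RE_ALL:
        return re.sub(pattern, replacement, value, flags=flags)
    matches = list(re.finditer(pattern, value, flags))
    if len(matches) < occurrence:
        return value
    m = matches[occurrence - 1]
    return value[:m.start()] + m.expand(replacement) + value[m.end():]


def unredacted_samples(samples, pattern=EMAIL_PATTERN, replacement=EMAIL_REPLACEMENT):
    """Return the sample values the pattern leaves completely unchanged.

    A value that never matches is returned to the caller as-is, so a pattern
    that is too narrow exposes data without any error; run the shapes of
    data the column really holds through this before enabling the policy.
    """
    return [s for s in samples if regexp_redact(s, pattern, replacement) == s]


if __name__ == "__main__":
    # Constructed sample values.
    print(regexp_redact("hpreston@example.com"))                       # [redacted]@example.com
    print(regexp_redact("hpreston@example.com, jsmith@example.org"))   # [redacted]@example.org
    print(regexp_redact("hpreston@example.com, jsmith@example.org", PER_ADDRESS_PATTERN))
    print(unredacted_samples(["hpreston@example.com", "hpreston@localhost"]))
```

The second call shows the over-match: the whole two-address value becomes one redacted address, which is not a disclosure but does destroy data the application may need; the per-address pattern keeps one redacted token per address. The last call shows the gap that matters more: an address without a dotted domain never matches, so it is returned intact.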
Using Random Data Redaction to Generate Random Values
In random data redaction, the entire value is redacted by replacing it with a random
value. The redacted values displayed in the result set of the query change randomly
each time application users run the query. This type of redaction is useful in cases
where you do not want it to be obvious that the data was redacted. It works especially
well for number and datetime data types, where it is difficult to distinguish between
random and real data.
The displayed output for random values changes based on the data type of the
redacted column, as follows:
Character data types: The random output is a mixture of characters (for example, HTU[G{\pjkEWcK). It behaves differently for the CHAR and VARCHAR2 data types, as follows:
CHAR data type: The redacted output is always in the same character set as the character set of the column. The byte length of the redacted output is always the same as the column definition length (that is, the column length that was provided at the time of table creation). For example, if the column is CHAR(20), then a string of 20 random characters is provided in the redacted output of the user's query.
VARCHAR2 data type: For random redaction of a VARCHAR2 data type, the redacted output is always in the same character set as the character set of the column. The length of the redacted output is limited based on the length of the actual data in the column. No characters in excess of the length of the actual data are displayed. For example, if the column is VARCHAR2(20) and the row being redacted contains actual data with a length of 12, then a string of 12 random characters (not 20) is provided in the redacted output of the user's query for that row.
Number data types: Each actual number value is redacted by replacing it with a random, non-negative number modulo the absolute value of the actual data. This redaction results in random numbers that do not exceed the precision of the actual data. For example, the number 987654321 can be redacted by replacing it with any of the numbers 12345678, 13579, 0, or 987654320, but not by replacing it with any of the numbers 987654321, 99987654321, or -1. The number -123 could be redacted by replacing it with the numbers 122, 0, or 83, but not by replacing it with any of the numbers 123, 1123, or -2.
The only exception to the above is when the actual value is an integer between -1 and 9. In this case, the actual data is redacted by replacing it with a random, non-negative integer modulo ten (10).
Date-time data types: When values of the date data type are redacted using random Data Redaction, Oracle Database displays them with random dates that are always different from those of the actual data.
The setting for using random redaction is as follows:
function_type => DBMS_REDACT.RANDOM
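The rules above, as an added Python simulation (not Oracle's implementation; the character alphabet and the date range are assumptions of the example): the random_redact_* functions generate values that follow them, and is_valid_random_number() encodes the number rule so that output observed in a test environment can be checked against the guide's own examples.

```python
"""Simulation of random Data Redaction and a checker for its number rule.

Constructed example, not Oracle's implementation. The output character set
and the date range are assumptions; Oracle uses the column's character set.
"""
import secrets
import string
from datetime import date, timedelta

_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # assumed


def random_redact_char(actual, column_length, fixed_width=False):
    """CHAR(n) (fixed_width=True) yields n characters; VARCHAR2(n) yields
    only as many characters as the actual value has."""
    if len(actual) > column_length:
        raise ValueError("actual value longer than the column definition")
    n = column_length if fixed_width else len(actual)
    return "".join(secrets.choice(_ALPHABET) for _ in range(n))


def random_redact_number(actual):
    """Non-negative random integer modulo |actual|, except that an integer
    between -1 and 9 is replaced by a random integer modulo 10."""
    if -1 <= actual <= 9:
        return secrets.randbelow(10)
    return secrets.randbelow(abs(actual))


def is_valid_random_number(actual, redacted):
    """True if redacted is a value the number rule allows for actual."""
    if -1 <= actual <= 9:
        return 0 <= redacted < 10
    return 0 <= redacted < abs(actual)


def random_redact_date(actual, earliest=date(1900, 1, 1), latest=date(2099, 12, 31)):
    """A random date in [earliest, latest] that is never the actual date."""
    span = (latest - earliest).days
    while True:
        candidate = earliest + timedelta(days=secrets.randbelow(span + 1))
        if candidate != actual:
            return candidate


def random_redact_date_iso(iso_date):
    """Convenience wrapper on ISO strings, e.g. '2011-08-29'."""
    return random_redact_date(date.fromisoformat(iso_date)).isoformat()


if __name__ == "__main__":
    print(random_redact_char("Hello World!", 20))                    # 12 characters
    print(random_redact_char("Hello World!", 20, fixed_width=True))  # 20 characters
    print(random_redact_number(987654321))                           # 0 .. 987654320
    print(random_redact_number(-123))                                # 0 .. 122
    print(random_redact_date_iso("2011-08-29"))                      # never 2011-08-29
```

Note what the number rule implies for review: because the redacted value is bounded by |actual|, the magnitude of a random-redacted number still says something about the original, which is why the guide recommends this style where it should not be obvious that data was redacted rather than where the value itself must be hidden.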
Comparison of Full, Partial, and Random Redaction Based on Data Types
The full, partial, and random data redaction styles affect the Oracle built-in, ANSI,
user-defined, and Oracle supplied types in different ways.
See Also: "Syntax for Creating a Random Redaction Policy" on
page 5-24
Comparison of Full, Partial, and Random Redaction Based on Data Types
Oracle Data Redaction Features and Capabilities 4-5
This section contains:
Redaction Capabilities for Oracle Built-in Data Types
Redaction Capabilities for the ANSI Data Types
Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types
Redaction Capabilities for Oracle Built-in Data Types
Table 4–1 compares how the full, partial, and random redaction styles work for Oracle
built-in data types.
Redaction Capabilities for the ANSI Data Types
Table 4–2 compares how the full, partial, and random redaction styles work for ANSI
data types.
Table 4–1 Redaction Capabilities for Oracle Built-in Data Types

Data Type | Notes | Full Redaction | Partial Redaction | Random Redaction
Character: CHAR, VARCHAR2 (including long VARCHAR2, for example VARCHAR2(20000)), NCHAR, NVARCHAR2 | None | Default redacted value is a single blank space | Supported data type | Supported data type
Number: NUMBER, FLOAT, BINARY_FLOAT, BINARY_DOUBLE | None | Default redacted value is zero (0) | Supported data type | Supported data type
Raw: LONG RAW, RAW | None | Not a supported data type | Not a supported data type | Not a supported data type
Date-time: DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, TIMESTAMP WITH LOCAL TIME ZONE | None | Default redacted value is 01-01-01 or 01-01-01 01:00:00 | Supported data type | Supported data type
Interval: INTERVAL YEAR TO MONTH, INTERVAL DAY TO SECOND | None | Not a supported data type | Not a supported data type | Not a supported data type
Large Object: BFILE | None | Not a supported data type | Not a supported data type | Not a supported data type
Large Object: BLOB | The No Redaction type (DBMS_REDACT.NONE) does not support LOB data types | Oracle's raw representation of [redacted] | Not a supported data type | Not a supported data type
Large Object: CLOB, NCLOB | The No Redaction type (DBMS_REDACT.NONE) does not support LOB data types | Default redacted value is [redacted] | Not a supported data type | Not a supported data type
Rowid: ROWID, UROWID | None | Not a supported data type | Not a supported data type | Not a supported data type
Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types
Table 4–3 compares how the full, partial, and random redaction styles work for user defined and Oracle supplied types.
Table 4–2 Redaction Capabilities for the ANSI Data Types

Data Type | How Converted | Full Redaction | Partial Redaction | Random Redaction
CHARACTER(n), CHAR(n) | Converted to CHAR(n) | Default redacted value is a single blank space | Supported data type | Supported data type
CHARACTER VARYING(n), CHAR VARYING(n) | Converted to VARCHAR2(n) | Default redacted value is a single blank space | Supported data type | Supported data type
NATIONAL CHARACTER(n), NATIONAL CHAR(n), NCHAR(n) | Converted to NCHAR(n) | Default redacted value is a single blank space | Supported data type | Supported data type
NATIONAL CHARACTER VARYING(n), NATIONAL CHAR VARYING(n), NCHAR VARYING(n) | Converted to NVARCHAR2(n) | Default redacted value is a single blank space | Supported data type | Supported data type
NUMERIC[(p,s)], DECIMAL[(p,s)] | Converted to NUMBER(p,s) | Default redacted value is zero (0) | Supported data type | Supported data type
INTEGER, INT, SMALLINT | Converted to NUMBER(38) | Default redacted value is zero (0) | Supported data type | Supported data type
FLOAT, DOUBLE PRECISION | Converted to FLOAT(126) | Default redacted value is zero (0) | Supported data type | Supported data type
REAL | Converted to FLOAT(63) | Default redacted value is zero (0) | Supported data type | Supported data type
GRAPHIC, LONG VARGRAPHIC, VARGRAPHIC, TIME | None | Not a supported data type | Not a supported data type | Not a supported data type

Table 4–3 Redaction Capabilities for the User Defined Data Types or Oracle Supplied Types

Data Type or Type | Full Redaction | Partial Redaction | Random Redaction
User-defined data types | Not a supported data type | Not a supported data type | Not a supported data type
Any types, XML types, Oracle Spatial types, Oracle Media types | Not a supported data type | Not a supported data type | Not a supported data type

Using No Redaction for Testing Purposes
You can create a Data Redaction policy that does not perform redaction. This is useful for cases in which you have a redacted base table, yet you want a specific application user to have a view that always shows the actual data. You can create a new view of the redacted table and then define a Data Redaction policy for this view. The policy still exists on the base table, but no redaction is performed when the application queries using the view as long as the DBMS_REDACT.NONE function_type setting was used to create a policy on the view.
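The view-based "no redaction" pattern described above, worked end to end as an added example (it is not from the guide). A base table with columns of three supported built-in types from Table 4–1 gets a full redaction policy, and a test view on it gets a DBMS_REDACT.NONE policy so a named tester sees actual data. The schema HR_APP, table CUSTOMERS, view CUSTOMERS_TEST, user QA_TESTER, the sample rows and the policy names are assumptions; the ALTER_POLICY action constant DBMS_REDACT.ADD_COLUMN comes from the DBMS_REDACT package reference, not from this page.

```sql
-- Added example, not from the guide. Assumed: schema HR_APP owns the objects and holds
-- EXECUTE on DBMS_REDACT; table CUSTOMERS, view CUSTOMERS_TEST, tester account QA_TESTER.
CREATE TABLE hr_app.customers (
  cust_id    NUMBER PRIMARY KEY,
  ssn        VARCHAR2(11),
  credit_lim NUMBER(10,2),
  dob        DATE,
  photo_sig  RAW(32)        -- RAW is not a supported type (Table 4-1): keep it out of the policy
);
-- Constructed sample rows
INSERT INTO hr_app.customers VALUES (1, '987-65-4320', 12000.00, DATE '1980-03-14', HEXTORAW('A1'));
INSERT INTO hr_app.customers VALUES (2, '987-65-4321',   500.00, DATE '1975-11-02', HEXTORAW('B2'));
COMMIT;

-- Base table: FULL redaction of three supported types for every non-exempt session.
-- Table 4-1 defaults apply: VARCHAR2 -> single blank, NUMBER -> 0, DATE -> 01-01-01.
-- A table takes one policy only, so the remaining columns are attached with ALTER_POLICY
-- (action DBMS_REDACT.ADD_COLUMN, per the DBMS_REDACT package reference).
DECLARE
  cols sys.odcivarchar2list := sys.odcivarchar2list('CREDIT_LIM', 'DOB');
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR_APP', object_name => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_FULL',
    column_name   => 'SSN',
    function_type => DBMS_REDACT.FULL,
    expression    => '1=1');
  FOR i IN 1 .. cols.COUNT LOOP
    DBMS_REDACT.ALTER_POLICY(
      object_schema => 'HR_APP', object_name => 'CUSTOMERS',
      policy_name   => 'CUSTOMERS_FULL',
      action        => DBMS_REDACT.ADD_COLUMN,
      column_name   => cols(i),
      function_type => DBMS_REDACT.FULL);
  END LOOP;
END;
/

-- Tester's view: the policy on the earliest view in the chain is the one applied, so a
-- DBMS_REDACT.NONE policy here returns actual data through the view while the base table
-- stays redacted. The NONE policy is not an access control: grant the view only to the
-- tester, otherwise any user with SELECT on it reads the unredacted columns.
CREATE VIEW hr_app.customers_test AS
  SELECT cust_id, ssn, credit_lim, dob FROM hr_app.customers;
GRANT SELECT ON hr_app.customers_test TO qa_tester;

DECLARE
  cols sys.odcivarchar2list := sys.odcivarchar2list('CREDIT_LIM', 'DOB');
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR_APP', object_name => 'CUSTOMERS_TEST',
    policy_name   => 'CUSTOMERS_TEST_NONE',
    column_name   => 'SSN',
    function_type => DBMS_REDACT.NONE,
    expression    => '1=1');
  FOR i IN 1 .. cols.COUNT LOOP
    DBMS_REDACT.ALTER_POLICY(
      object_schema => 'HR_APP', object_name => 'CUSTOMERS_TEST',
      policy_name   => 'CUSTOMERS_TEST_NONE',
      action        => DBMS_REDACT.ADD_COLUMN,
      column_name   => cols(i),
      function_type => DBMS_REDACT.NONE);
  END LOOP;
END;
/

-- Run as QA_TESTER: actual values come back through the view.
SELECT ssn, credit_lim, dob FROM hr_app.customers_test;
-- Run as any other non-exempt user with SELECT on the table: Table 4-1 default values.
SELECT ssn, credit_lim, dob FROM hr_app.customers;
```

Because the view's policy replaces, rather than relaxes, the base table's policy for the columns it names, the only thing standing between other users and the actual data through CUSTOMERS_TEST is the object grant on the view. Keep the view's grant list as short as the tester population and drop the view (or its NONE policy) when testing ends.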
5 Configuring Oracle Data Redaction Policies
An Oracle Data Redaction policy defines how to redact data in a column based on the
table column type and the type of redaction you want to use. You can enable and
disable policies as necessary.
This section contains the following topics:
About Oracle Data Redaction Policies
Who Can Create Oracle Data Redaction Policies?
Planning the Creation of an Oracle Data Redaction Policy
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
Using Expressions to Define Conditions for Data Redaction Policies
Creating a Full Redaction Policy and Altering the Default Full Redaction Value
Creating a Partial Redaction Policy
Creating a Regular Expression-Based Redaction Policy
Creating a Random Redaction Policy
Creating a Policy That Uses No Redaction
Exempting Users from Oracle Data Redaction Policies
Altering an Oracle Data Redaction Policy
Redacting Multiple Columns
Disabling and Enabling an Oracle Data Redaction Policy
Dropping an Oracle Data Redaction Policy
Example: How Oracle Data Redaction Affects Tables and Views
Example: Using SQL Expressions to Build Reports with Redacted Values
Finding Information About Oracle Data Redaction Policies
About Oracle Data Redaction Policies
An Oracle Data Redaction policy defines the conditions in which redaction must occur for a table or view.
A Data Redaction policy has the following characteristics:
The Data Redaction policy defines the following: what kind of redaction to perform, how the redaction should occur, and when the redaction takes place.
Oracle Database performs the redaction at execution time, just before the data is returned to the application.
A Data Redaction policy can fully redact values, partially redact values, or randomly redact values. In addition, you can define a Data Redaction policy to not redact any data at all, for when you want to test your policies in a test environment.
A Data Redaction policy can be defined with a policy expression which allows for different application users to be presented with either redacted data or actual data, based on whether the policy expression returns TRUE or FALSE. Redaction takes place only when the boolean result of evaluating the policy expression is TRUE; a FALSE or NULL result returns the actual data. For security reasons, the functions and operators that can be used in the policy expression are limited to SYS_CONTEXT and a few others. User-created functions are not allowed. Policy expressions can make use of the SYS_SESSION_ROLES namespace with the SYS_CONTEXT function to check for enabled roles.
Table 5–1 lists the procedures in the DBMS_REDACT package.
Who Can Create Oracle Data Redaction Policies?
To create redaction policies, you must have the EXECUTE privilege on the DBMS_REDACT PL/SQL package. You do not need any privileges to access the underlying tables or views that will be protected by the policy.
Planning the Creation of an Oracle Data Redaction Policy
Before you create an Oracle Data Redaction policy, it is important to plan the data redaction process that best suits your data.
1. Ensure that you have been granted the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
2. Determine the data type of the table or view column that you want to redact.
3. Ensure that this column is not used in an Oracle Virtual Private Database (VPD) row filtering condition. That is, it must not be part of the VPD predicate generated by the VPD policy function.
Table 5–1 DBMS_REDACT Procedures

Procedure | Description
DBMS_REDACT.ADD_POLICY | Adds a Data Redaction policy to a table or view
DBMS_REDACT.ALTER_POLICY | Modifies a Data Redaction policy
DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES | Globally updates the full redaction value for a given data type. You must restart the database instance before the updated values can be used.
DBMS_REDACT.ENABLE_POLICY | Enables a Data Redaction policy
DBMS_REDACT.DISABLE_POLICY | Disables a Data Redaction policy
DBMS_REDACT.DROP_POLICY | Drops a Data Redaction policy
See Also: Oracle Database PL/SQL Packages and Types Reference for detailed information about the DBMS_REDACT PL/SQL package
4. Decide on the type of redaction that you want to perform: full, random, partial, regular expressions, or none.
5. Decide which users to apply the Data Redaction policy to.
6. Based on this information, create the Data Redaction policy by using the DBMS_REDACT.ADD_POLICY procedure.
7. Configure the policy to have additional columns to be redacted, as described in "Redacting Multiple Columns" on page 5-30.
After you create the Data Redaction policy, it is automatically enabled and ready to redact data.
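The planning steps above, carried out as dictionary queries followed by the ADD_POLICY call, as an added example that is not from the guide. It assumes you are connected as HR_APP and want to redact the VARCHAR2 column HR_APP.CUSTOMERS.SSN; the policy name and descriptions are made up. The dictionary views queried (USER_TAB_PRIVS, ROLE_TAB_PRIVS, USER_TAB_COLS, USER_POLICIES, REDACTION_POLICIES) are standard Oracle views; only REDACTION_POLICIES is mentioned on this page.

```sql
-- Added example, not from the guide. Assumed: session user HR_APP, target column
-- HR_APP.CUSTOMERS.SSN, policy name CUSTOMERS_SSN_FULL.

-- Step 1: EXECUTE on DBMS_REDACT, granted directly or through a role you hold.
SELECT 'direct' AS via FROM user_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_REDACT' AND privilege = 'EXECUTE'
UNION ALL
SELECT 'role ' || role FROM role_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_REDACT' AND privilege = 'EXECUTE';

-- Step 2: data type of the target column (it must be a supported type per Table 4-1/4-2)
-- and whether it is virtual. VIRTUAL_COLUMN is exposed by USER_TAB_COLS, not USER_TAB_COLUMNS.
SELECT column_name, data_type, data_length, virtual_column
  FROM user_tab_cols
 WHERE table_name = 'CUSTOMERS' AND column_name = 'SSN';

-- A column referenced by any virtual column's expression is also off-limits: list those
-- expressions and confirm none of them mentions SSN.
SELECT column_name, data_default AS virtual_expression
  FROM user_tab_cols
 WHERE table_name = 'CUSTOMERS' AND virtual_column = 'YES';

-- Step 3: VPD policies on the table. Read each listed policy function and confirm the
-- predicate it generates does not reference SSN.
SELECT policy_name, pf_owner, "PACKAGE", "FUNCTION"
  FROM user_policies
 WHERE object_name = 'CUSTOMERS';

-- Steps 4-6: FULL redaction for every non-exempt session. Created disabled here so the
-- definition can be reviewed in the dictionary before it takes effect (enable defaults to TRUE).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema      => 'HR_APP',
    object_name        => 'CUSTOMERS',
    policy_name        => 'CUSTOMERS_SSN_FULL',
    policy_description => 'Hide SSN from all non-exempt sessions',
    column_name        => 'SSN',
    column_description => 'US social security number',
    function_type      => DBMS_REDACT.FULL,
    expression         => '1=1',
    enable             => FALSE);
END;
/

-- Review the stored definition (one row per policy; ENABLE shows whether it is active) ...
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE policy_name = 'CUSTOMERS_SSN_FULL';

-- ... then switch it on.
BEGIN
  DBMS_REDACT.ENABLE_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_SSN_FULL');
END;
/
```

Creating the policy disabled and enabling it in a second step is a deliberate choice for change control: the expression and column list can be reviewed in REDACTION_POLICIES before any application query is affected. Step 7 (additional columns) uses DBMS_REDACT.ALTER_POLICY and is shown in the view example earlier in this document.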
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
To create a Data Redaction policy, use the DBMS_REDACT.ADD_POLICY procedure. The complete syntax is as follows:
DBMS_REDACT.ADD_POLICY (
  object_schema          IN VARCHAR2       := NULL,
  object_name            IN VARCHAR2       := NULL,
  policy_name            IN VARCHAR2,
  policy_description     IN VARCHAR2       := NULL,
  column_name            IN VARCHAR2       := NULL,
  column_description     IN VARCHAR2       := NULL,
  function_type          IN BINARY_INTEGER := DBMS_REDACT.FULL,
  function_parameters    IN VARCHAR2       := NULL,
  expression             IN VARCHAR2,
  enable                 IN BOOLEAN        := TRUE,
  regexp_pattern         IN VARCHAR2       := NULL,
  regexp_replace_string  IN VARCHAR2       := NULL,
  regexp_position        IN BINARY_INTEGER := 1,
  regexp_occurrence      IN BINARY_INTEGER := 0,
  regexp_match_parameter IN VARCHAR2       := NULL);
In this specification:
object_schema: Specifies the schema of the object on which the Data Redaction policy will be applied. If you omit this setting (or enter NULL), then Oracle Database uses the current user’s name. Be aware that the meaning of "current user" here can change, depending on where you invoke the DBMS_REDACT.ADD_POLICY procedure.
For example, suppose user mpike grants user fbrown the EXECUTE privilege on a definer’s rights PL/SQL package called mpike.protect_data in mpike’s schema. From within this package, mpike has coded a procedure called protect_cust_data, which invokes the DBMS_REDACT.ADD_POLICY procedure. User mpike has set the object_schema parameter to NULL.
When fbrown invokes the protect_cust_data procedure in the mpike.protect_data package, Oracle Database attempts to define the Data Redaction policy around the object cust_data in the mpike schema, not the cust_data object in the schema that belongs to fbrown.
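The mpike/fbrown scenario above in code, as an added example that is not from the guide: first the definer's rights package exactly as described, then a safer version. It assumes users MPIKE and FBROWN each own a table CUST_DATA with a VARCHAR2 column CARD_NO; the package name, procedure name and policy names follow the text, and the column name is made up.

```sql
-- Added example, not from the guide. Assumed: users MPIKE and FBROWN each own CUST_DATA
-- with a VARCHAR2 column CARD_NO. Run the CREATE statements as MPIKE.

-- Version 1: definer's rights (the default AUTHID DEFINER). Inside the body the "current
-- user" is MPIKE, so object_schema => NULL always resolves to MPIKE.CUST_DATA, no matter
-- who calls the procedure.
CREATE OR REPLACE PACKAGE mpike.protect_data AS
  PROCEDURE protect_cust_data;
END protect_data;
/
CREATE OR REPLACE PACKAGE BODY mpike.protect_data AS
  PROCEDURE protect_cust_data IS
  BEGIN
    DBMS_REDACT.ADD_POLICY(
      object_schema => NULL,            -- resolves to the definer, MPIKE
      object_name   => 'CUST_DATA',
      policy_name   => 'CUST_DATA_FULL',
      column_name   => 'CARD_NO',
      function_type => DBMS_REDACT.FULL,
      expression    => '1=1');
  END protect_cust_data;
END protect_data;
/
GRANT EXECUTE ON mpike.protect_data TO fbrown;
-- fbrown then runs:  EXEC mpike.protect_data.protect_cust_data;
-- Outcome: the policy lands on MPIKE.CUST_DATA, FBROWN.CUST_DATA stays unredacted, and a
-- second call fails because policy names must be unique in the database instance.

-- Version 2: target the caller's own schema explicitly. SESSION_USER is taken from the
-- session context rather than from a caller-supplied argument: the only prerequisite for
-- DBMS_REDACT is EXECUTE on the package, so a wrapper that accepted an arbitrary schema name
-- would let any grantee attach or replace policies on other users' tables.
CREATE OR REPLACE PACKAGE mpike.protect_data AS
  PROCEDURE protect_cust_data;
END protect_data;
/
CREATE OR REPLACE PACKAGE BODY mpike.protect_data AS
  PROCEDURE protect_cust_data IS
    l_schema VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  BEGIN
    DBMS_REDACT.ADD_POLICY(
      object_schema => l_schema,
      object_name   => 'CUST_DATA',
      policy_name   => l_schema || '_CUST_DATA_FULL',   -- unique per calling schema
      column_name   => 'CARD_NO',
      function_type => DBMS_REDACT.FULL,
      expression    => '1=1');
  END protect_cust_data;
END protect_data;
/
-- fbrown runs the same call and now gets a policy FBROWN_CUST_DATA_FULL on FBROWN.CUST_DATA.
```

Passing object_schema explicitly is the fix the text calls for; deriving it from SESSION_USER instead of a parameter keeps the wrapper from becoming a way to manage redaction on tables the caller does not own. A wrapper that must serve several schemas should keep an allow-list of schemas it is permitted to touch rather than trusting the argument.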
object_name: Specifies the name of the table or view to which the Data Redaction policy applies.
policy_name: Specifies the name of the policy to be created. Ensure that this name is unique in the database instance. You can find a list of existing Data Redaction policies by querying the POLICY_NAME column of the REDACTION_POLICIES data dictionary view.
policy_description: Specifies a brief description of the purpose of the policy.
column_name: Specifies the column whose data you want to redact. Note the following:
You can apply the Data Redaction policy to multiple columns. If you want to apply the Data Redaction policy to multiple columns, then after you use DBMS_REDACT.ADD_POLICY to create the policy, run the DBMS_REDACT.ALTER_POLICY procedure as many times as necessary to add each of the remaining required columns to the policy. See "Altering an Oracle Data Redaction Policy" on page 5-27.
Only one policy can be defined on a table or view. You can, however, create a new view on the table, and by defining a second redaction policy on this new view, you can choose to redact the columns in a different way when a query is issued against this new view. When deciding how to redact a given column, Oracle Database uses the policy of the earliest view in a view chain. See "Example: How Oracle Data Redaction Affects Tables and Views" on page 5-33 for more information about using Data Redaction policies with views.
If you do not specify a column (for example, by entering NULL), then no columns are redacted by the policy. This enables you to create your policies so that they are in place, and then later on, you can add the column specification when you are ready.
Do not use a column that is currently used in an Oracle Virtual Private Database (VPD) row filtering condition. In other words, the column should not be part of the VPD predicate generated by the VPD policy function. See "Oracle Data Redaction and Oracle Virtual Private Database" on page 6-2 for more information about using Data Redaction with VPD.
You cannot define a Data Redaction policy on a virtual column. In addition, you cannot define a Data Redaction policy on a column that is involved in the SQL expression of any virtual column.
column_description: Specifies a brief description of the column that you are redacting.
function_type: Specifies a function that sets the type of redaction. See the following sections for more information:
"Syntax for Creating a Full Redaction Policy" on page 5-8
"Syntax for Creating a Partial Redaction Policy" on page 5-12
"Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19
"Syntax for Creating a Random Redaction Policy" on page 5-24
"Syntax for Creating a Policy with No Redaction" on page 5-26
If you omit the function_type parameter, then the default redaction function_type setting is DBMS_REDACT.FULL.
function_parameters: Specifies how the column redaction should appear for partial redaction. See "Syntax for Creating a Partial Redaction Policy" on page 5-12.
expression: Specifies a Boolean SQL expression to determine how the policy is applied. Redaction takes place only if this policy expression evaluates to TRUE. See "Using Expressions to Define Conditions for Data Redaction Policies" on page 5-5.
enable: When set to TRUE, enables the policy upon creation. When set to FALSE, it creates the policy as a disabled policy. The default is TRUE. After you create the policy, you can disable or enable it. See the following sections:
"Disabling an Oracle Data Redaction Policy" on page 5-31
"Enabling an Oracle Data Redaction Policy" on page 5-32
regexp_pattern, regexp_replace_string, regexp_position, regexp_occurrence, regexp_match_parameter: Enable you to use regular expressions to redact data, either fully or partially. If the regexp_pattern does not match anything in the actual data, then full redaction will take place, so be careful when specifying the regexp_pattern. Ensure that all of the values in the column conform to the semantics of the regular expression you are using. See "Syntax for Creating a Regular Expression-Based Redaction Policy" on page 5-19 for more information.
Using Expressions to Define Conditions for Data Redaction Policies
When you create any Oracle Data Redaction policy, you must use the expression parameter in the DBMS_REDACT.ADD_POLICY procedure to specify the conditions in which the policy applies.
This section contains:
About Using Expressions in Data Redaction Policies
Applying the Redaction Policy Based on User Environment
Applying the Redaction Policy Based on Database Role
Applying the Redaction Policy Based on Oracle Application Express Session States
Applying the Redaction Policy with No Filtering
About Using Expressions in Data Redaction Policies
The expression parameter of the DBMS_REDACT.ADD_POLICY procedure defines a Boolean expression that must evaluate to TRUE before the redaction can take place. This expression must be based on one of the following functions:
SYS_CONTEXT, using a specified namespace. The default namespace for SYS_CONTEXT is USERENV, which includes values such as SESSION_USER and CLIENT_IDENTIFIER. (See Oracle Database SQL Language Reference for detailed information about this function.) Another namespace that you can use is the SYS_SESSION_ROLES namespace, which contains attributes for each role.
The following Oracle Application Express functions:
V, which is a wrapper for the APEX_UTIL.GET_SESSION_STATE function
NV, which is a wrapper for the APEX_UTIL.GET_NUMERIC_SESSION_STATE function
See Oracle Application Express API Reference for more information about these APEX_UTIL package functions.
The OLS_LABEL_DOMINATES function, described in Oracle Label Security Administrator's Guide, which is a wrapper for the LBACSYS.OLS_LABEL_DOMINATES function.
Follow these guidelines when you write the expression:
Use only the following operators: =, !=, >, <, >=, <=
Because the expression must evaluate to TRUE for redaction, be careful when making comparisons with NULL. In SQL, a comparison with NULL does not evaluate to TRUE (its result is NULL, that is, unknown), so if the session attribute or application item you compare against is unset, the expression is not TRUE and the data is returned unredacted. Where an unset value must still be redacted, add an explicit IS NULL condition.
Do not use user-created functions in the expression parameter; this is not permitted.
Remember that for user SYS and users who have the EXEMPT REDACTION POLICY privilege, all of the Data Redaction policies are bypassed, so the results of their queries are not redacted. See "Exempting Users from Oracle Data Redaction Policies" on page 5-26 for more information about users who are exempted from Data Redaction policies.
Applying the Redaction Policy Based on User Environment
To apply a Data Redaction policy based on the user’s environment (such as the session user name or client identifier), you can use the USERENV namespace of the SYS_CONTEXT function in the DBMS_REDACT.ADD_POLICY expression parameter.
Example 5–1 shows how to apply the policy only to the session user name psmith.
Example 5–1 Filtering Users by Session User Name
expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PSMITH'''
Applying the Redaction Policy Based on Database Role
To apply a Data Redaction policy based on database roles, you can use the SYS_SESSION_ROLES namespace in the SYS_CONTEXT function, which contains attributes for each role. The value of the attribute is TRUE if the specified role is enabled for the querying application user; the value is FALSE if the role is not enabled.
For example, suppose you wanted only supervisors to be allowed to see the actual data. Example 5–2 shows how to use the DBMS_REDACT.ADD_POLICY expression parameter to set the policy to show the actual data to any application user who has the supervisor role enabled, but redact the data for all of the other application users.
Example 5–2 Applying a Data Redaction Policy by Database Role
expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE'''
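Two of the guidelines above, the role check from Example 5–2 and the warning about comparisons with NULL, as an added example that is not from the guide. It assumes a role SUPERVISOR, a table HR_APP.SALARIES with a NUMBER column SALARY, and an application that tags its sessions with CLIENT_IDENTIFIER; the policy name and the identifier value PAYROLL_BATCH are made up. The ALTER_POLICY action constant DBMS_REDACT.MODIFY_EXPRESSION comes from the DBMS_REDACT package reference, not from this page.

```sql
-- Added example, not from the guide. Assumed: role SUPERVISOR, table HR_APP.SALARIES with
-- NUMBER column SALARY, application sessions that set CLIENT_IDENTIFIER = 'PAYROLL_BATCH'.

-- Role-based policy (Example 5-2): redact unless SUPERVISOR is enabled in the session.
-- SYS_SESSION_ROLES reports the roles enabled right now, so a user who holds SUPERVISOR
-- but runs SET ROLE NONE, or has it as a non-default role, still sees redacted data.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'SALARIES',
    policy_name   => 'SALARIES_ROLE',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE''');
END;
/

-- The NULL pitfall. Goal: actual data only for sessions the application tagged as
-- PAYROLL_BATCH. This expression is WRONG: with no client identifier set, SYS_CONTEXT
-- returns NULL, NULL != 'PAYROLL_BATCH' is not TRUE, and every untagged SQL*Plus session
-- gets the real salaries (the policy fails open).
--   expression => 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') != ''PAYROLL_BATCH'''
--
-- Correct form, the same pattern as the APEX APP_USER example in this chapter: treat an
-- unset identifier as "redact". MODIFY_EXPRESSION replaces the policy's expression.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'SALARIES',
    policy_name   => 'SALARIES_ROLE',
    action        => DBMS_REDACT.MODIFY_EXPRESSION,
    expression    => 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') != ''PAYROLL_BATCH'' '
                  || 'OR SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') IS NULL');
END;
/

-- Before trusting either expression, look at what the session actually presents.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS session_user,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')     AS client_identifier,
       SYS_CONTEXT('SYS_SESSION_ROLES', 'SUPERVISOR')  AS supervisor_enabled
  FROM dual;
```

CLIENT_IDENTIFIER is a value the client sets for itself (through DBMS_SESSION.SET_IDENTIFIER or the OCI/JDBC client APIs), not an authenticated attribute; a policy that relaxes redaction on it is only as strong as the control over who can run those calls. SESSION_USER and SYS_SESSION_ROLES are set by the database and are the safer basis for exemptions.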
Applying the Redaction Policy Based on Oracle Application Express Session States
To apply a Data Redaction policy based on an Oracle Application Express (APEX) session state, you can use either of the following public Application Express APIs in the DBMS_REDACT.ADD_POLICY expression parameter:
V, which is a synonym for the APEX_UTIL.GET_SESSION_STATE function
NV, which is a synonym for the APEX_UTIL.GET_NUMERIC_SESSION_STATE function
See Also: Oracle Database SQL Language Reference for information about more namespaces that you can use with the SYS_CONTEXT function
You can, for example, use these functions to redact data based on a job or a privilege role that is stored in a session state in an APEX application.
Example 5–3 shows how to set the DBMS_REDACT.ADD_POLICY expression parameter if you wanted redaction to take place when the application item called G_JOB has the value CLERK.
Example 5–3 Filtering Users by Oracle Application Express Session State
expression => 'V(''G_JOB'') = ''CLERK'''
If you want redaction to take place when the querying user is not within the context of an APEX application (when the query is issued from outside the APEX framework, for example directly through SQL*Plus), then use an IS NULL clause as follows. This policy expression causes actual data to be shown to user mavis only when her query comes from within an APEX application. Otherwise, the query result is redacted.
expression => 'V(''APP_USER'') != ''mavis@example.com'' or V(''APP_USER'') is null'
Applying the Redaction Policy with No Filtering
You can apply the policy irrespective of the context to any user, with no filtering. However, be aware that user SYS and users who have the EXEMPT REDACTION POLICY privilege are always exempt from Oracle Data Redaction policies. To apply the policy to every other user (that is, every user who is not SYS and has not been granted the EXEMPT REDACTION POLICY privilege), write the DBMS_REDACT.ADD_POLICY expression parameter to evaluate to TRUE, as shown in Example 5–4.
Example 5–4 Applying the Redaction Policy with No Filtering
expression => '1=1'
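A '1=1' policy redacts everyone except SYS and holders of EXEMPT REDACTION POLICY, so the practical question becomes who holds that privilege and who can change the policies themselves. The following added example (not from the guide) grants the exemption to a break-glass account and then lists both populations from the data dictionary. The account name AUDIT_READER is an assumption; DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS are standard views and require the usual SELECT access to the dictionary.

```sql
-- Added example, not from the guide. Assumed: a break-glass account AUDIT_READER that must
-- read unredacted data, and a DBA session with SELECT on the DBA_* views.

-- Grant the exemption narrowly, to a named account, never to a widely held role.
GRANT EXEMPT REDACTION POLICY TO audit_reader;

-- Who bypasses every redaction policy in this database? (SYS always does and is not listed.)
-- Direct grants ...
SELECT sp.grantee, 'direct' AS via
  FROM dba_sys_privs sp
 WHERE sp.privilege = 'EXEMPT REDACTION POLICY'
UNION ALL
-- ... and users who reach the privilege through one level of role grant.
SELECT rp.grantee, 'via role ' || sp.grantee
  FROM dba_sys_privs  sp
  JOIN dba_role_privs rp ON rp.granted_role = sp.grantee
 WHERE sp.privilege = 'EXEMPT REDACTION POLICY'
 ORDER BY 1, 2;

-- Who can add, alter, disable, or drop redaction policies? Per this chapter, EXECUTE on
-- DBMS_REDACT is the only prerequisite and no privilege on the protected tables is needed,
-- so treat this grant like a DBA-level one.
SELECT grantee, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_REDACT' AND privilege = 'EXECUTE'
 ORDER BY grantee;

-- Revoke when the task is done: the exemption is a standing bypass of all policies,
-- not a per-policy or per-table setting.
REVOKE EXEMPT REDACTION POLICY FROM audit_reader;
```

Both queries belong in a periodic privilege review: a redaction policy with expression '1=1' is only as broad as the set of accounts outside these two lists.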
Creating a Full Redaction Policy and Altering the Default Full Redaction Value
This section contains:
Creating a Full Redaction Policy
Altering the Default Full Data Redaction Value
Creating a Full Redaction Policy
This section contains:
About Creating Full Data Redaction Policies
Syntax for Creating a Full Redaction Policy
Examples of Full Data Redaction Policies
About Creating Full Data Redaction Policies
A full data redaction policy redacts all the contents of a data column. To set the redaction policy to be full, you must set the function_type parameter to DBMS_REDACT.FULL. By default, NUMBER data type columns are replaced with zero (0) and character data type columns are replaced with a single space ( ). You can modify this default by using the DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES procedure.
See Also: Oracle Application Express API Reference
See Also: "Exempting Users from Oracle Data Redaction Policies" on page 5-26
Syntax for Creating a Full Redaction Policy
The fields used for creating a full data redaction policy are as follows:
DBMS_REDACT.ADD_POLICY (
  object_schema  IN VARCHAR2       := NULL,
  object_name    IN VARCHAR2,
  column_name    IN VARCHAR2       := NULL,
  policy_name    IN VARCHAR2,
  function_type  IN BINARY_INTEGER := DBMS_REDACT.FULL,
  expression     IN VARCHAR2,
  enable         IN BOOLEAN        := TRUE);
In this specification:
object_schema, object_name, column_name, policy_name, expression, enable: See "General Syntax of the DBMS_REDACT.ADD_POLICY Procedure" on page 5-3.
function_ty