Oracle Database 11g Security


Oracle Database 11g: Security
Student Guide
D52365GC10
Edition 1.0
October 2007
PRODUCTION

Copyright © 2007, Oracle. All rights reserved.

This documentation contains proprietary information of Oracle Corporation. It is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

If this documentation is delivered to a U.S. Government Agency of the Department of Defense, then it is delivered with Restricted Rights and the following legend is applicable:

Restricted Rights Legend
Use, duplication or disclosure by the Government is subject to restrictions for commercial computer software and shall be deemed to be Restricted Rights software under Federal law, as set forth in subparagraph (c)(1)(ii) of DFARS 252.227-7013, Rights in Technical Data and Computer Software (October 1988).

This material or any portion of it may not be copied in any form or by any means without the express prior written permission of the Education Products group of Oracle Corporation. Any other copying is a violation of copyright law and may result in civil and/or criminal penalties.

If this documentation is delivered to a U.S. Government Agency not within the Department of Defense, then it is delivered with “Restricted Rights,” as defined in FAR 52.227-14, Rights in Data-General, including Alternate III (June 1987).

The information in this document is subject to change without notice. If you find any problems in the documentation, please report them in writing to Worldwide Education Services, Oracle Corporation, 500 Oracle Parkway, Box SB-6, Redwood Shores, CA 94065. Oracle Corporation does not warrant that this document is error-free.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Author: James Spiller
Technical Contributors and Reviewers: Amith Mahalingaiah, Hozefa Palitanawala, Sudheesh Varma
This book was published using: oracletutor

Table of Contents

Chapter 1: Security: New Features 1-2
  Objectives 1-3
  Secure Password Support 1-4
  Automatic Secure Configuration 1-5
  Password Configuration 1-6
  Enable Built-in Password Complexity Checker 1-7
  Managing Default Audits 1-8
  Adjust Security Settings 1-10
  Setting Security Parameters 1-11
  Using RMAN Security Enhancements 1-13
  Creating and Using Virtual Private Catalogs 1-14
  Using RMAN Virtual Private Catalogs 1-15
  Summary 1-17
Chapter 2: 11g Security Optional New Features 2-2
  Objectives 2-3
  Transparent Data Encryption 2-4
  Using Tablespace Encryption 2-6
  TDE and LogMiner 2-7
  TDE and Logical Standby 2-8
  TDE and Streams 2-9
  Hardware Security Module 2-10
  Using a Hardware Security Module with TDE 2-11
  Encryption for LOB Columns 2-12
  Using Kerberos Enhancements 2-13
  Enterprise Manager Security Management 2-14
  Managing TDE with Enterprise Manager 2-15
  Managing Tablespace Encryption with Enterprise Manager 2-16
  Managing Virtual Private Database 2-17
  Managing Label Security with Enterprise Manager 2-18
  Managing Label Security with Oracle Internet Directory 2-19
  Managing Enterprise Users with Enterprise Manager 2-20
  Enterprise Manager Policy Trend 2-21
  Oracle Audit Vault Enhancements 2-22
  Managing Fine-Grained Access to External Network Services 2-23
  Demonstration 2-25
  Summary 2-26

Chapter 1: Security: New Features

Objectives
After completing this lesson, you should be able to:
• Configure strong authentication for privileged users
• Create a virtual private catalog for RMAN

Secure Password Support
More secure password support. Passwords:
• Are case sensitive
• Contain more characters
• Use a more secure hash algorithm
• Use salt in the hash algorithm
Usernames are still Oracle identifiers (up to 30 characters, case insensitive).

You must use more secure passwords to meet the demands of compliance with various security and privacy regulations. Passwords that are very short, and passwords formed from a limited set of characters, are susceptible to brute-force attacks. Longer passwords drawn from a larger set of allowed characters are much more difficult to guess or find. In Oracle Database 11g, the password is handled differently than in previous versions:
• Passwords are case sensitive. Uppercase and lowercase characters are now different characters when used in a password.
• Passwords may contain multibyte characters without quoting. Only the '$', '_', and '#' special characters are allowed in the password without quoting the password.
• Passwords are always passed through a hash algorithm, then stored as a user credential. When the user presents a password, it is hashed and then compared to the stored credential. In Oracle Database 11g the hash algorithm is SHA-1, in place of the algorithm used in previous versions of the database. SHA-1 is a stronger algorithm, producing a 160-bit output.
• Passwords always use salt. A hash function always produces the same output given the same input. Salt is a unique (random) value that is added to the input, to ensure the output credential is unique.

Automatic Secure Configuration
• Default password profile
• Default auditing
• Built-in password complexity checking
Oracle Database 11g installs and creates the database with certain security features recommended by the Center for Internet Security (CIS) benchmark. The CIS recommended configuration is more secure than the 10gR2 default installation, yet open enough to allow the majority of applications to be successful. Many customers have adopted this benchmark already. Some recommendations of the CIS benchmark may be incompatible with some applications.

Password Configuration
By default:
• Default password profile is enabled
• Account is locked after 10 failed login attempts
In upgrade:
• Passwords are case insensitive until changed
• Passwords become case sensitive by ALTER USER
On creation:
• Passwords are case sensitive

When creating a custom database using the Database Configuration Assistant (DBCA), you can specify the Oracle Database 11g default security configuration. By default, if a user tries to connect to an Oracle instance multiple times using an incorrect password, the instance delays each login after the third try. This protection applies to attempts made from different IP addresses or multiple client connections. Afterwards, it gradually increases the time before the user can try another password, up to a maximum of about ten seconds.

The default password profile is enabled with these settings at database creation:
  PASSWORD_LIFE_TIME        180
  PASSWORD_GRACE_TIME
  PASSWORD_REUSE_TIME       UNLIMITED
  PASSWORD_REUSE_MAX        UNLIMITED
  FAILED_LOGIN_ATTEMPTS     10
  PASSWORD_LOCK_TIME
  PASSWORD_VERIFY_FUNCTION  NULL

When an Oracle Database 10g is upgraded, passwords are case insensitive until the ALTER USER… command is used to change the password. When the database is created, the passwords are case sensitive by default.

Chapter 2: 11g Security Optional New Features

Encryption for LOB Columns

  CREATE TABLE test1 (doc CLOB ENCRYPT USING 'AES128')
    LOB(doc) STORE AS SECUREFILE (CACHE NOLOGGING);

• LOB encryption is allowed only for SecureFiles
• All LOBs in the LOB column are encrypted
• LOBs can be encrypted on a per-column or per-partition basis
  – Allows for the co-existence of SecureFiles and BasicFiles LOBs

Oracle Database 11g introduces a completely reengineered large object (LOB) data type that dramatically improves performance, manageability, and ease of application development. This SecureFiles implementation of LOBs offers advanced, next-generation functionality such as intelligent compression and transparent encryption. The encrypted data in SecureFiles is stored in place and is available for random reads and writes. You must create the LOB with the SECUREFILE parameter, with encryption enabled (ENCRYPT) or disabled (DECRYPT, the default) on the LOB column. The current TDE syntax is used for extending encryption to LOB data types. The LOB implementation from prior versions is still supported for backward compatibility and is now referred to as BasicFiles. If you add a LOB column to a table, you can specify whether it should be created as SECUREFILES or BASICFILES. The default LOB type is BASICFILES, to ensure backward compatibility. Valid algorithms are 3DES168, AES128, AES192, and AES256. The default is AES192.

Note: For a further discussion of SecureFiles, please see the 11g: Infrastructure Grid Performance eStudy.

Using Kerberos Enhancements
• Use stronger encryption algorithms (no action required)
• Interoperability between MS KDC and MIT KDC (no action required)
• Longer principal name:
    CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
• Convert a DB user to a Kerberos user:
    ALTER USER DBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';

The Oracle client Kerberos implementation now makes use of secure encryption algorithms like 3DES and AES in place of DES. This makes using Kerberos more secure. The Kerberos authentication mechanism in Oracle Database now supports the following encryption types:
• DES3-CBC-SHA (DES3 algorithm in CBC mode with HMAC-SHA1 as checksum)
• RC4-HMAC (RC4 algorithm with HMAC-MD5 as checksum)
• AES128-CTS (AES algorithm with 128-bit key in CTS mode with HMAC-SHA1 as checksum)
• AES256-CTS (AES algorithm with 256-bit key in CTS mode with HMAC-SHA1 as checksum)

The Kerberos implementation has been enhanced to interoperate smoothly with Microsoft and MIT Key Distribution Centers.

The Kerberos principal name can now contain more than 30 characters. It is no longer restricted by the number of characters allowed in a database user name. If the Kerberos principal name is longer than 30 characters, use:
    CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
Database users can be converted to Kerberos users, without requiring a new user to be created, using the ALTER USER syntax:
    ALTER USER DBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';

Enterprise Manager Security Management
Manage security through EM:
• Policy Manager replaced for
  – Virtual Private Database
  – Application Context
  – Oracle Label Security
• Enterprise User Security pages added
• TDE pages added

Security management has been integrated into Enterprise Manager. The Policy Manager Java console-based tool has been superseded. Oracle Label Security, Application Contexts, and Virtual Private Database, previously administered through the Oracle Policy Manager tool, are managed through Enterprise Manager. The Oracle Policy Manager tool is still available.

The Enterprise Manager Security tool has been superseded by Enterprise Manager features. Enterprise User Security is also now managed through Enterprise Manager. The menu item for Enterprise Manager will appear as soon as the ldap.ora file is configured. See the Enterprise User Administrator's Guide for configuration details. The Enterprise Security Manager tool is still available.

Transparent Data Encryption can now be managed through Enterprise Manager, including Wallet management. You can create, open, and close the Wallet from Enterprise Manager pages.

Managing TDE with Enterprise Manager
The administrator using Enterprise Manager can open and close the wallet, move the location of the wallet, and generate a new master key. The example shows that TDE options are part of the Create or Edit Table processes. Table encryption options allow you to choose the encryption algorithm and salt. The table key can also be reset.

The other place where TDE changed the management pages is Export and Import Data. If TDE is configured, the wallet is open, and the table to be exported has encrypted columns, the export wizard will offer data encryption. The same arbitrary key (password) that was used on export must be provided on import in order to import any encrypted columns. A partial import that does not include tables that contain encrypted columns does not require the password.

Managing Tablespace Encryption with Enterprise Manager
You can manage tablespace encryption from the same console as you manage Transparent Database Encryption. Once encryption has been enabled for the database, the DBA can set the encryption property of a tablespace on the Edit Tablespace page or create

Managing Virtual Private Database
With Enterprise Manager 11g you can now manage the Virtual Private Database policies from the console. You can enable, disable, add, and drop policies. The console also allows you to manage application contexts. The application context page is not shown.

Managing Label Security with Enterprise Manager
Oracle Label Security (OLS) management is integrated with Enterprise Manager Database Control. The Database Administrator can manage OLS from the same console that is used for managing the database instances, listeners, and host. The differences between Database Control and Grid Control are minimal. Oracle Label Security (OLS) management is integrated with Enterprise Manager Grid Control. The Database Administrator can manage OLS from the same console that is used for managing the database instances, listeners, and other targets.

Managing Label Security with Oracle Internet Directory
Oracle Label Security policies can now be created and stored in Oracle Internet Directory, then applied to one or more databases. A database subscribes to a policy, making the policy available to the database, and the policy can then be applied to tables and schemas in the database. Label authorizations can be assigned to enterprise users in the form of profiles.

Managing Enterprise Users with Enterprise Manager
The functionality of the Enterprise Security Manager has been integrated into Enterprise Manager. Enterprise Manager allows you to create and configure enterprise domains, enterprise roles, user schema mappings, and proxy permissions. Databases can be configured for enterprise user security after they have been registered with OID. The registration is performed through the DBCA tool. Enterprise users and groups can also be configured for enterprise user security. The creation of enterprise users and groups can be done through Delegated Administration Service (DAS). Administrators for the database can be created and given the appropriate roles in OID through Enterprise Manager. Enterprise Manager allows you to manage enterprise users and roles, schema mappings, domain mappings, and proxy users.

Enterprise Manager Policy Trend
Enterprise Manager Policy Trend allows you to view the compliance of your database configuration against a set of Oracle security best practices.

Oracle Audit Vault Enhancements
Audit Vault enhancements to Streams:
• Harden Streams configuration
• DML/DDL capture on SYS and SYSTEM schemas
• Capture changes to SYS.AUD$ and SYS.FGA_LOG$

Oracle Audit Vault provides auditing in a heterogeneous environment. Audit Vault consists of a secure database to store and analyze audit information from various sources such as databases, OS audit trails, etc. Oracle Streams is an asynchronous information sharing infrastructure that facilitates sharing of events within a database or from one database to another. Events could be DML or DDL changes happening in a database. These events are captured by Streams implicit capture and are propagated to a queue in a remote database, where they are consumed by a subscriber, which is typically the Streams apply process.

Oracle Streams has been enhanced to support Audit Vault. The Streams configurations are controlled from the Audit Vault location. Once the initial configuration has been completed, Streams setup at both the Audit Source and Audit Vault will be completely driven from the Audit Vault. This prevents configurations from being changed at the Audit Source. Oracle Streams has been enhanced to allow capture of changes to the SYS and SYSTEM schemas. Oracle Streams already captures, for user schemas, all DML on participating tables and all DDL to the database. Streams is enhanced to capture the events that change the database audit trail, forwarding that information to Audit Vault.

Managing Fine-Grained Access to External Network Services
Create an ACL and its privileges:

  BEGIN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
      acl         => 'us-oracle-com-permissions.xml',
      description => 'Permissions for oracle network',
      principal   => 'SCOTT',
      is_grant    => TRUE,
      privilege   => 'connect');
  END;
  /

The network utility family of PL/SQL packages, such as UTL_TCP, UTL_INADDR, UTL_HTTP, UTL_SMTP, and UTL_MAIL, allow Oracle users to make network callouts from the database using raw TCP or using higher-level protocols built on raw TCP. Previously, a user either did or did not have EXECUTE privilege on these packages, and there was no control over which network hosts were accessed. The new package DBMS_NETWORK_ACL_ADMIN allows fine-grained control using access control lists (ACLs) implemented by XML DB.

Create an access control list (ACL). The ACL is a list of users and privileges held in an XML file. The XML document named in the acl parameter is relative to the /sys/acl/ folder in the XML DB. In the example, SCOTT is granted connect. The username is case sensitive in the ACL and must match the username of the session. There are only resolve and connect privileges; the connect privilege implies resolve. Optional parameters can specify a start and end timestamp for these privileges. To add more users and privileges to this ACL, use the ADD_PRIVILEGE procedure.

Managing Fine-Grained Access to External Network Services
Assign an ACL to one or more network hosts:

  BEGIN
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
      acl        => 'us-oracle-com-permissions.xml',
      host       => '*.us.oracle.com',
      lower_port => 80,
      upper_port => NULL);
  END;
  /

The ASSIGN_ACL procedure associates the ACL with a network host and, optionally, a port or range of ports. In the example, the host parameter allows a wildcard character in the host name to assign the ACL to all the hosts of a domain. The use of wildcards affects the order of precedence for the evaluation of the ACL: fully qualified host names with ports are evaluated before hosts without ports; fully qualified host names are evaluated before partial domain names; and sub-domains are evaluated before the top-level domain. Multiple hosts can be assigned to the same ACL, and multiple users can be added to the same ACL in any order after the ACL has been created.

Demonstration
For further understanding, click on the link in the notes below for an Oracle By Example demonstration of the following functionality:
• Using Transparent Data Encryption
Click the following link for a demonstration on:
• Using Transparent Data Encryption [http://www.oracle.com/technology/obe/11gr1_db/security/tde/tde.htm]
Please note that this OBE was created under Oracle Database 11g Beta.

Summary
In this lesson, you should have learned how to:
• Encrypt a tablespace
• Use a Hardware Security Module with TDE
• Use Enterprise Manager to manage security options
• Configure fine-grained access to network services

[...]
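The following is an added example, not code from the student guide, that carries the "Managing Fine-Grained Access to External Network Services" section above through a complete, verifiable ACL setup: it creates an ACL, adds a second principal with a time-limited resolve-only privilege via ADD_PRIVILEGE, binds the ACL to one host and one port rather than a wildcard domain, and then confirms the result from the dictionary views and with CHECK_PRIVILEGE. The ACL name, principals (APPUSER, REPORTUSER), host and ports are constructed for illustration; the package procedures and the DBA_NETWORK_ACLS / DBA_NETWORK_ACL_PRIVILEGES views are standard in Oracle Database 11g. Run as a DBA.

```sql
-- Added example (not from the student guide). ACL name, principal names,
-- host and ports are constructed for illustration.

-- 1. Create the ACL and grant the first principal 'connect'.
--    Principal names are case sensitive and must match the session user.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app-mailhost-permissions.xml',
    description => 'Outbound SMTP for the APPUSER schema',
    principal   => 'APPUSER',
    is_grant    => TRUE,
    privilege   => 'connect');
END;
/

-- 2. Add a second principal that may only resolve host names (no connection),
--    limited to a seven-day window via the optional start/end timestamps.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl        => 'app-mailhost-permissions.xml',
    principal  => 'REPORTUSER',
    is_grant   => TRUE,
    privilege  => 'resolve',
    start_date => SYSTIMESTAMP,
    end_date   => SYSTIMESTAMP + INTERVAL '7' DAY);
END;
/

-- 3. Bind the ACL to exactly one host and port. A fully qualified host with a
--    port is evaluated before broader (wildcard or port-less) assignments, so
--    this is the tightest binding the mechanism offers.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app-mailhost-permissions.xml',
    host       => 'mailhost.example.com',
    lower_port => 25,
    upper_port => 25);
END;
/
-- The ACL changes are transactional; commit to make them effective.
COMMIT;

-- 4. Review which host/port ranges are covered by which ACL ...
SELECT host, lower_port, upper_port, acl
FROM   dba_network_acls
ORDER  BY host, lower_port;

-- ... and which principals hold which privilege (with any time limits).
SELECT acl, principal, privilege, is_grant, start_date, end_date
FROM   dba_network_acl_privileges
WHERE  acl LIKE '%app-mailhost-permissions.xml'
ORDER  BY principal, privilege;

-- 5. Spot-check a principal/privilege pair:
--    1 = granted, 0 = denied, NULL = the ACL does not mention that principal.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
         'app-mailhost-permissions.xml', 'APPUSER', 'connect')    AS appuser_connect,
       DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
         'app-mailhost-permissions.xml', 'REPORTUSER', 'connect') AS reportuser_connect
FROM   dual;
```

In this setup APPUSER may open a TCP connection to mailhost.example.com:25 only, REPORTUSER may resolve the name but not connect, and any other schema is blocked at the ACL layer regardless of its EXECUTE privilege on UTL_SMTP or UTL_TCP. Reviewing DBA_NETWORK_ACLS for wildcard hosts or open-ended port ranges is the quickest way to find assignments that are broader than an application actually needs.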
... Chapter 2: 11g Security Optional New Features

Objectives ...

... catowner.dbms_rcvcat.create_virtual_catalog;
5. Register a new database in the catalog:
    RMAN> CONNECT TARGET / CATALOG vpcowner/oracle@catdb;
    RMAN> REGISTER DATABASE;
6. Use the virtual catalog:
    RMAN> CONNECT TARGET / CATALOG vpcowner/oracle@catdb;
    RMAN> BACKUP DATABASE;
4. Create a virtual private catalog
  a. If the target database is an Oracle Database 11g database and the RMAN client is an 11g client, you can use the RMAN command: ...

... TDE and Streams
Oracle Streams now provides the ability to transparently:
• Decrypt values protected by TDE for filtering and processing
• Re-encrypt values so that they are never in clear text while on disk
(Diagram: Capture, Staging, Apply)
In Oracle Database 11g, Oracle Streams supports TDE. Oracle Streams ...

... Adjust Security Settings
(Need Beta 5 screenshot)
When you create a database using the DBCA tool, you are offered a choice of security settings:
• Keep the enhanced 11g default security settings (recommended). These settings include enabling auditing and the new default password profile.
• Revert to pre-11g default ...

... local database supports TDE. This is performed transparently without any user intervention. LCR message tracing does not display clear text of encrypted column values.

Hardware Security Module
Encrypt and decrypt operations are performed on the hardware security module. Hardware Security ...

... SEC_MAX_FAILED_LOGIN_ATTEMPTS
A set of new parameters has been added to Oracle Database 11g to enhance the default security of the database. These parameters are system-wide and static.

Use case-sensitive passwords to improve security. A new parameter, SEC_CASE_SENSITIVE_LOGON, allows you to set the case sensitivity of user passwords. Oracle recommends that you retain the default setting of TRUE. You can specify ...

... encrypted using the wallet at the target. The data can be encrypted in transit using Advanced Security Option to provide network encryption. Oracle Database 11g introduces a completely reengineered large object (LOB) data type called SecureFiles, offering compression and transparent encryption. Oracle Database 11g extends Data Pump compression capability so that you can now compress table data on export ...

... compressed file. Any command that you would use on a regular file also works on a compressed file.

In Oracle Database 11g, Data Pump supplies more encryption options for more flexible and robust security. The most important new encryption feature for Data Pump is the ability to encrypt dump file sets. You can ...

... enabled.

This parameter prevents a program from making a database connection and then attempting to authenticate by trying hundreds or thousands of passwords.

Using RMAN Security Enhancements
• Configure
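As an added example that is not part of the student guide, the checks below tie together the "Password Configuration" section (default profile limits, case sensitivity after upgrade) and the SEC_CASE_SENSITIVE_LOGON / SEC_MAX_FAILED_LOGIN_ATTEMPTS parameters from the excerpts above, so a DBA can confirm that an upgraded 11g database actually has the described defaults rather than assuming it. V$PARAMETER, DBA_PROFILES and DBA_USERS (with its PASSWORD_VERSIONS column) are standard 11g views; the verify function name VERIFY_FUNCTION_11G is the one created by the standard utlpwdmg.sql script; the user name APPUSER is an illustrative placeholder.

```sql
-- Added example (not from the student guide). APPUSER is a placeholder name.

-- 1. Confirm the security parameters. SEC_CASE_SENSITIVE_LOGON should be TRUE
--    (the recommended default); SEC_MAX_FAILED_LOGIN_ATTEMPTS caps how many
--    wrong passwords a single connection may try before it is dropped.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('sec_case_sensitive_logon', 'sec_max_failed_login_attempts')
ORDER  BY name;

-- 2. Compare the DEFAULT profile's password limits with the documented defaults
--    (FAILED_LOGIN_ATTEMPTS 10, PASSWORD_LIFE_TIME 180, reuse limits UNLIMITED).
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 3. After an upgrade from 10g, an account keeps its old case-insensitive hash
--    until its password is changed. PASSWORD_VERSIONS shows only '10G' for such
--    accounts and '10G 11G' once an 11g salted SHA-1 credential exists.
--    Any row returned here still authenticates case-insensitively.
SELECT username, password_versions, account_status, profile
FROM   dba_users
WHERE  password_versions NOT LIKE '%11G%'
ORDER  BY username;

-- 4. Attach the built-in complexity checker to the DEFAULT profile. Run
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql first to create the function.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- 5. Move an upgraded account to the 11g credential: expiring the password
--    forces the owner to choose a new one, which is stored case-sensitively
--    and checked against the verify function.
ALTER USER appuser PASSWORD EXPIRE;
```

Step 3 is the one most often skipped after an upgrade: setting SEC_CASE_SENSITIVE_LOGON alone does not rewrite existing credentials, so accounts that still show only 10G in PASSWORD_VERSIONS continue to accept passwords in any case until they are changed.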

Posted: 25/11/2016, 19:17
