Oracle Database Vault Integration in SWPM

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

Oracle Database Vault Integration in SWPMOracle Database Vault 12c

Andreas BeckerPrincipal Member Technical StaffSAP Development, Oracle Server TechnologiesJune 19, 2017

DOAG SIG Oracle und SAP 19. Juni 2017


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.



Agenda

Oracle Database Vault 12c

Oracle Database Vault Integration in SWPM

Further Considerations

1

2

3



Oracle Database Vault and Cloud


Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | DOAG SIG Oracle und SAP 19. Juni 2017

Oracle Database Vault


SAP NetWeaver, Oracle Cloud and Oracle Database VaultThis could be a separate presentation in the future.



Oracle Database Vault 12c



Oracle Database 11g Release 2

• DV enabled in Oracle Home

• ~10 separate SAP Notes

• DV installation: manual only (*)

– SWPM: no support for DV

Oracle Database 12c Release 1

• DV enabled in Database (!!)

• One (!) SAP Note 2218115

• DV installation: manual or SWPM

– SWPM (SP21+): support for DV


Oracle Database Vault – Status and Comparison

(*) DV installation/configuration as manual task.Required after SAP system install, SAP system copyor SAP system rename (post-config task)

https://service.sap.com/sap/support/notes/2218115






• SAP Software Provisioning Manager (SWPM) SP21 and higher

• Oracle Database 12c Release 1 and higher

• Oracle Database Vault Patch 9656644 must be installed

– PL/SQL scripts from this patch are used by SWPM to install and configure Database Vault. If the patch is not installed, the installation will fail.

Reference: SAP Note 2218115

Prerequisites




Oracle Database Vault Integration in SWPMIntegration Levels


Step Basic (Level 1) Standard (Level 2) Full (Level 3)

Install OLS/DV Yes (*) Yes (*) Yes (*)

Create DV Admin Accounts Yes (*) Yes (*)

Configure OLS/DV Yes (*) Yes (*)

Create DV Policy for SAP Yes (**)

Enable DV Yes (**)

Reference: SAP Note 2218115

(*) Task for DV Security Administrator (DV_OWNER, DV_ADMIN) e.g. SECADMIN

(*) Task for DBA (e.g. SYS)



Oracle Database Vault Integration in SWPMIntegration Level Standard (Level 2) - Install DV


(*) Task for DBA (e.g. SYS)


Oracle Database Vault Integration in SWPMIntegration Level Full (Level 3) – Install and Enable DV


(*) Task for DV Security Administrator (DV_OWNER, DV_ADMIN) e.g. SECADMIN


Oracle Database Vault Integration in SWPMSWPM Dialogs for System Copy (Backup/Restore)




• Which level is recommended?

– Basic (level 1) is not supported (at the moment)

– Use Standard (level 2) or Full (level 3) according to your requirements• Level 2: install components and users, but do not enable DV

– requires manual enabling of Database Vault by SECADMIN afterwards

– Details see SAP Note 2218115

• Level 3: install components and users, install DV policy and enable DV

– DV is fully installed and enabled

Recommendation for Integration Level




• When should I install Database Vault in an SAP system?

– only when required (business requirement for DV) Principle of „minimum installation“ do not install software, components or users when not needed

– Note: you need a Database Vault license!!!

Recommendation




• Automatic installation and configuration of Database Vault for an SAP system in the following scenarios (SAP admin tasks):

– SAP system installation, SAP system copy, SAP system rename

• Manual installation according to SAP Note 2218115 is still possible.

Advantages





Restrictions:

• No DV support in SWPM for SAP MCOD installations

• No DV support in SWPM for Oracle databases < 12.1

Current Limitations:

• No DV support for SAP systems with Oracle Multitenant (CDB/PDB)

Restrictions and Current Limitations in SWPM SP21



DV_PATCH_ADMIN Role

• DV_PATCH_ADMIN role

– enables SYS for the following tasks:• Perform patch post-install steps

• Manage database users (CREATE, ALTER, DROP)

– SWPM uses DV_PATCH_ADMIN role to work on the configuration of an SAP systemwhere DV is already enabled• SAP system rename

• SAP system copy

SWPM Implementation Details



Further ConsiderationsSupport for Oracle Database Security in SWPM



Further Considerations

SWPM Support for … Current status

Database Vault OK (SWPM SP 21)

-> Database Vault and Multitenant Planned (SWPM SP > 21)

-> Database Vault in existing SAP system (post-config) Not planned (depending on customer request)

Transparent Data Encryption (TDE) Planned (SWPM SP > 21)

Network Encryption Planned

Unified Auditing Planned

Plans for Future SWPM Integrations of Oracle Database Security Features


Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | DOAG SIG Oracle und SAP 19. Juni 2017


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Documents

Oracle Database Vault Integration in SWPM