Use Case: Enhance security for a database with sensitive data Koen Van Bastelaere Oracle DBA


Page 1: Use Case: Enhance security for a database with sensitive data · 2018-01-23 · Oracle DBA. Agenda About me The ... ASM ldap Windows registry 29. Oracle Wallets Issues RAC & Dataguard

Use Case: Enhance security for a database

with sensitive data

Koen Van Bastelaere

Oracle DBA


Agenda

● About me

● The project

● OS

● Database

● Application

● Encryption and identity

● Q&A


The project

Disclosing security details means keeping quiet about the project!

The things I cannot say:

● Customer name

● “Type” of sensitive data

The things I can say:

● Apex Application

● Oracle 12.1 database

● ORDS: Oracle REST Data Services

● Some fields contain “sensitive” data


OS

● Software and patching

○ Oracle Linux 6.9

○ Apply quarterly security patches

○ Update to 7.x before 6.x goes out of support

● Accounts

○ ssh login only with personal accounts (no shared accounts)

○ privileges through sudo


OS

● Filesystem encryption for the files that can carry plaintext out of the database

○ Sqlnet trace files

○ Database trace files

○ Database audit files

○ Core dump files

○ Wallet (an auto-login wallet is only obfuscated, not password-protected)

● No filesystem encryption where the database encrypts the data itself (mechanism after the slash)

○ Data, temp, undo, flashback and (archived) redo log files / TDE

○ Rman backup files / Rman encryption

○ Datapump dump files / Datapump encryption


OS - Filesystem encryption

● Example (mount /u01 over itself: the decrypted view is /u01, the ciphertext stays on disk)

yum install ecryptfs-utils

mount -t ecryptfs /u01 /u01

○ The passphrase is asked for at every mount (normally at boot); wherever it is kept is now inside the trust boundary, and root on the running host still sees the plaintext


Database

● Software and patching

● Accounts

● Sqlnet encryption

● Tablespace encryption

● Backup encryption

● Datapump encryption


Database - Software and patching

● Oracle 12.1.0.2

● Apply quarterly security patches

● Update to 12.2 before 12.1 goes out of support


Database - Accounts

● Application and monitoring

○ strong password

○ does not expire

● Personal DBA

○ strong password

○ expires every x days?

● All others (schema, shared, ...)

○ expired & locked

○ generate the statements for every account that is still on its default password:

select 'alter user '||username||' password expire account lock;'

from dba_users_with_defpwd;


Database - Sqlnet encryption

● No Advanced Security license needed: native network encryption (and TLS) no longer require the option

● Easy method

○ sqlnet.ora (both database and listener)

SQLNET.ENCRYPTION_SERVER = required

SQLNET.ENCRYPTION_TYPES_SERVER = (aes256)

SQLNET.CRYPTO_CHECKSUM_SERVER = required

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

○ "required" makes the server refuse clients that reject encryption; the client default is "accepted", so unchanged clients negotiate it

○ 12c also accepts SHA256, SHA384 and SHA512 as checksum types; prefer those over SHA1
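
"required" is only worth something if it is checked. The query below is an added example, not from the slides: it lists, per user session, which encryption and checksum algorithm the connection actually negotiated, taken from the service banners in v$session_connect_info. The banner wording in the comments is what 12.1 on Linux prints; the regular expressions are written against it.

```sql
-- Added example; not from the original slides.
-- v$session_connect_info holds one row per service banner. With native encryption
-- on, two of them name the negotiated algorithms, e.g.
--   Oracle Advanced Security: AES256 encryption service adapter for Linux: Version ...
--   Oracle Advanced Security: SHA1 crypto-checksumming service adapter for Linux: Version ...
-- Local (bequeath) sessions show neither, which is fine: they never touch the network.
-- Anything else with NULL in both columns is a cleartext network session.
select s.sid, s.serial#, s.username, s.machine, s.program,
       max(case when lower(ci.network_service_banner) like '%encryption service adapter%'
                then regexp_substr(ci.network_service_banner,
                                   'AES[0-9]+|3DES[0-9]+|RC4_[0-9]+|DES40|DES')
           end) as encryption,
       max(case when lower(ci.network_service_banner) like '%crypto-checksumming service adapter%'
                then regexp_substr(ci.network_service_banner, 'SHA[0-9]*|MD5')
           end) as checksum
  from v$session s
  join v$session_connect_info ci
    on ci.sid = s.sid and ci.serial# = s.serial#
 where s.type = 'USER'
 group by s.sid, s.serial#, s.username, s.machine, s.program
 order by s.sid;

-- For the current session: 'tcps' means a TLS connection (which normally shows no
-- native adapter above), 'tcp' means native encryption or nothing, 'beq' is local.
select sys_context('userenv', 'network_protocol') as protocol from dual;
```

Run the first query from the ORDS host's point of view as well: the sessions with machine = the ORDS server are the ones carrying the Apex application's traffic and must all show AES256 (or be TCPS).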


Database - Sqlnet encryption

● SSL - Use TLS!

○ Allows for identity check (DN match)

○ sqlnet.ora (database & listener)

SSL_VERSION=1.2 or 1.1 or 1.0

○ prefer SSL_VERSION=1.2 alone; 1.0 and 1.1 are only there for old clients

○ create an SSL endpoint on listener (listener.ora or srvctl)

○ client specific + DN matching to check identity

■ tnsnames.ora

(ADDRESS=(PROTOCOL=TCPS)(...)...))

(SECURITY=(SSL_SERVER_CERT_DN="cn=<NAME>,cn=OracleContext,c=be,o=acme"))

■ sqlnet.ora

SSL_SERVER_DN_MATCH=ON
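
The fragments below are an added example, not copied from the slides, and put the two previous slides (native encryption and TLS) side by side as complete files. Host names, ports, wallet directories, the service name and the certificate DN are assumptions. Not shown: building the wallets with orapki (wallet create, a request via wallet add -dn, then the CA's trusted_cert and the signed user_cert imported); the client wallet only needs the CA's trusted certificate.

```ini
# Added example, not from the original slides. Names, ports, paths and DN are assumed.
#
# The two mechanisms are alternatives per connection: a TCPS connection that also
# negotiates native encryption fails with ORA-12696 ("Double Encryption Turned On").
# So do not set ENCRYPTION_SERVER = required in a home that also publishes a TCPS
# endpoint: keep native encryption for the plain TCP endpoint, or close that
# endpoint and run TLS only.

# ===== A. native network encryption (slide 14) =====
# --- server sqlnet.ora
SQLNET.ENCRYPTION_SERVER            = required
SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER       = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)   # slide: (SHA1); 12c also takes SHA384, SHA512
# --- client sqlnet.ora (defaults are "accepted"; "required" on the client too means a
#     misconfigured server is refused instead of silently used in clear)
SQLNET.ENCRYPTION_CLIENT            = required
SQLNET.ENCRYPTION_TYPES_CLIENT      = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT       = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)

# ===== B. TLS with server identity check (slide 15) =====
# --- server sqlnet.ora: wallet holding the server certificate and its CA chain
SSL_VERSION               = 1.2          # slide: 1.2 or 1.1 or 1.0; pin to 1.2
SSL_CLIENT_AUTHENTICATION = FALSE        # server certificate only; users still log in with passwords
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
                   (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/tls)))

# --- server listener.ora: TCPS endpoint on 2484, same wallet, no plain TCP endpoint
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.acme.be)(PORT = 2484))))
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
                   (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/tls)))

# --- client tnsnames.ora (e.g. on the ORDS host): TCPS plus the DN the server
#     certificate must carry
SENSDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.acme.be)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = sensdb.acme.be))
    (SECURITY = (SSL_SERVER_CERT_DN = "cn=db01.acme.be,cn=OracleContext,c=be,o=acme")))

# --- client sqlnet.ora: wallet with only the CA's trusted certificate; refuse any
#     server whose certificate DN differs from SSL_SERVER_CERT_DN
SSL_VERSION         = 1.2
SSL_SERVER_DN_MATCH = ON
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
                   (METHOD_DATA = (DIRECTORY = /home/ords/wallet)))
```

With SSL_SERVER_DN_MATCH=ON a certificate that chains to a trusted CA but carries another DN is rejected, which is what stops a second server certificate from the same CA impersonating the database; without it the client only checks the chain.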


Database - Tablespace encryption

● Advanced security license

● You need a TDE master key (symmetric) in an Oracle wallet (12c calls it a keystore)

○ sqlnet.ora

ENCRYPTION_WALLET_LOCATION =

○ Create the wallet and add the key

sqlplus / as syskm

ADMINISTER KEY MANAGEMENT ...

○ Views

(g)v$encryption_wallet

(g)v$encryption_keys


Database - Tablespace encryption

● Create an encrypted tablespace

sqlplus / as sysdba

create tablespace ... ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

● New 12.2 feature: convert an existing tablespace to encrypted (online or offline)

○ Online needs double storage (the data files are copied)

○ Offline is in-place: alter tablespace …

● View

v$encrypted_tablespaces


Database - Tablespace encryption

Don’t forget to back up your wallet securely, and again after every rekey.

If you lose your TDE master key, you lose your data!
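
The three tablespace-encryption slides as one worked script, added here as an example and not taken from the slides: keystore and master key, an encrypted tablespace, the checks against the views named above, the backup the last slide insists on, and the 12.2 conversion as commented statements. The wallet directory, data file path, tablespace name, schema name and password are assumptions; a non-CDB is assumed (in a CDB add CONTAINER = ALL to the ADMINISTER KEY MANAGEMENT statements).

```sql
-- Added example; not from the original slides. Paths, names and password are assumed.
-- sqlnet.ora must point at the keystore before the instance is started:
--   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)
--     (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/tde)))

-- 1. Keystore and master key  (sqlplus / as syskm; the OS user must be in the OSKM group)
administer key management create keystore '/u01/app/oracle/wallet/tde'
  identified by "Keyst0re-Passw0rd";
administer key management set keystore open identified by "Keyst0re-Passw0rd";
administer key management set key identified by "Keyst0re-Passw0rd"
  with backup using 'initial_key';            -- WITH BACKUP copies ewallet.p12 first
-- Optional: auto-login copy (cwallet.sso) so the keystore opens at instance startup.
-- It is only obfuscated, hence the ecryptfs mount for the wallet directory on slide 7.
administer key management create auto_login keystore
  from keystore '/u01/app/oracle/wallet/tde' identified by "Keyst0re-Passw0rd";

-- 2. Encrypted tablespace for the sensitive tables  (sqlplus / as sysdba)
create tablespace sens_data
  datafile '/u01/oradata/SENSDB/sens_data01.dbf' size 1g autoextend on next 256m
  encryption using 'AES256'
  default storage (encrypt);

-- 3. Checks
select wrl_type, wrl_parameter, status, wallet_type, fully_backed_up
  from v$encryption_wallet;                   -- STATUS = OPEN, FULLY_BACKED_UP = YES
select key_id, tag, creation_time, backed_up
  from v$encryption_keys;                     -- every key BACKED_UP = YES
select t.name, e.encryptionalg
  from v$tablespace t
  join v$encrypted_tablespaces e on e.ts# = t.ts#;

-- Segments of the application schema that still live in a cleartext tablespace
-- (should return no rows once everything sensitive has been moved):
select distinct s.tablespace_name, s.segment_type
  from dba_segments s
 where s.owner = 'APP_OWNER'
   and s.tablespace_name not in (
         select t.name
           from v$tablespace t
           join v$encrypted_tablespaces e on e.ts# = t.ts#);

-- 4. Wallet backup outside the database host, to repeat after every rekey (slide 18)
administer key management backup keystore using 'pre_rekey'
  identified by "Keyst0re-Passw0rd" to '/mnt/keybackup/SENSDB';
-- Rekey; v$encryption_keys then shows the old and the new key
administer key management set key identified by "Keyst0re-Passw0rd"
  with backup using 'rekey_2018q1';

-- 5. After the 12.2 upgrade: convert an existing tablespace instead of moving data
--    alter tablespace app_data encryption online using 'AES256' encrypt;  -- needs room for a copy
--    alter tablespace app_data encryption offline encrypt;                 -- in place, tablespace offline
```

The last SELECT in step 3 is the one to schedule: a developer creating a new table in the default tablespace silently puts sensitive columns back in clear, and only a segment-level check catches it.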


Database - Backup encryption

● Advanced security license

● Uses the same encryption wallet & key as TDE (transparent mode: the wallet must be open at backup and at restore time)

● Make a restore procedure and test it! Include the case where the wallet itself has to be restored first

● Configuration (the algorithm defaults to AES128; change it with CONFIGURE ENCRYPTION ALGORITHM):

rman

> connect target /

> configure encryption for database on;


Database - Datapump encryption

● Advanced security license

● Can use the same encryption wallet & key as TDE

● Usage:

ENCRYPTION=ALL|DATA_ONLY|ENCRYPTED_COLUMNS_ONLY|METADATA_ONLY|NONE

ENCRYPTION_MODE=TRANSPARENT

○ TRANSPARENT needs the same wallet open on the importing database; DUAL additionally takes an ENCRYPTION_PASSWORD so the dump can also be imported elsewhere


Application

Apex

● "Sensitive data" field

○ value not visible by default

○ a Show button reveals it and records who looked, and when, in a "view" table

○ editing records who changed it in a "history" table

● ORDS https (the browser-to-ORDS leg; ORDS to database is covered by the Sqlnet encryption above)
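
One way to build the slide's pattern in the schema, added here as an example (not the project's code): the page never selects the sensitive column, the Show button calls a routine that logs the viewer and returns the value, and a trigger writes every edit to a history table. Table, column and routine names and the tablespace are assumptions; v('APP_USER') is the Apex session user and is NULL outside an Apex session.

```sql
-- Added example; not from the original slides. Names and tablespace are assumptions.
create table person (
  person_id    number        generated always as identity primary key,
  display_name varchar2(200) not null,
  sensitive    varchar2(400)                 -- the "sensitive data" field
) tablespace sens_data;                      -- an encrypted tablespace (TDE slides)

create table person_view_log (
  person_id  number        not null references person,
  viewed_by  varchar2(128) not null,
  viewed_at  timestamp     default systimestamp not null
) tablespace sens_data;

create table person_history (
  person_id     number        not null,
  changed_by    varchar2(128) not null,
  changed_at    timestamp     default systimestamp not null,
  old_sensitive varchar2(400),
  new_sensitive varchar2(400)
) tablespace sens_data;                      -- old/new values are sensitive too

-- Who is acting: the Apex user inside an Apex session, the database user otherwise.
create or replace function acting_user return varchar2
is
begin
  return nvl(v('APP_USER'), sys_context('userenv', 'session_user'));
end;
/

-- The view log is written in an autonomous transaction so the record of who looked
-- survives even if the calling page process rolls back.
create or replace procedure log_view(p_person_id in number)
is
  pragma autonomous_transaction;
begin
  insert into person_view_log (person_id, viewed_by) values (p_person_id, acting_user);
  commit;
end;
/

-- Called from the Show button's page process, e.g.
--   :P1_SENSITIVE := reveal_sensitive(:P1_PERSON_ID);
-- Report and form regions select DISPLAY_NAME only, never SENSITIVE.
create or replace function reveal_sensitive(p_person_id in number) return varchar2
is
  l_value person.sensitive%type;
begin
  select sensitive into l_value from person where person_id = p_person_id;
  log_view(p_person_id);
  return l_value;
end;
/

-- Every change of the field leaves who/when/old/new in the history table.
create or replace trigger person_history_trg
  after update of sensitive on person
  for each row
begin
  insert into person_history (person_id, changed_by, old_sensitive, new_sensitive)
  values (:new.person_id, acting_user, :old.sensitive, :new.sensitive);
end;
/
```

The log is only as honest as the schema grants: if the parsing schema owns PERSON, any SQL region a developer adds can still select SENSITIVE directly, so the check to run periodically is a search of the application's SQL sources for the column name.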


Encryption and identity

● Encryption

○ Symmetric key

○ Private - public key pair (PKI)

● Certificates - Identity

○ server, client

○ user, trusted

○ ca

● Oracle Wallets

○ encryption keys

○ certificates

○ secrets (key / value pairs)


Oracle Wallets

● Types

● Contents

● Administration

● Location

● Issues


Oracle Wallets

Types

● normal (password-protected, ewallet.p12)

● auto-login (cwallet.sso, obfuscated only: opens without a password)

● auto-login, local only (a cwallet.sso that opens only on the host where it was created)


Oracle Wallets

Contents

● certificates

○ CA trusted certificate

○ server (user) certificate - PKCS #12 format

■ listener

■ database

○ client (user) certificate

● credentials

○ ldap (OID, OUD)

○ database

● tde keys


Oracle Wallets

Administration

● Command-line

○ orapki

○ mkstore

○ keytool (java)

● Wallet manager

● SQL

○ administer key management

○ (g)v$ views


Oracle Wallets

Location

● filesystem

● ASM

● ldap

● Windows registry


Oracle Wallets

Issues

● RAC & Dataguard (every instance and the standby need the same wallet; copy it again after every rekey)

● Refresh database (a clone or refresh from a TDE database is unreadable without its wallet)

● Multiple databases on one host

○ Use TNS_ADMIN for different sqlnet.ora & wallet_location

Known TDE Wallet Issues (Doc ID 1301365.1)


Quality. Passion. Personality.

[email protected]

www.exitas.be

+32 (0)3 443 12 38

Veldkant 31 - (B) 2550 Kontich