Use Case: Enhance security for a database with sensitive data
Koen Van Bastelaere
Oracle DBA
Agenda
● About me
● The project
● OS
● Database
● Application
● Encryption and identity
● Q&A
The project
Disclosing security details means keeping quiet about the project!
The things I cannot say:
● Customer name
● “Type” of sensitive data
The things I can say:
● Apex Application
● Oracle 12.1 database
● ORDS: Oracle REST Data Services
● Some fields contain “sensitive” data
OS
● Software and patching
○ Oracle Linux 6.9
○ Apply quarterly security patches
○ Update to 7.x before 6.x goes out of support
● Accounts
○ Only ssh login with personal accounts
○ sudo
OS
● Filesystem encryption
○ Sqlnet trace files
○ Database trace files
○ Database audit files
○ Core dump files
○ Wallet
● No filesystem encryption for
○ Data, temp, undo, flashback and (archived) redo log files / TDE
○ Rman backup files / Rman encryption
○ Datapump dump files / Datapump encryption
OS - Filesystem encryption
● Example
yum install ecryptfs-utils
mount -t ecryptfs /u01 /u01
Database
● Software and patching
● Accounts
● Sqlnet encryption
● Tablespace encryption
● Backup encryption
● Datapump encryption
Database - Software and patching
● Oracle 12.1.0.2
● Apply quarterly security patches
● Update to 12.2 before 12.1 goes out of support
Database - Accounts
● Application and monitoring
○ strong password
○ does not expire
● Personal DBA
○ strong password
○ expires every x days?
● All others (schema, shared, ...)
○ expired & locked
select 'alter user '||username||' password expire account lock;'
from dba_users_with_defpwd;
Database - Sqlnet encryption
● No advanced security license
● Easy method
○ sqlnet.ora (both database and listener)
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (aes256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
Database - Sqlnet encryption
● SSL - Use TLS!
○ Allows for identity check (DN match)
○ sqlnet.ora (database & listener)
SSL_VERSION=1.2 or 1.1 or 1.0
○ create an SSL endpoint on listener (listener.ora or srvctl)
○ client specific + DN matching to check identity
■ tnsnames.ora
(ADDRESS=(PROTOCOL=TCPS)(...)...))
(SECURITY=(SSL_SERVER_CERT_DN="cn=<NAME>,cn=OracleContext,c=be,o=acme"))
■ sqlnet.ora
SSL_SERVER_DN_MATCH=ON
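The two slides above give the sqlnet.ora values for native encryption and for the TLS endpoint. As an added example (not from the presentation), the Python checker below parses a sqlnet.ora fragment and reports which of those settings is missing or weaker than the slide values; both fragments are constructed for illustration, and the rules encode only the slide's values, not a complete hardening baseline.

```python
# Added example, not from the slides: check sqlnet.ora against the values above.
# Both fragments are constructed; SSL_SERVER_DN_MATCH is a client-side parameter.
WEAK_SQLNET = """
SQLNET.ENCRYPTION_SERVER = accepted   # a client may still connect in clear
SQLNET.ENCRYPTION_TYPES_SERVER = (rc4_128, aes128)
SQLNET.CRYPTO_CHECKSUM_SERVER = rejected
SSL_VERSION = 1.0
SSL_SERVER_DN_MATCH = OFF
"""

HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (aes256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
SSL_VERSION = 1.2
SSL_SERVER_DN_MATCH = ON
"""

def parse_sqlnet(text):
    """Flat KEY = VALUE parser: keys upper-cased, '#' comments dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params

def algorithms(value):
    """'(aes256, aes128)' -> {'AES256', 'AES128'}; '' -> empty set."""
    return {a.strip().upper() for a in value.strip("()").split(",") if a.strip()}

def check_sqlnet(text):
    """Return the list of findings; an empty list means the fragment passes."""
    p = parse_sqlnet(text)
    findings = []
    if p.get("SQLNET.ENCRYPTION_SERVER", "").lower() != "required":
        findings.append("ENCRYPTION_SERVER is not 'required'")  # accepted/requested still allows clear text
    algos = algorithms(p.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""))
    if algos != {"AES256"}:  # unset means every algorithm is negotiable
        findings.append("ENCRYPTION_TYPES_SERVER allows " + (", ".join(sorted(algos - {"AES256"})) or "any algorithm"))
    if p.get("SQLNET.CRYPTO_CHECKSUM_SERVER", "").lower() != "required":
        findings.append("CRYPTO_CHECKSUM_SERVER is not 'required'")  # no enforced integrity check
    if p.get("SSL_VERSION") != "1.2":
        findings.append("SSL_VERSION is not 1.2")  # 1.0 and 1.1 are obsolete
    if p.get("SSL_SERVER_DN_MATCH", "").upper() != "ON":
        findings.append("SSL_SERVER_DN_MATCH is not ON")  # client skips the server identity check
    return findings
```

The checker does not flag the slide's SHA1 checksum type; 12c also accepts SHA256, SHA384 and SHA512 for SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER, which is the value to prefer on a new setup.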
Database - Tablespace encryption
● Advanced security license
● You need an encryption key (symmetric) in an Oracle wallet
○ sqlnet.ora
ENCRYPTION_WALLET_LOCATION =
○ Create the wallet and add the key
sqlplus / as syskm
ADMINISTER KEY MANAGEMENT ...
○ Views
(g)v$encryption_wallet
(g)v$encryption_keys
Database - Tablespace encryption
● Create an encrypted tablespace
sqlplus / as sysdba
create tablespace ... ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
● New 12.2 feature: online tablespace encryption
○ Online needs double storage
○ Offline is in-place
alter tablespace …
● View
v$encrypted_tablespaces
Database - Tablespace encryption
Don’t forget to securely backup your wallet.
If you lose your TDE master key, you lose your data!
Database - Backup encryption
● Advanced security license
● Uses the same encryption wallet & key as TDE
● Make a restore procedure and test it!
● Configuration:
rman
> connect target /
> configure encryption for database on;
Database - Datapump encryption
● Advanced security license
● Can use the same encryption wallet & key as TDE
● Usage:
ENCRYPTION=ALL|DATA_ONLY|ENCRYPTED_COLUMNS_ONLY|METADATA_ONLY|NONE
ENCRYPTION_MODE=TRANSPARENT
Application
Apex
● “Sensitive data” field
○ value not visible by default
○ Show button records user details in “view” table
○ editing records user details in “history” table
● ORDS https
Encryption and identity
● Encryption
○ Symmetric key
○ Private - public key pair (PKI)
● Certificates - Identity
○ server, client
○ user, trusted
○ ca
● Oracle Wallets
○ encryption keys
○ certificates
○ secrets (key / value pairs)
Oracle Wallets
● Types
● Contents
● Administration
● Location
● Issues
Oracle Wallets
Types
● normal
● auto-login
● auto-login, local only
Oracle Wallets
Contents
● certificates
○ CA trusted certificate
○ server (user) certificate - PKCS #12 format
■ listener
■ database
○ client (user) certificate
● credentials
○ ldap (OID, OUD)
○ database
● tde keys
Oracle Wallets
Administration
● Command-line
○ orapki
○ mkstore
○ keytool (java)
● Wallet manager
● SQL
○ administer key management
○ (g)v$ views
Oracle Wallets
Location
● filesystem
● ASM
● ldap
● Windows registry
Oracle Wallets
Issues
● RAC & Dataguard
● Refresh database
● Multiple databases on one host
○ Use TNS_ADMIN for different sqlnet.ora & wallet_location
Known TDE Wallet Issues (Doc ID 1301365.1)
Quality. Passion. Personality.
www.exitas.be
+32 (0)3 443 12 38
Veldkant 31 - (B) 2550 Kontich