Presentation is loading. Please wait.

Presentation is loading. Please wait.

C Copyright © 2007, Oracle. All rights reserved. Security New Features.

Published byTrevor Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "C Copyright © 2007, Oracle. All rights reserved. Security New Features."— Presentation transcript:

1 C Copyright © 2007, Oracle. All rights reserved. Security New Features

2 Copyright © 2007, Oracle. All rights reserved. C - 2 Objectives After completing this lesson, you should be able to: Configure the password file to use case-sensitive passwords Encrypt a tablespace Configure fine-grained access to network services

3 Copyright © 2007, Oracle. All rights reserved. C - 3 Secure Password Support Passwords in Oracle Database 11g: –Are case-sensitive –Contain more characters –Use more secure hash algorithm –Use salt in the hash algorithm Usernames are still Oracle identifiers (up to 30 characters, non-case-sensitive)

4 Copyright © 2007, Oracle. All rights reserved. C - 4 Automatic Secure Configuration Default password profile Default auditing Built-in password complexity checking

5 Copyright © 2007, Oracle. All rights reserved. C - 5 Password Configuration By default: –Default password profile is enabled –Account is locked after 10 failed login attempts In upgrade: –Passwords are non-case-sensitive until changed –Passwords become case-sensitive when the ALTER USER command is used On creation: –Passwords are case-sensitive

6 Copyright © 2007, Oracle. All rights reserved. C - 6 Enable Built-in Password Complexity Checker Execute the utlpwdmg.sql script to create the password verify function: Alter the default profile: ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function_11g; SQL> CONNECT / as SYSDBA SQL> @?/rdbms/admin/utlpwdmg.sql

7 Copyright © 2007, Oracle. All rights reserved. C - 7 Managing Default Audits Review audit logs: –Default audit options cover important security privileges Archive audit records –Export –Copy to another table Remove archived audit records

8 Copyright © 2007, Oracle. All rights reserved. C - 8 Notes only

9 Copyright © 2007, Oracle. All rights reserved. C - 9 Adjust Security Settings Need Beta 5 Screenshot

10 Copyright © 2007, Oracle. All rights reserved. C - 10 Setting Security Parameters Use case-sensitive passwords SEC_SEC_CASE_SENSITIVE_LOGON Protect against DoS attacks SEC_PROTOCOL_ERROR_FURTHER_ACTION SEC_PROTOCOL_ERROR_TRACE_ACTION Protect against brute force attacks SEC_MAX_FAILED_LOGIN_ATTEMPTS

11 Copyright © 2007, Oracle. All rights reserved. C - 11 Notes only page

12 Copyright © 2007, Oracle. All rights reserved. C - 12 Setting Database Administrator Authentication Use password file with case-sensitive passwords. Enable strong authentication for administrator roles: –Grant the administrator role in OID. –Use Kerberos tickets. –Use certificates with SSL.

13 Copyright © 2007, Oracle. All rights reserved. C - 13 Set Up Directory Authentication for Administrative Users 1.Create the user in the directory. 2.Grant the SYSDBA or SYSOPER enterprise role to user. 3.Set the LDAP_DIRECTORY_SYSAUTH parameter in the database. 4.Check whether the LDAP_DIRECTORY_ACCESS parameter is set to PASSWORD or SSL. 5.Test the connection. $sqlplus fred/t%3eEGQ@orcl AS SYSDBA

14 Copyright © 2007, Oracle. All rights reserved. C - 14 Set Up Kerberos Authentication for Administrative Users 1.Create the user in the Kerberos domain. 2.Configure OID for Kerberos authentication. 3.Grant the SYSDBA or SYSOPER enterprise role to the user in OID. 4.Set the LDAP_DIRECTORY_SYSAUTH parameter in the database. 5.Set the LDAP_DIRECTORY_ACCESS parameter. 6.Test the connection. $sqlplus /@orcl AS SYSDBA

15 Copyright © 2007, Oracle. All rights reserved. C - 15 Set Up SSL Authentication for Administrative Users 1.Configure client to use SSL. 2.Configure server to use SSL. 3.Configure OID for SSL user authentication. 4.Grant SYSOPER or SYSDBA to the user. 5.Set the LDAP_DIRECTORY_SYSAUTH parameter in the database. 6.Test the connection. $sqlplus /@orcl AS SYSDBA

16 Copyright © 2007, Oracle. All rights reserved. C - 16 Notes only page

17 Copyright © 2007, Oracle. All rights reserved. C - 17 Transparent Data Encryption New features in TDE include: Tablespace Encryption Support for LogMiner Support for Logical Standby Support for Streams Support for Asynchronous Change Data Capture Hardware-based master key protection

18 Copyright © 2007, Oracle. All rights reserved. C - 18 Using Tablespace Encryption Create an encrypted tablespace. 1.Create or open the encryption wallet: 2.Create a tablespace with the encryption keywords: SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1"; SQL> CREATE TABLESPACE encrypt_ts 2> DATAFILE '$ORACLE_HOME/dbs/encrypt.dat' SIZE 100M 3> ENCRYPTION USING '3DES168' 4> DEFAULT STORAGE (ENCRYPT);

19 Copyright © 2007, Oracle. All rights reserved. C - 19 TDE and LogMiner LogMiner supports TDE-encrypted columns. Restrictions: –The wallet holding the TDE master keys must be open. –Hardware Security Modules are not supported. –User-held keys are not supported.

20 Copyright © 2007, Oracle. All rights reserved. C - 20 TDE and Logical Standby Logical standby database with TDE: Wallet on the standby is a copy of the wallet on the primary. Master key may be changed only on the primary. Wallet open and close commands are not replicated. Table key may be changed on the standby. Table encryption algorithm may be changed on the standby.

21 Copyright © 2007, Oracle. All rights reserved. C - 21 TDE and Streams Oracle Streams now provides the ability to transparently: Decrypt values protected by TDE for filtering and processing Reencrypt values so that they are never in clear text while on disk Apply StagingCapture

22 Copyright © 2007, Oracle. All rights reserved. C - 22 Hardware Security Module Hardware Security Module Database server Client Encrypt and decrypt operations are performed on the hardware security module. Encrypted data

23 Copyright © 2007, Oracle. All rights reserved. C - 23 Using a Hardware Security Module with TDE 1.Configure sqlnet.ora : 2.Copy the PKCS#11 library to the correct path. 3.Set up the HSM. 4.Generate a master encryption key for HSM-based encryption: 5.Ensure that the HSM is accessible. 6.Encrypt and decrypt data. ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM) (METHOD_DATA= (DIRECTORY=/app/oracle/admin/SID1/wallet))) ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY user_Id:password

24 Copyright © 2007, Oracle. All rights reserved. C - 24 Encryption for LOB Columns LOB encryption is allowed only for SECUREFILE LOBs. All LOBs in the LOB column are encrypted. LOBs can be encrypted on per-column or per-partition basis. –Allows for the coexistence of SECUREFILE and BASICFILE LOBs CREATE TABLE test1 (doc CLOB ENCRYPT USING 'AES128') LOB(doc) STORE AS SECUREFILE (CACHE NOLOGGING );

25 Copyright © 2007, Oracle. All rights reserved. C - 25 Using Kerberos Enhancements Use stronger encryption algorithms (no action required). Interoperability between MS KDC and MIT KDC (no action required) Longer principal name: Convert a DB user to Kerberos user: CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM'; ALTER USER DBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';

26 Copyright © 2007, Oracle. All rights reserved. C - 26 Enterprise Manager Security Management Manage security through EM. Policy Manager replaced for: –Virtual Private Database –Application Context –Oracle Label Security Enterprise User Security pages added TDE pages added

27 Copyright © 2007, Oracle. All rights reserved. C - 27 Managing TDE with Enterprise Manager

28 Copyright © 2007, Oracle. All rights reserved. C - 28 Managing Tablespace Encryption with Enterprise Manager

29 Copyright © 2007, Oracle. All rights reserved. C - 29 Managing Virtual Private Database

30 Copyright © 2007, Oracle. All rights reserved. C - 30 Managing Label Security with Enterprise Manager

31 Copyright © 2007, Oracle. All rights reserved. C - 31 Managing Label Security with Oracle Internet Directory

32 Copyright © 2007, Oracle. All rights reserved. C - 32 Managing Enterprise Users with Enterprise Manager

33 Copyright © 2007, Oracle. All rights reserved. C - 33 Enterprise Manager Policy Trend

34 Copyright © 2007, Oracle. All rights reserved. C - 34 Managing Enterprise Users with Enterprise Manager

35 Copyright © 2007, Oracle. All rights reserved. C - 35 Oracle Audit Vault Enhancements Audit Vault enhancements to Streams: Harden Streams configuration DML/DDL capture on SYS and SYSTEM schemas Capture changes to SYS.AUD$ and SYS.FGA_LOG$

36 Copyright © 2007, Oracle. All rights reserved. C - 36 Using RMAN Security Enhancements Configure backup shredding: Using backup shredding: RMAN> CONFIGURE ENCRYPTION EXTERNAL KEY STORAGE ON; RMAN> DELETE FORCE;

37 Copyright © 2007, Oracle. All rights reserved. C - 37 Managing Fine-Grained Access to External Network Services 1.Create an ACL and its privileges: BEGIN DBMS_NETWORK_ACL_ADMIN.CREATE_ACL ( acl => 'us-oracle-com-permissions.xml', description => ‘Permissions for oracle network', principal => ‘SCOTT', is_grant => TRUE, privilege => 'connect'); END;

38 Copyright © 2007, Oracle. All rights reserved. C - 38 Managing Fine-Grained Access to External Network Services 2.Assign an ACL to one or more network hosts: BEGIN DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL ( acl => ‘us-oracle-com-permissions.xml', host => ‘*.us.oracle.com', lower_port => 80, upper_port => null); END

39 Copyright © 2007, Oracle. All rights reserved. C - 39 Summary In this lesson, you should have learned how to: Configure the password file to use case-sensitive passwords Encrypt a tablespace Configure fine-grained access to network services

40 Copyright © 2007, Oracle. All rights reserved. C - 40 Practice 14: Overview This practice covers the following topics: Changing the use of case-sensitive passwords Implementing a password complexity function Encrypting a tablespace

Download ppt "C Copyright © 2007, Oracle. All rights reserved. Security New Features."

Similar presentations

The following is intended to outline our general product direction

The following is intended to outline our general product direction
18 Copyright © Oracle Corporation, 2001. All rights reserved. Transporting Data Between Databases.

18 Copyright © Oracle Corporation, All rights reserved. Transporting Data Between Databases.
Oracle Database Security

Oracle Database Security
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
15 Copyright © 2006, Oracle. All rights reserved. Database Security.

15 Copyright © 2006, Oracle. All rights reserved. Database Security.
Administering User Security

Administering User Security
Configuring Recovery Manager

Configuring Recovery Manager
4 Copyright © 2008, Oracle. All rights reserved. Configuring Backup Specifications.

4 Copyright © 2008, Oracle. All rights reserved. Configuring Backup Specifications.
9 Copyright © Oracle Corporation, 2001. All rights reserved. Oracle Recovery Manager Overview and Configuration.

9 Copyright © Oracle Corporation, All rights reserved. Oracle Recovery Manager Overview and Configuration.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Oracle TDE -11gR2.

Oracle TDE -11gR2.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
11 Copyright © 2004, Oracle. All rights reserved. Oracle Database Security.

11 Copyright © 2004, Oracle. All rights reserved. Oracle Database Security.

Similar presentations

Ads by Google