Security New Features
Copyright © 2007, Oracle. All rights reserved.
C - 2 Objectives
After completing this lesson, you should be able to:
- Configure the password file to use case-sensitive passwords
- Encrypt a tablespace
- Configure fine-grained access to network services
C - 3 Secure Password Support
Passwords in Oracle Database 11g:
  – Are case-sensitive
  – Can contain more characters than before (multibyte characters are supported)
  – Are hashed with SHA-1 instead of the DES-based algorithm of earlier releases
  – Are salted before hashing, so two accounts with the same password no longer share a hash
Usernames are still Oracle identifiers (up to 30 characters, not case-sensitive).
C - 4 Automatic Secure Configuration
DBCA can apply a secure configuration when the database is created:
- Default password profile
- Default auditing
- Built-in password complexity checking
C - 5 Password Configuration
By default:
  – The DEFAULT profile enforces password limits (FAILED_LOGIN_ATTEMPTS 10, PASSWORD_LOCK_TIME 1, PASSWORD_LIFE_TIME 180, PASSWORD_GRACE_TIME 7)
  – An account is locked after 10 failed login attempts
In an upgraded database:
  – Existing passwords stay non-case-sensitive until they are changed (DBA_USERS.PASSWORD_VERSIONS shows 10G)
  – A password becomes case-sensitive once it is reset with ALTER USER ... IDENTIFIED BY (PASSWORD_VERSIONS then shows 10G 11G)
In a newly created database:
  – Passwords are case-sensitive from the start
C - 6 Enable Built-in Password Complexity Checker
Execute the utlpwdmg.sql script as SYSDBA to create the password verification function verify_function_11g:

SQL> CONNECT / AS SYSDBA
SQL> @?/rdbms/admin/utlpwdmg.sql

Then assign the function to the profile (the script already does this for DEFAULT, together with the other DEFAULT password limits; repeat for any other profile you use):

ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function_11g;
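The following SQL*Plus script is an added example, not part of the Oracle course notes. It ties the three password items together: turning on case-sensitive logons, rebuilding the password file so that SYSDBA passwords are case-sensitive too (the objective the slides state but never show), and checking that the 11g verifier and the complexity function are in effect. The instance name ORCL, the user SCOTT, the passwords and the file path are placeholders.

```sql
-- Added example (not from the course notes). Assumes instance ORCL, a test
-- user SCOTT, and placeholder passwords; run as SYSDBA from SQL*Plus on Unix.
CONNECT / AS SYSDBA

-- 1. Case-sensitive authentication for normal logons (TRUE is the 11g default;
--    setting it to FALSE reverts to the 10g behaviour for every account).
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE=BOTH;

-- 2. The password file is separate from the data dictionary: rebuild it with
--    ignorecase=n so that SYSDBA/SYSOPER passwords stored in it are
--    case-sensitive as well. Placeholder password. Note that a password given
--    on the command line is visible in ps output and shell history, so run
--    this from a private shell and clear the history afterwards.
HOST orapwd file=$ORACLE_HOME/dbs/orapwORCL password=SysPwd2007 entries=5 ignorecase=n force=y

-- Who holds SYSDBA/SYSOPER through the password file.
SELECT * FROM v$pwfile_users;

-- 3. Which password versions each account carries: "10G" alone means an
--    upgraded, still case-insensitive hash that nobody has reset yet.
SELECT username, password_versions, account_status, profile
FROM   dba_users
ORDER  BY username;

-- 4. Resetting a password generates the 11G (salted SHA-1) verifier and makes
--    the account case-sensitive.
ALTER USER scott IDENTIFIED BY "Tiger2007";

-- 5. Negative test: the same password in the wrong case must now be
--    rejected with ORA-01017.
CONNECT scott/tiger2007@ORCL
CONNECT / AS SYSDBA

-- 6. Complexity function: confirm the DEFAULT profile uses verify_function_11g,
--    then show it rejecting a password shorter than 8 characters (ORA-28003).
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION';

ALTER USER scott IDENTIFIED BY short1;
```

Step 5 is the check worth keeping in a hardening runbook: SEC_CASE_SENSITIVE_LOGON alone does nothing for an account whose PASSWORD_VERSIONS is still 10G, and a password file built without ignorecase=n keeps SYSDBA logons case-insensitive whatever the database parameter says.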
C - 7 Managing Default Audits
- Review the audit trail:
  – The default audit options cover security-sensitive privileges and statements (for example CREATE SESSION, ALTER SYSTEM, CREATE USER, ALTER USER, GRANT ANY PRIVILEGE)
- Archive audit records:
  – Export them (Data Pump)
  – Copy them to another table
- Remove the archived audit records from SYS.AUD$
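The following script is an added example, not part of the course notes. It walks the review, archive and remove cycle from the slide against the database audit trail, with the two queries that matter most in practice (failed logons by source, and privileged actions by non-DBA accounts). It assumes AUDIT_TRAIL=DB (the DBCA default) and a tablespace named AUDIT_ARCH for the archive copy; both are assumptions.

```sql
-- Added example (not from the course notes). Assumes AUDIT_TRAIL=DB and an
-- existing tablespace AUDIT_ARCH (placeholder) for the archived rows.
CONNECT / AS SYSDBA

-- What the default configuration audits: privileges and statements.
SELECT privilege, success, failure FROM dba_priv_audit_opts ORDER BY privilege;
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY audit_option;

-- Review 1: failed logons in the last 24 hours. ORA-01017 is recorded as
-- RETURNCODE 1017; grouping by account and host is the brute-force signal.
SELECT username, userhost, COUNT(*) AS failures, MAX(timestamp) AS last_failure
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp   > SYSDATE - 1
GROUP  BY username, userhost
ORDER  BY failures DESC;

-- Review 2: successful privileged actions performed by accounts that are not
-- the built-in administrative users.
SELECT timestamp, username, os_username, userhost, action_name, obj_name
FROM   dba_audit_trail
WHERE  action_name IN ('CREATE USER', 'ALTER USER', 'GRANT ROLE', 'ALTER SYSTEM')
AND    returncode = 0
AND    username NOT IN ('SYS', 'SYSTEM')
ORDER  BY timestamp;

-- Archive: copy rows older than 90 days out of SYS.AUD$ into a table in a
-- tablespace that is backed up independently of SYSTEM. The same cutoff is
-- reused below, so rows that arrive between the copy and the delete are kept.
CREATE TABLE system.aud_archive TABLESPACE audit_arch AS
SELECT * FROM sys.aud$ WHERE ntimestamp# < SYSTIMESTAMP - INTERVAL '90' DAY;

-- Sanity check before deleting: the two counts must match.
SELECT (SELECT COUNT(*) FROM system.aud_archive) AS archived,
       (SELECT COUNT(*) FROM sys.aud$
         WHERE ntimestamp# < SYSTIMESTAMP - INTERVAL '90' DAY) AS to_delete
FROM   dual;

-- Remove only what has been archived.
DELETE FROM sys.aud$ WHERE ntimestamp# < SYSTIMESTAMP - INTERVAL '90' DAY;
COMMIT;
```

The delete is deliberately bounded by the same cutoff as the copy rather than by "everything currently in AUD$", so a purge can never remove records that were never archived.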
C - 9 Adjust Security Settings (screenshot slide)
C - 10 Setting Security Parameters
- Use case-sensitive passwords: SEC_CASE_SENSITIVE_LOGON
- Protect against denial-of-service attacks by clients that send malformed packets: SEC_PROTOCOL_ERROR_FURTHER_ACTION, SEC_PROTOCOL_ERROR_TRACE_ACTION
- Protect against brute-force attacks on a single connection: SEC_MAX_FAILED_LOGIN_ATTEMPTS
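The following script is an added example, not from the course notes. It shows the weak values of these parameters next to a hardened set and the query that confirms what the instance is actually running. The chosen values are illustrative; only SEC_CASE_SENSITIVE_LOGON=TRUE is an Oracle default.

```sql
-- Added example (not from the course notes). Values are illustrative choices.
CONNECT / AS SYSDBA

-- Weak settings that undo the 11g protections (shown for contrast only):
--   sec_case_sensitive_logon          = FALSE      -- 10g behaviour for every account
--   sec_protocol_error_further_action = CONTINUE   -- keep serving a client that sends bad packets
--   sec_protocol_error_trace_action   = NONE       -- no record of the bad packets at all

-- Hardened settings:
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE=BOTH;

-- On a malformed packet, write a short alert-log entry instead of a full trace
-- file per packet (a trace file per bad packet is itself a disk-filling DoS).
ALTER SYSTEM SET sec_protocol_error_trace_action = LOG SCOPE=BOTH;

-- After a malformed packet, delay the next server response to that client by
-- 3 seconds. '(DROP,3)' would terminate the connection after 3 bad packets.
ALTER SYSTEM SET sec_protocol_error_further_action = '(DELAY,3)' SCOPE=BOTH;

-- Drop a connection after 3 failed authentication attempts. This is per
-- connection and static (takes effect at the next startup); account lockout
-- is still governed by the profile's FAILED_LOGIN_ATTEMPTS.
ALTER SYSTEM SET sec_max_failed_login_attempts = 3 SCOPE=SPFILE;

-- Verify: ISDEFAULT tells you which ones you actually changed.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name LIKE 'sec\_%' ESCAPE '\'
ORDER  BY name;
```

The two protocol-error parameters work as a pair: TRACE_ACTION decides what gets recorded, FURTHER_ACTION decides what happens to the offending connection afterwards, and tuning one without the other either blinds you or leaves the attacker connected.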
C - 12 Setting Database Administrator Authentication
- Use a password file with case-sensitive passwords (created with orapwd ... ignorecase=n).
- Enable strong authentication for administrative connections (SYSDBA, SYSOPER):
  – Grant the administrative enterprise role in Oracle Internet Directory (OID).
  – Use Kerberos tickets.
  – Use certificates with SSL.
C - 13 Set Up Directory Authentication for Administrative Users
1. Create the user in the directory.
2. Grant the SYSDBA or SYSOPER enterprise role to the user.
3. Set the LDAP_DIRECTORY_SYSAUTH parameter to YES in the database.
4. Check that the LDAP_DIRECTORY_ACCESS parameter is set to PASSWORD or SSL.
5. Test the connection:

$ sqlplus fred/t%3eEGQ@orcl AS SYSDBA
C - 14 Set Up Kerberos Authentication for Administrative Users
1. Create the user in the Kerberos domain.
2. Configure OID for Kerberos authentication.
3. Grant the SYSDBA or SYSOPER enterprise role to the user in OID.
4. Set the LDAP_DIRECTORY_SYSAUTH parameter in the database.
5. Set the LDAP_DIRECTORY_ACCESS parameter.
6. Test the connection (no password; the Kerberos ticket is used):

$ sqlplus /@orcl AS SYSDBA
C - 15 Set Up SSL Authentication for Administrative Users
1. Configure the client to use SSL.
2. Configure the server to use SSL.
3. Configure OID for SSL user authentication.
4. Grant SYSOPER or SYSDBA to the user.
5. Set the LDAP_DIRECTORY_SYSAUTH parameter in the database.
6. Test the connection (no password; the client certificate is used):

$ sqlplus /@orcl AS SYSDBA
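The three procedures above share the same database-side settings. The following is an added example, not from the course notes, showing just that database-side part; the directory, Kerberos and SSL configuration happens outside SQL and is not shown. The instance name and the choice of SSL for directory access are assumptions.

```sql
-- Added example (not from the course notes): database-side settings shared
-- by directory, Kerberos and SSL authentication of administrative users.
CONNECT / AS SYSDBA

-- Allow SYSDBA/SYSOPER to be conferred by enterprise roles held in the
-- directory. LDAP_DIRECTORY_SYSAUTH is static: set it in the spfile and restart.
ALTER SYSTEM SET ldap_directory_sysauth = YES SCOPE=SPFILE;

-- How the database itself authenticates to the directory when it looks up
-- enterprise users: PASSWORD (the database's directory password sits in its
-- wallet) or SSL (mutual SSL with certificates). NONE disables the lookup and
-- therefore disables step 3 above.
ALTER SYSTEM SET ldap_directory_access = SSL SCOPE=BOTH;

SHUTDOWN IMMEDIATE
STARTUP

-- Confirm both values after the restart.
SHOW PARAMETER ldap_directory

-- Directory-based SYSDBA is an alternative to the password file, not a
-- replacement: review who still has a password-file entry, since those
-- logons bypass the directory entirely.
SELECT * FROM v$pwfile_users;
```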
C - 17 Transparent Data Encryption
New features in TDE include:
- Tablespace encryption
- Support for LogMiner
- Support for logical standby databases
- Support for Streams
- Support for asynchronous Change Data Capture
- Hardware-based master key protection (hardware security modules)
C - 18 Using Tablespace Encryption
To create an encrypted tablespace:
1. Create (or open) the encryption wallet. The statement below creates the wallet and a new master key if none exists; to open an existing wallet after a restart use ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "..." instead:

SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "welcome1";

2. Create the tablespace with the encryption keywords:

SQL> CREATE TABLESPACE encrypt_ts
       DATAFILE '$ORACLE_HOME/dbs/encrypt.dat' SIZE 100M
       ENCRYPTION USING '3DES168'
       DEFAULT STORAGE (ENCRYPT);

Note that $ORACLE_HOME is not expanded inside a SQL string literal; give the full datafile path. An existing tablespace cannot be converted in place: create an encrypted tablespace and move the segments into it.
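The following script is an added example, not from the course notes. It runs the tablespace-encryption procedure end to end with the checks a DBA wants afterwards, and ends with the failure mode that tablespace encryption introduces: with the wallet closed, the data is simply unreadable. The wallet password, the datafile path and the HR schema are placeholders.

```sql
-- Added example (not from the course notes). Assumes sqlnet.ora already
-- points at a wallet directory, for example:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/app/oracle/admin/ORCL/wallet)))
-- Password, datafile path and the HR schema are placeholders.
CONNECT / AS SYSDBA

-- First time only: create the wallet and the master key. After every restart
-- the wallet starts closed and must be opened with the commented statement.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-Pass";
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-Pass";

SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- status OPEN

-- Encrypted tablespace. AES128 is used when USING is omitted; a full literal
-- path is required because $ORACLE_HOME is not expanded inside a SQL string.
CREATE TABLESPACE enc_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/enc_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Every segment created in it is encrypted on disk with no per-column clause,
-- which also covers the indexes and temp/undo spills that column TDE misses.
CREATE TABLE hr.payroll (emp_id NUMBER, salary NUMBER) TABLESPACE enc_ts;

-- Verify which tablespaces are encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- Failure mode: close the wallet and read the table. Expect ORA-28365
-- (wallet is not open). Wallet availability is now part of availability
-- planning, and the wallet must be backed up separately from the datafiles,
-- never on the same media as the encrypted backups it protects.
-- (11.2 and later require IDENTIFIED BY on the CLOSE as well.)
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT COUNT(*) FROM hr.payroll;
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-Pass";
```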
C - 19 TDE and LogMiner
LogMiner supports TDE-encrypted columns. Restrictions:
  – The wallet holding the TDE master keys must be open.
  – Hardware security modules are not supported.
  – User-held keys are not supported.
C - 20 TDE and Logical Standby
Logical standby database with TDE:
- The wallet on the standby is a copy of the wallet on the primary.
- The master key may be changed only on the primary.
- Wallet open and close commands are not replicated.
- The table key may be changed on the standby.
- The table encryption algorithm may be changed on the standby.
C - 21 TDE and Streams
Oracle Streams now provides the ability to transparently:
- Decrypt values protected by TDE for filtering and processing
- Re-encrypt values so that they are never in clear text while on disk
(Diagram: Capture, Staging, Apply)
C - 22 Hardware Security Module
(Diagram: Client, Database server, Hardware Security Module; encrypted data on disk)
The TDE master key is generated and stored inside the hardware security module and never leaves it. The encrypt and decrypt operations that use the master key (wrapping and unwrapping the table and tablespace keys) are performed on the HSM; the database server then encrypts and decrypts the data itself with those keys.
C - 23 Using a Hardware Security Module with TDE
1. Configure sqlnet.ora (the DIRECTORY is still needed for an existing software wallet during migration):

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM)
  (METHOD_DATA=(DIRECTORY=/app/oracle/admin/SID1/wallet)))

2. Copy the vendor's PKCS#11 library to the correct path.
3. Set up the HSM.
4. Generate a master encryption key for HSM-based encryption, authenticating to the HSM with its user ID and password:

ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY user_Id:password

5. Ensure that the HSM is accessible.
6. Encrypt and decrypt data.
C - 24 Encryption for LOB Columns
- LOB encryption is allowed only for SECUREFILE LOBs.
- All LOBs in the LOB column are encrypted.
- LOBs can be encrypted on a per-column or per-partition basis.
  – This allows SECUREFILE and BASICFILE LOBs to coexist in one table.

CREATE TABLE test1 (doc CLOB ENCRYPT USING 'AES128')
  LOB(doc) STORE AS SECUREFILE (CACHE NOLOGGING);
C - 25 Using Kerberos Enhancements
- Stronger encryption algorithms are used (no action required).
- Interoperability between a Microsoft KDC and an MIT KDC (no action required).
- Longer principal names are supported.
- Create a Kerberos-authenticated user, or convert an existing database user to one:

CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
ALTER USER DBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
C - 26 Enterprise Manager Security Management
Manage security through Enterprise Manager:
- Enterprise Manager replaces Policy Manager for:
  – Virtual Private Database
  – Application Context
  – Oracle Label Security
- Enterprise User Security pages added
- TDE pages added
C - 27 Managing TDE with Enterprise Manager (screenshot slide)
C - 28 Managing Tablespace Encryption with Enterprise Manager (screenshot slide)
C - 29 Managing Virtual Private Database (screenshot slide)
C - 30 Managing Label Security with Enterprise Manager (screenshot slide)
C - 31 Managing Label Security with Oracle Internet Directory (screenshot slide)
C - 32 Managing Enterprise Users with Enterprise Manager (screenshot slide)
C - 33 Enterprise Manager Policy Trend (screenshot slide)
C - 34 Managing Enterprise Users with Enterprise Manager (screenshot slide)
C - 35 Oracle Audit Vault Enhancements
Audit Vault enhancements to Streams:
- Hardened Streams configuration
- DML/DDL capture on the SYS and SYSTEM schemas
- Capture of changes to SYS.AUD$ and SYS.FGA_LOG$
C - 36 Using RMAN Security Enhancements
Backup shredding: deleting the encryption key of an encrypted backup renders every copy of that backup unusable, so the backup can be retired even when the media cannot be physically destroyed.

Configure backup shredding:

RMAN> CONFIGURE ENCRYPTION EXTERNAL KEY STORAGE ON;

Use backup shredding:

RMAN> DELETE FORCE;
C - 37 Managing Fine-Grained Access to External Network Services
1. Create an ACL and its privileges:

BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
    acl         => 'us-oracle-com-permissions.xml',
    description => 'Permissions for oracle network',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect');
END;
/

C - 38 Managing Fine-Grained Access to External Network Services
2. Assign the ACL to one or more network hosts (a NULL upper_port means port 80 only), then commit; ACL changes are transactional and are not enforced until committed:

BEGIN
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
    acl        => 'us-oracle-com-permissions.xml',
    host       => '*.us.oracle.com',
    lower_port => 80,
    upper_port => NULL);
  COMMIT;
END;
/
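The following script is an added example, not from the course notes. It carries the two-step procedure above through to a complete, committed ACL and adds the checks that tell you whether it took effect: the dictionary views, the CHECK_PRIVILEGE call, and an end-to-end request to a host no ACL covers, which must fail with ORA-24247. The host names, the HR and SCOTT principals and the passwords are placeholders.

```sql
-- Added example (not from the course notes). Host, principals and passwords
-- are placeholders; run as SYSDBA.
CONNECT / AS SYSDBA

BEGIN
  -- 1. The ACL with its first privilege. 'connect' covers UTL_TCP, UTL_HTTP,
  --    UTL_SMTP and UTL_MAIL. (The separate 'resolve' privilege, needed for
  --    UTL_INADDR hostname lookups, is assigned without a port range and is
  --    not shown here.)
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'us-oracle-com-permissions.xml',
    description => 'Permissions for the oracle network',
    principal   => 'SCOTT',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- A second principal on the same ACL. Entries are evaluated in order and
  -- the first entry matching the user decides, so never put a deny for
  -- PUBLIC ahead of the grants you intend to honour.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'us-oracle-com-permissions.xml',
    principal => 'HR',
    is_grant  => TRUE,
    privilege => 'connect');

  -- 2. Bind the ACL to hosts and ports. Keep the port range as narrow as the
  --    application needs: here 80-443 rather than all ports.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'us-oracle-com-permissions.xml',
    host       => '*.us.oracle.com',
    lower_port => 80,
    upper_port => 443);

  COMMIT;   -- nothing above is enforced until committed
END;
/

-- 3. Verify: which hosts/ports map to which ACL, and who is granted what.
SELECT host, lower_port, upper_port, acl FROM dba_network_acls;

SELECT acl, principal, privilege, is_grant
FROM   dba_network_acl_privileges
ORDER  BY acl, principal;

-- 1 = granted, 0 = denied, NULL = not determined by this ACL.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(
         'us-oracle-com-permissions.xml', 'SCOTT', 'connect') AS scott_connect
FROM   dual;

-- 4. End-to-end negative test as the application user: a host that no ACL
--    covers must fail with ORA-24247 (network access denied by access control
--    list) even though SCOTT has EXECUTE on UTL_HTTP. Placeholder URL.
CONNECT scott/tiger@orcl
SELECT UTL_HTTP.REQUEST('http://www.example.com/') FROM dual;
```

The negative test is the one to keep: before 11g, EXECUTE on UTL_HTTP or UTL_TCP (which PUBLIC held by default) was enough to reach any host from inside the database, and the ACL is only doing its job if that request now fails.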
C - 39 Summary
In this lesson, you should have learned how to:
- Configure the password file to use case-sensitive passwords
- Encrypt a tablespace
- Configure fine-grained access to network services
C - 40 Practice 14: Overview
This practice covers the following topics:
- Changing the use of case-sensitive passwords
- Implementing a password complexity function
- Encrypting a tablespace