Oracle® Database Lite Oracle Lite Client Guide
Release 10.3

Part Number E12548-02

14 Configure Security for the Oracle Lite Database

The following sections detail how to encrypt the Oracle Lite database:

14.1 Providing Security for the Mobile Client

The introduction of handheld devices within the corporate environment can pose a security threat to an organization. Devices are now used to store more than company contacts; with external cards, they may store up to 60 gigabytes of information or more. Devices also provide a mobile point of entry into the organizational network that is located outside the network security perimeter. It is essential to secure this data in case a device is lost or compromised.

Securing a device involves a layered approach. You must secure not only access to the device, but data stored on the device and communications across the network. Most aspects of security for a mobile device must be incorporated before Oracle Database Lite is even involved within the security infrastructure.

  1. Security needs to start with the device itself. Authentication on the device must be implemented through PIN or password authentication, biometric readers, and secure digital media for storage, and must extend to how the device is stored, transported, and accounted for.

  2. Once access is gained to the device, further security needs to be implemented within the mobile application to prevent the application from being able to retrieve invalid data. Technologies, such as the Microsoft .NET Compact Framework, incorporate API calls that may be used to encrypt and decrypt any data that will be stored or retrieved from the device.

Oracle Database Lite provides several security features that may be utilized to help in securing data. These features aid in protecting information both during synchronization and once access to a device has been obtained. The two most important aspects of security provided by Oracle Database Lite for the mobile infrastructure are the following:

  1. Use Secure Socket Layer (SSL) to protect the transmission of data during the synchronization process. For full details, see Section 11.4, "Configuring for Secure Socket Layer (SSL) Communication" in the Oracle Database Lite Administration and Deployment Guide.

  2. Use one of the Oracle Database Lite encryption options to protect the actual database files. See Section 14.2, "Encrypting the Oracle Lite Database" for full details.

14.2 Encrypting the Oracle Lite Database

When you encrypt the Oracle Lite database using any of the encryption techniques in this section, the Oracle Lite database is encrypted using 128-bit Advanced Encryption Standard (AES) encryption. Encryption is applied to the database as a whole; the data stored within the Oracle Lite database is not itself separately encrypted.

In the default server configuration, Mobile clients do not automatically encrypt the snapshot ODB files. The following sections demonstrate how to encrypt the Oracle Lite database:

14.2.1 Configuring for Automatic Encryption of the Oracle Lite Database

The synchronization engine can automatically encrypt the Oracle Lite database used with the Mobile client. To configure for automatic encryption of the snapshot ODB files after initial synchronization, set the ENCRYPTDB parameter in the SYNC section in the POLITE.INI/POLITE.TXT file.

For details on what value to use for the ENCRYPTDB parameter in the POLITE.INI/POLITE.TXT file, see Section E.2.12, "ENCRYPTDB" in the Oracle Database Lite Administration and Deployment Guide.

14.2.2 Create a Command to Initiate Automatic Encryption of the Oracle Lite Database

On the server, you can configure for automatic encryption of the snapshot ODB files after initial synchronization by performing the following:

  1. Log on to the Mobile Server as an Administrator and launch the Mobile Manager tool.

  2. Click on Mobile Devices, followed by Administration.

  3. Click on Command Management.

  4. Click Create Command.

  5. Create the following new Command:

    Name: EncryptDB
    Command: updt_conf.otl
    Description: Encrypt Database
    
  6. Edit the newly created command EncryptDB, as follows:

    Command: updt_conf?app=sync&key=ENCRYPTDB&val=1
    
  7. Apply the changes.

  8. Edit the DeviceInfo Command. Insert the new Command EncryptDB and click OK.

For more information on sending commands to the Mobile device, see Section 7.6, "Sending Commands to Your Mobile Device" in the Oracle Database Lite Administration and Deployment Guide.

14.2.3 Execute EncrypDB Command to Encrypt Database

As described in Section C.4, "ENCRYPDB", you can execute the encrypdb command on the client to encrypt the Oracle Lite database. If you are using the database as an embedded database and not for synchronization, then you can provide the Mobile user password for the encryption. However, if you are using this database with the Mobile Server for synchronization, do not provide a password, as modifying this password will create an issue for synchronization.

14.3 Providing Your Own Encryption Module for the Client Oracle Lite Database

The database on the client—also known as the Oracle Lite database—uses Advanced Encryption Standard (AES) for encrypting the database. However, you can provide your own encryption module for the client database.

The following sections describe how to implement and plug in your own encryption module.

14.3.1 Encryption Module APIs

Oracle Database Lite invokes your encryption APIs when performing encryption duties, instead of the internal AES encryption module. Thus, you must develop and include the following APIs in your customized encryption module:

Note:

All of the functions in this section are in Windows format. Adjust appropriately if developing on a UNIX environment.

14.3.1.1 Initialize the Encryption Module

Implement the encCreateCtxt function to initialize the external encryption module. Oracle Database Lite invokes this function when initializing encryption. This function returns an encryption context handle to Oracle Database Lite, which it passes back on all subsequent API calls. The context handle is declared as a void*, so that you can make it any type of structure you desire.

extern "C" __declspec(dllexport) void* encCreateCtxt()

14.3.1.2 Delete Encryption Context

When Oracle Database Lite is finished with the encryption module, it invokes the encDeleteCtxt function to delete the encryption context—which was created with the encCreateCtxt function.

extern "C" __declspec(dllexport) void encDeleteCtxt(void * ctx)

14.3.1.3 Create the Encryption Key

Oracle Database Lite invokes your encCreateKey function to create the encryption key within the encryption context, as follows:

extern "C" __declspec(dllexport) void encCreateKey (void* ctx, 
      const unsigned char* key, int len, int dir)

Where the input parameters are as follows:

  • ctx—The encryption context, which is created in the encCreateCtxt function.

  • key—Pointer to the key to be created.

  • len—Length of the encryption key.

  • dir—Encryption direction or type, where 1: encryption, 2: decryption, 3: both encryption and decryption.

14.3.1.4 Encrypt Data

Oracle Database Lite invokes your encEncryptData function to encrypt the data that is to be sent, as follows:

extern "C" __declspec(dllexport) int encEncryptData (void* ctx, 
    const unsigned char* data, int len, unsigned char* out)

Where the input parameters are as follows:

  • ctx—The encryption context, which is created in the encCreateCtxt function.

  • data—Pointer to the data to be encrypted.

  • len—Length of the data in bytes.

  • out—Output buffer.

This function returns the number of bytes copied to the output buffer.

14.3.1.5 Decrypt Data

Oracle Database Lite invokes your encDecryptData function to decrypt the data that it receives. This function copies the result to the output buffer.

extern "C" __declspec(dllexport) int encDecryptData (void* ctx, 
      const unsigned char* data, int len, unsigned char* out)

Where the input parameters are as follows:

  • ctx—The encryption context, which is created in the encCreateCtxt function.

  • data—Pointer to the data to be decrypted.

  • len—Length of the data in bytes.

  • out—Output buffer.

This function returns the number of bytes copied to the output buffer.
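
A skeleton of a module exporting the five functions described in this section, added here as an illustration and not Oracle's code. The EncCtx layout, the ENC_API macro, the 32-byte key limit and the return of 0 when the context cannot be used are assumptions; the XOR step is a placeholder that marks where a call into a vetted cipher library belongs and provides no protection.

```cpp
#include <cstring>
#if defined(_WIN32)
#define ENC_API extern "C" __declspec(dllexport)
#else
#define ENC_API extern "C"   // UNIX shared object build
#endif

enum { DIR_ENCRYPT = 1, DIR_DECRYPT = 2, MAX_KEY = 32 };  // MAX_KEY is an assumption

struct EncCtx {              // hypothetical layout; the handle is opaque to the caller
    unsigned char key[MAX_KEY];
    int keyLen;
    int dir;                 // bitmask: 1 encrypt, 2 decrypt, 3 both
};

// Placeholder transform, NOT a cipher: marks where a vetted library call belongs.
static int transform(const EncCtx* c, int need, const unsigned char* in, int len, unsigned char* out) {
    if (!c || !in || !out || len <= 0 || c->keyLen <= 0 || !(c->dir & need)) return 0;
    for (int i = 0; i < len; ++i) out[i] = in[i] ^ c->key[i % c->keyLen];
    return len;              // number of bytes copied to the output buffer
}

ENC_API void* encCreateCtxt() {
    return new EncCtx();     // value-initialised: no key, no direction enabled
}

ENC_API void encDeleteCtxt(void* ctx) {
    EncCtx* c = static_cast<EncCtx*>(ctx);
    if (!c) return;
    volatile unsigned char* p = c->key;       // wipe key material before freeing
    for (int i = 0; i < MAX_KEY; ++i) p[i] = 0;
    delete c;
}

ENC_API void encCreateKey(void* ctx, const unsigned char* key, int len, int dir) {
    EncCtx* c = static_cast<EncCtx*>(ctx);
    if (!c) return;
    c->keyLen = 0; c->dir = 0;                // fail closed on bad input
    if (!key || len <= 0 || len > MAX_KEY || dir < 1 || dir > 3) return;
    std::memcpy(c->key, key, len);
    c->keyLen = len; c->dir = dir;
}

ENC_API int encEncryptData(void* ctx, const unsigned char* data, int len, unsigned char* out) {
    return transform(static_cast<EncCtx*>(ctx), DIR_ENCRYPT, data, len, out);
}
ENC_API int encDecryptData(void* ctx, const unsigned char* data, int len, unsigned char* out) {
    return transform(static_cast<EncCtx*>(ctx), DIR_DECRYPT, data, len, out);
}
```

The key is copied into the context rather than referenced, so the module does not depend on the caller keeping its key buffer alive, and a direction that was not enabled in encCreateKey yields zero bytes instead of silently processing data.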

14.3.2 Plug-In Custom Encryption Module

Once implemented, you can plug in your custom encryption module by adding the [All Databases] section to the POLITE.INI configuration file. You must build your encryption module either as a DLL for the Windows environment or as a Shared Object (.SO) for the UNIX environment.

For example, if you created the encryption module as a DLL called my_enc.dll, which is located in the C:\my_dir directory, then you would add this module as the default encryption module in the POLITE.INI configuration file, as follows:

[All Databases]
EXTERNAL_ENCRYPTION_DLL=C:\my_dir\my_enc.dll

14.4 Pre-Configure Branch Office Passwords

When you install the Branch Office Manager on the Windows machine, it creates the OracleDatabaseLite user account with the minimum set of privileges required to execute the Oracle Database Lite software. This prevents Oracle Database Lite Branch Office from executing under the SYSTEM account, which has broad privileges within the system and can make the system vulnerable.

Both the 'Oracle Lite Multiuser Service' that is created and the normal Web-to-Go service execute under the privileges of the OracleDatabaseLite user. The Oracle Lite Multiuser Server enables remote clients to connect to the Oracle Lite database.

Normally, when installed, the password for the OracleDatabaseLite user is randomly generated during the setup. You can either pre-configure this password before the Branch Office installation or modify it after the configuration. See Section 3.5.3, "Defining Password for OracleDatabaseLite User for Branch Office on Windows Machine" in the Oracle Database Lite Getting Started Guide.