This section describes new features of Oracle Advanced Security 10g Release 2 (10.2) and provides pointers to additional information. New features information from the previous release is also retained to help those users migrating to the current release.
The following sections describe the new features in Oracle Advanced Security:
This release includes the following new feature:
Transparent Data Encryption and Built-in Key Management
Transparent Data Encryption enables you to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications.
Oracle Advanced Security uses industry standard encryption algorithms including AES and 3DES to encrypt columns that have been marked for encryption. Key Management is handled by the database. SQL interfaces to Key Management hide the complexity of encryption.
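The following statements show what the "SQL interface to Key Management" described above looks like in practice. This is an added example, not code from the Oracle documentation page: it assumes the server's sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at a wallet directory, that the session holds the ALTER SYSTEM privilege, and the wallet password, table and column names are placeholders.

```sql
-- Added example (not from the Oracle page). Wallet password is a placeholder.
-- 1. First use: create the master key. This also creates and opens the wallet
--    in the ENCRYPTION_WALLET_LOCATION directory named in sqlnet.ora.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- After every instance restart the wallet is closed again and must be opened
-- before any encrypted column can be read or written.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- 2. Confirm the wallet status before touching encrypted data.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. New table: mark sensitive columns ENCRYPT. Algorithms available in this
--    release are AES128, AES192 (default when USING is omitted), AES256, 3DES168.
--    Salt is added by default; a column that will be indexed needs NO SALT.
CREATE TABLE customer (
  cust_id     NUMBER PRIMARY KEY,
  name        VARCHAR2(100),
  card_number VARCHAR2(19) ENCRYPT USING 'AES256',
  ssn         VARCHAR2(11) ENCRYPT USING 'AES192' NO SALT
);
CREATE INDEX customer_ssn_ix ON customer (ssn);

-- 4. Existing table: encrypt a column in place, no application change needed.
ALTER TABLE customer MODIFY (name ENCRYPT);

-- 5. Verify which columns are encrypted, with which algorithm, and whether salted.
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = USER;

-- 6. DML and queries are unchanged; encryption/decryption happens transparently.
INSERT INTO customer (cust_id, name, card_number, ssn)
  VALUES (1, 'Alice Example', '4111111111111111', '123-45-6789');   -- constructed sample row
SELECT name, card_number FROM customer WHERE ssn = '123-45-6789';

-- 7. Re-key the master key (column keys are re-encrypted; data is not rewritten).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 8. Close the wallet when the keys should no longer be available to the instance.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

Two operational points follow from this: the wallet holds the master key that protects every column key, so it must be backed up separately from the database files and must not live in the same backup set as the encrypted datafiles, and a NO SALT column is indexable precisely because equal plaintexts produce equal ciphertexts, so reserve NO SALT for columns where that equality leak is acceptable.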
Note: In this release, the features of Multiplexing and Connection Pooling do not work with SSL transport. Refer to Oracle Database JDBC Developer's Guide and Reference for details of encryption support available in JDBC.
This release provides the following new features for strong authentication:
Support for TLS (Transport Layer Security), version 1.0
TLS is an industry-standard protocol which provides effective security for transactions conducted on the Web. It has been developed by the Internet Engineering Task Force (IETF) to be the successor to SSL version 3.0. TLS is a configurable option provided in Oracle Net Manager.
See Also: Chapter 8, "Configuring Secure Sockets Layer Authentication" for configuration details
Support for Hardware Security Modules, including Oracle Wallet Manager Integration
In this release, Oracle Advanced Security supports hardware security modules which use APIs that conform to the RSA Security, Inc., Public-Key Cryptography Standards (PKCS) #11. In addition, it is now possible to create Oracle Wallets that can store credentials on a hardware security module for servers, or private keys on tokens for clients. This provides roaming authentication to the database.
Hardware security modules can be used for the following functions:
Store cryptographic information, such as private keys, which provides stronger security.
Perform cryptographic operations, offloading RSA operations from the server and freeing the CPU to respond to other transactions.
Certificate Revocation Lists (CRL) and CRL Distribution Point (CRLDP) Support for Certificate Validation
In the current release, you have the option to configure certificate revocation status checking for both the client and the server. Certificate revocation status is checked against CRLs that are located in file system directories or Oracle Internet Directory, or that are downloaded from the location specified in the CRL Distribution Point (CRLDP) extension of the certificate. The orapki utility has also been added for CRL management and for managing Oracle wallets and certificates.
See Also: Appendix F, "orapki Utility" for details about the orapki command line utility
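The TLS option and the CRL checking option described above are both selected in sqlnet.ora. The fragment below is an added example for a server-side sqlnet.ora, not taken from the Oracle documentation page; the wallet directory, CRL directory and cipher-suite choice are assumptions, and the revocation-mode comments reflect the three values the SSL_CERT_REVOCATION parameter accepts.

```text
# Added example (not from the Oracle page): server-side sqlnet.ora fragment.
# Directory paths below are placeholders.

# Wallet holding the server certificate, private key and trusted CA certificates.
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /placeholder/path/to/server_wallet)))

# Protocol version: 3.1 selects TLS 1.0, 3.0 selects SSL 3.0, 0 lets either be negotiated.
SSL_VERSION = 3.1

# Require the client to present a certificate (set to FALSE for server-only authentication).
SSL_CLIENT_AUTHENTICATION = TRUE

# Restrict the cipher suites the server will accept; pick from the table in Chapter 8
# and prefer the strongest suite both ends support.
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA)

# Certificate revocation checking:
#   NONE      - no CRL checking (the default)
#   REQUESTED - check against a CRL when one is available, but accept the
#               certificate when no CRL for its issuer can be found
#   REQUIRED  - reject the certificate whenever no usable CRL for its issuer is found
# REQUIRED is the setting that actually enforces revocation; REQUESTED degrades
# silently when the CRL directory is incomplete or a CRLDP download fails.
SSL_CERT_REVOCATION = REQUIRED

# Directory of CRL files named by issuer hash (populated with "orapki crl hash").
SSL_CRL_PATH = /placeholder/path/to/crl_dir
```

The CRL directory must contain each CRL under its issuer-hash file name for the lookup to succeed; the orapki utility does this renaming for you, for example `orapki crl hash -crl /placeholder/issuer.crl -symlink /placeholder/path/to/crl_dir` (paths are placeholders). A client sqlnet.ora uses the same WALLET_LOCATION, SSL_VERSION and SSL_CERT_REVOCATION parameters, and should additionally set SSL_SERVER_DN_MATCH = ON so that the server certificate's distinguished name is checked against the service name the client connected to.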