Topics
Oracle Audit Vault And Database Firewall Hybrid Cloud Deployment And Pre-requisites
Configuring Oracle Database Exadata Express Cloud Service Secured Target Using TCPS
Configuring Oracle Database Exadata Express Cloud Service Secured Target Using TCP
Configuring Autonomous Data Warehouse and Autonomous Transaction Processing
Oracle recommends that you follow these steps to deploy a Hybrid Cloud Secured Target instance.
In Oracle Audit Vault and Database Firewall hybrid cloud deployment model, the Audit Vault Server is either deployed on-premises or in Oracle Cloud. It monitors Oracle Database Cloud Service, Oracle Exadata Cloud Service, and on-premises database instances. It uses Audit Vault Agents that are configured specifically for cloud targets to collect audit data from Cloud Database instances. These Agents connect to the target database and to the Audit Vault Server. Connections to the Audit Vault Server are made through SQL*Net on ports 1521 and 1522. There is a wide variety of network configurations, firewalls, and cloud providers, each with their own unique ways of configuring network connectivity. This chapter uses Oracle Public Cloud as an example.
For non-Oracle clouds, the concepts are similar, but the actual execution of configuring network connectivity between Agents and databases differs. When using the hybrid cloud deployment model for Oracle Databases running in non-Oracle clouds, support is limited to Agent interaction with the database. Due to the wide variety of network configuration paradigms used by different cloud providers, support for network connectivity issues must remain with the cloud provider. When using the hybrid cloud deployment model for Oracle Databases running on-premises, where the Audit Vault Server is running in Oracle Public Cloud, configuration of the on-premises network to enable connectivity between the Agents and the Audit Vault Server is the responsibility of the customer; support covers the Agent itself, not the underlying network components involved in allowing the connections.
TCP and TCPS are the two connection options in DBCS. Setting up connections for TCP and TCPS is similar; the difference is the port number used. The following are key characteristics of Database Cloud Service (DBCS) cloud target configuration settings:
TCP connections have encryption enforced by default.
TCPS connections are configured between Audit Vault Agents and cloud targets.
On the Audit Vault Server the TCPS option must be set for cloud targets.
Additional Audit Vault Agents can be used to collect audit data from on-premises databases, directories, and operating systems.
Note:
The user can have multiple Audit Vault Agents to collect data from DBCS instances.
Only one Audit Vault Agent can be installed on a host for a single Audit Vault Server. Multiple audit trail collections can be started using a single Audit Vault Agent.
This deployment offers great flexibility for customers to address consistent audit or security policies across on-premises and cloud environments.
Pre-requisites for deploying Oracle Audit Vault and Database Firewall Hybrid Cloud
There are many factors to consider before deploying Oracle Audit Vault and Database Firewall Hybrid Cloud. The following table outlines the availability of Oracle Audit Vault and Database Firewall features for on-premises databases compared with databases in Oracle Public Cloud (OPC), in the case of DBCS, Exadata Express Cloud Service, and Data Warehouse Cloud Service.
Feature | DBs On-premises | DBs in OPC | Exadata Express Cloud Service | Data Warehouse Cloud Service |
---|---|---|---|---|
Database table based audit collection (SYS.AUD$, SYS.FGA_LOG$, etc.) | Yes | Yes | No | No |
Unified Audit Table Trail | Yes | Yes | Yes | Yes |
Database file based audit collection | Yes | No | No | No |
REDO log support | Yes | No | No | No |
OS audit collection | Yes | No | No | No |
Retrieve Entitlements | Yes | Yes | Yes | Yes |
Policy retrieval/provisioning for Traditional audit trails | Yes | Yes | No | No |
View Interactive reports | Yes | Yes | Yes | Yes |
View Scheduled reports | Yes | Yes | Yes | Yes |
Stored Procedure Auditing | Yes | No | No | No |
Pre-requisites for auditing Oracle Audit Vault and Database Firewall Hybrid Cloud
There are multiple aspects to consider when auditing DBCS targets. Audit requirements and audit policies on DBCS cloud targets are critical, because the number and type of enabled audit policies directly affect the number of audit records sent to the Audit Vault Server. DBCS instances may have various audit settings, so users must review this information either on the Audit Vault Server or directly on the database instance.
Note:
Only audit data collection from table-based audit trails is supported. The version-specific information is listed below:
Release | Audit information supported |
---|---|
Oracle Database 11g Release 11.2 | |
Oracle Database 12c and later | |
Note:
The SYS.AUD$ and SYS.FGA_LOG$ tables have an additional column, RLS$INFO. The Unified Audit trail table has the RLS_INFO column. This column describes the row level security policies configured. It is mapped to the extension field in Oracle Audit Vault and Database Firewall. In order to populate this column, the user needs to set the AUDIT_TRAIL parameter of the secured target to DB, EXTENDED.
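As an added example (not part of the Oracle documentation), the following SQL checks the AUDIT_TRAIL setting on a secured target, changes it to DB, EXTENDED, and then verifies that the RLS$INFO / RLS_INFO column is actually being populated. It assumes you can run ALTER SYSTEM on the instance (for example as SYS) and that some audited statement has touched an object protected by a row level security (VPD) policy.

```sql
-- Added example, not from the Oracle documentation.
-- Assumes a user with ALTER SYSTEM and SELECT on the SYS audit tables.

-- 1. Current setting. AUDIT_TRAIL is a static parameter, so the value shown
--    is the one the instance was started with.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 2. Switch to DB, EXTENDED. Because the parameter is static, the change is
--    written to the SPFILE and only takes effect after an instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- (restart the instance here: SHUTDOWN IMMEDIATE; STARTUP;)

-- 3. After the restart, confirm that RLS$INFO is populated for audited
--    statements against objects with a row level security policy.
--    An empty result means either AUDIT_TRAIL is still not DB, EXTENDED
--    or no audited statement has touched a policy-protected object yet.
SELECT userid, obj$name, rls$info
FROM   sys.aud$
WHERE  rls$info IS NOT NULL
AND    ROWNUM <= 10;

-- Equivalent check for the unified audit trail, where the column is RLS_INFO.
SELECT dbusername, object_name, rls_info
FROM   unified_audit_trail
WHERE  rls_info IS NOT NULL
AND    ROWNUM <= 10;
```

Step 3 is the part worth keeping in a runbook: the parameter change alone does not prove anything reaches the extension field in Audit Vault, a non-empty result on the source table does.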
This procedure is used to open up a specific port. This is one of the pre-requisites before deploying Audit Vault and Database Firewall Hybrid Cloud.
To open a port, execute the following procedure:
This section contains detailed deployment steps for configuring cloud targets for DBCS instances in TCP mode. The Audit Vault server and Audit Vault agent are installed on-premises.
Topics
Step 1: Registering On-premises Host on the Audit Vault Server
Step 2: Installing Audit Vault Agent on Registered On-premises Hosts
Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances
Step 5: Creating a Secured Target on Audit Vault Server for the DBCS Instance
Step 6: Starting Audit Trail On Audit Vault Server For The DBCS Instance
This configuration step registers the on-premises host in the Audit Vault server.
If an on-premises host with an Audit Vault Agent installed is already registered in the Audit Vault Server for monitoring Oracle Database Cloud Service instances, skip this procedure. Otherwise, the steps are the same as for any on-premises target database.
This configuration step installs Oracle Audit Vault agents on registered on-premises hosts.
Note:
If an Audit Vault Agent is already installed on the on-premises host that is planned for monitoring DBCS instances, skip this step. If no agent is installed, note that Audit Vault Agents that monitor DBCS instances have specific requirements:
The agent has to run on-premises.
At least one agent must be dedicated to monitoring only DBCS instances. There may be multiple agents dedicated to monitoring only DBCS instances.
The agent should not run on the Audit Vault Server.
Note:
For TCP connections, the connection methodology differs from that of an on-premises deployment.
Prerequisite
Port 1521 has to be opened on the DBCS instance for the TCP connection so that tools such as SQL*Plus and SQL Developer can be used later. The TCP connection is encrypted by default using Oracle native network encryption. See Opening Ports on DBCS for detailed steps.
Procedure for installation:
This configuration step explains how to manage audit policies on target Oracle Database Cloud Service instances.
Check the audit policies that are enabled and change them as needed. For Oracle Database 11g Release 11.2 and Oracle Database 12c instances where unified auditing is not enabled, audit policies can be provisioned from the Audit Vault Server. If the unified audit trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.
Note:
Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault Agent supports a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail per day. The recommended Audit Vault Agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.
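The review the note above asks for can be done with a few dictionary queries on the DBCS instance. The following is an added example (not from the Oracle documentation) that shows whether unified auditing is on, which traditional and unified audit options are enabled, and the daily record volume per table trail so it can be compared against the 25 million records per trail per day figure. It assumes a DBA account with access to the SYS audit tables; the same review applies to the TCPS procedure later on this page.

```sql
-- Added example, not from the Oracle documentation.
-- Assumes a DBA user on the DBCS instance with SELECT on SYS.AUD$ and
-- SYS.FGA_LOG$. The unified views exist on 12c; the SYS.AUD$ queries
-- also apply to 11.2.

-- 1. Is unified auditing enabled (TRUE), or is the instance in mixed or
--    traditional mode? This decides whether policies can be provisioned
--    from the Audit Vault Server or must be changed on the instance.
SELECT value AS unified_auditing
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2. Traditional audit settings: statement-level and privilege-level options.
SELECT user_name, audit_option AS option_name, success, failure
FROM   dba_stmt_audit_opts
UNION ALL
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY 1, 2;

-- 3. Unified audit policies currently enabled (12c).
SELECT policy_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- 4. Records written per day per table trail. Each value is one trail's
--    daily volume, to be checked against the per-trail collection budget.
SELECT 'SYS.AUD$' AS trail, TRUNC(ntimestamp#) AS day, COUNT(*) AS records
FROM   sys.aud$
GROUP  BY TRUNC(ntimestamp#)
UNION ALL
SELECT 'SYS.FGA_LOG$', TRUNC(ntimestamp#), COUNT(*)
FROM   sys.fga_log$
GROUP  BY TRUNC(ntimestamp#)
UNION ALL
SELECT 'UNIFIED_AUDIT_TRAIL', TRUNC(event_timestamp), COUNT(*)
FROM   unified_audit_trail
GROUP  BY TRUNC(event_timestamp)
ORDER  BY 1, 2;
```

A trail that produces more records per day than the agent can collect, or more trails than one agent supports, is a sizing problem to fix before collection starts, either by trimming audit options or by adding a dedicated agent.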
Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit cleanup after the data has been collected by the on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target and meets compliance requirements. It allows configuring different retention policies for on-premises and DBCS instances.
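The point of the cleanup is to free space on the DBCS instance without deleting records the Audit Vault Server has not collected yet. The following added example (not from the Oracle documentation) shows a DBMS_AUDIT_MGMT sequence that purges only up to a recorded archive timestamp. It assumes SYS or a user with EXECUTE on DBMS_AUDIT_MGMT; the timestamp used is a placeholder to be replaced by the point up to which collection has been confirmed on the Audit Vault Server, and the job name is an arbitrary choice.

```sql
-- Added example, not from the Oracle documentation.
-- Assumes SYS or a user with EXECUTE on DBMS_AUDIT_MGMT.
-- '2024-01-31 00:00:00' is a placeholder cutoff; use the time up to which
-- the Audit Vault Server has confirmed collection for this target.

-- 1. One-time initialisation of the cleanup infrastructure for all trails.
BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    default_cleanup_interval => 24 /* hours */);
END;
/

-- 2. Record the point up to which records are safe to delete, per trail.
--    Records newer than this are kept, so uncollected data is never purged.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,   -- SYS.AUD$
    last_archive_time => TO_TIMESTAMP('2024-01-31 00:00:00',
                                      'YYYY-MM-DD HH24:MI:SS'));
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,   -- SYS.FGA_LOG$
    last_archive_time => TO_TIMESTAMP('2024-01-31 00:00:00',
                                      'YYYY-MM-DD HH24:MI:SS'));
  -- 12c and later only: the unified audit trail has its own constant.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => TO_TIMESTAMP('2024-01-31 00:00:00',
                                      'YYYY-MM-DD HH24:MI:SS'));
END;
/

-- 3. Confirm what was recorded before deleting anything.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

-- 4. One-off purge bounded by the archive timestamp. Passing FALSE here
--    would delete every record, including ones not yet collected.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    use_last_arch_timestamp => TRUE);
END;
/

-- 5. Or schedule the same bounded purge every 24 hours. Retention is then
--    enforced on the Audit Vault Server, not by how long the source keeps data.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'AVDF_COLLECTED_PURGE',  -- arbitrary name
    use_last_arch_timestamp    => TRUE);
END;
/
```

Keeping use_last_arch_timestamp set to TRUE is the safety property: the source database can only discard what the archive timestamp says has already been collected, so the Audit Vault Server remains the retention authority for the target.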
Storage requirements on the Audit Vault Server also must be reviewed to ensure enough storage is available, while adding more on-premises or DBCS instance targets to the Audit Vault Server.
To connect to the DBCS instance, the configuration is the same as for on-premises targets. The user must define these specific settings on the Target configuration page. Use the following procedure:
Use this procedure to start an audit trail on the Audit Vault Server for the DBCS instance.
Log in to the Audit Vault console with administrator privileges.
In the Secured Target, select Audit Trails and then Add Audit Trail.
Select Audit Trail Type as TABLE.
Note:
Other trail types are not supported for DBCS secured target instances.
Select the registered Collection Host and the Secured Target as described in the previous and following steps.
The supported table trails for Oracle DBCS secured target are:
UNIFIED_AUDIT_TRAIL
SYS.AUD$
SYS.FGA_LOG$
DVSYS.AUDIT_TRAIL$
Click Save to add the audit trail.
High level process to configure TCPS connections for DBCS instances:
Topics
Prerequisite
Port 1522 has to be opened on the DBCS instance for the TCPS connection. See Opening Ports on DBCS for detailed information. Standard tools such as SQL*Plus and SQL Developer can then be used.
This configuration step shows you how to create server wallets and certificates.
This configuration step explains how to create client wallets and certificates.
This section contains detailed deployment steps for configuring cloud targets for DBCS instances in TCPS mode. The Audit Vault server and Audit Vault agent are installed on-premises.
Topics
Step 1: Registering On-premises Host on Oracle Audit Vault Server
Step 2: Installing Oracle Audit Vault Agent on Registered On-premises Hosts and Configuring TCPS
Step 3: Creating User Accounts on Oracle Database Cloud Service Target Instances
Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances
Step 5: Creating A Secured Target On Audit Vault Server For The DBCS Instance
Step 6: Starting Audit Trail On Audit Vault Server For The DBCS Instance
Follow this configuration procedure to register on-premises hosts on Oracle Audit Vault Server.
This step registers the on-premises host on the Audit Vault server.
Note:
If an on-premises host with an Audit Vault Agent installed is already registered in the Audit Vault Server for monitoring DBCS instances, skip this procedure. Otherwise, the steps are the same as for any on-premises target database. See Registering Hosts in the Audit Vault Server for detailed steps.
This configuration procedure installs Oracle Audit Vault Agent on registered on-premises hosts and configures TCPS.
Note:
If an Audit Vault Agent is already installed on the on-premises host that is planned for monitoring DBCS instances, skip this step. If no agent is installed, note that Audit Vault Agents that monitor DBCS instances have specific requirements:
The agent has to run on-premises.
At least one agent must be dedicated to monitoring only DBCS instances. There may be multiple agents dedicated to monitoring only DBCS instances.
The agent should not run on the Audit Vault Server.
This step creates a user account on the Oracle Database Cloud Service instance.
Note:
The connection methodology and the scripts used differ from those of an on-premises deployment.
Prerequisite
Port 1522 has to be opened up on the DBCS instance for TCP connection so that later SQL*Plus and SQL*Developer can be used. TCP connection is encrypted by default. It utilizes the native encryption. See Opening Ports on DBCS for detailed steps.
Procedure:
Use this procedure to set up and review audit policies on target Oracle Database Cloud Service instances.
Check the audit policies that are enabled and change them as needed. For Oracle Database 11g Release 11.2 and Oracle Database 12c instances where unified auditing is not enabled, you can provision audit policies from the Audit Vault Server. If the unified audit trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.
Note:
Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault Agent supports a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail per day. The recommended Audit Vault Agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.
Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit cleanup once the data has been collected by the on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target and meets compliance requirements. It allows configuring different retention policies for on-premises and DBCS instances.
This section contains detailed deployment steps for configuring Oracle Database Exadata Express Cloud Service secured targets in TCPS mode.
Topics
Prerequisites
Ensure that a supported version of the JDK is installed. The supported JDK versions are:
JDK7u80 or higher
JDK8u71
JCE Unlimited Strength Jurisdiction Policy Files with both JDK7 and JDK8. JDK 8 .jar files can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
This section contains detailed deployment steps for configuring Exadata Express Cloud Targets in TCP mode. The Audit Vault Server and Audit Vault Agent are installed on-premises.
Topics
Step 1: Registering On Premises Host On The Audit Vault Server
Step 2: Installing Audit Vault Agent On Registered On Premises Host
Step 3: Creating User Accounts on Oracle Exadata Express Cloud Target Instances
Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Exadata Express Cloud Instances
Step 5: Creating A Secured Target On Audit Vault Server For The Exadata Express Cloud Instance
Step 6: Starting Audit Trail On Audit Vault Server For The Exadata Express Cloud Instance
This configuration step creates user accounts on Oracle Exadata Express Cloud targets.
This configuration step enables you to set up and review audit policies on target Oracle Exadata Express Cloud instances.
Note:
This is not supported for Oracle Exadata Express Cloud Service instance.
This section contains detailed deployment steps for configuring the following Oracle Database Cloud Service types as secured targets in TCPS mode:
Topics
Prerequisites
Ensure that a supported version of the JDK is installed. The supported JDK versions are:
JDK7u80 or higher
JDK8u71
JCE Unlimited Strength Jurisdiction Policy Files with both JDK7 and JDK8. JDK 8 .jar files can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
This configuration step creates a user account on Oracle Cloud instances.
Complete this procedure to create a user account on an Autonomous Data Warehouse or on an Autonomous Transaction Processing Cloud instance:
Create a Secured Target on Audit Vault Server for the Autonomous Data Warehouse or Autonomous Transaction Processing Cloud Instance. See Step 5: Creating A Secured Target On Audit Vault Server For The DBCS Instance.