Overview of Oracle Break Glass

Break Glass for Oracle Applications provides you with additional security by restricting administrative access to systems and services. When you use Break Glass, Oracle Support representatives can access your cloud environment to troubleshoot issues only after the relevant approvals and authorization have been granted.

In addition to such controlled access, data at rest is secured using Oracle’s Transparent Data Encryption (TDE) and Database Vault. You can control the TDE master encryption key and manage its lifecycle.

Note that Break Glass service is enabled only for Oracle Applications such as Oracle HCM Cloud Service, Oracle CRM Cloud Service, and Oracle ERP Cloud Service.

Key features:

  • Your data in the Oracle Cloud environment is encrypted at rest using TDE, and it is protected and audited using Database Vault.

  • Break Glass access is time bound; it secures your data by providing only temporary access to Oracle support personnel.

  • Break Glass provides access windows that you can configure; access credentials are programmatically reset after each access.

  • Break Glass access is audited and logged, and detailed reports are available.

  • You can upload, remove, or restore your TDE master encryption key from Infrastructure Classic Console or Applications Console.

A unique pair of transportation keys, one public and one private, is generated by Oracle for every transfer of the TDE master key from you to us. The public key of the transportation key pair is available in Infrastructure Classic Console or Applications Console. You can use this public key to encrypt a new TDE master encryption key and upload it using the Manage TDE Key tile in Infrastructure Classic Console or Applications Console.

To generate the random TDE Master Keys, you can use OpenSSL, which has been certified for generating random TDE Master Keys and for encrypting them using the transportation key. You install OpenSSL on your premises to perform any of the actions on the Manage TDE Key page, which is available from the Infrastructure Classic Console or Applications Console in your Cloud Account.
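The generate-and-wrap step described above, sketched with the OpenSSL command line as an added example (not Oracle's published procedure). The 32-byte key length, the RSA-OAEP/SHA-256 padding, the file names and the locally generated stand-in key pair are all assumptions made so the script runs offline; follow the values the console specifies for a real upload.

```shell
#!/bin/sh
# Added example. Assumed: 32-byte key, RSA-OAEP with SHA-256, file names.

# wrap_tde_key PUBKEY_PEM OUT_DIR
# Generates a random master key and encrypts it with the transportation
# public key. Runs in a subshell so the umask change stays local.
wrap_tde_key() (
    pub=$1
    out=$2
    umask 077    # clear-text key material readable by the owner only
    mkdir -p "$out" || exit 1
    openssl rand -out "$out/tde_master.key" 32 || exit 1
    # Refuse to continue if the random source returned a short key.
    [ $(wc -c < "$out/tde_master.key") -eq 32 ] || exit 1
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$out/tde_master.key" -out "$out/tde_master.key.enc" || exit 1
)

# demo_roundtrip
# Constructed test data: a local RSA-2048 pair stands in for the
# transportation key pair (in production only Oracle holds the private half).
# Returns 0 when the wrapped key decrypts back to the generated key.
demo_roundtrip() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/priv.pem" 2>/dev/null || exit 1
    openssl pkey -in "$tmp/priv.pem" -pubout -out "$tmp/pub.pem" || exit 1
    wrap_tde_key "$tmp/pub.pem" "$tmp/out" || exit 1
    openssl pkeyutl -decrypt -inkey "$tmp/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$tmp/out/tde_master.key.enc" -out "$tmp/check.key" || exit 1
    cmp -s "$tmp/out/tde_master.key" "$tmp/check.key"
)

demo_roundtrip && echo "round-trip OK"
```

Only the `.enc` file is meant for upload; the clear-text `tde_master.key` stays on your premises and should be stored or destroyed according to your own key-management policy.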