13 Oracle Audit Vault And Database Firewall Hybrid Cloud Deployment

To use Oracle Audit Vault and Database Firewall Hybrid Cloud Deployment, you must perform some preliminary tasks.

13.1 Oracle Audit Vault and Database Firewall Hybrid Cloud Deployment and Prerequisites

You can configure Oracle Audit Vault and Database Firewall for hybrid cloud deployments.

Oracle AVDF hybrid cloud deployment models:

  1. Audit Vault Server deployed on-premises and the targets are deployed in cloud or on-premises
  2. Audit Vault Server deployed on cloud and the targets are deployed in cloud or on-premises

In Oracle Public Cloud deployment model, the Audit Vault Server is either deployed on-premises or in Oracle Cloud. It monitors Oracle Database Cloud Service, Oracle Exadata Cloud Service, and on-premises database instances. It uses Audit Vault Agents that can collect audit data from on-premises or cloud targets. These Agents connect to the target database and to the Audit Vault Server. Connections to the Audit Vault Server are made through JDBC on ports 1521 and 1522. This chapter uses Oracle Public Cloud as an example.

For non-Oracle clouds, the concepts are similar, but the actual execution of configuring network connectivity between Agents and databases differs. There is a wide variety of network configurations, firewalls, and cloud providers, each with their own unique ways of configuring network connectivity. When using the hybrid cloud deployment model for Oracle Databases running in non-Oracle clouds, support is limited to Agent interaction with the database. Due to the wide variety of network configuration paradigms used by different cloud providers, support for network connectivity issues must remain with the cloud provider.

When using the hybrid cloud deployment model for Oracle Databases running on-premises, the Audit Vault Server is running in Public Cloud. In such cases, the configuration of the on-premises network to enable connectivity between the Agents and Audit Vault Server is the responsibility of the customer. Oracle AVDF support is limited to the Audit Vault Agent, and not to the underlying network components involved in allowing the connections.

TCP and TCPS are the two connection options in Oracle Database Cloud Service. Setting up connections for TCP and TCPS is similar. The difference is the port numbers. The following are the key characteristics of Oracle Database Cloud Service cloud target configuration settings:

  • TCP connections have encryption enforced by default.

  • TCPS connections are configured between Audit Vault Agents and cloud targets.

    • On the Audit Vault Server the TCPS option must be set for cloud targets.

    • Additional Audit Vault Agents can be used to collect audit data from on-premises databases, directories, and operating systems.

      Note:

      • The user can have multiple Audit Vault Agents to collect data from DBCS instances.

      • Only one Audit Vault Agent can be installed on a host for a single Audit Vault Server. Multiple audit trail collections can be started using a single Audit Vault Agent.

    • This deployment offers great flexibility for customers to address consistent audit or security policies across on-premises and cloud environments.

Prerequisites for deploying Audit Vault and Database Firewall Hybrid Cloud

There are many factors to consider before deploying Oracle Audit Vault and Database Firewall Hybrid. The following table outlines the availability of Audit Vault and Database Firewall features for on-premises databases, databases in OPC (DBCS), Exadata Express Cloud Service, and Data Warehouse Cloud Service.

Feature                                                              | DBs On-premises | DBs in OPC | Exadata Express Cloud Service | Data Warehouse Cloud Service
Database Table based audit collection (SYS.AUD$, SYS.FGA_LOG$, etc.) | Yes             | Yes        | No                            | No
Unified Audit Table Trail                                            | Yes             | Yes        | Yes                           | Yes
Database File based audit collection                                 | Yes             | No         | No                            | No
REDO log support                                                     | Yes             | No         | No                            | No
OS audit collection                                                  | Yes             | No         | No                            | No
Retrieve Entitlements                                                | Yes             | Yes        | Yes                           | Yes
Policy retrieval/provisioning for Traditional audit trails           | Yes             | Yes        | No                            | No
View Interactive reports                                             | Yes             | Yes        | Yes                           | Yes
View Scheduled reports                                               | Yes             | Yes        | Yes                           | Yes
Stored Procedure Auditing                                            | Yes             | No         | No                            | No

Prerequisites for auditing Oracle Audit Vault and Database Firewall Hybrid Cloud

There are multiple aspects that have to be considered while auditing DBCS targets. Audit requirements and audit policies on DBCS cloud targets are critical as the number and type of enabled audit policies directly affects the number of audit records sent to the Audit Vault Server. DBCS instances may have various audit settings. Hence users must review this information either on the Audit Vault Server or directly on the database instance.

Note:

Only audit data collection from table based audit trails is supported. The version specific information is listed below:

Release Audit information supported

Oracle Database 11g Release 11.2

  • Fine Grained Audit

  • Database Vault Audit

  • Traditional Audit data stored in sys.AUD$

Oracle Database 12c and later

  • Unified Audit

  • Database Vault Audit

  • Fine Grained Audit

  • Traditional Audit data stored in sys.AUD$

Note:

The SYS.AUD$ and SYS.FGA_LOG$ tables have an additional column, RLS$INFO. The Unified Audit trail table has the RLS_INFO column. This column describes the row level security policies configured. It is mapped to the extension field in Oracle Audit Vault and Database Firewall. In order to populate this column, the user needs to set the AUDIT_TRAIL parameter of the target to DB,EXTENDED.

13.2 Opening Ports on Oracle Database Cloud Service

You can open ports on Oracle Database Cloud Service.

This procedure is used to open up a specific port. This is one of the prerequisites before deploying Audit Vault and Database Firewall Hybrid Cloud.

To open a port, execute the following procedure:

  1. Log in to the DBCS service.
  2. Click the navigation menu located next to the Oracle logo at the top.
  3. Select Oracle Cloud Infrastructure Compute for the Oracle Public Cloud service.
  4. In the next screen, click the Network tab at the top to set up a port or allowlist.
  5. Click the Security Application tab to display the list of available ports.
  6. Click Create Security Application and specify the port that must be enabled.
  7. Click Security Rules tab, and then click Create Security Rule button.
  8. In the Security Application field select the application previously chosen.
  9. Enter the remaining fields.
  10. Click Create.

13.3 Configuring Hybrid Cloud Target Using TCP

You can configure cloud targets for DBCS instances in TCP mode. The Audit Vault server and Audit Vault agent are installed on-premises.

13.3.1 Step 1: Registering On-premises Host on the Audit Vault Server

This configuration step registers the on-premises host in the Audit Vault server.

If the Audit Vault server already has a registered on-premises host with an agent installed for monitoring Oracle Database Cloud Service instances, skip this procedure. Otherwise, the steps are similar for all target databases that are on-premises.

13.3.2 Step 2: Installing Audit Vault Agent on Registered On-premises Hosts

This configuration step installs Oracle Audit Vault agents on registered on-premises hosts.

Note:

If there is already an Audit Vault agent installed on an on-premises host that is planned for monitoring DBCS instances then ignore this step. In case there are no agents installed, there are specific requirements for the Audit Vault agents that monitor DBCS instances. The requirements or features are as follows:

  1. The agent has to run on-premises.

  2. A minimum of one agent must be dedicated to monitor only DBCS instances. There may be multiple agents dedicated to monitor only DBCS instances.

  3. The agent should not run on the Audit Vault server.

  1. Install the Audit Vault agent on the on-premises host.

    See Also:

    Deploying the Audit Vault Agent on Host Computers for detailed steps on installing on-premises host.

  2. Start the Audit Vault agent.

13.3.3 Step 3: Creating User Accounts on Oracle Database Cloud Service Target Instances

This configuration step creates user accounts on Oracle Database Cloud Service target instances.

Note:

For TCP connections, the connection methodology differs from that of an on-premises deployment.

Prerequisite

  • Port 1521 has to be opened on the DBCS instance for TCP connection so that later SQL*Plus and SQL*Developer can be used. TCP connection is encrypted by default. It utilizes the native encryption. See Opening Ports on Oracle Database Cloud Service for detailed steps.

Procedure for installation:

  1. Ensure that the connection has been established to the DBCS instances through TCP as a user with SYSDBA administrative privilege.
  2. Scripts and respective actions:

    Script                                      Action
    oracle_AVDF_dbcs_user_setup.sql             To set up the target user account.
    oracle_AVDF_dbcs_drop_db_permissions.sql    To revoke permissions from the user.

  3. Execute the script to set up the target user account in a specific mode:

    oracle_AVDF_dbcs_user_setup.sql <username> <mode>

    Where <username> is the user name of the Hybrid cloud target user.

    The <mode> can be one of the following:

    Mode                          Purpose
    AUDIT_COLLECTION              To collect data from the Oracle Cloud instance TABLE audit trail in Oracle Audit Vault and Database Firewall.
    AUDIT_SETTING_PROVISIONING    To set up privileges for managing the Oracle Cloud instance audit policy from Oracle Audit Vault and Database Firewall.
    STORED_PROCEDURE_AUDITING     To enable stored procedure auditing for the Oracle Cloud instance.
    ENTITLEMENT_RETRIEVAL         To enable user entitlement retrieval for the Oracle Cloud instance.
    ALL                           To enable all the above mentioned options.

13.3.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances

This configuration step explains how to manage audit policies on target Oracle Database Cloud Service instances.

Check the audit policies that are enabled and change them as needed. For Oracle Database 11g release 11.2 and Oracle Database 12c instances where Unified audit is not enabled, it is possible to provision audit policies from the Audit Vault server. If the Unified Trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.

Note:

Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault agent supports up to a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail, per day. The recommended Audit Vault agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.

Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit clean up, after the data is collected by on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target and meets compliance requirements. It allows configuring different retention policies for on-premises and DBCS instances.

Storage requirements on the Audit Vault Server also must be reviewed to ensure enough storage is available, while adding more on-premises or DBCS instance targets to the Audit Vault Server.

13.3.5 Step 5: Creating Targets on Oracle Audit Vault Server for Oracle Database Cloud Service Instances

This configuration step creates targets on Oracle Audit Vault Servers for Oracle Database Cloud Service instances.

To connect to the DBCS instance, the configuration is the same as for on-premises targets. The user must define these specific settings on the target configuration page.
  1. Log in to the Audit Vault console as an administrator.
  2. Click the Targets tab.
  3. Click the Register button on the right.
  4. Enter a Name for the target and select from the Type menu.
  5. Optionally fill in the Description field.
  6. Under the Audit Connection Details sub tab, choose the Advanced option.
  7. In the Protocol menu, select TCP.
  8. In the Target Location field, enter the following settings:
    jdbc:oracle:thin:@//host_ip:port_number/service_name

    Alternatively, you can accomplish this using the Basic option. Enter the details in the Host Name/IP Address, Port, and Service Name fields.

  9. Enter the User Name and Password.
  10. Click Save to save the configuration changes.

13.3.6 Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Service Instances

This configuration step starts the audit trail on Oracle Audit Vault Server for Oracle Database Cloud Service instances.

Use this procedure to start an audit trail on the Audit Vault Server for the DBCS instance.

  1. Log in to the Audit Vault console as an administrator.

  2. In the Targets tab, select the newly registered target.

  3. Under Audit Data Collection section, click Add. The Add Audit Trail dialog is displayed.

  4. Select Audit Trail Type as TABLE.

    Note:

    Other trail types are not supported for DBCS target instances.

  5. Select the appropriate values in the Trail Location from the drop down menu.

    The supported table trails for Oracle DBCS target are:

    1. UNIFIED_AUDIT_TRAIL

    2. SYS.AUD$

    3. SYS.FGA_LOG$

    4. DVSYS.AUDIT_TRAIL$

  6. Select the Agent Host.

  7. Click Save to add the audit trail.

13.4 Configuring TCPS Connections for DBCS Instances

Learn how to configure TCPS connections for DBCS instances.

13.4.1 Step 1: Creating Server Wallet and Certificate

This configuration step shows you how to create server wallets and certificates.

  1. Ensure that port 1522 is open on the DBCS instance for TCPS connection. See Opening Ports on Oracle Database Cloud Service for detailed information. Later, standard tools such as SQL*Plus and SQL*Developer can be used.
  2. Create a new auto-login wallet by executing the orapki utility:

    mkdir -p <wallet path>

    orapki wallet create -wallet <wallet path> -auto_login

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    orapki wallet create -wallet /u01/app/example/demowallet -auto_login

  3. Create a self-signed certificate and load it into the wallet, by executing the command:

    orapki wallet add -wallet <wallet path> -dn CN=<hostname> -keysize 1024 -self_signed -validity 365

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    orapki wallet add -wallet /u01/app/example/demowallet -dn CN=CloudAB2.abcdXY.example.somedomain -keysize 1024 -self_signed -validity 365

  4. Check the contents of the wallet by executing the following command:

    orapki wallet display -wallet <wallet path>

    Result:

    Displays the self-signed certificate which is both a user and trusted certificate.

    Requested Certificates:
    User Certificates:
    Subject:          CN=<hostname>
    Trusted Certificates:
    Subject:          CN=<hostname>
    

    Example:

    orapki wallet display -wallet /u01/app/example/demowallet

    Result:

    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates:
    User Certificates:
    Subject:         CN=CloudAB2.abcdXY.example.somedomain
    Trusted Certificates:
    Subject:         CN=CloudAB2.abcdXY.example.somedomain
    
  5. Export the certificate to the client wallet for future use, by executing the command:

    orapki wallet export -wallet <wallet path> -dn CN=<hostname> -cert <certificate file name>.crt

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    orapki wallet export -wallet /u01/app/example/demowallet -dn CN=CloudAB2.abcdXY.example.somedomain -cert CloudAB2-certificate.crt

  6. Check that the certificate has been exported as expected, by executing the command:

    cat <certificate file name>.crt

    Example:

    cat CloudAB2-certificate.crt

    Result:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    

13.4.2 Step 2: Creating Client (Agent) Wallet and Certificate

This configuration step explains how to create client wallets and certificates.

  1. Run the following commands to create a new auto-login wallet:
    c:\>mkdir <client wallet dir>
    c:\>orapki wallet create -wallet "<wallet path>" -auto_login

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet create -wallet C:\Work\CloudWallet -auto_login

    Result:

    Oracle PKI Tool : Version 12.1.0.1
    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
    
  2. Run the following command to create a self-signed certificate and load it into the wallet:
    c:\>orapki wallet add -wallet <client wallet path> -dn CN=%client computer name% -keysize 1024 -self_signed -validity 365

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet add -wallet C:\Work\CloudWallet -dn CN=machine1.somedomain.com -keysize 1024 -self_signed -validity 365

    Result:

    Oracle PKI Tool : Version 12.1.0.1
    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
  3. Check the contents of the wallet by running the command:
    orapki wallet display -wallet <client wallet path>

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet display -wallet C:\Work\CloudWallet

    Result:

    Oracle PKI Tool : Version 12.1.0.1
    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates:
    User Certificates:
    Subject:       CN=machine1.foobar.example.com
    Trusted Certificates:
    Subject:       OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:       CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    Subject:       OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:       OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:       CN=machine1.foobar.example.com
    
  4. Run the following command to export the certificate so that it can be loaded onto the server:
    orapki wallet export -wallet <client wallet path> -dn CN=<client computer name> -cert <client computer name>-certificate.crt

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet export -wallet C:\Work\CloudWallet -dn CN=machine1.foobar.example.com -cert machine1-certificate.crt

    Result:

    Oracle PKI Tool : Version 12.1.0.1
    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
  5. Check the certificate by running the command:
    more c:\%computername%-certificate.crt

    Example:

    C:\Work\CloudWallet>more machine1-certificate.crt

    Result:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    

13.4.3 Step 3: Exchanging Client (Agent) and Server Certificates

This configuration step explains how to exchange client (agent) and server certificates.

  1. Exchange client (agent) and server certificates. Each side of the connection has to trust the other. Hence ensure to load the certificate from the server as a trusted certificate into the client wallet and vice versa. Load the server certificate into the client wallet by executing the command:
    orapki wallet add -wallet <client wallet path> -trusted_cert -cert <server certificate path>

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet add -wallet C:\Work\CloudWallet -trusted_cert -cert C:\Work\CloudWallet\CloudAB2-certificate.crt

    Result:

    Oracle PKI Tool : Version 12.1.0.1

    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

  2. Check the contents of the client wallet by executing the command:
    orapki wallet display -wallet <client wallet path>

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    C:\Work\CloudWallet>orapki wallet display -wallet C:\Work\CloudWallet

    Notice the self-signed certificate is a trusted user certificate.

    Result:

    Oracle PKI Tool : Version 12.1.0.1
    Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates:
    User Certificates:
    Subject:       CN=machine1.foobar.example.com
    Trusted Certificates:
    Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        CN=machine1.foobar.example.com
    Subject:        CN=GTE CyberTrust Global Root,OU=MNO CyberTrust Solutions\, Inc.,O=MNO Corporation,C=US
    Subject:        CN=CloudAB2.abcxy10.example.somedomain
    Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    
  3. Load the client certificate into server by executing the command:
    orapki wallet add -wallet <server wallet path> -trusted_cert -cert <client certificate file>

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    orapki wallet add -wallet /u01/app/example/demowallet -trusted_cert -cert machine1-certificate.crt

    Result:

    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
  4. Check the contents of the server wallet by executing the command:
    orapki wallet display -wallet <wallet path>

    Note:

    This command will prompt you to enter and re-enter a wallet password.

    Example:

    orapki wallet display -wallet /u01/app/example/demowallet

    Result:

    Oracle PKI Tool : Version 12.1.0.2
    Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
    
    Requested Certificates:
    User Certificates:
    Subject:        CN=CloudAB2.abcdXY.example.somedomain
    Trusted Certificates:
    Subject:        CN=CloudAB2.abcdXY.example.somedomain
    Subject:        CN=machine1.foobar.example.com
    
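The mutual-trust condition in this step (each wallet's trusted list must contain the other side's user certificate) can be checked mechanically from the text that orapki wallet display prints. The following Python parser is an added example, not code from the Oracle documentation; the wallet listings it reads are constructed from the subjects shown above.

```python
"""Verify the mutual-trust condition from `orapki wallet display` output.

Added example, not from the Oracle documentation: parses the text printed by
`orapki wallet display -wallet <path>` for both wallets and checks that each
side's user certificate appears in the other side's trusted certificates.
The sample outputs below are constructed from the subjects used in this chapter.
"""
import re

# Constructed sample: agent (client) wallet after the server certificate was loaded.
CLIENT_WALLET_DISPLAY = """\
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:       CN=machine1.foobar.example.com
Trusted Certificates:
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US
Subject:        CN=machine1.foobar.example.com
Subject:        CN=CloudAB2.abcdXY.example.somedomain
"""

# Constructed sample: server wallet right after Step 1, before any exchange.
SERVER_WALLET_BEFORE_EXCHANGE = """\
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject:         CN=CloudAB2.abcdXY.example.somedomain
Trusted Certificates:
Subject:         CN=CloudAB2.abcdXY.example.somedomain
"""

# Constructed sample: server wallet after the client certificate was loaded as trusted.
SERVER_WALLET_AFTER_EXCHANGE = SERVER_WALLET_BEFORE_EXCHANGE + \
    "Subject:         CN=machine1.foobar.example.com\n"

SECTIONS = {
    "Requested Certificates:": "requested",
    "User Certificates:": "user",
    "Trusted Certificates:": "trusted",
}


def parse_wallet_display(text):
    """Return the subject DNs listed under each section of the display output."""
    result = {"requested": [], "user": [], "trusted": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        match = re.match(r"Subject:\s*(.+)$", line)
        if match and current:
            result[current].append(match.group(1).strip())
    return result


def normalize_dn(dn):
    """Canonical form for comparison: trim each RDN, ignore case, keep escaped commas."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip() for rdn in rdns).lower()


def mutual_trust_report(client_display, server_display):
    """Check that the client trusts the server's certificate and vice versa."""
    client = parse_wallet_display(client_display)
    server = parse_wallet_display(server_display)
    client_trusted = {normalize_dn(dn) for dn in client["trusted"]}
    server_trusted = {normalize_dn(dn) for dn in server["trusted"]}
    problems = []
    if not client["user"]:
        problems.append("client wallet has no user certificate")
    if not server["user"]:
        problems.append("server wallet has no user certificate")
    for dn in server["user"]:
        if normalize_dn(dn) not in client_trusted:
            problems.append(f"client wallet does not trust server certificate {dn}")
    for dn in client["user"]:
        if normalize_dn(dn) not in server_trusted:
            problems.append(f"server wallet does not trust client certificate {dn}")
    return {"mutual_trust": not problems, "problems": problems}


if __name__ == "__main__":
    for label, server in (("before exchange", SERVER_WALLET_BEFORE_EXCHANGE),
                          ("after exchange", SERVER_WALLET_AFTER_EXCHANGE)):
        print(label, mutual_trust_report(CLIENT_WALLET_DISPLAY, server))
```

Run it against the real output of both wallets after Step 3; an empty problems list means the exchange is complete on both sides.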

13.4.4 Step 4: Configuring Server Network

This step explains how to configure the server network.

Data security between an Audit Vault Server and an Oracle Database target is achieved by default, through network encryption over TCP connection. Data security can also be achieved by using a TCPS/SSL connection.

  1. Configure the server network. Add the following entries to the $ORACLE_HOME/network/admin/sqlnet.ora file on the server:
    WALLET_LOCATION =
       (SOURCE =
         (METHOD = FILE)
         (METHOD_DATA =
           (DIRECTORY = /u01/app/oracle/demowallet)
         )
       )
     
    SQLNET.AUTHENTICATION_SERVICES = (TCPS,TCP,NTS,BEQ)
    SSL_CLIENT_AUTHENTICATION = TRUE
     
    SQLNET.ENCRYPTION_SERVER = ACCEPTED/REQUESTED/REJECTED
    SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED/REQUESTED/REJECTED

    Note:

    1. The server encryption is set to REQUIRED on the DBCS instance and on-premises by default. Set the server encryption to ACCEPTED, REQUESTED, or REJECTED.

    2. REJECTED is not a recommended option. The following table describes these options in detail.

    Option       Description
    ACCEPTED     The server does not allow both encrypted and non-encrypted connections. This is the default value in case the parameter is not set.
    REJECTED     The server does not allow encrypted traffic.
    REQUESTED    The server requests encrypted traffic if it is possible, but accepts non-encrypted traffic if encryption is not possible.
    REQUIRED     The server accepts only encrypted traffic.

  2. Configure the listener to accept SSL or TLS encrypted connections. Edit the $ORACLE_HOME/network/admin/listener.ora file. Add the wallet information and the TCPS entry. Set the values as follows, using the directory location that you specified for your environment:
    SSL_CLIENT_AUTHENTICATION = TRUE
    
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /u01/app/oracle/demowallet)
        )
      )
    
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = <host name>.localdomain)(PORT = 1521))
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
          (ADDRESS = (PROTOCOL = TCPS)(HOST = <host name>.localdomain)(PORT = 1522))
        )
      )
    
    
  3. Restart the listener by executing the following commands:
    $ lsnrctl stop
    $ lsnrctl start
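To see what the SQLNET.ENCRYPTION_SERVER choice in step 1 means for the Agent connection, the following Python checker (an added example, not part of the Oracle documentation) reads the server's and the Agent host's sqlnet.ora and reports the negotiated outcome. The outcome rules are Oracle's documented client/server negotiation for native network encryption, taken from the Oracle Net Services documentation rather than this chapter; the sqlnet.ora fragments are constructed samples.

```python
"""Assess SQLNET encryption settings for the Agent-to-DBCS connection.

Added example, not from the Oracle documentation. The negotiation outcomes are
the rules documented for SQLNET.ENCRYPTION_CLIENT / SQLNET.ENCRYPTION_SERVER in
Oracle Net Services (a fact taken from outside this chapter); the sqlnet.ora
fragments are constructed samples.
"""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate(client_level, server_level):
    """Return 'ENCRYPTED', 'CLEARTEXT' or 'FAIL' for one client/server level pair."""
    client, server = client_level.upper(), server_level.upper()
    if client not in LEVELS or server not in LEVELS:
        raise ValueError(f"unknown encryption level: {client_level!r}/{server_level!r}")
    if {client, server} == {"REJECTED", "REQUIRED"}:
        return "FAIL"        # one side forbids encryption, the other insists on it
    if "REJECTED" in (client, server):
        return "CLEARTEXT"   # REJECTED prevails over ACCEPTED and REQUESTED
    if client == "ACCEPTED" and server == "ACCEPTED":
        return "CLEARTEXT"   # neither side asks for encryption, so none is negotiated
    return "ENCRYPTED"       # at least one side requests or requires it


def read_sqlnet_param(text, name, default="ACCEPTED"):
    """Read NAME from a sqlnet.ora fragment; unset means ACCEPTED, as the chapter states."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(rf"{re.escape(name)}\s*=\s*(\S+)\s*$", line, re.IGNORECASE)
        if match:
            return match.group(1).upper()
    return default


def assess(server_sqlnet, client_sqlnet):
    """Evaluate the server's and the Agent host's sqlnet.ora together."""
    server = read_sqlnet_param(server_sqlnet, "SQLNET.ENCRYPTION_SERVER")
    client = read_sqlnet_param(client_sqlnet, "SQLNET.ENCRYPTION_CLIENT")
    report = {"server": server, "client": client, "findings": []}
    if server not in LEVELS or client not in LEVELS:
        # e.g. the literal placeholder ACCEPTED/REQUESTED/REJECTED left in the file
        report["outcome"] = "INVALID"
        report["findings"].append(f"unrecognised value: server={server}, client={client}")
        return report
    outcome = negotiate(client, server)
    report["outcome"] = outcome
    if server == "REJECTED":
        report["findings"].append("SQLNET.ENCRYPTION_SERVER = REJECTED is not a recommended option")
    if outcome == "CLEARTEXT":
        report["findings"].append("audit data would cross the network unencrypted")
    elif outcome == "FAIL":
        report["findings"].append("Agent connection would be refused: levels are incompatible")
    return report


# Constructed sample: server sqlnet.ora using the option the chapter advises against.
SERVER_SQLNET_REJECTED = """\
SQLNET.AUTHENTICATION_SERVICES = (TCPS,TCP,NTS,BEQ)
SQLNET.ENCRYPTION_SERVER = REJECTED
SQLNET.CRYPTO_CHECKSUM_SERVER = REJECTED
"""

# Constructed sample: server sqlnet.ora that requests encryption.
SERVER_SQLNET_REQUESTED = """\
SQLNET.ENCRYPTION_SERVER = REQUESTED   # accept cleartext only if the peer cannot encrypt
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUESTED
"""

# Constructed sample: Agent host sqlnet.ora that insists on encryption.
CLIENT_SQLNET_REQUIRED = """\
SQLNET.ENCRYPTION_CLIENT = REQUIRED
"""


if __name__ == "__main__":
    print(assess(SERVER_SQLNET_REJECTED, CLIENT_SQLNET_REQUIRED))
    print(assess(SERVER_SQLNET_REQUESTED, CLIENT_SQLNET_REQUIRED))
```

With both sides left at the ACCEPTED default the checker reports CLEARTEXT, which is why at least one side should request or require encryption when TCPS is not in use.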

13.4.5 Step 5: Connecting to DBCS instances in TCPS mode

To connect Oracle Database Cloud Service instances with TCPS follow these steps:

  1. Enable port 1522 on the cloud service.
  2. Configure TCPS connection for the DBCS instance once port 1522 has been opened.
  3. Create the server wallet and certificate.
  4. Create client (agent) wallet and certificate.
  5. Exchange the client (agent) and server certificates.
  6. Configure the server network.
  7. Connect to the DBCS instance through TCPS using the Audit Vault agent or tools like SQL*Plus or SQL*Developer.


13.5 Configuring Hybrid Cloud Target Using TCPS

Learn how to configure cloud targets for DBCS instances in TCPS mode. The Audit Vault server and Audit Vault agent are installed on-premises.

13.5.1 Step 1: Registering On-premises Host on Oracle Audit Vault Server

Follow this configuration procedure to register on-premises hosts on Oracle Audit Vault Server.

This step registers the on-premises host on the Audit Vault server.

Note:

If there is already a registered on-premises host in the Audit Vault Server installed on the Agent for monitoring DBCS instances, then skip this procedure. Otherwise, the steps are similar for all target databases that are on-premises. See Registering Hosts on the Audit Vault Server for detailed steps.

13.5.2 Step 2: Installing Oracle Audit Vault Agent on Registered On-premises Hosts and Configuring TCPS

This configuration procedure installs Oracle Audit Vault Agent on registered on-premises hosts and configures TCPS.

Note:

If there is already an Audit Vault agent installed on an on-premises host that is planned for monitoring DBCS instances then ignore this step. In case there are no agents installed, there are specific requirements for the Audit Vault agents that monitor DBCS instances. The requirements or features are as follows:

  1. The agent has to run on-premises.

  2. A minimum of one agent must be dedicated to monitor only DBCS instances. There may be multiple agents dedicated to monitor only DBCS instances.

  3. The agent should not run on the Audit Vault server.

  1. Install the Audit Vault agent on the on-premises host. See Deploying the Audit Vault Agent on Host Computers for detailed steps on installing on-premises host.
  2. Start the Audit Vault agent.

13.5.3 Step 3: Creating User Accounts on Oracle Database Cloud Service Target Instances

This step creates a user account on the Oracle Database Cloud Service instance.

Note:

The connection methodology and the scripts utilized differ from those of an on-premises deployment.

Prerequisite

  • Port 1522 has to be opened up on the DBCS instance for TCPS connection so that later SQL*Plus and SQL*Developer can be used. TCP connection is encrypted by default. It utilizes the native encryption. See Opening Ports on Oracle Database Cloud Service for detailed steps.

Procedure:

  1. Ensure that the connection has been established to the DBCS instances through TCPS as a user with SYSDBA administrative privilege.
  2. Create Server Wallet and certificate.
  3. Create Client Wallet and certificate.
  4. Exchange Client and Server certificates.
  5. Configure Server network.

    Note:

    See “Configuring TCPS Connections for DBCS Instances” for creating Server Wallet, Client Wallet, certificates, and exchanging certificates.

  6. Once the above steps are complete, the user can now connect to the DBCS instances in TCPS using the Audit Vault Agent or tools like SQL*Plus and SQL*Developer.
  7. Execute the following audit retrieval user account scripts:
    1. oracle_AVDF_dbcs_user_setup.sql

    2. oracle_AVDF_dbcs_drop_db_permissions.sql

    Note:

    These scripts are different from those of the on-premises database instances.

13.5.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances

Use this procedure to set up and review audit policies on target Oracle Database Cloud Service instances.

Check the audit policies that are enabled and change them as needed. For Oracle Database 11g, Oracle Database 11.2, and Oracle Database 12c release instances where unified auditing is not enabled, you can provision audit policies from the Audit Vault Server. If the Unified Trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.

Note:

  • Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault Agent supports a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail per day. The recommended Audit Vault Agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.

  • Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit cleanup once the data has been collected by the on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target, which helps meet compliance requirements. It allows different retention policies for on-premises and DBCS instances.

13.5.5 Step 5: Creating Targets on Audit Vault Server for Oracle Database Cloud Service Instances

This configuration step creates a target on the Oracle Audit Vault Server for Oracle Database Cloud Service instances.

The user must define these specific settings on the target configuration page. Use the following procedure:

  1. Log in to Audit Vault console as an administrator.
  2. Click Targets tab.
  3. Click the Register button on the right.
  4. Enter a Name for the target and select from the Type menu.
  5. Optionally fill in the Description field.
  6. Under the Audit Connection Details sub tab, choose the Advanced option.
  7. In the Protocol menu, select TCPS.
  8. In the Wallet field, choose the client wallet by navigating to the location of the wallet where it was previously created.
  9. Enter the following TCPS connection string in the Target Location field:
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=<Host IP>)(PORT=<Port Number>))(CONNECT_DATA=(SERVICE_NAME=<service name>)(SERVER=DEDICATED))(SECURITY=(SSL_SERVER_CERT_DN="DN")))

    This can also be done using the Basic option: enter the details in the Host Name/IP Address, Server DN, and Wallet fields.

  10. Enter the User Name and Password.
  11. Click Save to save the configuration changes.

    See Also:

    Configuring TCPS Connections for DBCS Instances for information on creating a wallet.

13.5.6 Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Services Instances

This configuration step starts an audit trail on Oracle Audit Vault Server for Oracle Database Cloud Service instances.

Use this procedure to start audit trail on the Audit Vault Server for the DBCS instance:

  1. Log in to the Audit Vault console as an administrator.
  2. In the Targets tab, select the newly registered target.
  3. Under Audit Data Collection section, click Add. The Add Audit Trail dialog is displayed.
  4. Select Audit Trail Type as TABLE.

    Note:

    Other trail types are not supported for the DBCS target instance.

  5. Select the appropriate value in the Trail Location drop-down menu. The supported table trails for an Oracle DBCS target are:
    1. UNIFIED_AUDIT_TRAIL

    2. SYS.AUD$

    3. SYS.FGA_LOG$

    4. DVSYS.AUDIT_TRAIL$

  6. Select the Agent Host.
  7. Click Save to add the audit trail.

13.6 Configuring Oracle Database Exadata Express Cloud Service Target Using TCPS

Learn how to configure Oracle Database Exadata Express Cloud Service targets in TCPS mode.

13.6.1 Step 1: Installing Audit Vault Agent on registered On-premises Hosts and Configuring TCPS

This step installs Oracle Audit Vault Agent on registered on-premises hosts and configures TCPS.

Prerequisites

13.6.2 Step 2: Creating User Accounts on Oracle Exadata Express Cloud Service Instances

This configuration step creates user accounts on Oracle Exadata Express Cloud Service Instances.

Procedure:

  1. Ensure that a connection to the Oracle Database Cloud Service instances has been established through TCPS as a user with the SYSDBA administrative privilege.
  2. Create Server Wallet and certificate.
  3. Create Client Wallet and certificate.
  4. Exchange Client and Server certificates.
  5. Configure Server network.
  6. After the above steps are complete, you can now connect to the DBCS instances in TCPS using the Audit Vault Agent or tools like SQL*Plus and SQL*Developer.
  7. Run the following audit retrieval user account scripts:

    oracle_AVDF_E1_user_setup.sql

    oracle_AVDF_E1_drop_db_permissions.sql

    See Also:

    Configuring TCPS Connections for DBCS Instances for creating Server Wallet, Client Wallet, certificates, and exchanging certificates.

13.6.3 Step 3: Creating Targets on Oracle Audit Vault Server for Oracle Exadata Express Cloud Service Instances

This configuration step creates targets on Oracle Audit Vault Server for Oracle Exadata Express Cloud Service instances.

  1. Create a target on Oracle Audit Vault Server for the DBCS Instance. See Step 5: Creating Targets on Audit Vault Server for Oracle Database Cloud Service Instances.
  2. Set the following mandatory target attribute for the SSL version:

    av.collector.stconn.oracle.net.ssl_version = 1.2
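As an added pre-save check (example code written for this page, not Oracle's own tooling), the following Python parses the TCPS Target Location string from Step 5 of the DBCS procedure above and the target attribute from this step, flagging a non-TCPS protocol, a missing SSL_SERVER_CERT_DN, unreplaced <placeholders>, and a missing ssl_version = 1.2 attribute on Exadata Express targets. The host, service name and DN in the sample string are constructed.

```python
import re

JDBC_PREFIX = "jdbc:oracle:thin:@"
SSL_VERSION_ATTR = "av.collector.stconn.oracle.net.ssl_version"
# Constructed sample (not a real host), in the TCPS descriptor shape the page shows.
SAMPLE_TARGET = ('jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=203.0.113.10)(PORT=1522))'
                 '(CONNECT_DATA=(SERVICE_NAME=pdb1)(SERVER=DEDICATED))(SECURITY=(SSL_SERVER_CERT_DN="CN=dbcs1")))')


def parse_tns(text, pos=0):
    """Parse '(KEY=VALUE)(KEY=(...))' into [(key, value)]; a value is a str or a nested list."""
    pairs = []
    while pos < len(text) and text[pos] == "(":
        eq = text.index("=", pos)
        key, pos = text[pos + 1:eq].upper(), eq + 1
        if text[pos] == "(":                       # nested parameter list
            value, pos = parse_tns(text, pos)
        else:                                      # scalar, possibly "quoted"
            close = text.index(")", pos)
            value, pos = text[pos:close].strip('"'), close
        if text[pos] != ")":
            raise ValueError("unbalanced TNS descriptor")
        pairs.append((key, value))
        pos += 1                                   # step past the closing ')'
    return pairs, pos


def lookup(pairs, path):
    """Follow a dotted key path such as DESCRIPTION.ADDRESS.PROTOCOL; None if absent."""
    node = pairs
    for part in path.split("."):
        node = next((v for k, v in node if k == part), None) if isinstance(node, list) else None
    return node


def check_target(target_location, attributes=None, exadata_express=False):
    """Return a list of findings for a Target Location string (empty list = looks sound)."""
    findings = []
    if re.search(r"<[^>]*>", target_location):
        findings.append("unreplaced <placeholder> left in Target Location")
    if not target_location.startswith(JDBC_PREFIX):
        return findings + ["Target Location is not a jdbc:oracle:thin URL"]
    body = re.sub(r"\s*([()=])\s*", r"\1", target_location[len(JDBC_PREFIX):])  # tolerate spaces
    desc, _ = parse_tns(body)
    if (lookup(desc, "DESCRIPTION.ADDRESS.PROTOCOL") or "").upper() != "TCPS":
        findings.append("PROTOCOL is not TCPS: audit collection would not be TLS-protected")
    if not lookup(desc, "DESCRIPTION.SECURITY.SSL_SERVER_CERT_DN"):
        findings.append("SSL_SERVER_CERT_DN missing: the server certificate DN is not checked")
    if exadata_express and (attributes or {}).get(SSL_VERSION_ATTR) != "1.2":
        findings.append(f"{SSL_VERSION_ATTR} = 1.2 is mandatory for Exadata Express TCPS targets")
    return findings
```

Calling check_target(SAMPLE_TARGET) returns an empty list; passing the page's template string unchanged reports the placeholders that were never filled in.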

13.7 Configuring Oracle Database Exadata Express Cloud Service Target Using TCP

Learn how to configure Exadata Express Cloud Targets in TCP mode. The Audit Vault Server and Audit Vault Agent are installed on-premises.

13.7.1 Step 1: Registering On-premises Hosts on Oracle Audit Vault Server

This configuration step explains how to register on-premises hosts on Oracle Audit Vault Server.

13.7.2 Step 2: Installing Audit Vault Agents on Registered On-Premises Hosts

This configuration step installs agents on registered on-premises hosts.

13.7.3 Step 3: Creating User Accounts on Oracle Exadata Express Cloud Target Instances

This configuration step creates user accounts on Oracle Exadata Express Cloud targets.

  1. Log in with the SYSDBA administrative privilege and establish a connection to the DBCS instances through TCP.
  2. Run the following audit retrieval user account scripts:

    oracle_AVDF_E1_user_setup.sql

    oracle_AVDF_E1_drop_db_permissions.sql

13.7.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Exadata Express Cloud Instances

This configuration step enables you to set up and review audit policies on target Oracle Exadata Express Cloud instances.

Note:

This is not supported for Oracle Exadata Express Cloud Service instance.

13.7.5 Step 5: Creating Targets on Oracle Audit Vault Servers for Oracle Exadata Express Cloud Instances

This configuration step creates targets on Oracle Audit Vault Servers for Oracle Exadata Express Cloud instances.

13.7.6 Step 6: Starting Audit Trail on Oracle Audit Vault Server for Oracle Exadata Express Cloud Instances

This configuration step starts audit trails on Oracle Audit Vault Server for Oracle Exadata Express Cloud instances.

Use this procedure to start audit trail on Oracle Audit Vault Server for Oracle Exadata Express Cloud instances:

  1. Log in to the Audit Vault console as an administrator.
  2. In the Targets tab, select the newly registered target.
  3. Under Audit Data Collection section, click Add. The Add Audit Trail dialog is displayed.
  4. Select Audit Trail Type as TABLE.

    Note:

    Other trail types are not supported for the Exadata Express Cloud target instance.

  5. Select the appropriate value in the Trail Location drop-down menu. The supported table trail for an Oracle Exadata Express Cloud target is:
    1. UNIFIED_AUDIT_TRAIL

  6. Click Save to add the audit trail.

13.8 Configuring Autonomous Data Warehouse and Autonomous Transaction Processing

Learn how to configure Oracle Database Cloud Service types as targets in TCPS mode for Autonomous Data Warehouse and Autonomous Transaction Processing.

13.8.1 Step 1: Install Audit Vault Agent on Registered Host

This configuration step installs the Audit Vault Agent on a registered host.

Prerequisites

Ensure the right version of JDK is installed. The supported JDK versions are:

Follow these steps:

  1. Install the Audit Vault Agent on the host machine. See Deploying the Audit Vault Agent on Host Computers for detailed steps.
  2. Start the Audit Vault Agent.

13.8.2 Step 2: Create User Accounts on Oracle Cloud Instances

This configuration step creates a user account on Oracle Cloud instances.

Complete this procedure to create a user account on an Autonomous Data Warehouse or on an Autonomous Transaction Processing Cloud instance:

  1. Ensure that a connection to the Autonomous Data Warehouse Cloud instances has been established through TCPS as a user with the SYSDBA administrative privilege.
  2. Create a user that is used to collect audit data from the database.
  3. Run the script to provide relevant privileges to the user: oracle_AVDF_dbcs_user_setup.sql

13.8.3 Step 3: Create Targets on Audit Vault Server for the Cloud Instances

This configuration step creates a target on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances.

Prerequisites

  1. Download the client wallet using the Oracle Cloud Infrastructure Console. See Download Client Credentials (Wallets) for complete information.

  2. Unzip the client wallet. The wallet contains the Single Sign On Wallet file (cwallet.sso).
  3. Get the connection string from the Oracle Cloud Infrastructure Console.

Enter these details and the following specific settings on the target configuration page. Follow these steps:

  1. Log in to Audit Vault Server console as an administrator.
  2. Click Targets tab.
  3. Click the Register button on the right.
  4. Enter a Name for the target and select the Type as Oracle Database.
  5. Optionally fill in the Description field.
  6. Under the Audit Connection Details sub tab, choose the Advanced option.
  7. In the Protocol menu, select TCPS.
  8. In the Wallet field, upload the Single Sign On Wallet file (cwallet.sso).
  9. Enter the TCPS connection string in the Target Location field: jdbc:oracle:thin:@<Connection string from OCI Console>
  10. Enter the User Name and Password.
  11. Click Save to save the configuration changes.

13.8.4 Step 4: Start Audit Trail on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud Instances

This configuration step starts an audit trail on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances.

Create audit trail using the Audit Vault Server console for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances. See Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Services Instances for complete information.

13.8.5 Step 5: (Optional) Revoke Audit Vault and Database Firewall Privileges for a User

Use this configuration step to revoke user privileges on Oracle Cloud instances.

If a user no longer requires access to audit data on the database, revoke the privileges by running the following script as the SYS user with the SYSDBA privilege: oracle_AVDF_dbcs_drop_db_permissions.sql.