Table of Contents

• List of Tables
• Title and Copyright Information
• Preface
  • Audience
  • Documentation Accessibility
  • Related Documents
  • Conventions
• Changes in This Release for Oracle Database Security Guide
  • Changes in Oracle Database Security 12c Release 2 (12.2.0.1)
    • New Features
      • Ability to Create Application Common Objects, Users, Roles, and Profiles
      • Application Container Security Features
      • Addition of SYSRAC Administrative Privilege for Oracle Real Application Clusters
      • Administrative User Authentication Enhancements
      • Enhancements for the Management of Administrative Passwords
      • STIG Compliance Features
      • Better Security for Password Versions
      • Ability to Automatically Lock Inactive Database User Accounts
      • More Flexibility in Controlling Database Link Access
      • Ability to Control Definer's Rights Privileges for Database Links
      • PDB Lockdown Profiles to Restrict Operations on PDBs
      • Ability to Set the Identity of the Operating System User for PDBs
      • Updated Kerberos Utilities
      • Additional Security Feature Support for Transparent Sensitive Data Protection
      • Ability to Enable Unified Auditing for Groups of Users Through Roles
      • New Audit Events for Oracle Database Real Application Security
      • Ability to Capture Oracle Virtual Private Database Predicates in the Audit Trail
      • Enhancements for the AUDSYS Audit Schema
    • Deprecated Features
      • Deprecated Columns from the AUDIT_UNIFIED_ENABLED_POLICIES and DBA_XS_ENB_AUDIT_POLICIES Views
      • Deprecated Password Verification Functions
      • Deprecation of the UNIFIED_AUDIT_SGA_QUEUE_SIZE Initialization Parameter
      • Deprecation of the CONTAINER_GUID Parameter from the DBMS_AUDIT_MGMT Package
      • Deprecation of Settings to Flush Audit Trail Records to Disk
  • Updates to Oracle Database Security 12.2
    • Security Update for Native Encryption
• 1 Introduction to Oracle Database Security
  • 1.1 About Oracle Database Security
  • 1.2 Additional Oracle Database Security Products
• Part I Managing User Authentication and Authorization
  • 2 Managing Security for Oracle Database Users
    • 2.1 About User Security
    • 2.2 Creating User Accounts
      • 2.2.1 About Common Users and Local Users
        • 2.2.1.1 About Common Users
        • 2.2.1.2 How Plugging in PDBs Affects CDB Common Users
        • 2.2.1.3 About Local Users
      • 2.2.2 Who Can Create User Accounts?
      • 2.2.3 Creating a New User Account That Has Minimum Database Privileges
      • 2.2.4 Restrictions on Creating the User Name for a New Account
        • 2.2.4.1 Uniqueness of User Names
        • 2.2.4.2 User Names in a Multitenant Environment
        • 2.2.4.3 Case Sensitivity for User Names
      • 2.2.5 Assignment of User Passwords
      • 2.2.6 Default Tablespace for the User
        • 2.2.6.1 About Assigning a Default Tablespace for a User
        • 2.2.6.2 DEFAULT TABLESPACE Clause for Assigning a Default Tablespace
      • 2.2.7 Tablespace Quotas for a User
        • 2.2.7.1 About Assigning a Tablespace Quota for a User
        • 2.2.7.2 CREATE USER Statement for Assigning a Tablespace Quota
        • 2.2.7.3 Restriction of the Quota Limits for User Objects in a Tablespace
        • 2.2.7.4 Grants to Users for the UNLIMITED TABLESPACE System Privilege
      • 2.2.8 Temporary Tablespaces for the User
        • 2.2.8.1 About Assigning a Temporary Tablespace for a User
        • 2.2.8.2 TEMPORARY TABLESPACE Clause for Assigning a Temporary Tablespace
      • 2.2.9 Profiles for the User
      • 2.2.10 Creation of a Common User or a Local User
        • 2.2.10.1 About Creating Common User Accounts
        • 2.2.10.2 CREATE USER Statement for Creating a Common User Account
        • 2.2.10.3 About Creating Local User Accounts
        • 2.2.10.4 CREATE USER Statement for Creating a Local User Account
      • 2.2.11 Creating a Default Role for the User
    • 2.3 Altering User Accounts
      • 2.3.1 About Altering User Accounts
      • 2.3.2 Methods of Altering Common or Local User Accounts
      • 2.3.3 Changing Non-SYS User Passwords
        • 2.3.3.1 About Changing Non-SYS User Passwords
        • 2.3.3.2 Using the PASSWORD Command or ALTER USER Statement to Change a Password
      • 2.3.4 Changing the SYS User Password
        • 2.3.4.1 About Changing the SYS User Password
        • 2.3.4.2 ORAPWD Utility for Changing the SYS User Password
    • 2.4 Configuring User Resource Limits
      • 2.4.1 About User Resource Limits
      • 2.4.2 Types of System Resources and Limits
        • 2.4.2.1 Limits to the User Session Level
        • 2.4.2.2 Limits to Database Call Levels
        • 2.4.2.3 Limits to CPU Time
        • 2.4.2.4 Limits to Logical Reads
        • 2.4.2.5 Limits to Other Resources
      • 2.4.3 Values for Resource Limits of Profiles
      • 2.4.4 Managing Resources with Profiles
        • 2.4.4.1 About Profiles
        • 2.4.4.2 ora_stig_profile User Profile
        • 2.4.4.3 Creating a Profile
        • 2.4.4.4 Creating a CDB Profile or an Application Profile
        • 2.4.4.5 Assigning a Profile to a User
        • 2.4.4.6 Dropping Profiles
    • 2.5 Dropping User Accounts
      • 2.5.1 About Dropping User Accounts
      • 2.5.2 Terminating a User Session
      • 2.5.3 About Dropping a User After the User Is No Longer Connected to the Database
      • 2.5.4 Dropping a User Whose Schema Contains Objects
    • 2.6 Database User and Profile Data Dictionary Views
      • 2.6.1 Data Dictionary Views That List Information About Users and Profiles
      • 2.6.2 Query to Find All Users and Associated Information
      • 2.6.3 Query to List All Tablespace Quotas
      • 2.6.4 Query to List All Profiles and Assigned Limits
      • 2.6.5 Query to View Memory Use for Each User Session
  • 3 Configuring Authentication
    • 3.1 About Authentication
    • 3.2 Configuring Password Protection
      • 3.2.1 What Are the Oracle Database Built-in Password Protections?
      • 3.2.2 Minimum Requirements for Passwords
      • 3.2.3 Creating a Password by Using the IDENTIFIED BY Clause
      • 3.2.4 Using a Password Management Policy
        • 3.2.4.1 About Managing Passwords
        • 3.2.4.2 Finding User Accounts That Have Default Passwords
        • 3.2.4.3 Password Settings in the Default Profile
        • 3.2.4.4 Using the ALTER PROFILE Statement to Set Profile Limits
        • 3.2.4.5 Disabling and Enabling the Default Password Security Settings
        • 3.2.4.6 Automatically Locking Inactive Database User Accounts
        • 3.2.4.7 Automatically Locking User Accounts After Failed Logins
        • 3.2.4.8 Example: Locking an Account with the CREATE PROFILE Statement
        • 3.2.4.9 Explicitly Locking a User Account
        • 3.2.4.10 Controlling the User Ability to Reuse Previous Passwords
        • 3.2.4.11 About Controlling Password Aging and Expiration
        • 3.2.4.12 Using the CREATE PROFILE or ALTER PROFILE Statement to Set a Password Lifetime
        • 3.2.4.13 Checking the Status of a User Account
        • 3.2.4.14 Password Change Life Cycle
        • 3.2.4.15 PASSWORD_LIFE_TIME Profile Parameter Low Value
      • 3.2.5 Managing the Complexity of Passwords
        • 3.2.5.1 About Password Complexity Verification
        • 3.2.5.2 How Oracle Database Checks the Complexity of Passwords
        • 3.2.5.3 Who Can Use the Password Complexity Functions?
        • 3.2.5.4 verify_function_11G Function Password Requirements
        • 3.2.5.5 ora12c_verify_function Password Requirements
        • 3.2.5.6 ora12c_strong_verify_function Function Password Requirements
        • 3.2.5.7 ora12c_stig_verify_function Password Requirements
        • 3.2.5.8 About Customizing Password Complexity Verification
        • 3.2.5.9 Enabling Password Complexity Verification
      • 3.2.6 Managing Password Case Sensitivity
        • 3.2.6.1 SEC_CASE_SENSITIVE_LOGON Parameter and Password Case Sensitivity
        • 3.2.6.2 Using the ALTER SYSTEM Statement to Enable Password Case Sensitivity
        • 3.2.6.3 Management of Case Sensitivity for Secure Role Passwords
        • 3.2.6.4 Management of Password Versions of Users
        • 3.2.6.5 Finding and Resetting User Passwords That Use the 10G Password Version
        • 3.2.6.6 How Case Sensitivity Affects Password Files
        • 3.2.6.7 How Case Sensitivity Affects Passwords Used in Database Link Connections
      • 3.2.7 Ensuring Against Password Security Threats by Using the 12C Password Version
        • 3.2.7.1 About the 12C Version of the Password Hash
        • 3.2.7.2 Oracle Database 12C Password Version Configuration Guidelines
        • 3.2.7.3 Configuring Oracle Database to Use the 12C Password Version Exclusively
        • 3.2.7.4 How Server and Client Logon Versions Affect Database Links
        • 3.2.7.5 Configuring Oracle Database Clients to Use the 12C Password Version Exclusively
      • 3.2.8 Managing the Secure External Password Store for Password Credentials
        • 3.2.8.1 About the Secure External Password Store
        • 3.2.8.2 How Does the External Password Store Work?
        • 3.2.8.3 About Configuring Clients to Use the External Password Store
        • 3.2.8.4 Configuring a Client to Use the External Password Store
        • 3.2.8.5 Example: Sample SQLNET.ORA File with Wallet Parameters Set
        • 3.2.8.6 Managing External Password Store Credentials
          • 3.2.8.6.1 Listing External Password Store Contents
          • 3.2.8.6.2 Adding Credentials to an External Password Store
          • 3.2.8.6.3 Modifying Credentials in an External Password Store
          • 3.2.8.6.4 Deleting Credentials from an External Password Store
      • 3.2.9 Managing Passwords for Administrative Users
        • 3.2.9.1 About Managing Passwords for Administrative Users
        • 3.2.9.2 Setting the LOCK and EXPIRED Status of Administrative Users
        • 3.2.9.3 Password Profile Settings for Administrative Users
        • 3.2.9.4 Last Successful Login Time for Administrative Users
        • 3.2.9.5 Management of the Password File of Administrative Users
        • 3.2.9.6 Migration of the Password File of Administrative Users
        • 3.2.9.7 How the Multitenant Option Affects Password Files for Administrative Users
        • 3.2.9.8 Password Complexity Verification Functions for Administrative Users
    • 3.3 Authentication of Database Administrators
      • 3.3.1 About Authentication of Database Administrators
      • 3.3.2 Strong Authentication, Centralized Management for Administrators
        • 3.3.2.1 About Strong Authentication for Database Administrators
        • 3.3.2.2 Configuring Directory Authentication for Administrative Users
        • 3.3.2.3 Configuring Kerberos Authentication for Administrative Users
        • 3.3.2.4 Configuring Secure Sockets Layer Authentication for Administrative Users
      • 3.3.3 Authentication of Database Administrators by Using the Operating System
      • 3.3.4 Authentication of Database Administrators by Using Their Passwords
      • 3.3.5 Risks of Using Password Files for Database Administrator Authentication
    • 3.4 Database Authentication of Users
      • 3.4.1 About Database Authentication
      • 3.4.2 Advantages of Database Authentication
      • 3.4.3 Creating Users Who Are Authenticated by the Database
    • 3.5 Operating System Authentication of Users
    • 3.6 Network Authentication of Users
      • 3.6.1 Authentication with Secure Sockets Layer
      • 3.6.2 Authentication with Third-Party Services
        • 3.6.2.1 About Authentication Using Third-Party Services
        • 3.6.2.2 Authentication with Kerberos
        • 3.6.2.3 Authentication with RADIUS
        • 3.6.2.4 Authentication with Directory-Based Services
        • 3.6.2.5 Authentication with Public Key Infrastructure
    • 3.7 Configuring Operating System Users for a PDB
      • 3.7.1 About Configuring Operating System Users for a PDB
      • 3.7.2 Configuring an Operating System User for a PDB
    • 3.8 Global User Authentication and Authorization
      • 3.8.1 About Configuring Global User Authentication and Authorization
      • 3.8.2 Configuration of Users Who Are Authorized by a Directory Service
        • 3.8.2.1 Creating a Global User Who Has a Private Schema
        • 3.8.2.2 Creating Multiple Enterprise Users Who Share Schemas
      • 3.8.3 Advantages of Global Authentication and Global Authorization
    • 3.9 Configuring an External Service to Authenticate Users and Passwords
      • 3.9.1 About External Authentication
      • 3.9.2 Advantages of External Authentication
      • 3.9.3 Enabling External Authentication
      • 3.9.4 Creating a User Who Is Authenticated Externally
      • 3.9.5 Authentication of User Logins By Using the Operating System
      • 3.9.6 Authentication of User Logins Using Network Authentication
    • 3.10 Multitier Authentication and Authorization
    • 3.11 Administration and Security in Clients, Application Servers, and Database Servers
    • 3.12 Preserving User Identity in Multitiered Environments
      • 3.12.1 Middle Tier Server Use for Proxy Authentication
        • 3.12.1.1 About Proxy Authentication
        • 3.12.1.2 Advantages of Proxy Authentication
        • 3.12.1.3 Who Can Create Proxy User Accounts?
        • 3.12.1.4 Guidelines for Creating Proxy User Accounts
        • 3.12.1.5 Creating Proxy User Accounts and Authorizing Users to Connect Through Them
        • 3.12.1.6 Proxy User Accounts and the Authorization of Users to Connect Through Them
        • 3.12.1.7 Using Proxy Authentication with the Secure External Password Store
        • 3.12.1.8 How the Identity of the Real User Is Passed with Proxy Authentication
        • 3.12.1.9 Limits to the Privileges of the Middle Tier
        • 3.12.1.10 Authorizing a Middle Tier to Proxy and Authenticate a User
        • 3.12.1.11 Authorizing a Middle Tier to Proxy a User Authenticated by Other Means
        • 3.12.1.12 Reauthenticating a User Through the Middle Tier to the Database
        • 3.12.1.13 Using Password-Based Proxy Authentication
        • 3.12.1.14 Using Proxy Authentication with Enterprise Users
      • 3.12.2 Using Client Identifiers to Identify Application Users Unknown to the Database
        • 3.12.2.1 About Client Identifiers
        • 3.12.2.2 How Client Identifiers Work in Middle Tier Systems
        • 3.12.2.3 Use of the CLIENT_IDENTIFIER Attribute to Preserve User Identity
        • 3.12.2.4 Use of the CLIENT_IDENTIFIER Independent of Global Application Context
        • 3.12.2.5 Setting the CLIENT_IDENTIFIER Independent of Global Application Context
        • 3.12.2.6 Use of the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier
        • 3.12.2.7 Enabling the CLIENTID_OVERWRITE Event System-Wide
        • 3.12.2.8 Enabling the CLIENTID_OVERWRITE Event for the Current Session
        • 3.12.2.9 Disabling the CLIENTID_OVERWRITE Event
    • 3.13 User Authentication Data Dictionary Views
  • 4 Configuring Privilege and Role Authorization
    • 4.1 About Privileges and Roles
    • 4.2 Who Should Be Granted Privileges?
    • 4.3 How the Oracle Multitenant Option Affects Privileges
    • 4.4 Managing Administrative Privileges
      • 4.4.1 About Administrative Privileges
      • 4.4.2 Grants of Administrative Privileges to Users
      • 4.4.3 SYSDBA and SYSOPER Privileges for Standard Database Operations
      • 4.4.4 SYSBACKUP Administrative Privilege for Backup and Recovery Operations
      • 4.4.5 SYSDG Administrative Privilege for Oracle Data Guard Operations
      • 4.4.6 SYSKM Administrative Privilege for Transparent Data Encryption
      • 4.4.7 SYSRAC Administrative Privilege for Oracle Real Application Clusters
    • 4.5 Managing System Privileges
      • 4.5.1 About System Privileges
      • 4.5.2 Why Is It Important to Restrict System Privileges?
        • 4.5.2.1 About the Importance of Restricting System Privileges
        • 4.5.2.2 Restricting System Privileges by Securing the Data Dictionary
        • 4.5.2.3 User Access to Objects in the SYS Schema
      • 4.5.3 Grants and Revokes of System Privileges
      • 4.5.4 Who Can Grant or Revoke System Privileges?
      • 4.5.5 About ANY Privileges and the PUBLIC Role
    • 4.6 Managing Commonly and Locally Granted Privileges
      • 4.6.1 About Commonly and Locally Granted Privileges
      • 4.6.2 How Commonly Granted System Privileges Work
      • 4.6.3 How Commonly Granted Object Privileges Work
      • 4.6.4 Granting or Revoking Privileges to Access a PDB
      • 4.6.5 Example: Granting a Privilege in a Multitenant Environment
      • 4.6.6 Enabling Common Users to View CONTAINER_DATA Object Information
        • 4.6.6.1 Viewing Data About the Root, CDB, and PDBs While Connected to the Root
        • 4.6.6.2 Enabling Common Users to Query Data in Specific PDBs
    • 4.7 Managing Common Roles and Local Roles
      • 4.7.1 About Common Roles and Local Roles
      • 4.7.2 How Common Roles Work
      • 4.7.3 How the PUBLIC Role Works in a Multitenant Environment
      • 4.7.4 Privileges Required to Create, Modify, or Drop a Common Role
      • 4.7.5 Rules for Creating Common Roles
      • 4.7.6 Creating a Common Role
      • 4.7.7 Rules for Creating Local Roles
      • 4.7.8 Creating a Local Role
      • 4.7.9 Role Grants and Revokes for Common Users and Local Users
    • 4.8 Managing User Roles
      • 4.8.1 About User Roles
        • 4.8.1.1 What Are User Roles?
        • 4.8.1.2 The Functionality of Roles
        • 4.8.1.3 Properties of Roles and Why They Are Advantageous
        • 4.8.1.4 Typical Uses of Roles
        • 4.8.1.5 Common Uses of Application Roles
        • 4.8.1.6 Common Uses of User Roles
        • 4.8.1.7 How Roles Affect the Scope of a User's Privileges
        • 4.8.1.8 How Roles Work in PL/SQL Blocks
          • 4.8.1.8.1 Roles Used in Named Blocks with Definer's Rights
          • 4.8.1.8.2 Roles Used in Named Blocks with Invoker's Rights and Anonymous PL/SQL Blocks
        • 4.8.1.9 How Roles Aid or Restrict DDL Usage
        • 4.8.1.10 How Operating Systems Can Aid Roles
        • 4.8.1.11 How Roles Work in a Distributed Environment
      • 4.8.2 Predefined Roles in an Oracle Database Installation
      • 4.8.3 Creating a Role
        • 4.8.3.1 About the Creation of Roles
        • 4.8.3.2 Creating a Role That Is Authenticated With a Password
        • 4.8.3.3 Creating a Role That Has No Password Authentication
        • 4.8.3.4 Creating a Role That Is External or Global
        • 4.8.3.5 Altering a Role
      • 4.8.4 Specifying the Type of Role Authorization
        • 4.8.4.1 Authorizing a Role by Using the Database
        • 4.8.4.2 Authorizing a Role by Using an Application
        • 4.8.4.3 Authorizing a Role by Using an External Source
        • 4.8.4.4 Authorizing a Role by Using the Operating System
        • 4.8.4.5 Authorizing a Role by Using a Network Client
        • 4.8.4.6 Authorizing a Global Role by an Enterprise Directory Service
      • 4.8.5 Granting and Revoking Roles
        • 4.8.5.1 About Granting and Revoking Roles
        • 4.8.5.2 Who Can Grant or Revoke Roles?
        • 4.8.5.3 Granting and Revoking Roles to and from Program Units
      • 4.8.6 Dropping Roles
      • 4.8.7 Restricting SQL*Plus Users from Using Database Roles
        • 4.8.7.1 Potential Security Problems of Using Ad Hoc Tools
        • 4.8.7.2 How the PRODUCT_USER_PROFILE System Table Can Limit Roles
        • 4.8.7.3 How Stored Procedures Can Encapsulate Business Logic
      • 4.8.8 Role Privileges and Secure Application Roles
    • 4.9 Using PDB Lockdown Profiles to Restrict Operations on PDBs
      • 4.9.1 About PDB Lockdown Profiles
      • 4.9.2 Creating a PDB Lockdown Profile
      • 4.9.3 Enabling a PDB Lockdown Profile
      • 4.9.4 Dropping a PDB Lockdown Profile
    • 4.10 Managing Object Privileges
      • 4.10.1 About Object Privileges
      • 4.10.2 Who Can Grant Object Privileges?
      • 4.10.3 Grants and Revokes of Object Privileges
        • 4.10.3.1 About Granting and Revoking Object Privileges
        • 4.10.3.2 How the ALL Clause Grants or Revokes All Available Object Privileges
      • 4.10.4 READ and SELECT Object Privileges
        • 4.10.4.1 About Managing READ and SELECT Object Privileges
        • 4.10.4.2 Enabling Users to Use the READ Object Privilege to Query Any Table in the Database
        • 4.10.4.3 Restrictions on the READ and READ ANY TABLE Privileges
      • 4.10.5 Object Privilege Use with Synonyms
      • 4.10.6 Sharing Application Common Objects
        • 4.10.6.1 Metadata-Linked Application Common Objects
        • 4.10.6.2 Data-Linked Application Common Objects
        • 4.10.6.3 Extended Data-Linked Application Common Objects
    • 4.11 Table Privileges
      • 4.11.1 How Table Privileges Affect Data Manipulation Language Operations
      • 4.11.2 How Table Privileges Affect Data Definition Language Operations
    • 4.12 View Privileges
      • 4.12.1 Privileges Required to Create Views
      • 4.12.2 The Use of Views to Increase Table Security
    • 4.13 Procedure Privileges
      • 4.13.1 The Use of the EXECUTE Privilege for Procedure Privileges
      • 4.13.2 Procedure Execution and Security Domains
      • 4.13.3 System Privileges Required to Create or Replace a Procedure
      • 4.13.4 System Privileges Required to Compile a Procedure
      • 4.13.5 How Procedure Privileges Affect Packages and Package Objects
        • 4.13.5.1 About the Effect of Procedure Privileges on Packages and Package Objects
        • 4.13.5.2 Example: Procedure Privileges Used in One Package
        • 4.13.5.3 Example: Procedure Privileges and Package Objects
    • 4.14 Type Privileges
      • 4.14.1 System Privileges for Named Types
      • 4.14.2 Object Privileges for Named Types
      • 4.14.3 Method Execution Model for Named Types
      • 4.14.4 Privileges Required to Create Types and Tables Using Types
      • 4.14.5 Example: Privileges for Creating Types and Tables Using Types
      • 4.14.6 Privileges on Type Access and Object Access
      • 4.14.7 Type Dependencies
    • 4.15 Grants of User Privileges and Roles
      • 4.15.1 Granting System Privileges and Roles to Users and Roles
        • 4.15.1.1 Privileges for Grants of System Privileges and Roles to Users and Roles
        • 4.15.1.2 Example: Granting a System Privilege and a Role to a User
        • 4.15.1.3 Example: Granting the EXECUTE Privilege on a Directory Object
        • 4.15.1.4 Use of the ADMIN Option to Enable Grantee Users to Grant the Privilege
        • 4.15.1.5 Creating a New User with the GRANT Statement
      • 4.15.2 Granting Object Privileges to Users and Roles
        • 4.15.2.1 About Granting Object Privileges to Users and Roles
        • 4.15.2.2 How the WITH GRANT OPTION Clause Works
        • 4.15.2.3 Grants of Object Privileges on Behalf of the Object Owner
        • 4.15.2.4 Grants of Privileges on Columns
        • 4.15.2.5 Row-Level Access Control
    • 4.16 Revokes of Privileges and Roles from a User
      • 4.16.1 Revokes of System Privileges and Roles
      • 4.16.2 Revokes of Object Privileges
        • 4.16.2.1 About Revokes of Object Privileges
        • 4.16.2.2 Revokes of Multiple Object Privileges
        • 4.16.2.3 Revokes of Object Privileges on Behalf of the Object Owner
        • 4.16.2.4 Revokes of Column-Selective Object Privileges
        • 4.16.2.5 Revokes of the REFERENCES Object Privilege
      • 4.16.3 Cascading Effects of Revoking Privileges
        • 4.16.3.1 Cascading Effects When Revoking System Privileges
        • 4.16.3.2 Cascading Effects When Revoking Object Privileges
    • 4.17 Grants and Revokes of Privileges to and from the PUBLIC Role
    • 4.18 Grants of Roles Using the Operating System or Network
      • 4.18.1 About Granting Roles Using the Operating System or Network
      • 4.18.2 Operating System Role Identification
      • 4.18.3 Operating System Role Management
      • 4.18.4 Role Grants and Revokes When OS_ROLES Is Set to TRUE
      • 4.18.5 Role Enablements and Disablements When OS_ROLES Is Set to TRUE
      • 4.18.6 Network Connections with Operating System Role Management
    • 4.19 How Grants and Revokes Work with SET ROLE and Default Role Settings
      • 4.19.1 When Grants and Revokes Take Effect
      • 4.19.2 How the SET ROLE Statement Affects Grants and Revokes
      • 4.19.3 Specifying the Default Role for a User
      • 4.19.4 The Maximum Number of Roles That a User Can Have Enabled
    • 4.20 User Privilege and Role Data Dictionary Views
      • 4.20.1 Data Dictionary Views to Find Information about Privilege and Role Grants
      • 4.20.2 Query to List All System Privilege Grants
      • 4.20.3 Query to List All Role Grants
      • 4.20.4 Query to List Object Privileges Granted to a User
      • 4.20.5 Query to List the Current Privilege Domain of Your Session
      • 4.20.6 Query to List Roles of the Database
      • 4.20.7 Query to List Information About the Privilege Domains of Roles
  • 5 Managing Security for Definer's Rights and Invoker's Rights
    • 5.1 About Definer's Rights and Invoker's Rights
    • 5.2 How Procedure Privileges Affect Definer's Rights
    • 5.3 How Procedure Privileges Affect Invoker's Rights
    • 5.4 When You Should Create Invoker's Rights Procedures
    • 5.5 Controlling Invoker's Rights Privileges for Procedure Calls and View Access
      • 5.5.1 How the Privileges of a Schema Affect the Use of Invoker's Rights Procedures
      • 5.5.2 How the INHERIT [ANY] PRIVILEGES Privileges Control Privilege Access
      • 5.5.3 Grants of the INHERIT PRIVILEGES Privilege to Other Users
      • 5.5.4 Example: Granting INHERIT PRIVILEGES on an Invoking User
      • 5.5.5 Example: Revoking INHERIT PRIVILEGES
      • 5.5.6 Grants of the INHERIT ANY PRIVILEGES Privilege to Other Users
      • 5.5.7 Example: Granting INHERIT ANY PRIVILEGES to a Trusted Procedure Owner
      • 5.5.8 Managing INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES
    • 5.6 Definer's Rights and Invoker's Rights in Views
      • 5.6.1 About Controlling Definer's Rights and Invoker's Rights in Views
      • 5.6.2 Using the BEQUEATH Clause in the CREATE VIEW Statement
      • 5.6.3 Finding the User Name or User ID of the Invoking User
      • 5.6.4 Finding BEQUEATH DEFINER and BEQUEATH_CURRENT_USER Views
    • 5.7 Using Code Based Access Control for Definer's Rights and Invoker's Rights
      • 5.7.1 About Using Code Based Access Control for Applications
      • 5.7.2 Who Can Grant Code Based Access Control Roles to a Program Unit?
      • 5.7.3 How Code Based Access Control Works with Invoker's Rights Program Units
      • 5.7.4 How Code Based Access Control Works with Definer's Rights Program Units
      • 5.7.5 Grants of Database Roles to Users for Their CBAC Grants
      • 5.7.6 Grants and Revokes of Database Roles to a Program Unit
      • 5.7.7 Tutorial: Controlling Access to Sensitive Data Using Code Based Access Control
        • 5.7.7.1 About This Tutorial
        • 5.7.7.2 Step 1: Create the User and Grant HR the CREATE ROLE Privilege
        • 5.7.7.3 Step 2: Create the print_employees Invoker's Rights Procedure
        • 5.7.7.4 Step 3: Create the hr_clerk Role and Grant Privileges for It
        • 5.7.7.5 Step 4: Test the Code Based Access Control HR.print_employees Procedure
        • 5.7.7.6 Step 5: Create the view_emp_role Role and Grant Privileges for It
        • 5.7.7.7 Step 6: Test the HR.print_employees Procedure Again
        • 5.7.7.8 Step 7: Remove the Components of This Tutorial
    • 5.8 Controlling Definer's Rights Privileges for Database Links
      • 5.8.1 About Controlling Definer's Rights Privileges for Database Links
      • 5.8.2 Grants of the INHERIT REMOTE PRIVILEGES Privilege to Other Users
      • 5.8.3 Example: Granting INHERIT REMOTE PRIVILEGES on a Connected User
      • 5.8.4 Grants of the INHERIT ANY REMOTE PRIVILEGES Privilege to Other Users
      • 5.8.5 Revokes of the INHERIT [ANY] REMOTE PRIVILEGES Privilege
      • 5.8.6 Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege
      • 5.8.7 Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege from PUBLIC
      • 5.8.8 Tutorial: Using a Database Link in a Definer's Rights Procedure
        • 5.8.8.1 About This Tutorial
        • 5.8.8.2 Step 1: Create User Accounts
        • 5.8.8.3 Step 2: As User dbuser2, Create a Table to Store User IDs
        • 5.8.8.4 Step 3: As User dbuser1, Create a Database Link and Definer's Rights Procedure
        • 5.8.8.5 Step 4: Test the Definer's Rights Procedure
        • 5.8.8.6 Step 5: Remove the Components of This Tutorial
  • 6 Managing Fine-Grained Access in PL/SQL Packages and Types
    • 6.1 About Managing Fine-Grained Access in PL/SQL Packages and Types
    • 6.2 About Fine-Grained Access Control to External Network Services
    • 6.3 About Access Control to Oracle Wallets
    • 6.4 Upgraded Applications That Depend on Packages That Use External Network Services
    • 6.5 Configuring Access Control for External Network Services
      • 6.5.1 Syntax for Configuring Access Control for External Network Services
      • 6.5.2 Example: Configuring Access Control for External Network Services
      • 6.5.3 Revoking Access Control Privileges for External Network Services
      • 6.5.4 Example: Revoking External Network Services Privileges
    • 6.6 Configuring Access Control to an Oracle Wallet
      • 6.6.1 About Configuring Access Control to an Oracle Wallet
      • 6.6.2 Step 1: Create an Oracle Wallet
      • 6.6.3 Step 2: Configure Access Control Privileges for the Oracle Wallet
      • 6.6.4 Step 3: Make the HTTP Request with the Passwords and Client Certificates
        • 6.6.4.1 Making the HTTPS Request with the Passwords and Client Certificates
        • 6.6.4.2 Using a Request Context to Hold the Wallet When Sharing the Session with Other Applications
        • 6.6.4.3 Use of Only a Client Certificate to Authenticate
        • 6.6.4.4 Use of a Password to Authenticate
      • 6.6.5 Revoking Access Control Privileges for Oracle Wallets
    • 6.7 Examples of Configuring Access Control for External Network Services
      • 6.7.1 Example: Configuring Access Control for a Single Role and Network Connection
      • 6.7.2 Example: Configuring Access Control for a User and Role
      • 6.7.3 Example: Using the DBA_HOST_ACES View to Show Granted Privileges
      • 6.7.4 Example: Configuring ACL Access Using Passwords in a Non-Shared Wallet
      • 6.7.5 Example: Configuring ACL Access for a Wallet in a Shared Database Session
    • 6.8 Specifying a Group of Network Host Computers
    • 6.9 Precedence Order for a Host Computer in Multiple Access Control List Assignments
    • 6.10 Precedence Order for a Host in Access Control List Assignments with Port Ranges
    • 6.11 Checking Privilege Assignments That Affect User Access to Network Hosts
      • 6.11.1 About Privilege Assignments that Affect User Access to Network Hosts
      • 6.11.2 How to Check User Network Connection and Domain Privileges
      • 6.11.3 Example: Administrator Checking User Network Access Control Permissions
      • 6.11.4 How Users Can Check Their Network Connection and Domain Privileges
      • 6.11.5 Example: User Checking Network Access Control Permissions
    • 6.12 Configuring Network Access for Java Debug Wire Protocol Operations
    • 6.13 Data Dictionary Views for Access Control Lists Configured for User Access
  • 7 Managing Security for a Multitenant Environment in Enterprise Manager
    • 7.1 About Managing Security for a Multitenant Environment in Enterprise Manager
    • 7.2 Logging into a Multitenant Environment in Enterprise Manager
      • 7.2.1 Logging into a CDB or a PDB
      • 7.2.2 Switching to a Different PDB or to the Root
    • 7.3 Managing Common and Local Users in Enterprise Manager
      • 7.3.1 Creating a Common User Account in Enterprise Manager
      • 7.3.2 Editing a Common User Account in Enterprise Manager
      • 7.3.3 Dropping a Common User Account in Enterprise Manager
      • 7.3.4 Creating a Local User Account in Enterprise Manager
      • 7.3.5 Editing a Local User Account in Enterprise Manager
      • 7.3.6 Dropping a Local User Account in Enterprise Manager
    • 7.4 Managing Common and Local Roles and Privileges in Enterprise Manager
      • 7.4.1 Creating a Common Role in Enterprise Manager
      • 7.4.2 Editing a Common Role in Enterprise Manager
      • 7.4.3 Dropping a Common Role in Enterprise Manager
      • 7.4.4 Revoking Common Privilege Grants in Enterprise Manager
      • 7.4.5 Creating a Local Role in Enterprise Manager
      • 7.4.6 Editing a Local Role in Enterprise Manager
      • 7.4.7 Dropping a Local Role in Enterprise Manager
      • 7.4.8 Revoking Local Privilege Grants in Enterprise Manager
• Part II Application Development Security
  • 8 Managing Security for Application Developers
    • 8.1 About Application Security Policies
    • 8.2 Considerations for Using Application-Based Security
      • 8.2.1 Are Application Users Also Database Users?
      • 8.2.2 Is Security Better Enforced in the Application or in the Database?
    • 8.3 Securing Passwords in Application Design
      • 8.3.1 General Guidelines for Securing Passwords in Applications
        • 8.3.1.1 Platform-Specific Security Threats
        • 8.3.1.2 Guidelines for Designing Applications to Handle Password Input
        • 8.3.1.3 Guidelines for Configuring Password Formats and Behavior
        • 8.3.1.4 Guidelines for Handling Passwords in SQL Scripts
      • 8.3.2 Use of an External Password Store to Secure Passwords
      • 8.3.3 Securing Passwords Using the ORAPWD Utility
      • 8.3.4 Example: Java Code for Reading Passwords
    • 8.4 Securing External Procedures
      • 8.4.1 About Securing External Procedures
      • 8.4.2 General Process for Configuring extproc for a Credential Authentication
      • 8.4.3 extproc Process Authentication and Impersonation Expected Behaviors
      • 8.4.4 Configuring Authentication for External Procedures
      • 8.4.5 External Procedures for Legacy Applications
    • 8.5 Managing Application Privileges
    • 8.6 Advantages of Using Roles to Manage Application Privileges
    • 8.7 Creating Secure Application Roles to Control Access to Applications
      • 8.7.1 Step 1: Create the Secure Application Role
      • 8.7.2 Step 2: Create a PL/SQL Package to Define the Access Policy for the Application
        • 8.7.2.1 About Creating a PL/SQL Package to Define the Access Policy for an Application
        • 8.7.2.2 Creating a PL/SQL Package or Procedure to Define the Access Policy for an Application
        • 8.7.2.3 Testing the Secure Application Role
    • 8.8 Association of Privileges with User Database Roles
      • 8.8.1 Why Users Should Only Have the Privileges of the Current Database Role
      • 8.8.2 Use of the SET ROLE Statement to Automatically Enable or Disable Roles
    • 8.9 Protecting Database Objects by Using Schemas
      • 8.9.1 Protecting Database Objects in a Unique Schema
      • 8.9.2 Protection of Database Objects in a Shared Schema
    • 8.10 Object Privileges in an Application
      • 8.10.1 What Application Developers Must Know About Object Privileges
      • 8.10.2 SQL Statements Permitted by Object Privileges
    • 8.11 Parameters for Enhanced Security of Database Communication
      • 8.11.1 Bad Packets Received on the Database from Protocol Errors
      • 8.11.2 Controlling Server Execution After Receiving a Bad Packet
      • 8.11.3 Configuration of the Maximum Number of Authentication Attempts
      • 8.11.4 Configuring the Display of the Database Version Banner
      • 8.11.5 Configuring Banners for Unauthorized Access and Auditing User Actions
• Part III Controlling Access to Data
  • 9 Using Application Contexts to Retrieve User Information
    • 9.1 About Application Contexts
      • 9.1.1 What Is an Application Context?
      • 9.1.2 Components of the Application Context
      • 9.1.3 Where Are the Application Context Values Stored?
      • 9.1.4 Benefits of Using Application Contexts
      • 9.1.5 How Editions Affects Application Context Values
    • 9.2 Types of Application Contexts
    • 9.3 Using Database Session-Based Application Contexts
      • 9.3.1 About Database Session-Based Application Contexts
      • 9.3.2 Components of a Database Session-Based Application Context
      • 9.3.3 Creating Database Session-Based Application Contexts
        • 9.3.3.1 About Creating Database Session-Based Application Contexts
        • 9.3.3.2 Creating a Database Session-Based Application Context
        • 9.3.3.3 Database Session-Based Application Contexts for Multiple Applications
      • 9.3.4 Creating a Package to Set a Database Session-Based Application Context
        • 9.3.4.1 About the Package That Manages the Database Session-Based Application Context
        • 9.3.4.2 Using the SYS_CONTEXT Function to Retrieve Session Information
        • 9.3.4.3 Checking the SYS_CONTEXT Settings
        • 9.3.4.4 Dynamic SQL with SYS_CONTEXT
        • 9.3.4.5 SYS_CONTEXT in a Parallel Query
        • 9.3.4.6 SYS_CONTEXT with Database Links
        • 9.3.4.7 DBMS_SESSION.SET_CONTEXT for Setting Session Information
        • 9.3.4.8 Example: Simple Procedure to Create an Application Context Value
      • 9.3.5 Logon Triggers to Run a Database Session Application Context Package
      • 9.3.6 Example: Creating a Simple Logon Trigger
      • 9.3.7 Example: Creating a Logon Trigger for a Production Environment
      • 9.3.8 Example: Creating a Logon Trigger for a Development Environment
      • 9.3.9 Tutorial: Creating and Using a Database Session-Based Application Context
        • 9.3.9.1 Step 1: Create User Accounts and Ensure the User SCOTT Is Active
        • 9.3.9.2 Step 2: Create the Database Session-Based Application Context
        • 9.3.9.3 Step 3: Create a Package to Retrieve Session Data and Set the Application Context
        • 9.3.9.4 Step 4: Create a Logon Trigger for the Package
        • 9.3.9.5 Step 5: Test the Application Context
        • 9.3.9.6 Step 6: Remove the Components of This Tutorial
      • 9.3.10 Initializing Database Session-Based Application Contexts Externally
        • 9.3.10.1 About Initializing Database Session-Based Application Contexts Externally
        • 9.3.10.2 Default Values from Users
        • 9.3.10.3 Values from Other External Resources
        • 9.3.10.4 Example: Creating an Externalized Database Session-based Application Context
        • 9.3.10.5 Initialization of Application Context Values from a Middle-Tier Server
      • 9.3.11 Initializing Database Session-Based Application Contexts Globally
        • 9.3.11.1 About Initializing Database Session-Based Application Contexts Globally
        • 9.3.11.2 Database Session-Based Application Contexts with LDAP
        • 9.3.11.3 How Globally Initialized Database Session-Based Application Contexts Work
        • 9.3.11.4 Initializing a Database Session-Based Application Context Globally
      • 9.3.12 Externalized Database Session-Based Application Contexts
    • 9.4 Global Application Contexts
      • 9.4.1 About Global Application Contexts
      • 9.4.2 Uses for Global Application Contexts
      • 9.4.3 Components of a Global Application Context
      • 9.4.4 Global Application Contexts in an Oracle Real Application Clusters Environment
      • 9.4.5 Creating Global Application Contexts
        • 9.4.5.1 Ownership of the Global Application Context
        • 9.4.5.2 Creating a Global Application Context
      • 9.4.6 PL/SQL Package to Manage a Global Application Context
        • 9.4.6.1 About the Package That Manages the Global Application Context
        • 9.4.6.2 How Editions Affects the Results of a Global Application Context PL/SQL Package
        • 9.4.6.3 DBMS_SESSION.SET_CONTEXT username and client_id Parameters
        • 9.4.6.4 Sharing Global Application Context Values for All Database Users
        • 9.4.6.5 Example: Package to Manage Global Application Values for All Database Users
        • 9.4.6.6 Global Contexts for Database Users Who Move Between Applications
        • 9.4.6.7 Global Application Context for Nondatabase Users
        • 9.4.6.8 Example: Package to Manage Global Application Context Values for Nondatabase Users
        • 9.4.6.9 Clearing Session Data When the Session Closes
      • 9.4.7 Embedding Calls in Middle-Tier Applications to Manage the Client Session ID
        • 9.4.7.1 About Managing Client Session IDs Using a Middle-Tier Application
        • 9.4.7.2 Step 1: Retrieve the Client Session ID Using a Middle-Tier Application
        • 9.4.7.3 Step 2: Set the Client Session ID Using a Middle-Tier Application
          • 9.4.7.3.1 About Setting the Client Session ID Using a Middle-Tier Application
          • 9.4.7.3.2 Setting the Client Session ID Using a Middle-Tier Application
          • 9.4.7.3.3 Checking the Value of the Client Identifier
        • 9.4.7.4 Step 3: Clear the Session Data Using a Middle-Tier Application
      • 9.4.8 Tutorial: Creating a Global Application Context That Uses a Client Session ID
        • 9.4.8.1 About This Tutorial
        • 9.4.8.2 Step 1: Create User Accounts
        • 9.4.8.3 Step 2: Create the Global Application Context
        • 9.4.8.4 Step 3: Create a Package for the Global Application Context
        • 9.4.8.5 Step 4: Test the Newly Created Global Application Context
        • 9.4.8.6 Step 5: Modify the Session ID and Test the Global Application Context Again
        • 9.4.8.7 Step 6: Remove the Components of This Tutorial
      • 9.4.9 Global Application Context Processes
        • 9.4.9.1 Simple Global Application Context Process
        • 9.4.9.2 Global Application Context Process for Lightweight Users
    • 9.5 Using Client Session-Based Application Contexts
      • 9.5.1 About Client Session-Based Application Contexts
      • 9.5.2 Setting a Value in the CLIENTCONTEXT Namespace
      • 9.5.3 Retrieving the CLIENTCONTEXT Namespace
      • 9.5.4 Example: Retrieving a Client Session ID Value for Client Session-Based Contexts
      • 9.5.5 Clearing a Setting in the CLIENTCONTEXT Namespace
      • 9.5.6 Clearing All Settings in the CLIENTCONTEXT Namespace
    • 9.6 Application Context Data Dictionary Views
  • 10 Using Oracle Virtual Private Database to Control Data Access
    • 10.1 About Oracle Virtual Private Database
      • 10.1.1 What Is Oracle Virtual Private Database?
      • 10.1.2 Benefits of Using Oracle Virtual Private Database Policies
        • 10.1.2.1 Security Policies Based on Database Objects Rather Than Applications
        • 10.1.2.2 Control Over How Oracle Database Evaluates Policy Functions
      • 10.1.3 Who Can Create Oracle Virtual Private Database Policies?
      • 10.1.4 Privileges to Run Oracle Virtual Private Database Policy Functions
      • 10.1.5 Oracle Virtual Private Database Use with an Application Context
      • 10.1.6 Oracle Virtual Private Database in a Multitenant Environment
    • 10.2 Components of an Oracle Virtual Private Database Policy
      • 10.2.1 Function to Generate the Dynamic WHERE Clause
      • 10.2.2 Policies to Attach the Function to the Objects You Want to Protect
    • 10.3 Configuration of Oracle Virtual Private Database Policies
      • 10.3.1 About Oracle Virtual Private Database Policies
      • 10.3.2 Attaching a Policy to a Database Table, View, or Synonym
      • 10.3.3 Example: Attaching a Simple Oracle Virtual Private Database Policy to a Table
      • 10.3.4 Enforcing Policies on Specific SQL Statement Types
      • 10.3.5 Example: Specifying SQL Statement Types with DBMS_RLS.ADD_POLICY
      • 10.3.6 Control of the Display of Column Data with Policies
        • 10.3.6.1 Policies for Column-Level Oracle Virtual Private Database
        • 10.3.6.2 Example: Creating a Column-Level Oracle Virtual Private Database Policy
        • 10.3.6.3 Display of Only the Column Rows Relevant to the Query
        • 10.3.6.4 Column Masking to Display Sensitive Columns as NULL Values
        • 10.3.6.5 Example: Adding Column Masking to an Oracle Virtual Private Database Policy
      • 10.3.7 Oracle Virtual Private Database Policy Groups
        • 10.3.7.1 About Oracle Virtual Private Database Policy Groups
        • 10.3.7.2 Creation of a New Oracle Virtual Private Database Policy Group
        • 10.3.7.3 Default Policy Group with the SYS_DEFAULT Policy Group
        • 10.3.7.4 Multiple Policies for Each Table, View, or Synonym
        • 10.3.7.5 Validation of the Application Used to Connect to the Database
      • 10.3.8 Optimizing Performance by Using Oracle Virtual Private Database Policy Types
        • 10.3.8.1 About Oracle Virtual Private Database Policy Types
        • 10.3.8.2 Dynamic Policy Type to Automatically Rerun Policy Functions
        • 10.3.8.3 Example: Creating a DYNAMIC Policy with DBMS_RLS.ADD_POLICY
        • 10.3.8.4 Static Policy to Prevent Policy Functions from Rerunning for Each Query
        • 10.3.8.5 Example: Creating a Static Policy with DBMS_RLS.ADD_POLICY
        • 10.3.8.6 Example: Shared Static Policy to Share a Policy with Multiple Objects
        • 10.3.8.7 When to Use Static and Shared Static Policies
        • 10.3.8.8 Context-Sensitive Policy for Application Context Attributes That Change
        • 10.3.8.9 Example: Creating a Context-Sensitive Policy with DBMS_RLS.ADD_POLICY
        • 10.3.8.10 Example: Refreshing Cached Statements for a VPD Context-Sensitive Policy
        • 10.3.8.11 Example: Altering an Existing Context-Sensitive Policy
        • 10.3.8.12 Example: Using a Shared Context Sensitive Policy to Share a Policy with Multiple Objects
        • 10.3.8.13 When to Use Context-Sensitive and Shared Context-Sensitive Policies
        • 10.3.8.14 Summary of the Five Oracle Virtual Private Database Policy Types
    • 10.4 Tutorials: Creating Oracle Virtual Private Database Policies
      • 10.4.1 Tutorial: Creating a Simple Oracle Virtual Private Database Policy
        • 10.4.1.1 About This Tutorial
        • 10.4.1.2 Step 1: Ensure That the OE User Account Is Active
        • 10.4.1.3 Step 2: Create a Policy Function
        • 10.4.1.4 Step 3: Create the Oracle Virtual Private Database Policy
        • 10.4.1.5 Step 4: Test the Policy
        • 10.4.1.6 Step 5: Remove the Components of This Tutorial
      • 10.4.2 Tutorial: Implementing a Session-Based Application Context Policy
        • 10.4.2.1 About This Tutorial
        • 10.4.2.2 Step 1: Create User Accounts and Sample Tables
        • 10.4.2.3 Step 2: Create a Database Session-Based Application Context
        • 10.4.2.4 Step 3: Create a PL/SQL Package to Set the Application Context
        • 10.4.2.5 Step 4: Create a Logon Trigger to Run the Application Context PL/SQL Package
        • 10.4.2.6 Step 5: Test the Logon Trigger
        • 10.4.2.7 Step 6: Create a PL/SQL Policy Function to Limit User Access to Their Orders
        • 10.4.2.8 Step 7: Create the New Security Policy
        • 10.4.2.9 Step 8: Test the New Policy
        • 10.4.2.10 Step 9: Remove the Components of This Tutorial
      • 10.4.3 Tutorial: Implementing an Oracle Virtual Private Database Policy Group
        • 10.4.3.1 About This Tutorial
        • 10.4.3.2 Step 1: Create User Accounts and Other Components for This Tutorial
        • 10.4.3.3 Step 2: Create the Two Policy Groups
        • 10.4.3.4 Step 3: Create PL/SQL Functions to Control the Policy Groups
        • 10.4.3.5 Step 4: Create the Driving Application Context
        • 10.4.3.6 Step 5: Add the PL/SQL Functions to the Policy Groups
        • 10.4.3.7 Step 6: Test the Policy Groups
        • 10.4.3.8 Step 7: Remove the Components of This Tutorial
    • 10.5 How Oracle Virtual Private Database Works with Other Oracle Features
      • 10.5.1 Oracle Virtual Private Database Policies with Editions
      • 10.5.2 SELECT FOR UPDATE Statement in User Queries on VPD-Protected Tables
      • 10.5.3 Oracle Virtual Private Database Policies and Outer or ANSI Joins
      • 10.5.4 Oracle Virtual Private Database Security Policies and Applications
      • 10.5.5 Automatic Reparsing for Fine-Grained Access Control Policies Functions
      • 10.5.6 Oracle Virtual Private Database Policies and Flashback Queries
      • 10.5.7 Oracle Virtual Private Database and Oracle Label Security
        • 10.5.7.1 Using Oracle Virtual Private Database to Enforce Oracle Label Security Policies
        • 10.5.7.2 Oracle Virtual Private Database and Oracle Label Security Exceptions
      • 10.5.8 Export of Data Using the EXPDP Utility access_method Parameter
      • 10.5.9 User Models and Oracle Virtual Private Database
    • 10.6 Oracle Virtual Private Database Data Dictionary Views
  • 11 Using Transparent Sensitive Data Protection
    • 11.1 About Transparent Sensitive Data Protection
    • 11.2 General Steps for Using Transparent Sensitive Data Protection
    • 11.3 Use Cases for Transparent Sensitive Data Protection Policies
    • 11.4 Privileges Required for Using Transparent Sensitive Data Protection
    • 11.5 How a Multitenant Environment Affects Transparent Sensitive Data Protection
    • 11.6 Creating Transparent Sensitive Data Protection Policies
      • 11.6.1 Step 1: Create a Sensitive Type
      • 11.6.2 Step 2: Identify the Sensitive Columns to Protect
      • 11.6.3 Step 3: Import the Sensitive Columns List from ADM into Your Database
      • 11.6.4 Step 4: Create the Transparent Sensitive Data Protection Policy
        • 11.6.4.1 About Creating the Transparent Sensitive Data Protection Policy
        • 11.6.4.2 Creating the Transparent Sensitive Data Protection Policy
        • 11.6.4.3 Setting the Oracle Data Redaction or Virtual Private Database Feature Options
        • 11.6.4.4 Setting Conditions for the Transparent Sensitive Data Protection Policy
        • 11.6.4.5 Specifying the DBMS_TSDP_PROTECT.ADD_POLICY Procedure
      • 11.6.5 Step 5: Associate the Policy with a Sensitive Type
      • 11.6.6 Step 6: Enable the Transparent Sensitive Data Protection Policy
        • 11.6.6.1 Enabling Protection for the Current Database in a Protected Source
        • 11.6.6.2 Enabling Protection for a Specific Table Column
        • 11.6.6.3 Enabling Protection for a Specific Column Type
      • 11.6.7 Step 7: Optionally, Export the Policy to Other Databases
    • 11.7 Altering Transparent Sensitive Data Protection Policies
    • 11.8 Disabling Transparent Sensitive Data Protection Policies
    • 11.9 Dropping Transparent Sensitive Data Protection Policies
    • 11.10 Using the Predefined REDACT_AUDIT Policy to Mask Bind Values
      • 11.10.1 About the REDACT_AUDIT Policy
      • 11.10.2 Variables Associated with Sensitive Columns
        • 11.10.2.1 About Variables Associated with Sensitive Columns
        • 11.10.2.2 Bind Variables and Sensitive Columns in the Expressions of Conditions
        • 11.10.2.3 A Bind Variable and a Sensitive Column Appearing in the Same SELECT Item
        • 11.10.2.4 Bind Variables in Expressions Assigned to Sensitive Columns in INSERT or UPDATE Operations
      • 11.10.3 How Bind Variables on Sensitive Columns Behave with Views
      • 11.10.4 Disabling the REDACT_AUDIT Policy
      • 11.10.5 Enabling the REDACT_AUDIT Policy
    • 11.11 Transparent Sensitive Data Protection Policies with Data Redaction
    • 11.12 Using Transparent Sensitive Data Protection Policies with Oracle VPD Policies
      • 11.12.1 About Using TSDP Policies with Oracle Virtual Private Database Policies
      • 11.12.2 DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies
      • 11.12.3 Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection
        • 11.12.3.1 Step 1: Create the hr_appuser User Account
        • 11.12.3.2 Step 2: Identify the Sensitive Columns
        • 11.12.3.3 Step 3: Create an Oracle Virtual Private Database Function
        • 11.12.3.4 Step 4: Create and Enable a Transparent Sensitive Data Protection Policy
        • 11.12.3.5 Step 5: Test the Transparent Sensitive Data Protection Policy
        • 11.12.3.6 Step 6: Remove the Components of This Tutorial
    • 11.13 Using Transparent Sensitive Data Protection Policies with Unified Auditing
      • 11.13.1 About Using TSDP Policies with Unified Audit Policies
      • 11.13.2 Unified Audit Policy Settings That Are Used with TSDP Policies
    • 11.14 Using Transparent Sensitive Data Protection Policies with Fine-Grained Auditing
      • 11.14.1 About Using TSDP Policies with Fine-Grained Auditing
      • 11.14.2 Fine-Grained Auditing Parameters That Are Used with TSDP Policies
    • 11.15 Using Transparent Sensitive Data Protection Policies with TDE Column Encryption
      • 11.15.1 About Using TSDP Policies with TDE Column Encryption
      • 11.15.2 TDE Column Encryption ENCRYPT Clause Settings Used with TSDP Policies
    • 11.16 Transparent Sensitive Data Protection Data Dictionary Views
  • 12 Manually Encrypting Data
    • 12.1 Security Problems That Encryption Does Not Solve
      • 12.1.1 Principle 1: Encryption Does Not Solve Access Control Problems
      • 12.1.2 Principle 2: Encryption Does Not Protect Against a Malicious Administrator
      • 12.1.3 Principle 3: Encrypting Everything Does Not Make Data Secure
    • 12.2 Data Encryption Challenges
      • 12.2.1 Encrypted Indexed Data
      • 12.2.2 Generated Encryption Keys
      • 12.2.3 Transmitted Encryption Keys
      • 12.2.4 Storing Encryption Keys
        • 12.2.4.1 About Storing Encryption Keys
        • 12.2.4.2 Storage of Encryption Keys in the Database
        • 12.2.4.3 Storage of Encryption Keys in the Operating System
        • 12.2.4.4 Users Managing Their Own Encryption Keys
        • 12.2.4.5 Manual Encryption with Transparent Database Encryption and Tablespace Encryption
      • 12.2.5 Importance of Changing Encryption Keys
      • 12.2.6 Encryption of Binary Large Objects
    • 12.3 Data Encryption Storage with the DBMS_CRYPTO Package
    • 12.4 Using Ciphertexts Encrypted in OFB Mode in Oracle Database Release 11g
    • 12.5 Examples of Using the Data Encryption API
      • 12.5.1 Example: Data Encryption Procedure
      • 12.5.2 Example: AES 256-Bit Data Encryption and Decryption Procedures
      • 12.5.3 Example: Encryption and Decryption Procedures for BLOB Data
    • 12.6 Data Dictionary Views for Encrypted Data
• Part IV Securing Data on the Network
  • 13 Configuring Oracle Database Native Network Encryption and Data Integrity
    • 13.1 About Oracle Database Native Network Encryption and Data Integrity
      • 13.1.1 How Oracle Database Native Network Encryption and Integrity Works
      • 13.1.2 Advanced Encryption Standard
      • 13.1.3 ARIA
      • 13.1.4 GOST
      • 13.1.5 SEED
      • 13.1.6 Triple-DES Encryption
      • 13.1.7 Choosing Between Native Network Encryption and Transport Layer Security
    • 13.2 Oracle Database Native Network Encryption Data Integrity
    • 13.3 Improving Native Network Encryption Security
      • 13.3.1 About Improving Native Network Encryption Security
      • 13.3.2 Applying Security Improvement Updates to Native Network Encryption
    • 13.4 Data Integrity Algorithms Support
    • 13.5 Diffie-Hellman Based Key Negotiation
    • 13.6 Configuration of Data Encryption and Integrity
      • 13.6.1 About Activating Encryption and Integrity
      • 13.6.2 About Negotiating Encryption and Integrity
        • 13.6.2.1 About the Values for Negotiating Encryption and Integrity
        • 13.6.2.2 REJECTED Configuration Parameter
        • 13.6.2.3 ACCEPTED Configuration Parameter
        • 13.6.2.4 REQUESTED Configuration Parameter
        • 13.6.2.5 REQUIRED Configuration Parameter
      • 13.6.3 Configuring Encryption and Integrity Parameters Using Oracle Net Manager
        • 13.6.3.1 Configuring Encryption on the Client and the Server
        • 13.6.3.2 Configuring Integrity on the Client and the Server
  • 14 Configuring the Thin JDBC Client Network
    • 14.1 About the Java Implementation
    • 14.2 Java Database Connectivity Support
    • 14.3 Thin JDBC Features
    • 14.4 Implementation Overview
    • 14.5 Obfuscation of the Java Cryptography Code
    • 14.6 Configuration Parameters for the Thin JDBC Network Implementation
      • 14.6.1 About the Thin JDBC Network Implementation Configuration Parameters
      • 14.6.2 Client Encryption Level Parameter
      • 14.6.3 Client Encryption Selected List Parameter
      • 14.6.4 Client Integrity Level Parameter
      • 14.6.5 Client Integrity Selected List Parameter
      • 14.6.6 Client Authentication Service Parameter
      • 14.6.7 AnoServices Constants
• Part V Managing Strong Authentication
  • 15 Introduction to Strong Authentication
    • 15.1 What Is Strong Authentication?
    • 15.2 Centralized Authentication and Single Sign-On
    • 15.3 How Centralized Network Authentication Works
    • 15.4 Supported Strong Authentication Methods
      • 15.4.1 About Kerberos
      • 15.4.2 About Remote Authentication Dial-In User Service (RADIUS)
      • 15.4.3 About Secure Sockets Layer
    • 15.5 Oracle Database Native Network Encryption/Strong Authentication Architecture
    • 15.6 System Requirements for Strong Authentication
    • 15.7 Oracle Database Native Network Encryption and Strong Authentication Restrictions
  • 16 Strong Authentication Administration Tools
    • 16.1 About the Configuration and Administration Tools
    • 16.2 Native Network Encryption and Strong Authentication Configuration Tools
      • 16.2.1 About Oracle Net Manager
      • 16.2.2 Kerberos Adapter Command-Line Utilities
    • 16.3 Public Key Infrastructure Credentials Management Tools
      • 16.3.1 About Oracle Wallet Manager
      • 16.3.2 About the orapki Utility
    • 16.4 Duties of Strong Authentication Administrators
  • 17 Configuring Kerberos Authentication
    • 17.1 Enabling Kerberos Authentication
      • 17.1.1 Step 1: Install Kerberos
      • 17.1.2 Step 2: Configure a Service Principal for an Oracle Database Server
      • 17.1.3 Step 3: Extract a Service Key Table from Kerberos
      • 17.1.4 Step 4: Install an Oracle Database Server and an Oracle Client
      • 17.1.5 Step 5: Configure Oracle Net Services and Oracle Database
      • 17.1.6 Step 6: Configure Kerberos Authentication
        • 17.1.6.1 Step 6A: Configure Kerberos on the Client and on the Database Server
        • 17.1.6.2 Step 6B: Set the Initialization Parameters
        • 17.1.6.3 Step 6C: Set sqlnet.ora Parameters (Optional)
      • 17.1.7 Step 7: Create a Kerberos User
      • 17.1.8 Step 8: Create an Externally Authenticated Oracle User
      • 17.1.9 Step 9: Get an Initial Ticket for the Kerberos/Oracle User
    • 17.2 Utilities for the Kerberos Authentication Adapter
      • 17.2.1 okinit Utility Options for Obtaining the Initial Ticket
      • 17.2.2 oklist Utility Options for Displaying Credentials
      • 17.2.3 okdstry Utility Options for Removing Credentials from the Cache File
      • 17.2.4 okcreate Utility Options for Automatic Keytab Creation
    • 17.3 Connecting to an Oracle Database Server Authenticated by Kerberos
    • 17.4 Configuring Interoperability with a Windows 2008 Domain Controller KDC
      • 17.4.1 About Configuring Interoperability with a Windows 2008 Domain Controller KDC
      • 17.4.2 Step 1: Configure Oracle Kerberos Client for Windows 2008 Domain Controller
        • 17.4.2.1 Step 1A: Create the Client Kerberos Configuration Files
        • 17.4.2.2 Step 1B: Specify the Oracle Configuration Parameters in the sqlnet.ora File
        • 17.4.2.3 Step 1C: Specify the Listening Port Number
      • 17.4.3 Step 2: Configure a Windows 2008 Domain Controller KDC for the Oracle Client
        • 17.4.3.1 Step 2A: Create the User Account
        • 17.4.3.2 Step 2B: Create the Oracle Database Principal User Account and Keytab
      • 17.4.4 Step 3: Configure Oracle Database for a Windows 2008 Domain Controller KDC
        • 17.4.4.1 Step 3A: Set Configuration Parameters in the sqlnet.ora File
        • 17.4.4.2 Step 3B: Create an Externally Authenticated Oracle User
      • 17.4.5 Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User
    • 17.5 Configuring Kerberos Authentication Fallback Behavior
    • 17.6 Troubleshooting the Oracle Kerberos Authentication Configuration
  • 18 Configuring Secure Sockets Layer Authentication
    • 18.1 Secure Sockets Layer and Transport Layer Security
      • 18.1.1 The Difference Between Secure Sockets Layer and Transport Layer Security
      • 18.1.2 Using Transport Layer Security in a Multitenant Environment
    • 18.2 How Oracle Database Uses Secure Sockets Layer for Authentication
    • 18.3 How Secure Sockets Layer Works in an Oracle Environment: The SSL Handshake
    • 18.4 Public Key Infrastructure in an Oracle Environment
      • 18.4.1 About Public Key Cryptography
      • 18.4.2 Public Key Infrastructure Components in an Oracle Environment
        • 18.4.2.1 Certificate Authority
        • 18.4.2.2 Certificates
        • 18.4.2.3 Certificate Revocation Lists
        • 18.4.2.4 Wallets
        • 18.4.2.5 Hardware Security Modules
    • 18.5 Secure Sockets Layer Combined with Other Authentication Methods
      • 18.5.1 Architecture: Oracle Database and Secure Sockets Layer
      • 18.5.2 How Secure Sockets Layer Works with Other Authentication Methods
    • 18.6 Secure Sockets Layer and Firewalls
    • 18.7 Secure Sockets Layer Usage Issues
    • 18.8 Enabling Secure Sockets Layer
      • 18.8.1 Step 1: Configure Secure Sockets Layer on the Server
        • 18.8.1.1 Step 1A: Confirm Wallet Creation on the Server
        • 18.8.1.2 Step 1B: Specify the Database Wallet Location on the Server
        • 18.8.1.3 Step 1C: Set the Secure Sockets Layer Cipher Suites on the Server (Optional)
          • 18.8.1.3.1 About the Secure Sockets Layer Cipher Suites
          • 18.8.1.3.2 SSL Cipher Suite Authentication, Encryption, Integrity, and TLS Versions
          • 18.8.1.3.3 Specifying Secure Sockets Cipher Suites for the Database Server
        • 18.8.1.4 Step 1D: Set the Required Secure Sockets Layer Version on the Server (Optional)
        • 18.8.1.5 Step 1E: Set SSL Client Authentication on the Server (Optional)
        • 18.8.1.6 Step 1F: Set SSL as an Authentication Service on the Server (Optional)
        • 18.8.1.7 Step 1G: Create a Listening Endpoint that Uses TCP/IP with SSL on the Server
      • 18.8.2 Step 2: Configure Secure Sockets Layer on the Client
        • 18.8.2.1 Step 2A: Confirm Client Wallet Creation
        • 18.8.2.2 Step 2B: Configure the Server DNs and Use TCP/IP with SSL on the Client
          • 18.8.2.2.1 About Configuring the Server DNS and Using TCP/IP with SSL on the Client
          • 18.8.2.2.2 Configuring the Server DNS and Using TCP/IP with SSL on the Client
        • 18.8.2.3 Step 2C: Specify Required Client SSL Configuration (Wallet Location)
        • 18.8.2.4 Step 2D: Set the Client Secure Sockets Layer Cipher Suites (Optional)
          • 18.8.2.4.1 About Setting the Client Secure Sockets Layer Cipher Suites
          • 18.8.2.4.2 Setting the Client Secure Sockets Layer Cipher Suites
        • 18.8.2.5 Step 2E: Set the Required SSL Version on the Client (Optional)
        • 18.8.2.6 Step 2F: Set SSL as an Authentication Service on the Client (Optional)
          • 18.8.2.6.1 About the SQLNET.AUTHENTICATION_SERVICES Parameter
          • 18.8.2.6.2 Setting the SQLNET.AUTHENTICATION_SERVICES Parameter
        • 18.8.2.7 Step 2G: Specify the Certificate to Use for Authentication on the Client (Optional)
          • 18.8.2.7.1 About the SQLNET.SSL_EXTENDED_KEY_USAGE Parameter
          • 18.8.2.7.2 Setting the SQLNET.SSL_EXTENDED_KEY_USAGE Parameter
      • 18.8.3 Step 3: Log in to the Database Instance
    • 18.9 Troubleshooting the Secure Sockets Layer Configuration
    • 18.10 Certificate Validation with Certificate Revocation Lists
      • 18.10.1 About Certificate Validation with Certificate Revocation Lists
      • 18.10.2 What CRLs Should You Use?
      • 18.10.3 How CRL Checking Works
      • 18.10.4 Configuring Certificate Validation with Certificate Revocation Lists
        • 18.10.4.1 About Configuring Certificate Validation with Certificate Revocation Lists
        • 18.10.4.2 Enabling Certificate Revocation Status Checking for the Client or Server
        • 18.10.4.3 Disabling Certificate Revocation Status Checking
      • 18.10.5 Certificate Revocation List Management
        • 18.10.5.1 About Certificate Revocation List Management
        • 18.10.5.2 Displaying orapki Help for Commands That Manage CRLs
        • 18.10.5.3 Renaming CRLs with a Hash Value for Certificate Validation
        • 18.10.5.4 Uploading CRLs to Oracle Internet Directory
        • 18.10.5.5 Listing CRLs Stored in Oracle Internet Directory
        • 18.10.5.6 Viewing CRLs in Oracle Internet Directory
        • 18.10.5.7 Deleting CRLs from Oracle Internet Directory
      • 18.10.6 Troubleshooting CRL Certificate Validation
      • 18.10.7 Oracle Net Tracing File Error Messages Associated with Certificate Validation
    • 18.11 Configuring Your System to Use Hardware Security Modules
      • 18.11.1 General Guidelines for Using Hardware Security Modules for SSL
      • 18.11.2 Configuring Your System to Use nCipher Hardware Security Modules
        • 18.11.2.1 About Configuring Your System to Use nCipher Hardware Security Modules
        • 18.11.2.2 Oracle Components Required To Use an nCipher Hardware Security Module
        • 18.11.2.3 Directory Path Requirements for Installing an nCipher Hardware Security Module
      • 18.11.3 Configuring Your System to Use SafeNET Hardware Security Modules
        • 18.11.3.1 About Configuring Your System to Use SafeNET Hardware Security Modules
        • 18.11.3.2 Oracle Components Required for SafeNET Luna SA Hardware Security Modules
        • 18.11.3.3 Directory Path Requirements for Installing a SafeNET Hardware Security Module
      • 18.11.4 Troubleshooting Using Hardware Security Modules
        • 18.11.4.1 Errors in the Oracle Net Trace Files
        • 18.11.4.2 Error Messages Associated with Using Hardware Security Modules
  • 19 Configuring RADIUS Authentication
    • 19.1 About Configuring RADIUS Authentication
    • 19.2 RADIUS Components
    • 19.3 RADIUS Authentication Modes
      • 19.3.1 Synchronous Authentication Mode
        • 19.3.1.1 Sequence for Synchronous Authentication Mode
        • 19.3.1.2 Example: Synchronous Authentication with SecurID Token Cards
      • 19.3.2 Challenge-Response (Asynchronous) Authentication Mode
        • 19.3.2.1 Sequence for Challenge-Response (Asynchronous) Authentication Mode
        • 19.3.2.2 Example: Asynchronous Authentication with Smart Cards
        • 19.3.2.3 Example: Asynchronous Authentication with ActivCard Tokens
    • 19.4 Enabling RADIUS Authentication, Authorization, and Accounting
      • 19.4.1 Step 1: Configure RADIUS Authentication
        • 19.4.1.1 Step 1A: Configure RADIUS on the Oracle Client
        • 19.4.1.2 Step 1B: Configure RADIUS on the Oracle Database Server
          • 19.4.1.2.1 Step 1B (1): Create the RADIUS Secret Key File on the Oracle Database Server
          • 19.4.1.2.2 Step 1B (2): Configure RADIUS Parameters on the Server (sqlnet.ora file)
          • 19.4.1.2.3 Step 1B (3): Set Oracle Database Server Initialization Parameters
        • 19.4.1.3 Step 1C: Configure Additional RADIUS Features
          • 19.4.1.3.1 Step 1C(1): Change Default Settings
          • 19.4.1.3.2 Step 1C(2): Configure Challenge-Response Mode
          • 19.4.1.3.3 Step 1C(3): Set Parameters for an Alternate RADIUS Server
      • 19.4.2 Step 2: Create a User and Grant Access
      • 19.4.3 Step 3: Configure External RADIUS Authorization (Optional)
        • 19.4.3.1 Step 3A: Configure the Oracle Server (RADIUS Client)
        • 19.4.3.2 Step 3B: Configure the Oracle Client Where Users Log In
        • 19.4.3.3 Step 3C: Configure the RADIUS Server
      • 19.4.4 Step 4: Configure RADIUS Accounting
        • 19.4.4.1 Step 4A: Set RADIUS Accounting on the Oracle Database Server
        • 19.4.4.2 Step 4B: Configure the RADIUS Accounting Server
      • 19.4.5 Step 5: Add the RADIUS Client Name to the RADIUS Server Database
      • 19.4.6 Step 6: Configure the Authentication Server for Use with RADIUS
      • 19.4.7 Step 7: Configure the RADIUS Server for Use with the Authentication Server
      • 19.4.8 Step 8: Configure Mapping Roles
    • 19.5 Using RADIUS to Log in to a Database
    • 19.6 RSA ACE/Server Configuration Checklist
  • 20 Customizing the Use of Strong Authentication
    • 20.1 Connecting to a Database Using Strong Authentication
    • 20.2 Disabling Strong Authentication and Native Network Encryption
    • 20.3 Configuring Multiple Authentication Methods
    • 20.4 Configuring Oracle Database for External Authentication
      • 20.4.1 Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
      • 20.4.2 Setting OS_AUTHENT_PREFIX to a Null Value
• Part VI Monitoring Database Activity with Auditing
  • 21 Introduction to Auditing
    • 21.1 What Is Auditing?
    • 21.2 Why Is Auditing Used?
    • 21.3 Best Practices for Auditing
    • 21.4 What Is Unified Auditing?
    • 21.5 Benefits of the Unified Audit Trail
    • 21.6 Checking if Your Database Has Migrated to Unified Auditing
    • 21.7 Mixed Mode Auditing
      • 21.7.1 About Mixed Mode Auditing
      • 21.7.2 Enablement of Unified Auditing
      • 21.7.3 How Database Creation Determines the Type of Auditing You Have Enabled
      • 21.7.4 Capabilities of Mixed Mode Auditing
    • 21.8 Who Can Perform Auditing?
    • 21.9 Auditing in a Multitenant Environment
    • 21.10 Auditing in a Distributed Database
  • 22 Configuring Audit Policies
    • 22.1 Selecting an Auditing Type
      • 22.1.1 Auditing SQL Statements, Privileges, and Other General Activities
      • 22.1.2 Auditing Commonly Used Security-Relevant Activities
      • 22.1.3 Auditing Specific, Fine-Grained Activities
    • 22.2 Auditing Activities with Unified Audit Policies and the AUDIT Statement
      • 22.2.1 About Auditing Activities with Unified Audit Policies and AUDIT
      • 22.2.2 Best Practices for Creating Unified Audit Policies
      • 22.2.3 Syntax for Creating a Unified Audit Policy
      • 22.2.4 Auditing Roles
        • 22.2.4.1 About Role Auditing
        • 22.2.4.2 Configuring Role Unified Audit Policies
        • 22.2.4.3 Example: Auditing the DBA Role in a Multitenant Environment
      • 22.2.5 Auditing System Privileges
        • 22.2.5.1 About System Privilege Auditing
        • 22.2.5.2 System Privileges That Can Be Audited
        • 22.2.5.3 System Privileges That Cannot Be Audited
        • 22.2.5.4 Configuring a Unified Audit Policy to Capture System Privilege Use
        • 22.2.5.5 Example: Auditing a User Who Has ANY Privileges
        • 22.2.5.6 Example: Using a Condition to Audit a System Privilege
        • 22.2.5.7 How System Privilege Unified Audit Policies Appear in the Audit Trail
      • 22.2.6 Auditing Administrative Users
        • 22.2.6.1 Administrative User Accounts That Can Be Audited
        • 22.2.6.2 Configuring a Unified Audit Policy to Capture Administrator Activities
        • 22.2.6.3 Example: Auditing the SYS User
      • 22.2.7 Auditing Object Actions
        • 22.2.7.1 About Auditing Object Actions
        • 22.2.7.2 Object Actions That Can Be Audited
        • 22.2.7.3 Configuring an Object Action Unified Audit Policy
        • 22.2.7.4 Example: Auditing Actions on SYS Objects
        • 22.2.7.5 Example: Auditing Multiple Actions on One Object
        • 22.2.7.6 Example: Auditing Both Actions and Privileges on an Object
        • 22.2.7.7 Example: Auditing All Actions on a Table
        • 22.2.7.8 Example: Auditing All Actions in the Database
        • 22.2.7.9 How Object Action Unified Audit Policies Appear in the Audit Trail
        • 22.2.7.10 Auditing Functions, Procedures, Packages, and Triggers
        • 22.2.7.11 Auditing of Oracle Virtual Private Database Predicates
        • 22.2.7.12 Audit Policies for Oracle Virtual Private Database Policy Functions
        • 22.2.7.13 Unified Auditing with Editioned Objects
      • 22.2.8 Auditing the READ ANY TABLE and SELECT ANY TABLE Privileges
        • 22.2.8.1 About Auditing the READ ANY TABLE and SELECT ANY TABLE Privileges
        • 22.2.8.2 Creating a Unified Audit Policy to Capture READ Object Privilege Operations
        • 22.2.8.3 How the Unified Audit Trail Captures READ ANY TABLE and SELECT ANY TABLE
      • 22.2.9 Auditing SQL Statements and Privileges in a Multitier Environment
      • 22.2.10 Creating a Condition for a Unified Audit Policy
        • 22.2.10.1 About Conditions in Unified Audit Policies
        • 22.2.10.2 Configuring a Unified Audit Policy with a Condition
        • 22.2.10.3 Example: Auditing Access to SQL*Plus
        • 22.2.10.4 Example: Auditing Actions Not in Specific Hosts
        • 22.2.10.5 Example: Auditing Both a System-Wide and a Schema-Specific Action
        • 22.2.10.6 Example: Auditing a Condition Per Statement Occurrence
        • 22.2.10.7 Example: Unified Audit Session ID of a Current Administrative User Session
        • 22.2.10.8 Example: Unified Audit Session ID of a Current Non-Administrative User Session
        • 22.2.10.9 How Audit Records from Conditions Appear in the Audit Trail
      • 22.2.11 Auditing Application Context Values
        • 22.2.11.1 About Auditing Application Context Values
        • 22.2.11.2 Configuring Application Context Audit Settings
        • 22.2.11.3 Disabling Application Context Audit Settings
        • 22.2.11.4 Example: Auditing Application Context Values in a Default Database
        • 22.2.11.5 Example: Auditing Application Context Values from Oracle Label Security
        • 22.2.11.6 How Audited Application Contexts Appear in the Audit Trail
      • 22.2.12 Auditing Oracle Database Real Application Security Events
        • 22.2.12.1 About Auditing Oracle Database Real Application Security Events
        • 22.2.12.2 Oracle Database Real Application Security Auditable Events
        • 22.2.12.3 Oracle Database Real Application Security User, Privilege, and Role Audit Events
        • 22.2.12.4 Oracle Database Real Application Security Security Class and ACL Audit Events
        • 22.2.12.5 Oracle Database Real Application Security Session Audit Events
        • 22.2.12.6 Oracle Database Real Application Security ALL Events
        • 22.2.12.7 Configuring a Unified Audit Policy for Oracle Database Real Application Security
        • 22.2.12.8 Example: Auditing Real Application Security User Account Modifications
        • 22.2.12.9 Example: Using a Condition in a Real Application Security Unified Audit Policy
        • 22.2.12.10 How Oracle Database Real Application Security Events Appear in the Audit Trail
      • 22.2.13 Auditing Oracle Recovery Manager Events
        • 22.2.13.1 About Auditing Oracle Recovery Manager Events
        • 22.2.13.2 Oracle Recovery Manager Unified Audit Trail Events
        • 22.2.13.3 How Oracle Recovery Manager Audited Events Appear in the Audit Trail
      • 22.2.14 Auditing Oracle Database Vault Events
        • 22.2.14.1 About Auditing Oracle Database Vault Events
        • 22.2.14.2 Who Is Audited in Oracle Database Vault?
        • 22.2.14.3 About Oracle Database Vault Unified Audit Trail Events
        • 22.2.14.4 Oracle Database Vault Realm Audit Events
        • 22.2.14.5 Oracle Database Vault Rule Set and Rule Audit Events
        • 22.2.14.6 Oracle Database Vault Command Rule Audit Events
        • 22.2.14.7 Oracle Database Vault Factor Audit Events
        • 22.2.14.8 Oracle Database Vault Secure Application Role Audit Events
        • 22.2.14.9 Oracle Database Vault Oracle Label Security Audit Events
        • 22.2.14.10 Oracle Database Vault Oracle Data Pump Audit Events
        • 22.2.14.11 Oracle Database Vault Enable and Disable Audit Events
        • 22.2.14.12 Configuring a Unified Audit Policy for Oracle Database Vault
        • 22.2.14.13 Example: Auditing an Oracle Database Vault Realm
        • 22.2.14.14 Example: Auditing an Oracle Database Vault Rule Set
        • 22.2.14.15 Example: Auditing Two Oracle Database Vault Events
        • 22.2.14.16 Example: Auditing Oracle Database Vault Factors
        • 22.2.14.17 How Oracle Database Vault Audited Events Appear in the Audit Trail
      • 22.2.15 Auditing Oracle Label Security Events
        • 22.2.15.1 About Auditing Oracle Label Security Events
        • 22.2.15.2 Oracle Label Security Unified Audit Trail Events
        • 22.2.15.3 Oracle Label Security Auditable User Session Labels
        • 22.2.15.4 Configuring a Unified Audit Policy for Oracle Label Security
        • 22.2.15.5 Example: Auditing Oracle Label Security Session Label Attributes
        • 22.2.15.6 Example: Excluding a User from an Oracle Label Security Policy
        • 22.2.15.7 Example: Auditing Oracle Label Security Policy Actions
        • 22.2.15.8 Example: Querying for Audited OLS Session Labels
        • 22.2.15.9 How Oracle Label Security Audit Events Appear in the Audit Trail
      • 22.2.16 Auditing Oracle Data Mining Events
        • 22.2.16.1 About Auditing Oracle Data Mining Events
        • 22.2.16.2 Oracle Data Mining Unified Audit Trail Events
        • 22.2.16.3 Configuring a Unified Audit Policy for Oracle Data Mining
        • 22.2.16.4 Example: Auditing Multiple Oracle Data Mining Operations by a User
        • 22.2.16.5 Example: Auditing All Failed Oracle Data Mining Operations by a User
        • 22.2.16.6 How Oracle Data Mining Events Appear in the Audit Trail
      • 22.2.17 Auditing Oracle Data Pump Events
        • 22.2.17.1 About Auditing Oracle Data Pump Events
        • 22.2.17.2 Oracle Data Pump Unified Audit Trail Events
        • 22.2.17.3 Configuring a Unified Audit Policy for Oracle Data Pump
        • 22.2.17.4 Example: Auditing Oracle Data Pump Import Operations
        • 22.2.17.5 Example: Auditing All Oracle Data Pump Operations
        • 22.2.17.6 How Oracle Data Pump Audited Events Appear in the Audit Trail
      • 22.2.18 Auditing Oracle SQL*Loader Direct Load Path Events
        • 22.2.18.1 About Auditing in Oracle SQL*Loader Direct Path Load Events
        • 22.2.18.2 Oracle SQL*Loader Direct Load Path Unified Audit Trail Events
        • 22.2.18.3 Configuring a Unified Audit Trail Policy for Oracle SQL*Loader Direct Path Events
        • 22.2.18.4 Example: Auditing Oracle SQL*Loader Direct Path Load Operations
        • 22.2.18.5 How SQL*Loader Direct Path Load Audited Events Appear in the Audit Trail
      • 22.2.19 Auditing Only Top-Level Statements
        • 22.2.19.1 About Auditing Only Top-Level SQL Statements
        • 22.2.19.2 Configuring a Unified Audit Policy to Capture Only Top-Level Statements
        • 22.2.19.3 Example: Auditing Top-Level Statements
        • 22.2.19.4 How the Unified Audit Trail Captures Top-Level SQL Statements
      • 22.2.20 Unified Audit Policies or AUDIT Settings in a Multitenant Environment
        • 22.2.20.1 About Local, CDB Common, and Application Common Audit Policies
        • 22.2.20.2 Traditional Auditing in a Multitenant Environment
        • 22.2.20.3 Configuring a Local Unified Audit Policy or Common Unified Audit Policy
        • 22.2.20.4 Example: Local Unified Audit Policy
        • 22.2.20.5 Example: CDB Common Unified Audit Policy
        • 22.2.20.6 Example: Application Common Unified Audit Policy
        • 22.2.20.7 How Local or Common Audit Policies or Settings Appear in the Audit Trail
      • 22.2.21 Altering Unified Audit Policies
        • 22.2.21.1 About Altering Unified Audit Policies
        • 22.2.21.2 Altering a Unified Audit Policy
        • 22.2.21.3 Example: Altering a Condition in a Unified Audit Policy
        • 22.2.21.4 Example: Altering an Oracle Label Security Component in a Unified Audit Policy
        • 22.2.21.5 Example: Altering Roles in a Unified Audit Policy
        • 22.2.21.6 Example: Dropping a Condition from a Unified Audit Policy
      • 22.2.22 Enabling and Applying Unified Audit Policies to Users and Roles
        • 22.2.22.1 About Enabling Unified Audit Policies
        • 22.2.22.2 Enabling a Unified Audit Policy
        • 22.2.22.3 Example: Enabling a Unified Audit Policy
      • 22.2.23 Disabling Unified Audit Policies
        • 22.2.23.1 About Disabling Unified Audit Policies
        • 22.2.23.2 Disabling a Unified Audit Policy
        • 22.2.23.3 Example: Disabling a Unified Audit Policy
      • 22.2.24 Dropping Unified Audit Policies
        • 22.2.24.1 About Dropping Unified Audit Policies
        • 22.2.24.2 Dropping a Unified Audit Policy
        • 22.2.24.3 Example: Disabling and Dropping a Unified Audit Policy
      • 22.2.25 Tutorial: Auditing Nondatabase Users
        • 22.2.25.1 Step 1: Create the User Accounts and Ensure the User OE Is Active
        • 22.2.25.2 Step 2: Create the Unified Audit Policy
        • 22.2.25.3 Step 3: Test the Policy
        • 22.2.25.4 Step 4: Remove the Components of This Tutorial
    • 22.3 Auditing Activities with the Predefined Unified Audit Policies
      • 22.3.1 Logon Failures Predefined Unified Audit Policy
      • 22.3.2 Secure Options Predefined Unified Audit Policy
      • 22.3.3 Oracle Database Parameter Changes Predefined Unified Audit Policy
      • 22.3.4 User Account and Privilege Management Predefined Unified Audit Policy
      • 22.3.5 Center for Internet Security Recommendations Predefined Unified Audit Policy
      • 22.3.6 Oracle Database Real Application Security Predefined Audit Policies
        • 22.3.6.1 System Administrator Operations Predefined Unified Audit Policy
        • 22.3.6.2 Session Operations Predefined Unified Audit Policy
      • 22.3.7 Oracle Database Vault Predefined Unified Audit Policy for DVSYS and LBACSYS Schemas
      • 22.3.8 Oracle Database Vault Predefined Unified Audit Policy for Default Realms and Command Rules
    • 22.4 Auditing Specific Activities with Fine-Grained Auditing
      • 22.4.1 About Fine-Grained Auditing
      • 22.4.2 Where Are Fine-Grained Audit Records Stored?
      • 22.4.3 Who Can Perform Fine-Grained Auditing?
      • 22.4.4 Fine-Grained Auditing on Tables or Views That Have Oracle VPD Policies
      • 22.4.5 Fine-Grained Auditing in a Multitenant Environment
      • 22.4.6 Fine-Grained Audit Policies with Editions
      • 22.4.7 Using the DBMS_FGA PL/SQL Package to Manage Fine-Grained Audit Policies
        • 22.4.7.1 About the DBMS_FGA PL/SQL PL/SQL Package
        • 22.4.7.2 The DBMS_FGA PL/SQL Package with Editions
        • 22.4.7.3 The DBMS_FGA PL/SQL Package in a Multitenant Environment
        • 22.4.7.4 Creating a Fine-Grained Audit Policy
          • 22.4.7.4.1 About Creating a Fine-Grained Audit Policy
          • 22.4.7.4.2 Syntax for Creating a Fine-Grained Audit Policy
          • 22.4.7.4.3 Audits of Specific Columns and Rows
        • 22.4.7.5 Example: Using DBMS_FGA.ADD_POLICY to Create a Fine-Grained Audit Policy
        • 22.4.7.6 Disabling a Fine-Grained Audit Policy
        • 22.4.7.7 Enabling a Fine-Grained Audit Policy
        • 22.4.7.8 Dropping a Fine-Grained Audit Policy
      • 22.4.8 Tutorial: Adding an Email Alert to a Fine-Grained Audit Policy
        • 22.4.8.1 About This Tutorial
        • 22.4.8.2 Step 1: Install and Configure the UTL_MAIL PL/SQL Package
        • 22.4.8.3 Step 2: Create User Accounts
        • 22.4.8.4 Step 3: Configure an Access Control List File for Network Services
        • 22.4.8.5 Step 4: Create the Email Security Alert PL/SQL Procedure
        • 22.4.8.6 Step 5: Create and Test the Fine-Grained Audit Policy Settings
        • 22.4.8.7 Step 6: Test the Alert
        • 22.4.8.8 Step 7: Remove the Components of This Tutorial
    • 22.5 Audit Policy Data Dictionary Views
  • 23 Administering the Audit Trail
    • 23.1 Managing the Unified Audit Trail
      • 23.1.1 When and Where Are Audit Records Created?
      • 23.1.2 Activities That Are Mandatorily Audited
      • 23.1.3 How Do Cursors Affect Auditing?
      • 23.1.4 Writing the Unified Audit Trail Records to the AUDSYS Schema
      • 23.1.5 When Audit Records Are Written to the Operating System
      • 23.1.6 Moving Operating System Audit Records into the Unified Audit Trail
      • 23.1.7 Disabling Unified Auditing
    • 23.2 Archiving the Audit Trail
      • 23.2.1 Archiving the Traditional Operating System Audit Trail
      • 23.2.2 Archiving the Unified and Traditional Database Audit Trails
    • 23.3 Purging Audit Trail Records
      • 23.3.1 About Purging Audit Trail Records
      • 23.3.2 Selecting an Audit Trail Purge Method
        • 23.3.2.1 Purging the Audit Trail on a Regularly Scheduled Basis
        • 23.3.2.2 Manually Purging the Audit Trail at a Specific Time
      • 23.3.3 Scheduling an Automatic Purge Job for the Audit Trail
        • 23.3.3.1 About Scheduling an Automatic Purge Job
        • 23.3.3.2 Step 1: If Necessary, Tune Online and Archive Redo Log Sizes
        • 23.3.3.3 Step 2: Plan a Timestamp and Archive Strategy
        • 23.3.3.4 Step 3: Optionally, Set an Archive Timestamp for Audit Records
        • 23.3.3.5 Step 4: Create and Schedule the Purge Job
      • 23.3.4 Manually Purging the Audit Trail
        • 23.3.4.1 About Manually Purging the Audit Trail
        • 23.3.4.2 Using DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL to Manually Purge the Audit Trail
      • 23.3.5 Other Audit Trail Purge Operations
        • 23.3.5.1 Enabling or Disabling an Audit Trail Purge Job
        • 23.3.5.2 Setting the Default Audit Trail Purge Job Interval for a Specified Purge Job
        • 23.3.5.3 Deleting an Audit Trail Purge Job
        • 23.3.5.4 Clearing the Archive Timestamp Setting
      • 23.3.6 Example: Directly Calling a Unified Audit Trail Purge Operation
    • 23.4 Audit Trail Management Data Dictionary Views
• Appendixes
  • A Keeping Your Oracle Database Secure
    • A.1 About the Oracle Database Security Guidelines
    • A.2 Downloading Security Patches and Contacting Oracle Regarding Vulnerabilities
      • A.2.1 Downloading Security Patches and Workaround Solutions
      • A.2.2 Contacting Oracle Security Regarding Vulnerabilities in Oracle Database
    • A.3 Guidelines for Securing User Accounts and Privileges
    • A.4 Guidelines for Securing Roles
    • A.5 Guidelines for Securing Passwords
    • A.6 Guidelines for Securing Data
    • A.7 Guidelines for Securing the ORACLE_LOADER Access Driver
    • A.8 Guidelines for Securing a Database Installation and Configuration
    • A.9 Guidelines for Securing the Network
      • A.9.1 Client Connection Security
      • A.9.2 Network Connection Security
      • A.9.3 Secure Sockets Layer Connection Security
    • A.10 Guideline for Securing External Procedures
    • A.11 Guidelines for Auditing
      • A.11.1 Manageability of Audited Information
      • A.11.2 Audits of Typical Database Activity
      • A.11.3 Audits of Suspicious Database Activity
      • A.11.4 Audits of Sensitive Data
      • A.11.5 Recommended Audit Settings
      • A.11.6 Best Practices Before Querying the UNIFIED_AUDIT_TRAIL Data Dictionary View
    • A.12 Addressing the CONNECT Role Change
      • A.12.1 Why Was the CONNECT Role Changed?
      • A.12.2 How the CONNNECT Role Change Affects Applications
        • A.12.2.1 How the CONNECT Role Change Affects Database Upgrades
        • A.12.2.2 How the CONNECT Role Change Affects Account Provisioning
        • A.12.2.3 How the CONNECT Role Change Affects Applications Using New Databases
      • A.12.3 How the CONNECT Role Change Affects Users
        • A.12.3.1 How the CONNECT Role Change Affects General Users
        • A.12.3.2 How the CONNECT Role Change Affects Application Developers
        • A.12.3.3 How the CONNECT Role Change Affects Client Server Applications
      • A.12.4 Approaches to Addressing the CONNECT Role Change
        • A.12.4.1 Creating a New Database Role
        • A.12.4.2 Restoring the CONNECT Privilege
        • A.12.4.3 Data Dictionary View to Show CONNECT Grantees
        • A.12.4.4 Least Privilege Analysis Studies
  • B Data Encryption and Integrity Parameters
    • B.1 About Using sqlnet.ora for Data Encryption and Integrity
    • B.2 Sample sqlnet.ora File
    • B.3 Data Encryption and Integrity Parameters
      • B.3.1 About the Data Encryption and Integrity Parameters
      • B.3.2 SQLNET.ENCRYPTION_SERVER
      • B.3.3 SQLNET.ENCRYPTION_CLIENT
      • B.3.4 SQLNET.CRYPTO_CHECKSUM_SERVER
      • B.3.5 SQLNET.CRYPTO_CHECKSUM_CLIENT
      • B.3.6 SQLNET.ENCRYPTION_TYPES_SERVER
      • B.3.7 SQLNET.ENCRYPTION_TYPES_CLIENT
      • B.3.8 SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER
      • B.3.9 SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT
  • C Kerberos, SSL, and RADIUS Authentication Parameters
    • C.1 Parameters for Clients and Servers Using Kerberos Authentication
    • C.2 Parameters for Clients and Servers Using Secure Sockets Layer
      • C.2.1 Ways to Configure a Parameter for Secure Sockets Layer
      • C.2.2 Secure Sockets Layer Authentication Parameters for Clients and Servers
      • C.2.3 Cipher Suite Parameters for Secure Sockets Layer
      • C.2.4 Supported Secure Sockets Layer Cipher Suites
      • C.2.5 Secure Sockets Layer Version Parameters
      • C.2.6 Secure Sockets Layer Client Authentication Parameters
      • C.2.7 Secure Sockets Layer X.509 Server Match Parameters
        • C.2.7.1 SSL_SERVER_DN_MATCH
        • C.2.7.2 SSL_SERVER_CERT_DN
      • C.2.8 Oracle Wallet Location
    • C.3 Parameters for Clients and Servers Using RADIUS Authentication
      • C.3.1 sqlnet.ora File Parameters
        • C.3.1.1 SQLNET.AUTHENTICATION_SERVICES
        • C.3.1.2 SQLNET.RADIUS_ALTERNATE
        • C.3.1.3 SQLNET.RADIUS_ALTERNATE_PORT
        • C.3.1.4 SQLNET.RADIUS_ALTERNATE_TIMEOUT
        • C.3.1.5 SQLNET.RADIUS_ALTERNATE_RETRIES
        • C.3.1.6 SQLNET.RADIUS_AUTHENTICATION
        • C.3.1.7 SQLNET.RADIUS_AUTHENTICATION_INTERFACE
        • C.3.1.8 SQLNET.RADIUS_AUTHENTICATION_PORT
        • C.3.1.9 SQLNET.RADIUS_AUTHENTICATION_TIMEOUT
        • C.3.1.10 SQLNET.RADIUS_AUTHENTICATION_RETRIES
        • C.3.1.11 SQLNET.RADIUS_CHALLENGE_RESPONSE
        • C.3.1.12 SQLNET.RADIUS_CHALLENGE_KEYWORD
        • C.3.1.13 SQLNET.RADIUS_CLASSPATH
        • C.3.1.14 SQLNET.RADIUS_SECRET
        • C.3.1.15 SQLNET.RADIUS_SEND_ACCOUNTING
      • C.3.2 Minimum RADIUS Parameters
      • C.3.3 Initialization File Parameter for RADIUS
  • D Integrating Authentication Devices Using RADIUS
    • D.1 About the RADIUS Challenge-Response User Interface
    • D.2 Customizing the RADIUS Challenge-Response User Interface
    • D.3 Example: Using the OracleRadiusInterface Interface
  • E Oracle Database FIPS 140-2 Settings
    • E.1 About the Oracle Database FIPS 140-2 Settings
    • E.2 Configuring FIPS 140-2 for Transparent Data Encryption and DBMS_CRYPTO
    • E.3 Configuration of FIPS 140-2 for Secure Sockets Layer
      • E.3.1 Configuring the SSLFIPS_140 and SSLFIPS_LIB Parameters for Secure Sockets Layer
      • E.3.2 Approved SSL Cipher Suites for FIPS 140-2
    • E.4 Postinstallation Checks for FIPS 140-2
    • E.5 Verifying FIPS 140-2 Connections
  • F Using the orapki Utility to Manage PKI Elements
    • F.1 Uses of the orapki Utility
    • F.2 orapki Utility Syntax
    • F.3 Creating Signed Certificates for Testing Purposes
    • F.4 Viewing a Certificate
    • F.5 Managing Oracle Wallets with orapki Utility
      • F.5.1 About Managing Wallets with orapki
      • F.5.2 Creating, Viewing, and Modifying Wallets with orapki
        • F.5.2.1 Creating a PKCS#12 Wallet
        • F.5.2.2 Creating an Auto-Login Wallet
        • F.5.2.3 Creating an Auto-Login Wallet That Is Associated with a PKCS#12 Wallet
        • F.5.2.4 Creating an Auto-Login Wallet That Is Local to the Computer and User Who Created It
        • F.5.2.5 Viewing a Wallet
        • F.5.2.6 Modifying the Password for a Wallet
        • F.5.2.7 Converting an Oracle Wallet to Use the AES256 Algorithm
      • F.5.3 Adding Certificates and Certificate Requests to Oracle Wallets with orapki
        • F.5.3.1 Adding a Certificate Request to an Oracle Wallet
        • F.5.3.2 Adding a Trusted Certificate to an Oracle Wallet
        • F.5.3.3 Adding a Root Certificate to an Oracle Wallet
        • F.5.3.4 Adding a User Certificate to an Oracle Wallet
        • F.5.3.5 Verifying Credentials on the Hardware Device That Uses a PKCS#11 Wallet
        • F.5.3.6 Adding PKCS#11 Information to an Oracle Wallet
      • F.5.4 Exporting Certificates and Certificate Requests from Oracle Wallets with orapki
    • F.6 Management of Certificate Revocation Lists (CRLs) with orapki Utility
    • F.7 orapki Usage
      • F.7.1 Example: Wallet with a Self-Signed Certificate and Export of the Certificate
      • F.7.2 Example: Creating a Wallet and a User Certificate
    • F.8 orapki Utility Commands Summary
      • F.8.1 orapki cert create
      • F.8.2 orapki cert display
      • F.8.3 orapki crl delete Command
      • F.8.4 orapki crl display
      • F.8.5 orapki crl hash
      • F.8.6 orapki crl list
      • F.8.7 orapki crl upload
      • F.8.8 orapki wallet add
      • F.8.9 orapki wallet convert
      • F.8.10 orapki wallet create
      • F.8.11 orapki wallet display
      • F.8.12 orapki wallet export
  • G How the Unified Auditing Migration Affects Individual Audit Features
• Glossary
• Index