Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Database Security Guide
- Changes in Oracle Database Security 23ai
- Transport Layer Security 1.3 Protocol Now Supported in Oracle Database
- Simplified Transport Layer Security Configuration
- Schema Privileges to Simplify Access Control
- Oracle SQL Firewall is Now Built into Oracle Database
- Increased Maximum Password Length
- Read-Only Users and Sessions
- New Database Role for Application Developers
- Oracle Data Dictionary Protection Extended to Non-SYS Oracle Schemas with Separation of Duties Protection
- Strict DN Matching with Both Listener and Server Certificates
- Ability to Configure Transport Layer Security Connections without Client Wallets
- Updated Kerberos Library and Other Improvements
- Improved and More Secure Local Auto-Login Wallets
- New sqlnet.ora Parameter to Prevent the Use of Deprecated Ciphers
- Enhancements to RADIUS Configuration
- Enhancements to the DBMS_CRYPTO PL/SQL Package
- Authenticating and Authorizing IAM Users to Oracle Autonomous Database on Dedicated Exadata Infrastructure
- Ability of Azure Users to Log in to Oracle Database with Their Azure AD OAuth2 Access Token
- Ability to Audit Object Actions at the Column Level for Tables and Views
- Consolidation of the FIPS_140 Parameter
- Desupport of Case Insensitive Passwords
- Desupport of Traditional Auditing
- Updates to Oracle Database Security 23ai
- 1 Introduction to Oracle Database Security
- Part I Managing User Authentication and Authorization
- 2 Managing Security for Oracle Database Users
- 2.1 About User Security
- 2.2 Creating User Accounts
- 2.2.1 About Common Users and Local Users
- 2.2.2 Who Can Create User Accounts?
- 2.2.3 Creating a New User Account That Has Minimum Database Privileges
- 2.2.4 Restrictions on Creating the User Name for a New Account
- 2.2.5 Assignment of User Passwords
- 2.2.6 Default Tablespace for the User
- 2.2.7 Tablespace Quotas for a User
- 2.2.8 Temporary Tablespaces for the User
- 2.2.9 Profiles for the User
- 2.2.10 Creation of a Common User or a Local User
- 2.2.11 Creating a Default Role for the User
- 2.3 Altering User Accounts
- 2.4 Configuring User Resource Limits
- 2.5 Dropping User Accounts
- 2.6 Predefined Schema User Accounts Provided by Oracle Database
- 2.7 Database User and Profile Data Dictionary Views
- 3 Configuring Authentication
- 3.1 About Authentication
- 3.2 Configuring Password Protection
- 3.2.1 What Are the Oracle Database Built-in Password Protections?
- 3.2.2 Minimum Requirements for Passwords
- 3.2.3 Creating a Password by Using the IDENTIFIED BY Clause
- 3.2.4 Using a Password Management Policy
- 3.2.4.1 About Managing Passwords
- 3.2.4.2 Finding User Accounts That Have Default Passwords
- 3.2.4.3 Password Settings in the Default Profile
- 3.2.4.4 Using the ALTER PROFILE Statement to Modify Profile Limits
- 3.2.4.5 Disabling and Enabling the Default Password Security Settings
- 3.2.4.6 Automatically Locking Inactive Database User Accounts
- 3.2.4.7 Automatically Locking User Accounts After a Specified Number of Failed Log-in Attempts
- 3.2.4.8 Example: Locking an Account with the CREATE PROFILE Statement
- 3.2.4.9 Explicitly Locking a User Account with the CREATE USER or ALTER USER Statement
- 3.2.4.10 Controlling the User Ability to Reuse Previous Passwords
- 3.2.4.11 About Controlling Password Aging and Expiration
- 3.2.4.12 Setting a Password Lifetime
- 3.2.4.13 Checking the Status of a User Account
- 3.2.4.14 Password Change Life Cycle
- 3.2.4.15 PASSWORD_LIFE_TIME Profile Parameter Low Value
- 3.2.5 Managing Gradual Database Password Rollover for Applications
- 3.2.5.1 About Managing Gradual Database Password Rollover for Applications
- 3.2.5.2 Password Change Life Cycle During a Gradual Database Password Rollover
- 3.2.5.3 Enabling the Gradual Database Password Rollover
- 3.2.5.4 Changing a Password to Begin the Gradual Database Password Rollover Period
- 3.2.5.5 Changing a Password During the Gradual Database Password Rollover Period
- 3.2.5.6 Ending the Password Rollover Period
- 3.2.5.7 Database Behavior During the Gradual Password Rollover Period
- 3.2.5.8 Database Server Behavior After the Password Rollover Period Ends
- 3.2.5.9 Guideline for Handling Compromised Passwords
- 3.2.5.10 How Gradual Database Password Rollover Works During Oracle Data Pump Exports
- 3.2.5.11 Using Gradual Database Password Rollover in an Oracle Data Guard Environment
- 3.2.5.12 Finding Users Who Still Use Their Old Passwords
- 3.2.6 Managing the Complexity of Passwords
- 3.2.6.1 About Password Complexity Verification
- 3.2.6.2 How Oracle Database Checks the Complexity of Passwords
- 3.2.6.3 Who Can Use the Password Complexity Functions?
- 3.2.6.4 ora12c_verify_function Password Requirements
- 3.2.6.5 ora12c_strong_verify_function Function Password Requirements
- 3.2.6.6 ora12c_stig_verify_function Password Requirements
- 3.2.6.7 About Customizing Password Complexity Verification
- 3.2.6.8 Enabling Password Complexity Verification
- 3.2.7 Managing Password Case Sensitivity
- 3.2.7.1 Management of Case Sensitivity for Secure Role Passwords
- 3.2.7.2 Management of Password Versions of Users
- 3.2.7.3 Finding and Resetting User Passwords That Use the 10G Password Version
- 3.2.7.4 How Case Sensitivity Affects Password Files
- 3.2.7.5 How Case Sensitivity Affects Passwords Used in Database Link Connections
- 3.2.8 Ensuring Against Password Security Threats by Using the 12C Password Version
- 3.2.8.1 About the 12C Version of the Password Hash
- 3.2.8.2 Oracle Database 12C Password Version Configuration Guidelines
- 3.2.8.3 Configuring Oracle Database to Use the 12C Password Version Exclusively
- 3.2.8.4 How Server and Client Logon Versions Affect Database Links
- 3.2.8.5 Configuring Oracle Database Clients to Use the 12C Password Version Exclusively
- 3.2.9 Managing the Secure External Password Store for Password Credentials
- 3.2.9.1 About the Secure External Password Store
- 3.2.9.2 How Does the Secure External Password Store Work?
- 3.2.9.3 About Configuring Clients to Use the Secure External Password Store
- 3.2.9.4 Configuring a Client to Use the Secure External Password Store
- 3.2.9.5 Example: Sample sqlnet.ora File with Wallet Parameters Set
- 3.2.9.6 Managing External Password Store Credentials
- 3.2.9.7 Creating SQL*Loader Object Store Credentials
- 3.2.10 Managing Passwords for Administrative Users
- 3.2.10.1 About Managing Passwords for Administrative Users
- 3.2.10.2 Setting the LOCK and EXPIRED Status of Administrative Users
- 3.2.10.3 Password Profile Settings for Administrative Users
- 3.2.10.4 Last Successful Login Time for Administrative Users
- 3.2.10.5 Management of the Password File of Administrative Users
- 3.2.10.6 Migration of the Password File of Administrative Users
- 3.2.10.7 How the Multitenant Option Affects Password Files for Administrative Users
- 3.2.10.8 Password Complexity Verification Functions for Administrative Users
- 3.3 Authentication of Database Administrators
- 3.3.1 About Authentication of Database Administrators
- 3.3.2 Strong Authentication, Centralized Management for Administrators
- 3.3.3 Authentication of Database Administrators by Using the Operating System
- 3.3.4 Authentication of Database Administrators by Using Their Passwords
- 3.3.5 Risks of Using Password Files for Database Administrator Authentication
- 3.4 Database Authentication of Users
- 3.5 Schema-Only Accounts
- 3.6 Configuring Operating System Users for a PDB
- 3.7 External (Non-Database) User Authentication and Access to the Database
- 3.8 Multitier Authentication and Authorization
- 3.9 Administration and Security in Clients, Application Servers, and Database Servers
- 3.10 Preserving User Identity in Multitiered Environments
- 3.10.1 Middle Tier Server Use for Proxy Authentication
- 3.10.1.1 About Proxy Authentication
- 3.10.1.2 Advantages of Proxy Authentication
- 3.10.1.3 Who Can Create Proxy User Accounts?
- 3.10.1.4 Guidelines for Creating Proxy User Accounts
- 3.10.1.5 Creating Proxy User Accounts and Authorizing Users to Connect Through Them
- 3.10.1.6 Proxy User Accounts and the Authorization of Users to Connect Through Them
- 3.10.1.7 Using Proxy Authentication with the Secure External Password Store
- 3.10.1.8 How the Identity of the Real User Is Passed with Proxy Authentication
- 3.10.1.9 Limits to the Privileges of the Middle Tier
- 3.10.1.10 Authorizing a Middle Tier to Proxy and Authenticate a User
- 3.10.1.11 Authorizing a Middle Tier to Proxy a User Authenticated by Other Means
- 3.10.1.12 Reauthenticating a User Through the Middle Tier to the Database
- 3.10.1.13 Using Password-Based Proxy Authentication
- 3.10.1.14 Using Proxy Authentication with Enterprise Users
- 3.10.2 Using Client Identifiers to Identify Application Users Unknown to the Database
- 3.10.2.1 About Client Identifiers
- 3.10.2.2 How Client Identifiers Work in Middle Tier Systems
- 3.10.2.3 Use of the CLIENT_IDENTIFIER Attribute to Preserve User Identity
- 3.10.2.4 Use of the CLIENT_IDENTIFIER Independent of Global Application Context
- 3.10.2.5 Setting the CLIENT_IDENTIFIER Independent of Global Application Context
- 3.10.2.6 Use of the DBMS_SESSION PL/SQL Package to Set and Clear the Client Identifier
- 3.10.2.7 Enabling the CLIENTID_OVERWRITE Event System-Wide
- 3.10.2.8 Enabling the CLIENTID_OVERWRITE Event for the Current Session
- 3.10.2.9 Disabling the CLIENTID_OVERWRITE Event
- 3.11 User Authentication Data Dictionary Views
- 4 Configuring Privilege and Role Authorization
- 4.1 About Privileges and Roles
- 4.2 Privilege and Role Grants in a CDB
- 4.2.1 About Privilege and Role Grants in a CDB
- 4.2.2 Principles of Privilege and Role Grants in a CDB
- 4.2.3 Privileges and Roles Granted Locally in a CDB
- 4.2.4 What Makes a Privilege or Role Grant Local
- 4.2.5 Roles and Privileges Granted Locally
- 4.2.6 Roles and Privileges Granted Commonly in a CDB
- 4.2.7 What Makes a Grant Common
- 4.2.8 Roles and Privileges Granted Commonly
- 4.2.9 Grants to PUBLIC in a CDB
- 4.2.10 Grants of Privileges and Roles: Scenario
- 4.3 Who Should Be Granted Privileges?
- 4.4 How the Oracle Multitenant Option Affects Privileges
- 4.5 Managing Administrative Privileges
- 4.5.1 About Administrative Privileges
- 4.5.2 Grants of Administrative Privileges to Users
- 4.5.3 SYSDBA and SYSOPER Privileges for Standard Database Operations
- 4.5.4 Forcing oracle Users to Enter a Password When Logging in as SYSDBA
- 4.5.5 SYSBACKUP Administrative Privilege for Backup and Recovery Operations
- 4.5.6 SYSDG Administrative Privilege for Oracle Data Guard Operations
- 4.5.7 SYSKM Administrative Privilege for Transparent Data Encryption
- 4.5.8 SYSRAC Administrative Privilege for Oracle Real Application Clusters
- 4.6 Managing System Privileges
- 4.7 Managing Schema Privileges
- 4.8 Administering Schema Security Policies
- 4.9 Managing Privileges to Enable Diagnostics
- 4.10 Managing Commonly and Locally Granted Privileges
- 4.10.1 About Commonly and Locally Granted Privileges
- 4.10.2 How Commonly Granted System Privileges Work
- 4.10.3 How Commonly Granted Object Privileges Work
- 4.10.4 Granting or Revoking Privileges to Access a PDB
- 4.10.5 Example: Granting a Privilege to a Common User
- 4.10.6 Enabling Common Users to View CONTAINER_DATA Object Information
- 4.11 Managing User Roles
- 4.11.1 About User Roles
- 4.11.1.1 What Are User Roles?
- 4.11.1.2 The Functionality of Roles
- 4.11.1.3 Properties of Roles and Why They Are Advantageous
- 4.11.1.4 Typical Uses of Roles
- 4.11.1.5 Common Uses of Application Roles
- 4.11.1.6 Common Uses of User Roles
- 4.11.1.7 How Roles Affect the Scope of a User's Privileges
- 4.11.1.8 How Roles Work in PL/SQL Blocks
- 4.11.1.9 How Roles Aid or Restrict DDL Usage
- 4.11.1.10 How Operating Systems Can Aid Roles
- 4.11.1.11 How Roles Work in a Distributed Environment
- 4.11.2 Predefined Roles in an Oracle Database Installation
- 4.11.3 Creating a Role
- 4.11.4 Specifying the Type of Role Authorization
- 4.11.4.1 Authorizing a Role by Using the Database
- 4.11.4.2 Authorizing a Role by Using an Application
- 4.11.4.3 Authorizing a Role by Using an External Source
- 4.11.4.4 Authorizing a Role by Using the Operating System
- 4.11.4.5 Authorizing a Role by Using a Network Client
- 4.11.4.6 Authorizing a Global Role by an Enterprise Directory Service
- 4.11.5 Granting and Revoking Roles
- 4.11.6 Dropping Roles
- 4.11.7 Restricting SQL*Plus Users from Using Database Roles
- 4.11.8 Role Privileges and Secure Application Roles
- 4.12 Managing Common Roles and Local Roles
- 4.12.1 About Common Roles and Local Roles
- 4.12.2 Common Roles in a CDB
- 4.12.3 How Common Roles Work
- 4.12.4 How the PUBLIC Role Works in a Multitenant Environment
- 4.12.5 Privileges Required to Create, Modify, or Drop a Common Role
- 4.12.6 Rules for Creating Common Roles
- 4.12.7 Creating a Common Role
- 4.12.8 Rules for Creating Local Roles
- 4.12.9 Local Roles in a CDB
- 4.12.10 Creating a Local Role
- 4.12.11 Role Grants and Revokes for Common Users and Local Users
- 4.13 Restricting Operations on PDBs Using PDB Lockdown Profiles
- 4.13.1 About PDB Lockdown Profiles
- 4.13.2 How PDB Lockdown Profiles Work
- 4.13.3 PDB_OS_CREDENTIAL Initialization Parameter
- 4.13.4 Features That Benefit from PDB Lockdown Profiles
- 4.13.5 PDB Lockdown Profile Inheritance
- 4.13.6 Default PDB Lockdown Profiles
- 4.13.7 Creating a PDB Lockdown Profile
- 4.13.8 Enabling or Disabling a PDB Lockdown Profile
- 4.13.9 Dropping a PDB Lockdown Profile
- 4.14 Managing Object Privileges
- 4.15 Managing Dictionary Protection for Oracle-Maintained Schemas
- 4.16 Table Privileges
- 4.17 View Privileges
- 4.18 Procedure Privileges
- 4.18.1 The Use of the EXECUTE Privilege for Procedure Privileges
- 4.18.2 Procedure Execution and Security Domains
- 4.18.3 System Privileges Required to Create or Replace a Procedure
- 4.18.4 System Privileges Required to Compile a Procedure
- 4.18.5 How Procedure Privileges Affect Packages and Package Objects
- 4.19 Type Privileges
- 4.19.1 System Privileges for Named Types
- 4.19.2 Object Privileges for Named Types
- 4.19.3 Method Execution Model for Named Types
- 4.19.4 Privileges Required to Create Types and Tables Using Types
- 4.19.5 Example: Privileges for Creating Types and Tables Using Types
- 4.19.6 Privileges on Type Access and Object Access
- 4.19.7 Type Dependencies
- 4.20 Grants of User Privileges and Roles
- 4.20.1 Granting System Privileges and Roles to Users and Roles
- 4.20.1.1 Privileges for Grants of System Privileges and Roles to Users and Roles
- 4.20.1.2 Example: Granting a System Privilege and a Role to a User
- 4.20.1.3 Example: Granting the EXECUTE Privilege on a Directory Object
- 4.20.1.4 Use of the ADMIN Option to Enable Grantee Users to Grant the Privilege
- 4.20.1.5 Creating a New User with the GRANT Statement
- 4.20.2 Granting Object Privileges to Users and Roles
- 4.21 Revokes of Privileges and Roles from a User
- 4.22 Grants and Revokes of Privileges to and from the PUBLIC Role
- 4.23 Grants of Roles Using the Operating System or Network
- 4.23.1 About Granting Roles Using the Operating System or Network
- 4.23.2 Operating System Role Identification
- 4.23.3 Operating System Role Management
- 4.23.4 Role Grants and Revokes When OS_ROLES Is Set to TRUE
- 4.23.5 Role Enablements and Disablements When OS_ROLES Is Set to TRUE
- 4.23.6 Network Connections with Operating System Role Management
- 4.24 How Grants and Revokes Work with SET ROLE and Default Role Settings
- 4.25 Configuring Read-Only Users
- 4.26 User Privilege and Role Data Dictionary Views
- 4.26.1 Data Dictionary Views to Find Information about Privilege and Role Grants
- 4.26.2 Query to List All System Privilege Grants
- 4.26.3 Query to List Schema Privilege Grants
- 4.26.4 Query to List All Role Grants
- 4.26.5 Query to List Object Privileges Granted to a User
- 4.26.6 Query to List the Current Privilege Domain of Your Session
- 4.26.7 Query to List Roles of the Database
- 4.26.8 Query to List Information About the Privilege Domains of Roles
- 5 Performing Privilege Analysis to Identify Privilege Use
- 5.1 What Is Privilege Analysis?
- 5.2 Creating and Managing Privilege Analysis Policies
- 5.2.1 About Creating and Managing Privilege Analysis Policies
- 5.2.2 General Steps for Managing Privilege Analysis
- 5.2.3 Creating a Privilege Analysis Policy
- 5.2.4 Examples of Creating Privilege Analysis Policies
- 5.2.5 Enabling a Privilege Analysis Policy
- 5.2.6 Disabling a Privilege Analysis Policy
- 5.2.7 Generating a Privilege Analysis Report
- 5.2.7.1 About Generating a Privilege Analysis Report
- 5.2.7.2 General Process for Managing Multiple Named Capture Runs
- 5.2.7.3 Generating a Privilege Analysis Report Using DBMS_PRIVILEGE_CAPTURE
- 5.2.7.4 Generating a Privilege Analysis Report Using Cloud Control
- 5.2.7.5 Accessing Privilege Analysis Reports Using Cloud Control
- 5.2.8 Dropping a Privilege Analysis Policy
- 5.3 Creating Roles and Managing Privileges Using Cloud Control
- 5.4 Tutorial: Using Capture Runs to Analyze ANY Privilege Use
- 5.4.1 Step 1: Create User Accounts
- 5.4.2 Step 2: Create and Enable a Privilege Analysis Policy
- 5.4.3 Step 3: Use the READ ANY TABLE System Privilege
- 5.4.4 Step 4: Disable the Privilege Analysis Policy
- 5.4.5 Step 5: Generate and View a Privilege Analysis Report
- 5.4.6 Step 6: Create a Second Capture Run
- 5.4.7 Step 7: Remove the Components for This Tutorial
- 5.5 Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
- 5.5.1 Step 1: Create User Accounts
- 5.5.2 Step 2: Create and Enable a Privilege Analysis Policy
- 5.5.3 Step 3: Perform the Database Tuning Operations
- 5.5.4 Step 4: Disable the Privilege Analysis Policy
- 5.5.5 Step 5: Generate and View Privilege Analysis Reports
- 5.5.6 Step 6: Remove the Components for This Tutorial
- 5.6 Tutorial: Capturing Schema Privilege Use
- 5.6.1 Step 1: Create User Accounts
- 5.6.2 Step 2: Create and Enable a Privilege Analysis Policy
- 5.6.3 Step 3: Use the READ ANY TABLE System Privilege
- 5.6.4 Step 4: Disable the Privilege Analysis Policy
- 5.6.5 Step 5: Generate and View Privilege Analysis Reports
- 5.6.6 Step 6: Remove the Components for This Tutorial
- 5.7 Privilege Analysis Policy and Report Data Dictionary Views
- 6 Configuring Centrally Managed Users with Microsoft Active Directory
- 6.1 Introduction to Centrally Managed Users with Microsoft Active Directory
- 6.1.1 About the Oracle Database-Microsoft Active Directory Integration
- 6.1.2 How Centrally Managed Users with Microsoft Active Directory Works
- 6.1.3 Centrally Managed User-Microsoft Active Directory Architecture
- 6.1.4 Supported Authentication Methods
- 6.1.5 Users Supported by Centrally Managed Users with Microsoft Active Directory
- 6.1.6 How the Oracle Multitenant Option Affects Centrally Managed Users
- 6.1.7 Centrally Managed Users with Database Links
- 6.2 Configuring the Oracle Database-Microsoft Active Directory Integration
- 6.2.1 About Configuring the Oracle Database-Microsoft Active Directory Connection
- 6.2.2 Connecting to Microsoft Active Directory
- 6.2.2.1 Step 1: Create an Oracle Service Directory User Account on Microsoft Active Directory and Grant Permissions
- 6.2.2.2 Step 2: For Password Authentication, Install the Password Filter and Extend the Microsoft Active Directory Schema
- 6.2.2.3 Step 3: If Necessary, Install the Oracle Database Software
- 6.2.2.4 Step 4: Create the dsi.ora or ldap.ora File
- 6.2.2.5 Step 5: Request an Active Directory Certificate for a Secure Connection
- 6.2.2.6 Step 6: Create the Wallet for a Secure Connection
- 6.2.2.7 Step 7: Configure the Microsoft Active Directory Connection
- 6.2.2.7.1 About Configuring the Microsoft Active Directory Connection
- 6.2.2.7.2 Configuring the Access Manually Using Database System Parameters
- 6.2.2.7.3 Configuring the Access Using the Database Configuration Assistant GUI
- 6.2.2.7.4 Configuring the Access Using Database Configuration Assistant Silent Mode
- 6.2.2.8 Step 8: Verify the Oracle Wallet
- 6.2.2.9 Step 9: Test the Integration
- 6.3 Configuring Authentication for Centrally Managed Users
- 6.4 Configuring Authorization for Centrally Managed Users
- 6.4.1 About Configuring Authorization for Centrally Managed Users
- 6.4.2 Mapping a Directory Group to a Shared Database Global User
- 6.4.3 Mapping a Directory Group to a Global Role
- 6.4.4 Exclusively Mapping a Directory User to a Database Global User
- 6.4.5 Altering or Migrating a User Mapping Definition
- 6.4.6 Configuring Administrative Users
- 6.4.7 Verifying the Centrally Managed User Logon Information
- 6.5 Integration of Oracle Database with Microsoft Active Directory Account Policies
- 6.6 Configuring Centrally Managed Users with Oracle Autonomous Database
- 6.7 Troubleshooting Centrally Managed Users
- 7 Authenticating and Authorizing IAM Users for Oracle DBaaS Databases
- 7.1 Introduction to Authenticating and Authorizing IAM Users for Oracle DBaaS
- 7.2 Configuring Oracle DBaaS for IAM
- 7.2.1 Enabling External Authentication for Oracle DBaaS
- 7.2.2 Configuring Authorization for IAM Users and Oracle Cloud Infrastructure Applications
- 7.2.2.1 About Configuring Authorization for IAM Users and Oracle Cloud Infrastructure Applications
- 7.2.2.2 Mapping an IAM Group to a Shared Oracle Database Global User
- 7.2.2.3 Mapping an IAM Group to an Oracle Database Global Role
- 7.2.2.4 Exclusively Mapping an IAM User to an Oracle Database Global User
- 7.2.2.5 Altering or Migrating an IAM User Mapping Definition
- 7.2.2.6 Mapping Instance and Resource Principals
- 7.2.2.7 Verifying the IAM User Logon Information
- 7.2.3 Configuring IAM Proxy Authentication
- 7.3 Configuring IAM for Oracle DBaaS
- 7.4 Accessing the Database Using an Instance Principal or a Resource Principal
- 7.5 Configuring the Database Client Connection
- 7.5.1 About Connecting to an Autonomous Database Instance Using IAM
- 7.5.2 Supported Client Drivers for IAM Connections
- 7.5.3 Using Centralized Oracle Cloud Infrastructure Services for Net Naming and Secrets
- 7.5.4 Client Connections That Use an IAM Database Password Verifier
- 7.5.5 Client Connections That Use a Token Requested by an IAM User Name and Database Password
- 7.5.5.1 About Client Connections That Use a Token Requested by an IAM User Name and Database Password
- 7.5.5.2 Parameters to Set for Client Connections That Use a Token Requested by an IAM User Name and Database Password
- 7.5.5.3 Configuring the Database Client to Retrieve a Token Using an IAM User Name and Database Password
- 7.5.5.4 Configuring a Secure External Password Store Wallet to Retrieve an IAM Token
- 7.5.6 Client Connections That Use a Token Requested by a Client Application or Tool
- 7.5.7 TLS Connections without Client Wallets
- 7.5.8 Enabling Clients to Directly Retrieve IAM Tokens
- 7.5.9 Common Database Client Configurations
- 7.5.10 Using OCI Object Store for Network Service Configuration Information
- 7.6 Accessing a Database Cross-Tenancy Using an IAM Integration
- 7.6.1 About Cross-Tenancy Access for IAM Users to DBaaS Instances
- 7.6.2 Configuring Policies
- 7.6.3 Mapping Database Schemas and Roles to Users and Groups in Another Tenancy
- 7.6.4 Configuring Database Clients for Cross-Tenancy Access
- 7.6.5 Requesting Cross-Tenancy Tokens Using the OCI Command-Line Interface
- 7.7 Database Links in an Oracle DBaaS-to-IAM Integration
- 7.8 Troubleshooting IAM Connections
- 7.8.1 Areas to Check on the Client-Side for ORA-01017 Errors
- 7.8.2 Database Client Trace Files
- 7.8.3 Check in the Oracle Cloud Infrastructure IAM and the Oracle Database for ORA-01017 Errors
- 7.8.4 ORA-01017 Errors Caused by Improperly Configured IAM Users
- 7.8.5 ORA-12599 and ORA-03114 Errors Caused When Trying to Access a Database Using a Token
- 7.8.6 Actions IAM Administrators Can Take to Address ORA-01017 Errors
- 8 Authenticating and Authorizing Microsoft Azure Users for Oracle Databases
- 8.1 Introduction to Oracle Database Integration with Microsoft Entra ID
- 8.1.1 About Integrating Oracle Database with Microsoft Entra ID
- 8.1.2 Architecture of Oracle Database Integration with Microsoft Entra ID
- 8.1.3 Azure Users Mapping to an Oracle Database Schema and Roles
- 8.1.4 Use Cases for Connecting to an Oracle Database Using Entra ID
- 8.1.5 General Process of Authenticating Microsoft Entra ID Identities with Oracle Database
- 8.2 Configuring the Oracle Database for Microsoft Entra ID Integration
- 8.2.1 Oracle Database Requirements for the Microsoft Entra ID Integration
- 8.2.2 Registering the Oracle Database Instance with a Microsoft Entra ID Tenancy
- 8.2.3 Enabling Microsoft Entra ID v2 Access Tokens
- 8.2.4 Managing App Roles in Microsoft Entra ID
- 8.2.5 Enabling Entra ID External Authentication for Oracle Database
- 8.2.6 Disabling Entra ID External Authentication for Oracle Database
- 8.3 Mapping Oracle Database Schemas and Roles
- 8.4 Configuring Entra ID Client Connections to the Oracle Database
- 8.4.1 About Configuring Client Connections to Entra ID
- 8.4.2 Operational Flow for SQL*Plus Client Connection to Oracle Database Using Microsoft Entra ID OAuth2 Token
- 8.4.3 Supported Client Drivers for Entra ID Connections
- 8.4.4 Registering a Client with Entra ID Application Registration
- 8.4.5 Configuration of Clients to Work with Microsoft Entra ID Tokens
- 8.4.6 Examples of Retrieving Entra ID OAuth2 Tokens Outside an Oracle Database Client
- 8.4.6.1 About Examples of Retrieving Microsoft Entra ID OAuth2 Tokens Outside of an Oracle Database Client
- 8.4.6.2 Example: Requesting a Token Using a Python Script for the Interactive (Authorization) Flow
- 8.4.6.3 Example: Requesting a Token Using Azure CLI for the Interactive (Authorization) Flow
- 8.4.6.4 Requesting a Token Using the Azure CLI for the Client Credential Flow
- 8.4.7 Creating a Network Proxy for the Database to Connect with the Internet
- 8.4.7.1 About Creating a Network Proxy for the Database to Connect with the Internet
- 8.4.7.2 Testing the Accessibility of the Entra ID Endpoint
- 8.4.7.3 Creating the Network Proxy for the Default Oracle Database Environment
- 8.4.7.4 Creating the Network Proxy for an Oracle Real Application Clusters Environment
- 8.4.7.5 Creating the Network Proxy in the Windows Registry Editor
- 8.4.8 Using Centralized Entra ID Services for Net Naming and Secrets
- 8.5 Configuring Microsoft Entra ID Proxy Authentication
- 8.6 Configuring Microsoft Power BI Single-Sign On
- 8.7 Troubleshooting Microsoft Entra ID Connections
- 9 Managing Security for Definer's Rights and Invoker's Rights
- 9.1 About Definer's Rights and Invoker's Rights
- 9.2 How Procedure Privileges Affect Definer's Rights
- 9.3 How Procedure Privileges Affect Invoker's Rights
- 9.4 When You Should Create Invoker's Rights Procedures
- 9.5 Controlling Invoker's Rights Privileges for Procedure Calls and View Access
- 9.5.1 How the Privileges of a Schema Affect the Use of Invoker's Rights Procedures
- 9.5.2 How the INHERIT [ANY] PRIVILEGES Privileges Control Privilege Access
- 9.5.3 Grants of the INHERIT PRIVILEGES Privilege to Other Users
- 9.5.4 Example: Granting INHERIT PRIVILEGES on an Invoking User
- 9.5.5 Example: Revoking INHERIT PRIVILEGES
- 9.5.6 Grants of the INHERIT ANY PRIVILEGES Privilege to Other Users
- 9.5.7 Example: Granting INHERIT ANY PRIVILEGES to a Trusted Procedure Owner
- 9.5.8 Managing INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES
- 9.6 Definer's Rights and Invoker's Rights in Views
- 9.7 Using Code Based Access Control for Definer's Rights and Invoker's Rights
- 9.7.1 About Using Code Based Access Control for Applications
- 9.7.2 Who Can Grant Code Based Access Control Roles to a Program Unit?
- 9.7.3 How Code Based Access Control Works with Invoker's Rights Program Units
- 9.7.4 How Code Based Access Control Works with Definer's Rights Program Units
- 9.7.5 Grants of Database Roles to Users for Their CBAC Grants
- 9.7.6 Grants and Revokes of Database Roles to a Program Unit
- 9.7.7 Tutorial: Controlling Access to Sensitive Data Using Code Based Access Control
- 9.7.7.1 About This Tutorial
- 9.7.7.2 Step 1: Create the User and Grant HR the CREATE ROLE Privilege
- 9.7.7.3 Step 2: Create the print_employees Invoker's Rights Procedure
- 9.7.7.4 Step 3: Create the hr_clerk Role and Grant Privileges for It
- 9.7.7.5 Step 4: Test the Code Based Access Control HR.print_employees Procedure
- 9.7.7.6 Step 5: Create the view_emp_role Role and Grant Privileges for It
- 9.7.7.7 Step 6: Test the HR.print_employees Procedure Again
- 9.7.7.8 Step 7: Remove the Components of This Tutorial
- 9.8 Controlling Definer's Rights Privileges for Database Links
- 9.8.1 About Controlling Definer's Rights Privileges for Database Links
- 9.8.2 Grants of the INHERIT REMOTE PRIVILEGES Privilege to Other Users
- 9.8.3 Example: Granting INHERIT REMOTE PRIVILEGES on a Connected User
- 9.8.4 Grants of the INHERIT ANY REMOTE PRIVILEGES Privilege to Other Users
- 9.8.5 Revokes of the INHERIT [ANY] REMOTE PRIVILEGES Privilege
- 9.8.6 Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege
- 9.8.7 Example: Revoking the INHERIT REMOTE PRIVILEGES Privilege from PUBLIC
- 9.8.8 Tutorial: Using a Database Link in a Definer's Rights Procedure
- 9.8.8.1 About This Tutorial
- 9.8.8.2 Step 1: Create User Accounts
- 9.8.8.3 Step 2: As User dbuser2, Create a Table to Store User IDs
- 9.8.8.4 Step 3: As User dbuser1, Create a Database Link and Definer's Rights Procedure
- 9.8.8.5 Step 4: Test the Definer's Rights Procedure
- 9.8.8.6 Step 5: Remove the Components of This Tutorial
- 10 Managing Fine-Grained Access in PL/SQL Packages and Types
- 10.1 About Managing Fine-Grained Access in PL/SQL Packages and Types
- 10.2 About Fine-Grained Access Control to External Network Services
- 10.3 About Access Control to Oracle Wallets
- 10.4 Upgraded Applications That Depend on Packages That Use External Network Services
- 10.5 Configuring Access Control for External Network Services
- 10.5.1 Syntax for Configuring Access Control for External Network Services
- 10.5.2 Enabling the Listener to Recognize Access Control for External Network Services
- 10.5.3 Example: Configuring Access Control for External Network Services
- 10.5.4 Revoking Access Control Privileges for External Network Services
- 10.5.5 Example: Revoking External Network Services Privileges
- 10.6 Configuring Access Control to an Oracle Wallet
- 10.6.1 About Configuring Access Control to an Oracle Wallet
- 10.6.2 Step 1: Configure the Operating System Certificate Store as the Default Wallet Path
- 10.6.3 Step 2: Configure Access Control Privileges for the Oracle Wallet
- 10.6.4 Step 3: Make the HTTP Request with the Passwords and Client Certificates
- 10.6.5 Revoking Access Control Privileges for Oracle Wallets
- 10.6.6 Troubleshooting ORA-29024 Errors
- 10.7 Examples of Configuring Access Control for External Network Services
- 10.7.1 Example: Configuring Access Control for a Single Role and Network Connection
- 10.7.2 Example: Configuring Access Control for a User and Role
- 10.7.3 Example: Using the DBA_HOST_ACES View to Show Granted Privileges
- 10.7.4 Example: Configuring ACL Access Using Passwords in a Non-Shared Wallet
- 10.7.5 Example: Configuring ACL Access for a Wallet in a Shared Database Session
- 10.8 Specifying a Group of Network Host Computers
- 10.9 Precedence Order for a Host Computer in Multiple Access Control List Assignments
- 10.10 Precedence Order for a Host in Access Control List Assignments with Port Ranges
- 10.11 Checking Privilege Assignments That Affect User Access to Network Hosts
- 10.11.1 About Privilege Assignments that Affect User Access to Network Hosts
- 10.11.2 How to Check User Network Connection and Domain Privileges
- 10.11.3 Example: Administrator Checking User Network Access Control Permissions
- 10.11.4 How Users Can Check Their Network Connection and Domain Privileges
- 10.11.5 Example: User Checking Network Access Control Permissions
- 10.12 Configuring Network Access for Java Debug Wire Protocol Operations
- 10.13 Data Dictionary Views for Access Control Lists Configured for User Access
- 11 Managing Security for a Multitenant Environment in Enterprise Manager
- 11.1 About Managing Security for a Multitenant Environment in Enterprise Manager
- 11.2 Logging into a Multitenant Environment in Enterprise Manager
- 11.3 Managing Common and Local Users in Enterprise Manager
- 11.3.1 Creating a Common User Account in Enterprise Manager
- 11.3.2 Editing a Common User Account in Enterprise Manager
- 11.3.3 Dropping a Common User Account in Enterprise Manager
- 11.3.4 Creating a Local User Account in Enterprise Manager
- 11.3.5 Editing a Local User Account in Enterprise Manager
- 11.3.6 Dropping a Local User Account in Enterprise Manager
- 11.4 Managing Common and Local Roles and Privileges in Enterprise Manager
- 11.4.1 Creating a Common Role in Enterprise Manager
- 11.4.2 Editing a Common Role in Enterprise Manager
- 11.4.3 Dropping a Common Role in Enterprise Manager
- 11.4.4 Revoking Common Privilege Grants in Enterprise Manager
- 11.4.5 Creating a Local Role in Enterprise Manager
- 11.4.6 Editing a Local Role in Enterprise Manager
- 11.4.7 Dropping a Local Role in Enterprise Manager
- 11.4.8 Revoking Local Privilege Grants in Enterprise Manager
- Part II Application Development Security
- 12 Managing Security for Application Developers
- 12.1 About Application Security Policies
- 12.2 Considerations for Using Application-Based Security
- 12.3 Use of the DB_DEVELOPER_ROLE Role for Application Developers
- 12.4 Securing Passwords in Application Design
- 12.5 Securing External Procedures
- 12.5.1 About Securing External Procedures
- 12.5.2 General Process for Configuring extproc for a Credential Authentication
- 12.5.3 extproc Process Authentication and Impersonation Expected Behaviors
- 12.5.4 Configuring Authentication for External Procedures
- 12.5.5 External Procedures for Legacy Applications
- 12.6 Securing LOBs with LOB Locator Signatures
- 12.7 Managing Application Privileges
- 12.8 Advantages of Using Roles to Manage Application Privileges
- 12.9 Creating Secure Application Roles to Control Access to Applications
- 12.10 Association of Privileges with User Database Roles
- 12.11 Protecting Database Objects by Using Schemas
- 12.12 Object Privileges in an Application
- 12.13 Parameters for Enhanced Security of Database Communication
- 12.13.1 Bad Packets Received on the Database from Protocol Errors
- 12.13.2 Controlling Server Execution After Receiving a Bad Packet
- 12.13.3 Configuration of the Maximum Number of Authentication Attempts
- 12.13.4 Configuring the Display of the Database Version Banner
- 12.13.5 Configuring Banners for Unauthorized Access and Auditing User Actions
- Part III Controlling Access to Data
- 13 Using Oracle SQL Firewall
- 13.1 Overview of Oracle SQL Firewall
- 13.2 Configuring Oracle SQL Firewall
- 13.2.1 About Configuring Oracle SQL Firewall
- 13.2.2 Configuring and Managing Oracle SQL Firewall with Oracle Data Safe
- 13.2.3 Configuring and Managing Oracle SQL Firewall with the DBMS_SQL_FIREWALL Package
- 13.2.3.1 Configuring Oracle SQL Firewall Using the DBMS_SQL_FIREWALL Package
- 13.2.3.2 Modifications to Oracle SQL Firewall Configurations
- 13.2.3.3 Managing Performance for Capture Logs
- 13.2.3.4 Purging Oracle SQL Firewall Logs
- 13.2.3.5 Auditing Oracle SQL Firewall Violations by Using Unified Audit Policies
- 13.2.3.6 Troubleshooting Oracle SQL Firewall by Enabling or Disabling SQL Firewall Trace Files
- 13.3 How Oracle SQL Firewall Works with Other Oracle Features
- 13.3.1 Oracle SQL Firewall and Oracle Data Pump
- 13.3.2 Oracle SQL Firewall and Oracle Scheduler Jobs
- 13.3.3 Oracle SQL Firewall and Oracle Database Vault
- 13.3.4 Oracle SQL Firewall and Oracle Real Application Security
- 13.3.5 Oracle SQL Firewall and Oracle Database Centrally Managed Users and Enterprise Users
- 13.3.6 Oracle SQL Firewall and Oracle Virtual Private Database
- 13.3.7 Oracle SQL Firewall in a Multitenant Environment
- 13.4 Oracle SQL Firewall Data Dictionary Views and Example Queries
- 14 Using Application Contexts to Retrieve User Information
- 14.1 About Application Contexts
- 14.2 Types of Application Contexts
- 14.3 Using Database Session-Based Application Contexts
- 14.3.1 About Database Session-Based Application Contexts
- 14.3.2 Components of a Database Session-Based Application Context
- 14.3.3 Creating Database Session-Based Application Contexts
- 14.3.4 Creating a Package to Set a Database Session-Based Application Context
- 14.3.4.1 About the Package That Manages the Database Session-Based Application Context
- 14.3.4.2 Using the SYS_CONTEXT Function to Retrieve Session Information
- 14.3.4.3 Checking the SYS_CONTEXT Settings
- 14.3.4.4 Dynamic SQL with SYS_CONTEXT
- 14.3.4.5 SYS_CONTEXT in a Parallel Query
- 14.3.4.6 SYS_CONTEXT with Database Links
- 14.3.4.7 DBMS_SESSION.SET_CONTEXT for Setting Session Information
- 14.3.4.8 Example: Simple Procedure to Create an Application Context Value
- 14.3.5 Logon Triggers to Run a Database Session Application Context Package
- 14.3.6 Example: Creating a Simple Logon Trigger
- 14.3.7 Example: Creating a Logon Trigger for a Production Environment
- 14.3.8 Example: Creating a Logon Trigger for a Development Environment
- 14.3.9 Tutorial: Creating and Using a Database Session-Based Application Context
- 14.3.9.1 Step 1: Create User Accounts and Ensure the User SCOTT Is Active
- 14.3.9.2 Step 2: Create the Database Session-Based Application Context
- 14.3.9.3 Step 3: Create a Package to Retrieve Session Data and Set the Application Context
- 14.3.9.4 Step 4: Create a Logon Trigger for the Package
- 14.3.9.5 Step 5: Test the Application Context
- 14.3.9.6 Step 6: Remove the Components of This Tutorial
- 14.3.10 Initializing Database Session-Based Application Contexts Externally
- 14.3.10.1 About Initializing Database Session-Based Application Contexts Externally
- 14.3.10.2 Default Values from Users
- 14.3.10.3 Values from Other External Resources
- 14.3.10.4 Example: Creating an Externalized Database Session-based Application Context
- 14.3.10.5 Initialization of Application Context Values from a Middle-Tier Server
- 14.3.11 Initializing Database Session-Based Application Contexts Globally
- 14.3.11.1 About Initializing Database Session-Based Application Contexts Globally
- 14.3.11.2 Database Session-Based Application Contexts with LDAP
- 14.3.11.3 How Globally Initialized Database Session-Based Application Contexts Work
- 14.3.11.4 Initializing a Database Session-Based Application Context Globally
- 14.3.12 Externalized Database Session-Based Application Contexts
- 14.4 Global Application Contexts
- 14.4.1 About Global Application Contexts
- 14.4.2 Uses for Global Application Contexts
- 14.4.3 Components of a Global Application Context
- 14.4.4 Global Application Contexts in an Oracle Real Application Clusters Environment
- 14.4.5 Creating Global Application Contexts
- 14.4.6 PL/SQL Package to Manage a Global Application Context
- 14.4.6.1 About the Package That Manages the Global Application Context
- 14.4.6.2 How Editions Affect the Results of a Global Application Context PL/SQL Package
- 14.4.6.3 DBMS_SESSION.SET_CONTEXT username and client_id Parameters
- 14.4.6.4 Sharing Global Application Context Values for All Database Users
- 14.4.6.5 Example: Package to Manage Global Application Values for All Database Users
- 14.4.6.6 Global Contexts for Database Users Who Move Between Applications
- 14.4.6.7 Global Application Context for Nondatabase Users
- 14.4.6.8 Example: Package to Manage Global Application Context Values for Nondatabase Users
- 14.4.6.9 Clearing Session Data When the Session Closes
- 14.4.7 Embedding Calls in Middle-Tier Applications to Manage the Client Session ID
- 14.4.7.1 About Managing Client Session IDs Using a Middle-Tier Application
- 14.4.7.2 Step 1: Retrieve the Client Session ID Using a Middle-Tier Application
- 14.4.7.3 Step 2: Set the Client Session ID Using a Middle-Tier Application
- 14.4.7.4 Step 3: Clear the Session Data Using a Middle-Tier Application
- 14.4.8 Tutorial: Creating a Global Application Context That Uses a Client Session ID
- 14.4.8.1 About This Tutorial
- 14.4.8.2 Step 1: Create User Accounts
- 14.4.8.3 Step 2: Create the Global Application Context
- 14.4.8.4 Step 3: Create a Package for the Global Application Context
- 14.4.8.5 Step 4: Test the Newly Created Global Application Context
- 14.4.8.6 Step 5: Modify the Session ID and Test the Global Application Context Again
- 14.4.8.7 Step 6: Remove the Components of This Tutorial
- 14.4.9 Global Application Context Processes
- 14.5 Using Client Session-Based Application Contexts
- 14.5.1 About Client Session-Based Application Contexts
- 14.5.2 Setting a Value in the CLIENTCONTEXT Namespace
- 14.5.3 Retrieving the CLIENTCONTEXT Namespace
- 14.5.4 Example: Retrieving a Client Session ID Value for Client Session-Based Contexts
- 14.5.5 Clearing a Setting in the CLIENTCONTEXT Namespace
- 14.5.6 Clearing All Settings in the CLIENTCONTEXT Namespace
- 14.6 Application Context Data Dictionary Views
- 15 Using Oracle Virtual Private Database to Control Data Access
- 15.1 About Oracle Virtual Private Database
- 15.1.1 What Is Oracle Virtual Private Database?
- 15.1.2 Benefits of Using Oracle Virtual Private Database Policies
- 15.1.3 Who Can Create Oracle Virtual Private Database Policies?
- 15.1.4 Privileges to Run Oracle Virtual Private Database Policy Functions
- 15.1.5 Oracle Virtual Private Database Use with an Application Context
- 15.1.6 Oracle Virtual Private Database in a Multitenant Environment
- 15.2 Components of an Oracle Virtual Private Database Policy
- 15.3 Configuration of Oracle Virtual Private Database Policies
- 15.3.1 About Oracle Virtual Private Database Policies
- 15.3.2 Attaching a Policy to a Database Table, View, or Synonym
- 15.3.3 Example: Attaching a Simple Oracle Virtual Private Database Policy to a Table
- 15.3.4 Enforcing Policies on Specific SQL Statement Types
- 15.3.5 Example: Specifying SQL Statement Types with DBMS_RLS.ADD_POLICY
- 15.3.6 Control of the Display of Column Data with Policies
- 15.3.6.1 Policies for Column-Level Oracle Virtual Private Database
- 15.3.6.2 Example: Creating a Column-Level Oracle Virtual Private Database Policy
- 15.3.6.3 Display of Only the Column Rows Relevant to the Query
- 15.3.6.4 Column Masking to Display Sensitive Columns as NULL Values
- 15.3.6.5 Example: Adding Column Masking to an Oracle Virtual Private Database Policy
- 15.3.7 Oracle Virtual Private Database Policy Groups
- 15.3.7.1 About Oracle Virtual Private Database Policy Groups
- 15.3.7.2 Creation of a New Oracle Virtual Private Database Policy Group
- 15.3.7.3 Default Policy Group with the SYS_DEFAULT Policy Group
- 15.3.7.4 Multiple Policies for Each Table, View, or Synonym
- 15.3.7.5 Validation of the Application Used to Connect to the Database
- 15.3.8 Optimizing Performance by Using Oracle Virtual Private Database Policy Types
- 15.3.8.1 About Oracle Virtual Private Database Policy Types
- 15.3.8.2 Dynamic Policy Type to Automatically Rerun Policy Functions
- 15.3.8.3 Example: Creating a DYNAMIC Policy with DBMS_RLS.ADD_POLICY
- 15.3.8.4 Static Policy to Prevent Policy Functions from Rerunning for Each Query
- 15.3.8.5 Example: Creating a Static Policy with DBMS_RLS.ADD_POLICY
- 15.3.8.6 Example: Shared Static Policy to Share a Policy with Multiple Objects
- 15.3.8.7 When to Use Static and Shared Static Policies
- 15.3.8.8 Context-Sensitive Policy for Application Context Attributes That Change
- 15.3.8.9 Example: Creating a Context-Sensitive Policy with DBMS_RLS.ADD_POLICY
- 15.3.8.10 Example: Refreshing Cached Statements for a VPD Context-Sensitive Policy
- 15.3.8.11 Example: Altering an Existing Context-Sensitive Policy
- 15.3.8.12 Example: Using a Shared Context-Sensitive Policy to Share a Policy with Multiple Objects
- 15.3.8.13 When to Use Context-Sensitive and Shared Context-Sensitive Policies
- 15.3.8.14 Summary of the Five Oracle Virtual Private Database Policy Types
- 15.4 Tutorials: Creating Oracle Virtual Private Database Policies
- 15.4.1 Tutorial: Creating a Simple Oracle Virtual Private Database Policy
- 15.4.2 Tutorial: Implementing a Session-Based Application Context Policy
- 15.4.2.1 About This Tutorial
- 15.4.2.2 Step 1: Create User Accounts and Sample Tables
- 15.4.2.3 Step 2: Create a Database Session-Based Application Context
- 15.4.2.4 Step 3: Create a PL/SQL Package to Set the Application Context
- 15.4.2.5 Step 4: Create a Logon Trigger to Run the Application Context PL/SQL Package
- 15.4.2.6 Step 5: Test the Logon Trigger
- 15.4.2.7 Step 6: Create a PL/SQL Policy Function to Limit User Access to Their Orders
- 15.4.2.8 Step 7: Create the New Security Policy
- 15.4.2.9 Step 8: Test the New Policy
- 15.4.2.10 Step 9: Remove the Components of This Tutorial
- 15.4.3 Tutorial: Implementing an Oracle Virtual Private Database Policy Group
- 15.4.3.1 About This Tutorial
- 15.4.3.2 Step 1: Create User Accounts and Other Components for This Tutorial
- 15.4.3.3 Step 2: Create the Two Policy Groups
- 15.4.3.4 Step 3: Create PL/SQL Functions to Control the Policy Groups
- 15.4.3.5 Step 4: Create the Driving Application Context
- 15.4.3.6 Step 5: Add the PL/SQL Functions to the Policy Groups
- 15.4.3.7 Step 6: Test the Policy Groups
- 15.4.3.8 Step 7: Remove the Components of This Tutorial
- 15.5 How Oracle Virtual Private Database Works with Other Oracle Features
- 15.5.1 Oracle Virtual Private Database Policies with Editions
- 15.5.2 SELECT FOR UPDATE Statement in User Queries on VPD-Protected Tables
- 15.5.3 Oracle Virtual Private Database Policies and Outer or ANSI Joins
- 15.5.4 Oracle Virtual Private Database Security Policies and Applications
- 15.5.5 Automatic Reparsing for Fine-Grained Access Control Policy Functions
- 15.5.6 Oracle Virtual Private Database Policies and Flashback Queries
- 15.5.7 Oracle Virtual Private Database and Oracle Label Security
- 15.5.8 Export of Data Using the EXPDP Utility access_method Parameter
- 15.5.9 Oracle Virtual Private Database Policies and Oracle Flashback Time Travel
- 15.5.10 User Models and Oracle Virtual Private Database
- 15.5.11 Oracle Virtual Private Database and JSON
- 15.6 Oracle Virtual Private Database Data Dictionary Views
- 16 Using Transparent Sensitive Data Protection
- 16.1 About Transparent Sensitive Data Protection
- 16.2 General Steps for Using Transparent Sensitive Data Protection
- 16.3 Benefits of Transparent Sensitive Data Protection Policies
- 16.4 Privileges Required for Using Transparent Sensitive Data Protection
- 16.5 How a Multitenant Environment Affects Transparent Sensitive Data Protection
- 16.6 Creating Transparent Sensitive Data Protection Policies
- 16.6.1 Step 1: Create a Sensitive Type
- 16.6.2 Step 2: Identify the Sensitive Columns to Protect
- 16.6.3 Step 3: Import the Sensitive Columns List from ADM into Your Database
- 16.6.4 Step 4: Create the Transparent Sensitive Data Protection Policy
- 16.6.4.1 About Creating the Transparent Sensitive Data Protection Policy
- 16.6.4.2 Creating the Transparent Sensitive Data Protection Policy
- 16.6.4.3 Setting the Oracle Data Redaction or Virtual Private Database Feature Options
- 16.6.4.4 Setting Conditions for the Transparent Sensitive Data Protection Policy
- 16.6.4.5 Specifying the DBMS_TSDP_PROTECT.ADD_POLICY Procedure
- 16.6.5 Step 5: Associate the Policy with a Sensitive Type
- 16.6.6 Step 6: Enable the Transparent Sensitive Data Protection Policy
- 16.6.7 Step 7: Optionally, Export the Policy to Other Databases
- 16.7 Altering Transparent Sensitive Data Protection Policies
- 16.8 Disabling Transparent Sensitive Data Protection Policies
- 16.9 Dropping Transparent Sensitive Data Protection Policies
- 16.10 Using the Predefined REDACT_AUDIT Policy for Redaction
- 16.10.1 About the REDACT_AUDIT Policy
- 16.10.2 Variables Associated with Sensitive Columns
- 16.10.2.1 About Variables Associated with Sensitive Columns
- 16.10.2.2 Bind Variables and Sensitive Columns in the Expressions of Conditions
- 16.10.2.3 A Bind Variable and a Sensitive Column Appearing in the Same SELECT Item
- 16.10.2.4 Bind Variables in Expressions Assigned to Sensitive Columns in INSERT or UPDATE Operations
- 16.10.3 How Bind Variables on Sensitive Columns Behave with Views
- 16.10.4 Disabling the REDACT_AUDIT Policy
- 16.10.5 Enabling the REDACT_AUDIT Policy
- 16.11 Transparent Sensitive Data Protection Policies with Data Redaction
- 16.12 Using Transparent Sensitive Data Protection Policies with Oracle VPD Policies
- 16.12.1 About Using TSDP Policies with Oracle Virtual Private Database Policies
- 16.12.2 DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies
- 16.12.3 Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection
- 16.12.3.1 Step 1: Create the hr_appuser User Account
- 16.12.3.2 Step 2: Identify the Sensitive Columns
- 16.12.3.3 Step 3: Create an Oracle Virtual Private Database Function
- 16.12.3.4 Step 4: Create and Enable a Transparent Sensitive Data Protection Policy
- 16.12.3.5 Step 5: Test the Transparent Sensitive Data Protection Policy
- 16.12.3.6 Step 6: Remove the Components of This Tutorial
- 16.13 Using Transparent Sensitive Data Protection Policies with Unified Auditing
- 16.14 Using Transparent Sensitive Data Protection Policies with Fine-Grained Auditing
- 16.15 Using Transparent Sensitive Data Protection Policies with TDE Column Encryption
- 16.16 Transparent Sensitive Data Protection Data Dictionary Views
- 17 Encryption of Sensitive Credential Data in the Data Dictionary
- 17.1 About Encrypting Sensitive Credential Data in the Data Dictionary
- 17.2 How the Multitenant Option Affects the Encryption of Sensitive Data
- 17.3 Encrypting Sensitive Credential Data in System Tables
- 17.4 Rekeying Sensitive Credential Data in the SYS.LINK$ System Table
- 17.5 Deleting Sensitive Credential Data in System Tables
- 17.6 Restoring the Functioning of Database Links After a Lost Keystore
- 17.7 Data Dictionary Views for Encrypted Data Dictionary Credentials
- 18 Securing and Isolating Resources Using DbNest
- 19 On-Demand Encryption of Data
- 19.1 About On-Demand Encryption of Data
- 19.2 Security Problems That Encryption Does Not Solve
- 19.3 Data Encryption Challenges
- 19.4 Data Encryption Storage with the DBMS_CRYPTO Package
- 19.5 Asymmetric Key Operations with the DBMS_CRYPTO Package
- 19.6 Examples of Using the Data Encryption API
- Part IV Securing Data on the Network
- 20 Securing Data for Oracle Database Connections
- 21 Configuring Oracle Database Native Network Encryption and Data Integrity
- 21.1 About Oracle Database Native Network Encryption and Data Integrity
- 21.2 Oracle Database Native Network Encryption Data Integrity
- 21.3 Data Encryption and Integrity sqlnet.ora Parameters
- 21.4 Data Integrity Algorithms Support
- 21.5 Diffie-Hellman Based Key Negotiation
- 21.6 Configuration of Data Encryption and Integrity
- 21.6.1 About Activating Encryption and Integrity
- 21.6.2 About Negotiating Encryption and Integrity
- 21.6.3 Configuring Encryption and Integrity Parameters Using Oracle Net Manager
- 21.7 Troubleshooting the Native Network Encryption Configuration
- 22 Configuring Transport Layer Security Encryption
- 22.1 Transport Layer Security (TLS) and the Oracle Database
- 22.2 Configuring TLS for the Oracle Database and Client
- 22.2.1 About Configuring TLS for the Oracle Database
- 22.2.2 Configuring TLS Using a Public Certificate Authority Root of Trust for the Database Server Certificate
- 22.2.3 Configuring TLS with a Self-Signed Root Certificate
- 22.2.4 Configuring TLS Connection With a Client Wallet
- 22.2.5 Enabling Distinguished Name (DN) Matching
- 22.3 Advanced and Optional Configurations
- 22.3.1 Optional Parameters for Transport Layer Security
- 22.3.2 Mutual Transport Layer Security (mTLS)
- 22.3.3 Oracle Wallet Location
- 22.3.4 Enable Weak DN Matching
- 22.3.5 Private Key/Certificate Selection
- 22.3.6 Transport Layer Security Encryption Combined with Authentication Methods
- 22.3.7 Specifying TLS Protocol and TLS Cipher Suites
- 22.3.8 Certificate Validation with Certificate Revocation Lists
- 22.3.8.1 About Certificate Validation with Certificate Revocation Lists
- 22.3.8.2 What CRLs Should You Use?
- 22.3.8.3 How CRL Checking Works
- 22.3.8.4 Configuring Certificate Validation with Certificate Revocation Lists
- 22.3.8.5 Certificate Revocation List Management
- 22.3.8.5.1 About Certificate Revocation List Management
- 22.3.8.5.2 Displaying orapki Help for Commands That Manage CRLs
- 22.3.8.5.3 Renaming CRLs with a Hash Value for Certificate Validation
- 22.3.8.5.4 Uploading CRLs to Oracle Internet Directory
- 22.3.8.5.5 Listing CRLs Stored in Oracle Internet Directory
- 22.3.8.5.6 Viewing CRLs in Oracle Internet Directory
- 22.3.8.5.7 Deleting CRLs from Oracle Internet Directory
- 22.3.8.6 Troubleshooting CRL Certificate Validation
- 22.3.8.7 Oracle Net Tracing File Error Messages Associated with Certificate Validation
- 22.4 TLS and Other Oracle Products
- 22.4.1 Transport Layer Security Connections in an Oracle Real Application Clusters Environment
- 22.4.1.1 Step 1: Configure TCPS Protocol Endpoints
- 22.4.1.2 Step 2: Ensure That the LOCAL_LISTENER Parameter Is Correctly Set on Each Node
- 22.4.1.3 Step 3: Create Transport Layer Security Wallets and Certificates
- 22.4.1.4 Step 4: Create a Wallet in Each Node of the Oracle RAC Cluster
- 22.4.1.5 Step 5: Define Wallet Locations in the listener.ora and sqlnet.ora Files
- 22.4.1.6 Step 6: Restart the Database Instances and Listeners
- 22.4.1.7 Step 7: Test the Cluster Node Configuration
- 22.4.1.8 Step 8: Test the Remote Client Configuration
- 22.5 Troubleshooting the Transport Layer Security Configuration
- 22.6 Migrating to and Configuring Transport Layer Security Version 1.3
- Part V Managing Strong Authentication
- 23 Introduction to Strong Authentication
- 23.1 What Is Strong Authentication?
- 23.2 Centralized Authentication and Single Sign-On
- 23.3 How Centralized Network Authentication Works
- 23.4 Supported Strong Authentication Methods
- 23.5 Oracle Database Native Network Encryption/Strong Authentication Architecture
- 23.6 System Requirements for Strong Authentication
- 23.7 Oracle Database Native Network Encryption and Strong Authentication Restrictions
- 24 Strong Authentication Administration Tools
- 25 Configuring Kerberos Authentication
- 25.1 Introduction to Kerberos on Oracle Database
- 25.1.1 Kerberos Components in a Typical Oracle Database Configuration
- 25.1.2 Tickets Used in the Kerberos Configuration
- 25.1.3 Kerberos Server Key Distribution Center
- 25.1.4 How Oracle Database Works with Kerberos
- 25.1.5 Oracle Database Parameters Used in a Kerberos Configuration
- 25.1.6 How Authentication Works in an Oracle Database Kerberos Configuration
- 25.2 Enabling Kerberos Authentication
- 25.2.1 Step 1: Install Kerberos
- 25.2.2 Step 2: Configure a Service Principal for an Oracle Database Server
- 25.2.3 Step 3: Extract a Service Key Table from Kerberos
- 25.2.4 Step 4: Install an Oracle Database Server and an Oracle Client
- 25.2.5 Step 5: Configure Oracle Net Services and Oracle Database
- 25.2.6 Step 6: Configure Kerberos Authentication
- 25.2.7 Step 7: Create a Kerberos User
- 25.2.8 Step 8: Create an Externally Authenticated Oracle User
- 25.2.9 Step 9: Get an Initial Ticket for the Kerberos/Oracle User
- 25.3 Utilities for the Kerberos Authentication Adapter
- 25.4 Connecting to an Oracle Database Server Authenticated by Kerberos
- 25.5 Configuring Interoperability with Microsoft Windows Server Domain Controller KDC
- 25.5.1 About Configuring Interoperability with a Microsoft Windows Server Domain Controller KDC
- 25.5.2 Step 1: Configure Oracle Kerberos Client for Microsoft Windows Server Domain Controller
- 25.5.3 Step 2: Configure a Microsoft Windows Server Domain Controller KDC for the Oracle Client
- 25.5.4 Step 3: Configure Oracle Database for a Microsoft Windows Server Domain Controller KDC
- 25.5.5 Step 4: Obtain an Initial Ticket for the Kerberos/Oracle User
- 25.6 Configuring Kerberos Authentication Fallback Behavior
- 25.7 Troubleshooting the Oracle Kerberos Authentication Configuration
- 26 Configuring PKI Certificate Authentication
- 26.1 How Oracle Database Uses Transport Layer Security for Authentication
- 26.2 Enabling Oracle Internet Directory to Use Transport Layer Security Authentication
- 26.3 Configuring User Authentication with Transport Layer Security
- 26.4 Configuring Transport Layer Security for Client Authentication and Encryption with X.509 Certificates
- 26.4.1 About Configuring TLS for Client Authentication and Encryption with X.509 Certificates
- 26.4.2 Configuring the Server for Authentication and Encryption with X.509 Certificates
- 26.4.2.1 Step 1: Create and Configure the Server Wallet for the X.509 Certificate
- 26.4.2.2 Step 2: Shut Down the Oracle Listener on the Server
- 26.4.2.3 Step 3: Configure the sqlnet.ora File on the Server
- 26.4.2.4 Step 4: For Logical Volume Management, Configure the Server listener.ora File
- 26.4.2.5 Step 5: For Grid Infrastructure, Configure the Server Listener Process
- 26.4.2.6 Step 6: Set Initialization Parameters on the Server
- 26.4.2.7 Step 7: Create an External Database User on the Server
- 26.4.2.8 Step 8: Restart and Check the Listener Process on the Server
- 26.4.3 Configuring the Client for Authentication and Encryption with X.509 Certificates
- 26.4.3.1 Step 1: Configure the sqlnet.ora File on the Client
- 26.4.3.2 Step 2: Configure the tnsnames.ora File on the Client
- 26.4.3.3 Step 3: Configure Microsoft Certificate Store on the Client
- 26.4.3.3.1 About Configuring Microsoft Certificate Store on the Client
- 26.4.3.3.2 Setting the TNS_ADMIN Environment Variable
- 26.4.3.3.3 Configuring Microsoft Certificate Store on the Client
- 26.4.3.3.4 Testing the Microsoft Certificate Store Configuration Using tnsping
- 26.4.3.3.5 Testing the Microsoft Certificate Store Configuration Using SQL*Plus
- 26.5 Configuring Email over Transport Layer Security with an Oracle Wallet
- 26.6 Troubleshooting Transport Layer Security Errors
- 26.6.1 Step 1: Check the TLS Connection with the tnsping Utility
- 26.6.2 Step 2: Check the SSL_VERSION Parameter
- 26.6.3 Step 3: Check the Wallet File Permissions
- 26.6.4 Step 4: Check the Wallet Settings in the sqlnet.ora and listener.ora Files
- 26.6.5 Step 5: Enable Tracing for the SQL*Net and Listener Connections
- 27 Configuring RADIUS Authentication
- 27.1 About Configuring RADIUS Authentication
- 27.2 RADIUS Components
- 27.3 RADIUS Authentication Modes
- 27.4 RADIUS Parameters
- 27.5 Enabling RADIUS Authentication, Authorization, and Accounting
- 27.5.1 Step 1: Configure RADIUS Authentication
- 27.5.2 Step 2: Create a User and Grant Access
- 27.5.3 Step 3: Configure External RADIUS Authorization (Optional)
- 27.5.4 Step 4: Configure RADIUS Accounting
- 27.5.5 Step 5: Add the RADIUS Client Name to the RADIUS Server Database
- 27.5.6 Step 6: Configure the Authentication Server for Use with RADIUS
- 27.5.7 Step 7: Configure the RADIUS Server for Use with the Authentication Server
- 27.5.8 Step 8: Configure Mapping Roles
- 27.6 Using RADIUS to Log in to a Database
- 27.7 Integrating Authentication Devices Using RADIUS
- 28 Customizing the Use of Strong Authentication
- Part VI Monitoring Database Activity with Auditing
- 29 Introduction to Auditing
- 30 Provisioning Audit Policies
- 30.1 Getting Started with Auditing
- 30.2 About Audit Policies
- 30.3 Activities That Are Mandatorily Audited
- 30.4 Auditing Activities with the Predefined Unified Audit Policies
- 30.4.1 About Auditing Activities with the Predefined Unified Audit Policies
- 30.4.2 Secure Options Predefined Unified Audit Policy
- 30.4.3 Oracle Database Parameter Changes Predefined Unified Audit Policy
- 30.4.4 User Account and Privilege Management Predefined Unified Audit Policy
- 30.4.5 Center for Internet Security Recommendations Predefined Unified Audit Policy
- 30.4.6 Security Technical Implementation Guide Predefined Unified Audit Policies
- 30.4.7 ORA_DICTIONARY Sensitive Column Queries Predefined Unified Audit Policy
- 30.4.8 Oracle Database Real Application Security Predefined Audit Policies
- 30.4.9 Oracle Database Vault Predefined Unified Audit Policy for DVSYS and LBACSYS Schemas
- 30.4.10 Oracle Database Vault Predefined Unified Audit Policy for Default Realms and Command Rules
- 30.4.11 Oracle Label Security Predefined Unified Audit Policy for LBACSYS Objects
- 30.5 Steps to Provision Unified Audit Policies
- 30.6 Common Audit Configurations Across All PDBs
- 30.7 General Audit Data Dictionary Views
- 31 Creating Custom Unified Audit Policies
- 31.1 About Custom Unified Audit Policies
- 31.2 Best Practices for Creating Custom Unified Audit Policies
- 31.3 Syntax for Creating a Custom Unified Audit Policy
- 31.4 Auditing Standard Oracle Database Components
- 31.4.1 Auditing Roles
- 31.4.2 Auditing System Privileges
- 31.4.2.1 About System Privilege Auditing
- 31.4.2.2 System Privileges That Can Be Audited
- 31.4.2.3 System Privileges That Cannot Be Audited
- 31.4.2.4 Configuring a Unified Audit Policy to Capture System Privilege Use
- 31.4.2.5 Example: Auditing a User Who Has ANY Privileges
- 31.4.2.6 Example: Using a Condition to Audit a System Privilege
- 31.4.2.7 How System Privilege Unified Audit Policies Appear in the Audit Trail
- 31.4.3 Auditing Administrative Users
- 31.4.4 Auditing Object Actions
- 31.4.4.1 About Auditing Object Actions
- 31.4.4.2 Object Actions That Can Be Audited
- 31.4.4.3 Guidelines for Column Level Auditing and Virtual Columns
- 31.4.4.4 Configuring an Object Action Unified Audit Policy
- 31.4.4.5 Example: Auditing Actions on SYS Objects
- 31.4.4.6 Example: Auditing Multiple Actions on One Object
- 31.4.4.7 Example: Auditing GRANT and REVOKE Operations on an Object
- 31.4.4.8 Example: Auditing Both Actions and Privileges on an Object
- 31.4.4.9 Example: Auditing an Action on a Table Column
- 31.4.4.10 Example: Auditing All Actions on a Table
- 31.4.4.11 Example: Auditing All Actions in the Database
- 31.4.4.12 How Object Action Unified Audit Policies Appear in the Audit Trail
- 31.4.4.13 Auditing Functions, Procedures, Packages, and Triggers
- 31.4.4.14 Auditing of Oracle Virtual Private Database Predicates
- 31.4.4.15 Audit Policies for Oracle Virtual Private Database Policy Functions
- 31.4.4.16 Unified Auditing with Editioned Objects
- 31.4.5 Auditing the READ ANY TABLE and SELECT ANY TABLE Privileges
- 31.4.6 Auditing Only Top-Level Statements
- 31.4.6.1 About Auditing Only Top-Level SQL Statements
- 31.4.6.2 Configuring a Unified Audit Policy to Capture Only Top-Level Statements
- 31.4.6.3 Example: Auditing Top-Level Statements
- 31.4.6.4 Example: Comparison of Top-Level SQL Statement Audits
- 31.4.6.5 How the Unified Audit Trail Captures Top-Level SQL Statements
- 31.5 Unified Auditing with Configurable Conditions
- 31.5.1 About Conditions in Unified Audit Policies
- 31.5.2 Configuring a Unified Audit Policy with a Condition
- 31.5.3 Example: Auditing Access to SQL*Plus
- 31.5.4 Example: Auditing Actions Not in Specific Hosts
- 31.5.5 Example: Auditing Both a System-Wide and a Schema-Specific Action
- 31.5.6 Example: Auditing a Condition Per Statement Occurrence
- 31.5.7 Example: Unified Audit Session ID of a Current Administrative User Session
- 31.5.8 Example: Unified Audit Session ID of a Current Non-Administrative User Session
- 31.5.9 How Audit Records from Conditions Appear in the Audit Trail
- 31.6 Auditing for Multitier or Multitenant Configurations
- 31.6.1 Auditing in a Multitier Deployment
- 31.6.2 Auditing in a Multitenant Deployment
- 31.6.2.1 About Local, CDB Common, and Application Common Audit Policies
- 31.6.2.2 Common Audit Configurations Across All PDBs
- 31.6.2.3 Unified Audit Policies in an Application Root
- 31.6.2.4 Configuring a Local Unified Audit Policy or Common Unified Audit Policy
- 31.6.2.5 Example: Local Unified Audit Policy
- 31.6.2.6 Example: CDB Common Unified Audit Policy
- 31.6.2.7 Example: Application Common Unified Audit Policy
- 31.6.2.8 How Local or Common Audit Policies or Settings Appear in the Audit Trail
- 31.7 Extending Unified Auditing to Capture Custom Attributes
- 31.7.1 About Auditing Application Context Values
- 31.7.2 Configuring Application Context Audit Settings
- 31.7.3 Disabling Application Context Audit Settings
- 31.7.4 Example: Auditing Application Context Values in a Default Database
- 31.7.5 Example: Auditing Application Context Values from Oracle Label Security
- 31.7.6 How Audited Application Contexts Appear in the Audit Trail
- 31.8 Auditing Components of Other Oracle Products and Features
- 31.8.1 Auditing Oracle SQL Firewall
- 31.8.2 Auditing Oracle Database Vault Events
- 31.8.2.1 About Auditing Oracle Database Vault Events
- 31.8.2.2 Who Is Audited in Oracle Database Vault?
- 31.8.2.3 About Oracle Database Vault Unified Audit Trail Events
- 31.8.2.4 Oracle Database Vault Realm Audit Events
- 31.8.2.5 Oracle Database Vault Rule Set and Rule Audit Events
- 31.8.2.6 Oracle Database Vault Command Rule Audit Events
- 31.8.2.7 Oracle Database Vault Factor Audit Events
- 31.8.2.8 Oracle Database Vault Secure Application Role Audit Events
- 31.8.2.9 Oracle Database Vault Oracle Label Security Audit Events
- 31.8.2.10 Oracle Database Vault Oracle Data Pump Audit Events
- 31.8.2.11 Oracle Database Vault Enable and Disable Audit Events
- 31.8.2.12 Configuring a Unified Audit Policy for Oracle Database Vault
- 31.8.2.13 Example: Auditing an Oracle Database Vault Realm
- 31.8.2.14 Example: Auditing an Oracle Database Vault Rule Set
- 31.8.2.15 Example: Auditing Two Oracle Database Vault Events
- 31.8.2.16 Example: Auditing Oracle Database Vault Factors
- 31.8.2.17 How Oracle Database Vault Audited Events Appear in the Audit Trail
- 31.8.3 Auditing Oracle Database Real Application Security Events
- 31.8.3.1 About Auditing Oracle Database Real Application Security Events
- 31.8.3.2 Oracle Database Real Application Security Auditable Events
- 31.8.3.3 Oracle Database Real Application Security User, Privilege, and Role Audit Events
- 31.8.3.4 Oracle Database Real Application Security Security Class and ACL Audit Events
- 31.8.3.5 Oracle Database Real Application Security Session Audit Events
- 31.8.3.6 Oracle Database Real Application Security ALL Events
- 31.8.3.7 Configuring a Unified Audit Policy for Oracle Database Real Application Security
- 31.8.3.8 Example: Auditing Real Application Security User Account Modifications
- 31.8.3.9 Example: Using a Condition in a Real Application Security Unified Audit Policy
- 31.8.3.10 How Oracle Database Real Application Security Events Appear in the Audit Trail
- 31.8.4 Auditing Oracle Recovery Manager Events
- 31.8.5 Auditing Oracle Label Security Events
- 31.8.5.1 About Auditing Oracle Label Security Events
- 31.8.5.2 Oracle Label Security Unified Audit Trail Events
- 31.8.5.3 Oracle Label Security Auditable User Session Labels
- 31.8.5.4 Configuring a Unified Audit Policy for Oracle Label Security
- 31.8.5.5 Example: Auditing Oracle Label Security Session Label Attributes
- 31.8.5.6 Example: Excluding a User from an Oracle Label Security Policy
- 31.8.5.7 Example: Auditing Oracle Label Security Policy Actions
- 31.8.5.8 Example: Querying for Audited OLS Session Labels
- 31.8.5.9 How Oracle Label Security Audit Events Appear in the Audit Trail
- 31.8.6 Auditing Oracle Data Pump Events
- 31.8.6.1 About Auditing Oracle Data Pump Events
- 31.8.6.2 Oracle Data Pump Unified Audit Trail Events
- 31.8.6.3 Configuring a Unified Audit Policy for Oracle Data Pump
- 31.8.6.4 Example: Auditing Oracle Data Pump Import Operations
- 31.8.6.5 Example: Auditing All Oracle Data Pump Operations
- 31.8.6.6 How Oracle Data Pump Audit Events Appear in the Audit Trail
- 31.8.7 Auditing Oracle SQL*Loader Direct Load Path Events
- 31.8.7.1 About Auditing in Oracle SQL*Loader Direct Path Load Events
- 31.8.7.2 Oracle SQL*Loader Direct Load Path Unified Audit Trail Events
- 31.8.7.3 Configuring a Unified Audit Trail Policy for Oracle SQL*Loader Direct Path Events
- 31.8.7.4 Example: Auditing Oracle SQL*Loader Direct Path Load Operations
- 31.8.7.5 How SQL*Loader Direct Path Load Audited Events Appear in the Audit Trail
- 31.8.8 Auditing Oracle XML DB HTTP and FTP Protocols
- 31.8.8.1 About Auditing Oracle XML DB HTTP and FTP Protocols
- 31.8.8.2 Configuring a Unified Audit Policy to Capture Oracle XML DB HTTP and FTP Protocols
- 31.8.8.3 Example: Auditing Failed Oracle XML DB HTTP Messages
- 31.8.8.4 Example: Auditing All Oracle XML DB FTP Messages
- 31.8.8.5 Example: Auditing Oracle XML DB HTTP Messages That Have 401 AUTH Errors
- 31.8.8.6 How the Unified Audit Trail Captures Oracle XML DB HTTP and FTP Protocol Messages
- 31.8.9 Auditing Oracle Machine Learning for SQL Events
- 31.8.9.1 About Auditing Oracle Machine Learning for SQL Events
- 31.8.9.2 Oracle Machine Learning for SQL Unified Audit Trail Events
- 31.8.9.3 Configuring a Unified Audit Policy for Oracle Machine Learning for SQL
- 31.8.9.4 Example: Auditing Multiple Oracle Machine Learning for SQL Operations by a User
- 31.8.9.5 Example: Auditing All Failed Oracle Machine Learning for SQL Operations by a User
- 31.8.9.6 How Oracle Machine Learning for SQL Events Appear in the Audit Trail
- 31.9 Managing Unified Audit Policies
- 31.9.1 Altering Unified Audit Policies
- 31.9.1.1 About Altering Unified Audit Policies
- 31.9.1.2 Altering a Unified Audit Policy
- 31.9.1.3 Example: Altering a Condition in a Unified Audit Policy
- 31.9.1.4 Example: Altering an Oracle Label Security Component in a Unified Audit Policy
- 31.9.1.5 Example: Altering Roles in a Unified Audit Policy
- 31.9.1.6 Example: Dropping a Condition from a Unified Audit Policy
- 31.9.1.7 Example: Altering an Existing Unified Audit Policy Top-Level Statement Audits
- 31.9.2 Enabling and Applying Unified Audit Policies to Users and Roles
- 31.9.3 Disabling Unified Audit Policies
- 31.9.4 Dropping Unified Audit Policies
- 31.10 Tutorial: Auditing Nondatabase Users
- 31.11 Unified Audit Policy Data Dictionary Views
- 32 Value-Based Auditing with Fine-Grained Audit Policies
- 32.1 Overview of Fine-Grained Auditing
- 32.1.1 About Fine-Grained Auditing
- 32.1.2 Where Are Fine-Grained Audit Records Stored?
- 32.1.3 Who Can Perform Fine-Grained Auditing?
- 32.1.4 Fine-Grained Auditing on Tables or Views That Have Oracle VPD Policies
- 32.1.5 Fine-Grained Auditing in a Multitenant Environment
- 32.1.6 Fine-Grained Audit Policies with Editions
- 32.2 Creating Fine-Grained Audit Policies
- 32.3 Managing Fine-Grained Audit Policies
- 32.4 Tutorial: Adding an Email Alert to a Fine-Grained Audit Policy
- 32.4.1 About This Tutorial
- 32.4.2 Step 1: Install and Configure the UTL_MAIL PL/SQL Package
- 32.4.3 Step 2: Create User Accounts
- 32.4.4 Step 3: Configure an Access Control List File for Network Services
- 32.4.5 Step 4: Create the Email Security Alert PL/SQL Procedure
- 32.4.6 Step 5: Create and Test the Fine-Grained Audit Policy Settings
- 32.4.7 Step 6: Test the Alert
- 32.4.8 Step 7: Remove the Components of This Tutorial
- 32.5 Fine-Grained Audit Policy Data Dictionary Views
- 33 Administering the Audit Trail
- 33.1 Managing the Unified Audit Trail
- 33.1.1 How and Where Unified Audit Records Are Created
- 33.1.2 Sizing Recommendations for Unified Auditing
- 33.1.3 How Audit Trail Records Are Written to the AUDSYS Schema
- 33.1.4 Writing the Unified Audit Trail Records to SYSLOG or the Windows Event Viewer
- 33.1.5 How Unified Audit Records are Written to the Operating System
- 33.1.6 Moving Operating System Audit Records into the Unified Audit Trail
- 33.1.7 Improving the Performance of Queries and Purge Operations
- 33.1.8 Using Oracle Data Pump to Export and Import Unified Audit Trail Records
- 33.1.9 How Do Cursors Affect Auditing?
- 33.2 Archiving the Audit Trail
- 33.3 Purging Audit Trail Records
- 33.4 Audit Trail Management Data Dictionary Views
- Appendixes
- A Keeping Your Oracle Database Secure
- A.1 About the Oracle Database Security Guidelines
- A.2 Downloading Security Patches and Contacting Oracle Regarding Vulnerabilities
- A.3 Guidelines for Securing User Accounts and Privileges
- A.4 Guidelines for Securing Passwords
- A.5 Securing Authentication for Oracle Database Microsoft Windows Installations
- A.6 Guidelines for Securing Roles
- A.7 Guidelines for Securing Data
- A.8 Guidelines for Securing the ORACLE_LOADER Access Driver
- A.9 Guidelines for Securing a Database Installation and Configuration
- A.10 Guideline for Securing Multitenant PDBs from the Root in a Linux Environment
- A.11 Guidelines for Securing the Network
- A.12 Guideline for Securing External Procedures
- A.13 Guidelines for Auditing
- A.14 Addressing the CONNECT Role Change
- B Managing Oracle Database Wallets and Certificates
- B.1 Introduction to Oracle Database Wallets and Certificates
- B.1.1 About Oracle Database Wallets
- B.1.2 About Oracle Database Certificates
- B.1.3 About Certificate Authority (CA)
- B.1.4 Tools Used to Manage Oracle Database Wallets and Certificates
- B.1.5 General Process of Managing Oracle Database Wallets and Certificates
- B.1.6 Oracle Database Wallet Search Order
- B.2 Managing Oracle Database Wallets and Certificates with the orapki Utility
- B.3 Managing Oracle Database Wallets
- B.3.1 Creating a PKCS#12 Wallet
- B.3.2 Using OpenSSL to Create a PKCS#12 Wallet That Has a Certificate Chain
- B.3.3 Importing a PKCS#12 Wallet
- B.3.4 Creating an Auto-Login-Only Wallet
- B.3.5 Creating a Local Auto-Login Wallet
- B.3.6 Creating an Auto-Login Wallet That Is Associated with a PKCS#12 Wallet
- B.3.7 Viewing a Wallet
- B.3.8 Modifying the Password for a Wallet
- B.3.9 Converting an Oracle Wallet to Use the AES256 Algorithm
- B.3.10 Deleting a Wallet
- B.4 Managing Oracle Database Certificates
- B.4.1 Certificate Store Location for System Wallets
- B.4.2 Adding a Certificate Request to an Oracle Wallet
- B.4.3 Creating Signed Certificates
- B.4.4 Creating a Signed Certificate Using a Self-Signed Root
- B.4.5 Adding a Trusted Certificate to an Oracle Wallet
- B.4.6 Adding a Root Certificate to an Oracle Wallet
- B.4.7 Adding Root Certificate Authority That Requires an Intermediate Certificate Using Microsoft Internet Explorer
- B.4.8 Adding a User Certificate to an Oracle Wallet
- B.4.9 Verifying Credentials on the Hardware Device That Uses a PKCS#11 Wallet
- B.4.10 Adding PKCS#11 Information to an Oracle Wallet
- B.4.11 Viewing a Certificate
- B.4.12 Controlling MD5 and SHA-1 Certificate Use
- B.4.13 Certificate Import and Export Operations
- B.4.14 Management of Certificate Revocation Lists (CRLs) with orapki Utility
- B.5 Examples of Creating Wallets and Certificates Using orapki
- B.6 orapki Utility Commands Summary
- B.6.1 orapki cert create
- B.6.2 orapki cert display
- B.6.3 orapki crl delete
- B.6.4 orapki crl display
- B.6.5 orapki crl hash
- B.6.6 orapki crl list
- B.6.7 orapki crl upload
- B.6.8 orapki secretstore create_credential
- B.6.9 orapki secretstore create_entry
- B.6.10 orapki secretstore create_user_credential
- B.6.11 orapki secretstore delete_credential
- B.6.12 orapki secretstore delete_entry
- B.6.13 orapki secretstore delete_user_credential
- B.6.14 orapki secretstore list_credentials
- B.6.15 orapki secretstore list_entries
- B.6.16 orapki secretstore list_entries_unsorted
- B.6.17 orapki secretstore modify_credential
- B.6.18 orapki secretstore modify_entry
- B.6.19 orapki secretstore modify_user_credential
- B.6.20 orapki wallet add
- B.6.21 orapki wallet change_pwd
- B.6.22 orapki wallet convert
- B.6.23 orapki wallet create
- B.6.24 orapki wallet delete
- B.6.25 orapki wallet display
- B.6.26 orapki wallet export
- B.6.27 orapki wallet export_private_key
- B.6.28 orapki wallet import_pkcs12
- B.6.29 orapki wallet import_private_key
- B.6.30 orapki wallet jks_to_pkcs12
- B.6.31 orapki wallet pkcs12_to_jks
- B.6.32 orapki wallet remove
- B.7 mkstore Utility Commands Summary
- B.7.1 mkstore create
- B.7.2 mkstore createALO
- B.7.3 mkstore createCredential
- B.7.4 mkstore createEntry
- B.7.5 mkstore createUserCredential
- B.7.6 mkstore delete
- B.7.7 mkstore deleteCredential
- B.7.8 mkstore deleteEntry
- B.7.9 mkstore deleteSSO
- B.7.10 mkstore deleteUserCredential
- B.7.11 mkstore list
- B.7.12 mkstore listCredential
- B.7.13 mkstore modifyCredential
- B.7.14 mkstore modifyEntry
- B.7.15 mkstore modifyUserCredential
- B.7.16 mkstore viewEntry
- C Oracle Database FIPS 140-2 Settings
- C.1 About the Oracle Database FIPS 140-2 Settings
- C.2 Configuration of FIPS 140-2 Using the Consolidated FIPS_140 Parameter
- C.2.1 About Configuration of FIPS 140-2 Using the FIPS_140 Parameter
- C.2.2 Configuring the FIPS_140 Parameter
- C.2.3 Running orapki in FIPS Mode
- C.2.4 Configuring Standalone Java FIPS for Running Java Client Applications in FIPS Mode
- C.2.5 Enabling FIPS by Running the enable_fips.py Python Script
- C.2.6 FIPS-Supported Algorithms for Transparent Data Encryption
- C.2.7 FIPS-Supported Cipher Suites for DBMS_CRYPTO
- C.2.8 FIPS-Supported Cipher Suites for Transport Layer Security
- C.2.9 FIPS-Supported Algorithms for Network Native Encryption
- C.3 Legacy FIPS 140-2 Configurations
- C.4 Postinstallation Checks for FIPS 140-2
- C.5 Verifying FIPS 140-2 Connections
- C.6 Managing Deprecated Weaker Algorithm Keys
- D Considerations for Transitioning from Traditional to Unified Auditing
- Glossary
- Index